This application relates to the field of Web attack detection, and in particular to a method, system, medium and equipment for Web attack detection. The application includes: constructing a reconstruction error model based on the first positive sample; calculating the error matrix corresponding to the second positive sample set according to all characters of the second positive sample, and calculating the threshold $T$; calculating, according to the reconstruction error model, the output probability $P_{nj}$ corresponding to each character of the test sample set; obtaining, through the Sparsemax function, the sparse probability value $H(P_{nj})$ corresponding to the probability $P_{nj}$; obtaining, according to the sparse probability values, the sample loss $\mathrm{Loss}_{xj}$ corresponding to the x-th HTTP sample string in the test sample set; and, when $\mathrm{Loss}_{xj} > T$, determining that the x-th HTTP sample string in the test sample set is abnormal. Based on the idea of detecting first and then identifying, this application uses unsupervised learning to detect and discover abnormal requests and abnormal characters, and then uses regular classification and matching methods to identify attack types for the detected suspicious characters.
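The detection stage described above, sketched as an added example that is not code from the application. It assumes a previous-character count model as a stand-in for the reconstruction error model, a sample loss equal to the mean of 1 - H(P_nj) over the string, and a threshold T equal to the largest loss in the second positive set; all request strings are constructed.

```python
import math
from collections import Counter, defaultdict

def sparsemax(z):
    """Sparsemax (Martins & Astudillo, 2016): project scores z onto the simplex."""
    cum, tau = 0.0, 0.0
    for i, v in enumerate(sorted(z, reverse=True), 1):
        cum += v
        if 1 + i * v > cum:          # v is still inside the support
            tau = (cum - 1) / i
    return [max(v - tau, 0.0) for v in z]

def fit(samples):
    """Stand-in model (assumption): next-character counts given the previous character."""
    counts = defaultdict(Counter)
    for s in samples:
        for prev, ch in zip("^" + s, s):   # "^" marks the start of the string
            counts[prev][ch] += 1
    return counts, sorted({ch for s in samples for ch in s})

def char_losses(model, s):
    """Per-character loss 1 - H(P_nj); characters outside the vocabulary get H = 0."""
    counts, vocab = model
    losses = []
    for prev, ch in zip("^" + s, s):
        h = sparsemax([math.log1p(counts[prev][c]) for c in vocab])
        losses.append(1.0 - (h[vocab.index(ch)] if ch in vocab else 0.0))
    return losses

def sample_loss(model, s):
    """Assumed sample loss: mean per-character loss over the string."""
    losses = char_losses(model, s)
    return sum(losses) / len(losses)

def detect(model, threshold, s):
    """Return (is_abnormal, characters whose sparse probability is exactly zero)."""
    losses = char_losses(model, s)
    flagged = [ch for ch, l in zip(s, losses) if l == 1.0]
    return sum(losses) / len(losses) > threshold, flagged

# Constructed sample data, not taken from the application.
FIRST_POSITIVE = ["/shop/item?id=17", "/shop/item?id=204", "/shop/item?id=93",
                  "/shop/cart?id=58", "/shop/cart?id=6"]
SECOND_POSITIVE = ["/shop/item?id=29", "/shop/cart?id=47"]
MODEL = fit(FIRST_POSITIVE)
T = max(sample_loss(MODEL, s) for s in SECOND_POSITIVE)   # assumed threshold rule

if __name__ == "__main__":
    for s in ["/shop/item?id=20", "/shop/item?id=1' OR '1'='1"]:
        print(s, detect(MODEL, T, s))
```

Because Sparsemax assigns exactly zero probability to low-scoring characters, the characters it zeroes out are the ones a later rule-matching stage would inspect.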