Alibaba Cloud security research results were selected as the top AI conference IJCAI 2019. it is the first time in the industry to use AI to solve another problem! -Alibaba Cloud Developer Community

from August 10 to August 16, IJCAI 2019(International Joint Conference on Artificial Intelligence 2019), a Joint International Artificial Intelligence organization meeting, was held in Macao, China. Alibaba Cloud's four AI research papers stand out among many papers, one of which was included in the main forum and three by the AIBS Workshop. This paper deeply analyzes the research results and scenario-based applications of AI technology in the fields of network security, data security and content security, and demonstrates the leadership of Alibaba Cloud security in the field of intelligent security.

Since it was first held in Washington, D. C., in 1969, IJCAI has become one of the most important top academic conferences in the field of artificial intelligence. The papers successfully collected by IJCAI every year are the most cutting-edge research results in the AI field. This year, the paper inclusion rate of IJCAI main forum is only 17.9%, which is lower than that of last year. Alibaba Cloud's paper "Locate Then Detect:Web Attack Detection via Attention-based Deep Neural Networks" included in the main forum, it solves the problem of interpretability of the results of deep learning in the field of Web attack detection for the first time and has unprecedented innovative significance. , proving that Alibaba Cloud is leading the industry in academic research and application of security AI technology.

"Locate Then Detect:Web Attack Detection via Attention-based Deep Neural Networks" (Tianlong Liu, Yu Qi, Liang Shi, Jianan Yan), that is, the application of Deep Neural network based on Attention mechanism in Web Attack Detection.

This paper proposes a new two-stage Web attack detection framework called Locate-Then-Detect(LTD). The LTD model combines the idea of Object Detection and attention mechanism, and creatively puts forward PLN(Payload Locating Network attack load targeted positioning Network) and PCN(Payload Classification Network attack Load Classification Network), the combination of two deep neural networks can accurately locate the location of malicious attacks and accurately identify their types. PLN is used to locate the suspicious positions of attack vectors. PCN classifies the identified suspicious vectors. Through the extraction capability of target recognition network, the detection system can pay more attention to the truly harmful attacks, this avoids the impact of normal parts of the entire request content on the model prediction results.

For the first time, LTD solved the problem of interpretability of the results of deep learning in the field of Web attack detection (implemented through Payload targeted positioning). At the same time, compared with other traditional methods, LTD also outperforms rules-based, symbolic features, and traditional machine learning methods. Currently, the LTD detection framework has been applied to Alibaba Cloud Web application firewall in the form of an AI kernel. With the support of the AI kernel, it provides real-time Intelligent Protection for cloud customers and ensures the security of cloud users.

The other three topics included by AIBS Workshop Paper(Artificial Intelligence for Business Security) all focus on the latest research results and applications of AI technology in cloud Security, namely "Multi-strategy Integration Architecture for Pornographic Web Site Detection", insider Threat-Data Exfiltration Detection using Node2Vec in Instant Message, Webshell Detection with Attention-Based Opcode Sequence Classification.

Multi-strategy Integration Architecture for Pornographic Web Site Detection (Yu Pang) is a pornography risk Detection model based on Multi-strategy fusion.

With the continuous development of the Internet, prohibited risk content is also increasing, such as violence, pornography, racial discrimination, etc. Therefore, a powerful detection model that can identify and shield such risks must be established. To solve this problem, this paper proposes a risk detection model for pornographic websites based on multi-strategy fusion. Different from the website content-based detection models (such as keyword detection or blacklist detection) used in other commercial scenarios, this method integrates text features, structure content features and semantic features construct a detection model. The experimental results show that the model is superior to other risk detection models in accuracy and F1 score.

Insider Threat-Data Exfiltration Detection using Node2Vec in Instant Message (Xiaoyu Tang, Jie Chen): an internal Threat Detection model based on Node2Vec.

Data is the core asset of many companies, including but not limited to the company's future planning, transaction data, employee personal information data, customer data, etc, data leakage caused by internal employees is the most costly and difficult to detect. On the one hand, internal employees themselves may have multiple permissions of the company and can access a large amount of sensitive data; On the other hand, due to the internal of the company, instant messaging tools are often used to communicate data with external customers. Instant messaging tools may be used by some employees to back up sensitive data or move data out. Therefore, it is meaningful and necessary to protect data security at the instant messaging tool level. Traditionally, some statistical rules and statistical data are used to detect user behavior anomalies on instant messaging tools. This method requires more human experience to extract features, the recall rate and accuracy are not high. After analysis and investigation, this paper finds that suspicious users transfer files in instant messaging tools will produce different file network structures from normal users. Based on this, we propose a method to detect abnormal file transmission structures by using Node2Vec, which can complete automatic feature extraction and has good performance in accuracy and recall.

"Webshell Detection with Attention-Based Opcode Sequence Classification" (Wei He, Yue Xu, Liang Shi), that is, Webshell Detection Based on Opcode Sequence of Attention mechanism.

In recent years, more and more Web applications have been migrated to the cloud platform. They may contain serious Webshell or have been implanted with Webshell due to vulnerabilities. However, there are some challenges in detecting Webshell, because Webshell usually have no clear boundaries between malicious and normal files. For example, the functions of the upload plug-in and administrator maintenance page in the WordPress are very similar to those of malicious Webshell. On the other hand, many Webshell simulate normal scripts to bypass various detection methods. Therefore, a reliable detector should distinguish Webshell from common Web scripts with a low false positive rate. In this paper, a method based on operator code sequence detection is proposed. We establish a sequence classification model to predict the probability of malicious Webshell. This method does not process the fuzzy part of the PHP script, but processes the actual machine code during execution. Use BiLSTM with attention mechanism to learn and identify the operation code sequence. Through the evaluation of more than 30,000 samples, the experimental results show that our method reaches F1 = 98.78% and AUC = 99.97%, exceeding other detection models. Due to its good accuracy and multi-functionality, our method can be used in common Webshell detection, not just PHP Webshell.

Alibaba Cloud currently serves 40% of websites in China and provides basic security defense for millions of customers. The number of DDoS attacks that Alibaba Cloud successfully defends every day accounts for more than half of the total number of DDoS attacks across the country. Rich practical experience provides favorable conditions for Alibaba Cloud's academic research. The cutting-edge research results feed products and offensive and defensive practices to provide customers with more intelligent security products and services, to ensure the security of tens of millions of enterprises on the cloud.