Journal of Computer Applications ›› 2012, Vol. 32 ›› Issue (07): 2003-2006.DOI: 10.3724/SP.J.1087.2012.02003

• Information security

Adaptive anomaly detection method of Web-based attacks

WEN Kai, GUO Fan, YU Min

  1. School of Computer and Information Engineering, Jiangxi Normal University, Nanchang Jiangxi 330022, China
  • Received: 2011-12-20  Revised: 2012-02-14  Online: 2012-07-05  Published: 2012-07-01
  • Contact: WEN Kai

Adaptive anomaly detection method for Web attacks

WEN Kai, GUO Fan, YU Min

  1. School of Computer and Information Engineering, Jiangxi Normal University, Nanchang 330022, China
  • Contact: WEN Kai
  • About the authors: WEN Kai (1985-), male, born in Shicheng, Jiangxi, M.S. candidate; main research interests: information security, software architecture. GUO Fan (1977-), male, born in Yudu, Jiangxi, associate professor, Ph.D.; main research interests: information security, software architecture. YU Min (1964-), female, born in Nanchang, Jiangxi, professor, Ph.D.; main research interests: distributed computing, information security.
  • Funding: Science and Technology Project of the Jiangxi Provincial Department of Education (20101106); International Cooperation Project of the Ministry of Science and Technology (2010DFA70990)

Abstract: Concerning the problem that untrusted samples can easily be introduced by traditional modelling methods, an adaptive model is proposed in this paper. Based on a description of the structural features of the Request-URL, the whole sample set is divided into smaller subsets. The discreteness of each subset is calculated from its properties, and this value determines whether the subset represents normal behaviour. On this basis, the detection model is built from the normal subsets with an improved Hidden Markov Model (HMM) algorithm, and dynamic updating of the model is achieved by HMM merging. The experimental results show that the adaptive model built by the proposed method can effectively identify Web-based attacks and reduce the false alarm rate.

Key words: classification, discrete function, adaptive, Hidden Markov Model (HMM), Intrusion Detection System (IDS)
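The detection pipeline sketched in the abstract, as an added Python illustration that is not the authors' code: requests are split into subsets by the structural feature of the Request-URL (path plus parameter names), each subset is screened by a discreteness measure before it is accepted as normal behaviour, one model per parameter is trained on the accepted subsets, and a later trusted batch is merged into the live model to update it. Because the page does not give the improved HMM algorithm or the discreteness function, the code substitutes a first-order Markov chain over character classes and a distinct-transition ratio; the sample requests, the constants SMOOTH, MIN_SAMPLES, MAX_DISCRETENESS and MARGIN, and every function name are assumptions.

```python
# Added illustration, not the authors' code: the HMM is simplified to a first-order
# Markov chain over character classes; discreteness measure and constants are stand-ins.
import math
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

START, END, UNKNOWN = "^", "$", "?"  # pseudo-symbols; "?" buckets unseen classes
SMOOTH = 0.1                         # add-k smoothing constant (assumed)
MIN_SAMPLES, MAX_DISCRETENESS, MARGIN = 5, 0.5, 1.25  # assumed gating constants
# Constructed sample set: one well-behaved subset and one small, erratic one.
NORMAL_REQUESTS = [
    "/app/view.php?id=1023&lang=en", "/app/view.php?id=87&lang=zh", "/app/view.php?id=4410&lang=en",
    "/app/view.php?id=5&lang=fr", "/app/view.php?id=9021&lang=de", "/app/view.php?id=312&lang=en",
    "/app/admin.php?cmd=ls", "/app/admin.php?cmd=id", "/app/admin.php?cmd=a%3D1%3Bb",
    "/app/admin.php?cmd=x%7Cy", "/app/admin.php?cmd=~/.z",
]
# Constructed later batch of trusted traffic for the dynamic-update step.
NEW_BATCH = ["/app/view.php?id=%s&lang=%s" % p
             for p in [("20", "en"), ("771", "zh"), ("6604", "en"), ("38", "de"), ("5150", "fr")]]

def char_class(c):  # coarse classes let the chain generalise past the exact characters seen
    return "d" if c.isdigit() else "a" if c.isalpha() else c

def structure_key(url):
    """Structural feature of a Request-URL: path plus sorted parameter names."""
    parts = urlsplit(url)
    names = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return parts.path + "?" + "&".join(names)

class ChainModel:
    """First-order Markov chain over the character classes of one parameter's values."""
    def __init__(self):
        self.trans, self.out = Counter(), Counter()  # (prev, cur) counts; totals per prev
        self.alphabet, self.values, self.threshold = set(), [], None

    def add(self, value):
        self.values.append(value)
        syms = [START] + [char_class(c) for c in value] + [END]
        for prev, cur in zip(syms, syms[1:]):
            self.trans[(prev, cur)] += 1
            self.out[prev] += 1
            self.alphabet.add(cur)

    def score(self, value):
        """Mean negative log-probability per transition; higher means less normal."""
        vocab = len(self.alphabet) + 1  # seen successors plus the unseen bucket
        syms, total = [START] + [char_class(c) for c in value] + [END], 0.0
        for prev, cur in zip(syms, syms[1:]):
            prev, cur = (prev if prev in self.out else UNKNOWN), (cur if cur in self.alphabet else UNKNOWN)
            p = (self.trans[(prev, cur)] + SMOOTH) / (self.out[prev] + SMOOTH * vocab)
            total -= math.log(p)
        return total / (len(syms) - 1)

    def discreteness(self):  # stand-in: distinct transitions as a share of all transitions
        return len(self.trans) / max(1, sum(self.out.values()))

    def calibrate(self):  # worst training score plus a margin, so training data never alerts
        self.threshold = max(self.score(v) for v in self.values) * MARGIN

    def merge(self, other):
        """Update by merging two chains (stand-in for the paper's HMM merging)."""
        merged = ChainModel()
        for v in self.values + other.values:
            merged.add(v)
        merged.calibrate()
        return merged

def build_detector(urls):
    """Group samples by URL structure, keep subsets with enough samples and low
    discreteness as normal behaviour, and train one chain per (structure, parameter)."""
    subsets = defaultdict(list)
    for url in urls:
        subsets[structure_key(url)].append(url)
    detector = {}
    for key, members in subsets.items():
        models = defaultdict(ChainModel)
        for url in members:
            for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                models[name].add(value)
        if len(members) >= MIN_SAMPLES and all(m.discreteness() <= MAX_DISCRETENESS for m in models.values()):
            for m in models.values():
                m.calibrate()
            detector[key] = dict(models)
    return detector

def update_detector(detector, new_urls):
    """Dynamic update: merge chains trained on a newer trusted batch into the live model."""
    for key, models in build_detector(new_urls).items():
        old = detector.get(key, {})
        detector[key] = {n: old[n].merge(m) if n in old else m for n, m in models.items()}
    return detector

def check_request(detector, url):
    """Return (is_anomalous, {param: (score, flagged)}); unknown structures are anomalous."""
    models = detector.get(structure_key(url))
    if models is None:
        return True, {}
    scores = {n: models[n].score(v) for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    details = {n: (round(s, 3), s > models[n].threshold) for n, s in scores.items()}
    return any(f for _, f in details.values()), details
```

Running build_detector on the constructed set keeps only the /app/view.php subset: the admin subset has five samples, but its values are so varied that the stand-in discreteness measure exceeds the limit, so nothing is learned from it. check_request then scores each parameter value against its chain and flags the request if any parameter exceeds its threshold, and update_detector shows the merging step by folding a new batch into the existing chains and recalibrating the thresholds.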

Abstract: To address the problem that traditional modelling easily introduces untrusted samples, this paper proposes a method for adaptively building an anomaly detection model for Web attacks. The sample set is classified according to the structural features of the Request-URL in each sample, and the attributes of the samples are used to construct a discreteness function for each classified subset; the degree of discreteness serves as the basis for identifying the set of normal behaviour. On this basis, an improved Hidden Markov Model (HMM) algorithm is used to model the normal-behaviour sample set, and HMM merging is used to update the detection model dynamically. Experimental results show that the model built by the proposed method can effectively identify Web attack requests and reduce the false alarm rate of detection.

Key words: classification, discreteness function, adaptive, Hidden Markov Model, Intrusion Detection System
