Journal of Zhejiang University (Engineering Science)  2018, Vol. 52 Issue (3): 524-530    DOI: 10.3785/j.issn.1008-973X.2018.03.014
Computer and Communication Technology
Injection vulnerability threat detection method with multi-feature correlation
JIA Wen-chao, HU Rong-gui, SHI Fan, XU Cheng-xi
Electronic Engineering Institute of PLA, Hefei 230037, China
Abstract:

Following the execution flow of an injection threat, the behaviors at three key nodes, the user input, the key functions and the response data, were extracted as analysis features. A hidden Markov model was used to detect abnormal user input; for parameters flagged as abnormal, a lexical structure analysis at the key function was used to determine the type of abnormality. Finally, the response data was analyzed for sensitive characters or watermark features to ensure that important data would not be leaked to attackers. The experimental results show that parameter length and character classification influence the hidden Markov model; the comparative experiments indicate that the method achieves a good balance between detection accuracy and false positive rate.
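The three-node pipeline the abstract describes, as an added Python example that is not part of the paper or its code: at the user-input node a Laplace-smoothed first-order Markov chain over character classes (a visible-state chain, used here in place of the paper's hidden Markov model) scores each parameter against a length profile and a threshold calibrated on normal input; at the key-function node the lexical token structure of the built SQL statement is compared with the structure obtained from a harmless placeholder; at the response node the body is checked for planted watermark strings and an e-mail pattern. All sample user names, the query template, the watermark value and the response bodies are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# ---- node 1: user-input model over character classes ----------------------
def char_class(ch: str) -> str:
    """Coarse character class; the model learns class sequences, not raw text."""
    if ch.isdigit():
        return "D"
    if ch.isalpha():
        return "A"
    if ch.isspace():
        return "S"
    if ch in "'\"`":
        return "Q"  # quotes
    return "P" if ch in "()=<>;,-/*#%&|\\!" else "O"  # parser punctuation / other

def class_sequence(value: str) -> list:
    return ["^"] + [char_class(c) for c in value] + ["$"]

class CharClassChain:
    """Laplace-smoothed first-order Markov chain over character classes plus a
    length profile; it stands in for the paper's hidden Markov model."""
    CLASSES = ["^", "$", "D", "A", "S", "Q", "P", "O"]

    def __init__(self, alpha: float = 0.5):
        self.alpha, self.trans, self.training = alpha, defaultdict(Counter), []

    def fit(self, samples):
        for s in samples:
            seq = class_sequence(s)
            for a, b in zip(seq, seq[1:]):
                self.trans[a][b] += 1
            self.training.append(s)
        return self

    def score(self, value: str) -> float:
        """Mean log-probability per transition; higher means more normal."""
        seq, ll = class_sequence(value), 0.0
        for a, b in zip(seq, seq[1:]):
            row = self.trans[a]
            total = sum(row.values()) + self.alpha * len(self.CLASSES)
            ll += math.log((row[b] + self.alpha) / total)
        return ll / (len(seq) - 1)

    def calibrate(self, margin: float = 0.5) -> float:
        """Threshold: worst score on normal training input, minus a margin."""
        return min(self.score(s) for s in self.training) - margin

    def is_anomalous(self, value: str, threshold: float, length_factor=2.0) -> bool:
        too_long = len(value) > length_factor * max(len(s) for s in self.training)
        return too_long or self.score(value) < threshold

# ---- node 2: lexical structure analysis at the query-building key function ----
SQL_KEYWORDS = {"select", "from", "where", "and", "or", "union", "insert", "update", "delete", "drop"}
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|--|/\*|\*/|[^\s\w]")

def sql_shape(statement: str) -> list:
    """Token-type sequence of a statement, i.e. its lexical structure."""
    shape = []
    for tok in SQL_TOKEN.findall(statement):
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        elif tok in ("--", "/*", "*/"):
            shape.append("CMT")
        elif tok[0].isalpha() or tok[0] == "_":
            shape.append("KW" if tok.lower() in SQL_KEYWORDS else "ID")
        else:
            shape.append("OP")
    return shape

def lexical_structure_check(template: str, value: str):
    """A value must not change the statement's structure relative to a harmless
    placeholder; the extra token types show what the value added."""
    expected = sql_shape(template.format("0"))
    actual = sql_shape(template.format(value))
    if actual == expected:
        return "consistent", []
    return "structure-changed", sorted((Counter(actual) - Counter(expected)).elements())

# ---- node 3: response-data check -----------------------------------------
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def response_check(body: str, watermarks):
    """Watermarks are strings planted in sensitive records; one appearing in a
    response means protected data is leaving the application."""
    return [w for w in watermarks if w in body], (["email"] if EMAIL_RE.search(body) else [])

def analyze(model, threshold, template, param, body, watermarks) -> dict:
    report = {"input_anomalous": model.is_anomalous(param, threshold),
              "structure": "not-checked", "added_tokens": []}
    if report["input_anomalous"]:  # only anomalous parameters reach node 2
        report["structure"], report["added_tokens"] = lexical_structure_check(template, param)
    report["leaked_watermarks"], report["sensitive"] = response_check(body, watermarks)
    report["block"] = report["structure"] == "structure-changed" or bool(report["leaked_watermarks"])
    return report

# constructed sample data (not from the paper)
BENIGN_SAMPLES = ["alice", "bob42", "carol_smith", "dave", "12345", "erin99", "frank", "grace7"]
MODEL = CharClassChain().fit(BENIGN_SAMPLES)
THRESHOLD = MODEL.calibrate(margin=0.5)
TEMPLATE = "SELECT id FROM users WHERE name = '{}'"
WATERMARKS = ["WM-CANARY-4f2e"]  # constructed honeytoken value
NORMAL_BODY = '{"id": 7, "name": "alice"}'
LEAKY_BODY = '[{"id": 1, "name": "WM-CANARY-4f2e", "email": "carol@example.com"}]'
```

Calling `analyze(MODEL, THRESHOLD, TEMPLATE, param, body, WATERMARKS)` returns one report per request. The input node is where the abstract's remark about parameter length and character classification shows up: both the length profile and the class alphabet decide what the chain considers normal, and the threshold is tied to the worst-scoring normal sample rather than fixed. The key-function check is structure-based, so a properly escaped apostrophe (`O''Brien` lexes as one string token) stays consistent while a raw quote that adds keyword or operator tokens does not, and the response check blocks on a leaked watermark regardless of how the input scored.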

Received: 2016-10-08; Published: 2018-09-11
CLC: TP393
Funding:

National Natural Science Foundation of China (61602491).

Corresponding author: XU Cheng-xi, male, lecturer. orcid.org/0000-0001-8069-0029. E-mail: 13966742453@126.com
Author biography: JIA Wen-chao (1988-), male, PhD candidate; research interests: network security, machine learning. orcid.org/0000-0002-1913-6464. E-mail: jiatoday2013@163.com

Cite this article:

JIA Wen-chao, HU Rong-gui, SHI Fan, XU Cheng-xi. Injection vulnerability threat detection method with multi-feature correlation. Journal of Zhejiang University (Engineering Science), 2018, 52(3): 524-530.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2018.03.014        http://www.zjujournals.com/eng/CN/Y2018/V52/I3/524
