Behaviors of the user input, the key functions and the response data were extracted as analysis features, following the execution flow of an injection threat. A hidden Markov model was used to detect abnormal user input, and lexical structure analysis of the abnormal parameters reaching the key functions was used to determine the type of abnormality. Finally, the response data were inspected for sensitive characters or watermark features to ensure that important data were not leaked to attackers. The experimental results show that parameter length and character classification influence the hidden Markov model; comparative experiments indicate that the method achieves a good balance between detection accuracy and false positive rate.
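The three-stage pipeline the abstract describes, as an added illustrative example (this is not the paper's code or data): a discrete HMM trained with Baum-Welch on character-class sequences of normal parameter values scores new input per character, a small lexical rule set types a flagged parameter, and the response is checked for a watermark or sensitive-looking data. The six-class alphabet, the three-state model, the margin, the rule patterns, the watermark value and the training usernames are all assumptions made here for the demonstration.

```python
import math
import random
import re

# Stage 1 feature: each character of a parameter maps to one of six coarse classes
# (letter, digit, space, quote, SQL/shell metacharacter, other punctuation).
# This alphabet is an assumption; the paper does not publish its own.
def char_class(ch):
    for k, test in enumerate((str.isalpha, str.isdigit, str.isspace,
                              "'\"`".__contains__, "=;()<>*/#|&".__contains__)):
        if test(ch):
            return k
    return 5

def encode(param):
    return [char_class(c) for c in param]

def _stochastic_row(rng, n):
    r = [rng.random() + 0.5 for _ in range(n)]      # random, bounded away from zero
    return [x / sum(r) for x in r]

class DiscreteHMM:
    # Discrete-emission HMM: scaled forward/backward and Baum-Welch re-estimation.
    def __init__(self, n_states, n_symbols, seed=7):
        rng = random.Random(seed)
        self.N, self.K = n_states, n_symbols
        self.pi = _stochastic_row(rng, n_states)
        self.A = [_stochastic_row(rng, n_states) for _ in range(n_states)]
        self.B = [_stochastic_row(rng, n_symbols) for _ in range(n_states)]

    def _forward(self, obs):
        alpha, norms = [], []
        cur = [self.pi[i] * self.B[i][obs[0]] for i in range(self.N)]
        for t, o in enumerate(obs):
            if t > 0:
                cur = [self.B[j][o] * sum(alpha[-1][i] * self.A[i][j] for i in range(self.N))
                       for j in range(self.N)]
            norms.append(sum(cur))                   # scale factor, so long inputs do not underflow
            alpha.append([x / norms[-1] for x in cur])
        return alpha, norms

    def _backward(self, obs, norms):
        beta = [[1.0] * self.N for _ in obs]
        for t in range(len(obs) - 2, -1, -1):
            for i in range(self.N):
                beta[t][i] = sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                                 for j in range(self.N)) / norms[t + 1]
        return beta

    def loglik(self, obs):
        return sum(math.log(s) for s in self._forward(obs)[1]) if obs else 0.0

    def fit(self, seqs, iters=20, eps=1e-3):
        for _ in range(iters):   # eps pseudocounts keep unseen symbols at a small finite probability
            pi_acc, a_den, b_den = [eps] * self.N, [eps * self.N] * self.N, [eps * self.K] * self.N
            a_num = [[eps] * self.N for _ in range(self.N)]
            b_num = [[eps] * self.K for _ in range(self.N)]
            for obs in seqs:
                alpha, norms = self._forward(obs)
                beta = self._backward(obs, norms)
                for t, o in enumerate(obs):
                    for i in range(self.N):
                        g = alpha[t][i] * beta[t][i]        # P(state i at t | obs)
                        pi_acc[i] += g if t == 0 else 0.0
                        b_num[i][o] += g
                        b_den[i] += g
                        if t + 1 < len(obs):
                            a_den[i] += g
                            for j in range(self.N):         # P(i -> j at t | obs)
                                a_num[i][j] += (alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]]
                                                * beta[t + 1][j] / norms[t + 1])
            self.pi = [p / sum(pi_acc) for p in pi_acc]
            self.A = [[a_num[i][j] / a_den[i] for j in range(self.N)] for i in range(self.N)]
            self.B = [[b_num[i][k] / b_den[i] for k in range(self.K)] for i in range(self.N)]

class InputAnomalyDetector:
    # Flags input whose per-character HMM log-likelihood falls below a bound learned from normal traffic.
    def __init__(self, normal_params, n_states=3, margin=1.0):
        self.hmm = DiscreteHMM(n_states, 6)
        self.hmm.fit([encode(p) for p in normal_params if p])
        # Length normalisation: the raw likelihood falls with length and would penalise long benign input.
        self.threshold = min(self.score(p) for p in normal_params if p) - margin

    def score(self, param):
        return self.hmm.loglik(encode(param)) / max(len(param), 1)

    def is_abnormal(self, param):
        return self.score(param) < self.threshold

# Stage 2: the lexical structure of a flagged parameter decides the threat type (illustrative rules).
LEXICAL_RULES = [
    ("sql", re.compile(r"['\"].*?\b(or|and|union|select)\b|--|/\*|;\s*(drop|select)\b", re.I)),
    ("xss", re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I)),
    ("cmd", re.compile(r"[;|&`]\s*\w|\$\(")),
]

def anomaly_type(param):
    return next((name for name, rx in LEXICAL_RULES if rx.search(param)), "unknown")

# Stage 3: the response is checked for a planted watermark or sensitive-looking data before it leaves.
WATERMARK = "WM-7f3a9c"     # assumed canary value seeded into a honey row of the database
SENSITIVE = re.compile(r"\b\d{16}\b|\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")   # card number or bcrypt hash

def response_leaks(body):
    return WATERMARK in body or SENSITIVE.search(body) is not None

# Constructed sample: usernames observed in normal traffic train the stage-1 model.
NORMAL_USERNAMES = ["alice", "bob", "carol_99", "dave.smith", "eve2024", "frank_the_tank",
                    "grace.hopper", "heidi_7", "ivan", "judy_b", "kate", "leo_1"]
DETECTOR = InputAnomalyDetector(NORMAL_USERNAMES)

def analyse(param, response_body):   # all three stages on one request/response pair
    abnormal = DETECTOR.is_abnormal(param)
    return {"abnormal": abnormal, "type": anomaly_type(param) if abnormal else "normal",
            "leak": response_leaks(response_body)}
```

The per-character normalisation in `score` is the practical answer to the abstract's observation that parameter length skews the model: a long but benign comment field would otherwise score lower than a short injection string. The pseudocount `eps` in `fit` matters for the same reason in the other direction: without it, a single character class never seen in training would drive the likelihood to zero and the log to minus infinity, which hides how far off the input really is.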
Received: 08 October 2016
Published: 11 September 2018
JIA Wen-chao, HU Rong-gui, SHI Fan, XU Cheng-xi. Injection vulnerability threat detection method with multi-feature correlation. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2018, 52(3): 524-530.
[1] WANG Pei-feng, LI Li. Application of an improved multi-pattern matching algorithm in Snort[J]. Computer Science, 2012(2): 72-79.
[2] CHANDOLA V, BANERJEE A, KUMAR V. Anomaly detection: a survey[J]. ACM Computing Surveys, 2009, 41(3): 1-58.
[3] MICENKOVÁ B, MCWILLIAMS B, ASSENT I. Learning outlier ensembles: the best of both worlds, supervised and unsupervised[C]//KDD'14 Workshop on Outlier Detection and Description (ODD²). New York: ACM, 2014: 51-54.
[4] BORGOLTE K, KRUEGEL C, VIGNA G. Delta: automatic identification of unknown web-based infection campaigns[C]//ACM SIGSAC Conference on Computer and Communications Security (CCS). Berlin: ACM, 2013: 109-120.
[5] VEERAMACHANENI K, ARNALDO I, KORRAPATI V, et al. AI²: training a big data machine to defend[C]//IEEE International Conference on Big Data Security on Cloud. New York: IEEE, 2016: 1-13.
[6] HE Yu-kun, LI Qiang, JI Yue-de, et al. Detecting response-delayed bot by correlating host behavior and network activity[J]. Chinese Journal of Computers, 2014, 37(1): 50-61.
[7] KANG Jian, YANG Mei, ZHANG Jun-yao. Identifying new high-distributed low-rate QoS violation driven by LDoS based on multi-observed features MF-HMM[J]. Journal of Sichuan University: Engineering Science Edition, 2015, 47(1): 42-48.
[8] COVA M, KRUEGEL C, VIGNA G. Detection and analysis of drive-by-download attacks and malicious JavaScript code[C]//19th International Conference on World Wide Web (WWW 2010). Raleigh: ACM, 2010: 281-290.
[9] PROVOS N, MAVROMMATIS P, RAJAB M A, et al. All your iFRAMEs point to us[C]//17th USENIX Security Symposium. Berkeley: USENIX Association, 2008: 1-15.
[10] CANALI D, COVA M, VIGNA G, et al. Prophiler: a fast filter for the large-scale detection of malicious web pages[C]//20th International Conference on World Wide Web (WWW 2011). Hyderabad: ACM, 2011: 197-206.
[11] RIECK K, KRUEGER T, DEWALD A. Cujo: efficient detection and prevention of drive-by-download attacks[C]//26th Annual Computer Security Applications Conference (ACSAC). Austin: ACM, 2010: 31-39.
[12] Gartner. Runtime application self-protection (RASP)[EB/OL]. [2016-08-15]. http://www.gartner.com/it-glossary/runtime-application-self-protection-rasp/.
[13] KRUEGEL C, VIGNA G. Anomaly detection of web-based attacks[C]//10th ACM Conference on Computer and Communications Security (CCS). Washington DC: ACM, 2003: 251-261.
[14] SONG Y, KEROMYTIS A D, STOLFO S J. Spectrogram: a mixture-of-Markov-chains model for anomaly detection in web traffic[C]//Network and Distributed System Security Symposium (NDSS). San Diego: Internet Society, 2009: 121-135.
[15] RABINER L R. A tutorial on hidden Markov models and selected applications in speech recognition[J]. Proceedings of the IEEE, 1989, 77(2): 257-286.
[16] GU Xiao-dan, YANG Ming, LUO Jun-zhou, et al. Website fingerprinting attack against SSH anonymous traffic[J]. Chinese Journal of Computers, 2015, 38(4): 833-845.
[17] Download HMM toolbox[EB/OL]. (2002-10-23)[2016-10-08]. http://www.cs.ubc.ca/~murphyk/Software/HMM/hmm_download.html.