Computer and Communication Technology
Injection vulnerability threat detection method with multi-feature correlation |
JIA Wen-chao, HU Rong-gui, SHI Fan, XU Cheng-xi |
Electronic Engineering Institute of PLA, Hefei 230037, China |
Abstract: Behaviors at three key nodes of the execution flow of an injection threat, namely the user input, key functions and response data, were extracted as analysis features. A hidden Markov model was used to detect abnormal user input, and lexical structure analysis of the abnormal parameters at the key functions was used to determine the type of abnormality. Finally, sensitive characters or watermark features were analysed in the response data to ensure that important data would not be leaked to attackers. The experimental results show that parameter length and character classification influence the hidden Markov model; comparative experiments indicate that this method achieves a good balance between detection accuracy and false positive rate.
Received: 08 October 2016
Published: 11 September 2018
Injection-type threat detection method based on multi-feature correlation
According to the execution flow of an injection-type threat, the behaviors at three key nodes, the user input, the key functions and the response data, are extracted as analysis features. A hidden Markov model is used to detect whether the user input is abnormal, lexical structure analysis of the abnormal parameters is performed at the key functions to determine the type of abnormality, and the returned content is analysed for sensitive characters or watermark features to ensure that important data cannot be passed to an attacker. The experimental results show that parameter length and character classification influence the hidden Markov model; comparative experiments prove that the method achieves a good balance between detection accuracy and false positive rate.
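The three-stage pipeline the abstract describes, shown as an added example that is not code from the paper. A first-order Markov chain over character classes stands in for the paper's hidden Markov model (a simplification, since the paper's HMM parameters are not reproduced here); the character classes, the benign training set, the watermark string and the sensitive-data pattern are all constructed for this demonstration.

```python
"""Toy three-stage injection detector mirroring the abstract:
(1) a character-class Markov model scores each user-input parameter,
(2) a flagged parameter gets a lexical structure check to name the anomaly type,
(3) the response body is checked for sensitive characters or a watermark.
The Markov chain is a simplified stand-in for the paper's HMM; all data is constructed."""
import math
import re
from collections import defaultdict

START, END = "^", "$"
SYMBOLS = ["D", "A", "S", "Q", "T", "P"]


def char_class(c: str) -> str:
    """Character classification (constructed scheme): the abstract notes that the
    chosen classification affects the model, so this mapping is a tunable choice."""
    if c.isdigit():
        return "D"
    if c.isalpha():
        return "A"
    if c.isspace():
        return "S"
    if c in "'\";":
        return "Q"   # quotes and statement separators
    if c in "<>/=":
        return "T"   # tag and comparison characters
    return "P"       # any other punctuation


class ClassMarkovModel:
    """First-order Markov chain over character classes with add-one smoothing.
    Parameter length enters through the START -> class and class -> END transitions."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))

    def fit(self, samples):
        for s in samples:
            seq = [START] + [char_class(c) for c in s] + [END]
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
        return self

    def log_prob(self, a: str, b: str) -> float:
        row = self.counts[a]
        total = sum(row.values()) + len(SYMBOLS) + 1   # +1 for END
        return math.log((row[b] + 1) / total)

    def score(self, s: str) -> float:
        """Average per-transition log-likelihood; lower means more unusual."""
        seq = [START] + [char_class(c) for c in s] + [END]
        return sum(self.log_prob(a, b) for a, b in zip(seq, seq[1:])) / (len(seq) - 1)


# Constructed benign values for a hypothetical "user" parameter.
BENIGN_SAMPLES = ["alice", "bob_99", "carol", "1024", "john.doe", "mary2020", "dave", "u_7781"]


def train(samples, margin: float = 0.5):
    """Fit the model and derive an anomaly threshold from the weakest benign score."""
    model = ClassMarkovModel().fit(samples)
    threshold = min(model.score(s) for s in samples) - margin
    return model, threshold


# Stage 2: lexical structure analysis of a parameter that reached a key function.
SQL_TOKENS = re.compile(r"\b(select|union|or|and|from|where|drop|insert)\b", re.I)
TAG_TOKENS = re.compile(r"<\s*/?\s*[a-z]", re.I)


def classify_anomaly(param: str) -> str:
    has_quote = any(c in "'\"" for c in param)
    if SQL_TOKENS.search(param) and (has_quote or "--" in param or ";" in param):
        return "sql"
    if TAG_TOKENS.search(param):
        return "markup"
    return "unknown"


# Stage 3: response check for sensitive characters or a watermark.
WATERMARK = "WM-7f3a"                                   # constructed record watermark
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # constructed SSN-like pattern


def response_leaks(body: str) -> bool:
    return WATERMARK in body or bool(SENSITIVE.search(body))


def detect(model, threshold, param: str, response_body: str) -> dict:
    """Correlate the three features for one request/response pair."""
    score = model.score(param)
    anomalous = score < threshold
    return {
        "anomalous": anomalous,
        "score": score,
        "type": classify_anomaly(param) if anomalous else None,
        "leak": response_leaks(response_body),
    }


if __name__ == "__main__":
    model, threshold = train(BENIGN_SAMPLES)
    print(detect(model, threshold, "eve", "<p>welcome eve</p>"))
    print(detect(model, threshold, "1' OR '1'='1", "id=1 WM-7f3a secret"))
```

The benign-only training set never produces quote, space or comparison transitions, so a parameter containing them falls well below the threshold; the lexical stage then names the anomaly type, and the response stage reports whether a watermarked record actually reached the client, which is the correlation the abstract relies on to keep the false positive rate down.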