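Research on N-gram-Based HTTP Attack Detection Technology
Published: 2018-04-01 14:04
Topic: HTTP attack detection. Entry point: N-gram feature extraction. Source: Xidian University, master's thesis, 2014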
[Abstract]: With the rapid development of Internet technology, network security is receiving more and more attention. Malicious virus detection is an important topic in the field of information security, and within it the detection of HTTP attacks is a new research focus. A detection system based on the hidden Markov model can detect HTTP attacks, but such a system has high complexity and is not suitable for detecting large amounts of HTTP data. To address the shortcomings of existing HTTP attack detection models, namely high complexity, low detection performance, and the inability to detect large amounts of HTTP data in a timely manner, this thesis presents an HTTP attack detection framework based on an in-depth study of HTTP attack detection technology. The framework is divided into three parts: the data input and output part, the mixed N-gram feature extraction part for HTTP data, and the detection part for HTTP data. For the mixed N-gram feature extraction part, this thesis designs a method for extracting mixed N-gram features; the method takes into account the influence of N-gram features of different lengths on HTTP attack detection and adopts an expert voting mechanism, producing better N-gram feature vectors for HTTP data. For the detection part, this thesis studies a detection technique based on computing a distance to measure similarity and a detection technique based on the decision tree algorithm from machine learning, gives the detection algorithm and workflow for measuring similarity by computing the chi-square distance, and on this basis proposes a detection algorithm that measures similarity by computing an improved distance. Experimental comparison shows that the detection method based on the improved distance is simple and efficient and can be used to detect large amounts of HTTP data. It also verifies the effectiveness of the decision tree algorithm in detecting complex HTTP attacks that have undergone polymorphic transformation.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article number: 1695875
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1695875.html