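Security Event Analysis and Implementation Based on Web Log Mining
Published: 2018-07-03 14:40
Topic of this thesis: Web logs + security events; Reference: Beijing University of Posts and Telecommunications, 2014 master's thesis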
[Abstract]: With the rapid development of the Internet, malicious attacks by "hackers" are rising quickly and pose a serious threat to the social and economic interests of Internet users. Many network attacks (such as SQL injection and cross-site scripting) leave access traces in Web logs. Traditional security analysis of Web logs is limited to extracting the attack records from the logs and ignores the deeper correlations between attack behaviors. Web log mining, meanwhile, is mainly used to discover users' access behavior and patterns, and its mining targets are rarely the security events in Web logs.

A single attacker's attack behavior is usually repeated and time-ordered, and the attack behavior that different attackers share to some degree necessarily reflects security information about the website. Using Web log mining techniques, this thesis proposes for the first time mining the sequential patterns of attack behavior in Web logs, and designs and implements a Web log security analysis system with this at its core. Based on a study of multiple types of network attack, it identifies the Web log fields that can be used for security analysis and the attack behaviors that can be captured by analyzing Web logs. According to the characteristics of these attack behaviors, security events are captured from the Web logs by rule matching and statistical analysis, an attack sequence database is then built, and the PrefixSpan algorithm is used to mine it, finally yielding the sequential patterns of attack behavior.

On the one hand, an attack sequence pattern reveals that most attackers carried out the attack steps corresponding to that pattern against the website; on the other hand, it shows that the website has the corresponding security vulnerabilities and that attackers have discovered and exploited them. System verification shows that analyzing the attack sequence patterns can effectively locate a website's security vulnerabilities, and in turn provide website administrators with targeted security...
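The pipeline the abstract describes (rule matching over Web log entries, one attack sequence per client, PrefixSpan over the sequence database) can be illustrated as follows. This is an added example, not code from the thesis: the log lines are constructed, the three rules are simplified assumptions, and only the rule-matching half of event capture is shown (no statistical analysis).

```python
import re
from collections import Counter, defaultdict
# Constructed sample access log (documentation IP ranges), in chronological order.
LOG = """\
192.0.2.10 - - [03/Jul/2014:10:00:01 +0800] "GET /index.php?id=1%27 HTTP/1.1" 500 310
198.51.100.7 - - [03/Jul/2014:10:00:05 +0800] "GET /index.php?id=1%27 HTTP/1.1" 500 310
192.0.2.10 - - [03/Jul/2014:10:00:09 +0800] "GET /index.php?id=1+union+select+1,2 HTTP/1.1" 200 900
192.0.2.99 - - [03/Jul/2014:10:00:12 +0800] "GET /index.php?id=2 HTTP/1.1" 200 850
198.51.100.7 - - [03/Jul/2014:10:00:20 +0800] "GET /download?file=../../etc/passwd HTTP/1.1" 403 120
203.0.113.5 - - [03/Jul/2014:10:00:31 +0800] "GET /download?file=..%2f..%2fetc/passwd HTTP/1.1" 403 120
192.0.2.10 - - [03/Jul/2014:10:00:40 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
198.51.100.7 - - [03/Jul/2014:10:00:44 +0800] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 640
"""

# Assumed, simplified detection rules (first match wins); not the thesis's rule set.
RULES = [
    ("SQLI", re.compile(r"%27|union(\+|%20)select", re.I)),
    ("XSS", re.compile(r"%3Cscript|<script", re.I)),
    ("TRAVERSAL", re.compile(r"\.\./|\.\.%2f", re.I)),
]
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)')

def build_sequences(log):
    """Rule-match each request and return {client_ip: ordered list of event types}."""
    seqs = defaultdict(list)
    for m in filter(None, map(LINE.match, log.splitlines())):
        ip, url = m.groups()
        event = next((name for name, rx in RULES if rx.search(url)), None)
        # Collapse immediate repeats so a burst of one attack type counts once.
        if event and (not seqs[ip] or seqs[ip][-1] != event):
            seqs[ip].append(event)
    return dict(seqs)

def prefixspan(db, min_support):
    """Return {pattern tuple: number of sequences containing it as a subsequence}."""
    found = {}
    def mine(prefix, projected):
        support = Counter(item for suffix in projected for item in set(suffix))
        for item, count in sorted(support.items()):
            if count >= min_support:
                pattern = prefix + (item,)
                found[pattern] = count
                # Projected database: what follows the first occurrence of item.
                mine(pattern, [s[s.index(item) + 1:] for s in projected if item in s])
    mine((), list(db))
    return found

if __name__ == "__main__":
    print(prefixspan(build_sequences(LOG).values(), min_support=2))
```

With a minimum support of two clients, the only multi-step pattern in the sample is SQL injection followed by XSS, which points a reviewer at the pages those two event types hit.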
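[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08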
Article ID: 2093987
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2093987.html