基于频繁闭情节规则的Web异常入侵检测

发布时间：2018-05-15 01:29

本文选题：Web访问日志 + 频繁闭情节规则　；参考：《山东大学》2017年硕士论文

【摘要】：由于Web服务遍布世界各地,因此Web攻击数量在迅速增加。近年来,各种Web攻击事件,比如SQL注入攻击、网站扫描攻击等频繁出现,Web安全问题引起了大家的广泛关注和讨论。Web访问日志数据包含了许多有价值的信息。对Web访问日志数据进行分析,从中挖掘到有用的信息,不仅可以及时发现入侵行为,而且还可以了解攻击者的攻击过程来发现相应的安全漏洞,从而采取对应的措施来进行防范。然而通过人为地处理这些Web访问日志数据,不仅浪费时间而且消耗人力,同时效率还比较低。目前存在的一些序列模式挖掘算法,比如CloSpan算法等,在分析大量的日志数据的时候可能会出现挖掘效率低下的情况,同时PrefixSpan算法还会生成冗余的频繁情节,所以设计一个能够高效地挖掘大量Web访问日志数据且减少冗余频繁情节的序列模式挖掘算法是非常有必要的。传统的误用入侵检测方法无法给Web服务提供足够的保护,虽然它可以识别出过去出现过的攻击但是无法识别出新的未出现的攻击。通过以上分析,我们设计了一种使用频繁闭情节规则挖掘算法去处理大量Web访问日志数据的Web异常入侵检测方法。其中的频繁闭情节规则挖掘算法可以在Spark上快速地处理大量Web访问日志数据,并从中并行地挖掘频繁闭情节规则。同时该算法还减少了一部分规则来提高匹配效率,这些规则对于Web异常入侵检测来说是冗余的。然后又设计了一个分组方案去改善算法的并行效率。最后,使用SQLMAP和WebCruiser去模拟一些常见的Web攻击来获取模拟攻击数据。实验结果表明,我们的方法在检测异常用户方面的检测率和误报率分别是96.67%和3.33%。冗余规则的减少也可以很大幅度的提高匹配效率。此外,这也能证明我们的算法要比其余的序列模式挖掘算法更加高效,更加能适应处理大量日志数据。
[Abstract]:Because Web services are spread around the world, the number of Web attacks is growing rapidly. In recent years, a variety of Web attacks, such as SQL injection attacks, website scanning attacks and other frequent web security issues have caused widespread concern and discussion. Web access log data contains a lot of valuable information. By analyzing the Web access log data and mining useful information from it, not only the intrusion behavior can be discovered in time, but also the attacker's attack process can be understood to discover the corresponding security vulnerabilities. Therefore, corresponding measures are taken to prevent it. However, by artificially processing these Web access log data, it not only wastes time, but also consumes manpower, at the same time, the efficiency is relatively low. Some existing sequential pattern mining algorithms, such as the CloSpan algorithm, may be inefficient when analyzing a large amount of log data, and the PrefixSpan algorithm will also generate redundant frequent plots. Therefore, it is necessary to design a sequential pattern mining algorithm which can efficiently mine a large amount of Web access log data and reduce redundant frequent episodes. The traditional misuse intrusion detection method can not provide sufficient protection for Web services, although it can identify the past attacks, but it can not identify the new attacks that did not appear. Through the above analysis, we design a Web anomaly intrusion detection method which uses frequent closed plot rules mining algorithm to deal with a large number of Web access log data. The frequent closed scenario rules mining algorithm can process a large amount of Web access log data quickly on Spark and mine frequent closed plot rules in parallel. At the same time, the algorithm also reduces some rules to improve the matching efficiency. These rules are redundant for Web anomaly intrusion detection. Then a grouping scheme is designed to improve the parallel efficiency of the algorithm. Finally, SQLMAP and WebCruiser are used to simulate some common Web attacks to obtain simulated attack data. The experimental results show that the detection rate and false alarm rate of our method in detecting abnormal users are 96.67% and 3.33 respectively. The reduction of redundant rules can also greatly improve the matching efficiency. In addition, it can be proved that our algorithm is more efficient than other sequential pattern mining algorithms, and is more suitable for processing a large amount of log data.
【学位授予单位】：山东大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP311.13;TP393.08

【相似文献】