摘要
提出一种基于Web用户访问行为的异常检测方案,用于检测应用层上的分布式拒绝服务攻击,并以具有非稳态流特性的大型活动网站为例,进行应用研究.根据Web页面的超文本链接特征和网络中各级Web代理对用户请求的响应作用,用隐半马尔可夫模型来描述服务器端观测到的正常Web用户的访问行为,并用与大多数正常用户访问行为特征的偏离作为一个流的异常程度的测量.给出了模型的参数化方法,推导了模型参数估计与异常检测算法,讨论了实际网络环境下异常检测系统的实现方法.最后用实际数据验证了模型和检测算法的有效性.仿真结果表明,该模型和检测算法可以很好地描述Web用户的正常浏览行为,有效地检测应用层分布式拒绝服务攻击.
This paper proposes an anomaly detection based on Web user access behavior for the defense of application layer Distributed Denial-of-Service (DDoS) attack. Based on the hyperlink characteristics of Web pages and the HTTP responding effect of different proxies in the Internet, this paper uses hidden semi-Markov model (HsMM) to describe the Web user browsing behavior observed at Web server, and employs likelihood of the observation sequence on user browsing behaviors fitting to the model as a measure of user's normality. A parameterized model and its recursive formulae are derived and an on-line anomaly detection approach is introduced. Some issues involved in practical implementations of the model and the anomaly detection approach are discussed. Finally, an experiment is conducted to validate the model and the algorithm, which is based on a set of data colleted from a heavy-loaded Web server and an emulated DDoS attack that launches HTTP flooding to the Web site. The experimental results show that the model is effective in measuring the user behaviors and in detecting the application layer DDoS attacks.
出处
《软件学报》
EI
CSCD
北大核心
2007年第4期967-977,共11页
Journal of Software
基金
SupportedbytheNationalNaturalScienceFoundationofChinaunderGrantNo.90304011(国家自然科学基金)
theNaturalScienceFoundationofGuangdongProvinceofChinaunderGrantNo.04009747(广东省自然科学基金)
theResearchFundfortheDoctoralProgramofHigherEducationofChinaunderGrantNo.20040558043(高等学校博士学科点专项科研基金)
关键词
隐半马尔可夫模型
大型活动网站
浏览行为
分布式拒绝服务
异常检测
hidden semi-Markov model
large-scale Web site
browsing behavior
DdoS (distributed denial-of-service)
anomaly detection
