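Abstract
To address the problem that traditional modeling easily introduces untrusted samples, a method for adaptively building an anomaly detection model for Web-based attacks is proposed. The sample set is classified according to the structural features of the Request-URL in each sample, and the attributes of the samples are used to construct a discreteness function for each classified subset, where the degree of discreteness serves as the basis for identifying the normal behavior set. On this basis, an improved Hidden Markov Model (HMM) algorithm is used to model the normal behavior sample set, and HMM merging is used to update the detection model dynamically. Experimental results show that the model built by the proposed method can effectively identify Web attack requests and reduce the false alarm rate of detection.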
Concerning the problem that untrusted samples can easily be introduced by traditional methods, an adaptive model was proposed in this paper. Based on a description of the structural features of the Request-URL, the whole sample set was divided into smaller subsets. The discreteness of each subset was calculated from its properties and used to determine whether the subset is normal. On this basis, the detection model was created from the normal subsets with the improved algorithm, and dynamic update of the model was achieved by Hidden Markov Model (HMM) merging. The experimental results show that the adaptive model built by the proposed method can effectively identify Web-based attacks and reduce the false alert ratio.
Source
《计算机应用》
CSCD
Peking University Core Journal
2012, Issue 7, pp. 2003-2006, 2014 (5 pages in total)
Journal of Computer Applications
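Funding
Science and Technology Project of the Jiangxi Provincial Department of Education (20101106)
International Cooperation Project of the Ministry of Science and Technology (2010DFA70990)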
Keywords
classification
discrete function
adaptive
Hidden Markov Model (HMM)
Intrusion Detection System (IDS)