Abstract
Most existing detection methods for malware that communicates over the HTTP protocol do not provide a visual interface. To address this, an HTTP anomaly activity forensics and visualization system (HAFVS) is proposed. First, the server gateway log files are analysed to construct a request graph of the HTTP requests; then, event grouping and a frequent itemset mining (FIM) algorithm are used to aggregate events so as to reduce the number of visualized entries, and a popularity filter is used to identify popular events; finally, a visual interface is built that displays the access trajectory of each event, fading out popular events (normal events) and highlighting special events (malicious events). Experimental results show that the system reduces the number of visualized event entries by a factor of 18.9 and can accurately identify and highlight anomalous access traffic, giving network administrators a solid basis for judgement and greatly reducing labour cost.
For malicious programs that communicate over the HTTP protocol, existing detection methods cannot provide a visual interface. Therefore, an HTTP anomaly activity forensics and visualization system (HAFVS) is proposed. First, the server gateway log files are analysed to construct the request graph of the HTTP requests. Then, event grouping and a frequent itemset mining (FIM) algorithm are used to reduce the number of visualized items, and a popularity filter is used to identify popular events. Finally, a visual interface is constructed that displays each event's access trace, fades out the popular events (normal events) and highlights the special events (malicious events). Experimental results show that the system reduces the number of visualized event items by a factor of 18.9 and can accurately identify and highlight anomalous access traffic. It provides a strong basis for network management and greatly reduces the human effort required.
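To make the pipeline in the abstract concrete, the following is an added example written for this page; it is not the authors' HAFVS code and the paper's actual log format, grouping rules, support threshold and popularity threshold are not given here, so those are all assumptions. It walks a few constructed gateway log lines through the four stages the abstract names: building a referer-based request graph, grouping requests into events, collapsing events onto their largest frequent itemset (a small Apriori), and applying a popularity filter so that rows made only of hosts seen from several clients are faded while rows containing a host seen from a single client are highlighted.

```python
"""Miniature HAFVS-style pipeline over constructed gateway log lines.
Added example, not the paper's code; format and thresholds are assumed."""
from collections import defaultdict
from itertools import combinations

# Constructed sample log: client  timestamp  host  path  referer ("-" = none).
# Three clients visit a normal site; client 10.0.0.3 also polls a lone host
# with no referer, the kind of entry the popularity filter should surface.
SAMPLE_LOG = """\
10.0.0.1 2016-03-01T09:00:01 www.example.com / -
10.0.0.1 2016-03-01T09:00:02 cdn.example.com /app.js http://www.example.com/
10.0.0.1 2016-03-01T09:00:02 ads.example.net /pixel.gif http://www.example.com/
10.0.0.2 2016-03-01T09:00:05 www.example.com / -
10.0.0.2 2016-03-01T09:00:06 cdn.example.com /app.js http://www.example.com/
10.0.0.2 2016-03-01T09:00:06 ads.example.net /pixel.gif http://www.example.com/
10.0.0.3 2016-03-01T09:00:10 www.example.com / -
10.0.0.3 2016-03-01T09:00:11 cdn.example.com /app.js http://www.example.com/
10.0.0.3 2016-03-01T09:01:00 203.0.113.7 /gate.php -
10.0.0.3 2016-03-01T09:06:00 203.0.113.7 /gate.php -
10.0.0.3 2016-03-01T09:11:00 203.0.113.7 /gate.php -
"""


def parse_log(text):
    """Split the (assumed) five-column format into request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, host, path, referer = line.split()
        records.append({"client": client, "ts": ts, "host": host, "path": path,
                        "referer": None if referer == "-" else referer})
    return records


def build_request_graph(records):
    """Request graph: directed edges from the referer's host to the requested host."""
    edges = defaultdict(set)
    for r in records:
        if r["referer"]:
            edges[r["referer"].split("/")[2]].add(r["host"])
    return dict(edges)


def group_events(records):
    """Event grouping: per client, a request with no referer opens (or re-hits) a
    root event; a referred request joins that client's most recent event whose
    hosts include the referer host. Each event keeps its host set and request count."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: (r["client"], r["ts"])):
        by_client[r["client"]].append(r)
    events = []
    for client, recs in by_client.items():
        client_events = []
        for r in recs:
            if r["referer"]:
                ref_host = r["referer"].split("/")[2]
                target = next((e for e in reversed(client_events) if ref_host in e["hosts"]), None)
            else:
                target = next((e for e in client_events if e["root"] == r["host"]), None)
            if target is None:
                target = {"client": client, "root": r["host"], "hosts": set(), "requests": 0}
                client_events.append(target)
            target["hosts"].add(r["host"])
            target["requests"] += 1
        events.extend(client_events)
    return events


def frequent_itemsets(transactions, min_support):
    """Plain Apriori: {frozenset(hosts): support} for sets in >= min_support transactions."""
    level = {frozenset([i]) for t in transactions for i in t}
    result = {}
    while level:
        counts = {s: sum(1 for t in transactions if s <= t) for s in level}
        frequent = {s: c for s, c in counts.items() if c >= min_support}
        result.update(frequent)
        keys = list(frequent)
        level = {a | b for a, b in combinations(keys, 2) if len(a | b) == len(a) + 1}
    return result


def aggregate(events, itemsets):
    """Collapse each event onto its largest frequent itemset (its 'pattern');
    events sharing a pattern become one visual row."""
    rows = {}
    for e in events:
        hosts = frozenset(e["hosts"])
        candidates = [s for s in itemsets if s <= hosts]
        pattern = max(candidates, key=len) if candidates else hosts
        row = rows.setdefault(pattern, {"clients": set(), "requests": 0})
        row["clients"].add(e["client"])
        row["requests"] += e["requests"]
    return rows


def popular_hosts(records, min_clients):
    """Popularity filter: a host is popular if at least min_clients distinct clients hit it."""
    clients = defaultdict(set)
    for r in records:
        clients[r["host"]].add(r["client"])
    return {h for h, c in clients.items() if len(c) >= min_clients}


def run_pipeline(text, min_support=2, min_clients=2):
    """Returns the display rows: ('faded' | 'HIGHLIGHT', hosts, clients, request count)."""
    records = parse_log(text)
    events = group_events(records)
    transactions = [frozenset(e["hosts"]) for e in events]
    itemsets = frequent_itemsets(transactions, min_support)
    rows = aggregate(events, itemsets)
    popular = popular_hosts(records, min_clients)
    display = sorted(("faded" if p <= popular else "HIGHLIGHT", sorted(p),
                      sorted(v["clients"]), v["requests"]) for p, v in rows.items())
    return {"records": len(records), "events": len(events), "rows": len(display),
            "reduction": len(records) / len(display), "graph": build_request_graph(records),
            "itemsets": itemsets, "display": display}


if __name__ == "__main__":
    out = run_pipeline(SAMPLE_LOG)
    print(f"{out['records']} requests -> {out['rows']} rows ({out['reduction']:.1f}x)")
    for style, hosts, clients, n in out["display"]:
        print(f"[{style:9}] {', '.join(hosts)}  clients={clients}  requests={n}")
```

On the sample the eleven requests collapse to three rows; the two rows built only from hosts that several clients reached are faded, and the single-client polling host is the one row that stays highlighted, which is the reduction-then-emphasis effect the abstract describes (the 18.9x figure is the paper's own result on its data, not something this toy reproduces).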
Source
Microcomputer Applications (《微型电脑应用》)
2016, No. 3, pp. 23-26 (4 pages)
Microcomputer Applications
Funding
Natural Science Foundation of Xinjiang Uygur Autonomous Region, research project 2015211A016
Keywords
HTTP
computer forensics
anomaly activity forensics
request graph
visualization system
anomalous traffic detection
HTTP
Computer forensic
Anomaly Activity Forensics
Request Graph
Visualization System
Abnormal Traffic Detecting