网络主动防护下潜在漏洞溢出点检测方法仿真

Simulation of Potential Vulnerability Spillover Detection Under Network Active Protection

潜在溢出漏洞是一种较为常见的软件漏洞,其对计算机网络造成的危害巨大。针对常规漏洞溢出检测方法根据漏洞攻击对象类别属性以及字符串编码形式的修改完成漏洞溢出点数据标记,但难以对异常点进行辨别,存在溢出点检测时间长、速度慢以及内存占用大、误检等情况。提出一种网络主动防护下潜在漏洞溢出点检测方法。通过检测潜在漏洞溢出点的频繁模式和关联规则,剥离数据流中的噪声点和异常点,计算安全数据的加权频繁溢出因子,精确定位潜在漏洞溢出点,从中自动筛选出溢出属性。在空间维,基于最大后验概率选取待检测潜在漏洞溢出点测量传感器当前时刻的空间近邻点,在时间维,选取待检测潜在漏洞溢出点传感器之前若干个时段的检测结果作为时间近邻点,依据待检测漏洞溢出点测量传感器与其空-时近邻点测量数据之间的差异对其溢出程度进行量化,利用似然比检验判断待测数据是否为潜在漏洞溢出点。实验结果表明,所提方法可有效剥离数据流中的噪声点和异常点,相比当前检测方法具有溢出点检测耗时短、速度快以及内存占用小等优势。

This article focuses on a method to detect spill point of potential vulnerability in network active protec- tion. Through detecting frequent patterns and association rules of potential vulnerability spill points, and stripping out noise points and abnormal points in data flow, weighted frequent spill factors of security data were calculated, and po- tential vulnerability spill points were located precisely. Automatically, the overflow attribute was screened out. In the spatial dimension, the potential vulnerability spill point to be detected was selected to measure spatial neighbor point of sensor at the present moment based on the maximum posterior probability. In the time dimension, the detection re- sult at several periods of time before measuring sensor was selected as the neighbor point of time. According to the po- tential spill point to be detected, the difference between the sensor and the measurement data of space-time neighbor points was measured, and degree of spillover was quantized. Finally, the likelihood ratio test was used to determine whether the data to be tested was the potential spill point. Experimental results show that the proposed method can effectively strip out noise point and abnormal point in data flow. Compared with current detection methods, the proposed method has short detection time for spill point, high speed and small memory footprint.