摘要
为提升跨站脚本(XSS)漏洞检测方法的检测效果,本文提出了基于隐马尔科夫模型(HMM)的攻击向量动态生成和优化方法。采用决策树模型和代码混淆策略对攻击向量进行分类和变形,获得测试用攻击向量。使用注入点去重处理和探子技术去除一部分不存在XSS漏洞的Web页面,避免重复检测不同Web页面中相同的漏洞注入点,减少测试阶段与Web服务器的交互次数;进一步采用XPath路径定位技术提高漏洞检测结果分析的效率。对比实验结果表明,本文提出的方法降低了响应时间和漏报率,提高了检测效率。
To improve the detection results of cross site scripting(XSS)vulnerability,a dynamic attack vector generation and optimization scheme was proposed based on hidden Markov model.The mutated attack vector was generated by using decision tree model to classify the attack vectors and the code confusion strategy to deform the attack vector.To reduce the interactions between the test phase and the web server,an injection point de duplication and probe algorithm are designed to remove web pages that do not include XSS vulnerabilities and to avoid detecting the same injection point in different web pages.XPath path location technology was adopted to improve the analysis efficiency for vulnerability detection results.Experimental results show that the proposed method can reduce the response time and the miss report,and improve the detection efficiency.
作者
王丹
顾明昌
赵文兵
WANG Dan;GU Mingchang;ZHAO Wenbing(College of Computer Science, Beijing University of Technology, Beijing 100124, China)
出处
《哈尔滨工程大学学报》
EI
CAS
CSCD
北大核心
2017年第11期1769-1774,共6页
Journal of Harbin Engineering University
基金
国家自然科学基金重大研究计划培育项目(91546111)
北京市自然科学基金项目(4173072)
信息网络安全公安部重点实验室开放课题项目
关键词
跨站脚本漏洞
渗透测试
隐马尔科夫模型
攻击向量
注入点
cross site scripting
penetration test
hidden Markov model(HMM)
attack vector
injection point
