
Development Of The Computer Network Security Real-time Monitoring System (Server Version)

Posted on: 2008-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: D Yu
Full Text: PDF
GTID: 2178360212496180
Subject: Software engineering
Abstract/Summary:
As the openness, sharing and interconnection of networks have grown, the Internet has developed rapidly, and online services such as Internet banking, electronic wallets and electronic commerce have expanded especially fast; the network has become important to every part of society. At the same time, network crime increasingly harms personal computers, enterprises and even nations, and network security has become a serious concern. In recent years researchers have studied network authentication and authorization, network access control, firewalls, and host and system security administration, and have achieved a great deal. The traditional way of building an intrusion detection model is inefficient and expensive, whereas data mining is well suited to discovering previously unknown knowledge, so intrusion detection based on data mining has become a research hotspot. Network monitoring is likewise an urgent need for many users.

In essence, network security is the security of the information carried on the network: any technology or theory concerned with the confidentiality, integrity, availability, authenticity and controllability of network information belongs to the field. Attempts and behaviours such as unauthorized use of a system, abuse of privilege by authorized users, and access to another system beyond one's authority are called intrusions; their aim is to compromise the integrity, confidentiality or normal availability of information. Intrusion detection is an active defence technology. It monitors network activity without noticeably affecting network performance, and so offers real-time protection against external intrusion, internal attack and operator error. It is regarded as the security gate behind the firewall.

A system of software and hardware that detects intrusions is called an intrusion detection system (IDS). As operating systems become more complex and network traffic grows rapidly, the volume of audit data grows dramatically, and a key problem in implementing intrusion detection is how to select representative data from so much audit data and characterize programs and users accurately. The goal of data mining is to find latent, unknown and useful information in large volumes of data and abstract it into knowledge and rules, usually expressed as concepts, rules, regularities and models, so it is feasible to apply data mining to an intrusion detection system. Application code on Windows is device-independent: it is not permitted to talk to the lower layers of the machine directly, and attempting to access hardware directly through Windows APIs or I/O instructions causes protection-mode faults or worse. The system therefore does not touch the hardware itself; it interposes on network traffic through the Winsock2 Service Provider Interface (SPI) by building a DLL written against that interface. Because the interposition lives in the DLL, a version upgrade requires only replacing the DLL; the application program need not be modified.

The thesis first surveys existing network security technology and the direction of its evolution, then describes IDS analysis techniques and the trend of IDS development in detail, briefly covers data mining and its common uses in IDS, and finally introduces Windows network programming. Chapter four specifies the Winsock2 SPI, the programming interface to the lower layers of the system that is offered by the Winsock component.

The Winsock2 SPI connects kernel-mode drivers to higher-layer application programs and services every Winsock request the system generates, so Winsock data passes through the SPI layer, where it can be captured. The system uses this property to process the captured packets and thereby implement information filtering.

The thesis presents a model for a real-time network security monitoring system and specifies the design of its main modules, its processing flow and its implementation in detail. The system consists of a data capture module, a packet filtering module, a linkage display module, a history record query module, a statistical analysis module, an intelligent mining module, a database and a rule store. Winsock2 SPI technology is used in the data capture and packet filtering modules: data obtained by the capture module is processed by the filtering module. The SPI layer provides interface functions to configure the work mode and the control rules, and filtering is carried out according to the work mode, the control rules and the filtering rules. The linkage display module provides a session monitoring dialog; when a packet is blocked, the user can configure the work mode according to the parameter configuration prompt. Control rules are kept in the rule store, and users can add rules to it manually, for example adding or deleting an IP address range or a monitored port range. The history record module saves network sessions to a log file and supports queries of packet information by time interval. The attributes and content of sample data and real-time network data are stored in the database for use by the statistical analysis module and the intelligent mining module. The statistical analysis module computes and analyzes the data for a given period and presents the results, such as the top ten users' IP information for that period, as bar charts or pie charts.
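As an added example, not code from the thesis, the following portable C sketch implements the rule store and filtering decision described above: a work mode that supplies the default verdict, control rules expressed as an IP address range plus a port range, and a decision function in which the first matching rule wins. The type and function names (rule_t, add_rule, delete_rule, filter_decide, decide_endpoint) and the rule set are assumptions for illustration. In a real layered service provider the decision would be taken inside the provider's WSPConnect (and WSPSendTo) entry points after pulling the peer address out of the sockaddr_in the application passed in; that Windows-specific glue is left out so the logic compiles and runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Work mode: the verdict that applies when no control rule matches.
   Names are assumed for this example; the thesis does not name them. */
typedef enum { MODE_ALLOW_UNLESS_BLOCKED, MODE_BLOCK_UNLESS_ALLOWED } work_mode_t;
typedef enum { VERDICT_BLOCK = 0, VERDICT_ALLOW = 1 } verdict_t;

/* One control rule: an inclusive IPv4 range plus an inclusive port range
   (both in host byte order) and the verdict to return when both match. */
typedef struct {
    uint32_t ip_lo, ip_hi;
    uint16_t port_lo, port_hi;
    verdict_t verdict;
} rule_t;

#define MAX_RULES 64
static rule_t rule_store[MAX_RULES];   /* the rule store */
static int rule_count = 0;
static work_mode_t work_mode = MODE_ALLOW_UNLESS_BLOCKED;

/* Parse a dotted-quad IPv4 string into a host-order integer; 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

void clear_rules(void) { rule_count = 0; }
void set_work_mode(work_mode_t m) { work_mode = m; }

/* Add a rule (an "IP address segment" plus a "port segment" in the thesis's
   terms). Rejects malformed addresses and inverted ranges. Returns 1 on success. */
int add_rule(const char *ip_lo, const char *ip_hi,
             uint16_t port_lo, uint16_t port_hi, verdict_t verdict) {
    uint32_t lo, hi;
    if (rule_count >= MAX_RULES) return 0;
    if (!parse_ipv4(ip_lo, &lo) || !parse_ipv4(ip_hi, &hi)) return 0;
    if (lo > hi || port_lo > port_hi) return 0;
    rule_store[rule_count++] = (rule_t){ lo, hi, port_lo, port_hi, verdict };
    return 1;
}

/* Delete the rule at idx; the remaining rules keep their relative order. */
int delete_rule(int idx) {
    if (idx < 0 || idx >= rule_count) return 0;
    memmove(&rule_store[idx], &rule_store[idx + 1],
            (size_t)(rule_count - idx - 1) * sizeof(rule_t));
    rule_count--;
    return 1;
}

/* The filtering decision: first matching rule wins; otherwise the work mode
   supplies the default verdict. */
verdict_t filter_decide(uint32_t ip, uint16_t port) {
    for (int i = 0; i < rule_count; i++) {
        const rule_t *r = &rule_store[i];
        if (ip >= r->ip_lo && ip <= r->ip_hi &&
            port >= r->port_lo && port <= r->port_hi)
            return r->verdict;
    }
    return work_mode == MODE_ALLOW_UNLESS_BLOCKED ? VERDICT_ALLOW : VERDICT_BLOCK;
}

/* What an LSP hook would call once it has extracted the peer address
   (ntohl(sin_addr), ntohs(sin_port)). Fails closed on a malformed address. */
verdict_t decide_endpoint(const char *ip, uint16_t port) {
    uint32_t v;
    if (!parse_ipv4(ip, &v)) return VERDICT_BLOCK;
    return filter_decide(v, port);
}

int main(void) {
    /* Constructed rule set: carve one web server out of a blocked subnet. */
    add_rule("10.0.5.1", "10.0.5.1", 80, 80, VERDICT_ALLOW);
    add_rule("10.0.0.0", "10.0.255.255", 1, 65535, VERDICT_BLOCK);
    printf("10.0.5.1:80    -> %s\n", decide_endpoint("10.0.5.1", 80) ? "allow" : "block");
    printf("10.0.5.1:443   -> %s\n", decide_endpoint("10.0.5.1", 443) ? "allow" : "block");
    printf("192.168.1.1:80 -> %s\n", decide_endpoint("192.168.1.1", 80) ? "allow" : "block");
    return 0;
}
```

Two points worth checking in any implementation of this design: rule order matters because the first match wins, so a narrow allow rule must be placed before the broad block rule it carves an exception out of; and decide_endpoint fails closed, returning VERDICT_BLOCK for an address it cannot parse, which the provider would report to the caller as SOCKET_ERROR with *lpErrno set to WSAEACCES.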
The intelligent mining module extracts sample data from the database, mines and processes it with an improved algorithm to obtain the characteristics or rules of user activity, and then builds new rules by updating those obtained in the previous steps. Matching these rules against the rules mined from the real-time data reveals abnormal behaviour. Tests in an experimental environment show that packet capture and filtering with Winsock2 SPI are efficient and fast, and that the improved data mining algorithm used for intelligent detection improves the practicability of the mined rules while reducing system overhead and the false alarm rate.
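The abstract does not describe the improved mining algorithm, so the following added C example (my own illustration, not the thesis's code) stands in a deliberately simple version of the matching step it describes: mine a baseline profile of frequent (source IP, destination port) patterns from historical session records, mine the same kind of profile from a real-time window, and report patterns that are frequent now but were not frequent rules in the baseline. The support threshold, the record layout and the names (session_t, pattern_t, profile_t, find_anomalies, run_demo) are assumptions, and the session records are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One network session record as a capture module might store it.
   Only the fields this example needs; the names are assumed. */
typedef struct { uint32_t src_ip; uint16_t dst_port; } session_t;

/* A mined pattern: a (source, destination port) pair and its occurrence count. */
typedef struct { uint32_t src_ip; uint16_t dst_port; int count; } pattern_t;

#define MAX_PATTERNS 128
typedef struct { pattern_t p[MAX_PATTERNS]; int n; int total; } profile_t;

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

static void profile_add(profile_t *pr, const session_t *s) {
    pr->total++;
    for (int i = 0; i < pr->n; i++) {
        if (pr->p[i].src_ip == s->src_ip && pr->p[i].dst_port == s->dst_port) {
            pr->p[i].count++;
            return;
        }
    }
    if (pr->n < MAX_PATTERNS)
        pr->p[pr->n++] = (pattern_t){ s->src_ip, s->dst_port, 1 };
}

/* Build a profile (the mined rules) from a set of session records. */
void profile_build(profile_t *pr, const session_t *s, int n) {
    memset(pr, 0, sizeof *pr);
    for (int i = 0; i < n; i++) profile_add(pr, &s[i]);
}

/* Support of a pattern: the fraction of the profile's sessions it accounts for. */
static double support(const profile_t *pr, uint32_t ip, uint16_t port) {
    for (int i = 0; i < pr->n; i++)
        if (pr->p[i].src_ip == ip && pr->p[i].dst_port == port)
            return pr->total ? (double)pr->p[i].count / pr->total : 0.0;
    return 0.0;
}

/* Match the real-time rules against the baseline rules: a pattern that is
   frequent in the live window but was not a frequent rule in the baseline is
   reported as an anomaly. Returns the number found; copies up to max_out. */
int find_anomalies(const profile_t *baseline, const profile_t *live,
                   double min_support, pattern_t *out, int max_out) {
    int found = 0;
    for (int i = 0; i < live->n; i++) {
        const pattern_t *p = &live->p[i];
        if (support(live, p->src_ip, p->dst_port) >= min_support &&
            support(baseline, p->src_ip, p->dst_port) < min_support) {
            if (found < max_out) out[found] = *p;
            found++;
        }
    }
    return found;
}

/* Constructed sample data: historical sessions and a live window. Host 10.0.0.7
   talking to port 445 is rare in the history but dominates the window. */
static const session_t baseline_sessions[] = {
    { IP4(10,0,0,5), 80 }, { IP4(10,0,0,5), 80 }, { IP4(10,0,0,5), 80 },
    { IP4(10,0,0,5), 80 }, { IP4(10,0,0,5), 80 }, { IP4(10,0,0,5), 80 },
    { IP4(10,0,0,6), 25 }, { IP4(10,0,0,6), 25 }, { IP4(10,0,0,6), 25 },
    { IP4(10,0,0,7), 445 },
};
static const session_t live_sessions[] = {
    { IP4(10,0,0,5), 80 }, { IP4(10,0,0,5), 80 },
    { IP4(10,0,0,7), 445 }, { IP4(10,0,0,7), 445 }, { IP4(10,0,0,7), 445 },
};

/* Run the comparison on the constructed data; returns the anomaly count. */
int run_demo(pattern_t *out, int max_out) {
    profile_t baseline, live;
    profile_build(&baseline, baseline_sessions,
                  (int)(sizeof baseline_sessions / sizeof *baseline_sessions));
    profile_build(&live, live_sessions,
                  (int)(sizeof live_sessions / sizeof *live_sessions));
    return find_anomalies(&baseline, &live, 0.2, out, max_out);
}

int main(void) {
    pattern_t hits[8];
    int n = run_demo(hits, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("anomaly: %u.%u.%u.%u -> port %u (%d sessions in window)\n",
               (unsigned)(hits[i].src_ip >> 24), (unsigned)((hits[i].src_ip >> 16) & 255),
               (unsigned)((hits[i].src_ip >> 8) & 255), (unsigned)(hits[i].src_ip & 255),
               (unsigned)hits[i].dst_port, hits[i].count);
    return 0;
}
```

The support threshold is the knob that trades sensitivity against the false alarm rate the abstract mentions: lowering it promotes more baseline patterns to rules and so suppresses more alerts, raising it does the opposite. A baseline rule that simply disappears from the window is deliberately not reported, since silence is not by itself an intrusion in this model.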
Keywords/Search Tags: Development