Anomaly Detection Method Based On The Statistics Of The Web Client Behavior Research

With the increasing development of network technology, the technology research of network security mechanism is more focused.With the widely application of intrusion detection technology, unknown network attacks detection technology have researched very poor. Because web application's technology is widely developing. Those using the misuse detection in the intrusion detection technology do not meet the existing network security mechanisms. In particular, the B/S (Browser/Server) architecture is widely popular. At the same time the existing network attacks have become diversified.A large number of unknown network attacks have begun to emerge, therefore, this paper proposes a Web-based client behavior anomaly detection system.First we use statistical analysis technology designed the user pre-processing module to filter out most of the normal web user's HTTP request sequences。Those small amounts of the user's HTTP request sequence are processed by web user behavior module.Fisrstly, the paper obtains the nomal user's HTTP request sequence, and then uses the hidden semi-Markov model to establish the normal user browsing behavior model.Secondly, the detection system test the real-time web user's HTTP request sequences based on the established model of nomal user behavior. In the previous HsMM detection system we use the GA to optimization. First, the system selects a different time period user's HTTP request data and uses the GA to optimize the initial parameters. Second, we use the GA optimized parameters to revaluate the initial parameters.Ultimately, the sysytem use the optimized and revaluated initial parameters to train the nomal Web users's behavioral. Therefore, genetic algorithm to solve the HsMM training algorithm (Baum-Welch) sensitivity to initial parameters.Firstly, the sysytem uses the pre-use tool to analysis the user's access traffic.Secondly,at the user behavior modeling we use the data source that is the Web user's HTTP request records of the University of Saskatchewan server.We established the detection system based on HSMM of the GA optimization's initial parametes,and then comparing another moel that is established based on HsMM. Experimental results show an obvious improvement of the system to improve the detection rate and low the normal user's error rate.