Studies on Attack Characteristics Extraction Based on WebDecoy

Posted on: 2011-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: X B Ren
GTID: 2208360308967830
Subject: Computer application technology

Abstract/Summary:
This study is sponsored by the National Natural Science Foundation of China project "Study of Network Camouflaging Cooperative Security Model", grant number 60503008.

Because they are flexible to deploy and place few requirements on the client, Web applications based on the B/S (browser/server) pattern have become the mainstream of Web-based applications, and the accompanying security issues have become one of the focus areas of the network security field.

Existing feature extraction for Web attacks, based on genetic algorithms, data mining methods and so on, uses network packet data as the data source without considering the characteristics of the specific business application that is deployed. In practice, however, Web applications of the same pattern may serve different areas and functions. This thesis therefore studies feature extraction and detection for Web attacks against a specific system, based on WebDecoy. The effectiveness of the model and the algorithm has been validated by experiments.

The main work of the thesis is summarized as follows:

(1) The design of the framework of the attack feature extraction system based on WebDecoy. The framework is made up of two parts: the system module simulated by WebDecoy, and the feature extraction and detection module. The first module collects data on accesses to the protected objects in the system and hands the collected data to the second module, which analyzes it in order to detect Web attacks.

(2) The design and implementation of the system simulated by WebDecoy. PHPMyAdmin is chosen as the specific system, and it is simulated by embedding monitoring code. Three key problems are considered: where the code is embedded, how the code is embedded, and what the embedded code does. The database of the Web application is selected as the protected object; the aspect-oriented programming idea and the java.io system are used to embed the code automatically; and information about users who access the protected objects is obtained using the function variables provided by PHP.

(3) A discussion of two kinds of feature extraction and detection technology.

The first collects the HTTP requests that enter the system through the WebDecoy mechanism and performs feature extraction and detection based on a structure alignment algorithm. It uses the typical structural characteristics of HTTP requests to ignore single-character differences between requests and divides each request into a series of attributes. Dynamic comparison of the attributes then yields the similar structure and the characteristics of the attack behavior.

The second extracts the request data in the specific system through the WebDecoy mechanism and performs feature extraction and detection of Web attacks based on sequence pattern mining. The operations provided by the specific system are numbered, so that an attacker's operations in the system form a number sequence; a sequence pattern mining algorithm then derives the normal and attack sequence patterns. This solution can also introduce a pruning technique and an auto-learning function, which improve detection efficiency and discover unknown attacks as early as possible.

(4) The design and implementation of the attack feature extraction prototype based on WebDecoy. The effectiveness of the model and the algorithm has been validated by experiments.
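The structure alignment approach in item (3), sketched as an added example that is not code from the thesis: the abstract does not specify the alignment algorithm, so a longest-common-subsequence alignment is assumed here, and the request lines, the `/decoy/browse.php` path and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def generalize(value):
    """Ignore single-character differences: letter runs -> A, digit runs -> N."""
    return re.sub(r"[0-9]+", "N", re.sub(r"[A-Za-z]+", "A", value))

def attributes(request_line):
    """Divide one HTTP request line into an ordered list of attributes."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    attrs = [("method", method)]
    attrs += [("path", seg) for seg in parts.path.split("/") if seg]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        attrs.append(("param", name + "=" + generalize(value)))
    return attrs

def align(a, b):
    """Dynamic-programming alignment (assumed LCS): attributes common to both."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = 1 + table[i + 1][j + 1]
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    i = j = 0
    common = []
    while i < n and j < m:
        if a[i] == b[j]:
            common.append(a[i]); i += 1; j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return common

def extract_signature(request_lines):
    """Fold the alignment over all captured requests to get the shared structure."""
    signature = attributes(request_lines[0])
    for line in request_lines[1:]:
        signature = align(signature, attributes(line))
    return signature

def similarity(signature, request_line):
    """Fraction of the signature's attributes found, in order, in a new request."""
    return len(align(signature, attributes(request_line))) / len(signature)

# Constructed sample: two requests recorded by the decoy for the same operation.
CAPTURED = [
    "GET /decoy/browse.php?db=shop&table=orders&pos=0 HTTP/1.1",
    "GET /decoy/browse.php?db=crm&table=users&pos=30&sort=id HTTP/1.1",
]
SIGNATURE = extract_signature(CAPTURED)
```

A request scoring close to 1.0 against `SIGNATURE` shares the captured structure; the threshold that separates matches from non-matches is a tuning decision the abstract does not give.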
Keywords/Search Tags: WebDecoy, feature extraction, Web attacks, structure alignment algorithm, frequent attack sequence