
A Web-Attack Anomaly Detection Method Based on URL

Posted on: 2018-03-24
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Peng
GTID: 2348330569986425
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of network and information technology, the Internet makes our daily life more and more convenient. However, network systems may contain a variety of vulnerabilities because developers lack security awareness, which makes network servers frequent targets for hackers. Internet security has therefore become an urgent problem. Intrusion detection is the main means of defense against Web-based attacks. Intrusion Detection Systems (IDS) fall into two major categories: misuse detection and anomaly detection. In a misuse detection approach, abnormal behavior is defined first, and all other behavior is then treated as normal. The disadvantage of misuse detection is that it must match the attack rules exactly, and it is hard to maintain and update. To solve this problem, more and more attention is being paid to anomaly-based intrusion detection. Anomaly-based approaches mostly build a detection model from training samples and classify unknown behavior by matching it against the normal model. Against this research background, the main work of this thesis on HTTP flow data is as follows:

(1) Anomaly detection for parameters: the traditional hidden Markov model (HMM) detection algorithm cannot detect parameter values that have not been trained well. This thesis therefore uses the equivalence-class idea from rough set theory to improve the HMM training process. Equivalence classes generalize parameter-value characters of the same class, which solves this problem.

(2) For data that does not contain parameter values: a node anomaly detection model based on energy heat is proposed. The principle of this model is that an anomalous node is not visited by many people; only a few attackers visit it. In addition, the number of daily requests made by humans and the number made by machines differ greatly. The model can effectively detect anomalous paths, anomalous pages, and anomalous files.

(3) Finally, the two models are combined into a complete anomaly detection system, which performed well on real data sets provided by a company.
Keywords/Search Tags:anomaly detection, rough set, equivalence class, HMM, energy heat
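
The effect of the equivalence-class generalization described in item (1), shown as an added example that is not code from the thesis. A first-order Markov chain stands in for the HMM, and the class mapping (letters, digits, other characters kept as-is), the sample parameter values and the minimum-score threshold are all assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample values of one URL parameter (e.g. ?user=...), all benign.
TRAIN = ["alice", "bob42", "dave7", "mallory", "u1001"]

def char_class(c):
    # Assumed equivalence classes: any letter -> "A", any digit -> "D".
    # Other characters stay themselves so unusual punctuation remains visible.
    if c.isalpha():
        return "A"
    if c.isdigit():
        return "D"
    return c

def symbols(value, generalize):
    seq = [char_class(c) if generalize else c for c in value]
    return ["^"] + seq + ["$"]  # start and end markers

class ChainModel:
    """First-order Markov chain over symbols (simpler stand-in for an HMM)."""

    def __init__(self, generalize):
        self.generalize = generalize
        self.pairs, self.totals = Counter(), Counter()

    def train(self, values):
        for v in values:
            s = symbols(v, self.generalize)
            for a, b in zip(s, s[1:]):
                self.pairs[(a, b)] += 1
                self.totals[a] += 1
        # Assumed threshold: the lowest score seen among the training values.
        self.threshold = min(self.score(v) for v in values)
        return self

    def score(self, value, floor=1e-6):
        # Mean log-probability per transition; unseen transitions get `floor`.
        s = symbols(value, self.generalize)
        logp = 0.0
        for a, b in zip(s, s[1:]):
            n = self.pairs[(a, b)]
            logp += math.log(n / self.totals[a] if n else floor)
        return logp / (len(s) - 1)

    def is_anomalous(self, value):
        return self.score(value) < self.threshold

if __name__ == "__main__":
    raw, gen = ChainModel(False).train(TRAIN), ChainModel(True).train(TRAIN)
    for v in ["carol7", "eve'--"]:  # unseen benign value, unseen punctuation
        print(v, "raw:", raw.is_anomalous(v), "generalized:", gen.is_anomalous(v))
```

The character-level model flags the benign but untrained value "carol7", while the class-level model accepts it and still flags the value whose punctuation never appeared in training.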