
Research On Attack Behavior Technology Detection Of S2-045 Vulnerability Based On Cyber Range

Posted on: 2020-09-10
Degree: Master
Type: Thesis
Country: China
Candidate: S Lu
GTID: 2428330572467235
Subject: Information and Signal Processing

Abstract/Summary:
On March 6, 2017, a remote command execution vulnerability in Apache Struts2 was disclosed under the number S2-045. A malicious user can trigger the vulnerability by modifying the Content-Type value in the HTTP request header when the file upload function based on the Jakarta plugin is in use. Within two or three days of the disclosure, NSFOCUS reported that the number of tests had reached more than 20,000. The main affected sectors are government departments, the financial industry, educational institutions, the communications industry, and the Internet industry.

The traditional Struts2 vulnerability detection method is based on a traffic detection engine. It analyzes the behavior of the payload and matches keywords specific to the vulnerability; if a packet matches, it is judged to contain the attack behavior. This thesis creatively proposes the use of machine learning to detect attack behavior and takes the S2-045 vulnerability as the research object.

The thesis introduces the basic principles of the OGNL language and the Struts2 framework, simulates an attack in the simulation domain of the cyber range to reproduce the attack process of the S2-045 vulnerability, and analyzes the captured packet data in detail to understand in depth how exploitation of the vulnerability leads to code execution. The second chapter introduces the mainstream machine learning algorithms, including the support vector machine (SVM), the random forest algorithm, and common feature vector selection methods. In the third chapter, based on the characteristics of the S2-045 vulnerability and the unfavorable factors in collecting data sets, the TV-SVM algorithm and an improved random forest algorithm based on feature partitioning are proposed.

Based on the "one pool and five domains" model, an overall design scheme for the cyber range is proposed, which mainly includes the supporting environment module, the attack domain, the defensive domain, and the simulation domain. The supporting environment module provides the software and hardware environment of the system and is the core of the whole system. The attack domain and the defensive domain cooperate to form an online detection platform, and the simulation domain provides various research environments, including a reproduction environment, a target machine, and so on. The defensive domain includes an algorithm analysis module based on a machine learning model, which is used to detect S2-045 attack behavior. The attack domain provides attack scripts and displays statistics.

On the simulation experiment platform, different algorithms are used to detect the sample data. The BP-RF algorithm is found to have the best effect, while the performance of the TV-SVM algorithm and the SVM algorithm differs little. In detection in the online environment of the cyber range, the TV-SVM algorithm has the best performance and performs better than it did in simulation. Compared with the traditional keyword matching method, the detection rate is increased by 15.3% and the false alarm rate is reduced by 11.3%. Therefore, the TV-SVM algorithm is the most suitable for detecting vulnerability attack behavior in real environments.
Keywords/Search Tags:Network security, Struts2 Vulnerability, Machine learning, Cyber range
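
The traditional keyword-matching baseline described in the abstract, applied to the Content-Type header, can be sketched as follows. This is an added example, not code from the thesis: the keyword list, the extra "malformed" label for values that do not look like a media type, and the sample requests are all assumptions constructed for illustration.

```python
import re

# Assumed keyword list: OGNL expression delimiters and names that have no
# place in a legitimate Content-Type value.
KEYWORDS = ("%{", "${", "#_memberaccess", "#context", "ognl.")

# Shape of a legitimate media type: type/subtype plus optional ;key=value params.
MEDIA_TYPE = re.compile(
    r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=(\"[^\"]*\"|[^;\s\"]+))*\s*$")

def content_type(raw_request: str):
    """Return the Content-Type value of a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None

def keyword_hits(value: str):
    """Keywords found in the header value (case-insensitive match)."""
    lowered = value.lower()
    return [k for k in KEYWORDS if k in lowered]

def classify(raw_request: str):
    """Label a request 'attack', 'malformed' or 'normal' from Content-Type alone."""
    value = content_type(raw_request)
    if value is None:
        return "normal"
    if keyword_hits(value):
        return "attack"
    return "normal" if MEDIA_TYPE.match(value) else "malformed"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "upload": "POST /upload.action HTTP/1.1\r\nHost: range.example\r\n"
              "Content-Type: multipart/form-data; boundary=----x1\r\n\r\n",
    "json": "POST /api HTTP/1.1\r\nHost: range.example\r\n"
            "content-type: application/json; charset=utf-8\r\n\r\n{}",
    "ognl": "POST /upload.action HTTP/1.1\r\nHost: range.example\r\n"
            "Content-Type: %{#constructed_placeholder}\r\n\r\n",
    "odd": "POST /upload.action HTTP/1.1\r\nHost: range.example\r\n"
           "Content-Type: not a media type\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, classify(request))
```

A fixed keyword list only catches the strings it names, which is the limitation the abstract cites as motivation for a learned classifier.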