Research And Application Of Web Service Anomaly Detection

Posted on: 2020-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: M D Jiang
GTID: 2438330620455611
Subject: Information security

Abstract/Summary:
With the development and innovation of Internet technology, Web services are favored by individuals, institutions and service providers because of their advantages over traditional applications, such as heterogeneity, dynamic interaction and cross-platform support. Web services, represented by e-commerce, information management platforms and social networks, have developed rapidly and become one of the core application services of the Internet. At the same time, because of the openness and sharing inherent in the network itself, the security risks faced by Web services cannot be ignored. In recent years, attacks against Web services have become more and more complex and the scale of attacks has been expanding, so the security situation of Web services is grim. Traditional security technology and attack protection systems are not very effective at detecting unknown threats, and where management is negligent, intranet violations cannot be stopped in time either. To remedy the deficiencies of traditional security systems in Web service security, this paper proposes anomaly detection methods based on business logic and log analysis. The main work of this paper is as follows:

(1) Combining business logic with anomaly detection, an anomaly detection method is proposed which uses the business logic generated in the process of Web service implementation to construct a profile of the user's normal behavior. This method uses the traffic data generated by users when accessing Web services as the data source for anomaly analysis, extracts the business logic at the server level of the Web service, and uses the rules of the access path as the criterion to distinguish the ordered data generated by normal users from the disordered data generated by abnormal behavior, so as to obtain the detection results. This method is designed for Web servers deployed on important nodes. The algorithm proposed in the anomaly detection based on business logic can be used to detect whether there are anomalies in a user's access and to provide reference information for administrators to adjust the site security policy in time.

(2) This paper combines log analysis, an outlier algorithm and anomaly detection: it extracts eigenvalues from Web log files and, after improving the classical outlier detection algorithm, uses the optimized OPT-LOF algorithm to perform vertical anomaly analysis and horizontal anomaly analysis respectively. The vertical anomaly analysis first partitions the log files by user, using the IP address as the classification criterion, then selects the vertical anomaly detection feature items and analyzes all of the access data of each user, obtaining the anomalous access records that deviate from the user's own access habits. The horizontal anomaly analysis classifies the log files with access time as the classification criterion. After the horizontal anomaly detection feature items are selected, the access behavior of all users in the same period of time is analyzed, and the abnormal log records that are inconsistent with the access behavior rules of all users in each period of time are obtained. This method can detect violations of user habits, and it can be an effective complement to traditional intrusion detection methods.

(3) The Web service anomaly detection system proposed in this paper is designed, including requirement analysis, overall design, module design and database design. Finally, the validity and efficiency of anomaly detection based on business logic and on log analysis are evaluated experimentally. The results show that the above anomaly detection methods can discover a large number of irregular anomalous visits to the site, SQL injection attempts against the site, semantic URL attacks, and anomalous visits that differ markedly from conventional access records. This method can effectively remedy the shortcomings of traditional intrusion detection methods. It enhances the monitoring of business flow and the analysis and review of log files in the Web service system. The method can also detect some illegal intrusions and operations, extend existing security defense methods, and enrich the network security defense system.
Keywords/Search Tags:Business Logic, Log Analysis, Anomaly Detection, Website, Security
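The vertical anomaly analysis described in (2), as an added example that is not code from the thesis: records are grouped by IP address and each record is scored against that user's own history. It uses the classical LOF algorithm rather than the thesis's OPT-LOF, which the abstract does not specify; the feature items, threshold and log records are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample records: (client IP, hour of day, request URL, response bytes).
LOGS = [
    ("10.0.0.5", 9, "/index.html", 5120),
    ("10.0.0.5", 10, "/products", 8300),
    ("10.0.0.5", 10, "/cart", 2100),
    ("10.0.0.5", 11, "/products", 8250),
    ("10.0.0.5", 9, "/login", 1800),
    ("10.0.0.5", 11, "/index.html", 5100),
    ("10.0.0.5", 3, "/products?id=1%27%20OR%20%271%27%3D%271", 310),
    ("10.0.0.9", 14, "/index.html", 5120),  # too few records to profile
]

def features(rec):
    # Assumed feature items: access hour, URL length, log10 of response size.
    _, hour, url, size = rec
    return (float(hour), float(len(url)), math.log10(size + 1))

def lof_scores(points, k=3):
    """Classical LOF: ratio of neighbours' local density to the point's own."""
    n = len(points)
    dist = [[math.dist(p, q) for q in points] for p in points]
    knn = [sorted((j for j in range(n) if j != i), key=lambda j: dist[i][j])[:k]
           for i in range(n)]
    kdist = [dist[i][knn[i][-1]] for i in range(n)]  # distance to k-th neighbour
    # Local reachability density; the floor avoids division by zero on duplicates.
    lrd = [k / max(sum(max(kdist[j], dist[i][j]) for j in knn[i]), 1e-9)
           for i in range(n)]
    return [sum(lrd[j] for j in knn[i]) / (k * lrd[i]) for i in range(n)]

def vertical_anomalies(logs, k=3, threshold=2.0):
    """Group records by IP, score each record against that IP's own history."""
    by_ip = defaultdict(list)
    for rec in logs:
        by_ip[rec[0]].append(rec)
    flagged = []
    for recs in by_ip.values():
        if len(recs) <= k:  # not enough history for k neighbours
            continue
        scores = lof_scores([features(r) for r in recs], k)
        flagged += [(r, round(s, 2)) for r, s in zip(recs, scores) if s > threshold]
    return flagged

if __name__ == "__main__":
    for rec, score in vertical_anomalies(LOGS):
        print(f"LOF={score} {rec}")
```

A score near 1 means the record sits in a region as dense as its neighbours; the horizontal analysis would reuse `lof_scores` with records grouped by time window instead of by IP.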