
Research And Implementation Of Log-based Web Attack Trace Association Analysis Technology

Posted on: 2022-03-24
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Li
GTID: 2518306332967509
Subject: Cyberspace security

Abstract/Summary:
With the rapid development of Internet technology, web application systems, as an important part of the Internet, have been widely used in all walks of life. With web applications in large-scale use, their security has gradually received more attention. For enterprises that run their core business on web applications, attacks against those systems may bring huge losses. In the context of offensive and defensive confrontation, technologies such as log analysis and attack source tracing have gradually developed as a research direction. The significance of studying log analysis is that, after a web application system is attacked, the traces the attacker left during the attack can be used to reconstruct and analyze the attacker's actions, trace the attacker's source, and prevent a second attack.

Based on that, this paper studies a log-based web attack trace correlation analysis technology, which uses multi-source log information on the server to mine the correlation between different attack traces, so as to provide some help for web attack traceability. To analyze the relationship between attack traces, this paper collects different types of logs from multiple servers, first preprocesses the data, and selects appropriate log fields as the data source for feature extraction. This paper constructs an attack event description model based on key attributes and behavior sequences, collects character features of web attacks for feature extraction, generates attack event behavior sequences that include time, address and attack type, and implements a prototype system in the course of the research.

Finally, this paper improves the Apriori algorithm and proposes the concept of multi-level correlation, which is adapted to the analysis of attack event behavior sequences and can intuitively describe the degree of correlation between attack traces. The improved Apriori algorithm studied in this paper is optimized at the execution level, and its running time efficiency and degree of function realization are better than those of other association analysis algorithms. We innovatively applied it to research on attack path recovery technology, and finally derived the relationships among more than ten kinds of attack traces. An attack path recovery experiment verifies that the technology studied in this paper has a certain practical effect on attack tracing analysis.
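The pipeline the abstract outlines, from attack events carrying time, address and attack type to association rules between attack traces, can be sketched as follows. This is an added example using textbook Apriori, not the thesis's improved algorithm or its multi-level correlation; the attack-type labels, the per-address grouping and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample events: (time, source address, attack type).
EVENTS = [
    ("2022-01-05T10:00:01", "198.51.100.7", "dir_scan"),
    ("2022-01-05T10:02:13", "198.51.100.7", "sqli"),
    ("2022-01-05T10:09:40", "198.51.100.7", "webshell_upload"),
    ("2022-01-05T11:15:02", "203.0.113.9", "dir_scan"),
    ("2022-01-05T11:16:30", "203.0.113.9", "sqli"),
    ("2022-01-06T08:01:00", "192.0.2.44", "dir_scan"),
    ("2022-01-06T08:03:19", "192.0.2.44", "xss"),
    ("2022-01-06T09:30:00", "192.0.2.80", "sqli"),
    ("2022-01-06T09:31:45", "192.0.2.80", "webshell_upload"),
]

def transactions(events):
    """One transaction per source address: the set of attack types it produced."""
    by_src = defaultdict(set)
    for _time, src, kind in events:
        by_src[src].add(kind)
    return list(by_src.values())

def apriori(txns, min_support):
    """Textbook Apriori: map each frequent itemset to its support."""
    def support(s):
        return sum(s <= t for t in txns) / len(txns)
    level = {frozenset([i]) for t in txns for i in t}
    frequent = {}
    while level:
        kept = {s: support(s) for s in level if support(s) >= min_support}
        frequent.update(kept)
        # Join frequent k-itemsets, then prune candidates with an infrequent k-subset.
        level = {a | b for a in kept for b in kept if len(a | b) == len(a) + 1}
        level = {c for c in level
                 if all(frozenset(s) in kept for s in combinations(c, len(c) - 1))}
    return frequent

def rules(frequent, min_conf):
    """Single-consequent rules as (antecedent, consequent, confidence)."""
    out = []
    for items, sup in frequent.items():
        for rhs in (items if len(items) > 1 else ()):
            lhs = items - {rhs}
            conf = sup / frequent[lhs]
            if conf >= min_conf:
                out.append((tuple(sorted(lhs)), rhs, round(conf, 2)))
    return sorted(out)
```

On the constructed data, `rules(apriori(transactions(EVENTS), 0.5), 0.9)` keeps only the rule that every source seen uploading a webshell also produced SQL injection traces.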
Keywords/Search Tags: Multi-source logs, Correlation analysis, Apriori algorithm