
HTTP

m.geraily@gmail.com


HTTP

.
.
False Positive
.
.
HTTP .
HTTP
. False Positive ROC
.
.

:
False Positive

.1

] [6,12,13,14 .

. ][4

2007 1098723791
.

.

)(
. 1
.

.

.
.
.

3
. 4

. 5

6 .
.2


] [11 ) : (1
-1

) (

.
-2

: ) (

2
.3

: 4

-3

( .

HTTP

1

-web application
- Signature
3
- Anomaly
2

- Parameterization





.3
) (1


:
:


.
:


.
.

.

.

2
. HTTP
HMM
HTTP
:

HMM
HTTP .


HMM
HMM .
.
. search.php

. HTTP

) (

False Positive .

HMM

:

.

.




HTTP
HTTP
.

.4


.

. :
.1

.2

.3

.4



.


HTTP .


HTTP
:
. .....


. HMM .5SVM
HMM .
.5 6 7


.

.
.
:


) (outlier
.


] .[10

2
5

-support vector machine


-classifier
7
-ensemble
6

false positive

. 3.5

.
: 10
.

.

.
.5

3
:
) 8(MCS


. ] [378 .
MCS

. MCS
HMM .
4
9 HMM } .

{=H

n HMM

HMM

(a
(b (c
(d HMM
2 .
(a :
.
.


.
.
.
HMM .
-1

- multiple classifier
-HMM ensemble

:
.

.

8
9

- fusion

10

-2

:

HMM
.


) (Cre.mitre.org

][1,M

|)

( |q

= N
|
| .

11

) ' ('/','- ..

N A .

" "/dir/sub/1,2 ""/AAA/AAA/N,N

. HMM

(b : 2
:

(1 HMM ) }({ cat,key


.
(2
HMM
) {N,N} : cat .({A,A,A} key

HMM
.

www.milworm.com

.


:

)|/N

() = |q

(freq



.
)

( freq

M
)

(c :

12

( q i

( .

-Suspicious
- Legitimate

11
12

|)

( . |q

HMM

HMM

HMM

)
( .

.
} { a,b,c,b,c

( freq.

a,b,c .

( S

:
][1,M

( freq

HMM
14
.

13

.
HMM.

(d : HMM

HMM
: )
(
. Baum-Welch ][9
HMM .

likelihood . HMM

: HMM
HMM
. S i
HMM HMM

:
)

(|s) p (s) / p

()=p

|p(s


. HMM

-confidence factor

13

- apriori knowledge

14

15
:

][1,k

) =c ,

. IDS

(P

k HMM HMM
.
, :
][1,k

) , i

][1,k


False positive ).
(D

.

|Output = max { p ( s
| s) , i

( man { p

) p(s .


.
HMM .
16 HMM
.
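The attribute encoding sketched above (letters to A, digits to N, punctuation kept, so that /dir/sub/1,2 becomes /AAA/AAA/N,N and the cat and key attributes of search.php become {N,N} and {A,A,A}) and the ensemble decision rule that follows it, as an added worked example; this is not the paper's code. The paper trains one HMM per attribute with Baum-Welch and fuses the members' likelihoods. This example assumes a simpler stand-in for each member (a first-order Markov chain over the encoded symbols with add-one smoothing), a per-member threshold taken at a target false-positive quantile of that member's training scores, and an OR fusion rule (a query is Suspicious if any member rejects its value or if it carries an attribute never seen in training). The pseudo-attribute name `__path__`, the class names and the training and test queries are all constructed for the example.

```python
"""Added example, not the paper's code: HTTP GET queries encoded as symbol
sequences and scored by an ensemble of per-attribute sequence models.
Stand-in for the paper's HMMs: a visible first-order Markov chain per attribute."""
import math
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

START, END = "^", "$"
PATH = "__path__"  # pseudo-attribute for the request path (assumed naming)


def encode(value: str) -> str:
    """Abstract a string: letters -> 'A', digits -> 'N', punctuation kept.
    '/dir/sub/1,2' -> '/AAA/AAA/N,N'; '1,2' -> 'N,N'; 'key' -> 'AAA'."""
    return "".join("A" if c.isalpha() else "N" if c.isdigit() else c for c in value)


def parse_request(url: str) -> dict:
    """Split a GET request into {attribute: encoded value}; the path is one member."""
    parts = urlsplit(url)
    fields = {PATH: encode(parts.path)}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        fields[name] = encode(value)
    return fields


class MarkovMember:
    """One ensemble member: first-order chain over the encoded symbols of one attribute."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))  # counts[prev][sym]
        self.alphabet = set()
        self.threshold = -math.inf

    def train(self, seqs):
        for seq in seqs:
            prev = START
            for sym in list(seq) + [END]:
                self.counts[prev][sym] += 1
                self.alphabet.add(sym)
                prev = sym

    def score(self, seq: str) -> float:
        """Length-normalised log-likelihood with add-one smoothing: transitions never
        seen in training (quotes, '<', spaces inside a numeric field) stay cheap but
        nonzero, so a single injected character does not make the score -inf."""
        v = len(self.alphabet) + 1
        prev, total = START, 0.0
        symbols = list(seq) + [END]
        for sym in symbols:
            row = self.counts.get(prev, {})
            total += math.log((row.get(sym, 0) + 1) / (sum(row.values()) + v))
            prev = sym
        return total / len(symbols)


class QueryEnsemble:
    """Ensemble of members, one per attribute name seen in legitimate traffic."""

    def __init__(self, fp_rate: float = 0.01):
        self.fp_rate = fp_rate  # accepted false-positive rate on training data
        self.members = {}

    def train(self, urls):
        per_attr = defaultdict(list)
        for url in urls:
            for name, seq in parse_request(url).items():
                per_attr[name].append(seq)
        for name, seqs in per_attr.items():
            member = MarkovMember()
            member.train(seqs)
            # Threshold = the fp_rate quantile of the member's own training scores,
            # so roughly fp_rate of legitimate values fall below it.
            scores = sorted(member.score(s) for s in seqs)
            member.threshold = scores[int(self.fp_rate * len(scores))]
            self.members[name] = member

    def classify(self, url: str):
        """OR fusion (assumed rule): Suspicious if any member rejects its attribute
        value, or if the request carries an attribute never seen in training."""
        reasons = []
        for name, seq in parse_request(url).items():
            member = self.members.get(name)
            if member is None:
                reasons.append(f"unknown attribute {name!r}")
            elif member.score(seq) < member.threshold:
                reasons.append(f"{name}={seq!r}: {member.score(seq):.2f} < {member.threshold:.2f}")
        return ("Suspicious" if reasons else "Legitimate"), reasons


# Constructed legitimate traffic for the search.php page: cat is numeric, key is a word.
LEGIT = [
    "/search.php?cat=12&key=book", "/search.php?cat=3&key=lamp",
    "/search.php?cat=104&key=shoes", "/search.php?cat=7&key=tea",
    "/search.php?cat=12&key=coffee", "/search.php?cat=55&key=pen",
]
MODEL = QueryEnsemble(fp_rate=0.01)
MODEL.train(LEGIT)

if __name__ == "__main__":
    for url in ["/search.php?cat=8&key=mugs",
                "/search.php?cat=1'%20OR%20'1'='1&key=book",          # SQL injection
                "/search.php?cat=1&key=<script>alert(1)</script>",   # XSS
                "/search.php?cat=1&key=pen&debug=1"]:                # unexpected attribute
        print(url, *MODEL.classify(url))
```

Two design points carry over to a real deployment. The score is normalised by sequence length, so long but well-formed values are not penalised merely for being long, while an injected quote or angle bracket in a field that was always numeric or alphabetic costs a smoothed, near-zero transition probability on every such character. The threshold is set per member from legitimate traffic only, which is what makes the false-positive rate a tunable parameter rather than an accident of the attack samples; in the paper's setting the same calibration is done on the HMM likelihoods.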

www.milworm.com
A . 19 SQL injection 19
xss 18
.

IDS .

.6

IDS
.
)

17

.
. GET

(
.

).

D .

( .

D :

150000 3 .

52
24.
28 .
D

) (

D :

= 0.995%

-apriori probability
- diversity
17
- data set
16

HTML
HTTP :

15

5 False positive

6 HMM HMM

HMM HMM

] [5

. HMM

HMM False positive

False positive

IDS D

False

positive

% %96
False positive %1 .

References:
[1] GHMM: General Hidden Markov Model library. http://ghmm.org/
[2] RFC 2616 - Hypertext Transfer Protocol - HTTP/1.1.
[3] I. Corona, G. Giacinto, C. Mazzariello, F. Roli, and C. Sansone. Information fusion for computer security: State of the art and open issues. Information Fusion, 10:274-284, 2009.
[4] Giorgio Fumera and Fabio Roli. A theoretical and experimental analysis of linear combiners for multiple classifier systems. IEEE Transactions on Pattern Analysis and Machine Intelligence, 27:942-956, June 2005.
[5] C. Kruegel, G. Vigna, and W. Robertson. A multi-model approach to the detection of web-based attacks. Computer Networks, 48(5):717-738, 2005.
[6] Christopher Kruegel and Giovanni Vigna. Anomaly detection of web-based attacks. In CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security, New York, NY, USA, 2003. ACM.
[7] L. Kuncheva. Combining Pattern Classifiers. Wiley, 2004.
[8] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee. McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks, 53(6):864-881, 2009.
[9] L. R. Rabiner. A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE, 77(2):257-286, 1989.
[10] D. M. J. Tax. One-Class Classification: Concept Learning in the Absence of Counter Examples. PhD thesis, Delft University of Technology, Delft, Netherlands, 2001.
[11] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez. Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security (ScienceDirect), 2009.
[12] Gaurav Tandon. Machine Learning for Host-based Anomaly Detection. PhD thesis (Computer Science), Melbourne, Florida, May 2008.
[13] Juan M. Estévez-Tapiador, Pedro García-Teodoro, and Jesús E. Díaz-Verdejo. Detection of web-based attacks through Markovian protocol parsing. IEEE proceedings, 2005.
[14] Igino Corona, Davide Ariu, and Giorgio Giacinto. HMM-Web: a framework for the detection of attacks against Web applications. In IEEE ICC 2009 proceedings. ISBN 978-1-4244-3435
