m.geraily@gmail.com
[Main text not recoverable: the body of the paper did not survive extraction, and only isolated Latin-script terms, footnote glosses, citation marks and equation fragments remain. Terms that survive: HTTP, web application, Signature, Anomaly, Parameterization, False Positive, ROC, HMM, SVM, MCS (multiple classifier system), HMM ensemble, fusion, confidence factor, apriori knowledge, Suspicious, Legitimate, Baum-Welch, likelihood, outlier, IDS, apriori probability, diversity, data set, SQL injection, XSS, GET, HTML, search.php, Cre.mitre.org, www.milworm.com. Citation marks to [4], [5], [6], [9], [10], [11] and others survive; equations, tables and figures are not recoverable.]
References:
[1] GHMM: General Hidden Markov Model library. http://ghmm.org/
[2] RFC 2616: Hypertext Transfer Protocol, HTTP/1.1.
[3] I. Corona, G. Giacinto, C. Mazzariello, F. Roli, and C. Sansone. Information fusion for computer security: State of the art and open issues. Information Fusion, 10:274-284, 2009.
[4] Giorgio Fumera and Fabio Roli. A theoretical and experimental analysis of linear combiners for multiple classifier systems. IEEE Transactions on Pattern Analysis and Machine Intelligence, 27:942-956, June 2005.
[5] C. Kruegel, G. Vigna, and W. Robertson. A multi-model approach to the detection of web-based attacks. Computer Networks, 48(5):717-738, 2005.
[6] Christopher Kruegel and Giovanni Vigna. Anomaly detection of web-based attacks. In CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security, New York, NY, USA, 2003. ACM.
[7] L. Kuncheva. Combining Pattern Classifiers. Wiley, 2004.
[8] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee. McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks, 53(6):864-881, 2009.
[9] L. R. Rabiner. A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE, 77(2):257-286, 1989.
[10] D. M. J. Tax. One-Class Classification: Concept Learning in the Absence of Counter-Examples. PhD thesis, Delft University of Technology, Delft, Netherlands, 2001.
[11] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez. Anomaly-