
Research on Detection Mechanisms and Algorithms for HTTP Flooding Attacks

Research on Detection Scheme and Algorithm for HTTP-flooding Attack

【Author】 Wang Jin

【Supervisor】 Long Keping

【Author information】 University of Electronic Science and Technology of China, Communication and Information Systems, 2013, PhD

【Abstract】 As Web services become ever more widespread, their security draws close attention from both academia and industry. HTTP flooding is a new class of distributed denial-of-service (DDoS) attack: it imitates the browsing behaviour of normal users and sends large numbers of HTTP GET requests to the target site in order to exhaust the server's CPU, memory and other resources, paralysing the Web service and cutting off normal users. HTTP flooding poses a severe challenge to the survivability of Web services and is currently one of their major security problems. Because it is highly stealthy and highly effective, HTTP flooding is difficult to detect, and effective detection and defence methods are still lacking. On the one hand, compared with bandwidth-flooding DDoS attacks, HTTP flooding traffic is small and usually causes no traffic anomaly on the network links of the victim service node; on the other hand, compared with TCP SYN-flooding DDoS attacks, HTTP flooding sessions have TCP protocol statistics (for example, the distribution of the different TCP packet types) that are extremely similar to those of normal users, so they cause no anomaly in the server's TCP packet statistics. HTTP flooding can therefore effectively evade existing detection methods and is increasingly used to mount attacks. Research on HTTP flooding is still scarce, and most existing work suffers from low detection performance, overly complex algorithms and poor stability; HTTP flooding remains an open problem.

This dissertation focuses on the core problem of HTTP flooding detection and, drawing on methods from statistical learning, studies detection mechanisms and algorithms from three angles: quantifying the access-behaviour features of Web users, designing detection mechanisms, and making those mechanisms robust. It first starts from the access-behaviour features of Web users and, around two webpage-semantic features, the popularity of the topics a user visits and the logical relatedness of the pages visited, proposes a method based on large-deviation statistics for quantifying the webpage-semantic features of Web access behaviour; this method effectively quantifies how different Web users differ in these two features and lays the foundation for the later work. Second, around the popularity of visited topics, it designs a new HTTP flooding detection mechanism and algorithm and validates it against several different types of HTTP flooding attack model. Finally, for the reliability of HTTP detection mechanisms built on normal-user access behaviour, it analyses the influence of web-crawler logs in the training data set; taking the popularity of visited topics as its core, the dissertation further proposes an HTTP flooding detection mechanism and algorithm that tolerates noise in the training data set. Specifically, the research covers the following aspects:

1. Webpage-semantics-based features of Web user access behaviour and methods for quantifying them. The study of Web user access-behaviour features and their quantification is the foundation of HTTP flooding detection: it characterises the behavioural differences between Web users and is the key to identifying HTTP flooding effectively. Typical Web access-behaviour features used in existing detection mechanisms, such as request intervals and access rates, are easily imitated by attackers, which defeats those mechanisms, so new Web access-behaviour features for detecting HTTP flooding are urgently needed. Building on existing research on Web access behaviour, this dissertation works with two webpage-semantic features, the popularity of the topics a user visits and the logical relatedness of the pages visited, studies methods that can effectively quantify the behavioural differences between Web users, uses large-deviation statistics to quantify how users differ in these two features, and establishes a large-deviation-based framework for quantifying the webpage-semantic behavioural features of Web users. It then gives a preliminary analysis of how normal user sessions differ from some common HTTP flooding attacks in their webpage-semantic features, laying the foundation for the subsequent detection work.

2. HTTP flooding detection mechanism and algorithm based on the popularity of visited topics. Around the topic-popularity feature, a detection mechanism and algorithm that can detect several different types of HTTP flooding attack are designed. The global webpage click-through rate is the basis for quantifying topic popularity: it measures the latest popularity trend of the different webpage topics. Because webpage content usually changes dynamically and the detection model lags behind, the global click-through-rate distribution varies over time. Estimating this distribution accurately and in real time is the key to quantifying topic popularity and an important problem that any HTTP flooding detection method must solve. To address it, this dissertation studies methods for dynamically estimating the global click-through-rate distribution and proposes an algorithm based on the exponentially weighted moving average (EWMA) that combines the site's historical global click-through-rate distribution with the pages targeted by current user requests to update the current distribution dynamically; the update algorithm is further corrected so as to reduce, in the reverse direction, the influence of malicious attackers on the site's global click-through-rate distribution.

3. Robustness of the HTTP flooding detection mechanism. The accuracy of the training data is an important consideration for detection methods based on normal-user access behaviour and a key factor in detection performance. Web access logs are the main data source of HTTP flooding detection mechanisms, and they usually contain web-crawler logs. Analysis shows that the difference between crawler behaviour and normal user access behaviour makes the detection baseline inaccurate and seriously degrades detection performance. Taking the popularity of visited topics and the access-session length as the main features, this dissertation analyses the joint feature distribution of normal user access behaviour and from it builds an HTTP flooding detection mechanism that tolerates web-crawler behaviour.

【Abstract】 As Web services become more and more popular, web security attracts more attention from academia and industry. HTTP-flooding is a new Distributed-Denial-of-Service attack. It imitates normal web surfing behavior, sending a large number of legitimate HTTP GET requests to the victim, aiming at exhausting the victim's precious resources (e.g., CPU, memory, etc.) and paralyzing the web services. HTTP-flooding attack seriously challenges the survivability of web applications. Due to its stealthy attacking behavior, HTTP-flooding is difficult to detect. On one hand, compared with the tremendous traffic of a Bandwidth-flooding attack (e.g., the average traffic is 162 Mbps), the low traffic of HTTP-flooding (e.g., 10 Mbps) usually does not cause a traffic anomaly. On the other hand, unlike the bogus TCP connections of SYN-flooding, the true TCP connections of an HTTP-flooding attack do not bring significant changes to the statistics of TCP SYN packets. Even worse, HTTP-flooding attackers can generate HTTP GET requests as normal web surfers do. Thus, an HTTP-flooding attack is much harder to detect than other DDoS attacks, and can evade the detection approaches for Bandwidth-flooding and TCP SYN-flooding DDoS. Most of the existing detection schemes have poor detection performance. Thus, HTTP-flooding is still an open problem. This dissertation focuses on HTTP-flooding, and detects HTTP-flooding attacks with statistical learning methods.

This dissertation first proposes a novel method to efficiently quantify web surfing preference and surfing semantics. Based on the consistency between the individual temporal surfing preference and the overall webpage popularity, it analyzes personal surfing differences and detects HTTP-flooding attackers by their behavioral difference. Furthermore, aiming at the web-crawling traces in the training phase, it associates more surfing features and builds the reference surfing profile according to the distribution density. Specifically, this dissertation studies the HTTP-flooding attack from the following aspects:

1. Studying the quantification of individual web surfing differences. The quantification of individual web surfing differences is critical to HTTP-flooding detection. How to select appropriate surfing features is the key problem in efficiently quantifying individual web surfing differences. With the surfing preference and surfing semantics, this dissertation analyzes the consistency between the individual surfing behavior and the corresponding feature of the website, and builds the quantification framework with the large deviation principle. Then it preliminarily analyses the surfing difference between normal users and some simple HTTP-flooding attacks.

2. Detecting HTTP-flooding attack with the individual surfing difference. Taking the surfing preference as the main feature, this dissertation studies HTTP-flooding detection based on the surfing preference. Webpage popularity is the basis for quantifying web surfing preference. Accurately computing webpage popularity is the key problem for surfing preference-based HTTP-flooding detection. On one hand, because webpage content is updated, webpage popularity changes dynamically. On the other hand, because of the detection-lag property, attacking sessions that have not yet been detected participate in the updating of webpage popularity, biasing webpage popularity and further degrading detection performance. Aiming at these problems, this dissertation studies how to update webpage popularity dynamically.

3. Studying web-crawling behavior-tolerant HTTP-flooding detection. The accuracy of the training dataset is the key factor determining the performance of detection schemes based on normal web surfing behavior. Web surfing logs are the main dataset of HTTP-flooding detection, and they usually include some web-crawling traces. These web-crawling traces can degrade the detection of HTTP-flooding attacks. Aiming at the web-crawling traces in the training phase, this dissertation studies a joint-feature-distribution-density-based HTTP-flooding detection scheme. It builds the reference surfing profile from the noisy web logs, and detects HTTP-flooding attacks by comparing their surfing profile with the reference surfing profile.
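As an added illustration of the detection idea in both abstracts (this code is mine, not the dissertation's), the block below keeps a global page-popularity distribution updated by EWMA, scores a session by the large-deviation quantity n·KL(q‖p) between its empirical page distribution q and the global popularity p (by Sanov's theorem the chance a user drawing from p produces q decays like exp(-n·KL)), and excludes already-flagged sessions from the popularity update as one way to realise the "reverse reduction" of attacker influence the abstract mentions. The smoothing weight, the threshold and the four-page site data are constructed assumptions.

```python
from collections import Counter
import math

ALPHA = 0.2    # EWMA smoothing weight (assumed value, not from the thesis)
EPS = 1e-6     # probability floor so an unseen page never divides by zero

# Constructed sample data: a four-page site's global click-rate distribution,
# one session that mirrors it and one that hammers a single unpopular page.
POPULARITY = {"/index": 0.5, "/news": 0.3, "/about": 0.15, "/old/report": 0.05}
NORMAL_SESSION = ["/index"] * 10 + ["/news"] * 6 + ["/about"] * 3 + ["/old/report"]
ATTACK_SESSION = ["/old/report"] * 20

def session_deviation(popularity, requests):
    """Large-deviation score n * KL(q || p): q is the session's empirical page
    distribution, p the global popularity. By Sanov's theorem the probability
    that a user drawing pages from p produces q decays like exp(-score)."""
    q = Counter(requests)
    n = sum(q.values())
    kl = 0.0
    for page, c in q.items():
        qi = c / n
        kl += qi * math.log(qi / max(popularity.get(page, 0.0), EPS))
    return n * kl

def is_flooding(popularity, requests, threshold):
    return session_deviation(popularity, requests) > threshold

def ewma_update(popularity, window_requests, alpha=ALPHA):
    """p_t = (1 - alpha) * p_{t-1} + alpha * observed distribution of the window."""
    counts = Counter(window_requests)
    total = sum(counts.values())
    return {page: (1 - alpha) * popularity.get(page, 0.0)
                  + alpha * counts.get(page, 0) / total
            for page in set(popularity) | set(counts)}

def filtered_update(popularity, sessions, threshold, alpha=ALPHA):
    """Correction step: drop sessions already flagged as flooding before the
    EWMA update, so an attacker cannot drag its target page into 'popular'."""
    window = [r for s in sessions if not is_flooding(popularity, s, threshold)
              for r in s]
    return ewma_update(popularity, window, alpha) if window else dict(popularity)

if __name__ == "__main__":
    for name, s in (("normal", NORMAL_SESSION), ("attack", ATTACK_SESSION)):
        print(name, round(session_deviation(POPULARITY, s), 2))
    naive = ewma_update(POPULARITY, NORMAL_SESSION + ATTACK_SESSION)
    guarded = filtered_update(POPULARITY, [NORMAL_SESSION, ATTACK_SESSION], 10)
    print("/old/report popularity naive vs guarded:",
          round(naive["/old/report"], 3), round(guarded["/old/report"], 3))
```

The naive update lets the flooding session nearly triple the popularity of its target page in one window, which is exactly the detection-lag bias the abstract describes; the guarded update leaves it unchanged.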

【Keywords】 IP network; HTTP flooding; large deviation; clustering
【Key words】 IP network; HTTP-flooding; large deviation; cluster