CN104270373B - A method for detecting anonymous Web server access traffic based on temporal characteristics - Google Patents


Info

Publication number: CN104270373B
Authority: CN (China)
Prior art keywords: web server, temporal characteristics, access flow, alpha, request
Legal status: Active
Application number: CN201410535015.8A
Other languages: Chinese (zh)
Other versions: CN104270373A (en)
Inventors: 何高峰, 张涛, 张波, 马媛媛, 陈亚东, 楚杰
Current Assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Smart Grid Research Institute of SGCC
Original Assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Global Energy Interconnection Research Institute
Application filed by: State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, Global Energy Interconnection Research Institute
Priority to: CN201410535015.8A
Publication of CN104270373A
Application granted
Publication of CN104270373B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for detecting anonymous access traffic on a Web server based on temporal characteristics, comprising the following steps: extracting temporal characteristics; building a temporal characteristics model based on a one-class support vector machine; substituting the temporal characteristics into the temporal characteristics model for detection; and confirming the detection result. The method solves the problem of detecting anonymous access traffic at a Web server, enables fast and accurate detection of anonymous Web access traffic, and improves the security of the Web server.

Description

A method for detecting anonymous Web server access traffic based on temporal characteristics
Technical field
The present invention relates to a detection method, and in particular to a method for detecting anonymous access traffic on a Web server based on temporal characteristics.
Background art
With the rapid development and widespread use of the Internet and the mobile Internet, networks have become part of every aspect of daily life. At the same time, the security and privacy problems raised by network services are attracting increasing attention. To protect the private information of network users, researchers proposed the concept of anonymous communication and techniques to realize it.
Anonymous communication was first proposed by Chaum in 1981. The technique inserts one or more intermediate nodes (Mix nodes) on the communication path between sender and recipient to hide the user's identity and the communication relationship. When sending data, the user first determines the addresses of the Mix nodes on the forwarding path and of the recipient, then encrypts the data and address information layer by layer with the public key of each Mix node on the path, forming an "onion", and sends the onion to the first Mix node on the forwarding path. On receiving the onion, a Mix node decrypts it to obtain the next-hop address and sends the decrypted onion to the next-hop node; the other nodes do the same in turn until the last one forwards the original data to the recipient. Returned data travels in the reverse order: the recipient returns the data to the Mix node it is directly connected to (the last Mix node on the forwarding path), each Mix node on the path then encrypts the data with its own private key and forwards it in the opposite direction, and finally the user performs multiple decryption operations to obtain the communication content. Based on this technique, researchers designed a variety of anonymous communication schemes, such as the onion routing protocol, and on that basis developed practical anonymous communication systems such as Tor and JAP.
While protecting the identity privacy of network users, the abuse of anonymous communication systems also poses a serious threat to network security and network management. For example, in 2007 the German government successively arrested the operators of several Tor exit nodes, when in fact these operators were scapegoats for network crimes such as illegally browsing pornography. When an anonymous criminal uses the Tor network to obtain child pornography, the corresponding network traffic is first sent to a Tor exit node, and the exit node then forwards the related data to the anonymous criminal through the Tor network. From the IP address information of the network traffic, only these Tor exit nodes can be traced, and the real criminal cannot be identified. In addition, botnets have begun to use the Tor anonymous communication network to hide their command and control (C&C) servers: each bot node communicates with the C&C server through Tor, which conceals the true identity of the C&C server and its association with the bot nodes and makes botnet detection more difficult. More seriously, some popular network attack tools, such as the Web server DoS attack tool Torshammer and the SQL injection attack tool sqlmap, provide configuration options that forward attack traffic through the Tor anonymity network so as to evade detection and tracing. Given the wide deployment of Web applications and their important position in sectors of the national economy such as electric power, it is necessary to supervise anonymous Web access, prevent anonymous attacks and improve the security of Web servers. Detecting anonymous access traffic is the premise and basis for any further supervision.
At present, Web servers detect anonymous access traffic mainly from IP address information: the server checks whether the client's IP address appears in a published list of anonymous nodes. This approach has obvious limitations. Specifically, the existing method has the following three shortcomings:
1) If the client is a hidden anonymous node whose IP address is not published, the Web server cannot detect the anonymous access traffic;
2) If the client has two network cards, the first connected to the anonymous communication system and the second to the normal Internet, and the anonymous access traffic is sent to the Web server through the second card, then only the IP address of the first card appears in the published anonymous node list while the Web server checks the IP address of the second card, so the anonymous access traffic it produces cannot be detected;
3) If the client was previously an anonymous node and has since shut down its anonymity service, but the anonymous node list has not been updated in time, the server will judge the current client's traffic to be anonymous access, which is a misjudgment.
Summary of the invention
To overcome the above shortcomings of the prior art, the present invention provides a method for detecting anonymous Web server access traffic based on temporal characteristics. It solves the problem of detecting anonymous access traffic at a Web server, enables fast and accurate detection of anonymous Web access traffic, and improves the security of the Web server.
To achieve this purpose, the invention adopts the following technical solution:
The invention provides a method for detecting anonymous Web server access traffic based on temporal characteristics, the method comprising the following steps:
Step 1: Extract temporal characteristics;
Step 2: Build a temporal characteristics model based on a one-class support vector machine;
Step 3: Substitute the temporal characteristics into the temporal characteristics model for detection;
Step 4: Confirm the detection result.
In step 1, the Web server records the respective arrival times of the GET requests and POST requests of the HTTP protocol, and takes the time intervals between consecutively occurring GET or POST requests as the temporal characteristics.
Step 1 specifically comprises the following steps:
Step 1-1: For each client that connects to the Web server, the Web server builds a database search index from the client's IP address;
Step 1-2: The Web server records the arrival times of the GET requests and POST requests of the HTTP protocol; for identical GET or POST requests that occur multiple times, the Web server records only the arrival time of the first GET or POST request;
Step 1-3: Temporal characteristics are extracted from the recorded arrival time series of the GET and POST requests.
In step 1-1, for a client IP address of IPv4 type, the Web server stores the client's IP address as a 4-byte INT according to the byte order of its own operating system, then computes the corresponding numerical value and uses this value as the client's search index;
For a client IP address of IPv6 type, the Web server treats the client's IPv6 address as a character string, computes a hash value with the BKDRHash hash function and uses the result as the database index, while also storing the IPv6 address information in the database.
In step 1-3, the Web server computes the time intervals between the arrivals of the GET and POST requests from their recorded arrival times, sorts the time intervals in descending order, extracts at least 20% of the time intervals, and saves them as a feature vector to serve as the temporal characteristics.
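Steps 1-1 to 1-3 as an added Python example, not code from the patent. The BKDRHash seed 131, the 31-bit mask, the whitespace-separated log layout, the deduplication key (client, method, URL) and rounding the 20% share up are assumptions, and the log lines are constructed.

```python
import ipaddress
import sys

BKDR_SEED = 131  # assumed: a customary BKDRHash seed; the patent names no value

# Constructed sample log: "<arrival time> <client address> <method> <URL>".
SAMPLE_LOG = """\
1413000000.00 198.51.100.7 GET /index.html
1413000000.50 198.51.100.7 GET /style.css
1413000001.00 198.51.100.7 GET /index.html
1413000002.00 2001:db8::1 GET /a
1413000002.75 2001:0db8:0:0:0:0:0:1 GET /b
1413000003.00 198.51.100.7 POST /login
1413000003.25 198.51.100.7 GET /home
1413000007.25 198.51.100.7 GET /report
1413000007.50 198.51.100.7 HEAD /report
1413000008.00 198.51.100.7 GET /logo.png
"""


def bkdr_hash(text, seed=BKDR_SEED):
    """BKDRHash of a string, truncated to 31 bits (assumed index width)."""
    h = 0
    for ch in text:
        h = (h * seed + ord(ch)) & 0x7FFFFFFF
    return h


def client_key(addr, byteorder=sys.byteorder):
    """Step 1-1: (search index, canonical address) for one client.

    The stored address disambiguates clients whose indexes collide.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # 4-byte INT interpreted in the server's own byte order
        index = int.from_bytes(ip.packed, byteorder)
    else:
        # Hash the canonical text so that equivalent spellings share an index
        index = bkdr_hash(ip.compressed)
    return index, ip.compressed


def record_arrivals(log_lines):
    """Step 1-2: per-client GET/POST arrival times, first occurrence only."""
    arrivals, seen = {}, set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("GET", "POST"):
            continue
        stamp, addr, method, url = parts
        try:
            key = client_key(addr)
            arrived = float(stamp)
        except ValueError:
            continue  # malformed address or timestamp
        if (key, method, url) in seen:
            continue  # identical repeated request: keep only the first arrival
        seen.add((key, method, url))
        arrivals.setdefault(key, []).append(arrived)
    return arrivals


def time_feature(times, percent=20):
    """Step 1-3: the largest `percent`% of inter-arrival gaps, descending."""
    times = sorted(times)
    gaps = sorted((b - a for a, b in zip(times, times[1:])), reverse=True)
    if not gaps:
        return []
    keep = max(1, (len(gaps) * percent + 99) // 100)  # round the share up
    return gaps[:keep]


def extract_features(log_lines, percent=20):
    """Feature vector per client, keyed by (index, address)."""
    recorded = record_arrivals(log_lines)
    return {key: time_feature(ts, percent) for key, ts in recorded.items()}
```

A one-class SVM needs vectors of equal length l, so a deployment would collect the same number of arrivals per connection before extracting the feature.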
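In step 2, the extracted temporal characteristics are saved as feature vectors, and a one-class support vector machine is used for model training to obtain the temporal characteristics model.
In step 2, let the length of a feature vector be $l$ and write the feature vector formally as $P = \{p_1, p_2, \ldots, p_m, \ldots, p_l\}$, where $p_m$ is the $m$-th time interval. Given $k$ feature vectors in total, with $P_i$ the $i$-th feature vector, the training model built with the one-class support vector machine is as follows:
$$\min_{w,\rho,\varepsilon_i}\ \frac{1}{2}\|w\|^2 + \frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i - \rho \qquad \text{s.t.}\quad w\cdot\varphi(P_i) \ge \rho - \varepsilon_i,\quad \varepsilon_i \ge 0,\quad i = 1, 2, \ldots, k$$
where $w$ is the normal vector of the separating hyperplane; $\rho$ is a set constant that determines the distance of the origin from the hyperplane; $\varepsilon_i$ is a slack variable used to penalize misclassified points; $v$ is the parameter balancing the maximum margin against the penalty term, with $v \in (0,1]$; and $\varphi(P_i)$ denotes the mapping of the $i$-th feature vector to a high-dimensional space;
Introducing the Lagrange multipliers $\alpha_i$ and $\beta_i$ gives:
$$L(w, \varepsilon_i, \rho, \alpha_i, \beta_i) = \frac{1}{2}\|w\|^2 + \frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i - \rho - \sum_{i=1}^{k}\alpha_i\big((w\cdot\varphi(P_i)) - \rho + \varepsilon_i\big) - \sum_{i=1}^{k}\beta_i\varepsilon_i$$
Substituting the kernel function yields the following dual function:
$$\min_{\alpha_i}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j\,\varphi(P_i)\cdot\varphi(P_j) = \min_{\alpha}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j K(P_i, P_j) \qquad \text{s.t.}\quad 0 \le \alpha_i \le \frac{1}{vk},\quad \sum_{i=1}^{k}\alpha_i = 1$$
where $\alpha_j$ is a Lagrange multiplier; $\varphi(P_j)$ denotes the mapping of the $j$-th feature vector to the high-dimensional space; $P_j$ is the $j$-th feature vector, $j = 1, 2, \ldots, k$; and $K(P_i, P_j) = \varphi(P_i)\cdot\varphi(P_j)$ is the kernel function. With the radial basis function (RBF) used as the kernel function, $K(P_i, P_j)$ is expressed as:
$$K(P_i, P_j) = \exp\left(-\gamma\,\|P_i - P_j\|^2\right)$$
where $\gamma$ is the parameter controlling the radius, $\gamma > 0$;
Finally, solving the dual function yields the support vector set SV and the corresponding $\alpha_i$ values, which constitute the temporal characteristics model.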
The optimal value of the parameter $v$ balancing the maximum margin against the penalty term is determined as follows:
1) With a step of 0.01, test the recognition rate for different values of $v$ in $(0, 1]$, and denote the value of $v$ with the highest recognition rate as $v'$;
2) With a step of 0.001, test the recognition rate for different values of $v$ in $(v' - 0.1, v' + 0.1]$, and take the value $v_{max}$ with the highest recognition rate as the optimal value of the balance parameter $v$.
In step 3, using the computed support vector set SV and the corresponding $\alpha_i$ values, the discriminant function $Y(P)$ is expressed as:
$$Y(P) = \operatorname{sign}\Big[\sum_{P_i \in SV}\alpha_i K(P_i, P_j) - \rho\Big]$$
where $\operatorname{sign}(\cdot)$ is the sign function, defined as:
$$\operatorname{sign}\Big[\sum_{P_i \in SV}\alpha_i K(P_i, P_j) - \rho\Big] = \begin{cases} -1 & \text{if } \sum_{P_i \in SV}\alpha_i K(P_i, P_j) - \rho < 0 \\ 1 & \text{if } \sum_{P_i \in SV}\alpha_i K(P_i, P_j) - \rho \ge 0 \end{cases}$$
To classify network traffic under test, its temporal characteristics are substituted into the discriminant function. If the detection result is 1, the confirmation of anonymous access traffic proceeds; if the detection result is -1, the traffic is judged to be normal access traffic.
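Step 2, the two-pass search for v and the discriminant of step 3, as an added pure-Python example that is not the patent's implementation: it solves the dual problem of step 2 by pairwise coordinate updates, evaluates the discriminant and runs the 0.01/0.001 search. The solver, taking ρ from the free support vectors, the recognition-rate definition with a held-out set of normal traffic, γ = 1 and all vectors are assumptions constructed for illustration.

```python
import math

GAMMA = 1.0  # assumed RBF radius parameter (gamma > 0)

# Constructed feature vectors: three largest request gaps in seconds, descending.
ANON_TRAIN = [(2.10, 1.60, 1.20), (2.30, 1.50, 1.10), (1.90, 1.70, 1.30),
              (2.20, 1.40, 1.00), (2.00, 1.80, 1.25), (2.40, 1.65, 1.15)]
ANON_VAL = [(2.15, 1.55, 1.15), (2.05, 1.65, 1.20)]
NORMAL_VAL = [(0.40, 0.25, 0.15), (0.35, 0.20, 0.10), (0.50, 0.30, 0.20)]


def rbf(p, q, gamma):
    """K(P_i, P_j) = exp(-gamma * ||P_i - P_j||^2)."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(p, q)))


def score(model, p):
    """Sum over the support vectors of alpha_i * K(P_i, P)."""
    return sum(a * rbf(sv, p, model["gamma"])
               for sv, a in zip(model["sv"], model["alpha"]))


def predict(model, p):
    """Discriminant: 1 = suspected anonymous access, -1 = normal access."""
    return 1 if score(model, p) - model["rho"] >= 0 else -1


def train(vectors, nu, gamma, tol=1e-6, max_iter=500):
    """Minimise 1/2 sum a_i a_j K_ij with 0 <= a_i <= 1/(nu*k), sum a_i = 1."""
    k = len(vectors)
    cap = 1.0 / (nu * k)
    K = [[rbf(p, q, gamma) for q in vectors] for p in vectors]
    alpha = [1.0 / k] * k  # feasible start for every nu in (0, 1]
    grad = [sum(K[i][j] * alpha[j] for j in range(k)) for i in range(k)]
    for _ in range(max_iter):
        up = [i for i in range(k) if alpha[i] < cap - 1e-12]   # may grow
        down = [j for j in range(k) if alpha[j] > 1e-12]       # may shrink
        if not up or not down:
            break
        i = min(up, key=grad.__getitem__)    # most violating pair
        j = max(down, key=grad.__getitem__)
        eta = K[i][i] + K[j][j] - 2.0 * K[i][j]
        if grad[j] - grad[i] < tol or eta <= 0.0:
            break
        # Move weight from j to i; clipping keeps both inside [0, cap].
        step = min((grad[j] - grad[i]) / eta, cap - alpha[i], alpha[j])
        alpha[i] += step
        alpha[j] -= step
        grad = [g + step * (K[t][i] - K[t][j]) for t, g in enumerate(grad)]
    keep = [i for i in range(k) if alpha[i] > 1e-8]  # support vector set SV
    model = {"sv": [vectors[i] for i in keep],
             "alpha": [alpha[i] for i in keep], "gamma": gamma, "rho": 0.0}
    # Free support vectors (0 < alpha < cap) lie on the hyperplane; taking the
    # lowest of their scores as rho absorbs the solver tolerance.
    free = [score(model, vectors[i]) for i in keep if alpha[i] < cap - 1e-8]
    bound = [score(model, vectors[i]) for i in keep]
    model["rho"] = min(free) if free else max(bound)
    return model


def recognition_rate(model, anon, normal):
    """Assumed metric: share of held-out vectors that get the right label."""
    hits = sum(predict(model, p) == 1 for p in anon)
    hits += sum(predict(model, p) == -1 for p in normal)
    return hits / (len(anon) + len(normal))


def search_nu(train_set, anon_val, normal_val, gamma):
    """Step 0.01 over (0, 1], then step 0.001 over (v' - 0.1, v' + 0.1]."""
    def rate(n):  # n is v in thousandths, which keeps the grid exact
        model = train(train_set, n / 1000.0, gamma)
        return recognition_rate(model, anon_val, normal_val)
    coarse = max(range(10, 1001, 10), key=rate)
    fine = max(range(max(1, coarse - 99), min(1000, coarse + 100) + 1), key=rate)
    return fine / 1000.0
```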
Step 4 specifically comprises the following steps:
Step 4-1: The Web server redirects to a verification page;
Step 4-2: A verification code of a specific size is generated, and the user is required to enter the verification code shown on the web page;
To detect Tor and JAP anonymous access traffic at the same time, the size of the verification code is set to 990 bytes;
Step 4-3: The verification code is sent back to the Web server;
Step 4-4: The Web server confirms whether the traffic is anonymous access traffic from the lengths of the messages carrying the verification code;
If the network message carrying the verification code is split into two messages whose lengths are 498 and 492 bytes, or 989 bytes and 1 byte, respectively, the traffic is confirmed as anonymous access traffic; otherwise it is judged to be normal access traffic.
Compared with the prior art, the beneficial effects of the invention are:
1. The invention uses temporal characteristics to distinguish anonymous access traffic from normal access traffic, which makes the method more general and widens its scope of application;
2. The temporal characteristics model of anonymous access traffic is built with a one-class support vector machine, so modelling needs learning samples of anonymous access traffic only, which makes the method easy to use in practice;
3. When suspicious anonymous access is found, the method redirects to a verification page and generates a verification code of a specific size to verify the anonymous access traffic further, which reduces the false alarm rate of the detection method;
4. The invention is mainly used to solve the problem of detecting anonymous access traffic at a Web server; it enables fast and accurate detection of anonymous Web access traffic and strengthens the security of the Web server.
Brief description of the drawings
Fig. 1 is a functional structure diagram of the method for detecting anonymous Web server access traffic based on temporal characteristics in an embodiment of the invention;
Fig. 2 is a detailed flowchart of the method for detecting anonymous Web server access traffic based on temporal characteristics in an embodiment of the invention.
Detailed description
The invention is described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1 and Fig. 2, the invention provides a method for detecting anonymous Web server access traffic based on temporal characteristics, the method comprising the following steps:
Step 1: Extract temporal characteristics;
Step 2: Build a temporal characteristics model based on a one-class support vector machine;
Step 3: Substitute the temporal characteristics into the temporal characteristics model for detection;
Step 4: Confirm the detection result.
Example
A Web server is deployed in the external information network and exchanges data with a back-end database on the internal network. To obtain the contents of the back-end database, an attacker carries out SQL injection attacks with the sqlmap tool and configures sqlmap so that the attack traffic is forwarded through the Tor anonymous communication system, hiding the attacker's real IP address and evading network tracing. By detecting anonymous access traffic, such traffic can be found in time and the network connection cut off, which safeguards the information data on the electric power information intranet and in turn the network security of the whole power system.
The specific implementation is as follows:
First, the server administrator accesses the Web server in the external information network through the Tor anonymous communication system, and the arrival times of the HTTP GET and POST requests are recorded at the firewall in front of the Web server. To obtain enough learning samples, the administrator accesses the Web server content repeatedly, then extracts temporal characteristics from the recorded arrival times of the GET and POST requests and saves them as learning samples. Once the learning sample data has been obtained, the Web server administrator models the temporal characteristics of anonymous access traffic with a one-class support vector machine, determines the optimal parameter values by grid search during modelling, and generates the final model file.
After these steps, the anonymous access traffic detection function can be deployed on the front-end firewall of the Web server. For each new access connection, the firewall records the arrival times of its HTTP GET and POST requests; for repeated accesses to the same Web object, only the time of the first access is recorded. Once a certain number of arrival times has been collected, the firewall calls the temporal characteristics extractor to produce the temporal characteristics of the current access traffic, substitutes them into the model file and computes the discrimination result. If the result is -1, the traffic is normal access traffic and is allowed to continue. Otherwise, if the result is 1, the traffic is suspicious anonymous access traffic, and the firewall forwards the current access to the server's verification page.
The verification page displays a verification code as a picture and requires the user to enter the verification code. Meanwhile, JavaScript code embedded in the page pads the verification code information to 990 bytes by adding an identification field and random digits, and returns the information to the server. The firewall checks the network message lengths of the returned information; if the lengths are 498 and 492 bytes respectively, the current access is judged to be anonymous access forwarded through the Tor anonymity system, and the network connection is interrupted. On this basis, further measures can be taken, such as adding the current IP address to a blacklist, to ensure the security of the Web server.
Finally, it should be noted that the above embodiments merely illustrate the technical solution of the invention and do not limit it. A person of ordinary skill in the art may, with reference to the above embodiments, still modify the specific implementation of the invention or replace parts of it with equivalents; any such modification or equivalent replacement that does not depart from the spirit and scope of the invention falls within the scope of the pending claims of this application.

Claims (9)

1. A method for detecting anonymous Web server access traffic based on temporal characteristics, characterized in that the method comprises the following steps:
Step 1: Extract temporal characteristics;
Step 2: Build a temporal characteristics model based on a one-class support vector machine;
Step 3: Substitute the temporal characteristics into the temporal characteristics model for detection;
Step 4: Confirm the detection result;
Step 4 specifically comprises the following steps:
Step 4-1: The Web server redirects to a verification page;
Step 4-2: A verification code of a specific size is generated, and the user is required to enter the verification code shown on the web page;
To detect Tor and JAP anonymous access traffic at the same time, the size of the verification code is set to 990 bytes;
Step 4-3: The verification code is sent back to the Web server;
Step 4-4: The Web server confirms whether the traffic is anonymous access traffic from the lengths of the messages carrying the verification code;
If the network message carrying the verification code is split into two messages whose lengths are 498 and 492 bytes, or 989 bytes and 1 byte, respectively, the traffic is confirmed as anonymous access traffic; otherwise it is judged to be normal access traffic.
2. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 1, characterized in that: in step 1, the Web server records the respective arrival times of the GET requests and POST requests of the HTTP protocol, and takes the time intervals between consecutively occurring GET or POST requests as the temporal characteristics.
3. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 1 or 2, characterized in that step 1 specifically comprises the following steps:
Step 1-1: For each client that connects to the Web server, the Web server builds a database search index from the client's IP address;
Step 1-2: The Web server records the arrival times of the GET requests and POST requests of the HTTP protocol; for identical GET or POST requests that occur multiple times, the Web server records only the arrival time of the first GET or POST request;
Step 1-3: Temporal characteristics are extracted from the recorded arrival time series of the GET and POST requests.
4. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 3, characterized in that: in step 1-1, for a client IP address of IPv4 type, the Web server stores the client's IP address as a 4-byte INT according to the byte order of its own operating system, then computes the corresponding numerical value and uses this value as the client's search index;
For a client IP address of IPv6 type, the Web server treats the client's IPv6 address as a character string, computes a hash value with the BKDRHash hash function and uses the result as the database index, while also storing the IPv6 address information in the database.
5. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 3, characterized in that: in step 1-3, the Web server computes the time intervals between the arrivals of the GET and POST requests from their recorded arrival times, sorts the time intervals in descending order, extracts at least 20% of the time intervals, and saves them as a feature vector to serve as the temporal characteristics.
6. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 1, characterized in that: in step 2, the extracted temporal characteristics are saved as feature vectors, and a one-class support vector machine is used for model training to obtain the temporal characteristics model.
7. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 1 or 6, characterized in that: in step 2, let the length of a feature vector be $l$ and write the feature vector formally as $P = \{p_1, p_2, \ldots, p_m, \ldots, p_l\}$, where $p_m$ is the $m$-th time interval; given $k$ feature vectors in total, with $P_i$ the $i$-th feature vector, the training model built with the one-class support vector machine is as follows:
$$\min_{w,\rho,\varepsilon_i}\ \frac{1}{2}\|w\|^2 + \frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i - \rho \qquad \text{s.t.}\quad w\cdot\varphi(P_i) \ge \rho - \varepsilon_i,\quad \varepsilon_i \ge 0,\quad i = 1, 2, \ldots, k$$
where $w$ is the normal vector of the separating hyperplane; $\rho$ is a set constant that determines the distance of the origin from the hyperplane; $\varepsilon_i$ is a slack variable used to penalize misclassified points; $v$ is the parameter balancing the maximum margin against the penalty term, with $v \in (0,1]$; and $\varphi(P_i)$ denotes the mapping of the $i$-th feature vector to a high-dimensional space;
Introducing the Lagrange multipliers $\alpha_i$ and $\beta_i$ gives:
$$L(w, \varepsilon_i, \rho, \alpha_i, \beta_i) = \frac{1}{2}\|w\|^2 + \frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i - \rho - \sum_{i=1}^{k}\alpha_i\big((w\cdot\varphi(P_i)) - \rho + \varepsilon_i\big) - \sum_{i=1}^{k}\beta_i\varepsilon_i$$
Substituting the kernel function yields the following dual function:
$$\min_{\alpha_i}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j\,\varphi(P_i)\cdot\varphi(P_j) = \min_{\alpha}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j K(P_i, P_j) \qquad \text{s.t.}\quad 0 \le \alpha_i \le \frac{1}{vk},\quad \sum_{i=1}^{k}\alpha_i = 1$$
where $\alpha_j$ is a Lagrange multiplier; $\varphi(P_j)$ denotes the mapping of the $j$-th feature vector to the high-dimensional space; $P_j$ is the $j$-th feature vector, $j = 1, 2, \ldots, k$; and $K(P_i, P_j) = \varphi(P_i)\cdot\varphi(P_j)$ is the kernel function. With the radial basis function (RBF) used as the kernel function, $K(P_i, P_j)$ is expressed as:
$$K(P_i, P_j) = \exp\left(-\gamma\,\|P_i - P_j\|^2\right)$$
where $\gamma$ is the parameter controlling the radius, $\gamma > 0$;
Finally, solving the dual function yields the support vector set SV and the corresponding $\alpha_i$ values, which constitute the temporal characteristics model.
8. The method for detecting anonymous Web server access traffic based on temporal characteristics according to claim 7, characterized in that the optimal value of the parameter $v$ balancing the maximum margin against the penalty term is determined as follows:
1) With a step of 0.01, test the recognition rate for different values of $v$ in $(0, 1]$, and denote the value of $v$ with the highest recognition rate as $v'$;
2) With a step of 0.001, test the recognition rate for different values of $v$ in $(v' - 0.1, v' + 0.1]$, and take the value $v_{max}$ with the highest recognition rate as the optimal value of the balance parameter $v$.
9. The Web server anonymous access traffic detection method based on temporal characteristics according to claim 8, characterized in that: in step 3, using the computed support vector set SV and the corresponding $\alpha_i$ values, the discriminant function $y(P)$ is expressed as:
$$y(P)=\operatorname{sign}\Big[\sum_{p_i\in SV}\alpha_i K(P_i,P_j)-\rho\Big]$$
where $\operatorname{sign}(\cdot)$ is the sign function, defined as:
$$\operatorname{sign}\Big[\sum_{p_i\in SV}\alpha_i K(P_i,P_j)-\rho\Big]=\begin{cases}-1 & \text{if } \sum_{p_i\in SV}\alpha_i K(P_i,P_j)-\rho<0\\[4pt] 1 & \text{if } \sum_{p_i\in SV}\alpha_i K(P_i,P_j)-\rho\ge 0\end{cases}$$
When network traffic to be detected is classified, its temporal characteristics are substituted into the discriminant function; if the detection result is 1, confirmation of anonymous access traffic proceeds; if the detection result is -1, the traffic is judged to be normal access traffic.
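The following added sketch (not code from the patent) works through claims 7 and 9: it solves the dual with a small pairwise-update solver standing in for a library SVM, then applies the discriminant with $P$ taken as the vector under test. The function names, the values v = 0.1 and γ = 2.0, and the training data are constructed assumptions; the training vectors are assumed to be intervals from known anonymous-access sessions, in line with claim 9 treating a result of 1 as a candidate for confirmation.

```python
import math

def rbf(p, q, gamma):
    """K(P_i, P_j) = exp(-gamma * ||P_i - P_j||^2)."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(p, q)))

def train(vectors, v=0.1, gamma=2.0, tol=1e-6, max_iter=10000):
    """Solve min 1/2 sum_ij a_i a_j K_ij with 0 <= a_i <= 1/(v*k), sum a_i = 1.

    Pairwise (SMO-style) updates keep the sum constraint satisfied at every step.
    Requires 0 < v < 1; at v = 1 every a_i is pinned at 1/k and nothing is solved.
    """
    k = len(vectors)
    K = [[rbf(p, q, gamma) for q in vectors] for p in vectors]
    cap = 1.0 / (v * k)
    alpha = [1.0 / k] * k                       # feasible starting point
    g = [sum(row) / k for row in K]             # g_i = sum_j a_j K_ij
    for _ in range(max_iter):
        # Most-violating pair: i can still grow, j can still shrink.
        i = min((n for n in range(k) if alpha[n] < cap - 1e-12), key=g.__getitem__)
        j = max((n for n in range(k) if alpha[n] > 0.0), key=g.__getitem__)
        if g[j] - g[i] < tol:
            break
        eta = K[i][i] + K[j][j] - 2.0 * K[i][j]
        step = min((g[j] - g[i]) / max(eta, 1e-12), cap - alpha[i], alpha[j])
        alpha[i] += step
        alpha[j] -= step
        g = [g[n] + step * (K[n][i] - K[n][j]) for n in range(k)]
    rho = (g[i] + g[j]) / 2.0                   # margin vectors satisfy g = rho
    sv = [(a, p) for a, p in zip(alpha, vectors) if a > 1e-9]
    return {"sv": sv, "rho": rho, "gamma": gamma, "alpha": alpha, "cap": cap}

def classify(model, p):
    """sign(sum over SV of a_i K(P_i, P) - rho), with sign(0) = 1 as in claim 9."""
    score = sum(a * rbf(q, p, model["gamma"]) for a, q in model["sv"]) - model["rho"]
    return 1 if score >= 0 else -1

# Constructed sample (not from the patent): inter-request intervals in seconds, l = 4.
# Assumed to come from anonymous-access sessions; each vector jitters one interval.
BASE = [1.0, 1.2, 0.9, 1.1]
TRAIN = [[b + (s if m == n else 0.0) for n, b in enumerate(BASE)]
         for m in range(4) for s in (0.2, -0.2, 0.05, -0.05)]
MODEL = train(TRAIN)

if __name__ == "__main__":
    print(classify(MODEL, BASE), classify(MODEL, [0.05, 0.08, 0.04, 0.06]))
```

Only the training vectors that end with a non-zero multiplier are kept in the model, so classification cost grows with the size of the support vector set rather than with the size of the training set.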
CN201410535015.8A 2014-10-11 2014-10-11 A kind of Web server anonymous access flow rate testing methods based on temporal characteristics Active CN104270373B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410535015.8A CN104270373B (en) 2014-10-11 2014-10-11 A kind of Web server anonymous access flow rate testing methods based on temporal characteristics

Publications (2)

Publication Number Publication Date
CN104270373A CN104270373A (en) 2015-01-07
CN104270373B true CN104270373B (en) 2017-07-14

Family

ID=52161863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410535015.8A Active CN104270373B (en) 2014-10-11 2014-10-11 A kind of Web server anonymous access flow rate testing methods based on temporal characteristics

Country Status (1)

Country Link
CN (1) CN104270373B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20160425

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Applicant after: China Electric Power Research Institute

Applicant after: State Grid Smart Grid Institute

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: China Electric Power Research Institute

CB02 Change of applicant information

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Applicant after: China Electric Power Research Institute

Applicant after: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: China Electric Power Research Institute

Applicant before: State Grid Smart Grid Institute

COR Change of bibliographic data
GR01 Patent grant