CN112866281B - Distributed real-time DDoS attack protection system and method - Google Patents


Info

Publication number
CN112866281B
Authority
CN
China
Prior art keywords
state
ddos attack
attack
user
interface
Legal status
Active
Application number
CN202110174157.6A
Other languages
Chinese (zh)
Other versions
CN112866281A
Inventor
代红
陈泽鑫
张媛媛
袁阳可
吴子健
孙翘楚
孟迪
徐瑶
史添玮
任玲
Current Assignee
University of Science and Technology Liaoning USTL
Original Assignee
University of Science and Technology Liaoning USTL

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses a distributed real-time DDoS attack protection system and method that divide the whole DDoS protection work into three parts: perception, detection and defense. DDoS attack detection work can be suspended while no DDoS attack is occurring, which reduces wasted computation, and a detection algorithm can be selected according to the DDoS attack type, which improves detection accuracy. A self-feedback adjustment mechanism for the system is also designed, and corresponding optimization mechanisms for the communication structure, the storage mode and the like are specified. The perception-algorithm-based DDoS attack detection method can judge whether the system is in a DDoS attack state, pre-judge whether it is about to enter one, and pre-judge the DDoS attack type, so as to cope with the short duration and fast launch of current application-layer DDoS attacks.

Description

Distributed real-time DDoS attack protection system and method
Technical Field
The invention relates to the technical field of network security, in particular to a distributed real-time DDoS attack protection system and a method.
Background
The internet, as an important component of global economic development, has now fully penetrated every field of economy and society and has become a new platform and a revolutionary force for production and construction, economic trade, technological innovation, public services, cultural transmission, daily life and entertainment. Web services are the most widely used type of service and means of providing content on the internet, and therefore have become the main target of network attacks. A Distributed Denial-of-Service (DDoS) attack uses deception and disguise to flood a website server with a large amount of traffic that demands replies, consuming network bandwidth or system resources until the network or system is overloaded and paralyzed and stops providing normal network service; it thereby serves the attacker's business-competition, service-hijacking or financial aims, and is one of the biggest threats faced by Web services today.
According to the DDoS attack situation report released by China Telecom's Cloud Dike (云堤) anti-DDoS platform, more than 50% of compromised devices in the current network are used to launch DDoS attacks.
DDoS attacks appear ever more frequently in public view and bring enormous malicious consequences and economic losses as personal computers become widespread and internet-of-things devices evolve. Improved personal computer hardware lowers the cost of a DDoS attack, the growing complexity of network applications brings greater workload asymmetry, and the spread of internet-of-things devices gives attackers more puppets, which makes source IP and network UA identification more complicated and variable and makes DDoS attack detection and defense harder. DDoS attack tools such as Hyenae, DDOSIM-Layer, HULK, PyLoris and the like are easy to download, so many lawbreakers with weak expertise can also launch DDoS attacks, bringing great harm to service providers and ordinary users and causing huge economic loss and waste of resources. According to statistics, the average traffic cost of resisting a DDoS attack reaches 30,000 Gb; the peak traffic of DDoS attacks keeps climbing, network applications have become indispensable to people's daily lives, and a high-volume DDoS attack can completely paralyze a website service, so the real-time performance of DDoS attack detection is especially important in order not to affect users.
Disclosure of Invention
In view of the above defects, the present invention provides a distributed real-time DDoS attack protection method and system.
In order to achieve the above purpose, the technical scheme of the invention is as follows:
a distributed real-time DDoS attack protection system comprises an attack sensing module, an attack detection module and an attack defense module, all arranged in the system;
the attack sensing module is used for monitoring system state indices in real time and judging from them whether the system is in a DDoS attack state; when the system is in a DDoS attack state, the type of DDoS attack is judged according to the system state index that triggered attack perception;
the attack detection module is used for detecting interface traffic and screening out the source IP addresses of the DDoS attack or the interfaces with abnormal access frequency;
and the attack defense module is used for carrying out a normality test on the interface, entering subsequent defense processing when the test result is correct, and carrying out defense processing on the interface under DDoS attack.
The system further comprises a visualization module, wherein the visualization module is used for monitoring the state of the target Web application server group, and the Web application server group state comprises server hardware information, software information and an operating system state.
The attack sensing module, the attack detection module and the attack defense module communicate over communication links provided by a message broker service.
A distributed real-time DDoS attack protection method comprises the following steps:
monitoring system state indices in real time, and judging from them whether the system is in a DDoS attack state;
when the system is in a DDoS attack state, judging the type of DDoS attack according to the system state index that triggered attack perception;
detecting interface traffic, and screening out the source IP addresses of the DDoS attack or the interfaces with abnormal access frequency;
and carrying out a normality test on the interface, entering subsequent defense processing when the test result is correct, and carrying out defense processing on the interface under DDoS attack.
The step of judging whether the system is in a DDoS attack state or not according to the system state index comprises the following steps:
1.1, predicting a system state index value through a data model;
and 1.2, acquiring the deviation degree by utilizing the predicted value and the observed value, and judging whether the system is in a DDoS attack state or not according to the deviation degree.
The data model includes: an AR model, a MA model, or an ARMA model.
Predicting the system state index value through the AR model comprises the following:
the formula of the AR model:
Figure SMS_1
$\theta = (2^{-1}, 2^{-2}, 2^{-3}, \ldots, 2^{-L})$;
$L = \min\{10, \max\{3, 0.3 \le |\lg(V_{t-L}/V_{t-L-1})|\}\}$;
wherein $V_t$ is the predicted value of the target system state index at the $t$-th statistical interval; $t$ is the index of the current statistical interval; $S_{t-i}$ is the observed value of the system state index at time $t-i$; $i$ is a time index running from 1 to $L$, i.e. a particular past time;
$\theta_i$ are the AR model parameters; here $\theta_i$ can be regarded as the confidence placed in the observed value at time $t-i$ when predicting. To keep the model general and the calculation cheap, the fixed vector $\theta$ is used in place of individually fitted $\theta_i$; to make the coefficients sum to 1, the term $\theta_L S_{t-L}$ is added once more, i.e. the coefficient of the last term is doubled;
$L$ is the order of the model, i.e. the number of observations that take part in the prediction; $V_{t-L}$ is the predicted value of the target system state index found by searching forward $L$ intervals, and $V_{t-L-1}$ is the predicted value found by searching forward $L+1$ intervals, so $V_{t-L}$ and $V_{t-L-1}$ are two consecutive predicted values $L$ intervals back; $e$ is the error compensation value;
After the predicted value is obtained, the deviation degree is calculated from the predicted value and the observed value with the following formula:
Figure SMS_2
The variance of all observed values that took part in the prediction is compared with the difference between the predicted value and the observed value; when that difference exceeds $p$ times the variance, the system is judged to be under DDoS attack, where $p$ is the judgment threshold of the DDoS attack perception algorithm.
The system state indices specifically include KNR, PCIR, IUR and PUR:
the access frequency ratio KNR of key interfaces to normal interfaces, counted over a preset time interval; a key interface is one that has to use the database or wait for a reply from another third-party service;
the interface access frequency ratio PCIR, obtained by principal component analysis of the key-interface access frequencies;
the ratio IUR of the number of accesses to the key interfaces to the number of current users;
and the ratio PUR of the number of page accesses to the number of current users.
The access frequency ratio of key interfaces to normal interfaces is denoted KNR (Key Interface to Normal Interface Ratio) and is calculated as follows:
Figure SMS_3
wherein $\mathrm{request}_{key}$ is the number of accesses to the key interfaces, $\mathrm{request}_{normal}$ is the number of accesses to the other interfaces, and $t$ is the unit time of algorithm detection;
the interface access frequency ratio given by principal component analysis of the key-interface access frequencies is denoted PCIR and is calculated as follows:
$\mathrm{PCIR} = \mathrm{PCA}_1([\mathrm{Interface}_1, \mathrm{Interface}_2, \ldots, \mathrm{Interface}_n]_t)$
wherein $t$ is the unit time of algorithm detection and $\mathrm{Interface}_n$ is the number of requests to the $n$-th interface of the Web service application;
the ratio of the number of interface accesses to the number of current users is denoted IUR and is calculated as follows:
Figure SMS_4
wherein $t$ is the unit time of algorithm detection, $\mathrm{request}_{all}$ is the number of all HTTP requests to the Web service application in that time, and IP is the number of all active user connections of the Web service application in that time, i.e. the number of source IPs;
the ratio of the number of page accesses to the number of current users is denoted PUR and is calculated as follows:
Figure SMS_5
wherein $t$ is the unit time of algorithm detection, page is the number of page accesses in that time, and IP is the number of all active user connections of the Web service application in that time, i.e. the number of source IPs.
When the system is in a DDoS attack state, judging the type of DDoS attack according to the system state index that triggered attack perception specifically comprises:
when KNR deviates, asymmetric-workload DDoS attack perception is triggered;
when IUR deviates, request-flooding DDoS attack perception is triggered;
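As an added example (not code from the patent), the following Python script builds the KNR and IUR state indices from constructed access-log lines, runs the AR predictor and deviation-degree test described above over them, and maps a deviating index to the attack type the text assigns to it. The AR formula is written out as the description implies (weights $2^{-i}$ with the last one doubled, plus an error term $e$ taken as 0), the order $L$ is passed in rather than chosen by the lg-ratio rule, and the threshold $p = 6$ and the key-interface set are assumed.

```python
import math
from collections import defaultdict
from statistics import pvariance

# Assumed set of interfaces that hit the database or a third-party service
# ("key interfaces" in the patent's terms); everything else is "normal".
KEY_INTERFACES = {"/api/search", "/api/order"}

# Constructed access log, one "<second> <source-ip> <method> <uri>" line per
# request. Seconds 0-5 alternate between two ordinary load levels; in second 6
# one extra source floods the key interface.
_TRAFFIC = []
for _sec in range(6):
    for _ip in ("10.0.0.1", "10.0.0.2"):
        _TRAFFIC += [(_sec, _ip, "/index.html")] * 2
        _TRAFFIC += [(_sec, _ip, "/api/search")] * (2 if _sec % 2 == 0 else 3)
_TRAFFIC += [(6, "10.0.0.1", "/index.html")] * 2 + [(6, "10.0.0.1", "/api/search")] * 3
_TRAFFIC += [(6, "10.0.0.9", "/api/search")] * 40
LOG_LINES = [f"{sec} {ip} GET {uri}" for sec, ip, uri in _TRAFFIC]


def index_series(lines, key_interfaces=KEY_INTERFACES):
    """Compute the KNR and IUR state indices per one-second interval.

    KNR = key-interface requests / normal-interface requests,
    IUR = all requests / number of distinct source IPs.
    Returns {"KNR": [...], "IUR": [...]} ordered by interval.
    """
    per_sec = defaultdict(lambda: {"total": 0, "key": 0, "ips": set()})
    for line in lines:
        sec, ip, _method, uri = line.split()
        bucket = per_sec[int(sec)]
        bucket["total"] += 1
        bucket["key"] += int(uri in key_interfaces)
        bucket["ips"].add(ip)
    knr, iur = [], []
    for sec in sorted(per_sec):
        b = per_sec[sec]
        normal = b["total"] - b["key"]
        # No normal traffic at all: the ratio is unbounded rather than an error.
        knr.append(b["key"] / normal if normal else math.inf)
        iur.append(b["total"] / len(b["ips"]))
    return {"KNR": knr, "IUR": iur}


def ar_weights(order):
    """theta = (2^-1, ..., 2^-L) with the last coefficient doubled so they sum to 1."""
    w = [2.0 ** -(i + 1) for i in range(order)]
    w[-1] *= 2
    return w


def predict(history, order, error_comp=0.0):
    """V_t from S_{t-1} .. S_{t-L}; history[-1] is the most recent observation."""
    if len(history) < order:
        raise ValueError("not enough observations for the requested order")
    window = history[-order:]
    return sum(w * s for w, s in zip(ar_weights(order), reversed(window))) + error_comp


def perceive(series, order=4, p=6.0):
    """Deviation-degree test at every point that has L observations before it.

    Returns (t, predicted, deviation, threshold, attacked) tuples. The patent
    compares the deviation with p * variance (squared units), so p must be
    tuned to the scale of each index; p=6 is an assumed value.
    """
    results = []
    for t in range(order, len(series)):
        history, actual = series[:t], series[t]
        predicted = predict(history, order)
        threshold = p * pvariance(history[-order:])
        deviation = abs(predicted - actual)
        results.append((t, predicted, deviation, threshold, deviation > threshold))
    return results


def perceived_attack_types(all_series, order=4, p=6.0):
    """Map each deviating index to the attack type the patent associates with it."""
    mapping = {"KNR": "asymmetric workload", "IUR": "request flooding"}
    triggered = {}
    for name, series in all_series.items():
        hits = [t for t, *_, attacked in perceive(series, order, p) if attacked]
        if hits:
            triggered[mapping[name]] = hits
    return triggered


if __name__ == "__main__":
    series = index_series(LOG_LINES)
    for name, values in series.items():
        print(name, values)
    print(perceived_attack_types(series))  # both types trigger at second 6
```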
Detecting the interface traffic and screening out the source IP addresses of the DDoS attack or the interfaces with abnormal access frequency comprises the following steps:
3.1, establishing a detection model, and calculating the normality probability of a model user through the detection model;
3.2, acquiring a user operation sequence, and calculating to obtain the operation normality probability of the user operation sequence;
3.3, comparing the operation normality probability with the model user normality probability, and judging that the user behavior is normal when the operation normality probability is contained in the model user normality probability; and when the operation normality probability is not contained in the model user normality probability, judging that the user behavior is abnormal.
The detection model is a hidden semi-Markov model;
Hidden semi-Markov model parameter set description:
$\mathrm{HSMM} = (A = \{s_m\},\ P = \{ts_{mn}\},\ T = \{tr_m(r_i, \tau_i)\},\ D = \{num_m(d)\})$
A is the initial probability matrix of the user access states, the set of probabilities that a user starts in a given state; P is the matrix of transition probabilities between states, the set of probabilities that a user moves from one browsing state to another; T is the matrix of observation probabilities in a given state, describing the probability that a user in a given real browsing state appears to the back-end server as a particular pair of actual request content and request time interval, i.e. the probability distribution function of the observed values of the user's browsing state; and D is the probability distribution of the state residence time, i.e. of the number of request accesses the back-end server actually receives from the user before the user reaches the next service key point or browsing state, that is, the number of observed values.
Wherein $s_m = \sum \mathrm{state}_m / \sum \mathrm{state}$;
$ts_{mn} = \sum \theta(\mathrm{state}_m, \mathrm{state}_n) / \sum \mathrm{state}_m$;
Figure SMS_6
$num_m(d) = \sum \mathrm{length}_{m-1,m}(d) / \sum \mathrm{state}_m$
wherein $s_m$ is the probability that the user's initial browsing state is $\mathrm{state}_m$, $\mathrm{state}_m$ denotes browsing state $m$ and state denotes any browsing state; $ts_{mn}$ is the probability that the user's browsing state transfers from $\mathrm{state}_m$ to $\mathrm{state}_n$, and $\theta(\mathrm{state}_m, \mathrm{state}_n)$ denotes the non-repeating subset of all observation sequences that start with $\mathrm{state}_m$ and end with $\mathrm{state}_n$; $tr_m(r_i, \tau_i)$ is the probability that, on the way to access state $\mathrm{state}_m$, the back-end server actually receives the access observation state $r_i$ after a time interval $\tau_i$, where $r_i$ is the user's browsing state as observed by the back-end server, $r_{i-1}$ is the browsing state preceding $r_i$ in the browsing sequence, and $\tau_i$ is the access time interval between the two corresponding states $r_i$ and $r_{i-1}$;
Figure SMS_7
the space function is the probability density function of the interval between two HTTP requests of a user in the Web application, so $\mathrm{space}(\tau_i)$ is the probability that the interval between two requests of the user is $\tau_i$; $num_m(d)$ is the probability that, when the user reaches a service key point with access state $\mathrm{state}_m$, the number of observation-state accesses received by the back-end server is $d$, where $\mathrm{length}_{m-1,m}(d)$ denotes the number of subsets of all observation sequences that start with $\mathrm{state}_{m-1}$, end with $\mathrm{state}_m$ and have length $d$.
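As an added example (not the patent's implementation), the following Python code estimates the A, P and D parameters of the HSMM from constructed browsing sessions by counting as the formulas above describe, scores a new operation sequence, and compares it with the model-user normality range (steps 3.1 to 3.3). It leaves out the observation/interval term T ($tr_m$ and the space function), treats "contained in the model user normality probability" as scoring at or above the lowest training-session score, and uses an assumed floor probability FLOOR for events never seen in training.

```python
import math
from collections import Counter
from itertools import groupby

# Constructed browsing sessions of normal users: the sequence of browsing
# states (URIs mapped to short names) that the back-end server observed.
TRAINING_SESSIONS = [
    ["home", "list", "list", "detail", "cart", "pay"],
    ["home", "list", "detail", "detail", "cart", "pay"],
    ["home", "home", "list", "detail", "cart"],
    ["list", "detail", "cart", "pay"],
    ["home", "list", "list", "list", "detail"],
]

FLOOR = 1e-3  # assumed probability for an event never seen in training


def runs(session):
    """Run-length encode a session: [(state, duration)], one entry per visit."""
    return [(state, len(list(group))) for state, group in groupby(session)]


def train_hsmm(sessions):
    """Estimate A (initial), P (transition) and D (duration) by counting.

    s_m      = sessions that start in m / all sessions
    ts_mn    = visits to m followed by n / visits to m
    num_m(d) = visits to m that lasted d observations / visits to m
    The observation/interval term T (tr_m) is not modelled here.
    """
    starts, visits, trans, durations = Counter(), Counter(), Counter(), Counter()
    for session in sessions:
        enc = runs(session)
        starts[enc[0][0]] += 1
        for i, (state, d) in enumerate(enc):
            visits[state] += 1
            durations[(state, d)] += 1
            if i + 1 < len(enc):
                trans[(state, enc[i + 1][0])] += 1
    return {
        "A": {m: c / len(sessions) for m, c in starts.items()},
        "P": {(m, n): c / visits[m] for (m, n), c in trans.items()},
        "D": {(m, d): c / visits[m] for (m, d), c in durations.items()},
    }


def normality_score(model, session):
    """Per-visit average log-probability of a session under A, P and D."""
    enc = runs(session)
    logp = math.log(model["A"].get(enc[0][0], FLOOR))
    for i, (state, d) in enumerate(enc):
        logp += math.log(model["D"].get((state, d), FLOOR))
        if i + 1 < len(enc):
            logp += math.log(model["P"].get((state, enc[i + 1][0]), FLOOR))
    return logp / len(enc)


def build_detector(sessions):
    """Return (model, lower_bound); the bound is the lowest training score."""
    model = train_hsmm(sessions)
    lower = min(normality_score(model, s) for s in sessions)
    return model, lower


def is_normal(model, lower, session):
    """Step 3.3: the sequence is normal if its score lies within the model-user range."""
    return normality_score(model, session) >= lower


if __name__ == "__main__":
    model, lower = build_detector(TRAINING_SESSIONS)
    print("lower bound", round(lower, 3))
    print(is_normal(model, lower, ["home", "list", "detail", "cart", "pay"]))  # True
    print(is_normal(model, lower, ["detail"] * 30))                            # False
```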
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a Distributed Real-time DDoS attack Protection system and a method, wherein a Distributed Real-time DDoS attack Protection frame (DRDPF) is used for containing a complete frame with DDoS attack sensing, detecting and defending functions. The DRDPF framework capable of reducing resource waste is composed of core modules such as a DDoS attack perception module, a DDoS attack detection module and a DDoS attack defense module, and a visual management module, a message middleware, a database and the like, and efficiency is improved through an optimization mechanism for communication, storage and the like, so that instantaneity is realized. The method comprises the steps of monitoring system state indexes, judging whether a system is in a DDoS attack state or not according to the system state indexes, pre-judging whether the system is in the DDoS attack state or not, and pre-judging DDoS attack types, so that the method is opposite to the characteristics of short DDoS attack duration and high launching speed of the current application layer, when the DDoS attacks do not occur, the DDoS attack detection work is suspended, the performance consumption of a server is reduced, the DDoS attack types pre-judged by a perception algorithm can be used for selecting a proper DDoS attack detection algorithm, the accuracy of the whole attack detection is improved, and in addition, the DDoS attack detection algorithm can be processed.
Furthermore, in order to cope with the development trend of high frequency, low duration and large scale presented by the current application layer DDoS attack and solve the common difficulties of high quality data set shortage, environment antagonism, model interpretability and the like in the current DDoS attack detection, a DDoS attack detection algorithm based on user access behavior with real-time performance and real-time parameter updating is provided.
Further, the attack defense module can perform normality test on the threat object in the detection result of the attack detection module, can confirm the attack perception and the attack detection result according to the feedback of the normality test, and updates and corrects the parameters of the used algorithm according to the result so that the parameters can be automatically adjusted along with the service change of the protected Web application.
Drawings
FIG. 1 is a block diagram of a distributed real-time DDoS attack protection system of the present invention;
FIG. 2 is a block diagram of the internal work flow of a DDoS attack sensing module according to the present invention;
FIG. 3 is a block diagram of the internal workflow of a DDoS attack detection module according to the present invention;
FIG. 4 is a block diagram of the internal workflow of a DDoS attack defense module according to the present invention;
FIG. 5 is a flow chart of a distributed real-time DDoS attack protection method of the present invention;
FIG. 6 is a HSMM model training flow diagram of the present invention;
fig. 7 is a HSMM model parameter updating flow of the present invention.
Detailed Description
The present invention will now be described in detail with reference to the drawings, wherein the described embodiments are only some, but not all embodiments of the invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, belong to the scope of the present invention.
As shown in fig. 1, the present invention provides a Distributed Real-time DDoS attack Protection system that offers a Distributed Real-time DDoS attack Protection Framework (DRDPF), designed to fit the current DDoS attack development trend by observing and studying how DDoS attacks evolve. It comprises an attack sensing module 1, an attack detection module 2 and an attack defense module 3, which communicate with one another;
the attack sensing module 1 is used for monitoring system state indexes in real time and judging whether the system is in a DDoS attack state or not according to the system state indexes; and when the system is in a DDoS attack state, judging the type of the DDoS attack according to the system state index triggering attack perception.
The DDoS attack sensing module judges whether the current system is in an abnormal state and is one of the mechanisms that keep the DRDPF framework running in real time. Internally it provides data acquisition, data processing, state judgment and similar functions, which, combined with a real-time attack perception algorithm, give early warning of an arriving DDoS attack and judge the attack type while reducing computational consumption. To improve the independence and cohesion of the module's programs and realize a unified framework, these functions are divided into two parts inside the DDoS attack perception module: a data collector and a state predictor. The specific workflow inside the module is shown in fig. 2. Data processing and simplification consist of extracting from the network traffic mainly the URI and parameter part of each HTTP request, together with its header, and mapping URIs to short links according to the actual Web application service; this reduces the amount of calculation and raises efficiency while preserving the path relationships.
And the attack detection module 2 is used for detecting the interface flow and screening out an IP address of origin of DDoS attack or an interface with abnormal access frequency.
The attack detection module 2 has a main function of detecting a source IP initiating a DDoS attack or a main interface suffering from a requested one-shot attack from a traffic log by using a corresponding detection algorithm according to a DDoS attack type pre-determined by the attack sensing module, and forming a source IP set with abnormal access or a URI set with abnormal access times as a processing result of the DDoS attack detection module. The detection result is sent to the DDoS defense module to be used as input information of subsequent defense processing. The specific internal workflow of the attack detection module is shown in fig. 3.
Application-layer DDoS attacks can be divided into three types according to their characteristics: request flooding, asymmetric workload and requested one-shot. A request flooding attack produces a large number of requests from the same source IPs, whereas an asymmetric workload attack produces URIs with abnormally high access counts. The traffic characteristics of a requested one-shot attack are weak, and neither the attack source IP nor the target URI produces strong statistical features, which is one of the more difficult parts of current DDoS attack detection methods.
Because different Web service applications are easy to be attacked by DDoS in different ways and due to the existence of the adversaries of attackers to the detection algorithm, the DDoS attack variability is strong, and therefore, it is unrealistic to hope that the problems in all environments can be completely solved by a certain algorithm in the current situation. The DRDPF framework does not limit the number of algorithms, algorithm selection is carried out according to the weights of the accuracy and the false alarm rate, weight calculation is carried out according to information transmitted by the attack sensing module, a proper detection algorithm is selected, and different problem sources are expected to be adapted to different detection algorithms, so that the overall accuracy is improved. Meanwhile, the invention provides a DDoS attack detection algorithm based on user access behaviors for realizing a DDoS attack protection system.
And the attack defense module 3 is used for carrying out normality test on the interface, entering subsequent defense processing when the test result is correct, and carrying out defense processing on the interface subjected to DDoS attack.
The DDoS attack defense module mainly verifies and confirms the detection result of the attack detection module and performs subsequent processing on the verified result. With online transactions and e-commerce developing rapidly today, judgments about DDoS attack sources follow a conservative principle: when the attack detection module submits a source IP or an abnormal interface suspected of DDoS attack, a normality test is carried out on the visitor, and the correctness of the detection result is judged from the result of that test. Besides ensuring that normal users can keep using the service, the result serves as feedback for the DDoS attack perception and detection algorithms, making them more accurate. The internal workflow of the DDoS attack defense module is shown in fig. 4. Normality tests are mainly realized with verification codes, question answering, SMS verification, token checks and the like; the better current means of verifying user normality are mainly verification codes, such as image or character verification codes. However, because of the way applications are developed, or because of the developers, a normality test is usually required only at login or where user security is involved. In particular, some systems developed earlier cannot require a user to pass a normality test at arbitrary times, which limits the universality of the protection system. The invention therefore provides a non-invasive way of realizing a global normality test in the implementation part of the distributed real-time DDoS attack protection system. It uses an asynchronous test request mode that needs no active initiation and no waiting for the client's reply, and so saves performance compared with the traditional test request mode.
In addition, the system also comprises a visualization module 4, wherein the visualization module 4 is used for monitoring the state of the target Web application server group, and the Web application server group state comprises server hardware information, software information and an operating system state. The hardware information comprises CPU utilization rate, CPU temperature, memory usage, disk usage information and the like, and the software information comprises database state, SQL execution record, web service execution state and the like. According to the information, operation and maintenance personnel can quickly judge the running state of the Web service, whether the application runs normally or not and the like. Meanwhile, the information collected in the visual monitoring assembly is also one of the information required in DDoS attack perception and detection algorithm operation in the DDoS attack protection system and exists as a part of the whole information collection.
As shown in fig. 5, the present invention further provides a distributed real-time DDoS attack protection method, which includes the following steps:
1. monitoring system state indexes in real time, and judging whether the system is in a DDoS attack state or not according to the system state indexes;
Most traditional DDoS attack detection methods process the captured traffic and then send it straight to a detection algorithm for traffic classification, attack detection and similar work, but the system is under actual DDoS attack only a small fraction of the time, and attacks are bursty. Running the algorithm continuously therefore wastes a large amount of computation. Here the current state of the system, and the attack type when a DDoS attack occurs, are pre-judged by a DDoS attack perception algorithm. When no DDoS attack is occurring, DDoS attack detection work is suspended, which reduces the waste of computing power. When the system state is normal, the server hosting the attack detection module stays dormant, which, combined with a cloud provider's elastic computing scheme, can save a large amount of server cost. At the same time, by pre-judging the DDoS attack type, the system can select the DDoS attack detection method that performs best for that attack type or problem source, improving overall detection performance.
The judging whether the system is in a DDoS attack state or not according to the system state index comprises the following steps:
1.1, predicting a system state index value through a data model;
and 1.2, acquiring the deviation degree by utilizing the predicted value and the observed value, and judging whether the system is in a DDoS attack state or not according to the deviation degree.
The data model is an AR model, an MA model or an ARMA model. The data required for the system state index mainly comprises the source IP, URI information, time information and the system interface list in the access traffic; all of this is complete information that can be obtained directly in the Web application. Viewed as a system state index, this information is a numerical sequence that changes over time. The system state index sequence can therefore be regarded as a time-dependent state sequence that is complete and has enough data, and every state of the sequence is related to the system usage and user behaviour at the previous moment, i.e. the sequence is autocorrelated. Under these conditions and characteristics, the Box-Jenkins method (also called the B-J method) is used to predict the system state index.
The Box-Jenkins method is a statistical method for predicting time series: on the basis of analysing a time series, and given enough data, it predicts the series more completely and accurately. The common models include the AR model (autoregressive model), the MA model (moving average model) and the ARMA model (autoregressive moving average model).
(1) AR model
Figure SMS_8
where n is the order of the autoregressive model; Num_t is the observed value of the time series at time t, Num_{t−1} the observed value at time t−1, and likewise Num_{t−n} the observed value at time t−n;
Figure SMS_9
are the parameters of the autoregressive model; e_t is the deviation caused by random factors that the model cannot account for.
(2) MA model
Num_t = e_t − θ_1 e_{t−1} − θ_2 e_{t−2} − … − θ_n e_{t−n}
where n is the order of the moving average model; Num_t is the observed value of the time series at time t; e_t is the deviation of the time series model at time t, e_{t−1} the deviation at time t−1, and likewise e_{t−n} the deviation at time t−n; θ_1, …, θ_n are the parameters of the moving average model.
(3) ARMA model
Figure SMS_10
ARMA is the autoregressive moving average model, an organic combination of the autoregressive and moving average models; each parameter has the same meaning as in those two models.
Because an actual DDoS attack tries to exhaust system resources, the value of the system state index changes by orders of magnitude. High precision is therefore not needed when the prediction of the system state index is used to judge the DDoS attack state, and the most efficient of the three, the AR model, is selected to predict it.
The following description takes an AR model as an example:
the predicting of the system state index value through the AR model comprises the following steps:
the formula of the AR model:
Figure SMS_11
θ = (2^{−1}, 2^{−2}, 2^{−3}, …, 2^{−L});
L = min{ 10, max{ 3, 0.3 ≤ |lg(V_{t−L} / V_{t−L−1})| } };
where V_t is the predicted value of the target system state index at the t-th statistical interval; t is the index of the current statistical interval; S_{t−i} is the observed value of the system state index at interval t−i; i runs from 1 to L and selects one past interval;
θ_i is an AR model parameter, which can be read here as the confidence placed in the observation at interval t−i when predicting. To keep the model general and cheap to compute, the fixed vector θ above replaces individually fitted θ_i. Because 2^{−1} + 2^{−2} + … + 2^{−L} = 1 − 2^{−L}, one more θ_L S_{t−L} term is added, i.e. the coefficient of the last term is doubled, so that the coefficients sum to exactly 1;
L is the order of the model, i.e. the number of observations taking part in the prediction; V_{t−L} and V_{t−L−1} are the predicted values found by searching L and L+1 intervals backwards from t, i.e. two consecutive predicted values L intervals back. The formula above is used to smooth out possible peaks: because the coefficients halve at every step, observations more than ten intervals back contribute almost nothing, so the formula keeps L between 3 and 10, which does not affect the result within the accuracy needed for DDoS attack perception; the condition on |lg(V_{t−L} / V_{t−L−1})| staying below 0.3 selects a gentler part of the observations, so that a sharp value or peak does not distort the prediction.
e is the error compensation value. It can be adjusted dynamically from the feedback of normal test requests during the later work of the DDoS defense module, or adjusted manually by the system's user according to the operating situation of the website, for example when the website holds an event or releases a new function. The adjustment method is described in detail in the section on supplementing the system state index and automatically correcting the judgment threshold.
After the predicted value is obtained, calculating the deviation degree according to the predicted value and the observed value, wherein the calculation formula is as follows:
Figure SMS_12
The difference between the predicted value and the observed value is compared with the variance of all observed values that took part in the prediction: when the difference exceeds p times that variance, the system is judged to be under DDoS attack. p is the judgment threshold of the DDoS attack perception algorithm; because it can be corrected automatically from the feedback of the DDoS attack defense module, its initial value is set to 2 according to the experimental results.
Experiments showed that fluctuations in the observed values strongly affect prediction accuracy. To improve overall accuracy, the observed sequences on which the system state indices used for prediction depend, such as the number of source IPs, the number of interface accesses and the CPU utilization, have to be filtered first. Commonly used numerical filtering methods include the following:
(1) Amplitude limiting filtering method
The maximum allowed difference between two successive samples is fixed as x. Each time a new observation arrives, if the difference between it and the previous observation is at most x the observation is valid; if the difference is greater than x it is invalid and the previous observation is used instead. The admissible range of the observation is therefore:
V_t − x ≤ V_{t+1} ≤ V_t + x
The amplitude limiting filter needs very little computation and effectively suppresses pulse-type interference caused by accidental factors, but the parameter x has to be chosen from experiment or experience, and with this method the sequence loses its numerical features and its smoothness is poor.
(2) Recursive average filtering method
The recursive average filter, also called the moving average filter, uses the idea of a sliding window: N consecutive observations are kept as a queue, and the arithmetic mean of the queue is the filtered value for the next moment.
The recursive average filter suppresses periodic interference well and gives good smoothness, but its sensitivity is low and it handles sporadic pulse-type interference poorly.
(3) Average filtering method for preventing pulse interference
This method combines the advantages of the median filter and the arithmetic mean filter: the maximum and minimum in the sliding window are removed and the filtered value is computed from the rest. It avoids both impulse interference and periodic interference well and suits systems with high-frequency periodic variation.
(4) First order lag filtering method
The first-order lag filter smooths the observed value according to the formula:
V_{t+1} = (1 − x)·S_{t+1} + x·V_t
where S is the actual observed value and x the chosen proportional parameter. This filter works well when the values change gently, but it reduces the sensitivity of the system's judgment.
Other filtering methods include Kalman filtering, weighted recursive filtering, debounce filtering and so on. Because every parameter changes exponentially during a DDoS attack, the filter has to remove pulse interference while preserving genuinely large pulses. At the same time, network conditions and caching on the client side and at DNS nodes cause high-frequency jitter in each parameter of the system state index. The anti-pulse-interference average filter is therefore selected to filter the data before the AR model predicts it; it removes pulse interference caused by the network and by accidental factors better and improves the accuracy of the prediction model.
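The filtering and prediction steps above, written out as an added example; it is not code from the patent. The IUR-like sample series, the 5-sample window, the reading of the order rule L as "walk back from the newest value until two consecutive values differ by a factor of 10^0.3", and the use of the standard deviation of the window as the yardstick for the deviation test (the deviation formula itself is not reproduced on the page) are all assumptions:

```python
import math
from typing import List, Sequence, Tuple

# Constructed IUR-like observations, one per statistical interval: a stable level around 4,
# an accidental pulse at index 5, and a request flood from index 15 onwards.
RAW_SERIES = [4.0, 4.2, 3.9, 4.1, 4.0, 9.0, 4.1, 4.0, 3.9, 4.2,
              4.0, 4.1, 4.0, 3.9, 4.1, 40.0, 42.0, 41.0]


def anti_pulse_average_filter(values: Sequence[float], window: int = 5) -> List[float]:
    """Method (3): sliding-window mean after dropping the window's maximum and minimum.
    The first window-1 samples pass through unchanged because no full window exists yet."""
    out = list(values[: window - 1])
    for i in range(window - 1, len(values)):
        win = sorted(values[i - window + 1 : i + 1])
        core = win[1:-1]
        out.append(sum(core) / len(core))
    return out


def amplitude_limit_filter(values: Sequence[float], x: float) -> List[float]:
    """Method (1): a sample further than x from the previous accepted value is replaced by it."""
    out = [values[0]]
    for v in values[1:]:
        out.append(v if abs(v - out[-1]) <= x else out[-1])
    return out


def first_order_lag_filter(values: Sequence[float], x: float) -> List[float]:
    """Method (4): V_{t+1} = (1-x)*S_{t+1} + x*V_t."""
    out = [values[0]]
    for s in values[1:]:
        out.append((1 - x) * s + x * out[-1])
    return out


def ar_weights(order: int) -> List[float]:
    """theta_i = 2^-i for i = 1..L; the last weight is doubled so the weights sum to exactly 1."""
    w = [2.0 ** -i for i in range(1, order + 1)]
    w[-1] *= 2
    return w


def choose_order(history: Sequence[float], lo: int = 3, hi: int = 10, ratio: float = 0.3) -> int:
    """Walk backwards from the newest value and stop at the first pair of consecutive values whose
    log10 ratio reaches `ratio` (a sharp edge); clamp the result to [lo, hi] (assumed reading of L)."""
    order = 1
    while order < hi and len(history) > order:
        newer, older = history[-order], history[-order - 1]
        if newer <= 0 or older <= 0 or abs(math.log10(newer / older)) >= ratio:
            break
        order += 1
    return max(lo, min(hi, order))


def ar_predict(history: Sequence[float], order: int, e: float = 0.0) -> float:
    """V_t = sum_i theta_i * S_{t-i} + e over the last `order` observations (newest gets weight 1/2)."""
    newest_first = list(reversed(history[-order:]))
    return sum(w * s for w, s in zip(ar_weights(order), newest_first)) + e


def deviation_alarm(history: Sequence[float], order: int, predicted: float, observed: float,
                    p: float = 2.0) -> bool:
    """True when |predicted - observed| exceeds p times the spread of the observations used."""
    window = history[-order:]
    mean = sum(window) / len(window)
    sd = math.sqrt(sum((v - mean) ** 2 for v in window) / len(window))
    return abs(predicted - observed) > p * sd


def perceive(series: Sequence[float], p: float = 2.0, lo: int = 3, hi: int = 10
             ) -> List[Tuple[int, int, float, float, bool]]:
    """For every interval with at least hi+1 past values: (t, L, predicted, observed, alarm)."""
    rows = []
    for t in range(hi + 1, len(series)):
        history = series[:t]
        order = choose_order(history, lo, hi)
        predicted = ar_predict(history, order)
        rows.append((t, order, round(predicted, 3), series[t],
                     deviation_alarm(history, order, predicted, series[t], p)))
    return rows


if __name__ == "__main__":
    filtered = anti_pulse_average_filter(RAW_SERIES)
    for row in perceive(filtered):
        print(row)
```

Running it on the constructed series shows the trade-off the text mentions: the pulse at index 5 is dropped as the window maximum, but so is the first attack sample at index 15, so the alarm fires one interval later, at index 16, once the second attack sample lifts the window average. At index 17 the order rule detects the sharp edge and shortens L to 3. A practitioner should keep this one-interval lag in mind when sizing the statistical interval t.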
In the invention, starting from assumptions about how users access a Web service application, the concept of a key interface is proposed together with several system state indicators that judge the current state of the Web service system and perceive DDoS attacks. By attack characteristics, application-layer DDoS can be divided into three types: request flooding, asymmetric workload and repeated one-shot. Each type triggers the alarm of a corresponding system state indicator when it occurs, so the DDoS attack type is judged in advance and the subsequent DDoS attack detection and defense work is notified to start. To improve user experience, modern Web service applications contain functions of high complexity and large time cost, such as site-wide search, order query, history log query, and sending an SMS or e-mail for a password change. These functions either work with the database or wait for the reply of another third-party service; they occupy a large amount of CPU time and have extremely high workload asymmetry. When such functions are attacked, an attacker with a certain number of attack sources can exhaust system resources quickly even with low-rate repeated access or a repeated one-shot attack, so these functional interfaces are frequent targets of DDoS attacks and can serve as one way of judging the DDoS attack state. The present invention defines such interfaces in a Web application as "key interfaces".
According to the above analysis and a study of real network traffic from a typical Web application, the system state indicators are specifically KNR, IUR and PUR:
the access frequency ratio KNR of key interfaces to ordinary interfaces is counted at a preset time interval; a key interface is an interface that has to work with the database, or wait for the reply of another third-party service, to complete its function;
the ratio of the number of accesses to key interfaces to the number of accesses to ordinary interfaces is written KNR, and the calculation formula is:
Figure SMS_13
where request_key is the number of accesses to key interfaces, request_normal the number of accesses to ordinary interfaces, and t the unit time of algorithm detection;
Normal users of a Web service application have similar needs, so the frequency with which they use different interfaces is relatively stable; the key interfaces are used unconsciously and incidentally, and strongly targeted access to them should not occur. A low-rate DDoS attack consumes system resources through the resource-heavy key interfaces and greatly raises the access frequency of key interfaces within the statistical window. When this indicator deviates, asymmetric-workload DDoS attack perception is triggered.
The first principal component of the interface access frequencies is written PCIR (Principal Component of Interface Ratio), and the calculation formula is:
PCIR = PCA_1([Interface_1, Interface_2, …, Interface_n]_t)
where t is the unit time of algorithm detection and Interface_n is the number of requests to the n-th interface of the Web service application;
The ratio of the number of interface accesses to the number of current users is written IUR (Interface to User Ratio):
Figure SMS_14
where t is the unit time of algorithm detection, request_all is the number of all HTTP requests to the Web service application in that time, and IP is the number of active user connections at that time, i.e. the number of source IPs.
Under normal user behaviour the speed of operation, i.e. the rate of interface access, is relatively stable, so within the statistical window the ratio of the number of interface accesses to the number of users (source IPs) is relatively stable. In a request flooding attack the attack source hosts issue HTTP requests rapidly, so when this indicator deviates greatly, request flooding DDoS attack perception is triggered.
The ratio of the number of page accesses to the number of current users is written PUR, and the calculation formula is:
Figure SMS_15
where t is the unit time of algorithm detection, page is the number of page accesses in that time, and IP is the number of active user connections at that time, i.e. the number of source IPs.
This indicator mainly targets attacks launched through dynamic pages (e.g. CC attacks). When a system is attacked through a dynamic page, the attacker aims to exhaust system resources by fetching the page and calling its data refresh interface, so within the statistical window the ratio of accesses to the page part of the Web application to the number of users (source IPs) rises sharply, i.e. the indicator deviates greatly from its normal value.
Through these system state indices and their analysis, the state of the current Web application service can be described. The indices are easy to collect, cheap to compute and need no manual data labelling, which matches the original design goal of the distributed DDoS attack protection system: real-time operation.
To allow automatic or manual correction of the judgment threshold, monitoring of the server's CPU and memory usage is added and two further system state indicators, CUR and RUR, are defined as follows:
(1) The ratio of the increment in CPU utilization to the increment in the number of users (source IPs) over a time interval, written CUR (CPU Use to User Ratio), is defined by the formula:
Figure SMS_16
where t is the unit time interval of algorithm detection, CPU_increment the increment in CPU usage in that interval and IP_increment the increment in active users, i.e. in active IP connections.
(2) The ratio of the increment in RAM usage to the increment in the number of users (source IPs) over a time interval, written RUR (RAM Use to User Ratio), is defined by the formula:
Figure SMS_17
where t is the unit time interval of algorithm detection, RAM_increment the increment in RAM usage in that interval and IP_increment the increment in active users, i.e. in active IP connections.
When system resource usage rises abnormally and the CUR or RUR indicator alarm fires, the algorithm directly notifies the attack detection module to perform attack detection. Once the detection result is available, the perception algorithm is adjusted according to the normality test feedback of the attack defense module: if a DDoS attack did occur, the threshold at which the system state index judges an attack is corrected to make perception more sensitive; if no DDoS attack occurred, the operation and maintenance personnel are notified to upgrade the server configuration.
The value of the system state index is influenced by the current user situation or the state of the Web application. For example, when a shopping site holds a shopping festival or a large promotion, the group behaviour of its users changes suddenly, the system state index changes sharply and the algorithm raises a false alarm. (Note: since all system state indices are ratios relative to the number of users, and the algorithm filters abnormal values, ordinary website activities do not cause this situation.) At the same time, because Web applications and industries differ in their business characteristics, and because DDoS attackers act with purpose, the system state index judgment threshold p configured when the algorithm is first put into operation may turn out to be over-sensitive or too slow.
To cope with abnormal changes of the Web service system state caused by such special conditions, so that the algorithm automatically accommodates reasonable changes of the Web service application, the algorithm records every false alarm of the system state index and adjusts the judgment threshold according to the normality test result returned by the attack defense module. In the invention, the data table defined in Table 1 records these corrections, and operation and maintenance personnel can also add records manually through the visual interface, to be used as a white list for exclusion.
TABLE 1 attack perception correction record table structure
Figure SMS_18
Figure SMS_19
This data table automatically records the feedback of normality test results while the system runs; together with active additions by operation and maintenance personnel, it gradually improves the sensitivity and accuracy with which the algorithm perceives DDoS attacks.
2. When the system is in a DDoS attack state, judging the type of the DDoS attack according to a system state index triggering attack perception;
when the KNR deviates, triggering asymmetric workload type DDoS attack perception;
when IUR deviates, triggering request flooding DDoS attack perception;
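An added example, not the patent's code, that computes KNR, IUR and PUR from constructed access-log lines and CUR/RUR from constructed resource samples, then maps a deviating indicator to the attack type named in step 2. The log format, the set of key interfaces, the 60-second interval, the "three times the baseline median" deviation rule (a stand-in for the AR deviation test of step 1) and the guard against a zero or negative user increment in CUR/RUR are assumptions:

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log format: "<unix_ts> <source_ip> GET <path>" (assumption, not the patent's format)
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\d+\.\d+\.\d+\.\d+) GET (?P<path>\S+)$")
KEY_INTERFACES = {"/api/search", "/api/order/query", "/api/sendmail"}  # assumed key interfaces
WINDOW = 60  # statistical interval t in seconds (assumption)

ALARM_TYPE = {
    "KNR": "asymmetric workload",
    "IUR": "request flooding",
    "PUR": "dynamic-page (CC) attack",
    "CUR": "resource anomaly: hand over to attack detection module",
    "RUR": "resource anomaly: hand over to attack detection module",
}


def window_indicators(lines: List[str], window: int = WINDOW) -> Dict[int, Dict[str, float]]:
    """KNR, IUR and PUR per window; pages are paths ending in .html, key interfaces as listed,
    everything else counts as an ordinary interface."""
    buckets = defaultdict(lambda: {"key": 0, "normal": 0, "page": 0, "all": 0, "ips": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # lines that do not parse are skipped
        b = buckets[int(m["ts"]) // window * window]
        path = m["path"]
        b["all"] += 1
        b["ips"].add(m["ip"])
        if path in KEY_INTERFACES:
            b["key"] += 1
        else:
            b["normal"] += 1
            if path.endswith(".html"):
                b["page"] += 1
    result = {}
    for start, b in sorted(buckets.items()):
        ips = max(len(b["ips"]), 1)
        result[start] = {"KNR": b["key"] / max(b["normal"], 1),
                         "IUR": b["all"] / ips,
                         "PUR": b["page"] / ips}
    return result


def resource_indicators(samples: List[Tuple[int, float, float, int]]) -> Dict[int, Dict[str, float]]:
    """CUR and RUR from per-window samples (ts, cpu_percent, ram_percent, active_ips).
    A user increment of zero or less is clamped to 1 so that a CPU rise with no new users still
    registers instead of dividing by zero (assumption)."""
    result = {}
    for (t0, c0, r0, i0), (t1, c1, r1, i1) in zip(samples, samples[1:]):
        d_ip = max(i1 - i0, 1)
        result[t1] = {"CUR": (c1 - c0) / d_ip, "RUR": (r1 - r0) / d_ip}
    return result


def classify(current: Dict[str, float], baseline: List[Dict[str, float]], factor: float = 3.0) -> List[str]:
    """Name the attack type for every indicator more than `factor` times its baseline median."""
    fired = []
    for name, value in current.items():
        history = sorted(b[name] for b in baseline)
        median = history[len(history) // 2]
        if median > 0 and value > factor * median:
            fired.append(ALARM_TYPE[name])
    return fired


def make_logs() -> List[str]:
    """Constructed traffic: three normal minutes of 20 users, then a fourth minute that also
    carries a low-rate attack from 5 hosts against the search interface."""
    lines = []
    for w in range(4):
        for u in range(20):
            ip, base = f"10.0.0.{u + 1}", w * WINDOW + u
            lines += [f"{base} {ip} GET /index.html", f"{base + 1} {ip} GET /product.html",
                      f"{base + 2} {ip} GET /api/cart"]
            if u % 10 == 0:
                lines.append(f"{base + 3} {ip} GET /api/search")   # occasional legitimate search
    for a in range(5):                                               # 5 sources x 8 slow calls
        for k in range(8):
            lines.append(f"{3 * WINDOW + k * 7} 203.0.113.{a + 1} GET /api/search")
    return lines


# Constructed (ts, cpu_percent, ram_percent, active_ips) samples, one per window.
RESOURCE_SAMPLES = [(0, 20.0, 40.0, 20), (60, 21.0, 40.5, 20), (120, 20.5, 40.2, 21), (180, 65.0, 55.0, 25)]

if __name__ == "__main__":
    ind = window_indicators(make_logs())
    baseline = [ind[0], ind[60], ind[120]]
    print("indicators:", ind)
    print("perceived:", classify(ind[180], baseline))
    res = resource_indicators(RESOURCE_SAMPLES)
    print("resource:", res[180], classify(res[180], [res[60], res[120]]))
```

In the constructed fourth minute the 40 extra key-interface calls raise KNR from 2/60 to 42/60, while IUR and PUR barely move because only five new source IPs appear, so only asymmetric-workload perception fires; a flood from the same five hosts would lift IUR instead. Note that IUR and PUR are ratios to the source-IP count, so an attacker spreading the same request rate over many addresses lowers them, which is why the resource-based CUR/RUR indicators are kept as a fallback.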
3. and detecting the interface flow, and screening out an IP address of origin of DDoS attack or an interface with abnormal access frequency so as to initiate defense work aiming at the interface.
If the page a user visits, or the step of the business the user is currently performing, is regarded as a state, then the sequence of operations from logging in to the website to completing the business can be regarded as transitions between states. For the website server these transitions are a random process: during a visit the user may open different pages, browse different content and handle business. At the same time, the DDoS attack perception algorithm shows that the time interval between HTTP requests is one of the important parameters describing normal user access behaviour, and the interval is used here to describe the probability of a transition between states. The key points of the business a user carries out form an ordered, necessary sequence of states; that is, in the transition of the user's access behaviour, the probability of moving from one state to the next depends not only on the current state but also on the history of states that has already occurred.
Given this view of browsing behaviour as state transitions, and the fact that access to business key points depends on the previous states, a Hidden Semi-Markov Model (HSMM) is selected to describe the browsing behaviour of website users. The model adds a dwell-time component to the hidden Markov model, has better modelling capability, and can correctly describe the two important quantities: the user's access state and the access interval.
The method specifically comprises the following steps:
3.1, establishing a detection model, and calculating the normality probability of a model user through the detection model;
3.2, acquiring a user operation sequence, and calculating to obtain the operation normality probability of the user operation sequence;
3.3, comparing the operation normality probability with the model user normality probability, and judging that the user behavior is normal when the operation normality probability is contained in the model user normality probability; and when the operation normality probability is not contained in the model user normality probability, judging that the user behavior is abnormal.
The detection model is a hidden semi-Markov model;
hidden semi-markov model parameter set description:
HSMM = (A = {s_m}, P = {ts_mn}, T = {tr_m(r_i, τ_i)}, D = {num_m(d)})
A is the initial probability matrix of the user access state, the set of probabilities that a user starts in a given state; P is the probability matrix of transitions between states, the set of probabilities that a user goes from one browsing state to another; T is the probability matrix of observations in a state, describing the probability that a given real browsing state of the user appears to the background server as a given request content and request interval, i.e. the probability distribution function of the observations of the user's browsing state; D is the probability distribution of the state dwell time, i.e. of the number of requests (observations) the background server actually receives from the user before the user reaches the next business key point or browsing state.
where s_m = Σ state_m / Σ state;
ts_mn = Σ θ(state_m, state_n) / Σ state_m;
Figure SMS_20
num_m(d) = Σ length_{m−1,m}(d) / Σ state_m
where s_m is the probability that the user starts in browsing state m, state_m denotes browsing state m and state denotes any browsing state; ts_mn is the probability that the user's browsing state moves from state_m to state_n, and θ(state_m, state_n) denotes the non-repeating subsets of all observed sequences that start in state_m and end in state_n; tr_m(r_i, τ_i) is the probability that, when the user reaches access state m, the background server actually observes access state r_i after a time interval τ_i, where r_i is the user's browsing state as observed by the background server, r_{i−1} is the browsing state preceding r_i in the browsing sequence, and τ_i is the access interval between the two states r_i and r_{i−1}
Figure SMS_21
The function space is the probability density function of the interval between two HTTP requests of a user in the Web application, so space(τ_i) is the probability that the interval between two requests of the user is τ_i; num_m(d) is the probability that the background server receives d observed accesses in state m before the user reaches the business key point, where length_{m−1,m}(d) denotes the subsets of all observed sequences that start in state_{m−1}, end in state_m and have length d.
Because the amount of user access log data that can actually be obtained is limited, and the algorithm is designed for low computation and real-time updating, the function space(τ_i), as the probability density of the user access interval in the Web application, cannot be determined directly from the available data and can only be obtained by fitting. Referring to the studies of JDKnowles and VDBEwout et al., and to an analysis of network access datasets such as Clark-HTTP and NASA-HTTP, space(τ_i) is found to be close to the Pareto distribution (also called the Bradford distribution), so space(τ_i) is assumed to follow the Pareto distribution and the following formula is used in its place:
Figure SMS_22
where the value of τ_min may be inaccurate at the start of training because of how the training data is chosen, and is gradually made reasonable through the feedback mechanism of the normality detection in the DDoS attack defense module; the value of k can be estimated as follows:
(1) The expected value of a random variable that follows the Pareto distribution is:
Figure SMS_23
(2) The standard deviation of a random variable that follows the Pareto distribution is:
Figure SMS_24
Using these two properties of the Pareto distribution, the mathematical expectation and standard deviation of the training data can be computed and hence the value of k. Because a model formed from training data does not follow the Pareto distribution perfectly, the k values calculated from the expectation and from the standard deviation differ slightly, and their average is taken. When the training data is chosen reasonably the two k values are not far apart, so their difference can be used to judge whether the currently selected training data is reasonable.
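The moment-based estimate of k described above, as an added example that is not the patent's code. It uses the standard Pareto Type I moments, E[τ] = k·τ_min/(k−1) for k > 1 and Var[τ] = τ_min²·k/((k−1)²(k−2)) for k > 2, inverts the first directly and the second by bisection, and reports whether the two estimates agree within a tolerance. The deterministic quantile sample standing in for training data, the default choice τ_min = min(sample) and the 0.5 tolerance are assumptions:

```python
import math
from typing import Dict, List, Optional


def pareto_pdf(tau: float, tau_min: float, k: float) -> float:
    """space(tau): Pareto Type I density with scale tau_min and shape k; zero below tau_min."""
    return k * tau_min ** k / tau ** (k + 1) if tau >= tau_min else 0.0


def quantile_sample(tau_min: float, k: float, n: int) -> List[float]:
    """Constructed stand-in for training intervals: the n mid-quantiles of Pareto(tau_min, k),
    obtained from the inverse CDF tau = tau_min * u^(-1/k)."""
    return [tau_min * ((i + 0.5) / n) ** (-1.0 / k) for i in range(n)]


def shape_from_mean(mean: float, tau_min: float) -> float:
    """Invert E[tau] = k*tau_min/(k-1); only meaningful when mean > tau_min (k > 1)."""
    if mean <= tau_min:
        raise ValueError("sample mean must exceed tau_min")
    return mean / (mean - tau_min)


def shape_from_sd(sd: float, tau_min: float) -> float:
    """Invert Var[tau] = tau_min^2 * k / ((k-1)^2 (k-2)) for k > 2 by bisection.
    The right-hand side falls monotonically from +inf at k=2 towards 0, so exactly one root exists."""
    if sd <= 0:
        raise ValueError("standard deviation must be positive")
    var = sd * sd
    f = lambda k: tau_min ** 2 * k / ((k - 1) ** 2 * (k - 2)) - var
    lo, hi = 2.0 + 1e-9, 1e6
    for _ in range(200):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def estimate_shape(sample: List[float], tau_min: Optional[float] = None, tol: float = 0.5) -> Dict[str, float]:
    """Both moment estimates of k, their average, and whether they agree within tol."""
    t_min = min(sample) if tau_min is None else tau_min
    n = len(sample)
    mean = sum(sample) / n
    sd = math.sqrt(sum((x - mean) ** 2 for x in sample) / n)
    k_mean = shape_from_mean(mean, t_min)
    k_sd = shape_from_sd(sd, t_min)
    return {"k_from_mean": k_mean, "k_from_sd": k_sd,
            "k": (k_mean + k_sd) / 2, "consistent": abs(k_mean - k_sd) <= tol}


if __name__ == "__main__":
    print(estimate_shape(quantile_sample(0.5, 3.0, 10000), tau_min=0.5))
```

On the constructed sample both estimates land near the true k = 3, but the standard-deviation estimate is the less stable one: the variance of a Pareto variable with k near 2 is dominated by its tail, so a few very large or missing intervals move it far more than they move the mean. That is why the gap between the two k values is a useful sanity check on the training data, as the text says, and why k ≤ 2 (infinite variance) makes the second estimate unusable altogether.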
Selecting the HSMM for DDoS attack detection lets the model describe user access behaviour well and avoids common difficulties and disadvantages that most existing DDoS attack detection algorithms face in implementation. These stem mainly from the lack of high-quality data, the adversarial environment and the need for model interpretability.
(1) Lack of high-quality data: network requests occur all the time, so network traffic data is not scarce, but high-quality datasets suitable for machine learning are. The differing businesses of Web service applications make the white (normal) samples diverse, while most machine-learning DDoS detectors require black (attack) samples; since DDoS attack patterns keep changing, the black samples can hardly be complete, which causes reliability problems. At the same time, because Web service applications are so diverse, traffic data is unstructured, and processing, cleaning and labelling it is complex and specialised. The large cost of this processing means security vendors do not share or publish their security datasets, a vicious circle that keeps high-quality data scarce.
(2) Adversarial environment: compared with the usual applications of machine learning, DDoS attack methods vary widely and attackers have ample motive and purpose to bypass or fight the machine-learning model. Whether through poisoning attacks at the data layer or adversarial-sample attacks at the model layer, DDoS attack detection becomes difficult; this is especially obvious for models trained on black samples, which can only face the attacker's constantly changing methods by continuously updating their parameters during operation.
(3) Requirement for model interpretability: because a Web service application has to respond to users in real time, the DDoS attack detection model or its result may reflect current problems of the application or directly affect normal users, and website operation and maintenance personnel need to respond quickly. Machine-learning models and their outputs are poorly interpretable for DDoS attack detection, because, unlike image recognition or other common classification scenarios, operation and maintenance personnel cannot directly tell whether the result the model reports really is a DDoS attack before acting on it. At the same time, the training results are hard for algorithm developers to read, especially with deep learning, where the result depends mainly on data quality and the developers' own network security knowledge cannot be brought to bear.
By using and optimising the HSMM and exploiting its advantages, the following goals can be reached, so that the difficulties in applying DDoS attack detection algorithms are solved or avoided.
(1) Real-time performance: during DDoS detection the model only needs its backward algorithm to compute the state transition probabilities. The main time cost is the search over user operations, which can be optimised with a hash table or a search tree, so real-time operation and quick response are fully achievable in practice.
(2) Adaptability: compared with the currently popular deep learning algorithms, training the HSMM does not need massive data and is fast. Since the detection algorithm models the access behaviour of normal users, it is trained only on normal Web logs, the data does not need DDoS attack labels, and it is not limited to any dataset or data source, which saves the time and cost of manual labelling. Most importantly, it can be trained in real time on the Web logs generated by the website to be protected, so the detection algorithm adapts better to different Web applications.
(3) Model interpretability: compared with the training results of ensemble learning, random forests, deep learning and similar methods, the training result of the HSMM can be made fairly readable with a good visual page and operating guidance, and can even be optimised or fine-tuned by hand; the extracted user access behaviour model can also help with the development and maintenance of the website. When the algorithm reports a detection, operation and maintenance personnel can trace back the user's operations to see how the operation sequence differs from the normal user access behaviour described by the model, and which business node the user was at when the algorithm judged it a DDoS attack, which makes the result interpretable.
The application of the model has two parts: model training and DDoS attack detection with the trained model. First, the algorithm builds an access behaviour model of users from their HTTP request logs; during detection, the probability of a given user's HTTP request sequence under that model is computed, the degree of deviation is compared, and the user's access behaviour is judged normal or not against a given threshold.
Training of model parameters
Training of the model parameters begins with the acquisition and processing of training data. The k value of the space(τ_i) function must be confirmed, and it must be checked whether the k value calculated from the mathematical expectation and the standard deviation differs too much. Data processing mainly arranges the HTTP access data of each user observed and recorded by the Web application in order of time and service, forming the access sequence formula:
Figure SMS_25
Then, using the HSMM algorithm, the parameter set required by the HSMM is obtained through the iterative computation of the flow described in fig. 6, which completes the training of the model.
When enough training data is available, the criterion that training is sufficient is that the model result Pr(list_i | data), that is, the normality probability of a given user access sequence, converges to a certain interval.
DDoS attack detection with the model requires recording a user's multiple accesses from the establishment of a session with the website. Once the number of accesses, that is, the length of the observation state sequence of the user's accesses recorded by the back-end server, is long enough, the model can be used to calculate the user's normality probability. The minimum length of the observation state sequence is determined mainly by the typical service chain length of the website and must exceed it, which avoids part of the unnecessary detection work.
Once the user operation sequence is obtained, its normality probability must be calculated. The backward algorithm is used rather than the forward algorithm because, when the user establishes a session, the Web application can accurately obtain the first state and the subsequent operation sequence, which are what the backward algorithm operates on, whereas the complete operation sequence needed to judge the user's normality is otherwise not available until the user closes the session. By then the DDoS attack defense part can no longer act, and in addition the operation sequence of a user under detection may grow or change while DDoS attack perception and detection are in progress.
The backward algorithm is optimized mainly at the implementation level. Because the backward algorithm repeatedly backtracks over and searches the user's operation sequence, the implementation trades space for time and optimizes the computation with a hash table. For database storage and querying, attribute superposition is used: the user's id and operation sequence are concatenated into an integer field of the operation log, stored and indexed, so that the user's whole operation sequence can be retrieved quickly from the database when detection is needed.
After the user's normality probability is calculated, it is compared with the model's normal probability distribution; the probability distribution of typical service user behavior on the website is available once model training is complete. Whether the user's behavior is normal is judged by whether the probability falls within the behavior probability distribution of normal users, which realizes DDoS attack detection.
(3) Real-time updating of the model:
Real-time updating of the model parameter set is the original purpose of the model selection and algorithm design; the algorithm parameters can be updated in real time according to the process shown in fig. 7.
Through this process and the feedback of user normality judgements from the DDoS attack defense module of the system, user habitual operation sequences that appear in the current version of the Web service application but differ from the previous version can be obtained, and it is guaranteed that these sequences are not adversarial samples from DDoS attackers, that is, the reliability and validity of the data source are guaranteed. Using these user sequences, the model parameters can be updated incrementally, and because the algorithm is highly real-time, the model parameters are updated in real time as the system runs.
A normality test is performed on the interface; when the test result is correct, subsequent defense processing is entered, and defense processing is performed on the interface under DDoS attack.
Normality tests are mainly implemented as CAPTCHAs, question-and-answer challenges, SMS verification, token checks and the like; the better current verification means for user normality testing are CAPTCHAs, such as image CAPTCHAs and character CAPTCHAs. However, owing to the application's development mode or its developers, a normality test is usually required only at login or where user security is involved. In particular, some systems developed earlier cannot require the user to pass a normality test at arbitrary times, which limits the universality of a protection system. In the implementation section of the distributed real-time DDoS attack protection system, the invention provides a non-intrusive way of realizing a global normality test. An asynchronous test request mode is adopted, which does not need to actively initiate the test and wait for the client's reply, and saves performance compared with the traditional test request mode.
Those skilled in the art will appreciate that the above embodiments are merely preferred embodiments of the invention; modifications and variations embodying the principles of the invention and achieving its objects may be made by those skilled in the art while remaining within the scope of the invention.

Claims (7)

1. A distributed real-time DDoS attack protection system, characterized in that it comprises an attack sensing module, an attack detection module and an attack defense module arranged in the system;
the attack sensing module is used for monitoring the system state index in real time and judging whether the system is in a DDoS attack state or not according to the system state index; when the system is in a DDoS attack state, judging the type of the DDoS attack according to a system state index triggering attack perception;
the attack detection module is used for detecting interface flow and screening an IP address of DDoS attack origin or an interface with abnormal access frequency;
the attack defense module is used for carrying out normality test on the interface, entering subsequent defense processing when a test result is correct, and carrying out defense processing on the interface subjected to DDoS attack;
the attack perception module is further used for predicting the system state index value through a data model, obtaining the deviation degree from the predicted value and the observed value, and judging whether the system is in a DDoS attack state according to the deviation degree; the data model is an AR model, an MA model or an ARMA model; predicting the system state index value through the AR model comprises the following steps:
the formula of the AR model:
Figure FDA0004053726080000011
θ = (2^{-1}, 2^{-2}, 2^{-3}, …, 2^{-L});
L = min{10, max{3, 0.3 ≤ |lg(V_{t-L} / V_{t-L-1})|}};
where V_t is the predicted value of the target system state index at interval t; t is the index of the current statistical interval; S_{t-i} is the observed value of the system state index at interval t-i; i is a time index from 1 to L, that is, a particular interval;
θ_i is an AR model parameter; here θ_i can be regarded as the confidence placed on the observed value at interval t-i in the prediction; to ensure universality and improve computational efficiency, the parameter θ is used in place of θ_i; to ensure that the coefficients sum to 1, the term θ_L S_{t-L} is added, that is, the coefficient of the last parameter is doubled;
L is the order of the model, that is, the number of observations involved in the prediction; V_{t-L} is the predicted value of the target system state index L intervals back, and V_{t-L-1} is the predicted value L+1 intervals back; V_{t-L} and V_{t-L-1} are two consecutive values of V found by searching L intervals backward; E is the error compensation value;
after the predicted value is obtained, calculating the deviation degree according to the predicted value and the observed value, wherein the calculation formula is as follows:
Figure FDA0004053726080000021
the difference between the predicted value and the observed value is compared with the variance of all the observations participating in the prediction; when the difference exceeds p times the variance, the system is judged to be under DDoS attack, where p is the decision threshold of the DDoS attack perception algorithm.
2. The distributed real-time DDoS attack protection system of claim 1, further comprising a visualization module configured to monitor the state of the target Web application server group, said state comprising server hardware information, software information and operating system state.
3. The distributed real-time DDoS attack protection system according to claim 1, wherein said attack sensing module, said attack detection module and said attack defense module communicate with each other over communication links of a message broker service.
4. A distributed real-time DDoS attack protection method is characterized by comprising the following steps:
monitoring system state indexes in real time, and judging whether the system is in a DDoS attack state or not according to the system state indexes;
when the system is in a DDoS attack state, judging the type of the DDoS attack according to a system state index triggering attack perception;
detecting interface flow, and screening out an IP address of origin of DDoS attack or an interface with abnormal access frequency;
carrying out normality test on the interface, entering subsequent defense processing when a test result is correct, and carrying out defense processing on the interface subjected to DDoS attack;
the judging whether the system is in a DDoS attack state or not according to the system state index comprises the following steps:
1.1, predicting a system state index value through a data model;
1.2, obtaining deviation by utilizing the predicted value and the observed value, and judging whether the system is in a DDoS attack state or not according to the deviation;
the data model includes: an AR model, a MA model, or an ARMA model; the predicting of the system state index value through the AR model comprises the following steps:
the formula of the AR model:
Figure FDA0004053726080000031
θ = (2^{-1}, 2^{-2}, 2^{-3}, …, 2^{-L});
L = min{10, max{3, 0.3 ≤ |lg(V_{t-L} / V_{t-L-1})|}};
where V_t is the predicted value of the target system state index at interval t; t is the index of the current statistical interval; S_{t-i} is the observed value of the system state index at interval t-i; i is a time index from 1 to L, that is, a particular interval;
θ_i is an AR model parameter; here θ_i can be regarded as the confidence placed on the observed value at interval t-i in the prediction; to ensure universality and improve computational efficiency, the parameter θ is used in place of θ_i; to ensure that the coefficients sum to 1, the term θ_L S_{t-L} is added, that is, the coefficient of the last parameter is doubled;
L is the order of the model, that is, the number of observations involved in the prediction; V_{t-L} is the predicted value of the target system state index L intervals back, and V_{t-L-1} is the predicted value L+1 intervals back; V_{t-L} and V_{t-L-1} are two consecutive values of V found by searching L intervals backward; E is the error compensation value;
after the predicted value is obtained, calculating the deviation degree according to the predicted value and the observed value, wherein the calculation formula is as follows:
Figure FDA0004053726080000041
the difference between the predicted value and the observed value is compared with the variance of all the observations participating in the prediction; when the difference exceeds p times the variance, the system is judged to be under DDoS attack, where p is the decision threshold of the DDoS attack perception algorithm.
5. The method according to claim 4, wherein the system state indexes specifically include KNR, PCIR, IUR and PUR:
counting the access frequency ratio KNR of the key interface and the common interface according to a preset time interval; the key interface is an interface which needs to be matched with a database for use or wait for the reply function of other third-party services;
counting the interface access frequency ratio PCIR of the principal component analysis of the key interface access frequency ratio;
counting the ratio IUR of the number of times of accessing the key interface to the number of current users;
counting the ratio PUR of the number of web page accesses to the number of current users;
the access frequency ratio of the key interfaces to the normal interfaces is expressed as KNR (Key interface to Normal interface Ratio), calculated as:
Figure FDA0004053726080000042
where request_key is the number of accesses to key interfaces, request_normal is the number of accesses to other interfaces, and t is the unit detection time of the algorithm;
the interface access frequency ratio obtained by principal component analysis of the key interface access frequency ratio is expressed as PCIR, calculated as:
PCIR = PCA_1([Interface_1, Interface_2, …, Interface_n]_t)
where t is the unit detection time of the algorithm and Interface_n is the number of requests to the n-th interface of the Web service application;
the ratio of the number of interface accesses to the number of current users is expressed as IUR, calculated as:
Figure FDA0004053726080000051
where t is the unit detection time of the algorithm, request_all is the number of all HTTP requests to the Web service application at that moment, and IP is the number of all active user connections to the Web service application at that moment, that is, the number of source IPs;
the ratio of the number of web page accesses to the number of current users is expressed as PUR, calculated as:
Figure FDA0004053726080000052
where t is the unit detection time of the algorithm, page is the number of pages accessed within that time, and IP is the number of all active user connections to the Web service application at that moment, that is, the number of source IPs;
when the system is in a DDoS attack state, judging the type of the DDoS attack according to the system state index that triggered attack perception specifically comprises:
when KNR deviates, triggering asymmetric workload DDoS attack perception;
when IUR deviates, triggering request flooding DDoS attack perception.
6. The distributed real-time DDoS attack protection method according to claim 4, wherein detecting interface traffic and screening out the IP address of origin of a DDoS attack or an interface with abnormal access frequency comprises:
3.1, establishing a detection model, and calculating the normality probability of a model user through the detection model;
3.2, acquiring a user operation sequence, and calculating to obtain the operation normality probability of the user operation sequence;
3.3, comparing the operation normality probability with the model user normality probability, and judging that the user behavior is normal when the operation normality probability is contained in the model user normality probability; and when the operation normality probability is not contained in the model user normality probability, judging that the user behavior is abnormal.
7. The distributed real-time DDoS attack protection method according to claim 5, wherein said detection model is a hidden semi-Markov model;
hidden semi-Markov model parameter set description:
HSMM = (A = {s_m}, P = {ts_mn}, T = {tr_m(r_i, τ_i)}, D = {num_m(d)})
A is the initial probability matrix of the user access state, the set of probabilities that a user is in a given initial state; P is the state transition probability matrix, the set of probabilities that a user moves from one browsing state to another; T is the probability matrix of observed values in a given state, describing the probability that a given real browsing state of the user appears to the back-end server as a given actual request content and request time interval, that is, the probability distribution function of the observed values of the user's browsing state; D is the probability distribution of the state dwell time, that is, the number of request accesses (observed values) the back-end server actually receives before the user reaches the next service key point or browsing state;
where s_m = Σ state_m / Σ state;
ts_mn = (Σ θ(state_m, state_n)) / (Σ state_m);
Figure FDA0004053726080000061
num_m(d) = Σ length_{m-1,m}(d) / Σ state_m;
where s_m is the probability that the user's initial browsing state is state_m, state_m denotes browsing state m and state denotes any browsing state; ts_mn is the probability that the user's browsing state transfers from state_m to state_n, and θ(state_m, state_n) is the non-repeating subset of all observation sequences that begin in state_m and end in state_n; tr_m(r_i, τ_i) is the probability that, on reaching access state m, the back-end server actually observes access state r_i after a time interval τ_i, where r_i is the user's browsing state as observed by the back-end server, r_{i-1} is the browsing state preceding r_i in the browsing sequence, and τ_i is the access time interval between the two corresponding states r_i and r_{i-1}:
Figure FDA0004053726080000062
the space function is the probability density function of the interval between two HTTP request accesses by a user of the Web application, and space(τ_i) is the probability that the interval between two requests of the user is τ_i; num_m(d) is the probability that, when the user reaches the service key point with access state state_m, the number of observation state accesses received by the back-end server is d, where length_{m-1,m}(d) denotes the number of subsets of all observation sequences that begin in state_{m-1}, end in state_m and have length d.
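The attack perception steps of claims 1 and 5 carried through in code, as an added example that is not part of the patent: KNR and IUR are computed for one detection interval from constructed (source IP, interface) records, the AR prediction uses θ_i = 2^-i with the last weight doubled so the weights sum to 1, and the prediction error is compared with p times the dispersion of the window. The fixed order L, the zero error term E, the `key:` marker for key interfaces and the use of the window's standard deviation in place of the claim's "variance" (so that p stays in the units of the index) are my assumptions.

```python
"""Attack perception from claims 1 and 5 (added illustration, not the patent's code).

Assumptions: indicators for one interval come from (source_ip, interface)
records; the AR order L is fixed by the caller rather than by the claim's
data-dependent rule; the error compensation E is 0; the dispersion compared
against the prediction error is the population standard deviation of the window.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import Iterable

KEY_PREFIX = "key:"  # constructed marker for the claim's "key interfaces"


def indicators(records: Iterable[tuple[str, str]]) -> dict[str, float]:
    """KNR and IUR for one detection interval t (claim 5).

    KNR = request_key / request_normal, IUR = request_all / IP.
    A zero denominator is clamped to 1 (assumption) so a burst that only
    hits key interfaces still yields a finite, large KNR.
    """
    recs = list(records)
    key = sum(1 for _, iface in recs if iface.startswith(KEY_PREFIX))
    normal = len(recs) - key
    ips = len({ip for ip, _ in recs})
    return {"KNR": key / max(normal, 1), "IUR": len(recs) / max(ips, 1)}


def ar_weights(L: int) -> list[float]:
    """theta_i = 2^-i for i = 1..L, with theta_L doubled so the sum is exactly 1."""
    w = [2.0 ** -i for i in range(1, L + 1)]
    w[-1] *= 2
    return w


def ar_predict(history: list[float], L: int) -> float:
    """V_t = sum_{i=1..L} theta_i * S_{t-i} (E taken as 0).

    history[-1] is S_{t-1}, the most recent observation, and gets theta_1.
    """
    if len(history) < L:
        raise ValueError("need at least L observations")
    window = history[-L:]
    return sum(w * s for w, s in zip(ar_weights(L), reversed(window)))


@dataclass
class Perception:
    indicator: str
    predicted: float
    observed: float
    deviation: float
    threshold: float
    attack: bool


def perceive(indicator: str, history: list[float], observed: float,
             L: int = 3, p: float = 3.0, min_sigma: float = 1e-6) -> Perception:
    """Flag an attack when |S_t - V_t| exceeds p times the window dispersion.

    min_sigma floors the dispersion so a perfectly flat history does not turn
    every tiny fluctuation into an alert (operational caveat, not in the claim).
    """
    predicted = ar_predict(history, L)
    sigma = max(pstdev(history[-L:]), min_sigma)
    deviation = abs(observed - predicted)
    threshold = p * sigma
    return Perception(indicator, predicted, observed, deviation, threshold,
                      deviation > threshold)


# Claim 5's mapping from the deviating index to the perceived attack type.
ATTACK_TYPE = {"KNR": "asymmetric workload", "IUR": "request flooding"}


def classify(results: Iterable[Perception]) -> list[str]:
    """Attack types whose triggering indicator deviated, in input order."""
    return [ATTACK_TYPE[r.indicator] for r in results
            if r.attack and r.indicator in ATTACK_TYPE]


# Constructed quiet history per index, then one interval of constructed records.
QUIET = {"KNR": [0.20, 0.22, 0.21, 0.19, 0.20], "IUR": [2.0, 2.1, 1.9, 2.0, 2.1]}
QUIET_RECORDS = [("10.0.0.1", "key:/api/search"), ("10.0.0.1", "/static/app.js"),
                 ("10.0.0.2", "/index"), ("10.0.0.2", "/static/app.js"),
                 ("10.0.0.3", "/index"), ("10.0.0.3", "/static/logo.png")]
# Constructed burst: two sources repeatedly hitting a database-backed key interface.
BURST_RECORDS = [(f"10.0.9.{1 + n % 2}", "key:/api/search") for n in range(50)]


def run(records: list[tuple[str, str]]) -> list[str]:
    """Compute this interval's indexes, perceive each against QUIET, classify."""
    idx = indicators(records)
    return classify(perceive(name, QUIET[name], idx[name]) for name in ("KNR", "IUR"))


if __name__ == "__main__":
    print("quiet:", run(QUIET_RECORDS))   # []
    print("burst:", run(BURST_RECORDS))   # ['asymmetric workload', 'request flooding']
```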
CN202110174157.6A 2021-02-07 2021-02-07 Distributed real-time DDoS attack protection system and method Active CN112866281B (en)
Publications (2)

Publication Number Publication Date
CN112866281A CN112866281A (en) 2021-05-28
CN112866281B true CN112866281B (en) 2023-04-07