Most existing detection methods for malware that communicates over the HTTP protocol do not provide a visual interface. To address this, we propose an HTTP abnormal activity forensics and visualization system (HAFVS). First, the system analyzes the server gateway log files and builds a request graph of the HTTP requests. Then it aggregates events using event grouping and a frequent itemset mining (FIM) algorithm to reduce the number of visualization entries, and uses a prevalence filter to identify common events. Finally, it builds a visual interface that displays the access trajectories of the events, fading common (normal) events and highlighting special (malicious) events. Experimental results show that the system reduces the number of visualized event entries by a factor of 18.9 and accurately identifies and highlights abnormal access traffic, giving network administrators a solid basis for judgement and greatly reducing labor costs.
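The following is an added example, not code from the HAFVS paper, that walks through the pipeline the abstract describes on a handful of constructed gateway log lines: parse the log, build a client-to-host-to-path request graph, collapse repeated requests (event grouping), mine host sets that many clients share (a minimal Apriori-style FIM), and apply a prevalence filter that fades targets contacted by most clients while highlighting the rare ones. The log format, the 0.5 prevalence threshold, the minimum support of 3 and the beaconing-style `gate.php` POSTs are all assumptions made for the illustration; the paper's real log format, thresholds and visual rendering are not shown on this page.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample gateway log lines in an assumed, simplified format:
# "<client_ip> <method> <host> <path>". Real proxy/gateway logs carry more
# fields; the parser below is illustrative, not the paper's own.
LOG_LINES = [
    "10.0.0.1 GET www.example.com /index.html",
    "10.0.0.1 GET cdn.example.com /app.js",
    "10.0.0.2 GET www.example.com /index.html",
    "10.0.0.2 GET cdn.example.com /app.js",
    "10.0.0.3 GET www.example.com /index.html",
    "10.0.0.3 GET cdn.example.com /app.js",
    "10.0.0.3 POST 203.0.113.7 /gate.php",   # constructed: one host beaconing
    "10.0.0.3 POST 203.0.113.7 /gate.php",
    "10.0.0.3 POST 203.0.113.7 /gate.php",
    "10.0.0.4 GET www.example.com /index.html",
]


def parse_log(lines):
    """Turn raw log lines into (client, method, host, path) events."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than aborting the analysis
        events.append(tuple(parts))
    return events


def build_request_graph(events):
    """Request graph: client -> host -> set of paths requested on that host."""
    graph = defaultdict(lambda: defaultdict(set))
    for client, _method, host, path in events:
        graph[client][host].add(path)
    return graph


def group_events(events):
    """Event grouping: collapse repeated (client, host, path) requests into one
    entry with a count; len(events) / len(groups) is the reduction factor."""
    groups = defaultdict(int)
    for client, _method, host, path in events:
        groups[(client, host, path)] += 1
    return dict(groups)


def frequent_itemsets(graph, min_support):
    """Apriori-style FIM over each client's set of contacted hosts; returns the
    1- and 2-itemsets that at least min_support clients share (enough to show
    the idea, a full miner would iterate to larger sets)."""
    baskets = [frozenset(hosts) for hosts in graph.values()]
    support = defaultdict(int)
    for basket in baskets:
        for host in basket:
            support[frozenset([host])] += 1
    frequent = {s for s, c in support.items() if c >= min_support}
    singles = sorted(h for s in frequent for h in s)
    for a, b in combinations(singles, 2):        # candidates built only from
        pair = frozenset([a, b])                  # frequent singletons (Apriori)
        if sum(1 for basket in baskets if pair <= basket) >= min_support:
            frequent.add(pair)
    return frequent


def prevalence_filter(events, threshold):
    """Prevalence filter: a (host, path) contacted by at least `threshold` of all
    clients is a common (normal) event; everything else is a special event."""
    clients_per_target, all_clients = defaultdict(set), set()
    for client, _method, host, path in events:
        clients_per_target[(host, path)].add(client)
        all_clients.add(client)
    common, special = set(), set()
    for target, clients in clients_per_target.items():
        (common if len(clients) / len(all_clients) >= threshold else special).add(target)
    return common, special


def render(groups, common):
    """Text stand-in for the visual interface: common events faded, the rest
    highlighted for the analyst."""
    lines = []
    for (client, host, path), count in sorted(groups.items()):
        marker = "  faded   " if (host, path) in common else "HIGHLIGHT "
        lines.append(f"{marker}{client} -> {host}{path} x{count}")
    return lines


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    grp = group_events(evs)
    com, _spec = prevalence_filter(evs, threshold=0.5)
    print(f"{len(evs)} events -> {len(grp)} entries ({len(evs) / len(grp):.2f}x reduction)")
    print("frequent host sets:", frequent_itemsets(build_request_graph(evs), 3))
    print("\n".join(render(grp, com)))
```

On this constructed input the three repeated `gate.php` POSTs collapse into a single entry, the two hosts every normal client shares come out as a frequent 2-itemset, and only the rarely contacted host fails the prevalence filter and is highlighted; the paper's 18.9x reduction comes from real traffic, where grouping and FIM have far more repetition to remove.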