The Construction Of A Hybrid Intrusion Detection Model Based On Web Logs

Posted on: 2022-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Chen
GTID: 2518306740495094
Subject: Computer technology
Abstract/Summary:
With the continuous development of Web technology, security problems are also increasing. Intrusions against Web applications have caused serious property losses. When users visit Internet pages, they leave a large number of Web logs, which record many normal and abnormal user access traces. Mining these logs can yield a lot of useful feature information, which helps improve intrusion detection. This thesis discusses the shortcomings of existing intrusion detection models and builds a hybrid intrusion detection model based on Web logs, combining misuse detection technology with anomaly detection technology based on machine learning. The specific research content is as follows:

(1) Based on an analysis of several common types of Web attacks, the misuse detection rule base is constructed with regular expressions. At the same time, considering the huge workload of maintaining and updating the misuse detection rule base, it is proposed that the Apriori algorithm can be used to realize adaptive expansion of the rule base, and the frequent item discovery process of the Apriori algorithm is improved to raise the algorithm's execution efficiency.

(2) Anomaly detection based on the hidden Markov model (HMM) is studied and improved. The 2-gram model and the equivalence relation between sets are used to improve the generalization process of the hidden Markov model. Meanwhile, the learning algorithm of the hidden Markov model is improved, and the calculation method of the state transition probability distribution is modified to further enhance the detection ability of the model. On the other hand, because the HMM performs anomaly detection only on request parameters, it is a coarse detection model compared with a classification model based on all the features of Web logs. Therefore, feature extraction is carried out on Web logs, and the detection performance of anomaly detection models constructed with several common classification algorithms is compared.

(3) Finally, a hybrid intrusion detection model based on Web logs is constructed. This model integrates misuse detection technology and anomaly detection technology, and continuously extracts feature rules from new anomalies with the help of an association analysis algorithm to supplement the misuse detection rule base. The experimental results show that the whole hybrid intrusion detection model can maintain a high detection rate (97.62%) while maintaining a low false positive rate (0.25%), and that it constantly learns from the exception log to extract new rules, giving it a strong adaptive ability. After adaptation, the detection rate reaches 99.14% and the false positive rate is 0.08%.
Keywords/Search Tags: Web attacks, Web logs, misuse detection, anomaly detection, hidden Markov model