摘要
传统的基于关键字的Web漏洞扫描器识别方法容易被攻击者欺骗导致漏报.针对此问题提出了一种基于有限状态机的识别方法.对攻击者的扫描数据处理,以扫描器的扫描行为特征为迁移条件构建识别模型,并将模型状态转移过程抽象为多维向量,再利用余弦相似度公式进行相似度计算,结合设定的阈值,实现扫描器种类的判定.实验结果表明,在攻击者有意伪装的情况下,基于有限状态机的识别方法能更有效地识别扫描器的种类.
The traditional keyword-based method to identify Web vulnerability scanner is easy to be cheated by attackers. Aiming at this problem, a new recognition method based on Finite-state machine is proposed. The scanning data of the attacker is processed and the recognition model could be constructed using the scan behavior of scanners as transition conditions. The model state transition process is abstracted as multidimensional vector, and then the cosine similarity formula is used to calculate the similarity. Combined with the set threshold, the type of scanner can be determined. The experimental results show that the identification method based on finite state machine can identify the scanner more effectively when the attackers intentionally masquerade.
出处
《信息安全研究》
2017年第2期123-128,共6页
Journal of Information Security Research
关键词
有限状态机
Web扫描器
漏洞
行为特征
佘弦相似度
finite-state machine
Web scanner
vulnerability
behavioral characteristics
cosine similarity
