基于云环境下Web服务应用层DDoS攻击检测系统

doi:10.3969/j.issn.1006-2475.2016.06.022

摘要/Abstract

摘要： Web服务技术具有低耦合度、跨平台和语言无关等优点，使其在网络和电子商务中得到广泛应用。针对云计算环境中的Web服务应用层容易遭受攻击的问题，提出一种检测XML和HTTP层分布式拒绝服务(DDoS)攻击的防御系统，并嵌入到云环境中，实现对云中介和云服务提供商的保护。首先，从属于特定简单对象访问协议（SOAP）正常操作中提取数据集的特征值，构建相应的高斯请求模型；然后，对Web服务的网络服务描述语言（WSDL）中的一些属性进行设置，实现对攻击的初步过滤；最后，对服务请求的HTTP头部和XML内容进行检查，并与模型数据比较，进一步实现攻击检测。实验结果表明，该系统能够有效地预防多种DDoS攻击，且消耗较少的响应时间。


关键词: 云环境, Web服务, 分布式拒绝服务, 攻击检测, 云计算

Abstract: Web service technology is of the advantages of low coupling degree, cross platform and language independence, so it has been widely used on the network and electronic commerce. Aiming at the problem that the application layer of Web services in cloud computing environment is vulnerable to be attacked, a defense system is proposed to detect the distributed denial of service (DDoS) attack in XML and HTTP layer. First, extracting characteristic values of the data set from belonging to a particular Simple Object Access Protocol (SOAP) normal operation, the corresponding Gaussian request model was constructed; after setting some of the attributes of network services for Web Services Description Language (WSDL), attack was achieved initial filter; finally, the service request HTTP headers and XML content were examined and compared with the model data, and the further attack detection was implemented. Experimental results show that the system can effectively prevent many DDoS attacks, and consume less response time.

Key words: cloud environment, Web services, distributed denial of service, attack detection, cloud computing

中图分类号:

TP393.08

邓娉. 基于云环境下Web服务应用层DDoS攻击检测系统[J]. 计算机与现代化, doi: 10.3969/j.issn.1006-2475.2016.06.022.

DENG Ping. DDoS Attack Detection System Based on Web Service Application Layer under Cloud Environment[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2016.06.022.

参考文献

［1］莫秀良,常畅,王春东. 基于活跃熵的Web应用入侵检测模型［J］. 武汉大学学报(理学版), 2014,60(6):543-547.
［2］吴志军,崔奕,岳猛. 基于虚拟散列安全访问路径VHSAP的云计算路由平台防御DDoS攻击法［J］. 通信学报, 2015,36(1):30-37.
［3］ Varalakshmi P, Selvi S T. Thwarting DDoS attacks in grid using information divergence［J］. Future Generation Computer Systems, 2013,29(1):429-441.
［4］ Karnwal T, Sivakumar T, Aghila G. A comber approach to protect cloud computing against XML DDoS and HTTP DDoS attack［C］//2012 IEEE Students’Conference on Electrical,Electronics and Computer Science. 2012:1-5.
［5］ Masood A. Cyber security for service oriented architectures in a Web 2.0 world: An overview of SOA vulnerabilities in financial services［C］// Proceedings of 2013 IEEE International Conference on Technologies for Homeland Security. 2013:1-6.
［6］江先亮,金光,杨建刚,等. 面向自治域的DoS攻击流抑制模型［J］. 通信学报, 2013,34(9):132-141.
［7］ Wei Chunxia, Zhang Linlin, Zhao Kai, et al. MAC token based on WSS defending Web service DoS attacks［C］// Proceedings of 2013 International Conference on Mechatronic Sciences, Electric Engineering and Computer. 2013:2452-2455.
［8］ Saleh M A, Manaf A A. Protective frameworks and schemes to detect and prevent high rate DoS/DDoS and flash crowd attacks: A comprehensive review［J］. Communications in Computer & Information Science, 2014,488:145-152.
［9］魏春霞,张琳琳,赵楷. 基于源地址伪造的Web服务DoS攻击防御方法［J］. 计算机工程与设计, 2014,35(9):3034-3038.
［10］Salas M I P, Martins E. Security testing methodology for vulnerabilities detection of XSS in Web services and WS-security［J］. Electronic Notes in Theoretical Computer Science, 2014,302:133-154.
［11］Tiwari S, Singh P. Survey of potential attacks on Web services and Web service compositions［C］// Proceedings of 2011 3rd International Conference on Electronics Computer Technology. 2011:47-51.
［12］Kedjar S, Tari A. The hybrid model for Web services security access control and information flow control［C］// Proceedings of the 8th International Conference on Internet Technology and Secured Transactions. 2013:194-202.
［13］Pinzón C I, Bajo J, De Paz J F D, et al. S-MAS: An adaptive hierarchical distributed multiagent architecture for blocking malicious SOAP messages within Web services environments［J］. Expert Systems with Applications, 2011,38(5):5486-5499.
［14］王风宇,曹首峰,肖军,等. 一种基于Web群体外联行为的应用层DDoS检测方法［J］. 软件学报, 2013,24(6):1263-1273.
［15］Sarhadi R M, Ghafori V. New approach to mitigate XML-DOS and HTTP-DOS attacks for cloud computing［J］. International Journal of Computer Applications, 2013,72(16):27-31.
［16］王进,阳小龙,隆克平. 基于大偏差统计模型的Http-Flood DDoS检测机制及性能分析［J］. 软件学报, 2013,34(5):1272-1280.

[1]	刘甫, 余劲松弟, 魏丹丹, . 基于北斗网格的影像数据REST Web服务系统[J]. 计算机与现代化, 2023, 0(11): 108-112.
[2]	杨柳青, 王冲. 基于极大熵的Web服务资源个性化推荐方法[J]. 计算机与现代化, 2023, 0(09): 32-37.
[3]	何玉鹏, 陶勇, 王必恒, 赵英男. 智能配电网边缘计算研究现状与展望[J]. 计算机与现代化, 2023, 0(08): 87-92.
[4]	杨波, 徐胜超. 基于SRv6服务链的云网专线场景安全防护方法[J]. 计算机与现代化, 2023, 0(08): 107-111.
[5]	毛明扬, 徐胜超. 可信赖云计算的通信终端攻击行为识别算法[J]. 计算机与现代化, 2022, 0(11): 37-42.
[6]	曹禹, 李晓辉, 刘忠麟, 贾贺, 费志伟. 云环境大数据工作流编排管理系统研究综述[J]. 计算机与现代化, 2022, 0(01): 41-53.
[7]	张晓敏. 基于布隆过滤器属性基的多关键词可搜索方案[J]. 计算机与现代化, 2021, 0(08): 104-111.
[8]	邓斌涛, 徐胜超. 基于动态双子种群的差分进化K中心点聚类算法[J]. 计算机与现代化, 2021, 0(07): 54-59.
[9]	吴君才, 刘雪芳. 基于云计算和深度信念网络的数字资源配置[J]. 计算机与现代化, 2021, 0(05): 78-82.
[10]	王文蔚, 肖军弼, 程鹏, 张悦. 基于SDN的DDoS攻击防御系统[J]. 计算机与现代化, 2021, 0(02): 117-121.
[11]	陈明帅, 吴克河. 基于shell命令的内部攻击检测[J]. 计算机与现代化, 2021, 0(01): 56-60.
[12]	陆歌皓, 杨丹妮. 区块链即服务的发展现状与展望[J]. 计算机与现代化, 2020, 0(10): 31-35.
[13]	梁慈1,陈世平2. 基于包簇映射架构的包漂移策略研究[J]. 计算机与现代化, 2019, 0(11): 112-.
[14]	丁顺1,陈世平2. 基于包簇映射机制的实验平台建设及应用[J]. 计算机与现代化, 2019, 0(11): 120-.
[15]	文婷婷,李洪赭. 面向云服务平台的弹性负载均衡算法[J]. 计算机与现代化, 2019, 0(10): 28-.