- 2018
Injection Threat Detection Method Based on Multi-Feature Correlation

DOI: 10.3785/j.issn.1008-973X.2018.03.014

Abstract: Based on the execution flow of injection threats, the behaviors at three key nodes (user input, key functions, and response data) were extracted as analysis features. A hidden Markov model was used to detect whether user input is abnormal; abnormal parameters were then subjected to lexical structure analysis at the key functions to determine the type of abnormality; finally, the response data was analyzed for sensitive characters or watermark features to ensure that important data cannot be leaked to attackers. The experimental results show that parameter length and character classification influence the hidden Markov model; the comparative experiments indicate that this method achieves a good balance between detection accuracy rate and false positive rate.