
[IEEE 2008 IEEE Asia-Pacific Services Computing Conference (APSCC) - Yilan, Taiwan (2008.12.9-2008.12.12)] 2008 IEEE Asia-Pacific Services Computing Conference - Web-Based Request


Web-based Request Behavior Comprehension*

Kong Weiguang, Wuhan University of Science and Engineering, Wuhan, China

* This work is partially supported by Hubei Education Foundation Grant #200717005 to Mr. Hu Ming

Abstract

Software behavior controlling technology represents the development direction of forward defense in information systems. Different technologies are needed to monitor and understand different kinds of software behavior. On a web server, request behavior is mainly composed of requests from network users. Request behavior is a better base element than the individual request for log and access control systems: a single request is isolated and is a component of one or more request behaviors, whereas a user’s request behavior is abstract. Based on the theory of software behavior, this paper puts forward definitions of request behavior and behavior set, studies the expression of request behavior, and builds a web-based request behavior comprehension model based on a fuzzy matching algorithm. From a user’s request list, the model can identify the finished request behaviors and compute the contain degree of partly finished request behaviors, which may be useful in forecasting the user’s behavior.

1. Introduction

Users’ behaviors on a network are carried out by software behaviors. To keep the network in order, it is necessary to monitor and control software behaviors. We are concerned not only with what software and subjects can do, but also with whether they have done anything forbidden[1].

In information systems, forward defense technology is becoming the development trend in security as threats are produced faster and faster. As one of the main means of forward defense, behavior controlling technology monitors and controls software behavior and prevents any behavior judged dangerous[2]. It runs in the real system, consults the user when potentially malicious behavior is occurring, and can judge software behaviors more intelligently by analyzing their main features.

Up to now, behavior controlling has mainly been implemented by watching for potentially dangerous operations that are key operations of malicious behaviors, such as system registry modification, system process injection, keyboard recording and program hiding. Treating an isolated operation as abnormal software behavior has limitations, because normal software may perform these operations too. The better approach is to monitor and comprehend software behavior so that target software behaviors can be filtered accurately.

With the popularization of Internet applications, more and more business has migrated to the Internet, and the security problems of applications have become serious. The threat comes not only from the malicious intent of invalid users but also from requests, initiated by valid users, that exceed their authority. Web servers must respond to this kind of threat in a timely manner. Behavior controlling technology may be an appropriate solution[3].

Currently, web services on the Internet mainly work in client-server mode: the client submits a request to the server, and the server executes the request and sends back the result. In this way, one server can serve multiple clients.

Access controlling technology can partly defeat this kind of threat. It identifies a user and binds the user to a set of authorities so that the server can check requests against them. The bound authorities are usually user requests. The server may deny invalid users and unauthorized requests. In an access controlling model, a user is usually bound to its authorities statically, and the authorities do not change with time or space.

A log records the series of requests that occurred in the system, and its basic record element is the request. Administrators can reconstruct a finished process from the log records, but comprehending log records is currently manual work.

2008 IEEE Asia-Pacific Services Computing Conference

978-0-7695-3473-2/08 $25.00 © 2008 IEEE

DOI 10.1109/APSCC.2008.84

1556


On a web server, logging and access control are commonly based on request operations, but the most appropriate basic element for a log and access control system is the user’s request behavior, because it is the user’s behavior that implies the user’s intention. A single operation is isolated, and it is a component of one or more request behaviors. A user’s request behavior is abstract; one request behavior may be composed of a series of requests.

If logging and access control are founded on request behavior, the security control ability of a web server can be enhanced by controlling users’ request behaviors in real time. The server will refuse request behaviors that violate the security rules.

The author of reference [1] advanced the definition of general software behavior, pointed out that there exist several levels of software behavior, and studied the work style and targets of software behavior controlling, monitoring, authentication and confrontation. Ivan Porres researched the modeling and analysis of software behavior in UML[4]. References [5] and [6] studied automatic classification of software behavior. In reference [7], the author researched pattern recognition and analysis of software behavior; the model can establish the state of health of the target software by comparing real-time measurements with a baseline indicating the target software’s performance and activity. The baseline is automatically derived from a subset of measurements by a third-party tool. The tool includes sensors embedded into the target software to measure specific code segments, and an examiner which receives measurements from the sensors. The baseline, made up of feedback measurements, represents the target software’s behavior.

The primary work of this paper is to research a method for building request behaviors from users’ request lists. The steps are: monitoring the user’s requests as the basic elements of request behavior, forming the request sequence in real time, and matching the running request sequence against the request sequence of each request behavior in the request behavior set defined by the software designer. The matching result includes information about finished and partly finished request behaviors, and supports request behavior controlling and forecasting.

2. Request behavior comprehension

2.1. Definitions

A user’s behavior acting on a web server is carried out by a series of requests. Request behavior may be defined as follows:

Request Behavior ::= Behavior_Id × Behavior_Type × Behavior_Subject × Behavior_Object × Behavior_Time × Behavior_Source × <Request_Sequence>

Behavior_Id is the unique Id of this behavior, assigned by the web server for convenience of management. Behavior_Type is the type of this behavior as classified by the web server. Behavior_Subject and Behavior_Object represent the subject (user) and object of this behavior. Behavior_Time and Behavior_Source indicate the appropriate time domain and source domain (a specified PC, etc.) of the behavior.

Request_Sequence is the ordered sequence of requests required for one behavior. There are a great number of different requests; only specified requests are collected into a Request_Sequence, and there must be one or more signal requests in one Request_Sequence.

In a specified system, all possible request behaviors are included in its behavior set:

Behavior Set ::= {Request Behaviors}

Subsets of a behavior set can be made by classifying its request behaviors, for example a forbidden request behavior set, a permitted request behavior set and a dangerous behavior set. The web server will deny behaviors in the forbidden behavior set, perform behaviors in the permitted behavior set, and raise an alarm for behaviors in the dangerous behavior set.

2.2. Request behavior comprehension model

The request behavior comprehension process ends with a conclusion: which behaviors are finished in a specified request sequence, and the contain degree (discussed below) of partly finished behaviors in that request sequence. The key task is to determine whether a behavior’s Request_Sequence is contained in the specified request sequence, and to compute the contain degree of a request behavior.

Request behavior comprehension is performed in two steps:

1. Ensuring that the compounding form (subject, object, time, source) of a request behavior is consistent with the running process. The compounding form is usually known and relatively easy to obtain and compare.

2. Comparing the request sequence of a request behavior with the request sequence of the running process in order to decide the contain degree of the request behavior in the running process.

For convenience of computing, the Request_Sequence of each request behavior and the specified running request sequence must each be expressed as a matrix, and the contain degree can be computed by fuzzy calculation.

Assume that a standard request behavior named B has been defined, and that B contains a request sequence expressed as (r1, r2, …, rM). We assign a weight ai (0 ≤ ai ≤ 1) to each ri, such that the sum of all ai is 1. The matrix (R1, R2, R3, …, RN) represents all possible requests on the web server. B can be extended to the matrix below by a special rule: if Ri appears in B as rj, then replace Ri with aj; otherwise replace Ri with 0, implying that B has no relation to Ri.

$$B = (a_1, a_2, a_3, \ldots, a_N), \qquad \sum_{i=1}^{N} a_i = 1 \tag{1}$$

By monitoring the requests of the running process, the running request sequence b is expressed as the matrix:

$$b = (r_1, r_2, r_3, \ldots, r_N) \tag{2}$$

All ri are initialized to 0. If Ri has been detected in the running process, ri is set to 1; otherwise ri remains 0. ri is set back to 0 if Ri is retracted.

Matrix b changes as the process goes on. We can match b against B with the fuzzy operation “and” in real time; this operation yields a value between 0 and 1. The result is the contain degree (d) of request behavior B in the running request sequence b.

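$$d = B \bullet b = (a_1, a_2, \ldots, a_N) \bullet \begin{pmatrix} r_1 \\ r_2 \\ \vdots \\ r_N \end{pmatrix} = \sum_{i=1}^{N} (a_i \times r_i) \tag{3}$$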

If the contain degree d is 1, request sequence b contains request behavior B; if d is 0, none of the requests in behavior B is included in request sequence b; if d is between 0 and 1, part of the requests in behavior B have been found in request sequence b. The contain degree d represents the weight of the requests of request behavior B that have occurred, and it can help the system forecast the user’s next operation.

Because a request behavior set commonly contains more than one request behavior, each request behavior must be fuzzy matched against the running request sequence b to get its contain degree, and the contain degrees of all request behaviors form a behavior contain report.

2.3. Web-based request behavior controlling flow

The log system analyzes all request behaviors that are finished or partly finished in the recorded data, and the behavior controlling mechanism can predict the probability that the running request process contains a specified request behavior and respond to the prediction appropriately.

The request behavior controlling flow requires four functions working together (Figure 1): the request monitor, request behavior comprehension, the behavior control strategy database, and the request behavior controlling mechanism.

In a web server application, there are many user connections at the same time. The request monitor continuously picks up each request from one specified user, obtains the basic element information including subject, object, time and source, generates and updates the request sequence matrix b of the current process, and passes the partly completed request sequence matrix b to the request behavior comprehension function.

When a request sequence matrix b arrives, the request behavior comprehension function fuzzy matches it against each request behavior in the request behavior set, and outputs a contain degree report to the request behavior controlling mechanism.

The request behavior controlling mechanism decides the next step according to its behavior control strategy database and the contain degree report. Generally, if a running process has been judged abnormal, the decision will be false and the process will be interrupted.

Figure 1. Request behavior controlling flow (flowchart not reproduced; box labels: user, Client, Web server, User identification and authentication, Pretreatment, Request monitor, Request behavior Comprehension, Behavior Set, Request behavior Controlling, Behavior Control Strategy, Ok? (Y/N), Permit and Perform, Query or Deny)

For example, in a simulated network bank system, there are the following requests (besides Login and Logout):

① Account_Enquiry
② Account_Transfer_Form_Request
③ Transfer_Confirm
④ Payment_Form_Request
⑤ Payment_Confirm

The following request behaviors can be defined:

Enquiry = (1, 0, 0, 0, 0)
Transfer = (0, 0.8, 0.2, 0, 0)
Payment = (0, 0, 0, 0.8, 0.2)

Now user0001 logs in to this system, and his account number is 0001. The user queries his account once, and then he requests the account transfer form, but he has not yet submitted the form. At this time, his request behavior report can be obtained in the background of the web server (Table 1).

Table 1. Request behavior report

Current Request Behavior Report

Subject: User0001
Object: Account 0001
Time: 2008-7-22 13:30
Source: 127.0.0.1
State: Login

Request Behavior Name    Probability
Enquiry                  1
Transfer                 0.8
Payment                  0

The following steps generate the probabilities:

1. The system gets the running request matrix: b = (1, 1, 0, 0, 0)

2. The probability of each behavior is generated (“Transfer” for instance):

$$d(\mathrm{Transfer}) = \mathrm{Transfer} \bullet b = (0, 0.8, 0.2, 0, 0) \bullet \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \end{pmatrix} = 0.8$$

This indicates that 80% of the weight of request behavior “Transfer” has occurred. The report tells us that this user has finished the behavior “Enquiry” and may be performing the behavior “Transfer”.
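The model of sections 2.1 to 2.3 applied to the bank example, as an added example that is not code from the paper: a request monitor maintains b, the comprehension step checks the compounding form and computes every contain degree, and a control step turns the report into a decision. The class and function names, the `form` dictionary, the `alarm_at` and `deny_at` thresholds, and the "dangerous" label on Transfer are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Request universe (R1..RN) of the paper's simulated network bank system.
REQUESTS = ["Account_Enquiry", "Account_Transfer_Form_Request", "Transfer_Confirm",
            "Payment_Form_Request", "Payment_Confirm"]

@dataclass
class RequestBehavior:
    name: str
    weights: dict                    # request name -> weight a_i; unlisted requests get 0
    category: str = "permitted"      # "permitted", "dangerous" or "forbidden" subset
    form: dict = field(default_factory=dict)  # e.g. {"source": {"127.0.0.1"}}; empty = any

    def __post_init__(self):
        if set(self.weights) - set(REQUESTS):
            raise ValueError(f"{self.name}: unknown request in weights")
        if abs(sum(self.weights.values()) - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: weights must sum to 1 (Eq. 1)")

    def vector(self):                # B = (a1, ..., aN)
        return [self.weights.get(r, 0.0) for r in REQUESTS]

    def form_matches(self, ctx):     # step 1: compare subject/object/source fields
        return all(ctx.get(k) in allowed for k, allowed in self.form.items())

class RequestMonitor:
    """Keeps the running request vector b (Eq. 2) for one user session."""
    def __init__(self, **ctx):
        self.ctx, self.b = ctx, [0] * len(REQUESTS)

    def observe(self, request, retracted=False):
        self.b[REQUESTS.index(request)] = 0 if retracted else 1

def contain_degree(behavior, b):     # Eq. 3: d = sum(a_i * r_i)
    # b records presence only, so request order and repetition do not affect d.
    return round(sum(a * r for a, r in zip(behavior.vector(), b)), 9)

def report(behavior_set, monitor):   # step 2, for every behavior whose form matches
    return {beh.name: contain_degree(beh, monitor.b)
            for beh in behavior_set if beh.form_matches(monitor.ctx)}

def decide(behavior_set, degrees, alarm_at=0.5, deny_at=1.0):
    """Assumed strategy: deny a completed forbidden behavior, alarm on a
    dangerous one once its contain degree reaches alarm_at, else permit."""
    category = {beh.name: beh.category for beh in behavior_set}
    verdict = "permit"
    for name, d in degrees.items():
        if category[name] == "forbidden" and d >= deny_at:
            return "deny"
        if category[name] == "dangerous" and d >= alarm_at:
            verdict = "alarm"
    return verdict

# Behavior set from the paper; the "dangerous" label on Transfer is constructed.
BEHAVIORS = [
    RequestBehavior("Enquiry", {"Account_Enquiry": 1.0}),
    RequestBehavior("Transfer", {"Account_Transfer_Form_Request": 0.8,
                                 "Transfer_Confirm": 0.2}, category="dangerous"),
    RequestBehavior("Payment", {"Payment_Form_Request": 0.8, "Payment_Confirm": 0.2}),
]

def demo():
    m = RequestMonitor(subject="User0001", object="Account 0001", source="127.0.0.1")
    m.observe("Account_Enquiry")
    m.observe("Account_Transfer_Form_Request")
    degrees = report(BEHAVIORS, m)
    return degrees, decide(BEHAVIORS, degrees)

if __name__ == "__main__":
    print(demo())
```

Because b only records whether a request has been seen, a deployment that depends on the order of requests within a Request_Sequence would need an additional sequence check alongside the contain degree.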

3. Conclusion

Requests from a client to a web server are relatively easy for the web server to monitor and control. The request behavior comprehension model developed in this paper is founded on fuzzy matching of request sequences; it can identify finished request behaviors and the contain degree of partly finished request behaviors. Its output is suitable as the basic element of a log system and of real-time behavior controlling. A web server will be more secure by adopting this kind of forward defensive technology. At the same time, the model increases the server’s processing cost while enhancing system safety.

In summary, as network crime spreads, forward defense will play a more important role in the future. The request behavior comprehension model is a feasible foundation for web-based request behavior controlling.

4. References

[1] Yanwen Qu, Software Behavior (in Chinese), Publishing House of Electronics Industry, Beijing, China, 2004.10.

[2] W. Gao, “Forwardly Defensive Technology”, Software World, 2007.10.

[3] Tim Mccollum, “Applications control: Software behavior monitoring offers another layer of protection to corporate information systems”, Computers & Auditing, Internal Auditor, 2002.4.

[4] Ivan Porres, “Modeling and Analyzing Software Behavior in UML”, [Online] Available: http://citeseer.ist.psu.edu/porres01modeling.html.

[5] James F. Bowring, “Software Behavior: Automatic Classification and its Applications”, [Online] Available: http://www.cercs.gatech.edu/tech-reports/././tr2003/git-cercs-03-19.pdf, 2003.

[6] James F. Bowring, “Active Learning for Automatic Classification of Software Behavior”, [Online] Available: http://www.cc.gatech.edu/aristotle/Publications/Papers/p398-bowring.pdf, 2003.

[7] Noy, “Software behavior pattern recognition and analysis”, United States Patent 7269824, [Online] Available: http://www.freepatentsonline.com/7269824.html.

[8] B. Liu, “The Summarize of the Technique about Proactive Network Security Protection”, Proceedings of the 11th China Symposium on Computer Application in Modern Science & Technology, 2003.9.

[9] B. Zhang, J. Yin, W. Tang, and J. Hao, “Unknown computer virus detection based on fuzzy pattern recognition”, Computer Applications, 2005.9, pp. 2050-2053.

Profile: Kong Weiguang (1970-), Associate Professor, has research interests in Computer Network Theory and Information Security.
