Authors: Shi Limin (史立敏); Wang Xiaoxi (王晓茜); Zhang Hongbin (张宏斌); Liu Xinyu (刘心宇); Wang Xutong (汪旭童)
Affiliations: [1] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093; [2] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093; [3] The 6th Research Institute of China Electronics Corporation, Beijing 100083
Source: Journal of Information Security Research (《信息安全研究》), 2021, No. 6, pp. 527-534 (8 pages)
Funding: National Natural Science Foundation of China (61902396).
Abstract: Distributed denial of service (DDoS) attacks against the Web application layer are becoming increasingly severe, yet research on mitigating this kind of DDoS is limited and the techniques are not mature enough. Existing work concentrates mainly on detection and traffic cleaning while an attack is in progress, and lacks active methods for detecting the resource-consumption vulnerability of Web servers. This paper therefore proposes a detection model and an evaluation framework for the resource-consumption vulnerability of Web services, which can detect the points at which a Web service is vulnerable to resource consumption and evaluate how vulnerable it is. The aim is to analyze and understand a Web service's resource-consumption vulnerabilities before the service is attacked, in order to support website security performance optimization and the choice of defensive measures. An evaluation of a real website verifies the effectiveness of the model and framework: by testing and evaluating a website in actual use, its resource-consumption weak points can be found.
Keywords: DDoS; Web service resources; targeted analysis; vulnerability testing; evaluation framework
Classification: TP309.2 [Automation and Computer Technology: Computer System Architecture]