CN104270373A - Web server anonymous access flow detection method based on time characteristics - Google Patents


Info

Publication number
CN104270373A
Authority
CN
China
Prior art keywords
web server
temporal characteristics
alpha
access flow
sigma
Prior art date
Legal status
Granted
Application number
CN201410535015.8A
Other languages
Chinese (zh)
Other versions
CN104270373B (en)
Inventor
何高峰
张涛
张波
马媛媛
陈亚东
楚杰
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Smart Grid Research Institute of SGCC
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention provides a Web server anonymous access traffic detection method based on temporal characteristics. The method comprises the steps of extracting temporal characteristics, establishing a temporal characteristic model based on a one-class support vector machine, substituting the temporal characteristics into the temporal characteristic model for detection, and confirming the detection result. With this method a Web server can detect anonymous access traffic, quick and accurate detection of anonymous Web access traffic is achieved, and the security of the Web server is improved.

Description

Web server anonymous access traffic detection method based on temporal characteristics
Technical field
The present invention relates to a detection method, and in particular to a Web server anonymous access traffic detection method based on temporal characteristics.
Background technology
With the rapid development and wide use of the Internet and the mobile Internet, the network has become part of every aspect of people's daily life. At the same time, the security and privacy problems brought by network services are receiving increasing attention. To protect the private information of network users, researchers have proposed the concept of anonymous communication and related technical realizations.
Anonymous communication technology was first proposed by Chaum in 1981. It hides the user's identity and the communication relationship by inserting one or more intermediate nodes (Mix nodes) on the communication path between sender and recipient. When sending data, the user first determines the addresses of the Mix nodes on the forwarding path and of the recipient, then encrypts the data and the address information layer by layer with the public key of each Mix node on the path, forming an "onion", and sends this onion to the first Mix node on the path. On receiving the onion, that Mix node decrypts it to obtain the next-hop address and sends the decrypted onion to the next-hop node; the remaining nodes operate in turn until the original data is finally forwarded to the recipient. Returned data travels the path in reverse order: the recipient returns the data to the Mix node directly connected to it (the last Mix node on the forwarding path), each Mix node on the path then encrypts the data layer by layer with its own private key and forwards it in the reverse direction, and finally the user performs repeated decryption operations to obtain the communication content. Based on this technique, researchers have designed a number of anonymous communication schemes such as the onion routing protocol, and on this basis have developed practical anonymous communication systems such as Tor and JAP.
While protecting the identity and privacy of network users, abuse of anonymous communication systems also brings serious danger to network security and network management. For example, in 2007 the German government successively arrested the operators of several Tor exit nodes, and in fact these Tor exit node operators were scapegoats for network crimes such as illegally browsing pornography. When an anonymous offender uses the Tor network to obtain child pornography, the corresponding network traffic is first sent to a Tor exit node, and the exit node then forwards the related data to the anonymous criminal through the Tor network. From the IP address information of the network traffic only these Tor exit nodes can be traced, and the real cybercriminal cannot be learned. In addition, botnets have begun to use the Tor anonymous communication network to hide their command and control (C&C) servers: each bot node communicates with the C&C server through Tor, which conceals the true identity of the C&C server and its association with the bot nodes and makes botnet detection more difficult. More seriously, some popular network attack tools, such as the DoS attack tool torshammer and the SQL injection attack tool sqlmap aimed at Web servers, provide configuration options to forward their attack traffic through the Tor anonymity network so as to evade detection and tracing. In view of the widespread deployment of Web applications and their critical role in national economic fields such as electric power, it is necessary to supervise anonymous Web access, prevent anonymous attacks and improve the security of Web servers. Detection of anonymous access traffic is the prerequisite and basis for performing such supervision.
At present, Web servers detect anonymous access traffic mainly on the basis of IP address information: the server looks up the client's IP address in a published list of anonymous nodes. This method has obvious limitations. Specifically, existing methods have the following three deficiencies:
1) if the client is a hidden anonymous node whose IP address is not published, the Web server cannot detect the anonymous access traffic;
2) if the client has two network cards, one connected to the anonymous communication system and the second to the normal Internet, and the anonymous access traffic is sent to the Web server through the second card, then, because only the IP address of the first card appears in the published list of anonymous nodes while the Web server checks the IP address of the second card, the anonymous access traffic it produces cannot be detected;
3) if the client was previously an anonymous node but has now shut down its anonymous service, and the list of anonymous nodes has not been updated in time, the server will judge the current client's access traffic to be anonymous access, giving a false positive.
Summary of the invention
To overcome the above deficiencies of the prior art, the invention provides a Web server anonymous access traffic detection method based on temporal characteristics. It solves the problem of detecting anonymous access traffic at a Web server, achieves quick and accurate detection of anonymous Web access traffic, and improves the security of the Web server.
To achieve the above object, the invention adopts the following technical scheme:
The invention provides a Web server anonymous access traffic detection method based on temporal characteristics, the method comprising the following steps:
Step 1: extracting temporal characteristics;
Step 2: establishing a temporal characteristic model based on a one-class support vector machine;
Step 3: substituting the temporal characteristics into the temporal characteristic model for detection;
Step 4: confirming the detection result.
In Step 1, the Web server records the respective arrival times of the HTTP GET and POST requests, and uses the time intervals between consecutively occurring GET or POST requests as the temporal characteristics.
Step 1 specifically comprises the following steps:
Step 1-1: for each client connecting to the Web server, the Web server builds a database search index according to the client's IP address;
Step 1-2: the Web server records the arrival times of the HTTP GET and POST requests, and for repeated identical GET or POST requests records only the arrival time of the first GET or POST request;
Step 1-3: the temporal characteristics are extracted from the recorded arrival time series of GET and POST requests.
In Step 1-1, for a client IP address of IPv4 type, the Web server saves the client's IP address as a 4-byte INT according to the byte order of its own operating system, then computes the corresponding numerical value and uses this value as the client's search index;
for a client IP address of IPv6 type, the Web server treats the client's IPv6 address as a character string, computes its hash value with the BKDRHash function, uses the result as the database index, and at the same time stores the IPv6 address information in the database.
In Step 1-3, the Web server calculates the arrival time intervals of the GET and POST requests from their recorded arrival times, sorts the intervals in descending order, extracts at least the top 20% of the intervals, and saves them as a characteristic vector to serve as the temporal characteristics.
In Step 2, the extracted temporal characteristics are saved as characteristic vectors, and model training is carried out with a one-class support vector machine to obtain the temporal characteristic model.
In Step 2, let the length of a characteristic vector be $l$, and let a characteristic vector be formalized as $P=\{p_1,p_2,\dots,p_m,\dots,p_l\}$, where $p_m$ is the $m$-th time interval; let there be $k$ characteristic vectors in total, with $P_i$ the $i$-th characteristic vector. The training model established by the one-class support vector machine is as follows:
$$\min_{w,\rho,\varepsilon_i}\ \frac{1}{2}\|w\|^2+\frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i-\rho\qquad\text{s.t.}\quad w\cdot\varphi(P_i)\ge\rho-\varepsilon_i,\quad \varepsilon_i\ge 0,\quad i=1,2,\dots,k$$
where $w$ is the normal vector of the separating hyperplane; $\rho$ is a constant that determines the distance of the hyperplane from the origin; $\varepsilon_i$ is a slack variable that penalizes misclassified points; $v$ is the balance parameter between the maximum margin and the penalty term, with $v\in(0,1]$; and $\varphi(P_i)$ denotes the mapping of the $i$-th characteristic vector into the higher-dimensional space.
Introducing the Lagrange multipliers $\alpha_i$ and $\beta_i$ gives:
$$L(w,\varepsilon_i,\rho,\alpha_i,\beta_i)=\frac{1}{2}\|w\|^2+\frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i-\rho-\sum_{i=1}^{k}\alpha_i\big((w\cdot\varphi(P_i))-\rho+\varepsilon_i\big)-\sum_{i=1}^{k}\beta_i\varepsilon_i$$
Substituting the kernel function gives the following dual function:
$$\min_{\alpha_i}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j\,\varphi(P_i)\cdot\varphi(P_j)=\min_{\alpha}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j K(P_i,P_j)\qquad\text{s.t.}\quad 0\le\alpha_i\le\frac{1}{vk},\quad \sum_{i=1}^{k}\alpha_i=1$$
where $\alpha_j$ is a Lagrange multiplier, $\varphi(P_j)$ denotes the mapping of the $j$-th characteristic vector into the higher-dimensional space, $P_j$ is the $j$-th characteristic vector, $j=1,2,\dots,k$, and $K(P_i,P_j)=\varphi(P_i)\cdot\varphi(P_j)$ is the kernel function. The RBF kernel is adopted as the kernel function, so $K(P_i,P_j)$ is expressed as:
$$K(P_i,P_j)=\exp\left(-\gamma\|P_i-P_j\|^2\right)$$
where $\gamma$ is the radius control parameter, $\gamma>0$.
Finally, solving the dual function yields the support vector set $SV$ and the corresponding $\alpha_i$ values, which constitute the temporal characteristic model.
The optimal value of the balance parameter $v$ between the maximum margin and the penalty term is determined by the following process:
1) with a step size of 0.01, test the recognition rate for different values of $v$ over $(0,1]$, and denote the value of $v$ with the maximum recognition rate as $v'$;
2) over $(v'-0.1,\ v'+0.1]$, with a step size of 0.001, test the recognition rate for different values of $v$, and finally take the value $v_{max}$ with the maximum recognition rate as the optimal value of the balance parameter $v$.
In Step 3, the computed support vector set $SV$ and the corresponding $\alpha_i$ values are expressed as the discriminant function $y(P)$:
$$y(P)=\operatorname{sign}\Big[\sum_{P_i\in SV}\alpha_i K(P_i,P)-\rho\Big]$$
where $\operatorname{sign}(\cdot)$ is the sign function, defined as:
$$\operatorname{sign}\Big[\sum_{P_i\in SV}\alpha_i K(P_i,P)-\rho\Big]=\begin{cases}-1 & \text{if } \sum_{P_i\in SV}\alpha_i K(P_i,P)-\rho<0\\[4pt] \phantom{-}1 & \text{if } \sum_{P_i\in SV}\alpha_i K(P_i,P)-\rho\ge 0\end{cases}$$
When network traffic to be detected is discriminated, its temporal characteristics are substituted into the discriminant function: if the detection result is 1, the traffic proceeds to anonymous access confirmation; if the detection result is $-1$, it is judged to be normal access traffic.
Step 4 specifically comprises the following steps:
Step 4-1: the Web server redirects to a verification page;
Step 4-2: a verification code of a specific size is generated, and the user is required to enter the verification code shown on the page;
to detect Tor and JAP anonymous access traffic at the same time, the size of the verification code is set to 990 bytes;
Step 4-3: the verification code is sent back to the Web server;
Step 4-4: the Web server confirms whether the traffic is anonymous access traffic according to the message length corresponding to the verification code;
if the network message corresponding to the verification code is split into two messages whose lengths are 498 and 492 bytes, or 989 and 1 byte, respectively, the traffic is confirmed as anonymous access traffic; otherwise it is judged to be normal access traffic.
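The pipeline of Steps 1 to 4 (per-client index, inter-arrival feature vector, RBF discriminant function y(P), and the 990-byte segment-length confirmation), as an added worked example that is not the patent's own code. The support vectors, alphas, rho and gamma in MODEL are constructed for illustration rather than trained, the request logs are constructed, and padding or truncating the feature vector to the fixed length l is an assumption the patent does not spell out.

```python
import math
import socket
import sys

# ---- Step 1-1: per-client database search index --------------------------
def ipv4_index(addr: str) -> int:
    """IPv4 address stored as a 4-byte integer in the host byte order."""
    return int.from_bytes(socket.inet_aton(addr), sys.byteorder)

def bkdr_hash(s: str, seed: int = 131) -> int:
    """BKDRHash over the textual IPv6 address (32-bit result assumed here)."""
    h = 0
    for ch in s:
        h = (h * seed + ord(ch)) & 0xFFFFFFFF
    return h

def client_index(addr: str) -> int:
    return bkdr_hash(addr) if ":" in addr else ipv4_index(addr)

# ---- Steps 1-2 and 1-3: arrival times -> temporal characteristic vector ---
def extract_features(requests, l, top_percent=20):
    """requests: iterable of (method, url, arrival_time_seconds).
    Only GET/POST count; an identical repeated request keeps its first arrival
    time.  Consecutive inter-arrival intervals are sorted in descending order
    and the top 20% (at least one) are kept.  Padding with 0.0 / truncating to
    the fixed length l is an assumption, not something the patent states."""
    seen, times = set(), []
    for method, url, t in requests:
        if method not in ("GET", "POST") or (method, url) in seen:
            continue
        seen.add((method, url))
        times.append(t)
    times.sort()
    intervals = sorted((b - a for a, b in zip(times, times[1:])), reverse=True)
    n = max(1, (len(intervals) * top_percent + 99) // 100) if intervals else 0
    feats = intervals[:n][:l]
    return feats + [0.0] * (l - len(feats))

# ---- Steps 2/3: RBF kernel and discriminant function y(P) ---------------
def rbf_kernel(p, q, gamma):
    """K(P_i, P_j) = exp(-gamma * ||P_i - P_j||^2), gamma > 0."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(p, q)))

def decision_value(P, model):
    """sum over P_i in SV of alpha_i * K(P_i, P), minus rho."""
    return sum(a * rbf_kernel(sv, P, model["gamma"])
               for sv, a in zip(model["SV"], model["alpha"])) - model["rho"]

def discriminate(P, model):
    """y(P): 1 = suspicious anonymous access (go to Step 4), -1 = normal."""
    return 1 if decision_value(P, model) >= 0 else -1

# ---- Step 4-4: confirm by segment lengths of the 990-byte reply ----------
def confirm_anonymous(segment_lengths):
    """True when the 990-byte verification-code message arrives split as
    (498, 492) or (989, 1) bytes, the two patterns the patent names."""
    return tuple(segment_lengths) in {(498, 492), (989, 1)}

# Constructed model: illustrative values, not the output of training.
MODEL = {"SV": [[2.0, 1.0], [3.0, 0.0]], "alpha": [0.5, 0.5],
         "rho": 0.2, "gamma": 0.5}

# Constructed request logs (method, URL, arrival time in seconds).
ANON_LOG = [("GET", "/index.html", 0.0), ("GET", "/style.css", 0.5),
            ("GET", "/index.html", 0.75),              # repeat: ignored (Step 1-2)
            ("POST", "/login", 3.0), ("GET", "/a.js", 3.25),
            ("GET", "/b.js", 3.5), ("HEAD", "/x", 3.6),  # HEAD is not GET/POST
            ("GET", "/img.png", 5.5)]
NORMAL_LOG = [("GET", f"/r{i}", 0.125 * i) for i in range(6)]  # steady bursts

def run_pipeline(log, model=MODEL, l=2):
    """Steps 1-3 for one client's log; returns (feature_vector, y(P))."""
    P = extract_features(log, l)
    return P, discriminate(P, model)

if __name__ == "__main__":
    for name, log in (("anonymous-like", ANON_LOG), ("normal-like", NORMAL_LOG)):
        P, y = run_pipeline(log)
        print(name, client_index("203.0.113.7"), P, y)
    print(confirm_anonymous([498, 492]), confirm_anonymous([990]))
```

The anonymous-like log yields the feature vector [2.5, 0.0] and y(P) = 1, so it would be sent to the Step 4 verification page; the normal-like log yields [0.125, 0.0] and y(P) = -1.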
Compared with the prior art, the beneficial effects of the invention are:
1. the invention uses temporal characteristics to distinguish anonymous access traffic from normal access traffic, which enhances the generality of the method and widens its scope of application;
2. the temporal characteristic model of anonymous access traffic is built with a one-class support vector machine, so only learning samples of anonymous access traffic are needed for modeling, which is convenient in practice;
3. when suspicious anonymous access is found, the anonymous access traffic is further verified by redirecting to a verification page that generates a verification code of a specific size, which reduces the false alarm rate of the detection method;
4. the invention mainly solves the problem of detecting anonymous access traffic at a Web server, achieves quick and accurate detection of anonymous Web access traffic, and strengthens the security of the Web server.
Brief description of the drawings
Fig. 1 is a functional structure diagram of the Web server anonymous access traffic detection method based on temporal characteristics in an embodiment of the invention;
Fig. 2 is a detailed flow chart of the Web server anonymous access traffic detection method based on temporal characteristics in an embodiment of the invention.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1 and Fig. 2, the invention provides a Web server anonymous access traffic detection method based on temporal characteristics; the method comprises Steps 1 to 4 as set out in the summary of the invention above.
Embodiment
A Web server is deployed on the information extranet of a power enterprise and exchanges data with a background database on the intranet. To obtain the contents of the background database, an attacker uses the sqlmap tool to carry out SQL injection attacks, and configures sqlmap to forward its attack traffic through the Tor anonymous communication system so as to hide its real IP address and evade network tracing. By detecting the anonymous access traffic, the anonymous access can be discovered in time and its network connection cut off, protecting the security of the information data on the power information intranet and thereby the security of the whole power system network.
The specific embodiment is as follows:
First, the server administrator accesses the Web server on the information extranet through the Tor anonymous communication system, and records the arrival times of the HTTP GET and POST requests at the firewall in front of the Web server. To obtain sufficient learning samples, the administrator accesses the Web server content repeatedly, then extracts temporal characteristics from the recorded arrival time series of GET and POST requests and saves them as learning samples. After obtaining the learning sample data, the Web server administrator models the temporal characteristics of anonymous access traffic with a one-class support vector machine, determines the optimal parameter values during modeling with a grid search method, and generates the final model file.
After the above steps, the anonymous access traffic detection function can be deployed on the firewall in front of the Web server. For each new access connection, the firewall records the arrival times of its HTTP GET and POST requests, and for repeated accesses to the same Web object only the time of the first access is recorded. After a certain number of arrival times have been collected, the firewall calls the temporal characteristic extractor to produce the temporal characteristics of the current access traffic, substitutes these characteristics into the model file and computes the discrimination result. If the discrimination result is -1, the traffic is normal access traffic and access is allowed to continue. Otherwise, if the discrimination result is 1, the traffic is suspicious anonymous access traffic, and the firewall redirects the current access to the server's verification page.
The verification page displays a picture verification code and requires the user to enter the verification code information. At the same time, JavaScript code embedded in the page pads the verification code information to 990 bytes by adding an identification field and random digits, and this information is returned to the server. The firewall checks the network-layer message lengths of the returned information; if the lengths are 498 and 492 bytes respectively, it judges that the current access is anonymous access forwarded through the Tor anonymous system and interrupts the network connection. On this basis, further measures can be taken, such as adding the current IP address to a blacklist, to ensure the security of the Web server.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical scheme of the invention and not to limit it; those of ordinary skill in the art may still modify or equivalently replace the specific embodiments of the invention with reference to the above embodiments, and any such modification or equivalent replacement that does not depart from the spirit and scope of the invention falls within the scope of the pending claims of the invention.

Claims (10)

1., based on a Web server anonymous access flow rate testing methods for temporal characteristics, it is characterized in that: said method comprising the steps of:
Step 1: temporal characteristics extracts;
Step 2: based on one-class support vector machines characteristic model settling time;
Step 3: temporal characteristics is substituted in temporal characteristics model and detect;
Step 4: testing result is confirmed.
2. the Web server anonymous access flow rate testing methods based on temporal characteristics according to claim 1, it is characterized in that: in described step 1, in Web server record http protocol GET request and POST ask the respective time of advent, using occur continuously GET request or POST ask between the time interval as temporal characteristics.
3. the Web server anonymous access flow rate testing methods based on temporal characteristics according to claim 1 and 2, is characterized in that: described step 1 specifically comprises the following steps:
Step 1-1: according to IP address, for the client of each connection Web server, Web server building database search index;
The time of advent of GET request and POST request in step 1-2:Web server record http protocol, and identical repeatedly GET is asked or POST request, Web server only records the time of advent of first time GET request or POST request;
Step 1-3: ask to reach time series extraction time feature from the GET request of record and POST.
4. the Web server anonymous access flow rate testing methods based on temporal characteristics according to claim 3, it is characterized in that: in described step 1-1, for the client ip address of IPv4 type, Web server is according to the byte order of self operating system, the IP address of client is saved as 4 byte INT types, Web server calculates corresponding numerical value afterwards, and using this numerical value as the search index of client;
For the client ip address of IPv6 type, the IPv6 address of client as character string, uses BKDRHash hash function to calculate hash value by Web server, and using result of calculation as database index, preserves IPv6 address information in database simultaneously.
5. the Web server anonymous access flow rate testing methods based on temporal characteristics according to claim 3, it is characterized in that: in described step 1-3, Web server asks the respective time of advent according to the GET request of record and POST, calculate GET request and POST asks time interval of reaching, and according to descending order, the time interval is sorted, extract the time interval of at least 20%, save as characteristic vector using as temporal characteristics.
6. the Web server anonymous access flow rate testing methods based on temporal characteristics according to claim 1, it is characterized in that: in described step 2, the temporal characteristics of extraction is saved as characteristic vector, uses one-class support vector machines to carry out model training, draw temporal characteristics model.
7. The Web server anonymous access flow detection method based on temporal characteristics according to claim 1 or 6, characterized in that: in step 2, if the length of a feature vector is l, the feature vector is formally represented as P = {p_1, p_2, ..., p_m, ..., p_l}, where p_m is the m-th time interval; if there are k feature vectors in total and P_i is the i-th feature vector, the training model established by the one-class support vector machine is as follows:

$$\min_{w,\rho,\varepsilon_i}\ \frac{1}{2}\|w\|^2 + \frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i - \rho \qquad \text{s.t.}\quad w\cdot\phi(P_i) \ge \rho - \varepsilon_i,\quad \varepsilon_i \ge 0,\quad i = 1,2,\dots,k$$

Here w is the normal vector of the optimal separating hyperplane; ρ is a constant to be set, which determines the distance of the hyperplane from the origin; ε_i is a slack variable that penalizes misclassified points; v is the balance parameter between the maximum margin and the penalty term, with v ∈ (0, 1]; and φ(P_i) denotes the mapping of the i-th feature vector into a higher-dimensional space.

Introducing the Lagrange multipliers α_i and β_i gives:

$$L(w,\varepsilon_i,\rho,\alpha_i,\beta_i) = \frac{1}{2}\|w\|^2 + \frac{1}{vl}\sum_{i=1}^{k}\varepsilon_i - \rho - \sum_{i=1}^{k}\alpha_i\bigl((w\cdot\phi(P_i)) - \rho + \varepsilon_i\bigr) - \sum_{i=1}^{k}\beta_i\varepsilon_i$$

Substituting the kernel function yields the following dual problem:

$$\min_{\alpha_i}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j\,\phi(P_i)\cdot\phi(P_j) = \min_{\alpha}\ \frac{1}{2}\sum_{i=1}^{k}\sum_{j=1}^{k}\alpha_i\alpha_j K(P_i,P_j) \qquad \text{s.t.}\quad 0 \le \alpha_i \le \frac{1}{vk},\quad \sum_{i=1}^{k}\alpha_i = 1$$

Here α_j is a Lagrange multiplier; φ(P_j) denotes the mapping of the j-th feature vector into the higher-dimensional space; P_j is the j-th feature vector, j = 1, 2, ..., k; and K(P_i, P_j) = φ(P_i)·φ(P_j) is the kernel function. The RBF kernel is adopted, so K(P_i, P_j) is expressed as:

$$K(P_i,P_j) = \exp\left(-\gamma\,\|P_i - P_j\|^2\right)$$

where γ > 0 is the radius control parameter.

Finally, solving the dual problem yields the support vector set SV and the corresponding α_i values, which together form the temporal-characteristics model.
8. The Web server anonymous access flow detection method based on temporal characteristics according to claim 7, characterized in that: the optimal value of the balance parameter v between the maximum margin and the penalty term is determined by the following procedure:
1) With a step of 0.01, test the discrimination rate of different v values in (0, 1], and record the v value with the highest discrimination rate as v';
2) In (v' - 0.1, v' + 0.1], with a step of 0.001, test the discrimination rate of different v values, and take the value v_max with the highest discrimination rate as the optimal value of the balance parameter v.
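The two-step search of claim 8, written here as an added example (not the patent's own code) over any discrimination-rate function of v; `sample_score` is a constructed stand-in for retraining the one-class SVM and measuring its discrimination rate, and clipping the fine window to (0, 1] is an assumption the claim does not state.

```python
"""Coarse-to-fine search for the balance parameter v of claim 8 (added example).
`score` is any discrimination-rate function of v; in practice it would retrain the
one-class SVM with that v and return the measured discrimination rate."""
from typing import Callable, Iterator, Tuple


def grid(lo: float, hi: float, step: float) -> Iterator[float]:
    """Candidate values in the half-open interval (lo, hi] on a fixed step."""
    n = round((hi - lo) / step)
    for i in range(1, n + 1):
        yield round(lo + i * step, 6)  # rounding removes float drift such as 0.23699999


def best_on_grid(score: Callable[[float], float], lo: float, hi: float,
                 step: float) -> Tuple[float, float]:
    """Return (v, score(v)) for the grid point with the highest discrimination rate."""
    best_v, best_s = None, float("-inf")
    for v in grid(lo, hi, step):
        s = score(v)
        if s > best_s:
            best_v, best_s = v, s
    return best_v, best_s


def search_v(score: Callable[[float], float]) -> Tuple[float, float]:
    """Steps 1) and 2) of claim 8: step 0.01 over (0, 1], then step 0.001 around v'."""
    v_prime, _ = best_on_grid(score, 0.0, 1.0, 0.01)
    # Assumption added here: the fine window (v' - 0.1, v' + 0.1] is clipped to (0, 1]
    # because v must stay in that range; the claim itself does not say so.
    lo, hi = max(0.0, v_prime - 0.1), min(1.0, v_prime + 0.1)
    return best_on_grid(score, lo, hi, 0.001)


def sample_score(v: float) -> float:
    """Constructed discrimination-rate curve with its maximum at v = 0.237."""
    return 1.0 - (v - 0.237) ** 2


if __name__ == "__main__":
    v_max, rate = search_v(sample_score)
    print(f"v_max = {v_max}, discrimination rate = {rate:.6f}")  # v_max = 0.237
```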
9. The Web server anonymous access flow detection method based on temporal characteristics according to claim 1, characterized in that: in step 3, the computed support vector set SV and the corresponding α_i values are expressed as the discriminant function Y(P):

$$Y(P) = \operatorname{sign}\left[\sum_{P_i \in SV}\alpha_i K(P_i, P) - \rho\right]$$

where sign(·) is the sign function, defined as:

$$\operatorname{sign}\left[\sum_{P_i \in SV}\alpha_i K(P_i,P) - \rho\right] = \begin{cases} -1 & \text{if } \sum_{P_i \in SV}\alpha_i K(P_i,P) - \rho < 0 \\ \phantom{-}1 & \text{if } \sum_{P_i \in SV}\alpha_i K(P_i,P) - \rho \ge 0 \end{cases}$$

When the network traffic to be detected is discriminated, its temporal characteristics are substituted into the discriminant function: if the result is 1, proceed to confirmation of anonymous access flow; if the result is -1, the traffic is judged to be normal access flow.
10. The Web server anonymous access flow detection method based on temporal characteristics according to claim 1, characterized in that: step 4 specifically comprises the following steps:
Step 4-1: the Web server redirects to a verification page;
Step 4-2: a verification code of a specific size is generated and shown in the web page, and the user is required to enter it;
to detect Tor and JAP anonymous access flow simultaneously, the size of the verification code is set to 990 bytes;
Step 4-3: the verification code is sent back to the Web server;
Step 4-4: the Web server confirms whether the flow is anonymous access flow according to the message length corresponding to the verification code;
if the network message corresponding to the verification code is split into two messages whose lengths are respectively 498 and 492 bytes, or 989 and 1 byte, it is confirmed as anonymous access flow; otherwise it is judged to be normal access flow.
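The discriminant of claim 9 followed by the length confirmation of claim 10, as an added example that is not the patent's own code; the support vectors, multipliers, ρ and γ are constructed stand-ins for a trained model, and the feature vectors are assumed to be inter-packet time intervals in seconds.

```python
"""Two-stage check from claims 9 and 10 (added example, not the patent's code).
Stage 1 evaluates Y(P) = sign(sum_i alpha_i K(P_i, P) - rho) with the RBF kernel;
stage 2 confirms a stage-1 hit by the lengths of the two messages that carry the
990-byte verification code."""
import math
from typing import Sequence, Tuple

# Constructed model: each support vector is l = 4 inter-packet time intervals (seconds);
# ALPHA are multipliers from the dual problem (they sum to 1), RHO the offset.
SV: Tuple[Tuple[float, ...], ...] = (
    (0.10, 0.12, 0.11, 0.13),
    (0.09, 0.11, 0.10, 0.12),
    (0.11, 0.13, 0.12, 0.14),
)
ALPHA: Tuple[float, ...] = (0.4, 0.3, 0.3)
RHO = 0.5
GAMMA = 10.0  # radius control parameter gamma > 0

# Message-length pairs (order as stated in claim 10) that confirm anonymous access flow.
CONFIRMING_SPLITS = ((498, 492), (989, 1))


def rbf_kernel(p: Sequence[float], q: Sequence[float], gamma: float = GAMMA) -> float:
    """K(P_i, P_j) = exp(-gamma * ||P_i - P_j||^2)."""
    if len(p) != len(q):
        raise ValueError("feature vectors must have the same length l")
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(p, q)))


def discriminant(p: Sequence[float]) -> int:
    """Y(P) of claim 9: 1 -> candidate anonymous access flow, -1 -> normal access flow."""
    score = sum(a * rbf_kernel(sv, p) for sv, a in zip(SV, ALPHA)) - RHO
    return 1 if score >= 0 else -1


def confirm_by_lengths(lengths: Sequence[int]) -> bool:
    """Step 4-4 of claim 10: the verification-code message was split into exactly two
    messages of 498/492 or 989/1 bytes."""
    return len(lengths) == 2 and tuple(lengths) in CONFIRMING_SPLITS


def classify(p: Sequence[float], lengths: Sequence[int]) -> str:
    """Stage 1 on the temporal feature vector; stage 2 only for stage-1 hits."""
    if discriminant(p) == -1:
        return "normal"
    return "anonymous" if confirm_by_lengths(lengths) else "normal"


if __name__ == "__main__":
    # Constructed inputs: a vector close to the support vectors and a distant one.
    print(classify((0.10, 0.12, 0.11, 0.13), [498, 492]))  # anonymous
    print(classify((1.0, 1.0, 1.0, 1.0), [498, 492]))      # normal
```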
CN201410535015.8A 2014-10-11 2014-10-11 A kind of Web server anonymous access flow rate testing methods based on temporal characteristics Active CN104270373B (en)
Publications (2)

Publication Number Publication Date
CN104270373A true CN104270373A (en) 2015-01-07
CN104270373B CN104270373B (en) 2017-07-14
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106919579A (en) * 2015-12-24 2017-07-04 腾讯科技(深圳)有限公司 A kind of information processing method and device, equipment
CN113382405A (en) * 2021-04-24 2021-09-10 胡志成 Network space information security control method and application
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
Effective date of registration: 20160425
Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicants after: State Grid Corporation of China; China Electric Power Research Institute; State Grid Smart Grid Institute
Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicants before: State Grid Corporation of China; China Electric Power Research Institute
CB02 Change of applicant information
Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicants after: State Grid Corporation of China; China Electric Power Research Institute; GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE
Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing
Applicants before: State Grid Corporation of China; China Electric Power Research Institute; State Grid Smart Grid Institute
COR Change of bibliographic data
GR01 Patent grant