Recovering user-interactions of Rich Internet Applications through replaying of HTTP traces
Journal of Internet Services and Applications Pub Date : 2018-05-02 , DOI: 10.1186/s13174-018-0081-8
Salman Hooshmand , Gregor V. Bochmann , Guy-Vincent Jourdan , Russell Couturier , Iosif-Viorel Onut

In this paper, we study the “Session Reconstruction” problem, which is the reconstruction of user interactions from recorded request/response logs of a session. The reconstruction is especially useful when the only available information about the session is its HTTP trace, as could be the case during a forensic analysis of an attack on a website. Solutions to the reconstruction problem do exist for “traditional” Web applications. However, these solutions cannot handle modern “Rich Internet Applications” (RIAs). Our solution is implemented in the context of RIAs in a tool called D-ForenRIA. Our tool is made of a proxy and a set of browsers. Browsers are responsible for trying candidate actions on each DOM, and the proxy, which contains the observed HTTP trace, is responsible for responding to browsers’ requests and validating attempted actions on each DOM. D-ForenRIA has a distributed architecture, a learning mechanism to guide the session reconstruction process efficiently, and can handle complex user inputs, client-side randomness, and to some extent actions that do not generate any HTTP traffic. In addition, concurrent reconstruction makes the system scalable for real-world use. The results of our evaluation on several RIAs show that D-ForenRIA can efficiently reconstruct user sessions in practice.

Updated: 2018-05-02