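1. Department of Information Technology, Zhejiang Institute of Economics and Trade, Hangzhou 310018, Zhejiang, China
2. Information and Telecommunication Branch, State Grid Zhejiang Electric Power Co., Ltd., Hangzhou 310007, Zhejiang, China
3. School of Information Engineering, Huzhou University, Huzhou 313002, Zhejiang, China
4. College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou 310023, Zhejiang, China
LIN Feng (1979- ), male, associate professor in the Department of Information Technology, Zhejiang Institute of Economics and Trade. His main research interest is network security.
XU Liujing (1989- ), female, works at the Information and Telecommunication Branch, State Grid Zhejiang Electric Power Co., Ltd. Her main research interests are signal and information technology and information technology management.
CHEN Xiaohua (1977- ), male, associate professor in the School of Information Engineering, Huzhou University. His main research interests are network resource allocation and security.
QI Weiqiang (1984- ), male, works at the Information and Telecommunication Branch, State Grid Zhejiang Electric Power Co., Ltd. His main research interests are network security and information operations and maintenance.
CHEN Ke (1988- ), male, works at the Information and Telecommunication Branch, State Grid Zhejiang Electric Power Co., Ltd. His main research interest is electric power information technology.
ZHU Tiantian (1992- ), male, Ph.D., lecturer at Zhejiang University of Technology. His main research interest is network security.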
Online publication date: 2020-06
Print publication date: 2020-06-20
Feng LIN, Liujing XU, Xiaohua CHEN, et al. Method of Webshell detection based on multi-view feature fusion[J]. Telecommunications Science, 2020, 36(6): 125-132. DOI: 10.11959/j.issn.1000-0801.2020158.
A Webshell is a malicious script file on the Web side. It is usually uploaded by an attacker to the target server to achieve illegal access control. Existing Webshell detection methods have many shortcomings, such as reliance on a single kind of network traffic behavior, signature comparison that is easily bypassed, and reliance on a single kind of regular-expression matching. To address these shortcomings, a Webshell detection method based on multi-view feature fusion is proposed for Webshells written in PHP. Firstly, multiple features are extracted, including lexical features, syntactic features, and abstract features. Secondly, the Fisher score is used to rank and filter the features by importance. Finally, a model that can effectively distinguish Webshells from normal scripts is built with SVM. In large-scale experiments in a real-world scenario, the model's final classification accuracy on Webshell and normal samples reached 92.1%.