Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (6): 143-154. doi: 10.11959/j.issn.2096-109x.2021103

• Academic Paper •

Webshell malicious traffic detection method based on multi-feature fusion

Yuan LI (李源), Yunpeng WANG (王运鹏), Tao LI (李涛), Baoqiang MA (马宝强)

  1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China
  • Revised: 2021-10-18 Online: 2021-12-01 Published: 2021-12-01
  • About the authors: Yuan LI (born 1997), male, from Guangyuan, Sichuan; master's student at Sichuan University; research interests: Web security, malicious traffic detection.
    Yunpeng WANG (born 1984), male, from Nanyang, Henan; lecturer at Sichuan University; research interests: cyber ranges, artificial immune systems, information security.
    Tao LI (born 1965), male, from Guang'an, Sichuan; professor and doctoral supervisor at Sichuan University; research interests: artificial immune systems, information security, network security, data security.
    Baoqiang MA (born 1997), male, from Handan, Hebei; master's student at Sichuan University; research interests: information security, vulnerability discovery.
  • Supported by:
    The National Key R&D Program of China (2020YFB1805400); The National Natural Science Foundation of China (U1736212); The National Natural Science Foundation of China (U19A2068); The National Natural Science Foundation of China (62002248); The National Natural Science Foundation of China (62032002); The China Postdoctoral Science Foundation (2019TQ0217); The China Postdoctoral Science Foundation (2020M673277); The Fundamental Research Funds for the Central Universities (YJ201933); The Provincial Key Research and Development Program of Sichuan (20ZDYF3145)

Abstract:

Webshell is the most common malicious backdoor program used to gain persistent control of Web application systems, and it poses a serious threat to the secure operation of Web servers. Most Webshell detection methods train on the data of the entire request packet; such methods recognize web-page-type Webshells poorly, and model training is inefficient. To address these problems, a Webshell malicious traffic detection method based on multi-feature fusion is proposed. The method takes three dimensions of information as its features: packet meta-information, packet payload content, and traffic access behavior. Combining domain knowledge, it extracts features from the request and response packets of a data flow along these three dimensions, then fuses the extracted features to form a discriminant model that can detect different attack types. Experimental results show that, compared with previous methods, the proposed method substantially improves precision in the binary classification of normal versus malicious traffic, reaching 99.25%; training and detection efficiency are also significantly improved, with training time and detection time reduced by 95.73% and 86.14% respectively.

Key words: multi-feature, feature fusion, Webshell detection, ensemble learning
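To make the three feature dimensions concrete, the following is an added illustration, not code from the paper: it extracts meta-information, payload-content and access-behaviour features from constructed HTTP request/response records, fuses them into one vector per record, and combines one weak learner per dimension by majority vote in the spirit of the ensemble approach named in the keywords. The feature definitions, token list, thresholds, sample addresses and sample records are all assumptions chosen for the demonstration; the paper's actual feature set and classifier are not shown on this page.

```python
"""Three-dimension feature extraction over HTTP records with a toy ensemble vote.

Added illustration, not the paper's code: feature definitions, thresholds and
sample records are assumptions mirroring the abstract's three dimensions
(packet meta-information, payload content, traffic access behaviour).
"""
import math
import re
from collections import defaultdict

# Hypothetical token list; a real detector would derive it from labelled data.
SUSPICIOUS_TOKENS = ("eval(", "base64_decode", "system(", "shell_exec", "passthru", "cmd=")


def shannon_entropy(data: str) -> float:
    """Bits per character; high values flag encoded or compressed payloads."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for ch in data:
        counts[ch] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def meta_features(r: dict) -> dict:
    """Dimension 1: packet meta-information (method, headers, sizes, status)."""
    return {
        "is_post": 1.0 if r["method"] == "POST" else 0.0,
        "req_header_count": float(len(r["req_headers"])),
        "has_user_agent": 1.0 if "User-Agent" in r["req_headers"] else 0.0,
        "req_body_len": float(len(r["req_body"])),
        "status": float(r["status"]),
        "resp_body_len": float(len(r["resp_body"])),
    }


def payload_features(r: dict) -> dict:
    """Dimension 2: content of the request body and the response body."""
    body = r["req_body"]
    return {
        "req_entropy": shannon_entropy(body),
        "suspicious_tokens": float(sum(body.lower().count(t) for t in SUSPICIOUS_TOKENS)),
        "long_b64_runs": float(len(re.findall(r"[A-Za-z0-9+/]{32,}={0,2}", body))),
        "resp_non_html": 0.0 if "<html" in r["resp_body"].lower() else 1.0,
    }


def behaviour_features(records: list) -> dict:
    """Dimension 3: access behaviour per (source, URI) flow, keyed by record index."""
    by_flow, uris_by_src = defaultdict(list), defaultdict(set)
    for i, r in enumerate(records):
        by_flow[(r["src"], r["uri"])].append(i)
        uris_by_src[r["src"]].add(r["uri"])
    out = {}
    for (src, _uri), idxs in by_flow.items():
        posts = sum(1 for i in idxs if records[i]["method"] == "POST")
        feats = {
            "flow_requests": float(len(idxs)),
            "flow_post_ratio": posts / len(idxs),
            "src_distinct_uris": float(len(uris_by_src[src])),
        }
        for i in idxs:
            out[i] = feats
    return out


def fused_vector(records: list, i: int, behaviour: dict) -> dict:
    """Feature fusion: concatenate the three dimensions into one vector per record."""
    fused = {}
    fused.update(meta_features(records[i]))
    fused.update(payload_features(records[i]))
    fused.update(behaviour[i])
    return fused


# One weak learner per dimension; thresholds are illustrative, not learned.
def meta_vote(f: dict) -> int:
    return int(f["is_post"] == 1.0 and f["has_user_agent"] == 0.0 and f["req_body_len"] > 0)


def payload_vote(f: dict) -> int:
    return int(f["suspicious_tokens"] >= 1 or (f["req_entropy"] > 5.0 and f["long_b64_runs"] >= 1))


def behaviour_vote(f: dict) -> int:
    return int(f["flow_requests"] >= 3 and f["flow_post_ratio"] >= 0.8 and f["src_distinct_uris"] <= 2)


def classify(records: list) -> list:
    """Majority vote of the three learners over the fused vector of each record."""
    behaviour = behaviour_features(records)
    labels = []
    for i in range(len(records)):
        f = fused_vector(records, i, behaviour)
        votes = meta_vote(f) + payload_vote(f) + behaviour_vote(f)
        labels.append("malicious" if votes >= 2 else "normal")
    return labels


def rec(src, method, uri, headers, req_body, status, resp_body):
    return {"src": src, "method": method, "uri": uri, "req_headers": headers,
            "req_body": req_body, "status": status, "resp_body": resp_body}


# Constructed sample capture: one browsing session plus repeated POSTs to one script.
UA = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Accept": "text/html"}
NO_UA = {"Host": "www.example.com", "Content-Type": "application/x-www-form-urlencoded"}
HTML = "<html><body>Welcome</body></html>"
SAMPLE_RECORDS = [
    rec("10.0.0.5", "GET", "/index.html", UA, "", 200, HTML),
    rec("10.0.0.5", "GET", "/about.html", UA, "", 200, HTML),
    rec("10.0.0.5", "POST", "/login", UA, "username=alice&password=s3cret", 302, ""),
    rec("198.51.100.7", "POST", "/uploads/img.php", NO_UA, "cmd=id", 200, "uid=33(www-data)\n"),
    rec("198.51.100.7", "POST", "/uploads/img.php", NO_UA, "cmd=uname", 200, "Linux\n"),
    rec("198.51.100.7", "POST", "/uploads/img.php", NO_UA, "cmd=pwd", 200, "/var/www/html\n"),
]
```

Running `classify(SAMPLE_RECORDS)` labels the three browsing records normal and the three repeated POSTs malicious. The point of the fusion is visible in the votes: the payload learner alone would miss an encoded body with no known token, and the meta learner alone fires on any headerless POST, but the behaviour learner only fires when one source hammers one URI with POSTs, so the three dimensions cover each other's blind spots. The behaviour dimension is computed over the whole capture rather than per packet, which is also why a detector of this shape must see flows, not isolated requests.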
