网络与信息安全学报 (Chinese Journal of Network and Information Security) ›› 2022, Vol. 8 ›› Issue (4): 119-130. doi: 10.11959/j.issn.2096-109x.2022055

• Academic paper •

Encrypted and obfuscated WebShell detection for high-speed network traffic

Yihuai CAO 1, Wei CHEN 1, Fan ZHANG 2, Lifa WU 1

  1 School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  2 School of Mathematics and Computer Science, Wuhan Polytechnic University, Wuhan 430048, China
  • Revised: 2022-01-07  Online: 2022-08-15  Published: 2022-08-01
  • Author biographies:
    Yihuai CAO (born 1996), male, from Huanggang, Hubei; master's student at Nanjing University of Posts and Telecommunications; main research interests: Web security, attack and defense techniques, and traffic analysis.
    Wei CHEN (born 1979), male, from Huai'an, Jiangsu; professor at Nanjing University of Posts and Telecommunications; main research interests: wireless network security and mobile Internet security.
    Fan ZHANG (born 1977), male, from Dangyang, Hubei; associate professor at Wuhan Polytechnic University; main research interests: information system security, trusted computing, and machine learning and security.
    Lifa WU (born 1968), male, from Qichun, Hubei; professor and doctoral supervisor at Nanjing University of Posts and Telecommunications; main research interests: network protocol reverse engineering, software vulnerability discovery and reverse engineering, and intrusion detection.
  • Supported by:
    The National Key R&D Program of China (2019YFB2101704); the Natural Science Foundation of Hubei Province (2020CFB761)

Abstract (translated from the Chinese abstract):

WebShell is a common Web script intrusion tool. As traffic encryption, code obfuscation and similar techniques have developed, detection methods that match traditional text-content features and network-flow features have become increasingly unable to defend against complex WebShell attacks in production environments, and their detection of adversarial samples, variant samples and 0-day vulnerability samples in particular is unsatisfactory. A network collection environment was built, network packets were captured in a high-speed network using the Data Plane Development Kit (DPDK), and a labelled dataset was produced consisting of more than 10,000 malicious WebShell flows spanning different platforms, languages, tools and encryption/obfuscation methods, together with more than 30,000 normal flows. An asynchronous traffic analysis framework and a lightweight log collection component were used to parse the raw traffic quickly, and expert knowledge was combined with in-depth analysis of the HTTP packets exchanged by several popular WebShell management tools to construct an effective feature set for encrypted and obfuscated WebShell traffic. Based on this feature set, a support vector machine (SVM) was used for offline training and online detection of encrypted and obfuscated malicious WebShell traffic. In addition, a genetic algorithm was used to improve the hyperparameter search, overcoming the drawbacks of setting parameter ranges by hand from experience and of grid search becoming trapped in local optima, which also improved model training efficiency. Experimental results on the self-built WebShell attack traffic dataset show that, while maintaining detection efficiency, the model achieves a precision of 97.21% and a recall of 98.01%, and it performs well in comparative experiments against adversarial WebShell attacks. The results indicate that the proposed method can significantly reduce the risk of WebShell attacks, effectively supplement existing security monitoring systems, and be deployed and applied in real network environments.

Keywords: WebShell, DPDK, traffic analysis, anomaly detection

Abstract (English version as published):

With the gradual development of traffic encryption and text obfuscation technologies, it is increasingly difficult to prevent complicated and malicious WebShell attack events in production environments using traditional detection methods based on text content and network flow features, especially for adversarial samples, variant samples and 0Day vulnerability samples. With the established network traffic collection environment, DPDK technology was used to capture network traffic in the high-speed network environment, and a labelled dataset was built. The dataset consisted of more than 24,000 normal traffic flows and more than 10,000 malicious WebShell traffic flows under different platforms, different languages, different tools, and different encryption and obfuscation methods. Then an asynchronous traffic analysis system framework and lightweight log collection components were used to efficiently parse raw traffic. Expert knowledge was integrated to analyze HTTP data packets during the communication process of several popular WebShell management tools, and the effective feature set for encrypted and obfuscated WebShell traffic was obtained. The Support Vector Machine (SVM) algorithm was used to realize offline training and online detection of complicated WebShell malicious traffic based on the effective feature set. Meanwhile, improving the parameter search method with a genetic algorithm further improved model training efficiency. The experimental results showed that detection efficiency can be guaranteed on the self-built WebShell attack traffic dataset. Besides, the detection model has a precision rate of 97.21% and a recall rate of 98.01%, and it performed well in the comparative experiments of adversarial WebShell attacks. It can be concluded from the results that the proposed method can significantly reduce the risk of WebShell attack, effectively supplement the existing security monitoring system, and be applied in real network environments.

Key words: WebShell, DPDK, traffic analysis, anomaly detection
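As an added illustration (not code from the paper, whose feature set is not given on this page), the following Python computes a few content features of an HTTP POST body that separate an encrypted WebShell manager's request from an ordinary form post, the kind of signal the expert analysis of management-tool traffic described above is meant to capture. The feature names, thresholds and sample bodies are constructed assumptions for this example only.

```python
import base64
import hashlib
import math
from collections import Counter

# Base64 alphabet plus '=' padding: opaque encrypted payloads are usually carried this way.
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def shannon_entropy(text: str) -> float:
    """Bits per character: plain form fields sit around 4, base64 of ciphertext near 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(body: str) -> dict:
    """Hypothetical per-request features (an assumption; the paper's feature set is not on this page)."""
    values = [p.partition("=")[2] for p in body.split("&") if p]
    length = max(len(body), 1)
    return {
        "length": len(body),
        "entropy": shannon_entropy(body),
        "b64_ratio": sum(ch in B64_ALPHABET for ch in body) / length,
        "param_count": len(values),
        "max_value_fraction": max((len(v) for v in values), default=0) / length,
    }


def looks_like_encrypted_shell(features: dict) -> bool:
    """Illustrative hand-set thresholds; the paper learns the boundary with an SVM instead."""
    return (features["entropy"] >= 5.0
            and features["b64_ratio"] >= 0.95
            and features["max_value_fraction"] >= 0.8)


# Constructed sample bodies (not taken from the paper's dataset).
NORMAL_FORM_BODY = "username=alice&password=Secret123&remember=on&submit=Login"
# One parameter holding an opaque blob: deterministic pseudo-random bytes stand in for ciphertext.
_blob = b"".join(hashlib.sha256(f"sample-{i}".encode()).digest() for i in range(4))
ENCRYPTED_BODY = "c=" + base64.b64encode(_blob).decode()

if __name__ == "__main__":
    for name, body in (("normal form", NORMAL_FORM_BODY), ("encrypted shell", ENCRYPTED_BODY)):
        f = extract_features(body)
        print(f"{name:16s} entropy={f['entropy']:.2f} b64={f['b64_ratio']:.2f} "
              f"maxval={f['max_value_fraction']:.2f} flagged={looks_like_encrypted_shell(f)}")
```

In a real deployment these values would be one row of the feature vector fed to the classifier, not a rule on their own; the thresholds here only show which direction each feature moves.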
