基于多特征融合的Webshell恶意流量检测方法

doi:10.11959/j.issn.2096-109x.2021103

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (6): 143-154.doi: 10.11959/j.issn.2096-109x.2021103

基于多特征融合的Webshell恶意流量检测方法

李源, 王运鹏, 李涛, 马宝强

四川大学网络空间安全学院，四川成都 610065

修回日期:2021-10-18 出版日期:2021-12-15 发布日期:2021-12-01
作者简介:李源（1997− ），男，四川广元人，四川大学硕士生，主要研究方向为Web安全、恶意流量检测
王运鹏（1984− ），男，河南南阳人，四川大学讲师，主要研究方向为网络靶场、人工免疫、信息安全
李涛（1965− ），男，四川广安人，四川大学教授、博士生导师，主要研究方向为人工免疫、信息安全、网络安全、数据安全
马宝强（1997− ），男，河北邯郸人，四川大学硕士生，主要研究方向为信息安全、漏洞挖掘
基金资助:
国家重点研发计划(2020YFB1805400);国家自然科学基金(U1736212);国家自然科学基金(U19A2068);国家自然科学基金(62002248);国家自然科学基金(62032002);中国博士后科学基金(2019TQ0217);中国博士后科学基金(2020M673277);中央高校基本科研业务经费(YJ201933);四川省重点研发(20ZDYF3145)

Webshell malicious traffic detection method based on multi-feature fusion

Yuan LI, Yunpeng WANG, Tao LI, Baoqiang MA

School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China

Revised:2021-10-18 Online:2021-12-15 Published:2021-12-01
Supported by:
The National Key R＆D Program of China(2020YFB1805400);The National Natural Science Foundation of China(U1736212);The National Natural Science Foundation of China(U19A2068);The National Natural Science Foundation of China(62002248);The National Natural Science Foundation of China(62032002);The China Postdoctoral Science Foundation(2019TQ0217);The China Postdoctoral Science Foundation(2020M673277);The Fundamental Research Funds for the Central Universities(YJ201933);The Provincial Key Research and Development Program of Sichuan(20ZDYF3145)

摘要/Abstract

摘要：

Webshell是针对Web应用系统进行持久化控制的最常用恶意后门程序，对Web服务器安全运行造成巨大威胁。对于 Webshell 检测的方法大多通过对整个请求包数据进行训练，该方法对网页型 Webshell 识别效果较差，且模型训练效率较低。针对上述问题，提出了一种基于多特征融合的Webshell恶意流量检测方法，该方法以Webshell的数据包元信息、数据包载荷内容以及流量访问行为3个维度信息为特征，结合领域知识，从3个不同维度对数据流中的请求和响应包进行特征提取；并对提取特征进行信息融合，形成可以在不同攻击类型进行检测的判别模型。实验结果表明，与以往研究方法相比，所提方法在正常、恶意流量的二分类上精确率得到较大提升，可达99.25%；训练效率和检测效率也得到了显著提升，训练时间和检测时间分别下降95.73%和86.14%。

关键词: 多特征, 特征融合, Webshell检测, 集成学习

Abstract:

Webshell is the most common malicious backdoor program for persistent control of Web application systems, which poses a huge threat to the safe operation of Web servers.For most Webshell detection method based on the request packet data for training, the method for web-based Webshell recognition effect is poorer, and the model of training efficiency is low.In response to the above problems, a Webshell malicious traffic detection method based on multi-feature fusion was proposed.The method was characterized by the three dimensions of Webshell packet meta information, packet payload content and traffic access behavior.Combining domain knowledge, feature extraction of request and response packets in the data stream.Transformed into feature extraction information for information fusion, forming a discriminant model that could detect different types of attacks.Compared with the previous research method, the accuracy rate of the method here in the two classification of normal and malicious traffic has been improved to 99.25%.The training efficiency and detection efficiency have also been significantly improved, and the training time and detection time have been reduced by 95.73% and 86.14%.

Key words: multi-feature, feature fusion, Webshell detection, ensemble learning

中图分类号:

TP393

李源, 王运鹏, 李涛, 马宝强. 基于多特征融合的Webshell恶意流量检测方法[J]. 网络与信息安全学报, 2021, 7(6): 143-154.

Yuan LI, Yunpeng WANG, Tao LI, Baoqiang MA. Webshell malicious traffic detection method based on multi-feature fusion[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 143-154.

图/表 14

图1

图2

表1

图3

图4

表2

图5

表3

图6

图7

图8

图9

图10

图11

参考文献 19

[1]	2019中国主机安全服务报告[R].
	2019 China Host Security Service Report[R].
[2]	W3Techs W3Techs.Usage of server-side programming languages for websites[EB]. 2020.
[3]	戴桦, 李景, 卢新岱 ,等. 智能检测Webshell的机器学习算法[J]. 网络与信息安全学报, 2017,3(4): 51-57.
	DAI H , LI J , LU X D ,et al. Machine learning algorithm for intelligent detection of Webshell[J]. Chinese Journal of Network and Information Security, 2017,3(4): 51-57.
[4]	XU M K , CHEN X , HU Y . Design of software to search ASP Web shell[J]. Procedia Engineering, 2012,29: 123-127.
[5]	AI Z , LUKTARHAN N , ZHAO Y X ,et al. WS-LSMR:malicious WebShell detection algorithm based on ensemble learning[J]. IEEE Access, 2020,8: 75785-75797.
[6]	崔艳鹏, 史科杏, 胡建伟 . 基于XGBoost算法的Webshell检测方法研究[J]. 计算机科学, 2018,45(S1): 375-379.
	CUI Y P , SHI K X , HU J W . Research of webshell detection method based on XGBoost algorithm[J]. Computer Science, 2018,45(S1): 375-379.
[7]	LI T T , REN C H , FU Y S ,et al. Webshell detection based on the word attention mechanism[J]. IEEE Access, 2019,7: 185140-185147.
[8]	WU Y X , SUN Y Q , HUANG C ,et al. Session-based Webshell detection using machine learning in web logs[J]. Security and Communication Networks, 2019,2019: 1-11.
[9]	YANG W C , SUN B , CUI B J . A Webshell detection technology based on HTTP traffic analysis[M]// Innovative Mobile and Internet Services in Ubiquitous Computing. Cham： Springer International Publishing， 2018, 336-342.
[10]	ZHANG H , GUAN H C , YAN H B ,et al. Webshell traffic detection with character-level features based on deep learning[J]. IEEE Access, 2018,6: 75268-75277.
[11]	RODOFILE N , RADKE K , FOO E . Real-time and interactive attacks on DNP3 critical infrastructure using Scapy[R]. 2015.
[12]	BERNERS-LEE T , FIELDING R , MASINTER L . Uniform resource identifier (URI):generic syntax[R]. RFC Editor, 2005.
[13]	STAROV O , DAHSE J , AHMAD S S ,et al. No honor among thieves:a large-scale analysis of malicious Web shells[C]// Proceedings of the 25th International Conference on World Wide Web. 2016: 1021-1032.
[14]	BEAL M J , GHAHRAMANI Z , RASMUSSEN C E . The infinite hidden Markov model[C]// Advances in Neural Information Processing Systems. 2002: 577-584.
[15]	ZHANG J , LI Z Y , NAI K ,et al. DELR:a double-level ensemble learning method for unsupervised anomaly detection[J]. Knowledge-Based Systems, 2019,181: 104783.
[16]	GIACINTO G , ROLI F . An approach to the automatic design of multiple classifier systems[J]. Pattern Recognition Letters, 2001,22(1): 25-33.
[17]	Scikit-learn website[EB].
[18]	CHAWLA N V , BOWYER K W , HALL L O ,et al. SMOTE:synthetic minority over-sampling technique[J]. Journal of Artificial Intelligence Research, 2002,16: 321-357.
[19]	KRSTINI? D , BRAOVI? M , ?ERI? L . Multi-label classifier performance evaluation with confusion matrix[C]// Proceedings of Computer Science ＆ Information Technology. 2020: 1-14.

函数类型	行为描述	函数名
代码执行	将传入的字符串按照PHP代码执行	eval、assert、preg_replace、create_function、call_user_func、call_user_func_array、array_map
命令执行	将传入的字符串当作外部操作系统命令执行	exec、shell_exec、passthru、system、proc_open、popen
信息泄露	输出PHP版本、环境变量等相关信息	phpinfo、scandir
文件操作	对文件的添加、删除、新建等操作	copy、file_get_contents、file_put_contents、file、fopen、move_uploaded_file、readfile、rename、rmdir、unlink、include、require

	数据类型	数量	共计
	简单型Webshell	5 732
恶意流量	文件上传型Webshell	354	31 672
	网页型Webshell	25 586
正常流量	正常通信流量	45 585	45 585

方法	平均训练时间/s	平均检测时间/s
文献[9]方法	1914.351	363.743
文献[10]方法	13 068.012	12.891
本文方法	557.558	1.786

基于多特征融合的Webshell恶意流量检测方法

Webshell malicious traffic detection method based on multi-feature fusion

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 19

相关文章 5

Metrics

推荐阅读 0

[1]	朱宇航, 吉立新, 李英乐, 李海涛, 刘树新. 基于社团多特征融合嵌入表示的时序链路预测方法[J]. 网络与信息安全学报, 2023, 9(1): 67-82.
[2]	谢绒娜, 马铸鸿, 李宗俞, 田野. 基于卷积神经网络的加密流量分类方法[J]. 网络与信息安全学报, 2022, 8(6): 84-91.
[3]	卢翼翔, 耿光刚, 延志伟, 朱效民, 张新常. CAT-RFE：点击欺诈的集成检测框架[J]. 网络与信息安全学报, 2022, 8(5): 158-166.
[4]	江玉朝,吉立新,高超,李邵梅. 基于卷积神经网络的多尺度Logo检测算法[J]. 网络与信息安全学报, 2020, 6(2): 116-124.
[5]	戴桦,李景,卢新岱,孙歆. 智能检测WebShell的机器学习算法[J]. 网络与信息安全学报, 2017, 3(4): 51-57.