智能检测WebShell的机器学习算法

doi:10.11959/j.issn.2096-109x.2017.00126

Abstract

Abstract:

WebShell is a common tool for network intrusions,which has the characteristics of great harm and good concealment.The current detection method is relatively simple,and easy to be bypassed,so it is difficult to deal with complex and flexible WebShell.To solve these problems,a supervised machine learning algorithm was put forward to detect WebShell intelligently.By learning the features of existing WebShell and non-existing WebShell pages,the algorithm can make prediction of the unknown pages,and the flexibility and adaptability were both very good.Compared with the traditional WebShell detection methods,the experiment proves that the algorithm has higher detection efficiency and accuracy,and at the same time there is a certain probability to detect new types of WebShell.

Key words: WebShell detection, matrix decomposition, feature training

CLC Number:

TP309

Hua DAI,Jing LI,Xin-dai LU,Xin SUN. Machine learning algorithm for intelligent detection of WebShell[J]. Chinese Journal of Network and Information Security, 2017, 3(4): 51-57.

Figures/Tables 5

References 16

[1]	MENG Z , MEI R , ZHANG T ,et al. Research of Linux WebShell detection based on SVM classifier[J].Netinfo Security, 2014.
[2]	MINGKUN X , XI C , YAN H . Design of software to search ASP WebShell[J]. Procedia Engineering, 2012,29: 123-127.
[3]	叶飞, 龚俭, 杨望 . 基于支持向量机的 WebShell 黑盒检测[J]. 南京航空航天大学学报, 2015,47(6): 924-930.
	YE F , GONG J , YANG W . Black box detection of WebShell based on support vector machine[J]. Journal of Nanjing University of Aeronautics and Astronautics, 2015,47(6): 924-930.
[4]	胡建康, 徐震, 马多贺 ,等. 基于决策树的 WebShell 检测方法研究[J]. 网络新媒体技术, 2012(6): 15-19.
	HU J K , XU Z , MA D H ,et al. A decision tree based research on Webshell detection method[J]. Network and New Media Technology, 2012(6): 15-19.
[5]	马立军 . 基于行为监测的窃密型木马检测研究[J]. 广西民族大学学报, 2014,20(2): 70-74.
	MA L J . A behavior monitoring based theft Trojan detection[J]. Journal of Guangxi University for Nationalities, 2014,20(2): 70-74.
[6]	石刘洋, 方勇 . 基于 Web 日志的 Webshell 检测方法研究[J]. 信息安全研究, 2016(1).
	SHI L Y , FANG Y . Webshell detection method research based on Web log[J]. Information Security Research, 2016(1).
[7]	马艳发 . 基于WAF入侵检测和变异WebShell检测算法的Web安全研究[D]. 天津:天津理工大学, 2016.
	MA Y F . Web security research based on WAF intrusion detection and mutation WebShell detection algorithm[D]. Tianjin:Tianjin University of Technology, 2016.
[8]	DENG L Y , DONG L L , CHEN Y H ,et al. Lexical analysis for the WebShell attacks[C]// The International Symposium on Computer,Consumer and Control,IEEE Computer Society. 2016: 579-582.
[9]	MURPHY K P . Machine learning:a probabilistic perspective[M]. Massachusetts: MIT pressPress, 2012.
[10]	BISHOP C M . Pattern recognition[J]. Machine Learning, 2006,128.
[11]	HOU Y T , CHANG Y , CHEN T ,et al. Malicious Web content detection by machine learning[J]. Expert Systems with Applications, 2010,37(1): 55-60.
[12]	路永和, 李焰锋 . 改进TE-IDF算法的文本特征项权值计算方法[J]. 图书情报工作, 2013,57(3): 90-95.
	LU Y H , LI Y F . An improved TE-IDF algorithm for calculating the weight of text feature[J]. Library and Information Service, 2013,57(3): 90-95.
[13]	KHALID S , KHALIL T , NASREEN S . A survey of feature selection and feature extraction techniques in machine learning[C]// Science and Information. 2014: 372-378.
[14]	彭行雄, 肖如良, 张桂刚 . 基于自适应提升的概率矩阵分解算法[J]. 计算机应用, 2015,35(12): 3497-3501.
	PENG X X , XIAO R L , ZHANG G G . Probabilistic matrix factorization algorithm based on Ada Boost[J]. Computer Application, 2015,35(12): 3497-3501.
[15]	李航 . 统计学习方法[M]. 北京: 清华大学出版社, 2012.
	LI H . Statistical learning method[M]. Beijing: Tsinghua University PressPress, 2012.
[16]	SCHEIN A I , UNGAR L H . Active learning for logistic regression:an evaluation[J]. Machine Learning, 2004,68(3): 235-265.

Metrics

Recommended 0

No Suggested Reading articles found!

特征类型	特征描述
	单词数量
文本特征	不同单词的数量最大单词长度文本总长度注释数量
	特殊字符数量
其他特征	字符操作函数调用关键函数调用加解密函数调用系统函数调用文件调用
	ActiveX控件调用数据库调用
	脚本数量

实际结果	预测结果
实际结果	0	1
0	False Negative (FN)	False Positive (FP)
1	True Negative (TN)	True Positive (TP)

检测方法	RMSE
矩阵分解	0.211
Logistic	0.238
某安全产品	0.520

检测方法	准确率	召回率	F值
矩阵分解	0.982	0.813	0.890
Logistic	0.880	0.601	0.714
某安全产品	0.497	0.411	0.450

Machine learning algorithm for intelligent detection of WebShell

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 16

Related Articles 1

Metrics

Recommended 0