Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (6): 143-154.doi: 10.11959/j.issn.2096-109x.2021103

• Papers • Previous Articles    

Webshell malicious traffic detection method based on multi-feature fusion

Yuan LI, Yunpeng WANG, Tao LI, Baoqiang MA   

  1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China
  • Revised:2021-10-18 Online:2021-12-01 Published:2021-12-01
  • Supported by:
    The National Key R&D Program of China(2020YFB1805400);The National Natural Science Foundation of China(U1736212);The National Natural Science Foundation of China(U19A2068);The National Natural Science Foundation of China(62002248);The National Natural Science Foundation of China(62032002);The China Postdoctoral Science Foundation(2019TQ0217);The China Postdoctoral Science Foundation(2020M673277);The Fundamental Research Funds for the Central Universities(YJ201933);The Provincial Key Research and Development Program of Sichuan(20ZDYF3145)


Webshell is the most common malicious backdoor program for persistent control of Web application systems, which poses a huge threat to the safe operation of Web servers.For most Webshell detection method based on the request packet data for training, the method for web-based Webshell recognition effect is poorer, and the model of training efficiency is low.In response to the above problems, a Webshell malicious traffic detection method based on multi-feature fusion was proposed.The method was characterized by the three dimensions of Webshell packet meta information, packet payload content and traffic access behavior.Combining domain knowledge, feature extraction of request and response packets in the data stream.Transformed into feature extraction information for information fusion, forming a discriminant model that could detect different types of attacks.Compared with the previous research method, the accuracy rate of the method here in the two classification of normal and malicious traffic has been improved to 99.25%.The training efficiency and detection efficiency have also been significantly improved, and the training time and detection time have been reduced by 95.73% and 86.14%.

Key words: multi-feature, feature fusion, Webshell detection, ensemble learning

CLC Number: 

No Suggested Reading articles found!