一种基于多视角特征融合的Webshell检测方法

doi:10.11959/j.issn.1000-0801.2020158

电信科学 ›› 2020, Vol. 36 ›› Issue (6): 125-132.doi: 10.11959/j.issn.1000-0801.2020158

一种基于多视角特征融合的Webshell检测方法

林锋¹,徐柳婧²,陈晓华³,戚伟强²,陈可²,朱添田⁴

¹ 浙江经贸职业技术学院信息技术系，浙江杭州310018
² 国网浙江省电力有限公司信息通信分公司，浙江杭州 310007
³ 湖州师范学院信息工程学院，浙江湖州 313002
⁴ 浙江工业大学计算机科学与技术学院，浙江杭州 310023

修回日期:2020-05-15 出版日期:2020-06-20 发布日期:2020-06-18
作者简介:林锋（1979- ），男，浙江经贸职业技术学院信息技术系副教授，主要研究方向为网络安全|徐柳婧（1989- ），女，现就职于国网浙江省电力有限公司信息通信分公司，主要研究方向为信号与信息技术、信息技术管理|陈晓华（1977- ），男，湖州师范学院信息工程学院副教授，主要研究方向为网络资源分配与安全|戚伟强（1984- ），男，现就职于国网浙江省电力有限公司信息通信分公司，主要研究方向为网络安全和信息运维|陈可（1988- ），男，现就职于国网浙江省电力有限公司信息通信分公司，主要研究方向为电力信息技术|朱添田（1992- ），男，博士，浙江工业大学讲师，主要研究方向为网络安全
基金资助:
国家自然科学基金资助项目(61772026);国家自然科学基金资助项目(U1936215)

Method of Webshell detection based on multi-view feature fusion

Feng LIN¹,Liujing XU²,Xiaohua CHEN³,Weiqiang QI²,Ke CHEN²,Tiantian ZHU⁴

¹ Department of Science and Technology,Zhejiang Institute of Economics and Trade,Hangzhou 310018,China
² Information and Communications Branch,State Grid Zhejiang Electric Power Company,Hangzhou 310007,China
³ School of Information and Engineering,Huzhou Teachers College,Huzhou 313002,China
⁴ College of Computer Science and Technology,Zhejiang University of Technology,Hangzhou 310023,China

Revised:2020-05-15 Online:2020-06-20 Published:2020-06-18
Supported by:
The National Natural Science Foundation of China(61772026);The National Natural Science Foundation of China(U1936215)

摘要/Abstract

摘要：

Webshell是一种Web端的恶意脚本文件。它通常由攻击者上传至目标服务器来达成其非法的访问控制的目的。现有Webshell检测方法存在诸多不足，如单一的网络流量行为、简易被绕过的签名比对、单一的正则匹配等。针对上述不足之处，基于PHP语言的Webshell，提出了一种基于多视角特征融合的Webshell检测方法，首先，提取包括词法特征、句法特征、抽象特征在内的多种特征；其次，利用费舍尔评分对特征进行重要程度的排序与筛选；最后，通过 SVM 建立能有效区分 Webshell 和正常脚本的模型。在大规模的实验中，模型对Webshell和正常样本的最终分类精度达到了92.1%。

关键词: Webshell检测, 多视角特征融合, 特征选择与提取, 机器学习

Abstract:

Webshell is a malicious script file on the Web.It is usually uploaded by the attacker to the target server to achieve the purpose of illegal access control.In order to overcome the shortcoming of the existing Webshell detection methods,such as single network traffic behavior,simple by passed signature comparison,and easily bypassed signature comparison,a method of Webshell detection based on multi-view feature fusion for PHP Webshell detecting was proposed.Firstly,multiple features including lexical features,syntactic features,and abstract features were extracted.Secondly,fisher score was used to sort and filter all features according to the degree of importance.Finally,a model that can effectively distinguish Webshell from normal scripts was established through SVM.The large-scale experiment in real-world scenario shows that the final accuracy of our model can reach 92.1%.

Key words: Webshell detection, multi-view feature fusion, feature selection and filtering, machine learning

中图分类号:

TP309.5

林锋,徐柳婧,陈晓华,戚伟强,陈可,朱添田. 一种基于多视角特征融合的Webshell检测方法[J]. 电信科学, 2020, 36(6): 125-132.

Feng LIN,Liujing XU,Xiaohua CHEN,Weiqiang QI,Ke CHEN,Tiantian ZHU. Method of Webshell detection based on multi-view feature fusion[J]. Telecommunications Science, 2020, 36(6): 125-132.

图/表 7

图1

表1

图2

表2

图3

图4

表3

参考文献 28

[1]	Compromised web servers and web Shells[Z]. 2017.
[2]	YANG W , SUN B , CUI B . A Webshell detection technology based on http traffic analysis[C]// Proceedings of International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. Berlin:Springer, 2018.
[3]	赵运弢, 徐春雨, 薄波 ,等. 基于流量的 Webshell 行为分析与检测方法[J]. 网络安全技术与应用, 2018 (4): 8-9.
	ZHAO Y T , XU C Y , BAO B ,et al. Webshell behavior analysis and detection method based on traffic[J]. Network Security Technology and Application, 2018 (4): 8-9.
[4]	王应军 . 基于流量的 Webshell 通信识别[D]. 武汉:武汉大学, 2018.
	WANG Y J . Webshell communication recognition based on traffic[D]. Wuhan:Wuhan University, 2018.
[5]	TIAN Y , WANG J , ZHOU Z ,et al. CNN-Webshell:malicious Webshell detection with convolutional neural network[C]// Proceedings of the 2017 VI International Conference.[S.l.:s.n. ], 2017.
[6]	KIM J , YOO D H , JANG H ,et al. WebShark 1.0:a benchmark collection for malicious Webshell detection[J]. Journal of Information Processing Systems, 2015,11(2): 229-238.
[7]	TU D T , CHENG G , GUO X J , ,et al. Webshell detection techniques in Web applications[C]// Proceedings of International Conference on Computing,Communication and Networking Technologies (ICCCNT). Piscataway:IEEE Press, 2014.
[8]	HUANG Y W , TSAI C H , LIN T P ,et al. A testing framework for Web application security assessment[J]. Computer Networks, 2005,48(5): 739-761.
[9]	SOOEL S , VITALY S . Saferphp:finding semantic vulnerabilities in PHP applications[C]// Proceedings of ACM SIGPLAN Workshop on Programming Languages ＆ Analysis for Security. New York:ACM Press, 2011.
[10]	WASSERMANN G , SU Z . Sound and precise analysis of web applications for injection vulnerabilities[J]. ACM SIGPLAN Notices, 2007,42(6):32.
[11]	GARY W , SU Z D . Static detection of cross-site scripting vulnerabilities[C]// Proceedings of ACM/IEEE International Conference on Software Engineering. Piscataway:IEEE Press, 2008.
[12]	XIE Y , AIKEN A . Static detection of security vulnerabilities in scripting languages[J]. USENIX Security Symposium, 2006(15): 179-192.
[13]	EE M , LEE Y , YOON H . An enhanced rule-based web scanner based on similarity score[J]. Advances in Electrical and Computer Engineering, 2016,16(3): 9-14.
[14]	ANG X , WANG L , WEI G ,et al. Hidden web crawling for SQL injection detection[C]// Proceedings of IEEE International Conference on Broadband Network and Multimedia Technology (IC-BNMT). Piscataway:IEEE Press, 2010.
[15]	ALMGREN M , DEBAR H , DACIER M . A lightweight tool for detecting web server attacks[C]// Proceedings of ISOC Network and Distributed System Security Symposium.[S.l.:s.n]. 2000.
[16]	KRUEGEL C , VIGNA G . Anomaly detection of web-based attacks[C]// Proceedings of the 10th ACM Conference on Computer and Communications Security. New York:ACM Press, 2003: 251-261.
[17]	ROBERTSON W , VIGNA G , KRUEGEL C ,et al. Using generalization and characterization techniques in the anomaly-based detection of Web attacks[C]// Proceedings of ISOC Network and Distributed System Security Symposium.[S.l.:s.n. ], 2006.
[18]	KO C , RUSCHITZKA M , LECITTK . Execution monitoring of security-critical programs in distributed systems:A specification-based approach[C]// Proceedings of 1997 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 1997: 175-187.
[19]	PREM U , SEKAR R . Experiences with specification-based intrusion detection[C]// Proceedings of International Workshop on Recent Advances in Intrusion Detection. Berlin:Springer, 2001: 172-189.
[20]	HOSSAIN M N , MILAJERDI S M , WANG J ,et al. Sleuth:real-time attack scenario reconstruction from cots audit data[C]// Proceedings of 26th Security Symposium.[S.l.:s.n]. 2017: 487-504.
[21]	STAROV O , DAHSE J , AHMADS S ,et al. No honor among thieves:A large-scale analysis of malicious Webshells[C]// Proceedings of the 25th International Conference on World Wide Web.[S.l.:s.n]. 2016: 1021-1032.
[22]	CUI H , HUANG D , FANG Y ,et al. Webshell detection based on random forest–gradient boosting decision tree algorithm[C]// Proceedings of 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). Piscataway:IEEE Press, 2018: 153-160.
[23]	OHN T . JohnTroony’s php-Webshells repository[EB]. 2016.
[24]	IKICAT. Nikicat’s web-malware-collection repository[EB]. 2016.
[25]	Ennc’s Webshell Repository. Tennc’s Webshell repository[EB]. 2016.
[26]	HANG Z , LI M , ZHU L ,et al. Smart detect:a smart detection scheme for malicious Webshell codes via ensemble learning[C]// Proceedings of International Conference on Smart Computing and Communication. Berlin:Springer, 2018.
[27]	HAITIN. Webshell detector[EB]. 2018.
[28]	HU T , QU Z , XU H ,et al. Risk Cog:unobtrusive real-time user authentication on mobile devices in the wild[J]. IEEE Transactions on Mobile Computing, 2019,19(2): 466-483.

家族名字	有效个数/个
c99	152
r57	97
WSO	65
B374k	31
NST	24
NCC	19
Crystal	19

参数	数值
r_n	2.423
r_m	2.951
dc_mn	17.394

对比项	Webshell脚本	正常脚本
Webshell脚本	TP = 369	FN=38
正常脚本	FP=26	TN=381

一种基于多视角特征融合的Webshell检测方法

Method of Webshell detection based on multi-view feature fusion

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 28

相关文章 15

Metrics

推荐阅读 0

[1]	郭泽华, 朱昊文, 徐同文. 面向分布式机器学习的网络模态创新[J]. 电信科学, 2023, 39(6): 44-51.
[2]	刘雅琼, 吕哲, 赵亚飞, 寿国础. AI技术在卫星通信/互联网领域的应用综述[J]. 电信科学, 2023, 39(2): 10-24.
[3]	章坚武, 安彦军, 邓黄燕. DNS攻击检测与安全防护研究综述[J]. 电信科学, 2022, 38(9): 1-17.
[4]	周志超, 冯毅, 夏小涵, 冯瑜瑶, 蔡超, 邱佳慧, 杨立辉, 乌云霄. 基于移动蜂窝网的机器学习室外指纹定位方案[J]. 电信科学, 2021, 37(8): 85-95.
[5]	李想,李原,张子飞,杨哲. 基于密度聚类的网络性能故障大数据分析方法[J]. 电信科学, 2020, 36(9): 51-58.
[6]	肖子玉. 面向2030的未来网络关键技术综述——Beyond 5G[J]. 电信科学, 2020, 36(9): 114-121.
[7]	邱亚星,王希栋,边森,岳磊. 基于聚类分析和深度学习的多频多模网络负载均衡优化[J]. 电信科学, 2020, 36(7): 156-162.
[8]	欧阳晔,杨爱东,孟凡语. 一种博弈论辅助的机器学习算法检测用户流失行为[J]. 电信科学, 2020, 36(6): 79-89.
[9]	盛剑涛,陈茂飞,刘东鑫,汪来富,史国水,金华敏. 基于组合分类器的恶意域名检测技术[J]. 电信科学, 2020, 36(5): 47-55.
[10]	庞涛,丘海华,潘碧莹. 手机终端人工智能关键技术研究[J]. 电信科学, 2020, 36(5): 145-151.
[11]	钟其柱. 基于机器学习分析VoLTE视频通话质量的研究及应用[J]. 电信科学, 2020, 36(3): 156-165.
[12]	刘姿杉,程强,吕博. 面向机器学习的隐私保护关键技术研究综述[J]. 电信科学, 2020, 36(11): 18-27.
[13]	陈孝莲,秦奕,张杰,李亚杰,宋浩鲲,张会彬. 基于机器学习的光纤窃听检测方法[J]. 电信科学, 2020, 36(11): 61-67.
[14]	桂飞,程阳,李丹,洪思虹. 互联网智能路由架构及算法[J]. 电信科学, 2020, 36(10): 12-20.
[15]	李佳,丛犁,姜华,胡杨,徐梦. 基于DBN-Softmax的电力通信网络带宽预测[J]. 电信科学, 2020, 36(10): 153-158.