面向高速网络流量的加密混淆型WebShell检测

doi:10.11959/j.issn.2096-109x.2022055

Abstract

Abstract:

With the gradual development of traffic encryption and text obfuscation technologies, it is increasingly difficult to prevent complicated and malicious WebShell attack events in production environment using traditional detection methods based on text content and network flow features, especially for adversarial samples, variant samples and 0Day vulnerability samples.With the established network traffic collection environment, DPDK technology was used to capture network traffic in the high-speed network environment, and a dataset was marked with label.The dataset consisted of more than 24,000 normal traffic and more than 10,000 malicious WebShell traffic under different platforms, different languages, different tools, different encryption and obfuscation methods.Then Asynchronous traffic analysis system framework and lightweight log collection components were used to efficiently parse raw traffic.Expert knowledge was integrated to analyze HTTP data packets during the communication process of several popular WebShell management tools, and the effective feature set for encrypted and obfuscation WebShell was obtained.Support Vector Machine (SVM) algorithm was used to realize offline training and online detection of complicated WebShell malicious traffic based on the effective feature set.Meanwhile, improving the parameter search method with the genetic algorithm promoted the model training efficiency furthermore.The experimental results showed that the detection efficiency can be guaranteed based on the self-built WebShell attack traffic dataset.Besides, the detection model has a precision rate of 97.21% and a recall rate of 98.01%, and it performed well in the comparative experiments of adversarial WebShell attacks.It can be concluded from the results that the proposed method can significantly reduce the risk of WebShell attack, effectively supplement the existing security monitoring system, and be applied in real network environments.

Key words: WebShell, DPDK, traffic analysis, abnormal detection

CLC Number:

TP393

Yihuai CAO, Wei CHEN, Fan ZHANG, Lifa WU. Encrypted and obfuscation WebShell detection for high-speed network traffic[J]. Chinese Journal of Network and Information Security, 2022, 8(4): 119-130.

Figures/Tables 17

References 17

[1]	国家互联网应急响应中心. 2020 年我国互联网网络安全态势综述[EB].
	CNCERT/CC. Overview of China’s Internet security posture in 2020[EB].
[2]	BEHRENS S , HAGEN B . Web shell detection using NeoPI[EB].
[3]	石刘洋, 方勇 . 基于Web日志的Webshell检测方法研究[J]. 信息安全研究, 2016,2(1): 66-73.
	SHI L Y , FANG Y . Research on Webshell detection method based on Web log[J]. Journalof Information Security Research, 2016,(1): 66-73.
[4]	YANG C H , SHEN C H . Implement web attack detection engine with snort by using modsecurity core rules[C]// Fourth the E-Learning and Information Technology Symposium (EITS 09). 2009.
[5]	宋明璐 . 基于主动学习的CNN Webshell检测[D]. 北京：北京交通大学, 2021.
	SONG M L . CNN Webshell detection based on active learning[D]. Beijing:Beijing Jiaotong University, 2021.
[6]	龙啸, 方勇, 黄诚 ,等. Webshell 研究综述:检测与逃逸之间的博弈[J]. 网络空间安全, 2018,9(1): 62-68.
	LONG X , FANG Y , HUANG C ,et al. Webshell research review:the confrontation between detection and escape[J]. Cyber Security, 2018,9(1): 62-68.
[7]	STAROV O , DAHSE J , AHMAD S S ,et al. No honor among thieves:A large-scale analysis of malicious web shells[C]// Proceedings of the 25th International Conference on World Wide Web. 2016: 1021-1032.
[8]	赵运弢, 徐春雨, 薄波 ,等. 基于流量的WebShell行为分析与检测方法[J]. 网络安全技术与应用, 2018,18(4): 8-9.
	ZHAO Y T , XU C Y , BAO B ,et al. WebShell behavior analysis and detection method based on traffic[J]. Network Security Technology＆Application, 2018,18(4): 8-9.
[9]	HAAS S , SOMMER R , FISCHER M . Zeek-osquery:host-network correlation for advanced monitoring and intrusion detection[C]// IFIP International Conference on ICT Systems Security and Privacy Protection. Springer,Cham, 2020: 248-262.
[10]	SANJAPPA S , AHMED M . Analysis of logs by using logstash[C]// Proceedings of the 5th International Conference on Frontiers in Intelligent Computing:Theory and Applications. Springer,Singapore, 2017: 579-585.
[11]	CHEN L , LIU J , XIAN M ,et al. Docker container log collection and analysis system based on ELK[C]// 2020 International Conference on Computer Information and Big Data Applications (CIBDA). IEEE, 2020: 317-320.
[12]	HARREMO?S P , TOPSOE F . Inequalities between entropy and index of coincidence derived from information diagrams[J]. IEEE Transactions on Information Theory, 2001,47(7): 2944-2960.
[13]	曾理, 叶晓舟, 王玲芳 . DPDK 技术应用研究综述[J]. 网络新媒体技术, 2020,9(2): 1-8.
	ZENG L , YE X Z , WANG L F . Summary of DPDK Technology Application Research[J]. Journal of Network New Media, 2020,9(2): 1-8.
[14]	刘奕, 李建华, 张一瑫 ,等. 基于特征属性信息熵的网络异常流量检测方法[J]. 信息网络安全, 2021,21(2): 78-86.
	LIU Y , LI J H , ZHANG Y T ,et al. Network abnormal traffic detec-tion method based on characteristic attribute information entropy[J]. Netinfo Security, 2021,21(2): 78-86.
[15]	HESTERMAN J Y , CAUCCI L , KUPINSKI M A ,et al. Maximumlikelihood Estimation With a Contracting-grid Search Algorithm[J]. IEEE Transactions on Nuclear Science, 2010,57(3): 1077-1084.
[16]	SHARAFALDIN I , LASHKARI A H , GHORBANI A A . Toward generating a new intrusion detection dataset and intrusion traffic characterization[C]// International Conference on Information Systems Security ＆ Privacy (ICISSP). 2018: 108-116.
[17]	WU Y , SUN Y , HUANG C ,et al. Session-based webshell detection using machine learning in web logs[J]. Security and Communication Networks,2019, 2019.

Metrics

Recommended 0

No Suggested Reading articles found!

WebShell 工具	特征混淆	编码混淆
	增加若干HTTP Header和Body Data信息	BASE64
AntSword	使用随机英文单词作为参数名	CHR
	在HTTP Body中增加垃圾数据	CHR13
	使用multipart格式进行数据传输	ROT13
Behinder	增加若干HTTP Header信息	AES_BASE64
	在HTTP Body增加若干leftData和rightData	XOR_BASE64
Godzilla	增加若干自定义的HTTP Header信息	无

特征类别	特征名称
基于文本	1) URL特征；
的特征	2) 请求流量中是否有referer字段；
	3) 请求流量中COOKIE个数；
	4) 请求和返回流量中HTTP首部字段个数；
	5) POST BODY长度；
	6) POST BODY参数个数；
	7) POST BODY是否是特殊编码方式
基于统计	1) POST BODY信息熵；
的特征	2) RESPONSE BODY非数字字母的比率；
	3) POST BODY最长参数长度占总长度比率；
	4) POST BODY重合指数

分类	实际异常	实际正常
预测异常	TP	FP
预测正常	FN	TN

特征工程	精确率	召回率	F1分数
本文方法	97.45%	98.91%	98.17%
CICFlowMeter	84.13%	79.52%	81.76%

实验组别	模型名称	训练集	测试集	精确率	召回率	F1分数
第一部分	SVM	Dataset A	Dataset A	97.57%	99.15%	98.35%
	HMM	Dataset A	Dataset A	89.79%	79.46%	84.31%
第二部分	SVM	Dataset A	Dataset B	49.20%	41.89%	45.25%
	SVM	Dataset B	Dataset B	98.74%	96.22%	97.46%
第三部分	SVM	Dataset A+B	Dataset C	97.21%	98.01%	97.61%

Encrypted and obfuscation WebShell detection for high-speed network traffic

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 17

Related Articles 7

Metrics

Recommended 0

模型名称	文件大小	流量条数	运行时间
SVM	1.4 MB	53条	4.23 s
	88.3 MB	596条	43.57 s

WebShell文件类型	是否混淆加密	FRF-WD	SVM
一句话	否	●	●
小马	否	●	●
大马	否	●	●
	否	●	●
蚁剑	是	○	●
冰蝎	是	○	●
哥斯拉	是	○	●
注：●代表能够检测出 WebShell攻击，○代表不能检测出 WebShell攻击。

[1]	ANTONG P, Wen CHEN, Lifa WU. IoT intrusion detection method for unbalanced samples [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 130-139.
[2]	Yuan LI, Yunpeng WANG, Tao LI, Baoqiang MA. Webshell malicious traffic detection method based on multi-feature fusion [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 143-154.
[3]	Yingjun ZHANG,Ushangqi LI,Mu YANG,Haixia ZHANG,Kezhen HUANG. Survey on anomaly detection technology based on logs [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 1-12.
[4]	Jinhui TENG,Yan GUANG,Hui SHU,Bing ZHANG. Automatic detection method of software upgrade vulnerability based on network traffic analysis [J]. Chinese Journal of Network and Information Security, 2020, 6(1): 94-108.
[5]	Jie DU,Yongzhong HE,Ye DU. Improved method of Tor network flow watermarks based on IPD interval [J]. Chinese Journal of Network and Information Security, 2019, 5(4): 91-98.
[6]	Hua DAI,Jing LI,Xin-dai LU,Xin SUN. Machine learning algorithm for intelligent detection of WebShell [J]. Chinese Journal of Network and Information Security, 2017, 3(4): 51-57.
[7]	Hong-cheng LI,Xiao-ping WU,Hong-hai JIANG. Traffic anomaly detection method in networks based on improved clustering algorithm [J]. Chinese Journal of Network and Information Security, 2015, 1(1): 66-71.