
Obfuscated And Encrypted WebShell Traffic Detection Based On Improved CNN

Posted on: 2023-04-25  Degree: Master  Type: Thesis
Country: China  Candidate: Y H Cao  Full Text: PDF
GTID: 2568306836976779  Subject: Software engineering

Abstract/Summary:
WebShell is a common web script intrusion tool, and online service sites in all walks of life still face severe WebShell attacks. In academia, WebShell detection research focuses mainly on the text content of files and the content of traffic packets. In industry, enterprises rely mainly on security device alarms for external WebShell attacks to build an in-depth security protection system. In both settings, mainstream WebShell detection focuses on content detection while ignoring the characteristics of WebShell traffic that can be mined from the perspective of abnormal behavior. To address this, this thesis proposes a detection method for the content and behavior characteristics of obfuscated and encrypted WebShells.

First, the current public datasets for WebShell detection almost all consist of malicious file samples and lack WebShell communication traffic. Based on the current state of red-blue confrontation and the usage habits of WebShell management tools, this thesis collects extensive and comprehensive WebShell communication traffic in different environments. A set of encrypted and obfuscated WebShell malicious traffic is labelled to verify the validity and timeliness of the detection model.

Second, this thesis implements an improved SVM detection model with abnormal behavior as the core detection point. The core of this process is to combine expert knowledge to analyze the content and behavior characteristics of WebShell management tool attacks in traffic packets. So that the model can find and respond to WebShell attack events in time while maintaining a good hit rate, this thesis optimizes the detection model for algorithmic complexity. The experimental results show that the improved SVM detection model maintains a good hit rate; compared with other models, its detection efficiency does not decrease significantly, and it can identify potential WebShell threats that other methods cannot detect. However, the experiments also show that the improved SVM detection model has a false positive rate of more than 6%.

Finally, to address the high false alarm rate of the SVM model, which leads to additional security operation costs, this thesis implements an offline CNN detection model for WebShell traffic built around a two-layer network and global pooling. The two-layer network addresses the sparsity of the sample data feature matrix. To let the model cover and adapt to the context of different attack behaviors, convolution kernels of different sizes are used to capture more feature sets. To avoid the overfitting that kernels of different sizes can cause, the convolution outputs are merged first and then global pooling is applied, which reduces the number of features in the fully connected layer. The experimental results show that the improved CNN model reduces the false positive rate on WebShell malicious traffic to about 2%, with accuracy (ACC) of about 98%. Compared with the improved SVM model, the false positive rate is significantly reduced, which effectively lowers the extra cost enterprises must pay when detecting risk events.
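The following is an added illustration, not the thesis's code, of the "merge several kernel widths, then global-pool" layout the abstract describes: it shows why the fully connected layer sees a fixed number of features regardless of request length. Kernel widths, filter count, embedding size, the random stand-in weights and the two sample bodies are all assumptions made here.

```python
import random

KERNEL_WIDTHS = (3, 5, 7)   # assumed: several widths to cover short and long request context
N_FILTERS = 8               # assumed number of filters per width
EMBED_DIM = 4               # assumed byte-embedding size

def make_weights(seed: int = 7):
    """Deterministic stand-in for trained weights (constructed, not learned):
    a byte-embedding table and N_FILTERS kernels for each width."""
    rng = random.Random(seed)
    table = [[rng.uniform(-1, 1) for _ in range(EMBED_DIM)] for _ in range(256)]
    kernels = {
        w: [[[rng.uniform(-1, 1) for _ in range(EMBED_DIM)] for _ in range(w)]
            for _ in range(N_FILTERS)]
        for w in KERNEL_WIDTHS
    }
    return table, kernels

def conv1d(x: list, kernel: list) -> list:
    """Valid 1-D convolution of one kernel over the embedded sequence, with ReLU."""
    w = len(kernel)
    out = []
    for i in range(len(x) - w + 1):
        s = sum(kernel[j][c] * x[i + j][c] for j in range(w) for c in range(EMBED_DIM))
        out.append(max(0.0, s))
    return out

def merged_global_pool(body: bytes, weights) -> tuple:
    """Run every kernel width over the HTTP body, merge the feature maps, then
    global-max-pool each map. Returns (pooled vector, feature count before pooling).
    Bodies shorter than the widest kernel are zero-padded so every map is non-empty."""
    table, kernels = weights
    body = body.ljust(max(KERNEL_WIDTHS), b"\x00")
    x = [table[b] for b in body]
    pooled, unpooled = [], 0
    for w in KERNEL_WIDTHS:
        for k in kernels[w]:
            fmap = conv1d(x, k)
            unpooled += len(fmap)      # what a flatten-then-dense layer would have to consume
            pooled.append(max(fmap))   # one value per filter, independent of body length
    return pooled, unpooled

# Constructed sample bodies (not captured tool traffic): a short plain one and a
# longer one carrying a base64-looking blob, as an obfuscated payload might.
SHORT_BODY = b"q=hello"
LONG_BODY = b"pass=" + b"QUFBQUFBQUFBQUFB" * 6

if __name__ == "__main__":
    W = make_weights()
    for body in (SHORT_BODY, LONG_BODY):
        pooled, unpooled = merged_global_pool(body, W)
        print(len(body), "bytes ->", unpooled, "features unpooled,", len(pooled), "pooled")
```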
Keywords/Search Tags: WebShell, SVM, CNN, anomaly detection, traffic analysis