Research And Implementation Of WebShell Detection Method Based On Deep Learning

Network technology has two sides.On the one hand,it promotes the development of social economy,on the other hand,it brings about network security problems.Since the Cybersecurity Law of the People’s Republic of China came into force in June 2017,the domestic network environment has been greatly improved,but the international network environment is complex,and transnational cyber-attacks emerge in endlessly.WebShell is a tool most commonly used by hackers,and it has the characteristics of strong stealth and great harm.Researchers have conducted some research on WebShell detection methods,but the models proposed in existing studies have shortcomings such as low overall performance,poor applicability,insufficient feature extraction,and dependence on intermediate codes.In order to overcome the above shortcomings,this paper first studies the sample pre-processing strategy,and then designs and implements two deep learning-based WebShell detection models.Experiments show that the proposed method has the advantages of strong applicability and high detection performance.Specifically,the research contributions mainly include three aspects:(1)Study the sample pre-processing strategy to enhance the performance and applicability of model detection.This paper extracts features directly from the source code,alleviating the shortcomings of existing methods that rely on OPCODE or bytecodes that are strongly related to programming languages.At the source code level,the sample cleaning strategy,sample de-obfuscation method,sample word segmentation method,sample padding method and sample vectorization method are studied.It is verified by experiments that the optimized pre-processing strategy can improve the performance of the subsequent design method.(2)A WebShell detection method based on Bi-GRU with attention mechanism is designed and implemented.This method can extract features from the front and back of the sample in both directions,which overcomes the problem of poor model performance caused by single-direction feature extraction in existing research.First,execute the pre-processing strategy in the sample,and further use the Word2 Vec pre-training model to convert the sample into a vector.The vector is input to the Bi-GRU neural network to extract contextual features in both directions,and the attention mechanism is further used to screen favorable information,and finally the fully connected network is used to complete WebShell detection.Experimental results show that the optimized method achieves 99.40%,99.23% and 99.68% accuracy on PHP,JSP and ASPX\ASP sample data sets respectively.(3)On the basis of the method proposed in(2),a WebShell detection method combining multiple types of features is designed and implemented.By fusing static features,abstract local features and abstract context features,the detection performance of the model is further improved.This method extracts nine kinds of static features from the source code,and then completes three types of feature fusion by connecting the static feature fusion network,convolutional neural network and Bi-GRU network,and finally uses the fully connected network to complete WebShell detection.After careful structure and parameter optimization,the accuracy,precision and recall of this method on PHP datasets are 99.68%,99.60% and 98.80%,respectively,and the overall performance is better than the baseline model.