
Flow Based Webshell Detection Framework

Posted on: 2019-05-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Wang
Full Text: PDF
GTID: 2428330545986902
Subject: Computer system architecture

Abstract/Summary:
The "China's website situation analysis security report 2017" released by 360 pointed out that four fifths of 79.4 thousand websites were found to have vulnerabilities. A Webshell is generally used as the attacker's first step in a post-infiltration attack. The attacker uses vulnerabilities of the website (such as SQL injection, file upload, etc.) to write and upload Webshell files to the website directory. After that, the attacker uses the Webshell files to perform intranet sniffing and privilege escalation attacks on the target. If the Webshell file or the Webshell communication behavior can be identified quickly and effectively, further attacks can be prevented.

At present, domestic security protection products such as Security Dog, D Shield and Cloud Lock focus on Webshell file identification, and their identification algorithms are based on character recognition methods. However, the code of Webshells written in different languages is completely different, and there are also many variants of the same Webshell file within one language. An attacker can easily bypass this type of protection software by deforming the code of the Webshell file. How to identify Webshells effectively is a problem that urgently needs a solution.

Besides recognizing files, Webshell detection can also identify Webshell communications. To make a Webshell work, the attacker must access the Webshell file, and doing so inevitably generates Webshell communication data. This paper focuses on how to identify a Webshell from communication data and block the attacker's access to it. The specific work is as follows:

(1) Researched Webshell communication principles and related features. This paper analyzes the principle of Webshell code execution and the characteristics of the communication data produced by common Webshell client tools when they communicate with a Webshell.

(2) Designed a traffic-based Webshell detection scheme. The characteristics of Webshell communication are comprehensively summarized. Based on this, the parameter names and parameter values in the HTTP request are used as features, and machine learning algorithms are used for detection.

(3) Verified and evaluated the traffic-based Webshell detection scheme. A reasonably designed experiment demonstrates the effectiveness of the traffic-based Webshell detection scheme and shows that unknown Webshells can also be detected, which meets the design requirements.
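The scheme in item (2), sketched as an added example that is not code from the thesis: parameter names and values of a request body are turned into a small feature vector and classified by nearest centroid. The abstract names neither the concrete features nor the learning algorithm, so the four features, the classifier and every sample request below are assumptions made for illustration.

```python
import math
from collections import Counter
from urllib.parse import parse_qsl

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s).values()
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts)

def features(body):
    """Vector built from the parameter names and values of one request."""
    params = parse_qsl(body, keep_blank_values=True)
    names = [k for k, _ in params] or [""]
    longest = max((v for _, v in params), key=len, default="")
    symbols = sum(not (ch.isalnum() or ch.isspace()) for ch in longest)
    return [
        min(sum(map(len, names)) / len(names), 10) / 10,  # mean name length
        math.log1p(len(longest)) / 10,                    # size of longest value
        entropy(longest) / 8,                             # entropy of that value
        symbols / max(len(longest), 1),                   # punctuation ratio
    ]

def train(samples):
    """Nearest-centroid model: one mean feature vector per label."""
    rows = {}
    for body, label in samples:
        rows.setdefault(label, []).append(features(body))
    return {lab: [sum(c) / len(c) for c in zip(*r)] for lab, r in rows.items()}

def classify(model, body):
    """Return the label whose centroid is closest to this request."""
    x = features(body)
    return min(model, key=lambda lab: math.dist(x, model[lab]))

# Constructed samples, not data from the thesis. The "webshell" bodies carry
# harmless script text as a stand-in for the code a Webshell client posts.
TRAIN = [
    ("username=alice&password=hunter2&remember=1", "normal"),
    ("q=flow+based+detection&page=2&sort=date", "normal"),
    ("title=Hello&content=This+is+my+first+post&category=news", "normal"),
    ("z=echo%28strrev%28%22abc%22%29%29%3Bexit%28%29%3B", "webshell"),
    ("x=print%28strlen%28%24_POST%5B%22k%22%5D%29%29%3B", "webshell"),
]
MODEL = train(TRAIN)

if __name__ == "__main__":
    for body in ("email=bob%40example.com&newsletter=on",
                 "a=print%28md5%28%221%22%29%29%3Bdie%28%29%3B"):
        print(classify(MODEL, body), body)
```

Because the features describe the shape of names and values rather than specific strings, the last request is flagged although its text appears nowhere in the training set.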
Keywords/Search Tags:Web Security, Webshell Flow Detection, Penetration Testing, Machine Learning