
Research And Implementation Of Webshell Detection System Based On File And Behavior Characteristics

Posted on: 2020-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: T T Zhao
GTID: 2428330572472263
Subject: Information security
Abstract/Summary:
With the rapid development of Internet technology, Web application systems provide more and more services and are widely used in all walks of life, and their security problems have become increasingly prominent. After successfully attacking a Web system, for example through SQL injection or file upload vulnerabilities, attackers often upload Webshells to achieve long-term control of servers. Studying how to detect Webshells effectively is therefore of great significance for protecting Web systems.

This paper mainly studies Webshell detection methods. By analyzing the advantages and disadvantages of current detection methods, it proposes a static detection method and a dynamic detection method based on file and behavior characteristics. Static detection adopts a BP neural network detection model optimized by an improved genetic algorithm, and dynamic detection uses a Hook mechanism to monitor the system in real time. Finally, a Webshell detection system is designed on top of the two methods to ensure the security of Web sites. The main work of this paper is as follows:

1. By studying the properties and functions of Webshell files, and aiming at the problems of single feature extraction and poor coverage in current detection methods, multi-dimensional features are extracted at two levels: the attributes of the file and the operation attributes of the file. Experimental comparison shows that the extracted features improve the detection rate of the classification algorithm.

2. By studying static Webshell detection, and aiming at the weak generalization ability of traditional machine learning classifiers in complex non-linear environments, a Webshell detection method based on a BP neural network is proposed. A genetic algorithm is used to initialize the weights and thresholds of the BP neural network to improve the global search ability of the algorithm. At the same time, an improved roulette selection operator based on sorting is proposed to improve the quality of the population, and thus the detection performance of the model.

3. By studying the behavior characteristics of Webshells, and aiming at the drawbacks of relying on a single detection method, a dynamic detection scheme based on the Hook mechanism is proposed. The sensitive functions invoked by a Webshell at runtime are hooked, and malicious behavior is judged by combining taint marking and tracing with a blacklist and whitelist mechanism, protecting the system in real time.

4. The Webshell detection system is implemented and tested. The two detection methods are applied in the system, which provides both scanning and detection of specific files and real-time protection of the Web system. Finally, the detection performance and functions of the system are tested. The tests show that the detection scheme in this paper can effectively improve the detection rate of Webshells and plays a protective role for the system.
Keywords/Search Tags:WebShell detection, BP neural network, genetic algorithm, hook
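
As an added illustration of the dynamic scheme in item 3 (this is not code from the thesis), the Python model below hooks a sensitive function, carries a taint mark on request input, and judges each call against a blacklist and whitelist. The names `Tainted`, `judge`, `hook`, `run_command` and `attempt`, the list contents, and the rule order (lists first, then taint) are all assumptions, since the abstract does not state how the thesis combines them.

```python
ALLOWLIST = {"/var/www/admin/backup.php"}  # constructed: scripts trusted to call sinks
DENYLIST = {"/var/www/uploads/img.php"}    # constructed: scripts already known to be bad
EVENTS = []                                # audit trail of every hooked call


class Tainted(str):
    """A str marked as request input; the mark survives + concatenation only."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def judge(script, args):
    """Return (verdict, reason) for one call to a sensitive function."""
    if script in DENYLIST:
        return "block", "script on denylist"
    if script in ALLOWLIST:
        return "allow", "script on allowlist"
    if any(isinstance(a, Tainted) for a in args):
        return "block", "request data reached a sensitive function"
    return "allow", "no tainted argument"


def hook(func):
    """Wrap a sensitive function so each call is logged and judged before it runs."""
    def wrapper(script, *args):
        verdict, reason = judge(script, args)
        EVENTS.append((func.__name__, script, verdict, reason))
        if verdict == "block":
            raise PermissionError(f"{func.__name__} from {script}: {reason}")
        return func(*args)
    return wrapper


@hook
def run_command(cmd):
    return f"ran: {cmd}"  # stand-in sink (hypothetical): nothing is executed


def attempt(script, cmd):
    try:
        run_command(script, cmd)
        return "allow"
    except PermissionError:
        return "block"


def demo():
    param = Tainted("id")  # constructed request parameter
    return [attempt("/var/www/index.php", "uptime"),
            attempt("/var/www/index.php", "sh -c " + param),
            attempt("/var/www/admin/backup.php", "tar cf " + param)]

if __name__ == "__main__":
    print(demo())
```

The third call is allowed only because the calling script is on the whitelist, which shows why list entries need the same scrutiny as the taint rule itself.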