
Research Of WebShell Detection Based On HTTP Traffic

Posted on: 2020-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: H C Guan
GTID: 2428330572473644
Subject: Computer Science and Technology

Abstract/Summary:
A WebShell is a backdoor based on Web services. An attacker can attack a web server through a WebShell tool such as "China Chopper." Network-based detection can monitor request and response traffic, discover anomalous behavior, and detect the existence of a WebShell. Some machine learning and deep learning methods have been applied in this field. However, current methods cannot detect unknown WebShell attack behavior, and the detection speed of existing research models needs to be improved.

To solve these problems, this paper proposes a WebShell traffic detection system based on request-packet and response-packet traffic. It constructs a framework for detecting WebShell attacks based on HTTP traffic. The framework uses both HTTP request traffic and response traffic to identify attacks: it can identify WebShell attack traffic and judge whether the attack succeeded. It carries out traffic data analysis, data processing, model training and prediction with only a small amount of manual intervention, and it can be applied to actual traffic detection scenarios.

The paper proposes a character-level transformation method for traffic content features, which makes full use of the request field information in HTTP traffic messages. It proposes a model architecture based on CNN and LSTM, which removes the dependence on prior information and expert knowledge and is superior to other models on various detection indicators. It also proposes a method for extracting content and structure features from response traffic, and verifies the rationality of this feature extraction method by experiment. The paper uses the deep learning detection model and an XGBoost model to judge whether a WebShell attack is successful. The experimental results show that the proposed model has a more significant detection effect than other machine learning models.
Keywords/Search Tags: WebShell, Traffic Detection, Deep Learning, Machine Learning