
Anomalous HTTP Traffic Detection And Backdoor Identification In Web Applications

Posted on: 2020-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Luo
GTID: 2428330575964572
Subject: Information security
Abstract/Summary:

Because of their high availability and convenience, web applications have become the main provider of many information services. While the rapid growth of web applications has brought convenience, service data and user information have become targets for profit-seeking criminals. Protecting these services and ensuring the stable operation of the network and systems has become a problem that service providers and security companies have to solve. Intrusion detection performs real-time detection of network attack behavior through active bypass analysis while the service is running, and it has become one of the main protection methods for current web applications. The widely used misuse detection technology cannot meet the performance requirements of high-bandwidth traffic environments, and as attack modes grow richer, the difficulty of maintaining the rules also increases dramatically. Applying machine learning algorithms to anomaly detection has the advantage of identifying unknown attacks, and it is becoming part of many security solutions. The research in this dissertation addresses two problems in web applications: abnormal HTTP request traffic detection and Webshell sample identification. The specific work is as follows:

1. Because of whitelists and incompletely defined rules, the rule matching method can only label the abnormal training data accurately. This dissertation uses the PU Learning method to detect abnormal HTTP requests. To solve the performance bottleneck of traffic packet collection in a high-bandwidth network environment, a bypass data acquisition module based on DPDK is designed to realize zero-copy data capture. In the performance test, DPDK can capture the full amount of packets in a 10G bandwidth environment. The anomaly detection process optimizes the sample selection step of the two-stage PU learning method through the ensemble algorithm called Bagging, and selects high-confidence normal HTTP request data to train the model. Experiments on real scene data show that the PU learning method can effectively improve the detection performance for abnormal HTTP requests. The detection recall of this method is 99.47%, and the F1 score of the model is increased by 3.9% compared with direct training without sample selection.

2. The word segmentation used by traditional models has two problems: high dimensionality and the inability to handle words outside the bag of words. A character-level Webshell identification model based on deep learning is designed in this dissertation. The model accepts the character encoding sequence of a Webshell sample as input, learns local word-level features through the convolution layers, and extracts long-sequence context association features from the recurrent layer. To express the high-contribution features, an attention mechanism is applied to optimize the feature weights and obtain a more accurate sample representation. The model achieves good detection results without input preprocessing. The detection recall for Webshell samples is 98.86%, and the overall detection accuracy is 98.4%.
Keywords/Search Tags:Web Anomaly Detection, HTTP Request, DPDK, PU Learning, Webshell, Deep Learning