
Research Of Webshell Detection Method Based On LSTM

Posted on: 2021-01-02
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhou
GTID: 2428330629951049
Subject: Communication and Information System
Abstract/Summary:
The Internet is developing rapidly, so server security is crucial. A Webshell is a network backdoor that an attacker implants on a server through server vulnerabilities and then uses to attack the server and steal data. At present, Webshell detection methods in industry and academia fall into rule matching and machine learning. Rule-based detection is simple to implement, but its missed-report and false-alarm rates are poor. Conventional machine learning methods, such as support vector machines, gradient boosting decision trees, multi-layer perceptrons, random forests, and others, are more complex than rule-based matching, but because they do not extract deep features they are not effective against Webshells that use escape techniques. These methods also mostly detect a Webshell after it has invaded the server, that is, post-intrusion detection. In addition, the false-alarm rate and the missed-report rate are always in tension: when the false-alarm rate is high the missed-report rate is low, and when the false-alarm rate is low the missed-report rate is high. Therefore, this paper proposes a detection method based on rule matching and deep learning, and a new performance metric, BFMC. The deep learning detection method combines LSTM with Transformer: the Transformer further extracts features from different LSTM output vectors. With a unidirectional LSTM, the Transformer uses the LSTM output vectors in two different ways. One is MLT, in which the input of the Transformer is the final output vectors of each LSTM in the LSTM layers. The other is MLST, in which the input of the Transformer is all output vectors of each LSTM in the LSTM layers. BFMC evaluates a model by combining the false-alarm rate, the missed-report rate, and the degree of convergence of the model. The experimental results and analysis show that the deep learning detection method is clearly superior to the conventional machine learning methods, with MLST the best, followed by MLT. However, the performance gaps among the several deep learning methods in this paper are not obvious. When these methods are assessed with BFMC, the same results are obtained, but there is a clear gap between the different methods.
Keywords/Search Tags: Webshell Detection, LSTM, Transformer, Deep Learning, Predetection