Research And Application Of Webshell Detection Method Based On Deep Learning

Posted on: 2020-04-10
Degree: Master
Type: Thesis
Country: China
Candidate: K Y Qiao
GTID: 2438330575974879
Subject: Engineering
Abstract/Summary:
Today, with the wide application of AI and big data and the gradual commercialization of 5G, traditional decentralized network attacks have become easy to detect. Attackers have shifted to targeted attacks in the form of the advanced persistent threat, that is, the APT attack. Before launching the attack, the attacker collects precise information about the business processes and target systems of the victim and looks for zero-day vulnerabilities to exploit. After gaining system privileges, attackers usually leave behind a backdoor program for emergencies. A Webshell is a backdoor program based on a Web site. As an important part of an APT attack, it is also a common attack method. As the harm caused by backdoor programs has grown, more and more domestic and foreign scholars and major security companies have studied them. However, most of this research focuses on the penetration stage and does not take into account that a Webshell remains a means of control after the system is compromised. The research methods also construct feature values and use machine learning methods for identification, which cannot take into account the high-dimensional non-linear features of Webshells. This paper designs solutions for these two shortcomings. The work of this paper is as follows:

(1) This paper compares Webshell detection methods from three perspectives, summarizes their different application areas, makes a statistical analysis of the features of Webshells, and summarizes the advantages of the method used in this paper in identifying obfuscated code.

(2) This paper handles Webshells with natural language processing techniques. By analyzing the characteristics of Webshell bytecode, a bytecode corpus is constructed and a Word2vec word vector file is generated.

(3) A multi-convolutional neural network detection method based on inverse weight is proposed. This method not only effectively solves the problems that traditional methods are time-consuming and that machine learning methods depend on feature selection, but also combines context and reduces the sparsity of features to effectively identify malicious Webshell files. The experimental comparison shows that the methods adopted in this paper achieve good results in accuracy, recall, F1-score and AUC, which further verifies the correctness of the model.

(4) Based on the characteristics of offline detection and the control process after system compromise, this paper proposes an incremental verification system based on a Merkle tree, which can detect suspicious Webshell samples efficiently.

The content of this paper has important academic significance and practical value for further research on and classification of Webshells.
Keywords/Search Tags:APT, Webshell, Natural Language Processing, Convolutional Neural Network, Merkle-tree