
Research On Webshell Traffic Detection Technology Based On Deep Learning

Posted on: 2021-11-02
Degree: Master
Type: Thesis
Country: China
Candidate: H K Yu
GTID: 2518306308475244
Subject: Information security

Abstract/Summary:
A Webshell is a backdoor in the form of a script (asp, jsp, php and so on) that is used to compromise and control servers, and it carries illegitimate execution permissions. Webshell detection on the network side has attracted much attention because it allows early detection and early response. At present, detection on the network side mainly monitors network traffic and then applies black-box methods such as deep learning. However, problems remain, such as unstable detection performance and poor interpretability.

This thesis proposes a new deep learning Webshell detection framework, which not only improves the accuracy and recall of Webshell detection but can also indicate the basis for its decision, that is, the value of the Webshell payload to the model's discrimination. Finally, a Webshell communication traffic detection and positioning system is established.

This thesis proposes a new refined detection model for Webshell communication traffic. The model uses customized feature extraction modules for the different forms that the different parts of a Webshell take in HTTP traffic. To handle the variable size and form of the Webshell attack payload, the deep learning feature extraction part uses a network of multiple parallel convolution units that can extract multiple features for detection more flexibly. Because the network has multiple convolution units of different sizes extracting features in parallel, it can extract Webshell features at various scales. The model effectively solves the problem that the feature extraction networks of previous deep learning Webshell detection models are too simple, and it improves the accuracy, recall rate, and stability of Webshell communication traffic detection.

To address the shortcomings of existing models that use deep learning for Webshell detection, this thesis proposes a network structure with a classification head and a regression head. The classification head is responsible for detecting Webshell communication traffic, while the regression head is responsible for positioning the Webshell payload, so that the model can not only accurately detect whether communication traffic is Webshell traffic but also recover the basis of the model's decision, which provides good interpretability for the model's Webshell discrimination.

This thesis builds an integrated Webshell communication traffic detection and location system. The system covers the entire process in a real environment, from traffic collection and analysis to Webshell detection using deep learning. The Refined Detection Model for Webshell and the Webshell Payload Positioning Model proposed in this thesis serve as the core detection and positioning models in the real environment.
Keywords/Search Tags: Webshell, Deep learning, Traffic detection, Payload locate