WebShell Detection And Research Based On HTTP Protocol

Posted on: 2022-09-25
Degree: Master
Type: Thesis
Country: China
Candidate: S T Wang
Full Text: PDF
GTID: 2518306341982409
Subject: Information security
Abstract/Summary:
A WebShell is a Web-site-based backdoor. After implanting the backdoor, the attacker can launch attacks through specific management tools, direct access, or other means, causing serious harm to the website. Existing detection methods such as machine learning have been applied to WebShell detection, but their effectiveness across different kinds of WebShell needs to be improved. At the same time, existing traffic-based inspection methods have studied whether WebShell attacks succeed, but their detection accuracy is low, and they do not study the attack behavior in successful traffic once an attack has been recognized, so the WebShell cannot be completely eliminated. To solve these problems, this thesis builds WebShell detection methods for HTTP request traffic and for HTTP response traffic respectively, and studies the behavior of successful WebShell attacks.

This thesis proposes a WebShell request traffic detection method. We separate the traffic of the current mainstream one-word WebShell from that of the large WebShell. We study the features of the one-word WebShell and put forward a rule-based detection method to improve detection accuracy. For the large WebShell, a machine-learning-based detection method is proposed that slices traffic fields and extracts features from multiple perspectives such as statistics, structure and content. An XGBoost model was constructed through feature study for detection and was compared with other models. The experimental results show that the model performs significantly well on evaluation metrics such as accuracy, recall and F1.

This thesis proposes a WebShell response traffic detection method. Building on the request traffic, the response traffic characteristics of the one-word class are studied, and a rule-based detection method is constructed to determine whether the attack succeeded. For the large WebShell, a comprehensive detection method based on character matching and machine learning is proposed. The functional and output character features of each type of large WebShell were studied and extracted, and feature optimization and improvement from the content dimension were proposed for the existing machine learning models, effectively addressing the low detection accuracy of the existing single model.

This thesis proposes a research scheme for WebShell attack behavior. For successful WebShell attacks, this thesis proposes a semi-automated attack behavior research process, and proposes schemes for the two core tasks in that process: full traffic filtering and extraction of behavior-related key traffic. The importance of each filtering scheme is evaluated using experimental data from simulated attacks. The data extracted from the key traffic is then studied to determine the specific attack behavior, so that the relevant vulnerabilities can be repaired.
Keywords/Search Tags:WebShell, Traffic Detection, Character Match, Machine Learning, Behavioral Research