
Research On WebShell Attack Analysis And Detection Methods

Posted on: 2024-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Chang
GTID: 2568307079454814
Subject: Information and Communication Engineering

Abstract/Summary:
WebShell is a command execution environment written in a scripting language, and it is also one of the network attack tools most commonly used by hackers. After successfully invading the target website, the attacker can obtain control of the server through the WebShell and carry out continuous attacks, which poses a huge threat to the security of the website and of user information. How to detect WebShells quickly and effectively has therefore become an important research topic in the field of information security. In the face of constantly emerging new types of WebShell, existing WebShell detection methods have many deficiencies. Feature-based detection methods cannot effectively detect unknown and encrypted WebShells, while traditional machine learning detection methods suffer from problems such as single-feature extraction and weak generalization ability. To address these challenges, this thesis proposes a method for detecting multiple types of WebShell by representing WebShell features from both a multidimensional text feature perspective and a code image perspective, and then combining them with machine learning methods. The main work and innovations of this thesis are as follows:

(1) A WebShell detection model based on multidimensional feature fusion. So that the selected features characterize both common and cryptographically obfuscated WebShells, this thesis analyzes the attack methods of two types of WebShell, PHP and JSP, extracts WebShell features from three aspects (operational attributes, statistical attributes, and bytecode attributes), and then constructs multiple feature vectors. Then, in order to balance the contribution of different features to the model, a multilayer perceptron network with a branching structure is constructed to process the different types of feature vectors separately during training, so as to extract richer and more complex feature representations from the different features. The experimental results show that the model proposed in this thesis has a good detection effect on PHP and JSP type WebShells.

(2) A WebShell detection model based on code images. Drawing upon malware visualization techniques, this thesis proposes a method of converting WebShell code to grayscale images, thereby transforming the text classification problem into an image classification problem. In contrast to the textual features of WebShells, WebShell code images reflect the overall distribution characteristics of the code in addition to its semantics. Furthermore, the WebShell code image generation approach proposed in this thesis is language-agnostic, making it suitable for various types of WebShell such as PHP, JSP, and ASP, with high generalization capability. For the code image classification problem, an improved deep residual network model is constructed in this thesis. On the one hand, through optimization with a hybrid attention mechanism, the model focuses more on the key, highly discriminative regions of the feature images and learns a more accurate basis for classification; on the other hand, the spatial pyramid pooling module lets the network capture the spatial information of feature maps at different scales, reduces the network parameters to some extent, and reduces the training time. The experimental results show that WebShell detection is well achieved through code images, and also demonstrate that the Mcs_SPP_ResNet model constructed in this thesis has excellent detection performance on PHP, JSP, ASP and ASPX type data sets.
Keywords/Search Tags:WebShell, Multilayer perceptron, residual networks, attention mechanisms, code images
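
The code-to-image conversion described in contribution (2), as an added example that is not taken from the thesis: each byte of a script becomes one grayscale pixel, so the same function handles PHP, JSP and ASP source. The row width of 32, the zero padding, the nearest-neighbour resize and the benign sample snippets are assumptions made here; the abstract does not give the thesis's own parameters.

```python
import math

def code_to_image(data: bytes, width: int = 32) -> list:
    """Lay the raw bytes out row by row; each byte is one pixel (0-255)."""
    if width <= 0:
        raise ValueError("width must be positive")
    height = max(1, math.ceil(len(data) / width))
    padded = data.ljust(width * height, b"\x00")  # assumption: zero padding
    return [list(padded[r * width:(r + 1) * width]) for r in range(height)]

def resize_nearest(img: list, size: int) -> list:
    """Resample to size x size so files of any length give one input shape."""
    h, w = len(img), len(img[0])
    return [[img[r * h // size][c * w // size] for c in range(size)]
            for r in range(size)]

def to_pgm(img: list) -> bytes:
    """Serialize as binary PGM (P5), viewable in common image tools."""
    h, w = len(img), len(img[0])
    return b"P5\n%d %d\n255\n" % (w, h) + bytes(p for row in img for p in row)

# Constructed, benign snippets standing in for corpus files (assumption).
SAMPLES = {
    "hello.php": b"<?php echo htmlspecialchars($_GET['name'] ?? 'world'); ?>\n" * 20,
    "hello.jsp": b'<%@ page contentType="text/html" %>\n<p>Hello</p>\n' * 5,
    "hello.asp": b'<% Response.Write(Server.HTMLEncode("hi")) %>\n' * 40,
}

def featurize(data: bytes, width: int = 32, size: int = 16) -> list:
    """Script bytes -> fixed-size grayscale matrix for an image classifier."""
    return resize_nearest(code_to_image(data, width), size)

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        raw = code_to_image(src)
        fixed = featurize(src)
        print(f"{name}: {len(src)} bytes -> {len(raw)}x{len(raw[0])} "
              f"-> {len(fixed)}x{len(fixed[0])}, PGM {len(to_pgm(fixed))} bytes")
```

Because the mapping works on bytes rather than tokens, no per-language parser is needed, which is the language-agnostic property the abstract claims for the code-image approach.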