Abstract
A Webshell is a backdoor program that runs on a web service. Through a Webshell, an attacker obtains administrative privileges over the web service and can thereby penetrate and control the web application. Because a Webshell has almost the same characteristics as an ordinary web page, it can evade detection by traditional firewalls and antivirus software. Moreover, as various anti-detection techniques for obfuscating and hiding characteristic features are applied to Webshells, traditional detection based on signature matching struggles to detect new variants in time. This paper discusses the characteristics and mechanism of Webshells, analyzes their obfuscation and hiding techniques, identifies their important features, and proposes and implements a detection model based on decision trees. The model is a supervised machine learning system that learns from prior web page samples and can effectively detect variant Webshells, making up for the shortcomings of traditional detection methods based on feature matching. Combined with Boosting, an ensemble learning method, the stability of the model is further enhanced and its classification accuracy is improved.
Source
Network New Media Technology (《网络新媒体技术》)
2012, Issue 6, pp. 15-19 (5 pages)
Funding
Research on the Sea-Cloud Information Security System (海云信息安全体系研究)
Grant No. XDA06010701