Abstract
A Webshell is a command execution environment in the form of a web file such as ASP, PHP or JSP, used for remote access control of web servers. Webshells are often obfuscated and encrypted, which increases the difficulty of analysis and detection. Existing Webshell detection methods based on feature-value matching cannot effectively counter obfuscation and encryption, nor can they detect unknown Webshells. Therefore, a Webshell detection method based on a CNN is proposed. The method first compiles PHP files to obtain opcodes, then uses a vocabulary model to extract word-order features from the opcode sequences, and finally trains a CNN detection model on the extracted feature vectors. Experimental results show that the precision, recall and F1 score of this method are better than those of traditional machine learning algorithms, and that its detection rate is higher than that of existing security tools, which demonstrates the effectiveness of the proposed method.
Authors
FU Jianming (傅建明); LI Lin (黎琳); WANG Yingjun (王应军)
School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; Key Laboratory of Aerospace Information Security and Trusted Computing, Wuhan University, Wuhan 430072, China
Source
Journal of Zhengzhou University (Natural Science Edition) (《郑州大学学报(理学版)》), 2019, No. 2, pp. 1-8 (8 pages)
Indexed in: CAS; Peking University Core Journal (北大核心)
Funding
National Natural Science Foundation of China (61373168, U1636107)
Open project of the Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences