网络与信息安全学报 (Aug 2022)
Encrypted and obfuscation WebShell detection for high-speed network traffic
Abstract
With the gradual development of traffic encryption and text obfuscation technologies, it is increasingly difficult to prevent complicated and malicious WebShell attack events in production environment using traditional detection methods based on text content and network flow features, especially for adversarial samples, variant samples and 0Day vulnerability samples.With the established network traffic collection environment, DPDK technology was used to capture network traffic in the high-speed network environment, and a dataset was marked with label.The dataset consisted of more than 24,000 normal traffic and more than 10,000 malicious WebShell traffic under different platforms, different languages, different tools, different encryption and obfuscation methods.Then Asynchronous traffic analysis system framework and lightweight log collection components were used to efficiently parse raw traffic.Expert knowledge was integrated to analyze HTTP data packets during the communication process of several popular WebShell management tools, and the effective feature set for encrypted and obfuscation WebShell was obtained.Support Vector Machine (SVM) algorithm was used to realize offline training and online detection of complicated WebShell malicious traffic based on the effective feature set.Meanwhile, improving the parameter search method with the genetic algorithm promoted the model training efficiency furthermore.The experimental results showed that the detection efficiency can be guaranteed based on the self-built WebShell attack traffic dataset.Besides, the detection model has a precision rate of 97.21% and a recall rate of 98.01%, and it performed well in the comparative experiments of adversarial WebShell attacks.It can be concluded from the results that the proposed method can significantly reduce the risk of WebShell attack, effectively supplement the existing security monitoring system, and be applied in real network environments.