网络与信息安全学报 (Dec 2021)

Webshell malicious traffic detection method based on multi-feature fusion

  • LI Yuan, WANG Yunpeng, LI Tao, MA Baoqiang

DOI
https://doi.org/10.11959/j.issn.2096−109x.2021103
Journal volume & issue
Vol. 7, no. 6
pp. 143 – 154

Abstract

Read online

Webshell is the most common malicious backdoor program for persistent control of Web application systems, which poses a huge threat to the safe operation of Web servers. For most Webshell detection method based on the request packet data for training, the method for web-based Webshell recognition effect is poorer, and the model of training efficiency is low. In response to the above problems, a Webshell malicious traffic detection method based on multi-feature fusion was proposed. The method was characterized by the three dimensions of Webshell packet meta information, packet payload content and traffic access behavior. Combining domain knowledge, feature extraction of request and response packets in the data stream. Transformed into feature extraction information for information fusion, forming a discriminant model that could detect different types of attacks. Compared with the previous research method, the accuracy rate of the method here in the two classification of normal and malicious traffic has been improved to 99.25%. The training efficiency and detection efficiency have also been significantly improved, and the training time and detection time have been reduced by 95.73% and 86.14%.

Keywords