Authors: XU Bo (许波); JIANG Zhengwei (姜政伟) [2]; XIN Liling (辛丽玲); ZHOU Yufei (周宇飞)
Affiliations: [1] School of Information Networking Security, People's Public Security University of China, Beijing 100038, China; [2] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; [3] Chengdu Municipal Public Security Bureau, Chengdu, Sichuan 610017, China; [4] Shandong Province Binhai Public Security Bureau, Dongying, Shandong 257013, China
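Source: Frontiers of Data & Computing (《数据与计算发展前沿》), 2022, No. 5, pp. 77-86 (10 pages)
Funding: National Key R&D Program of China (2018YFB0805005); Youth Innovation Promotion Association of the Chinese Academy of Sciences (2020166).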
Abstract: [Objective] A Webshell is an executable script produced by implanting a Trojan through injection, XSS, upload, and other vulnerability-based penetration techniques. Because Webshells are written in different languages, are exploited in varied ways, and are highly stealthy, studying how to detect them makes it possible to accurately discover malicious attacks that penetrate and intrude into websites, and is of positive significance for early warning, analysis and assessment, and combating hacking cases such as illegal intrusion into computer information systems. [Methods] This paper proposes an innovative method that studies behavioral data and extracts features based on Webshell malicious code, and carries out feature-based Webshell detection on HTTP traffic together with network security threat intelligence modeling experiments and applications. [Results] Actual deployment and experimental results show that the extracted feature values identify Webshells with high accuracy and can effectively detect malicious attacks. [Conclusions] Although the detection method based on feature engineering has the disadvantage of heavy maintenance, it achieves high accuracy and efficiency in detecting known, specific attack behaviors, which is very valuable in the practical application of preventing and combating hacking crimes.
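Keywords: hacking crime; Webshell; HTTP protocol; feature engineering; network security threat
Classification number: TP393.08 [Automation and Computer Technology - Computer Application Technology]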