基于XGBoost算法的Webshell检测方法研究

为解决加密型Webshell与非加密型Webshell的代码特征不统一、难以提取的问题,提出一种基于XGBoost算法的Webshell检测方法。首先,对Webshell进行功能分析,发现绝大部分Webshell都具有代码执行、文件操作、数据库操作和压缩与混淆编码等特点,这些特征全面地描述了Webshell的行为。因此,对于非加密型的Webshell,将其主要特征划分为相关函数出现的次数。对于加密型的Webshell,根据代码的静态特性,将文件重合指数、信息熵、最长字符串长度、压缩比4个参数作为其特征。最后,将两种特征统一起来作为Webshell特征,改善了Webshell特征覆盖不全的问题。实验结果表明,所提方法能有效地对两种Webshell进行检测;与传统的单一类型Webshell检测方法相比,该方法提高了Webshell检测的效率与准确率。

Research of Webshell Detection Method Based on XGBoost Algorithm

To solve problem of uniform code characteristics and difficulty to extract of the encrypted Webshell and non-encrypted Webshell ,this paper proposed a Webshell detection method based on XGBoost algorithm.First of all,this paper analyzed features of Webshell,and found that most of the Webshell have code execution,file operations,database operations,compression,obfuscation coding and so on,which describe the behaviors of Webshell comprehensively.Therefore,for non-encrypted Webshell,its main feature is divided into the number of occurrences of correlation functions.For encrypted Webshell,according to the statistical characteristics of the code,file coincidence index,information entropy,the length of the longest string,compression ratio are taken as four parameters as its features.Finally,these two type of features are gregarded together as a Webshell features,improving the problem of lack of Webshell feature coverage.The experimental results show that the proposed method can achieve high performance,compared with the traditional single-type Webshell detection,it improves the efficiency and accuracy of Webshell detection.