Frontiers of Data and Computing ›› 2022, Vol. 4 ›› Issue (5): 77-86.

CSTR: 32002.14.jfdc.CN10-1649/TP.2022.05.009

doi: 10.11871/jfdc.issn.2096-742X.2022.05.009

• Special Issue: Call for Papers for the 37th National Conference on Computer Security

Research on Webshell Detection Methods Based on Feature Engineering and Threat Intelligence

XU Bo1,3, JIANG Zhengwei2, XIN Liling2,*, ZHOU Yufei1,4

  1. People’s Public Security University of China, School of Information Networking Security, Beijing 100038, China
    2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
    3. Chengdu Municipal Public Security Bureau, Chengdu, Sichuan 610017, China
    4. Shandong Province, Binhai Public Security Bureau, Dongying, Shandong 257013, China
  • Received: 2022-08-03  Online: 2022-10-20  Published: 2022-10-27
  • Contact: XIN Liling  E-mail: xinliling@iie.ac.cn

Abstract:

[Objective] A Webshell is an executable script planted as a Trojan horse after a website has been penetrated through injection, XSS, file upload, or other vulnerabilities. Because Webshells differ in implementation language, exploit variables in varied ways, and are deliberately stealthy, Webshell detection methods that can accurately discover the malicious behavior of infiltrating and invading websites are needed; such methods are of positive significance for early warning, investigation and analysis, and combating hacking cases such as illegal intrusion into computer information systems. [Methods] This paper proposes an innovative method that studies behavioral data and extracts features from Webshell malicious code, and implements feature-based Webshell detection and network security threat intelligence modeling on HTTP traffic, both in experiments and in application. [Results] Experiments and actual deployment show that the extracted feature values identify Webshells with high accuracy and effectively detect malicious attacks. [Conclusions] Although detection based on feature engineering carries a heavy maintenance burden, it achieves higher accuracy and efficiency in detecting known, specific attacks, which is of great value in the practical work of preventing and combating hacking crimes.

Key words: hacking crime, Webshell, HTTP protocol, feature engineering, cybersecurity threats