Research on WebShell encrypted communication detection based on machine learning
(original Chinese title: 基于机器学习的 WebShell 加密通信检测研究)
Authors: leiyu che, xiaodong liu
DOI: 10.1117/12.3032051 (https://doi.org/10.1117/12.3032051)
Venue: International Conference on Algorithms, Microchips and Network Applications, volume 27, pages 131711M - 131711M-6
Publication date: 2024-06-08
Publication type: Journal Article
Record source: Semantic Scholar (citation count: 0; not open access)
A WebShell is a backdoor program hosted on a web service. Attackers use a WebShell to obtain administrative privileges on the web service and thereby penetrate and control the web application. As traffic encryption has become widespread, traditional detection methods that match text-content features and network-traffic features find it increasingly difficult to stop complex WebShell attacks in production environments, particularly variant samples, adversarial samples, and 0-day vulnerability samples, and their detection results are unsatisfactory. This article builds a network collection environment and gathers malicious WebShell traffic samples produced with different platforms, languages, and tools; proposes a WebShell encrypted-traffic recognition method based on ReliefF feature extraction, which assigns weights to multiple features with the ReliefF algorithm and selects the feature groups with strong classification ability according to the magnitude of those weights; and finally uses the LightGBM classification algorithm to separate normal encrypted traffic from WebShell encrypted traffic and to identify the management tool to which WebShell password (connection) traffic belongs. The experimental results indicate that the method effectively distinguishes normal encrypted traffic from malicious WebShell traffic. The recognition accuracy and recall rate for WebShell management tool software are both higher than 92%.