| 基于余弦相似计算原理的Webshell检测方法 |
| |
| 引用本文: | 卢冬海 王洋洋 杨春艳. 基于余弦相似计算原理的Webshell检测方法[J]. 宁波大学学报(理工版), 2017, 0(6): 12-15 |
| |
| 作者姓名: | 卢冬海 王洋洋 杨春艳 |
| |
| 作者单位: | (宁波大学 图书馆与信息中心, 浙江 宁波 315211) |
| |
| 摘 要: | 常规Webshell检测方法一般基于代码特征库和基于通信特征. 代码混淆和虚假通信等反检测技术的出现, 提升了Webshell隐蔽度, 常规方法难于发现. 为了检测此类隐蔽度较高的Webshell, 采用了抽取程序代码多维Webshell特征, 用余弦相似计算原理度量代码文件间的相似度, 平均相似度极低的文件即为可疑Webshell文件. 实验表明, 正常代码文件间的平均相似度在10-1~10-2量级, 而Webshell文件和正常代码文件的平均相似度在10-4量级, 此方法可以有效地检测出Webshell.
|
| 关 键 词: | Webshell 相似度 余弦定理 网站安全 |
A method of detecting Webshell based on cosine similarity calculation principle |
| |
| LU Dong-hai,WANG Yang-yang,YANG Chun-yan. A method of detecting Webshell based on cosine similarity calculation principle[J]. Journal of Ningbo University(Natural Science and Engineering Edition), 2017, 0(6): 12-15 |
| |
| Authors: | LU Dong-hai WANG Yang-yang YANG Chun-yan |
| |
| Affiliation: | ( Library and Information Center, Ningbo University, Ningbo 315211, China ) |
| |
| Abstract: | The conventional Webshell detection method is based on code feature library or on the characteristics of communication. With the hidden degree increasing, the difficulty with Webshell detection grows using the conventional method. In order to detect the Webshell that has higher hidden degrees, we make multidimensional vectors of Webshell feature from the code files, then compare the similarity between code files using cosine similarity calculation principle. The code file which has very low average similarity is considered a good candidate for Webshell file. Experiment shows that the average similarity between the normal code files is in order of magnitude ranging from 10-1 to 10-2, whereas the average similarity between the normal code file and Webshell file is in the range of 10-4. Therefore, this method can effectively detect Webshell. |
| |
| Keywords: | Webshell similarity cosine theorem web security |
| 本文献已被 CNKI 等数据库收录! |
| 点击此处可从《宁波大学学报(理工版)》浏览原始摘要信息 |
|
点击此处可从《宁波大学学报(理工版)》下载免费的PDF全文 |
