Cite this article
  • Zhai Jiangtao, Wang Tao, Zhou Qiao, Dong Yi, Wang Zihao. WebShell Detection Method Based on Dynamic Word Embeddings and Graph Convolution[J]. Journal of Cyber Security, accepted.

WebShell Detection Method Based on Dynamic Word Embeddings and Graph Convolution
(Nanjing University of Information Science and Technology)
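Abstract:
As digital transformation accelerates, Web servers have become a prime target for network attacks. A WebShell is a malicious program written as a Web script that lets an attacker remotely control a server to carry out illegal activities, posing a serious threat to network security. Existing WebShell detection methods struggle with the complexity and diversity of WebShell code and therefore fail to achieve satisfactory detection results. To address the shortcomings of existing methods in handling code polysemy, contextual understanding, and structural feature recognition, this paper proposes a WebShell detection method, JLBertGCN. The method uses the Bert model to generate dynamic word embeddings and combines it with a graph convolutional network (GCN), treating code as a graph structure for feature extraction. Specifically, the Bert model learns general language representations from large-scale unlabeled text and is particularly good at capturing lexical polysemy and contextual relationships. The GCN further strengthens the model's feature extraction by capturing irregular structure and semantic information in the text. In addition, the paper adopts a dual-channel joint training strategy that effectively combines the outputs of Bert and BertGCN to improve detection performance. With this strategy, the model makes full use of Bert's pre-training capability and the GCN's strength in learning graph structure to form a precise text representation. Experimental results show that JLBertGCN achieves an accuracy of 99.26% and an F1 score of 99.05% on the WebShell detection task, significantly outperforming existing methods. This indicates that the proposed method performs well in handling complex code semantics and structural features and can effectively cope with highly obfuscated and dynamically changing WebShell attack scenarios. While accurately identifying WebShells, JLBertGCN also shows strong generalization ability and robustness, offering new ideas and technical means for improving network security.
Keywords:  WebShell  deep learning  dynamic word embeddings  graph convolutional network  joint training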
DOI:
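Submitted: 2024-06-24  Revised: 2024-07-18
Funding: National Key Research and Development Program of China (2021QY0700); National Natural Science Foundation of China (U21B2003, 62072250)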
WebShell Detection Method Based on Dynamic Word Embeddings and Graph Convolution
Zhai Jiangtao, Wang Tao, Zhou Qiao, Dong Yi, Wang Zihao
(Nanjing University of Information Science & Technology)
Abstract:
With the acceleration of digital transformation, Web servers have become a prime target for cyber attacks. A WebShell is a malicious program written as a Web script that allows attackers to remotely control servers and perform illegal activities, posing a serious threat to network security. Existing WebShell detection methods cannot achieve ideal detection results because they struggle to handle the complexity and diversity of WebShell code. To address the shortcomings of existing methods in dealing with the ambiguity of code, context understanding, and structural feature recognition, this paper proposes a WebShell detection method, JLBertGCN. The method uses the Bert model to generate dynamic word vectors and combines it with a graph convolutional network (GCN), treating the code as a graph structure for feature extraction. Specifically, the Bert model can learn a general language representation from large-scale unlabeled text and is especially good at capturing the ambiguity and contextual relationships of vocabulary. The GCN further enhances the model's feature extraction ability by capturing the irregular structure and semantic information in the text. In addition, this paper adopts a dual-channel joint training strategy that effectively combines the outputs of Bert and BertGCN to improve the model's detection performance. Through this strategy, the model can fully utilize the pre-training ability of Bert and the graph structure learning advantages of the GCN to form an accurate text representation. Experimental results show that the accuracy and F1 score of the JLBertGCN method on the WebShell detection task reached 99.26% and 99.05% respectively, significantly better than existing methods. This shows that the proposed method is superior in processing complex code semantics and structural features and can effectively deal with highly obfuscated and dynamically changing WebShell attack scenarios. While accurately identifying WebShells, JLBertGCN has strong generalization ability and robustness, providing new ideas and technical means for improving network security.
Key words:  WebShell  deep learning  dynamic word embeddings  GCN  joint training