Journal of Information Security Research (信息安全研究) ›› 2018, Vol. 4 ›› Issue (3): 251-255.

• Academic Paper

Webshell Detection Method Based on Correlation Analysis

Zhou Ying, Hu Yong

  1. Sichuan University
  • Received: 2018-03-21 Online: 2018-03-15 Published: 2018-03-21
  • Corresponding author: Zhou Ying
  • About the authors: Zhou Ying, born in 1992, master's student, main research interest: Web security. Hu Yong, born in 1973, associate professor and master's supervisor, main research interest: information system security.

Abstract: Most current webshell detection tools rely on matching against a feature library, and their accuracy on obfuscated or encrypted webshells is low. This paper selects statistical features that reflect webshell obfuscation and proposes a webshell detection method based on correlation analysis. The method applies a correlation analysis algorithm to derive the latent relationships among the feature parameters, adjusts the support and confidence thresholds to build feature correlation rules that satisfy both the minimum support and the minimum confidence, and then uses cross-validation to test the detection effect. The results show that the method can detect obfuscated webshells. A comparison of the two correlation analysis methods and detection tools shows that the method improves detection efficiency and accuracy.

Key words: Webshell detection, correlation analysis, obfuscation features