采用随机森林改进算法的Webshell检测方法*

为解决Webshell检测特征覆盖不全、检测算法有待完善的问题,论文提出一种基于随机森林的Webshell检测方法。首先对三种类型的Webshell进行深入特征分析,构建多维特征向量较全面的覆盖静态属性和动态行为,改进随机森林特征选取方法,依据Fisher比度量特征重要性,对子类的依赖特征进行划分,按比例和顺序从中选择特征,克服特征选择完全随机带来的弊端,提高决策树分类强度,降低树间相关度。实验对随机森林改进算法和标准算法进行了对比分析,结果表明改进算法依靠更少的决策树就能达到很好效果,并进一步与SVM算法进行比较,证明了该方法在Webshell检测问题上具有一定优越性。

A Webshell Detection Method Based on Random Forest Improved Algorithm

To improve the Webshell detection feature coverage and the ability of detection algorithm, a Webshell detection method based on random forest was proposed. First of all, features of three kinds Webshell were analyzed, and multidimensional eigenvector was built which had comprehensive coverage of static attributes and dynamic behaviors. The method of random forest feature selection was improved. Features were partitioned according to the importance measured based on Fisher criterion and selected in proportion and order, to overcome the drawbacks brought by completely random feature selection, which increased the intensity of the decision tree classification and reduced the relevance between decision trees. The results of the experiment of random forest improved algorithm and standard algorithm showed that the improved algorithm with less decision trees can achieve very good effect, and another contrast experiment proved that the random forest improved algorithm had superiority compared with SVM algorithm in dealing with Webshell detection problem.