Research on WebShell Detection Method Based on Regularized Neighborhood Component Analysis (RNCA)

Detailed description

Bibliographic details
Published in: Symmetry (Basel) 2021-07, Vol.13 (7), p.1202, Article 1202
Main authors: Zhou, Aijun; Luktarhan, Nurbol; Ai, Zhuang
Format: Article
Language: eng
Online access: Full text
Description
Summary: The variant, encryption, and confusion of WebShell results in problems in the detection method based on feature selection, such as poor detection effect and weak generalization ability. In order to solve this problem, a method of WebShell detection based on regularized neighborhood component analysis (RNCA) is proposed. The RNCA algorithm can effectively reduce the dimension of data while ensuring the accuracy of classification. In this paper, it is innovatively applied to a WebShell detection neighborhood, taking opcode behavior sequence features as the main research object, constructing vocabulary by using opcode sequence features with variable length, and effectively reducing the dimension of WebShell features from the perspective of feature selection. The opcode sequence selected by the algorithm is symmetrical with the source code file, which has great reference value for WebShell classification. On the issue of the single feature, this paper uses the fusion of behavior sequence features and text static features to construct a feature combination with stronger representation ability, which effectively improves the recognition rate of WebShell to a certain extent.
ISSN: 2073-8994
DOI: 10.3390/sym13071202