Automatic and Accurate Detection of Webshell Based on Convolutional Neural Network

Lv, Zhuo-Hang; Yan, Haowen; Rui, Mei

doi:10.1007/978-981-13-6621-5_6

Cited by 12 publications

(10 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Machine learning and deep learning methods [25][26][27] are used in webshell detection. Among the deep learning methods used, CNN [28][29][30] is often used for webshell detection. Tian et al [31] first applied CNN to webshell detection.…”

Section: Methods Of Webshell Detectionmentioning

confidence: 99%

BERT-Embedding-Based JSP Webshell Detection on Bytecode Level Using XGBoost

Xing

Zhang

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

Webshell is a malicious program that might result in data theft, file modification, or other damaging behaviors once uploaded to a server. Detecting webshells is a key security concern for website administrators. In recent years, techniques such as obfuscation and encryption have been deployed on webshell technology, and classic detection approaches such as static feature matching are gradually underperforming on webshell detection. Meanwhile, there are variations between languages such as JSP and PHP, and researchers have proposed webshell detection methods primarily for languages such as PHP. At the same time, there are fewer detection techniques for JSP webshells. In this case, a detection approach for the JSP webshells is needed. This paper provides a novel webshell detection model for the JSP language. The model’s fundamental premise is that it introduces the BERT-based word vector extraction method, which has been shown in experiments to be more effective at detecting obfuscation, encryption, and other means of evading detection than the traditional Word2vec word vector extraction method. Meanwhile, we introduce the XGBoost algorithm as the model classifier. The experimental results reveal that present model has achieved 99.14% accuracy, 98.68% precision, 98.03% recall, and 98.35% f1 score, and the overall effect is better than the already existing JSP webshell detection approaches.

show abstract

Section: Methods Of Webshell Detectionmentioning

confidence: 99%

BERT-Embedding-Based JSP Webshell Detection on Bytecode Level Using XGBoost

Xing

Zhang

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…is is the oldest and most traditional way to detect webshells, which places high demands on the administrators of the website. Administrators are supposed to have a comprehensive grasp of the website files and have a high recognition ability for some newly added exception files [13], such as some naming files, passby.php, pass.asp, and a.jsp. Besides, these small files should be treated carefully because there are probably one word Trojans.…”

Section: Methods Of Webshell Detectionmentioning

confidence: 99%

Session-Based Webshell Detection Using Machine Learning in Web Logs

Sun

Huang

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

Attackers upload webshell into a web server to achieve the purpose of stealing data, launching a DDoS attack, modifying files with malicious intentions, etc. Once these objects are accomplished, it will bring huge losses to website managers. With the gradual development of encryption and confusion technology, the most common detection approach using taint analysis and feature matching might become less useful. Instead of applying source file codes, POST contents, or all received traffic, this paper demonstrated an intelligent and efficient framework that employs precise sessions derived from the web logs to detect webshell communication. Features were extracted from the raw sequence data in web logs while a statistical method based on time interval was proposed to identify sessions specifically. Besides, the paper leveraged long short-term memory and hidden Markov model to constitute the framework, respectively. Finally, the framework was evaluated with real data. The experiment shows that the LSTM-based model can achieve a higher accuracy rate of 95.97% with a recall rate of 96.15%, which has a much better performance than the HMM-based model. Moreover, the experiment demonstrated the high efficiency of the proposed approach in terms of the quick detection without source code, especially when it only considers detecting for a period of time, as it takes 98.5% less time than the cited related approach to get the result. As long as the webshell behavior is detected, we can pinpoint the anomaly session and utilize the statistical method to find the webshell file accurately.

show abstract

“…Since only one path in the code sequences of a malicious sample may be malicious, there is considerable interference by non-malicious paths on the features. This also explains why researchers have suggested that the Doc2Vec detection performance is below par [6].…”

Section: Encrypted Communicationmentioning

confidence: 98%

“…Analysis of the hash values revealed that a little over one-half of the malicious samples (1,031 samples) were included in the benign samples. Manual analysis of the 1,031 samples revealed that they were, in fact, benign -this raises questions about the results presented by researchers who have used these datasets [4,6,14]. In any case, these 1,031 samples were eliminated to leave only 1,019 malicious samples.…”

Section: Data Processingmentioning

confidence: 99%

Enhancing the Feature Profiles of Web Shells by Analyzing the Performance of Multiple Detectors

Huang

Jia

et al. 2020

Advances in Digital Forensics XVI

View full text Add to dashboard Cite

Web shells are commonly used to transfer malicious scripts in order to control web servers remotely. Malicious web shells are detected by extracting the feature profiles of known web shells and creating a learning model that classifies malicious samples. This chapter proposes a novel feature profile scheme for characterizing malicious web shells based on the opcode sequences and static properties of PHP scripts. A real-world dataset is employed to compare the performance of the feature profile scheme against state-of-art schemes using various machine learning algorithms. The experimental results demonstrate that the new feature profile scheme significantly reduces the false positive rate.

show abstract

Automatic and Accurate Detection of Webshell Based on Convolutional Neural Network

Cited by 12 publications

References 2 publications

BERT-Embedding-Based JSP Webshell Detection on Bytecode Level Using XGBoost

BERT-Embedding-Based JSP Webshell Detection on Bytecode Level Using XGBoost

Session-Based Webshell Detection Using Machine Learning in Web Logs

Enhancing the Feature Profiles of Web Shells by Analyzing the Performance of Multiple Detectors

Contact Info

Product

Resources

About