Enhancing the Feature Profiles of Web Shells by Analyzing the Performance of Multiple Detectors

Huang, Weiqing; Jia, Chenggang; Yu, Min; Chow, Kam-Pui; Chen, Jiuming; Liu, Chao; Jiang, Jianguo

doi:10.1007/978-3-030-56223-6_4

Cited by 5 publications

(1 citation statement)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the dataset used in the experiments is not limited to 100 files, so more data is needed to validate the model. Huang et al [12] used 2 statistical features, 21 high-risk functions, and term frequency-inverse document frequency (TF-IDF) vectorization of PHP opcode sequences. They found that the random forest (RF) classifier outperformed the SVM and k-nearest neighbors (KNN) algorithms.…”

Section: Static Webshell Detectionmentioning

confidence: 99%

JShellDetector: A Java Fileless Webshell Detector Based on Program Analysis

Song¹,

Qin²,

Liu³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Fileless webshell attacks against Java web applications have become more frequent in recent years as Java has gained market share. Webshell is a malicious script that can remotely execute commands and invade servers. It is widely used in attacks against web applications. In contrast to traditional file-based webshells, fileless webshells leave no traces on the hard drive, which means they are invisible to most antivirus software. To make matters worse, although there are some studies on fileless webshells, almost all of them are aimed at web applications developed in the PHP language. The complex mechanism of Java makes researchers face more challenges. To mitigate this attack, this paper proposes JShellDetector, a fileless webshell detector for Java web applications based on program analysis. JShellDetector uses method probes to capture dynamic characteristics of web applications in the Java Virtual Machine (JVM). When a suspicious class tries to call a specific sensitive method, JShellDetector catches it and converts it from the JVM to a bytecode file. Then, JShellDetector builds a Jimple-based control flow graph and processes it using taint analysis techniques. A suspicious class is considered malicious if there is a valid path from sources to sinks. To demonstrate the effectiveness of the proposed approach, we manually collect 35 test cases (all open source on GitHub) and test JShellDetector and only two other Java fileless webshell detection tools. The experimental results show that the detection rate of JShellDetector reaches 77.1%, which is about 11% higher than the other two tools.

show abstract

Section: Static Webshell Detectionmentioning

confidence: 99%