Webshell Detection Based on Random Forest–Gradient Boosting Decision Tree Algorithm

Cui, Handong; Huang, Delu; Fang, Yong; Liu, Liang; Huang, Cheng

doi:10.1109/dsc.2018.00030

Cited by 41 publications

(30 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the feature database is not regularly updated, the alarm failure rate will be high. Webshell Detection Based on Random Forest-Gradient Boosting Decision Tree Algorithm [4] extracts static features from .php source files and uses the TF-IDF vector and hash vector to extract dynamic features under the opcode. The two features are unified as WebShell features.…”

Section: Related Workmentioning

confidence: 99%

WebShell Attack Detection Based on a Deep Super Learner

Luktarhan

Zhou

et al. 2020

Symmetry

View full text Add to dashboard Cite

WebShell is a common network backdoor attack that is characterized by high concealment and great harm. However, conventional WebShell detection methods can no longer cope with complex and flexible variations of WebShell attacks. Therefore, this paper proposes a deep super learner for attack detection. First, the collected data are deduplicated to prevent the influence of duplicate data on the result. Second, to detect the results of the algorithm, static and dynamic feature are taken as the feature of the algorithm to construct a comprehensive feature set. We then use the Word2Vec algorithm to vectorize the features. During this period, to prevent the outbreak of the number of features, we use a genetic algorithm to extract the validity of the feature dimension. Finally, we use a deep super learner to detect WebShell. The experimental results show that this algorithm can effectively detect WebShell, and its accuracy and recall are greatly improved.

show abstract

Section: Related Workmentioning

confidence: 99%

WebShell Attack Detection Based on a Deep Super Learner

Luktarhan

Zhou

et al. 2020

Symmetry

View full text Add to dashboard Cite

show abstract

“…Comprehensive comparison analysis is carried out through parameters such as file coincidence index; information entropy; longest string; compression ratio; and other features. H et al [21] detected obfuscated webshells by extracting four characteristics, namely file coincidence index; information entropy; variance of the longest string length; and compression ratio. They adopted a naïve Bayes classifier to detect obfuscated webshells.…”

Section: Discussionmentioning

confidence: 99%

Mitigating Webshell Attacks through Machine Learning Techniques

2020

View full text Add to dashboard Cite

A webshell is a command execution environment in the form of web pages. It is often used by attackers as a backdoor tool for web server operations. Accurately detecting webshells is of great significance to web server protection. Most security products detect webshells based on feature-matching methods—matching input scripts against pre-built malicious code collections. The feature-matching method has a low detection rate for obfuscated webshells. However, with the help of machine learning algorithms, webshells can be detected more efficiently and accurately. In this paper, we propose a new PHP webshell detection model, the NB-Opcode (naïve Bayes and opcode sequence) model, which is a combination of naïve Bayes classifiers and opcode sequences. Through experiments and analysis on a large number of samples, the experimental results show that the proposed method could effectively detect a range of webshells. Compared with the traditional webshell detection methods, this method improves the efficiency and accuracy of webshell detection.

show abstract

“…Cui et al proposed the model of webshell detection based on random forest-gradient boosting decision tree algorithm [17]. First attain opcode hash vector and text vector library features extracted from PHP opcode processed by the TF-IDF (term frequency-inverse document frequency) [18] vector.…”

Section: Related Workmentioning

confidence: 99%

Webshell Detection Based on Executable Data Characteristics of PHP Code

Pan

Chen

Shen

et al. 2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

A webshell is a malicious backdoor that allows remote access and control to a web server by executing arbitrary commands. The wide use of obfuscation and encryption technologies has greatly increased the difficulty of webshell detection. To this end, we propose a novel webshell detection model leveraging the grammatical features extracted from the PHP code. The key idea is to combine the executable data characteristics of the PHP code with static text features for webshell classification. To verify the proposed model, we construct a cleaned data set of webshell consisting of 2,917 samples from 17 webshell collection projects and conduct extensive experiments. We have designed three sets of controlled experiments, the results of which show that the accuracy of the three algorithms has reached more than 99.40%, the highest reached 99.66%, the recall rate has been increased by at least 1.8%, the most increased by 6.75%, and the F1 value has increased by 2.02% on average. It not only confirms the efficiency of the grammatical features in webshell detection but also shows that our system significantly outperforms several state-of-the-art rivals in terms of detection accuracy and recall rate.

show abstract

Webshell Detection Based on Random Forest–Gradient Boosting Decision Tree Algorithm

Cited by 41 publications

References 15 publications

WebShell Attack Detection Based on a Deep Super Learner

WebShell Attack Detection Based on a Deep Super Learner

Mitigating Webshell Attacks through Machine Learning Techniques

Webshell Detection Based on Executable Data Characteristics of PHP Code

Contact Info

Product

Resources

About