Webshell detection techniques in web applications

Tu, Truong Dinh; Guang, Cheng; Guo, Xin; Pan, Wubin

doi:10.1109/icccnt.2014.6963152

Cited by 14 publications

(10 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The long short-term memory and hidden Markov model were used to construct the framework and detect it. Webshell detection techniques in web applications [3] proposed a novel method based on an optimal threshold to identify files containing malicious code in web applications. The detection system finds all the files in classifiers target folder and provides suspicious files to the administrator for inspection.…”

Section: Related Workmentioning

confidence: 99%

WebShell Attack Detection Based on a Deep Super Learner

Luktarhan

Zhou

et al. 2020

Symmetry

View full text Add to dashboard Cite

WebShell is a common network backdoor attack that is characterized by high concealment and great harm. However, conventional WebShell detection methods can no longer cope with complex and flexible variations of WebShell attacks. Therefore, this paper proposes a deep super learner for attack detection. First, the collected data are deduplicated to prevent the influence of duplicate data on the result. Second, to detect the results of the algorithm, static and dynamic feature are taken as the feature of the algorithm to construct a comprehensive feature set. We then use the Word2Vec algorithm to vectorize the features. During this period, to prevent the outbreak of the number of features, we use a genetic algorithm to extract the validity of the feature dimension. Finally, we use a deep super learner to detect WebShell. The experimental results show that this algorithm can effectively detect WebShell, and its accuracy and recall are greatly improved.

show abstract

Section: Related Workmentioning

confidence: 99%

WebShell Attack Detection Based on a Deep Super Learner

Luktarhan

Zhou

et al. 2020

Symmetry

View full text Add to dashboard Cite

show abstract

“…With 500 webshell samples and 1200 normal samples, we set the ngram_range value to (2,2), and other parameters were unchanged. When setting max_features to 1000, 2500, 5000, 7500, 10,000, 12,500, 17,500, 20,000, 40,000, and 50,000, respectively, we calculated the accuracy rate and recall rate.…”

Section: Impact Of Max_features Value On Resultsmentioning

confidence: 99%

“…Attackers often exploit vulnerabilities in the system or web applications to upload a malicious file or malicious code to the webserver. This malicious file is called a webshell [2]. Once the webshell is executed, it can provide remote attackers with an interface to operate the server, including command execution, file manipulation, and database connection [3].…”

Section: Introductionmentioning

confidence: 99%

Mitigating Webshell Attacks through Machine Learning Techniques

2020

View full text Add to dashboard Cite

A webshell is a command execution environment in the form of web pages. It is often used by attackers as a backdoor tool for web server operations. Accurately detecting webshells is of great significance to web server protection. Most security products detect webshells based on feature-matching methods—matching input scripts against pre-built malicious code collections. The feature-matching method has a low detection rate for obfuscated webshells. However, with the help of machine learning algorithms, webshells can be detected more efficiently and accurately. In this paper, we propose a new PHP webshell detection model, the NB-Opcode (naïve Bayes and opcode sequence) model, which is a combination of naïve Bayes classifiers and opcode sequences. Through experiments and analysis on a large number of samples, the experimental results show that the proposed method could effectively detect a range of webshells. Compared with the traditional webshell detection methods, this method improves the efficiency and accuracy of webshell detection.

show abstract

“…Although a small web site can be quickly located, and files can be excluded with weak features, using a combination of static features and manual work, for large web sites, the total amount of human effort is too large at this time. Therefore, Webshell detection techniques in web applications [15] proposes a new method to identify WebShells based on the optimal threshold of malicious signatures, malicious function samples and the longest characters at the beginning and end of file labels. The malicious code in each file of the Web application is scanned and found, and then a list of suspect files and a detailed log analysis table for each suspect file are automatically provided by the administrator for further inspection.…”

Section: A Detection Based On Static Featuresmentioning

confidence: 99%

WS-LSMR: Malicious WebShell Detection Algorithm Based on Ensemble Learning

Luktarhan

Zhao

et al. 2020

IEEE Access

View full text Add to dashboard Cite

To solve the problem that the features produced by hidden means, such as code obfuscation and compression, in encrypted malicious WebShell files are not the same as those produced by nonencrypted files, a WebShell attack detection algorithm based on ensemble learning is proposed. First, this algorithm extracted the feature vocabulary of the unigrams and 4-grams based on opcode; subsequently, the 4-gram feature word weights were obtained according to the calculated Gini coefficient of the unigram feature words and used to select the features, which will be selected again based on the Gini coefficient of the 4-gram feature words. Consequently, a feature vocabulary that can detect encrypted and unencrypted WebShell files was constructed. Second, in order to improve the adaptability and accuracy of the detection method, an ensemble detection model called WS-LSMR, consisting of a Logistic Regression, Support Vector Machine, Multi-layer Perceptron and Random Forest, was constructed. The model uses a weighted voting method to determine the WebShell classification. This experiment demonstrated that compared with the traditional single WebShell detection algorithm, the recall rate and accuracy rate improved to 99.14% and 94.28%, respectively, which proves that this method has better detection performance.

show abstract

Webshell detection techniques in web applications

Cited by 14 publications

References 6 publications

WebShell Attack Detection Based on a Deep Super Learner

WebShell Attack Detection Based on a Deep Super Learner

Mitigating Webshell Attacks through Machine Learning Techniques

WS-LSMR: Malicious WebShell Detection Algorithm Based on Ensemble Learning

Contact Info

Product

Resources

About