WS-LSMR: Malicious WebShell Detection Algorithm Based on Ensemble Learning

Ai, Zhuang; Luktarhan, Nurbol; Zhao, Yongxia; Tang, Chaofei

doi:10.1109/access.2020.2989304

Cited by 11 publications

(1 citation statement)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Each of these methods has its advantages and disadvantages. Ai et al [51] proposed a webshell detection method based on ensemble learning, which constructed a differentiated ensemble detection model, WS-LSMR, composed of Logistic Regression (LR), Support Vector Machine (SVM), Multilayer Perceptron (MLP), and Random Forest (RF). Given the four basic classifiers (LR, SVC, MLP, RF), this model adaptively assigns weights to the four classifiers, and algorithms with high accuracy will have high weights to better reflect the effect of good algorithms.…”

Section: Static Methodsmentioning

confidence: 99%

WTA: A Static Taint Analysis Framework for PHP Webshell

Zhao

Wang

et al. 2021

Applied Sciences

View full text Add to dashboard Cite

Webshells are a malicious scripts that can remotely control a webserver to execute arbitrary commands, steal sensitive files, and further invade the internal network. Existing webshell detection methods, such as using pattern matching for webshell detection, can be easily bypassed by attackers using the file include and user-defined functions. Furthermore, detecting unknown webshells has always been a problem in the field of webshell detection. In this paper, we propose a static webshell detection method based on taint analysis, which realizes accurate taint analysis based on ZendVM. We first converted the PHP code into Opline sequences, analyzed the Opline sequences in order, and marked the externally imported taint source. Then, the propagation of the taint variables was tracked, and the interprocedural analysis of the taint variables was performed. Finally, considering the dangerous functions’ call and the referencing of the taint variables at the point of the taint sink, we completed the webshell judgment. Based on this method, we constructed a taint analysis prototype system named WTA and evaluated it with a benchmark dataset by comparing its performance with popular webshell detection tools. The results showed that our method supports interprocedural analysis and has the ability to detect unknown webshells and that WTA’s performance surpasses well-known webshell detection tools such as D-shield, SHELLPUB, WebshellKiller, CloudWalker, ClamAV, LoKi, and findbot.pl.

show abstract

Section: Static Methodsmentioning

confidence: 99%