Webshell Detection Based on Executable Data Characteristics of PHP Code

Pan, Zhengqiang; Chen, Yuanchao; Shen, Yi; Guo, Xiaohui

doi:10.1155/2021/5533963

Cited by 10 publications

(7 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, a webshell detection method based on statistical characteristics loses its original advantages. Pan et al [14] proposed a webshell detection method based on executable data features in PHP code. This method combines the characteristics of executable data from the PHP code with the characteristics of the static text to detect webshells.…”

Section: Static Methodsmentioning

confidence: 99%

See 1 more Smart Citation

WTA: A Static Taint Analysis Framework for PHP Webshell

Zhao

Wang

et al. 2021

Applied Sciences

View full text Add to dashboard Cite

Webshells are a malicious scripts that can remotely control a webserver to execute arbitrary commands, steal sensitive files, and further invade the internal network. Existing webshell detection methods, such as using pattern matching for webshell detection, can be easily bypassed by attackers using the file include and user-defined functions. Furthermore, detecting unknown webshells has always been a problem in the field of webshell detection. In this paper, we propose a static webshell detection method based on taint analysis, which realizes accurate taint analysis based on ZendVM. We first converted the PHP code into Opline sequences, analyzed the Opline sequences in order, and marked the externally imported taint source. Then, the propagation of the taint variables was tracked, and the interprocedural analysis of the taint variables was performed. Finally, considering the dangerous functions’ call and the referencing of the taint variables at the point of the taint sink, we completed the webshell judgment. Based on this method, we constructed a taint analysis prototype system named WTA and evaluated it with a benchmark dataset by comparing its performance with popular webshell detection tools. The results showed that our method supports interprocedural analysis and has the ability to detect unknown webshells and that WTA’s performance surpasses well-known webshell detection tools such as D-shield, SHELLPUB, WebshellKiller, CloudWalker, ClamAV, LoKi, and findbot.pl.

show abstract

Section: Static Methodsmentioning

confidence: 99%

“…Regular expressions [13] were the earliest method used for webshell content detection. Its disadvantage is that it can only extract features from the existing known webshells, and it needs to be constantly updated [14]. D-Shield [15] is a currently popular static webshell detection tool.…”

Section: Introductionmentioning

confidence: 99%

WTA: A Static Taint Analysis Framework for PHP Webshell

Zhao

Wang

et al. 2021

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…ey innovatively used the FastText text classifier to characterize PHP's opcode sequence, integrating its classification results and statistical features as the Random Forest classifier's input. In addition to the statistical and opcode features mentioned above, Pan et al's [23] detection method of webshell used AST to obtain executable data features of PHP code, fully considering the execution data flow and function parameter characteristics of common system commands. e opcode sequence should be combined with the best n-gram value to effectively ensure the detection effect.…”

Section: Static Detectionmentioning

confidence: 99%

PBDT: Python Backdoor Detection Model Based on Combined Features

Fang

Xie

Huang

2021

Security and Communication Networks

View full text Add to dashboard Cite

Application security is essential in today’s highly development period. Backdoor is a means by which attackers can invade the system to achieve illegal purposes and damage users’ rights. It has posed a serious threat to network security. Thus, it is urgent to take adequate measures to defend such attacks. Previous research work was mainly focused on numerous PHP webshells, with less research on Python backdoor files. Language differences make the method not entirely applicable. This paper proposes a Python backdoor detection model named PBDT based on combined features. The model summarizes the common functional modules and functions in the backdoor files and extracts the number of calls in the text to form sample features. What is more, we consider the text’s statistical characteristics, including the information entropy, the longest string, etc., to identify the obfuscated Python code. Besides, the opcode sequence is used to represent code characteristics, such as TF-IDF vector and FastText classifier, to eliminate the influence of interference items. Finally, we introduce the Random Forest algorithm to build a classifier. Covering most types of backdoors, some samples are obfuscated, the model achieves an accuracy of 97.70%, and the TNR index is as high as 98.66%, showing a good classification performance in Python backdoor detection.

show abstract

“…e majority of susceptible websites at this level are those that have been online for an extended period of time and heavily utilize PHP and JSP. Current research on PHP-type webshell attack [2][3][4][5][6][7] is enough, but research on JSP-type webshell detection is much lower than that on PHP-type webshell detection, so we need to propose a detection technique for JSP-type webshell. At the moment, webshell research is concentrated on static and dynamic detection.…”

Section: Introductionmentioning

confidence: 99%

“…Additionally, we produced some JSP webshells artificially to augment the real dataset, increase the number of data samples, and boost the detection effect. (4) We analyze and detect JSP files on the bytecode level to effectively identify obfuscated and encrypted webshells.…”

Section: Introductionmentioning

confidence: 99%

BERT-Embedding-Based JSP Webshell Detection on Bytecode Level Using XGBoost

Xing

Zhang

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

Webshell is a malicious program that might result in data theft, file modification, or other damaging behaviors once uploaded to a server. Detecting webshells is a key security concern for website administrators. In recent years, techniques such as obfuscation and encryption have been deployed on webshell technology, and classic detection approaches such as static feature matching are gradually underperforming on webshell detection. Meanwhile, there are variations between languages such as JSP and PHP, and researchers have proposed webshell detection methods primarily for languages such as PHP. At the same time, there are fewer detection techniques for JSP webshells. In this case, a detection approach for the JSP webshells is needed. This paper provides a novel webshell detection model for the JSP language. The model’s fundamental premise is that it introduces the BERT-based word vector extraction method, which has been shown in experiments to be more effective at detecting obfuscation, encryption, and other means of evading detection than the traditional Word2vec word vector extraction method. Meanwhile, we introduce the XGBoost algorithm as the model classifier. The experimental results reveal that present model has achieved 99.14% accuracy, 98.68% precision, 98.03% recall, and 98.35% f1 score, and the overall effect is better than the already existing JSP webshell detection approaches.

show abstract

Webshell Detection Based on Executable Data Characteristics of PHP Code

Cited by 10 publications

References 18 publications

WTA: A Static Taint Analysis Framework for PHP Webshell

WTA: A Static Taint Analysis Framework for PHP Webshell

PBDT: Python Backdoor Detection Model Based on Combined Features

BERT-Embedding-Based JSP Webshell Detection on Bytecode Level Using XGBoost

Contact Info

Product

Resources

About