Abstract

A web shell is a malicious script file that can harm a web server. Intruders use web shells to perform a series of malicious operations on website servers, such as privilege escalation and sensitive information leakage. Existing web shell detection methods have shortcomings: they look at a single view such as network traffic behavior, rely on simple signature comparison, or use easily bypassed regular-expression matching. To address these deficiencies, a web shell detection method based on multiview feature fusion is proposed for PHP web shells. First, lexical, syntactic, and abstract features that represent the internal meaning of a web shell at multiple levels are extracted and integrated. Second, the Fisher score is used to rank the features by importance and keep only the most representative ones. Finally, an optimized support vector machine (SVM) is trained to distinguish web shells from normal scripts. In large-scale experiments, the model reached a classification accuracy of 92.18% on 1056 web shells and 1056 benign web scripts, surpassing well-known web shell detection tools such as VirusTotal, ClamAV, LOKI, and CloudWalker as well as state-of-the-art web shell detection methods.

Highlights

  • A web shell is a malicious script uploaded by an attacker to a compromised web server

  • To address the shortcomings of existing detectors, this paper proposes a web shell detection method based on multiview feature fusion

  • False positive (FP): a benign web script that is marked as a web shell


Summary

Introduction

A web shell is a malicious script uploaded by an attacker to a compromised web server. Its purpose is to maintain persistent access to the compromised computer or server in order to carry out further malicious actions, such as executing sensitive system commands, stealing and tampering with user data, and defacing the website's homepage. Web shells are an important component of advanced persistent threat (APT) attacks [1] and can cause significant damage to governments and large enterprises. Academia and industry have proposed a series of detection methods and defense solutions for web shells (e.g., auditing source code before a program is released, and monitoring the program in real time while it runs). However, in an enterprise setting the operating system or application may not be updated in time, and unknown software from third parties can be


