AST-DF: A New Webshell Detection Method Based on Abstract Syntax Tree and Deep Forest-Reference-Cited by-同舟云学术

AST-DF: A New Webshell Detection Method Based on Abstract Syntax Tree and Deep Forest

Published:2024-04-13 Issue:8 Volume:13 Page:1482
ISSN:2079-9292
Container-title:Electronics
language:en
Short-container-title:Electronics

Author:

Dong Chengfeng¹²,Li Daofeng¹²

Affiliation:

1. School of Computer and Electronic Information, Guangxi University, Nanning 530004, China

2. Guangxi Colleges and Universities Key Laboratory of Multimedia Communications and Information Processing, Guangxi University, Nanning 530004, China

Abstract

Webshell is a kind of web-language-based website backdoor, which is usually used by attackers to control web servers. Due to its dangerous nature, how to detect Webshell effectively has become a hot research topic in current Web security research. With the rapid development of Webshell evasion technology, the existing Webshell detection methods have the problem of insufficient ability to detect unknown Webshells. In order to solve the above problems and achieve effective Webshell detection, this study proposes a Webshell detection method based on the abstract syntax tree (AST) and deep forest (DF) model called AST-DF. AST-DF first extracts the abstract syntax tree from the PHP code; then, the abstract syntax tree sequence is feature extracted and vectorized using N-gram and TF-IDF. Finally, the vectors are imported into the deep forest model for classification to determine whether the PHP code to be detected is a Webshell or not. The experimental results show that AST-DF achieves remarkable effects in the task of detecting PHP-type Webshells, with a 99.61% accuracy rate, and the values of precision, recall, and F1 score are more than 99%.

Funder

National Natural Science Foundation of China

Publisher

MDPI AG

Link

https://www.mdpi.com/2079-9292/13/8/1482/pdf

Reference37 articles.

1. Developing web applications;Int. J. Softw. Eng. Appl.,2011

2. WebSHArk 1.0: A benchmark collection for malicious web shell detection;Kim;J. Inf. Process. Syst.,2015

3. Qian, L., Zhu, Z., Hu, J., and Liu, S. (2015, January 10–11). Research of SQL injection attack and prevention technology. Proceedings of the 2015 International Conference on Estimation, Detection and Information Fusion (ICEDIF), Harbin, China.

4. Dahse, J., and Holz, T. (2014, January 20–22). Static Detection of {Second-Order} Vulnerabilities in Web Applications. Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USA.

5. Zheng, Y., and Zhang, X. (2013, January 18–26). Path sensitive static analysis of web applications for remote code execution vulnerability detection. Proceedings of the 2013 35th International Conference on Software Engineering (ICSE), San Francisco, CA, USA.