Enhancing Webshell Detection With Deep Learning-Powered Methods

TL;DR

This paper presents a comprehensive approach to webshell detection using deep learning, including source code analysis with a new framework and real-time HTTP traffic analysis, demonstrating improved accuracy and attack prevention.

Contribution

It introduces ASAF, a novel deep learning-powered source code scanning framework, and a real-time HTTP traffic detection model, both validated with experimental results.

Findings

ASAF effectively detects known and unknown webshells.

The HTTP traffic model improves detection accuracy on CSE-CIC-IDS2018.

Integrated system enables automatic IP blacklisting and attack prevention.

Abstract

Webshell attacks are becoming more common, requiring robust detection mechanisms to protect web applications. The dissertation clearly states two research directions: scanning web application source code and analyzing HTTP traffic to detect webshells. First, the dissertation proposes ASAF, an advanced DL-Powered Source-Code Scanning Framework that uses signature-based methods and deep learning algorithms to detect known and unknown webshells. We designed the framework to enable programming language-specific detection models. The dissertation used PHP for interpreted language and ASP.NET for compiled language to build a complete ASAF-based model for experimentation and comparison with other research results to prove its efficacy. Second, the dissertation introduces a deep neural network that detects webshells using real-time HTTP traffic analysis of web applications. The study proposes an algorithm to improve the deep learning model's loss function to address data imbalance. We tested and compared the model to other studies on the CSE-CIC-IDS2018 dataset to prove its efficacy. We integrated the model with NetIDPS to improve webshell identification. Automatically blacklist attack source IPs and block URIs querying webshells on the web server to prevent these attacks.