
SmartDetect: A Smart Detection Scheme for Malicious Web Shell Codes via Ensemble Learning

  • Zijian Zhang
  • Meng Li
  • Liehuang Zhu
  • Xinyi Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11344)

Abstract

The rapid global spread of web technology has led to an increase in unauthorized intrusions into computers and networks. Malicious web shell code used by attackers can cause extremely harmful consequences. However, existing detection methods cannot precisely distinguish malicious code from benign code. To address this problem, we first detected malicious web shell code by applying traditional data mining algorithms: Support Vector Machine, K-Nearest Neighbor, Naive Bayes, Decision Tree, and Convolutional Neural Network. Then, we designed an ensemble learning classifier to further improve the accuracy. Our experimental analysis showed that the accuracy of SmartDetect, our proposed smart detection scheme for malicious web shell code, was higher than that of Shell Detector and NeoPI on a dataset collected from GitHub. The equal-error rate of SmartDetect's detection results was also lower than those of Shell Detector and NeoPI.
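The pipeline the abstract describes (lexical features from PHP sources, several base learners, a majority-vote ensemble, then accuracy and equal-error rate) is shown below in an added Python example written for this page. It is not the SmartDetect implementation: it uses a decision stump in place of the decision tree, omits the SVM and CNN, and the feature vocabularies (SINKS, DECODERS, SUPERGLOBALS), the k=3 and smoothing settings, and the stylised PHP corpus are all constructed assumptions rather than the paper's GitHub dataset.

```python
"""Lexical web-shell triage: three simple learners (kNN, Bernoulli naive Bayes, decision
stump) combined by majority vote, and an equal-error-rate sweep.  Added example, not
SmartDetect's code; the corpus is constructed, not the paper's GitHub dataset."""
import math
import re

# Assumed vocabularies: execution sinks, decoding/obfuscation helpers, request superglobals.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
         "popen", "proc_open", "create_function")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

def count_calls(src, names):
    """Count call sites `name(`; the \\b keeps exec( from also matching shell_exec(."""
    return sum(len(re.findall(r"\b" + re.escape(n) + r"\s*\(", src)) for n in names)

def features(src):
    """[sink calls, decoder calls, superglobal reads] for one PHP source string."""
    return [count_calls(src, SINKS), count_calls(src, DECODERS),
            sum(src.count(g) for g in SUPERGLOBALS)]

# Constructed, stylised corpus: 1 = web shell, 0 = ordinary application code.
TRAIN = [
    ("<?php\nfunction add($a, $b) { return $a + $b; }\necho add(1, 2);\n", 0),
    ("<?php\nclass User {\n  public $name;\n  function __construct($n) { $this->name = $n; }\n}\n", 0),
    ("<?php\n$q = htmlspecialchars($_GET['q'] ?? '');\necho '<h1>Results for ' . $q . '</h1>';\n", 0),
    ("<?php\n$user = trim($_POST['user'] ?? '');\nif (!valid_user($user)) { http_response_code(403); }\n", 0),
    ("<?php\n$cfg = json_decode(base64_decode(file_get_contents('config.b64')), true);\n", 0),
    ("<?php\nsession_start();\nif (!isset($_SESSION['uid'])) { header('Location: /login'); exit; }\n", 0),
    ("<?php eval(base64_decode($_POST['c']));", 1),
    ("<?php if (isset($_GET['cmd'])) { echo shell_exec($_GET['cmd']); }", 1),
    ("<?php eval(gzinflate(base64_decode($_GET['z'])));", 1),
    ("<?php @assert($_COOKIE['k']); system($_GET['q']);", 1),
    ("<?php $c = $_REQUEST['c']; echo passthru($c); exec($c);", 1),
    ("<?php if ($_GET['p'] === 'secret') { eval(base64_decode($_POST['d'])); }", 1),
]
TEST = [
    ("<?php\necho 'Copyright ' . date('Y');\n", 0),
    # Benign, but exec() on a fixed string: the sink-only stump will flag it.
    ("<?php\n// deploy hook: fixed command, no request data\nexec('git pull --ff-only', $out);\nprint_r($out);\n", 0),
    # Shell with one sink and one superglobal: kNN ties it with benign form handlers.
    ("<?php $p = popen($_POST['run'], 'r'); echo fread($p, 4096); pclose($p);", 1),
    ("<?php eval(gzinflate(str_rot13(base64_decode($_POST['x']))));", 1),
]

def fit_knn(X, y, k=3):
    """k-nearest neighbours on raw counts; distance ties fall to training order."""
    def predict(x):
        near = sorted(range(len(X)),
                      key=lambda i: sum((a - b) ** 2 for a, b in zip(X[i], x)))[:k]
        return int(2 * sum(y[i] for i in near) > k)
    return predict

def fit_naive_bayes(X, y):
    """Bernoulli naive Bayes on feature-present bits with add-one smoothing."""
    rows = {c: [x for x, t in zip(X, y) if t == c] for c in (0, 1)}
    prob = {c: [(sum(x[j] > 0 for x in r) + 1) / (len(r) + 2) for j in range(len(X[0]))]
            for c, r in rows.items()}
    def predict(x):
        lp = {c: math.log(len(rows[c]) / len(X)) + sum(
            math.log(p if v > 0 else 1 - p) for v, p in zip(x, prob[c])) for c in (0, 1)}
        return int(lp[1] > lp[0])
    return predict

def fit_stump(X, y):
    """One-split decision tree: flag when feature f >= t, best (f, t) on training data."""
    cands = [(f, t) for f in range(len(X[0])) for t in sorted({x[f] for x in X})[1:]]
    f, t = max(cands, key=lambda ft: sum(int(x[ft[0]] >= ft[1]) == c for x, c in zip(X, y)))
    return lambda x: int(x[f] >= t)

def fit_ensemble(X, y):
    """Majority vote; the score (fraction voting 'shell') is what the EER sweep thresholds."""
    learners = [fit_knn(X, y), fit_naive_bayes(X, y), fit_stump(X, y)]
    return learners, lambda x: sum(m(x) for m in learners) / len(learners)

def equal_error_rate(benign_scores, shell_scores):
    """Sweep thresholds; EER is where false-positive and false-negative rates meet."""
    best = (2.0, None, None)
    for t in sorted(set(benign_scores) | set(shell_scores)):
        fpr = sum(s >= t for s in benign_scores) / len(benign_scores)
        fnr = sum(s < t for s in shell_scores) / len(shell_scores)
        if abs(fpr - fnr) < best[0]:
            best = (abs(fpr - fnr), (fpr + fnr) / 2, t)
    return best[1], best[2]

def evaluate(train=TRAIN, test=TEST):
    """Accuracy per learner and for the ensemble, plus ensemble EER and its threshold."""
    X, y = [features(s) for s, _ in train], [c for _, c in train]
    learners, score = fit_ensemble(X, y)
    hits, scores = [0, 0, 0, 0], {0: [], 1: []}
    for src, label in test:
        x = features(src)
        votes = [m(x) for m in learners]
        votes.append(int(2 * sum(votes) > len(learners)))
        hits = [h + int(v == label) for h, v in zip(hits, votes)]
        scores[label].append(score(x))
    eer, threshold = equal_error_rate(scores[0], scores[1])
    names = ("knn", "naive_bayes", "stump", "ensemble")
    return {n: h / len(test) for n, h in zip(names, hits)}, eer, threshold
```

Calling evaluate() on the constructed test set shows why the vote helps: the stump flags the benign fixed-command exec(), kNN misses the popen() shell because it ties with the benign form handlers at distance 1, naive Bayes gets both right, and the majority vote recovers both cases. The EER sweep then picks the score threshold at which the false-positive and false-negative rates meet; with four test files that is 2/3 with an EER of 0, which illustrates the computation only and says nothing about real-world performance.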

Keywords

Smart detection, Malicious web shell code, Data mining

Notes

Acknowledgment

This work is partially supported by China National Key Research and Development Program No. 2016YFB0800301 and National Natural Science Foundation of China No. 61872041.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China
