A high-performance Webshell detection model

Abstract

Webshell exists as a command execution environment in the form of a web page file, which is often referred to as a backdoor. After hacking a website, hackers usually upload it to the web directory of the web server and mix it with the normal web files, and then access the backdoor program through the browser, which can achieve the purpose of controlling the browser. Since there are many kinds of web backdoors in the form of asp, php, jsp or cgi files, here we choose the more popular php file as the research object. In this paper, the Webshell dataset comes from common Webshell samples on the Internet, and the white samples mainly use common open source software developed based on PHP. We use bag-of-words and TF-IDF models for feature extraction, and construct Webshell detection models based on the LightGBM algorithm. The results show that our model is more than 98% accurate and has higher performance in space and time compared to the current popular classification models.