PHP web shell detection through static analysis of AST using LSTM based deep learning

Web shells are used by attackers to maintain persistent access on a compromised web server. Attackers exploit commonly occurring vulnerabilities like SQL Injection, cross site scripting and uploads a web shell that can be used to execute commands or perform a host of other functions. Web shells are a post-exploitation tactic that allows an attacker to remotely access and possibly control an internet-facing server. A web shell may remain hidden and the attacker can silently use the web shell to maintain remote access to the web server. Common methods of detecting web shells include looking for common strings in PHP source files, analyzing logs etc. But such methods have high false positives as they consider any script with a particular string or a function to be a web shell without taking into account other features of a web shell. In this paper, a machine learning based approach is proposed for the detection of web shells written in PHP language. The proposed approach analyses the function call and the use of super global variables commonly used in PHP web shells using a deep learning technique. The proposed approach has the advantage that it has low false positives and can detect web shells with an accuracy of 0.97.