SmartDetect: A Smart Detection Scheme for Malicious Web Shell Codes via Ensemble Learning

  • Zijian Zhang
  • Meng Li
  • Liehuang Zhu
  • Xinyi Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11344)


The rapid global spread of web technology has led to an increase in unauthorized intrusions into computers and networks. Malicious web shell codes used by hackers can often cause extremely harmful consequences. However, the existing detection methods cannot precisely distinguish between the bad codes and the good codes. To solve this problem, we first detected the malicious web shell codes by applying traditional data mining algorithms: Support Vector Machine, K-Nearest Neighbor, Naive Bayes, Decision Tree, and Convolutional Neural Network. Then, we designed an ensemble learning classifier to further improve the accuracy. Our experimental analysis proved that the accuracy of SmartDetect—our proposed smart detection scheme for malicious web shell codes—was higher than the accuracy of Shell Detector and NeoPI on the dataset collected from GitHub. Also, the equal-error rate of the detection result of SmartDetect was lower than those of Shell Detector and NeoPI.


Keywords: Smart detection; Malicious web shell code; Data mining



This work is partially supported by China National Key Research and Development Program No. 2016YFB0800301 and National Natural Science Foundation of China No. 61872041.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China
