AI-Based Webshell Detection Model – Detailed Overview

While injection vulnerabilities are on the rise, Webshells have become a serious concern.

They allow attackers to gain unauthorized access and run malicious code on web servers

For the correct detection of webshells with various forms, obfuscation techniques, and stealthy features, it is necessary to identify unique characteristics that differentiate them from innocent data. 

The following cybersecurity researchers discovered that the AI and deep learning models can outperform traditional static and rule-based methods by using abstract features extracted from vectorized representations of code, opcodes, or network traffic:-

  • Mingrui Ma
  • Lansheng Han
  • Chunjie Zhou

However, an extensive examination of these AI-powered techniques should be conducted to understand their strengths, weaknesses, and future potential in fighting the ever-changing landscape of Webshells.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis

There has been a boom in artificial intelligence (AI) webshell detection recently, with every stage being optimized from data preparation to model creation. 

Techniques range from attention mechanisms and word embeddings to abstract syntax tree analysis, opcode vectorization, pattern matching, session modeling from weblogs, and ensembling static and dynamic features. 

Although these methods have surpassed traditional ones in terms of detection rate, they are still limited by their inflexible filtering rules and reliance on specific languages. 

Unknown approaches combine unclear matching with recurrent neural networks to identify key webshell behaviors relating to data transmission or execution across different implementations. 

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

To keep up with evolving webshell threats, feature engineering should be further improved while new model architectures must be designed for better detection accuracy and reliability.

Besides this, to mine feature languages, authors used 1-gram and 4-gram opcodes and selected features using algorithms with the same n-grams. 

They observed that integrating LR, SVM, MLP, and RF classifiers with weighted values to detect webshells caused slow detection speeds.

They also noted some limitations of both static and dynamic methods based on features consequently requiring a more complete set of these methods. 

The major challenges encountered were unbalanced datasets, irrelevant features, and limitations in the detection algorithm.

Data imbalances were resolved through de-duplication, SMOTE, and ensemble learning. 

Different deep learning approaches such as CNN and LSTM were tried out together with various fusion methods.

New techniques were designed to deal with issues like long script identification as well as feature engineering constraints taking into account privacy concerns surrounding data usage. 

However, problems remained related to performance comparison among different systems and the large amount of data required for processing purposes. 

Finally, at the source code level, where opcode conversion is limited, detection accuracy was found to be higher than any other level and layer according to them, but this might not always hold true.

The data representation for detecting webshells is still a topic of debate.

While source code contains more semantic information, it also encounters interlanguage problems, on the other hand, opcode, and static features can recognize new kinds at the cost of losing some data. 

ASTs and flow traffic information have been suggested as other options because they can overcome the limitations imposed by programming languages, but these require elaborate pre-processing steps. 

Although deep learning is good at capturing generalizations from concrete examples, it cannot handle very large inputs. 

It has been found that models trained on imbalanced datasets perform poorly when presented with new instances.

Therefore, industries need to work together to create fairer representations, which will lead to better AI training sets for future use.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.