What is it about?

The explosion of web services has been accompanied by the rapid development of dangerous cyberattack methods. Webshells are considered among the easiest and most persistent cyberattack methods targeting web servers in the last few years. Webshells are malicious scripts injected into web servers to gain illegal, persistent, remote access through simple and benign-looking HTTP requests. Through webshells, hackers can access confidential data, execute system commands and compromise more machines connected to the target server. All of those dangerous actions can be performed without being noticed by administrators and malware detectors. In this paper, we propose an ensemble learner model named RF-DNN2 for the detection of webshells written in the PHP scripting language. The proposed model combines the predictions of two deep neural network models and uses Random Forest as a stacking meta-classifier. The first deep neural network model is trained on the vectorized source code of webshells, and the second is trained on vectorized opcode sequences generated from the webshell sources. The individual deep neural network models and RF-DNN2 are compared with a set of traditional classifiers and other ensemble learners. The experiments show that the RF-DNN2 model has the best accuracy (98%) and macro F1-score (97.45%).

Read the Original

This page is a summary of: RF-DNN2: An ensemble learner for effective detection of PHP Webshells, November 2021, Institute of Electrical & Electronics Engineers (IEEE),
DOI: 10.1109/ai-csp52968.2021.9671226.