
ATBShellFinder: A Bytecode-Level Webshell Detector Based on Adversarial Training
Author(s) - Yuan Zhang, Daofeng Li, Yuqin Xie, Guoren Xiong
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3575263
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
A webshell is a malicious server-side script that attackers can upload to a server to execute commands, steal sensitive data, and maintain persistent access. With the rapid evolution of evasion techniques, existing detection methods fail to effectively capture the contextual semantics and abstract features of webshell variants. This allows some webshells to evade detection and cause significant damage to target systems. To address these challenges, this study proposes ATBShellFinder, an enhanced detection framework based on adversarial training. ATBShellFinder applies adversarial training techniques from computer vision to the embedding layer of the Bidirectional Encoder Representations from Transformers (BERT) to generate adversarial word embeddings. These adversarial embeddings are then combined with normal embeddings for model training, significantly improving the robustness and generalization of the model even with limited webshell samples. Furthermore, the framework performs detection at the bytecode level, which can effectively mitigate the interference of encryption and obfuscation, and introduces a bidirectional long short-term memory network (BiLSTM) as the detector. To validate the generalizability of the method, experiments were conducted on two widely used web programming languages. Experimental results demonstrate that ATBShellFinder achieves detection accuracy of 99.07% for PHP-based webshells and 98.97% for Java-based webshells, outperforming existing detection models and tools.