{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,16]],"date-time":"2026-07-16T21:37:24Z","timestamp":1784237844256,"version":"3.55.0"},"reference-count":35,"publisher":"Oxford University Press (OUP)","issue":"5","license":[{"start":{"date-parts":[[2022,4,12]],"date-time":"2022-04-12T00:00:00Z","timestamp":1649721600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"funder":[{"name":"Key Project of Sichuan Science and Technology Bureau","award":["2022YFG0182"],"award-info":[{"award-number":["2022YFG0182"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61872254"],"award-info":[{"award-number":["61872254"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62162057"],"award-info":[{"award-number":["62162057"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Project of Sichuan & ZiGong","award":["2020CDZG-18-SCU"],"award-info":[{"award-number":["2020CDZG-18-SCU"]}]},{"name":"Guangxi Key Laboratory of Cryptography, Information Security","award":["GCIS201914"],"award-info":[{"award-number":["GCIS201914"]}]},{"name":"Sichuan Police Propaganda and Public Opinion Research Center","award":["SPPPORC2021002"],"award-info":[{"award-number":["SPPPORC2021002"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5,19]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>A web shell is a backdoor used by hackers to control Web servers and perform privilege escalation, and thus it is crucial to detect web shells effectively. However, the detection of obfuscated web shells has always been a challenge. Inspired by adversarial training methods in the field of computer vision, this paper proposes a generative adversarial network (GAN)-based web shell detection model training framework. Since there has been no method that can generate obfuscated web shells effectively, a generator based on the genetic algorithm, which combines and optimizes the pre-set obfuscation methods, is used to obtain new obfuscation combinations and generate obfuscated samples. The whole proposed framework is named the CWSOGG. When training the detection model, the generator generates web shells that can bypass the discriminator, and the discriminator catches the features of obfuscated samples. Through the adversarial training of the discriminator and generator, the detection model improves its ability to detect obfuscated web shells. To verify the proposed framework is flexible to different models, the discriminator based on four main neural networks has been implemented. Meanwhile, to build complete feature extraction models, both statistical and semantic features are extracted. Due to the lack of web shell data, a clean dataset containing 4,375 web shells is constructed and used to evaluate the CWSOGG. The results have shown that the detection accuracy of each model increases by 86.71% on the generated obfuscated web shells on average and by 7.50% on the simulated real-world obfuscated web shells on average.<\/jats:p>","DOI":"10.1093\/comjnl\/bxac040","type":"journal-article","created":{"date-parts":[[2022,3,16]],"date-time":"2022-03-16T12:10:20Z","timestamp":1647432620000},"page":"1295-1309","source":"Crossref","is-referenced-by-count":4,"title":["CWSOGG: Catching Web Shell Obfuscation Based on Genetic Algorithm and Generative Adversarial Network"],"prefix":"10.1093","volume":"66","author":[{"given":"Bo","family":"Pang","sequence":"first","affiliation":[{"name":"School of Cyber Science and Engineering , Sichuan University, Chengdu 610065, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Gang","family":"Liang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering , Sichuan University, Chengdu 610065, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jin","family":"Yang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering , Sichuan University, Chengdu 610065, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yijing","family":"Chen","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering , Sichuan University, Chengdu 610065, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xinyi","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering , Sichuan University, Chengdu 610065, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wenbo","family":"He","sequence":"additional","affiliation":[{"name":"Department of Computing and Software , McMaster University, Hamilton, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2022,4,12]]},"reference":[{"key":"2023052000434497600_ref1","doi-asserted-by":"crossref","first-page":"1021","DOI":"10.1145\/2872427.2882992","article-title":"No honor among thieves: A large-scale analysis of malicious web shells","volume-title":"Proceedings of the 25th International Conference on World Wide Web","author":"Starov","year":"2016"},{"key":"2023052000434497600_ref2","volume-title":"Ghost in the shell: Investigating web shell attacks","author":"Microsoft"},{"key":"2023052000434497600_ref3","volume-title":"annual security review","author":"SiteLock","year":"2020"},{"key":"2023052000434497600_ref4","article-title":"Rips-a static source code analyser for vulnerabilities in php scripts","volume-title":"Seminar Work (Seminer \u00c7alismasi). Horst G\u00f6rtz Institute Ruhr-University Bochum","author":"Dahse","year":"2010"},{"key":"2023052000434497600_ref5","first-page":"989","article-title":"Static detection of Second-Order vulnerabilities in web applications","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Dahse","year":"2014"},{"key":"2023052000434497600_ref6","doi-asserted-by":"crossref","first-page":"1849","DOI":"10.1145\/3319535.3363199","article-title":"Malmax: Multi-aspect execution for automated dynamic web server malware analysis","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security","author":"Naderi-Afooshteh","year":"2019"},{"key":"2023052000434497600_ref7","doi-asserted-by":"crossref","DOI":"10.1155\/2019\/3093809","article-title":"Session-based webshell detection using machine learning in web logs","volume":"2019","author":"Wu","year":"2019","journal-title":"Security and Communication Networks"},{"key":"2023052000434497600_ref8","doi-asserted-by":"crossref","first-page":"579","DOI":"10.1109\/IS3C.2016.149","article-title":"Lexical analysis for the webshell attacks","volume-title":"2016 International Symposium on Computer, Consumer and Control (IS3C)","author":"Deng","year":"2016"},{"key":"2023052000434497600_ref9","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2019.101595","article-title":"Shellbreaker: Automatically detecting php-based malicious web shells","volume":"87","author":"Li","year":"2019","journal-title":"Comput. Secur."},{"key":"2023052000434497600_ref10","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1145\/3194452.3194470","article-title":"Detecting webshell based on random forest with fasttext","volume-title":"Proceedings of the 2018 International Conference on Computing and Artificial Intelligence","author":"Fang","year":"2018"},{"key":"2023052000434497600_ref11","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1109\/DSC.2018.00030","article-title":"Webshell detection based on random forest\u2013gradient boosting decision tree algorithm","volume-title":"2018 IEEE Third International Conference on Data Science in Cyberspace (DSC)","author":"Cui","year":"2018"},{"key":"2023052000434497600_ref12","doi-asserted-by":"crossref","first-page":"196","DOI":"10.1007\/978-3-030-05755-8_20","article-title":"Smartdetect: a smart detection scheme for malicious web shell codes via ensemble learning","volume-title":"International Conference on Smart Computing and Communication","author":"Zhang","year":"2018"},{"key":"2023052000434497600_ref13","doi-asserted-by":"crossref","first-page":"12","DOI":"10.3390\/fi12010012","article-title":"Mitigating webshell attacks through machine learning techniques","volume":"12","author":"Guo","year":"2020","journal-title":"Future Internet"},{"key":"2023052000434497600_ref14","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ICMCIS.2019.8842705","article-title":"Training a multi-criteria decision system and application to the detection of php webshells","volume-title":"2019 International Conference on Military Communications and Information Systems (ICMCIS)","author":"Croix","year":"2019"},{"key":"2023052000434497600_ref15","doi-asserted-by":"crossref","first-page":"75785","DOI":"10.1109\/ACCESS.2020.2989304","article-title":"Ws-lsmr: malicious webshell detection algorithm based on ensemble learning","volume":"8","author":"Ai","year":"2020","journal-title":"IEEE Access"},{"key":"2023052000434497600_ref16","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1145\/3171592.3171593","article-title":"Cnn-webshell: malicious web shell detection with convolutional neural network","volume-title":"Proceedings of the 2017 VI International Conference on Network, Communication and Computing","author":"Tian","year":"2017"},{"key":"2023052000434497600_ref17","doi-asserted-by":"crossref","first-page":"283","DOI":"10.1145\/3195106.3195107","article-title":"Evaluating cnn and lstm for web attack detection","volume-title":"Proceedings of the 2018 10th International Conference on Machine Learning and Computing","author":"Wang","year":"2018"},{"key":"2023052000434497600_ref18","first-page":"408","article-title":"Webshell detection model based on deep learning","volume-title":"International Conference on Artificial Intelligence and Security","author":"Tao","year":"2019"},{"key":"2023052000434497600_ref19","first-page":"73","article-title":"Automatic and accurate detection of webshell based on convolutional neural network","volume-title":"China Cyber Security Annual Conference","author":"Lv","year":"2018"},{"key":"2023052000434497600_ref20","doi-asserted-by":"crossref","first-page":"185140","DOI":"10.1109\/ACCESS.2019.2959950","article-title":"Webshell detection based on the word attention mechanism","volume":"7","author":"Li","year":"2019","journal-title":"IEEE Access"},{"key":"2023052000434497600_ref21","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014"},{"key":"2023052000434497600_ref22","volume-title":"Adversarial examples in the physical world","author":"Kurakin","year":"2016"},{"key":"2023052000434497600_ref23","first-page":"2574","article-title":"Deepfool: a simple and accurate method to fool deep neural networks","author":"Moosavi-Dezfooli","year":"2016","journal-title":"Proceedings of the IEEE conference on computer vision and pattern recognition"},{"key":"2023052000434497600_ref24","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1109\/SP.2017.49","article-title":"Towards evaluating the robustness of neural networks","volume-title":"2017 ieee symposium on security and privacy (sp)","author":"Carlini","year":"2017"},{"key":"2023052000434497600_ref25","doi-asserted-by":"crossref","DOI":"10.24963\/ijcai.2018\/543","article-title":"Generating adversarial examples with adversarial networks","author":"Xiao","year":"2018"},{"key":"2023052000434497600_ref26","article-title":"Learning to evade static pe machine learning malware models via reinforcement learning","author":"Anderson","year":"1801"},{"key":"2023052000434497600_ref27","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1109\/INFOMAN.2019.8714698","article-title":"Armed: How automatic malware modifications can evade static detection?","volume-title":"2019 5th International Conference on Information Management (ICIM)","author":"Castro","year":"2019"},{"key":"2023052000434497600_ref28","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/SPW.2018.00020","article-title":"Adversarial deep learning for robust detection of binary encoded malware","volume-title":"2018 IEEE Security and Privacy Workshops (SPW)","author":"Al-Dujaili","year":"2018"},{"key":"2023052000434497600_ref29","article-title":"Fence: Feasible evasion attacks on neural networks in constrained environments","author":"Chernikova","year":"2019"},{"key":"2023052000434497600_ref30","doi-asserted-by":"crossref","first-page":"1513","DOI":"10.1145\/3449726.3463125","article-title":"Ai programmer: autonomously creating software programs using genetic algorithms","author":"Becker","year":"2021","journal-title":"Proceedings of the Genetic and Evolutionary Computation Conference Companion"},{"key":"2023052000434497600_ref31","first-page":"27","article-title":"Generative adversarial nets","volume-title":"Advances in neural information processing systems","author":"Goodfellow","year":"2014"},{"key":"2023052000434497600_ref32","volume-title":"The genetic and evolutionary algorithm toolbox for python","author":"G. core team, G"},{"key":"2023052000434497600_ref33","first-page":"2021","article-title":"Webshell detection based on executable data characteristics of php code","author":"Pan","year":"2021","journal-title":"Wireless communications and mobile computing"},{"key":"2023052000434497600_ref34","article-title":"Dos and don\u2019ts of machine learning in computer security","volume-title":"Proc. of the USENIX Security Symposium","author":"Arp","year":"2022"},{"key":"2023052000434497600_ref35","doi-asserted-by":"crossref","first-page":"2182","DOI":"10.1109\/IJCNN.2016.7727469","article-title":"Tackling class imbalance with ranking","volume-title":"2016 International joint conference on neural networks (IJCNN)","author":"Cruz","year":"2016"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/66\/5\/1295\/50397640\/bxac040.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/66\/5\/1295\/50397640\/bxac040.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,5,20]],"date-time":"2023-05-20T00:46:02Z","timestamp":1684543562000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/66\/5\/1295\/6566841"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,12]]},"references-count":35,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2022,4,12]]},"published-print":{"date-parts":[[2023,5,19]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxac040","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2023,5]]},"published":{"date-parts":[[2022,4,12]]}}}