{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T18:07:20Z","timestamp":1772042840178,"version":"3.50.1"},"reference-count":27,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2020,1,14]],"date-time":"2020-01-14T00:00:00Z","timestamp":1578960000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>A webshell is a command execution environment in the form of web pages. It is often used by attackers as a backdoor tool for web server operations. Accurately detecting webshells is of great significance to web server protection. Most security products detect webshells based on feature-matching methods\u2014matching input scripts against pre-built malicious code collections. The feature-matching method has a low detection rate for obfuscated webshells. However, with the help of machine learning algorithms, webshells can be detected more efficiently and accurately. In this paper, we propose a new PHP webshell detection model, the NB-Opcode (na\u00efve Bayes and opcode sequence) model, which is a combination of na\u00efve Bayes classifiers and opcode sequences. Through experiments and analysis on a large number of samples, the experimental results show that the proposed method could effectively detect a range of webshells. Compared with the traditional webshell detection methods, this method improves the efficiency and accuracy of webshell detection.<\/jats:p>","DOI":"10.3390\/fi12010012","type":"journal-article","created":{"date-parts":[[2020,1,15]],"date-time":"2020-01-15T10:30:27Z","timestamp":1579084227000},"page":"12","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":29,"title":["Mitigating Webshell Attacks through Machine Learning Techniques"],"prefix":"10.3390","volume":"12","author":[{"given":"You","family":"Guo","sequence":"first","affiliation":[{"name":"School of Computing Science and Engineering, Xi\u2019an Technological University, Xi\u2019an 710021, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6976-5763","authenticated-orcid":false,"given":"Hector","family":"Marco-Gisbert","sequence":"additional","affiliation":[{"name":"School of Computing, Engineering and Physical Sciences, University of the West of Scotland, High Street, Paisley PA1 2BE, UK"}]},{"given":"Paul","family":"Keir","sequence":"additional","affiliation":[{"name":"School of Computing, Engineering and Physical Sciences, University of the West of Scotland, High Street, Paisley PA1 2BE, UK"}]}],"member":"1968","published-online":{"date-parts":[[2020,1,14]]},"reference":[{"key":"ref_1","unstructured":"Acunetix (2019, August 14). Web Application Vulnerability Report 2019. Available online: https:\/\/cdn2.hubspot.net\/hubfs\/4595665\/Acunetix_web_application_vulnerability_report_2019.pdf."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Dinh Tu, T., Guang, C., Xiaojun, G., and Wubin, P. (2014, January 11\u201313). Webshell detection techniques in web applications. Proceedings of the Fifth International Conference on Computing, Communications and Networking Technologies (ICCCNT), Hefei, China.","DOI":"10.1109\/ICCCNT.2014.6963152"},{"key":"ref_3","first-page":"229","article-title":"WebSHArk 1.0: A Benchmark Collection for Malicious Web Shell Detection","volume":"11","author":"Kim","year":"2015","journal-title":"J. Inf. Process. Syst."},{"key":"ref_4","unstructured":"Oleksii, S., Ahmad, J., Sharique, S., Thorsten, H., and Nick, N. (2016, January 11\u201315). No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells. Proceedings of the 25th International Conference on World Wide Web (WWW \u201916), Montreal, QC, Canada."},{"key":"ref_5","unstructured":"Jing, Y., Liming, W., and Zhen, X. (2018). A Novel Semantic-Aware Approach for Detecting Malicious Web Traffic. Information and Communications Security, Springer International Publishing."},{"key":"ref_6","unstructured":"RSA (2019, June 07). Webshell. Available online: https:\/\/www.rsa.com\/content\/dam\/en\/solution-brief\/asoc-threat-solution-series-webshells.pdf."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"829","DOI":"10.3758\/BF03196342","article-title":"Comparing supervised and unsupervised category learning","volume":"9","author":"Bradley","year":"2002","journal-title":"Psychon. Bull. Rev."},{"key":"ref_8","unstructured":"(2019, August 14). Shelldetector. Available online: https:\/\/www.shelldetector.com."},{"key":"ref_9","unstructured":"Zhuohang, L., Hanbing, Y., and Rui, M. (2019). Automatic and Accurate Detection of Webshell Based on Convolutional Neural Network. Cyber Security, Springer Singapore."},{"key":"ref_10","first-page":"5","article-title":"Research of Linux WebShell Detection based on SVM Classifier","volume":"5","author":"Zheng","year":"2014","journal-title":"Netinfo Secur."},{"key":"ref_11","unstructured":"Jiankang, H., Zhen, X., Duohe, M., and Jing, Y. (2012). Research of Webshell Detection Based on Decision Tree. J. Netw. New Media, 6."},{"key":"ref_12","unstructured":"Quinlan, J.R. (1993). C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers Inc."},{"key":"ref_13","first-page":"924","article-title":"Black box detection of webshell based on support vector machine","volume":"47","author":"Ye","year":"2015","journal-title":"J. Netw. New Media"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Jia, W., Hu, R., and Shi, F. (2016, January 21\u201323). Feature Design and Selection Based on Web Application-Oriented Active Threat Awareness Model. Proceedings of the 2016 Sixth International Conference on Instrumentation Measurement, Computer, Communication and Control (IMCCC), Harbin, China.","DOI":"10.1109\/IMCCC.2016.64"},{"key":"ref_15","unstructured":"Wenchuan, Y., Bang, S., and Baojiang, C. (2018). A Webshell Detection Technology Based on HTTP Traffic Analysis. Innovative Mobile and Internet Services in Ubiquitous Computing, Proceedings of the 11th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS-2017), Springer International Publishing."},{"key":"ref_16","first-page":"11","article-title":"Webshell Detection Method Research Based on Web Log","volume":"2","author":"Liuyang","year":"2016","journal-title":"J. Netw. New Media"},{"key":"ref_17","unstructured":"Xin, S., Xindai, L., and Hua, D. (2017). A Matrix Decomposition Based Webshell Detection Method. Proceedings of the 2017 International Conference on Cryptography, Security and Privacy (ICCSP \u201917), Wuhan, China, 5 January 2017, ACM."},{"key":"ref_18","first-page":"62","article-title":"The Research and Improvement in the Detection of PHP Variable WebShell based on Information Entropy","volume":"28","author":"Wang","year":"2016","journal-title":"J. Comput."},{"key":"ref_19","first-page":"81","article-title":"A Method of Detecting Webshell Based on Multi-layer Perception","volume":"2","author":"Wang","year":"2019","journal-title":"Acad. J. Comput. Inf. Sci."},{"key":"ref_20","unstructured":"FORENSICS (2019, August 14). Neopi. Available online: https:\/\/resources.infosecinstitute.com\/web-shell-detection."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Cui, H., Huang, D., Fang, Y., Liu, L., and Huang, C. (2018, January 18\u201321). Webshell Detection Based on Random Forest\u2013Gradient Boosting Decision Tree Algorithm. Proceedings of the 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC), Guangzhou, China.","DOI":"10.1109\/DSC.2018.00030"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Croix, A., Debatty, T., and Mees, W. (2019, January 14\u201315). Training a multi-criteria decision system and application to the detection of PHP webshells. Proceedings of the 2019 International Conference on Military Communications and Information Systems (ICMCIS), Budva, Montenegro.","DOI":"10.1109\/ICMCIS.2019.8842705"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Wrench, P.M., and Irwin, B.V.W. (2015, January 12\u201313). Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis. Proceedings of the 2015 Information Security for South Africa (ISSA), Johannesburg, South Africa.","DOI":"10.1109\/ISSA.2015.7335066"},{"key":"ref_24","unstructured":"KALI (2019, August 14). Weevely. Available online: https:\/\/tools.kali.org\/maintaining-access\/weevely."},{"key":"ref_25","unstructured":"OWASP (2019, August 14). RFI Vulnerability. Available online: https:\/\/www.owasp.org\/index.php\/Testing_for_Remote_File_Inclusion."},{"key":"ref_26","unstructured":"Igor, S., Felix, B., Javier, N., Yoseba, P., Borja, S., Carlos, L., and Pablo, B. (2010). Idea: Opcode-Sequence-Based Malware Detection. Engineering Secure Software and Systems, Springer."},{"key":"ref_27","unstructured":"php.net (2019, August 14). VLD. Available online: http:\/\/pecl.php.net\/package\/vld."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/12\/1\/12\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T13:43:02Z","timestamp":1760362982000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/12\/1\/12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,14]]},"references-count":27,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2020,1]]}},"alternative-id":["fi12010012"],"URL":"https:\/\/doi.org\/10.3390\/fi12010012","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,1,14]]}}}