
Academic Journal of Computing & Information Science, 2019, 2(1); doi: 10.25236/AJCIS.010021.

A Method of Detecting Webshell Based on Multi-layer Perception

Author(s)

Zihao Wang¹, Jingjing Yang¹, Mengjie Dai¹, Ruoyu Xu², and Xiujuan Liang¹

Corresponding Author:

Zihao Wang

Affiliation(s)

1. School of Cybersecurity, Chengdu University of Information Technology, Shuangliu District, Chengdu, Sichuan Province, 610225, China
2. University of Toronto Mississauga Campus, University of Toronto, Mississauga, Ontario, L5L 1C6, Canada

Abstract

WebShell is a commonly used tool for network intrusion, characterized by high concealment and great harm. Existing WebShell detection methods achieve high detection accuracy on known WebShells, but their accuracy is low when facing complex, flexible unknown and variant WebShells. To solve this problem, a WebShell detection method based on a Multi-Layer Perceptron (MLP) neural network is proposed. First, the sample source code is converted into sample byte code by a compiler tool, and the sample byte code is then divided into byte code sequences using Bi-Gram. Second, TF-IDF is used to calculate the word frequency matrix, and on this basis the feature matrix of the training sample set is selected. Finally, the detection model is obtained through multi-layer neural network training. The experimental results indicate that, compared with existing methods, the constructed detection model can significantly improve the detection accuracy, accuracy, and recall rate, and the detection accuracy on unknown and variant samples can reach over 90%.
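The pipeline the abstract outlines (Bi-Gram split of byte code, TF-IDF weighting, MLP classifier), as an added example that is not the authors' code. It assumes the byte code is already available as opcode sequences (the sequences and opcode names here are constructed), weights every bigram without a separate feature-selection step, and uses a one-hidden-layer network whose size and learning rate are assumptions.

```python
import math, random
# Constructed opcode sequences (1 = webshell-like, 0 = benign); illustrative, not real samples.
TRAIN = [
    ("FETCH_R FETCH_DIM_R INCLUDE_OR_EVAL RETURN", 1),
    ("FETCH_R FETCH_DIM_R SEND_VAR DO_FCALL INCLUDE_OR_EVAL RETURN", 1),
    ("FETCH_R FETCH_DIM_R ASSIGN INCLUDE_OR_EVAL RETURN", 1),
    ("ASSIGN CONCAT ECHO RETURN", 0),
    ("INIT_FCALL SEND_VAR DO_FCALL ASSIGN ECHO RETURN", 0),
    ("ASSIGN ASSIGN CONCAT ECHO ECHO RETURN", 0),
]

def bigrams(seq):  # split an opcode sequence into overlapping 2-grams
    ops = seq.split()
    return [ops[i] + ">" + ops[i + 1] for i in range(len(ops) - 1)]

def fit_idf(docs):  # smoothed inverse document frequency per training bigram
    n, vocab = len(docs), sorted({g for d in docs for g in d})
    return {g: math.log((1 + n) / (1 + sum(g in d for d in docs))) + 1 for g in vocab}

def tfidf(seq, idf):  # L2-normalised TF-IDF vector; unseen bigrams are ignored
    doc = bigrams(seq)
    vec = [doc.count(g) * w for g, w in idf.items()]
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]

def forward(model, x):  # tanh hidden layer, sigmoid output
    W1, b1, W2, b2 = model
    h = [math.tanh(sum(w * v for w, v in zip(row, x)) + b) for row, b in zip(W1, b1)]
    return h, 1 / (1 + math.exp(-(sum(w * a for w, a in zip(W2, h)) + b2[0])))

def train_mlp(X, y, hidden=4, epochs=300, lr=0.5, seed=0):  # plain SGD, cross-entropy
    rnd = random.Random(seed)
    W1 = [[rnd.uniform(-0.5, 0.5) for _ in X[0]] for _ in range(hidden)]
    model = (W1, [0.0] * hidden, [rnd.uniform(-0.5, 0.5) for _ in range(hidden)], [0.0])
    for _ in range(epochs):
        for x, t in zip(X, y):
            h, p = forward(model, x)
            d = p - t  # gradient of the loss w.r.t. the output pre-activation
            for j in range(hidden):
                dh = d * model[2][j] * (1 - h[j] ** 2)  # uses W2[j] before its update
                model[2][j] -= lr * d * h[j]
                model[1][j] -= lr * dh
                W1[j] = [w - lr * dh * v for w, v in zip(W1[j], x)]
            model[3][0] -= lr * d
    return model

IDF = fit_idf([bigrams(s) for s, _ in TRAIN])
MODEL = train_mlp([tfidf(s, IDF) for s, _ in TRAIN], [t for _, t in TRAIN])
def score(seq):  # probability that an opcode sequence is a webshell
    return forward(MODEL, tfidf(seq, IDF))[1]
```

A sequence absent from the training set, such as `FETCH_R FETCH_DIM_R CONCAT INCLUDE_OR_EVAL RETURN`, still scores as a webshell because it shares bigrams with the training webshells even though the full sequence is new.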

Keywords

Multi-layer perception, WebShell, machine learning, cyber security, intrusion detection

Cite This Paper

Zihao Wang, Jingjing Yang, Mengjie Dai, Ruoyu Xu, and Xiujuan Liang, A Method of Detecting Webshell Based on Multi-layer Perception. Academic Journal of Computing & Information Science (2019) Vol. 2: 81-91. https://doi.org/10.25236/AJCIS.010021.
