Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Chengfeng Dong,Daofeng Li

DOI: https://doi.org/10.3390/electronics13081482

IF: 2.9

2024-04-13

Electronics

Abstract:Webshell is a kind of web-language-based website backdoor, which is usually used by attackers to control web servers. Due to its dangerous nature, how to detect Webshell effectively has become a hot research topic in current Web security research. With the rapid development of Webshell evasion technology, the existing Webshell detection methods have the problem of insufficient ability to detect unknown Webshells. In order to solve the above problems and achieve effective Webshell detection, this study proposes a Webshell detection method based on the abstract syntax tree (AST) and deep forest (DF) model called AST-DF. AST-DF first extracts the abstract syntax tree from the PHP code; then, the abstract syntax tree sequence is feature extracted and vectorized using N-gram and TF-IDF. Finally, the vectors are imported into the deep forest model for classification to determine whether the PHP code to be detected is a Webshell or not. The experimental results show that AST-DF achieves remarkable effects in the task of detecting PHP-type Webshells, with a 99.61% accuracy rate, and the values of precision, recall, and F1 score are more than 99%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Pengbin Feng,Dawei Wei,Qiaoyang Li,Qin Wang,Youbing Hu,Ning Xi,Jianfeng Ma

DOI: https://doi.org/10.1016/j.comnet.2024.110406

IF: 5.493

2024-04-12

Computer Networks

Abstract:With the explosive growth of the Industrial Internet scale, cyberattacks targeting industrial control systems also increased. The management and operation of Industrial Internet are usually performed via web servers which retain a large attack surface. In the Industrial Internet, attackers usually exploit vulnerabilities to inject malicious codes for remotely executing commands, stealing confidential data, and invading web servers. Existing approaches capture statistical and contextual dependence information from Webshell using machine learning (ML) or deep learning (DL) algorithms. However, the semantic feature mining of program code within Weshell is not sufficient when entering new types of Webshell. In this paper, we propose a graph learning-based PHP Webshell detection framework, GlareShell, using the word embedding technique, a risk weight allocation mechanism, and the graph neural network (GNN). First, GlareShell leverages static analysis to extract interprocedural control flow graphs (ICFGs) from PHP script files and then prunes these ICFGs to remove noisy statements. Then, word embedding techniques are employed to generate semantic representations from PHP statements. Next, we design a risk weight allocation mechanism to derive the risk levels of statements and concatenate them with word embeddings as attributions. The identified risk levels could guide the passing of potential attack patterns inside GNN models. Finally, GlareShell builds a GNN classifier directly from the ICFG with corresponding node attributions to identify the malicious PHP scripts. Experiment results on collected datasets prove the promise of our graph learning framework in the Webshell detection domain.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Ao Pu,Xia Feng,Yuhan Zhang,Xuelin Wan,Jiaxuan Han,Cheng Huang

DOI: https://doi.org/10.1155/2022/4315829

IF: 1.968

2022-09-01

Security and Communication Networks

Abstract:Webshell is a malicious program that might result in data theft, file modification, or other damaging behaviors once uploaded to a server. Detecting webshells is a key security concern for website administrators. In recent years, techniques such as obfuscation and encryption have been deployed on webshell technology, and classic detection approaches such as static feature matching are gradually underperforming on webshell detection. Meanwhile, there are variations between languages such as JSP and PHP, and researchers have proposed webshell detection methods primarily for languages such as PHP. At the same time, there are fewer detection techniques for JSP webshells. In this case, a detection approach for the JSP webshells is needed. This paper provides a novel webshell detection model for the JSP language. The model's fundamental premise is that it introduces the BERT-based word vector extraction method, which has been shown in experiments to be more effective at detecting obfuscation, encryption, and other means of evading detection than the traditional Word2vec word vector extraction method. Meanwhile, we introduce the XGBoost algorithm as the model classifier. The experimental results reveal that present model has achieved 99.14% accuracy, 98.68% precision, 98.03% recall, and 98.35% f1 score, and the overall effect is better than the already existing JSP webshell detection approaches.

computer science, information systems,telecommunications

Hisham Alasmary,Afsah Anwar,Ahmed Abusnaina,Abdulrahman Alabduljabbar,Mohammed Abuhamad,An Wang,Daehun Nyang,Amro Awad,David Mohaisen

DOI: https://doi.org/10.1109/jiot.2021.3086398

IF: 10.6

2022-02-15

IEEE Internet of Things Journal

Abstract:The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform various functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use them for malicious activities. With access to Internet of Things (IoT) devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., Distributed Denial of Service. In this work, we provide a first look at the tasks managed by shell commands in Linux-based IoT malware toward detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, ShellCore, to detect malicious shell commands. Namely, we collected a large data set of shell commands, including malicious commands extracted from 2891 IoT malware samples and benign commands collected from real-world network traffic analysis and volunteered data from Linux users. Using conventional machine and deep learning-based approaches trained with a term- and character-level features, ShellCore is shown to achieve an accuracy of more than 99% in detecting malicious shell commands and files (i.e., binaries).

computer science, information systems,telecommunications,engineering, electrical & electronic

Hisham Alasmary,Afsah Anwar,Ahmed Abusnaina,Abdulrahman Alabduljabbar,Mohammad Abuhamad,An Wang,DaeHun Nyang,Amro Awad,David Mohaisen

DOI: https://doi.org/10.48550/arXiv.2103.14221

2021-03-26

Cryptography and Security

Abstract:The Linux shell is a command-line interpreter that provides users with a command interface to the operating system, allowing them to perform a variety of functions. Although very useful in building capabilities at the edge, the Linux shell can be exploited, giving adversaries a prime opportunity to use them for malicious activities. With access to IoT devices, malware authors can abuse the Linux shell of those devices to propagate infections and launch large-scale attacks, e.g., DDoS. In this work, we provide a first look at shell commands used in Linux-based IoT malware towards detection. We analyze malicious shell commands found in IoT malware and build a neural network-based model, ShellCore, to detect malicious shell commands. Namely, we collected a large dataset of shell commands, including malicious commands extracted from 2,891 IoT malware samples and benign commands collected from real-world network traffic analysis and volunteered data from Linux users. Using conventional machine and deep learning-based approaches trained with term- and character-level features, ShellCore is shown to achieve an accuracy of more than 99% in detecting malicious shell commands and files (i.e., binaries).

Mingrui Ma,Lansheng Han,Chunjie Zhou

2024-04-28

Abstract:Webshell, as the "culprit" behind numerous network attacks, is one of the research hotspots in the field of cybersecurity. However, the complexity, stealthiness, and confusing nature of webshells pose significant challenges to the corresponding detection schemes. With the rise of Artificial Intelligence (AI) technology, researchers have started to apply different intelligent algorithms and neural network architectures to the task of webshell detection. However, the related research still lacks a systematic and standardized methodological process, which is confusing and redundant. Therefore, following the development timeline, we carefully summarize the progress of relevant research in this field, dividing it into three stages: Start Stage, Initial Development Stage, and In-depth Development Stage. We further elaborate on the main characteristics and core algorithms of each stage. In addition, we analyze the pain points and challenges that still exist in this field and predict the future development trend of this field from our point of view. To the best of our knowledge, this is the first review that details the research related to AI-based webshell detection. It is also hoped that this paper can provide detailed technical information for more researchers interested in AI-based webshell detection tasks.

Cryptography and Security,Artificial Intelligence

Yao Wang,Wan‐dong Cai,Peng‐cheng Wei,Wan-dong Cai,Peng-cheng Wei

DOI: https://doi.org/10.1002/sec.1441

IF: 1.968

2016-02-11

Security and Communication Networks

Abstract:Abstract Malicious JavaScript code in webpages on the Internet is an emergent security issue because of its universality and potentially severe impact. Because of its obfuscation and complexities, detecting it has a considerable cost. Over the last few years, several machine learning‐based detection approaches have been proposed; most of them use shallow discriminating models with features that are constructed with artificial rules. However, with the advent of the big data era for information transmission, these existing methods already cannot satisfy actual needs. In this paper, we present a new deep learning framework for detection of malicious JavaScript code, from which we obtained the highest detection accuracy compared with the control group. The architecture is composed of a sparse random projection, deep learning model, and logistic regression. Stacked denoising auto‐encoders were used to extract high‐level features from JavaScript code; logistic regression as a classifier was used to distinguish between malicious and benign JavaScript code. Experimental results indicated that our architecture, with over 27 000 labeled samples, can achieve an accuracy of up to 95%, with a false positive rate less than 4.2% in the best case. Copyright © 2016 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications

Bocheng Zhang,Liang Chen,Jie Li

DOI: https://doi.org/10.1109/CBFD52659.2021.00048

2021-04-01

Abstract:At present, there are some security risks existing in power web system, such as large number of systems, low efficiency of vulnerability identification, poor intelligence level of vulnerability penetration and so on. To solve the problems, this paper studies parallel crawler and multithreaded crawler scanning technology to effectively improve the code and data crawling speed of power web system, so as to improve the efficiency of vulnerability scanning identification. Furthermore, the paper studies the decision-making selection technology of vulnerability feature pattern recognition and vulnerability intelligent detection model of power web system based on LSTM, breaks through the key technologies of semi-automatic outlier sample detection and intelligent vulnerability location and identification, effectively improves the efficiency of vulnerability location and identification, and reduces the labor cost in the process of data processing. Then, based on neural network algorithm, combined with expert experience and exploitation characteristics, the combination rules of parallel and chain are trained. Finally, the deep neural network algorithm is used to judge the feasibility of vulnerability exploitation path, eliminate those paths that cannot be successfully attacked, and improve the success of vulnerability exploitation, so as to improve the ability of intelligent discovery of vulnerability risks.

Engineering,Computer Science

Aidong Xu,Lin Chen,Xiaoyun Kuang,Huahui Lv,Hang Yang,Yixin Jiang,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00021

2020-01-01

Abstract:In recent years, malicious programs seriously threaten the security of information system. Because of its particularity, complexity and vulnerability, power information system is difficult to detect and kill by traditional anti-virus software. To solve the above problems, this paper proposes a malicious behavior detection method based on deep learning, which can identify malicious programs and attack types according to the activities of malicious programs and malicious software behaviors. In this paper, a hybrid deep learning structure based on convolutional neural network (CNN) and long-and-short term memory (LSTM) network is proposed. The call sequence of API is combined with other statistical features. The vector information obtained is input into LSTM unit through convolution, and the classification results are obtained through the above model. Compared with the existing methods, this method significantly improves the preparation rate and execution efficiency.

Lijia Shi,Shihao Dong

2024-06-18

Abstract:The challenge of WAD (web attack detection) is growing as hackers continuously refine their methods to evade traditional detection. Deep learning models excel in handling complex unknown attacks due to their strong generalization and adaptability. However, they are vulnerable to backdoor attacks, where contextually irrelevant fragments are inserted into requests, compromising model stability. While backdoor attacks are well studied in image recognition, they are largely unexplored in WAD. This paper introduces backdoor attacks in WAD, proposing five methods and corresponding defenses. Testing on textCNN, biLSTM, and tinybert models shows an attack success rate over 87%, reducible through fine-tuning. Future research should focus on backdoor defenses in WAD. All the code and data of this paper can be obtained at https://anonymous.4open.science/r/attackDefenceinDL-7E05

Machine Learning,Cryptography and Security

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Xinyu Wang,Jiqiang Zhai,Hailu Yang

DOI: https://doi.org/10.1038/s41598-024-74350-3

IF: 4.6

2024-10-28

Scientific Reports

Abstract:Web command injection attacks pose significant security threats to web applications, leading to potential server information leakage or severe server disruption. Traditional detection methods struggle with the increasing complexity and obfuscation of these attacks, resulting in poor identification of malicious code, complicated feature extraction processes, and low detection efficiency. To address these challenges, a novel detection model, the Convolutional Channel-BiLSTM Attention (CCBA) model, is proposed, leveraging deep learning techniques to enhance the identification of web command injection attacks. The model utilizes dual CNN convolutional channels for comprehensive feature extraction and employs a BiLSTM network for bidirectional recognition of temporal features. An attention mechanism is also incorporated to assign weights to critical features, improving the model's detection performance. Experimental results demonstrate that the CCBA model achieves 99.3% accuracy and 98.2% recall on a real-world dataset. To validate the robustness and generalization of the model, tests were conducted on two widely recognized public cybersecurity datasets, consistently achieving over 98% accuracy. Compared to existing methods, the proposed model offers a more effective solution for identifying web command injection attacks.

multidisciplinary sciences

Li Siyi

DOI: https://doi.org/10.1109/APCT58752.2023.00009

2023-01-01

Abstract:Currently, methods to prevent common high-risk Web intrusion technologies such as SQL injection, XSS cross-site scripting, Webshell, etc., include precompiled SQL statements, Httponly, feature matching, regular filtering, global filtering of user input, etc. However, based on traditional intrusion detection models, complex Web intrusion technologies cannot be effectively identified. High false alarm rate, poor timeliness and other problems. Therefore, a one-layer RBM structure training model for common high-risk Web intrusion detection techniques is proposed in this paper, and the effectiveness and superiority of the proposed model are verified by experiments. It only needs to analyze and extract the required features of the model, and these features can be input into the model to detect the attack behavior in real time. The attack characteristics of these intrusion techniques are analyzed and the requests obtained from the URL are used as training data, including the SQL injection data set obtained by Tamper injection in the secondary development of SQLMAP. The deep Belief network (DBN) model is used to train the selected features and the collected sample data. Finally, an optimal model of SQL injection, XSS cross-site scripting, Webshell attack can be recognized, and real-time detection can be realized online.

Computer Science

Victor Adewopo,Bilal Gonen,Nelly Elsayed,Murat Ozer,Zaghloul Saad Elsayed

DOI: https://doi.org/10.48550/arXiv.2202.01448

2022-02-03

Cryptography and Security

Abstract:In our current society, the inter-connectivity of devices provides easy access for netizens to utilize cyberspace technology for illegal activities. The deep web platform is a consummative ecosystem shielded by boundaries of trust, information sharing, trade-off, and review systems. Domain knowledge is shared among experts in hacker's forums which contain indicators of compromise that can be explored for cyberthreat intelligence. Developing tools that can be deployed for threat detection is integral in securing digital communication in cyberspace. In this paper, we addressed the use of TOR relay nodes for anonymizing communications in deep web forums. We propose a novel approach for detecting cyberthreats using a deep learning algorithm Long Short-Term Memory (LSTM). The developed model outperformed the experimental results of other researchers in this problem domain with an accuracy of 94\% and precision of 90\%. Our model can be easily deployed by organizations in securing digital communications and detection of vulnerability exposure before cyberattack.

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Do Thi Thu Hien,Pham Van Hau

DOI: https://doi.org/10.54654/isj.v3i20.1008

2023-12-31

Journal of Science and Technology on Information security

Abstract:Abstract— Nowadays, web attacks have become more complicated, leading to the difficulty of traditional web application firewalls (WAFs) in recognizing those threats, especially when dealing with new attacks. Hence, machine learning/deep learning (ML/DL) approaches have been applied to the field of web attack detection with proven success. However, most existing ML/DL-based web attack detectors focus on a specific type of attack due to the difference in the payload of various attacks, which sets a border to the capability of those solutions in detecting new attack types. In this paper, we propose a novel DL-based solution for web attack detection, named DL-WAD, leveraging deep learning and natural language processing techniques. Moreover, DL-WAD is designed with a data preprocessing mechanism aimed at differentiating between regular web requests and malicious ones that carry attack payloads encompassing multiple types of web attacks. The experiment results indicate the effectiveness of our solution in protecting the target web services from a wide range of attacks with high accuracy.

Danny Hendler,Shay Kels,Amir Rubin

DOI: https://doi.org/10.1145/3196494.3196511

2018-05-29

Abstract:Microsoft's PowerShell is a command-line shell and scripting language that is installed by default on Windows machines. Based on Microsoft's .NET framework, it includes an interface that allows programmers to access operating system services. While PowerShell can be configured by administrators for restricting access and reducing vulnerabilities, these restrictions can be bypassed. Moreover, PowerShell commands can be easily generated dynamically, executed from memory, encoded and obfuscated, thus making the logging and forensic analysis of code executed by PowerShell challenging. For all these reasons, PowerShell is increasingly used by cybercriminals as part of their attacks' tool chain, mainly for downloading malicious contents and for lateral movement. Indeed, a recent comprehensive technical report by Symantec dedicated to PowerShell's abuse by cybercrimials [52] reported on a sharp increase in the number of malicious PowerShell samples they received and in the number of penetration tools and frameworks that use PowerShell. This highlights the urgent need of developing effective methods for detecting malicious PowerShell commands. In this work, we address this challenge by implementing several novel detectors of malicious PowerShell commands and evaluating their performance. We implemented both "traditional" natural language processing (NLP) based detectors and detectors based on character-level convolutional neural networks (CNNs). Detectors' performance was evaluated using a large real-world dataset. Our evaluation results show that, although our detectors (and especially the traditional NLP-based ones) individually yield high performance, an ensemble detector that combines an NLP-based classifier with a CNN-based classifier provides the best performance, since the latter classifier is able to detect malicious commands that succeed in evading the former. Our analysis of these evasive commands reveals that some obfuscation patterns automatically detected by the CNN classifier are intrinsically difficult to detect using the NLP techniques we applied. Our detectors provide high recall values while maintaining a very low false positive rate, making us cautiously optimistic that they can be of practical value.

Jaydeep R. Tadhani,Vipul Vekariya,Vishal Sorathiya,Samah Alshathri,Walid El-Shafai

DOI: https://doi.org/10.1038/s41598-023-48845-4

IF: 4.6

2024-01-21

Scientific Reports

Abstract:Modern web application development involves handling enormous amounts of sensitive and consequential data. Security is, therefore, a crucial component of developing web applications. A web application's security is concerned with safeguarding the data it processes. The web application framework must have safeguards to stop and find application vulnerabilities. Among all web application attacks, SQL injection and XSS attacks are common, which may lead to severe damage to Web application data or web functionalities. Currently, there are many solutions provided by various study for SQLi and XSS attack detection, but most of the work shown have used either SQL/XSS payload-based detection or HTTP request-based detection. Few solutions available can detect SQLi and XSS attacks, but these methods provide very high false positive rates, and the accuracy of these models can further be improved. We proposed a novel approach for securing web applications from both cross-site scripting attacks and SQL injection attacks using decoding and standardization of SQL and XSS payloads and HTTP requests and trained our model using hybrid deep learning networks in this paper. The proposed hybrid DL model combines the strengths of CNNs in extracting features from input data and LSTMs in capturing temporal dependencies in sequential data. The soundness of our approach lies in the use of deep learning techniques that can identify subtle patterns in the data that traditional machine learning-based methods might miss. We have created a testbed dataset of Normal and SQLi/XSS HTTP requests and evaluated the performance of our model on this dataset. We have also trained and evaluated the proposed model on the Benchmark dataset HTTP CSIC 2010 and another SQL/XSS payload dataset. The experimental findings show that our proposed approach effectively identifies these attacks with high accuracy and a low percentage of false positives. Additionally, our model performed better than traditional machine learning-based methods. This soundness approach can be applied to various network security applications such as intrusion detection systems and web application firewalls. Using our model, we achieved an accuracy of 99.84%, 99.23% and 99.77% on the SQL-XSS Payload dataset, Testbed dataset and HTTP CSIC 2010 dataset, respectively.

multidisciplinary sciences