Webshell Traffic Detection With Character-Level Features Based on Deep Learning

Webshell is a kind of backdoor programs based on Web services. Network-based detection could monitor the request and response traffic to find abnormal behaviors and detect the existence of Webshell. Some machine learning and deep learning methods have been used in this field, but the current methods need to be further explored in discovering new attacks and performance. In order to detect large-scale unknown Webshell events, we propose a Webshell traffic detection model combining the characteristics of convolutional neural network and long short-term memory network. At the same time, we propose a character-level traffic content feature transformation method. We apply the method in our proposed model and evaluate our approach on a Webshell detection testbed. The experiment result indicates that the model has a high precision rate and recall rate, and the generalization ability can be guaranteed.