Conference: IEEE International Conference on Data Science in Cyberspace

Webshell Detection Based on Random Forest–Gradient Boosting Decision Tree Algorithm


Abstract

A webshell is a type of web backdoor that hackers can use to control web servers remotely. Webshells are becoming increasingly hard to detect because of the use of more and more hiding technologies, such as decoding and encrypting. However, webshells can still be detected with high accuracy by machine learning algorithms. In this paper, we propose a PHP webshell detection model, the RF-GBDT (Random Forest-Gradient Boosting Decision Tree) model, which combines a random forest classifier with a GBDT classifier. We use not only the common statistical features of PHP source files, such as information entropy and index of coincidence, but also opcode sequence features extracted from PHP source files, including a TF-IDF vector and a hash vector. Based on the RF-GBDT model and these features, the RF-GBDT PHP webshell prediction model shows excellent performance, achieving an accuracy of 99.169% with a false positive rate of 0.682%, overshadowing several popular webshell detectors.