CWSOGG: Catching Web Shell Obfuscation Based on Genetic Algorithm and Generative Adversarial Network (Journal Article)

abstract

  • A web shell is a backdoor used by hackers to control Web servers and perform privilege escalation, and thus it is crucial to detect web shells effectively. However, the detection of obfuscated web shells has always been a challenge. Inspired by adversarial training methods in the field of computer vision, this paper proposes a generative adversarial network (GAN)-based web shell detection model training framework. Since there has been no method that can generate obfuscated web shells effectively, a generator based on the genetic algorithm, which combines and optimizes the pre-set obfuscation methods, is used to obtain new obfuscation combinations and generate obfuscated samples. The whole proposed framework is named the CWSOGG. When training the detection model, the generator generates web shells that can bypass the discriminator, and the discriminator catches the features of obfuscated samples. Through the adversarial training of the discriminator and generator, the detection model improves its ability to detect obfuscated web shells. To verify the proposed framework is flexible to different models, the discriminator based on four main neural networks has been implemented. Meanwhile, to build complete feature extraction models, both statistical and semantic features are extracted. Due to the lack of web shell data, a clean dataset containing 4,375 web shells is constructed and used to evaluate the CWSOGG. The results have shown that the detection accuracy of each model increases by 86.71% on the generated obfuscated web shells on average and by 7.50% on the simulated real-world obfuscated web shells on average.

authors

  • Pang, Bo
  • Liang, Gang
  • Yang, Jin
  • Chen, Yijing
  • Wang, Xinyi
  • He, Wenbo

publication date

  • May 19, 2023