An Efficient Hybrid Webshell Detection Method for Webserver of Marine Transportation Systems

An increase in the number of Maritime Intelligent Transport Systems (MITSs) also means an increase in the number of information security risks. Usually, the administration and operation of MITSs are done through web servers that are frequently targeted by hackers. In marine transportation industry, malicious code injection attacks (webshell) has been widely exploited by hackers to take full control of Web servers. Traditional webshell detection methods based on pattern matching that are no longer effective against new types of webshell. This motivates us to investigate the problem of detecting obfuscation or unknown webshells, termed OUW problem. In this work, we propose a pattern-matching-deep-learning hybrid ASP.NET webshell detection method (H-DLPMWD) to address the OUW problem. H-DLPMWD is based on Yara-based pattern matching to clean dataset; modeling ASP.NET code files as an operation code index (OCI) vectors; and applying CNN method to train and predict webshell in OCI vectors. To validate H-DLPMWD, our rigorous experimentation demonstrates that H-DLPMWD achieves an excellent accuracy of 98.49%, F1-score of 99.01%, and a low false positive rate of 1.75%.