Toward a Deep Learning Approach for Detecting PHP Webshell

The most efficient way of securing Web applications is searching and eliminating threats therein (from both malwares and vulnerabilities). In case of having Web application source codes, Web security can be improved by performing the task to detecting malicious codes, such as Web shells. In this paper, we proposed a model using a deep learning approach to detect and identify the malicious codes inside PHP source files. Our method relies on (i) pattern matching techniques by applying Yara rules to build a malicious and benign datasets, (ii) converting the PHP source codes to a numerical sequence of PHP opcodes and (iii) applying the Convolutional Neural Network model to predict a PHP file whether embedding a malicious code such as a webshell. Thus, we validate our approach with different webshell collections from reliable source published in Github. The experiment results show that the proposed method achieved the accuracy of 99.02% with 0.85% false positive rate.