GAShellBreaker: A Novel Method for Java Fileless Webshell Detection Based on Grayscale Images and Deep Learning

Bibliographic Details
Title: GAShellBreaker: A Novel Method for Java Fileless Webshell Detection Based on Grayscale Images and Deep Learning
Authors: Yuan Zhang, Daofeng Li, Yuqin Xie
Source: Electronics ; Volume 14 ; Issue 8 ; Pages: 1678
Publisher: Multidisciplinary Digital Publishing Institute
Publication year: 2025
Collection: MDPI Open Access Publishing
Keywords: fileless Webshell detection, deep learning, malicious code detection
Description: Webshells are widely used by attackers to maintain access during the post-exploitation phase. As security defenses improve, traditional file-based Webshells are increasingly detectable. To evade detection, attackers are shifting toward fileless Webshells, which reside entirely in memory and present significant challenges to conventional security tools. However, research on fileless Webshell detection remains limited. To address this gap, we analyzed various fileless Webshell samples, summarized their behavioral patterns, and constructed a corresponding threat model. Based on this, we propose a novel detection approach named GAShellBreaker, which leverages grayscale image transformation and deep learning. GAShellBreaker first establishes a dual-layer in-memory monitoring mechanism to capture suspicious classes within the Java Virtual Machine (JVM) and export them as bytecode files. It then extracts opcode sequences from these files, transforms them into grayscale images, and employs a ResNet50-based classifier for detection. Due to the limited availability of fileless samples, we trained and evaluated the model on a larger dataset of 1351 file-based scripts (383 Webshells and 968 benign samples), and used 56 fileless Webshells for validation. Experimental results show that GAShellBreaker achieves 99.10% accuracy on file-based Webshells and 89.29% accuracy on fileless Webshells, outperforming existing algorithms. Moreover, it maintains low computational overhead (6.7%), confirming its practical feasibility.
Publication type: text
File description: application/pdf
Language: English
Relation: https://dx.doi.org/10.3390/electronics14081678
DOI: 10.3390/electronics14081678
Availability: https://doi.org/10.3390/electronics14081678
Rights: https://creativecommons.org/licenses/by/4.0/
Document code: edsbas.9B711581
Database: BASE