网络与信息安全学报 (Jun 2025)

FLWD: A Webshell detection method based on federated learning

  • ZENG Qingpeng,
  • CHAI Jiangli,
  • WU Shuixiu

Journal volume & issue
Vol. 11
pp. 109 – 119

Abstract

Webshell attacks are a common technique in which attackers gain partial control over a Web server through a Webshell to carry out malicious activities. Webshell operations are covert, and attackers continuously create new Webshell variants to evade security detection. Coupled with the lack of information sharing and coordination between servers, this leads to uneven detection capabilities in responding to Webshell attacks, making it difficult to establish a comprehensive and effective defense system. To address these challenges, a Webshell detection method based on federated learning is proposed. The method integrates the abstract syntax tree node value sequence features, code structure features, text obfuscation features, and cybersecurity expertise and experience features of Webshells. A TextCNN-based network model is designed to learn the malicious behaviors of Webshell samples. Meanwhile, the FedAvg algorithm of federated learning and the DP-SGD algorithm are employed for collaborative training across multiple participants without data leaving their domains. This ensures data privacy and prevents sensitive information leakage. Experimental results on the AMWD’22 dataset show that the model’s accuracy is 99.47%, with an F1 score of 99.67%, indicating better detection performance compared to basic algorithm models and existing research algorithm models. In the federated learning experiments, the proposed model could learn from the data of each participant without the data leaving its domain, increasing the detection accuracy from 98.01% to 99.01%.

Keywords