A Rapid Method for WebShell Attack Success Determination Based on Web Page Structural Similarity

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (3): 255-.

Previous Articles Next Articles

A Rapid Method for WebShell Attack Success Determination Based on Web Page Structural Similarity

Wei Jiadong1,2, Wei Jinxia1,2, Fu Yuhao1, Huang Pan1, Sun Degang1,2, and Long Chun1,2

1(Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083)
2(University of Chinese Academy of Sciences, Beijing 100049)

Online:2026-03-12 Published:2026-03-12

基于网页结构相似性的WebShell攻击成功快速判别方法

魏家栋1,2魏金侠1,2付豫豪1黄潘1孙德刚1,2龙春1,2

1(中国科学院计算机网络信息中心北京100083)
2(中国科学院大学北京100049)

通讯作者: 龙春博士，正高级工程师，CCF会员.主要研究方向为基于人工智能的网络未知攻击检测、恶意域名检测、网络流量分析. anquanip@cnic.cn
作者简介:魏家栋硕士研究生.主要研究方向为网络空间安全、入侵检测. jdwei@cnic.cn 魏金侠博士，高级工程师.主要研究方向为网络空间安全. weijinxia@cnic.cn 付豫豪硕士，高级工程师.主要研究方向为网络空间安全. fuyuhao@cnic.cn 黄潘工程师.主要研究方向为流量检测、网络攻击. huangpan@cnic.cn 孙德刚博士，正高级工程师.主要研究方向为高安全等级系统防护技术、网络空间安全. dgs@cnic.cn 龙春博士，正高级工程师，CCF会员.主要研究方向为基于人工智能的网络未知攻击检测、恶意域名检测、网络流量分析. anquanip@cnic.cn

Abstract

Abstract: WebShell attack, a type of network attack, can control the website completely for a long time after a successful attack, which is extremely harmful. Most of the previous studies have concentrated on detecting and alerting WebShell attack traffic without distinguishing whether the attack is ultimately successful. As a result, in actual network security protection and monitoring work, security personnel are overwhelmed by a large number of WebShell attack alerts and are prone to alert fatigue, making it difficult to filter out successful WebShell attacks which are truly threatening. To address the problem, this paper proposes an anomaly detection method based on Web page structural similarity to quickly determine whether WebShell attacks are successful. Based on the structural information of the response pages of failed WebShell attack traffic, this method uses the HuntSzymanski algorithm to calculate structural similarity and then generate Web page templates. During the detection phase, this method uses the generated Web page templates for pattern matching and similarity assessment to determine whether the WebShell attacks are successful. It can well distinguish between successful and failed WebShell attack traffic, achieving an accuracy rate of 99.02% and a recall rate of 99.37%. This method has been applied to Wukong network security defense system and realizes rapid identification of successful WebShell attacks.

Key words: WebShell, anomaly traffic detection, alert fatigue, structural similarity, Web page template

摘要： WebShell攻击作为网络攻击的一种，攻击成功后可对网站进行长期完全控制，具有极大的危害性.目前检测WebShell攻击流量的研究只对WebShell攻击行为进行告警，不考虑WebShell攻击是否成功，导致在实际的网络安全保障及监测工作中，安全运营人员疲于应对海量WebShell攻击告警，容易产生告警疲劳，难以筛选出告警中真正有威胁的WebShell攻击成功流量.针对该问题，提出了一种基于网页结构相似性的异常检测方法，实现WebShell攻击成功的快速判别.该方法基于WebShell攻击失败流量响应页面的结构信息，使用HuntSzymanski算法计算结构相似度生成网页模板；检测阶段将待测试流量与生成的网页模板进行模式匹配和相似度评估，以判断WebShell攻击流量是否攻击成功.该方法能够很好地区分WebShell攻击成功与失败流量，达到了99.02%的准确率和99.37%的召回率.目前该方法已经应用于悟空网络安全防御系统，实现对WebShell攻击成功的快速判断.

关键词: WebShell, 异常流量检测, 告警疲劳, 结构相似性, 网页模板

CLC Number:

TP393.08

魏家栋, 魏金侠, 付豫豪, 黄潘, 孙德刚, 龙春, . 基于网页结构相似性的WebShell攻击成功快速判别方法[J]. 信息安全研究, 2026, 12(3): 255-.

References

［1］中国网安协会. 2024年上半年度网络安全态势研判分析报告［EBOL］. (20240731) ［20250107］. https:www.thepaper.cnnewsDetail_forward_28267884［2］Hannousse A, Yahiouche S. Handling WebShell attacks: A systematic mapping and survey［J］. Computers & Security, 2021, 108(C): 102366［3］Fang Yong, Qiu Yaoyao, Liu Liang, et al. Detecting WebShell based on random forest with FastText［C］ Proc of the 2018 Int Conf on Computing and Artificial Intelligence. New York: ACM, 2018: 5256［4］Zhang Zijian, Li Meng, Zhu Liehuang, et al. SmartDetect: A smart detection scheme for malicious Web shell codes via ensemble learning［C］ Proc of the 3rd Int Conf on Smart Computing and Communication. Berlin: Springer, 2018: 196205［5］Li Tingting, Ren Chunhui, Fu Yusheng, et al. WebShell detection based on the word attention mechanism［J］. IEEE Access, 2019, 7: 185140185147［6］Yong Binbin, Liu Xin , Liu Yan, et al. Web behavior detection based on deep neural network［C］ Proc of the 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation. Piscataway, NJ: IEEE, 2018: 19111916［7］Li Yu, Huang Jin, Ikusan Ademola, et al. ShellBreaker: Automatically detecting PHPbased malicious Web shells［J］. Computers & Security, 2019, 87: 101595［8］Liu Zhiqiang, Li Daofeng, Wei Lulu. A new method for WebShell detection based on bidirectional GRU and attention mechanism［J］. Security and Communication Networks, 2022, 2022(1): 3434920［9］Hannousse A, NaitHamoud M C, Yahiouche S. A deep learner model for multilanguage WebShell detection［J］. International Journal of Information Security, 2022, 22(1): 4761［10］Pu Ao, Feng Xia, Zhang Yuhan, et al. BERTembeddingbased JSP WebShell detection on bytecode level using XGBoost［J］. Security and Communication Networks, 2022, 2022(1): 4315829［11］Zhao Zihao, Liu Qixu, Song Tiantian, et al. WSLD: Detecting unknown WebShell using fuzzy matching and deep learning［C］ Proc of the 2nd Int Conf on Information and Communications Security. Berlin: Springer, 2020: 725745［12］Pan Zulie, Chen Yuanchao, Chen Yu, et al. WebShell detection based on executable data characteristics of PHP code［J］. Wireless Communications & Mobile Computing, 2021, 2021(1): 5533963［13］Huang Weiqing, Jia Chenggang, Yu Min, et al. UTANSA: Static approach for multilanguage malicious Web scripts detection［C］ Proc of the 2021 IEEE Symp on Computers and Communications. Los Alamitos, CA: IEEE Computer Society, 2021: 17［14］Zhang Han, Liu Ming, Yue Zihan, et al. A PHP and JSP Web shell detection system with text processing based on machine learning［C］ Proc of the 19th IEEE Int Conf on Trust, Security and Privacy in Computing and Communications.Piscataway, NJ: IEEE, 2020: 15841591［15］Wu Yalun, Song Minglu, Li Yike, et al. Improving convolutional neural networkbased WebShell detection through reinforcement learning［C］ Proc of the 23rd Int Conf on Information and Communications Security. Berlin: Springer, 2021: 368383［16］Le H V, Nguyen T N, Nguyen H N, et al. An efficient hybrid WebShell detection method for webserver of marine transportation systems［J］. IEEE Trans on Intelligent Transportation Systems, 2023, 24(2): 26302642［17］An Tongjian, Shui Xuefei, Gao Hongkui. Deep learning based WebShell detection coping with long text and lexical ambiguity［C］ Proc of the 24th Int Conf on Information and Communications Security. Berlin: Springer, 2022: 438457［18］李永刚, 潘善民. 基于PCA和极限梯度提升的Web后门型漏洞检测研究［J］. 信息安全研究, 2023, 9(E1): 145148［19］Yang Wenchuan, Sun Bang, Cui Baojiang. A WebShell detection technology based on HTTP traffic analysis［C］ Proc of the 12th Int Conf on Innovative Mobile and Internet Services in Ubiquitous Computing. Berlin: Springer, 2018: 336342［20］Zhang Hua, Guan Hongchao, Yan Hanbing, et al. WebShell traffic detection with characterlevel features based on deep learning［J］. IEEE Access, 2018, 6: 7526875277［21］Tian Yifan, Wang Jiabao, Zhou Zhenji, et al. CNNWebShell: Malicious Web shell detection with convolutional neural network［C］ Proc of the 2017 VI Int Conf on Network, Communication and Computing. New York: ACM, 2017: 7579［22］Wu Yixin, Sun Yuqiang, Huang Cheng, et al. Sessionbased WebShell detection using machine learning in Web logs［J］. Security and Communication Networks, 2019, 2019 (1): 3093809［23］Liu Hongyu, Lang Bo, Liu Ming, et al. CNN and RNN based payload classification methods for attack detection［J］. KnowledgeBased Systems, 2019, 163: 332341［24］关洪超. 基于HTTP流量的WebShell检测研究［D］. 北京: 北京邮电大学, 2019［25］王世通. 基于HTTP协议的WebShell检测研究［D］. 北京: 北京邮电大学, 2021［26］Vieira K, Da Silva A S, Pinto N, et al. A fast and robust method for Web page template detection and removal［C］ Proc of the 15th ACM Int Conf on Information and Knowledge Management. New York: ACM, 2006: 258267［27］Vieira K, Da Costa Carvalho A L, Berlt K, et al. On finding templates on Web collections［J］. World Wide Web, 2009, 12(2): 171211［28］Zhang K, Shasha D. Simple fast algorithms for the editing distance between trees and related problems［J］. SIAM Journal on Computing, 1989, 18(6): 12451262［29］Pawlik M, Augsten N. RTED: A robust algorithm for the tree edit distance［J］. Proceedings of the VLDB Endowment, 2011, 5(4): 334345［30］Wagner R A, Fischer M J. The stringtostring correction problem［J］. Journal of the ACM, 1974, 21(1): 168173［31］Hunt J W, Szymanski T G. A fast algorithm for computing longest common subsequences［J］. Communications of the ACM, 1977, 20(5): 350353［32］王跃达, 黄潘, 荆涛, 等. 一种基于高速网络的WebShell综合检测溯源技术研究与实现［J］. 信息网络安全, 2021, 21(1): 6571

[1]	. Insider Threat Detection Model Based on SSIMGAN and Time Series Transformer [J]. Journal of Information Security Reserach, 2025, 11(12): 1108-.
[2]	. Research on Memory Webshell Detection in Docker Container Based on RASP Technology [J]. Journal of Information Security Reserach, 2023, 9(10): 947-.
[3]	. Advanced Threat Protection with Memory as the Target [J]. Journal of Information Security Reserach, 2021, 7(E1): 46-.
[4]	. Research on Webshell Detection Method Based on Logistic Regression Algorithm [J]. Journal of Information Security Research, 2019, 5(4): 298-302.
[5]	. Webshell Detection Method Based on Correlation Analysis [J]. Journal of Information Security Research, 2018, 4(3): 251-255.
[6]	. Semantics Based Webshell Detection Method Research [J]. Journal of Information Security Research, 2017, 3(2): 145-150.
[7]	. Webshell Detection Method Research Based on Web Log [J]. Journal of Information Security Research, 2016, 2(1): 66-73.

A Rapid Method for WebShell Attack Success Determination Based on Web Page Structural Similarity

基于网页结构相似性的WebShell攻击成功快速判别方法

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 7

Recommended Articles

Metrics