Webshell Detection Based on Executable Data Characteristics of PHP Code

<table class="algorithm-group"><tr><td><table class="algorithm" id="alg1"><tr><td colspan="2"><b>Input</b>: PHP language samples files</td></tr><tr><td colspan="2"><b>Output</b>: one-dimensional matrix of executable data characteristics of the sample</td></tr><tr><td colspan="2">  1. Convert PHP code to abstract syntax tree, turn to step 2.</td></tr><tr><td colspan="2">  2. Judges whether there are Eval, FuncCall, MethodCall, or ShellExec nodes under Expr nodes in the abstract grammar tree, and if matched, turn to step 3; else, return 0.</td></tr><tr><td colspan="2">  3. Judges whether the functions in the nodes above are functions that can execute the data as PHP code or system commands, such as eval, exec, system, etc. If the answer is yes, turn to step 4; else, return 0.</td></tr><tr><td colspan="2">  4. Judge the type of parameter in the function, whether the parameter is variable. If it is, return 1, if not, return 0.</td></tr></table></td></tr></table>

<div> Executable data characteristic extraction of PHP code.</div>

Wireless Communications and Mobile Computing

alg1

Algorithm 1

Algorithm 1: Webshell Detection Based on Executable Data Characteristics of PHP Code 