Abstract: Based on Webshell detection in AWD offensive and defensive competition, fuzzy C-means clustering is used to analyze Webshell in hyperspace, and find that the attack vector is globally sparse and locally closely related. Two deep learning models are proposed for Webshell detection. Since most of the Webshells collected by GitHub are obtained randomly and are not well targeted, the length of the training data is limited and a limited number of relevant samples are retained. Because one attack is closely related to the adjacent 2 to 4 operations, the attack vector has obvious correlation characteristics in the vertical direction, and the horizontal direction is relatively stable, considering that the scale of the feature vector will be reduced during the transfer process, the zero padding of the convolutional layer is increased. Aiming at the sawtooth oscillation phenomenon of the deep learning training curve, the fast calculation formula of the Adam optimization algorithm is proved, and the learning parameters are corrected, which continuously eliminates the sawtooth in the training Loss curve, and maks the training curve drop smoothly according to the exponential law. The training results are obtained soon. Experiments are conducted to compare the two deep learning models with existing similar detection models. The experimental results show that the proposed deep learning models can better detect Webshell attacks in AWD.

Key words: deep learning, Web security, Webshell