| --- |
| language: |
| - en |
| - zh |
| library_name: transformers |
| tags: |
| - security |
| - webshell-detection |
| - malware-detection |
| - cybersecurity |
| - code-classification |
| - php |
| - asp |
| - jsp |
| - python |
| - perl |
| license: mit |
| datasets: |
| - null822/webshell-sample |
| base_model: |
| - microsoft/codebert-base |
| - huawei-noah/TinyBERT_General_4L_312D |
| pipeline_tag: text-classification |
| widget: |
| - text: "<?php eval($_POST['cmd']); ?>" |
| example_title: "Malicious WebShell Example" |
| - text: "<?php echo 'Hello World'; ?>" |
| example_title: "Normal PHP Code" |
| --- |
| |
| # WebShell Detection Models Collection |
|
|
| ## 模型概述 / Model Overview |
|
|
| 这是一个用于检测恶意 WebShell 代码的机器学习模型集合,基于 BERT 架构进行微调。本仓库包含四个模型变体,针对不同的使用场景进行了优化。 |
|
|
| This is a collection of machine learning models for detecting malicious WebShell code, fine-tuned on BERT architectures. The repository contains four model variants optimized for different use cases. |
|
|
| ## 模型变体 / Model Variants |
|
|
| ### 1. full_codebert_model |
| - **基础模型**: microsoft/codebert-base |
| - **训练数据**: 多语言数据集(PHP, ASP, JSP, Python, Perl, HTML, JavaScript, Shell等) |
| - **参数量**: ~125M |
| - **特点**: 高精度,适合准确性要求高的场景 |
|
|
| ### 2. full_tinybert_model |
| - **基础模型**: huawei-noah/TinyBERT_General_4L_312D |
| - **训练数据**: 多语言数据集 |
| - **参数量**: ~14.5M |
| - **特点**: 轻量级,快速推理,适合资源受限环境 |
| |
| ### 3. php_codebert_model |
| - **基础模型**: microsoft/codebert-base |
| - **训练数据**: 仅 PHP 代码数据集 |
| - **参数量**: ~125M |
| - **特点**: 专门针对 PHP WebShell 检测优化 |
| |
| ### 4. php_tinybert_model |
| - **基础模型**: huawei-noah/TinyBERT_General_4L_312D |
| - **训练数据**: 仅 PHP 代码数据集 |
| - **参数量**: ~14.5M |
| - **特点**: PHP 专用轻量级模型 |
|
|
| ## 支持的文件类型 / Supported File Types |
|
|
| - PHP (.php) |
| - ASP (.asp, .aspx) |
| - JSP (.jsp, .jspx) |
| - Python (.py) |
| - Perl (.pl) |
| - HTML (.html, .htm) |
| - JavaScript (.js) |
| - Shell scripts (.sh) |
| - CGI (.cgi) |
| - Java (.java) |
|
|
| ## 使用方法 / Usage |
|
|
| ### 基本使用 / Basic Usage |
|
|
| ```python |
| from transformers import AutoTokenizer, AutoModelForSequenceClassification |
| import torch |
| |
| # 选择模型变体 / Choose model variant |
| model_name = "null822/webshell-detect-bert" |
| subfolder = "full_tinybert_model" # 或其他变体 |
| |
| # 加载模型 / Load model |
| tokenizer = AutoTokenizer.from_pretrained(model_name, subfolder=subfolder) |
| model = AutoModelForSequenceClassification.from_pretrained(model_name, subfolder=subfolder) |
| |
| def detect_webshell(code_text): |
| inputs = tokenizer(code_text, return_tensors="pt", truncation=True, max_length=512) |
| with torch.no_grad(): |
| outputs = model(**inputs) |
| prediction = torch.argmax(outputs.logits, dim=1).item() |
| return "Malicious WebShell" if prediction == 1 else "Normal Code" |
| |
| # 示例 / Example |
| code = "<?php eval($_POST['cmd']); ?>" |
| result = detect_webshell(code) |
| print(result) # 输出: Malicious WebShell |
| ``` |
|
|
| ### 批量检测 / Batch Detection |
|
|
| ```python |
| def batch_detect(code_list): |
| results = [] |
| for code in code_list: |
| result = detect_webshell(code) |
| results.append(result) |
| return results |
| |
| # 示例 / Example |
| codes = [ |
| "<?php echo 'Hello World'; ?>", |
| "<?php eval($_POST['cmd']); ?>", |
| "<?php system($_GET['c']); ?>" |
| ] |
| results = batch_detect(codes) |
| ``` |
|
|
| ### 文件检测 / File Detection |
|
|
| ```python |
| def detect_file(file_path): |
| try: |
| with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: |
| content = f.read() |
| return detect_webshell(content) |
| except Exception as e: |
| return f"Error reading file: {e}" |
| |
| # 示例 / Example |
| result = detect_file("suspicious_file.php") |
| ``` |
|
|
| ## 模型选择指南 / Model Selection Guide |
|
|
| | 使用场景 | 推荐模型 | 理由 | |
| |---------|---------|------| |
| | 生产环境,高精度要求 | `full_codebert_model` | 最高准确率 | |
| | 资源受限,需要快速响应 | `full_tinybert_model` | 平衡性能和资源消耗 | |
| | 专门检测PHP WebShell | `php_codebert_model` | PHP优化,高精度 | |
| | PHP检测,资源受限 | `php_tinybert_model` | PHP专用轻量级 | |
|
|
| ## 性能指标 / Performance Metrics |
|
|
| 模型在测试集上的表现: |
|
|
| - **Accuracy**: >95% |
| - **Precision**: >94% |
| - **Recall**: >96% |
| - **F1-Score**: >95% |
|
|
| *具体指标可能因测试数据集而异* |
|
|
| ## 训练数据 / Training Data |
|
|
| - **数据集**: [null822/webshell-sample](https://huggingface.co/datasets/null822/webshell-sample) |
| - **样本数量**: 5000+ 代码样本 |
| - **数据来源**: |
| - 正常代码:开源项目和合法代码仓库 |
| - 恶意代码:已知的 WebShell 样本和恶意脚本 |
| - **数据处理**: Base64编码确保安全传输和存储 |
|
|
| ## 限制和注意事项 / Limitations |
|
|
| 1. **上下文长度**: 最大支持512个token |
| 2. **语言支持**: 主要针对英文代码和常见编程语言 |
| 3. **误报**: 复杂的正常代码可能被误判为恶意 |
| 4. **更新需求**: 需要定期使用新的威胁样本重新训练 |
|
|
| ## 部署建议 / Deployment Recommendations |
|
|
| 1. **生产环境**: 建议使用 `full_codebert_model` 以获得最佳准确性 |
| 2. **边缘设备**: 使用 TinyBERT 变体以减少资源消耗 |
| 3. **实时检测**: 考虑批处理以提高效率 |
| 4. **安全集成**: 结合其他安全工具使用,不应作为唯一防护手段 |
|
|
| ## 引用 / Citation |
|
|
| 如果您使用了这些模型,请引用: |
|
|
| ```bibtex |
| @misc{webshell-detect-bert, |
| title={WebShell Detection Models based on BERT}, |
| author={null822}, |
| year={2025}, |
| publisher={Hugging Face}, |
| howpublished={\url{https://huggingface.co/null822/webshell-detect-bert}} |
| } |
| ``` |
|
|
| ## 许可证 / License |
|
|
| MIT License |
|
|
| ## 联系方式 / Contact |
|
|
| 如有问题或建议,请通过 GitHub Issues 联系。 |
|
|
