{"id":"https://openalex.org/W4414170762","doi":"https://doi.org/10.1109/iwqos65803.2025.11143530","title":"Distilling Benign Knowledge with Fine-Grained AST Fragments for Precise Real-World Web Shell Detection","display_name":"Distilling Benign Knowledge with Fine-Grained AST Fragments for Precise Real-World Web Shell Detection","publication_year":2025,"publication_date":"2025-07-02","ids":{"openalex":"https://openalex.org/W4414170762","doi":"https://doi.org/10.1109/iwqos65803.2025.11143530"},"language":"en","primary_location":{"id":"doi:10.1109/iwqos65803.2025.11143530","is_oa":false,"landing_page_url":"https://doi.org/10.1109/iwqos65803.2025.11143530","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE/ACM 33rd International Symposium on Quality of Service (IWQoS)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5055635068","display_name":"Ming-Xin Gao","orcid":"https://orcid.org/0009-0005-5334-4717"},"institutions":[{"id":"https://openalex.org/I45928872","display_name":"Alibaba Group (China)","ror":"https://ror.org/00k642b80","country_code":"CN","type":"company","lineage":["https://openalex.org/I45928872"]},{"id":"https://openalex.org/I4210144487","display_name":"Cloud Computing Center","ror":"https://ror.org/04aa0zm65","country_code":"CN","type":"facility","lineage":["https://openalex.org/I4210144487"]},{"id":"https://openalex.org/I4210090971","display_name":"Southeast University","ror":"https://ror.org/00cf0ab87","country_code":"BD","type":"education","lineage":["https://openalex.org/I4210090971"]}],"countries":["BD","CN"],"is_corresponding":true,"raw_author_name":"Mingzhe Gao","raw_affiliation_strings":["Alibaba Cloud Computing, Southeast 
University"],"affiliations":[{"raw_affiliation_string":"Alibaba Cloud Computing, Southeast University","institution_ids":["https://openalex.org/I45928872","https://openalex.org/I4210144487","https://openalex.org/I4210090971"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5036356449","display_name":"Ligeng Chen","orcid":null},"institutions":[{"id":"https://openalex.org/I4210150693","display_name":"The Medical Device (United Kingdom)","ror":"https://ror.org/059mrwr24","country_code":"GB","type":"company","lineage":["https://openalex.org/I4210150693"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Ligeng Chen","raw_affiliation_strings":["Honor Device Co., Ltd, Nanjing University"],"affiliations":[{"raw_affiliation_string":"Honor Device Co., Ltd, Nanjing University","institution_ids":["https://openalex.org/I4210150693"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101935489","display_name":"Yiling He","orcid":"https://orcid.org/0000-0002-5977-1489"},"institutions":[{"id":"https://openalex.org/I45129253","display_name":"University College London","ror":"https://ror.org/02jx3x895","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I45129253"]},{"id":"https://openalex.org/I2800173700","display_name":"UCL Australia","ror":"https://ror.org/024atcf19","country_code":"AU","type":"education","lineage":["https://openalex.org/I2800173700"]}],"countries":["AU","GB"],"is_corresponding":false,"raw_author_name":"Yiling He","raw_affiliation_strings":["University College,London"],"affiliations":[{"raw_affiliation_string":"University College,London","institution_ids":["https://openalex.org/I2800173700","https://openalex.org/I45129253"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5083239066","display_name":"Yuhang 
Chen","orcid":"https://orcid.org/0009-0007-5743-2516"},"institutions":[{"id":"https://openalex.org/I4210090971","display_name":"Southeast University","ror":"https://ror.org/00cf0ab87","country_code":"BD","type":"education","lineage":["https://openalex.org/I4210090971"]}],"countries":["BD"],"is_corresponding":false,"raw_author_name":"Yuhang Chen","raw_affiliation_strings":["School of Cyber Science and Engineering, Southeast University"],"affiliations":[{"raw_affiliation_string":"School of Cyber Science and Engineering, Southeast University","institution_ids":["https://openalex.org/I4210090971"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100414046","display_name":"Lingyun Ying","orcid":"https://orcid.org/0000-0001-7445-9103"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lingyun Ying","raw_affiliation_strings":["QI-ANXIN Technology Research Institute"],"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100626207","display_name":"Yang Wang","orcid":"https://orcid.org/0000-0002-6855-7097"},"institutions":[{"id":"https://openalex.org/I45928872","display_name":"Alibaba Group (China)","ror":"https://ror.org/00k642b80","country_code":"CN","type":"company","lineage":["https://openalex.org/I45928872"]},{"id":"https://openalex.org/I4210144487","display_name":"Cloud Computing Center","ror":"https://ror.org/04aa0zm65","country_code":"CN","type":"facility","lineage":["https://openalex.org/I4210144487"]},{"id":"https://openalex.org/I4210090971","display_name":"Southeast University","ror":"https://ror.org/00cf0ab87","country_code":"BD","type":"education","lineage":["https://openalex.org/I4210090971"]}],"countries":["BD","CN"],"is_corresponding":false,"raw_author_name":"Wang Yang","raw_affiliation_strings":["Alibaba Cloud Computing, Southeast University"],"affiliations":[{"raw_affiliation_string":"Alibaba 
Cloud Computing, Southeast University","institution_ids":["https://openalex.org/I45928872","https://openalex.org/I4210144487","https://openalex.org/I4210090971"]}]}],"institutions":[],"countries_distinct_count":4,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5055635068"],"corresponding_institution_ids":["https://openalex.org/I4210090971","https://openalex.org/I4210144487","https://openalex.org/I45928872"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.3719988,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"10"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12016","display_name":"Web Data Mining and Analysis","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software 
Testing and Debugging Techniques","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.7516999840736389},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.6830999851226807},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5777999758720398},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5116000175476074},{"id":"https://openalex.org/keywords/false-positives-and-false-negatives","display_name":"False positives and false negatives","score":0.42170000076293945},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.36809998750686646},{"id":"https://openalex.org/keywords/precision-and-recall","display_name":"Precision and recall","score":0.3456000089645386},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.3434999883174896},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.3361000120639801}],"concepts":[{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.7516999840736389},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer 
science","level":0,"score":0.7143999934196472},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.6830999851226807},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5777999758720398},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5116000175476074},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.49950000643730164},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.45089998841285706},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4388999938964844},{"id":"https://openalex.org/C112789634","wikidata":"https://www.wikidata.org/wiki/Q18207010","display_name":"False positives and false negatives","level":3,"score":0.42170000076293945},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.36809998750686646},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.3456000089645386},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.3434999883174896},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.3361000120639801},{"id":"https://openalex.org/C11392498","wikidata":"https://www.wikidata.org/wiki/Q11288","display_name":"Web 
server","level":3,"score":0.33329999446868896},{"id":"https://openalex.org/C177606310","wikidata":"https://www.wikidata.org/wiki/Q5674297","display_name":"Adaptability","level":2,"score":0.31119999289512634},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.3102000057697296},{"id":"https://openalex.org/C58328972","wikidata":"https://www.wikidata.org/wiki/Q184609","display_name":"Expert system","level":2,"score":0.3000999987125397},{"id":"https://openalex.org/C152752567","wikidata":"https://www.wikidata.org/wiki/Q116877","display_name":"Code refactoring","level":3,"score":0.29980000853538513},{"id":"https://openalex.org/C105002631","wikidata":"https://www.wikidata.org/wiki/Q4833645","display_name":"Subject-matter expert","level":3,"score":0.28630000352859497},{"id":"https://openalex.org/C2989486834","wikidata":"https://www.wikidata.org/wiki/Q3808900","display_name":"True positive rate","level":2,"score":0.27869999408721924},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.27140000462532043},{"id":"https://openalex.org/C2776235265","wikidata":"https://www.wikidata.org/wiki/Q18392052","display_name":"Fragment (logic)","level":2,"score":0.26179999113082886},{"id":"https://openalex.org/C2781052500","wikidata":"https://www.wikidata.org/wiki/Q2230313","display_name":"Shell (structure)","level":2,"score":0.2612999975681305},{"id":"https://openalex.org/C32587265","wikidata":"https://www.wikidata.org/wiki/Q1182260","display_name":"Data deduplication","level":2,"score":0.25929999351501465},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.25859999656677246},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information 
retrieval","level":1,"score":0.25760000944137573},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.2500999867916107}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/iwqos65803.2025.11143530","is_oa":false,"landing_page_url":"https://doi.org/10.1109/iwqos65803.2025.11143530","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE/ACM 33rd International Symposium on Quality of Service (IWQoS)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W2065622239","https://openalex.org/W2138756793","https://openalex.org/W2165739648","https://openalex.org/W2172607710","https://openalex.org/W2336291507","https://openalex.org/W2350778671","https://openalex.org/W2598761292","https://openalex.org/W2767717989","https://openalex.org/W2986166181","https://openalex.org/W3097730806","https://openalex.org/W3160804878","https://openalex.org/W3168918750","https://openalex.org/W3193289990","https://openalex.org/W4253029824","https://openalex.org/W4308410314","https://openalex.org/W4384154639","https://openalex.org/W4388856819","https://openalex.org/W4391724777"],"related_works":[],"abstract_inverted_index":{"Web":[0],"shell":[1],"detection":[2,27,38],"has":[3],"become":[4],"increasingly":[5],"crucial":[6],"with":[7,36],"the":[8,31,58,145],"expansion":[9],"of":[10,33,101,136],"cloud":[11],"computing,":[12],"where":[13],"automated":[14],"malware":[15,26],"analysis":[16],"serves":[17],"as":[18],"a":[19,74,157,171],"foundational":[20],"approach.":[21],"A":[22],"key":[23],"challenge":[24],"in":[25,29,118],"lies":[28],"balancing":[30],"reduction":[32],"false":[34,53,177],"positives":[3
5,54,178],"maintaining":[37],"accuracy":[39],"amid":[40],"rapid":[41],"software":[42,68,124],"ecosystem":[43],"evolution.":[44,125],"Existing":[45],"methods":[46,147],"require":[47],"substantial":[48],"expert":[49,186],"intervention":[50],"to":[51,62,82,108,123,184],"mitigate":[52],"and":[55,94,104,121],"often":[56],"neglect":[57],"resource-intensive":[59],"measures":[60],"required":[61],"address":[63],"model":[64],"degradation":[65],"caused":[66],"by":[67,148,179],"updates.":[69],"This":[70],"study":[71],"introduces":[72],"ASTBAR,":[73],"novel":[75],"method":[76],"that":[77,130],"extracts":[78],"fine-grained":[79],"AST":[80],"fragments":[81],"distill":[83],"benign":[84,102],"behavioral":[85],"knowledge":[86],"from":[87],"webserver":[88],"software.":[89],"By":[90],"leveraging":[91],"program":[92],"structure":[93],"semantic":[95],"analysis,":[96],"ASTBAR":[97,114,131,169],"generates":[98],"fragment-level":[99],"representations":[100],"samples":[103],"employs":[105],"fragment":[106],"matching":[107],"identify":[109],"malware.":[110],"Unlike":[111],"prior":[112],"techniques,":[113],"achieves":[115,132],"simultaneous":[116],"improvements":[117],"precision,":[119],"recall,":[120],"adaptability":[122],"The":[126],"evaluation":[127],"results":[128],"demonstrate":[129],"an":[133],"F1":[134],"score":[135],"<tex":[137,149,158],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[138,150,159],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">$\\mathbf{6":[139],"5.":[140],"3":[141,153],"5":[142],"\\%}$</tex>,":[143],"outperforming":[144],"state-of-the-art":[146],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">$\\mathbf{1":[151,160],"0.":[152],"9":[154],"\\%}$</tex>.":[155],"In":[156],"2}$</tex>-month":[161],"industrial":[162],"deployment":[163],"spanning":[164],"over":[165],"one":[166],"million":[167],"users,":[168],"maintained":[170],"97.63%":[172],"recall":[173],"rate":[174],"while":[175],"reducing":[176],"700+":[180],"cases":[181],"daily":[182],"(equivalent":[183],"30":[185],"hours).
":[187]},"counts_by_year":[],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-10-10T00:00:00"}
