ShellSight-LLM: Detecting Successful Webshell Intrusions via Optimized LLM

Published in EAI International Conference on Digital Forensics & Cyber Crime, 2025

Webshells pose a serious threat to network security, as successful webshell intrusions can lead to full compromise of web servers, underscoring the need for accurate and efficient detection methods. Most prior studies focus on detecting webshell intrusions without assessing whether they succeeded, potentially overlooking the most urgent and damaging incidents. Existing approaches for detecting successful webshell intrusions typically rely on manually selected features to train machine learning models, which suffer from limited generalization and reduced effectiveness against novel intrusion patterns. To address these challenges, this paper proposes ShellSight-LLM, a framework for detecting successful webshell intrusions via an optimized large language model (LLM). By leveraging the powerful semantic understanding and pattern-recognition capabilities of LLMs, our approach uses prompt engineering and in-context learning to effectively capture and convey the key characteristics of successful webshell intrusions, thereby enhancing generalization. Furthermore, we employ model distillation to develop a lightweight LLM that retains high detection accuracy while accelerating detection, facilitating practical deployment. Experimental results demonstrate that our method achieves an accuracy of 99.76% and an F1 score of 99.74%, significantly outperforming existing methods while providing improved generalization.