Backdoor shell attacks pose a critical threat to web server security, allowing attackers to bypass authentication and gain persistent, unauthorized control. Conventional signature-based detection methods often fail against these attacks because of the polymorphism and obfuscation techniques they employ. To address this, we propose an integrated detection approach that uses Splunk as the log management platform together with machine learning (ML) models driven by its Search Processing Language (SPL). This study collected and preprocessed web server log data using SPL queries, transforming it into structured features for classification. We evaluated two supervised learning algorithms, Logistic Regression and Random Forest, on a labeled dataset comprising both normal traffic and simulated backdoor shell attacks. While Logistic Regression achieved solid performance with 93.5% accuracy and 87.8% recall, the Random Forest model significantly outperformed it, reaching an accuracy of 97.2%, a precision of 95.8%, a recall of 94.1%, and an F1-score of 94.9%. Crucially, it also reduced the false negative rate (FNR) to 2.3% and the false positive rate (FPR) to 3.5%, making it more reliable for real-time use. Our findings demonstrate that Random Forest, integrated with Splunk's SPL, provides a robust and practical detection mechanism that effectively distinguishes malicious activity from normal traffic. The primary contribution of this research is an end-to-end architecture that combines scalable log management, effective feature engineering, and ML-based detection, offering a practical solution for enterprise-level security monitoring.
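As an added illustration of the two pipeline stages the abstract names (log lines to structured features, then scoring a classifier by accuracy, precision, recall, F1, FNR and FPR), here is a plain-Python sketch that is not the paper's code; the paper did this stage in SPL, and the log regex, the feature set and the sample lines below are assumptions of this example.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined access-log format (Apache/nginx); regex and feature set are assumptions here.
LOG_RE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

def shannon_entropy(s):
    """Bits per character; encoded or obfuscated shell parameters score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def extract_features(line):
    """Map one log line to the structured features a classifier consumes (None if malformed)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    return {
        "is_post": int(m["method"] == "POST"),
        "is_php": int(parts.path.lower().endswith(".php")),
        "query_len": len(parts.query),
        "param_count": len(parse_qsl(parts.query, keep_blank_values=True)),
        "query_entropy": round(shannon_entropy(parts.query), 3),
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }

def confusion_metrics(y_true, y_pred):
    """Accuracy, precision, recall, F1, FNR and FPR from 0/1 labels (1 = backdoor)."""
    c = Counter(zip(y_true, y_pred))
    tp, tn, fp, fn = c[(1, 1)], c[(0, 0)], c[(0, 1)], c[(1, 0)]
    div = lambda a, b: a / b if b else 0.0
    precision, recall = div(tp, tp + fp), div(tp, tp + fn)
    return {
        "accuracy": div(tp + tn, tp + tn + fp + fn),
        "precision": precision,
        "recall": recall,
        "f1": div(2 * precision * recall, precision + recall),
        "fnr": div(fn, fn + tp),  # missed backdoors: the rate the paper drives down
        "fpr": div(fp, fp + tn),  # benign requests flagged: analyst noise
    }

# Constructed sample lines (not from the paper's dataset): one benign, one shell-like.
SAMPLE_LOGS = [
    '198.51.100.4 - - [10/Jan/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "POST /uploads/img.php?cmd=id HTTP/1.1" 200 512',
]
```

The feature dicts are what a Random Forest or Logistic Regression model would be trained on, and `confusion_metrics` reproduces the six figures reported in the abstract from a model's 0/1 predictions.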
Copyrights © 2026