ShellBreaker: Automatically detecting PHP-based malicious web shells

Cited by: 14
Authors
Li, Yu [1]
Huang, Jin [1]
Ikusan, Ademola [3]
Mitchell, Milliken [2]
Zhang, Junjie [1]
Dai, Rui [3]
Affiliations
[1] Wright State Univ, Dept Comp Sci & Engn, Dayton, OH 45435 USA
[2] Miami Univ, Dept Comp Sci & Software Engn, Oxford, OH 45056 USA
[3] Univ Cincinnati, Dept Elect Engn & Comp Sci, Cincinnati, OH 45221 USA
Keywords
Intrusion detection; Web security; Web shells; Data flows; Taint analysis
DOI
10.1016/j.cose.2019.101595
Chinese Library Classification number
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
A web shell is a server-side script uploaded by an attacker to enable persistent access on a compromised machine. Detecting web shells is therefore of significant importance. In this paper, we present a novel system named ShellBreaker to detect web shells written in PHP, one of the leading languages used for server-side script development. ShellBreaker performs detection by correlating syntactical and semantic features that systematically characterize web shells through three aspects including (i) their communication with external users/attackers, (ii) their adaption to the run-time environment, and (iii) their usage of sensitive operations. We have evaluated ShellBreaker using real-world, PHP-based web shells and benign PHP scripts. Experimental results have demonstrated that ShellBreaker can achieve a high detection rate of 91.7% at a low false positive rate of 1%. (C) 2019 Elsevier Ltd. All rights reserved.
Pages: 11