Kuan-Chien Wang, Wei Cheng, J. Zhang, Minmin Sun, Kazuya Sakai, Wei-Shinn Ku
Title: HoneyContainer: Container-based Webshell Command Injection Defending and Backtracking
Authors: Kuan-Chien Wang, Wei Cheng, J. Zhang, Minmin Sun, Kazuya Sakai, Wei-Shinn Ku
Venue: 2023 Silicon Valley Cybersecurity Conference (SVCC)
Publication date: 2023-05-17
DOI: 10.1109/SVCC56964.2023.10165511 (https://doi.org/10.1109/SVCC56964.2023.10165511)
Platform: Semanticscholar
Open access: no
Citation count: 0
Abstract
The web server is a vulnerable component in enterprise systems, susceptible to a variety of attack strategies. Of these, webshell attacks are particularly insidious, as they can be uploaded through legitimate paths and executed using network traffic that is indistinguishable from that of normal users. Despite the existence of several proposed detection methods for identifying webshell attacks, attackers can still easily evade them. To address this issue, we present HoneyContainer, an architecture designed to detect webshell-based command injection attacks, trace the origin of the attacker, and redirect malicious traffic to a honeypot container. Our prototype implementation of HoneyContainer has been validated using 214 webshell files, with results demonstrating its ability to detect all shell command injection events and redirect malicious traffic. Our evaluations also indicate that the overhead caused by HoneyContainer is minimal and unlikely to be noticeable to normal users. The source code is released at https://github.com/wei-juncheng/webshell php5 demo