Kuan-Chien Wang, Wei Cheng, J. Zhang, Minmin Sun, Kazuya Sakai, Wei-Shinn Ku
{"title":"HoneyContainer:基于容器的Webshell命令注入防御和回溯","authors":"Kuan-Chien Wang, Wei Cheng, J. Zhang, Minmin Sun, Kazuya Sakai, Wei-Shinn Ku","doi":"10.1109/SVCC56964.2023.10165511","DOIUrl":null,"url":null,"abstract":"The web server is a vulnerable component in enterprise systems, susceptible to a variety of attack strategies. Of these, webshell attacks are particularly insidious, as they can be uploaded through legitimate paths and executed using network traffic that is indistinguishable from that of normal users. Despite the existence of several proposed detection methods for identifying webshell attacks, attackers can still easily evade them. To address this issue, we present HoneyContainer, an architecture designed to detect webshell-based command injection attacks, trace the origin of the attacker, and redirect malicious traffic to a honeypot container. Our prototype implementation of Honey-Container has been validated using 214 webshell files, with results demonstrating its ability to detect all shell command injection events and redirect malicious traffic. Our evaluations also indicate that the overhead caused by HoneyContainer is minimal and unlikely to be noticeable by normal users. The source code is released at https://github.com/wei-juncheng/webshell php5 demo","PeriodicalId":243155,"journal":{"name":"2023 Silicon Valley Cybersecurity Conference (SVCC)","volume":"18 5part1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"HoneyContainer: Container-based Webshell Command Injection Defending and Backtracking\",\"authors\":\"Kuan-Chien Wang, Wei Cheng, J. Zhang, Minmin Sun, Kazuya Sakai, Wei-Shinn Ku\",\"doi\":\"10.1109/SVCC56964.2023.10165511\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The web server is a vulnerable component in enterprise systems, susceptible to a variety of attack strategies. Of these, webshell attacks are particularly insidious, as they can be uploaded through legitimate paths and executed using network traffic that is indistinguishable from that of normal users. Despite the existence of several proposed detection methods for identifying webshell attacks, attackers can still easily evade them. To address this issue, we present HoneyContainer, an architecture designed to detect webshell-based command injection attacks, trace the origin of the attacker, and redirect malicious traffic to a honeypot container. Our prototype implementation of Honey-Container has been validated using 214 webshell files, with results demonstrating its ability to detect all shell command injection events and redirect malicious traffic. Our evaluations also indicate that the overhead caused by HoneyContainer is minimal and unlikely to be noticeable by normal users. The source code is released at https://github.com/wei-juncheng/webshell php5 demo\",\"PeriodicalId\":243155,\"journal\":{\"name\":\"2023 Silicon Valley Cybersecurity Conference (SVCC)\",\"volume\":\"18 5part1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-05-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2023 Silicon Valley Cybersecurity Conference (SVCC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SVCC56964.2023.10165511\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 Silicon Valley Cybersecurity Conference (SVCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SVCC56964.2023.10165511","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
HoneyContainer: Container-based Webshell Command Injection Defending and Backtracking
The web server is a vulnerable component in enterprise systems, susceptible to a variety of attack strategies. Of these, webshell attacks are particularly insidious, as they can be uploaded through legitimate paths and executed using network traffic that is indistinguishable from that of normal users. Despite the existence of several proposed detection methods for identifying webshell attacks, attackers can still easily evade them. To address this issue, we present HoneyContainer, an architecture designed to detect webshell-based command injection attacks, trace the origin of the attacker, and redirect malicious traffic to a honeypot container. Our prototype implementation of Honey-Container has been validated using 214 webshell files, with results demonstrating its ability to detect all shell command injection events and redirect malicious traffic. Our evaluations also indicate that the overhead caused by HoneyContainer is minimal and unlikely to be noticeable by normal users. The source code is released at https://github.com/wei-juncheng/webshell php5 demo
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
