Webshells are programs written for a specific purpose in web scripting languages such as PHP, ASP, ASP.NET, JSP, PERL-CGI, etc. Webshells provide a means to communicate with the server's operating system via the interpreter of the web scripting language. Hence, webshells can execute OS-specific commands over HTTP. Usually, web attacks by malicious users are carried out by uploading one of these webshells to compromise the target web server. Though there have been several approaches to detecting such malicious webshells, no standard dataset has been built to compare the various webshell detection techniques. In this paper, we present a collection of webshell files, webSHArk 1.0, as a standard dataset for current and future studies in malicious webshell detection. To provide baseline results for future studies and for the improvement of current tools, we also present some benchmark results obtained by scanning the webSHArk dataset directory with three webshell scanning tools that are publicly available on the Internet. The webSHArk 1.0 dataset is only available upon request via email to one of the authors, due to security and legal issues.
ISBN (print): 9798350358261; 9798350358278
Amid escalating cyber threats, websites have emerged as predominant targets for attackers employing webshells to maintain extended control. Webshells, frequently used by Advanced Persistent Threat (APT) groups, often result in significant damage, despite the conspicuous lack of focused academic research on their detection. This paper illuminates the stealth variant of the webshell, covertly embedded within benign files, and addresses the unique detection challenges presented by their covert nature and the dearth of targeted datasets. In response to these challenges, we construct three datasets: small webshells, benign files, and stealth webshells, and subsequently propose an innovative triplet network detection model for stealth webshells. This model excels in differentiating stealth webshells from benign files while simultaneously aligning them more closely with small webshells, thereby refining classification precision. Our methodology transforms samples into opcode sequences through a series of processing steps, and then feeds them into the specially designed triplet network. Benchmarked against a cutting-edge deep learning network model and recognized detection tools, our detection methodology yields superior performance, delivering a high accuracy of 92.56% and a robust F1-score of 89.17%. These results substantiate the potency of our approach in countering the mounting threat posed by stealth webshells.
In order to detect webshells that hackers inject into web servers by exploiting system vulnerabilities or open-source web page code, a novel webshell detection system based on a scoring scheme, named Evil-hunter, is proposed. First, a large set of malicious function samples normally used in webshells is collected from various sources on the Internet and security forums. Secondly, according to the danger level and the frequency with which these malicious functions are used in webshells as well as in legitimate web applications, a score-assignment strategy for each malicious sample is devised. Then, the appropriate score threshold value for each sample is obtained from the results of a statistical analysis. Finally, based on the threshold value, a simple algorithm is presented to identify files that contain webshells in web applications. The experimental results show that, compared with other approaches, Evil-hunter can identify webshells more efficiently and accurately.
A webshell is a backdoor used by hackers to control web servers and perform privilege escalation, and thus it is crucial to detect webshells effectively. However, the detection of obfuscated webshells has always been a challenge. Inspired by adversarial training methods in the field of computer vision, this paper proposes a generative adversarial network (GAN)-based webshell detection model training framework. Since no existing method can generate obfuscated webshells effectively, a generator based on a genetic algorithm, which combines and optimizes pre-set obfuscation methods, is used to obtain new obfuscation combinations and generate obfuscated samples. The whole proposed framework is named CWSOGG. When training the detection model, the generator generates webshells that can bypass the discriminator, and the discriminator learns the features of the obfuscated samples. Through the adversarial training of the discriminator and generator, the detection model improves its ability to detect obfuscated webshells. To verify that the proposed framework is flexible across different models, discriminators based on four main neural network architectures have been implemented. Meanwhile, to build complete feature extraction models, both statistical and semantic features are extracted. Due to the lack of webshell data, a clean dataset containing 4,375 webshells is constructed and used to evaluate CWSOGG. The results show that the detection accuracy of each model increases by 86.71% on the generated obfuscated webshells on average and by 7.50% on the simulated real-world obfuscated webshells on average.
ISBN (print): 9781450372459
The most efficient way of securing web applications is searching for and eliminating the threats therein (from both malware and vulnerabilities). When web application source code is available, web security can be improved by detecting malicious code, such as webshells, within it. In this paper, we propose a model using a deep learning approach to detect and identify malicious code inside PHP source files. Our method relies on (i) pattern matching techniques, applying Yara rules to build malicious and benign datasets, (ii) converting the PHP source code to a numerical sequence of PHP opcodes, and (iii) applying a Convolutional Neural Network model to predict whether a PHP file embeds malicious code such as a webshell. We validate our approach with different webshell collections from reliable sources published on GitHub. The experimental results show that the proposed method achieves an accuracy of 99.02% with a 0.85% false positive rate.