Shellbreaker: Automatically Detecting PHP-Based Malicious Web Shells

Authors

Yu Li, Wright State University - Main Campus
Jin Huang, Wright State University - Main CampusFollow
Ademola Ikusan
Milliken Mitchell
Junjie Zhang, Wright State University - Main CampusFollow
Rui Dai

Document Type

Article

Publication Date

11-1-2019

Abstract

A web shell is a server-side script uploaded by an attacker to enable persistent access on a compromised machine. Detecting web shells is therefore of significant importance. In this paper, we present a novel system named ShellBreaker to detect web shells written in PHP, one of the leading languages used for server-side script development. ShellBreaker performs detection by correlating syntactical and semantic features that systematically characterize web shells through three aspects including (i) their communication with external users/attackers, (ii) their adaption to the run-time environment, and (iii) their usage of sensitive operations. We have evaluated ShellBreaker using real-world, PHP-based web shells and benign PHP scripts. Experimental results have demonstrated that ShellBreaker can achieve a high detection rate of 91.7% at a low false positive rate of 1%.

Repository Citation

Li, Y., Huang, J., Ikusan, A., Mitchell, M., Zhang, J., & Dai, R. (2019). Shellbreaker: Automatically Detecting PHP-Based Malicious Web Shells. Computers and Security, 87, 101595.
https://corescholar.libraries.wright.edu/cse/520

DOI

10.1016/j.cose.2019.101595