Title

Shellbreaker: Automatically Detecting PHP-Based Malicious Web Shells

Document Type

Article

Publication Date

11-1-2019

Abstract

A web shell is a server-side script uploaded by an attacker to enable persistent access on a compromised machine. Detecting web shells is therefore of significant importance. In this paper, we present a novel system named ShellBreaker to detect web shells written in PHP, one of the leading languages used for server-side script development. ShellBreaker performs detection by correlating syntactical and semantic features that systematically characterize web shells through three aspects including (i) their communication with external users/attackers, (ii) their adaption to the run-time environment, and (iii) their usage of sensitive operations. We have evaluated ShellBreaker using real-world, PHP-based web shells and benign PHP scripts. Experimental results have demonstrated that ShellBreaker can achieve a high detection rate of 91.7% at a low false positive rate of 1%.

DOI

10.1016/j.cose.2019.101595

Find in your library

Off-Campus WSU Users


Share

COinS