
[1] Truong Dinh Tu, Cheng Guang, et al. Evil-hunter: a novel web shell detection system based on scoring scheme [J]. Journal of Southeast University (English Edition), 2014, 30 (3): 278-284. [doi:10.3969/j.issn.1003-7985.2014.03.004]

Evil-hunter: a novel web shell detection system based on scoring scheme

Journal of Southeast University (English Edition) [ISSN: 1003-7985 / CN: 32-1325/N]

Volume: 30
Issue: 3 (2014)
Pages: 278-284
Research Field: Computer Science and Engineering
Publishing date: 2014-09-30

Info

Title:
Evil-hunter: a novel web shell detection system based on scoring scheme
Author(s):
Truong Dinh Tu (1, 2, 3), Cheng Guang (1, 3), Guo Xiaojun (1, 3), Pan Wubin (1, 3)
1 School of Computer Science and Engineering, Southeast University, Nanjing 210096, China
2 Department of Information Technology, Tuyhoa Industrial College, Phuyen 620900, Vietnam
3 Key Laboratory of Computer Network and Information Integration of Ministry of Education, Southeast University, Nanjing 210096, China
Keywords:
web shell detection; scoring scheme; malicious code identification
PACS:
TP393.08
DOI:
10.3969/j.issn.1003-7985.2014.03.004
Abstract:
In order to detect web shells that hackers inject into web servers by exploiting system vulnerabilities or open-source web page code, a novel web shell detection system based on a scoring scheme, named Evil-hunter, is proposed. First, a large set of samples of the malicious functions commonly used in web shells is collected from various sources on the Internet and from security forums. Secondly, according to the danger level of these malicious functions and the frequency with which they are used in web shells as well as in legitimate web applications, a score-assigning strategy for each malicious sample is devised. Then, the appropriate score threshold for each sample is obtained from the results of a statistical analysis. Finally, based on the threshold, a simple algorithm is presented to identify files that contain web shells in web applications. The experimental results show that, compared with other approaches, Evil-hunter identifies web shells more efficiently and accurately.

Abstract (Chinese version): To address the problem of promptly detecting web shells, the malicious code that attackers secretly embed in web servers by exploiting system vulnerabilities or tampering with open-source web page code, a web shell detection system based on a scoring scheme, Evil-hunter, is proposed. First, a large set of samples of the malicious functions frequently used in web shells is collected from the Internet and from various security forums. Second, according to the differing danger levels and usage frequencies of these malicious functions in web shells and in normal web applications, the proposed scoring strategy is used to score the collected samples, and the statistical results are analysed to derive an appropriate score threshold. Finally, based on the derived threshold, a simple detection algorithm is used to identify the web shell code contained in web applications. Experimental results show that, compared with other methods, Evil-hunter achieves a higher recognition rate and accuracy.
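A minimal implementation of the scoring approach the abstract describes, added here as an illustration and not the authors' Evil-hunter code: the function table, the danger and legitimate-use weights, the threshold and the sample PHP files are all constructed assumptions standing in for the paper's statistically derived values.

```python
import re
from typing import Dict, Tuple

# Constructed scoring table (an assumption for this example; the paper's real
# sample set, scores and threshold are not reproduced on this page).
# name -> (danger level 1-10, how often legitimate apps call it, 1-10)
FUNCTION_TABLE: Dict[str, Tuple[int, int]] = {
    "eval": (10, 2), "assert": (8, 3), "system": (9, 1), "exec": (9, 1),
    "shell_exec": (9, 1), "passthru": (9, 1), "base64_decode": (6, 4),
    "gzinflate": (6, 2), "str_rot13": (4, 2), "preg_replace": (3, 8),
    "fwrite": (2, 7), "mail": (1, 8),
}
THRESHOLD = 100   # constructed; the paper derives its threshold statistically
MAX_COUNTED = 3   # repeated calls add evidence, but only up to a cap

# Match a call such as "eval(" or "@eval (" but not "my_eval(" or "$eval".
CALL_RE = {n: re.compile(r"(?<![\w$])" + re.escape(n) + r"\s*\(") for n in FUNCTION_TABLE}

def function_weight(name: str) -> int:
    """Danger level scaled down by how common the function is in legitimate code."""
    danger, legit_freq = FUNCTION_TABLE[name]
    return danger * (11 - legit_freq)

def score_source(src: str) -> int:
    """Sum of the weights of every listed function found, per (capped) occurrence."""
    total = 0
    for name, pattern in CALL_RE.items():
        hits = len(pattern.findall(src))
        total += function_weight(name) * min(hits, MAX_COUNTED)
    return total

def is_web_shell(src: str) -> bool:
    return score_source(src) >= THRESHOLD

def scan_files(files: Dict[str, str]) -> Dict[str, Tuple[int, bool]]:
    """Return {path: (score, flagged)} for a mapping of path -> source text."""
    return {path: (score_source(src), is_web_shell(src)) for path, src in files.items()}

# Constructed sample inputs standing in for files under a web root.
SAMPLE_FILES = {
    "contact.php": '<?php mail($to, $subj, preg_replace("/\\s+/", " ", $body)); fwrite($log, $to); ?>',
    "theme.php": '<?php $css = base64_decode($cfg["css"]); echo preg_replace("/x/", "y", $css); ?>',
    "img.php": '<?php @eval(base64_decode($_POST["c"])); ?>',
}

if __name__ == "__main__":
    for path, (score, flagged) in scan_files(SAMPLE_FILES).items():
        print(f"{path:12s} score={score:4d} {'WEB SHELL' if flagged else 'ok'}")
```

Note that theme.php uses base64_decode legitimately and stays well below the threshold; the score only crosses it when a decoder is combined with a high-danger function such as eval.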

Memo

Memo:
Biographies: Truong Dinh Tu (1979—), male, graduate; Cheng Guang (corresponding author), male, doctor, professor, gcheng@njnet.edu.cn.
Foundation items: The Science and Technology Support Program of Jiangsu Province (No. BE2011173), the Future Network Proactive Program of Jiangsu Province (No. BY2013095-5-03), the Program for Special Talent in Six Fields of Jiangsu Province (No. 2011-DZ024).
Citation: Truong Dinh Tu, Cheng Guang, Guo Xiaojun, et al. Evil-hunter: a novel web shell detection system based on scoring scheme [J]. Journal of Southeast University (English Edition), 2014, 30(3): 278-284. [doi:10.3969/j.issn.1003-7985.2014.03.004]
Last Update: 2014-09-20