Title | HoneyBog: A Hybrid Webshell Honeypot Framework against Command Injection |
Publication Type | Conference Paper |
Year of Publication | 2021 |
Authors | Liu, Songsong, Feng, Pengbin, Sun, Kun |
Conference Name | 2021 IEEE Conference on Communications and Network Security (CNS) |
Keywords | Bidirectional control, command injection, command injection attacks, composability, Computer architecture, Computers, Conferences, Hybrid Honeypot, Metrics, Network security, PHP, Prototypes, pubcrawl, Resiliency, Web servers, Webshell |
Abstract | A web server is an appealing target for attackers since it may be exploited to gain access to an organization's internal network. After compromising a web server, the attacker can construct a webshell to maintain long-term and stealthy access for further attacks. Among all webshell-based attacks, command injection is a powerful attack that can be launched to steal sensitive data from the web server or compromise other computers in the network. To monitor and analyze webshell-based command injection, we develop a hybrid webshell honeypot framework called HoneyBog, which intercepts and redirects malicious injected commands from the front-end honeypot to the high-fidelity back-end honeypot for execution. HoneyBog can achieve two advantages by using the client-server honeypot architecture. First, since the webshell-based injected commands are transferred from the compromised web server to a remote constrained execution environment, we can prevent the attacker from launching further attacks in the protected network. Second, it facilitates the centralized management of high-fidelity honeypots for remote honeypot service providers. Moreover, we increase the system fidelity of HoneyBog by synchronizing the website files between the front-end and back-end honeypots. We implement a prototype of HoneyBog using PHP and the Apache web server. Our experiments on 260 PHP webshells show that HoneyBog can effectively intercept and redirect injected commands with a low performance overhead. |
DOI | 10.1109/CNS53000.2021.9705039 |
Citation Key | liu_honeybog_2021 |