HoneyBog: A Hybrid Webshell Honeypot Framework against Command Injection

Title: HoneyBog: A Hybrid Webshell Honeypot Framework against Command Injection
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Liu, Songsong; Feng, Pengbin; Sun, Kun
Conference Name: 2021 IEEE Conference on Communications and Network Security (CNS)
Keywords: Bidirectional control, command injection, command injection attacks, composability, Computer architecture, Computers, Conferences, Hybrid Honeypot, Metrics, Network security, PHP, Prototypes, pubcrawl, Resiliency, Web servers, Webshell
Abstract: A web server is an appealing target for attackers since it may be exploited to gain access to an organization's internal network. After compromising a web server, the attacker can install a webshell to maintain long-term and stealthy access for further attacks. Among all webshell-based attacks, command injection is a powerful attack that can be used to steal sensitive data from the web server or to compromise other computers in the network. To monitor and analyze webshell-based command injection, we develop a hybrid webshell honeypot framework called HoneyBog, which intercepts injected commands on the front-end honeypot and redirects them to a high-fidelity back-end honeypot for execution. This client-server honeypot architecture gives HoneyBog two advantages. First, since the webshell-injected commands are transferred from the compromised web server to a remote, constrained execution environment, the attacker is prevented from launching further attacks inside the protected network. Second, it facilitates the centralized management of high-fidelity honeypots for remote honeypot service providers. Moreover, we increase the fidelity of HoneyBog by synchronizing the website files between the front-end and back-end honeypots. We implement a prototype of HoneyBog using PHP and the Apache web server. Our experiments on 260 PHP webshells show that HoneyBog can effectively intercept and redirect injected commands with low performance overhead.
DOI: 10.1109/CNS53000.2021.9705039
Citation Key: liu_honeybog_2021