@inproceedings{f7983a4bb0bc4afa9a394e249a732e06,
title = "HoneyContainer: Container-based Webshell Command Injection Defending and Backtracking",
abstract = "The web server is a vulnerable component in enterprise systems, susceptible to a variety of attack strategies. Of these, webshell attacks are particularly insidious, as they can be uploaded through legitimate paths and executed using network traffic that is indistinguishable from that of normal users. Despite the existence of several proposed detection methods for identifying webshell attacks, attackers can still easily evade them. To address this issue, we present HoneyContainer, an architecture designed to detect webshell-based command injection attacks, trace the origin of the attacker, and redirect malicious traffic to a honeypot container. Our prototype implementation of HoneyContainer has been validated using 214 webshell files, with results demonstrating its ability to detect all shell command injection events and redirect malicious traffic. Our evaluations also indicate that the overhead caused by HoneyContainer is minimal and unlikely to be noticeable by normal users. The source code is released at https://github.com/wei-juncheng/webshell",
keywords = "command injection, container, honeypot, webshell",
author = "Wang, {Kuan Chien} and Cheng, {Wei Jun} and Jie Zhang and Sun, {Min Te} and Kazuya Sakai and Ku, {Wei Shinn}",
note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; 2023 IEEE Silicon Valley Cybersecurity Conference, SVCC 2023 ; Conference date: 17-05-2023 Through 19-05-2023",
year = "2023",
doi = "10.1109/SVCC56964.2023.10165511",
language = "English",
series = "2023 Silicon Valley Cybersecurity Conference, SVCC 2023",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
booktitle = "2023 Silicon Valley Cybersecurity Conference, SVCC 2023",
}