Abstract
A web shell is a server-side script uploaded by an attacker to enable persistent access on a compromised machine. Detecting web shells is therefore of significant importance. In this paper, we present a novel system named ShellBreaker to detect web shells written in PHP, one of the leading languages used for server-side script development. ShellBreaker performs detection by correlating syntactical and semantic features that systematically characterize web shells through three aspects including (i) their communication with external users/attackers, (ii) their adaption to the run-time environment, and (iii) their usage of sensitive operations. We have evaluated ShellBreaker using real-world, PHP-based web shells and benign PHP scripts. Experimental results have demonstrated that ShellBreaker can achieve a high detection rate of 91.7% at a low false positive rate of 1%.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
