Thesis 109522047: Detailed Record




Author: Wei-Jun Cheng (城偉竣)   Department: Computer Science and Information Engineering
Thesis title: HoneyContainer: Container-based Webshell Command Injection Defending and Backtracking
Related theses:
★ Dynamic Overlay Construction for Mobile Target Detection in Wireless Sensor Networks
★ A Simple Detour Strategy for Vehicle Navigation
★ Improving Localization Using Transmitter Voltage
★ Constructing a Virtual Backbone in Vehicular Networks Using Vehicle Classification
★ Why Topology-based Broadcast Algorithms Do Not Work Well in Heterogeneous Wireless Networks?
★ Efficient Wireless Sensor Networks for Mobile Targets
★ An Articulation-Point-Based Distributed Topology Control Method for Wireless Ad Hoc Networks
★ A Review of Existing Web Frameworks
★ A Distributed Algorithm for Partitioning Sensor Networks into Greedy Blocks
★ Range-free Distance Measurement in Wireless Networks
★ Inferring Floor Plan from Trajectories
★ An Indoor Collaborative Pedestrian Dead Reckoning System
★ Dynamic Content Adjustment In Mobile Ad Hoc Networks
★ An Image-based Localization System
★ Distributed Compressed Data Gathering Algorithm for Large-scale Wireless Sensor Networks
★ Collision Analysis in Vehicular WiFi Networks
  1. Access permission for this electronic thesis: immediate open access.
  2. The open-access electronic full text is licensed only for users' personal, non-profit retrieval, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization, to avoid violating the law.

Abstract (Chinese): The web server is usually regarded as an important face of an enterprise. However, because of the ever-changing and wide variety of attack techniques on the Internet, the web server often becomes the security weak point of an enterprise's overall system. Among these complex attack techniques, the webshell attack is the most troublesome. An attacker can upload a webshell file through a legitimate path and then launch a webshell attack with traffic that resembles that of ordinary users. A large body of academic research has studied how to detect webshell attacks, including static file analysis and HTTP traffic analysis, but attackers can still evade detection by encrypting the webshell file and the contents of the HTTP packets used to operate it. To detect and defend against webshell attacks, we propose an architecture named HoneyContainer. It can detect attacks, trace the attacker's source, and redirect malicious traffic into a honeypot container environment. In this way, HoneyContainer can effectively protect the web server from intrusion. We implemented the basic architecture of HoneyContainer and validated its functionality with 214 real webshell files; the results show that HoneyContainer can successfully detect all the attacks and redirect the malicious traffic into the honeypot environment. In addition, our evaluation shows that HoneyContainer imposes only a slight performance overhead on the overall web server system, which is imperceptible to ordinary users.
Abstract (English): The web server is considered the face of a company. However, it is exposed to users on the Internet, so the web server is also a weak point in the enterprise's system because of the variety of attack strategies. Among those strategies, the webshell attack is one of the most frustrating issues. A webshell can be uploaded through a legitimate path and launched with network traffic that is similar to that of normal users. Although plenty of research works focus on detecting webshell attacks with various methods, including analyzing the source file or the content of HTTP requests, the adversary can encode the source file or encrypt the communications between the webshell on the server and his browser. To detect and defend against webshell-based command injection attacks, we propose an architecture, namely HoneyContainer, which detects attack events, backtracks the source of the adversary, and redirects the malicious traffic to a honeypot container. It can efficiently protect the web service from the adversary's intrusion. A prototype of HoneyContainer is implemented and validated with 214 webshell files, and the results show that HoneyContainer can detect all of the shell command injection events and redirect malicious traffic. Furthermore, our evaluations indicate that the overhead caused by HoneyContainer is hardly noticeable to normal users.
Keywords (Chinese): ★ information security
Keywords (English): ★ security ★ container ★ Linux ★ webshell ★ honeypot
Table of contents:
1 Introduction ..... 1
2 Related Work ..... 4
2.1 Container Security ..... 4
2.2 Container Performance ..... 5
2.3 Honeypot ..... 6
2.4 Webshell ..... 7
3 Preliminary
3.1 Linux Container ..... 10
3.2 gVisor ..... 11
3.3 Falco ..... 12
3.4 NGINX ..... 13
4 Attack Model and Assumption ..... 14
5 Design ..... 15
5.1 Overview ..... 15
5.2 Management Controller ..... 16
5.3 System Call Monitor ..... 16
5.4 Portal ..... 19
5.5 Honeypot ..... 20
5.6 Isolated Containers ..... 21
6 Performance and Analysis ..... 24
6.1 Experimental Environment ..... 24
6.2 Performance Evaluation ..... 26
6.2.1 Statistical Analysis ..... 28
6.3 Security Validation ..... 30
7 Conclusions ..... 31
Reference ..... 32
Advisor: Min-Te Sun (孫敏德)   Review date: 2022-7-25