Journal articles
8 articles found
1. JShellDetector: A Java Fileless Webshell Detector Based on Program Analysis (cited by: 1)
Authors: Xuyan Song, Yiting Qin, Xinyao Liu, Baojiang Cui, Junsong Fu. Computers, Materials & Continua (SCIE, EI), 2023, No. 4, pp. 2061-2078 (18 pages)
Fileless webshell attacks against Java web applications have become more frequent in recent years as Java has gained market share. Webshell is a malicious script that can remotely execute commands and invade servers. It is widely used in attacks against web applications. In contrast to traditional file-based webshells, fileless webshells leave no traces on the hard drive, which means they are invisible to most antivirus software. To make matters worse, although there are some studies on fileless webshells, almost all of them are aimed at web applications developed in the PHP language. The complex mechanism of Java makes researchers face more challenges. To mitigate this attack, this paper proposes JShellDetector, a fileless webshell detector for Java web applications based on program analysis. JShellDetector uses method probes to capture dynamic characteristics of web applications in the Java Virtual Machine (JVM). When a suspicious class tries to call a specific sensitive method, JShellDetector catches it and converts it from the JVM to a bytecode file. Then, JShellDetector builds a Jimple-based control flow graph and processes it using taint analysis techniques. A suspicious class is considered malicious if there is a valid path from sources to sinks. To demonstrate the effectiveness of the proposed approach, we manually collect 35 test cases (all open source on GitHub) and test JShellDetector and only two other Java fileless webshell detection tools. The experimental results show that the detection rate of JShellDetector reaches 77.1%, which is about 11% higher than the other two tools.
Keywords: Web security; fileless webshell; Java web application; malware
2. Machine learning based fileless malware traffic classification using image visualization
Authors: Fikirte Ayalke Demmese, Ajaya Neupane, Sajad Khorsandroo, May Wang, Kaushik Roy, Yu Fu. Cybersecurity (EI, CSCD), 2024, No. 4, pp. 1-18 (18 pages)
In today's interconnected world, network traffic is replete with adversarial attacks. As technology evolves, these attacks are also becoming increasingly sophisticated, making them even harder to detect. Fortunately, artificial intelligence (AI) and, specifically, machine learning (ML), have shown great success in fast and accurate detection, classification, and even analysis of such threats. Accordingly, there is a growing body of literature addressing how subfields of AI/ML (e.g., natural language processing (NLP)) are getting leveraged to accurately detect evasive malicious patterns in network traffic. In this paper, we delve into the current advancements in ML-based network traffic classification using image visualization. Through a rigorous experimental methodology, we first explore the process of network traffic to image conversion. Subsequently, we investigate how machine learning techniques can effectively leverage image visualization to accurately classify evasive malicious traces within network traffic. Through the utilization of production-level tools and utilities in realistic experiments, our proposed solution achieves an impressive accuracy rate of 99.48% in detecting fileless malware, which is widely regarded as one of the most elusive classes of malicious software.
Keywords: Network security; traffic classification; fileless malware; image visualization; machine learning; intrusion
3. An emerging threat Fileless malware: a survey and research challenges (cited by: 6)
Authors: Sudhakar, Sushil Kumar. Cybersecurity (CSCD), 2020, No. 1, pp. 42-53 (12 pages)
With the evolution of cybersecurity countermeasures, the threat landscape has also evolved, especially in malware from traditional file-based malware to sophisticated and multifarious fileless malware. Fileless malware does not use traditional executables to carry out its activities. So, it does not use the file system, thereby evading signature-based detection systems. The fileless malware attack is catastrophic for any enterprise because of its persistence, and power to evade any anti-virus solutions. The malware leverages the power of operating systems, trusted tools to accomplish its malicious intent. To analyze such malware, security professionals use forensic tools to trace the attacker, whereas the attacker might use anti-forensics tools to erase their traces. This survey makes a comprehensive analysis of fileless malware and their detection techniques that are available in the literature. We present a process model to handle fileless malware attacks in the incident response process. In the end, the specific research gaps present in the proposed process model are identified, and associated challenges are highlighted.
Keywords: fileless malware; botnet; incident response; memory forensics; incident investigation; memory resident malware; rootkit
4. An emerging threat Fileless malware: a survey and research challenges
Authors: Sudhakar, Sushil Kumar. Cybersecurity, 2018, No. 1, pp. 668-679 (12 pages)
With the evolution of cybersecurity countermeasures, the threat landscape has also evolved, especially in malware from traditional file-based malware to sophisticated and multifarious fileless malware. Fileless malware does not use traditional executables to carry out its activities. So, it does not use the file system, thereby evading signature-based detection systems. The fileless malware attack is catastrophic for any enterprise because of its persistence, and power to evade any anti-virus solutions. The malware leverages the power of operating systems, trusted tools to accomplish its malicious intent. To analyze such malware, security professionals use forensic tools to trace the attacker, whereas the attacker might use anti-forensics tools to erase their traces. This survey makes a comprehensive analysis of fileless malware and their detection techniques that are available in the literature. We present a process model to handle fileless malware attacks in the incident response process. In the end, the specific research gaps present in the proposed process model are identified, and associated challenges are highlighted.
Keywords: fileless malware; botnet; incident response; memory forensics; incident investigation; memory resident malware; rootkit
5. Research on a Detection Technique for Tomcat Filter-type MemShells (cited by: 1)
Authors: 蔡国宝, 张昆, 曲博, 李俊, 袁方, 李振宇, 丁勇. 《信息安全学报》 (Journal of Cyber Security, CSCD), 2023, No. 4, pp. 153-162 (10 pages)
In recent years, with the continuous development and application of computer technology, web application technology has iterated rapidly, and trojan backdoor technology has developed alongside it. Traditional trojan backdoor techniques can no longer satisfy attackers' needs, so memory-based attack methods keep emerging, including PowerShell in-memory loading attacks, .NET assembly managed-code injection attacks and memory webshell (Memory WebShell, MemShell) attacks, which pose great challenges to existing security defense and detection mechanisms. Industry therefore shows a strong demand for solutions to memory-based attacks, especially MemShell attacks. However, current industry capability for detecting MemShells is weak, and academic research in this area is lacking, so this paper proposes a detection method for Tomcat Filter-type MemShells. Our research finds that the core techniques of a MemShell are being fileless and living off the land; nevertheless, a MemShell ultimately exhibits its functionality and executes commands in memory, so memory is the convergence point of all threats. This paper therefore takes the Java Virtual Machine (JVM) as the starting point. First, JVM memory scanning is used to enumerate all Filter-type objects loaded in JVM memory. Note that not all of these objects are threats, and each object has certain characteristics, so these characteristics can be classified by expert experience and representative feature vectors selected. All representative feature vectors of each Filter-type object are then obtained, and an abnormal behavior sequence is derived from the feature-vector values. Finally, the naive Bayes algorithm takes the abnormal behavior sequences of a large number of normal and abnormal Filter objects as training samples, computes the conditional probabilities of the corresponding items and forms a Bayesian classifier. The trained Bayesian classifier can be used to build a MemShell detection model that effectively detects this type of MemShell. Experimental results show that the proposed method achieves a zero false-positive rate and a recall of 94.07% for Tomcat Filter-type MemShells.
Keywords: remote control; memory webshell (MemShell); fileless backdoor; naive Bayes classification algorithm; abnormal behavior sequence
6. Attacks and Protection Against "Fileless" Malware (cited by: 5)
Author: 蒋晓晶. 《信息安全与通信保密》 (Information Security and Communications Privacy), 2017, No. 9, pp. 40-47 (8 pages)
As malware has continued to evolve, a kind of malware that exists in "fileless" form has appeared; it is hard to discover and extremely harmful, threatening banks, telecommunications companies and government agencies worldwide. This paper first introduces the definition and history of "fileless" malware, then describes in detail the attack techniques it uses. Finally, the paper analyzes the challenges posed by "fileless" malware and the countermeasures against it.
Keywords: fileless; malware; attack and protection
7. Research and Implementation of Lateral Movement Attack Detection Based on CimCmdlets (cited by: 2)
Authors: 李杰, 滕斌, 曹国江. 《通信技术》 (Communications Technology), 2019, No. 12, pp. 3005-3009 (5 pages)
Network attackers often use lateral movement attacks to move and penetrate systematically through a network in search of valuable data or assets. Because such attacks usually leave no file-storage traces, they pose a great challenge to intrusion detection and forensic analysis. After introducing the concept of lateral movement attacks and the techniques involved, this paper focuses on detecting such attack behavior, establishes an overall technical approach and detection method based on CimCmdlets, and presents test and evaluation results from a real system.
Keywords: fileless; lateral movement; CimCmdlets; detection method
8. A Survey of Fileless Attack Techniques and Defenses
Authors: 林明亮, 彭贵超. 《新一代信息技术》 (New Generation of Information Technology), 2021, No. 17, pp. 31-35 (5 pages)
Because of the diversity of attack surfaces, the endless stream of samples and the technical contest between attackers and security researchers, cyberspace security detection is a complex problem. In recent years a kind of attack has appeared that changes its propagation and behavior in order to leave no traces. Because it leaves no traces, conventional file-based detection and analysis methods are no longer effective. As network security technology has developed, the threat surface of network attacks has correspondingly widened; in particular, malicious code has evolved from traditional file-based malicious code to complex and diverse fileless malicious code. Fileless malicious code does not carry out its behavior through traditional executable files, so it does not depend on the file system and thereby evades signature-based detection systems. Because of its persistence and its ability to evade detection, a fileless malicious code attack is catastrophic for any organization. This kind of malicious code uses the operating system's own trusted tools to perform its malicious behavior. To analyze such malicious code, security experts use forensic tools to trace the attacker; conversely, attackers also use anti-forensic tools to erase attack traces. This paper mainly studies the principles of fileless attacks and their application in modern offense and defense, and proposes a defense system against this type of attack.
Keywords: fileless attack; malicious code; network security; virus