Detection of the Remote Code Execution Attacks Using the PHP Web Application Intrusion Detection System

Document Type : Original Article

Authors

1 Master's student, Imam Hossein University, Tehran, Iran

2 Associate Professor, Imam Hossein University, Tehran, Iran

Abstract

With the development of web application software, the lack of access to the application layer and web platform features has become the challenge of conventional intrusion detection systems against web-based attacks. The proliferation of PHP server-side languages has led to the creation of unreliable applications and security issues in this language’s software. Remote code execution attack is one of the most important web attacks due to allowing remote access to the processor device and executing the operating system shell commands. Modifying the architecture of network layer intrusion detection systems to the application layer and applying a layered detection approach using the detections methods based on the signature and behavior in PHP application software, facilitates the detection of remote code execution attacks. In this research, remote code execution attacks are detected using the layered approach of PHP web application intrusion detection system, with 90.4% and 95% accuracy in the signature and behavior based approaches respectively.

Keywords


Smiley face

[1] "Server-side Programming Languages, "April 1 2021. [Online]. Available: https://w3techs.com.
[2] I. Ristic, Apache Security (The Complete Guide to Securing Your Apache Web Server), O’Reilly, 2005. 
[3] M. Amerei and A. Beigi, "Intrusion Detection System with Hybrid Method," A collection of the fifteenth Conference of Iran's secret conference, In Persian, 2018. 
[4] "Acunetix Web Application Vulnerability Report 2020," 2020. [Online]. Available: https://www.acunetix.com/acunetix-web-application-vulnerability-report/. [Accessed 2020].
[5] S. Biswas, M. M. H. K. Sajal, T. Afrin, T. Bhuiyan, and M. M. Hassan, "A Study on Remote Code Execution Vulnerability in Web Application," in International Conference on Cyber Security and Computer Science (ICONCS’18), 2018. 
[6] R. Chauhan, "PHP Code: Top Ten Security Vulnerabilities," DZone - Web Dev Zone, [Online]. Available: https://dzone.com/articles/php-code-top-ten-security-vuln. [Accessed 2018].
[7] B. Hawkins and B. Demsky, "ZENIDS: Introspective Intrusion Detection for PHP Applications," IEEE/ACM 39th International Conference on Software Engineering, 2017. 
[8] N. Agarwal and S. Z. Hussain, "A Closer Look at Intrusion Detection System for Web Applications," Department of Computer Science, 2018. 
[9] M. Alahmad, A. Alkandari, and N. Alawadhi, "Survey of Os Command Injection Web Application Vulnerability Attack," Journal of Engineering Science and Technology, vol. 17, no. 1, pp 1-5, 2022. 
[10] J. Díaz-Verdejo, J. Muñoz-Calle; and A. E. Alonso, "On the Detection Capabilities of Signature-Based Intrusion Detection System in the Context of Web Attacks," mdpi, vol. 9, no. 1, pp 2-10, 2022. 
[11] B. Harsh, Log based Dynamic Intrusion Detection of Web Application, M.S. Thesis, Department of Computer Science and Engineering Indian Institute of Technology Kanpur, 2019. 
[12] "PHP Security Cheat Sheet, Draft Cheatsheet, OWASP_Code_Review_Guide-V1_1," 2016. [Online]. Available: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet.
[13] l. Alshanersky, php | Architect’s Guide to PHP Security, A Step-by-Step Guide to Writing Secure and Reliable PHP Applications, 2005. 
[14] "PHP Manual," PHP, [Online]. Available: https://www.php.net/manual/en/. [Accessed 3 2020].
[15] K. Kowsari, K. Jafari Meimandi, M. Heidarysafa, S. Mendu, L. Barnes, and D. Brown, "Text Classification Algorithms: A Survey," Information, vol. 10, no. 4, pp 1-8, 2019. 
[16] K. L. Ingham, Anomaly Detection for HTTP Intrusion Detection: Algorithm Comparisons and the Effect of Generalization on Accuracy, M.S. Thesis, The University of New Mexico, 2007. 
[17] D. Jurafsky and J. Martin, Speech and Language Processing, stanford, 2019. 
[18] K. R. Suneetha and D. R. Krishnamoorthi, "Identifying User Behavior by Analyzing Web Server Access Log File," IJCSNS International Journal of Computer Science and Network Security, vol. 58, no. 2, pp 1-10, 2009. 
[19] K. U. Raut, "Log Based Intrusion Detection System," IOSR Journal of Computer Engineering (IOSR-JCE), vol. 20, no. 5, pp 1-5,  2018. 
[20] İ. Taşdelen, "Command Injection Payload List," Nov 2018. [Online]. Available: https://github.com/payloadbox/command-injection-payload-list. [Accessed 10 2019].
[21] "Exploit Database," [Online]. Available: https://www.exploit-db.com. [Accessed 21 1 2021].
[22] "Expose: An IDS for PHP," Github, 2017. [Online]. Available: https://github.com/enygma/expose. [Accessed 2021].
[23] "OWASP ModSecurity Core Rule Set," OWASP, 2020. [Online]. Available: https://coreruleset.org. [Accessed 4 2020].
[24] V. G. Le and H. T. Nguyen, "GuruWS: A Hybrid Platform for Detecting Malicious Web Shells and Web Application Vulnerabilities," Springer-Verlag GmbH Germany, vol. ?, no. ?, pp ?, 2019. 
[25] "web-application-attacks-datasets," [Online]. Available: https://gitlab.fing.edu.uy/gsi/web-application-attacks-datasets. [Accessed 21 1 2021].
[26] "OWASP (2014). Owasp Modsecurity Core Rule Set," [Online]. Available: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attack.conf.
  • Receive Date: 08 June 2021
  • Revise Date: 01 February 2022
  • Accept Date: 09 August 2022
  • Publish Date: 23 September 2022