Research field: Safety
Conference: CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
Web attacks, a primary vector for system breaches, pose a significant challenge within the cybersecurity landscape. The growing intensity of web attack attempts has led to "alert fatigue", where enterprises are inundated by excessive alerts. Although extensive research is being conducted on automated methods for detecting web attacks, it remains an open problem to identify whether the attacks are successful. Towards this end, we present SWIDE (Successful Web Injection Detection Engine), an engine to pinpoint successful web injection attacks (e.g., PHP command injection, SQL injection). This enables enterprises to focus exclusively on those crucial threats. Our methodology builds on two insights. First, while attackers tend to apply payload obfuscation techniques to evade detection, all successful web injection attacks must comply with the programming language syntax to be executable. Second, these attacks inevitably produce observable effects, such as returning execution results or creating backdoors for future access by the attacker. Consequently, we leverage advanced syntactic and semantic analysis to 1) detect malicious syntax features in obfuscated payloads and 2) perform semantic analysis of the payload to recover the intention of the attack. With a two-stage design, namely attack identification and confirmation mechanisms, SWIDE can accurately identify successful attacks, even amidst intricate obfuscations. Unlike proof-of-concept studies, SWIDE has been deployed and validated in real-world environments through collaborations with a cybersecurity firm. Serving 5,045 enterprise users, our system identifies that roughly 15% of enterprises have suffered from successful attacks on a weekly basis, an alarmingly high rate. Moreover, we perform a detailed analysis of six months' data and discover 60 zero-day vulnerabilities exploited in the wild, including 12 high-risk ones acknowledged by relevant authorities. These findings underscore the practical effectiveness of SWIDE.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | China |
| Site | ACM |
| Likes | 0 |