Results and Supplementaries
Performance Evaluation and Comparison
SWIDE outperforms other commercial NIDS on attack-attempt detection tasks (an easier task than identifying successful attacks), achieves high recall (75% - 90%) on a successful-attack dataset covering 5 different types of attacks, and reaches relatively high precision (> 70%) on 500M real-world samples.
Weekly Alarms Triggered in Online Deployment
We deployed SWIDE for 5,000+ enterprise users for more than 28 weeks up to the time of writing. It generates on average 79,388,689 attack alerts per day (originating from the Attack Payload Identification module), with around 34,107 of these alerts flagged as successful attack incidents (originating from the Consequence Matching module). This implies that one in every 2,328 attacks is deemed successful. On average, around 750 enterprises have been attacked successfully at least once per week.
The diagram below highlights a spike of attack events during two weeks in November 2023, attributed to the extensive exploitation of a zero-day command execution vulnerability in a prevalent IP camera management system.
List of Filtering Keywords for PHP Code Injection
We provide the list of keywords used for PHP code execution filtering as a sample. More details can be found in Section 3.2 of our paper.
Global Variables
- GLOBALS
- _SERVER
- HTTP_SERVER_VARS
- _COOKIE
- _GET
- HTTP_GET_VARS
- _POST
- HTTP_POST_VARS
- _FILES
- HTTP_POST_FILES
- _REQUEST
- HTTP_SESSION_VARS
- _ENV
- HTTP_ENV_VARS
- HTTP_COOKIE_VARS
- HTTP_RAW_POST_DATA
Functions w/o Parentheses
- exit
- echo
- use
- new
- class
- function
- clone
- include
- include_once
- require
- require_once
- __halt_compiler
Characters in Data Fields
- `
- (
- )
- $
- "
- '
- [
- ]
- ;
- {
- }