ZenIDS: Introspective Intrusion Detection for PHP Applications
Authors: Byron Hawkins, Brian Demsky
Venue: 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE), pages 232-243
Publication date: 2017-05-20
DOI: 10.1109/ICSE.2017.29 (https://doi.org/10.1109/ICSE.2017.29)
Citation count (Semantic Scholar): 11

Since its first appearance more than 20 years ago, PHP has steadily increased in popularity, and has become the foundation of the Internet's most popular content management systems (CMS). Of the world's 1 million most visited websites, nearly half use a CMS, and WordPress alone claims 25% market share of all websites. While their easy-to-use templates and components have greatly simplified the work of developing high-quality websites, this convenience comes at the cost of software vulnerabilities, which are inevitable in such large and rapidly evolving frameworks. Intrusion Detection Systems (IDS) are often used to protect Internet-facing applications, but conventional techniques struggle to keep up with the fast pace of development in today's web applications. Rapid changes to application interfaces increase the workload of maintaining an IDS whitelist, yet the broad attack surface of a web application makes for a similarly verbose blacklist. We developed ZenIDS to dynamically learn the trusted execution paths of an application during a short online training period and report execution anomalies as potential intrusions. We implement ZenIDS as a PHP extension supported by 8 hooks instrumented in the PHP interpreter. Our experiments demonstrate its effectiveness monitoring one year of live web traffic to 3 large PHP applications, detecting malicious requests with a false positive rate of less than 0.01% after training on fewer than 4,000 requests. ZenIDS excludes the vast majority of deployed PHP code from the whitelist because it is never used for valid requests, yet that code could potentially be exploited by a remote adversary. We observe a performance overhead of 5% or less for our applications vs. an optimized vanilla LAMP stack.
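The following is an added illustration of the learn-then-detect approach the abstract describes; it is not the ZenIDS extension or any code from the paper. It assumes that "trusted execution paths" can be approximated by call-graph edges (the abstract does not state the granularity ZenIDS uses), substitutes Python's sys.setprofile for the interpreter hooks, and runs against a constructed toy application whose unauthenticated admin endpoint is never exercised by normal traffic:

```python
"""Python analogue of the ZenIDS idea (added example, not the paper's code): learn the
call-graph edges crossed by trusted requests during a training window, then report any
request that crosses an edge outside that set. sys.setprofile stands in for the
interpreter hooks; the CMS below is a constructed toy, not a real application."""
import sys
from typing import Callable, Dict, List, Set, Tuple

class IntrospectiveIDS:
    def __init__(self, app_globals: dict) -> None:
        self.app_globals = app_globals   # frames sharing these globals are app code
        self.trusted: Set[Tuple[str, str]] = set()  # learned whitelist of (caller, callee) edges
        self.training = True
        self._edges: Set[Tuple[str, str]] = set()   # edges crossed by the request in flight

    def _profile(self, frame, event, arg) -> None:
        # One 'call' event per Python-level function entry; C calls and returns are ignored.
        if event != "call" or frame.f_globals is not self.app_globals:
            return
        caller = frame.f_back
        if (caller is None or caller.f_globals is not self.app_globals
                or caller.f_code is IntrospectiveIDS.run.__code__):
            caller_name = "<request>"    # entered from the IDS dispatcher itself
        else:
            caller_name = caller.f_code.co_name
        self._edges.add((caller_name, frame.f_code.co_name))

    def run(self, handler: Callable[[dict], str], request: dict) -> Tuple[str, List[Tuple[str, str]]]:
        # Serve one request under introspection; return (response, edges outside the whitelist).
        self._edges = set()
        sys.setprofile(self._profile)
        try:
            response = handler(request)
        finally:
            sys.setprofile(None)
        if self.training:
            self.trusted |= self._edges  # training: everything observed becomes trusted
            return response, []
        return response, sorted(self._edges - self.trusted)

# --- Constructed toy CMS standing in for a PHP application ---
POSTS = {1: "Hello world", 2: "Second post"}

def escape_html(text: str) -> str:
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def render(tag: str, body: str) -> str:
    return "<%s>%s</%s>" % (tag, escape_html(body), tag)

def view_post(req: dict) -> str:
    pid = req["params"].get("id", "")
    post = POSTS.get(int(pid)) if pid.isdigit() else None
    return render("article", post or "not found")

def search(req: dict) -> str:
    q = req["params"].get("q", "").lower()
    hits = []
    for text in POSTS.values():
        if q in text.lower():
            hits.append(text)
    return render("ul", "; ".join(hits))

def parse_settings(blob: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for pair in blob.split(";"):
        key, _, value = pair.partition("=")
        out[key.strip()] = value.strip()
    return out

def import_settings(req: dict) -> str:
    # Dormant admin feature with no auth check: normal traffic never reaches it, so it
    # never enters the whitelist, yet it stays reachable to anyone who finds the route.
    settings = parse_settings(req["params"].get("settings", ""))
    return render("p", "%d settings updated" % len(settings))

ROUTES = {("GET", "/post"): view_post, ("GET", "/search"): search,
          ("POST", "/admin/import"): import_settings}
APP_FUNCTIONS = [escape_html, render, view_post, search, parse_settings, import_settings]

def handle_request(req: dict) -> str:
    handler = ROUTES.get((req["method"], req["path"]))
    return "404" if handler is None else handler(req)

def never_whitelisted(ids: IntrospectiveIDS) -> List[str]:
    # Deployed functions that no trusted request reached, so they stay off the whitelist.
    reached = {callee for _, callee in ids.trusted}
    return sorted(f.__name__ for f in APP_FUNCTIONS if f.__name__ not in reached)

def simulate() -> Dict[str, object]:
    ids = IntrospectiveIDS(globals())
    for req in [  # constructed trusted traffic for the training window
        {"method": "GET", "path": "/post", "params": {"id": "1"}},
        {"method": "GET", "path": "/search", "params": {"q": "hello"}},
    ]:
        ids.run(handle_request, req)
    ids.training = False
    # Unseen input on a trained path: same edges, no alarm (the whitelist is over code paths, not values).
    _, benign = ids.run(handle_request, {"method": "GET", "path": "/search", "params": {"q": "<script>"}})
    # Request to the dormant endpoint: crosses edges never seen in training, so it is reported.
    _, alarm = ids.run(handle_request, {"method": "POST", "path": "/admin/import", "params": {"settings": "theme=evil"}})
    return {"trusted_edges": ids.trusted, "benign_anomalies": benign,
            "attack_anomalies": alarm, "never_whitelisted": never_whitelisted(ids)}
```

Running `simulate()` shows the two properties the abstract claims: a new parameter value on an already-trained route produces no alarm because the whitelist is keyed on code paths rather than input values, while a request that wakes the dormant `import_settings` path is reported through the three edges training never saw, and `never_whitelisted` lists the deployed functions that valid traffic never reached. The usual caveat for any learned whitelist applies: traffic in the training window must be known-benign, since an attack that lands during training is learned as trusted.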