A static PHP analysis tool to aid intrusion detection

About F-SPAN (Fast Static Php ANalyzer)

The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security.
To prevent the exploitation of potentially insecure web applications companies often use Intrusion Detection Systems (IDSs). IDSs can detect traces of malicius activities targeted against the network and its resources. There are, in general, two types of IDSs, misuse-based and anomaly-based. While misuse-based systems try to detect attacks based on models of malicious behavior, anomaly-based systems record "normal" user bahavior and raise an alert when a deviation from this behavior is detected.
F-SPAN is an utility which tries to extract the names, types, and sets of possible values for the parameters that are passed to a web application. F-SPAN analyzes PHP files, since PHP is arguably the most popular web programming language as of today. The gained knowledge can then be used during the training phase of a anomaly-based IDS. More precisely, by providing the IDS with knowledge about the types, structures, or even concrete values that can be expected for request parameters, more concise models can be built. This reduces the false negative rate of the system. Moreover, by providing the IDS with information about all the parameter names expected by the application, false positives can be reduced. In particular, a valid parameter that does not appear in the training set is not flagged as anomalous when the IDS knows that the application can process it.


Paper submitted, accepted and presented at DIMVA 2006.

Documentation / Publications

So far, there is no documentaion available. Short documentation in form of a man page migth be released together with the source code.
The DIMVA paper was published in the DIMVA 2006 proceedings (July 13, 2006). You can download it here.


The source code will be released at some point in the future when someone takes the time to clean it up a little.


F-SPAN was developed by Manuel Egele and Martin Szydlowski.

Last Modified: Mon Oct 9 12:10:43 CEST 2006

Distributed Systems Group / Automation Systems Group/ Technical University of Vienna www.seclab.tuwien.ac.at