Method and apparatus for detecting WebShell file

A WebShell file detection technology, applied in the field of network security, that addresses the problem of high false positive and false negative rates and achieves a low false positive rate, high efficiency, and security assurance.
CN106572117A · Active · Publication Date: 2017-04-19 · BEIJING ANPRO INFORMATION TECH

Patent Information

Authority / Receiving Office
CN · China
Current Assignee / Owner
BEIJING ANPRO INFORMATION TECH
Publication Date
2017-04-19


Abstract

The invention discloses a method and apparatus for detecting a WebShell file. Based on variable backtracking and an abstract syntax tree, the method performs WebShell detection on a plurality of files in a directory: a suspicious file screening process, a feature matching detection process, an abstract syntax tree analysis and detection process, an irrelevant code removal process and a mathematical formula detection process are executed in succession, after which the determined WebShell file is output. The detection apparatus comprises a suspicious file screening unit, a feature matching unit, an abstract syntax tree detection analysis unit, an irrelevant code removing unit, and a mathematical formula detection unit; together these units implement WebShell file detection. With the disclosed technical scheme, WebShell detection can be carried out comprehensively, systematically, rapidly and accurately; the detection efficiency is high and the false alarm rate is low, so web service security can be guaranteed.
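As an added illustration of the variable-backtracking and abstract-syntax-tree idea named in the abstract (not code from the patent or its assignee), the following flags calls to dangerous functions whose arguments trace back, through intermediate assignments, to request-controlled data. It assumes Python-language samples parsed with the standard `ast` module because the page does not specify a target language; the `SINKS` and `SOURCES` sets, the function names and both samples are constructed for this example, and the analysis ignores statement order.

```python
import ast

# Assumed sink/source names for this illustration; the patent text lists none.
SINKS = {"eval", "exec", "system", "popen"}
SOURCES = {"request", "environ", "input"}

def call_name(node):
    """Trailing name of a call target: os.system -> 'system'."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)

def is_tainted(expr, assigns, seen=None):
    """Backtrack every variable in expr through its assignments to a source."""
    seen = set() if seen is None else seen
    for name in {n.id for n in ast.walk(expr) if isinstance(n, ast.Name)}:
        if name in SOURCES:
            return True
        if name not in seen:
            seen.add(name)
            if any(is_tainted(v, assigns, seen) for v in assigns.get(name, [])):
                return True
    return False

def find_suspicious_calls(source):
    """Return sorted (line, sink) pairs whose arguments trace back to a source."""
    tree = ast.parse(source)
    assigns = {}  # variable name -> every expression assigned to it
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for tgt in node.targets:
                if isinstance(tgt, ast.Name):
                    assigns.setdefault(tgt.id, []).append(node.value)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and call_name(node) in SINKS:
            if any(is_tainted(a, assigns) for a in node.args):
                hits.append((node.lineno, call_name(node)))
    return sorted(hits)

# Constructed samples: the first routes request data through a decode step.
SAMPLE_SUSPECT = '''import base64, os
raw = request.args.get("c")
cmd = base64.b64decode(raw).decode()
os.system(cmd)
'''
SAMPLE_BENIGN = 'import os\ncmd = "uptime"\nos.system(cmd)\n'

if __name__ == "__main__":
    print(find_suspicious_calls(SAMPLE_SUSPECT), find_suspicious_calls(SAMPLE_BENIGN))
```

A plain signature match on `os.system(cmd)` would flag both samples; backtracking `cmd` to its origin is what separates the request-driven call from the constant one.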

Description

Technical field

[0001] The invention belongs to the technical field of network security and relates to WebShell file detection, in particular to a method and device for WebShell detection based on variable backtracking and an abstract syntax tree.

Background technique

[0002] A WebShell is a common web backdoor that attackers often use to obtain operating privileges on a web server. When attackers compromise a website, they usually place the WebShell file alongside normal web pages in the web directory, then access the WebShell file through a browser to obtain a command execution environment and ultimately take control of the website server. Once the website server is controlled, the attacker can view the database, upload and download files, and execute arbitrary program commands on it. A WebShell has the same operating environment and service port as normal web pages. It exchanges data with the remote host through the HTTP protocol (usually port 80),...
