Method and device for detection of malignant document

Abstract

The application relates to computer technologies and discloses a method and device for detection of a malignant document. The method and device are used to increase detection accuracy of WEBSHELL. The method comprises the steps that a stain mark is set for a key parameter; the key parameter is then taken as an input parameter to execute a target script document; and through Hook of a key function in the target script document, whether the key parameter with the set spot mark is used during key function execution can be judged. In this way, whether deformed WEBSHELL exists in the target script document can be judged. Hence, running keys of the WEBSHELL can be grasped from the essence of the WEBSHELL; no matter how the WEBSHELL gets deformed, the WEBSHELL can be detected accurately; detection accuracy and detection efficiency are increased effectively; leak detection and wrong reporting are avoided; and meanwhile, detection complexity and later-stage running maintenance cost are also reduced.

Description

technical field [0001] The present application relates to computer technology, in particular to a method and device for detecting malicious files. Background technique [0002] The Hypertext Preprocessor (PHP) language is a weakly typed programming language that supports a large number of flexible syntax formats. Malicious attackers who are proficient in the PHP programming language can write a large number of web pages by making full use of the language features of PHP. The backdoor (WEBSHELL) file attacks the target script file. [0003] Under the existing technology, the cloud server usually uses the WEBSHELL detection engine to detect WEBSHELL at the host level, and the operating principle of the WEBSHELL detection engine is to check the target script file based on preset strings and regular rules to determine whether it contains There is WEBSHELL. [0004] However, whether it is a character string or a regular rule, its configuration method depends too much on the und...

AI Technical Summary

Problems solved by technology

[0004] However, whether it is a character string or a regular rule, its configuration method depends too much on the understanding of the management personnel on the PHP language itself and the deformation method of WEBSHELL, and there is a certain degree of subjectivity. Therefore, the WEBSHELL detection engine uses the preset string and Regular rules cannot cover all types of WEBSHELL when checking WEBSHELL, and there are certain missed detection procedures.

[0005] On the other hand, there are still a large number of "bypass" technologies, that is, through special grammatical structures, to avoid the detection of WEBSHELL detection engine, which will also cause missed detection by WEBSHELL detection engine

[0006] It can be seen that under the existing technology, the detection accuracy of the WEBSHELL detection engine is not high and needs to be optimized

Images