Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

WebShell detection method

A detection method and technology of hadoop cluster, applied in electrical components, transmission systems, etc., can solve the problems of high false alarm rate and false alarm rate, high false alarm rate, influence of detection results, etc., to achieve effective detection and avoid false alarm rate higher effect

Active Publication Date: 2018-07-27
HANGZHOU ANHENG INFORMATION TECH CO LTD +1
View PDF8 Cites 10 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0005] At present, most of the WebShell detection tools are realized through the feature library matching method. For example, the document "Research on Webshell Detection Method Based on Web Log" proposes to start WebShell detection from the log. After analysis, it can be analyzed from the text pattern characteristics, access frequency characteristics, and Detecting WebShell from the perspective of isolated pages, etc. However, there is a high rate of false alarms only based on the characteristics of access frequency. It also needs to be considered comprehensively in combination with the depth of the web page file directory and the number of independent visits. The proportion of each feature and each The feature is not easy to determine the detection result. At the same time, when the method detects WebShell through the Web log, it also needs to rely on the feature library. It has a good detection effect on the known WebShell. When the feature library is not updated Under the circumstances, this method is basically useless for unknown WebShell detection
[0006] Patent CN105812196A "A WebShell Detection Method and Electronic Equipment" proposes a WebShell detection method starting from the log access resource URL, and detects WebShell by analyzing the URL. Perform corresponding encryption, deformation, obfuscation, etc. This method only detects dynamic web page URLs, which are easily bypassed by attackers. For example, if an attacker disguises WebShell as a picture, this method will fail, and the URL will be parsed based on the browser There are also situations where different browsers may have different parsing results, which will affect the detection results. Therefore, the existing WebShell detection technology has a high false positive rate and a high false negative rate for the detection of such files.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • WebShell detection method

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0037] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0038]The present invention relates to a WebShell detection method. In the embodiment, the operating system adopted is centos7_x64, and the operating system has been installed and configured with auditd. The Web server software adopted in this embodiment is ApacheTomcat, and the Web log used comes from a real website. In order to facilitate evidence collection, auditd is configured with rules so that auditd can monitor key system file directories. In the evidence collection stage, this embodiment also uses Other files include auditd log files.

[0039] In the present invention, auditd is an audit tool on the Linux system, and its basic function is to monitor the operation of files and directories through configuration rules.

[0040] The method includes the following steps.

[0041] Step 1: The us...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention relates to a WebShell detection method. A web log generated by a web server accessed by a user is preprocessed, an IP field in the web log is used as the unique identifier of the accessuser to calculate the intrusion access frequency and the maximum access continuity, and adopt the N URLs having the maximum value as the URL of the suspected WebShell, and then a suspected attack IP is acquired by carrying out the location in the Web log, and the suspected attack IP is transmitted to the security server in a form of a file, and the security server is used to review the corresponding attack time according to the suspected WebShell and the access IP, and at last, an attack behavior can be collected and output. According to the invention, attacks and even non-dynamic webpage attacks can be effectively detected, and a problem of a parsing result difference is prevented, and therefore detection of various browser attacks can be realized, a problem of a high false alarm rate caused by detection of a single index is prevented, and effective detection of unknown WebShell also can be realized.

Description

technical field [0001] The present invention relates to the technical field of a security device for protecting a computer, its components, programs or data from unauthorized actions, and in particular to a WebShell detection method that quickly and accurately finds a WebShell from a large number of log files by characterizing attack behavior . Background technique [0002] With the development of network technology, the network is increasingly inseparable from people's lives, so many illegal elements implant WebShell into the website server, which will cause great harm to the website. [0003] WebShell is a common web backdoor, which is often used by attackers to obtain the operation authority of the web server. When attackers invade a website, they usually place the WebShell file together with normal webpages in the Web directory, and then access the WebShell file through a browser to obtain the command execution environment and finally achieve the purpose of controlling ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): H04L29/06H04L29/08
CPCH04L63/1416H04L63/1466H04L67/02
Inventor 谷勇浩范渊王永非刘博林明峰周纪元郭振洋李凯悦
Owner HANGZHOU ANHENG INFORMATION TECH CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com