WebShell detection method

A detection method and technology of a Hadoop cluster, applied in electrical components, transmission systems, etc., can solve the problems of a high false alarm rate and its influence on detection results, to achieve effective detection and avoid a high false alarm rate.

Active Publication Date: 2018-07-27
HANGZHOU ANHENG INFORMATION TECH CO LTD +1

AI Technical Summary

Problems solved by technology

[0005] At present, most WebShell detection tools are implemented through feature-library matching. For example, the paper "Research on Webshell Detection Method Based on Web Log" proposes starting WebShell detection from the log: after analysis, WebShell can be detected from text pattern characteristics, access frequency characteristics, the perspective of isolated pages, and so on. However, relying on access frequency characteristics alone gives a high false alarm rate; the depth of the web page file directory and the number of independent visits also need to be considered together, and the weight of each feature is not easy to determine, which affects the detection result. At the same time, when this method detects WebShell through the Web log, it still needs to rely on the feature library. It has a good detection effect




Embodiment Construction

[0037] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0038] The present invention relates to a WebShell detection method. In this embodiment the operating system is centos7_x64 with auditd installed and configured, the Web server software is Apache Tomcat, and the Web log used comes from a real website. To facilitate evidence collection, auditd is configured with rules so that it monitors key system file directories. In the evidence collection stage, this embodiment also uses other files, including the auditd log files.

[0039] In the present invention, auditd is an audit tool on the Linux system, and its basic function is to monitor the operation of files and directories through configuration rules.

[0040] The method includes the following steps.

[0041] Step 1: The us...


Abstract

The invention relates to a WebShell detection method. A web log generated by a web server accessed by users is preprocessed; the IP field in the web log is used as the unique identifier of the access user to calculate the intrusion access frequency and the maximum access continuity, and the N URLs with the maximum values are taken as the URLs of suspected WebShells; a suspected attack IP is then obtained by locating it in the Web log and transmitted to the security server in the form of a file; the security server reviews the corresponding attack time according to the suspected WebShell and the access IP, and finally the attack behavior is collected and output. According to the invention, attacks, even on non-dynamic web pages, can be effectively detected; the problem of parsing result differences is avoided, so attacks from various browsers can be detected; the problem of a high false alarm rate caused by detection on a single index is avoided; and unknown WebShells can also be effectively detected.
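The log-ranking stage of the abstract, as an added Python example that is not the patent's own code. The page does not define the two indicators precisely, so here "access frequency" is the hit count of a URL and "maximum access continuity" is taken as the longest run of back-to-back requests from one IP to the same URL; the ranking order and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample access log lines (not from the patent); the last one is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2018:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 1200
10.0.0.5 - - [10/Mar/2018:10:01:05 +0800] "GET /news.jsp HTTP/1.1" 200 800
10.0.0.9 - - [10/Mar/2018:10:02:10 +0800] "POST /upload/cmd.jsp HTTP/1.1" 200 300
10.0.0.9 - - [10/Mar/2018:10:02:12 +0800] "POST /upload/cmd.jsp HTTP/1.1" 200 310
10.0.0.7 - - [10/Mar/2018:10:03:00 +0800] "GET /index.jsp HTTP/1.1" 200 1200
10.0.0.9 - - [10/Mar/2018:10:03:30 +0800] "POST /upload/cmd.jsp HTTP/1.1" 200 305
garbage line that the preprocessing step must skip
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def preprocess(log_text):
    """Parse each line into (ip, timestamp, url); unparsable lines are dropped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

def score_urls(records):
    """Per URL -> (access frequency, max continuity = longest back-to-back run by one IP)."""
    freq, cont, per_ip = defaultdict(int), defaultdict(int), defaultdict(list)
    for ip, _ts, url in records:          # records assumed to be in log (time) order
        freq[url] += 1
        per_ip[ip].append(url)
    for urls in per_ip.values():
        run, prev = 0, None
        for url in urls:
            run = run + 1 if url == prev else 1
            prev = url
            cont[url] = max(cont[url], run)
    return {u: (freq[u], cont[u]) for u in freq}

def suspected_webshells(records, n=1):
    """Top-N URLs ranked by continuity, then frequency (the ordering is an assumption)."""
    s = score_urls(records)
    return sorted(s, key=lambda u: (s[u][1], s[u][0]), reverse=True)[:n]

def locate_attackers(records, urls):
    """Suspected URL -> {access IP: [timestamps]}: what goes to the security server."""
    found = defaultdict(lambda: defaultdict(list))
    for ip, ts, url in records:
        if url in urls:
            found[url][ip].append(ts)
    return {u: dict(v) for u, v in found.items()}
```

The timestamps returned by `locate_attackers` are the window the security server would use to pull the matching auditd records for the monitored directories.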

Description

Technical field

[0001] The present invention relates to the technical field of security devices for protecting a computer, its components, programs or data from unauthorized actions, and in particular to a WebShell detection method that quickly and accurately finds a WebShell among a large number of log files by characterizing attack behavior.

Background technique

[0002] With the development of network technology, the network is increasingly inseparable from people's lives, so many illegal elements implant WebShell into website servers, which causes great harm to the website.

[0003] WebShell is a common web backdoor, often used by attackers to obtain operating authority over the web server. When attackers invade a website, they usually place the WebShell file together with normal web pages in the Web directory, and then access the WebShell file through a browser to obtain a command execution environment and finally achieve the purpose of controlling ...


Application Information

IPC(8): H04L29/06, H04L29/08
CPC: H04L63/1416, H04L63/1466, H04L67/02
Inventor 谷勇浩范渊王永非刘博林明峰周纪元郭振洋李凯悦
Owner HANGZHOU ANHENG INFORMATION TECH CO LTD