Webshell detection method based on weighted fuzzy hash

A detection method using fuzzy hash technology, applied in encryption devices with shift registers/memory, digital transmission systems, electrical components, etc. It addresses the problems of large differences in webshell size, poor adaptability, and poor detection results, and achieves improved detection accuracy, improved anti-interference, and good adaptability.

Active Publication Date: 2019-07-19
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT

AI Technical Summary

Problems solved by technology

The traditional fuzzy hash algorithm, applied directly to webshell detection, can only resist a certain range of disturbances, generally within 6%; for a larger range of redundant additions (more than 20%), its detection effect becomes very poor and its adaptability is not good.
Since the size of webshells varies greatly, changes in small webshell files can easily exceed the detection range of traditional fuzzy hash algorithms.
[0014] (2) The traditional fuzzy hash algorithm is a universal algorithm for text similarity comparison. A webshell is text with a special function, and the key difference between a webshell and ordinary text is the dangerous function. The traditional fuzzy hash algorithm does not take this into account.


Examples

Embodiment Construction

[0076] In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.

[0077] In the existing technology, the traditional fuzzy hash algorithm can only resist a certain range of disturbances, generally within 6%; for a larger range of redundant additions (over 20%), its detection effect becomes very poor and its adaptability is not good. Since the size of webshells varies greatly, changes in small webshell files can easily exceed the fuzzy hash detection range. The traditional fuzzy hash algorithm is a universal algorithm for text similarity comparison. A webshell is text with a special function, and the key difference between a webshell and ordinary text is the use of dangerous functions. The ...

Abstract

The invention belongs to the technical field of network space security, and discloses a webshell detection method and system based on a weighted fuzzy hash algorithm. The file to be detected is split into fragments, and a hash and a weight are computed for each fragment. Core fragments containing a dangerous function are given a large weight; the information entropy of each fragment is considered at the same time, and the larger the information entropy value, the smaller the weight given. The fragment hashes are spliced into a fuzzy hash string and a total weight value is calculated, giving the weighted fuzzy hash value. The weighted fuzzy hash value of the file to be detected is then compared in sequence with the weighted fuzzy hash value of each webshell pre-stored in the fingerprint database. Compared with a traditional fuzzy hash algorithm, the method can effectively adapt to situations where the size of the detected object changes greatly, has good adaptability, greatly improves the detection accuracy for variant samples, and improves anti-interference performance.
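
The weighting idea in the abstract, as an added sketch that is not the patent's own algorithm or code. Assumptions: one fragment per non-empty line, the dangerous-function list, the bonus of 10, the 1/(1 + entropy) weight and the weighted-Jaccard comparison; the three samples are constructed.

```python
import hashlib
import math
import re
from collections import Counter

# Assumption: a short illustrative list of PHP dangerous functions.
DANGEROUS = re.compile(rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
DANGER_BONUS = 10.0  # assumed multiplier for core fragments

def entropy(b: bytes) -> float:
    """Shannon entropy of a non-empty fragment, in bits per byte."""
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values())

def weighted_fuzzy_hash(data: bytes, weighted: bool = True):
    """Return (spliced hash string, {fragment hash: weight}, total weight)."""
    frags = {}
    for line in data.splitlines():  # assumption: one fragment per line
        line = line.strip()
        if not line:
            continue
        h = hashlib.sha256(line).hexdigest()[:6]
        base = DANGER_BONUS if DANGEROUS.search(line) else 1.0
        frags[h] = base / (1.0 + entropy(line)) if weighted else 1.0
    return "".join(frags), frags, sum(frags.values())

def similarity(a, b) -> float:
    """Weighted Jaccard: shared fragment weight over combined fragment weight."""
    (_, fa, ta), (_, fb, tb) = a, b
    shared = sum(w for h, w in fa.items() if h in fb)
    union = ta + tb - shared
    return shared / union if union else 0.0

# Constructed samples (not from the patent); $blob is deliberately undefined.
KNOWN = b"<?php\n$p = base64_decode($blob);\neval($p);\n?>\n"
PADDED = (b"<?php\n// 7f3a9c1e5b2d8064\n$p = base64_decode($blob);\n"
          b"// 0a1b2c3d4e5f6789\neval($p);\n// 9e8d7c6b5a4f3210\n?>\n")
BENIGN = b'<?php\necho "Hello";\n?>\n'

def score(sample: bytes, weighted: bool = True) -> float:
    """Similarity of a sample to the KNOWN fingerprint."""
    return similarity(weighted_fuzzy_hash(KNOWN, weighted),
                      weighted_fuzzy_hash(sample, weighted))

if __name__ == "__main__":
    for name, s in (("padded", PADDED), ("benign", BENIGN)):
        print(name, round(score(s, False), 3), round(score(s), 3))
```

With `weighted=False` every fragment counts equally, which is the baseline the padded variant is measured against; the weighted score stays high because the padding lines carry little weight next to the fragment containing the dangerous function.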

Description

Technical field

[0001] The invention belongs to the technical field of network space security, and in particular relates to a webshell detection method and system based on weighted fuzzy hash.

Background technique

[0002] Currently, the closest prior art:

[0003] Webshell is a malicious backdoor written in scripting languages such as jsp, asp, php, etc. After an attacker uses website vulnerabilities such as sql injection and file upload to upload the webshell backdoor to obtain permissions, he can modify, delete or add server files by remotely executing commands. You can also view user data directly in the server database.

[0004] Since the webshell operation will not leave records in the system security log and is mixed with normal webpage files, it is difficult for general administrators to see the traces of intrusion. Advanced webshell backdoors will also use various techniques to evade detection, so the research is efficient and accurate The demand for the webshel...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L9/06, H04L29/06
CPC: H04L9/0643, H04L63/1441, H04L63/1416
Inventor: 林宏刚陈麟黄元飞赖裕民张家旺李燕伟王鹏翩林星辰应志军吴倩杜薇陈禹张晓娜王博杨鹏高强陈亮
Owner: NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT