
WEBSHELL detection method and device, equipment and storage medium

The invention concerns a detection method and detection model, applied in the field of network security, and addresses the problems that fingerprint-based detection lags behind attackers and that detection based on request data alone has a low detection rate and a high false alarm rate.

Pending Publication Date: 2021-07-16
SANGFOR TECH INC

AI Technical Summary

Problems solved by technology

1. Only when a WebShell tool has been exposed can its fingerprint be extracted, so this detection scheme has a vacuum period during which it always lags behind the attacker. Moreover, as WebShell obfuscation and encryption capabilities improve, it becomes difficult to extract strong features from new WebShell communication, which readily causes false positives or false negatives.
2. Extracting features of WebShell request traffic to detect backdoor communication: the request traffic of many WebShell backdoors (especially large, so-called "big horse", WebShells and encrypted WebShells) resembles normal business traffic and contains no obvious attack features, so detection based on request data has a low detection rate and a high false positive rate.



Examples


Embodiment 1

[0052] Please refer to figure 1, which is a flow chart of the WEBSHELL detection method provided in this embodiment; the method mainly includes:

[0053] Step s110, after the client sends the request data to the server, obtain the response data fed back by the server to the client according to the request data;

[0054] Here, the request data refers to the data in the request packet sent by the client to the server, including the request line, request headers, request body and so on. Response data refers to the data in the response packet sent by the server to the client, including the response line, response headers, response body and so on. In this embodiment, the response data is the data the server feeds back to the client after receiving and processing the request data; that is, the request data and the response data of this embodiment are the data generated correspondingly within one complete interaction.

[00...

Embodiment 2

[0062] Since the request data sent by the client to the server also contains certain WEBSHELL feature data, WEBSHELL feature recognition can be carried out on the request data and the response data at the same time in order to improve detection accuracy, achieving bidirectional detection of the interaction between client and server and identifying WebShells more accurately. Correspondingly, in addition to the steps above, a further step of obtaining the request data can be performed. Specifically, step s110 of Embodiment 1 can be adjusted to: obtain the request data sent by the client to the server and the response data fed back by the server to the client according to that request data. Correspondingly, step s120 specifically includes: identifying business-traffic WEBSHELL features according to both the request data and the response data. The model recognition result then consists of two parts, namely the request recognition result and the response recognition result.

[00...

Embodiment 3

[0097] In the second embodiment above, no limitation is placed on the types of features identified by each model (which may include a request detection model, a response detection model and an interaction model). To deepen understanding of the feature recognition process under the various models, several ways of implementing feature recognition are introduced in this embodiment.

[0098] Optionally, the request data feature identification method of the request detection model is as follows:

[0099] (1) Input the request data into the request detection model;

[0100] (2) The request detection model performs WEBSHELL identification on the request data according to pre-set dangerous request characteristics, where the dangerous request characteristics include: specified dangerous function calls, specified dangerous commands, specified special characters, specified characteristics of well-known backdoors, specified request traffic At lea...
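The bidirectional check of Embodiments 2 and 3, as an added Python example that is not the patent's implementation: request-side indicators follow the categories in [0100], response-side indicators look for echoed command output, and a verdict is formed from both. The indicator patterns, the verdict rule and the three request/response pairs are my own constructed assumptions.

```python
import re
# Request-side indicators following Embodiment 3's categories (dangerous function calls,
# dangerous commands, special characters). Patterns are my illustrative choices, not the patent's.
REQUEST_PATTERNS = {
    "dangerous_function": re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec)\s*\(", re.I),
    "dangerous_command": re.compile(r"\b(whoami|ifconfig|ipconfig|netstat|tasklist)\b", re.I),
    "special_chars": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[|base64_decode\("),
}
# Response-side indicators: the server echoing command output or a file-system view.
RESPONSE_PATTERNS = {
    "id_output": re.compile(r"uid=\d+\([^)]+\)\s+gid=\d+"),
    "dir_listing": re.compile(r"^(drwx|-rw-|total \d+)", re.M),
    "phpinfo_page": re.compile(r"<title>phpinfo\(\)</title>", re.I),
}

def scan(text, patterns):
    """Names of all patterns that match the message text."""
    return sorted(name for name, rx in patterns.items() if rx.search(text))

def classify(request, response):
    """Bidirectional decision (Embodiment 2). Response evidence is the strong signal:
    an encrypted shell's request looks benign, but command output still comes back.
    Request-only hits are downgraded to 'suspicious' to keep the false-alarm rate low."""
    req_hits = scan(request, REQUEST_PATTERNS)
    resp_hits = scan(response, RESPONSE_PATTERNS)
    verdict = "webshell" if resp_hits else "suspicious" if req_hits else "benign"
    return {"verdict": verdict, "request": req_hits, "response": resp_hits}

# Constructed sample pairs (not captured traffic).
SAMPLES = {
    # opaque parameter, nothing dangerous in the request, but the reply is `id` output
    "encrypted_shell": (
        "POST /assets/cache.php HTTP/1.1\r\nHost: shop.example\r\n\r\ndata=Zm9vYmFy",
        "HTTP/1.1 200 OK\r\n\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    ),
    # a search term that is also a dangerous command name; the response is a normal page
    "search_false_alarm": (
        "GET /search?q=netstat+tutorial HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "HTTP/1.1 200 OK\r\n\r\n<html><h1>Results for netstat tutorial</h1></html>",
    ),
    "normal_business": (
        "GET /shop/item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "HTTP/1.1 200 OK\r\n\r\n<html><title>Item 42</title><p>In stock</p></html>",
    ),
}

def run_samples():
    """Map each sample name to its verdict."""
    return {name: classify(req, resp)["verdict"] for name, (req, resp) in SAMPLES.items()}
```

The first pair is the case the patent targets: request-only inspection sees nothing, while the response exposes the shell; the second pair shows a request-only hit being held back as "suspicious" rather than raised as a false alarm.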



Abstract

The invention discloses a WEBSHELL detection method comprising the steps of obtaining the response data fed back to a client by a server according to request data, and carrying out business-traffic WEBSHELL feature recognition on the response data. To improve detection accuracy, WEBSHELL feature recognition can be carried out on the request data and the response data at the same time, achieving bidirectional detection of the interaction between client and server. In this detection approach, WEBSHELL recognition combines WEBSHELL response features, so the detection and generalization capability is high, the false alarm rate is low, and backdoor detection is improved. The invention also provides a WEBSHELL detection device, computer equipment and a readable storage medium with the same benefits.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a WEBSHELL detection method, device, computer equipment and readable storage medium.

Background technique

[0002] In order to ensure the security of a website server, it is necessary to monitor illegal access behaviour. WEBSHELL refers to a command execution environment in the form of a web page (asp, php, jsp, cgi and so on); it is an important tool for attackers to further infiltrate websites and hosts and can also be called a web backdoor. After intruding into a website, an illegal user usually places an asp or php backdoor file among the normal web page files in the web directory of the website server, and can then access that backdoor with a browser to obtain a command execution environment. In this way, operations such as file reading and writing, database queries and intranet sniffing can be carried out.

[0003] The traffic data generated by ac...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1425
Inventors: 张宏飞, 王大伟
Owner: SANGFOR TECH INC