Webshell malicious family clustering analysis method

A cluster analysis and family classification technique, applied in the field of information security, that addresses the fast variant speed of malicious files (Webshells in particular) and the lack of methods to detect, compare and analyse them. The aim is to improve detection accuracy and precision, raise discovery efficiency, and reduce the amount of manual analysis work.

Active Publication Date: 2022-02-11
CENT SOUTH UNIV

AI Technical Summary

Problems solved by technology

However, there are still some problems that urgently need to be solved in the practical application of Webshell detection. First, the variant speed of Webshells is fast. Because a WebShell can be written in a variety of development languages, and is easy to adapt through program development methods such as obfuscation, encryption and packing, WebShell malicious files vary rapidly, which has greatly affected the accuracy and efficiency of malicious file detection methods. Secondly, the traditional malicious file detection methods based on API call information have ignored security vulnerabilities caused by function parameters. There is a lack of effective Webshell malicious family clustering analysis methods to detect, compare and analyse malicious Webshells.


Embodiment Construction

[0041] In order to make the object, technical solution and advantages of the present invention clearer, the present invention is described below through specific embodiments shown in the accompanying drawings. It should be understood, however, that these descriptions are exemplary only and are not intended to limit the scope of the present invention. Also, in the following description, descriptions of well-known structures and techniques are omitted to avoid unnecessarily obscuring the concept of the present invention.

[0042] Here, it should also be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and / or processing steps closely related to the solution according to the present invention are shown in the drawings, and other details that are not relevant to the invention are omitted.

[0043] As shown in figure 1, a webshell malicious family clustering analysis method includes the following steps:

[0044] Step 1:...


Abstract

The invention discloses a webshell malicious family clustering analysis method, and relates to the technical field of information security. The method comprises the following steps: step 1, obtaining function call information, parameter values and return value information during Webshell operation; step 2, cleaning, splicing and sequencing the function call information; step 3, vectorizing the function call sequence information from step 2; step 4, calculating the information entropies of the parameter values and the return values, and sorting them according to the function calling sequence; step 5, according to the func_seq, the argv_seq and the return_seq obtained in step 2 and step 4, building an RNN model to predict the three types of sequences respectively, and learning code family features; step 6, after minhash processing is carried out on the original sequence data and the predicted sequence data, mapping the original sequence data and the predicted sequence data into pixel points, so that a pixel map is formed; step 7, superposing the original pixel image obtained in step 6 and the predicted pixel image, and drawing a final pixel image; and step 8, clustering the pixel image obtained in step 7 by using the DBSCAN clustering algorithm.
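As an added illustration of steps 2, 4, 6 and 7 of the abstract (example code written for this page, not the patent's own implementation), the following Python builds the func_seq / argv_seq / return_seq triple from constructed runtime call records, takes a MinHash signature over a sequence, maps it onto a pixel map and superposes two maps. The RNN prediction of step 5 and the DBSCAN clustering of step 8 are omitted, so the overlay here combines two samples' original maps rather than an original and a predicted one; the sample traces, the 32x32 map size and the SHA-256-based MinHash are assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed runtime call records (function, argument, return value) for two
# hypothetical samples; illustration data, not from the patent.
SAMPLE_TRACES = {
    "sample_a": [(" Base64_Decode ", "aGVsbG8gd29ybGQ=", "hello world"),
                 ("eval", "hello world", ""),
                 ("system", "ls", "index.php")],
    "sample_b": [("base64_decode", "aGVsbG8=", "hello"),
                 ("eval", "hello", ""),
                 ("system", "ls -la", "index.php config.php")],
}

def shannon_entropy(value):
    """Step 4: information entropy (bits per byte) of one parameter or return value."""
    data = value.encode()
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def build_sequences(records):
    """Steps 2 and 4: normalise function names, keep call order, and derive the
    func_seq / argv_seq / return_seq triple named in the abstract."""
    cleaned = [(f.strip().lower(), a, r) for f, a, r in records if f.strip()]
    func_seq = [f for f, _, _ in cleaned]
    argv_seq = [round(shannon_entropy(a), 3) for _, a, _ in cleaned]
    return_seq = [round(shannon_entropy(r), 3) for _, _, r in cleaned]
    return func_seq, argv_seq, return_seq

def minhash(seq, k=2, num_perm=16):
    """Step 6: MinHash over k-shingles of a sequence, one seeded SHA-256 per permutation."""
    shingles = {tuple(seq[i:i + k]) for i in range(max(1, len(seq) - k + 1))}
    return [min(int(hashlib.sha256(f"{seed}:{s}".encode()).hexdigest(), 16)
                for s in shingles) for seed in range(num_perm)]

def to_pixels(signature, size=32):
    """Step 6: map each signature value onto an (x, y) cell of a size x size pixel map."""
    return {(v % size, (v // size) % size) for v in signature}

def overlay(pixels_a, pixels_b, size=32):
    """Step 7: superpose two pixel maps; a cell holds how many maps lit it (0, 1 or 2)."""
    grid = [[0] * size for _ in range(size)]
    for points in (pixels_a, pixels_b):
        for x, y in points:
            grid[y][x] += 1
    return grid
```

Cells with value 2 in the overlaid grid are the pixels shared by both samples; with identical func_seq values the two signatures coincide, which is the kind of agreement a later clustering step would pick up.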

Description

Technical field

[0001] The invention belongs to the technical field of information security, and in particular relates to a method for clustering and analyzing webshell malicious families.

Background technique

[0002] Webshell is a command execution environment written in a scripting language. An attacker can manipulate the server by uploading the script file to the server and hiding it in a benign file. At present, WebShell has become the primary source of harm affecting the security of cloud hosts. In order to prevent the intrusion of hackers and ensure the asset security of cloud users in real time, a high-accuracy and high-efficiency malicious Webshell detection method is very important.

[0003] Traditional WebShell prevention and control methods are mostly based on predefined rules. The creation of new rules and the update of old rules are always slower than the speed of WebShell variants, making it easy for malicious files to bypass rule detection. In order to solv...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/561
Inventor 周芳芳袁键陈茁王心远吕胜蓝范毅伦李影赵颖
Owner CENT SOUTH UNIV