CN104468477A - WebShell detection method and system - Google Patents
WebShell detection method and system Download PDFInfo
- Publication number
- CN104468477A CN104468477A CN201310423483.1A CN201310423483A CN104468477A CN 104468477 A CN104468477 A CN 104468477A CN 201310423483 A CN201310423483 A CN 201310423483A CN 104468477 A CN104468477 A CN 104468477A
- Authority
- CN
- China
- Prior art keywords
- webshell
- url
- detection
- path
- remote detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Virology (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a WebShell detection method and system. The system comprises a log auditing module, a local detection module, a remote detection module and a result output module. The system executes the following processing flow: A, collecting a server access log, and analyzing a URL (Uniform Resource Locator) with suspicious access behaviors; B, performing local detection and remote detection on the analyzed URL with suspicious access behaviors in combination with a WebShell feature library; C, and performing judgment according to the detection, reporting a WebShell path if WebShell is found, and meanwhile adding the path identified as WebShell into a WebShell path library. Through adoption of the method and the system, the detection rate and detection efficiency of WebShell detection in network Web application are increased, and the missing report rate and false report rate are lowered.
Description
Technical field
The present invention relates to internet security technical field, particularly relate to detection method and the system of a kind of WebShell.
Background technology
Along with Web2.0, social networks, the birth of the internet product of microblogging etc. series of new, the internet, applications of sing on web environment is more and more extensive, in the process of IT application in enterprises, various application is all erected on Web platform, Web service develop the strong interest also causing hackers rapidly, what come one after another is exactly highlighting of Web security threat, hacker utilizes the SQL injection loophole etc. of the leak of website operation system and Web service program to obtain the control authority of Web server, light then distort web page contents, heavy then steal important internal data, even more serious is then implant malicious code in webpage, website caller is encroached on.This also makes increasing user pay close attention to the safety problem of application layer, also heats up gradually to the attention rate of Web application safety.
Usual hacker can experience following step when an attack Web site, is first information, finds the relevant information of targeted website; Then be vulnerability exploit, utilize the information collected, find utilizable leak, such as SQL injection loophole, files passe leak etc., carry out data and to steal or WebShell uploads.
Simple, WebShell is exactly an asp or php wooden horse back door, and WebShell is the script attack tool of Web invasion.Instrument is after uploading WebShell, and hacker just can be manipulated target website server by WebShell later very easily, and without the need to again repeating the process found website vulnerability and utilize website vulnerability.As can be seen here, the harm of WebShell to website is very huge, if there is WebShell on a website, that so can affirm says, this website there is very serious leak, finds timely under fire in website, and do necessary leak repairing to target website server, loss being dropped to of can trying one's best like this is minimum, finds afterwards and defends also to be the important ring in security defensive system.
In existing technical scheme, the detection for WebShell mainly contains local detection and remote detection two kinds.Local detect the normally software run on the target system, this software can the root of access websites, and the WebShell directly carrying out source code level detects.Because existing local detection method needs to run executable program on destination server, and need the authority of access and reading website root, there is very large security risk in this scheme, is unallowed under the application scenarios stricter to security audit.
Another remote detection is reptile Network Based mainly, relies on path dictionary and WebShell fingerprint characteristic storehouse identify and detect WebShell.Remote detection does not need extra authority, but due to the disguise of WebShell, and spiders can only capture the limitation of the page that there is adduction relationship, the detection mode based on path dictionary is caused to there is significant limitation, because WebShell upload path and upload file name is specified arbitrarily by assailant, once assailant employs a very complicated path, and this path is not in the path dictionary of remote detection, so remote detection just cannot detect this WebShell, so remote detection can only detect more common WebShell.
Summary of the invention
In view of this, the invention provides detection method and the system of a kind of WebShell, this invention does not need to run executable program at destination server end, and adopts the detection mode combined with detection by log audit, compensate in prior art and detects problem comprehensively.
Specifically, the detection method of a kind of WebShell of the present invention, said method comprising the steps of:
A, collects server access daily record, analyzes the URL of suspicious access behavior.
B, carries out this locality by the URL analyzing suspicious access behavior in conjunction with WebShell feature database and detects.
C, carries out remote detection by the URL analyzing suspicious access behavior in conjunction with WebShell feature database.
D, judges as found WebShell, then to perform step e according to detection.
E, reports WebShell path, the path being identified as WebShell is added to storehouse, WebShell path simultaneously.
Further, this locality described in step B is detected, and comprises configuration target server info and be remotely logged into destination server carrying out source code level WebShell and checking.
Further, described source code level WebShell checks be combining source in this locality of WebShell feature database detect fingerprint base by the mode of fingerprint comparison to the URL file of Web server root file and suspicious access behavior in the source code of various language that obtains carry out WebShell inspection.
Further, the remote detection described in step C, comprises remote detection configuration and spiders and remote detection web page code.
Further, described spiders is that basis source is remote detection path in the URL of the storehouse, WebShell path of WebShell feature database and suspicious access behavior and obtains the reply data in this remote detection path.
Further, described remote detection web page code be combining source in WebShell feature database remote detection fingerprint base by the mode of fingerprint comparison to remote detection path in the reply data that obtains carry out WebShell detection.
Further, the URL of the suspicious access behavior described in steps A is the URL analyzed by frequency and the parameter of URL access, the URL that occurred, a given level of suspicion is low; The URL that visiting frequency is minimum, during a given level of suspicion is; Occur the URL of hostile content, a given level of suspicion is high.
The present invention provides a kind of WebShell detection system simultaneously, and described system comprises,
Log audit module: for collecting server access daily record, analyzes the URL of suspicious access behavior.
Local detection module: for the URL analyzing suspicious access behavior is carried out in conjunction with WebShell feature database.
Remote detection module: for the URL analyzing suspicious access behavior is carried out in conjunction with WebShell feature database.
Result output module: as found WebShell for judging according to detection, then report WebShell path, the path being identified as WebShell is added to storehouse, WebShell path simultaneously.
Further, described local detection module, is remotely logged into destination server and carries out source code level WebShell specifically for configuration target server info and check.
Further, described source code level WebShell checks be combining source in this locality of WebShell feature database detect fingerprint base by the mode of fingerprint comparison to the URL file of Web server root file and suspicious access behavior in the source code of various language that obtains carry out WebShell inspection
Further, described remote detection module, specifically for remote detection configuration and spiders and remote detection web page code.
Further, described spiders is that basis source is remote detection path in the URL of the storehouse, WebShell path of WebShell feature database and suspicious access behavior and obtains the reply data in this remote detection path.
Further, described remote detection web page code be combining source in WebShell feature database remote detection fingerprint base by the mode of fingerprint comparison to remote detection path in the reply data that obtains carry out WebShell detection.
Further, the URL of described suspicious access behavior is the URL analyzed by frequency and the parameter of URL access, the URL that occurred, a given level of suspicion is low; The URL that visiting frequency is minimum, during a given level of suspicion is; Occur the URL of hostile content, a given level of suspicion is high.
As can be seen here, for the limitation that WebShell in prior art detects, the present invention is by the accuracy rate detected with local by the URL of suspicious access behavior and remote detection coordinates this comprehensive WebShell detection mode further to improve WebShell to detect, improve recall rate and detection efficiency, reduce rate of failing to report and rate of false alarm, and the present invention is detected this locality and is performed by the mode of Telnet, avoid local detection in prior art and need the problem in destination server installation and operation program, and make the convenient execution of detection.
Accompanying drawing explanation
Fig. 1 is the flow chart of the detection method of WebShell in one embodiment of the present invention;
Fig. 2 is the detection system building-block of logic of WebShell in one embodiment of the present invention.
Embodiment
Below in conjunction with Fig. 1 and Fig. 2, technical solution of the present invention is described in further detail.
The present invention is by presetting suspicious storehouse, WebShell path, and local detection fingerprint base and remote detection fingerprint base, as the basic foundation detected.Below in conjunction with network security detection technique, the process how the present invention realizes comprehensive WebShell detection is described.
Fig. 1 is the flow chart of the detection method of a kind of WebShell of the present invention.In a preferred embodiment, the inventive method is specific as follows:
A, collects server access daily record, analyzes the URL of suspicious access behavior.
Particularly, Web middleware (apache is obtained by SSH logon server, tomcat, the softwares such as iis) access log that produces, the URL that user accesses each time is recorded in access log, parameter etc., by to access the frequency of URL and the inspection of parameter, find out the page of the most doubtful WebShell, then Inspection and analysis is carried out to these pages, analyze the bibliographic structure of website and suspicious access behavior, and access behavior suspicious in website is added up, the frequency of accessing by URL and parameter are added up, the URL that occurred, a given level of suspicion is low, the URL that visiting frequency is minimum, during a given level of suspicion is, occur the URL of hostile content, a given level of suspicion is high.
The method obtaining server access daily record in present embodiment can also have various ways, as configuration on server sends daily record to Syslog mode, configuration file sharing mode on server, ftp uploads downloading mode, by the mode of SSH, T elnet etc. or other long-range reading journal files.Hostile content comprises executable command, SQL statement, sensitive document name and file content, script etc.
B, carries out this locality by the URL analyzing suspicious access behavior in conjunction with WebShell feature database and detects and remote detection.
Particularly, local detection, open SSH remote login service, configuration target server info such as user accesses account password and backup website root etc., and be remotely logged into destination server, combining source in this locality of WebShell feature database detect fingerprint base by the mode of fingerprint comparison to the URL file of Web server root file and suspicious access behavior in the source code of various language that obtains carry out WebShell inspection.The object backing up website root in configuration information is to not affect other user access server.The source code of various language, includes, as asp (Active Server Page) relatively more conventional at present, jsp(JavaServer Pages), the page script language source code such as php (Hypertext Preprocessor).In the present embodiment, local detect configuration need the user profile of configuration be user specified by the demand of oneself and need for environment, the user profile of configuration mentioned here is not whole user profile, and just partial content information.SSH is the service routine that standard server all can be installed, and does not install also can install voluntarily as system.Local detection fingerprint base can be the fingerprint characteristic extracted from source code.Fingerprint comprises the method call of some danger, some common character strings etc.
Telnet mode in a preferred embodiment can be by the Telnet of SSH mode, and certainly, described Telnet mode can be also other Telnet modes that can realize said method, as Telnet or other Telnet modes.Do not limit at this.
Particularly, remote detection, comprises remote detection configuration and spiders and remote detection web page code.
Configuration website URL, simulation normal client remote access targeted website, spiders basis source is remote detection path in the URL of the storehouse, WebShell path of WebShell feature database and suspicious access behavior and obtains the reply data in this remote detection path, remote detection web page code combining source in WebShell feature database remote detection fingerprint base by the mode of fingerprint comparison to remote detection path in the reply data that obtains carry out WebShell detection.Preferred described reply data is client terminal web page source code normally html code.This remote detection fingerprint base can be the fingerprint characteristic extracted from webpage html code.
C, judges as found WebShell, then to perform step D according to detection.
D, reports WebShell path, the path being identified as WebShell is added to storehouse, WebShell path simultaneously.
In the above execution mode, operating system is not particularly limited, as windows, all can perform under the operating systems such as linux, only can also perform the detection of a wherein part arbitrarily in addition as required, as only perform local detect to coordinate to log audit or only perform remote detection coordinate wherein any portion can complete the complete WebShell testing process of its corresponding detection with log audit.
Based on said method, Fig. 2 gives the detection system building-block of logic of WebShell of the present invention.This detection system is applied on PC, and as the operation carrier of this logic detection system, the hardware environment of described PC equipment at least all comprises CPU usually, internal memory and other hardware.Logic module is stored in internal memory.
Log audit module: collect server access daily record, analyze the URL of suspicious access behavior, be specially, obtain Web middleware (apache, tomcat by SSH logon server, the softwares such as iis) access log that produces, record the url that user accesses each time in access log, parameter etc., the frequency of accessing by URL and parameter are added up, the URL that occurred, a given level of suspicion is low; The URL that visiting frequency is minimum, during a given level of suspicion is; Occur the URL of hostile content, a given level of suspicion is high.
Local detection module: the URL analyzing suspicious access behavior is carried out this locality in conjunction with WebShell feature database and detects, be specially, be remotely logged into destination server, combining source in this locality of WebShell feature database detect fingerprint base by the mode of fingerprint comparison to the URL file of Web server root file and suspicious access behavior in the source code of various language that obtains carry out WebShell inspection.
Remote detection module: the URL analyzing suspicious access behavior is carried out remote detection in conjunction with WebShell feature database, be specially, configuration website URL, simulation normal client remote access targeted website, spiders basis source is remote detection path in the URL of the storehouse, WebShell path of WebShell feature database and suspicious access behavior and obtains the reply data in this remote detection path, remote detection web page code combining source in WebShell feature database remote detection fingerprint base by the mode of fingerprint comparison to remote detection path in the reply data that obtains carry out WebShell detection.
Result output module: judge as found WebShell, then to report WebShell path, after simultaneously the path being identified as WebShell being added to storehouse, WebShell path according to detection.
Described above is only the present invention's preferably implementation, and not in order to limit protection scope of the present invention, any equivalent change and amendment are all because being encompassed within protection scope of the present invention.
Claims (14)
1. a detection method of WebShell, is characterized in that, comprises the following steps:
A, collects server access daily record, analyzes the URL of suspicious access behavior;
B, carries out this locality by the URL analyzing suspicious access behavior in conjunction with WebShell feature database and detects;
C, carries out remote detection by the URL analyzing suspicious access behavior in conjunction with WebShell feature database;
D, judges as found WebShell, then to perform step e according to detection;
E, reports WebShell path, the path being identified as WebShell is added to storehouse, WebShell path simultaneously.
2. the method for claim 1, is characterized in that, this locality described in step B is detected, and comprises configuration target server info and be remotely logged into destination server carrying out source code level WebShell and checking.
3. method as claimed in claim 2, it is characterized in that, described source code level WebShell checks be combining source in this locality of WebShell feature database detect fingerprint base by the mode of fingerprint comparison to the URL file of Web server root file and suspicious access behavior in the source code of various language that obtains carry out WebShell inspection.
4. the method for claim 1, is characterized in that, the remote detection described in step C, comprises remote detection configuration and spiders and remote detection web page code.
5. method as claimed in claim 4, it is characterized in that, described spiders is that basis source is remote detection path in the URL of the storehouse, WebShell path of WebShell feature database and suspicious access behavior and obtains the reply data in this remote detection path.
6. method as claimed in claim 4, it is characterized in that, described remote detection web page code be combining source in WebShell feature database remote detection fingerprint base by the mode of fingerprint comparison to remote detection path in the reply data that obtains carry out WebShell detection.
7. the method for claim 1, is characterized in that, the URL of the suspicious access behavior described in steps A is the URL analyzed by frequency and the parameter of URL access, the URL that occurred, a given level of suspicion is low; The URL that visiting frequency is minimum, during a given level of suspicion is; Occur the URL of hostile content, a given level of suspicion is high.
8. a WebShell detection system, is characterized in that, this system comprises:
Log audit module: for collecting server access daily record, analyzes the URL of suspicious access behavior;
Local detection module: for the URL analyzing suspicious access behavior is carried out in conjunction with WebShell feature database;
Remote detection module: for the URL analyzing suspicious access behavior is carried out in conjunction with WebShell feature database;
Result output module: as found WebShell for judging according to detection, then report WebShell path, the path being identified as WebShell is added to storehouse, WebShell path simultaneously.
9. system as claimed in claim 8, is characterized in that, described local detection module, is remotely logged into destination server and carries out source code level WebShell specifically for configuration target server info and check.
10. system as claimed in claim 9, it is characterized in that, described source code level WebShell checks be combining source in this locality of WebShell feature database detect fingerprint base by the mode of fingerprint comparison to the URL file of Web server root file and suspicious access behavior in the source code of various language that obtains carry out WebShell inspection.
11. systems as claimed in claim 8, is characterized in that, described remote detection module, specifically for remote detection configuration and spiders and remote detection web page code.
12. systems as claimed in claim 11, it is characterized in that, described spiders is that basis source is remote detection path in the URL of the storehouse, WebShell path of WebShell feature database and suspicious access behavior and obtains the reply data in this remote detection path.
13. systems as claimed in claim 11, it is characterized in that, described remote detection web page code be combining source in WebShell feature database remote detection fingerprint base by the mode of fingerprint comparison to remote detection path in the reply data that obtains carry out WebShell detection.
14. systems as claimed in claim 8, is characterized in that, the URL of described suspicious access behavior is the URL analyzed by frequency and the parameter of URL access, the URL that occurred, a given level of suspicion is low; The URL that visiting frequency is minimum, during a given level of suspicion is; Occur the URL of hostile content, a given level of suspicion is high.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310423483.1A CN104468477B (en) | 2013-09-16 | 2013-09-16 | A kind of WebShell detection method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310423483.1A CN104468477B (en) | 2013-09-16 | 2013-09-16 | A kind of WebShell detection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104468477A true CN104468477A (en) | 2015-03-25 |
| CN104468477B CN104468477B (en) | 2018-04-06 |
Family
ID=52913859
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310423483.1A Active CN104468477B (en) | 2013-09-16 | 2013-09-16 | A kind of WebShell detection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104468477B (en) |
Cited By (32)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104765883A (en) * | 2015-04-30 | 2015-07-08 | 中电运行(北京)信息技术有限公司 | Detection method used for Webshell |
| CN105791308A (en) * | 2016-04-11 | 2016-07-20 | 北京网康科技有限公司 | Active identification domain user registration event information method, device and system |
| CN105933268A (en) * | 2015-11-27 | 2016-09-07 | 中国银联股份有限公司 | Webshell detection method and apparatus based on total access log analysis |
| CN106203095A (en) * | 2016-07-07 | 2016-12-07 | 众安在线财产保险股份有限公司 | The detection method of a kind of webshell and detecting system |
| CN106911636A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of method and device of detection website with the presence or absence of backdoor programs |
| CN106911686A (en) * | 2017-02-20 | 2017-06-30 | 杭州迪普科技股份有限公司 | WebShell detection methods and device |
| CN106911635A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of method and device of detection website with the presence or absence of backdoor programs |
| CN106992981A (en) * | 2017-03-31 | 2017-07-28 | 北京知道创宇信息技术有限公司 | A kind of website back door detection method, device and computing device |
| CN107229865A (en) * | 2016-03-25 | 2017-10-03 | 阿里巴巴集团控股有限公司 | A kind of method and device of parsing Webshell the cause of invasion |
| CN107239704A (en) * | 2017-05-24 | 2017-10-10 | 国家计算机网络与信息安全管理中心 | Malicious web pages find method and device |
| CN107302586A (en) * | 2017-07-12 | 2017-10-27 | 深信服科技股份有限公司 | A kind of Webshell detection methods and device, computer installation, readable storage medium storing program for executing |
| CN107332804A (en) * | 2016-04-29 | 2017-11-07 | 阿里巴巴集团控股有限公司 | The detection method and device of webpage leak |
| CN107404497A (en) * | 2017-09-05 | 2017-11-28 | 成都知道创宇信息技术有限公司 | A kind of method that WebShell is detected in massive logs |
| CN107508829A (en) * | 2017-09-20 | 2017-12-22 | 杭州安恒信息技术有限公司 | A kind of webshell detection methods of non-intrusion type |
| CN107590227A (en) * | 2017-09-05 | 2018-01-16 | 成都知道创宇信息技术有限公司 | A kind of log analysis method of combination reptile |
| CN107770133A (en) * | 2016-08-19 | 2018-03-06 | 北京升鑫网络科技有限公司 | A kind of adaptability webshell detection methods and system |
| CN107888554A (en) * | 2016-09-30 | 2018-04-06 | 腾讯科技(深圳)有限公司 | The detection method and device of server attack |
| CN107888616A (en) * | 2017-12-06 | 2018-04-06 | 北京知道创宇信息技术有限公司 | The detection method of construction method and Webshell the attack website of disaggregated model based on URI |
| CN107911355A (en) * | 2017-11-07 | 2018-04-13 | 杭州安恒信息技术有限公司 | A kind of website back door based on attack chain utilizes event recognition method |
| CN108040036A (en) * | 2017-11-22 | 2018-05-15 | 江苏翼企云通信科技有限公司 | A kind of industry cloud Webshell safety protecting methods |
| CN108062474A (en) * | 2016-11-08 | 2018-05-22 | 阿里巴巴集团控股有限公司 | The detection method and device of file |
| WO2018107784A1 (en) * | 2016-12-16 | 2018-06-21 | 华为技术有限公司 | Method and device for detecting webshell |
| CN108322420A (en) * | 2017-01-17 | 2018-07-24 | 阿里巴巴集团控股有限公司 | The detection method and device of backdoor file |
| WO2018166365A1 (en) * | 2017-03-15 | 2018-09-20 | 阿里巴巴集团控股有限公司 | Method and device for recording website access log |
| CN108616538A (en) * | 2018-04-28 | 2018-10-02 | 北京网思科平科技有限公司 | Attacker's formation gathering method, system, terminal, server and its storage medium |
| CN109845228A (en) * | 2017-09-28 | 2019-06-04 | 量子位安全有限公司 | Network traffic recording system and method for the attack of real-time detection network hacker |
| CN110868410A (en) * | 2019-11-11 | 2020-03-06 | 恒安嘉新(北京)科技股份公司 | Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium |
| CN110909350A (en) * | 2019-11-16 | 2020-03-24 | 杭州安恒信息技术股份有限公司 | Method for remotely and accurately identifying WebShell backdoor |
| CN111046351A (en) * | 2019-12-13 | 2020-04-21 | 支付宝(杭州)信息技术有限公司 | Method and device for managing application permission in office network |
| CN113779571A (en) * | 2020-06-10 | 2021-12-10 | 中国电信股份有限公司 | WebShell detection device, WebShell detection method and computer-readable storage medium |
| CN114430348A (en) * | 2022-02-07 | 2022-05-03 | 云盾智慧安全科技有限公司 | Web site search engine optimization backdoor identification method and device |
| US11824840B1 (en) * | 2019-02-04 | 2023-11-21 | Meixler Technologies, Inc. | System and method for web-browser based end-to-end encrypted messaging and for securely implementing cryptography using client-side scripting in a web browser |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080269921A1 (en) * | 2007-04-30 | 2008-10-30 | Accenture Global Services Gmbh | System and Method for Providing Support Assistance |
| CN103036871A (en) * | 2012-11-19 | 2013-04-10 | 北京奇虎科技有限公司 | Support device and method of application plug-in of browser |
| CN103065095A (en) * | 2013-01-29 | 2013-04-24 | 四川大学 | WEB vulnerability scanning method and vulnerability scanner based on fingerprint recognition technology |
-
2013
- 2013-09-16 CN CN201310423483.1A patent/CN104468477B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080269921A1 (en) * | 2007-04-30 | 2008-10-30 | Accenture Global Services Gmbh | System and Method for Providing Support Assistance |
| CN103036871A (en) * | 2012-11-19 | 2013-04-10 | 北京奇虎科技有限公司 | Support device and method of application plug-in of browser |
| CN103065095A (en) * | 2013-01-29 | 2013-04-24 | 四川大学 | WEB vulnerability scanning method and vulnerability scanner based on fingerprint recognition technology |
Cited By (55)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104765883A (en) * | 2015-04-30 | 2015-07-08 | 中电运行(北京)信息技术有限公司 | Detection method used for Webshell |
| CN105933268B (en) * | 2015-11-27 | 2019-05-10 | 中国银联股份有限公司 | A kind of website back door detection method and device based on the analysis of full dose access log |
| CN105933268A (en) * | 2015-11-27 | 2016-09-07 | 中国银联股份有限公司 | Webshell detection method and apparatus based on total access log analysis |
| CN106911636B (en) * | 2015-12-22 | 2020-09-04 | 北京奇虎科技有限公司 | Method and device for detecting whether backdoor program exists in website |
| CN106911636A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of method and device of detection website with the presence or absence of backdoor programs |
| CN106911635A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of method and device of detection website with the presence or absence of backdoor programs |
| CN106911635B (en) * | 2015-12-22 | 2020-07-28 | 北京奇虎科技有限公司 | Method and device for detecting whether backdoor program exists in website |
| CN107229865A (en) * | 2016-03-25 | 2017-10-03 | 阿里巴巴集团控股有限公司 | A kind of method and device of parsing Webshell the cause of invasion |
| CN107229865B (en) * | 2016-03-25 | 2020-06-05 | 阿里巴巴集团控股有限公司 | Method and device for analyzing Webshell intrusion reason |
| CN105791308B (en) * | 2016-04-11 | 2019-12-31 | 北京网康科技有限公司 | Method, device and system for actively identifying domain user login event information |
| CN105791308A (en) * | 2016-04-11 | 2016-07-20 | 北京网康科技有限公司 | Active identification domain user registration event information method, device and system |
| CN107332804A (en) * | 2016-04-29 | 2017-11-07 | 阿里巴巴集团控股有限公司 | The detection method and device of webpage leak |
| CN107332804B (en) * | 2016-04-29 | 2021-01-26 | 阿里巴巴集团控股有限公司 | Method and device for detecting webpage bugs |
| CN106203095A (en) * | 2016-07-07 | 2016-12-07 | 众安在线财产保险股份有限公司 | The detection method of a kind of webshell and detecting system |
| CN107770133B (en) * | 2016-08-19 | 2020-08-14 | 北京升鑫网络科技有限公司 | Adaptive webshell detection method and system |
| CN107770133A (en) * | 2016-08-19 | 2018-03-06 | 北京升鑫网络科技有限公司 | A kind of adaptability webshell detection methods and system |
| CN107888554A (en) * | 2016-09-30 | 2018-04-06 | 腾讯科技(深圳)有限公司 | The detection method and device of server attack |
| CN108062474A (en) * | 2016-11-08 | 2018-05-22 | 阿里巴巴集团控股有限公司 | The detection method and device of file |
| CN108062474B (en) * | 2016-11-08 | 2022-01-11 | 阿里巴巴集团控股有限公司 | File detection method and device |
| US11863587B2 (en) | 2016-12-16 | 2024-01-02 | Huawei Technologies Co., Ltd. | Webshell detection method and apparatus |
| WO2018107784A1 (en) * | 2016-12-16 | 2018-06-21 | 华为技术有限公司 | Method and device for detecting webshell |
| CN108206802A (en) * | 2016-12-16 | 2018-06-26 | 华为技术有限公司 | The method and apparatus for detecting webpage back door |
| CN108206802B (en) * | 2016-12-16 | 2020-11-17 | 华为技术有限公司 | Method and device for detecting webpage backdoor |
| CN108322420B (en) * | 2017-01-17 | 2020-12-29 | 阿里巴巴集团控股有限公司 | Method and device for detecting backdoor file |
| CN108322420A (en) * | 2017-01-17 | 2018-07-24 | 阿里巴巴集团控股有限公司 | The detection method and device of backdoor file |
| CN106911686A (en) * | 2017-02-20 | 2017-06-30 | 杭州迪普科技股份有限公司 | WebShell detection methods and device |
| CN106911686B (en) * | 2017-02-20 | 2020-07-07 | 杭州迪普科技股份有限公司 | WebShell detection method and device |
| WO2018166365A1 (en) * | 2017-03-15 | 2018-09-20 | 阿里巴巴集团控股有限公司 | Method and device for recording website access log |
| CN106992981A (en) * | 2017-03-31 | 2017-07-28 | 北京知道创宇信息技术有限公司 | A kind of website back door detection method, device and computing device |
| CN106992981B (en) * | 2017-03-31 | 2020-04-07 | 北京知道创宇信息技术股份有限公司 | Website backdoor detection method and device and computing equipment |
| CN107239704A (en) * | 2017-05-24 | 2017-10-10 | 国家计算机网络与信息安全管理中心 | Malicious web pages find method and device |
| CN107302586A (en) * | 2017-07-12 | 2017-10-27 | 深信服科技股份有限公司 | A kind of Webshell detection methods and device, computer installation, readable storage medium storing program for executing |
| CN107302586B (en) * | 2017-07-12 | 2020-06-26 | 深信服科技股份有限公司 | Webshell detection method and device, computer device and readable storage medium |
| CN107590227A (en) * | 2017-09-05 | 2018-01-16 | 成都知道创宇信息技术有限公司 | A kind of log analysis method of combination reptile |
| CN107404497A (en) * | 2017-09-05 | 2017-11-28 | 成都知道创宇信息技术有限公司 | A kind of method that WebShell is detected in massive logs |
| CN107508829A (en) * | 2017-09-20 | 2017-12-22 | 杭州安恒信息技术有限公司 | A kind of webshell detection methods of non-intrusion type |
| CN107508829B (en) * | 2017-09-20 | 2019-11-29 | 杭州安恒信息技术股份有限公司 | A kind of webshell detection method of non-intrusion type |
| CN109845228B (en) * | 2017-09-28 | 2021-08-31 | 量子位安全有限公司 | Network flow recording system and method for detecting network hacker attack in real time |
| CN109845228A (en) * | 2017-09-28 | 2019-06-04 | 量子位安全有限公司 | Network traffic recording system and method for the attack of real-time detection network hacker |
| CN107911355B (en) * | 2017-11-07 | 2020-05-01 | 杭州安恒信息技术股份有限公司 | Website backdoor utilization event identification method based on attack chain |
| CN107911355A (en) * | 2017-11-07 | 2018-04-13 | 杭州安恒信息技术有限公司 | A kind of website back door based on attack chain utilizes event recognition method |
| CN108040036A (en) * | 2017-11-22 | 2018-05-15 | 江苏翼企云通信科技有限公司 | A kind of industry cloud Webshell safety protecting methods |
| CN107888616A (en) * | 2017-12-06 | 2018-04-06 | 北京知道创宇信息技术有限公司 | The detection method of construction method and Webshell the attack website of disaggregated model based on URI |
| CN107888616B (en) * | 2017-12-06 | 2020-06-05 | 北京知道创宇信息技术股份有限公司 | Construction method of classification model based on URI and detection method of Webshell attack website |
| CN108616538A (en) * | 2018-04-28 | 2018-10-02 | 北京网思科平科技有限公司 | Attacker's formation gathering method, system, terminal, server and its storage medium |
| US11824840B1 (en) * | 2019-02-04 | 2023-11-21 | Meixler Technologies, Inc. | System and method for web-browser based end-to-end encrypted messaging and for securely implementing cryptography using client-side scripting in a web browser |
| CN110868410A (en) * | 2019-11-11 | 2020-03-06 | 恒安嘉新(北京)科技股份公司 | Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium |
| CN110868410B (en) * | 2019-11-11 | 2022-05-10 | 恒安嘉新(北京)科技股份公司 | Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium |
| CN110909350A (en) * | 2019-11-16 | 2020-03-24 | 杭州安恒信息技术股份有限公司 | Method for remotely and accurately identifying WebShell backdoor |
| CN110909350B (en) * | 2019-11-16 | 2022-02-11 | 杭州安恒信息技术股份有限公司 | Method for remotely and accurately identifying WebShell backdoor |
| CN111046351A (en) * | 2019-12-13 | 2020-04-21 | 支付宝(杭州)信息技术有限公司 | Method and device for managing application permission in office network |
| CN113779571A (en) * | 2020-06-10 | 2021-12-10 | 中国电信股份有限公司 | WebShell detection device, WebShell detection method and computer-readable storage medium |
| CN113779571B (en) * | 2020-06-10 | 2024-04-26 | 天翼云科技有限公司 | WebShell detection device, webShell detection method and computer readable storage medium |
| CN114430348A (en) * | 2022-02-07 | 2022-05-03 | 云盾智慧安全科技有限公司 | Web site search engine optimization backdoor identification method and device |
| CN114430348B (en) * | 2022-02-07 | 2023-12-05 | 云盾智慧安全科技有限公司 | Web site search engine optimization backdoor identification method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104468477B (en) | 2018-04-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104468477A (en) | WebShell detection method and system | |
| US11785040B2 (en) | Systems and methods for cyber security alert triage | |
| CN102104601B (en) | Web vulnerability scanning method and device based on infiltration technology | |
| KR100894331B1 (en) | Anomaly Detection System and Method of Web Application Attacks using Web Log Correlation | |
| US20160065600A1 (en) | Apparatus and method for automatically detecting malicious link | |
| CN103279710B (en) | Method and system for detecting malicious codes of Internet information system | |
| CN105491053A (en) | Web malicious code detection method and system | |
| Alosefer et al. | Honeyware: a web-based low interaction client honeypot | |
| KR101902747B1 (en) | Method and Apparatus for Analyzing Web Vulnerability for Client-side | |
| Dalai et al. | Neutralizing SQL injection attack using server side code modification in web applications | |
| CN108351941B (en) | Analysis device, analysis method, and computer-readable storage medium | |
| CN110851838A (en) | Cloud testing system and security testing method based on Internet | |
| CN111625821A (en) | Application attack detection system based on cloud platform | |
| Riadi et al. | Vulnerability analysis of E-voting application using open web application security project (OWASP) framework | |
| Bronte et al. | Information theoretic anomaly detection framework for web application | |
| Priyawati et al. | Website vulnerability testing and analysis of website application using OWASP | |
| Zamiri-Gourabi et al. | Gas what? I can see your GasPots. Studying the fingerprintability of ICS honeypots in the wild | |
| Kishore et al. | Browser JS Guard: Detects and defends against Malicious JavaScript injection based drive by download attacks | |
| Roopak et al. | On effectiveness of source code and SSL based features for phishing website detection | |
| KR101968633B1 (en) | Method for providing real-time recent malware and security handling service | |
| Hao et al. | JavaScript malicious codes analysis based on naive bayes classification | |
| Basso et al. | Analysis of the effect of Java software faults on security vulnerabilities and their detection by commercial web vulnerability scanner tool | |
| Bhosale et al. | Testing Web Application using Vulnerability Scan | |
| Jatinkushwah et al. | Web application security using VAPT | |
| Mushlihudin et al. | Vulnerability Analysis and Prevention on Software as a Service (SaaS) of Archive Websites |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building Applicant after: Hangzhou Dipu Polytron Technologies Inc Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building Applicant before: Hangzhou Dipu Technology Co., Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20210624 Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang. Patentee after: Hangzhou Dip Information Technology Co.,Ltd. Address before: 310051, 6 floor, Chung Cai mansion, 68 Tong he road, Binjiang District, Hangzhou, Zhejiang. Patentee before: Hangzhou DPtech Technologies Co.,Ltd. |