CN104765883A - Detection method used for Webshell - Google Patents


Info

Publication number: CN104765883A
Application number: CN201510213186.3A
Authority: CN (China)
Prior art keywords: file, monitoring agent, administrative center, agent program, result
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘忠魁, 陈中祥, 任风伟
Current assignee: Middle Electricity Runs (beijing) Information Technology Co Ltd
Original assignee: Middle Electricity Runs (beijing) Information Technology Co Ltd
Priority date: 2015-04-30
Filing date: 2015-04-30
Publication date: 2015-07-08

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a comprehensive detection method for Webshell. The detection method is a high-level WEB file detection method that supports the combination of multiple detection means, covers the full life cycle of a website, and can achieve pre-event detection, in-event warning and post-event tracing, in order to solve the security problems of website Trojan embedding and hidden website backdoor implanting and to perform website file security auditing. By installing a monitoring agent program on the WEB server, WEB file detection results are dynamically sent to a cloud management center, where a comprehensive risk analysis is performed on the results; the cloud management center performs the comprehensive analysis according to data from multiple sources and establishes a statistical model for each file to dynamically detect changes in the files, so that WEB file risk management is achieved.

Description

Detection method for Webshell
Technical field
The present invention relates to a comprehensive Webshell detection method that mines the access logs of all monitored websites and builds statistical models for site files in order to track the threat value of each website file.
Background technology
Disguised attacks such as website backdoor implants have been growing year by year in recent years. The report "Summary of China's Internet Security Situation in 2013" issued by the National Internet Emergency Center states that in 2013 the center found a total of 61,000 websites in mainland China that had been implanted with backdoors from overseas, an increase of 62.1% over 2012. After successfully attacking a WEB application vulnerability, a hacker usually uses a script Trojan to tamper with the application system, control it and steal sensitive data from the database and the operating system. A typical system connection diagram in the prior art is shown in Fig. 1. The attacker exchanges data with the controlled WEB application system through a browser or a control end over the legitimately opened port; the disguise is very effective, a traditional firewall cannot block it, and there is generally no operation record in the system log.
The meaning of "WEB" obviously requires the server to expose an open WEB service, and "shell" means obtaining operating rights on the server to some extent. Webshell is commonly described as the right of an anonymous party (the intruder) to operate the website server to some extent through the website port. Because a Webshell takes the form of a dynamic script, it is also commonly called a website backdoor tool or a WEB application script backdoor.
Put simply, a Webshell is just one page of a website, but unlike an ordinary website page its functions are very powerful: through this page one can obtain rights that the administrator does not wish to grant, such as executing system commands, running third-party applications, stealing files, deleting WEB pages and modifying the home page.
Because a Webshell must also follow the programming rules of dynamic WEB application script files such as ASP, PHP and JSP, a Webshell that needs certain special functions inevitably uses the corresponding special functions, and a fairly common static detection method locates Webshells on that basis; however, a Webshell author can evade this detection by means of encryption. It is therefore necessary to devise a comprehensive Webshell detection algorithm that finally determines the threat value of a file by combining statistical models with the results of deep data mining.
Summary of the invention
The object of the invention is to address website security problems such as website Trojan embedding, hidden backdoors and site file security auditing by proposing a high-level WEB file detection method that supports the combined use of multiple detection means, covers the full life cycle of a website, and can achieve pre-event detection, in-event alarming and post-event tracing, together with a comprehensive Webshell detection algorithm that finally determines the threat value of a file by combining statistical models with the results of deep data mining.
The present invention is implemented as a comprehensive Webshell detection method comprising the following steps:
Step 1: initialization
Configure the monitoring agent program; compile and run a monitoring agent instance; the monitoring agent program completes its own initialization and establishes a secure connection with the cloud management center; send the monitoring agent program's basic information to the cloud management center; synchronize the latest scanning strategy and feature database from the cloud management center. Before being deployed to a server, the monitoring agent program must be generated by the administrator in the cloud management center using the "monitoring agent program generator" tool, and the cloud management center also stores the verification data of this monitoring agent program file; the monitoring agent program starts its own related services, such as the daemon and the listener; after the monitoring agent program runs on the server, it looks up the cloud management center according to its configuration and connects to it in a secure manner; after connecting, it sends the monitoring agent program's basic information to the cloud management center's dedicated data receiving interface; it then synchronizes the latest scanning strategy and feature database from the cloud management center.
Step 2: scanning and detection
Scan all WEB files under the website root directory and extract fingerprint information, compare it with the locally stored file fingerprint store and retrieve the files whose fingerprint information does not match; call the detection engine to re-detect the files whose fingerprint information does not match; read the locally stored web log summary information, locate the web log and extract the incremental log according to the summary information; reset the "scan idle timer" and the "log synchronization timer". In detail: the monitoring agent program scans the files of all monitored websites, extracts file fingerprint information, compares it with the locally stored file fingerprint store and retrieves the files whose fingerprints do not match, the newly added files and the missing files, then calls the detection engine to detect the mismatched and newly added files. For file detection, the monitoring agent program contains a complete file detection engine, which can use multiple means such as static file feature detection, state monitoring and statistics-based detection, and can accurately detect file features; the detection results include the file's general attributes, static features, run-time features, statistical features, the naive Bayes decision result and the list of missing files. The static feature detection result, run-time feature detection result, statistical feature detection result and naive Bayes decision result can accurately determine whether a file contains specific keywords, which high-risk functions it uses, whether it has performed dangerous actions, whether the file is encrypted and whether it is an obfuscated code file; the list of missing files contains files that existed in the previous scan but no longer exist in the current scan, taken from the file fingerprint store as updated after the last scan. The monitoring agent program reads the access log summary information, locates the web log file according to its configuration and extracts the incremental log according to the saved log file offset position; after the above steps complete, the "scan idle timer" and "log synchronization timer" are reset.
Step 3: send results
The monitoring agent program sends the detection results to the cloud management center; update the local file fingerprint store and web log summary information; run the "busy waiting" task until the above timers expire. The monitoring agent program sends the file detection results and the raw incremental log text to the cloud management center. The file detection results include the file general attributes, file detection results, the list of newly added files and the list of missing files; the monitoring agent program then updates the local file fingerprint store and log summary information and runs the "busy waiting" task.
Step 4: cloud management center initialization
The cloud management center starts the main process, basic services and communication interfaces; it reads the database to look up the monitoring agent program's basic information and contacts the monitoring agent program. On startup the cloud management center also starts the database instance, communication services, management engine, analysis engine and WEB container; the management engine reads the monitoring agent program's basic information from the database and attempts to communicate with the monitoring agent program to determine whether it is alive.
Step 5: risk value analysis
The cloud management center analysis process reads from the database the raw data sent by the monitoring agent program and decides the file risk value according to the detection results sent by the monitoring agent program, correlated with the log analysis results. The cloud management center analysis engine reads the detection results and the raw incremental log sent by the monitoring agent program, analyzes the raw incremental log information and combines it with the file detection results; the final analysis result is an access statistic for all monitored site files, such as the risk value of high-risk files, the statistics of source IPs that accessed a given file, and statistics on submitted malicious links and malicious access types.
Step 6: save results
Store the analysis results in the public database; the cloud management center front-end handler reads the public database and shows the detection results to the end user. The cloud management center analysis engine stores the analysis results in the public database; the cloud management center front-end user interface reads the public database data and displays it to the end user.
Compared with the prior art, the invention has the following beneficial effects: the monitoring agent program deployed on the website server performs the scanning and detection flow to detect the static feature attributes of WEB files; the monitoring agent program collects all WEB access logs on the server; the cloud management center performs deep mining of the WEB access logs and recognition of malicious URL attacks, and establishes a statistical model for every WEB file to dynamically detect the run-time state attributes of WEB files. The security of a WEB file is determined by combining the results of static feature detection, dynamic behaviour detection, statistical modelling and WEB log mining.
Before a security incident occurs, the above detection flow can detect vulnerabilities and defects in the website; while a security incident is occurring, it provides real-time monitoring and attack awareness; after a security incident has occurred, the earlier detection results and log records make it possible to trace the attack and quickly locate the point of threat.
The invention is particularly effective in managing large-scale website clusters: it supports access by up to 1000 large websites, and continuously detects, monitors and perceives the security features of the WEB files of all these websites. This considerably reduces the maintenance burden on webmasters and improves work efficiency.
Brief description of the drawings
Fig. 1 is a typical system connection diagram in the prior art.
Fig. 2 is the agent monitoring program flow chart of the Webshell detection method disclosed by the invention.
Fig. 3 is the cloud processing center operational flow chart of the Webshell detection method disclosed by the invention.
Embodiment
The present invention provides a comprehensive detection method for detecting website Webshells. To better describe the method and techniques of the invention, some concrete examples are given. It should be noted that the examples given here are only one embodiment of the invention; those skilled in the art can readily derive other embodiments from them. The technical solution of the invention is described clearly and completely below with reference to the accompanying drawings.
The invention discloses a comprehensive detection method for Webshell. The processing flow is shown in Fig. 2 (agent monitoring program flow chart of the detection method) and Fig. 3 (cloud processing center flow chart of the detection method):
Initialization: deploy the monitoring agent program on the website server; the monitoring agent program performs file scanning and file security detection, and extracts the web logs and sends them to the cloud management center. The specific steps are as follows:
1. The monitoring agent program is generated by the cloud management center. Before being deployed to a server, the monitoring agent program must be generated by the administrator in the cloud management center with a tool named "monitoring agent program generator". After the configuration information is filled in, the "monitoring agent program generator" compiles a dedicated monitoring agent program that can run only on the specified server; all of its code is compiled in encrypted form and cannot be decompiled, and its configuration cannot be modified. The daemon process released at runtime ensures that the monitoring agent program cannot be maliciously stopped. The cloud management center also stores the verification data of this monitoring agent program file.
2. Deploy the monitoring agent program on the website server that needs to be monitored;
3. The monitoring agent program sends its basic information to the cloud management center;
4. The monitoring agent program synchronizes the latest scanning strategy and detection rules from the cloud management center.
Scanning and detection: the monitoring agent program uses the file scan engine, the file detection engine and the log scan engine to scan and detect the security of site files, and to scan the web logs and extract the incremental log. The specific steps are as follows:
1. The "scan idle timer" in the monitoring agent program expires;
2. The file scan engine rescans all files under the website root directory and compares them with the locally stored file fingerprint store to determine the added files, the deleted files and the files whose fingerprint information does not match. The file fingerprint store is data stored in file form that contains the checksum values of the site files; the file checksum algorithm is an extension of the MD5 algorithm;
3. The monitoring agent program calls the detection engine to re-detect the newly added files and the files whose fingerprint information is abnormal;
4. When the "log synchronization timer" in the monitoring agent program expires, the monitoring agent program extracts the incremental log file;
5. The monitoring agent program resets the "scan idle timer" and the "log synchronization timer".
The monitoring agent program mainly completes the following tasks:
File scanning and detection: the monitoring agent program scans all files under the website root directory and computes their fingerprint information, compares it with the information saved in the fingerprint store, retrieves the abnormal files and calls the detection engine to perform file detection. The detection engine uses detection rules to detect the features of the abnormal files and characterize each file, for example whether the file contains eval($_POST[xxx]). Here the monitoring agent program does not scan files with simple system commands; instead it obtains the output of the system kernel directly through a driver, so as to guarantee the accuracy of the scan results as far as possible.
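The scan-and-detect cycle described above, as an added example in Python (not code from the patent or its assignee): an MD5 fingerprint store is built from the site root, a later scan is diffed against it to find added, missing and mismatched files, and only those files are passed to a static detection routine that reports the same kinds of features the patent lists (keyword hit, high-risk functions used, obfuscation). The patent names eval($_POST[xxx]) as a representative rule; the other patterns (the high-risk function list, the obfuscation markers and the long-base64 heuristic), the file extensions scanned and all function names are assumptions of this example, and the sample site is constructed in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed rule set for this example. The patent only names eval($_POST[xxx])
# as a representative detection rule; the other patterns are common static
# indicators chosen here and are not taken from the patent.
WEB_EXTS = {".php", ".asp", ".aspx", ".jsp"}
HIGH_RISK_FUNCS = ("eval", "assert", "system", "exec", "shell_exec",
                   "passthru", "popen", "proc_open")
KEYWORD_RE = re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I)
HIGH_RISK_RE = re.compile(r"\b(" + "|".join(HIGH_RISK_FUNCS) + r")\s*\(", re.I)
OBFUSCATION_RE = re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def md5_of_file(path):
    """Fingerprint of one file (the patent's store is MD5-based)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root):
    """Fingerprint store: relative path -> MD5 for every WEB script under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_of_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in WEB_EXTS}


def diff_fingerprints(stored, current):
    """Added, missing and fingerprint-mismatched files between two scans."""
    added = sorted(set(current) - set(stored))
    missing = sorted(set(stored) - set(current))
    mismatched = sorted(f for f in set(stored) & set(current)
                        if stored[f] != current[f])
    return added, missing, mismatched


def detect_file(path):
    """Static feature detection for one file, mirroring the patent's feature kinds."""
    text = Path(path).read_bytes().decode("utf-8", errors="replace")
    return {
        "keyword_hit": bool(KEYWORD_RE.search(text)),
        "high_risk_funcs": sorted({m.group(1).lower()
                                   for m in HIGH_RISK_RE.finditer(text)}),
        "obfuscated": bool(OBFUSCATION_RE.search(text) or LONG_B64_RE.search(text)),
    }


def scan_site(root, stored):
    """One scan cycle: fingerprint, diff against the store, detect only what changed."""
    current = fingerprint_tree(root)
    added, missing, mismatched = diff_fingerprints(stored, current)
    detections = {f: detect_file(Path(root) / f) for f in added + mismatched}
    return {"added": added, "missing": missing, "mismatched": mismatched,
            "detections": detections, "fingerprints": current}


def demo():
    """Constructed sample site: a clean baseline scan, then a tampered tree."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "about.php").write_text("<?php echo 'about'; ?>")
    stored = fingerprint_tree(root)  # baseline fingerprint store
    # tamper: inject into index.php, drop about.php, add a disguised upload
    (root / "index.php").write_text("<?php echo 'hello'; eval($_POST['x']); ?>")
    (root / "about.php").unlink()
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text(
        "<?php @eval(base64_decode($_REQUEST['c'])); ?>")
    (root / "style.css").write_text("body{}")  # not a script, ignored
    return scan_site(root, stored)


if __name__ == "__main__":
    print(demo())
```

Only files whose fingerprint changed, or that are new, are read a second time; unchanged files cost one hash each, which is what makes a periodic rescan of a large site root affordable. The missing-file list comes purely from the store, as the patent describes.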
Incremental log extraction: according to its configuration the monitoring agent program also scans the website access logs, reads the locally stored log summary information and reads the incremental log content according to it. The log summary information is a file offset mark: after a log file has been read, a distinctive mark is added at the end of the file, and this mark together with the last 1000 characters is cached to disk as the log summary information, which serves as the starting point and basis for extracting the incremental log next time.
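The log summary mechanism, as an added example in Python that is not part of the patent: the summary stores the byte offset reached and the last 1000 bytes read, and the next run resumes at that offset only if those bytes are still present there; otherwise the log is treated as rotated or truncated and is read from the start, so that entries are neither skipped nor duplicated. The patent also mentions appending a distinctive mark to the log file itself; this example does not write into the log and uses the cached tail as the marker, which is an assumption, as are the function names and the constructed sample log.

```python
import os
import tempfile

TAIL_LEN = 1000  # the patent caches the last 1000 characters as the marker


def read_increment(path, summary):
    """Return (new_lines, new_summary) for the log file at `path`.

    `summary` is the cached log summary information from the previous run:
    None on the first run, otherwise {"offset": int, "tail": bytes}, where
    `tail` is the last TAIL_LEN bytes of what was read last time. A real agent
    would serialize the summary to disk; here it is passed in memory.
    """
    with open(path, "rb") as f:
        data = f.read()
    start = 0
    if summary is not None:
        off, tail = summary["offset"], summary["tail"]
        # The marker must still sit exactly before the saved offset. If it does
        # not, the log was rotated or truncated, so start over from byte 0.
        if len(data) >= off and data[off - len(tail):off] == tail:
            start = off
    increment = data[start:]
    new_summary = {"offset": len(data), "tail": data[-TAIL_LEN:]}
    return increment.decode("utf-8", errors="replace").splitlines(), new_summary


def demo():
    """Constructed log: a full first read, a no-op read, an append, a rotation."""
    path = os.path.join(tempfile.mkdtemp(), "access.log")
    with open(path, "w") as f:
        f.write("l1\nl2\n")
    first, s1 = read_increment(path, None)    # first run reads everything
    again, s1b = read_increment(path, s1)     # nothing new since last run
    with open(path, "a") as f:
        f.write("l3\n")
    appended, s2 = read_increment(path, s1b)  # only the appended line
    with open(path, "w") as f:                # log rotated: fresh content
        f.write("n1\nn2\nn3\n")
    rotated, _ = read_increment(path, s2)     # marker gone, whole new file
    return first, again, appended, rotated


if __name__ == "__main__":
    print(demo())
```

The tail comparison is what distinguishes "the file grew" from "the file was replaced and happens to be at least as long as before"; comparing only the offset would silently skip the start of a rotated log.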
Send results: the monitoring agent program sends the file detection results and incremental log information to the cloud management center, and updates the locally stored file fingerprint store and log summary information. The specific steps are as follows:
1. The monitoring agent program sends the detection results to the cloud management center;
2. The monitoring agent program updates the locally stored file fingerprint store and log summary information;
3. Run the "busy waiting" task until one of the timers expires.
The detection results sent by the monitoring agent program consist of two main parts: the file detection results and the incremental log. The file detection results include the file general attributes, file feature detection results, state monitoring results, statistical test results, the list of newly added files and the list of deleted files. After the cloud management center receives the data sent by the monitoring agent program, it stores them in the database associated with that monitoring agent program, and the agent runs the "busy waiting" task until a timer expires.
Cloud management center initialization: mainly starts the related instances of the cloud management center and completes the preliminary information exchange. The specific steps are as follows:
1. The cloud management center starts the main process, communication services, database instance, management engine and analysis engine;
2. The management engine reads the monitoring agent program's basic information from the database and attempts to contact the monitoring agent program.
The cloud management center consists of three main components: the main program, the WEB container and the database instance. The main program includes numerous communication and data interfaces, the management engine and the analysis engine; the WEB container contains the interface shown to the end user; the database instance can host multiple databases, such as the raw database and the public database.
Risk value analysis: the cloud management center analysis engine reads from the database the detection results sent by the agent monitoring program and performs the final file risk value evaluation on them. The specific steps are as follows:
1. The analysis engine reads the file detection results sent by the monitoring agent program and judges the risk value of each file;
2. The analysis engine reads the incremental log sent by the monitoring agent program and performs in-depth mining and statistics on the log entries.
The file detection results sent from the monitoring agent program to the cloud management center are a series of feature sets; the analysis engine assigns a different risk value to each feature set and thus computes the risk value of every file. The analysis engine extracts the raw web log text from the database, computes statistics over all access records and, according to the file detection results, counts the access records of all high-risk files.
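Risk value assignment and log correlation, as an added example in Python that is not from the patent: each reported feature set is scored with assumed weights, files at or above an assumed threshold count as high-risk, and the access log is then mined for per-file source-IP statistics on those files and for counts of malicious access types found in query strings. The weights, threshold, log format, malicious-type patterns, function names and sample data are all assumptions of this example; the feature-set keys follow the feature kinds the patent lists.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed per-feature weights: the patent says each feature set is assigned a
# different risk value but gives no numbers, so these are illustrative.
FEATURE_WEIGHTS = {"keyword_hit": 50, "high_risk_func": 15, "dangerous_action": 25,
                   "encrypted": 10, "obfuscated": 20, "bayes_malicious": 30}
HIGH_RISK_THRESHOLD = 60  # assumed cut-off for "high-risk file"

# Access-log line in the common/combined format (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')
# Assumed malicious access types recognised in the (URL-decoded) query string.
MALICIOUS_TYPES = {
    "malicious_link": re.compile(r"(?i)https?://\S+?\.(?:exe|sh|php)\b"),
    "sqli": re.compile(r"(?i)union\s+select"),
    "xss": re.compile(r"(?i)<script"),
}


def file_risk_value(result):
    """Risk value 0..100 for one file from its detection feature set."""
    score = FEATURE_WEIGHTS["keyword_hit"] if result.get("keyword_hit") else 0
    score += FEATURE_WEIGHTS["high_risk_func"] * len(result.get("high_risk_funcs", []))
    for flag in ("dangerous_action", "encrypted", "obfuscated", "bayes_malicious"):
        if result.get(flag):
            score += FEATURE_WEIGHTS[flag]
    return min(score, 100)


def analyze(detections, log_lines):
    """Per-file risk values plus log statistics correlated with high-risk files."""
    risk = {f: file_risk_value(r) for f, r in detections.items()}
    high_risk = {f for f, v in risk.items() if v >= HIGH_RISK_THRESHOLD}
    total = 0
    source_ips = defaultdict(Counter)  # high-risk file -> source IP -> hits
    malicious = Counter()              # malicious access type -> count
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, not fatal
        total += 1
        path, _, query = m["target"].partition("?")
        path = path.lstrip("/")
        if path in high_risk:
            source_ips[path][m["ip"]] += 1
        query = unquote(query)
        for kind, pattern in MALICIOUS_TYPES.items():
            if pattern.search(query):
                malicious[kind] += 1
    return {"risk": risk, "high_risk": sorted(high_risk), "total_requests": total,
            "source_ips": {f: dict(c) for f, c in source_ips.items()},
            "malicious": dict(malicious)}


# Constructed sample input: feature sets as the agent would report them, and a
# few access-log lines using RFC 5737 documentation addresses.
SAMPLE_DETECTIONS = {
    "index.php": {"keyword_hit": False, "high_risk_funcs": []},
    "uploads/img.php": {"keyword_hit": True, "high_risk_funcs": ["eval"],
                        "obfuscated": True},
}
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2015:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Apr/2015:10:00:02 +0800] "POST /uploads/img.php HTTP/1.1" 200 64',
    '198.51.100.9 - - [30/Apr/2015:10:00:03 +0800] "POST /uploads/img.php HTTP/1.1" 200 64',
    '203.0.113.5 - - [30/Apr/2015:10:00:04 +0800] "GET /uploads/img.php?c=aGk= HTTP/1.1" 200 64',
    '198.51.100.9 - - [30/Apr/2015:10:00:05 +0800] "GET /search.php?q=1%27%20union%20select HTTP/1.1" 200 900',
    '198.51.100.9 - - [30/Apr/2015:10:00:06 +0800] "GET /post.php?url=http://example.invalid/x.exe HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(analyze(SAMPLE_DETECTIONS, SAMPLE_LOG))
```

The per-file source-IP counter is the statistic that lets an operator answer "who touched this file" once the static side has flagged it; the query-string classification runs on every request regardless of file, since the patent counts malicious links and access types across the whole log.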
Save results: the cloud management center saves all analysis results and stores them in the database; the cloud management center front-end display interface extracts the data and presents it to the end user. All analysis results are saved, classified by analysis and statistics, and stored in the public database.

Claims (7)

1. A comprehensive detection method for Webshell, characterized in that the method comprises the following steps:
Step 1: initialization
Configure the monitoring agent program;
Compile and run a monitoring agent instance;
The monitoring agent program completes its own initialization and establishes a secure connection with the cloud management center;
Send the monitoring agent program's basic information to the cloud management center;
Synchronize the latest scanning strategy and feature database from the cloud management center;
Step 2: scanning and detection
Scan all files under the website root directory and extract fingerprint information, compare it with the information in the locally stored file fingerprint store, and retrieve the files whose fingerprint information does not match;
Call the detection engine to re-detect the files whose fingerprint information does not match;
Read the locally stored web log summary information, locate the web log and extract the incremental log according to the summary information;
Reset the "scan idle timer" and the "log synchronization timer";
Step 3: send results
The monitoring agent program sends the detection results to the cloud management center;
Update the local file fingerprint store and web log summary information;
Run the "busy waiting" task until the above timers expire;
Step 4: cloud management center initialization
The cloud management center starts the main process, basic services and communication interfaces;
Read the database to look up the monitoring agent program's basic information and contact the monitoring agent program;
Step 5: risk value analysis
The cloud management center analysis process reads from the database the raw data sent by the monitoring agent program;
The cloud management center analysis process decides the file risk value according to the detection results sent by the monitoring agent program, correlated with the log analysis results;
Step 6: save results
Store the analysis results in the public database;
The cloud management center front-end handler reads the public database and shows the detection results to the end user.
2. The detection method according to claim 1, characterized in that the specific flow of step 1 is as follows:
① Before being deployed to a server, the monitoring agent program must be generated by the administrator in the cloud management center using the "monitoring agent program generator" tool, and the cloud management center also stores the verification data of this monitoring agent program file;
② The monitoring agent program starts its own related services, such as the daemon and the listener;
③ After the monitoring agent program runs on the server, it looks up the cloud management center according to its configuration and connects to it in a secure manner;
④ After connecting to the cloud management center, it sends the monitoring agent program's basic information to the cloud management center's dedicated data receiving interface;
⑤ Synchronize the latest scanning strategy and feature database from the cloud management center.
3. The detection method according to claim 1, characterized in that the specific flow of step 2 is as follows:
① The monitoring agent program scans the WEB files of all monitored websites, extracts file fingerprint information, compares it with the locally stored file fingerprint store and retrieves the files whose fingerprint information does not match, the newly added files and the missing files, then calls the detection engine to detect the mismatched and newly added files;
② File detection: the monitoring agent program contains a complete file detection engine, which can use multiple means such as static file feature detection, state monitoring and statistics-based detection and can accurately detect the features of a file. The detection results include the file's general attributes, static features, run-time features, statistical features, the naive Bayes decision result and the list of missing files;
③ The static feature detection result, run-time feature detection result, statistical feature detection result and naive Bayes decision result can accurately determine whether a file contains specific keywords, which high-risk functions it contains, whether it has performed dangerous actions, whether the file is encrypted and whether it is an obfuscated code file; the list of missing files contains files that existed in the previous scan but no longer exist in the current scan, taken from the file fingerprint store as updated after the last scan;
④ The monitoring agent program reads the access log summary information, locates the web log file according to its configuration and extracts the incremental log according to the saved log file offset position;
⑤ After the above steps complete, the "scan idle timer" and the "log synchronization timer" are reset.
4. The method according to claim 1, characterized in that the specific flow of step 3 is as follows:
① The monitoring agent program sends the file detection results and the raw incremental log text to the cloud management center. The file detection results include the file general attributes, file detection results, the list of newly added files and the list of missing files;
② The monitoring agent program updates the local file fingerprint store and log summary information;
③ The "busy waiting" task is run.
5. The method according to claim 1, characterized in that the specific flow of step 4 is as follows:
① On startup the cloud management center also starts the database instance, communication services, management engine, analysis engine and WEB container;
② The management engine reads the monitoring agent program's basic information from the database and attempts to communicate with the monitoring agent program to determine whether it is alive.
6. The method according to claim 1, characterized in that the specific flow of step 5 is as follows:
① The cloud management center analysis engine reads the detection results and the raw incremental log sent by the monitoring agent program;
② The cloud management center analysis engine analyzes the raw incremental log information and combines it with the file detection results; the final analysis result is an access statistic for all monitored site files, such as the risk value of high-risk files, the statistics of source IPs that accessed a given file, and statistics on submitted malicious links and malicious access types.
7. The method according to claim 1, characterized in that the specific flow of step 6 is as follows:
① The cloud management center analysis engine stores the analysis results in the public database;
② The cloud management center front-end user interface reads the public database data and displays it to the end user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510213186.3A CN104765883A (en) 2015-04-30 2015-04-30 Detection method used for Webshell

Publications (1)

Publication Number Publication Date
CN104765883A true CN104765883A (en) 2015-07-08

Family

ID=53647710

Country Status (1)

Country Link
CN (1) CN104765883A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105069355A (en) * 2015-08-26 2015-11-18 厦门市美亚柏科信息股份有限公司 Static detection method and apparatus for webshell deformation
CN105516151A (en) * 2015-12-15 2016-04-20 北京奇虎科技有限公司 Scanning-killing method and device of backdoor file
CN107294982A (en) * 2017-06-29 2017-10-24 深信服科技股份有限公司 Webpage back door detection method, device and computer-readable recording medium
CN107404497A (en) * 2017-09-05 2017-11-28 成都知道创宇信息技术有限公司 A kind of method that WebShell is detected in massive logs
CN107508829A (en) * 2017-09-20 2017-12-22 杭州安恒信息技术有限公司 A kind of webshell detection methods of non-intrusion type
CN107612925A (en) * 2017-10-12 2018-01-19 成都知道创宇信息技术有限公司 A kind of WebShell method for digging based on access behavioural characteristic
CN107770133A (en) * 2016-08-19 2018-03-06 北京升鑫网络科技有限公司 A kind of adaptability webshell detection methods and system
WO2018166365A1 (en) * 2017-03-15 2018-09-20 阿里巴巴集团控股有限公司 Method and device for recording website access log
CN108920959A (en) * 2018-07-21 2018-11-30 杭州安恒信息技术股份有限公司 A kind of webshell detection method based on Bayesian model optimization
CN108985061A (en) * 2018-07-05 2018-12-11 北京大学 A kind of webshell detection method based on Model Fusion
CN110674163A (en) * 2019-08-26 2020-01-10 天津浪淘科技股份有限公司 Heterogeneous data query system and method based on BS framework
CN110868419A (en) * 2019-11-18 2020-03-06 杭州安恒信息技术股份有限公司 Method and device for detecting WEB backdoor attack event and electronic equipment
CN113507439A (en) * 2021-06-07 2021-10-15 广发银行股份有限公司 JSP file security monitoring method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103294952A (en) * 2012-11-29 2013-09-11 北京安天电子设备有限公司 Method and system for detecting webshell based on page relation
CN104468477A (en) * 2013-09-16 2015-03-25 杭州迪普科技有限公司 WebShell detection method and system

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105069355B (en) * 2015-08-26 2018-09-11 厦门市美亚柏科信息股份有限公司 The static detection method and device of webshell deformations
CN105069355A (en) * 2015-08-26 2015-11-18 厦门市美亚柏科信息股份有限公司 Static detection method and apparatus for webshell deformation
CN105516151A (en) * 2015-12-15 2016-04-20 北京奇虎科技有限公司 Scanning-killing method and device of backdoor file
WO2017101751A1 (en) * 2015-12-15 2017-06-22 北京奇虎科技有限公司 Checking and killing method and apparatus for backdoor file, program, and readable medium
CN105516151B (en) * 2015-12-15 2019-02-12 北京奇虎科技有限公司 The checking and killing method and device of backdoor file
US10678915B2 (en) 2015-12-15 2020-06-09 Beijing Qihoo Technology Company Limited Method, device and program for checking and killing a backdoor file, and readable medium
CN107770133B (en) * 2016-08-19 2020-08-14 北京升鑫网络科技有限公司 Adaptive webshell detection method and system
CN107770133A (en) * 2016-08-19 2018-03-06 北京升鑫网络科技有限公司 A kind of adaptability webshell detection methods and system
WO2018166365A1 (en) * 2017-03-15 2018-09-20 阿里巴巴集团控股有限公司 Method and device for recording website access log
TWI750252B (en) * 2017-03-15 2021-12-21 香港商阿里巴巴集團服務有限公司 Method and device for recording website access log
CN108632050A (en) * 2017-03-15 2018-10-09 阿里巴巴集团控股有限公司 A kind of method and apparatus of record web log
CN108632050B (en) * 2017-03-15 2021-03-02 阿里巴巴集团控股有限公司 Method and device for recording website access log
CN107294982A (en) * 2017-06-29 2017-10-24 深信服科技股份有限公司 Webpage back door detection method, device and computer-readable recording medium
CN107404497A (en) * 2017-09-05 2017-11-28 成都知道创宇信息技术有限公司 A kind of method that WebShell is detected in massive logs
CN107508829A (en) * 2017-09-20 2017-12-22 杭州安恒信息技术有限公司 A kind of webshell detection methods of non-intrusion type
CN107508829B (en) * 2017-09-20 2019-11-29 杭州安恒信息技术股份有限公司 A kind of webshell detection method of non-intrusion type
CN107612925A (en) * 2017-10-12 2018-01-19 成都知道创宇信息技术有限公司 A kind of WebShell method for digging based on access behavioural characteristic
CN108985061A (en) * 2018-07-05 2018-12-11 北京大学 A kind of webshell detection method based on Model Fusion
CN108920959B (en) * 2018-07-21 2020-12-01 杭州安恒信息技术股份有限公司 Webshell detection method based on Bayesian model optimization
CN108920959A (en) * 2018-07-21 2018-11-30 杭州安恒信息技术股份有限公司 A kind of webshell detection method based on Bayesian model optimization
CN110674163A (en) * 2019-08-26 2020-01-10 天津浪淘科技股份有限公司 Heterogeneous data query system and method based on BS framework
CN110868419A (en) * 2019-11-18 2020-03-06 杭州安恒信息技术股份有限公司 Method and device for detecting WEB backdoor attack event and electronic equipment
CN113507439A (en) * 2021-06-07 2021-10-15 广发银行股份有限公司 JSP file security monitoring method and system

Similar Documents

Publication Publication Date Title
CN104765883A (en) Detection method used for Webshell
Conlan et al. Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy
CN102254111B (en) Malicious site detection method and device
CN109361643B (en) Deep tracing method for malicious sample
Wang et al. Virus detection using data mining techinques
CN102110198B (en) Anti-counterfeiting method for web page
Rathnayaka et al. An efficient approach for advanced malware analysis using memory forensic technique
CN107688743B (en) Malicious program detection and analysis method and system
CN102111267A (en) Website safety protection method based on digital signature and system adopting same
CN111600856A (en) Safety system of operation and maintenance of data center
CA2883090A1 (en) Systems and methods for automated memory and thread execution anomaly detection in a computer network
CN111953697A (en) APT attack identification and defense method
CN111510463B (en) Abnormal behavior recognition system
CN109347808B (en) Safety analysis method based on user group behavior activity
CN110138731B (en) Network anti-attack method based on big data
Dalai et al. Neutralizing SQL injection attack using server side code modification in web applications
CN104657665A (en) File processing method
CN114117432A (en) APT attack chain restoration system based on data tracing graph
CN107302530B (en) Industrial control system attack detection device based on white list and detection method thereof
CN107231364B (en) Website vulnerability detection method and device, computer device and storage medium
CN103716394A (en) Downloaded file management method and device
CN101540704B (en) Unreliable DBMS malicious intrusion detection system and method
Le Jamtel Swimming in the Monero pools
CN102592078B (en) Method for identifying self-propagation of malicious software by extracting function call sequence characteristics
Liang et al. Malicious packages lurking in user-friendly python package index

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by SIPO to initiate substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20150708)