CN109067696B - Webshell detection method and system based on graph similarity analysis - Google Patents

Publication number
CN109067696B
Authority
CN
China
Prior art keywords
weight
graph
page
relation access
page relation
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201810527915.6A
Other languages
Chinese (zh)
Other versions
CN109067696A (en)
Inventor
文伟平
叶晓亮
张汉
张涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Dingyuan Lanjian Information Technology Co ltd
Original Assignee
Hunan Dingyuan Lanjian Information Technology Co ltd
Application filed by Hunan Dingyuan Lanjian Information Technology Co ltd
Priority to CN201810527915.6A
Publication of CN109067696A
Application granted
Publication of CN109067696B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a webshell detection method and system based on graph similarity analysis, and relates to the technical field of information security. The method comprises: obtaining the code files in all directories of the Web server of the system to be detected; obtaining a first weight; drawing a first page relation access graph and a second page relation access graph; generating third to fifth page relation access graphs; obtaining a second weight and a third weight; and obtaining a final weight, from which the likelihood that a code file is a webshell is detected. The technical scheme provided by the invention can effectively reduce the missed-detection rate caused by webshell deformation, and can serve as an aid to other detection means by narrowing their detection range; in addition, as a static detection method, the invention avoids the performance sacrifice of dynamic detection and so offers better detection performance.

Description

Webshell detection method and system based on graph similarity analysis
Technical Field
The invention relates to the technical field of information security, in particular to a webshell detection method and system based on graph similarity analysis.
Background
With the rapid development of internet technology, webshells, which website owners often use for website and server management, are now also frequently used by intruders through the WEB service port as a tool for controlling servers or acquiring certain permissions; webshells are therefore also called "website backdoors".
A webshell can be nested inside a normal web page to run, which makes it hard to find and remove; it can also pass through the server firewall without being intercepted. Related security incidents occur frequently and cause great losses, so webshell detection is particularly important.
Currently, webshell detection methods fall into two main categories: static detection and dynamic detection.
Static detection mainly takes two forms. One builds a feature library from known webshell features, such as characteristic functions, and matches files against the library to obtain a result; the other relies on statistical features of webshells, such as information entropy and longest word. Both are easily bypassed by deformed webshells, so they have high false alarm and missed-detection rates.
Dynamic detection also mainly takes two forms. One runs the file in a sandbox and detects it from the characteristics observed during execution; the other hooks the relevant functions and detects on that basis. Although dynamic detection handles deformed webshells better than static detection, it also has a high false alarm rate, for reasons such as failure to trigger, and it cannot distinguish normal programs from webshells well. In addition, dynamic detection carries a large performance cost.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a webshell detection method based on graph similarity analysis. When detecting deformed webshells, the method can be used as an auxiliary detection means that narrows the detection range of other detection methods, and it can also reduce the webshell false alarm rate.
The technical scheme provided by the invention is as follows:
A webshell detection method based on graph similarity analysis comprises the following steps:
Step 1, obtaining a first weight;
For the system to be detected, the code files in all directories of its Web server are obtained and processed to extract the annotation (comment) information; the annotation information is matched against an annotation information feature library, and a weight is assigned according to the matching result. Specifically, regular-expression matching can be used: each time a character string is matched, the weight is increased by 1, and the resulting total is the first weight. The annotation information feature library established by the invention contains almost all of the annotation information found in common viruses and Trojans, in particular the annotation information in published webshells. The annotation information is acquired by writing a script suited to the programming language of the code file and extracting the annotation information with that script; for example, in HTML the characters between <!-- and --> are the annotation information.
Step 2, drawing the first page relation access graph and the second page relation access graph, specifically by the following operations:
21) Draw the first page relation access graph according to the relevant information of the system to be detected.
When a website is first programmed, it has a normal jump logic, that is, a graph formed by the jump relations between the pages of the website. The first page relation access graph is this normal jump graph over all pages of the website. It is a directed graph in which the nodes are the pages and the directed edges between nodes represent the access paths between pages.
The relevant information of the system includes its development documents, instruction manuals, URLs in the markup language and the like, as well as the opinions of its developers.
22) Draw the second page relation access graph according to the related log information.
The related log information includes system logs, server access logs, website logs, and the like.
The nodes of the second page relation access graph are the pages that a given IP (Internet Protocol) address accessed in a specific time period, as obtained from the related log information. Specifically, the website logs, in particular the retained URL records, show which pages a given IP accessed in a specific time period, and the jump relation graph of those pages is then drawn according to the normal, complete jump logic of the website.
Step 3, generating a third page relation access graph, a fourth page relation access graph and a fifth page relation access graph;
31) Layer the second page relation access graph: the first layer is the main page of the system under detection; the pages in the second page relation access graph that involve database operations, file operations, user-permission operations and the like form the second, third and fourth layers respectively; the remaining pages form the fifth layer. The access relations between pages, that is, the directed edges, are unchanged. This yields the third page relation access graph.
Pages involving database operations, file operations, user-permission operations and the like are identified as follows:
a1) By page function; for example, the page's function involves adding or deleting data, downloading or uploading files, granting different permissions to different users, and so on;
a2) By page code; for example, taking Java as the page language, the page code contains a database-connection statement such as getConnection (jdbc, "root"), a database-operation statement such as delete from XX where XX, a file-creation statement such as createNewFile(), a statement that adds characters to an output object such as buffer write (), or a method such as using shiro to implement user permissions.
32) Prune the first page relation access graph and the third page relation access graph. The fifth-layer nodes of the third page relation access graph are cut off together with their directed edges, forming the fifth page relation access graph; the same layering and pruning are applied to the first page relation access graph, forming the fourth page relation access graph.
Step 4, acquiring a second weight and a third weight;
Using the graph similarity algorithm, the similarity between the first and second page relation access graphs and the similarity between the fourth and fifth page relation access graphs are calculated respectively, and weights are assigned according to these similarities, giving the second weight and the third weight.
In a specific implementation, the similarity is the graph similarity $d_{12}$ calculated according to formula 1, and the calculated graph similarity $d_{12}$ is used directly as the weight.
The graph similarity algorithm is as follows. Each page relation access graph is converted into an n × n matrix, where n is the number of elements in the union of the node sets of the two graphs being compared. If there is an edge between two nodes, the corresponding matrix entry is 1; otherwise it is 0.
The matrix is then vectorized: its elements are taken in order, left to right and top to bottom, as the coordinates of a vector. The distance between the two vectors is then calculated using formula 1, and this value is taken as the graph similarity.
Figure BDA0001676458100000031
where n is the dimension of the vector and is also equal to n in the matrix; $X_{1k}$ and $X_{2k}$ are the coordinates of the two vectors; k is the index, taking values in (1, n); and $d_{12}$ is the graph similarity.
Step 5, obtaining a final weight, and detecting the likelihood that the code file is a webshell according to the final weight and the first weight;
The first weight, the second weight and the third weight can be added in weighted proportion to obtain the final weight.
In a specific implementation, the final weight is calculated as: final weight = 30% of the first weight + 20% of the second weight + 50% of the third weight. Results are sorted by final weight; a final weight greater than 30 indicates a high likelihood that a webshell exists. In that case, the code files of all pages are sorted by first weight; pages ranked within the top 50% are very likely to contain a webshell, and whether a code file is a webshell can be further determined by other detection methods or manual verification.
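The following Python sketch, added here as an illustration and not taken from the patent, walks steps 2 to 5 on a constructed site and access log. Assumptions: consecutive requests from one IP form a directed edge, and formula 1 (whose image is not reproduced on this page) is taken to be the Euclidean distance; the page names, layer assignments and log records are constructed.

```python
import math
from collections import namedtuple

# nodes: set of page paths; edges: set of (source, target) jumps
Graph = namedtuple("Graph", ["nodes", "edges"])

# --- Constructed sample data (not from the patent) ----------------------
# First graph: the designed jump logic of a small site.
DESIGNED = Graph(
    nodes={"/index.php", "/login.php", "/admin/users.php",
           "/files/upload.php", "/news.php", "/about.php"},
    edges={("/index.php", "/login.php"), ("/index.php", "/news.php"),
           ("/index.php", "/about.php"), ("/login.php", "/admin/users.php"),
           ("/login.php", "/files/upload.php")},
)
# Layers from step 31: 1 main page, 2 database, 3 file, 4 user permission.
# Pages absent from this map fall into layer 5 (the remaining pages).
LAYERS = {
    "/index.php": 1, "/login.php": 2, "/files/upload.php": 3,
    "/admin/users.php": 4,
    "/uploads/img_01.php": 3,  # assumed: judged file-operating from its code
}
# Access log records: (client IP, epoch seconds, requested page).
ACCESS_LOG = [
    ("203.0.113.7", 100, "/index.php"),
    ("198.51.100.4", 105, "/news.php"),
    ("203.0.113.7", 120, "/login.php"),
    ("203.0.113.7", 150, "/files/upload.php"),
    ("203.0.113.7", 200, "/uploads/img_01.php"),
    ("203.0.113.7", 260, "/admin/users.php"),
    ("203.0.113.7", 2000, "/index.php"),  # outside the analysed window
]
FINAL_THRESHOLD = 30  # "final weight greater than 30" from step 5


def graph_from_log(records, ip, start, end):
    """Second graph: pages one IP requested inside [start, end].
    Assumption: each pair of consecutive requests is a directed edge."""
    hits = sorted((ts, page) for rec_ip, ts, page in records
                  if rec_ip == ip and start <= ts <= end)
    pages = [page for _, page in hits]
    edges = {(a, b) for a, b in zip(pages, pages[1:]) if a != b}
    return Graph(set(pages), edges)


def prune(graph, layers):
    """Step 32: drop fifth-layer nodes and every edge touching them."""
    keep = {p for p in graph.nodes if layers.get(p, 5) != 5}
    edges = {(a, b) for a, b in graph.edges if a in keep and b in keep}
    return Graph(keep, edges)


def adjacency_vector(graph, order):
    """Row-major flattening of the 0/1 adjacency matrix over `order`.
    For n nodes the flattened vector has n * n coordinates."""
    return [1 if (a, b) in graph.edges else 0 for a in order for b in order]


def graph_distance(g1, g2):
    """Distance between two graphs over the union of their node sets.
    Euclidean distance is an assumption standing in for formula 1."""
    order = sorted(g1.nodes | g2.nodes)
    v1 = adjacency_vector(g1, order)
    v2 = adjacency_vector(g2, order)
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(v1, v2)))


def final_weight(w1, w2, w3):
    """Step 5: 30% first weight + 20% second weight + 50% third weight."""
    return 0.30 * w1 + 0.20 * w2 + 0.50 * w3


def score(first_weight, designed, observed, layers):
    """Return (second weight, third weight, final weight)."""
    w2 = graph_distance(designed, observed)                 # graphs 1 vs 2
    w3 = graph_distance(prune(designed, layers),            # graph 4
                        prune(observed, layers))            # graph 5
    return w2, w3, final_weight(first_weight, w2, w3)


def exceeds_threshold(total):
    return total > FINAL_THRESHOLD


if __name__ == "__main__":
    observed = graph_from_log(ACCESS_LOG, "203.0.113.7", 0, 1000)
    w2, w3, total = score(4, DESIGNED, observed, LAYERS)
    print(f"w2={w2:.3f} w3={w3:.3f} final={total:.3f} "
          f"flag={exceeds_threshold(total)}")
```

Under the Euclidean assumption, the distance on 0/1 adjacency vectors is the square root of the number of edges present in only one of the two graphs, so a larger value means the observed navigation deviates more from the designed one.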
The invention also provides a webshell detection system based on graph similarity analysis, implemented using the above webshell detection method based on graph similarity analysis. The system comprises: an annotation information extraction module, an annotation information feature library, first to fifth page relation access graph acquisition modules, a first weight acquisition module, a second weight acquisition module, a third weight acquisition module and a judgment module; wherein:
the annotation information extraction module is used for extracting the annotation information of the code files in all directories of the Web server;
the annotation information feature library is used for matching against the annotation information extracted by the annotation information extraction module;
the first page relation access graph acquisition module draws the first page relation access graph according to the relevant information of the system;
the second page relation access graph acquisition module draws the second page relation access graph according to the related log information;
the third page relation access graph acquisition module layers the second page relation access graph and draws the third page relation access graph;
the fourth page relation access graph acquisition module layers and prunes the first page relation access graph and draws the fourth page relation access graph;
the fifth page relation access graph acquisition module prunes the third page relation access graph and draws the fifth page relation access graph;
the first weight acquisition module is used for regular-expression matching the annotation information extracted by the annotation information extraction module against the annotation information feature library and obtaining the first weight according to the matching result;
the second weight acquisition module is used for calculating the similarity between the first page relation access graph and the second page relation access graph according to the graph similarity algorithm and obtaining the second weight according to the calculation result;
the third weight acquisition module is used for calculating the similarity between the fourth page relation access graph and the fifth page relation access graph according to the graph similarity algorithm and obtaining the third weight according to the calculation result;
and the judgment module is used for obtaining the final weight and judging the likelihood that the detected code file is a webshell according to the final weight and the first weight.
Compared with the prior art, the invention has the beneficial effects that:
The technical scheme provided by the invention can effectively reduce the false alarm rate caused by webshell deformation, and can serve as an aid to other detection means by narrowing their detection range; in addition, as a static detection method, the invention avoids the performance sacrifice of dynamic detection and so offers better detection performance.
Drawings
FIG. 1 is a block flow diagram of the method of the present invention.
FIG. 2 is a block diagram showing the structure of the detecting system according to the present invention.
Detailed Description
The invention will be further described by way of examples, without in any way limiting the scope of the invention, with reference to the accompanying drawings.
The invention provides a webshell detection method based on graph similarity analysis; to make the technical scheme easier to understand, it is described in further detail below with reference to the drawings. Using this method, the invention implements a webshell detection system based on graph similarity analysis, which comprises: an annotation information extraction module, an annotation information feature library, first to fifth page relation access graph acquisition modules, a first weight acquisition module, a second weight acquisition module, a third weight acquisition module and a judgment module. The data flow between the modules is shown in FIG. 2.
The specific embodiment of the invention is as follows:
1. The code files in all directories of the Web server are obtained and processed by the annotation information extraction module to obtain the annotation information; the annotation information is regular-expression matched against the annotation information feature library; the weight is increased by 1 each time a character string is matched; and the resulting total is the first weight.
The annotation information feature library contains the annotation information found in common viruses and Trojans, in particular the code annotations in published webshells.
2. 21) Draw the first page relation access graph according to the relevant information of the system. The first page relation access graph is the normal jump graph over all pages of the website. It is a directed graph in which the nodes are the pages and the directed edges between nodes represent the jump paths between pages.
The relevant information of the system includes its development documents, instruction manuals, URLs (uniform resource locators) in the markup language and the like, as well as the opinions of its developers.
22) Draw the second page relation access graph of the system according to the related log information; the second page relation access graph is the graph of actual web page jump paths.
The related log information includes system logs, server access logs, website logs, and the like.
3.
31) Layer the second page relation access graph: the first layer is the main page of the system; the pages in the access relation graph that involve database operations, file operations, user-permission operations and the like form the second, third and fourth layers respectively; the remaining pages form the fifth layer. The access relations between pages, that is, the directed edges, are unchanged. This yields a page relation access graph.
32) Prune the first page relation access graph and the third page relation access graph. The fifth-layer nodes of the third page relation access graph are cut off together with their directed edges, forming the fifth page relation access graph; the same pruning is applied to the first page relation access graph, forming the fourth page relation access graph.
4. Using the graph similarity algorithm, calculate the similarity between the first and second page relation access graphs and the similarity between the fourth and fifth page relation access graphs respectively, and assign the corresponding weights to obtain the second weight and the third weight.
The graph similarity algorithm is as follows. Each page relation access graph is converted into an n × n matrix, where n is the number of elements in the union of the node sets of the two graphs being compared. If there is an edge, the corresponding matrix entry is 1; otherwise it is 0.
The matrix is then vectorized: its elements are taken in order, left to right and top to bottom, as the coordinates of a vector. The distance between the two vectors is then calculated using the following formula, and this value is taken as the graph similarity.
Figure BDA0001676458100000061
where n is the dimension of the vector and is also equal to n in the matrix; $X_{1k}$ and $X_{2k}$ are the coordinates of the two vectors; k is the index, taking values in (1, n); and $d_{12}$ is the graph similarity.
5. Obtain the final weight, and detect the likelihood that the code file is a webshell according to the final weight and the first weight.
The first weight, the second weight and the third weight can be added in weighted proportion to obtain the final weight.
In a specific implementation, the final weight is calculated as: final weight = 30% of the first weight + 20% of the second weight + 50% of the third weight. Results are sorted by final weight; a final weight greater than 30 indicates a high likelihood that a webshell exists. In that case, the code files of all pages are sorted by first weight; pages ranked within the top 50% are very likely to contain a webshell, and whether a code file is a webshell can be further determined by other detection methods or manual verification.
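An added Python illustration (not code from the patent) of the first-weight computation in item 1 and the first-weight ranking in item 5. The regular expressions in the feature library, the file names and the file contents are constructed stand-ins; the patent's own annotation information feature library is not given on this page.

```python
import math
import os
import re

# Comment syntax per file type. Each type uses ONE alternation so that
# matches never overlap (a "//" inside a /* ... */ block is not re-counted).
# (?<!:)// skips the "//" of URLs such as http://host/ in string literals.
_C_STYLE = r"/\*(.*?)\*/|(?<!:)//([^\n]*)"
COMMENT_RE = {
    ".html": re.compile(r"<!--(.*?)-->", re.S),
    ".php": re.compile(_C_STYLE + r"|^[ \t]*#([^\n]*)|<!--(.*?)-->",
                       re.S | re.M),
    ".jsp": re.compile(r"<%--(.*?)--%>|" + _C_STYLE + r"|<!--(.*?)-->", re.S),
}

# Constructed stand-in for the annotation information feature library.
FEATURE_LIBRARY = [re.compile(p, re.I) for p in (
    r"web\s*shell", r"back\s*door", r"\bhacked\s+by\b", r"\bbypass\b")]

# Constructed sample files: name -> source text.
SAMPLE_FILES = {
    "index.html": "<html><!-- main navigation --><body>Home</body></html>",
    "news.php": '<?php\n// fetch the feed\n$url = "http://example.com/feed";\n'
                "/* render list */\necho $url;\n?>",
    "report.jsp": '<%-- bypass cache for admins --%>\n<% out.println("hi"); %>',
    "uploads/img_01.php": "<?php\n/* WebShell manager - hacked by example-crew */\n"
                          '// backdoor entry, bypass WAF\necho "ok";\n?>\n'
                          "<!-- webshell ui -->",
}


def extract_comments(name, source):
    """Return the comment bodies of a file, chosen by its extension."""
    pattern = COMMENT_RE.get(os.path.splitext(name)[1].lower())
    if pattern is None:          # unknown language: no extraction script
        return []
    return [next(g for g in m.groups() if g is not None).strip()
            for m in pattern.finditer(source)]


def first_weight(name, source):
    """Add 1 for every feature-library match found inside a comment."""
    return sum(len(p.findall(comment))
               for comment in extract_comments(name, source)
               for p in FEATURE_LIBRARY)


def shortlist(files, fraction=0.5):
    """Sort files by first weight (descending) and keep the top fraction."""
    ranked = sorted(((first_weight(n, s), n) for n, s in files.items()),
                    key=lambda item: (-item[0], item[1]))
    return ranked[:math.ceil(len(ranked) * fraction)]


if __name__ == "__main__":
    for weight, name in shortlist(SAMPLE_FILES):
        print(weight, name)
```

The benign JSP comment still scores 1, which is why the page treats the first weight as a ranking signal to be confirmed by other detection methods or manual verification.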
It is noted that the disclosed embodiments are intended to aid in further understanding of the invention, but those skilled in the art will appreciate that: various substitutions and modifications are possible without departing from the spirit and scope of the invention and appended claims. Therefore, the invention should not be limited to the embodiments disclosed, but the scope of the invention is defined by the appended claims.

Claims (8)

1. A webshell detection method based on graph similarity analysis, characterized by obtaining the code files in all directories of the Web server of the system to be detected, obtaining a first weight, drawing a first page relation access graph and a second page relation access graph, generating third to fifth page relation access graphs, obtaining a second weight and a third weight, and obtaining a final weight, thereby detecting the likelihood that a code file is a webshell; the method comprises the following steps:
step 1, obtaining a first weight, including:
11) establishing an annotation information feature library;
12) processing the code file to acquire annotation information;
13) matching the annotation information against the annotation information feature library, and assigning a weight according to the matching result to obtain the first weight;
step 2, drawing the first page relation access graph and the second page relation access graph, specifically by the following operations:
21) drawing the first page relation access graph according to the relevant information of the system to be detected; the first page relation access graph is a directed graph whose nodes are all the pages of the website and whose directed edges represent the access paths between pages; the relevant information of the system comprises the system's development documents, instruction manual, URL information in the markup language, and the opinions of its developers;
22) drawing the second page relation access graph according to the related log information; the nodes of the second page relation access graph are the pages accessed in a specific time period, as obtained from the related log information;
step 3, generating a third page relation access graph, a fourth page relation access graph and a fifth page relation access graph, by the following operations:
31) layering the second page relation access graph, wherein the first layer is the main page of the system to be detected, the pages in the second page relation access graph that involve database operations, file operations and user-permission operations form the second, third and fourth layers respectively, and the remaining pages form the fifth layer; the access relations between pages, that is, the directed edges, are unchanged, thereby forming the third page relation access graph;
32) pruning the first page relation access graph and the third page relation access graph: cutting off the fifth-layer nodes of the third page relation access graph together with their directed edges, thereby forming the fifth page relation access graph; and applying the same pruning method to the first page relation access graph, thereby forming the fourth page relation access graph;
step 4, acquiring a second weight and a third weight;
according to a graph similarity algorithm, respectively calculating the similarity between the first page relation access graph and the second page relation access graph and the similarity between the fourth page relation access graph and the fifth page relation access graph, and assigning corresponding weights according to the similarities to obtain the second weight and the third weight;
step 5, adding the first weight, the second weight and the third weight in weighted proportion to obtain a final weight; and detecting the code file according to the final weight and the first weight to obtain the likelihood that the code file is a webshell.
2. The webshell detection method based on graph similarity analysis as claimed in claim 1, wherein step 13) specifically uses regular-expression matching: each time a character string is matched, the weight is increased by 1, and the resulting total is used as the first weight.
3. The method of claim 1, wherein the annotation information feature library comprises the annotation information found in common viruses and Trojans; and the annotation information is acquired by writing a script suited to the programming language of the code file and extracting the annotation information with that script.
4. The method for detecting webshell based on graph similarity analysis as claimed in claim 1, wherein in step 31), pages involving database operations, file operations and user-permission operations are identified by a method of judging according to page function and a method of judging according to page code.
5. The webshell detection method based on graph similarity analysis as claimed in claim 1, wherein in step 4, the graph similarity algorithm is:
converting each page relation access graph into an n × n matrix, where n is the number of elements in the union of the node sets of the two graphs undergoing graph similarity analysis; if an edge exists between two nodes, the corresponding matrix value is 1, otherwise it is 0;
vectorizing the matrix, that is, taking the elements of the matrix in order, left to right and top to bottom, as the coordinates of a vector;
calculating the distance between the two vectors according to formula 1 to obtain the graph similarity $d_{12}$
Figure FDA0002715009500000021
where n is the dimension of the vector and is equal to n in the matrix; $X_{1k}$ and $X_{2k}$ are the coordinates of the two vectors; k is the index, taking values in (1, n); $d_{12}$ is the graph similarity;
the calculated graph similarity $d_{12}$ is used as the weight.
6. The method for detecting webshell based on graph similarity analysis according to claim 1, wherein the detection in step 5 is specifically:
calculating the final weight, wherein the calculating method specifically comprises the following steps: the final weight is 30% of the first weight, 20% of the second weight and 50% of the third weight;
setting a final weight threshold; sorting according to the final weight value, wherein the probability of webshell existence is high for code files with the final weight value above the final weight value threshold;
setting a first weight sorting threshold; and sorting the code files of all the pages according to the size of the first weight, wherein the probability that the webshell exists in the pages ranked within the sorting threshold is high.
7. The method of claim 6, wherein the code file is further verified by other detection methods or by manual verification to determine whether the code file is a webshell.
8. A webshell detection system based on graph similarity analysis and realized by the webshell detection method based on graph similarity analysis of any claim 1-7, comprising: the system comprises an annotation information extraction module, an annotation information feature library, first to fifth page relation access graph acquisition modules, a first weight acquisition module, a second weight acquisition module, a third weight acquisition module and a judgment module; wherein:
the annotation information extraction module is used for extracting annotation information of the code files in all directories of the Web server;
the annotation information feature library is used for matching the annotation information extracted by the annotation information extraction module;
the first page relation access graph acquisition module: drawing a first page relation access graph according to the system related information;
the second page relation access graph acquisition module: drawing a second page relation access graph according to the related log information;
the third page relation access graph acquisition module: layering the second page relation access graph, and drawing a third page relation access graph;
the fourth page relation access graph acquisition module: layering and pruning the first page relation access graph, and drawing a fourth page relation access graph;
the fifth page relation access graph acquisition module: pruning the third page relation access graph, and drawing a fifth page relation access graph;
the first weight acquisition module is used for performing regular-expression matching between the annotation information feature library and the annotation information extracted by the annotation information extraction module, and obtaining a first weight according to the matching result;
the second weight acquisition module is used for calculating the similarity of the first page relation access graph and the second page relation access graph according to a graph similarity algorithm and obtaining a second weight according to the calculation result;
the third weight acquisition module is used for calculating the similarity between the fourth page relation access graph and the fifth page relation access graph according to a graph similarity algorithm and obtaining a third weight according to the calculation result;
the judgment module is used for obtaining the final weight, and for judging the possibility that the code file under detection is a webshell according to the final weight and the first weight.
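The scoring and triage of claims 6 and 7, as an added example that is not code from the patent: it combines the three weights 30/20/50, then selects files above the final weight threshold or ranked within the first weight sorting threshold for further verification. Assumptions: formula 1 is taken to be the Euclidean distance (the formula image is not reproduced on the page), and all function names, file paths, vectors and weight values are constructed for illustration.

```python
import math

# Claim 6 weighting: 30% first + 20% second + 50% third weight.
W_FIRST, W_SECOND, W_THIRD = 0.30, 0.20, 0.50

def vector_distance(x1, x2):
    """d12 between two n-dimensional graph vectors.
    ASSUMPTION: Euclidean distance (formula 1 is not reproduced on the page)."""
    if len(x1) != len(x2):
        raise ValueError("graph vectors must share the same dimension n")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x1, x2)))

def final_weight(first, second, third):
    return W_FIRST * first + W_SECOND * second + W_THIRD * third

def triage(files, final_threshold, first_rank_cutoff):
    """files maps path -> (first, second, third) weights.
    Returns (paths to verify, ordered by final weight; all final weights)."""
    scored = {path: final_weight(*w) for path, w in files.items()}
    over_threshold = {p for p, s in scored.items() if s > final_threshold}
    by_first = sorted(files, key=lambda p: files[p][0], reverse=True)
    # ASSUMPTION (not in the claims): a file with no annotation match
    # (first weight 0) is not promoted by the first-weight ranking alone.
    top_first = {p for p in by_first[:first_rank_cutoff] if files[p][0] > 0}
    suspects = over_threshold | top_first
    return sorted(suspects, key=lambda p: scored[p], reverse=True), scored

# Constructed sample: paths, vectors and weight values are illustrative only.
SAMPLE_FILES = {
    "/var/www/index.php": (0.0, 0.5, 0.2),
    "/var/www/upload/img.php": (
        9.0,
        vector_distance([0, 1, 1, 0], [0, 1, 1, 2]),  # 2.0
        vector_distance([1, 0, 0], [1, 3, 4]),        # 5.0
    ),
    "/var/www/admin/login.php": (4.0, 0.0, 0.0),
    "/var/www/lib/util.php": (0.0, 0.0, 1.0),
}

if __name__ == "__main__":
    suspects, scored = triage(SAMPLE_FILES, final_threshold=2.0, first_rank_cutoff=2)
    for path in suspects:  # candidates for manual verification (claim 7)
        print(f"{scored[path]:.2f}  {path}")
```

In the sample, `login.php` stays below the final weight threshold and is selected only through the first weight ranking, which is why claim 6 keeps both checks.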
CN201810527915.6A 2018-05-29 2018-05-29 Webshell detection method and system based on graph similarity analysis Expired - Fee Related CN109067696B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810527915.6A CN109067696B (en) 2018-05-29 2018-05-29 Webshell detection method and system based on graph similarity analysis

Publications (2)

Publication Number Publication Date
CN109067696A CN109067696A (en) 2018-12-21
CN109067696B true CN109067696B (en) 2020-12-08

Family

ID=64819756

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810527915.6A Expired - Fee Related CN109067696B (en) 2018-05-29 2018-05-29 Webshell detection method and system based on graph similarity analysis

Country Status (1)

Country Link
CN (1) CN109067696B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104967616A (en) * 2015-06-05 2015-10-07 北京安普诺信息技术有限公司 WebShell file detection method in Web server
CN107241296A (en) * 2016-03-28 2017-10-10 阿里巴巴集团控股有限公司 A kind of Webshell detection method and device
CN107888571A (en) * 2017-10-26 2018-04-06 江苏省互联网行业管理服务中心 A kind of various dimensions webshell intrusion detection methods and detecting system based on HTTP daily records

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PDF file vulnerability detection; 文伟平; 王永剑; 孟正; 《清华大学学报(自然科学版)》; 20170115; full text *

Also Published As

Publication number Publication date
CN109067696A (en) 2018-12-21

Similar Documents

Publication Publication Date Title
CN102542201B (en) Detection method and system for malicious codes in web pages
US9003529B2 (en) Apparatus and method for identifying related code variants in binaries
CN104881607B (en) A kind of XSS leakage locations based on simulation browser behavior
US11263062B2 (en) API mashup exploration and recommendation
Zhu et al. Android malware detection based on multi-head squeeze-and-excitation residual network
Yandrapally et al. Near-duplicate detection in web app model inference
CN112989348B (en) Attack detection method, model training method, device, server and storage medium
Haruta et al. Visual similarity-based phishing detection scheme using image and CSS with target website finder
CN113139192B (en) Third party library security risk analysis method and system based on knowledge graph
KR101696694B1 (en) Method And Apparatus For Analysing Source Code Vulnerability By Using TraceBack
CN111460803B (en) Equipment identification method based on Web management page of industrial Internet of things equipment
CN111597422A (en) Buried point mapping method and device, computer equipment and storage medium
CN116186759A (en) Sensitive data identification and desensitization method for privacy calculation
CN101895517A (en) Method and device for extracting script semantics
US10339207B2 (en) Identifying a functional fragment of a document object model tree
CN104778232A (en) Searching result optimizing method and device based on long query
CN103838865A (en) Method and device for mining timeliness seed page
CN109067696B (en) Webshell detection method and system based on graph similarity analysis
KR102411383B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
CN115186240A (en) Social network user alignment method, device and medium based on relevance information
CN111475812B (en) Webpage backdoor detection method and system based on data executable characteristics
KR101005871B1 (en) B-Tree Index Vector Based Web-Log Restoration Method For Huge Web Log Mining And Web Attack Detection
KR100989320B1 (en) B-Tree Index Vector Based Web-Log High-Speed Search Method For Huge Web Log Mining And Web Attack Detection and B-tree based indexing log processor
Han Detection of web application attacks with request length module and regex pattern analysis
CN111191235A (en) Suspicious file analysis method and device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201208