CN104468477B - A WebShell detection method and system - Google Patents


Info

Publication number: CN104468477B
Authority: CN (China)
Prior art keywords: webshell, url, detection, remote detection, access behavior
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201310423483.1A
Other languages: Chinese (zh)
Other versions: CN104468477A (en)
Inventor: 李小龙
Current Assignee: Hangzhou DPtech Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention provides a WebShell detection method and system. The system includes a log audit module, a local detection module, a remote detection module and a result output module, and performs the following processing flow: A. collect server access logs and analyze them for URLs with suspicious access behavior; B. perform local detection and remote detection on the URLs with suspicious access behavior, in combination with a WebShell feature library; C. judge according to the detection results and, if a WebShell is found, report the WebShell path and add the path identified as a WebShell to the WebShell path library. The invention improves the detection rate and detection efficiency for WebShells in networked Web applications and reduces the false-negative rate and the false-positive rate.

Description

A WebShell detection method and system
Technical Field
The present invention relates to the field of Internet security technology, and in particular to a WebShell detection method and system.
Background
With the emergence of a series of new Internet products such as Web 2.0, social networks and microblogs, Internet applications based on the Web environment have become more and more widespread, and in the course of enterprise informatization all kinds of applications are deployed on Web platforms. The rapid development of Web services has also attracted strong interest from hackers, and Web security threats have become prominent as a result. Hackers exploit vulnerabilities in a website's operating system, SQL injection vulnerabilities in Web service programs and the like to obtain control of the Web server; at the mild end they tamper with web page content, at the serious end they steal important internal data, and more serious still they implant malicious code in web pages so that visitors to the website are harmed. This has led more and more users to pay attention to application-layer security, and attention to Web application security is gradually growing.
A hacker attacking a Web site usually goes through the following steps. The first is information gathering: finding information related to the target website. The next is vulnerability exploitation: using the collected information to find exploitable vulnerabilities, such as SQL injection vulnerabilities and file upload vulnerabilities, and then stealing data, uploading a WebShell, and so on.
Put simply, a WebShell is an ASP or PHP Trojan backdoor; it is a script attack tool for Web intrusion. After uploading a WebShell, the hacker can later manipulate the target website's server very conveniently through the WebShell, without having to repeat the process of finding and exploiting website vulnerabilities. The harm a WebShell does to a website is therefore very great. If a WebShell exists on a website, it can be said with certainty that the website has a very serious vulnerability. Discovering this promptly after the website has been attacked and applying the necessary vulnerability fixes to the target website server keeps the loss as low as possible; after-the-fact discovery and defense is also an important part of a security defense system.
In existing technical solutions, there are mainly two kinds of WebShell detection: local detection and remote detection. Local detection is typically a piece of software running on the target system that can access the website's root directory and directly performs source-code-level WebShell detection. Because existing local detection methods need to run an executable program on the target server and need permission to access and read the website root directory, this approach carries a considerable security risk and is not permitted in application scenarios with relatively strict security auditing.
The other kind, remote detection, is mainly based on web crawlers and identifies and detects WebShells by means of a path dictionary and a WebShell fingerprint feature library. Remote detection needs no extra permissions, but because WebShells are concealed and a web crawler can only fetch pages that are linked from other pages, detection based on a path dictionary is very limited. The upload path and uploaded file name of a WebShell are chosen arbitrarily by the attacker; once the attacker uses a very complex path that is not in the remote detection path dictionary, remote detection cannot detect that WebShell. Remote detection can therefore only detect relatively common WebShells.
Summary of the Invention
In view of this, the present invention provides a WebShell detection method and system. The invention does not need to run an executable program on the target server, and uses a detection approach that combines log audit with detection, which makes up for the incomplete detection of the prior art.
Specifically, the WebShell detection method of the present invention comprises the following steps:
A. Collect server access logs and analyze them for URLs with suspicious access behavior.
B. Perform local detection on the URLs with suspicious access behavior, in combination with the WebShell feature library.
C. Perform remote detection on the URLs with suspicious access behavior, in combination with the WebShell feature library.
D. Judge according to the detection results; if a WebShell is found, perform step E.
E. Report the WebShell path, and add the path identified as a WebShell to the WebShell path library.
Further, the local detection in step B includes configuring target server information and logging in to the target server remotely to perform a source-code-level WebShell check.
Further, the source-code-level WebShell check uses the local detection fingerprint library, which comes from the WebShell feature library, to check by fingerprint comparison the source code in various languages obtained from the files in the Web server root directory and the files at the URLs with suspicious access behavior.
Further, the remote detection in step C includes remote detection configuration, a web crawler, and remote detection of web page code.
Further, the web crawler takes the WebShell path library, which comes from the WebShell feature library, and the URLs with suspicious access behavior as remote detection paths, and obtains the response data for those remote detection paths.
Further, the remote detection of web page code uses the remote detection fingerprint library, which comes from the WebShell feature library, to perform WebShell detection by fingerprint comparison on the response data obtained from the remote detection paths.
Further, the URLs with suspicious access behavior in step A are URLs analyzed by URL access frequency and parameters: URLs that appear are given a suspicion level of low; URLs with the lowest access frequency are given a suspicion level of medium; URLs in which malicious content appears are given a suspicion level of high.
The present invention also provides a WebShell detection system, the system comprising:
Log audit module: used to collect server access logs and analyze them for URLs with suspicious access behavior.
Local detection module: used to perform local detection on the URLs with suspicious access behavior, in combination with the WebShell feature library.
Remote detection module: used to perform remote detection on the URLs with suspicious access behavior, in combination with the WebShell feature library.
Result output module: used to judge according to the detection results and, if a WebShell is found, to report the WebShell path and add the path identified as a WebShell to the WebShell path library.
Further, the local detection module is specifically used to configure target server information and log in to the target server remotely to perform a source-code-level WebShell check.
Further, the source-code-level WebShell check uses the local detection fingerprint library, which comes from the WebShell feature library, to check by fingerprint comparison the source code in various languages obtained from the files in the Web server root directory and the files at the URLs with suspicious access behavior.
Further, the remote detection module is specifically used for remote detection configuration, the web crawler, and remote detection of web page code.
Further, the web crawler takes the WebShell path library, which comes from the WebShell feature library, and the URLs with suspicious access behavior as remote detection paths, and obtains the response data for those remote detection paths.
Further, the remote detection of web page code uses the remote detection fingerprint library, which comes from the WebShell feature library, to perform WebShell detection by fingerprint comparison on the response data obtained from the remote detection paths.
Further, the URLs with suspicious access behavior are URLs analyzed by URL access frequency and parameters: URLs that appear are given a suspicion level of low; URLs with the lowest access frequency are given a suspicion level of medium; URLs in which malicious content appears are given a suspicion level of high.
It can thus be seen that, given the limitations of WebShell detection in the prior art, the present invention combines the URLs with suspicious access behavior with local detection and remote detection. This comprehensive WebShell detection approach further improves the accuracy of WebShell detection, improves the detection rate and detection efficiency, and reduces the false-negative rate and the false-positive rate. In addition, the local detection of the present invention is performed by remote login, which avoids the prior-art problem that local detection requires installing and running a program on the target server, and makes detection more convenient to carry out.
Brief Description of the Drawings
Fig. 1 is a flow chart of the WebShell detection method in one embodiment of the present invention;
Fig. 2 is a logical structure diagram of the WebShell detection system in one embodiment of the present invention.
Detailed Description
The technical solution of the present invention is described in further detail below with reference to Fig. 1 and Fig. 2.
The present invention presets a suspicious WebShell path library, a local detection fingerprint library and a remote detection fingerprint library as the basis for detection. The following describes, in terms of network security detection technology, how the invention carries out comprehensive WebShell detection.
Fig. 1 is a flow chart of a WebShell detection method of the present invention. In a preferred embodiment, the method is as follows:
A. Collect server access logs and analyze them for URLs with suspicious access behavior.
Specifically, the access logs produced by the Web middleware (software such as Apache, Tomcat and IIS) are obtained by logging in to the server over SSH. The access log records the URL, parameters and so on of each user access. By examining the frequency and parameters of the accessed URLs, the pages most likely to be WebShells are found; these pages are then inspected and analyzed, the website's directory structure and suspicious access behavior are analyzed, and the suspicious access behavior on the website is counted. Statistics are compiled on URL access frequency and parameters: URLs that appear are given a suspicion level of low; URLs with the lowest access frequency are given a suspicion level of medium; URLs in which malicious content appears are given a suspicion level of high.
In this embodiment the server access logs can also be obtained in various other ways, such as configuring the server to send logs by Syslog, configuring file sharing on the server, FTP upload and download, or reading the log files remotely over SSH, Telnet or by other means. Malicious content includes executable commands, SQL statements, sensitive file names and file contents, scripts, and so on.
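The log audit of step A can be sketched as follows. This is an added example, not code from the patent: the Apache "combined" log format, the constructed sample lines, the illustrative `MALICIOUS_PATTERNS`, the function names, and the rule that URLs stay at low when every URL has the same frequency are all assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample in Apache "combined" format (assumed; not from the patent).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Sep/2013:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [16/Sep/2013:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2013:10:00:09 +0800] "GET /news.php?id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2013:10:01:15 +0800] "GET /news.php?id=13 HTTP/1.1" 200 2051 "-" "Mozilla/5.0"
198.51.100.8 - - [16/Sep/2013:10:02:30 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [16/Sep/2013:10:03:02 +0800] "POST /upload/img/a1.php HTTP/1.1" 200 312 "-" "-"
198.51.100.9 - - [16/Sep/2013:10:03:40 +0800] "GET /news.php?id=1%20UNION%20SELECT%20name,pass%20FROM%20users HTTP/1.1" 200 90 "-" "-"
203.0.113.50 - - [16/Sep/2013:10:04:11 +0800] "GET /static/tmp/x.php?c=cat%20/etc/passwd HTTP/1.1" 200 911 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Illustrative patterns (assumptions) for the malicious-content categories the
# description names: executable commands, SQL statements, sensitive file
# names, scripts. A real deployment would load these from its feature library.
MALICIOUS_PATTERNS = {
    "command": re.compile(r"\b(?:whoami|ipconfig|ifconfig|net\s+user)\b|cmd\.exe", re.I),
    "sql": re.compile(r"\bunion\s+(?:all\s+)?select\b|\bor\s+1\s*=\s*1\b", re.I),
    "sensitive_file": re.compile(r"/etc/passwd|/etc/shadow|boot\.ini|\.\./", re.I),
    "script": re.compile(r"<script\b|\beval\s*\(|base64_decode\s*\(", re.I),
}


def parse_line(line):
    """Return (path, url-decoded request target) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    return urlsplit(target).path, unquote_plus(target)


def audit(lines):
    """Assign every requested URL a suspicion level: low, medium or high."""
    hits = Counter()
    reasons = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not guessed at
        path, decoded = parsed
        hits[path] += 1
        for name, pattern in MALICIOUS_PATTERNS.items():
            if pattern.search(decoded):
                reasons[path].add(name)
    if not hits:
        return {}
    lowest, highest = min(hits.values()), max(hits.values())
    findings = {}
    for path, count in hits.items():
        level = "low"  # every URL that appears starts at low
        # Lowest access frequency -> medium. Assumption: if all URLs share the
        # same frequency, none of them stands out and they stay at low.
        if count == lowest and lowest < highest:
            level = "medium"
        if reasons[path]:  # malicious content in the request -> high
            level = "high"
        findings[path] = {"level": level, "hits": count,
                          "reasons": sorted(reasons[path])}
    return findings


def detection_queue(findings):
    """URLs to hand to local and remote detection, most suspicious first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    suspicious = [p for p, f in findings.items() if f["level"] != "low"]
    return sorted(suspicious, key=lambda p: (rank[findings[p]["level"]], p))


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for url in detection_queue(result):
        print(result[url]["level"], result[url]["hits"], url, result[url]["reasons"])
```

Access logs in this format do not record POST bodies, so the parameter check only sees the query string; a script that is driven purely by POST requests surfaces through the frequency signal instead.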
B. Perform local detection and remote detection on the URLs with suspicious access behavior, in combination with the WebShell feature library.
Specifically, for local detection, the SSH remote login service is enabled and target server information is configured, such as the user access account and password and a backup website root directory; the target server is then logged in to remotely, and the local detection fingerprint library, which comes from the WebShell feature library, is used to check by fingerprint comparison the source code in various languages obtained from the files in the Web server root directory and the files at the URLs with suspicious access behavior. The purpose of the backup website root directory in the configuration information is to avoid affecting other users' access to the server. The source code in various languages includes, for example, the source code of the page scripting languages in common use at present, such as ASP (Active Server Pages), JSP (Java Server Pages) and PHP (Hypertext Preprocessor). In this embodiment, the user information that local detection needs to have configured is specified by the user according to his or her own requirements and environment; the configured user information mentioned here is not all of the user information, only part of it. SSH is a service program installed on any standard server, and can be installed by the user if the system does not have it. The local detection fingerprint library may consist of fingerprint features extracted from source code. Fingerprints include certain dangerous method calls, certain common strings, and so on.
In a preferred embodiment the remote login may be performed over SSH; of course, the remote login may also be any other remote login method that can implement the above method, such as Telnet or another remote login method. No limitation is imposed here.
Specifically, remote detection includes remote detection configuration, a web crawler, and remote detection of web page code.
The website URL is configured and a normal client is simulated to access the target website remotely. The web crawler takes the WebShell path library, which comes from the WebShell feature library, and the URLs with suspicious access behavior as remote detection paths and obtains the response data for those remote detection paths; the remote detection of web page code uses the remote detection fingerprint library, which comes from the WebShell feature library, to perform WebShell detection by fingerprint comparison on the response data obtained from the remote detection paths. Preferably, the response data is client-side web page source code, typically HTML code. The remote detection fingerprint library may consist of fingerprint features extracted from web page HTML code.
C. Judge according to the detection results; if a WebShell is found, perform step D.
D. Report the WebShell path, and add the path identified as a WebShell to the WebShell path library.
In the embodiment described above the operating system is not specifically limited; the method can be carried out under operating systems such as Windows and Linux. In addition, only part of the detection may be carried out as needed, for example only local detection together with log audit, or only remote detection together with log audit; either part can complete its corresponding WebShell detection flow.
Based on the above method, Fig. 2 shows the logical structure of the WebShell detection system of the present invention. The detection system is applied to a PC, which serves as the running carrier of the logical detection system; the hardware environment of the PC typically includes at least a CPU, memory and other hardware. The logic modules are stored in memory.
Log audit module: collects server access logs and analyzes them for URLs with suspicious access behavior. Specifically, the access logs produced by the Web middleware (software such as Apache, Tomcat and IIS) are obtained by logging in to the server over SSH; the access log records the URL, parameters and so on of each user access. Statistics are compiled on URL access frequency and parameters: URLs that appear are given a suspicion level of low; URLs with the lowest access frequency are given a suspicion level of medium; URLs in which malicious content appears are given a suspicion level of high.
Local detection module: performs local detection on the URLs with suspicious access behavior, in combination with the WebShell feature library. Specifically, it logs in to the target server remotely and uses the local detection fingerprint library, which comes from the WebShell feature library, to check by fingerprint comparison the source code in various languages obtained from the files in the Web server root directory and the files at the URLs with suspicious access behavior.
Remote detection module: performs remote detection on the URLs with suspicious access behavior, in combination with the WebShell feature library. Specifically, the website URL is configured and a normal client is simulated to access the target website remotely; the web crawler takes the WebShell path library, which comes from the WebShell feature library, and the URLs with suspicious access behavior as remote detection paths and obtains the response data for those remote detection paths; the remote detection of web page code uses the remote detection fingerprint library, which comes from the WebShell feature library, to perform WebShell detection by fingerprint comparison on the response data obtained from the remote detection paths.
Result output module: judges according to the detection results and, if a WebShell is found, reports the WebShell path and adds the path identified as a WebShell to the WebShell path library.
The above is only a preferred implementation of the present invention and is not intended to limit its scope of protection; any equivalent changes and modifications shall be included within the scope of the present invention.

Claims (10)

1. A WebShell detection method, characterized by comprising the following steps:
A. collecting server access logs and analyzing them for URLs with suspicious access behavior;
B. performing local detection on the URLs with suspicious access behavior, in combination with a WebShell feature library;
C. performing remote detection on the URLs with suspicious access behavior, in combination with the WebShell feature library;
D. judging according to the detection results and, if a WebShell is found, performing step E;
E. reporting the WebShell path, and adding the path identified as a WebShell to the WebShell path library;
wherein the local detection in step B includes configuring target server information and logging in to the target server remotely to perform a source-code-level WebShell check;
and the remote detection in step C includes remote detection configuration, a web crawler, and remote detection of web page code.
2. The method of claim 1, characterized in that the source-code-level WebShell check uses the local detection fingerprint library, which comes from the WebShell feature library, to check by fingerprint comparison the source code in various languages obtained from the files in the Web server root directory and the files at the URLs with suspicious access behavior.
3. The method of claim 1, characterized in that the web crawler takes the WebShell path library, which comes from the WebShell feature library, and the URLs with suspicious access behavior as remote detection paths, and obtains the response data for those remote detection paths.
4. The method of claim 1, characterized in that the remote detection of web page code uses the remote detection fingerprint library, which comes from the WebShell feature library, to perform WebShell detection by fingerprint comparison on the response data obtained from the remote detection paths.
5. The method of claim 1, characterized in that the URLs with suspicious access behavior in step A are URLs analyzed by URL access frequency and parameters: URLs that appear are given a suspicion level of low; URLs with the lowest access frequency are given a suspicion level of medium; URLs in which malicious content appears are given a suspicion level of high.
6. A WebShell detection system, characterized in that the system comprises:
a log audit module, used to collect server access logs and analyze them for URLs with suspicious access behavior;
a local detection module, used to perform local detection on the URLs with suspicious access behavior, in combination with a WebShell feature library;
a remote detection module, used to perform remote detection on the URLs with suspicious access behavior, in combination with the WebShell feature library;
a result output module, used to judge according to the detection results and, if a WebShell is found, to report the WebShell path and add the path identified as a WebShell to the WebShell path library;
wherein the local detection module is specifically used to configure target server information and log in to the target server remotely to perform a source-code-level WebShell check;
and the remote detection module is specifically used for remote detection configuration, the web crawler, and remote detection of web page code.
7. The system of claim 6, characterized in that the source-code-level WebShell check uses the local detection fingerprint library, which comes from the WebShell feature library, to check by fingerprint comparison the source code in various languages obtained from the files in the Web server root directory and the files at the URLs with suspicious access behavior.
8. The system of claim 6, characterized in that the web crawler takes the WebShell path library, which comes from the WebShell feature library, and the URLs with suspicious access behavior as remote detection paths, and obtains the response data for those remote detection paths.
9. The system of claim 6, characterized in that the remote detection of web page code uses the remote detection fingerprint library, which comes from the WebShell feature library, to perform WebShell detection by fingerprint comparison on the response data obtained from the remote detection paths.
10. The system of claim 6, characterized in that the URLs with suspicious access behavior are URLs analyzed by URL access frequency and parameters: URLs that appear are given a suspicion level of low; URLs with the lowest access frequency are given a suspicion level of medium; URLs in which malicious content appears are given a suspicion level of high.
CN201310423483.1A 2013-09-16 2013-09-16 A WebShell detection method and system Active CN104468477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310423483.1A CN104468477B (en) 2013-09-16 2013-09-16 A WebShell detection method and system


Publications (2)

Publication Number Publication Date
CN104468477A CN104468477A (en) 2015-03-25
CN104468477B true CN104468477B (en) 2018-04-06

Family

ID=52913859

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310423483.1A Active CN104468477B (en) 2013-09-16 2013-09-16 A WebShell detection method and system

Country Status (1)

Country Link
CN (1) CN104468477B (en)


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036871A (en) * 2012-11-19 2013-04-10 北京奇虎科技有限公司 Support device and method of application plug-in of browser
CN103065095A (en) * 2013-01-29 2013-04-24 四川大学 WEB vulnerability scanning method and vulnerability scanner based on fingerprint recognition technology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080269921A1 (en) * 2007-04-30 2008-10-30 Accenture Global Services Gmbh System and Method for Providing Support Assistance

Also Published As

Publication number Publication date
CN104468477A (en) 2015-03-25

Similar Documents

Publication Publication Date Title
CN104468477B (en) A kind of WebShell detection method and system
Zhang et al. Crawlphish: Large-scale analysis of client-side cloaking techniques in phishing
Liu et al. A novel approach for detecting browser-based silent miner
CN102104601B (en) Web vulnerability scanning method and device based on infiltration technology
Alosefer et al. Honeyware: a web-based low interaction client honeypot
US9681304B2 (en) Network and data security testing with mobile devices
KR100894331B1 (en) Anomaly Detection System and Method of Web Application Attacks using Web Log Correlation
CN105491053A (en) Web malicious code detection method and system
CN103279710B (en) Method and system for detecting malicious codes of Internet information system
CN104967628B (en) A kind of decoy method of protection web applications safety
Sagar et al. Studying open source vulnerability scanners for vulnerabilities in web applications
RU2762528C1 (en) Method for processing information security events prior to transmission for analysis
Dalai et al. Neutralizing SQL injection attack using server side code modification in web applications
Nagpal et al. SECSIX: security engine for CSRF, SQL injection and XSS attacks
Gupta et al. CSSXC: Context-sensitive sanitization framework for Web applications against XSS vulnerabilities in cloud environments
Djanali et al. SQL injection detection and prevention system with raspberry Pi honeypot cluster for trapping attacker
Long et al. An efficient algorithm and tool for detecting dangerous website vulnerabilities
Nursetyo et al. Website and network security techniques against brute force attacks using honeypot
Roopak et al. On effectiveness of source code and SSL based features for phishing website detection
JP6527111B2 (en) Analysis device, analysis method and analysis program
Gupta et al. System cum program-wide lightweight malicious program execution detection scheme for cloud
Gurjar et al. WebSecAsst-A machine learning based Chrome extension
Hao et al. JavaScript malicious codes analysis based on naive bayes classification
Welch et al. Two-stage classification model to detect malicious web pages
Doshi et al. SQL FILTER–SQL Injection prevention and logging using dynamic network filter

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210624

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 310051, 6 floor, Chung Cai mansion, 68 Tong he road, Binjiang District, Hangzhou, Zhejiang.

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.