CN105100065A - Cloud-based webshell attack detection method, cloud-based webshell attack detection device and gateway - Google Patents


Info

Publication number: CN105100065A
Authority: CN (China)
Legal status: Granted
Application number: CN201510363767.5A
Other languages: Chinese (zh)
Other versions: CN105100065B (en)
Inventors: 田进山, 姚熙, 李纪峰
Current assignee: Qax Technology Group Inc
Original assignee: Beijing Qihoo Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN201510363767.5A; publication of CN105100065A; application granted; publication of CN105100065B; legal status: Active

Classifications

    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 ... for detecting or protecting against malicious traffic
    • H04L63/1408 ... by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention discloses a cloud-based webshell attack detection method, a cloud-based webshell attack detection device and a gateway, relating to the technical field of the Internet. They can solve the problem that deformed webshell attacks are difficult to identify in the prior art. The method disclosed by the invention comprises the following steps: intercepting a script file sent to a website server; detecting, on the basis of a cloud platform, whether a preset feature deformation mark exists in the script file, wherein the feature deformation mark is a mark generated by changing the form of a feature sentence in the script file; restoring the changed feature sentence according to a preset restoration rule if the feature deformation mark exists in the script file, wherein the restoration rule is the inverse of a feature deformation rule; detecting whether the restored feature sentence is the same as a preset basic feature sentence, wherein the basic feature sentence is an attack-sensitive sentence; and determining that the script file is a webshell attack file if the restored feature sentence is the same as the basic feature sentence. The method, device and gateway disclosed by the invention are applicable to the scenario in which a hacker sends a webshell attack file to the website server.

Description

Cloud-based webshell attack detection method, device and gateway

Technical field

The present invention relates to the field of Internet technology, and in particular to a cloud-based webshell attack detection method, device and gateway.

Background

A webshell is a command execution environment that exists in the form of a web page file such as asp (Active Server Pages), php (Hypertext Preprocessor), jsp (Java Server Pages) or cgi (Common Gateway Interface). Because a webshell is a web backdoor, it has become a script attack tool for hackers who break into website servers. In practice, after breaking into a website, a hacker usually mixes these asp, php or similar backdoor files with the normal web page files in the web directory of the website server, and then accesses the backdoor files through a browser, thereby controlling the website server.

Protecting against webshell attacks is therefore very important for website security. In existing webshell attack detection techniques, after the gateway obtains a script file sent from outside to the website server, it determines whether a webshell attack is present by detecting whether basic attack features exist in the script file. However, to avoid their webshell attacks being detected, hackers have written many webshell attack methods with deformed features. For example, other non-letter symbols such as "%" and "*" are inserted into certain feature strings so that the feature string becomes a new, custom string. In this case, because the basic attack features of the webshell attack have been scrambled, it is hard to detect the attack from the basic attack features, and so detecting webshell attacks has become a major problem today.

Summary of the invention

In view of this, the present invention provides a cloud-based webshell attack detection method, device and gateway that can solve the problem in the prior art that deformed webshell attacks are difficult to identify.

In a first aspect, the present invention provides a cloud-based webshell attack detection method, the method comprising:

intercepting a script file sent to a website server;

detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file, the feature deformation trace being a trace produced by modifying the form of a feature statement in the script file;

if the feature deformation trace exists in the script file, restoring the modified feature statement according to a preset restoration rule, the restoration rule being the inverse of a feature deformation rule;

detecting whether the restored feature statement is the same as a preset basic feature statement, the basic feature statement being an attack-sensitive statement; and

if the restored feature statement is the same as the basic feature statement, determining that the script file is a webshell attack file.

In a second aspect, the present invention provides a cloud-based webshell attack detection device, the device comprising:

an intercepting unit, configured to intercept a script file sent to a website server;

a detection unit, configured to detect, based on a cloud platform, whether a preset feature deformation trace exists in the script file intercepted by the intercepting unit, the feature deformation trace being a trace produced by modifying the form of a feature statement in the script file;

a restoration unit, configured to restore the modified feature statement according to a preset restoration rule when the detection unit detects that the feature deformation trace exists in the script file, the restoration rule being the inverse of a feature deformation rule;

the detection unit being further configured to detect whether the feature statement restored by the restoration unit is the same as a preset basic feature statement, the basic feature statement being an attack-sensitive statement; and

a determination unit, configured to determine that the script file is a webshell attack file when the detection unit detects that the restored feature statement is the same as the basic feature statement.

In a third aspect, the present invention provides a cloud-based webshell attack detection gateway, the gateway comprising the device of the second aspect.

By means of the above technical solution, the cloud-based webshell attack detection method, device and gateway provided by the present invention can intercept a script file when it is sent from outside to the website server, first detect feature deformation traces in the script file based on the cloud platform, then restore the modified feature statement, and finally compare the restored feature statement with the basic feature statement; if they are the same, the script file is judged to be a webshell attack file. Compared with prior-art detection methods that only check for basic feature statements, the present invention first restores the modified feature statement so that the scrambled feature statement is returned to its original form, and then compares it with the basic feature statement, so that a basic feature statement hidden in the script file is detected and the script file is thereby determined to be a webshell attack file.

The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the description, and in order to make the above and other objects, features and advantages of the present invention more apparent and understandable, specific embodiments of the present invention are set out below.

Brief description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

Fig. 1 shows a flow chart of a cloud-based webshell attack detection method provided by an embodiment of the present invention;

Fig. 2 shows a block diagram of a cloud-based webshell attack detection device provided by an embodiment of the present invention;

Fig. 3 shows a block diagram of another cloud-based webshell attack detection device provided by an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.

An embodiment of the present invention provides a cloud-based webshell attack detection method which, as shown in Fig. 1, comprises:

101. Intercept a script file sent to the website server.

When an external party (including ordinary users, hackers, etc.) sends a script file to the website server, the file must pass through the gateway. When the script file reaches the gateway, the gateway can therefore intercept it in order to check its security, ensuring that the script files that reach the website server side are safe.

It should be noted that the above script file may be an asp (Active Server Pages) file, a php (Hypertext Preprocessor) file, a jsp (Java Server Pages) file, a cgi (Common Gateway Interface) file, or a web page file in another format.

102. Detect, based on the cloud platform, whether a preset feature deformation trace exists in the script file.

Here, a feature deformation trace is a trace produced by modifying the form of a feature statement in the script file. A feature statement may be a statement at a typical position, such as a statement containing a function call, a statement with other characteristics, or, more generally, any executable code statement.

Specifically, the feature deformation trace may be one or any combination of the following: a comment statement, a variable assignment character, a preset feature character and a preset feature function name. If the feature deformation trace includes only one item (for example only the preset feature function name), the gateway checks the script file for that item only; if it includes at least two items, the gateway checks the script file for each item separately. In practice, the gateway may check the script file for every item of the feature deformation trace in turn, according to a preset detection order, or it may check for all items at the same time.

It should be noted that "based on the cloud platform" in this step mainly means that the gateway must first obtain the latest feature deformation traces, restoration rules and basic feature statements from the cloud platform side before it can check the script file. The latest feature deformation traces, restoration rules and basic feature statements may be obtained directly from the cloud platform, or the local copies may be updated through the cloud platform; the specific way they are obtained is not limited here.

103. If a feature deformation trace exists in the script file, restore the modified feature statement according to the preset restoration rule.

Here, the restoration rule is the inverse of the feature deformation rule. When the gateway detects a feature deformation trace in the script file, this indicates that the feature statement has been modified according to a preset feature deformation rule. The gateway can then restore the modified feature statement by applying the inverse of that feature deformation rule (the restoration rule), obtaining the original feature statement (as it was before modification) for use in the subsequent steps 104 and 105.

For example, the gateway detects the statement “e/*aaaa*/val($_POST['a']);”. By matching it against the preset feature deformation traces, it finds that the statement contains one kind of feature deformation trace, namely a comment statement. The feature deformation rule here is to insert a comment statement into the statement, so the inverse rule (restoration rule) is to delete the inserted comment statement.

104. Detect whether the restored feature statement is the same as the preset basic feature statement.

Here, a basic feature statement is an attack-sensitive statement, i.e. a statement compiled by programmers from which the presence of a webshell attack feature can be directly determined. After the modified feature statement has been restored using the restoration rule, the original feature statement is obtained; the gateway then compares it with the basic feature statements and can judge whether the restored feature statement is a preset basic feature statement, and hence whether the script file is a webshell attack file.

105. If the restored feature statement is the same as the basic feature statement, determine that the script file is a webshell attack file.

Since the basic feature statement is an attack-sensitive statement, when the gateway detects that the restored feature statement is the same as the basic feature statement, it can determine that the restored feature statement is attack-sensitive, i.e. that an attack-sensitive statement exists in the script file, and hence that the script file is a webshell attack file. Conversely, when the gateway detects that the restored feature statement differs from the basic feature statement, it can determine that the restored feature statement is not attack-sensitive, i.e. that no attack-sensitive statement exists in the script file, and hence that the script file is not a webshell attack file.

By way of example, the gateway detects two kinds of feature deformation trace in “eval($/*xyz*/{"_P"."OST"}['op']);”, namely a comment statement and preset feature characters, so the gateway must restore the statement according to the restoration rule for each corresponding feature deformation trace. In practice the restoration rule for both comment statements and preset feature characters is a deletion, so after the comment statement and the preset feature characters have been deleted the restored feature statement is “eval($_POST['op']);”. Comparing this feature statement with the basic feature statements determines whether the script file is a webshell attack file. If the basic feature statements include “eval($_POST['op']);”, the restored feature statement is the same as a basic feature statement and the script file is a webshell attack file; if they do not, the restored feature statement differs from the basic feature statements and the other feature statements in the script file must still be examined before it can be determined whether the script file is a webshell attack file.

It should be noted that in practice the gateway forwards an intercepted script file to the website server only once it has determined that the file is not a webshell attack file; when the script file is a webshell attack file it is not uploaded to the website server, which ensures that the script files uploaded to the website server are safe.

The cloud-based webshell attack detection method provided by the embodiment of the present invention can intercept a script file when it is sent from outside to the website server, first detect feature deformation traces in the script file based on the cloud platform, then restore the modified feature statement, and finally compare the restored feature statement with the basic feature statement; if they are the same, the script file is judged to be a webshell attack file. Compared with prior-art detection methods that only check for basic feature statements, the present invention first restores the modified feature statement so that the scrambled feature statement is returned to its original form, and then compares it with the basic feature statement, so that a basic feature statement hidden in the script file is detected and the script file is thereby determined to be a webshell attack file.

Further, it follows from the above method embodiment that when the preset feature deformation trace contains only one kind of feature deformation trace, the gateway only detects whether that trace exists in the script file; when it includes several kinds, the gateway detects whether the several kinds exist in the script file either simultaneously or one after another in order. Once a feature deformation trace has been detected, the modified feature statement must be restored; however, different types of feature deformation trace have different restoration methods, which are described below case by case:

Case one: when the feature deformation trace includes a comment statement, the gateway detects, based on the cloud platform, whether a comment statement exists in the script file. If a comment statement exists in the script file, it is deleted; if none exists, no comment deletion is needed.

Because comment statements take no part in the execution of the program, inserting a comment statement into a feature statement does not affect the function of that feature statement. When the feature statement is a basic feature statement, the script file is a webshell attack file. Once a comment statement has been inserted into the feature statement, however, the modified feature statement no longer matches the basic feature statement, so the inserted comment statement must be deleted to recover the original feature statement. This allows statements that are essentially the same as a basic feature statement to be detected more precisely and avoids webshell attack files being missed.

In practice, comment statements are detected mainly by detecting comment markers, for example "//", "/*" and "*/". For example, when the gateway detects that the feature statement “eva/*xxxxx*/l($_POST['a']);” contains the "/*" and "*/" comment markers, it deletes the comment statement carried between the markers and obtains the statement as it was before the comment was inserted, namely “eval($_POST['a']);”. Having obtained the feature statement as it was before modification, the gateway compares it with the basic feature statements. If the basic feature statements include “eval($_POST['a']);”, the restored feature statement is the same as a basic feature statement and the script file is a webshell attack file; if they do not, the restored feature statement differs from the basic feature statements and the other feature statements in the script file must still be examined before it can be determined whether the script file is a webshell attack file.

Case two: when the feature deformation trace includes a variable assignment character, the gateway detects, based on the cloud platform, whether a variable assignment character exists in the script file. If one exists, the assigned variable is restored; if none exists, no variable restoration is needed.

In practice, programmers often assign values to the variables in a feature statement, i.e. replace an old variable with a new one, so that the form of the feature statement changes while its actual function stays the same. In this case, merely comparing the feature statement after variable assignment with the basic feature statement cannot detect the hidden webshell attack feature. The gateway therefore first has to restore the assigned variables to obtain the original feature statement before it can accurately judge whether that feature statement is a basic feature statement and thus correctly judge whether the script file is a webshell attack file.

Specifically, the variable assignment characters mainly comprise the variable assignment identifier "=", and may also include other characters with an assignment function, which are not limited here.

例如,脚本文件中有如下代码:For example, the script file has the following code:

$aaa=e;$aaa=e;

$bbb=v;$bbb = v;

$ccc=a;$ccc = a;

$ddd=l;$ddd = l;

$xsser=$_POST[‘op’];$xsser = $_POST['op'];

“$aaa”.“$bbb”.“$ccc”.“$ddd”($xsser);"$aaa"."$bbb"."$ccc"."$ddd"($xsser);

The gateway detects the variable assignment character ("=") in the above code, and detects that $aaa, $bbb, $ccc, $ddd and $xsser in the statement ""$aaa"."$bbb"."$ccc"."$ddd"($xsser);" are new variables assigned the values e, v, a, l and $_POST['op'] respectively, so the gateway needs to restore these new variables to their original values. The restored code becomes "eval($_POST['op']);", and this feature statement is then compared with the basic feature statements. If the basic feature statements contain "eval($_POST['op']);", the script file is a webshell attack file; if they do not, the other feature statements in the script file must be examined before it can be determined whether the script file is a webshell attack file.

Case 3: When the feature deformation traces include preset feature characters, the gateway, based on the cloud platform, detects whether the preset feature characters are present in the script file. If they are present, the preset feature characters are deleted; if they are not, no deletion is needed.

In practice, attackers often break up a complete function name or variable name by inserting characters such as concatenation operators into a feature statement, so that the webshell attack characteristics present in the statement cannot be detected by the basic feature statements alone. A feature statement containing preset feature characters therefore needs to be restored before it can be determined whether it contains webshell attack characteristics, and hence whether the script file is a webshell attack file.

For example, the gateway detects that ""e"."v"."a"."l"($_POST['a']);" contains the concatenation characters double quote and dot, so after the double quotes and dots are deleted from the feature statement, the original statement "eval($_POST['a']);" is obtained. "eval($_POST['a']);" is then compared with the basic feature statements: if they contain "eval($_POST['a']);", the script file is a webshell attack file; if they do not, the other feature statements in the script file must be examined before it can be determined whether the script file is a webshell attack file.

Case 4: When the feature deformation traces include a preset feature function name, the gateway, based on the cloud platform, detects whether the preset feature function name is present in the script file. If it is present, the statement corresponding to the feature function is restored by applying the inverse of the feature function's effect; if it is not, no restoration of the feature function is needed.

In practice, attackers often use certain special functions to transform a feature statement so that its function is unchanged, and detection by basic feature statements alone usually cannot expose the hidden webshell attack characteristics. The gateway therefore first needs to restore a feature statement that has been altered by a feature function before it can detect the hidden webshell attack characteristics more precisely and so complete the identification of the webshell attack file.

Specifically, the preset feature function names include str_replace, preg_replace, pack, chr, base64_decode, strrev, str_rot13, rot_13, create_function, urldecode, strtr, gzuncompress, gzinflate, gzdecode and the like. The feature function corresponding to each feature function name has a defined effect, so by applying the inverse of that effect the gateway can restore the altered feature statement and obtain the original feature statement for the subsequent basic feature statement check.

For example, the script file contains the following code:

$abcd=str_replace("abc","eva","abcl");

$abcd($_POST['a']);

The gateway detects that str_replace is present in the above code; in this statement, str_replace replaces abc in abcl with eva, so "$abcd($_POST['a']);" is in fact "eval($_POST['a']);". It follows that the inverse of the str_replace function's effect must be used to restore "$abcd($_POST['a']);" to "eval($_POST['a']);", which is then compared with the basic feature statements. If the basic feature statements include "eval($_POST['a']);", the script file is a webshell attack file; if they do not, the script file cannot be determined to be a webshell attack file from the above code alone.

As another example, the script file contains the following code:

$xxyz=strtr("exyz","xyz","val");

$xxyz($_POST['a']);

The gateway detects that strtr is present in the above code; in this statement, strtr replaces x, y and z in exyz with v, a and l respectively, so "$xxyz($_POST['a']);" is in fact "eval($_POST['a']);". It follows that the inverse of the strtr function's effect must be used to restore "$xxyz($_POST['a']);" to "eval($_POST['a']);", which is then compared with the basic feature statements. If the basic feature statements include "eval($_POST['a']);", the script file is a webshell attack file; if they do not, the script file cannot be determined to be a webshell attack file from the above code alone.
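As an added example that is not code from the patent, the following Python module carries the four restoration steps (comment deletion, variable restoration, concatenation-character deletion, and evaluation of preset feature functions on literal arguments) through the patent's own sample statements and then matches the restored statement against a basic feature statement. The regex form of the basic feature statement, the function names and the sample scripts are assumptions of this example.

```python
import base64
import re

# Case 1 trace: comment statements. A '#' or '//' inside a string literal is
# also treated as a comment, which is acceptable for signature matching.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Case 3 trace: fragments spliced with double quotes and dots, "e"."v"."a"."l".
CONCAT_RE = re.compile(r'"([^"]*)"\s*\.\s*"([^"]*)"')
CALLABLE_STRING_RE = re.compile(r'"([A-Za-z_]\w*)"\s*\(')
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=(?!=)\s*(.+)", re.S)  # case 2: "="
LITERAL_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([A-Za-z_]\w*)')
CALL_RE = re.compile(r"(\w+)\s*\((.*)\)", re.S)

# Case 4 trace: preset feature functions. Evaluating the call on its literal
# arguments recovers the string it was hiding (the "inverse of the effect").
TRANSFORMS = {
    "str_replace": lambda a: a[2].replace(a[0], a[1]),
    "strtr": lambda a: a[0].translate(str.maketrans(a[1], a[2])),
    "strrev": lambda a: a[0][::-1],
    "base64_decode": lambda a: base64.b64decode(a[0]).decode(),
}

# Basic feature statements (attack-sensitive statements). Matching a regex is
# an assumption of this example; the patent compares with preset statements.
BASE_FEATURE_PATTERNS = [re.compile(r"eval\(\$_(POST|GET|REQUEST)\[.*\]\);")]

def strip_comments(src):
    """Case 1 restoration: delete comment statements."""
    return COMMENT_RE.sub("", src)

def literal(tok):
    """Value of a single PHP string literal or bareword, else None."""
    m = LITERAL_RE.fullmatch(tok.strip())
    return None if m is None else next(g for g in m.groups() if g is not None)

def strip_concat(stmt):
    """Case 3 restoration: merge "x"."y" chains, then unwrap "name"( to name(."""
    prev = None
    while prev != stmt:
        prev = stmt
        stmt = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), stmt)
    return CALLABLE_STRING_RE.sub(r"\1(", stmt)

def substitute(stmt, env):
    """Case 2 restoration: put each assigned variable's original value back."""
    for name, value in env.items():
        stmt = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: v, stmt)
    return stmt

def eval_transform(expr):
    """Case 4 restoration: evaluate a preset feature function on literal args."""
    m = CALL_RE.fullmatch(expr.strip())
    if m is None or m.group(1) not in TRANSFORMS:
        return None
    args = [literal(a) for a in m.group(2).split(",")]
    if any(a is None for a in args):
        return None
    try:
        return TRANSFORMS[m.group(1)](args)
    except (ValueError, IndexError):
        return None

def detect(script, patterns=BASE_FEATURE_PATTERNS):
    """Restore each statement in turn; return those equal to a basic feature
    statement. Statements are split on ';' (a ';' inside a string is not handled)."""
    env, hits = {}, []
    for raw in strip_comments(script).split(";"):
        stmt = " ".join(raw.split())
        if not stmt:
            continue
        m = ASSIGN_RE.fullmatch(stmt)
        if m:
            rhs = strip_concat(substitute(m.group(2), env))
            value = eval_transform(rhs)
            if value is None:
                value = literal(rhs)
            # A non-literal right-hand side such as $_POST['op'] is kept as text.
            env[m.group(1)] = rhs if value is None else value
            continue
        restored = strip_concat(substitute(stmt, env)) + ";"
        if any(p.fullmatch(restored) for p in patterns):
            hits.append(restored)
    return hits

# Constructed sample scripts following the patent's own examples.
SAMPLES = {
    "case1_comment": '$f = "ev"/* split */."al";\n$f($_POST[\'a\']);\n',
    "case2_variables": "$aaa=e;\n$bbb=v;\n$ccc=a;\n$ddd=l;\n$xsser=$_POST['op'];\n"
    '"$aaa"."$bbb"."$ccc"."$ddd"($xsser);\n',
    "case3_concat": '"e"."v"."a"."l"($_POST[\'a\']);\n',
    "case4_str_replace": '$abcd=str_replace("abc","eva","abcl");\n$abcd($_POST[\'a\']);\n',
    "case4_strtr": '$xxyz=strtr("exyz","xyz","val");\n$xxyz($_POST[\'a\']);\n',
    "benign": '$name = "world"; // greeting\necho "Hello ".$name;\n',
}

if __name__ == "__main__":
    for label, script in SAMPLES.items():
        print(label, "->", detect(script) or "no basic feature statement")
```

Each of the four obfuscated samples restores to the same basic feature statement, while the benign script produces no match; a statement that restores to nothing in the basic set is left for the remaining feature statements to decide, as the text above describes.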

Furthermore, before detecting whether preset feature deformation traces are present in the script file, the gateway side first needs to obtain the feature deformation traces, the restoration rules and the basic feature statements; only then can the subsequent detection and restoration operations be carried out.

Specifically, because the cloud platform side stores the webshell attack files that have appeared on different websites, it holds the most complete set of feature deformation traces, restoration rules and basic feature statements relating to webshell attacks. The gateway can therefore obtain the latest feature deformation traces, restoration rules and basic feature statements from the cloud platform side.

Specifically, if the gateway does not hold feature deformation traces, restoration rules and basic feature statements locally, it can, before checking the script file for feature deformation traces, obtain from the cloud platform side a file carrying the latest feature deformation traces, restoration rules and basic feature statements; if the gateway does hold them locally, it can update the local feature deformation traces, restoration rules and basic feature statements directly through the cloud platform, for example by obtaining an update package from the cloud platform.

In addition, in practice, after the gateway intercepts the script file it can report the script file directly to the cloud platform, have the cloud platform examine the script file with the detection method described above, and receive the detection result from the cloud platform, so that the gateway can decide whether the script file may be forwarded to the website server.

Furthermore, because the cloud platform side needs to continually update and improve its local files of feature deformation traces, restoration rules and basic feature statements, after the gateway determines that a script file is a webshell attack file it needs to report the detected webshell script file to the cloud platform, so that the cloud platform can update those files.

Furthermore, in accordance with the above method embodiment, an embodiment of the present invention also provides a cloud-based webshell attack detection device. As shown in Figure 2, the device includes an interception unit 21, a detection unit 22, a restoration unit 23 and a determination unit 24, where:

the interception unit 21 is configured to intercept a script file sent to the website server;

the detection unit 22 is configured to detect, based on the cloud platform, whether preset feature deformation traces are present in the script file intercepted by the interception unit 21, the feature deformation traces being traces produced by altering the form of feature statements in the script file;

the restoration unit 23 is configured to restore the altered feature statement according to preset restoration rules when the detection unit 22 detects feature deformation traces in the script file, the restoration rules being the inverse of the feature deformation rules;

the detection unit 22 is further configured to detect whether the feature statement restored by the restoration unit 23 is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;

the determination unit 24 is configured to determine that the script file is a webshell attack file when the detection unit 22 detects that the restored feature statement is identical to the basic feature statement.

Furthermore, the feature deformation traces detected by the detection unit 22 are one or any combination of the following:

comment statements, variable assignment characters, preset feature characters and preset feature function names.

Specifically, as shown in Figure 3, the detection unit 22 includes:

a first detection module 221, configured to detect, based on the cloud platform, whether comment statements are present in the script file when the feature deformation traces include comment statements;

and the restoration unit 23 includes:

a first deletion module 231, configured to delete the comment statements when comment statements are present in the script file.

Furthermore, as shown in Figure 3, the detection unit 22 includes:

a second detection module 222, configured to detect, based on the cloud platform, whether variable assignment characters are present in the script file when the feature deformation traces include variable assignment characters;

and the restoration unit 23 includes:

a first restoration module 232, configured to restore the assigned variables when variable assignment characters are present in the script file.

Furthermore, as shown in Figure 3, the detection unit 22 includes:

a third detection module 223, configured to detect, based on the cloud platform, whether preset feature characters are present in the script file when the feature deformation traces include preset feature characters;

and the restoration unit 23 includes:

a second deletion module 233, configured to delete the preset feature characters when preset feature characters are present in the script file.

Furthermore, as shown in Figure 3, the detection unit 22 includes:

a fourth detection module 224, configured to detect, based on the cloud platform, whether a preset feature function name is present in the script file when the feature deformation traces include a preset feature function name;

and the restoration unit 23 includes:

a second restoration module 234, configured to restore the statement corresponding to the feature function by applying the inverse of the feature function's effect when a preset feature function name is present in the script file.

Furthermore, as shown in Figure 3, the device further includes:

an acquisition unit 25, configured to obtain the feature deformation traces, the restoration rules and the basic feature statements from the cloud platform before the detection unit 22 detects whether preset feature deformation traces are present in the script file;

an update unit 26, configured to update the locally cached feature deformation traces, restoration rules and basic feature statements through the cloud platform before the detection unit 22 detects whether preset feature deformation traces are present in the script file.

Furthermore, as shown in Figure 3, the device further includes:

a reporting unit 27, configured to report the script file to the cloud platform after the determination unit 24 determines that the script file is a webshell attack file.

The cloud-based webshell attack detection device provided by the embodiment of the present invention can intercept a script file when it is sent from outside to the website server, first check the script file for feature deformation traces based on the cloud platform, then restore the altered feature statements, and finally compare the restored feature statements with the basic feature statements; if they are identical, the script file is determined to be a webshell attack file. Compared with the prior-art method that only checks basic feature statements, the present invention first restores the altered feature statements, so that scrambled feature statements are returned to their original form, and then compares them with the basic feature statements, so that basic feature statements hidden in the script file are detected and the script file is determined to be a webshell attack file.

Furthermore, in accordance with the above device embodiment, an embodiment of the present invention also provides a cloud-based webshell attack detection gateway, which includes the device shown in Figure 2 or Figure 3.

The cloud-based webshell attack detection gateway provided by the embodiment of the present invention can intercept a script file when it is sent from outside to the website server, first check the script file for feature deformation traces based on the cloud platform, then restore the altered feature statements, and finally compare the restored feature statements with the basic feature statements; if they are identical, the script file is determined to be a webshell attack file. Compared with the prior-art method that only checks basic feature statements, the present invention first restores the altered feature statements, so that scrambled feature statements are returned to their original form, and then compares them with the basic feature statements, so that basic feature statements hidden in the script file are detected and the script file is determined to be a webshell attack file.

Embodiments of the present invention disclose:

A1. A cloud-based webshell attack detection method, the method comprising:

intercepting a script file sent to a website server;

detecting, based on a cloud platform, whether preset feature deformation traces are present in the script file, the feature deformation traces being traces produced by altering the form of feature statements in the script file;

if the feature deformation traces are present in the script file, restoring the altered feature statement according to preset restoration rules, the restoration rules being the inverse of the feature deformation rules;

detecting whether the restored feature statement is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;

if the restored feature statement is identical to the basic feature statement, determining that the script file is a webshell attack file.

A2. The method according to A1, wherein the feature deformation traces are one or any combination of the following:

comment statements, variable assignment characters, preset feature characters and preset feature function names.

A3. The method according to A2, wherein, if the feature deformation traces include comment statements, the detecting, based on the cloud platform, whether preset feature deformation traces are present in the script file comprises:

detecting, based on the cloud platform, whether the comment statements are present in the script file;

and the restoring the altered feature statement according to preset restoration rules if the feature deformation traces are present in the script file comprises:

if the comment statements are present in the script file, deleting the comment statements.

A4. The method according to A2, wherein, if the feature deformation traces include variable assignment characters, the detecting, based on the cloud platform, whether preset feature deformation traces are present in the script file comprises:

detecting, based on the cloud platform, whether the variable assignment characters are present in the script file;

and the restoring the altered feature statement according to preset restoration rules if the feature deformation traces are present in the script file comprises:

if the variable assignment characters are present in the script file, restoring the assigned variables.

A5. The method according to A2, wherein, if the feature deformation traces include preset feature characters, the detecting, based on the cloud platform, whether preset feature deformation traces are present in the script file comprises:

detecting, based on the cloud platform, whether the preset feature characters are present in the script file;

and the restoring the altered feature statement according to preset restoration rules if the feature deformation traces are present in the script file comprises:

if the preset feature characters are present in the script file, deleting the preset feature characters.

A6. The method according to A2, wherein, if the feature deformation traces include a preset feature function name, the detecting, based on the cloud platform, whether preset feature deformation traces are present in the script file comprises:

detecting, based on the cloud platform, whether the preset feature function name is present in the script file;

and the restoring the altered feature statement according to preset restoration rules if the feature deformation traces are present in the script file comprises:

if the preset feature function name is present in the script file, restoring the statement corresponding to the feature function by applying the inverse of the feature function's effect.

A7. The method according to any one of A1 to A6, wherein, before the detecting whether preset feature deformation traces are present in the script file, the method further comprises:

obtaining the feature deformation traces, the restoration rules and the basic feature statements from the cloud platform;

or updating the locally cached feature deformation traces, restoration rules and basic feature statements through the cloud platform.

A8. The method according to any one of A1 to A6, wherein, after the determining that the script file is a webshell attack file, the method further comprises:

reporting the script file to the cloud platform.

B9. A cloud-based webshell attack detection device, the device comprising:

an interception unit, configured to intercept a script file sent to a website server;

a detection unit, configured to detect, based on a cloud platform, whether preset feature deformation traces are present in the script file intercepted by the interception unit, the feature deformation traces being traces produced by altering the form of feature statements in the script file;

a restoration unit, configured to restore the altered feature statement according to preset restoration rules when the detection unit detects that the feature deformation traces are present in the script file, the restoration rules being the inverse of the feature deformation rules;

the detection unit being further configured to detect whether the feature statement restored by the restoration unit is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;

a determination unit, configured to determine that the script file is a webshell attack file when the detection unit detects that the restored feature statement is identical to the basic feature statement.

B10. The device according to B9, wherein the feature deformation traces detected by the detection unit are one or any combination of the following:

comment statements, variable assignment characters, preset feature characters and preset feature function names.

B11. The device according to B10, wherein the detection unit comprises: a first detection module, configured to detect, based on the cloud platform, whether the comment statements are present in the script file when the feature deformation traces include comment statements;

and the restoration unit comprises:

a first deletion module, configured to delete the comment statements when the comment statements are present in the script file.

B12. The device according to B10, wherein the detection unit comprises:

a second detection module, configured to detect, based on the cloud platform, whether the variable assignment characters are present in the script file when the feature deformation traces include variable assignment characters;

and the restoration unit comprises:

a first restoration module, configured to restore the assigned variables when the variable assignment characters are present in the script file.

B13. The device according to B10, wherein the detection unit comprises:

a third detection module, configured to detect, based on the cloud platform, whether the preset feature characters are present in the script file when the feature deformation traces include preset feature characters;

and the restoration unit comprises:

a second deletion module, configured to delete the preset feature characters when the preset feature characters are present in the script file.

B14. The device according to B10, wherein the detection unit comprises:

a fourth detection module, configured to detect, based on the cloud platform, whether the preset feature function name is present in the script file when the feature deformation traces include a preset feature function name;

and the restoration unit comprises:

a second restoration module, configured to restore the statement corresponding to the feature function by applying the inverse of the feature function's effect when the preset feature function name is present in the script file.

B15. The device according to any one of B9 to B14, the device further comprising:

an acquisition unit, configured to obtain the feature deformation traces, the restoration rules and the basic feature statements from the cloud platform before the detection unit detects whether preset feature deformation traces are present in the script file;

an update unit, configured to update the locally cached feature deformation traces, restoration rules and basic feature statements through the cloud platform before the detection unit detects whether preset feature deformation traces are present in the script file.

B16. The device according to any one of B9 to B14, the device further comprising:

a reporting unit, configured to report the script file to the cloud platform after the determination unit determines that the script file is a webshell attack file.

C17. A cloud-based webshell attack detection gateway, the gateway comprising the device according to any one of B9 to B16.

在上述实施例中,对各个实施例的描述都各有侧重,某个实施例中没有详述的部分,可以参见其他实施例的相关描述。In the foregoing embodiments, the descriptions of each embodiment have their own emphases, and for parts not described in detail in a certain embodiment, reference may be made to relevant descriptions of other embodiments.

可以理解的是,上述方法及装置中的相关特征可以相互参考。另外,上述实施例中的“第一”、“第二”等是用于区分各实施例,而并不代表各实施例的优劣。It can be understood that related features in the above methods and devices can refer to each other. In addition, "first", "second" and so on in the above embodiments are used to distinguish each embodiment, and do not represent the advantages and disadvantages of each embodiment.

所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.

在此提供的算法和显示不与任何特定计算机、虚拟系统或者其它设备固有相关。各种通用系统也可以与基于在此的示教一起使用。根据上面的描述,构造这类系统所要求的结构是显而易见的。此外,本发明也不针对任何特定编程语言。应当明白,可以利用各种编程语言实现在此描述的本发明的内容,并且上面对特定语言所做的描述是为了披露本发明的最佳实施方式。The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art will understand that the modules in the devices of the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are intended to fall within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the state detection method, device, server and system device of a portable electronic anti-loss device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A cloud-based webshell attack detection method, comprising the following steps:
intercepting a script file sent to a website server;
detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file, wherein the feature deformation trace is a trace generated by changing the form of a feature statement in the script file;
if the feature deformation trace exists in the script file, restoring the changed feature statement according to a preset restoration rule, wherein the restoration rule is the inverse of the feature deformation rule;
detecting whether the restored feature statement is the same as a preset basic feature statement, wherein the basic feature statement is an attack-sensitive statement;
and if the restored feature statement is the same as the basic feature statement, determining that the script file is a webshell attack file.
2. The method according to claim 1, wherein the feature deformation trace is one or any combination of:
comment statements, variable assignment characters, preset feature characters, and preset feature function names.
3. The method according to claim 2, wherein, if the feature deformation trace comprises a comment statement, the detecting, based on the cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the comment statement exists in the script file;
and the restoring the changed feature statement according to the preset restoration rule if the feature deformation trace exists in the script file comprises:
if the comment statement exists in the script file, deleting the comment statement.
4. The method according to claim 2, wherein, if the feature deformation trace comprises a variable assignment character, the detecting, based on the cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the variable assignment character exists in the script file;
and the restoring the changed feature statement according to the preset restoration rule if the feature deformation trace exists in the script file comprises:
if the variable assignment character exists in the script file, restoring the assigned variable.
5. The method according to claim 2, wherein, if the feature deformation trace comprises a preset feature character, the detecting, based on the cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the preset feature character exists in the script file;
and the restoring the changed feature statement according to the preset restoration rule if the feature deformation trace exists in the script file comprises:
if the preset feature character exists in the script file, deleting the preset feature character.
6. The method according to claim 2, wherein, if the feature deformation trace comprises a preset feature function name, the detecting, based on the cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the preset feature function name exists in the script file;
and the restoring the changed feature statement according to the preset restoration rule if the feature deformation trace exists in the script file comprises:
if the preset feature function name exists in the script file, restoring the statement corresponding to the feature function according to the inverse function of the feature function.
7. The method according to any one of claims 1 to 6, wherein, before the detecting whether a preset feature deformation trace exists in the script file, the method further comprises:
obtaining the feature deformation trace, the restoration rule and the basic feature statement from the cloud platform;
or updating the locally cached feature deformation trace, restoration rule and basic feature statement through the cloud platform.
8. The method according to any one of claims 1 to 6, wherein, after the determining that the script file is a webshell attack file, the method further comprises:
reporting the script file to the cloud platform.
9. A cloud-based webshell attack detection apparatus, comprising:
an intercepting unit, configured to intercept a script file sent to a website server;
a detecting unit, configured to detect, based on a cloud platform, whether a preset feature deformation trace exists in the script file intercepted by the intercepting unit, wherein the feature deformation trace is a trace generated by changing the form of a feature statement in the script file;
a restoring unit, configured to restore the changed feature statement according to a preset restoration rule when the detecting unit detects that the feature deformation trace exists in the script file, wherein the restoration rule is the inverse of the feature deformation rule;
the detecting unit being further configured to detect whether the feature statement restored by the restoring unit is the same as a preset basic feature statement, wherein the basic feature statement is an attack-sensitive statement;
and a determining unit, configured to determine that the script file is a webshell attack file when the detecting unit detects that the restored feature statement is the same as the basic feature statement.
10. A cloud-based webshell attack detection gateway, comprising the apparatus of claim 9.
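The restore-then-compare pipeline that claims 1 to 6 describe, written out as an added Python example; this is not the patent's implementation or the assignee's code. The four restoration rules (comment deletion, variable substitution, feature-character deletion, inverse feature functions), the attack-sensitive "basic feature statements" `eval(`, `system(` and `assert(`, and the sample uploads are all constructed assumptions for illustration; a gateway built on the claims would fetch the traces, rules and basic feature statements from the cloud platform (claim 7) instead of hard-coding them.

```python
"""Normalise-then-match webshell pre-filter in the spirit of claims 1-6.
Added example, not the patent's implementation; every rule table and sample
script below is constructed for illustration."""
import base64
import re

# Claim 1: assumed "basic feature statements" (attack-sensitive statements).
BASIC_FEATURE_STATEMENTS = ("eval(", "system(", "assert(")

# Claim 5: assumed "preset feature characters", i.e. the sequences inserted to
# split a statement ("ev"."al") plus the quotes left behind once they are gone.
FEATURE_CHARACTERS = ('"."', "'.'", '"', "'")

# Claim 6: assumed "preset feature function names" mapped to their inverses.
FEATURE_FUNCTIONS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("utf-8", "replace"),
    "strrev": lambda s: s[::-1],
}

_ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")               # $name = <expr>;
_LITERAL_CALL = re.compile(r"(\w+)\(\s*(['\"])(.*?)\2\s*\)")  # f("literal")


def strip_comments(src: str) -> str:
    """Claim 3: the comment itself is the trace; deleting it restores the statement."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", src)


def invert_feature_functions(src: str, max_rounds: int = 5) -> str:
    """Claim 6: replace f("literal") by the image of the literal under f's
    inverse function; repeated so nested encodings are peeled one layer per round."""
    def repl(m: re.Match) -> str:
        inverse = FEATURE_FUNCTIONS.get(m.group(1))
        if inverse is None:
            return m.group(0)
        try:
            return '"' + inverse(m.group(3)) + '"'
        except Exception:  # argument was not really an encoded literal; keep it
            return m.group(0)
    for _ in range(max_rounds):
        restored = _LITERAL_CALL.sub(repl, src)
        if restored == src:
            break
        src = restored
    return src


def restore_variables(src: str) -> str:
    """Claim 4: substitute each scalar assignment back into its later uses
    ($f = "ev"."al"; $f(...) becomes "ev"."al"(...))."""
    bindings = {name: value.strip() for name, value in _ASSIGN.findall(src)}
    src = _ASSIGN.sub("", src)
    for name, value in bindings.items():
        src = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: v, src)
    return src


def delete_feature_characters(src: str) -> str:
    """Claim 5: delete the splitting characters; order matters ("." before ")."""
    for ch in FEATURE_CHARACTERS:
        src = src.replace(ch, "")
    return src


def restore(src: str) -> str:
    """Apply the restoration rules (inverses of the deformation rules) in order."""
    for step in (strip_comments, invert_feature_functions,
                 restore_variables, delete_feature_characters):
        src = step(src)
    return src


def matched_feature_statements(src: str) -> list:
    """Claim 1, final steps: compare the restored text (whitespace ignored)
    with the basic feature statements and report the ones that match."""
    compact = re.sub(r"\s+", "", restore(src))
    return [s for s in BASIC_FEATURE_STATEMENTS if s in compact]


def is_webshell(src: str) -> bool:
    return bool(matched_feature_statements(src))


# Constructed sample uploads, one per deformation type plus a benign control.
_B64 = base64.b64encode(b"system($_GET['c']);").decode()
SAMPLES = {
    "comment_split":   "<?php ev/*x*/al($_POST['c']); ?>",
    "variable_concat": '<?php $f = "ev"."al"; $f($_POST[\'c\']); ?>',
    "encoded_arg":     '<?php eval(base64_decode("%s")); ?>' % _B64,
    "benign":          "<?php echo htmlspecialchars($_GET['name']); // greet ?>",
}

if __name__ == "__main__":
    for label, script in SAMPLES.items():
        print(f"{label:16s} webshell={is_webshell(script)!s:5s} "
              f"matched={matched_feature_statements(script)}")
```

Two caveats worth noting when reading this against the claims. The regular expressions ignore string context, so a `//` or `#` inside a string literal would be treated as a comment and a `$x = ...` inside a string would be treated as an assignment; a production restorer would tokenise the script before applying the rules. The inverse-function rule also only fires when the argument is a literal, which is exactly the case the basic feature statement comparison needs, since a value that is only known at runtime cannot be restored statically.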
CN201510363767.5A 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud Active CN105100065B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510363767.5A CN105100065B (en) 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510363767.5A CN105100065B (en) 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud

Publications (2)

Publication Number Publication Date
CN105100065A true CN105100065A (en) 2015-11-25
CN105100065B CN105100065B (en) 2018-03-16

Family

ID=54579612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510363767.5A Active CN105100065B (en) 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud

Country Status (1)

Country Link
CN (1) CN105100065B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895517A (en) * 2009-05-19 2010-11-24 北京启明星辰信息技术股份有限公司 Method and device for extracting script semantics
KR101244945B1 (en) * 2011-06-23 2013-04-05 주식회사 티벨로 Webshell detecting apparatus using meta pattern
KR101291782B1 (en) * 2013-01-28 2013-07-31 인포섹(주) Webshell detection and corresponding system
CN103559441A (en) * 2013-10-28 2014-02-05 中国科学院信息工程研究所 Cross-platform detection method and system for malicious files in cloud environment
CN103577756A (en) * 2013-11-05 2014-02-12 北京奇虎科技有限公司 Virus detection method and device based on script type judgment
CN104394176A (en) * 2014-12-17 2015-03-04 中国人民解放军国防科学技术大学 Webshell prevention method based on mandatory access control mechanism

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108062474A (en) * 2016-11-08 2018-05-22 阿里巴巴集团控股有限公司 The detection method and device of file
CN106911686A (en) * 2017-02-20 2017-06-30 杭州迪普科技股份有限公司 WebShell detection methods and device
CN106911686B (en) * 2017-02-20 2020-07-07 杭州迪普科技股份有限公司 WebShell detection method and device
CN106982233A (en) * 2017-05-23 2017-07-25 信联安宝(北京)科技有限公司 The discrete integrated security management interchanger of power supply
CN108156131A (en) * 2017-10-27 2018-06-12 上海观安信息技术股份有限公司 Webshell detection methods, electronic equipment and computer storage media
CN108156131B (en) * 2017-10-27 2020-08-04 上海观安信息技术股份有限公司 Webshell detection method, electronic device and computer storage medium
CN109992967A (en) * 2019-03-12 2019-07-09 福建拓尔通软件有限公司 A kind of method and system for realizing automatic detection file security when file uploads
CN114925357A (en) * 2022-05-17 2022-08-19 深信服科技股份有限公司 Data detection method, device and storage medium

Also Published As

Publication number Publication date
CN105100065B (en) 2018-03-16

Similar Documents

Publication Publication Date Title
CN105100065B (en) Webshell attack detection methods, device and gateway based on cloud
RU2610254C2 (en) System and method of determining modified web pages
US9614863B2 (en) System and method for analyzing mobile cyber incident
US10164993B2 (en) Distributed split browser content inspection and analysis
US10298599B1 (en) Systems for detecting a headless browser executing on a client computer
US8266700B2 (en) Secure web application development environment
Lekies et al. 25 million flows later: large-scale detection of DOM-based XSS
CN103095681B (en) A kind of method and device detecting leak
US8800042B2 (en) Secure web application development and execution environment
Shar et al. Automated removal of cross site scripting vulnerabilities in web applications
US10223533B2 (en) Systems and methods for analysis of cross-site scripting vulnerabilities
US8474048B2 (en) Website content regulation
CN107896219B (en) Method, system and related device for detecting website vulnerability
CN103279710B (en) Method and system for detecting malicious codes of Internet information system
CN105678170A (en) Method for dynamically detecting cross site scripting (XSS) bugs
CN103744802A (en) Method and device for identifying SQL injection attacks
CN103473501A (en) Malware tracking method based on cloud safety
CN103793649A (en) Method and device for cloud-based safety scanning of files
CN103207970A (en) Virus file scanning method and device
CN106372507A (en) Method and device for detecting malicious document
CN105354494A (en) Detection method and apparatus for web page data tampering
CN104462985A (en) Detecting method and device of bat loopholes
CN110851838A (en) Cloud testing system and security testing method based on Internet
US8935778B2 (en) Maintaining data integrity
Ablahd Using python to detect web application vulnerability

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161122

Address after: 100088 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: QAX Technology Group Inc.

Address before: 100088 Floor 15, Floor 17, Floor 1 701-26, Building No. 10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.