CN105100065B - Webshell attack detection methods, device and gateway based on cloud - Google Patents


Info

Publication number: CN105100065B
Authority: CN (China)
Prior art keywords: script file, sentence, feature, default, vestige
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510363767.5A
Other languages: Chinese (zh)
Other versions: CN105100065A (en)
Inventors: 田进山, 姚熙, 李纪峰
Current assignee: Qianxin Technology Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Beijing Qianxin Technology Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Beijing Qianxin Technology Co Ltd; priority to CN201510363767.5A; publication of CN105100065A; application granted; publication of CN105100065B; legal status active (current); anticipated expiration


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses a cloud-based webshell attack detection method, device and gateway, relating to the field of Internet technology, which can solve the problem in the prior art that deformed webshell attacks are difficult to detect. The method of the invention includes: intercepting a script file sent to a website server; detecting, based on a cloud platform, whether the script file contains a preset feature deformation trace, a feature deformation trace being the trace left by a change of form applied to a feature statement in the script file; if a feature deformation trace exists in the script file, restoring the changed feature statement according to a preset restoration rule, the restoration rule being the inverse of the feature deformation rule; detecting whether the restored feature statement is identical to a preset basic feature statement, a basic feature statement being an attack-sensitive statement; and if the restored feature statement is identical to a basic feature statement, determining that the script file is a webshell attack file. The invention applies to the scenario in which a hacker sends a webshell attack file to a website server.

Description

Cloud-based webshell attack detection method, device and gateway
Technical field
The present invention relates to the field of Internet technology, and in particular to a cloud-based webshell attack detection method, device and gateway.
Background technology
A webshell is a command execution environment that exists in the form of a web page file such as asp (active server pages), php (hypertext preprocessor), jsp (java server pages) or cgi (common gateway interface). Because a webshell is a kind of web page backdoor, it has become a script attack tool for hackers attacking website servers. In practice, after a hacker has broken into a website, the hacker usually mixes backdoor files such as these asp or php files in among the normal web page files in the web directory of the website server, and then accesses these backdoor files through a browser so as to control the website server.
Protecting against webshell attacks is therefore particularly important for website security. In existing webshell attack detection techniques, after the gateway obtains a script file sent from outside to the website server, it determines whether there is a webshell attack by detecting whether basic attack features are present in the script file. However, in order to evade webshell attack detection, hackers have written many webshell attack methods with deformed features. For example, other non-letter characters such as "%" or "*" are added into some feature strings so that the feature string becomes a new, custom string. In this case, because the basic attack features of the webshell attack have been disturbed, detection based on the basic attack features is difficult, and detecting webshell attacks has become a major problem today.
Summary of the invention
In view of this, the present invention provides a cloud-based webshell attack detection method, device and gateway, which can solve the problem in the prior art that deformed webshell attacks are difficult to detect.
In a first aspect, the invention provides a cloud-based webshell attack detection method, the method including:
intercepting a script file sent to a website server;
detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file, the feature deformation trace being the trace left by a change of form applied to a feature statement in the script file;
if the feature deformation trace exists in the script file, restoring the changed feature statement according to a preset restoration rule, the restoration rule being the inverse of the feature deformation rule;
detecting whether the restored feature statement is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;
if the restored feature statement is identical to the basic feature statement, determining that the script file is a webshell attack file.
In a second aspect, the invention provides a cloud-based webshell attack detection device, the device including:
an interception unit, used to intercept a script file sent to a website server;
a detection unit, used to detect, based on a cloud platform, whether a preset feature deformation trace exists in the script file intercepted by the interception unit, the feature deformation trace being the trace left by a change of form applied to a feature statement in the script file;
a restoration unit, used to restore the changed feature statement according to a preset restoration rule when the detection unit detects that the feature deformation trace exists in the script file, the restoration rule being the inverse of the feature deformation rule;
the detection unit being further used to detect whether the feature statement restored by the restoration unit is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;
a determination unit, used to determine that the script file is a webshell attack file when the detection unit detects that the restored feature statement is identical to the basic feature statement.
In a third aspect, the invention provides a cloud-based webshell attack detection gateway, the gateway including the device described in the second aspect.
Through the above technical solution, the cloud-based webshell attack detection method, device and gateway provided by the invention can, when a script file is sent from outside to a website server, intercept the script file, first check the script file for feature deformation traces based on the cloud platform, then restore the changed feature statement, and finally compare the restored feature statement with the basic feature statement; if they are identical, the script file is judged to be a webshell attack file. Compared with prior-art detection methods that only check for basic feature statements, the invention first restores the changed feature statement so that the disturbed feature statement is restored to its original form, and only then compares it with the basic feature statement, so that a basic feature statement hidden in the script file is detected and the script file is thereby determined to be a webshell attack file.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention may be better understood and practised according to the content of the specification, and in order that the above and other objects, features and advantages of the invention may become more apparent, embodiments of the invention are set out in detail below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to a person of ordinary skill in the art. The accompanying drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of a cloud-based webshell attack detection method provided in an embodiment of the invention;
Fig. 2 shows a block diagram of a cloud-based webshell attack detection device provided in an embodiment of the invention;
Fig. 3 shows a block diagram of another cloud-based webshell attack detection device provided in an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention will be understood more thoroughly and the scope of the disclosure can be conveyed completely to those skilled in the art.
An embodiment of the invention provides a cloud-based webshell attack detection method. As shown in Fig. 1, the method includes:
101. A script file sent to a website server is intercepted.
When an external party (including an ordinary user, a hacker, etc.) sends a script file to a website server, the file must pass through the gateway. Therefore, when the script file reaches the gateway, the gateway can intercept it and carry out a security check on it, so as to ensure that the script file that reaches the website server is safe.
It should be noted that the above script file may be an asp (active server pages) file, a php (hypertext preprocessor) file, a jsp (java server pages) file, a cgi (common gateway interface) file, or a web page file in another format.
102. Based on a cloud platform, it is detected whether a preset feature deformation trace exists in the script file.
Here, a feature deformation trace is the trace left by a change of form applied to a feature statement in the script file. A feature statement may be a statement in a characteristic position, such as a statement containing a function, or a statement having other features; it may also refer to an executable code statement.
Specifically, the feature deformation trace may be one or any combination of the following: a comment statement, a variable assignment character, a preset characteristic character, and a preset characteristic function name. If the feature deformation trace includes only one item (for example, only a preset characteristic function name), the gateway checks the script file for that item only; if the feature deformation trace includes at least two items, the gateway can check the script file for each item separately. In practice, the gateway may check the script file for all items of the feature deformation trace one after another in a preset detection order, or may check the script file for all items at the same time.
It should be noted that "based on a cloud platform" in this step mainly means that the gateway first needs to obtain the latest feature deformation traces, restoration rules and basic feature statements from the cloud platform side before it can check the script file. The latest feature deformation traces, restoration rules and basic feature statements may be obtained directly from the cloud platform, or the cloud platform may update the local feature deformation traces, restoration rules and basic feature statements; the specific way of obtaining them is not limited here.
103. If a feature deformation trace exists in the script file, the changed feature statement is restored according to a preset restoration rule.
Here, the restoration rule is the inverse of the feature deformation rule. When the gateway detects that a feature deformation trace exists in the script file, this shows that a feature statement has been changed according to a preset feature deformation rule. The gateway can then restore the changed feature statement according to the inverse of the feature deformation rule (the restoration rule), so as to obtain the original (pre-change) feature statement, for the operations of the subsequent steps 104 and 105.
For example, the gateway detects the statement "e/*aaaa*/val($_POST['a']);". By matching it against the preset feature deformation traces, it learns that one kind of feature deformation trace, namely a comment statement, exists in the statement. The rule of this feature deformation is to add a comment statement into the statement, so the inverse of this feature deformation rule (the restoration rule) is to delete the added comment statement.
104. It is detected whether the restored feature statement is identical to a preset basic feature statement.
Here, a basic feature statement is an attack-sensitive statement, i.e. a statement which, according to statistics compiled by programmers, directly indicates the presence of a webshell attack feature. After the changed feature statement has been restored by the restoration rule, the original feature statement is obtained; the gateway then compares it with the basic feature statements and can thus judge whether the restored feature statement is a preset basic feature statement, which shows whether the script file is a webshell attack file.
105. If the restored feature statement is identical to the basic feature statement, the script file is determined to be a webshell attack file.
Because a basic feature statement is an attack-sensitive statement, when the gateway detects that the restored feature statement is identical to a basic feature statement, it can determine that the restored feature statement is an attack-sensitive statement, learn that an attack-sensitive statement exists in the script file, and so determine that the script file is a webshell attack file. Conversely, when the gateway detects that the restored feature statement differs from the basic feature statement, it can determine that the restored feature statement is not an attack-sensitive statement, learn that no attack-sensitive statement exists in the script file, and so determine that the script file is not a webshell attack file.
As an example, the gateway detects that "eval($/*xyz*/{"_P""OST"}['op']);" contains two kinds of feature deformation trace, namely a comment statement and preset characteristic characters, so the gateway needs to restore it according to the restoration rule corresponding to each feature deformation trace. In practice, the restoration rule for both comment statements and preset characteristic characters is a delete operation, so after the comment statement and the preset characteristic characters have all been deleted, the restored feature statement is "eval($_POST['op']);". By comparing this feature statement with the basic feature statements, it can be judged whether the script file is a webshell attack file. If "eval($_POST['op']);" is included among the basic feature statements, the restored feature statement is identical to a basic feature statement, which shows that the script file is a webshell attack file; if "eval($_POST['op']);" is not included among the basic feature statements, the restored feature statement differs from the basic feature statements, and the other feature statements in the script file still need to be judged before it can be determined whether the script file is a webshell attack file.
It should be noted that in practice, only when the gateway determines that the intercepted script file is not a webshell attack file does it continue to pass the script file on to the website server; when the script file is a webshell attack file, the script file is no longer passed on to the website server, which ensures that the script files uploaded to the website server are safe files.
The cloud-based webshell attack detection method provided in this embodiment of the invention can, when a script file is sent from outside to a website server, intercept the script file, first check the script file for feature deformation traces based on the cloud platform, then restore the changed feature statement, and finally compare the restored feature statement with the basic feature statements; if they are identical, the script file is judged to be a webshell attack file. Compared with prior-art detection methods that only check for basic feature statements, the invention first restores the changed feature statement so that the disturbed feature statement is restored to its original form, and only then compares it with the basic feature statements, so that a basic feature statement hidden in the script file is detected and the script file is thereby determined to be a webshell attack file.
Further, according to the above method embodiment, when the preset feature deformation trace includes only one kind of feature deformation trace, the gateway only checks whether that feature deformation trace exists in the script file; when the preset feature deformation trace includes several kinds of feature deformation trace, the gateway checks at the same time whether the several kinds of feature deformation trace exist in the script file, or checks one after another in a preset order whether they exist. After a feature deformation trace has been detected, the changed feature statement needs to be restored, but different kinds of feature deformation trace have different restoration methods, which are introduced below for each case:
Case one: when the feature deformation trace includes a comment statement, the gateway can detect, based on the cloud platform, whether a comment statement exists in the script file. If a comment statement exists in the script file, the comment statement is deleted; if no comment statement exists in the script file, no comment deletion operation is needed.
Because a comment statement does not take part in the execution of the program, adding a comment statement into a feature statement does not affect the function of the feature statement itself. When that feature statement is a basic feature statement, the script file is a webshell attack file. But after a comment statement has been added into the feature statement, the changed feature statement is no longer identical to the basic feature statement, so the added comment statement needs to be deleted before the original feature statement can be obtained; this detects statements that are essentially identical to the basic feature statement more accurately and avoids missed detection of webshell attack files.
In practice, comment statements are mainly detected by detecting comment markers such as "//", "/*" and "*/". For example, the gateway detects that the feature statement "eva/*xxxxx*/l($_POST['a']);" contains the comment markers "/*" and "*/", so it deletes the comment statement carrying those markers and obtains the statement as it was before the comment was added, namely "eval($_POST['a']);". After the pre-change feature statement has been obtained, it is compared with the basic feature statements. If "eval($_POST['a']);" is included among the basic feature statements, the restored feature statement is identical to a basic feature statement and the script file is thus found to be a webshell attack file; if "eval($_POST['a']);" is not included among the basic feature statements, the restored feature statement differs from the basic feature statements, and the other feature statements in the script file still need to be judged before it can be determined whether the script file is a webshell attack file.
Case two: when the feature deformation trace includes variable assignment characters, the gateway can detect, based on the cloud platform, whether variable assignment characters exist in the script file. If variable assignment characters exist in the script file, the assigned variables are restored; if no variable assignment characters exist in the script file, no variable restoration operation is needed.
In practice, a programmer often changes the form of a feature statement without changing its actual function by assigning values to variables in the feature statement, i.e. replacing old variables with new ones. In this case, merely comparing the feature statement after variable assignment with the basic feature statements cannot detect the webshell attack feature it hides. The gateway therefore needs first to restore the assigned variables so as to obtain the original feature statement; only then can it accurately judge whether the feature statement is a basic feature statement, and so correctly judge whether the script file is a webshell attack file.
Specifically, the variable assignment characters mainly include the variable assignment marker, i.e. "=", and may also include other characters with an assignment function; this is not limited here.
For example, the following code exists in the script file:
$aaa=e;
$bbb=v;
$ccc=a;
$ddd=l;
$xsser=$_POST['op'];
"$aaa"."$bbb"."$ccc"."$ddd"($xsser);
The gateway detects the variable assignment character (i.e. "=") in the above code, and detects that $aaa, $bbb, $ccc, $ddd and $xsser in the statement ""$aaa"."$bbb"."$ccc"."$ddd"($xsser);" are new variables assigned the values e, v, a, l and $_POST['op'] respectively, so the gateway needs to restore these new variables to their original values. The restored code becomes "eval($_POST['op']);", and this feature statement is then compared with the basic feature statements. If "eval($_POST['op']);" is included among the basic feature statements, the script file is a webshell attack file; if "eval($_POST['op']);" is not included among the basic feature statements, the other feature statements in the script file still need to be judged before it can be determined whether the script file is a webshell attack file.
Case three: when the feature deformation trace includes preset characteristic characters, the gateway can detect, based on the cloud platform, whether preset characteristic characters exist in the script file. If preset characteristic characters exist in the script file, the preset characteristic characters are deleted; if no preset characteristic characters exist in the script file, no characteristic character deletion operation is needed.
In practice, a hacker often breaks up a complete function name or variable name by adding characters such as concatenation symbols into the feature statement, so that the webshell attack feature present in the feature statement cannot be detected by the basic feature statements alone. The feature statement containing the preset characteristic characters therefore needs to be restored before it can be further detected whether the feature statement contains a webshell attack feature, and so whether the script file is a webshell attack file.
For example, the gateway detects that ""e"."v"."a"."l"($_POST['a']);" contains the concatenation symbols double quote and dot, so after deleting the double quotes and dots from this feature statement the original statement "eval($_POST['a']);" is obtained. "eval($_POST['a']);" is then compared with the basic feature statements; if "eval($_POST['a']);" is included among the basic feature statements, the script file is a webshell attack file, and if it is not included, the other feature statements in the script file still need to be judged before it can be determined whether the script file is a webshell attack file.
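The following Python example is added here and is not the patent's own code. It models steps 102 to 105 for the two deletion-type traces described above, case one (comment statements) and case three (preset characteristic characters), and runs them over the statements quoted in the description. The basic feature statement list is a constructed stand-in for what the gateway would fetch from the cloud platform, the brace characters in the splice set are an assumption taken from the page's own "eval($/*xyz*/{"_P""OST"}['op']);" example, and the forward/block decision models the forwarding rule stated after step 105.

```python
import re

# Added example, not the patent's own code: models steps 102-105 for two of the
# deformation traces named in the description, comment statements (case one)
# and preset characteristic characters (case three), and the forwarding rule.

# Constructed list of basic feature statements (attack-sensitive statements).
# Assumption: a real gateway fetches this list from the cloud platform.
BASIC_FEATURE_STATEMENTS = frozenset({
    "eval($_POST['a']);",
    "eval($_POST['op']);",
})

# Comment markers listed in the description: "//" to end of line and "/* ... */".
# Limitation: a "//" inside a string literal is not special-cased here.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# Characteristic (splice) characters: the description names double quotes and
# the dot; the braces are an assumption taken from the page's own example
# eval($/*xyz*/{"_P""OST"}['op']);
SPLICE_CHARS = frozenset('".{}')


def find_deformation_traces(stmt):
    """Step 102: which deformation traces does this statement carry?"""
    traces = []
    if COMMENT_RE.search(stmt):
        traces.append("comment")
    if any(ch in SPLICE_CHARS for ch in stmt):
        traces.append("splice_char")
    return traces


def reduce_statement(stmt):
    """Step 103: apply the restoration (inverse) rule for every trace found.

    Both restoration rules are deletions. Comments go first so that a splice
    character inside a comment never reaches the second pass.
    Returns (restored statement, traces found).
    """
    traces = find_deformation_traces(stmt)
    restored = stmt
    if "comment" in traces:
        restored = COMMENT_RE.sub("", restored)
    if "splice_char" in traces:
        restored = "".join(ch for ch in restored if ch not in SPLICE_CHARS)
    return restored, traces


def is_webshell(script):
    """Steps 104-105: the file is a webshell attack file as soon as one
    restored statement equals a basic feature statement; otherwise the
    remaining statements are checked and False is returned if none matches."""
    for line in script.splitlines():
        stmt = line.strip()
        if not stmt:
            continue
        restored, _ = reduce_statement(stmt)
        if restored in BASIC_FEATURE_STATEMENTS:
            return True
    return False


def gateway_decision(script):
    """Forwarding rule from the description: only a script that is not a
    webshell attack file continues on to the website server."""
    return "block" if is_webshell(script) else "forward"


# Constructed sample script: one benign statement, then the deformed
# statement quoted in the description (comment plus splice characters).
SAMPLE_SCRIPT = """<?php
echo 'hello';
eval($/*xyz*/{"_P""OST"}['op']);
"""

if __name__ == "__main__":
    for line in SAMPLE_SCRIPT.splitlines():
        restored, traces = reduce_statement(line.strip())
        print(f"{line.strip()!r} -> {restored!r} traces={traces}")
    print("decision:", gateway_decision(SAMPLE_SCRIPT))
```

The comparison is an exact string match, as the description specifies; a gateway that also normalized whitespace or quoting style would catch more variants but would need its signature list to be expressed in the same normalized form.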
Case four: when the feature deformation trace includes a preset characteristic function name, the gateway can detect, based on the cloud platform, whether a preset characteristic function name exists in the script file. If a preset characteristic function name exists in the script file, the statement of the corresponding function is restored according to the inverse of the characteristic function's function; if no preset characteristic function name exists in the script file, no characteristic function restoration is needed.
In practice, a hacker usually deforms a feature statement using some special functions so that the function of the feature statement itself does not change, yet detection by the basic feature statements alone often cannot find the webshell attack feature it hides. The gateway therefore needs first to restore the feature statement changed by the characteristic function before it can detect the hidden webshell attack feature more accurately and complete the identification of the webshell attack file.
Specifically, the preset characteristic function names include str_replace, preg_replace, pack, chr, base64_decode, strrev, str_rot13, rot_13, create_function, urldecode, strtr, gzuncompress, gzinflate, gzdecode and so on. The characteristic function corresponding to each characteristic function name has a definite function, so the gateway can restore the changed feature statement by the inverse of the characteristic function's function, obtain the original feature statement, and carry out the subsequent basic feature statement detection.
For example, the following code exists in the script file:
$abcd=str_replace("abc","eva","abcl");
$abcd($_POST['a']);
The gateway detects that str_replace exists in the above code, and what the str_replace function does in this statement is to replace abc in abcl with eva, so "$abcd($_POST['a']);" is actually "eval($_POST['a']);". It follows that "$abcd($_POST['a']);" needs to be restored using the inverse of the function performed by str_replace, so as to obtain "eval($_POST['a']);", which is then compared with the basic feature statements. If the basic feature statements include "eval($_POST['a']);", the script file is a webshell attack file; if the basic feature statements do not include "eval($_POST['a']);", it cannot be judged from the above code that the script file is a webshell attack file.
As another example, the following code exists in the script file:
$xxyz=strtr("exyz","xyz","val");
$xxyz($_POST['a']);
The gateway detects that strtr exists in the above code, and what the strtr function does in this statement is to replace x, y and z in exyz with v, a and l respectively, so "$xxyz($_POST['a']);" is actually "eval($_POST['a']);". It follows that "$xxyz($_POST['a']);" needs to be restored using the inverse of the function performed by strtr, so as to obtain "eval($_POST['a']);", which is then compared with the basic feature statements. If the basic feature statements include "eval($_POST['a']);", the script file is a webshell attack file; if the basic feature statements do not include "eval($_POST['a']);", it cannot be judged from the above code that the script file is a webshell attack file.
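The following Python example is added here and is not the patent's own code. It serves case two (variable assignment characters) and case four (preset characteristic function names) together: `$var = value;` assignments are collected, a right-hand side that calls one of the listed characteristic functions on constant string arguments is replaced by the value that call produces, the variables are substituted back into the statements that use them, and the concatenation symbols are deleted before the comparison with the basic feature statements. The basic feature statement list is a constructed stand-in for the cloud platform's list; the treatment of a bare word such as `e` as its own text follows the page's `$aaa=e;` notation and is an assumption; only three of the listed function names (str_replace, strtr, strrev) are modelled.

```python
import re

# Added example, not the patent's own code: models case two (variable
# assignment characters) and case four (preset characteristic function
# names). Assignments of constants, and of characteristic-function calls on
# constant arguments, are collected and substituted back into the statements
# that use them; the concatenation symbols are then deleted and the result
# compared with the basic feature statements.

# Constructed basic feature statements (a real gateway fetches these from the
# cloud platform).
BASIC_FEATURE_STATEMENTS = frozenset({"eval($_POST['a']);", "eval($_POST['op']);"})

# Concatenation symbols named in the description (double quote and dot).
SPLICE_CHARS = frozenset('".')


def _php_str_replace(search, replace, subject):
    """str_replace(search, replace, subject) on string constants."""
    return subject.replace(search, replace)


def _php_strtr(subject, frm, to):
    """Three-argument strtr: character-by-character translation."""
    n = min(len(frm), len(to))
    return subject.translate(str.maketrans(frm[:n], to[:n]))


# Three of the characteristic function names listed in the description, each
# with a model of what the PHP function computes on constant arguments.
CHARACTERISTIC_FUNCTIONS = {
    "str_replace": _php_str_replace,
    "strtr": _php_strtr,
    "strrev": lambda s: s[::-1],
}

ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+?)\s*;$")
CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)$", re.S)
STRING_RE = re.compile(r"""^(?:"([^"]*)"|'([^']*)')$""")


def _constant(token):
    """Value of a quoted literal, or of a bare word as the page writes it
    ($aaa=e;), which is taken to stand for its own text (assumption).
    Anything else, e.g. $_POST['op'], is kept verbatim as source text."""
    m = STRING_RE.match(token)
    if m:
        return m.group(1) if m.group(1) is not None else m.group(2)
    return token


def evaluate_rhs(rhs):
    """Case four: a call to a characteristic function whose arguments are all
    string constants is replaced by the value it would produce; any other
    right-hand side is treated as a constant. (Arguments are split on
    commas, so a comma inside a literal is not supported.)"""
    call = CALL_RE.match(rhs)
    if not call or call.group(1) not in CHARACTERISTIC_FUNCTIONS:
        return _constant(rhs)
    args = [a.strip() for a in call.group(2).split(",")]
    if not all(STRING_RE.match(a) for a in args):
        return rhs  # a non-constant argument: leave the call as written
    try:
        return CHARACTERISTIC_FUNCTIONS[call.group(1)](*[_constant(a) for a in args])
    except TypeError:
        return rhs  # wrong number of arguments: leave the call as written


def reduce_script(script):
    """Case two: collect $var = value; assignments, then rewrite every other
    statement with the variables substituted and the concatenation symbols
    deleted. Returns the list of restored statements."""
    variables = {}
    restored = []
    for line in script.splitlines():
        stmt = line.strip()
        if not stmt or stmt.startswith("<?"):
            continue
        m = ASSIGN_RE.match(stmt)
        if m:
            variables[m.group(1)] = evaluate_rhs(m.group(2))
            continue
        # Longest names first so $aaab is never rewritten by the rule for $aaa.
        for name in sorted(variables, key=len, reverse=True):
            stmt = re.sub(r"\$" + re.escape(name) + r"\b",
                          lambda _m, v=variables[name]: v, stmt)
        stmt = "".join(ch for ch in stmt if ch not in SPLICE_CHARS)
        restored.append(stmt)
    return restored


def is_webshell(script):
    """Steps 104-105 over the restored statements."""
    return any(s in BASIC_FEATURE_STATEMENTS for s in reduce_script(script))


# The three code fragments quoted in the description, as constructed samples.
VARIABLE_SAMPLE = """$aaa=e;
$bbb=v;
$ccc=a;
$ddd=l;
$xsser=$_POST['op'];
"$aaa"."$bbb"."$ccc"."$ddd"($xsser);
"""
STR_REPLACE_SAMPLE = """$abcd=str_replace("abc","eva","abcl");
$abcd($_POST['a']);
"""
STRTR_SAMPLE = """$xxyz=strtr("exyz","xyz","val");
$xxyz($_POST['a']);
"""

if __name__ == "__main__":
    for sample in (VARIABLE_SAMPLE, STR_REPLACE_SAMPLE, STRTR_SAMPLE):
        print(reduce_script(sample), "webshell:", is_webshell(sample))
```

Evaluating the characteristic function on its constant arguments is the practical form of the "inverse function" the description refers to: the gateway does not need to undo str_replace or strtr, only to learn what name the call resolves to, and a call whose arguments are not all constants is deliberately left untouched so the comparison fails closed rather than guessing.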
Further, before detecting whether a preset feature deformation trace exists in the script file, the gateway side first needs to obtain the feature deformation traces, restoration rules and basic feature statements before it can carry out the subsequent detection, restoration and other operations.
Specifically, because the cloud platform side stores the webshell attack files that have appeared on different websites, the cloud platform side has the most complete feature deformation traces, restoration rules and basic feature statements relating to webshell attacks. The gateway can therefore obtain the latest feature deformation traces, restoration rules and basic feature statements from the cloud platform side.
Specifically, if no feature deformation traces, restoration rules or basic feature statements exist locally on the gateway, then before checking the script file for feature deformation traces the gateway can obtain from the cloud platform side a file carrying the latest feature deformation traces, restoration rules and basic feature statements; if feature deformation traces, restoration rules and basic feature statements already exist locally on the gateway, the gateway can have the cloud platform update the local ones directly, for example by obtaining an update package from the cloud platform to update the local feature deformation traces, restoration rules and basic feature statements.
In addition, in practice, after the gateway intercepts the script file it can report the script file directly to the cloud platform and let the cloud platform check the script file using the detection method described above; the cloud platform then sends the detection result to the gateway so that the gateway can decide whether the script file may continue on to the website server.
Further, because the cloud platform side needs to continually update and improve its local file of feature deformation traces, restoration rules and basic feature statements, after the gateway determines that a script file is a webshell attack file it needs to report the detected webshell script file to the cloud platform so that the cloud platform can update the file of feature deformation traces, restoration rules and basic feature statements.
Further, according to the method embodiment above, an embodiment of the present invention also provides a cloud-based webshell attack detection device. As shown in Fig. 2, the device includes an interception unit 21, a detection unit 22, a restoration unit 23 and a determination unit 24, wherein:
the interception unit 21 is configured to intercept a script file sent to a website server;
the detection unit 22 is configured to detect, based on the cloud platform, whether a preset feature deformation trace exists in the script file intercepted by the interception unit 21, a feature deformation trace being a trace produced by a change of form applied to a feature statement in the script file;
the restoration unit 23 is configured to restore the changed feature statement according to a preset restoration rule when the detection unit 22 detects that a feature deformation trace exists in the script file, the restoration rule being the inverse of the feature transformation rule;
the detection unit 22 is further configured to detect whether the feature statement restored by the restoration unit 23 is identical to a preset basic feature statement, a basic feature statement being an attack-sensitive statement;
the determination unit 24 is configured to determine that the script file is a webshell attack file when the detection unit 22 detects that the restored feature statement is identical to the basic feature statement.
Further, the feature deformation trace detected by the detection unit 22 is one of the following, or any combination of them:
comment statements, variable assignment characters, preset feature characters and preset feature function names.
Specifically, as shown in Fig. 3, the detection unit 22 includes:
a first detection module 221, configured to detect, based on the cloud platform, whether a comment statement exists in the script file when the feature deformation trace includes comment statements;
and the restoration unit 23 includes:
a first deletion module 231, configured to delete the comment statement when a comment statement exists in the script file.
Further, as shown in Fig. 3, the detection unit 22 includes:
a second detection module 222, configured to detect, based on the cloud platform, whether variable assignment characters exist in the script file when the feature deformation trace includes variable assignment characters;
and the restoration unit 23 includes:
a first restoration module 232, configured to restore the assigned variable when variable assignment characters exist in the script file.
Further, as shown in Fig. 3, the detection unit 22 includes:
a third detection module 223, configured to detect, based on the cloud platform, whether a preset feature character exists in the script file when the feature deformation trace includes preset feature characters;
and the restoration unit 23 includes:
a second deletion module 233, configured to delete the preset feature character when a preset feature character exists in the script file.
Further, as shown in Fig. 3, the detection unit 22 includes:
a fourth detection module 224, configured to detect, based on the cloud platform, whether a preset feature function name exists in the script file when the feature deformation trace includes preset feature function names;
and the restoration unit 23 includes:
a second restoration module 234, configured to restore the statement of the corresponding feature function according to the inverse function of the feature function when a preset feature function name exists in the script file.
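As an added example that is not the patent's own code, the Python sketch below implements the restore-then-compare check described for the strtr case above and for the four module pairs: it deletes comment statements, substitutes constant variable assignments, deletes preset feature characters, restores a strtr call by applying its constant arguments, and then compares each restored statement with the basic feature statements. The basic feature statements, the preset character set and the sample scripts are constructed assumptions for this example.

```python
"""Restore-then-match check for the four kinds of feature deformation trace.

Added example, not the patent's code. Basic feature statements, the preset
feature character set and the sample scripts are constructed for illustration.
"""
import re

# Basic feature statements (attack-sensitive statements), stored without
# whitespace because restoration strips whitespace before matching. Constructed.
BASIC_FEATURE_STATEMENTS = {"eval($_POST['a']);", "assert($_POST['a']);"}

# Preset feature characters treated as padding to be deleted. Constructed set.
PRESET_FEATURE_CHARS = set("@ \t\r\n")

# A single- or double-quoted PHP string literal (no escape handling needed here).
STRING_LIT = r"(?:'[^']*'|\"[^\"]*\")"
# strtr(<lit>, <lit>, <lit>): the preset feature function discussed in the text.
STRTR_CALL = re.compile(
    rf"strtr\s*\(\s*({STRING_LIT})\s*,\s*({STRING_LIT})\s*,\s*({STRING_LIT})\s*\)"
)
# 'ev' . 'al' style constant concatenation.
CONCAT = re.compile(rf"\s*{STRING_LIT}(?:\s*\.\s*{STRING_LIT})*\s*")
# $name = <expression>;
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")


def remove_comments(src):
    """Step 1: delete comment statements (/* ... */, // ... and # ...)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)


def php_strtr(subject, frm, to):
    """Model of PHP strtr(string, from, to): character i of `frm` maps to
    character i of `to`; extra characters of the longer argument are ignored.
    Applying it to the constant arguments is the restoration rule for strtr:
    it yields the real function name the call was hiding."""
    n = min(len(frm), len(to))
    return subject.translate(str.maketrans(frm[:n], to[:n]))


def constant_value(expr):
    """Value of a constant expression (literal concatenation or strtr of
    literals), or None when the expression is not constant."""
    expr = expr.strip()
    m = STRTR_CALL.fullmatch(expr)
    if m:
        return php_strtr(*(g[1:-1] for g in m.groups()))
    if CONCAT.fullmatch(expr):
        return "".join(p[1:-1] for p in re.findall(STRING_LIT, expr))
    return None


def restore_variables(src):
    """Steps 2 and 4: bind every variable assigned a constant (directly or via
    strtr), drop the assignment, and substitute the value at each later use."""
    env = {}

    def bind(m):
        value = constant_value(m.group(2))
        if value is None:          # e.g. $x = $_POST['a']; stays as written
            return m.group(0)
        env[m.group(1)] = value
        return ""

    src = ASSIGN.sub(bind, src)
    for name, value in env.items():
        src = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: v, src)
    return src


def remove_feature_chars(src, chars=PRESET_FEATURE_CHARS):
    """Step 3: delete preset feature characters (padding), whitespace included."""
    return "".join(c for c in src if c not in chars)


def restore(src):
    """Full restoration pipeline on one PHP script body."""
    src = re.sub(r"<\?php|\?>", "", src)
    return remove_feature_chars(restore_variables(remove_comments(src)))


def is_webshell(src, basic=BASIC_FEATURE_STATEMENTS):
    """Return the restored statement that matches a basic feature statement,
    or None when nothing matches (the script is not flagged)."""
    for stmt in restore(src).split(";"):
        if stmt and stmt + ";" in basic:
            return stmt + ";"
    return None


# Constructed sample scripts: one per kind of deformation trace plus a benign one.
SAMPLES = {
    "strtr": "<?php $xxyz = strtr(\"exyz\", \"xyz\", \"val\"); $xxyz($_POST['a']); ?>",
    "comment": "<?php eval/*hidden*/($_POST['a']); // looks harmless\n?>",
    "variable": "<?php $f = 'ev' . 'al'; $f($_POST['a']); ?>",
    "padding": "<?php @eval ( $_POST [ 'a' ] ) ; ?>",
    "benign": "<?php echo strtr('Hi all', 'ai', 'eo'); ?>",
}

if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(f"{name:8s} -> {is_webshell(script)}")
```

The matcher deliberately compares whole restored statements, so a variable that is assigned from request input rather than from a constant (for example `$x = $_POST['a'];`) is left in place and is not flagged by this rule set.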
Further, as shown in Fig. 3, the device further comprises:
an acquiring unit 25, configured to obtain the feature deformation traces, restoration rules and basic feature statements from the cloud platform before the detection unit 22 detects whether a preset feature deformation trace exists in the script file;
an updating unit 26, configured to update the locally cached feature deformation traces, restoration rules and basic feature statements through the cloud platform before the detection unit 22 detects whether a preset feature deformation trace exists in the script file.
Further, as shown in Fig. 3, the device further comprises:
a reporting unit 27, configured to report the script file to the cloud platform after the determination unit 24 determines that the script file is a webshell attack file.
The cloud-based webshell attack detection device provided by the embodiment of the present invention can intercept a script file when an external party sends it to a website server, first perform feature deformation trace detection on the script file based on the cloud platform, then restore the changed feature statement, and finally compare the restored feature statement with the basic feature statements; if they are identical, the script file is judged to be a webshell attack file. Compared with the prior-art detection method that only detects basic feature statements, the present invention first restores the changed feature statement, so that the disturbed feature statement is restored to the original feature statement, and then compares it with the basic feature statements, so that the basic feature statement hidden in the script file is detected and the script file is determined to be a webshell attack file.
Further, according to the device embodiment above, an embodiment of the present invention also provides a cloud-based webshell attack detection gateway, which includes the device shown in Fig. 2 and Fig. 3.
The cloud-based webshell attack detection gateway provided by the embodiment of the present invention can intercept a script file when an external party sends it to a website server, first perform feature deformation trace detection on the script file based on the cloud platform, then restore the changed feature statement, and finally compare the restored feature statement with the basic feature statements; if they are identical, the script file is judged to be a webshell attack file. Compared with the prior-art detection method that only detects basic feature statements, the present invention first restores the changed feature statement, so that the disturbed feature statement is restored to the original feature statement, and then compares it with the basic feature statements, so that the basic feature statement hidden in the script file is detected and the script file is determined to be a webshell attack file.
In the embodiments above, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description of the other embodiments.
It can be understood that the related features of the method and device above may be referred to each other. In addition, "first", "second" and so on in the embodiments above are used to distinguish the embodiments and do not represent the relative merit of each embodiment.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the system, device and units described above may refer to the corresponding process in the method embodiment above, and is not repeated here.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching based on this. From the description above, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description given above of a specific language is to disclose the best mode of the present invention.
Numerous specific details are set forth in the specification provided here. It is to be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the description of exemplary embodiments of the invention above the various features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the state detection method, equipment, server and system equipment for an accompanying electronic anti-theft device according to embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the present invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the embodiments above illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (17)

1. A cloud-based webshell attack detection method, characterized in that the method comprises:
intercepting a script file sent to a website server;
detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file, the feature deformation trace being a trace produced by a change of form applied to a feature statement in the script file, and "based on a cloud platform" meaning that the latest feature deformation traces, restoration rules and basic feature statements first need to be obtained from the cloud platform side;
if the feature deformation trace exists in the script file, restoring the changed feature statement according to a preset restoration rule, the restoration rule being the inverse of the feature transformation rule;
detecting whether the restored feature statement is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;
if the restored feature statement is identical to the basic feature statement, determining that the script file is a webshell attack file.
2. The method according to claim 1, characterized in that the feature deformation trace is one of the following, or any combination of them:
comment statements, variable assignment characters, preset feature characters and preset feature function names.
3. The method according to claim 2, characterized in that, if the feature deformation trace includes comment statements, said detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the comment statement exists in the script file;
and said restoring the changed feature statement according to a preset restoration rule if the feature deformation trace exists in the script file comprises:
if the comment statement exists in the script file, deleting the comment statement.
4. The method according to claim 2, characterized in that, if the feature deformation trace includes variable assignment characters, said detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the variable assignment characters exist in the script file;
and said restoring the changed feature statement according to a preset restoration rule if the feature deformation trace exists in the script file comprises:
if the variable assignment characters exist in the script file, restoring the assigned variable.
5. The method according to claim 2, characterized in that, if the feature deformation trace includes preset feature characters, said detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the preset feature character exists in the script file;
and said restoring the changed feature statement according to a preset restoration rule if the feature deformation trace exists in the script file comprises:
if the preset feature character exists in the script file, deleting the preset feature character.
6. The method according to claim 2, characterized in that, if the feature deformation trace includes preset feature function names, said detecting, based on a cloud platform, whether a preset feature deformation trace exists in the script file comprises:
detecting, based on the cloud platform, whether the preset feature function name exists in the script file;
and said restoring the changed feature statement according to a preset restoration rule if the feature deformation trace exists in the script file comprises:
if the preset feature function name exists in the script file, restoring the statement of the corresponding feature function according to the inverse function of the feature function.
7. The method according to any one of claims 1 to 6, characterized in that, before detecting whether a preset feature deformation trace exists in the script file, the method further comprises:
obtaining the feature deformation traces, restoration rules and basic feature statements from the cloud platform;
or updating the locally cached feature deformation traces, restoration rules and basic feature statements through the cloud platform.
8. The method according to any one of claims 1 to 6, characterized in that, after determining that the script file is a webshell attack file, the method further comprises:
reporting the script file to the cloud platform.
9. A cloud-based webshell attack detection device, characterized in that the device comprises:
an interception unit, configured to intercept a script file sent to a website server;
a detection unit, configured to detect, based on a cloud platform, whether a preset feature deformation trace exists in the script file intercepted by the interception unit, the feature deformation trace being a trace produced by a change of form applied to a feature statement in the script file, and "based on a cloud platform" meaning that the latest feature deformation traces, restoration rules and basic feature statements first need to be obtained from the cloud platform side;
a restoration unit, configured to restore the changed feature statement according to a preset restoration rule when the detection unit detects that the feature deformation trace exists in the script file, the restoration rule being the inverse of the feature transformation rule;
the detection unit being further configured to detect whether the feature statement restored by the restoration unit is identical to a preset basic feature statement, the basic feature statement being an attack-sensitive statement;
a determination unit, configured to determine that the script file is a webshell attack file when the detection unit detects that the restored feature statement is identical to the basic feature statement.
10. The device according to claim 9, characterized in that the feature deformation trace detected by the detection unit is one of the following, or any combination of them:
comment statements, variable assignment characters, preset feature characters and preset feature function names.
11. The device according to claim 10, characterized in that the detection unit comprises: a first detection module, configured to detect, based on the cloud platform, whether the comment statement exists in the script file when the feature deformation trace includes comment statements;
and the restoration unit comprises:
a first deletion module, configured to delete the comment statement when the comment statement exists in the script file.
12. The device according to claim 10, characterized in that the detection unit comprises:
a second detection module, configured to detect, based on the cloud platform, whether the variable assignment characters exist in the script file when the feature deformation trace includes variable assignment characters;
and the restoration unit comprises:
a first restoration module, configured to restore the assigned variable when the variable assignment characters exist in the script file.
13. The device according to claim 10, characterized in that the detection unit comprises:
a third detection module, configured to detect, based on the cloud platform, whether the preset feature character exists in the script file when the feature deformation trace includes preset feature characters;
and the restoration unit comprises:
a second deletion module, configured to delete the preset feature character when the preset feature character exists in the script file.
14. The device according to claim 10, characterized in that the detection unit comprises:
a fourth detection module, configured to detect, based on the cloud platform, whether the preset feature function name exists in the script file when the feature deformation trace includes preset feature function names;
and the restoration unit comprises:
a second restoration module, configured to restore the statement of the corresponding feature function according to the inverse function of the feature function when the preset feature function name exists in the script file.
15. The device according to any one of claims 9 to 14, characterized in that the device further comprises:
an acquiring unit, configured to obtain the feature deformation traces, restoration rules and basic feature statements from the cloud platform before the detection unit detects whether a preset feature deformation trace exists in the script file;
an updating unit, configured to update the locally cached feature deformation traces, restoration rules and basic feature statements through the cloud platform before the detection unit detects whether a preset feature deformation trace exists in the script file.
16. The device according to any one of claims 9 to 14, characterized in that the device further comprises:
a reporting unit, configured to report the script file to the cloud platform after the determination unit determines that the script file is a webshell attack file.
17. A cloud-based webshell attack detection gateway, characterized in that the gateway comprises the device according to any one of claims 9 to 16.
CN201510363767.5A 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud Active CN105100065B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510363767.5A CN105100065B (en) 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud

Publications (2)

Publication Number Publication Date
CN105100065A CN105100065A (en) 2015-11-25
CN105100065B true CN105100065B (en) 2018-03-16

Family

ID=54579612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510363767.5A Active CN105100065B (en) 2015-06-26 2015-06-26 Webshell attack detection methods, device and gateway based on cloud

Country Status (1)

Country Link
CN (1) CN105100065B (en)

Also Published As

Publication number Publication date
CN105100065A (en) 2015-11-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161122

Address after: 100088 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100088 Floor 15, Floor 17, Floor 1 701-26, Building No. 10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP03 Change of name, title or address