CN107689940A - WebShell detection method and device - Google Patents
Publication number: CN107689940A (application number CN201610635353.8A)
Authority: CN (China)
Prior art keywords: data, webshell, flows, behavioural characteristics, present
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a WebShell detection method, comprising: detecting the traffic data between a server and a client to determine whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data; and if suspicious data with WebShell behaviour features exists in the traffic data, analysing the WebShell behaviour features corresponding to the suspicious data and, according to the analysis result, determining whether a WebShell exists in the traffic data. The invention also discloses a WebShell detection device. The invention performs its analysis on the basis of traffic detection and operation behaviour, thereby detecting WebShells in order to prevent the server from being compromised and to keep the data on the server safe.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a WebShell detection method and device.
Background technology
A WebShell is a backdoor program installed after a website has been successfully compromised, so that the intruder can conveniently control the compromised host (or server) in order to steal sensitive data or privileges, or use it as a springboard for attacking hosts on the intranet. A WebShell is usually disguised as a normal website program; if the installed WebShell cannot be found, then even after the website's vulnerability has been patched, the intruder can still keep controlling the compromised host through the WebShell hidden in the website program. Detecting and finding installed WebShells is therefore of great significance.
The prior art mainly detects or defends against WebShells in the following ways:
1. Detecting the source code of WebShell files directly. However, because WebShells are mostly written in dynamic languages, they are very easy to transform or obfuscate; moreover, some web server interfaces such as CGI or Java Servlet can run compiled binary programs, so such WebShells are difficult to detect.
2. Detecting by modifying and hooking the key API functions of the web server that a WebShell uses. However, since most of the APIs used by WebShells are also used by normal website programs, the collected API call data alone may be insufficient to identify a WebShell.
3. Detecting according to the access log of the web server. WebShells are looked for in the access log recorded by the web server, but because the access log usually records only a small amount of information such as the URL and IP address, it is likewise insufficient for identifying WebShells on its own, so this method is usually used in combination with other methods.
The content of the invention
The main object of the present invention is to provide a WebShell detection method and device which, by means of a new WebShell detection approach, solve the technical problem that existing WebShell detection techniques are insufficient.
To achieve the above object, the present invention provides a WebShell detection method, comprising:
detecting the traffic data between a server and a client to determine whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data;
if suspicious data with WebShell behaviour features exists in the traffic data, analysing the WebShell behaviour features corresponding to the suspicious data and, according to the analysis result, determining whether a WebShell exists in the traffic data.
Preferably, detecting the traffic data between the server and the client to determine whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data comprises:
reading the packets between the server and the client and performing data stream reassembly to obtain the traffic data corresponding to the reassembled packets;
parsing the traffic data to obtain corresponding parsed data, the parsed data comprising at least one or more of URL data, form data, and the data fed back by the server to the client;
comparing the parsed data with the data in a preset WebShell feature library, and determining according to the comparison result whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data.
Preferably, comparing the parsed data with the data in the preset WebShell feature library and determining according to the comparison result whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data further comprises:
determining, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
if it is the access request, comparing the parsed data with the data in the WebShell feature library, the WebShell feature library comprising a number of WebShell features and WebShell behaviour features;
if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data; and if data matching the WebShell behaviour features exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data.
Preferably, comparing the parsed data with the data in the preset WebShell feature library and determining according to the comparison result whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data comprises:
determining, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client;
if it is the feedback response, determining whether the access request corresponding to the feedback response has been cached;
if the access request corresponding to the feedback response has not been cached, comparing the parsed data with the data in the WebShell feature library;
if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data; and if data matching the WebShell behaviour features exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data; or
if the access request corresponding to the feedback response has been cached, reading the cached access request corresponding to the feedback response and comparing the parsed data with the WebShell behaviour features possessed by the access request;
if data matching the WebShell behaviour features possessed by the access request exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data.
Preferably, if suspicious data with WebShell behaviour features exists in the traffic data, analysing the WebShell behaviour features corresponding to the suspicious data and, according to the analysis result, determining whether a WebShell exists in the traffic data comprises:
if suspicious data with WebShell behaviour features exists in the traffic data, classifying and recording the WebShell behaviour features in the traffic data;
according to the one or more classification records made for the WebShell behaviour features, determining whether the operation behaviour corresponding to the recorded WebShell behaviour features is abnormal behaviour, and if the operation behaviour corresponding to the recorded WebShell behaviour features is abnormal behaviour, determining that a WebShell exists in the traffic data;
wherein the WebShell behaviour features comprise at least any of: listing directories and files, uploading files, downloading sensitive data, querying the database, executing commands, and executing code; and if two or more kinds of the WebShell behaviour features exist in the classification record, the operation behaviour corresponding to the recorded WebShell behaviour features is determined to be abnormal behaviour.
Further, to achieve the above object, the present invention also provides a WebShell detection device, comprising:
a detection module for detecting the traffic data between a server and a client to determine whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data;
an analysis module for, if suspicious data with WebShell behaviour features exists in the traffic data, analysing the WebShell behaviour features corresponding to the suspicious data and determining, according to the analysis result, whether the operation having the WebShell behaviour features is a WebShell access operation.
Preferably, the detection module comprises:
a reading submodule for reading the packets between the server and the client and performing data stream reassembly to obtain the traffic data corresponding to the reassembled packets;
a parsing submodule for parsing the traffic data to obtain corresponding parsed data, the parsed data comprising at least one or more of URL data, form data, and the data fed back by the server to the client;
a comparison submodule for comparing the parsed data with the data in a preset WebShell feature library and determining according to the comparison result whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data.
Preferably, the comparison submodule comprises:
a judging unit for determining, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
a comparing unit for, if the traffic data is the access request, comparing the parsed data with the data in the WebShell feature library, the WebShell feature library comprising a number of WebShell features and WebShell behaviour features;
a determining unit for, if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data, and if data matching the WebShell behaviour features exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data.
Preferably, the judging unit is further configured to: determine, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client; and if the traffic data is the feedback response, determine whether the access request corresponding to the feedback response has been cached;
the comparing unit is further configured to: if the access request corresponding to the feedback response has not been cached, compare the parsed data with the data in the WebShell feature library;
the determining unit is further configured to: if data matching the WebShell features exists in the parsed data, determine that suspicious data with the WebShell features exists in the traffic data, and if data matching the WebShell behaviour features exists in the parsed data, determine that suspicious data with the WebShell behaviour features exists in the traffic data;
the comparing unit is further configured to: if the access request corresponding to the feedback response has been cached, read the cached access request corresponding to the feedback response and compare the parsed data with the WebShell behaviour features possessed by the access request;
the determining unit is further configured to: if data matching the WebShell behaviour features possessed by the access request exists in the parsed data, determine that suspicious data with the WebShell behaviour features exists in the traffic data.
Preferably, the analysis module comprises:
a classification unit for, if suspicious data with WebShell behaviour features exists in the traffic data, classifying and recording the WebShell behaviour features in the traffic data;
an analysis unit for determining, according to the one or more classification records made for the WebShell behaviour features, whether the operation behaviour corresponding to the recorded WebShell behaviour features is abnormal behaviour, and if the operation behaviour corresponding to the recorded WebShell behaviour features is abnormal behaviour, determining that a WebShell exists in the traffic data, wherein the WebShell behaviour features comprise at least any of: listing directories and files, uploading files, downloading sensitive data, querying the database, executing commands, and executing code, and if two or more kinds of the WebShell behaviour features exist in the classification record, the operation behaviour corresponding to the recorded WebShell behaviour features is determined to be abnormal behaviour.
Aiming at the deficiencies of existing WebShell detection techniques, the present invention performs preliminary WebShell detection by detecting the traffic data between the server and the client, and then analyses in depth in combination with the operation behaviour features of WebShells, so as to determine whether a WebShell program exists on the server or whether an external client is performing WebShell operations. This avoids the shortcoming of existing WebShell detection methods of being easily bypassed, does not affect the operational stability of the server, and substantially increases the accuracy of WebShell detection.
Brief description of the drawings
Fig. 1 is a flow diagram of the first embodiment of the WebShell detection method of the present invention;
Fig. 2 is a detailed flow diagram of step S10 in Fig. 1;
Fig. 3 is a detailed flow diagram of the first embodiment of step S103 in Fig. 2;
Fig. 4 is a detailed flow diagram of the second embodiment of step S103 in Fig. 2;
Fig. 5 is a flow diagram of the second embodiment of the WebShell detection method of the present invention;
Fig. 6 is a functional block diagram of an embodiment of the WebShell detection device of the present invention;
Fig. 7 is a detailed functional block diagram of the detection module in Fig. 6;
Fig. 8 is a detailed functional block diagram of the comparison submodule in Fig. 7;
Fig. 9 is a detailed functional block diagram of the analysis module in Fig. 6.
The realisation, functional characteristics and advantages of the object of the invention will be further described with reference to the drawings in conjunction with the embodiments.
Embodiment
It should be understood that the specific embodiments described herein are only intended to explain the present invention and not to limit it.
Referring to Fig. 1, Fig. 1 is a flow diagram of the first embodiment of the WebShell detection method of the present invention. In this embodiment, the WebShell detection method comprises:
Step S10: detecting the traffic data between a server and a client to determine whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data;
A WebShell generally has obvious interactivity. For example, when file management is performed through a WebShell, the general process is: the intruder lists the directories and files on the server through the WebShell, then, on the basis of this information, further decides to download some of those files or to upload malicious code into some directory, and so on; this process produces multiple web requests and responses. Therefore, as long as the commands or data carried by these requests or responses over the network can be identified, the WebShell access process can be detected. Accordingly, this embodiment identifies WebShells specifically through detection of the web traffic data between the server and the client: the web traffic data is analysed in depth and combined with WebShell behaviour features in order to identify whether a WebShell exists in the traffic data.
It should be noted that the WebShell features described in this embodiment refer specifically to the features of the WebShell program file, while the WebShell behaviour features refer specifically to the behaviour features exhibited while the WebShell program is running.
In this embodiment, if suspicious data with WebShell features exists in the detected traffic data, it can be determined that a WebShell exists in the traffic data; the specific identification method and process are not limited and are configured according to actual needs.
The above judgement based on suspicious data with WebShell features is effective only for ordinary WebShell access, and cannot identify some special WebShell access very accurately. Analysis of WebShell behaviour features, however, can at least analyse indirectly from the intent and purpose of the operation behaviour and judge that suspicious data with WebShell behaviour features may exist; it can also determine indirectly, from the operation behaviour corresponding to the operation commands in the traffic data, whether WebShell behaviour features such as uploading a file or executing specified code are present.
Step S20: if suspicious data with WebShell behaviour features exists in the traffic data, analysing the WebShell behaviour features corresponding to the suspicious data and, according to the analysis result, determining whether a WebShell exists in the traffic data.
In this embodiment, if suspicious data with WebShell behaviour features exists in the traffic data, then, in order to avoid misjudgement, the suspicious data with WebShell behaviour features also needs to be analysed further, and it is determined from the analysis result whether the operation having the WebShell behaviour features is a WebShell access operation, i.e. whether a WebShell exists in the detected traffic data. The way in which the suspicious data is analysed is not limited in this embodiment and is configured according to actual needs.
Aiming at the deficiencies of existing WebShell detection techniques, this embodiment performs preliminary WebShell detection by detecting the traffic data between the server and the client, and then analyses in depth in combination with the operation behaviour features of WebShells, so as to determine whether a WebShell program exists on the server or whether an external client is performing WebShell access operations. This avoids the shortcoming of existing WebShell detection methods of being easily bypassed, does not affect the operational stability of the server, and also substantially increases the accuracy of WebShell detection.
Referring to Fig. 2, Fig. 2 is a detailed flow diagram of step S10 in Fig. 1. Based on the first embodiment of the method above, in this embodiment the above step S10 comprises:
Step S101: reading the packets between the server and the client and performing data stream reassembly to obtain the traffic data corresponding to the reassembled packets;
Step S102: parsing the traffic data to obtain corresponding parsed data, the parsed data comprising at least one or more of URL data, form data, and the data fed back by the server to the client;
Step S103: comparing the parsed data with the data in a preset WebShell feature library, and determining according to the comparison result whether suspicious data with WebShell features or WebShell behaviour features exists in the traffic data.
Based on the communication protocol between the server and the client, such as HTTP, what is transmitted between the server and the client is usually packets; the corresponding traffic data, such as HTTP traffic, can only be obtained by performing data stream reassembly at the server or the client.
At the same time, in order to obtain the characteristic data in the HTTP traffic, the traffic data also needs to be parsed, for example by performing TLS/SSL decryption and removing the protocol encoding, so as to obtain the original URL data, form data, the data fed back by the server to the client, and so on.
In this embodiment, the preset WebShell feature library contains characteristic data or characteristic behaviour data such as WebShell-related URLs, cookies and form data, so that the parsed data obtained from parsing can be compared with the feature library and, according to the comparison result, it can be determined whether suspicious data with WebShell features or WebShell behaviour features exists in the detected traffic data.
In this embodiment, the possible comparison results fall into the following three cases:
First case: the traffic data matches a certain known WebShell feature, in which case a WebShell is considered to have been detected;
Second case: the traffic data contains features of common WebShell behaviours (such as listing directories and files, uploading files, downloading sensitive data, executing commands, executing code, etc.), in which case this segment of traffic data requires further behaviour detection, and whether the operation having the WebShell behaviour features is a WebShell access operation is then determined according to the behaviour detection result;
Third case: the traffic data matches none of the WebShell features or WebShell behaviour features, in which case it is considered that no WebShell exists in the traffic data and that no WebShell access operation is present.
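The following is an added example, not code from the patent, showing steps S101 to S103 in miniature: a reassembled HTTP message is parsed into URL, cookies, form data and body, the parsed data is compared with a small feature library, and one of the three comparison outcomes above is returned. The feature library entries, the behaviour-category mapping and the sample messages are all constructed for the example; a real deployment would load the preset library instead.

```python
"""Parse an HTTP message and compare it with a constructed WebShell feature library."""
from urllib.parse import parse_qs, urlsplit

# Constructed feature library (placeholder values, not taken from the patent).
WEBSHELL_FEATURES = {
    "url_paths": {"/uploads/shell_example.php"},   # path of a hypothetical known WebShell file
    "cookie_names": {"shellsess_example"},         # cookie a hypothetical known WebShell sets
}
# Form/query parameter values mapped to the six behaviour categories named in the page.
BEHAVIOUR_FEATURES = {
    "list": "list directories and files",
    "upload": "upload file",
    "download": "download sensitive data",
    "sql": "query database",
    "exec": "execute command",
    "evalcode": "execute code",
}


def parse_http(raw: str) -> dict:
    """Split a reassembled HTTP message into kind, path, query, headers, cookies, form and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if start[0].startswith("HTTP/"):            # status line: a server feedback response
        kind, path, query = "response", None, {}
    else:                                       # request line: a client access request
        kind = "request"
        parts = urlsplit(start[1])
        path = parts.path
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        name, sep, value = item.partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    form = {}
    if kind == "request" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"kind": kind, "path": path, "query": query, "headers": headers,
            "cookies": cookies, "form": form, "body": body}


def compare_with_library(parsed: dict) -> tuple:
    """Return ('webshell', []), ('behaviour', [categories]) or ('none', [])."""
    if parsed["path"] in WEBSHELL_FEATURES["url_paths"] or (
        WEBSHELL_FEATURES["cookie_names"] & set(parsed["cookies"])
    ):
        return "webshell", []                    # first case: known WebShell feature matched
    behaviours = []
    for value in list(parsed["form"].values()) + list(parsed["query"].values()):
        category = BEHAVIOUR_FEATURES.get(value.lower())
        if category and category not in behaviours:
            behaviours.append(category)
    if behaviours:
        return "behaviour", behaviours           # second case: needs behaviour analysis
    return "none", []                            # third case: nothing matched


def detect(raw: str) -> tuple:
    return compare_with_library(parse_http(raw))


# Constructed sample messages (the hostname and paths are placeholders).
KNOWN_SHELL_REQUEST = "GET /uploads/shell_example.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BEHAVIOUR_REQUEST = (
    "POST /app/index.php HTTP/1.1\r\nHost: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=list&dir=%2Fvar%2Fwww"
)
NORMAL_REQUEST = "GET /app/index.php?page=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for message in (KNOWN_SHELL_REQUEST, BEHAVIOUR_REQUEST, NORMAL_REQUEST):
        print(detect(message))
```

The parser deliberately keeps the request and response cases apart, because the later steps of the method treat them differently: a request is compared with the library directly, while a response is first correlated with its request.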
Referring to Fig. 3, Fig. 3 is a detailed flow diagram of the first embodiment of step S103 in Fig. 2. Based on the detailed embodiment of step S10 above, in this embodiment the above step S103 further comprises:
Step S1031: determining, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
Step S1032: if it is the access request, comparing the parsed data with the data in the WebShell feature library, the WebShell feature library comprising a number of WebShell features and WebShell behaviour features;
Step S1033: if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data; and if data matching the WebShell behaviour features exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data.
In this embodiment, the detected traffic data may be an access request sent by the client to the server, or it may be a feedback response sent by the server to the client; specifically, on the basis of HTTP, this can be determined from the relevant attributes in the parsed data.
In this embodiment, if the detected traffic data corresponds to an access request sent by the client to the server, whether data matching the WebShell features exists in the parsed data can be determined directly by comparing the parsed data with the data in the WebShell feature library.
In this embodiment, if data matching WebShell features exists in the parsed data, it is determined that suspicious data with WebShell features exists in the traffic data corresponding to the parsed data; and if data matching WebShell behaviour features exists in the parsed data, it is determined that suspicious data with WebShell behaviour features exists in the traffic data corresponding to the parsed data. In addition, to make it easier to perform WebShell detection and judgement on the feedback response corresponding to an access request, in this embodiment, optionally, when an access request is determined to have WebShell behaviour features, the access request can be cached so that a comprehensive judgement can be made in combination with the features of the feedback response.
Referring to Fig. 4, Fig. 4 is a detailed flow diagram of the second embodiment of step S103 in Fig. 2. Based on the first embodiment of step S103 above, in this embodiment the above step S103 further comprises:
Step S1034: determining, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client;
Step S1035: if it is the feedback response, determining whether the access request corresponding to the feedback response has been cached;
Step S1036: if the access request corresponding to the feedback response has not been cached, comparing the parsed data with the data in the WebShell feature library;
Step S1037: if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data; and if data matching the WebShell behaviour features exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data;
In this embodiment, if the detected traffic data corresponds to a feedback response sent by the server to the client, it is first determined whether the access request corresponding to the feedback response has been cached, that is, whether the access request corresponding to the feedback response has WebShell behaviour features; if so, a comprehensive analysis according to the WebShell behaviour features of the corresponding access request is needed to determine whether the feedback response has WebShell features or WebShell behaviour features.
If the access request corresponding to the feedback response has not been cached, the parsed data is compared with the data in the WebShell feature library to determine whether data matching WebShell features exists in the parsed data. In this embodiment, if data matching WebShell features exists in the parsed data, it is determined that suspicious data with WebShell features exists in the traffic data corresponding to the parsed data; and if data matching WebShell behaviour features exists in the parsed data, it is determined that suspicious data with WebShell behaviour features exists in the traffic data corresponding to the parsed data.
Step S1038: if the access request corresponding to the feedback response has been cached, reading the cached access request corresponding to the feedback response, and comparing the parsed data with the WebShell behaviour features possessed by the access request;
Step S1039: if data matching the WebShell behaviour features possessed by the access request exists in the parsed data, determining that suspicious data with the WebShell behaviour features exists in the traffic data.
In addition, in this embodiment, if the access request corresponding to the feedback response has been cached, the access request corresponding to the feedback response is read, and the parsed data corresponding to the feedback response is then compared with the WebShell behaviour features possessed by the access request; if data matching the WebShell behaviour features possessed by the access request exists in the parsed data corresponding to the feedback response, it is determined that suspicious data with WebShell behaviour features exists in the detected traffic data.
In this embodiment, WebShell behaviour is usually initiated by the client; therefore, when WebShell detection is performed on a feedback response, the WebShell behaviour features of the access request corresponding to the feedback response are needed in order to determine whether the feedback response belongs to a WebShell, which improves the accuracy of WebShell detection. At the same time, performing WebShell detection on both access requests and feedback responses improves the comprehensiveness of the detection.
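As an added example (not the patent's code), the request/response correlation of steps S1034 to S1039 can be implemented as a small stateful correlator keyed by connection: a request that carried behaviour features is cached under its stream key; when the response on the same stream arrives, it is checked against indicators tied to the cached request's behaviour categories, and a response with no cached request is compared with the library directly. The stream key format, the response-side library entries, the behaviour-to-indicator mapping and the sample events are constructed assumptions for the example.

```python
"""Correlate server responses with the cached client request of the same stream."""
import re

# Constructed response-side entries of the feature library (placeholder values).
RESPONSE_WEBSHELL_FEATURES = ("<title>shell_example</title>",)

# Constructed mapping: what a response to each behaviour category tends to contain.
# Only two categories are covered here; the others would need their own indicators.
RESPONSE_BEHAVIOUR_INDICATORS = {
    "list directories and files": re.compile(r"(?m)^[d-][rwx-]{9}\s+\S"),  # ls -l style rows
    "execute command": re.compile(r"uid=\d+\("),                            # id(1) style output
}


class RequestResponseCorrelator:
    """Cache requests with behaviour features; judge responses in the light of that cache."""

    def __init__(self):
        self.cache = {}   # stream key -> behaviour categories of the pending request

    def observe(self, event: dict) -> tuple:
        """Process one parsed message and return (verdict, behaviour categories)."""
        stream = event["stream"]
        if event["kind"] == "request":
            behaviours = list(event.get("behaviours", []))
            if behaviours:
                # Step S1033 plus the optional caching: remember the request for its response.
                self.cache[stream] = behaviours
                return "behaviour", behaviours
            self.cache.pop(stream, None)
            return "none", []
        body = event.get("body", "")
        cached = self.cache.pop(stream, None)
        if cached is None:
            # Steps S1036/S1037: no cached request, compare the response with the library.
            if any(signature in body for signature in RESPONSE_WEBSHELL_FEATURES):
                return "webshell", []
            return "none", []
        # Steps S1038/S1039: compare the response with the cached request's behaviours.
        confirmed = [
            category for category in cached
            if category in RESPONSE_BEHAVIOUR_INDICATORS
            and RESPONSE_BEHAVIOUR_INDICATORS[category].search(body)
        ]
        return ("behaviour", confirmed) if confirmed else ("none", [])


# Constructed sample events: addresses, stream keys and bodies are placeholders.
STREAM_A = "10.0.0.5:51000->203.0.113.10:80"
STREAM_B = "10.0.0.6:52000->203.0.113.10:80"
SAMPLE_EVENTS = [
    {"kind": "request", "stream": STREAM_A, "behaviours": ["list directories and files"]},
    {"kind": "response", "stream": STREAM_A,
     "body": "drwxr-xr-x  2 www-data www-data 4096 config\r\n"
             "-rw-r--r--  1 www-data www-data  812 index.php\r\n"},
    {"kind": "request", "stream": STREAM_B, "behaviours": []},
    {"kind": "response", "stream": STREAM_B, "body": "<html><body>Welcome</body></html>"},
]


def run(events: list) -> list:
    """Feed the events through one correlator and collect the verdicts in order."""
    correlator = RequestResponseCorrelator()
    return [correlator.observe(event) for event in events]


if __name__ == "__main__":
    for verdict in run(SAMPLE_EVENTS):
        print(verdict)
```

The cache entry is removed when its response is consumed, so a long-lived connection does not keep an old behaviour verdict attached to later, unrelated responses; a production correlator would also expire entries whose response never arrives.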
Referring to Fig. 5, Fig. 5 is a flow diagram of the second embodiment of the WebShell detection method of the present invention. Based on the first embodiment of the method above, in this embodiment the above step S20 comprises:
Step S201: if suspicious data with WebShell behaviour features exists in the traffic data, classifying and recording the WebShell behaviour features in the traffic data;
Step S202: according to the one or more classification records made for the WebShell behaviour features, determining whether the operation behaviour corresponding to the recorded WebShell behaviour features is abnormal behaviour, and if the operation behaviour corresponding to the recorded WebShell behaviour features is abnormal behaviour, determining that a WebShell exists in the traffic data;
wherein the WebShell behaviour features comprise at least any of: listing directories and files, uploading files, downloading sensitive data, querying the database, executing commands, and executing code; and if two or more kinds of the WebShell behaviour features exist in the classification record, the operation behaviour corresponding to the recorded WebShell behaviour features is determined to be abnormal behaviour.
In this embodiment, suspicious data with WebShell behavioural features must undergo behavioural analysis, specifically: the WebShell behavioural features in the traffic data are first classified and recorded, for example into the following categories: listing directories and files, uploading files, downloading sensitive data, querying databases, executing commands, executing code, and so on; the number of behaviour categories recorded is then analysed. It should be noted that a normal operation in practice usually exhibits only one of the WebShell behavioural features. Therefore, if the analysis records corresponding to one or more pieces of traffic data are found to contain two or more classes of WebShell behavioural features, the operation with those WebShell behavioural features can be determined to be a WebShell access operation.
Of course, the behavioural analysis of suspicious data with WebShell behavioural features in this embodiment is not limited to the above manner. For example, the order in which the behaviours of the various WebShell behavioural feature classes are executed, their execution frequency per unit time, and so on can also be analysed to determine comprehensively whether the operation with the WebShell behavioural features is a WebShell access operation.
Referring to Fig. 6, Fig. 6 is a schematic functional block diagram of an embodiment of the WebShell detection device of the present invention. In this embodiment, the WebShell detection device includes:
a detection module 10, configured to detect the traffic data between a server and a client so as to judge whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data;
In this embodiment, the WebShell is identified specifically by detecting the web traffic data between the server and the client: the web traffic data is analysed in depth and combined with WebShell behavioural features to identify whether a WebShell exists in the traffic data.
In this embodiment, if suspicious data with WebShell features exists in the detected traffic data, it can be determined that a WebShell exists in the traffic data; the specific identification method and process are not limited and are configured according to actual needs.
The above judgment based on suspicious data with WebShell features is only useful for ordinary WebShell accesses; some special WebShell accesses cannot be identified accurately this way. Analysis of WebShell behavioural features, however, can at least analyse the intention and purpose of the operation behaviour indirectly and judge whether suspicious data with WebShell behavioural features may exist; it can also determine indirectly, from the operation behaviour corresponding to the operation instructions in the traffic data, whether WebShell behavioural features such as uploading files or executing specified code exist.
an analysis module 20, configured to, if suspicious data with WebShell behavioural features exists in the traffic data, analyse the WebShell behavioural features corresponding to the suspicious data and, according to the analysis result, judge whether the operation with the WebShell behavioural features is a WebShell access operation.
In this embodiment, if suspicious data with WebShell behavioural features exists in the traffic data, then in order to avoid misjudgement the suspicious data with WebShell behavioural features needs to be analysed further, and whether the operation with the WebShell behavioural features is a WebShell access operation is determined according to the analysis result. The manner in which this embodiment analyses the suspicious data is not limited and is configured according to actual needs.
Addressing the deficiencies of existing WebShell detection techniques, this embodiment performs preliminary WebShell detection by detecting the traffic data between the server and the client and analyses it in depth in combination with the operation behaviour features of WebShells, so as to determine whether a WebShell program exists on the server or whether an external client is performing WebShell access operations. This avoids the drawback that existing WebShell detection methods are easily bypassed, does not affect the operational stability of the server, and also greatly improves the accuracy of WebShell detection.
Referring to Fig. 7, Fig. 7 is a refined functional block diagram of the detection module in Fig. 6. Based on the first device embodiment above, in this embodiment the detection module 10 includes:
a reading submodule 101, configured to read the data packets between the server and the client and perform data-stream reassembly, obtaining the traffic data corresponding to the reassembled data packets;
an analysing submodule 102, configured to parse the traffic data to obtain corresponding parsed data, the parsed data including at least one or more of URL data, form data, and data fed back by the server to the client;
a comparison submodule 103, configured to compare the parsed data with the data in a preset WebShell feature database and judge, according to the comparison result, whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data.
Because of the communication protocol between the server and the client, such as HTTP, what is usually transmitted between them is data packets, and the corresponding traffic data, such as HTTP traffic, can only be obtained by reassembling the data stream on the server or client side.
At the same time, in order to obtain the characteristic data in the HTTP traffic, the traffic data also needs to be parsed, for example by performing TLS/SSL decryption and removing protocol encoding, thereby obtaining the original URL data, form data, data fed back by the server to the client, and so on.
In this embodiment, the preset WebShell feature database contains characteristic data or characteristic behaviour data such as WebShell-related URLs, Cookies and form data; the parsed data obtained by parsing is compared with the feature database, and according to the comparison result it is judged whether suspicious data with WebShell features or WebShell behavioural features exists in the detected traffic data.
In this embodiment, the possible comparison results include the following three cases:
First case: the traffic data matches a known WebShell feature, in which case a WebShell is considered to have been detected;
Second case: the traffic data contains features of common WebShell behaviours (such as listing directories and files, uploading files, downloading sensitive data, executing commands, executing code, etc.), in which case further behaviour detection must be performed on this segment of traffic data, and whether the operation with the WebShell behavioural features is a WebShell access operation is judged according to the behaviour detection result;
Third case: the traffic data matches neither any WebShell feature nor any WebShell behavioural feature, in which case it is considered that no WebShell or WebShell access operation exists in the traffic data.
Referring to Fig. 8, Fig. 8 is a refined functional block diagram of the comparison submodule in Fig. 7. Based on the refined embodiment of the detection module above, in this embodiment the comparison submodule 103 includes:
a judging unit 1031, configured to judge, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
a comparing unit 1032, configured to, if the traffic data is the access request, compare the parsed data with the data in the WebShell feature database, the WebShell feature database including a number of WebShell features and WebShell behavioural features;
a determining unit 1033, configured to, if data matching the WebShell features exists in the parsed data, determine that suspicious data with the WebShell features exists in the traffic data, and, if data matching the WebShell behavioural features exists in the parsed data, determine that suspicious data with the WebShell behavioural features exists in the traffic data.
In this embodiment, the detected traffic data may be an access request sent by the client to the server, or it may be a feedback response sent by the server to the client; specifically, based on HTTP, this can be determined by parsing the relevant attributes in the data.
In this embodiment, if the detected traffic data corresponds to an access request sent by the client to the server, whether data matching the WebShell features exists in the parsed data can be determined directly by comparing the parsed data with the data in the WebShell feature database.
In this embodiment, if data matching WebShell features exists in the parsed data, it is determined that suspicious data with WebShell features exists in the traffic data corresponding to the parsed data; and if data matching WebShell behavioural features exists in the parsed data, it is determined that suspicious data with WebShell behavioural features exists in the traffic data corresponding to the parsed data. In addition, to facilitate WebShell detection and judgment on the feedback response corresponding to an access request, in this embodiment, when it is determined that an access request has WebShell behavioural features, the access request is cached so that a comprehensive judgment can be made in combination with the features of the feedback response.
Optionally, in an embodiment of the WebShell detection device of the present invention, based on the refined embodiment of the comparison submodule above, in this embodiment the judging unit 1031 is further configured to: judge, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client; and if the traffic data is the feedback response, judge whether the access request corresponding to the feedback response has been cached;
the comparing unit 1032 is further configured to: if the access request corresponding to the feedback response has not been cached, compare the parsed data with the data in the WebShell feature database;
the determining unit 1033 is further configured to: if data matching the WebShell features exists in the parsed data, determine that suspicious data with the WebShell features exists in the traffic data, and, if data matching the WebShell behavioural features exists in the parsed data, determine that suspicious data with the WebShell behavioural features exists in the traffic data;
In this embodiment, if the detected traffic data corresponds to a feedback response sent by the server to the client, it is first judged whether the access request corresponding to the feedback response has been cached, that is, whether the access request corresponding to the feedback response has WebShell behavioural features; if so, a comprehensive analysis according to the WebShell behavioural features of the access request is needed to determine whether the feedback response has WebShell features or WebShell behavioural features.
If the access request corresponding to the feedback response has not been cached, the parsed data is compared with the data in the WebShell feature database to determine whether data matching WebShell features exists in the parsed data. In this embodiment, if data matching WebShell features exists in the parsed data, it is determined that suspicious data with WebShell features exists in the traffic data corresponding to the parsed data; and if data matching WebShell behavioural features exists in the parsed data, it is determined that suspicious data with WebShell behavioural features exists in the traffic data corresponding to the parsed data.
In addition, the comparing unit 1032 is further configured to: if the access request corresponding to the feedback response has been cached, read the cached access request corresponding to the feedback response and compare the parsed data with the WebShell behavioural features of the access request;
the determining unit 1033 is further configured to: if data matching the WebShell behavioural features of the access request exists in the parsed data, determine that suspicious data with the WebShell behavioural features exists in the traffic data.
In this embodiment, if the access request corresponding to the feedback response has been cached, the access request corresponding to the feedback response is read, and the parsed data corresponding to the feedback response is then compared with the WebShell behavioural features of the access request; if the parsed data corresponding to the feedback response contains data matching the WebShell behavioural features of the access request, it is determined that suspicious data with WebShell behavioural features exists in the detected traffic data.
In this embodiment, WebShell behaviour is usually initiated by the client. Therefore, when WebShell detection is performed on a feedback response, whether the feedback response belongs to a WebShell must be determined according to the WebShell behavioural features of the access request corresponding to that feedback response, which improves the accuracy of WebShell detection. At the same time, WebShell detection is performed on both access requests and feedback responses, which improves the comprehensiveness of the detection.
Referring to Fig. 9, Fig. 9 is a refined functional block diagram of the analysis module in Fig. 6. Based on the first device embodiment above, in this embodiment the analysis module 20 includes:
a classification unit 201, configured to, if suspicious data with WebShell behavioural features exists in the traffic data, classify and record the WebShell behavioural features in the traffic data;
an analysis unit 202, configured to judge, according to one or more classification records made for the WebShell behavioural features, whether the operation behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, and, if the operation behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, determine that a WebShell exists in the traffic data, wherein the WebShell behavioural features include at least one of: listing directories and files, uploading files, downloading sensitive data, querying databases, executing commands, and executing code; and if two or more of the WebShell behavioural features exist in the classification record, the operation behaviour corresponding to the recorded WebShell behavioural features is determined to be abnormal behaviour.
In this embodiment, suspicious data with WebShell behavioural features must undergo behavioural analysis, specifically: the WebShell behavioural features in the traffic data are first classified and recorded, for example into the following categories: listing directories and files, uploading files, downloading sensitive data, querying databases, executing commands, executing code, and so on; the number of behaviour categories recorded is then analysed. It should be noted that a normal operation in practice usually exhibits only one of the WebShell behavioural features. Therefore, if the analysis records corresponding to one or more pieces of traffic data are found to contain two or more classes of WebShell behavioural features, the operation with those WebShell behavioural features can be determined to be a WebShell access operation. Of course, the behavioural analysis of suspicious data with WebShell behavioural features in this embodiment is not limited to the above manner; for example, the order in which the behaviours of the various WebShell behavioural feature classes are executed, their execution frequency per unit time, and so on can also be analysed to determine comprehensively whether the operation with the WebShell behavioural features is a WebShell access operation.
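An added example in Python (not code from the patent or its applicant) that implements the pipeline the method and device embodiments above describe: each reassembled HTTP message is parsed, compared with a constructed placeholder feature database, the behaviour categories of flagged requests are classified and recorded per client, a feedback response is judged against its cached request, and two or more recorded categories are treated as abnormal behaviour. All marker strings, parameter names, evidence patterns and addresses are constructed assumptions, not real WebShell signatures.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed feature database: placeholder strings standing in for the URL,
# Cookie and form-data entries a real WebShell feature database would hold.
KNOWN_FEATURES = {
    "url": ("/uploads/example_shell_marker.php",),
    "cookie": ("example_shell_cookie=",),
    "form": ("example_shell_field=",),
}
# Constructed request-side patterns for the six behaviour categories the text
# lists (hypothetical parameter names; a real mapping is site-specific).
BEHAVIOUR_PATTERNS = {
    "LIST_DIR": re.compile(r"action=list_dir"),
    "UPLOAD": re.compile(r"action=upload"),
    "DOWNLOAD_SENSITIVE": re.compile(r"action=download&path=[^&]*(passwd|\.env)"),
    "QUERY_DB": re.compile(r"action=sql"),
    "EXEC_CMD": re.compile(r"action=exec_cmd"),
    "EXEC_CODE": re.compile(r"action=eval"),
}
# Constructed response-side evidence that the cached request's behaviour happened.
RESPONSE_EVIDENCE = {
    "LIST_DIR": re.compile(r"^[d-][rwx-]{9}\s", re.M),  # ls -l style listing
    "QUERY_DB": re.compile(r"\brows? in set\b"),
}


@dataclass
class Parsed:
    is_request: bool
    url: str = ""
    cookie: str = ""
    form: str = ""
    body: str = ""


def parse_http(raw: str) -> Parsed:
    """Split one reassembled, decrypted HTTP message; 'HTTP/' first means response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if lines[0].startswith("HTTP/"):
        return Parsed(False, body=body)
    method, url, _ = lines[0].split(" ", 2)
    return Parsed(True, url=url, cookie=headers.get("cookie", ""),
                  form=body if method.upper() == "POST" else "", body=body)


class WebShellDetector:
    """Verdicts: 'webshell' (known feature, or abnormal behaviour per S202),
    'suspicious' (one behaviour category recorded so far), 'clean' (no match)."""

    def __init__(self):
        self.records = defaultdict(set)  # client -> classification record (S201)
        self.cached = {}                 # client -> behaviours of last flagged request

    @staticmethod
    def _known_feature(fields: dict) -> bool:
        return any(marker in fields.get(kind, "")
                   for kind, markers in KNOWN_FEATURES.items() for marker in markers)

    @staticmethod
    def _behaviours(text: str) -> set:
        return {name for name, rx in BEHAVIOUR_PATTERNS.items() if rx.search(text)}

    def _record(self, client: str, categories: set) -> str:
        # S202: two or more categories across the client's records is abnormal.
        self.records[client] |= categories
        return "webshell" if len(self.records[client]) >= 2 else "suspicious"

    def inspect(self, raw: str, client: str) -> str:
        p = parse_http(raw)
        if p.is_request:
            if self._known_feature({"url": p.url, "cookie": p.cookie, "form": p.form}):
                return "webshell"                    # first comparison case
            categories = self._behaviours(p.url + "&" + p.form)
            if not categories:
                return "clean"                       # third comparison case
            self.cached[client] = categories         # keep for the feedback response
            return self._record(client, categories)  # second case: behaviour analysis
        expected = self.cached.pop(client, None)
        if expected is None:                         # no cached request: feature DB only
            return "webshell" if self._known_feature(dict.fromkeys(KNOWN_FEATURES, p.body)) else "clean"
        confirmed = {c for c in expected
                     if c in RESPONSE_EVIDENCE and RESPONSE_EVIDENCE[c].search(p.body)}
        return self._record(client, confirmed) if confirmed else "suspicious"


def run_constructed_session() -> list:
    """Feed a constructed client/server exchange through one detector."""
    det = WebShellDetector()
    session = [
        ("10.0.0.5", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        ("10.0.0.9", "POST /img/p.php HTTP/1.1\r\n\r\naction=list_dir&d=/var/www"),
        ("10.0.0.9", "HTTP/1.1 200 OK\r\n\r\ndrwxr-xr-x 2 www www 4096 index.php\n"),
        ("10.0.0.9", "POST /img/p.php HTTP/1.1\r\n\r\naction=exec_cmd&c=hostname"),
        ("10.0.0.7", "GET /uploads/example_shell_marker.php?x=1 HTTP/1.1\r\n\r\n"),
    ]
    return [det.inspect(raw, client) for client, raw in session]
```

The second client is only "suspicious" after its first listing request and the response confirming it, and becomes "webshell" once a second behaviour category (command execution) joins the same classification record.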
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention. Any equivalent structural or equivalent flow transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (10)
1. A WebShell detection method, characterised in that the WebShell detection method comprises:
detecting traffic data between a server and a client to judge whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data;
if suspicious data with WebShell behavioural features exists in the traffic data, analysing the WebShell behavioural features corresponding to the suspicious data and, according to the analysis result, judging whether a WebShell exists in the traffic data.
2. The WebShell detection method according to claim 1, characterised in that detecting the traffic data between the server and the client to judge whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data comprises:
reading the data packets between the server and the client and performing data-stream reassembly to obtain the traffic data corresponding to the reassembled data packets;
parsing the traffic data to obtain corresponding parsed data, the parsed data including at least one or more of URL data, form data, and data fed back by the server to the client;
comparing the parsed data with data in a preset WebShell feature database, and judging according to the comparison result whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data.
3. The WebShell detection method according to claim 2, characterised in that comparing the parsed data with the data in the preset WebShell feature database and judging according to the comparison result whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data comprises:
judging, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
if it is the access request, comparing the parsed data with the data in the WebShell feature database, the WebShell feature database including a number of WebShell features and WebShell behavioural features;
if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data; and if data matching the WebShell behavioural features exists in the parsed data, determining that suspicious data with the WebShell behavioural features exists in the traffic data.
4. The WebShell detection method according to claim 2, characterised in that comparing the parsed data with the data in the preset WebShell feature database and judging according to the comparison result whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data comprises:
judging, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client;
if it is the feedback response, judging whether the access request corresponding to the feedback response has been cached;
if the access request corresponding to the feedback response has not been cached, comparing the parsed data with the data in the WebShell feature database;
if data matching the WebShell features exists in the parsed data, determining that suspicious data with the WebShell features exists in the traffic data; and if data matching the WebShell behavioural features exists in the parsed data, determining that suspicious data with the WebShell behavioural features exists in the traffic data; or
if the access request corresponding to the feedback response has been cached, reading the cached access request corresponding to the feedback response and comparing the parsed data with the WebShell behavioural features of the access request;
if data matching the WebShell behavioural features of the access request exists in the parsed data, determining that suspicious data with the WebShell behavioural features exists in the traffic data.
5. The WebShell detection method according to any one of claims 1 to 4, characterised in that, if suspicious data with WebShell behavioural features exists in the traffic data, analysing the WebShell behavioural features corresponding to the suspicious data and judging according to the analysis result whether a WebShell exists in the traffic data comprises:
if suspicious data with WebShell behavioural features exists in the traffic data, classifying and recording the WebShell behavioural features in the traffic data;
judging, according to one or more classification records made for the WebShell behavioural features, whether the operation behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, and if the operation behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, determining that a WebShell exists in the traffic data;
wherein the WebShell behavioural features include at least one of: listing directories and files, uploading files, downloading sensitive data, querying databases, executing commands, and executing code; and if two or more of the WebShell behavioural features exist in the classification record, the operation behaviour corresponding to the recorded WebShell behavioural features is determined to be abnormal behaviour.
6. A WebShell detection device, characterised in that the WebShell detection device comprises:
a detection module, configured to detect traffic data between a server and a client to judge whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data, wherein, if suspicious data with WebShell features exists in the traffic data, it is determined that a WebShell exists in the traffic data;
an analysis module, configured to, if suspicious data with WebShell behavioural features exists in the traffic data, analyse the WebShell behavioural features corresponding to the suspicious data and, according to the analysis result, judge whether a WebShell exists in the traffic data.
7. The WebShell detection device according to claim 6, characterised in that the detection module comprises:
a reading submodule, configured to read the data packets between the server and the client and perform data-stream reassembly to obtain the traffic data corresponding to the reassembled data packets;
an analysing submodule, configured to parse the traffic data to obtain corresponding parsed data, the parsed data including at least one or more of URL data, form data, and data fed back by the server to the client;
a comparison submodule, configured to compare the parsed data with data in a preset WebShell feature database and judge, according to the comparison result, whether suspicious data with WebShell features or WebShell behavioural features exists in the traffic data.
8. The WebShell detection device according to claim 7, characterised in that the comparison submodule comprises:
a judging unit, configured to judge, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
a comparing unit, configured to, if the traffic data is the access request, compare the parsed data with the data in the WebShell feature database, the WebShell feature database including a number of WebShell features and WebShell behavioural features;
a determining unit, configured to, if data matching the WebShell features exists in the parsed data, determine that suspicious data with the WebShell features exists in the traffic data, and, if data matching the WebShell behavioural features exists in the parsed data, determine that suspicious data with the WebShell behavioural features exists in the traffic data.
9. The WebShell detection device according to claim 7, characterised in that
the judging unit is further configured to: judge, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client; and if the traffic data is the feedback response, judge whether the access request corresponding to the feedback response has been cached;
the comparing unit is further configured to: if the access request corresponding to the feedback response has not been cached, compare the parsed data with the data in the WebShell feature database;
the determining unit is further configured to: if data matching the WebShell features exists in the parsed data, determine that suspicious data with the WebShell features exists in the traffic data, and, if data matching the WebShell behavioural features exists in the parsed data, determine that suspicious data with the WebShell behavioural features exists in the traffic data;
the comparing unit is further configured to: if the access request corresponding to the feedback response has been cached, read the cached access request corresponding to the feedback response and compare the parsed data with the WebShell behavioural features of the access request;
the determining unit is further configured to: if data matching the WebShell behavioural features of the access request exists in the parsed data, determine that suspicious data with the WebShell behavioural features exists in the traffic data.
10. The WebShell detection device according to any one of claims 6 to 9, characterised in that the analysis module comprises:
a classification unit, configured to, if suspicious data with WebShell behavioural features exists in the traffic data, classify and record the WebShell behavioural features in the traffic data;
an analysis unit, configured to judge, according to one or more classification records made for the WebShell behavioural features, whether the operation behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, and, if the operation behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, determine that a WebShell exists in the traffic data, wherein the WebShell behavioural features include at least one of: listing directories and files, uploading files, downloading sensitive data, querying databases, executing commands, and executing code; and if two or more of the WebShell behavioural features exist in the classification record, the operation behaviour corresponding to the recorded WebShell behavioural features is determined to be abnormal behaviour.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610635353.8A CN107689940B (en) | 2016-08-04 | 2016-08-04 | WebShell detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107689940A true CN107689940A (en) | 2018-02-13 |
CN107689940B CN107689940B (en) | 2021-03-09 |
Family
ID=61151707
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610635353.8A Active CN107689940B (en) | 2016-08-04 | 2016-08-04 | WebShell detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107689940B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110602030A (en) * | 2019-05-16 | 2019-12-20 | 上海云盾信息技术有限公司 | Network intrusion blocking method, server and computer readable medium |
CN111800405A (en) * | 2020-06-29 | 2020-10-20 | 深信服科技股份有限公司 | Detection method, detection device and storage medium |
CN112491882A (en) * | 2020-11-27 | 2021-03-12 | 泰康保险集团股份有限公司 | Webshell detection method, webshell detection device, webshell detection medium and electronic equipment |
CN113132341A (en) * | 2020-01-16 | 2021-07-16 | 深信服科技股份有限公司 | Network attack behavior detection method and device, electronic equipment and storage medium |
CN113132329A (en) * | 2019-12-31 | 2021-07-16 | 深信服科技股份有限公司 | WEBSHELL detection method, device, equipment and storage medium |
CN113746784A (en) * | 2020-05-29 | 2021-12-03 | 深信服科技股份有限公司 | Data detection method, system and related equipment |
CN113961913A (en) * | 2021-09-27 | 2022-01-21 | 北京东方通科技股份有限公司 | Detection method and system applied to cross-domain security |
CN114465741A (en) * | 2020-11-09 | 2022-05-10 | 腾讯科技(深圳)有限公司 | Anomaly detection method and device, computer equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102647421A (en) * | 2012-04-09 | 2012-08-22 | 北京百度网讯科技有限公司 | Web back door detection method and device based on behavioral characteristics |
CN103607413A (en) * | 2013-12-05 | 2014-02-26 | 北京奇虎科技有限公司 | Method and device for detecting website backdoor program |
CN103839008A (en) * | 2014-03-21 | 2014-06-04 | 彭岸峰 | Immune safety service for one-word script backdoors and PHP variable function backdoors |
CN105812196A (en) * | 2014-12-30 | 2016-07-27 | 中国移动通信集团公司 | WebShell detection method and electronic device |
2016
- 2016-08-04: CN application CN201610635353.8A filed; granted as patent CN107689940B (status: Active)
Non-Patent Citations (2)
Title |
---|
迷路的指南针: "Webshell Security Detection, Part 1: Traffic-based detection methods", HTTPS://WWW.SEC-UN.ORG/WEBSHELL-SECURITY-TESTING-1-BASED-TRAFFIC-DETECTION/ * |
迷路的指南针: "Webshell Security Detection, Part 3: Using behavioral analysis to discover 'unknown Webshells'", HTTPS://WWW.SEC-UN.ORG/WEBSHELL-SECURITY-DETECTION-3-BASED-ON-BEHAVIORAL-ANALYSIS-TO-DISCOVER-UNKNOWN-WEBSHELL/ * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110602030A (en) * | 2019-05-16 | 2019-12-20 | 上海云盾信息技术有限公司 | Network intrusion blocking method, server and computer readable medium |
CN113132329A (en) * | 2019-12-31 | 2021-07-16 | 深信服科技股份有限公司 | WEBSHELL detection method, device, equipment and storage medium |
CN113132341A (en) * | 2020-01-16 | 2021-07-16 | 深信服科技股份有限公司 | Network attack behavior detection method and device, electronic equipment and storage medium |
CN113132341B (en) * | 2020-01-16 | 2023-03-21 | 深信服科技股份有限公司 | Network attack behavior detection method and device, electronic equipment and storage medium |
CN113746784A (en) * | 2020-05-29 | 2021-12-03 | 深信服科技股份有限公司 | Data detection method, system and related equipment |
CN113746784B (en) * | 2020-05-29 | 2023-04-07 | 深信服科技股份有限公司 | Data detection method, system and related equipment |
CN111800405A (en) * | 2020-06-29 | 2020-10-20 | 深信服科技股份有限公司 | Detection method, detection device and storage medium |
CN114465741A (en) * | 2020-11-09 | 2022-05-10 | 腾讯科技(深圳)有限公司 | Anomaly detection method and device, computer equipment and storage medium |
CN114465741B (en) * | 2020-11-09 | 2023-09-26 | 腾讯科技(深圳)有限公司 | Abnormality detection method, abnormality detection device, computer equipment and storage medium |
CN112491882A (en) * | 2020-11-27 | 2021-03-12 | 泰康保险集团股份有限公司 | Webshell detection method, webshell detection device, webshell detection medium and electronic equipment |
CN113961913A (en) * | 2021-09-27 | 2022-01-21 | 北京东方通科技股份有限公司 | Detection method and system applied to cross-domain security |
Also Published As
Publication number | Publication date |
---|---|
CN107689940B (en) | 2021-03-09 |
Similar Documents
Publication | Title |
---|---|
CN107689940A (en) | WebShell detection method and device |
US10104095B2 (en) | Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications |
JP4358188B2 (en) | Invalid click detection device in Internet search engine |
CN109922052A (en) | Malicious URL detection method combining multiple features |
US9215245B1 (en) | Exploration system and method for analyzing behavior of binary executable programs |
CN110602029B (en) | Method and system for identifying network attack |
US20070255818A1 (en) | Method of detecting unauthorized access to a system or an electronic device |
US20240015173A1 (en) | Techniques for clickstream tracking across browser tabs |
US20100153539A1 (en) | Algorithm for classification of browser links |
RU2697950C2 (en) | System and method of detecting latent behaviour of browser extension |
CN108156131A (en) | Webshell detection method, electronic device and computer storage medium |
CN108337269B (en) | WebShell detection method |
CN101964026A (en) | Method and system for detecting trojan-embedded web pages |
WO2010065991A1 (en) | System and method for adapting an internet and intranet filtering system |
JP4935274B2 (en) | Server and program |
CN104935601B (en) | Cloud-based web log security analysis method, apparatus and system |
US11356433B2 (en) | System and method for detecting unauthorized activity at an electronic device |
US20190289085A1 (en) | System and method for tracking online user behavior across browsers or devices |
CN103095693A (en) | Method for locating and accessing database user host information |
CN108632219A (en) | Website vulnerability detection method, detection server and system |
Hess | Discovering digital library user behavior with Google Analytics |
WO2018145637A1 (en) | Method and device for recording web browsing behavior, and user terminal |
Buyukkayhan et al. | What's in an Exploit? An Empirical Analysis of Reflected Server XSS Exploitation Techniques |
CN111031025B (en) | Method and device for automatically detecting and verifying Webshell |
US9723017B1 (en) | Method, apparatus and computer program product for detecting risky communications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 518000, first floor of Building A1, Nanshan Zhiyuan 1001, Xueyuan Avenue, Nanshan District, Shenzhen, Guangdong. Applicant after: SANGFOR TECHNOLOGIES Inc. Address before: 518052, first floor of Building A1, Nanshan Zhiyuan 1001, Xueyuan Avenue, Nanshan District, Shenzhen, Guangdong. Applicant before: Sangfor Technologies Co.,Ltd. |
| GR01 | Patent grant | |