CN107689940A - WebShell detection method and device - Google Patents

WebShell detection method and device

Info

Publication number
CN107689940A
CN107689940A (application number CN201610635353.8A)
Authority
CN
China
Prior art keywords
data
webshell
flows
behavioural characteristics
present
Legal status
Granted
Application number
CN201610635353.8A
Other languages
Chinese (zh)
Other versions
CN107689940B (en)
Inventor
杨力
Current Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Original Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Events
Application filed by Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority to CN201610635353.8A
Publication of CN107689940A
Application granted
Publication of CN107689940B
Legal status: Active


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection

Abstract

The invention discloses a WebShell detection method comprising: detecting the traffic data exchanged between a server and a client in order to judge whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features, wherein, if suspicious data bearing WebShell features is present in the traffic data, it is determined that a WebShell is present in the traffic data; and, if suspicious data bearing WebShell behavioural features is present in the traffic data, the WebShell behavioural features corresponding to that suspicious data are analysed and, according to the analysis result, it is judged whether a WebShell is present in the traffic data. The invention also discloses a WebShell detection device. The present invention is based on traffic detection combined with analysis of operating behaviour, and thereby detects WebShells so as to prevent the server from being compromised and to safeguard the data on the server.

Description

WebShell detection method and device
Technical field
The present invention relates to the field of information security technology, and more particularly to a WebShell detection method and device.
Background art
A WebShell is a backdoor program planted after a website has been successfully compromised, so that the intruder can conveniently control the compromised host (or server) in order to steal sensitive data or privileges, or use it as a springboard for attacking hosts on the internal network. A WebShell is usually disguised as a normal website program; if the installed WebShell is not found, then even after the website's vulnerability has been patched the intruder can still control the compromised host through the WebShell hidden in the website program. Detecting and finding installed WebShells is therefore of great importance.
Current technology mainly detects or defends against WebShells in the following ways:
1. Inspecting the source code of the WebShell file directly. Because WebShells are mostly written in dynamic languages they are very easily transformed or obfuscated; in addition, some web server interfaces, such as CGI or Java Servlets, can run compiled binary programs, which are hard to inspect.
2. Modifying the key API functions of the web server and hooking the APIs that a WebShell uses. Most of the APIs a WebShell uses are also used by normal website programs, so the data collected from API calls alone may be insufficient to distinguish a WebShell.
3. Detection from the web server's access log. The WebShell is looked for in the access log recorded by the web server, but because the access log usually records only a small amount of information, such as the URL and IP address, it is likewise insufficient on its own to identify a WebShell, so this method is usually used in combination with other methods.
Summary of the invention
The main object of the present invention is to provide a WebShell detection method and device that, by means of a new WebShell detection approach, solve the technical problem that existing WebShell detection techniques are insufficient.
To achieve the above object, the present invention provides a WebShell detection method comprising:
detecting the traffic data between a server and a client in order to judge whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features, wherein, if suspicious data bearing WebShell features is present in the traffic data, it is determined that a WebShell is present in the traffic data;
if suspicious data bearing WebShell behavioural features is present in the traffic data, analysing the WebShell behavioural features corresponding to that suspicious data and, according to the analysis result, judging whether a WebShell is present in the traffic data.
Preferably, detecting the traffic data between the server and the client in order to judge whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features comprises:
reading the packets between the server and the client and performing data-stream reassembly to obtain the traffic data corresponding to the reassembled packets;
parsing the traffic data to obtain corresponding parsed data, the parsed data comprising at least one or more of URL data, form data, and data fed back by the server to the client;
comparing the parsed data with the data in a preset WebShell feature database and, according to the comparison result, judging whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features.
Preferably, comparing the parsed data with the data in the preset WebShell feature database and judging, according to the comparison result, whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features further comprises:
judging, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
if it is an access request, comparing the parsed data with the data in the WebShell feature database, the WebShell feature database containing a number of WebShell features and WebShell behavioural features;
if the parsed data contains data matching the WebShell features, determining that the traffic data contains suspicious data bearing the WebShell features; if the parsed data contains data matching the WebShell behavioural features, determining that the traffic data contains suspicious data bearing the WebShell behavioural features.
Preferably, comparing the parsed data with the data in the preset WebShell feature database and judging, according to the comparison result, whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features comprises:
judging, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client;
if it is a feedback response, judging whether the access request corresponding to the feedback response has been cached;
if the access request corresponding to the feedback response has not been cached, comparing the parsed data with the data in the WebShell feature database;
if the parsed data contains data matching the WebShell features, determining that the traffic data contains suspicious data bearing the WebShell features; if the parsed data contains data matching the WebShell behavioural features, determining that the traffic data contains suspicious data bearing the WebShell behavioural features; or
if the access request corresponding to the feedback response has been cached, reading the cached access request corresponding to the feedback response and comparing the parsed data with the WebShell behavioural features possessed by that access request;
if the parsed data contains data matching the WebShell behavioural features possessed by the access request, determining that the traffic data contains suspicious data bearing the WebShell behavioural features.
Preferably, if suspicious data bearing WebShell behavioural features is present in the traffic data, analysing the WebShell behavioural features corresponding to the suspicious data and judging, according to the analysis result, whether a WebShell is present in the traffic data comprises:
if suspicious data bearing WebShell behavioural features is present in the traffic data, classifying and recording the WebShell behavioural features in the traffic data;
according to one or more classification records made of the WebShell behavioural features, judging whether the operating behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour and, if the operating behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour, determining that a WebShell is present in the traffic data;
wherein the WebShell behavioural features comprise at least any of listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands and executing code, and, if two or more of these WebShell behavioural features are present in the classification records, the operating behaviour corresponding to the recorded WebShell behavioural features is determined to be abnormal behaviour.
Further, to achieve the above object, the present invention also provides a WebShell detection device comprising:
a detection module for detecting the traffic data between a server and a client in order to judge whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features, wherein, if suspicious data bearing WebShell features is present in the traffic data, it is determined that a WebShell is present in the traffic data;
an analysis module for, if suspicious data bearing WebShell behavioural features is present in the traffic data, analysing the WebShell behavioural features corresponding to that suspicious data and judging, according to the analysis result, whether the operation bearing the WebShell behavioural features is an operation accessing a WebShell.
Preferably, the detection module comprises:
a reading submodule for reading the packets between the server and the client and performing data-stream reassembly to obtain the traffic data corresponding to the reassembled packets;
a parsing submodule for parsing the traffic data to obtain corresponding parsed data, the parsed data comprising at least one or more of URL data, form data, and data fed back by the server to the client;
a comparison submodule for comparing the parsed data with the data in a preset WebShell feature database and judging, according to the comparison result, whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features.
Preferably, the comparison submodule comprises:
a judging unit for judging, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
a comparing unit for, if the traffic data is the access request, comparing the parsed data with the data in the WebShell feature database, the WebShell feature database containing a number of WebShell features and WebShell behavioural features;
a determining unit for determining, if the parsed data contains data matching the WebShell features, that the traffic data contains suspicious data bearing the WebShell features, and for determining, if the parsed data contains data matching the WebShell behavioural features, that the traffic data contains suspicious data bearing the WebShell behavioural features.
Preferably, the judging unit is further configured to judge, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client and, if the traffic data is the feedback response, to judge whether the access request corresponding to the feedback response has been cached;
the comparing unit is further configured to compare the parsed data with the data in the WebShell feature database if the access request corresponding to the feedback response has not been cached;
the determining unit is further configured to determine, if the parsed data contains data matching the WebShell features, that the traffic data contains suspicious data bearing the WebShell features, and to determine, if the parsed data contains data matching the WebShell behavioural features, that the traffic data contains suspicious data bearing the WebShell behavioural features;
the comparing unit is further configured to read, if the access request corresponding to the feedback response has been cached, the cached access request corresponding to the feedback response, and to compare the parsed data with the WebShell behavioural features possessed by the access request;
the determining unit is further configured to determine, if the parsed data contains data matching the WebShell behavioural features possessed by the access request, that the traffic data contains suspicious data bearing the WebShell behavioural features.
Preferably, the analysis module comprises:
a classification unit for, if suspicious data bearing WebShell behavioural features is present in the traffic data, classifying and recording the WebShell behavioural features in the traffic data;
an analysis unit for judging, according to one or more classification records made of the WebShell behavioural features, whether the operating behaviour corresponding to the recorded WebShell behavioural features is abnormal behaviour and, if it is, determining that a WebShell is present in the traffic data, wherein the WebShell behavioural features comprise at least any of listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands and executing code, and, if two or more of these WebShell behavioural features are present in the classification records, the operating behaviour corresponding to the recorded WebShell behavioural features is determined to be abnormal behaviour.
Addressing the deficiencies of existing WebShell detection techniques, the present invention performs a preliminary WebShell detection on the traffic data between the server and the client and then analyses that traffic in depth in combination with the operating-behaviour features of a WebShell, so as to judge and determine whether a WebShell program is present on the server or whether an external client is performing WebShell operations. This avoids the drawback that existing WebShell detection methods are easily bypassed, does not affect the operating stability of the server, and moreover greatly improves the accuracy of WebShell detection.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a first embodiment of the WebShell detection method of the present invention;
Fig. 2 is a detailed flow chart of step S10 in Fig. 1;
Fig. 3 is a detailed flow chart of a first embodiment of step S103 in Fig. 2;
Fig. 4 is a detailed flow chart of a second embodiment of step S103 in Fig. 2;
Fig. 5 is a schematic flow chart of a second embodiment of the WebShell detection method of the present invention;
Fig. 6 is a functional block diagram of an embodiment of the WebShell detection device of the present invention;
Fig. 7 is a detailed functional block diagram of the detection module in Fig. 6;
Fig. 8 is a detailed functional block diagram of the comparison submodule in Fig. 7;
Fig. 9 is a detailed functional block diagram of the analysis module in Fig. 6.
The realisation of the object of the invention, its functional characteristics and its advantages are described further below with reference to the drawings and in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic flow chart of the first embodiment of the WebShell detection method of the present invention. In this embodiment the WebShell detection method comprises:
Step S10: detecting the traffic data between the server and the client in order to judge whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features, wherein, if suspicious data bearing WebShell features is present in the traffic data, it is determined that a WebShell is present in the traffic data;
A WebShell generally has obvious interactivity. For example, when file management is carried out through a WebShell, the usual process is that the intruder lists the directories and files on the server through the WebShell and then, on the basis of that information, decides to download some of those files or to upload malicious code into some directory, and so on; this process produces multiple web requests and responses. Therefore, as long as the commands or data carried over the network in these requests or responses can be identified, the process of accessing the WebShell can be detected. Accordingly, this embodiment identifies WebShells specifically from the web traffic data between the server and the client: the web traffic data is analysed in depth and combined with WebShell behavioural features in order to identify whether a WebShell is present in the traffic data.
It should be noted that the WebShell features referred to in this embodiment are specifically the features of the WebShell program file, whereas the WebShell behavioural features are specifically the behavioural features exhibited while the WebShell program runs.
In this embodiment, if suspicious data bearing WebShell features is present in the detected traffic data, it can be determined that a WebShell is present in that traffic data; the specific method and process of identification are not limited and are configured according to actual needs.
The above way of judging suspicious data bearing WebShell features is useful only for ordinary WebShell accesses and cannot identify certain special WebShell accesses with much accuracy. Analysis of WebShell behavioural features, on the other hand, can at least judge indirectly, from the intention and purpose of the operating behaviour, whether suspicious data that may bear WebShell behavioural features is present; it can also determine indirectly, from the operating behaviour corresponding to the operating commands in the traffic data, whether WebShell behavioural features such as uploading a file or executing specified code are present.
Step S20: if suspicious data bearing WebShell behavioural features is present in the traffic data, analysing the WebShell behavioural features corresponding to that suspicious data and, according to the analysis result, judging whether a WebShell is present in the traffic data.
In this embodiment, if suspicious data bearing WebShell behavioural features is present in the traffic data, then, in order to avoid misjudgement, that suspicious data bearing WebShell behavioural features must be analysed further, and according to the analysis result it is determined whether the operation bearing the WebShell behavioural features is an operation accessing a WebShell, that is, whether a WebShell is present in the detected traffic data. The way in which the suspicious data is analysed is not limited in this embodiment and is set according to actual needs.
Addressing the deficiencies of existing WebShell detection techniques, this embodiment performs a preliminary WebShell detection on the traffic data between the server and the client and then analyses that traffic in depth in combination with the operating-behaviour features of a WebShell, so as to judge and determine whether a WebShell program is present on the server or whether an external client is accessing a WebShell. This avoids the drawback that existing WebShell detection methods are easily bypassed, does not affect the operating stability of the server, and moreover greatly improves the accuracy of WebShell detection.
Referring to Fig. 2, Fig. 2 is a detailed flow chart of step S10 in Fig. 1. Based on the first embodiment of the method above, in this embodiment step S10 comprises:
Step S101: reading the packets between the server and the client and performing data-stream reassembly to obtain the traffic data corresponding to the reassembled packets;
Step S102: parsing the traffic data to obtain corresponding parsed data, the parsed data comprising at least one or more of URL data, form data, and data fed back by the server to the client;
Step S103: comparing the parsed data with the data in a preset WebShell feature database and, according to the comparison result, judging whether the traffic data contains suspicious data bearing WebShell features or WebShell behavioural features.
Under the communication protocol between the server and the client, for example HTTP, what is transmitted between server and client are usually packets, and the corresponding traffic data, for example HTTP traffic, can only be obtained by performing data-stream reassembly on the server side or the client side.
At the same time, in order to extract the feature data from the HTTP traffic, the traffic data must also be parsed, for example by performing TLS/SSL decryption (which presupposes that the detecting device terminates the TLS session or holds the server's private key) and removing the protocol encoding, so as to obtain the original URL data, form data, data fed back by the server to the client, and so on.
In this embodiment, the preset WebShell feature database contains feature data or feature-behaviour data such as URLs, cookies and form data related to WebShells; the parsed data obtained by parsing is compared with the feature database and, according to the comparison result, it is judged whether the detected traffic data contains suspicious data bearing WebShell features or WebShell behavioural features.
In this embodiment, the possible comparison results fall into the following three cases:
First case: the traffic data matches a known WebShell feature, in which case a WebShell is considered to have been detected;
Second case: the traffic data contains features of common WebShell behaviours (such as listing directories and files, uploading files, downloading sensitive data, executing commands, executing code, and so on), in which case further behaviour detection must be performed on this segment of traffic data, and according to the behaviour-detection result it is then judged whether the operation bearing the WebShell behavioural features is an operation accessing a WebShell;
Third case: the traffic data matches none of the WebShell features or WebShell behavioural features, in which case it is considered that no WebShell is present in the traffic data, or that no operation accessing a WebShell is present.
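The parsing step S102 and the comparison step S103 above, as an added example in Python that is not part of the patent or of any product of the assignee. The parser works on already reassembled HTTP messages; the feature database (the URL, cookie and form-field signatures standing in for "WebShell features", and the parameter names mapped to behaviour classes standing in for "WebShell behavioural features") and the three sample requests are hypothetical, constructed here to show the three comparison outcomes.

```python
"""Added example (not part of the patent): parse reassembled HTTP messages
and compare the parsed data with a WebShell feature database, yielding one
of the three comparison results: 'webshell', 'behaviour' or 'clean'.
All signatures and sample traffic below are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Behaviour classes named in the patent (step S202).
LIST_DIR, UPLOAD, DOWNLOAD, QUERY_DB, EXEC_CMD, EXEC_CODE = (
    "list_dir", "upload", "download", "query_db", "exec_cmd", "exec_code")

# Hypothetical "program file" features: where to look and what to match.
WEBSHELL_FEATURES = [
    ("url", re.compile(r"/[a-z0-9_]+\.php\?pass=", re.I)),   # hypothetical URL signature
    ("cookie", re.compile(r"\bshellsess=", re.I)),           # hypothetical cookie name
    ("form", re.compile(r"^(?:pwd|shellpass)$", re.I)),      # hypothetical form-field name
]
# Hypothetical behaviour features: (field-name pattern, value pattern, class).
BEHAVIOUR_FEATURES = [
    (re.compile(r"^(?:action|op)$", re.I), re.compile(r"^(?:ls|dir|list)$", re.I), LIST_DIR),
    (re.compile(r"^(?:action|op)$", re.I), re.compile(r"^(?:upload|put)$", re.I), UPLOAD),
    (re.compile(r"^(?:action|op)$", re.I), re.compile(r"^(?:download|get)$", re.I), DOWNLOAD),
    (re.compile(r"^(?:sql|query)$", re.I), re.compile(r"\b(?:select|union)\b", re.I), QUERY_DB),
    (re.compile(r"^(?:cmd|command)$", re.I), re.compile(r"."), EXEC_CMD),
    (re.compile(r"^(?:code|eval)$", re.I), re.compile(r"."), EXEC_CODE),
]


def parse_http(raw: bytes) -> dict:
    """Step S102: turn one reassembled HTTP/1.1 message into parsed data
    (direction, URL, form fields, cookie header, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body.decode("utf-8", "replace"), "form": {}}
    if start[0].startswith("HTTP/"):            # status line: feedback response
        msg["kind"], msg["status"] = "response", int(start[1])
    else:                                       # request line: access request
        msg["kind"], msg["method"], msg["url"] = "request", start[0], start[1]
        parts = urlsplit(start[1])
        msg["path"] = parts.path
        msg["form"] = {k: v[-1] for k, v in parse_qs(parts.query).items()}
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            msg["form"].update({k: v[-1] for k, v in parse_qs(msg["body"]).items()})
        msg["cookie"] = headers.get("cookie", "")
    return msg


def compare(msg: dict) -> tuple:
    """Step S103 on an access request. Returns ('webshell', []), ('behaviour',
    [classes]) or ('clean', []). Feedback responses are left to the second
    embodiment of S103, which needs the cached request."""
    if msg["kind"] != "request":
        return ("clean", [])
    haystacks = {"url": [msg["url"]], "cookie": [msg["cookie"]], "form": list(msg["form"])}
    for where, pattern in WEBSHELL_FEATURES:
        if any(pattern.search(text) for text in haystacks[where]):
            return ("webshell", [])              # first case: known WebShell feature
    classes = []
    for name_pat, value_pat, cls in BEHAVIOUR_FEATURES:
        for name, value in msg["form"].items():
            if name_pat.match(name) and value_pat.search(value) and cls not in classes:
                classes.append(cls)
    return ("behaviour", classes) if classes else ("clean", [])  # second / third case


SAMPLE_REQUESTS = {  # constructed sample traffic, not real captures
    "known": b"GET /img/cache.php?pass=x HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "listing": (b"POST /upload/tmp.php HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n\r\n"
                b"action=ls&dir=%2Fvar%2Fwww"),
    "normal": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\n"
               b"user=alice&password=pw1"),
}


def classify_samples() -> dict:
    """Run S102 + S103 over the constructed requests; one verdict per sample."""
    return {name: compare(parse_http(raw)) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:8s} -> {verdict}")
```

The behaviour rules match on field names and values rather than on the file name, which is the point of the second case: a renamed or obfuscated shell still has to send an "upload" or "ls" style command to be useful.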
Referring to Fig. 3, Fig. 3 is a detailed flow chart of the first embodiment of step S103 in Fig. 2. Based on the detailed embodiment of step S10 above, in this embodiment step S103 further comprises:
Step S1031: judging, according to the parsed data, whether the traffic data is an access request sent by the client to the server;
Step S1032: if it is an access request, comparing the parsed data with the data in the WebShell feature database, the WebShell feature database containing a number of WebShell features and WebShell behavioural features;
Step S1033: if the parsed data contains data matching the WebShell features, determining that the traffic data contains suspicious data bearing the WebShell features; if the parsed data contains data matching the WebShell behavioural features, determining that the traffic data contains suspicious data bearing the WebShell behavioural features.
In this embodiment, the detected traffic data may be an access request sent by the client to the server, or it may be a feedback response sent by the server to the client; specifically, which it is can be determined on the basis of HTTP from the relevant attributes in the parsed data.
In this embodiment, if the detected traffic data corresponds to an access request sent by the client to the server, whether the parsed data contains data matching the WebShell features can be determined directly by comparing the parsed data with the data in the WebShell feature database.
In this embodiment, if the parsed data contains data matching WebShell features, it is determined that the traffic data corresponding to the parsed data contains suspicious data bearing WebShell features; and if the parsed data contains data matching WebShell behavioural features, it is determined that the traffic data corresponding to the parsed data contains suspicious data bearing WebShell behavioural features. In addition, to make it easier to perform WebShell detection and judgement on the feedback response corresponding to the access request, in this embodiment the access request may optionally be cached when it is determined to bear WebShell behavioural features, so that a comprehensive judgement can be made together with the features of the feedback response.
Referring to Fig. 4, Fig. 4 is a detailed flow chart of the second embodiment of step S103 in Fig. 2. Based on the first embodiment of step S103 above, in this embodiment step S103 further comprises:
Step S1034: judging, according to the parsed data, whether the traffic data is a feedback response returned by the server to the client;
Step S1035: if it is a feedback response, judging whether the access request corresponding to the feedback response has been cached;
Step S1036: if the access request corresponding to the feedback response has not been cached, comparing the parsed data with the data in the WebShell feature database;
Step S1037: if the parsed data contains data matching the WebShell features, determining that the traffic data contains suspicious data bearing the WebShell features; if the parsed data contains data matching the WebShell behavioural features, determining that the traffic data contains suspicious data bearing the WebShell behavioural features;
In this embodiment, if the detected traffic data corresponds to a feedback response sent by the server to the client, it is first judged whether the access request corresponding to the feedback response has been cached, that is, whether the access request corresponding to the feedback response bears WebShell behavioural features; if so, it is then necessary to determine comprehensively, according to the WebShell behavioural features corresponding to that access request, whether the feedback response bears WebShell features or WebShell behavioural features.
If the access request corresponding to the feedback response has not been cached, the parsed data is compared with the data in the WebShell feature database to determine whether the parsed data contains data matching WebShell features. In this embodiment, if the parsed data contains data matching WebShell features, it is determined that the traffic data corresponding to the parsed data contains suspicious data bearing WebShell features; and if the parsed data contains data matching WebShell behavioural features, it is determined that the traffic data corresponding to the parsed data contains suspicious data bearing WebShell behavioural features.
Step S1038: if the access request corresponding to the feedback response has been cached, reading the cached access request corresponding to the feedback response and comparing the parsed data with the WebShell behavioural features possessed by that access request;
Step S1039: if the parsed data contains data matching the WebShell behavioural features possessed by the access request, determining that the traffic data contains suspicious data bearing the WebShell behavioural features.
In addition, in this embodiment, if the access request corresponding to the feedback response has been cached, that access request is read and the parsed data corresponding to the feedback response is compared with the WebShell behavioural features possessed by the access request; if the parsed data corresponding to the feedback response contains data matching the WebShell behavioural features possessed by the access request, it is determined that the detected traffic data contains suspicious data bearing WebShell behavioural features.
In this embodiment, WebShell behaviour is usually initiated by the client; therefore, when WebShell detection is performed on a feedback response, whether the feedback response belongs to a WebShell must be determined according to the WebShell behavioural features possessed by the access request corresponding to it, which raises the accuracy of WebShell detection. At the same time, performing WebShell detection on both the access request and the feedback response makes the detection more comprehensive.
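The request cache and the request/response correlation of steps S1034 to S1039, as an added example (not code from the patent or from the assignee). The messages are the parsed dictionaries the parsing step would yield; the response-side patterns expected for each behaviour class, the program-file signature checked when no request was cached, the flow identifiers and the sample exchange are all hypothetical and constructed here.

```python
"""Added example (not part of the patent): cache access requests that bear
behaviour features and judge each feedback response against the behaviour
classes of its cached request (S1038/S1039), or directly against the feature
database when nothing was cached (S1036/S1037). Patterns and sample
messages are constructed for illustration."""
import re

LIST_DIR, UPLOAD, DOWNLOAD, EXEC_CMD = "list_dir", "upload", "download", "exec_cmd"

# Hypothetical response-side evidence that confirms each behaviour class.
RESPONSE_FEATURES = {
    LIST_DIR: re.compile(r"^[-dl][rwx-]{9}\s+\S+", re.M),   # unix-style listing lines
    EXEC_CMD: re.compile(r"^uid=\d+\(", re.M),               # e.g. output of `id`
    UPLOAD: re.compile(r"upload(?:ed)?\s+(?:ok|success)", re.I),
}
# Hypothetical program-file signature applied to responses with no cached request.
RESPONSE_WEBSHELL_FEATURES = [re.compile(r"<title>[^<]*shell[^<]*</title>", re.I)]


def response_matches(cls: str, resp: dict) -> bool:
    """Does this feedback response show the evidence expected for class `cls`?"""
    if cls == DOWNLOAD:  # a file download is visible in the headers, not the body
        return resp["headers"].get("content-disposition", "").startswith("attachment")
    pattern = RESPONSE_FEATURES.get(cls)
    return bool(pattern and pattern.search(resp["body"]))


class Correlator:
    """One slot per flow: the request judged to bear behaviour features waits
    here until its feedback response arrives on the same flow."""

    def __init__(self):
        self.cache = {}  # flow id -> (parsed request, behaviour classes)

    def on_request(self, flow: str, req: dict, classes: list) -> None:
        """Step S1033 (optional caching): keep requests with behaviour features."""
        if classes:
            self.cache[flow] = (req, list(classes))

    def on_response(self, flow: str, resp: dict) -> tuple:
        """Steps S1034-S1039: judge a feedback response."""
        cached = self.cache.pop(flow, None)
        if cached is None:  # S1036/S1037: compare with the feature database directly
            if any(p.search(resp["body"]) for p in RESPONSE_WEBSHELL_FEATURES):
                return ("webshell", [])
            return ("clean", [])
        _req, classes = cached  # S1038/S1039: compare with the request's classes
        confirmed = [cls for cls in classes if response_matches(cls, resp)]
        return ("behaviour", confirmed) if confirmed else ("clean", [])


SAMPLE_FLOWS = [  # constructed, in arrival order: (flow id, parsed message, request classes)
    ("10.0.0.5:51000",
     {"kind": "request", "url": "/upload/tmp.php", "form": {"action": "ls"}}, [LIST_DIR]),
    ("10.0.0.5:51000",
     {"kind": "response", "status": 200, "headers": {},
      "body": "drwxr-xr-x  www-data  4096 .\n-rw-r--r--  www-data  1203 index.php\n"}, []),
    ("10.0.0.7:51002",
     {"kind": "request", "url": "/index.php", "form": {"page": "1"}}, []),
    ("10.0.0.7:51002",
     {"kind": "response", "status": 200, "headers": {"content-type": "text/html"},
      "body": "<html><title>Welcome</title></html>"}, []),
]


def run_exchange(events=SAMPLE_FLOWS) -> list:
    """Feed the sample exchange through the correlator; one verdict per response."""
    correlator = Correlator()
    verdicts = []
    for flow, msg, classes in events:
        if msg["kind"] == "request":
            correlator.on_request(flow, msg, classes)
        else:
            verdicts.append((flow, correlator.on_response(flow, msg)))
    return verdicts


if __name__ == "__main__":
    for flow, verdict in run_exchange():
        print(flow, verdict)
```

The cache holds a single request per flow and is consumed by the next response on that flow, which is enough for the request/response pairing the patent describes; a deployment that sees HTTP pipelining or multiplexing on one connection would need a per-flow queue keyed in arrival order instead.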
Referring to Fig. 5, Fig. 5 is a schematic flowchart of the second embodiment of the WebShell detection method of the present invention. Based on the first embodiment of the method described above, in this embodiment the above step S20 includes:
Step S201: if the traffic data contain suspicious data having WebShell behavioral features, classify and record the WebShell behavioral features in the traffic data;
Step S202: according to the one or more classification records made for the WebShell behavioral features, judge whether the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior; if the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior, determine that a WebShell is present in the traffic data;
where the WebShell behavioral features include at least any one of listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands, and executing code; if two or more of the WebShell behavioral features are present in the classification records, it is determined that the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior.
In this embodiment, suspicious data having WebShell behavioral features must undergo behavioral analysis, specifically as follows. The WebShell behavioral features in the traffic data are first classified and recorded, for example into the following categories: listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands, executing code, and so on. The number of recorded behavior categories is then analyzed. It should be noted that, in practice, normal behavior generally involves only one of the behaviors among the WebShell behavioral features; therefore, if detection finds that two or more classes of WebShell behavioral features have been recorded in the analysis record corresponding to one or more pieces of traffic data, the operation having those WebShell behavioral features can be determined to be a WebShell access operation.
Of course, the behavioral analysis of suspicious data having WebShell behavioral features in this embodiment is not limited to the above manner. For example, the order in which the behaviors of the various WebShell behavioral features are executed, their execution frequency per unit time, and so on, may also be analyzed in order to comprehensively determine whether the operation having the WebShell behavioral features is a WebShell access operation.
Referring to Fig. 6, Fig. 6 is a functional block diagram of an embodiment of the WebShell detection device of the present invention. In this embodiment, the WebShell detection device includes:
a detection module 10, configured to detect the traffic data between a server and a client in order to judge whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features, where, if the traffic data contain suspicious data having WebShell features, it is determined that a WebShell is present in the traffic data;
In this embodiment, WebShells are identified specifically by detecting the web traffic data between the server and the client: the web traffic data are analyzed in depth and combined with WebShell behavioral features to identify whether a WebShell is present in the traffic data.
In this embodiment, if the detected traffic data contain suspicious data having WebShell features, it can be determined that a WebShell is present in the traffic data. The specific identification method and process are not limited and are configured according to actual needs.
The above way of judging suspicious data by WebShell features is useful only for ordinary WebShell access; some special WebShell accesses cannot be identified accurately in this way. Analysis of WebShell behavioral features, however, can at least indirectly analyze the intent and purpose of the operation behavior and judge that suspicious data possibly having WebShell behavioral features are present; it can also indirectly determine, from the operation behavior corresponding to the operation instruction in the traffic data, whether WebShell behavioral features such as uploading a file or executing specified code are present.
an analysis module 20, configured to, if the traffic data contain suspicious data having WebShell behavioral features, analyze the WebShell behavioral features corresponding to the suspicious data and, according to the analysis result, judge whether the operation having the WebShell behavioral features is a WebShell access operation.
In this embodiment, if the traffic data contain suspicious data having WebShell behavioral features, then, to avoid misjudgment, the suspicious data having WebShell behavioral features must be analyzed further, and whether the operation having the WebShell behavioral features is a WebShell access operation is determined according to the analysis result. The manner in which this embodiment analyzes the suspicious data is not limited and is configured according to actual needs.
This embodiment addresses the shortcomings of existing WebShell detection techniques. It performs a preliminary WebShell detection by detecting the traffic data between the server and the client, then analyzes in depth in combination with the operation-behavior features of WebShells, so as to judge and determine whether a WebShell program is present on the server or whether an external client is performing WebShell access operations. This avoids the drawback that existing WebShell detection methods are easily bypassed, does not affect the operational stability of the server, and also greatly improves the accuracy of WebShell detection.
Referring to Fig. 7, Fig. 7 is a refined functional block diagram of the detection module in Fig. 6. Based on the first embodiment of the device described above, in this embodiment the above detection module 10 includes:
a reading submodule 101, configured to read the data packets between the server and the client and perform data-stream reassembly to obtain the traffic data corresponding to the reassembled packets;
a parsing submodule 102, configured to parse the traffic data to obtain corresponding parsed data, where the parsed data include at least one or more of URL data, form data, and the data that the server feeds back to the client;
a comparison submodule 103, configured to compare the parsed data with the data in a preset WebShell feature database and, according to the comparison result, judge whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features.
Because communication between the server and the client is based on a communication protocol such as HTTP, what is transmitted between the server and the client is usually data packets; the corresponding traffic data, for example HTTP traffic, are obtained only after data-stream reassembly is performed at the server or the client.
At the same time, to further obtain the feature data in the HTTP traffic, the traffic data must also be parsed, for example by performing TLS/SSL decryption and removing protocol encoding, so as to obtain the original URL data, form data, the data the server feeds back to the client, and so on.
In this embodiment, the preset WebShell feature database contains WebShell-related feature data or characteristic behavior data such as URLs, cookies, and form data, so that the parsed data obtained by parsing can be compared with the feature database and, according to the comparison result, it can be judged whether the detected traffic data contain suspicious data having WebShell features or WebShell behavioral features.
In this embodiment, the possible comparison results include the following three cases:
First case: the traffic data match a known WebShell feature, in which case a WebShell is considered detected.
Second case: the traffic data contain features of common WebShell behaviors (such as listing directories and files, uploading files, downloading sensitive data, executing commands, executing code, and so on), in which case this segment of traffic data requires further behavioral detection, and whether the operation having the WebShell behavioral features is a WebShell access operation is then judged according to the behavioral detection result.
Third case: the traffic data match neither a WebShell feature nor a WebShell behavioral feature, in which case it is considered that neither a WebShell nor a WebShell access operation is present in the traffic data.
Referring to Fig. 8, Fig. 8 is a refined functional block diagram of the comparison submodule in Fig. 7. Based on the refined embodiment of the detection module described above, in this embodiment the above comparison submodule 103 includes:
a judging unit 1031, configured to judge, according to the parsed data, whether the traffic data are an access request sent by the client to the server;
a comparing unit 1032, configured to, if the traffic data are the access request, compare the parsed data with the data in the WebShell feature database, where the WebShell feature database includes a number of WebShell features and WebShell behavioral features;
a determining unit 1033, configured to, if the parsed data contain data matching the WebShell features, determine that the traffic data contain suspicious data having the WebShell features, and, if the parsed data contain data matching the WebShell behavioral features, determine that the traffic data contain suspicious data having the WebShell behavioral features.
In this embodiment, the detected traffic data may be an access request sent by the client to the server, or they may be a feedback response sent by the server to the client; specifically, on the basis of HTTP, this can be determined from the relevant attributes in the parsed data.
In this embodiment, if the detected traffic data correspond to an access request sent by the client to the server, whether the parsed data contain data matching the WebShell features can be determined directly by comparing the parsed data with the data in the WebShell feature database.
In this embodiment, if the parsed data contain data matching WebShell features, it is determined that the traffic data corresponding to the parsed data contain suspicious data having WebShell features; and if the parsed data contain data matching WebShell behavioral features, it is determined that the traffic data corresponding to the parsed data contain suspicious data having WebShell behavioral features. In addition, to facilitate WebShell detection and judgment on the feedback response corresponding to the access request, in this embodiment, when it is determined that an access request has WebShell behavioral features, the access request is cached so that a comprehensive judgment can be made in combination with the features of the response to that request.
Optionally, in an embodiment of the WebShell detection device of the present invention, based on the refined embodiment of the comparison submodule described above, in this embodiment the judging unit 1031 is further configured to: judge, according to the parsed data, whether the traffic data are a feedback response returned by the server to the client; and, if the traffic data are the feedback response, judge whether the access request corresponding to the feedback response has been cached;
the comparing unit 1032 is further configured to: if the access request corresponding to the feedback response has not been cached, compare the parsed data with the data in the WebShell feature database;
the determining unit 1033 is further configured to: if the parsed data contain data matching the WebShell features, determine that the traffic data contain suspicious data having the WebShell features; and if the parsed data contain data matching the WebShell behavioral features, determine that the traffic data contain suspicious data having the WebShell behavioral features;
In this embodiment, if the detected traffic data correspond to a feedback response sent by the server to the client, it is first judged whether the access request corresponding to the feedback response has been cached, that is, whether the access request corresponding to the feedback response has WebShell behavioral features. If so, the WebShell behavioral features corresponding to the access request are needed in order to comprehensively analyze and determine whether the feedback response has WebShell features or WebShell behavioral features.
If the access request corresponding to the feedback response has not been cached, the parsed data are compared with the data in the WebShell feature database to determine whether the parsed data contain data that match WebShell features. In this embodiment, if the parsed data contain data matching WebShell features, it is determined that the traffic data corresponding to the parsed data contain suspicious data having WebShell features; and if the parsed data contain data matching WebShell behavioral features, it is determined that the traffic data corresponding to the parsed data contain suspicious data having WebShell behavioral features.
In addition, the comparing unit 1032 is further configured to: if the access request corresponding to the feedback response has been cached, read the cached access request corresponding to the feedback response and compare the parsed data with the WebShell behavioral features possessed by that access request;
the determining unit 1033 is further configured to: if the parsed data contain data matching the WebShell behavioral features possessed by the access request, determine that the traffic data contain suspicious data having those WebShell behavioral features.
In this embodiment, if the access request corresponding to the feedback response has been cached, the access request corresponding to the feedback response is read, and the parsed data of the feedback response are then compared with the WebShell behavioral features possessed by that access request. If the parsed data of the feedback response contain data matching the WebShell behavioral features possessed by the access request, it is determined that the detected traffic data contain suspicious data having WebShell behavioral features.
In this embodiment, WebShell behavior is usually initiated by the client. Therefore, when WebShell detection is performed on a feedback response, whether the feedback response belongs to a WebShell must be determined according to the WebShell behavioral features possessed by the access request corresponding to that feedback response. This raises the accuracy of WebShell detection; at the same time, performing WebShell detection on both the access request and the feedback response makes the detection more comprehensive.
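The detection module just described (parsing submodule, comparison submodule with its three outcomes, and the request cache that lets a feedback response be judged against the behavioral features of the access request before it) can be written out as a small pipeline. The following is an added example, not code from the patent or from the assignee's product. The feature database entries (a known URL path, cookie name and form field, and the parameter values that map onto the page's behavior categories), the response indicators, the connection id used to pair a response with its request, and all sample messages are assumptions constructed for the example; the messages are taken as already reassembled, so the reading submodule is not modelled.

```python
"""Constructed example of the page's detection module: parse reassembled HTTP
messages, compare them with a preset feature database, and correlate a
feedback response with the cached access request on the same connection.
All database values, patterns and sample traffic are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# The three comparison outcomes described for the comparison submodule.
WEBSHELL = "webshell"        # first case: a known WebShell feature matched
SUSPICIOUS = "suspicious"    # second case: behavioral feature, needs behavioral analysis
NO_MATCH = "no_match"        # third case: neither matched

# Constructed feature database (assumed values, not a vendor's rules).
FEATURE_DB = {
    "known_url_paths": {"/uploads/cache.php"},   # constructed known-WebShell URL
    "known_cookie_names": {"shellauth"},         # constructed known-WebShell cookie
    "known_form_fields": {"x_shell_token"},      # constructed known-WebShell form field
    # Request parameter values that indicate one of the behavior categories on the page.
    "behavior_values": {
        "list": "list_dir_and_files", "upload": "upload_file",
        "download": "download_sensitive_data", "sql": "query_database",
        "exec": "execute_command", "eval": "execute_code",
    },
}

# What a response body looks like when the requested behavior actually ran
# (constructed indicators; categories without an entry cannot be confirmed from the body).
RESPONSE_INDICATORS = {
    "list_dir_and_files": re.compile(r"(?m)^[d-][rwx-]{9}\s"),         # ls -l style rows
    "execute_command": re.compile(r"\buid=\d+\([^)]*\)\s+gid=\d+"),     # id(1) style output
}


def parse_http(raw: str) -> dict:
    """Parsing submodule: split one reassembled HTTP/1.1 message into parsed data."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start.startswith("HTTP/"):                      # server -> client feedback response
        return {"kind": "response", "status": int(start.split()[1]),
                "headers": headers, "body": body}
    method, target, _version = start.split(" ", 2)     # client -> server access request
    url = urlsplit(target)
    cookies = dict(p.strip().split("=", 1)
                   for p in headers.get("cookie", "").split(";") if "=" in p)
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"kind": "request", "method": method, "path": url.path,
            "query": {k: v[0] for k, v in parse_qs(url.query).items()},
            "cookies": cookies, "form": form}


class ComparisonSubmodule:
    """Comparison submodule plus the request cache used to judge feedback responses."""

    def __init__(self, db=FEATURE_DB):
        self.db = db
        self._cache = {}  # connection id -> behavior categories of the pending request

    def inspect(self, conn_id: str, message: str):
        """Return (verdict, behavior categories) for one message on a connection.
        conn_id is assumed to identify the TCP connection (client addr:port to
        server addr:port), so a response is paired with the request before it."""
        parsed = parse_http(message)
        if parsed["kind"] == "request":
            return self._inspect_request(conn_id, parsed)
        return self._inspect_response(conn_id, parsed)

    def _inspect_request(self, conn_id, req):
        if (req["path"] in self.db["known_url_paths"]
                or self.db["known_cookie_names"] & set(req["cookies"])
                or self.db["known_form_fields"] & set(req["form"])):
            return WEBSHELL, frozenset()                 # first case: known feature
        values = list(req["query"].values()) + list(req["form"].values())
        behaviors = frozenset(self.db["behavior_values"][v] for v in values
                              if v in self.db["behavior_values"])
        if behaviors:
            self._cache[conn_id] = behaviors             # cache it for the response judgment
            return SUSPICIOUS, behaviors                 # second case
        return NO_MATCH, frozenset()                     # third case

    def _inspect_response(self, conn_id, resp):
        cached = self._cache.pop(conn_id, None)
        # Cached request: confirm only its behaviors. Uncached: compare the body
        # with every behavior indicator in the database.
        candidates = cached if cached is not None else RESPONSE_INDICATORS.keys()
        confirmed = frozenset(c for c in candidates if c in RESPONSE_INDICATORS
                              and RESPONSE_INDICATORS[c].search(resp["body"]))
        return (SUSPICIOUS, confirmed) if confirmed else (NO_MATCH, frozenset())


# Constructed sample traffic (already reassembled), not a capture from any real system.
CONN = "10.0.0.5:51234->10.0.0.1:80"
REQ_LIST = ("POST /img/view.php HTTP/1.1\r\nHost: example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nCookie: sess=abc\r\n\r\n"
            "action=list&dir=/var/www")
RESP_LIST = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
             "drwxr-xr-x 2 www www 4096 index.php\r\n-rw-r--r-- 1 www www 812 config.php\r\n")
REQ_KNOWN = "GET /uploads/cache.php?x=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_BENIGN = "GET /index.php?page=home HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP_BENIGN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Home</body></html>"


def demo():
    """Run the five constructed messages, in order, through one submodule instance."""
    sub = ComparisonSubmodule()
    return [sub.inspect(CONN, m) for m in (REQ_LIST, RESP_LIST, REQ_KNOWN, REQ_BENIGN, RESP_BENIGN)]


if __name__ == "__main__":
    for verdict, behaviors in demo():
        print(verdict, sorted(behaviors))
```

The request with `action=list` falls into the second case and is cached; the directory-listing response that follows on the same connection is then confirmed against that request's behavior category rather than against the whole database, which is the correlation the page describes. The `SUSPICIOUS` outcomes are what the analysis module consumes next; only the known-feature hit is reported as a WebShell at this stage.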
Referring to Fig. 9, Fig. 9 is a refined functional block diagram of the analysis module in Fig. 6. Based on the first embodiment of the device described above, in this embodiment the analysis module 20 includes:
a classification unit 201, configured to, if the traffic data contain suspicious data having WebShell behavioral features, classify and record the WebShell behavioral features in the traffic data;
an analysis unit 202, configured to judge, according to the one or more classification records made for the WebShell behavioral features, whether the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior and, if the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior, determine that a WebShell is present in the traffic data, where the WebShell behavioral features include at least any one of listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands, and executing code, and, if two or more of the WebShell behavioral features are present in the classification records, it is determined that the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior.
In this embodiment, suspicious data having WebShell behavioral features must undergo behavioral analysis, specifically as follows. The WebShell behavioral features in the traffic data are first classified and recorded, for example into the following categories: listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands, executing code, and so on. The number of recorded behavior categories is then analyzed. It should be noted that, in practice, normal behavior generally involves only one of the behaviors among the WebShell behavioral features; therefore, if detection finds that two or more classes of WebShell behavioral features have been recorded in the analysis record corresponding to one or more pieces of traffic data, the operation having those WebShell behavioral features can be determined to be a WebShell access operation. Of course, the behavioral analysis of suspicious data having WebShell behavioral features in this embodiment is not limited to the above manner; for example, the order in which the behaviors of the various WebShell behavioral features are executed, their execution frequency per unit time, and so on, may also be analyzed in order to comprehensively determine whether the operation having the WebShell behavioral features is a WebShell access operation.
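The behavioral-analysis step, described for the method in steps S201 and S202 and again above for the classification unit 201 and analysis unit 202, amounts to keeping a per-session classification record and declaring the record abnormal once it holds two or more distinct categories. The following is an added example, not code from the patent or its assignee. The session key (client address plus target URL), the sample records, and the threshold used for the page's execution-frequency variant are assumptions; the "two or more categories" rule is the one the page states.

```python
"""Constructed example of the page's analysis module: a classification unit that
files behavior features per session, and an analysis unit that judges the record
abnormal when two or more distinct categories appear (the page's rule) or when the
execution rate in a window is high (the page's alternative, with an assumed threshold)."""
from collections import defaultdict
from dataclasses import dataclass

# The behavior categories the page lists.
BEHAVIOR_CATEGORIES = frozenset({
    "list_dir_and_files", "upload_file", "download_sensitive_data",
    "query_database", "execute_command", "execute_code",
})


@dataclass(frozen=True)
class BehaviorRecord:
    session: str      # assumed key: "<client address> <target URL>"
    timestamp: float  # seconds on any monotonic clock
    category: str     # one of BEHAVIOR_CATEGORIES


class BehaviorAnalyzer:
    def __init__(self, distinct_threshold=2, rate_window=60.0, rate_threshold=20):
        # distinct_threshold follows the page ("two or more"); the rate parameters
        # are assumed values for the page's frequency-per-unit-time variant.
        self.distinct_threshold = distinct_threshold
        self.rate_window = rate_window
        self.rate_threshold = rate_threshold
        self._records = defaultdict(list)  # session -> [BehaviorRecord]

    def record(self, rec: BehaviorRecord) -> None:
        """Classification unit: file the feature under its category for the session."""
        if rec.category not in BEHAVIOR_CATEGORIES:
            raise ValueError(f"unknown behavior category: {rec.category}")
        self._records[rec.session].append(rec)

    def sessions(self):
        return sorted(self._records)

    def categories(self, session: str) -> frozenset:
        return frozenset(r.category for r in self._records.get(session, ()))

    def peak_rate(self, session: str) -> int:
        """Most records (any category) inside one sliding window of rate_window seconds."""
        times = sorted(r.timestamp for r in self._records.get(session, ()))
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > self.rate_window:
                start += 1
            best = max(best, end - start + 1)
        return best

    def is_abnormal(self, session: str) -> bool:
        """Analysis unit: the page's rule (>= 2 distinct categories) or the rate variant."""
        return (len(self.categories(session)) >= self.distinct_threshold
                or self.peak_rate(session) >= self.rate_threshold)

    def verdict(self, session: str) -> str:
        if not self._records.get(session):
            return "no_behavior"
        return "webshell" if self.is_abnormal(session) else "single_behavior"


# Constructed sample records (not from any real capture).
SAMPLE_RECORDS = [
    # Session A: directory listings followed by a command execution -> two categories.
    BehaviorRecord("10.0.0.5 /img/view.php", 1000.0, "list_dir_and_files"),
    BehaviorRecord("10.0.0.5 /img/view.php", 1004.5, "list_dir_and_files"),
    BehaviorRecord("10.0.0.5 /img/view.php", 1009.0, "execute_command"),
    # Session B: a single upload, as an ordinary user might do -> one category.
    BehaviorRecord("10.0.0.7 /profile/avatar", 1100.0, "upload_file"),
]
# Session C: one category only, but 25 database queries within 25 seconds.
SAMPLE_RECORDS += [BehaviorRecord("10.0.0.9 /api/search", 1200.0 + i, "query_database")
                   for i in range(25)]


def analyze(records=SAMPLE_RECORDS):
    """Feed records through one analyzer and return the verdict per session."""
    analyzer = BehaviorAnalyzer()
    for rec in records:
        analyzer.record(rec)
    return {s: analyzer.verdict(s) for s in analyzer.sessions()}


if __name__ == "__main__":
    for session, verdict in analyze().items():
        print(f"{session}: {verdict}")
```

Session A is flagged by the page's distinct-category rule alone; session B stays a single behavior, which the page treats as the normal case; session C shows the frequency variant, where a single category becomes abnormal only because of the assumed rate threshold, so that threshold is the parameter to tune against a site's real traffic before relying on it.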
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention. Any equivalent structural or equivalent flow transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A WebShell detection method, characterized in that the WebShell detection method includes:
detecting the traffic data between a server and a client to judge whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features, where, if the traffic data contain suspicious data having WebShell features, it is determined that a WebShell is present in the traffic data;
if the traffic data contain suspicious data having WebShell behavioral features, analyzing the WebShell behavioral features corresponding to the suspicious data and, according to the analysis result, judging whether a WebShell is present in the traffic data.
2. The WebShell detection method according to claim 1, characterized in that detecting the traffic data between the server and the client to judge whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features includes:
reading the data packets between the server and the client and performing data-stream reassembly to obtain the traffic data corresponding to the reassembled packets;
parsing the traffic data to obtain corresponding parsed data, where the parsed data include at least one or more of URL data, form data, and the data that the server feeds back to the client;
comparing the parsed data with the data in a preset WebShell feature database and, according to the comparison result, judging whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features.
3. The WebShell detection method according to claim 2, characterized in that comparing the parsed data with the data in the preset WebShell feature database and, according to the comparison result, judging whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features includes:
judging, according to the parsed data, whether the traffic data are an access request sent by the client to the server;
if they are the access request, comparing the parsed data with the data in the WebShell feature database, where the WebShell feature database includes a number of WebShell features and WebShell behavioral features;
if the parsed data contain data matching the WebShell features, determining that the traffic data contain suspicious data having the WebShell features; and if the parsed data contain data matching the WebShell behavioral features, determining that the traffic data contain suspicious data having the WebShell behavioral features.
4. The WebShell detection method according to claim 2, characterized in that comparing the parsed data with the data in the preset WebShell feature database and, according to the comparison result, judging whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features includes:
judging, according to the parsed data, whether the traffic data are a feedback response returned by the server to the client;
if they are the feedback response, judging whether the access request corresponding to the feedback response has been cached;
if the access request corresponding to the feedback response has not been cached, comparing the parsed data with the data in the WebShell feature database;
if the parsed data contain data matching the WebShell features, determining that the traffic data contain suspicious data having the WebShell features; and if the parsed data contain data matching the WebShell behavioral features, determining that the traffic data contain suspicious data having the WebShell behavioral features; or
if the access request corresponding to the feedback response has been cached, reading the cached access request corresponding to the feedback response and comparing the parsed data with the WebShell behavioral features possessed by the access request;
if the parsed data contain data matching the WebShell behavioral features possessed by the access request, determining that the traffic data contain suspicious data having the WebShell behavioral features.
5. The WebShell detection method according to any one of claims 1 to 4, characterized in that, if the traffic data contain suspicious data having WebShell behavioral features, analyzing the WebShell behavioral features corresponding to the suspicious data and, according to the analysis result, judging whether a WebShell is present in the traffic data includes:
if the traffic data contain suspicious data having WebShell behavioral features, classifying and recording the WebShell behavioral features in the traffic data;
judging, according to the one or more classification records made for the WebShell behavioral features, whether the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior, and, if the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior, determining that a WebShell is present in the traffic data;
where the WebShell behavioral features include at least any one of listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands, and executing code, and, if two or more of the WebShell behavioral features are present in the classification records, it is determined that the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior.
6. A WebShell detection device, characterized in that the WebShell detection device includes:
a detection module, configured to detect the traffic data between a server and a client to judge whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features, where, if the traffic data contain suspicious data having WebShell features, it is determined that a WebShell is present in the traffic data;
an analysis module, configured to, if the traffic data contain suspicious data having WebShell behavioral features, analyze the WebShell behavioral features corresponding to the suspicious data and, according to the analysis result, judge whether a WebShell is present in the traffic data.
7. The WebShell detection device according to claim 6, characterized in that the detection module includes:
a reading submodule, configured to read the data packets between the server and the client and perform data-stream reassembly to obtain the traffic data corresponding to the reassembled packets;
a parsing submodule, configured to parse the traffic data to obtain corresponding parsed data, where the parsed data include at least one or more of URL data, form data, and the data that the server feeds back to the client;
a comparison submodule, configured to compare the parsed data with the data in a preset WebShell feature database and, according to the comparison result, judge whether the traffic data contain suspicious data having WebShell features or WebShell behavioral features.
8. The WebShell detection device according to claim 7, characterized in that the comparison submodule includes:
a judging unit, configured to judge, according to the parsed data, whether the traffic data are an access request sent by the client to the server;
a comparing unit, configured to, if the traffic data are the access request, compare the parsed data with the data in the WebShell feature database, where the WebShell feature database includes a number of WebShell features and WebShell behavioral features;
a determining unit, configured to, if the parsed data contain data matching the WebShell features, determine that the traffic data contain suspicious data having the WebShell features, and, if the parsed data contain data matching the WebShell behavioral features, determine that the traffic data contain suspicious data having the WebShell behavioral features.
9. The WebShell detection device according to claim 7, characterized in that:
the judging unit is further configured to judge, according to the parsed data, whether the traffic data are a feedback response returned by the server to the client and, if the traffic data are the feedback response, to judge whether the access request corresponding to the feedback response has been cached;
the comparing unit is further configured to, if the access request corresponding to the feedback response has not been cached, compare the parsed data with the data in the WebShell feature database;
the determining unit is further configured to, if the parsed data contain data matching the WebShell features, determine that the traffic data contain suspicious data having the WebShell features, and, if the parsed data contain data matching the WebShell behavioral features, determine that the traffic data contain suspicious data having the WebShell behavioral features;
the comparing unit is further configured to, if the access request corresponding to the feedback response has been cached, read the cached access request corresponding to the feedback response and compare the parsed data with the WebShell behavioral features possessed by the access request;
the determining unit is further configured to, if the parsed data contain data matching the WebShell behavioral features possessed by the access request, determine that the traffic data contain suspicious data having the WebShell behavioral features.
10. The WebShell detection device according to any one of claims 6 to 9, characterized in that the analysis module includes:
a classification unit, configured to, if the traffic data contain suspicious data having WebShell behavioral features, classify and record the WebShell behavioral features in the traffic data;
an analysis unit, configured to judge, according to the one or more classification records made for the WebShell behavioral features, whether the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior and, if the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior, determine that a WebShell is present in the traffic data, where the WebShell behavioral features include at least any one of listing directories and files, uploading files, downloading sensitive data, querying a database, executing commands, and executing code, and, if two or more of the WebShell behavioral features are present in the classification records, it is determined that the operation behavior corresponding to the recorded WebShell behavioral features is abnormal behavior.
Application CN201610635353.8A, "WebShell detection method and device", priority date 2016-08-04, filing date 2016-08-04, status Active, granted as CN107689940B (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610635353.8A | 2016-08-04 | 2016-08-04 | WebShell detection method and device

Publications (2)

Publication Number | Publication Date
CN107689940A (application) | 2018-02-13
CN107689940B (grant) | 2021-03-09

Family

ID=61151707

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201610635353.8A (Active, granted as CN107689940B) | WebShell detection method and device | 2016-08-04 | 2016-08-04

Country Status (1)

Country | Link
CN | CN107689940B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102647421A (en) * 2012-04-09 2012-08-22 北京百度网讯科技有限公司 Web back door detection method and device based on behavioral characteristics
CN103607413A (en) * 2013-12-05 2014-02-26 北京奇虎科技有限公司 Method and device for detecting website backdoor program
CN103839008A (en) * 2014-03-21 2014-06-04 彭岸峰 Immune safety service for one-word script backdoors and PHP variable function backdoors
CN105812196A (en) * 2014-12-30 2016-07-27 中国移动通信集团公司 WebShell detection method and electronic device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
迷路的指南针: "Webshell Security Detection, Part 1: Traffic-based Detection", https://www.sec-un.org/webshell-security-testing-1-based-traffic-detection/ *
迷路的指南针: "Webshell Security Detection, Part 3: Finding 'Unknown Webshells' through Behaviour Analysis", https://www.sec-un.org/webshell-security-detection-3-based-on-behavioral-analysis-to-discover-unknown-webshell/ *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602030A (en) * 2019-05-16 2019-12-20 上海云盾信息技术有限公司 Network intrusion blocking method, server and computer readable medium
CN113132329A (en) * 2019-12-31 2021-07-16 深信服科技股份有限公司 WEBSHELL detection method, device, equipment and storage medium
CN113132341A (en) * 2020-01-16 2021-07-16 深信服科技股份有限公司 Network attack behavior detection method and device, electronic equipment and storage medium
CN113132341B (en) * 2020-01-16 2023-03-21 深信服科技股份有限公司 Network attack behavior detection method and device, electronic equipment and storage medium
CN113746784A (en) * 2020-05-29 2021-12-03 深信服科技股份有限公司 Data detection method, system and related equipment
CN113746784B (en) * 2020-05-29 2023-04-07 深信服科技股份有限公司 Data detection method, system and related equipment
CN111800405A (en) * 2020-06-29 2020-10-20 深信服科技股份有限公司 Detection method, detection device and storage medium
CN114465741A (en) * 2020-11-09 2022-05-10 腾讯科技(深圳)有限公司 Anomaly detection method and device, computer equipment and storage medium
CN114465741B (en) * 2020-11-09 2023-09-26 腾讯科技(深圳)有限公司 Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN112491882A (en) * 2020-11-27 2021-03-12 泰康保险集团股份有限公司 Webshell detection method, webshell detection device, webshell detection medium and electronic equipment
CN113961913A (en) * 2021-09-27 2022-01-21 北京东方通科技股份有限公司 Detection method and system applied to cross-domain security

Also Published As

Publication number Publication date
CN107689940B (en) 2021-03-09

Similar Documents

Publication Publication Date Title
CN107689940A (en) WebShell detection method and device
US10104095B2 (en) Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications
JP4358188B2 (en) Invalid click detection device in Internet search engine
CN109922052A (en) A malicious URL detection method combining multiple features
US9215245B1 (en) Exploration system and method for analyzing behavior of binary executable programs
CN110602029B (en) Method and system for identifying network attack
US20070255818A1 (en) Method of detecting unauthorized access to a system or an electronic device
US20240015173A1 (en) Techniques for clickstream tracking across browser tabs
US20100153539A1 (en) Algorithm for classification of browser links
RU2697950C2 (en) System and method of detecting latent behaviour of browser extension
CN108156131A (en) Webshell detection methods, electronic equipment and computer storage media
CN108337269B (en) WebShell detection method
CN101964026A (en) Method and system for detecting web page Trojan embedding (挂马)
WO2010065991A1 (en) System and method for adapting an internet and intranet filtering system
JP4935274B2 (en) Server and program
CN104935601B (en) Cloud-based web log security analysis method, apparatus and system
US11356433B2 (en) System and method for detecting unauthorized activity at an electronic device
US20190289085A1 (en) System and method for tracking online user behavior across browsers or devices
CN103095693A (en) Method for locating and accessing database user host information
CN108632219A (en) A website vulnerability detection method, detection server and system
Hess Discovering digital library user behavior with Google Analytics
WO2018145637A1 (en) Method and device for recording web browsing behavior, and user terminal
Buyukkayhan et al. What's in an Exploit? An Empirical Analysis of Reflected Server XSS Exploitation Techniques
CN111031025B (en) Method and device for automatically detecting and verifying Webshell
US9723017B1 (en) Method, apparatus and computer program product for detecting risky communications

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
  Address before: 518052 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong.
  Applicant before: Sangfor Technologies Co.,Ltd.
  Address after: 518000 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong.
  Applicant after: SANGFOR TECHNOLOGIES Inc.
GR01 Patent grant