CN109067696A - Webshell detection method and system based on graph similarity analysis - Google Patents
- Publication number: CN109067696A
- Application number: CN201810527915.6A
- Authority: CN (China)
- Prior art keywords: page, weight, access, relation, similarity
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/145: Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a webshell detection method and system based on graph similarity analysis, relating to the field of information security technology. The code files in all directories of the web server of the system under test are obtained; a first weight is obtained; a first and a second page-relation access graph are drawn; third to fifth page-relation access graphs are generated; a second weight and a third weight are obtained; and a final weight is obtained, from which the likelihood that a code file is a webshell is detected. The technical solution can effectively reduce the false-negative rate caused by transformed (obfuscated) webshells, and can serve as an auxiliary to other detection means by narrowing their detection range. In addition, as a static detection method, the invention avoids the performance sacrifice of dynamic detection, so its detection performance is better.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a webshell detection method and system based on graph similarity analysis.
Background
With the rapid development of Internet technology, the webshell, usually used by webmasters for website management and server administration, is now also commonly exploited by intruders through the web service port. It has become one of their tools for controlling a server or obtaining certain privileges, and a webshell is therefore also called a "website backdoor".
A webshell can be embedded in a normal web page and run there, so it is not easily detected and removed; it can also pass through the server firewall without being intercepted. Related security incidents occur frequently and cause considerable losses, so webshell detection is especially important.
Current webshell detection methods fall into two broad classes: static detection and dynamic detection.
Static detection has two main forms. One builds a feature library from the features of known webshells, such as characteristic functions, and matches files against the library to reach a result. The other relies on certain statistical features of webshells, such as information entropy and longest word. Both methods are easily bypassed by transformed webshells, and therefore have high false-positive and false-negative rates.
Dynamic detection also has two main forms. One runs the file in a sandbox and detects it from the features it shows while running; the other hooks the relevant functions in order to detect it. Dynamic detection performs better than static detection on transformed webshells, but because triggering may fail, among other reasons, it still has a high false-negative rate; it also cannot distinguish normal programs from webshells well, so its false-positive rate is considerable too. In addition, dynamic detection sacrifices a good deal of performance.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides a webshell detection method based on graph similarity analysis. When detecting transformed webshells, the method can serve as an auxiliary detection means that narrows the detection range for other detection methods, and it can also reduce the webshell false-negative rate.
The technical solution provided by the invention is as follows:
A webshell detection method based on graph similarity analysis, comprising the following steps:
Step 1: obtain the first weight.
For the system under test, obtain the code files in all directories of its web server, process the code files to obtain their comment information, match the comment information against the "comment feature library", and assign a weight according to the matching result. Specifically, regular-expression matching can be used: each time a character string is matched, the weight is increased by 1, and the resulting weight is the first weight. The "comment feature library" established by the invention covers nearly all of the comment information found in common viruses and trojans, in particular the comments in publicly disclosed webshells. Comment information is obtained by writing a script suited to the programming language of the code file and extracting the comments with that script; for example, in HTML the characters between <!-- and --> are comment information.
Step 2: draw the first page-relation access graph and the second page-relation access graph, as follows:
21) Draw the first page-relation access graph from the relevant information of the system under test.
When a website is written it has a normal navigation logic, that is, the graph formed by the jump relations among its pages. The first page-relation access graph is the graph of all normal page jumps of the website. It is a directed graph whose nodes are the pages and whose directed edges represent the access paths between pages.
The relevant information of the system includes its development documents, service manuals, the URLs in its markup language and similar information, as well as the opinions of the developers.
22) Draw the second page-relation access graph from the relevant log information. The "relevant log information" includes system logs, server access logs, web logs and the like.
The nodes of the second page-relation access graph are the pages that a given IP accessed in a specific time period, as obtained from the relevant log information. For example, from the web logs, in particular the URL records they retain, one can determine which pages a given IP accessed in the specific time period, and then draw the jump-relation graph of those pages according to the website's normal, complete jump logic described above.
Step 3: generate the third, fourth and fifth page-relation access graphs.
31) Layer the second page-relation access graph. The first layer is the home page of the system under test; the pages in the second page-relation access graph that involve database operations, file operations and user-permission operations form the second, third and fourth layers respectively; the remaining pages form the fifth layer. The access relations between pages, i.e. the directed edges, are unchanged. This forms the third page-relation access graph.
Pages involving database operations, file operations or user-permission operations are identified as follows:
A1) By page function; for example, the function of the page involves adding or deleting data, uploading or downloading files, granting different permissions to different users, and so on.
A2) By page code, according to the language of the page. Taking Java as an example, the page code contains a database-connection statement such as getConnection(jdbc, "root", ""), a database-operation statement such as delete from XX where XX, a file-creation statement such as createNewFile(), a statement that adds a character-output object such as BufferedWriter(), or user-permission handling implemented with shiro or a similar approach.
32) Prune the first and third page-relation access graphs. Cut off the nodes in the fifth layer of the third page-relation access graph, together with the corresponding directed edges, to form the fifth page-relation access graph; apply the same layering and pruning to the first page-relation access graph to form the fourth page-relation access graph.
Step 4: obtain the second weight and the third weight.
Using the graph similarity algorithm, compute the similarity of the first and second page-relation access graphs and the similarity of the fourth and fifth page-relation access graphs, and assign the corresponding weights according to the similarities, obtaining the second weight and the third weight.
In a specific implementation, the similarity is the graph similarity d12 computed with Formula 1, and the computed d12 is used directly as the weight.
The graph similarity algorithm is as follows. Convert each page-relation access graph to a matrix, forming an n × n matrix, where n is the number of elements in the set obtained by taking the union of the nodes of the two graphs being compared. If an edge exists between two points, the corresponding matrix entry is 1; otherwise it is 0.
Then vectorize the matrix: take its elements in order from left to right and from top to bottom as the successive coordinates of a vector. Then compute the distance between the two vectors using Formula 1 and take its value as the similarity of the graphs.
Here n is the dimension of the vector, which also equals the n of the matrix; X1k and X2k are the coordinates of the two vectors; k is the index, with values in (1, n); d12 is the graph similarity.
Step 5: obtain the final weight, and from the final weight and the first weight detect the likelihood that a code file is a webshell.
The first, second and third weights can be added in weighted proportion to obtain the final weight.
In a specific implementation, the final weight is computed as: final weight = first weight × 30% + second weight × 20% + third weight × 50%. Results are sorted by final weight; a final weight of 30 or more means a webshell is more likely to be present. In that case the code files of all pages are sorted by first weight; pages ranked within the top 50% are very likely to contain a webshell, and these code files can be passed to other detection methods or manual verification to determine whether they are webshells.
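The following Python sketch walks through steps 2 to 5 on a small site. It is an added example, not code from the patent. Formula 1 is not reproduced on this page, so Euclidean distance is assumed; the (ip, referer, url) log shape, the page names, the layer assignments and the IP addresses are all constructed.

```python
from math import sqrt, isclose

# Weight proportions and threshold quoted from the description above.
W1_SHARE, W2_SHARE, W3_SHARE = 0.30, 0.20, 0.50
FINAL_THRESHOLD = 30
PRUNED_LAYER = 5  # layer of "remaining pages" that step 32 cuts off


def edges_from_log(records, ip):
    """Second graph: (referer, url) jumps made by one IP (assumed log shape)."""
    return {(ref, url) for rec_ip, ref, url in records if rec_ip == ip and ref}


def adjacency_vector(edges, nodes):
    """n x n 0/1 adjacency matrix over `nodes`, flattened row by row."""
    index = {page: i for i, page in enumerate(nodes)}
    n = len(nodes)
    vec = [0] * (n * n)
    for src, dst in edges:
        vec[index[src] * n + index[dst]] = 1
    return vec


def graph_distance(edges_a, edges_b):
    """d12 of two edge sets; Euclidean distance is an assumption (see lead-in)."""
    # n is the size of the union of both graphs' nodes, as the text specifies.
    nodes = sorted({page for edge in edges_a | edges_b for page in edge})
    va, vb = adjacency_vector(edges_a, nodes), adjacency_vector(edges_b, nodes)
    return sqrt(sum((x - y) ** 2 for x, y in zip(va, vb)))


def prune(edges, layer_of):
    """Step 32: drop layer-5 pages and every directed edge touching one."""
    def keep(page):
        return layer_of.get(page, PRUNED_LAYER) < PRUNED_LAYER
    return {(src, dst) for src, dst in edges if keep(src) and keep(dst)}


def final_weight(w1, expected, observed, layer_of):
    """Step 5: combine the first weight with the two graph distances."""
    w2 = graph_distance(expected, observed)            # graph 1 vs graph 2
    w3 = graph_distance(prune(expected, layer_of),     # graph 4
                        prune(observed, layer_of))     # graph 5
    return W1_SHARE * w1 + W2_SHARE * w2 + W3_SHARE * w3


def needs_review(weight):
    """Threshold from the text: a final weight of 30 or more."""
    return weight >= FINAL_THRESHOLD


# --- constructed sample data (not from the patent) ---
# First graph: the site's intended navigation.
EXPECTED = {
    ("/index", "/login"), ("/index", "/news"), ("/news", "/about"),
    ("/login", "/admin/users"), ("/admin/users", "/admin/db"),
}
# Log records as (client ip, referer, requested url).
LOG = [
    ("203.0.113.7", None, "/index"),
    ("203.0.113.7", "/index", "/news"),
    ("203.0.113.7", "/news", "/upload/t.php"),
    ("203.0.113.7", "/upload/t.php", "/admin/db"),
    ("203.0.113.7", "/upload/t.php", "/admin/files"),
    ("198.51.100.9", "/index", "/login"),
]
# Layers: 1 home page, 2 database, 3 file, 4 user permission; others are 5.
LAYERS = {"/index": 1, "/admin/db": 2, "/admin/files": 3,
          "/upload/t.php": 3, "/admin/users": 4}

if __name__ == "__main__":
    observed = edges_from_log(LOG, "203.0.113.7")
    score = final_weight(4, EXPECTED, observed, LAYERS)
    print(round(score, 3), needs_review(score))
```

Because the value is a distance, a larger second or third weight means the observed navigation deviates more from the intended one; on a site this small the result stays far below the threshold of 30 quoted in the text.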
The present invention also provides a webshell detection system based on graph similarity analysis, implemented using the above webshell detection method based on graph similarity analysis, comprising: a comment extraction module, a comment feature library, first to fifth page-relation access graph acquisition modules, a first weight acquisition module, a second weight acquisition module, a third weight acquisition module, and a judgment module; wherein:
The comment extraction module extracts the comment information of the code files in all directories of the web server;
The comment feature library is matched against the comment information extracted by the "comment extraction module";
The first page-relation access graph acquisition module draws the first page-relation access graph from the relevant information of the system;
The second page-relation access graph acquisition module draws the second page-relation access graph from the relevant log information;
The third page-relation access graph acquisition module layers the second page-relation access graph and draws the third page-relation access graph;
The fourth page-relation access graph acquisition module layers and prunes the first page-relation access graph and draws the fourth page-relation access graph;
The fifth page-relation access graph acquisition module prunes the third page-relation access graph and draws the fifth page-relation access graph;
The first weight acquisition module performs regular-expression matching between the "comment feature library" and the comment information extracted by the "comment extraction module", and obtains the first weight from the matching result;
The second weight acquisition module computes the similarity of the first and second page-relation access graphs with the graph similarity algorithm, and obtains the second weight from the result;
The third weight acquisition module computes the similarity of the fourth and fifth page-relation access graphs with the graph similarity algorithm, and obtains the third weight from the result;
The judgment module obtains the final weight and, from the final weight and the first weight, judges the likelihood that a code file is a webshell.
Compared with the prior art, the beneficial effects of the invention are:
The technical solution provided by the invention can effectively reduce the false-negative rate caused by transformed webshells, and can serve as an auxiliary to other detection means by narrowing their detection range. In addition, as a static detection method, the invention avoids the performance sacrifice of dynamic detection, so its detection performance is better.
Brief description of the drawings
Fig. 1 is a flow diagram of the method of the invention.
Fig. 2 is a structural block diagram of the detection system of the invention.
Specific embodiment
With reference to the accompanying drawings, the invention is further described below through an embodiment, which does not limit the scope of the invention in any way.
The present invention provides a webshell detection method based on graph similarity analysis. For a better understanding, the technical solution of the invention is described in further detail below with reference to the accompanying drawings. Using the above webshell detection method based on graph similarity analysis, the invention implements a webshell detection system based on graph similarity analysis, comprising: a comment extraction module, a comment feature library, first to fifth page-relation access graph acquisition modules, a first weight acquisition module, a second weight acquisition module, a third weight acquisition module, and a judgment module. The data-flow relations between the modules are shown in Fig. 2.
A specific embodiment of the invention is as follows:
Step 1: Obtain the code files in all directories of the web server, process them with the "comment extraction module" to obtain the comment information, and perform regular-expression matching between the comment information and the "comment feature library". Each time a character string is matched, the weight is increased by 1; the resulting weight is the first weight.
The comment feature library contains the comment information found in common viruses and trojans, in particular the code comments in publicly disclosed webshells.
Step 2:
21) Draw the first page-relation access graph from the relevant information of the system. The first page-relation access graph is the graph of all normal page jumps of the website. It is a directed graph whose nodes are the pages and whose directed edges represent the jump paths between pages.
The relevant information of the system includes its development documents, service manuals, the URLs in its markup language and similar information, as well as the opinions of the developers.
22) Draw the second page-relation access graph of the system from the relevant log information. The second page-relation access graph is the graph of the actual page-jump paths.
The relevant log information includes system logs, server access logs, web logs and the like.
Step 3:
31) Layer the second page-relation access graph. The first layer is the home page of the system; the pages in the access graph that involve database operations, file operations and user-permission operations form the second, third and fourth layers respectively; the remaining pages form the fifth layer. The access relations between pages, i.e. the directed edges, are unchanged. This forms the third page-relation access graph.
32) Prune the first and third page-relation access graphs. Cut off the nodes in the fifth layer of the third page-relation access graph, together with the corresponding directed edges, to form the fifth page-relation access graph; apply the same pruning to the first page-relation access graph to form the fourth page-relation access graph.
Step 4: Using the graph similarity algorithm, compute the similarity of the first and second page-relation access graphs and the similarity of the fourth and fifth page-relation access graphs, and assign the corresponding weights, obtaining the second weight and the third weight.
The graph similarity algorithm is as follows. Convert each page-relation access graph to a matrix, forming an n × n matrix, where n is the number of elements in the set obtained by taking the union of the nodes of the two graphs being compared. If an edge exists, the corresponding matrix entry is 1; otherwise it is 0.
Then vectorize the matrix: take its elements in order from left to right and from top to bottom as the successive coordinates of a vector. Then compute the distance between the two vectors using the following formula and take its value as the similarity of the graphs.
Here n is the dimension of the vector, which also equals the n of the matrix; X1k and X2k are the coordinates of the two vectors; k is the index, with values in (1, n); d12 is the graph similarity.
Step 5: Obtain the final weight, and from the final weight and the first weight detect the likelihood that a code file is a webshell.
The first, second and third weights can be added in weighted proportion to obtain the final weight.
In a specific implementation, the final weight is computed as: final weight = first weight × 30% + second weight × 20% + third weight × 50%. Results are sorted by final weight; a final weight of 30 or more means a webshell is more likely to be present. In that case the code files of all pages are sorted by first weight; pages ranked within the top 50% are very likely to contain a webshell, and these code files can be passed to other detection methods or manual verification to determine whether they are webshells.
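Step 1 and the final ranking by first weight can be sketched as follows. This is an added example, not code from the patent: the comment-extraction patterns, the three signature expressions standing in for the comment feature library, and the sample files are all constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Comment syntax per file type: the "script per programming language" of step 1.
# Regex extraction is naive: comment markers inside string literals are also
# picked up, which over-counts rather than misses.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
BLOCK_COMMENT = re.compile(r"/\*(.*?)\*/", re.S)
SLASH_COMMENT = re.compile(r"(?<!:)//([^\n]*)")      # skip the // in http://
PHP_LINE_COMMENT = re.compile(r"(?<!:)(?://|#)([^\n]*)")
JSP_COMMENT = re.compile(r"<%--(.*?)--%>", re.S)

COMMENT_PATTERNS = {
    ".html": [HTML_COMMENT],
    ".php": [HTML_COMMENT, BLOCK_COMMENT, PHP_LINE_COMMENT],
    ".jsp": [JSP_COMMENT, HTML_COMMENT, BLOCK_COMMENT, SLASH_COMMENT],
}

# Constructed stand-in for the comment feature library.
FEATURE_LIBRARY = [
    re.compile(r"shell\s+by", re.I),
    re.compile(r"file\s*manager", re.I),
    re.compile(r"password\s+protected", re.I),
]


def extract_comments(path, source):
    """Return every comment body found in `source` for the file's language."""
    patterns = COMMENT_PATTERNS.get(PurePosixPath(path).suffix.lower(), [])
    return [body for pattern in patterns for body in pattern.findall(source)]


def first_weight(path, source):
    """Each matched string adds 1 to the weight, as step 1 specifies."""
    return sum(len(signature.findall(comment))
               for comment in extract_comments(path, source)
               for signature in FEATURE_LIBRARY)


def top_half(weights):
    """Files ranked within the top 50% by first weight (ties broken by path)."""
    ranked = sorted(weights, key=lambda path: (-weights[path], path))
    return ranked[: (len(ranked) + 1) // 2]


# --- constructed sample files (not from the patent) ---
SAMPLE_FILES = {
    "index.html": "<html><!-- main navigation --><body>Welcome</body></html>",
    "news.php": "<?php // renders the news list\necho 'news'; ?>",
    "admin/users.jsp": "<%-- user permission page; legacy file manager link "
                       "removed --%>\n<html><body>users</body></html>",
    "upload/t.php": "<?php\n/* Shell by ExampleCrew - password protected */\n"
                    "// file manager v1.0\necho 'ok';\n?>",
}

if __name__ == "__main__":
    weights = {p: first_weight(p, s) for p, s in SAMPLE_FILES.items()}
    print(weights)
    print(top_half(weights))
```

The legitimate admin/users.jsp also scores 1 here, which illustrates why the text sends the top-ranked files to other detection methods or manual verification instead of treating the first weight as a verdict.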
It should be noted that the purpose of publishing the embodiment is to help further understanding of the invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention should not be limited to what the embodiment discloses; the scope of protection claimed is that defined by the claims.
Claims (8)
1. A webshell detection method based on graph similarity analysis, in which the code files in all directories of the web server of the system under test are obtained, and, by obtaining a first weight, drawing a first page-relation access graph and a second page-relation access graph, generating third to fifth page-relation access graphs, obtaining a second weight and a third weight, and obtaining a final weight, the likelihood that a code file is a webshell is detected; comprising the following steps:
Step 1: obtain the first weight, comprising:
11) establishing a comment feature library;
12) processing the code files to obtain comment information;
13) matching the comment information against the comment feature library, and assigning a weight according to the matching result to obtain the first weight;
Step 2: draw the first page-relation access graph and the second page-relation access graph, specifically performing the following operations:
21) drawing the first page-relation access graph from the relevant information of the system under test; the first page-relation access graph is a directed graph whose nodes are the pages of the website and whose directed edges represent the access paths between pages;
22) drawing the second page-relation access graph from the relevant log information; the nodes of the second page-relation access graph are the pages accessed in a specific time period, as obtained from the relevant log information;
Step 3: generate the third, fourth and fifth page-relation access graphs, performing the following operations:
31) layering the second page-relation access graph: the first layer is the home page of the system under test; the pages in the second page-relation access graph that involve database operations, file operations and user-permission operations form the second, third and fourth layers respectively; the remaining pages form the fifth layer; the access relations between pages, i.e. the directed edges, are unchanged; thereby forming the third page-relation access graph;
32) pruning the first and third page-relation access graphs: cutting off the nodes in the fifth layer of the third page-relation access graph, together with the corresponding directed edges, to form the fifth page-relation access graph; and applying the above pruning method to the first page-relation access graph to form the fourth page-relation access graph;
Step 4: obtain the second weight and the third weight;
using the graph similarity algorithm, computing the similarity of the first and second page-relation access graphs and the similarity of the fourth and fifth page-relation access graphs, and assigning the corresponding weights according to the similarities to obtain the second weight and the third weight;
Step 5: add the first, second and third weights in weighted proportion to obtain the final weight; according to the final weight and the first weight, examine the code files to obtain the likelihood that a code file is a webshell.
2. The webshell detection method based on graph similarity analysis according to claim 1, characterized in that step 13) specifically uses regular-expression matching: each time a character string is matched, the weight is increased by 1, and the weight finally obtained is the first weight.
3. The webshell detection method based on graph similarity analysis according to claim 1, characterized in that the comment feature library contains the comment information found in common viruses and trojans; and comment information is obtained by writing a script according to the programming language of the code file and extracting the comment information with the script.
4. The webshell detection method based on graph similarity analysis according to claim 1, characterized in that in step 31), identifying the pages that involve database operations, file operations and user-permission operations includes a method of judging by page function and a method of judging by page code.
5. The webshell detection method based on graph similarity analysis according to claim 1, characterized in that the graph similarity algorithm of step 4 is:
converting each page-relation access graph to a matrix, forming an n × n matrix, where n is the number of elements in the set obtained by taking the union of the nodes of the two graphs being compared; if an edge exists between two nodes, the matrix entry for those two nodes is 1, otherwise it is 0;
vectorizing the matrix, i.e. taking its elements in order from left to right and from top to bottom as the successive coordinates of a vector;
computing the distance between the two vectors according to Formula 1 to obtain the graph similarity d12;
where n is the dimension of the vector, equal to the n of the matrix; X1k and X2k are the coordinates of the two vectors; k is the index, with values in (1, n); d12 is the graph similarity;
and using the computed graph similarity d12 as the weight.
6. The webshell detection method based on graph similarity analysis according to claim 1, characterized in that the detection of step 5 is specifically:
computing the final weight as: final weight = first weight × 30% + second weight × 20% + third weight × 50%;
setting a final-weight threshold; sorting by final weight; code files whose final weight exceeds the final-weight threshold are highly likely to contain a webshell;
setting a first-weight ranking threshold; sorting the code files of all pages by first weight; pages ranked within the ranking threshold are highly likely to contain a webshell.
7. The webshell detection method based on graph similarity analysis according to claim 6, characterized in that the code files are further passed to other detection methods or manual verification to determine whether they are webshells.
8. A webshell detection system based on graph similarity analysis, implemented using the webshell detection method based on graph similarity analysis of any one of claims 1 to 7, comprising: an annotation information extraction module, an annotation information feature library, first to fifth page relation access graph acquisition modules, a first weight acquisition module, a second weight acquisition module, a third weight acquisition module, and a judgment module; wherein:
The annotation information extraction module is used to extract the annotation information of the code files in all directories of the Web server;
The annotation information feature library is used for matching against the annotation information extracted by the annotation information extraction module;
First page relation access graph acquisition module: draws the first page relation access graph according to system-related information;
Second page relation access graph acquisition module: draws the second page relation access graph according to related log information;
Third page relation access graph acquisition module: layers the second page relation access graph and draws the third page relation access graph;
Fourth page relation access graph acquisition module: layers and prunes the first page relation access graph and draws the fourth page relation access graph;
Fifth page relation access graph acquisition module: prunes the third page relation access graph and draws the fifth page relation access graph;
The first weight acquisition module is used to perform regular-expression matching between the annotation information feature library and the annotation information extracted by the annotation information extraction module, and obtains the first weight according to the matching result;
The second weight acquisition module is used to calculate the similarity of the first page relation access graph and the second page relation access graph according to a graph similarity algorithm, and obtains the second weight according to the calculation result;
The third weight acquisition module is used to calculate the similarity of the fourth page relation access graph and the fifth page relation access graph according to a graph similarity algorithm, and obtains the third weight according to the calculation result;
The judgment module is used to obtain the final weight and, according to the final weight and the first weight, to judge the likelihood that a detected code file is a webshell.
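The scoring and judgment steps of claims 6 to 8, as an added Python example that is not code from the patent. It assumes weights in [0, 1] and uses 1 minus the Jaccard similarity of a page's neighbour sets as a stand-in for the graph similarity algorithm, which these claims do not spell out. All function names, threshold values, the simplified log format and the sample data are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the patent).
SITE_LINKS = {("/index.php", "/news.php"), ("/index.php", "/login.php"),
              ("/news.php", "/index.php"), ("/login.php", "/index.php")}
ACCESS_LOG = '''\
10.0.0.5 "GET /news.php" "/index.php"
10.0.0.5 "GET /login.php" "/index.php"
10.0.0.5 "GET /index.php" "/news.php"
10.0.0.9 "POST /upload/img.php" "/upload/img.php"
10.0.0.9 "POST /upload/img.php" "/upload/img.php"
'''
LOG_RE = re.compile(r'"(?:GET|POST) (\S+)" "(\S+)"')  # request, then referer
# Constructed first and third weights per code file, assumed to lie in [0, 1].
W1 = {"/index.php": 0.0, "/news.php": 0.1, "/login.php": 0.0, "/upload/img.php": 0.8}
W3 = {"/index.php": 0.0, "/news.php": 0.0, "/login.php": 0.0, "/upload/img.php": 1.0}

def log_edges(log):
    """Second graph: (referer, requested page) edges seen in the access log."""
    return {(m.group(2), m.group(1)) for m in LOG_RE.finditer(log)}

def neighbours(edges, page):
    """Pages that link to `page` or that `page` links to."""
    return {a for a, b in edges if b == page} | {b for a, b in edges if a == page}

def second_weight(page, site_edges, seen_edges):
    """Assumed mapping: 1 - Jaccard similarity of the page's neighbour sets."""
    site, seen = neighbours(site_edges, page), neighbours(seen_edges, page)
    if not site and not seen:
        return 0.0  # page has no edges in either graph: no evidence
    return 1.0 - len(site & seen) / len(site | seen)

def final_weight(w1, w2, w3):
    # Claim 6: first weight * 30% + second weight * 20% + third weight * 50%.
    return 0.3 * w1 + 0.2 * w2 + 0.5 * w3

def candidates(w1, w3, final_threshold=0.5, rank_threshold=1):
    """Pages over the final weight threshold, or ranked within the first weight threshold."""
    seen = log_edges(ACCESS_LOG)
    finals = {p: final_weight(w1[p], second_weight(p, SITE_LINKS, seen), w3[p]) for p in w1}
    by_final = {p for p, f in finals.items() if f > final_threshold}
    by_first = set(sorted(w1, key=w1.get, reverse=True)[:rank_threshold])
    return finals, sorted(by_final | by_first)

if __name__ == "__main__":
    finals, flagged = candidates(W1, W3)
    for page in sorted(finals, key=finals.get, reverse=True):
        print(f"{finals[page]:.2f}  {page}")
    print("pass to other detection or manual verification:", flagged)
```

The flagged list is the input to claim 7: it is a candidate set for further detection or manual verification, not a verdict.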
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810527915.6A CN109067696B (en) | 2018-05-29 | 2018-05-29 | Webshell detection method and system based on graph similarity analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109067696A (en) | 2018-12-21 |
CN109067696B (en) | 2020-12-08 |
Family
ID=64819756
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810527915.6A Expired - Fee Related CN109067696B (en) | 2018-05-29 | 2018-05-29 | Webshell detection method and system based on graph similarity analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109067696B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104967616A (en) * | 2015-06-05 | 2015-10-07 | 北京安普诺信息技术有限公司 | WebShell file detection method in Web server |
CN107241296A (en) * | 2016-03-28 | 2017-10-10 | 阿里巴巴集团控股有限公司 | Webshell detection method and device |
CN107888571A (en) * | 2017-10-26 | 2018-04-06 | 江苏省互联网行业管理服务中心 | Multi-dimensional webshell intrusion detection method and detection system based on HTTP logs |
Non-Patent Citations (1)
Title |
---|
文伟平; 王永剑; 孟正: "PDF file vulnerability detection", Journal of Tsinghua University (Science and Technology) * |
Also Published As
Publication number | Publication date |
---|---|
CN109067696B (en) | 2020-12-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20201208 |