CN110855661A - WebShell detection method, device, equipment and medium - Google Patents

WebShell detection method, device, equipment and medium

Info

Publication number: CN110855661A (granted as CN110855661B)
Application number: CN201911094291.4A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 毛润华, 范渊
Assignee (original and current): DBAPPSecurity Co Ltd
Legal status: Granted, active
Prior art keywords: detected, webshell, training sample, flow data, file

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 ... for detecting or protecting against malicious traffic
                        • H04L63/1408 ... by monitoring network traffic
                        • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N3/00 Computing arrangements based on biological models
                    • G06N3/02 Neural networks
                        • G06N3/04 Architecture, e.g. interconnection topology
                            • G06N3/044 Recurrent networks, e.g. Hopfield networks
                        • G06N3/08 Learning methods

Abstract

The application discloses a WebShell detection method, a WebShell detection device, equipment and a WebShell detection medium. The method comprises the following steps: acquiring traffic data to be detected in real time; inputting the traffic data to be detected into a previously obtained trained model; and acquiring the detection result output by the trained model for the traffic data to be detected. The trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample. The training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information); during training, features are extracted from the contextual relations of the training samples, and the trained model is obtained from those contextual relations. In this way the real-time performance of Webshell detection is guaranteed, traffic data is no longer identified as Webshell solely by preset keywords, and the false alarm rate of Webshell detection is reduced.

Description

WebShell detection method, device, equipment and medium
Technical Field
The application relates to the technical field of WebShell detection, in particular to a WebShell detection method, device, equipment and medium.
Background
At present, after a hacker breaks into a website, an asp or php backdoor file is mixed in with the normal web page files under the WEB directory of the website server; the backdoor can then be accessed with a browser to obtain a command execution environment and thereby control the website server. Once the Webshell is implanted, the hacker can view, steal or destroy anything on the website as if at home. According to data analysis, 99% of websites that suffered "anti-common", hidden-link (dark chain) or black-page (defacement) incidents had a backdoor present, and a Webshell is hard to find because of its strong concealment.
In the prior art, an endpoint tool is generally deployed on the server to scan for and remove Webshells, but this is difficult to implement, the detection mainly relies on rules, the false alarm rate and the missed-detection rate are high, and real-time discovery and interception cannot be achieved.
Disclosure of Invention
In view of this, an object of the present application is to provide a WebShell detection method, apparatus, device and medium that guarantee the real-time performance of WebShell detection and avoid identifying traffic data as WebShell solely by a preset keyword, thereby reducing the false alarm rate of WebShell detection. The specific scheme is as follows:
In a first aspect, the application discloses a WebShell detection method, which includes:
acquiring traffic data to be detected in real time;
inputting the traffic data to be detected into a previously obtained trained model, where the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample; the training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information), and during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those contextual relations;
and acquiring the detection result output by the trained model for the traffic data to be detected.
Optionally, acquiring the traffic data to be detected in real time includes:
acquiring, in real time, the access traffic initiated by a user terminal;
and determining the traffic data in the access traffic that meets a first preset condition as the traffic data to be detected.
Optionally, determining the traffic data in the access traffic that meets the first preset condition as the traffic data to be detected includes:
judging the data type of the access traffic;
if the data type is an uploaded file, determining the uploaded file as the traffic data to be detected;
if the data type is an access URL, judging whether the access URL meets a second preset condition based on the suffix of the access URL and the presence of a Referer field in the HTTP header; if so, determining the returned content of the access URL as the traffic data to be detected, otherwise sending the returned content of the access URL to the corresponding access terminal.
Optionally, after obtaining the detection result output by the trained model for the traffic data to be detected, the method further includes:
if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is the returned content of an access URL, blocking the corresponding access URL and generating a corresponding event alarm to notify the administrator;
and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is the returned content of an access URL, sending the returned content of the access URL to the corresponding access terminal.
Optionally, after obtaining the detection result output by the trained model for the traffic data to be detected, the method further includes:
if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is an uploaded file, intercepting the uploaded file;
and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is an uploaded file, allowing the upload.
Optionally, after obtaining the detection result output by the trained model for the traffic data to be detected, the method further includes:
if the detection result is that the traffic data to be detected is a Webshell file, blocking the access IP corresponding to the Webshell file for a preset time.
In a second aspect, the present application discloses a WebShell detection apparatus, including:
a traffic data acquisition module for acquiring traffic data to be detected in real time;
a traffic data detection module for inputting the traffic data to be detected into a previously obtained trained model, where the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample; the training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information), and during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those contextual relations;
and a detection result output module for acquiring the detection result output by the trained model for the traffic data to be detected.
Optionally, the WebShell detection apparatus further includes:
an access IP blocking module for blocking the access IP corresponding to the Webshell file for a preset time if the detection result indicates that the traffic data to be detected is a Webshell file.
In a third aspect, the application discloses a WebShell detection device comprising a processor and a memory, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the foregoing WebShell detection method.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the foregoing WebShell detection method.
Thus the traffic data to be detected is obtained in real time and input to the previously obtained trained model. The trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample comprising a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information); during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those relations. Finally, the detection result output by the trained model for the traffic data to be detected is obtained. Because real-time traffic data is examined by a model trained on the contextual relations of Webshell and non-Webshell files, the real-time performance of Webshell detection is guaranteed, traffic data is no longer identified as Webshell solely by preset keywords, and the false alarm rate of Webshell detection is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart of a WebShell detection method disclosed in the present application;
FIG. 2 is a diagram of a specific model training process disclosed in the present application;
FIG. 3 is a flowchart of a specific WebShell detection method disclosed in the present application;
FIG. 4 is a flowchart of a specific WebShell detection method disclosed in the present application;
FIG. 5 is a schematic structural diagram of a WebShell detection apparatus disclosed in the present application;
FIG. 6 is a structural diagram of a WebShell detection device disclosed in the present application;
FIG. 7 is a structural diagram of a server disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to FIG. 1, an embodiment of the present application discloses a WebShell detection method, including:
Step S11: acquiring the traffic data to be detected in real time.
In a specific implementation, the present embodiment may obtain, in real time, the access traffic initiated by user terminals at the front end of the Web server; it will be understood that all access traffic initiated by clients may be included in the detection range. The traffic data in that access traffic that meets a first preset condition is then determined as the traffic data to be detected. Specifically, the data type of the access traffic is determined first. If the data type is an uploaded file, such as an uploaded document or picture, the uploaded file is determined as the traffic data to be detected; that is, when a client initiates a file upload, the embodiment treats the uploaded file as traffic data to be detected and caches it. If the data type is an access URL (Uniform Resource Locator), whether the access URL meets a second preset condition is determined from the suffix of the access URL and the presence of a Referer field in the HTTP header; if it does, the returned content of the access URL is determined as the traffic data to be detected. Specifically, if the file suffix of the access URL is asp, aspx, jsp, jspx, php, cgi, asa or the like, and the request lacks a Referer field, the returned content of the access URL is determined as the traffic data to be detected, and the access session is cached and delayed. In this way, the act of uploading a webshell can be discovered in real time by inspecting uploaded files, and access to an existing webshell can be discovered in real time by inspecting access URLs that meet the second preset condition.
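The two preset conditions above, written out as an added example (this is not the patent's code; the `Request`/`Candidate` structures and the function names are assumptions made for the illustration). Uploads are always selected for detection; a URL access is selected only when its path suffix is one of the script suffixes the text lists and the request carries no Referer header. Everything else passes straight through.

```python
"""Traffic selection for the WebShell detector (added illustration).

Implements the 'first preset condition' (what goes to the model) and the
'second preset condition' (script suffix + missing Referer) from the text.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit
import posixpath

# Suffixes named in the description for the second preset condition.
SCRIPT_SUFFIXES = {"asp", "aspx", "jsp", "jspx", "php", "cgi", "asa"}


@dataclass
class Request:
    """Minimal view of an inbound request (constructed for this example)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    upload: Optional[bytes] = None  # body of a file upload, if the request carries one


@dataclass
class Candidate:
    """Traffic data handed to the model."""
    kind: str                  # "upload" or "url"
    payload: Optional[bytes]   # uploaded bytes; None until the response body is captured
    url: str


def url_suffix(url: str) -> str:
    """Lower-cased file extension of the URL path, '' if the path has none."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1][1:].lower()


def meets_second_condition(req: Request) -> bool:
    """Script-like suffix AND no (or empty) Referer header."""
    referer = {k.lower(): v for k, v in req.headers.items()}.get("referer")
    return url_suffix(req.url) in SCRIPT_SUFFIXES and not referer


def select_for_detection(req: Request) -> Optional[Candidate]:
    """First preset condition. Returns None when the traffic is passed through
    without detection."""
    if req.upload is not None:
        # Every upload is cached and inspected before it is accepted.
        return Candidate("upload", req.upload, req.url)
    if meets_second_condition(req):
        # The response body is buffered and the session delayed until the model answers.
        return Candidate("url", None, req.url)
    return None
```

Note that the suffix check is on the URL path only, so query strings and fragments do not affect it, and header names are compared case-insensitively because HTTP header names are not case-sensitive.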
Step S12: inputting the traffic data to be detected into a previously obtained trained model, where the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample; the training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information), and during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those contextual relations.
Step S13: acquiring the detection result output by the trained model for the traffic data to be detected.
In a specific implementation, the traffic data to be detected is input into the previously obtained trained model and the corresponding detection result is obtained. The trained model is obtained, based on deep learning, from the similarities and differences between the context of program source code and the context of normal documents, that is, between the context of Webshell files and non-Webshell files, which avoids identifying a Webshell by the triggering of a single keyword. During training, the jieba word segmentation technique is used to process the training samples and extract features, and a long short-term memory network combined with convolutional layers is used for training. The first training sample is webshell data captured by an APT (Advanced Persistent Threat) detection device, open-source code and the popular open-source code of related projects on GitHub, such as PHPCMS, phpMyAdmin and WordPress; the second training sample is captured non-webshell URLs. Referring to FIG. 2, FIG. 2 is a diagram of a specific model training process disclosed in the present application. Training uses the LSTM (Long Short-Term Memory) recurrent neural network together with the contextual logic. An Embedding layer reduces the 500-dimensional one-hot word vector to a 64-dimensional space for computation. A Conv1D convolutional layer performs neighbourhood filtering of the input signal and a MaxPooling1D pooling layer performs max pooling of the data. The recurrent layer uses a long short-term memory network within the convolutional-recurrent network for training. To prevent overfitting, the Dropout parameter is set to 0.1, and the activation function of the fully connected layer is SoftMax.
Thus the traffic data to be detected is obtained in real time and input to the previously obtained trained model. The trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample comprising a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information); during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those relations. Finally, the detection result output by the trained model for the traffic data to be detected is obtained. Because real-time traffic data is examined by a model trained on the contextual relations of Webshell and non-Webshell files, the real-time performance of Webshell detection is guaranteed, traffic data is no longer identified as Webshell solely by preset keywords, and the false alarm rate of Webshell detection is reduced.
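The training pipeline as an added example, not the patent's or DBAPPSecurity's code. The 500-token one-hot vocabulary, the 64-dimensional embedding, the Conv1D/MaxPooling1D/LSTM stack, Dropout 0.1 and the softmax output follow the description; the regex tokenizer stands in for jieba, and the sequence length (200), convolution kernel (5), pooling size (4), LSTM width (64) and the toy corpus are assumptions, since the text does not give them. `build_model` needs TensorFlow/Keras; the featuriser above it runs without either.

```python
"""Feature extraction and LSTM model sketch for webshell source text (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

VOCAB_SIZE = 500   # size of the one-hot word vector named in the description
MAX_LEN = 200      # token sequence length (assumption; not stated in the text)
PAD, UNK = 0, 1    # reserved indices; real tokens are numbered from 2

# identifiers | $variables | numbers | any single non-word, non-space character
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\$\w+|\d+|[^\sA-Za-z0-9_]")


def tokenize(text: str) -> List[str]:
    """Stand-in for jieba: split source text into identifiers, variables,
    numbers and single punctuation characters (the 'words' the model sees)."""
    return TOKEN_RE.findall(text)


def build_vocab(texts: List[str], size: int = VOCAB_SIZE) -> Dict[str, int]:
    """Keep the most frequent tokens so the one-hot vector has `size` slots."""
    counts = Counter(tok for t in texts for tok in tokenize(t))
    keep = [tok for tok, _ in counts.most_common(size - 2)]   # 2 slots reserved
    return {tok: i + 2 for i, tok in enumerate(keep)}


def encode(text: str, vocab: Dict[str, int], max_len: int = MAX_LEN) -> List[int]:
    """Map tokens to vocabulary indices (UNK for rare ones), truncate, pad."""
    ids = [vocab.get(tok, UNK) for tok in tokenize(text)][:max_len]
    return ids + [PAD] * (max_len - len(ids))


def featurize(samples: List[Tuple[str, int]], max_len: int = MAX_LEN):
    """Vocabulary + integer-encoded matrix for labelled (text, label) samples."""
    texts = [t for t, _ in samples]
    vocab = build_vocab(texts)
    X = [encode(t, vocab, max_len) for t in texts]
    y = [label for _, label in samples]
    return X, y, vocab


def build_model(vocab_size: int = VOCAB_SIZE, max_len: int = MAX_LEN):
    """Keras definition of the layer stack in the description. Imported lazily
    so the featuriser can be used where TensorFlow is not installed."""
    from tensorflow import keras
    layers = keras.layers
    model = keras.Sequential([
        keras.Input(shape=(max_len,)),
        layers.Embedding(input_dim=vocab_size, output_dim=64),        # 500-d one-hot -> 64-d
        layers.Conv1D(filters=64, kernel_size=5, activation="relu"),  # neighbourhood filtering
        layers.MaxPooling1D(pool_size=4),                             # max pooling
        layers.LSTM(64),                                              # recurrent layer over context
        layers.Dropout(0.1),                                          # 0.1 as stated, against overfitting
        layers.Dense(2, activation="softmax"),                        # webshell / non-webshell
    ])
    model.compile(optimizer="adam", loss="sparse_categorical_crossentropy",
                  metrics=["accuracy"])
    return model


# Constructed toy corpus standing in for the two training-sample sets (label 1 = webshell).
# The webshell rows are placeholders; a real run would use captured samples.
CORPUS = [
    ("<?php include 'header.php'; echo $title; ?>", 0),
    ("<html><body><h1>Welcome</h1></body></html>", 0),
    ("WEBSHELL_SAMPLE_PLACEHOLDER_1", 1),
    ("WEBSHELL_SAMPLE_PLACEHOLDER_2", 1),
]
```

With TensorFlow available, `X, y, vocab = featurize(CORPUS)` followed by `build_model().fit(np.array(X), np.array(y), epochs=...)` trains the stack; at detection time the same `vocab` must be reused to encode the cached upload or response body, otherwise the indices the model learned no longer line up.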
Referring to FIG. 3, FIG. 3 shows a specific WebShell detection method disclosed in the present application, including:
Step S21: acquiring the traffic data to be detected in real time.
Step S22: inputting the traffic data to be detected into a previously obtained trained model, where the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample; the training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information), and during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those contextual relations.
Step S23: acquiring the detection result output by the trained model for the traffic data to be detected.
Step S24: processing the detection result accordingly.
In a specific implementation, if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is the returned content of an access URL, a URL access control rule is generated and the corresponding access URL is blocked, so that the attacker's next access fails, and a corresponding event alarm is generated to notify the administrator; if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is the returned content of an access URL, the returned content of the access URL is sent to the corresponding access terminal. If the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is an uploaded file, the uploaded file is intercepted; if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is an uploaded file, the upload is allowed.
In addition, if the detection result is that the traffic data to be detected is a Webshell file, the access IP corresponding to the Webshell file is blocked for a preset time. That is, whether the IP uploaded the webshell file or accessed an existing webshell through the URL, it is temporarily blocked; the duration can be preset as needed, for example a temporary block of 1 hour.
Referring to FIG. 4, a flowchart of a specific WebShell detection method disclosed in an embodiment of the present application, in this embodiment the access traffic is monitored in real time: uploading of a WebShell is discovered in real time by inspecting uploaded files, access to an existing WebShell is discovered in real time by inspecting access URLs that meet the second preset condition, and when a WebShell file is detected the corresponding access URL and access IP are blocked, so that real-time detection and isolation of WebShells is achieved. Moreover, the embodiment is convenient to implement and its protection is highly real-time: a webshell file can be detected within 1 second and blocked in time.
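The four result-handling cases and the temporary IP block, as an added example that is not the patent's code. The `Detection` record, the in-memory rule tables, the alert list and the injectable clock are assumptions made for the illustration; the one-hour block is the example value the text gives.

```python
"""Response policy for WebShell detection results (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

BLOCK_SECONDS = 3600  # preset block time; the text's example value is 1 hour


@dataclass
class Detection:
    """Model verdict joined with what was inspected (constructed for this example)."""
    is_webshell: bool
    kind: str        # "upload" or "url" (returned content of an access URL)
    url: str
    client_ip: str


@dataclass
class ResponsePolicy:
    clock: Callable[[], float] = time.time            # injectable for testing
    blocked_urls: Set[str] = field(default_factory=set)        # URL access-control rules
    blocked_ips: Dict[str, float] = field(default_factory=dict)  # ip -> block expiry (epoch s)
    alerts: List[str] = field(default_factory=list)            # event alarms for the administrator

    def apply(self, d: Detection) -> str:
        """Return the action taken for a detection result."""
        if not d.is_webshell:
            # Non-webshell: release the buffered response or accept the upload.
            return "forward" if d.kind == "url" else "allow_upload"
        # Webshell: block the source IP for the preset time in both cases.
        self.blocked_ips[d.client_ip] = self.clock() + BLOCK_SECONDS
        if d.kind == "url":
            self.blocked_urls.add(d.url)   # rule so the next access to the existing shell fails
            self.alerts.append(f"webshell served at {d.url}; client {d.client_ip}")
            return "block_url"
        return "intercept_upload"          # drop the file before it lands in the web root

    def is_ip_blocked(self, ip: str) -> bool:
        """Check the temporary block; expired entries are purged on lookup."""
        expiry = self.blocked_ips.get(ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.blocked_ips[ip]
            return False
        return True

    def is_url_blocked(self, url: str) -> bool:
        return url in self.blocked_urls
```

The URL rule is permanent until an operator removes it, while the IP block expires on its own; that matches the text, which describes the IP block as temporary and the URL rule as an access-control rule. Lazy expiry keeps the lookup path free of a background timer, which suits the sub-second detection budget the description claims.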
Referring to FIG. 5, an embodiment of the present application discloses a WebShell detection apparatus, including:
a traffic data acquisition module 11 for acquiring traffic data to be detected in real time;
a traffic data detection module 12 configured to input the traffic data to be detected into a previously obtained trained model, where the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample; the training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information), and during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those contextual relations;
and a detection result acquisition module 13 configured to acquire the detection result output by the trained model for the traffic data to be detected.
Thus the traffic data to be detected is obtained in real time and input to the previously obtained trained model. The trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample comprising a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information); during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those relations. Finally, the detection result output by the trained model for the traffic data to be detected is obtained. Because real-time traffic data is examined by a model trained on the contextual relations of Webshell and non-Webshell files, the real-time performance of Webshell detection is guaranteed, traffic data is no longer identified as Webshell solely by preset keywords, and the false alarm rate of Webshell detection is reduced.
The traffic data acquisition module 11 may specifically include:
an access traffic acquisition module for acquiring, in real time, the access traffic initiated by a user terminal;
and a to-be-detected traffic determining module for determining the traffic data in the access traffic that meets a first preset condition as the traffic data to be detected.
The to-be-detected traffic determining module is specifically configured to determine the data type of the access traffic; if the data type is an uploaded file, determine the uploaded file as the traffic data to be detected; if the data type is an access URL, judge whether the access URL meets a second preset condition based on the suffix of the URL and the presence of a Referer field in the HTTP header, and if so, determine the returned content of the access URL as the traffic data to be detected, otherwise send the returned content of the access URL to the corresponding access terminal.
The WebShell detection apparatus further comprises a URL blocking module for blocking the corresponding access URL and generating a corresponding event alarm to notify the administrator if the detection result is that the traffic data to be detected is a WebShell file and the traffic data to be detected is the returned content of an access URL.
The WebShell detection apparatus further comprises a URL release module for sending the returned content of the access URL to the corresponding access terminal if the detection result is that the traffic data to be detected is a non-WebShell file and the traffic data to be detected is the returned content of an access URL.
The WebShell detection apparatus further comprises an uploaded file interception module for intercepting the uploaded file if the detection result is that the traffic data to be detected is a WebShell file and the traffic data to be detected is an uploaded file;
The WebShell detection apparatus further comprises an uploaded file release module for allowing the upload if the detection result is that the traffic data to be detected is a non-WebShell file and the traffic data to be detected is an uploaded file.
The WebShell detection apparatus further comprises an access IP blocking module for blocking the access IP corresponding to the Webshell file for a preset time if the detection result is that the traffic data to be detected is a Webshell file.
Referring to FIG. 6, the present application discloses a WebShell detection device including a processor 21 and a memory 22, wherein the memory 22 is used for storing a computer program and the processor 21 is configured to execute the computer program to implement the following steps:
acquiring traffic data to be detected in real time; inputting the traffic data to be detected into a previously obtained trained model, where the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample; the training sample comprises a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information), and during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those contextual relations; and acquiring the detection result output by the trained model for the traffic data to be detected.
Thus the traffic data to be detected is obtained in real time and input to the previously obtained trained model. The trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample comprising a first training sample (webshell files with corresponding label information) and a second training sample (non-webshell files with corresponding label information); during training, features are extracted from the contextual relations of the training samples and the trained model is obtained from those relations. Finally, the detection result output by the trained model for the traffic data to be detected is obtained. Because real-time traffic data is examined by a model trained on the contextual relations of Webshell and non-Webshell files, the real-time performance of Webshell detection is guaranteed, traffic data is no longer identified as Webshell solely by preset keywords, and the false alarm rate of Webshell detection is reduced.
In this embodiment, when the processor 21 executes the computer program stored in the memory 22, the following steps may specifically be implemented: acquiring, in real time, the access traffic initiated by a user terminal; and determining the traffic data in the access traffic that meets a first preset condition as the traffic data to be detected.
In this embodiment, when the processor 21 executes the computer program stored in the memory 22, the following steps may specifically be implemented: judging the data type of the access traffic; if the data type is an uploaded file, determining the uploaded file as the traffic data to be detected; if the data type is an access URL, judging whether the access URL meets a second preset condition based on the suffix of the URL and the presence of a Referer field in the HTTP header, and if so, determining the returned content of the access URL as the traffic data to be detected, otherwise sending the returned content of the access URL to the corresponding access terminal.
In this embodiment, when the processor 21 executes the computer program stored in the memory 22, the following steps may specifically be implemented: if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is the returned content of an access URL, blocking the corresponding access URL and generating a corresponding event alarm to notify the administrator; and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is the returned content of an access URL, sending the returned content of the access URL to the corresponding access terminal.
In this embodiment, when the processor 21 executes the computer program stored in the memory 22, the following steps may specifically be implemented: if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is an uploaded file, intercepting the uploaded file; and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is an uploaded file, allowing the upload.
In this embodiment, when the processor 21 executes the computer program stored in the memory 22, the following step may specifically be implemented: if the detection result is that the traffic data to be detected is a Webshell file, blocking the access IP corresponding to the Webshell file for a preset time.
The memory 22 serves as a carrier for resource storage and may be a read-only memory, a random access memory, a magnetic disk or an optical disk; the storage mode may be transient or persistent.
Referring to fig. 7, an embodiment of the present application discloses a server 20 that includes the WebShell detection device, comprising a processor 21 and a memory 22, disclosed in the foregoing embodiments. For the steps that the processor 21 can specifically execute, reference may be made to the corresponding content disclosed in the foregoing embodiments, and details are not described again here.
Further, the server 20 in this embodiment may also include a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The power supply 23 is configured to provide a working voltage for each hardware device on the terminal 20; the communication interface 24 can create a data transmission channel between the terminal 20 and an external device, and the communication protocol it follows may be any communication protocol applicable to the technical solution of the present application and is not specifically limited here; the input/output interface 25 is configured to obtain external input data or output data to the outside, and its specific interface type may be selected according to the requirements of the specific application and is not specifically limited here.
Further, an embodiment of the present application also discloses a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the following steps:
acquiring traffic data to be detected in real time; inputting the traffic data to be detected into a pre-acquired trained model, wherein the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample, the training sample comprises a first training sample and a second training sample, the first training sample comprises a webshell file and corresponding label information, the second training sample comprises a non-webshell file and corresponding label information, and, during training, feature extraction is performed on the context relation of the training sample and the trained model is then obtained using the context relation; and acquiring the detection result output by the trained model that corresponds to the traffic data to be detected.
In this way, the traffic data to be detected is acquired in real time and input into the pre-acquired trained model; the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample, where the training sample comprises a first training sample and a second training sample, the first training sample comprises a webshell file and corresponding label information, the second training sample comprises a non-webshell file and corresponding label information, and, during training, feature extraction is performed on the context of the training sample and the trained model is then obtained using that context; finally, the detection result output by the trained model for the traffic data to be detected is obtained. Because real-time traffic data is detected with a trained model that exploits the context of Webshell and non-Webshell files, Webshell detection can be performed in real time, the problem of identifying traffic data as a Webshell solely by preset keywords is avoided, and the false alarm rate of Webshell detection is reduced.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: acquiring, in real time, the access traffic initiated by a user terminal; and determining the traffic data in the access traffic that meets a first preset condition as the traffic data to be detected.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: judging the data type of the access traffic; if the data type is an uploaded file, determining the uploaded file as the traffic data to be detected; if the data type is an access URL, judging whether the access URL meets a second preset condition using the suffix of the URL and the Referer field of the HTTP header; if so, determining the return content of the access URL as the traffic data to be detected, otherwise sending the return content of the access URL to the corresponding access terminal.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is the return content of the access URL, blocking the corresponding access URL and generating a corresponding event alarm to notify an administrator; and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is the return content of the access URL, sending the return content of the access URL to the corresponding access terminal.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following steps may specifically be implemented: if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is an uploaded file, intercepting the uploaded file; and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is an uploaded file, allowing the file to be uploaded.
In this embodiment, when the computer subprogram stored in the computer-readable storage medium is executed by the processor, the following step may specifically be implemented: if the detection result is that the traffic data to be detected is a Webshell file, blocking the access IP corresponding to the Webshell file for a preset time.
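The traffic gating and response steps described in the preceding paragraphs (the first and second preset conditions, URL blocking with an event alarm, upload interception, and temporary blocking of the access IP) as an added example; this is not the patent's code. The trained LSTM is passed in as a callable, and the script suffixes, the "no Referer" rule and the 3600-second block are assumed values for the unspecified "preset" conditions.

```python
"""Added example (not the patent's code): traffic gating and response logic of
the described embodiment, with the trained LSTM injected as a callable."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set
from urllib.parse import urlsplit
import time

SCRIPT_SUFFIXES = (".php", ".jsp", ".jspx", ".asp", ".aspx")  # assumed 2nd condition
BLOCK_SECONDS = 3600        # assumed "preset time" for blocking an access IP

@dataclass
class Access:
    """One unit of access traffic from a user terminal (constructed input)."""
    kind: str               # "upload" (uploaded file) or "url" (access URL)
    src_ip: str
    url: str = ""
    referer: Optional[str] = None
    content: bytes = b""    # the uploaded file, or the return content of the URL

@dataclass
class Decision:
    action: str             # forward | allow_upload | block_url | intercept_upload | drop
    alert: Optional[str] = None   # event alarm text for the administrator, if any

class WebShellGate:
    def __init__(self, model: Callable[[bytes], bool],
                 now: Callable[[], float] = time.time):
        self.model = model          # trained model: True means "Webshell file"
        self.now = now              # injectable clock so block expiry is testable
        self.blocked_ips: Dict[str, float] = {}   # access IP -> block expiry time
        self.blocked_urls: Set[str] = set()       # access URLs already blocked

    def ip_blocked(self, ip: str) -> bool:
        expiry = self.blocked_ips.get(ip)
        if expiry is None:
            return False
        if self.now() >= expiry:    # preset time has elapsed: lift the block
            del self.blocked_ips[ip]
            return False
        return True

    def needs_detection(self, a: Access) -> bool:
        """First preset condition: every uploaded file is detected; an access URL
        only if the assumed second condition (script suffix, no Referer) holds."""
        if a.kind == "upload":
            return True
        if a.kind == "url":
            path = urlsplit(a.url).path.lower()
            return path.endswith(SCRIPT_SUFFIXES) and not a.referer
        return False

    def handle(self, a: Access) -> Decision:
        if self.ip_blocked(a.src_ip):
            return Decision("drop")
        if a.kind == "url" and a.url in self.blocked_urls:
            return Decision("block_url")
        if not self.needs_detection(a):
            return Decision("forward")            # return content goes to the terminal
        if not self.model(a.content):
            return Decision("forward" if a.kind == "url" else "allow_upload")
        # Detection result is "Webshell file": block the access IP for the preset
        # time, then apply the response that matches the traffic type.
        self.blocked_ips[a.src_ip] = self.now() + BLOCK_SECONDS
        if a.kind == "url":
            self.blocked_urls.add(a.url)
            return Decision("block_url", alert=f"webshell served at {a.url} to {a.src_ip}")
        return Decision("intercept_upload", alert=f"webshell upload from {a.src_ip}")

def demo_model(content: bytes) -> bool:
    """Constructed stand-in for the trained LSTM so the example runs offline; it is
    a plain keyword check, the very approach the patent's model is meant to replace."""
    return b"eval(" in content or b"system(" in content
```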
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and for relevant details reference may be made to the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The WebShell detection method, device, equipment and medium provided by the present application have been described in detail above. Specific examples are used in this description to explain the principles and implementation of the application, and the description of the embodiments is only intended to help understand the method and core ideas of the application. At the same time, a person skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A WebShell detection method, characterized by comprising the following steps:
acquiring traffic data to be detected in real time;
inputting the traffic data to be detected into a pre-acquired trained model; wherein the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample, the training sample comprises a first training sample and a second training sample, the first training sample comprises a webshell file and corresponding label information, the second training sample comprises a non-webshell file and corresponding label information, and, during training, feature extraction is performed on the context relation of the training sample and the trained model is then obtained using the context relation;
and acquiring the detection result output by the trained model that corresponds to the traffic data to be detected.
2. The WebShell detection method according to claim 1, wherein acquiring the traffic data to be detected in real time comprises:
acquiring, in real time, the access traffic initiated by a user terminal;
and determining the traffic data in the access traffic that meets a first preset condition as the traffic data to be detected.
3. The WebShell detection method according to claim 2, wherein determining the traffic data in the access traffic that meets the first preset condition as the traffic data to be detected comprises:
judging the data type of the access traffic;
if the data type is an uploaded file, determining the uploaded file as the traffic data to be detected;
if the data type is an access URL, judging whether the access URL meets a second preset condition using the suffix of the access URL and the Referer field of the HTTP header; if so, determining the return content of the access URL as the traffic data to be detected, otherwise sending the return content of the access URL to the corresponding access terminal.
4. The WebShell detection method according to claim 3, wherein, after acquiring the detection result output by the trained model that corresponds to the traffic data to be detected, the method further comprises:
if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is the return content of the access URL, blocking the corresponding access URL and generating a corresponding event alarm to notify an administrator;
and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is the return content of the access URL, sending the return content of the access URL to the corresponding access terminal.
5. The WebShell detection method according to claim 3, wherein, after acquiring the detection result output by the trained model that corresponds to the traffic data to be detected, the method further comprises:
if the detection result is that the traffic data to be detected is a Webshell file and the traffic data to be detected is the uploaded file, intercepting the uploaded file;
and if the detection result is that the traffic data to be detected is a non-Webshell file and the traffic data to be detected is the uploaded file, allowing the file to be uploaded.
6. The WebShell detection method according to any one of claims 1 to 5, wherein, after acquiring the detection result output by the trained model that corresponds to the traffic data to be detected, the method further comprises:
if the detection result is that the traffic data to be detected is a Webshell file, blocking the access IP corresponding to the Webshell file for a preset time.
7. A WebShell detection device, comprising:
a traffic data acquisition module, configured to acquire traffic data to be detected in real time;
a traffic data detection module, configured to input the traffic data to be detected into a pre-acquired trained model; wherein the trained model is obtained by training a long short-term memory (LSTM) neural network model with a preset training sample, the training sample comprises a first training sample and a second training sample, the first training sample comprises a webshell file and corresponding label information, the second training sample comprises a non-webshell file and corresponding label information, and, during training, feature extraction is performed on the context relation of the training sample and the trained model is then obtained using the context relation;
and a detection result output module, configured to acquire the detection result output by the trained model that corresponds to the traffic data to be detected.
8. The WebShell detection device of claim 7, further comprising:
an access IP blocking module, configured to block the access IP corresponding to the Webshell file for a preset time if the detection result indicates that the traffic data to be detected is a Webshell file.
9. A WebShell detection device comprising a processor and a memory; wherein:
the memory is configured to store a computer program;
and the processor is configured to execute the computer program to implement the WebShell detection method of any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the WebShell detection method of any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911094291.4A CN110855661B (en) 2019-11-11 2019-11-11 WebShell detection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN110855661A true CN110855661A (en) 2020-02-28
CN110855661B CN110855661B (en) 2022-05-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant