CN111800405A - Detection method, detection device and storage medium - Google Patents


Info

Publication number
CN111800405A (application number CN202010608629.XA)
Authority
CN
China
Prior art keywords
target
data
host
target data
behavior
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202010608629.XA
Other languages
Chinese (zh)
Inventor
王大伟
Current Assignee (as listed by Google Patents; may be inaccurate)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H  Electricity
    • H04  Electric communication technique
    • H04L  Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  ... for detecting or protecting against malicious traffic
    • H04L 63/1408  ... by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection
    • H04L 63/1441  Countermeasures against malicious traffic
    • H04L 63/145  ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/02  Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/025  ... for remote control or remote monitoring of applications

Abstract

Embodiments of this application disclose a detection method, a detection device and a computer storage medium. The method includes: acquiring target data, the target data being data transmitted from a terminal to a host; obtaining a first target feature of the target data, the first target feature being a text feature of the target data and/or the behavior of the target data on the host while the host is receiving it; obtaining a second target feature of the target data, the second target feature being the behavior of the target data on the host while the host is using it; and identifying, based on the first target feature and the second target feature, whether the host is under attack by a web script (WebShell).

Description

Detection method, detection device and storage medium
Technical Field
The present application relates to detection technologies, and in particular, to a detection method, a detection device, and a computer storage medium.
Background
In network security, a WebShell (web script) is an executable script in the form of a web file, typically with a suffix such as php, asp, aspx or jsp. In the related art, an attacker such as a hacker may attack an intranet (for example the intranet of an enterprise or organization) as follows in order to misuse an intranet host: the attacker uploads a WebShell to the intranet host so that it is implanted there, then uses the implanted WebShell to escalate privileges and to access, without authorization, both the implanted host and the other intranet hosts that communicate with it, thereby penetrating the intranet. In the related art, rule-based analysis is applied to the WebShell implantation process and the unauthorized access process, and WebShell attack behavior is identified on the basis of those rules. The identification accuracy of that scheme is limited and detections (identifications) are missed, so the security requirement cannot be met.
Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present application provide a detection method, a detection device, and a computer storage medium.
The technical scheme of the embodiment of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a detection method, where the method includes:
acquiring target data, the target data being data transmitted from a terminal to a host;
obtaining a first target feature of the target data, the first target feature being a text feature of the target data and/or the behavior of the target data on the host while the host is receiving it;
obtaining a second target feature of the target data, the second target feature being the behavior of the target data on the host while the host is using it;
identifying, based on the first target feature and the second target feature, whether the host is attacked by a web script.
In the foregoing solution, identifying whether the host is attacked by the web script based on the first target feature and the second target feature includes:
identifying, based on the first target feature, whether the target data is attack data;
where the target data is non-attack data, obtaining the second target feature of the target data;
determining, based on the second target feature, whether the host is attacked by the web script.
In the foregoing solution, where the first target feature is both a text feature of the target data and the behavior of the target data on the host while the host is receiving it, identifying whether the target data is attack data based on the first target feature correspondingly includes:
judging whether the text feature of the target data matches a preset text feature, and judging whether the behavior generated while the target data is being received matches a preset first behavior;
determining that the target data is non-attack data only when the text feature of the target data does not match the preset text feature and the behavior generated while the target data is being received does not match the preset first behavior.
In the foregoing aspect, the method further includes:
where the target data is attack data,
obtaining an identifier of the terminal that transmitted the target data to the host;
and controlling the data transmitted by the terminal bearing that identifier so that no second target feature can be generated from it.
In the foregoing aspect, the method further includes:
where the target data is attack data, determining that the host was attacked by the web script in the receiving stage;
judging whether a second target feature of the target data can be obtained;
and if so, determining that the host was also attacked by the web script in the utilization stage.
In the foregoing solution, determining whether the host is attacked by the web script based on the second target feature includes:
judging whether the second target feature matches a preset second behavior;
and, where they match, determining that the host is attacked by the web script in the utilization stage.
In a second aspect, an embodiment of the present application provides a detection apparatus including a first obtaining unit, a second obtaining unit, a third obtaining unit and an identifying unit, where:
the first obtaining unit is configured to obtain target data, the target data being data transmitted from a terminal to a host;
the second obtaining unit is configured to obtain a first target feature of the target data, the first target feature being a text feature of the target data and/or the behavior of the target data on the host while the host is receiving it;
the third obtaining unit is configured to obtain a second target feature of the target data, the second target feature being the behavior of the target data on the host while the host is using it;
and the identifying unit is configured to identify, based on the first target feature and the second target feature, whether the host is attacked by the web script.
In the foregoing solution, the identifying unit is configured to:
identify, based on the first target feature, whether the target data is attack data;
where the target data is non-attack data, obtain the second target feature of the target data;
and determine, based on the second target feature, whether the host is attacked by the web script.
In a third aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program is configured to, when executed by a processor, implement the steps of the foregoing detection method.
In a fourth aspect, an embodiment of the present application provides a detection apparatus, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the detection method when executing the program.
Embodiments of the present application provide a detection method, a detection device and a computer storage medium. The method includes: acquiring target data, the target data being data transmitted from a terminal to a host; obtaining a first target feature of the target data, the first target feature being a text feature of the target data and/or the behavior of the target data on the host while the host is receiving it; obtaining a second target feature of the target data, the second target feature being the behavior of the target data on the host while the host is using it; and identifying, based on the first target feature and the second target feature, whether the host is attacked by a web script.
In the embodiments of the present application, target data in the stage of being received by the host can be regarded as being in the GetShell stage, and target data in the stage of being used by the host can be regarded as being in the WebShell utilization stage. Whether a WebShell attack exists on the host is identified from the text features of the target data in the GetShell stage and/or the behavior it generates on the host in that stage, together with the behavior it generates on the host in the WebShell utilization stage. This amounts to identifying the WebShell attack by combining its two different stages, which improves identification accuracy and avoids missed detection (missed identification).
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flow chart of a first implementation of a detection method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a second implementation flow of the detection method according to the embodiment of the present application;
FIG. 3 is a third schematic flow chart illustrating an implementation of the detection method according to the embodiment of the present application;
FIG. 4 is a schematic diagram of an application scenario according to an embodiment of the present application;
FIG. 5 is a first schematic diagram illustrating module division of a detection device according to an embodiment of the present application;
FIG. 6 is a flow chart of a detection method implemented based on the first module division diagram in the embodiment of the present application;
FIG. 7 is a schematic diagram illustrating a module division of a detection apparatus according to an embodiment of the present application;
fig. 8 is a schematic diagram of a hardware configuration of a detection apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the embodiments of the present application will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. In the present application, the embodiments and features of the embodiments may be arbitrarily combined with each other without conflict. The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
Before the technical solutions of the embodiments of the present application are introduced, terms of technologies that may be used in the embodiments of the present application are described:
1) WebShell: a command-execution program in the form of a web page file, also called a backdoor file. WebShell attacks are an important means by which hackers intrude into hosts, and a WebShell generally exists as a web page file such as asp, php, jsp or cgi.
2) In the related art, the whole life cycle of a WebShell attack includes two stages: a GetShell stage (WebShell intrusion stage) and a WebShell utilization stage, where:
GetShell stage: the stage in which the hacker implants the WebShell into the host; specifically, the hacker can intrude into the host by uploading the WebShell to it;
WebShell utilization stage: the hacker has successfully intruded into the host and uses the WebShell implanted in it to perform a series of illegal operations, such as changing databases and escalating the hacker's privileges.
As those skilled in the art will appreciate, on the time axis the GetShell stage precedes the WebShell utilization stage. The GetShell stage is the stage in which the hacker intrudes by various means; the WebShell utilization stage is the stage in which, after a successful intrusion, the hacker uses the WebShell data to perform adverse operations on the host, such as modifying a database and escalating the privileges of the WebShell data.
3) Hacker portrait: a set of descriptions of hacking behavior, such as the attack tools commonly used, the attack time and the attack mode.
An embodiment of the present application provides a detection method applied to a detection device. It can be understood that the detection device may be a gateway, a firewall, a security posture awareness device, or the like. As shown in Fig. 1, the method includes:
S101: acquiring target data, the target data being data transmitted from a terminal to a host;
Taking an enterprise or organization as an example, the host may be a device inside the enterprise or organization, such as a server, and the terminal may be a terminal outside it or an intranet terminal. Taking an extranet terminal as an example, the terminal, and the data it transmits to the host, may be benign or malicious, as when a hacker intends to intrude into the enterprise intranet by intruding into the host. To keep the intranet secure, this step monitors the data transmitted to the intranet host, that is, the data transmitted to the intranet host by the extranet terminal. The data may be transmitted from the terminal to the host in the form of packets, such as data packets or traffic packets.
S102: obtaining a first target feature of the target data, the first target feature being a text feature of the target data and/or the behavior of the target data on the host while the host is receiving it;
In this step, the target data in the stage of being received by the host can be regarded as being in the GetShell stage. In this stage the text features of the target data are analyzed and/or the behavior generated toward the host in this stage is monitored.
S103: obtaining a second target feature of the target data, the second target feature being the behavior of the target data on the host while the host is using it;
In this step, the target data in the stage of being used by the host can be regarded as being in the WebShell utilization stage. The behavior of the target data on the host in this stage is monitored.
S104: identifying, based on the first target feature and the second target feature, whether the host is attacked by a WebShell.
S101 to S104 are executed by the detection device.
In the embodiment of the present application, whether a WebShell attack exists on the host is identified from the text features of the target data in the GetShell stage and/or the behavior it generates on the host in that stage, together with the behavior it generates on the host in the WebShell utilization stage. The scheme thus identifies a WebShell attack by combining data from two different stages of the attack, that is, by combining the characteristics of each stage that makes up the whole life cycle of a WebShell attack. Combining the stages in this way improves identification accuracy on the one hand and, on the other, avoids missed detection (missed identification) of WebShell attacks.
The embodiment of the present application provides a second embodiment of the detection method, applied to a detection device. As shown in Fig. 2, the method includes:
S201: acquiring target data, the target data being data transmitted from a terminal to a host;
S202: obtaining a first target feature of the target data, the first target feature being a text feature of the target data and/or the behavior of the target data on the host while the host is receiving it;
For S201 and S202, refer to the description above; it is not repeated here.
S203: identifying, based on the first target feature, whether the target data is attack data;
S204: where the target data is non-attack data, obtaining a second target feature of the target data, the second target feature being the behavior of the target data on the host while the host is using it;
S205: determining, based on the second target feature, whether the host is attacked by a WebShell.
S201 to S205 are executed by the detection device. S203 to S205 further describe how the host is identified as attacked by a WebShell on the basis of the first and second target features.
In the foregoing scheme, whether the target data is attack data is identified from the text features and/or behavior of the target data obtained in the GetShell stage. Where it is identified as non-attack data, the behavior that the target data generates on the host in the WebShell utilization stage is obtained, and whether the host is attacked by a WebShell is identified from that behavior data. This again amounts to WebShell attack identification combining both stages, which improves identification accuracy and avoids missed identification.
It can be understood that the first target feature obtained in the GetShell stage may be only a text feature, only behavior data, or both. In an optional embodiment, taking the first target feature as both a text feature and behavior data, that is, where the first target feature is the text feature of the target data while it is being received by the host together with the behavior data it generates toward the host, identifying whether the target data is attack data based on the first target feature (S203) includes, as shown in Fig. 3:
S2031: judging whether the text feature of the target data matches a preset text feature, and judging whether the behavior generated while the target data is being received matches a preset first behavior;
S2032: determining that the target data is non-attack data where the text feature of the target data does not match the preset text feature and the behavior generated while the target data is being received does not match the preset first behavior;
S2033: determining that the target data is attack data where the text feature of the target data matches the preset text feature and/or the behavior generated while the target data is being received matches the preset first behavior.
The main body for executing the schemes of S2031 to S2033 is a detection device.
The scheme of S2031 to S2033 amounts to identifying whether the GetShell stage is subject to WebShell intrusion on the basis of the acquired text features of the data transmitted from the terminal to the host and the behavior data generated on the host in the GetShell stage. If the target data is identified as attack data, the GetShell stage is considered to have suffered a WebShell intrusion (attack); if it is identified as non-attack data, it is not. Because the identification combines two aspects of the target data (text features and behavior features), identification accuracy is improved.
It can be understood that the foregoing scheme identifies WebShell intrusion (attack) in the GetShell stage from both the text features and the behavior of the target data in that stage. Identification can also be performed from the text features alone or from the behavior alone; the process is similar to the above and is not described in detail.
In an optional embodiment, the method further includes: where the target data is identified as attack data, the GetShell stage can be considered to have suffered a WebShell intrusion. Once a WebShell intrusion is recognized in the GetShell stage, this attack data can be blocked or intercepted so that it no longer attacks the host, and alarm information can be generated to remind administrators that the host is currently under attack. In addition, either of the following two ways can be used to prevent the intrusion from damaging the host:
First way: obtain an identifier of the terminal that transmitted the target data to the host, and control the data transmitted by the terminal bearing that identifier so that no second target feature can be generated from it. That is, target data that caused a WebShell intrusion in the GetShell stage is WebShell data, i.e. intrusion data; the terminal that sent the intrusion data to the host can be regarded as the intrusion source, and its identifier, which may be the source IP (Internet Protocol) address of the intrusion data, can be obtained. The intrusion source is then controlled so that the intrusion data cannot be used in the WebShell utilization stage for adverse operations such as privilege escalation and database modification. The host may also be prohibited from receiving data subsequently transmitted by the intruding terminal.
Second way: judge whether a second target feature of the target data can be obtained, and if so, determine that the host is attacked by the WebShell in the WebShell utilization stage. That is, most intrusion data identified in the GetShell stage will generate adverse behavior toward the host in the WebShell utilization stage. If behavior operations of the intrusion data on the host can be obtained in the WebShell utilization stage, the intrusion data identified in the GetShell stage can be considered to have produced adverse behavior in the WebShell utilization stage. This way amounts to a strong identification of whether intrusion data identified in the GetShell stage can cause adverse behavior operations on the host.
The scheme of S204 is executed when the target data is identified as non-attack data, that is, when the data transmitted by the terminal to the host is not identified as WebShell data and the GetShell stage is not identified as subject to WebShell intrusion (attack). The scheme mainly takes into account that identification in the GetShell stage may miss some WebShells, and a missed WebShell can cause adverse behavior toward the host in the WebShell utilization stage, such as arbitrarily changing the host's database or escalating the WebShell's privileges on the host. Where the GetShell stage is identified as not subject to WebShell intrusion (attack), the behavior of the target data toward the host is therefore monitored while the target data is in the WebShell utilization stage, which avoids the adverse effect on the host of a WebShell that was missed in the GetShell stage and has successfully intruded into the host. Technically, it is judged whether the monitored behavior (the second target feature) matches a preset second behavior, and where the two match, the host is determined to be attacked by the web script in the WebShell utilization stage, so that a WebShell attack missed in the GetShell stage is identified in the WebShell utilization stage. Combining the stages of the WebShell attack (the GetShell stage and the WebShell utilization stage) in identification improves identification accuracy and avoids missed identification.
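The two-stage logic of S203 to S205 and S2031 to S2033, together with the two ways of handling attack data just described, can be written out as follows. This is an added illustration and not code from the patent or from Sangfor. The preset text features, the behavior names, the sample file names and the IP addresses are assumptions constructed for the example, and requiring a file to match both a script suffix and a name keyword before its text feature counts is a design choice of the example (a bare script suffix alone would flag every legitimate script upload).

```python
"""Two-stage WebShell identification: GetShell stage, then utilization stage."""
from dataclasses import dataclass, field
from enum import Enum

# Preset features are stored on the detection device in advance. The patent
# only gives the kind of feature (script suffix, "hacker" in the file name);
# the concrete values below are assumptions constructed for this example.
PRESET_SUFFIXES = {"php", "asp", "aspx", "jsp", "cgi"}
PRESET_NAME_KEYWORDS = {"hacker", "shell", "cmd"}
# "first behavior": what the data does on the host while being received
PRESET_FIRST_BEHAVIORS = {"write_to_webroot", "chmod_exec_web_file"}
# "second behavior": what the data does on the host while being used
PRESET_SECOND_BEHAVIORS = {"db_modify", "privilege_escalation",
                           "spawn_shell", "intranet_lateral_access"}


class Verdict(Enum):
    CLEAN = "no WebShell attack identified"
    GETSHELL = "attacked in GetShell stage"
    UTILIZATION = "attacked in WebShell utilization stage"
    BLOCKED = "dropped: source already identified as intrusion source"


@dataclass
class TargetData:
    """Data sent by one terminal to the host, with what was observed per stage."""
    src_ip: str
    filename: str
    first_behaviors: set = field(default_factory=set)
    second_behaviors: set = field(default_factory=set)


@dataclass
class Detector:
    mode: str = "block"            # "block" = first way, "observe" = second way
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def text_feature_matches(self, d: TargetData) -> bool:
        """S2031, text half. A script suffix alone would match every legitimate
        script upload, so this example also requires a name keyword."""
        name = d.filename.lower()
        suffix = name.rsplit(".", 1)[-1] if "." in name else ""
        return suffix in PRESET_SUFFIXES and any(k in name for k in PRESET_NAME_KEYWORDS)

    def first_behavior_matches(self, d: TargetData) -> bool:
        """S2031, behavior half."""
        return bool(d.first_behaviors & PRESET_FIRST_BEHAVIORS)

    def is_attack_data(self, d: TargetData) -> bool:
        """S2032/S2033: attack data if either feature matches (the "and/or"),
        non-attack data only if neither does."""
        return self.text_feature_matches(d) or self.first_behavior_matches(d)

    def identify(self, d: TargetData) -> list:
        """S203 to S205: GetShell stage first, utilization stage second."""
        if d.src_ip in self.blocked_sources:
            return [Verdict.BLOCKED]      # later data from a blocked source is refused
        if self.is_attack_data(d):
            self.alerts.append(f"GetShell stage: WebShell from {d.src_ip} ({d.filename})")
            verdicts = [Verdict.GETSHELL]
            if self.mode == "block":
                # First way: control the intrusion source so that its data can
                # never generate utilization-stage behavior on the host.
                self.blocked_sources.add(d.src_ip)
            elif d.second_behaviors:
                # Second way: utilization-stage behavior could be obtained, so the
                # intrusion also did harm in the utilization stage.
                verdicts.append(Verdict.UTILIZATION)
            return verdicts
        # S204/S205: nothing seen in the GetShell stage; a WebShell missed there
        # is still caught by what it does on the host while being used.
        hit = d.second_behaviors & PRESET_SECOND_BEHAVIORS
        if hit:
            self.alerts.append(f"utilization stage: {sorted(hit)} from {d.src_ip}")
            return [Verdict.UTILIZATION]
        return [Verdict.CLEAN]


if __name__ == "__main__":
    det = Detector(mode="block")
    # Constructed sample inputs; the IPs are documentation addresses.
    for d in (TargetData("203.0.113.7", "hacker_shell.php", {"write_to_webroot"}),
              TargetData("203.0.113.7", "anything.txt"),
              TargetData("203.0.113.9", "report.pdf", set(), {"db_modify"}),
              TargetData("198.51.100.2", "logo.png")):
        print(d.src_ip, d.filename, [v.value for v in det.identify(d)])
```

The `report.pdf` case is the one the patent is most concerned with: its text features and receiving-stage behavior match nothing, so the GetShell stage passes it, and only the utilization-stage behavior (`db_modify`) reveals it. Note that the two ways are alternatives: a detector in block mode never sees utilization-stage behavior from a blocked source, which is the point of the first way, but that also means the strong confirmation of the second way is unavailable in that mode.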
The technical solution of the embodiment of the present application is further described below with reference to fig. 4 to 6.
In this embodiment, taking the application scenario shown in Fig. 4 as an example, the detection device may be a firewall or gateway device and is at least configured to monitor data transmitted from an extranet terminal to an intranet host. It will be appreciated that the extranet terminal may be a normal user terminal or a hacker's terminal. If a hacker's terminal launches a WebShell attack on the intranet host, the text features and/or behavior of the data it sends to the intranet host will carry the characteristics of a WebShell attack. In this application scenario, the whole life cycle of the WebShell attack is considered to include a GetShell stage and a WebShell utilization stage. As shown in Fig. 5, the detection device is divided into at least two modules: a GetShell-stage detection module and a WebShell-utilization-stage detection module. The GetShell-stage detection module analyzes the text features and/or behavior (features) of the data sent by the extranet terminal to the intranet host in that stage, to identify whether a WebShell intrusion into the host exists in the GetShell stage. The WebShell-utilization-stage detection module analyzes the behavior generated on the intranet host by the data sent by the extranet terminal in that stage, to identify whether a WebShell attack on the host exists in the WebShell utilization stage, so that a WebShell attack missed in the GetShell stage is still identified.
Further, the detection device also includes an automatic tracing system, at least used to record the relevant information of data that generates a WebShell attack in either stage (such as the source IP address and destination IP address of the attack data), to draw a hacker portrait from the recorded information, and to output the drawn portrait.
The identification scheme in the embodiment of the present application is described in stages below.
First phase, GetShell phase:
it is to be understood that the execution subject of the GetShell phase is the detection device, in particular the GetShell phase detection module. As shown in fig. 6, the specific implementation flow is as follows:
s601: monitoring a communication flow packet or a data packet sent by an external network terminal to an internal network host;
s602: collecting monitored flow packets or data packets, and judging whether the data packets are files or not;
if yes, continuing to execute the following flow;
if the judgment result is no, the flow ends.
S603: analyzing the text characteristics of the data packet, and judging whether the text characteristics are matched with preset text characteristics;
when matched, the data packet is attack data, and S604 is executed;
if not matched, the data packet is non-attack data, and S605 is executed;
It can be understood that in the application scenario, the data packet that the extranet terminal is to be prevented from sending to the intranet host is WebShell data. Text features of WebShell data are stored in the detection device in advance and can be used directly when needed. Text features of WebShell data include, but are not limited to, the following: the suffix is usually php or asp, the file name usually carries the word "haike", the domain name is usually a name commonly used by hackers, etc.
Judging whether the text features of the acquired data packet match the preset text features means judging whether the data packet contains information consistent with the text features of WebShell data; if so, the data packet is considered a match, otherwise it is considered a mismatch. A match may also be considered to exist when the data packet contains information whose similarity to the aforementioned text features of WebShell data is higher than a threshold, such as 80% or 90%; otherwise, a match is not considered to exist. It can be understood that in practical applications the data packet may be encrypted, in which case the detection device, specifically the GetShell phase detection module, needs to decrypt the encrypted data before performing the matching judgment.
S604: extracting the relevant information of the data packet, adding the relevant information into an automatic tracing system, and ending the process;
Here, the relevant information may be the source IP address and destination IP address of the packet, and information such as an identifier of the browser and an identifier of the intranet host may also be recorded; at least the source IP address of the data packet is recorded. It will be appreciated that the source IP address of the packet may be regarded as an identifier of the extranet terminal that sent it. Identifying the data packet sent by the extranet terminal as a malicious file, namely WebShell data, by means of its text features is equivalent to identifying that the host is attacked by WebShell in the GetShell phase using only the text features of the data packet. For the identified WebShell data, the detection device, in particular the GetShell phase detection module, intercepts or blocks the data, generates an alarm, and records the relevant information of the data to the automatic tracing system.
S605: monitoring the behavior of the data packet on the host in the GetShell phase, and judging whether the behavior matches a preset first behavior;
when matched, S604 is executed;
if not matched, S606 is executed;
In order to avoid missed identification of a WebShell attack in the GetShell phase when only the text features of the data packet are used, in the application scenario, when the text features are identified as not matching, whether the data packet is WebShell data can be further identified based on the behavior generated in the GetShell phase, so that missed identification is avoided.
It is understood that if the data packet contains WebShell data, it will generate in the GetShell phase at least one of the following behaviors that WebShell data generates in that phase: code execution behavior, WebShell scanning behavior, and/or brute force cracking behavior. The code execution behavior is the writing of WebShell code data into the host, for example by means of code such as ?cmd=${fputs(fopen(c.php,w),<... The WebShell scanning behavior is the behavior of verifying whether WebShell data exists by a simple operation. The brute force cracking behavior is the behavior of the data packet repeatedly attempting to crack the account and password of the host administrator within a short time. The above behaviors may be regarded as the preset first behavior. When the data packet generates at least one of these behaviors in the GetShell phase, the behavior that the data packet generates on the host in the GetShell phase is considered to match the preset first behavior; otherwise, it is considered a mismatch.
It should be noted that the preset text features and preset behaviors in the application scenario include, but are not limited to, those described above, and may cover any other reasonable situations.
S606: identifying that the intranet host receiving the data packet has not been attacked by WebShell data in the GetShell phase.
The above scheme is the process of identifying whether a WebShell intrusion exists in the GetShell phase. Because the identification combines the text features of the data packet with the behaviors generated in the GetShell phase, the accuracy of identifying an intrusion in the GetShell phase can be greatly improved, and missed identification in the GetShell phase can be greatly reduced.
The above flow describes identification performed in the GetShell phase by combining the text features and behaviors of a data packet, where identification proceeds from the text features first and then from the behaviors. It will be appreciated that it is also possible to start with the behaviors and then proceed to the text features, or to perform identification from the text features and the behaviors of the same data packet at the same time. For details, reference is made to the similar descriptions above, which are not repeated.
When the data packet is identified as attack data, the attack data can be regarded as intrusion data and the terminal that sent it to the host can be regarded as an intrusion source. The detection device, in particular a control module (not shown in fig. 4), can obtain an identifier of the intrusion source, such as the source IP address of the data packet, and control the intrusion source so that the intrusion data cannot be used to perform adverse behavior operations, such as privilege escalation or database changes, in the WebShell utilization phase. The control module may also prohibit the host, specifically the GetShell phase detection module, from receiving data subsequently sent by the intrusion terminal. In addition, when attack data has been identified, if a behavior operation of the intrusion data on the host can be obtained in the WebShell utilization phase, the intrusion data identified in the GetShell phase is considered to have generated an adverse operation in the WebShell utilization phase. This approach amounts to a stronger identification of whether the intrusion data identified in the GetShell phase can cause adverse behavior operations on the host.
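The GetShell-phase flow S601 to S606, together with the control of the intrusion source described above, can be expressed as follows. This is an added illustration and not part of the patent; the preset feature values, the 80% similarity threshold as a fuzzy-match cutoff, the behavior labels and the sample packets are all constructed assumptions.

```python
"""GetShell-phase identification (S601-S606) with text features and first behaviors.
Added example; the preset feature values, thresholds and packets are constructed."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Preset text features of WebShell data (assumed values following the description:
# php/asp suffix, the token "haike" in the file name, hacker-style domain names).
PRESET_SUFFIXES = {"php", "asp"}
PRESET_NAME_TOKENS = {"haike"}
PRESET_DOMAINS = {"haike-home.example"}   # constructed placeholder
SIMILARITY_THRESHOLD = 0.8                # the 80% similarity figure from the text
# Preset first behaviors observed while the host receives the data.
PRESET_FIRST_BEHAVIORS = {"code_execution", "webshell_scan", "brute_force"}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    is_file: bool
    filename: str = ""
    domain: str = ""
    browser_id: str = ""
    # behaviors the host-side probe attributed to this packet during reception
    observed_behaviors: set = field(default_factory=set)


@dataclass
class TracingRecord:
    src_ip: str
    dst_ip: str
    browser_id: str
    stage: str
    reason: str


def text_features_match(pkt: Packet) -> bool:
    """S603: the packet matches when it carries information consistent with the
    preset text features, or information whose similarity to them reaches the
    threshold. Assumption: a php/asp suffix alone is not a match, because benign
    web content shares it; it must be paired with a name or domain indicator."""
    name = pkt.filename.lower()
    stem, dot, suffix = name.rpartition(".")
    if not dot:
        stem, suffix = name, ""
    if suffix not in PRESET_SUFFIXES:
        return False
    if pkt.domain.lower() in PRESET_DOMAINS:
        return True
    for token in PRESET_NAME_TOKENS:
        if token in stem or SequenceMatcher(None, stem, token).ratio() >= SIMILARITY_THRESHOLD:
            return True
    return False


def first_behavior_match(pkt: Packet) -> bool:
    """S605: at least one preset first behavior was generated during reception."""
    return bool(pkt.observed_behaviors & PRESET_FIRST_BEHAVIORS)


class GetShellDetector:
    """Holds the automatic tracing records and the controlled intrusion sources."""

    def __init__(self):
        self.tracing = []             # automatic tracing system records
        self.blocked_sources = set()  # intrusion sources under control

    def _record(self, pkt: Packet, reason: str) -> None:
        # S604: extract related information (at least the source IP), add it to the
        # tracing system, and control the intrusion source for the utilization phase.
        self.tracing.append(TracingRecord(pkt.src_ip, pkt.dst_ip, pkt.browser_id,
                                          "GetShell", reason))
        self.blocked_sources.add(pkt.src_ip)

    def detect(self, pkt: Packet) -> str:
        if pkt.src_ip in self.blocked_sources:
            return "blocked"           # subsequent data from an intrusion source is refused
        if not pkt.is_file:            # S602: only files are examined further
            return "not_file"
        if text_features_match(pkt):   # S603 -> S604
            self._record(pkt, "text_feature")
            return "attack"
        if first_behavior_match(pkt):  # S605 -> S604
            self._record(pkt, "first_behavior")
            return "attack"
        return "non_attack"            # S606: passed on to the utilization phase


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.0.7", True, "haike.php", browser_id="UA-1"),
    Packet("203.0.113.9", "10.0.0.7", True, "upload.asp", observed_behaviors={"brute_force"}),
    Packet("198.51.100.2", "10.0.0.8", True, "index.html"),
    Packet("198.51.100.3", "10.0.0.8", False),
    Packet("203.0.113.5", "10.0.0.9", True, "notes.txt"),  # same source as the first packet
]


def run_sample():
    """Returns the per-packet verdicts and the detector state after the sample."""
    det = GetShellDetector()
    verdicts = [det.detect(p) for p in SAMPLE_PACKETS]
    return verdicts, det


if __name__ == "__main__":
    v, d = run_sample()
    print(v, sorted(d.blocked_sources))
```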
Second phase, WebShell utilization phase:
it can be understood that the execution subject of the WebShell utilization phase is a detection device, specifically a WebShell utilization phase detection module. In practical application, a hacker can successfully defend the GetShell stage detection module by using technologies such as deformation, confusion and encryption, namely, the situation that WebShell attacks are missed to be identified exists in the GetShell stage. In order to avoid adverse effects on the host caused by the situation, a processing flow of the WebShell utilization stage needs to be executed.
It can be understood that attack data identified in the GetShell phase can be treated as a key monitoring object in the utilization phase, so that the attack data is controlled and prohibited from generating behaviors such as changing a database or escalating privileges. As for non-attack data identified in the GetShell phase, because missed detection is possible in the GetShell phase, such data may essentially be WebShell data that the GetShell phase failed to detect, or it may be normal data transmitted from the extranet terminal to the intranet host. Whether it is normal data or WebShell data may be determined according to the following scheme.
It is understood that after WebShell data not recognized in the GetShell phase is successfully implanted into the host, at least one of the following behaviors will be generated on the host: a file modification or new file generation behavior, a database operation behavior, a privilege escalation behavior, a behavior of performing the above behaviors against other intranet hosts through the implanted host, and a behavior of uploading an executable file to the host. Based on this, in the WebShell utilization phase, the detection device, specifically the WebShell utilization phase detection module, monitors the above behaviors.
In a specific implementation, a probe is installed on the host, and the probe can read and monitor the following data of the host. The specific monitoring process is as follows:
(1) Monitoring whether a file modification or new file generation behavior exists: the detection device, specifically the WebShell utilization phase detection module, polls the sensitive file directory and judges whether a new file has been generated or an existing file has been modified. The sensitive files may include private files of the host and files recording administrator information such as account, password and authority. Whether a file has been modified can be determined by whether its md5 value has changed: each file has a unique md5 value, the md5 value is recorded when the file is created, and the file is considered modified if the current md5 differs from the recorded one. Those skilled in the art will appreciate that if non-attack data causes the host to generate a new file or modify a file in the WebShell utilization phase, this may be caused by normal data or by abnormal data such as WebShell data. Therefore, when a new file is generated or a file is modified, WebShell killing (scanning) is performed on the file; when the result shows that the new file generation or file modification on the host is a behavior operation generated by WebShell data, the behavior is blocked and the relevant information of the WebShell data is extracted to the automatic tracing system.
(2) Monitoring whether a database operation behavior exists: monitoring whether the non-attack data identified in the GetShell phase has database access behavior, such as establishing a communication connection with the database, or data modification behavior, such as addition, deletion, query and change. If such behavior is monitored, the non-attack data is determined to be WebShell data, the behavior is blocked, and the relevant information of the data is extracted and added to the automatic tracing system.
(3) Monitoring whether a privilege escalation behavior exists: monitoring whether the non-attack data identified in the GetShell phase attempts to obtain higher system authority; if so, the non-attack data is determined to be WebShell data, the behavior is blocked, and the relevant information of the data is extracted and added to the automatic tracing system.
(4) Monitoring whether an executable program upload behavior exists: monitoring whether the non-attack data identified in the GetShell phase uploads an executable program, such as an exe program, to the host; if so, the non-attack data is determined to be WebShell data, the behavior is blocked, and the relevant information of the data is extracted and added to the automatic tracing system.
(5) Monitoring whether behaviors such as file modification, database modification and privilege escalation are performed against other intranet hosts through the implanted host (for example, the behavior of pinging intranet hosts): monitoring whether the non-attack data identified in the GetShell phase exhibits such behaviors; if so, the non-attack data is determined to be WebShell data, and the relevant information of the WebShell data is extracted and added to the automatic tracing system.
It is understood that the data recorded to the automatic tracing system can be the related data of the WebShell, and the related data and the generated behavior can be recorded together in the automatic tracing system. The above behaviors can be regarded as the preset second behavior; as long as the non-attack data identified in the GetShell phase generates at least one of these behaviors in the WebShell utilization phase, the second target feature can be regarded as matching the second behavior.
It should be noted that the (second) behaviors generated by WebShell data in the application scenario include, but are not limited to, the above WebShell utilization behaviors.
It can be understood that in the foregoing case, the GetShell phase fails to detect the WebShell attack and the WebShell utilization phase detects it, so that adverse effects on the host due to missed detection in the GetShell phase are avoided. The scheme is equivalent to recognizing a WebShell attack by combining each phase of the WebShell (the GetShell phase and the WebShell utilization phase), which can improve recognition accuracy and avoid missed recognition.
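The host-side probe of items (1) to (5), with the md5 baseline of a sensitive directory and the matching of observed behaviors against the preset second behavior, can be sketched as follows. This is an added illustration and not the patent's implementation; the directory contents, the behavior labels and the stand-in for the WebShell killing scan are constructed assumptions.

```python
"""WebShell utilization phase probe: md5 baseline polling of a sensitive directory
(item (1)) plus matching of observed behaviors (2)-(5) against the preset second
behavior. Added example; the directory contents and behavior names are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Preset second behaviors (names are constructed labels for items (1)-(5)).
PRESET_SECOND_BEHAVIORS = {
    "file_created", "file_modified", "db_operation",
    "privilege_escalation", "exe_upload", "lateral_movement",
}


def md5_of(path: Path) -> str:
    """Stream the file so large sensitive files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(sensitive_dir: Path) -> dict:
    """Baseline: relative path -> md5 for every file under the sensitive directory."""
    return {str(p.relative_to(sensitive_dir)): md5_of(p)
            for p in sorted(sensitive_dir.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> list:
    """A path absent from the baseline is a new file; a changed md5 is a modification."""
    events = []
    for rel, digest in current.items():
        if rel not in baseline:
            events.append(("file_created", rel))
        elif baseline[rel] != digest:
            events.append(("file_modified", rel))
    return events


def stand_in_webshell_kill(path: Path) -> bool:
    """Stand-in for the 'WebShell killing' scan the description applies to created or
    modified files. Constructed: treats only web-script suffixes as WebShell results."""
    return path.suffix.lower() in {".php", ".asp"}


class UtilizationMonitor:
    def __init__(self, sensitive_dir, kill=stand_in_webshell_kill):
        self.dir = Path(sensitive_dir)
        self.kill = kill
        self.baseline = snapshot(self.dir)   # md5 values recorded at start
        self.tracing = []                    # records for the automatic tracing system

    def poll(self, observed_behaviors=frozenset()) -> set:
        """One polling round. observed_behaviors are the probe's (2)-(5) observations
        for data the GetShell phase passed as non-attack data. Returns the matched
        second behaviors; a non-empty result means the data is WebShell data."""
        current = snapshot(self.dir)
        matched = set()
        for behavior, rel in diff_snapshots(self.baseline, current):
            if self.kill(self.dir / rel):        # block only confirmed WebShell files
                matched.add(behavior)
                self.tracing.append((behavior, rel))
        self.baseline = current
        for behavior in set(observed_behaviors) & PRESET_SECOND_BEHAVIORS:
            matched.add(behavior)
            self.tracing.append((behavior, None))
        return matched


def is_webshell(matched: set) -> bool:
    """The second target feature matches the preset second behavior when any is present."""
    return bool(matched)


def run_sample():
    """Constructed scenario: baseline, a benign edit of a text file, a dropped .php
    file, then a privilege-escalation observation reported by the probe."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "admin.conf").write_text("user=admin\n")
        (d / "notes.txt").write_text("hello\n")
        mon = UtilizationMonitor(d)
        r1 = mon.poll()                                      # nothing changed
        (d / "notes.txt").write_text("hello again\n")       # modified, not a web script
        (d / "c.php").write_text("placeholder content\n")   # new web-script file
        r2 = mon.poll()
        r3 = mon.poll({"privilege_escalation"})
        return r1, r2, r3, list(mon.tracing)


if __name__ == "__main__":
    print(run_sample())
```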
In the application scenario, the automatic tracing system can record the source IP address, browser identifier, attack time and the like of WebShell data in the GetShell phase, and can also record the attack sequence (such as first modifying a file and then modifying a database, or first modifying the database and then modifying the file) and the attack behaviors (modifying a file or modifying a database) of WebShell data in the WebShell utilization phase. In addition, the automatic tracing system can analyze and summarize the recorded data in order to profile the behavior of hackers. For example, if most hosts in the intranet are invaded at the same time by packets from the same IP address, and those packets attempt privilege escalation and intranet penetration on the corresponding hosts, the intranet can be considered to be under simultaneous attack by the same hacker or hacker organization. The automatic tracing system takes information such as the IP address, attack time and browser used by the data packet as portrait information, draws the hacker portrait and presents it to the administrator for handling, thereby enhancing the security of the intranet hosts. It can be understood that the automatic tracing system also has an automatic alarm function and can remind the administrator by sound, image, vibration and other means.
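The aggregation step of the automatic tracing system, grouping recorded attack data by source IP and time and flagging the "same hacker or hacker organization" case, can be written as below. This is an added illustration, not part of the patent; the five-minute window, the "more than half of the hosts" reading of "most hosts", the behavior labels and the records are constructed assumptions.

```python
"""Automatic tracing system: aggregating recorded attack data into a hacker portrait.
Added example; the window, the 'most hosts' fraction and all records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 300       # assumed: records within five minutes count as "the same time"
MOST_HOSTS_FRACTION = 0.5  # assumed: "most hosts" means more than half of the intranet


@dataclass(frozen=True)
class TraceRecord:
    src_ip: str
    host: str        # intranet host that received the data
    browser: str     # browser identifier recorded in the GetShell phase
    ts: int          # attack time (constructed epoch-style seconds)
    behavior: str    # utilization-phase behavior recorded by the probe


def group_by_source(records, window=WINDOW_SECONDS) -> dict:
    """Bucket records by (source IP, time window) so simultaneous activity lines up."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r.src_ip, r.ts // window)].append(r)
    return buckets


def attack_sequence(records) -> list:
    """Order of behaviors, e.g. first modify a file and then modify the database."""
    return [r.behavior for r in sorted(records, key=lambda r: r.ts)]


def build_portraits(records, intranet_hosts, window=WINDOW_SECONDS,
                    fraction=MOST_HOSTS_FRACTION) -> list:
    """One portrait per (source IP, window). It is flagged as a single hacker or
    organization when most intranet hosts were hit and the packets attempted
    privilege escalation and intranet penetration (lateral movement)."""
    portraits = []
    for (ip, bucket), recs in group_by_source(records, window).items():
        hosts = {r.host for r in recs}
        behaviors = {r.behavior for r in recs}
        coordinated = (len(hosts) > fraction * len(intranet_hosts)
                       and {"privilege_escalation", "lateral_movement"} <= behaviors)
        portraits.append({
            "src_ip": ip,
            "window_start": bucket * window,
            "browsers": sorted({r.browser for r in recs}),
            "hosts": sorted(hosts),
            "sequence": attack_sequence(recs),
            "same_attacker": coordinated,
        })
    return portraits


def alarm_sources(portraits) -> list:
    """Sources the administrator is alerted about (the automatic alarm function)."""
    return sorted({p["src_ip"] for p in portraits if p["same_attacker"]})


# Constructed records: one source sweeping three of four hosts within a window,
# another touching a single host with a file-then-database sequence.
INTRANET_HOSTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}
SAMPLE_RECORDS = [
    TraceRecord("203.0.113.5", "10.0.0.1", "UA-A", 1000, "privilege_escalation"),
    TraceRecord("203.0.113.5", "10.0.0.2", "UA-A", 1030, "privilege_escalation"),
    TraceRecord("203.0.113.5", "10.0.0.3", "UA-A", 1060, "lateral_movement"),
    TraceRecord("203.0.113.5", "10.0.0.2", "UA-A", 1090, "lateral_movement"),
    TraceRecord("198.51.100.7", "10.0.0.4", "UA-B", 5000, "file_modified"),
    TraceRecord("198.51.100.7", "10.0.0.4", "UA-B", 5020, "db_operation"),
]


if __name__ == "__main__":
    for portrait in build_portraits(SAMPLE_RECORDS, INTRANET_HOSTS):
        print(portrait)
    print(alarm_sources(build_portraits(SAMPLE_RECORDS, INTRANET_HOSTS)))
```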
In the embodiment of the application, text features are integrated, and whether a WebShell attack on the host exists is judged according to the behavior features generated on the host at two different phases, so the method has a lower false alarm rate.
The advantages of the method are as follows. In the GetShell phase, data transmitted from the extranet terminal to the intranet host can be monitored in time, so the judgment of a WebShell attack based on this monitoring is highly timely, and the situation in which a WebShell successfully invades the host because of a wrong judgment caused by untimely monitoring can be largely avoided. The WebShell utilization phase monitors the behavior that the target data generates on the host, as distinct from a method of statically scanning WebShell scripts. The embodiment of the application combines the whole life cycle of the WebShell attack, in particular each phase of that life cycle, to identify WebShell attacks comprehensively, and thus has stronger detection capability, a lower false alarm rate and more comprehensive alarm information. In addition, the automatic tracing system can draw and output the hacker portrait from the recorded data so as to serve as a warning.
An embodiment of the present application provides a detection apparatus, as shown in fig. 7, including: a first obtaining unit 701, a second obtaining unit 702, a third obtaining unit 703, and an identifying unit 704; wherein:
a first obtaining unit 701, configured to obtain target data, where the target data is characterized by data transmitted from a terminal to a host;
a second obtaining unit 702, configured to obtain a first target feature of target data, where the first target feature is characterized by a text feature of the target data and/or a behavior of the target data on the host when the target data is in a stage of being received by the host;
a third obtaining unit 703, configured to obtain a second target feature of the target data, where the second target feature is characterized by a behavior of the target data on the host in a stage of being utilized by the host;
an identifying unit 704, configured to identify whether the host is attacked by the web script based on the first target feature and the second target feature.
In an alternative embodiment, the identifying unit 704 is configured to:
identifying whether the target data is attack data or not based on the first target characteristic;
under the condition that the target data are non-attack data, obtaining a second target characteristic of the target data;
determining whether the host is attacked by webpage scripts based on the second target characteristic.
In an alternative embodiment, where the first target feature is characterized by a textual feature of target data and a behavior of the target data on the host that the target data produces when received by the host; the identifying unit 704 is configured to: judging whether the text features of the target data are matched with preset text features or not, and judging whether the behavior generated under the condition that the target data are received is matched with a preset first behavior or not;
and determining that the target data is non-attack data under the conditions that the text features of the target data are not matched with preset text features and the behavior generated under the condition that the target data are received is not matched with a preset first behavior.
In an alternative embodiment, the identifying unit 704 is configured to:
in the case where the target data is attack data,
obtaining an identifier of a terminal transmitting the target data to the host;
and controlling the target data transmitted by the terminal with the identification to prohibit the second target characteristic from being generated.
In an alternative embodiment, the identifying unit 704 is configured to:
determining that the host is attacked by the webpage script at the received stage under the condition that the target data are attack data;
judging whether a second target feature of the target data can be obtained or not;
and if so, determining that the host is attacked by the webpage script in the utilized stage.
In an alternative embodiment, the identifying unit 704 is configured to: judging whether the second target characteristic is matched with a preset second behavior; and under the condition of judging that the two are matched, determining that the host is attacked by the webpage script in the utilized stage.
It can be understood that the first obtaining unit 701, the second obtaining unit 702, the third obtaining unit 703 and the identifying unit 704 in the detection apparatus may be implemented in practical applications by a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU) or a Field Programmable Gate Array (FPGA) of the detection apparatus.
It should be noted that, because the principle by which the detection apparatus of the embodiment of the present application solves the problem is similar to that of the detection method, the implementation process and implementation principle of the detection apparatus can be understood by referring to those of the method, and repeated details are not repeated.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is configured to, when executed by a processor, perform at least the steps of the method shown in any one of fig. 1 to 6. The computer readable storage medium may be specifically a memory. The memory may be the memory 62 as shown in fig. 8.
The embodiment of the application also provides a terminal. Fig. 8 is a schematic diagram of a hardware structure of a detection apparatus according to an embodiment of the present application, and as shown in fig. 8, the detection apparatus includes: a communication component 63 for data transmission, at least one processor 61 and a memory 62 for storing computer programs capable of running on the processor 61. The various components in the terminal are coupled together by a bus system 64. It will be appreciated that the bus system 64 is used to enable communications among the components. The bus system 64 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are labeled as bus system 64 in fig. 8.
Wherein the processor 61 executes the computer program to perform at least the steps of the method of any of fig. 1 to 6.
It will be appreciated that the memory 62 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. Volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM). The memory 62 described in embodiments herein is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiments of the present application may be applied to the processor 61, or implemented by the processor 61. The processor 61 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 61. The processor 61 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 61 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 62, and the processor 61 reads the information in the memory 62 and performs the steps of the aforementioned method in conjunction with its hardware.
In an exemplary embodiment, the detection Device may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, MCUs, microprocessors (microprocessors), or other electronic components for performing the aforementioned detection method.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of detection, the method comprising:
acquiring target data, wherein the target data is characterized by data transmitted from a terminal to a host;
obtaining a first target feature of target data, wherein the first target feature is characterized by a text feature of the target data and/or a behavior of the target data on the host when the target data is in a receiving stage by the host;
obtaining a second target characteristic of the target data, wherein the second target characteristic is characterized by a behavior of the target data on the host in a stage of being utilized by the host;
identifying whether the host is attacked by a web script based on the first target feature and the second target feature.
2. The method of claim 1, wherein identifying whether the host is attacked by web scripting based on the first target feature and the second target feature comprises:
identifying whether the target data is attack data or not based on the first target characteristic;
under the condition that the target data are non-attack data, obtaining a second target characteristic of the target data;
determining whether the host is attacked by webpage scripts based on the second target characteristic.
3. The method of claim 2, wherein the first target characteristic is characterized by a textual characteristic of target data and a behavior of the target data on the host if the target data is received by the host;
correspondingly, the identifying whether the target data is attack data based on the first target feature includes:
judging whether the text features of the target data are matched with preset text features or not, and judging whether the behavior generated under the condition that the target data are received is matched with a preset first behavior or not;
and determining that the target data is non-attack data under the conditions that the text features of the target data are not matched with preset text features and the behavior generated under the condition that the target data are received is not matched with a preset first behavior.
4. A method according to claim 2 or 3, characterized in that the method further comprises:
in the case where the target data is attack data,
obtaining an identifier of a terminal transmitting the target data to the host;
and controlling the target data transmitted by the terminal with the identification to prohibit the second target characteristic from being generated.
5. A method according to claim 2 or 3, characterized in that the method further comprises:
determining that the host is attacked by the webpage script at the received stage under the condition that the target data are attack data;
judging whether a second target feature of the target data can be obtained or not;
and if so, determining that the host is attacked by the webpage script in the utilized stage.
6. The method of claim 2 or 3, wherein determining whether the host has been attacked by the webpage script based on the second target feature comprises:
determining whether the second target feature matches a preset second behavior;
and when they match, determining that the host has been attacked by the webpage script at the utilization stage.
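The two-stage decision of claims 2 to 6, with the terminal blocking of claim 4, as an added illustration that is not the patent's own code; the preset text patterns, the behavior labels and the sample uploads are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
import re

# Constructed preset text features: patterns a webshell body commonly carries (claim 3).
PRESET_TEXT_FEATURES = [re.compile(p, re.I) for p in (r"\beval\s*\(", r"\bsystem\s*\(", r"base64_decode\s*\(")]
# Constructed preset first behaviors: host effects observed while the data is received (claim 3).
PRESET_FIRST_BEHAVIORS = {"write_outside_upload_dir", "write_executable_in_webroot"}
# Constructed preset second behaviors: host effects observed when the data is utilized (claim 6).
PRESET_SECOND_BEHAVIORS = {"spawn_shell", "outbound_connect", "read_passwd"}

@dataclass
class TargetData:
    terminal_id: str                    # identifier of the sending terminal (claim 4)
    text: str                           # body of the data sent to the host
    receive_behaviors: Set[str]         # behavior part of the first target feature
    use_behaviors: Optional[Set[str]]   # second target feature; None = host never utilized it

@dataclass
class Detector:
    blocked_terminals: Set[str] = field(default_factory=set)

    def is_attack_data(self, data: TargetData) -> bool:
        """Claim 3: non-attack only if neither the text nor the receive-time behavior matches."""
        text_hit = any(p.search(data.text) for p in PRESET_TEXT_FEATURES)
        behavior_hit = bool(data.receive_behaviors & PRESET_FIRST_BEHAVIORS)
        return text_hit or behavior_hit

    def detect(self, data: TargetData) -> Set[str]:
        """Stages at which the host is judged attacked: "receive", "use", or "blocked"."""
        if data.terminal_id in self.blocked_terminals:
            return {"blocked"}          # claim 4: data from a flagged terminal is never utilized
        if self.is_attack_data(data):   # claim 5: attacked at the receiving stage
            self.blocked_terminals.add(data.terminal_id)
            return {"receive", "use"} if data.use_behaviors is not None else {"receive"}
        # claims 2 and 6: passed the first stage, so judge by behavior once the host utilizes it
        if data.use_behaviors and data.use_behaviors & PRESET_SECOND_BEHAVIORS:
            return {"use"}
        return set()

# Constructed sample uploads: file bodies plus the behaviors observed on the host.
UPLOADS = [
    TargetData("t1", "<?php echo 'hello'; ?>", set(), None),
    TargetData("t2", "<?php @eval($_POST['x']); ?>", set(), {"spawn_shell"}),
    TargetData("t3", "<?php include($_GET['f']); ?>", set(), {"outbound_connect"}),
    TargetData("t2", "<?php echo 1; ?>", set(), {"spawn_shell"}),  # same terminal as the webshell
]

def run_demo():
    detector = Detector()
    return [detector.detect(u) for u in UPLOADS]
```

The third upload passes the text and receive-time checks and is caught only by its behavior at the utilization stage, which is the case the second target feature exists to cover.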
7. A detection apparatus, comprising: a first obtaining unit, a second obtaining unit, a third obtaining unit and an identifying unit; wherein
the first obtaining unit is configured to obtain target data, the target data being data transmitted from a terminal to a host;
the second obtaining unit is configured to obtain a first target feature of the target data, the first target feature being characterized by a text feature of the target data and/or a behavior of the target data on the host while the host is at the stage of receiving the target data;
the third obtaining unit is configured to obtain a second target feature of the target data, the second target feature being characterized by a behavior of the target data on the host at the stage in which the host utilizes the target data;
and the identifying unit is configured to identify, based on the first target feature and the second target feature, whether the host has been attacked by a webpage script.
8. The apparatus of claim 7, wherein the identifying unit is configured to:
identify whether the target data is attack data based on the first target feature;
when the target data is identified as non-attack data, obtain a second target feature of the target data;
and determine, based on the second target feature, whether the host has been attacked by the webpage script.
9. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the steps of the method of any one of claims 1 to 6.
10. A detection device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the steps of the method according to any one of claims 1 to 6 are implemented when the processor executes the program.
CN202010608629.XA 2020-06-29 2020-06-29 Detection method, detection device and storage medium Pending CN111800405A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201020