CN113312624B - Java Web application memory Trojan horse detection method, terminal equipment and storage medium - Google Patents


Info

Publication number
CN113312624B
Authority
CN
China
Prior art keywords
java
class
memory
byte stream
web application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110685500.3A
Other languages
Chinese (zh)
Other versions
CN113312624A (en
Inventor
曾祥江
郑杭杰
杨雅芳
陈奋
陈荣有
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Fuyun Information Technology Co ltd
CCB Finetech Co Ltd
Original Assignee
Xiamen Fuyun Information Technology Co ltd
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Fuyun Information Technology Co ltd, CCB Finetech Co Ltd filed Critical Xiamen Fuyun Information Technology Co ltd
Priority to CN202110685500.3A priority Critical patent/CN113312624B/en
Publication of CN113312624A publication Critical patent/CN113312624A/en
Application granted granted Critical
Publication of CN113312624B publication Critical patent/CN113312624B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/31 Programming languages or programming paradigms
    • G06F8/315 Object-oriented languages
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention relates to a Java Web application memory Trojan horse detection method, terminal equipment and a storage medium. The method comprises the following steps: S1: obtaining a Class byte stream from a running Java virtual machine; S2: parsing the Class byte stream into identifiable Constant and Method; S3: matching the parsed Constant and Method against a sensitive rule base composed of sensitive rules, and judging the risk of the Class byte stream according to the matching result. Compared with traditional detection methods, the method consumes fewer resources, therefore has less impact on the operation of the business system, and avoids a large number of I/O operations.

Description

Java Web application memory Trojan horse detection method, terminal equipment and storage medium
Technical Field
The invention relates to the field of Trojan detection, in particular to a Java Web application memory Trojan detection method, terminal equipment and a storage medium.
Background
Web application systems are widely used in important business lines such as social networking, shopping and mail, play a very important role among network assets, expose a wide attack surface to many attack techniques, and are easily intruded. For the "fileless Trojan" (memory Trojan) at the host-layer security plane, the implementation methods include: process injection (shellcode injection), WMI backdoors (resident malicious payloads), and remote execution of download commands (e.g., powershell, mshta, regsvr32, etc.). At the application-layer security plane, a fileless Trojan (i.e. memory Trojan) is malicious code that is made resident in memory through a Web container (such as Tomcat, WebLogic and the like) or through Web application vulnerabilities in the container (such as arbitrary command execution, file upload, deserialization and the like); attackers often use memory Trojans to maintain access. Compared with a traditional "file Trojan" attack, this attack mode greatly reduces the traces an attacker leaves on the target machine (traditional security products have insufficient detection capability for such attacks). An attacker can construct different types of memory Trojans using different development languages such as Java, C#, PHP and the like. Existing detection techniques are limited and consume considerable CPU resources of the process. Memory Trojan injection modes and implementations change continually, and existing detection methods struggle to detect them effectively at low cost.
Existing memory Trojan detection methods mainly include agent injection with decompilation of Class files, traversal of the member variable filterMaps via the StandardContext obtained from the request, examination of servletMappings, disk-source checks, and other means. The agent-injection approach attaches a detection jar to the JVM process through the Java instrumentation mechanism and checks whether the classes loaded in the JVM are abnormal. The overall detection idea is as follows: obtain all classes loaded in the JVM; traverse each class and judge whether it is a risk class (classes in memory that an attacker may have added or modified, e.g. classes that implement Filter/Servlet, are labeled risk classes here); traverse the risk classes and check whether each is a webshell; check whether the Class file of a high-risk class exists; decompile the bytecode of the risk class and check whether the Java file contains malicious code. This method has a high detection rate for memory Trojans, but its occupation of the target process's CPU and its system I/O consumption are large. Using JMC, the official JDK tool, it was found that the utilization of a 1-core 2G CPU rises to 80%-90% during detection, which seriously affects the business application and, with some probability, directly causes the process to crash. Investigation shows that the consumption is concentrated mainly in dumping Class files and decompiling classes.
Disclosure of Invention
In order to solve the above problems, the invention provides a Java Web application memory Trojan horse detection method, terminal equipment and a storage medium.
The specific scheme is as follows:
A Java Web application memory Trojan horse detection method comprises the following steps:
S1: obtaining a Class byte stream from a running Java virtual machine;
S2: parsing the Class byte stream into identifiable Constant and Method;
S3: matching the parsed Constant and Method against a sensitive rule base composed of sensitive rules, and judging the risk of the Class byte stream according to the matching result.
Further, in step S1, the Class byte stream is obtained from the running Java virtual machine through Java agent technology.
Further, the specific method for obtaining the Class byte stream from the running Java virtual machine through Java agent technology is as follows: a jar file is written in advance according to the Java agent technical specification; the written jar file is injected into the target process using VirtualMachine; a ClassFileTransformer is registered in the Java virtual machine; and after the classes are redefined by invoking InstrumentationUtils#retransformClasses, the Class byte streams running in the Java virtual machine can be captured.
In step S2, the Class byte stream is first read as a Class bytecode file in hexadecimal and then parsed.
Further, in step S3, the sensitive rules are dangerous Java APIs.
Further, in step S3, the specific method for judging the risk of the Class byte stream according to the matching result is as follows: the Class byte stream is judged to be a memory Trojan when three conditions are all met: a hit rule exists in the matching result; the class to which the Class byte stream belongs is an implementation class of any one of javax.servlet.Filter, javax.servlet.Servlet and javax.servlet.ServletRequestListener; and no disk source exists.
The Java Web application memory Trojan horse detection terminal device comprises a processor, a memory and a computer program stored in the memory and capable of running on the processor, wherein the steps of the method of the embodiment of the invention are realized when the processor executes the computer program.
A computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method described above for embodiments of the present invention.
By adopting the technical scheme, compared with the traditional detection method, the method has lower resource consumption, further has smaller influence on the operation of the service system, and avoids a large number of I/O operations.
Drawings
Fig. 1 is a flowchart of a first embodiment of the present invention.
FIG. 2 is a flow chart illustrating the retrieval of a Class byte stream from a Java virtual machine in this embodiment.
FIG. 3 is a schematic diagram of a hexadecimal Class bytecode file in this embodiment.
Detailed Description
To further illustrate the embodiments, the invention is accompanied by drawings. The drawings, which form part of this disclosure, illustrate the embodiments and, together with the description, serve to explain their principles. With reference to them, one of ordinary skill in the art will understand other possible embodiments and advantages of the present invention.
The invention will now be further described with reference to the drawings and detailed description.
Embodiment one:
The embodiment of the invention provides a Java Web application memory Trojan horse detection method which, as shown in fig. 1, comprises the following steps:
S1: Class byte streams are obtained from the running Java virtual machine (JVM).
In this embodiment, the Class byte stream is obtained from the running Java virtual machine using Java agent technology, as shown in fig. 2. The specific implementation is as follows: a jar file is written in advance according to the Java agent technical specification; the written jar file is injected into the target process using VirtualMachine; a ClassFileTransformer is registered in the Java virtual machine; and after the classes are redefined by invoking InstrumentationUtils#retransformClasses, the Class byte streams running in the Java virtual machine can be captured.
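The S1 capture step, as an added example that is not the patent's own code: a read-only agent that registers a retransformation-capable ClassFileTransformer, retransforms only classes implementing the three servlet interfaces, and records each Class byte stream without modifying it. The class name `CaptureAgent`, the pre-filter and the resource-lookup test for a "disk source" are assumptions, and it calls the standard `Instrumentation#retransformClasses` rather than the `InstrumentationUtils` helper the text names.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.net.URL;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Jar manifest must carry: Agent-Class: CaptureAgent and Can-Retransform-Classes: true */
public class CaptureAgent {
    static final Set<String> WEB_TYPES = new HashSet<>(Arrays.asList(
            "javax.servlet.Filter", "javax.servlet.Servlet", "javax.servlet.ServletRequestListener"));
    /** Class byte streams seen during retransformation, keyed by internal class name. */
    static final Map<String, byte[]> CAPTURED = new ConcurrentHashMap<>();
    /** Captured names for which the defining loader finds no .class resource. */
    static final Set<String> NO_DISK_SOURCE = ConcurrentHashMap.newKeySet();

    // Entry point the JVM calls when the jar is loaded into an already running process.
    public static void agentmain(String agentArgs, Instrumentation inst) {
        ClassFileTransformer capture = new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name, Class<?> classBeingRedefined,
                                    ProtectionDomain domain, byte[] classfileBuffer) {
                if (classBeingRedefined != null && name != null) { // retransformation callbacks only
                    CAPTURED.put(name, classfileBuffer.clone());
                    if (!hasDiskSource(loader, name)) NO_DISK_SOURCE.add(name);
                }
                return null;                                       // null leaves the class unchanged
            }
        };
        inst.addTransformer(capture, true);                        // true: retransformation-capable
        try {
            for (Class<?> c : inst.getAllLoadedClasses()) {
                // Retransform only candidate classes so the business process pays for few callbacks.
                if (!inst.isModifiableClass(c) || !implementsAny(c, WEB_TYPES)) continue;
                try {
                    inst.retransformClasses(c);
                } catch (Exception | LinkageError e) {
                    System.err.println("skip " + c.getName() + ": " + e);
                }
            }
        } finally {
            inst.removeTransformer(capture);                       // leave no hook behind
        }
        System.err.println("captured=" + CAPTURED.keySet() + " noDiskSource=" + NO_DISK_SOURCE);
    }

    /** True if c, a superclass or a super-interface implements one of the named types. */
    static boolean implementsAny(Class<?> c, Set<String> names) {
        for (Class<?> k = c; k != null; k = k.getSuperclass()) {
            for (Class<?> i : k.getInterfaces()) {
                if (names.contains(i.getName()) || implementsAny(i, names)) return true;
            }
        }
        return false;
    }

    /** Assumption: "disk source" means the defining loader can locate a .class resource. */
    static boolean hasDiskSource(ClassLoader loader, String internalName) {
        String resource = internalName + ".class";
        URL url = (loader == null) ? ClassLoader.getSystemResource(resource)
                                   : loader.getResource(resource);
        return url != null;
    }
}
```

The jar is loaded into the target JVM with the JDK Attach API (`VirtualMachine.attach(pid).loadAgent(jarPath)`). Generated classes such as dynamic proxies also have no `.class` resource, which is why a missing disk source is only one of the three conditions.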
S2: The Class byte stream is parsed into identifiable Constant and Method.
The obtained Class byte stream is parsed into identifiable Constant and Method according to the characteristics of Java bytecode.
In this embodiment, the obtained Class byte stream is read as a Class bytecode file in hexadecimal, as shown in fig. 3.
The Class bytecode file has no delimiters; therefore what each position represents, the length of each part, and so on are strictly defined by the format.
The first part is the four bytes "CA FE BA BE" at the beginning of the Class bytecode file, which store the file's magic number (magic). The magic number marks the file as a Class bytecode file and is a fixed value: 0xCAFEBABE. It can be used as the criterion for determining whether a file is a Class bytecode file.
The second part is the four bytes following the magic number: the minor version number, minor_version ("00"), and the major version number, major_version ("00"), of the Class bytecode file.
The third part is constant_pool_count: a u2 giving the number of constants in the constant pool; "00 24" represents 25. The constant pool typically holds two types of data: the first is literals, such as character strings and constants declared final; the second is symbolic references, such as the fully qualified names of classes/interfaces, the names and descriptors of methods, and the names and descriptors of fields.
The Constant parsed in step S2 represents the data in the constant pool; in this embodiment, the type of constant-pool data mainly parsed is the literal CONSTANT_Utf8_info.
The fourth part is the member variables of the class, field_info.
[Figure: structure of field_info]
Both name_index and descriptor_index in field_info point to constant pool index positions.
The fifth part is the method content, method_info.
[Figure: structure of method_info]
Both name_index and descriptor_index in method_info point to constant pool index positions.
[Figure: structure of attribute_info]
attribute_info records the body structure of a field or method; attribute_name_index points to a constant pool index position.
The Method parsed in step S2 represents the method content method_info.
S3: The parsed Constant and Method are matched against a sensitive rule base composed of sensitive rules, and the risk of the Class byte stream is judged according to the matching result.
The sensitive rules in this embodiment are dangerous Java APIs such as ProcessBuilder().command(), run.
Experiments show that the overall consumption of the method in this embodiment is only about 5-10% of the resources of a 1-core 2G CPU (collected with the JMC tool).
The specific method for judging the risk of the Class byte stream according to the matching result in this embodiment is as follows: when three conditions are all met, namely a hit rule exists in the matching result, the class to which the Class byte stream belongs is an implementation class of any one of javax.servlet.Filter, javax.servlet.Servlet and javax.servlet.ServletRequestListener, and no disk source exists, the Class byte stream is judged to be a memory Trojan; in all other cases it is judged not to be a memory Trojan.
The embodiment of the invention provides a low-consumption, low-impact memory Trojan detection method based on a Java agent, which detects memory Trojans by parsing the byte streams of the running Java virtual machine according to the characteristics of Java bytecode. By recognizing the byte stream directly, the detection method of this embodiment avoids dumping classes and decompiling them, so its CPU consumption is lower than that of current detection methods; because its resource consumption is relatively stable, it has less impact on the operation of the business system, and it also avoids a large number of I/O operations.
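Steps S2 and S3 applied to a captured byte stream, as an added example that is not the patent's implementation: it walks the constant pool and the field_info/method_info tables using the lengths the format defines, resolves Methodref entries to owner.method names, and applies the three-condition verdict. The rule list, the class name `ClassStreamScan` and the hand-built sample bytes are assumptions; only direct supertypes are read from the bytes, so an inherited Servlet implementation has to be resolved on the live Class object.

```java
import java.io.*;
import java.util.*;

public class ClassStreamScan {
    // Illustrative sensitive rules (assumption), written as owner.method in internal-name form.
    static final List<String> RULES = Arrays.asList("java/lang/ProcessBuilder.command",
            "java/lang/ProcessBuilder.start", "java/lang/Runtime.exec");
    static final List<String> WEB_TYPES = Arrays.asList("javax/servlet/Filter",
            "javax/servlet/Servlet", "javax/servlet/ServletRequestListener");

    static final class Parsed {
        final List<String> calls = new ArrayList<>();      // resolved Methodref targets
        final List<String> methods = new ArrayList<>();    // declared methods, name + descriptor
        final List<String> supertypes = new ArrayList<>(); // super class and direct interfaces
    }

    /** S2: walk the Class byte stream using the lengths the format itself defines. */
    static Parsed parse(byte[] bytes) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes));
        if (in.readInt() != 0xCAFEBABE) throw new IOException("bad magic number");
        in.skipBytes(4);                                     // minor_version, major_version
        int count = in.readUnsignedShort();                  // constant_pool_count
        int[] tags = new int[count];
        Object[] pool = new Object[count];                   // String (Utf8) or int[] (indexes)
        for (int i = 1; i < count; i++) {
            switch (tags[i] = in.readUnsignedByte()) {
                case 1: pool[i] = in.readUTF(); break;       // CONSTANT_Utf8_info
                case 3: case 4: in.skipBytes(4); break;      // Integer, Float
                case 5: case 6: in.skipBytes(8); i++; break; // Long, Double occupy two slots
                case 15: in.skipBytes(3); break;             // MethodHandle
                case 7: case 8: case 16: case 19: case 20:   // Class, String, MethodType, Module, Package
                    pool[i] = new int[] { in.readUnsignedShort() }; break;
                case 9: case 10: case 11: case 12: case 17: case 18: // refs, NameAndType, dynamic
                    pool[i] = new int[] { in.readUnsignedShort(), in.readUnsignedShort() }; break;
                default: throw new IOException("unknown constant tag " + tags[i]);
            }
        }
        Parsed p = new Parsed();
        for (int i = 1; i < count; i++) {
            if (tags[i] != 10 && tags[i] != 11) continue;    // Methodref, InterfaceMethodref
            int[] ref = (int[]) pool[i], nat = (int[]) pool[ref[1]]; // {class, name_and_type}, {name, desc}
            p.calls.add(className(pool, ref[0]) + "." + pool[nat[0]]);
        }
        in.skipBytes(4);                                     // access_flags, this_class
        int superIndex = in.readUnsignedShort();             // 0 only for java/lang/Object
        if (superIndex != 0) p.supertypes.add(className(pool, superIndex));
        for (int n = in.readUnsignedShort(); n > 0; n--)     // interfaces
            p.supertypes.add(className(pool, in.readUnsignedShort()));
        for (int n = in.readUnsignedShort(); n > 0; n--) readMember(in, pool); // field_info
        for (int n = in.readUnsignedShort(); n > 0; n--)     // method_info
            p.methods.add(readMember(in, pool));
        return p;
    }

    static String className(Object[] pool, int i) { return (String) pool[((int[]) pool[i])[0]]; }

    static String readMember(DataInputStream in, Object[] pool) throws IOException {
        in.skipBytes(2);                                     // access_flags (field_info and method_info share this layout)
        String name = (String) pool[in.readUnsignedShort()]; // name_index
        String desc = (String) pool[in.readUnsignedShort()]; // descriptor_index
        for (int a = in.readUnsignedShort(); a > 0; a--) {   // attribute_info entries
            in.skipBytes(2);                                 // attribute_name_index
            in.skipBytes(in.readInt());                      // attribute_length, then info
        }
        return name + desc;
    }

    /** S3: a rule hit AND a servlet-API implementation AND no disk source. */
    static boolean isMemoryTrojan(Parsed p, boolean hasDiskSource) {
        boolean hit = false, web = false;
        for (String call : p.calls) hit |= RULES.contains(call);
        for (String type : p.supertypes) web |= WEB_TYPES.contains(type);
        return hit && web && !hasDiskSource;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: minimal bytes for a Filter that references ProcessBuilder.command.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(0xCAFEBABE); out.writeInt(52); out.writeShort(15); // magic, minor 0 + major 52, pool count
        String[] utf8 = { "DemoFilter", "java/lang/Object", "javax/servlet/Filter",
                "java/lang/ProcessBuilder", "command", "()Ljava/util/List;", "doFilter", "()V" };
        for (String s : utf8) { out.writeByte(1); out.writeUTF(s); }          // #1..#8 Utf8
        for (int i = 1; i <= 4; i++) { out.writeByte(7); out.writeShort(i); } // #9..#12 Class
        out.writeByte(12); out.writeShort(5); out.writeShort(6);              // #13 NameAndType
        out.writeByte(10); out.writeShort(12); out.writeShort(13);            // #14 Methodref
        // flags, this, super, 1 interface (#11), 0 fields, 1 method (flags, name, desc, 0 attrs), 0 attrs
        for (int v : new int[] { 0x21, 9, 10, 1, 11, 0, 1, 1, 7, 8, 0, 0 }) out.writeShort(v);
        Parsed p = parse(buf.toByteArray());
        System.out.println(p.calls + " " + p.methods + " " + p.supertypes);
        System.out.println("memory only: " + isMemoryTrojan(p, false) + ", on disk: " + isMemoryTrojan(p, true));
    }
}
```

The bytes come from a possibly hostile class, so a caller should treat any exception from `parse` (truncated stream, dangling constant pool index) as "unparseable, review manually" rather than as a clean result.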
Embodiment two:
The invention also provides a Java Web application memory Trojan horse detection terminal device, comprising a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the steps of the method of Embodiment one are implemented when the processor executes the computer program.
Further, as an executable scheme, the Java Web application memory Trojan horse detection terminal device may be a computing device such as a desktop computer, a notebook computer, a palmtop computer or a cloud server. The device may include, but is not limited to, a processor and a memory. Those skilled in the art will appreciate that the above composition is merely an example of the Java Web application memory Trojan horse detection terminal device and does not limit it; the device may include more or fewer components than those listed, combine some components, or use different components. For example, it may further include input/output devices, network access devices, a bus and the like, which the embodiment of the present invention does not limit.
Further, as an implementation, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, etc. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the Java Web application memory Trojan horse detection terminal device and connects the various parts of the whole device using various interfaces and lines.
The memory may be used to store the computer program and/or modules, and the processor implements the various functions of the Java Web application memory Trojan horse detection terminal device by running or executing the computer program and/or modules stored in the memory and invoking the data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and at least one application program required for a function; the data storage area may store data created according to the use of the cellular phone, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
The present invention also provides a computer readable storage medium storing a computer program which when executed by a processor implements the steps of the above-described method of an embodiment of the present invention.
The modules/units integrated by the Java Web application memory Trojan detection terminal device may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as a stand alone product. Based on such understanding, the present invention may implement all or part of the flow of the method of the above embodiment, or may be implemented by a computer program to instruct related hardware, where the computer program may be stored in a computer readable storage medium, and when the computer program is executed by a processor, the computer program may implement the steps of each of the method embodiments described above. Wherein the computer program comprises computer program code which may be in source code form, object code form, executable file or some intermediate form etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a software distribution medium, and so forth.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A Java Web application memory Trojan horse detection method, characterized by comprising the following steps:
S1: obtaining a Class byte stream from the running Java virtual machine through Java agent technology, the specific method being: writing a jar file in advance according to the Java agent technical specification, injecting the written jar file into the target process using VirtualMachine, registering a ClassFileTransformer in the Java virtual machine, and invoking InstrumentationUtils#retransformClasses to redefine the classes so as to capture the Class byte streams running in the Java virtual machine;
S2: parsing the Class byte stream into identifiable Constant and Method;
S3: matching the parsed Constant and Method against a sensitive rule base composed of sensitive rules, and judging the risk of the Class byte stream according to the matching result; the specific method for judging the risk of the Class byte stream according to the matching result being: judging the Class byte stream to be a memory Trojan when three conditions are all met: a hit sensitive rule exists in the matching result; the class to which the Class byte stream belongs is an implementation class of any one of javax.servlet.Filter, javax.servlet.Servlet and javax.servlet.ServletRequestListener; and no disk source exists.
2. The Java Web application memory Trojan horse detection method according to claim 1, characterized in that: in step S2, the Class byte stream is first read as a Class bytecode file in hexadecimal and then parsed.
3. The Java Web application memory Trojan horse detection method according to claim 1, characterized in that: in step S3, the sensitive rules are dangerous Java APIs.
4. A Java Web application memory Trojan horse detection terminal device is characterized in that: comprising a processor, a memory and a computer program stored in the memory and running on the processor, which processor, when executing the computer program, carries out the steps of the method according to any one of claims 1 to 3.
5. A computer-readable storage medium storing a computer program, characterized in that: the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 3.
CN202110685500.3A 2021-06-21 2021-06-21 Java Web application memory Trojan horse detection method, terminal equipment and storage medium Active CN113312624B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110685500.3A CN113312624B (en) 2021-06-21 2021-06-21 Java Web application memory Trojan horse detection method, terminal equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113312624A CN113312624A (en) 2021-08-27
CN113312624B true CN113312624B (en) 2023-06-30

Family

ID=77379693

Country Status (1)

Country Link
CN (1) CN113312624B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20221028
Address after: Unit 403, No.12, guanri Road, phase II, software park, Xiamen City, Fujian Province, 361000
Applicant after: XIAMEN FUYUN INFORMATION TECHNOLOGY CO.,LTD.
Applicant after: Jianxin Financial Science and Technology Co.,Ltd.
Address before: Unit 403, No.12, guanri Road, phase II, software park, Xiamen City, Fujian Province, 361000
Applicant before: XIAMEN FUYUN INFORMATION TECHNOLOGY CO.,LTD.

GR01 Patent grant