KR20090063197A - Enhanced web shell detection method based on hash validation - Google Patents


Info

Publication number
KR20090063197A
Authority
KR
South Korea
Prior art keywords
file
cache
web
hash value
time
Prior art date
Application number
KR1020090047072A
Other languages
Korean (ko)
Inventor
김동규
Original Assignee
(주)유엠브이기술
Priority date
2009-05-28
Filing date
2009-05-28
Publication date
2009-06-17
Application filed by (주)유엠브이기술
Priority to KR1020090047072A
Publication of KR20090063197A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/137 Hash-based
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2228 Indexing structures
    • G06F16/2255 Hash tables
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9014 Indexing; Data structures therefor; Storage structures: hash tables
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units, using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/451 Execution arrangements for user interfaces
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units, using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F9/45508 Runtime interpretation or emulation, e.g. emulator loops, bytecode interpretation
    • G06F9/45512 Command shells

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Human Computer Interaction (AREA)
  • Quality & Reliability (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention improves web shell detection performance by inspecting only the files that have changed since the last scan, rather than inspecting every file on each run, when checking a web server for a web shell program that has been illegally installed and is used for hacking. Specifically, when the web program files on the web server are inspected for the first time, a hash value is generated from the absolute path of each web program file, the file's last modification time is obtained, and both are stored in a cache file. On every subsequent inspection, a cache search step looks up the cache file by the hash value of the absolute path of the web program file to be inspected and determines whether that hash value is absent or, if present, whether the stored last modification time differs from the current one. A cache update step then adds the hash value of the absolute path together with the last modification time to the cache file when the hash value is absent, and stores only the new last modification time when the hash value is present but the last modification time differs.

Web shells are a class of hacking tool that existing antivirus and vulnerability analysis software does not detect. In the detection method according to the present invention, not every web program file on the web server is checked on every run; only the files changed since the last inspection are checked, which can significantly reduce web shell detection time.

Description

Hash-validation-based web shell detection performance improvement technique {Enhanced Web Shell Detection Method based on Hash Validation}

The present invention relates to a method of improving web shell detection performance in the process of detecting a web shell program that has been illegally installed on a web server and is used for hacking, by selectively checking only changed files rather than checking every web program file on the web server.

To detect malicious code used in web shell hacking, every web program file on the web server has conventionally had to be inspected on every run.

In addition, there is a risk that web shell detection time keeps increasing when every web program file is scanned on every run.

As described above, inspecting for web shell malicious code in this way burdens the web server, so a faster and more efficient web shell detection methodology is required.

Accordingly, the technical problem addressed by the present invention is to solve the problems described above: when detecting web shells by analyzing the source code of the web programs on a web server, rather than inspecting every web program file on every run, the files to be inspected after a one-time full scan are reduced to only those that have changed, providing a new way to detect web shells more quickly.

One aspect of the present invention for achieving this object comprises a cache generation step in which, during the first inspection of all web program files for web shell detection, a hash value is generated from the absolute path of each web program file, the file's last modification time is obtained, and both are stored in a cache file.

Another aspect of the invention comprises a cache search step, performed after the cache file has been generated, which determines whether the hash value is absent from the cache file or, if present, whether the last modification time differs.

According to another aspect of the present invention, a cache update step adds the hash value together with the last modification time of the web program file to the cache file when the hash value is absent from the cache file, and, when the hash value is present but the last modification time differs, stores the new last modification time in the cache file.

As described above, the present invention does not check every web program file on the web server when detecting malicious code for web shell hacking. Instead it generates a cache file composed of hash values and last modification times and, through this cache, checks only the web program files that need inspection, reducing the time required for web shell detection and avoiding unnecessary web server load.

The main terms used in the present invention are defined as follows.

A web shell is a generic term for a web script file written to enable a malicious attacker to remotely execute commands on a target web server.

A web program is a generic term for a program running on a web server and accessed through a web browser.

A hash value is a unique 20-byte binary string produced by a one-way function.

The cache file is a file that stores, for each web program file, the hash value of its full path and its last modification time.

The operating principle of the present invention is described in detail below with reference to the accompanying drawings.

FIG. 1 is a flowchart of the hash-validation-based web shell detection performance improvement technique. It shows the web program file (10) to be checked for web shells, the one-way hash function (12), and three processes: a cache generation process (18) that generates a cache file (20) by computing, through the hash function (12), the hash value (14) of the full path of the web program file (10) and obtaining the file's last modification time (16); a cache search process (22) that, when the cache file (20) already exists, regenerates the hash value (14') of the full path of the web program file (10), re-acquires the file's last modification time (16'), and searches and compares against the cache file (20); and a cache update process (24) that stores in the cache file (20) a hash value (14') not found there in the cache search process (22), or a last modification time (16') that has changed.

The process by which the web shell agent detects web shells on the web server under this hash-validation-based technique is described in detail below.

FIG. 2 is a flowchart of the process of searching the cache file (20) to determine whether the web program file (10) needs to be inspected, and updating the contents of the cache file (20) when necessary.

In the first step (①), a hash value (14') is generated by applying the hash function (12) to the full path name of the web program file (10) to be checked for web shells.

In the second step (②), the last modification time (16') of the web program file (10) to be checked is acquired.

In the third step (③), the cache file (20) is searched for the hash value (14') generated in the first step. Rather than searching the file on disk for every lookup, the contents of the cache file (20) are read into memory in advance and searched there, which greatly improves processing performance.

In the fourth step (④), based on the search result of the third step, it is determined whether the hash value (14') exists in the cache file (20).

In the fifth step (⑤), if the hash value (14') was found in the fourth step, the last modification time (16) stored in the cache file (20) is compared with the newly acquired last modification time (16') to determine whether they differ.

In the sixth step (⑥), if the fifth step finds that the last modification time (16') is the same as the last modification time (16) previously stored in the cache file (20), the file is confirmed as one that does not need web shell detection.

In the seventh step (⑦), if the hash value (14') was not found in the fourth step, the file is a new web program file (10), so the hash value (14') and the last modification time (16') are added to the cache file (20).

In the eighth step (⑧), the web program file (10) handled in the seventh step is determined to be a file on which web shell detection must be performed.

In the ninth step (⑨), if the fifth step finds that the last modification time (16') differs, the existing last modification time (16) stored in the cache file (20) is replaced with the newly acquired last modification time (16') and saved.

In the tenth step (⑩), since the content of the web program file (10) handled in the ninth step may have changed since the last inspection, the file is determined to be one on which web shell detection must be performed.
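The ten steps of FIG. 2 and the cache generation step of the summary describe one selection loop, which the following Python example implements end to end. This is an added example, not the patent's or the assignee's code. It assumes SHA-1 as the 20-byte one-way hash function (the page names no function), a JSON file as the cache file (20), and `st_mtime_ns` as the last modification time (16); the web shell inspection itself is out of scope, so the function only decides which files must be inspected and updates the cache. The scenario in `demo()` (file names, contents, timestamps) is constructed.

```python
"""Cache-driven selection of web program files for web shell inspection.
Added example following FIG. 2 of KR20090063197A; assumptions: SHA-1 as the
20-byte one-way hash, a JSON cache file, st_mtime_ns as the modification time."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def path_hash(abs_path: str) -> str:
    # Hash value (14 / 14'): one-way function over the full path name.
    # SHA-1 yields 20 bytes, matching the page's definition (assumption).
    return hashlib.sha1(abs_path.encode("utf-8")).hexdigest()


def load_cache(cache_file: Path) -> dict:
    # Third step: read the whole cache file (20) into memory once per run,
    # so every lookup is a dictionary hit instead of a search of the file.
    if not cache_file.exists():
        return {}
    with cache_file.open("r", encoding="utf-8") as fh:
        return json.load(fh)


def save_cache(cache_file: Path, cache: dict) -> None:
    # Write to a temporary file and rename, so an interrupted run cannot
    # leave a half-written cache file behind.
    tmp = cache_file.with_suffix(".tmp")
    with tmp.open("w", encoding="utf-8") as fh:
        json.dump(cache, fh)
    os.replace(tmp, cache_file)


def select_files_to_inspect(web_root: Path, cache_file: Path) -> list[str]:
    """Return the absolute paths that need web shell detection on this run and
    update the cache (steps 1-10 of FIG. 2). On the very first run the cache is
    empty, so every file is new: that run is the cache generation process (18)."""
    cache = load_cache(cache_file)
    to_inspect: list[str] = []
    for root, _dirs, files in os.walk(web_root):
        for name in files:
            abs_path = os.path.abspath(os.path.join(root, name))
            h = path_hash(abs_path)                   # step 1: hash value (14')
            mtime = os.stat(abs_path).st_mtime_ns     # step 2: last mod time (16')
            entry = cache.get(h)                      # steps 3-4: cache lookup
            if entry is None:
                # Steps 7-8: unknown path means a new file; cache it and inspect.
                cache[h] = {"path": abs_path, "mtime_ns": mtime}
                to_inspect.append(abs_path)
            elif entry["mtime_ns"] != mtime:
                # Steps 9-10: time differs; store the new time and inspect.
                entry["mtime_ns"] = mtime
                to_inspect.append(abs_path)
            # Step 6: same time as cached, so the file is skipped.
    save_cache(cache_file, cache)
    return to_inspect


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three scans over a throwaway web root."""
    base_ns = 1_600_000_000 * 10**9            # fixed timestamp (constructed)
    tmp = Path(tempfile.mkdtemp())
    web_root = tmp / "htdocs"
    web_root.mkdir()
    cache_file = tmp / "webshell_cache.json"   # kept outside the web root
    index = web_root / "index.php"
    lib = web_root / "lib.php"
    index.write_text("<?php echo 'hello'; ?>\n")
    lib.write_text("<?php function helper() {} ?>\n")
    for f in (index, lib):
        os.utime(f, ns=(base_ns, base_ns))

    def names(paths: list[str]) -> list[str]:
        return sorted(os.path.basename(p) for p in paths)

    first = select_files_to_inspect(web_root, cache_file)   # all files are new
    second = select_files_to_inspect(web_root, cache_file)  # nothing changed
    index.write_text("<?php echo 'hello again'; ?>\n")      # content changed ...
    os.utime(index, ns=(base_ns + 10**9, base_ns + 10**9))  # ... with a new mtime
    upload = web_root / "upload.php"                        # a new file appears
    upload.write_text("<?php /* constructed sample */ ?>\n")
    third = select_files_to_inspect(web_root, cache_file)
    return {"first": names(first), "second": names(second), "third": names(third)}


if __name__ == "__main__":
    print(demo())
```

The first run returns every file (the cache generation step), the second returns nothing, and the third returns only the modified file and the newly added one. Two practical points follow from the design: the cache file must live outside the web root and be writable only by the scanning agent, since anyone who can edit it can mark a file as already inspected; and because the selection key is the modification time, a file whose content changed while its timestamp was restored to the cached value is skipped, so a deployment that needs stronger guarantees can store a content digest in each cache entry and compare it as well, at the cost of reading every file.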

FIG. 1 is a flowchart of the hash-validation-based web shell detection performance improvement technique according to the present invention.

FIG. 2 is a flowchart of the process of searching the cache file to determine whether a web program file needs to be inspected and updating the contents of the cache file when necessary.

<Description of the symbols for the main parts of the drawings>

10: web program file
12: hash function
14: hash value
14': newly generated hash value
16: last modified time
16': newly acquired last modified time
18: cache file generation
20: cache file
22: cache file search
24: cache file update

Claims (3)

1. In a hash-validation-based web shell detection performance improvement technique comprising: a web program file (10) to be checked for web shells; a one-way hash function (12); a cache generation process (18) that generates a cache file (20) by computing, through the hash function (12), a hash value (14) of the full path of the web program file (10) and acquiring the last modification time (16) of the web program file (10); a cache search process (22) that, when the cache file (20) exists, regenerates the hash value (14') of the full path of the web program file (10), re-acquires the last modification time (16') of the file, and searches and compares against the cache file (20); and a cache update process (24) that stores in the cache file (20) a hash value (14') not present in the cache file (20) or a changed last modification time (16'); the technique characterized by: a cache generation step in which, during the first inspection of all web program files (10), a hash value (14) of the absolute path of the web program file (10) is generated, the last modification time (16) of the web program file (10) is acquired, and both are stored in the cache file (20); a cache search step, performed after the cache file (20) is generated, of checking whether the hash value (14') is absent from the cache file (20) or, if present, whether the last modification time (16') differs; and a cache update step in which a hash value (14') absent from the cache file (20) is added to the cache file (20) together with the last modification time (16') of the web program file (10), and, when the hash value is present but the last modification time (16') differs, the new last modification time (16') is stored in the cache file (20).

2. The hash-validation-based web shell detection performance improvement technique of claim 1, wherein the cache generation process (18) generates the cache file (20) by computing the hash value (14) through the one-way hash function (12) over the full path name of the web program file (10) to be checked for web shells and obtaining the last modification time (16) of the web program file (10).

3. The hash-validation-based web shell detection performance improvement technique of claim 1, wherein the process of searching the cache file (20) to determine whether the web program file (10) needs to be inspected and updating the contents of the cache file (20) when necessary comprises: a first step of generating a hash value (14') by applying the hash function (12) to the full path name of the web program file (10) to be checked for web shells; a second step of acquiring the last modification time (16') of the web program file (10) to be checked; a third step of searching the cache file (20) for the hash value (14') generated in the first step; a fourth step of determining, from the search result of the third step, whether the hash value (14') exists in the cache file (20); a fifth step of determining, when the hash value (14') exists in the fourth step, whether the last modification time (16) stored in the cache file (20) and the newly acquired last modification time (16') differ; a sixth step of confirming, when the fifth step finds the last modification time (16') identical to the last modification time (16) previously stored in the cache file (20), that the file does not need web shell detection; a seventh step of adding the hash value (14') and the last modification time (16') to the cache file (20) when the hash value (14') does not exist in the fourth step, since the file is then a new web program file (10); an eighth step of confirming that the web program file (10) of the seventh step is a file on which web shell detection is to be performed; a ninth step of replacing the existing last modification time (16) stored in the cache file (20) with the newly acquired last modification time (16') and storing it when the fifth step finds the last modification time (16') differs; and a tenth step of determining that the web program file (10) of the ninth step is a file on which web shell detection is to be performed, since its contents may have changed since the last inspection.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020090047072A KR20090063197A (en) 2009-05-28 2009-05-28 Enhanced web shell detection method based on hash validation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020090047072A KR20090063197A (en) 2009-05-28 2009-05-28 Enhanced web shell detection method based on hash validation

Publications (1)

Publication Number Publication Date
KR20090063197A true KR20090063197A (en) 2009-06-17

Family

ID=40992251

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020090047072A KR20090063197A (en) 2009-05-28 2009-05-28 Enhanced web shell detection method based on hash validation

Country Status (1)

Country Link
KR (1) KR20090063197A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011126254A2 (en) * 2010-04-05 2011-10-13 주식회사 안철수연구소 Terminal device and method for confirming file distributor of same terminal device
KR101130088B1 (en) * 2010-03-05 2012-03-28 주식회사 안철수연구소 Malware detecting apparatus and its method, recording medium having computer program recorded
CN115174197A (en) * 2022-07-01 2022-10-11 阿里云计算有限公司 Webshell file detection method and system, electronic device and computer storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101130088B1 (en) * 2010-03-05 2012-03-28 주식회사 안철수연구소 Malware detecting apparatus and its method, recording medium having computer program recorded
WO2011126254A2 (en) * 2010-04-05 2011-10-13 주식회사 안철수연구소 Terminal device and method for confirming file distributor of same terminal device
WO2011126254A3 (en) * 2010-04-05 2012-01-26 주식회사 안철수연구소 Terminal device and method for confirming file distributor of same terminal device
KR101130090B1 (en) * 2010-04-05 2012-03-28 주식회사 안철수연구소 Terminal device and method for investigating file distributor of the terminal device
CN115174197A (en) * 2022-07-01 2022-10-11 阿里云计算有限公司 Webshell file detection method and system, electronic device and computer storage medium
CN115174197B (en) * 2022-07-01 2024-03-29 阿里云计算有限公司 Webshell file detection method, system, electronic equipment and computer storage medium

Similar Documents

Publication Publication Date Title
JP5507699B2 (en) Malignant site detection apparatus and method
US10055590B2 (en) Rule matching in the presence of languages with no types or as an adjunct to current analyses for security vulnerability analysis
Pham et al. Detection of recurring software vulnerabilities
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
CN104751048B (en) A kind of dynamic link library integrity measurement method under pre-linking mechanism
US20120192279A1 (en) Malware detection using external call characteristics
CN110287693B (en) Automatic buffer overflow vulnerability detection method based on symbol execution path pruning
JP5863973B2 (en) Program execution device and program analysis device
US20080115219A1 (en) Apparatus and method of detecting file having embedded malicious code
JP2018502351A (en) RASP for script language
JPWO2006087780A1 (en) Vulnerability audit program, vulnerability audit device, vulnerability audit method
Van Overveldt et al. FlashDetect: ActionScript 3 malware detection
US10395033B2 (en) System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks
US20110219454A1 (en) Methods of identifying activex control distribution site, detecting security vulnerability in activex control and immunizing the same
JP2009093615A (en) Method and device for analyzing exploit code in non-executable file using virtual environment
CN103914657A (en) Malicious program detection method based on function characteristics
KR20090063197A (en) Enhanced web shell detection method based on hash validation
JP4587976B2 (en) Application vulnerability inspection method and apparatus
CN105117648A (en) Detection system and method for 0DAY/malicious document based on virtual machine
KR101161008B1 (en) system and method for detecting malicious code
US20080016573A1 (en) Method for detecting computer viruses
CN103390129B (en) Detect the method and apparatus of security of uniform resource locator
US20150193617A1 (en) Signature verification device, signature verification method, and program
JP5077455B2 (en) Vulnerability audit program, vulnerability audit device, vulnerability audit method
CN111027072B (en) Kernel Rootkit detection method and device based on elf binary standard analysis under Linux

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application