KR20090063197A - Enhanced web shell detection method based on hash validation - Google Patents
- Publication number: KR20090063197A
- Application number: KR1020090047072A
- Authority
- KR
- South Korea
- Prior art keywords
- file
- cache
- web
- hash value
- time
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
- G06F16/137—Hash-based
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
- G06F16/2228—Indexing structures
- G06F16/2255—Hash tables
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9014—Indexing; Data structures therefor; Storage structures hash tables
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/451—Execution arrangements for user interfaces
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45504—Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
- G06F9/45508—Runtime interpretation or emulation, e g. emulator loops, bytecode interpretation
- G06F9/45512—Command shells
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Human Computer Interaction (AREA)
- Quality & Reliability (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present invention improves webshell detection performance by inspecting only the files that have changed since the last scan, rather than inspecting every file on each run, in order to detect a webshell program illegally installed on a web server and used for hacking. In detail, during the first inspection of the web program files on the web server, a hash value is generated for the absolute path of each web program file, the file's last modification time is obtained, and both are stored in a cache file. In each subsequent inspection, the cache file is searched using the hash value of the absolute path of the web program file to be inspected (cache search step) to determine whether the hash value is absent or, if present, whether the last modification time differs. If the hash value is absent, the hash value of the absolute path and the last modification time are added to the cache file; if the hash value is present but the last modification time differs, only the new last modification time is stored (cache update step).
According to the present invention, the method of detecting the special hacking technique called webshell, which is not detected by existing antivirus or vulnerability analysis software, does not check every web program file on the web server each time, but only the files changed since the last inspection. This can significantly reduce webshell detection time.
Description
The present invention relates to a method of improving webshell detection performance in the process of detecting a webshell program illegally installed on a web server and used for hacking, by selectively checking only changed files instead of checking every web program file on the web server.
In order to detect malicious code used for webshell hacking, it has so far been necessary to inspect every web program file on the web server on every scan.
In addition, there is a risk that the webshell detection time keeps increasing, because the entire set of web program files is scanned every time.
As described above, the process of checking for webshell malicious code burdens the web server, so a faster and more efficient webshell detection methodology is required.
Accordingly, the technical problem addressed by the present invention is to solve the above problems: in the process of detecting webshells by analyzing the source code of the web programs on the web server, every web program file is inspected only once, in a first full scan, and thereafter inspection is minimized to changed files only, providing a new way to detect webshells more quickly.
One aspect of the present invention for achieving the above object comprises a cache generation step: in the process of inspecting every web program file for the first time to detect webshells, a hash value is generated for the absolute path of each web program file, the last modification time of the web program file is obtained, and both are stored in a cache file.
Another aspect of the invention comprises a cache search step which, after the cache file has been generated, determines whether the hash value is absent from the cache file or, if present, whether the last modification time differs.
According to another aspect of the present invention, a cache update step is included: when the hash value is absent from the cache file, the hash value of the web program file's absolute path is added to the cache file together with the file's last modification time.
As described above, in the process of detecting the malicious code for hacking called webshell, the present invention does not check every web program file on the web server; instead it generates a cache file consisting of hash values and last modification times and, through this cache, inspects only the web program files that need inspection. This reduces the time required for webshell detection while avoiding unnecessary web server load.
The main terms used in the present invention are defined.
Webshell is a generic term for web script files written to enable a malicious attacker to remotely execute commands on a target web server.
A web program is defined as a generic term for a program running on a web server through a web browser.
A hash value is a unique 20-byte binary string produced by a one-way function.
The cache file is a file that stores the hash value of the full path of each web program file together with the file's last modification time.
Hereinafter, the operating principle of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a flowchart illustrating a hash verification-based web shell detection performance improvement technique. The
In this configuration, the process of detecting the web shell existing in the
FIG. 2 is a flowchart illustrating a process of searching the
As a first step (1), a hash value 14' is generated using the
As a second step (2), the last modification time 16' of the
In the third step (3), it is checked whether the hash value 14' generated in the previous step exists in the
As a fourth step (4), it is determined whether or not the hash value 14' existing in the
In the fifth step (5), when the hash value 14' exists in the fourth step, the last changed
As a sixth step (6), in the fifth step, if the last modification time 16' is the same as the
As the seventh step (7), if the hash value 14' does not exist in the fourth step, it corresponds to the new
As an eighth step (8), the
In the ninth step (9), if the last modification time 16' is different in the fifth step, the last modification time 16' newly obtained from the existing
As the tenth step (10), since the
FIG. 1 is a flow diagram of a hash verification-based webshell detection performance improvement technique in accordance with the present invention.
FIG. 2 is a flowchart illustrating a process of searching a cache file to check whether a web program file needs to be inspected and updating the contents of the cache file if necessary.
<Description of the symbols for the main parts of the drawings>
10: web program file; 12: hash function
14: hash value; 14': newly generated hash value
16: last modified time; 16': newly acquired last modified time
18: cache file generation; 20: cache file
22: cache file search; 24: cache file update
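The cache generation, cache search and cache update steps described above, implemented as an added example in Python. This is not the patent's own code: it assumes SHA-1 as the one-way function (its 20-byte digest matches the definition of a hash value given above), a one-entry-per-line cache file layout, a placeholder inspection heuristic standing in for real source analysis, and made-up function names (`path_hash`, `scan`, `demo`). The sample web root in `demo()` is constructed.

```python
"""Incremental webshell scan driven by a path-hash / mtime cache.
Added example following the patent's cache generation, cache search and
cache update steps; SHA-1, the cache layout, the inspection heuristic and
all names are assumptions, not the patent's code."""
import hashlib
import os
import re
import tempfile
from typing import Callable, Dict, List, Tuple


def path_hash(abs_path: str) -> bytes:
    """Hash value for the absolute path (step 1). SHA-1 yields the 20-byte
    value the text describes; the patent does not name the function."""
    return hashlib.sha1(abs_path.encode("utf-8")).digest()


# Placeholder inspection (assumption): a real scanner would run signature or
# source-code analysis here. A file is flagged if it calls eval() or a
# command-execution function.
SUSPICIOUS = re.compile(rb"\b(eval|system|shell_exec|passthru)\s*\(")


def inspect_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return SUSPICIOUS.search(fh.read()) is not None


# Cache file layout (assumption): one line per entry, "<hex sha1> <mtime>".
def load_cache(cache_path: str) -> Dict[bytes, float]:
    cache: Dict[bytes, float] = {}
    if not os.path.exists(cache_path):
        return cache  # first scan: no cache yet, every file gets inspected
    with open(cache_path, "r", encoding="ascii") as fh:
        for line in fh:
            hex_hash, mtime = line.split()
            cache[bytes.fromhex(hex_hash)] = float(mtime)
    return cache


def save_cache(cache_path: str, cache: Dict[bytes, float]) -> None:
    with open(cache_path, "w", encoding="ascii") as fh:
        for h, mtime in cache.items():
            fh.write(f"{h.hex()} {mtime!r}\n")  # repr() round-trips the float exactly


def web_files(root: str, exts=(".php", ".jsp", ".asp", ".aspx")) -> List[str]:
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                found.append(os.path.abspath(os.path.join(dirpath, name)))
    return sorted(found)


def scan(root: str, cache_path: str,
         inspect: Callable[[str], bool] = inspect_file) -> Tuple[List[str], List[str]]:
    """Returns (files actually inspected, files flagged). With no cache file the
    cache is generated and every file is inspected; afterwards only files whose
    path hash is absent or whose mtime changed are inspected, and the cache is
    updated with the new entry or the new mtime."""
    cache = load_cache(cache_path)
    inspected, flagged = [], []
    for path in web_files(root):
        h = path_hash(path)                   # step 1: hash of the absolute path
        mtime = os.path.getmtime(path)        # step 2: last modification time
        if h in cache and cache[h] == mtime:  # cache search: unchanged, skip it
            continue
        cache[h] = mtime                      # cache update: add entry or refresh mtime
        inspected.append(path)
        if inspect(path):
            flagged.append(path)
    save_cache(cache_path, cache)
    return inspected, flagged


def demo() -> Tuple[int, int, int, List[str]]:
    """Constructed web root with two files and three scans. Returns how many
    files each scan inspected (all, none, one) and which files the last scan
    flagged after one file was rewritten with eval()."""
    root = tempfile.mkdtemp()
    cache_path = os.path.join(root, "webshell.cache")
    index, upload = os.path.join(root, "index.php"), os.path.join(root, "upload.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(upload, "w") as fh:
        fh.write("<?php $x = 1; ?>\n")
    for p in (index, upload):
        os.utime(p, (1_000_000_000, 1_000_000_000))  # fixed mtimes for a deterministic run
    first = len(scan(root, cache_path)[0])            # cache generation: 2 inspected
    second = len(scan(root, cache_path)[0])           # nothing changed: 0 inspected
    with open(upload, "w") as fh:
        fh.write("<?php eval($x); ?>\n")              # constructed suspicious content
    os.utime(upload, (1_000_000_100, 1_000_000_100))  # mtime now differs from the cache
    third_inspected, third_flagged = scan(root, cache_path)
    return first, second, len(third_inspected), [os.path.basename(p) for p in third_flagged]


if __name__ == "__main__":
    print(demo())
```

Because the cache records only the last modification time, a file whose timestamp is restored after its content changes would be skipped on the next scan; a deployment that must tolerate that should store a content hash next to the mtime and compare both, at the cost of reading every file once per scan. Deleted files also leave stale entries behind, which a periodic pruning pass against the current file list can remove.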
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020090047072A KR20090063197A (en) | 2009-05-28 | 2009-05-28 | Enhanced web shell detection method based on hash validation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020090047072A KR20090063197A (en) | 2009-05-28 | 2009-05-28 | Enhanced web shell detection method based on hash validation |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20090063197A true KR20090063197A (en) | 2009-06-17 |
Family
ID=40992251
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020090047072A KR20090063197A (en) | 2009-05-28 | 2009-05-28 | Enhanced web shell detection method based on hash validation |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20090063197A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011126254A2 (en) * | 2010-04-05 | 2011-10-13 | 주식회사 안철수연구소 | Terminal device and method for confirming file distributor of same terminal device |
KR101130088B1 (en) * | 2010-03-05 | 2012-03-28 | 주식회사 안철수연구소 | Malware detecting apparatus and its method, recording medium having computer program recorded |
CN115174197A (en) * | 2022-07-01 | 2022-10-11 | 阿里云计算有限公司 | Webshell file detection method and system, electronic device and computer storage medium |
Events
- 2009-05-28: KR KR1020090047072A patent/KR20090063197A/en not_active Application Discontinuation
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101130088B1 (en) * | 2010-03-05 | 2012-03-28 | 주식회사 안철수연구소 | Malware detecting apparatus and its method, recording medium having computer program recorded |
WO2011126254A2 (en) * | 2010-04-05 | 2011-10-13 | 주식회사 안철수연구소 | Terminal device and method for confirming file distributor of same terminal device |
WO2011126254A3 (en) * | 2010-04-05 | 2012-01-26 | 주식회사 안철수연구소 | Terminal device and method for confirming file distributor of same terminal device |
KR101130090B1 (en) * | 2010-04-05 | 2012-03-28 | 주식회사 안철수연구소 | Terminal device and method for investigating file distributor of the terminal device |
CN115174197A (en) * | 2022-07-01 | 2022-10-11 | 阿里云计算有限公司 | Webshell file detection method and system, electronic device and computer storage medium |
CN115174197B (en) * | 2022-07-01 | 2024-03-29 | 阿里云计算有限公司 | Webshell file detection method, system, electronic equipment and computer storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5507699B2 (en) | Malignant site detection apparatus and method | |
US10055590B2 (en) | Rule matching in the presence of languages with no types or as an adjunct to current analyses for security vulnerability analysis | |
Pham et al. | Detection of recurring software vulnerabilities | |
Carmony et al. | Extract Me If You Can: Abusing PDF Parsers in Malware Detectors. | |
CN104751048B (en) | A kind of dynamic link library integrity measurement method under pre-linking mechanism | |
US20120192279A1 (en) | Malware detection using external call characteristics | |
CN110287693B (en) | Automatic buffer overflow vulnerability detection method based on symbol execution path pruning | |
JP5863973B2 (en) | Program execution device and program analysis device | |
US20080115219A1 (en) | Apparatus and method of detecting file having embedded malicious code | |
JP2018502351A (en) | RASP for script language | |
JPWO2006087780A1 (en) | Vulnerability audit program, vulnerability audit device, vulnerability audit method | |
Van Overveldt et al. | FlashDetect: ActionScript 3 malware detection | |
US10395033B2 (en) | System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks | |
US20110219454A1 (en) | Methods of identifying activex control distribution site, detecting security vulnerability in activex control and immunizing the same | |
JP2009093615A (en) | Method and device for analyzing exploit code in non-executable file using virtual environment | |
CN103914657A (en) | Malicious program detection method based on function characteristics | |
KR20090063197A (en) | Enhanced web shell detection method based on hash validation | |
JP4587976B2 (en) | Application vulnerability inspection method and apparatus | |
CN105117648A (en) | Detection system and method for 0DAY/malicious document based on virtual machine | |
KR101161008B1 (en) | system and method for detecting malicious code | |
US20080016573A1 (en) | Method for detecting computer viruses | |
CN103390129B (en) | Detect the method and apparatus of security of uniform resource locator | |
US20150193617A1 (en) | Signature verification device, signature verification method, and program | |
JP5077455B2 (en) | Vulnerability audit program, vulnerability audit device, vulnerability audit method | |
CN111027072B (en) | Kernel Rootkit detection method and device based on elf binary standard analysis under Linux |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application | ||
E601 | Decision to refuse application |