WO2020073494A1 - Webpage backdoor detection method, device, storage medium and apparatus - Google Patents

Webpage backdoor detection method, device, storage medium and apparatus

Info

Publication number
WO2020073494A1
Authority
WO
WIPO (PCT)
Prior art keywords
script
feature
detection
preset
webpage
Application number
PCT/CN2018/122828
Other languages
English (en)
Chinese (zh)
Inventor
李坤
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2020073494A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • This application relates to the technical field of monitoring, in particular to a webpage backdoor detection method, equipment, storage medium and device.
  • A webpage backdoor is a command execution environment that exists in the form of a web file, such as an Active Server Pages (ASP), Hypertext Preprocessor (PHP), Java Server Pages (JSP) or Common Gateway Interface (CGI) file.
  • Webpage backdoors usually contain fairly obvious static features.
  • Webpage scripts are checked against these static features to decide whether a script is a webpage backdoor, which often generates many false positives. How to improve the accuracy of webpage backdoor detection is therefore a technical problem to be solved urgently.
  • The main purpose of the present application is to provide a webpage backdoor detection method, equipment, storage medium and device, aiming to solve the technical problem of the high false alarm rate of webpage backdoor detection in the prior art.
  • the present application provides a webpage backdoor detection method, which includes the following steps:
  • the target script feature is detected through a preset detection model to obtain a target detection result.
  • The present application also provides a webpage backdoor detection device.
  • The webpage backdoor detection device includes a memory, a processor, and webpage backdoor detection readable instructions that are stored in the memory and can run on the processor; the readable instructions are configured to implement the steps of the webpage backdoor detection method described above.
  • The present application also proposes a storage medium that stores webpage backdoor detection readable instructions; when the readable instructions are executed by a processor, the steps of the webpage backdoor detection method described above are implemented.
  • the present application also provides a webpage backdoor detection device, the webpage backdoor detection device includes:
  • the matching module is used to obtain the network script to be detected, and match the network script to be detected with the preset webpage backdoor rule;
  • the extraction module is used to extract the feature of the network script to be detected through a preset extraction model to obtain the target script feature if the matching fails.
  • the detection module is configured to detect the target script feature through a preset detection model to obtain a target detection result.
  • The network script to be detected is obtained and matched with a preset webpage backdoor rule; through this rule-based matching, webpage backdoors with obvious characteristics can be detected. If the match fails, feature extraction is performed on the network script to be detected through a preset extraction model to obtain target script features, and the target script features are detected through a preset detection model to obtain a target detection result. Because rule-based detection is combined with machine-learning-based model detection, webpage backdoors that rule matching fails to detect can be further detected by the machine-learning-based model.
  • The preset detection model has undergone extensive sample learning and evaluation of its detection accuracy and has a better detection effect, thereby improving the accuracy with which the system detects whether a network script is a webpage backdoor.
  • FIG. 1 is a schematic structural diagram of a webpage backdoor detection device of a hardware operating environment involved in an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a first embodiment of a webpage backdoor detection method of the application
  • FIG. 3 is a schematic flowchart of a second embodiment of a webpage backdoor detection method of the application.
  • FIG. 4 is a schematic flowchart of a third embodiment of a webpage backdoor detection method of the application.
  • FIG. 5 is a structural block diagram of a first embodiment of a webpage backdoor detection device of the present application.
  • FIG. 1 is a schematic structural diagram of a webpage backdoor detection device of a hardware operating environment according to an embodiment of the present application.
  • The webpage backdoor detection device may include a processor 1001, for example a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005.
  • The communication bus 1002 is used to implement connection and communication between these components.
  • The user interface 1003 may include a display, and may optionally further include a standard wired interface and a wireless interface.
  • The wired interface of the user interface 1003 may be a USB interface in this application.
  • The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wireless Fidelity (Wi-Fi) interface).
  • The memory 1005 may be a high-speed random access memory (RAM), or a stable non-volatile memory (NVM), such as disk storage.
  • The memory 1005 may optionally be a storage device independent of the foregoing processor 1001.
  • The structure shown in FIG. 1 does not constitute a limitation on the webpage backdoor detection device, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
  • The memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module, and webpage backdoor detection readable instructions.
  • The network interface 1004 is mainly used to connect to a background server and perform data communication with the background server;
  • the user interface 1003 is mainly used to connect user equipment;
  • the webpage backdoor detection device calls, through the processor 1001, the webpage backdoor detection readable instructions stored in the memory 1005, and executes the webpage backdoor detection method provided by the embodiment of the present application.
  • Referring to FIG. 2, a schematic flowchart of the first embodiment, the first embodiment of the webpage backdoor detection method of the present application is proposed.
  • The webpage backdoor detection method includes the following steps:
  • Step S10: Obtain the network script to be detected, and match the network script to be detected with the preset webpage backdoor rule.
  • the execution subject of this embodiment is the webpage backdoor detection device, where the webpage backdoor detection device may be an electronic device such as a personal computer or a server.
  • the preset webpage backdoor (webshell) rule may be a malicious string library, for example, including: "group-specific Malaysia
  • Features of the network script to be detected are extracted in multiple dimensions, such as the keywords and high-risk functions used in the script, the file modification time, file permissions, file owner, and the association with other files, to obtain the script features. The script features are then matched against the preset webshell rule base to obtain a matching result. If the match succeeds, the network script to be detected is a webshell; if the match fails, the network script to be detected is judged not to be a webshell, and it may be a normal network script or a webshell that the detection missed.
  • step S10 includes:
  • the gateway obtains the network script to be detected from an agent server (Agent).
  • the number of network scripts to be detected is usually multiple, or may be one.
  • The analysis of the network script to be detected usually involves splitting the script into character strings and extracting features of multiple preset dimensions from all of those strings. The preset dimensions include: keywords, high-risk functions, file modification time, file permissions, file owner, and association with other files. Normal network scripts do not contain the features in the preset webpage backdoor rules, so the features of the preset dimensions are matched with the preset webpage backdoor rules to identify whether the network script to be detected is a webpage backdoor or a normal network script.
  • Step S20: If the matching fails, feature extraction is performed on the network script to be detected through a preset extraction model to obtain target script features.
  • If the matching fails, the rule matching indicates that the network script to be detected is not a webshell; it may be a normal network script, or a webshell that the detection missed.
  • feature extraction may be performed through the preset extraction model, and the preset extraction model includes a convolutional neural network model and the like.
  • a basic extraction model may be established in advance, a sample network script and corresponding features are acquired to train the basic extraction model, and the preset extraction model is obtained. Feature extraction is performed through the preset extraction model to obtain a suitable feature of the target script.
  • Step S30: Detect the target script feature through a preset detection model to obtain a target detection result.
  • The preset detection model includes a neural network model, which is trained on a large number of training samples to ensure the accuracy with which the preset detection model detects the target script feature.
  • The target detection result may be that the target script feature is a feature corresponding to a webpage backdoor, that is, the network script to be detected corresponding to the target script feature is a webpage backdoor. The target detection result may also be that the target script feature is a feature corresponding to a normal network script, that is, the network script to be detected corresponding to the target script feature is a normal network script.
  • A basic prediction model is first established, and a large number of sample network scripts and corresponding sample detection results are obtained from the database. The sample network scripts include a large number of normal network scripts and a large number of webpage backdoors. The sample network scripts can be subjected to data cleaning, and the cleaned sample network scripts can be subjected to feature extraction through the preset extraction model to obtain the first script features corresponding to the sample network scripts. The basic prediction model may then be trained according to a large number of the first script features and the corresponding sample detection results to obtain the preset detection model.
  • The data cleaning includes processing irrelevant data, repeated data and smoothed noise data in the sample network script, and processing missing values and outliers in the sample network script.
  • The method further includes: establishing a basic prediction model; obtaining sample network scripts and corresponding sample detection results; performing feature extraction on the sample network scripts through the preset extraction model to obtain first script features; and training the basic prediction model according to the first script features and the corresponding sample detection results to obtain the preset detection model.
  • In this embodiment, the network script to be detected is obtained and matched with a preset webpage backdoor rule; through this rule-based matching, webpage backdoors with obvious characteristics can be detected. If the match fails, feature extraction is performed on the network script to be detected through a preset extraction model to obtain target script features, and the target script features are detected through a preset detection model to obtain a target detection result. Rule-based detection is thus combined with machine-learning-based model detection.
  • Webpage backdoors that fail to be detected by rule matching can be further detected by the machine-learning-based model.
  • The preset detection model has undergone extensive sample learning and evaluation of its detection accuracy and has a better detection effect, thereby improving the accuracy with which the system detects whether a network script is a webpage backdoor.
  • FIG. 3 is a schematic flowchart of a second embodiment of the webpage backdoor detection method of the present application. Based on the first embodiment shown in FIG. 2 above, a second embodiment of the webpage backdoor detection method of the present application is proposed.
  • After step S30, the method further includes:
  • Step S40: If the target detection result is that the target script feature is a feature corresponding to a webpage backdoor, train the preset detection model according to the target script feature and the corresponding target detection result.
  • If the target detection result is that the target script feature is a feature corresponding to a webpage backdoor, the network script to be detected corresponding to the target script feature is a webpage backdoor. The network script to be detected and the target detection result are stored in a database, where they can be used as sample data for online training or offline training. The preset detection model can then be trained according to the target script feature and the corresponding target detection result, increasing the training volume of the preset detection model and thereby improving the accuracy of its detection.
  • Step S20 includes:
  • Step S201: If the matching fails, perform data cleaning on the network script to be detected to obtain the target network script.
  • The network script to be detected needs to be sent to a preset high-throughput distributed publish-subscribe messaging system (Kafka). This system serves as a message queue that can both cache and distribute data, and the network script to be detected is usually copied and distributed.
  • Kafka first copies the network script to be detected into Hadoop, a distributed system infrastructure developed by the Apache Foundation. Hadoop uses the network script to be detected for offline learning and for backtracking events.
  • Kafka also makes a copy of the network script to be detected for online learning and sends it to the webpage backdoor detection device. Both online learning and offline learning pass the network script to be detected through the two processes of data cleaning and feature extraction, and then train the preset detection model.
  • The webpage backdoor detection device receives the network script to be detected sent by Kafka and conducts online learning.
  • The network script to be detected needs to be cleaned first.
  • Data cleaning is mainly responsible for filtering out data that does not conform to the rules, desensitizing sensitive data, and formatting the data to facilitate feature extraction. For example, irrelevant data and duplicate data in the network script to be detected are deleted, noisy data is smoothed, and missing values and abnormal values are processed.
  • A cleaning rule is formulated, and data in the network script to be detected that does not conform to the format is filtered out by the cleaning rule.
  • After cleaning, a target network script is obtained, and feature extraction is then performed on the target network script to obtain the target script features.
  • Step S202: Perform feature extraction on the target network script through the preset extraction model to obtain target script features.
  • If the matching fails, the rule matching indicates that the network script to be detected is not a webshell; it may be a normal network script, or a webshell that the detection missed.
  • Feature extraction may be performed on the target network script through the preset extraction model. Because the target network script has undergone data cleaning, excessive duplicate data and irrelevant data are not processed, so more suitable target script features are extracted and the efficiency and quality of feature extraction improve.
  • In this embodiment, if the matching fails, data cleaning is performed on the network script to be detected to obtain a target network script, and feature extraction is performed on the target network script through the preset extraction model to obtain target script features. Data cleaning filters out duplicate data and irrelevant data in the network script to be detected, thereby improving the efficiency and quality of feature extraction.
  • FIG. 4 is a schematic flowchart of a third embodiment of the webpage backdoor detection method of the present application. Based on the second embodiment shown in FIG. 3, a third embodiment of the webpage backdoor detection method of the present application is proposed.
  • Before step S30, the method further includes:
  • Step S203: Acquire a first quantity of sample webpage backdoors, and perform feature extraction on the sample webpage backdoors through the preset extraction model to obtain second script features.
  • The accuracy rate or the recall rate of the preset detection model may be calculated: when the accuracy rate exceeds a preset threshold (such as 80%), the preset detection model is used for detection; or, when the recall rate is less than a preset recall threshold (such as 20%), the preset detection model is used for detection.
  • The accuracy rate or recall rate can be calculated by acquiring the first quantity of sample webpage backdoors from the database and detecting them with the preset detection model. Since the preset detection model detects the features corresponding to a network script, the features of the sample webpage backdoors must first be extracted through the preset extraction model to obtain the second script features.
  • Step S204: Detect the second script features through the preset detection model to obtain an evaluation detection result, where the evaluation detection result includes a first detection result that the second script feature is a feature corresponding to a webpage backdoor.
  • The second script features are features corresponding to the sample webpage backdoors. They are passed through the preset detection model to detect whether each second script feature is a feature of a webpage backdoor; if all the second script features are successfully detected by the preset detection model, the accuracy rate of the preset detection model is 100%.
  • The evaluation detection result includes a first detection result and a second detection result: the first detection result is that the second script feature is a feature corresponding to a webpage backdoor, and the second detection result is that the second script feature is not a feature corresponding to a webpage backdoor.
  • Step S205: Count the second quantity, that is, the number of first detection results, and calculate the accuracy rate of the preset detection model according to the first quantity and the second quantity.
  • The evaluation detection results may be analyzed, and the second quantity of first detection results, in which the second script feature is a feature corresponding to a webpage backdoor, is counted. The second quantity is the number of second script features that the preset detection model detects correctly, that is, the number of sample webpage backdoors it correctly detects. The second quantity is divided by the first quantity to obtain the accuracy rate of the preset detection model.
  • the first quantity is subtracted from the second quantity to obtain a difference quantity, and the difference quantity is divided by the first quantity to obtain a recall rate of the preset detection model.
  • Step S206: When the accuracy rate exceeds a preset threshold, execute step S30.
  • The target script feature corresponding to the network script to be detected may then be detected through the preset detection model to determine whether the target script feature is a feature corresponding to a webpage backdoor.
  • The evaluation detection result includes the second detection result that the second script feature is not a feature corresponding to a webpage backdoor; after step S205, the method further includes:
  • If the evaluation detection result includes the second detection result, that is, the second script feature is not a feature corresponding to a webpage backdoor, the second script features corresponding to the second detection result are acquired. These are the second script features that the preset detection model did not successfully detect, and they can be used as misdetected webpage backdoor features. The real detection result of each misdetected webpage backdoor feature is set to: the feature is a feature corresponding to a webpage backdoor. The preset detection model is trained according to the misdetected webpage backdoor features and the corresponding real detection results, so that in subsequent detection it can identify the misdetected webpage backdoor features as features corresponding to a webpage backdoor, improving the detection accuracy of the preset detection model.
  • Data cleaning can be performed on the sample webpage backdoors, and the cleaned sample webpage backdoors can then be subjected to feature extraction through the preset extraction model to obtain the second script features.
  • Data cleaning includes deleting irrelevant data and duplicate data in the sample webpage backdoors, smoothing noisy data, and processing missing values and outliers in the sample webpage backdoors.
  • In this embodiment, a first quantity of sample webpage backdoors is obtained, and feature extraction is performed on the sample webpage backdoors through the preset extraction model to obtain second script features. The second script features are detected through the preset detection model to obtain an evaluation detection result, which includes a first detection result that the second script feature is a feature corresponding to a webpage backdoor. The second quantity of first detection results is counted, and the accuracy rate of the preset detection model is calculated according to the first quantity and the second quantity. When the accuracy rate exceeds a preset threshold, the step of detecting the target script feature through the preset detection model to obtain a target detection result is executed. When the accuracy rate exceeds the preset threshold, the detection performed by the preset detection model is accurate and trustworthy, which ensures the accuracy with which the preset detection model detects the target script features of the network script to be detected.
  • The steps implementing the above embodiments may be completed by hardware, or by a program instructing the related hardware.
  • The program may be stored in a computer-readable storage medium; the storage medium may be a read-only memory, a magnetic disk or an optical disk.
  • An embodiment of the present application further proposes a storage medium that stores webpage backdoor detection readable instructions; when the readable instructions are executed by a processor, the steps of the webpage backdoor detection method described above are implemented.
  • an embodiment of the present application further provides a webpage backdoor detection device, and the webpage backdoor detection device includes:
  • the matching module 10 is used to obtain a network script to be detected, and match the network script to be detected with a preset webpage backdoor rule;
  • the extraction module 20 is configured to extract the feature of the network script to be detected through a preset extraction model to obtain the target script feature if the matching fails.
  • the detection module 30 is configured to detect the target script feature through a preset detection model to obtain a target detection result.
  • the extraction module 20 is also used to obtain the network script to be detected through the gateway, analyze the network script to be detected, and extract features of multiple preset dimensions;
  • the matching module 10 is also used to match the feature of the preset dimension with the preset backdoor rule of the webpage.
  • the gateway obtains the network script to be detected from an agent server (Agent).
  • Agent Agent server
  • the number of network scripts to be detected is usually multiple, or may be one.
  • the analysis of the network script to be detected usually involves splitting the network script to be detected into character strings, and extracting features of multiple preset dimensions from all character strings corresponding to the network script to be detected. Multiple preset dimensions include: keywords, high-risk functions, file modification time, file permissions, file owner, and association with other files. Normal web scripts will not contain the features in the preset webpage backdoor rules, then the features of the preset dimensions are matched with the preset webpage backdoor rules, so as to identify whether the web script to be detected is a webpage Backdoor, or normal network script.
  • the matching fails, it indicates that the network script to be detected is not a webshell, which may be a normal network script, or a webshell with an error in detection.
  • feature extraction may be performed through the preset extraction model, and the preset extraction model includes a convolutional neural network model and the like.
  • a basic extraction model may be established in advance, a sample network script and corresponding features are acquired to train the basic extraction model, and the preset extraction model is obtained. Feature extraction is performed through the preset extraction model to obtain a suitable feature of the target script.
  • the preset detection model includes a neural network model, which is trained by a large number of training samples to ensure the accuracy of detection of the target script feature by the preset detection model.
  • the target detection result may be that the target script feature is a feature corresponding to a webpage backdoor, that is, the network script to be detected corresponding to the target script feature is a webpage backdoor; the target detection result may also be the target script feature It is a feature corresponding to a normal network script, that is, the network script to be detected corresponding to the target script feature is a normal network script.
  • a basic prediction model is first established, and a large number of sample network scripts and corresponding sample detection results are obtained from the database.
  • the sample network scripts include a large number of normal web scripts And a large number of webpage backdoors, the sample network script can be subjected to data cleaning, and the sample network script after data cleaning can be subjected to feature extraction through the preset extraction model to obtain the first script feature corresponding to the sample network script, then
  • the basic prediction model may be trained according to a large number of the first script features and the corresponding sample detection results to obtain the preset detection model.
  • the data cleaning includes processing irrelevant data and repeated data and smoothing noise data in the sample network script, and processing missing values and outliers in the sample network script.
  • it also includes: an establishment module for establishing a basic prediction model; an acquisition module for acquiring sample network scripts and corresponding sample detection results; an extraction module 20 for performing feature extraction on the sample network scripts through the preset extraction model to obtain a first script feature; and a training module for training the basic prediction model according to the first script feature and the corresponding sample detection result to obtain a preset detection model.
  • the network script to be detected is obtained and matched with a preset webpage backdoor rule; rule-based matching detects webpage backdoors with obvious characteristics.
  • if the match fails, feature extraction is performed on the network script to be detected through a preset extraction model to obtain target script features, and the target script features are detected through a preset detection model to obtain target detection results. Rule detection is thereby combined with machine learning-based model detection.
  • webpage backdoors that fail to be detected by rule matching can be further detected by a machine learning-based model.
  • the preset detection model has undergone extensive sample learning and detection accuracy evaluation and therefore has a better detection effect, thereby improving the accuracy with which the system detects whether the network script is a webpage backdoor.
  • the webpage backdoor detection device further includes: a training module, configured to: if the target detection result is that the target script feature is a feature corresponding to the webpage backdoor, train the preset detection model according to the target script feature and the corresponding target detection result.
  • the webpage backdoor detection device further includes: a data cleaning module, configured to perform data cleaning on the network script to be detected if a match fails, to obtain a target network script;
  • the extraction module 20 is further configured to perform feature extraction on the target network script through the preset extraction model to obtain target script features.
  • the extraction module 20 is further configured to obtain a network script to be detected through a gateway, analyze the network script to be detected, and extract features of multiple preset dimensions;
  • the matching module 10 is also used to match the feature of the preset dimension with the preset backdoor rule of the webpage.
  • the webpage backdoor detection device further includes: a building module for building a basic prediction model;
  • Acquisition module for acquiring sample network scripts and corresponding sample detection results
  • the extraction module 20 is further configured to perform feature extraction on the sample network script through the preset extraction model to obtain a first script feature
  • the training module is configured to train the basic prediction model according to the first script feature and the corresponding sample detection result to obtain a preset detection model.
  • the acquiring module is further configured to acquire a first number of sample webpage backdoors, and perform feature extraction on the sample webpage backdoors through the preset extraction model to obtain second script features;
  • the detection module 30 is further configured to detect the second script feature through the preset detection model to obtain an evaluation detection result, where the evaluation detection result includes a first detection result that the second script feature is a feature corresponding to a webpage backdoor;
  • the webpage backdoor detection device further includes: a calculation module for counting a second quantity of the first detection result, and calculating an accuracy rate of the preset detection model according to the first quantity and the second quantity;
  • the detection module 30 is further configured to perform the step of detecting the feature of the target script through a preset detection model to obtain a target detection result when the accuracy rate exceeds a preset threshold.
  • the evaluation detection result includes a second detection result that the second script feature is not a feature corresponding to the back door of the web page;
  • the acquiring module is further configured to acquire a second script feature corresponding to the second detection result as a misdetected webpage backdoor feature
  • the training module is further configured to set the true detection result of the misdetected webpage backdoor feature to be that the misdetected webpage backdoor feature is a feature corresponding to the webpage backdoor, and to train the preset detection model according to the misdetected webpage backdoor feature.
  • sequence numbers of the above embodiments of the present application are for description only, and do not represent the advantages and disadvantages of the embodiments.
  • several of these devices may be embodied by the same hardware item.
  • the use of the words first, second, and third does not indicate any order, and these words can be interpreted as names.
  • the embodiment method can be implemented by means of software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, in essence or in the part that contributes to the existing technology, may be embodied in the form of a software product.
  • the computer software product is stored in a storage medium (such as a Read Only Memory (ROM) / Random Access Memory (RAM), magnetic disk, or optical disk) and includes several instructions to enable a terminal device (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to perform the methods described in the embodiments of the present application.
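The flow described above (rule matching first, model detection on a failed match, an accuracy check against known backdoor samples, and retraining on misdetected features) can be sketched as follows. This is an added example, not code from the patent: the two regex signatures, the two hand-picked features and the nearest-neighbour classifier are simple stand-ins for the preset rules, the preset extraction model and the preset detection model, and every name and sample script is constructed.

```python
import math
import re

# Stage 1: preset webpage backdoor rules (two constructed, illustrative signatures).
RULES = [re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST)\b"),
         re.compile(r"\b(system|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST)\b")]

def features(script):
    """Data cleaning, then a stand-in for the preset extraction model."""
    script = re.sub(r"/\*.*?\*/", " ", script, flags=re.S)    # drop block comments
    script = re.sub(r"\s+", " ", script).strip()              # collapse whitespace
    longest = max((len(t) for t in re.findall(r"[A-Za-z0-9+/=]+", script)), default=0)
    dynamic_calls = len(re.findall(r"\$\w+\s*\(", script))    # calls through a variable
    return (longest / 10, float(dynamic_calls))

class NearestNeighbourModel:
    """Stand-in for the preset detection model: label of the closest training feature."""
    def __init__(self):
        self.points = []                                      # (feature, is_backdoor)
    def train(self, feature, is_backdoor):
        self.points.append((feature, is_backdoor))
    def detect(self, feature):
        return min(self.points, key=lambda p: math.dist(p[0], feature))[1]

def evaluate(model, known_backdoors, threshold):
    """Accuracy = second quantity (flagged) / first quantity (known backdoor samples)."""
    feats = [features(s) for s in known_backdoors]
    missed = [f for f in feats if not model.detect(f)]
    accuracy = (len(feats) - len(missed)) / len(feats)
    for f in missed:                      # misdetected features get their true label
        model.train(f, True)
    return accuracy, accuracy > threshold

def detect(script, model):
    """Rule match first; if it fails, extract features and ask the model."""
    if any(rule.search(script) for rule in RULES):
        return "backdoor (rule)"
    feature = features(script)
    if model.detect(feature):
        model.train(feature, True)        # model detections are fed back as training data
        return "backdoor (model)"
    return "normal"

def sample(blob_len, calls):
    """Constructed, inert input: an encoded-looking blob plus calls through a variable."""
    return '<?php $d = "' + "A" * blob_len + '"; ' + "$f($d); " * calls + "?>"

def build_model():
    """Train on constructed samples: two normal scripts and one backdoor-like script."""
    model = NearestNeighbourModel()
    model.train(features('<?php echo "Hello, " . htmlspecialchars($name); ?>'), False)
    model.train(features("<?php $total = array_sum($prices); print($total); ?>"), False)
    model.train(features(sample(160, 1)), True)
    return model
```

Calling `evaluate` before `detect` mirrors the gating step: the model path is only trusted once the returned flag is true, and a second `evaluate` call shows the effect of retraining on the misdetected features.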

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed are a webpage backdoor detection method, device, storage medium and apparatus, the method comprising: acquiring a network script to be detected, and matching the network script to be detected against a preset webpage backdoor rule (S10); if the matching fails, performing feature extraction on the network script to be detected through a preset extraction model to obtain a target script feature (S20); and detecting the target script feature through a preset detection model to obtain a target detection result (S30). The method improves the accuracy with which the system detects whether the network script to be detected is a webpage backdoor by combining rule detection with machine learning-based model detection.
PCT/CN2018/122828 2018-10-11 2018-12-21 Webpage backdoor detection method, device, storage medium and apparatus WO2020073494A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811188296.9 2018-10-11
CN201811188296.9A CN109657459A (zh) 2018-10-11 2018-10-11 Webpage backdoor detection method, device, storage medium and apparatus

Publications (1)

Publication Number Publication Date
WO2020073494A1 true WO2020073494A1 (fr) 2020-04-16

Family

ID=66110701

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/122828 WO2020073494A1 (fr) 2018-10-11 2018-12-21 Webpage backdoor detection method, device, storage medium and apparatus

Country Status (2)

Country Link
CN (1) CN109657459A (fr)
WO (1) WO2020073494A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113839904A (zh) * 2020-06-08 2021-12-24 北京梆梆安全科技有限公司 Security situational awareness method and system based on intelligent connected vehicles

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
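CN110232277A (zh) * 2019-04-23 2019-09-13 平安科技(深圳)有限公司 Webpage backdoor detection method, apparatus and computer device
CN111695117B (zh) * 2020-06-12 2023-10-03 国网浙江省电力有限公司信息通信分公司 Webshell script detection method and apparatus
CN111800405A (zh) * 2020-06-29 2020-10-20 深信服科技股份有限公司 Detection method, detection device and storage medium
CN112182561B (zh) * 2020-09-24 2024-04-30 百度在线网络技术(北京)有限公司 Backdoor detection method, apparatus, electronic device and medium
CN112769840B (zh) * 2021-01-15 2023-04-07 杭州安恒信息技术股份有限公司 Network attack behavior identification method based on the reinforcement learning Dyna framework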

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
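CN101069175A (zh) * 2003-10-03 2007-11-07 考维枸有限公司 Dynamic message filtering
CN107294982A (zh) * 2017-06-29 2017-10-24 深信服科技股份有限公司 Webpage backdoor detection method, apparatus and computer-readable storage medium
CN107451476A (zh) * 2017-07-21 2017-12-08 上海携程商务有限公司 Cloud platform-based webpage backdoor detection method, system, device and storage medium
CN107622202A (zh) * 2017-09-20 2018-01-23 杭州安恒信息技术有限公司 Webpage backdoor detection method and apparatus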
US20180082063A1 (en) * 2016-09-16 2018-03-22 Rapid7, Inc. Web shell detection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
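CN103577755A (zh) * 2013-11-01 2014-02-12 浙江工业大学 Static malicious script detection method based on a support vector machine
CN104618343B (zh) * 2015-01-06 2018-11-09 中国科学院信息工程研究所 Method and system for website threat detection based on real-time logs
CN106961419B (zh) * 2017-02-13 2020-04-14 深信服科技股份有限公司 WebShell detection method, apparatus and system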

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101069175A (zh) * 2003-10-03 2007-11-07 考维枸有限公司 Dynamic message filtering
US20180082063A1 (en) * 2016-09-16 2018-03-22 Rapid7, Inc. Web shell detection
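CN107294982A (zh) * 2017-06-29 2017-10-24 深信服科技股份有限公司 Webpage backdoor detection method, apparatus and computer-readable storage medium
CN107451476A (zh) * 2017-07-21 2017-12-08 上海携程商务有限公司 Cloud platform-based webpage backdoor detection method, system, device and storage medium
CN107622202A (zh) * 2017-09-20 2018-01-23 杭州安恒信息技术有限公司 Webpage backdoor detection method and apparatus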

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
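CN113839904A (zh) * 2020-06-08 2021-12-24 北京梆梆安全科技有限公司 Security situational awareness method and system based on intelligent connected vehicles
CN113839904B (zh) * 2020-06-08 2023-08-22 北京梆梆安全科技有限公司 Security situational awareness method and system based on intelligent connected vehicles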

Also Published As

Publication number Publication date
CN109657459A (zh) 2019-04-19

Similar Documents

Publication Publication Date Title
WO2020073494A1 (fr) Webpage backdoor detection method, device, storage medium and apparatus
WO2020253034A1 (fr) Client buried point testing method, apparatus and device, and recording medium
WO2020015064A1 (fr) System failure processing method, apparatus, device and storage medium
WO2020034526A1 (fr) Quality inspection method, apparatus, device and computer storage medium for insurance recording
WO2020107765A1 (fr) Statement analysis processing method, apparatus and device, and computer-readable storage medium
WO2017213400A1 (fr) Malware detection by exploiting malware re-composition variations
WO2021072881A1 (fr) Object storage-based request processing method, apparatus and device, and storage medium
WO2020015067A1 (fr) Data acquisition method, device, equipment and storage medium
WO2020077832A1 (fr) Cloud desktop access method, apparatus and device, and storage medium
WO2020015060A1 (fr) Power consumption anomaly estimation method and apparatus, and computer recording medium
WO2020253116A1 (fr) Batch data execution method, device, recording medium and group member host
WO2013169059A1 (fr) System and method for monitoring an internet service
WO2020062644A1 (fr) JSON hijacking bug detection method, apparatus and device, and recording medium
WO2020087981A1 (fr) Risk control audit model generation method and apparatus, device, and readable storage medium
WO2015194829A2 (fr) Method for detecting a number of devices selected from among a plurality of client terminals in a private network using the same public IP by a web server having an additional unspecified domain name from the internet access request traffic of the client terminal making an internet access request, and selective detection system for a device in a state in which a public IP is shared
WO2020258672A1 (fr) Network access anomaly detection method and device
WO2020119384A1 (fr) Medical insurance anomaly detection method, apparatus and device based on big data analysis, and medium
WO2021027143A1 (fr) Information push method, apparatus and device, and computer-readable storage medium
WO2020233060A1 (fr) Event notification method and apparatus, event notification server and storage medium
WO2020082766A1 (fr) Association method and apparatus for an input method, device and readable storage medium
WO2020233089A1 (fr) Test set creation method and apparatus, terminal and computer-readable storage medium
WO2019024485A1 (fr) Data sharing method and device, and computer-readable storage medium
WO2020253115A1 (fr) Product recommendation method, apparatus and device based on voice recognition, and storage medium
WO2020155773A1 (fr) Suspicious text input monitoring method, device, computer apparatus and storage medium
WO2020062641A1 (fr) User role identification method, user equipment, storage medium and user role identification apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18936405

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 14/07/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18936405

Country of ref document: EP

Kind code of ref document: A1