
Multi-strategy Based Webshell Detection Framework

Posted on: 2018-09-19
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Wang
GTID: 2428330515997941
Subject: Information security
Abstract/Summary:
With the development of informatization, big data and the Internet of Things, more and more information can be accessed from the internet. What's more, the internet provides more and more services that permeate all aspects of life. From all kinds of data breach events to the leak of NASA confidential documents, all show the importance of Web server security. Webshell is the most common way to place a backdoor, so Webshell detection is one of the most important aspects of securing web services. At present, Webshell detection technologies can be divided into static detection, behavior-based dynamic detection and log-based detection. Static detection detects Webshells by matching signatures and dangerous functions, or by analyzing code comments, variables defined in the code and function strings. The static audit does not involve the dynamic behavior of the executed functions, and because of that it produces a certain false positive rate, and it also has to deal with the problem of code obfuscation. Behavior-based dynamic detection is mainly based on payload behavior analysis, Webshell access characteristics (IP, cookie, etc.), access path and monitoring of abnormal host behavior. Log-based detection mainly deals with Webshell access features, such as page visit features, whether a page is an isolated page, whether the log contains the payload, etc. Dynamic detection and log-based detection need large amounts of storage and have a relatively large impact on server performance. Besides, dynamic detection and log-based detection can only find the abnormal file after the attack has happened.

This paper analyzes Webshell implementation technology, the mainstream detection technology and bypass technology. Based on these, and considering the problems that the results of Webshell detection are not very ideal, that obfuscated Webshells are difficult to detect and that the run-time performance overhead of dynamic monitoring is relatively high, a framework that combines static detection and dynamic detection is presented. On the static detection side, an adjusted taint analysis detection mechanism is proposed that combines the taint analysis method, identification of encoding functions and dangerous functions, classification of dangerous functions' vulnerable parameters and an adjusted data flow static analysis method. An obfuscation detection algorithm based on identifier word segmentation and a Webshell fingerprint algorithm based on abstract syntax trees are proposed. After static detection, suspicious files that have dynamic function calls are added to the monitored file list. Based on the above detection technologies, a multi-strategy-based detection framework is designed and implemented.
Keywords/Search Tags:Webshell detection, static detection, dynamic detection, combination strategy, detection framework