Research And Implementation Of Webshell Detection Technology Via PHP Dynamic Characteristics

Posted on: 2023-03-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Bai
GTID: 2558306914471894
Subject: Computer technology

Abstract/Summary:
The rapid development of Internet technology has greatly improved the operating efficiency of society, but the security problems of Web systems are becoming more and more serious. Webshell malicious code attacks have become one of the most commonly used means of web attack: attackers exploit web vulnerabilities to implant webshell malicious code on the server and obtain a command execution environment. Given the threat that webshell attacks pose to website security during a continuous intrusion, improving the ability to detect them is of great significance.

The one-sentence webshell is widely used in continuous intrusions because of its small size and high concealability. This paper therefore focuses on the one-sentence webshell. After analyzing the shortcomings of existing single-dimension detection methods, it proposes a multi-dimensional detection model that combines malicious code detection with post-intrusion behavior detection, with the dynamic characteristics of PHP as the core of detection, to track the whole process of a webshell attack. Malicious code detection uses static detection and dynamic sandbox detection models, while behavior detection builds on the results of code detection and accurately correlates the traffic data generated by the detected code, so that the attack behavior can be completely restored and the attack threat traced in depth. The main contents and innovations are as follows:

(1) By analyzing and generalizing the code characteristics of one-sentence webshells, the paper summarizes five PHP syntax characteristics that are commonly used to construct this type of webshell: the dynamic characteristics of PHP syntax. Based on this, a static detection method is implemented that combines taint tracking techniques and uses the syntax tree nodes with dynamic characteristics as the sink points for static taint tracking.

(2) When variable functions are used to encrypt or obfuscate one-sentence webshells, pure static detection still has certain shortcomings. A dynamic detection method is therefore designed: the malicious code is executed in a sandbox, the function name of the variable function is restored while the script is running, and, combined with the results of static detection, the risk attribute of the code can be further judged.

(3) The command-and-control channel established between the attacker and the malicious code is monitored, specific abnormal traffic is correlated with the results of malicious code detection, and bidirectional traffic is detected, which makes it possible not only to restore the attack behavior but also to perceive the result of the attack. This provides security defense personnel with a basis for emergency response.

(4) Based on the above methods, a webshell detection system was built, and comprehensive comparison verification and functional tests were conducted. The final results showed that the system has certain advantages.
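
The static stage in contribution (1), sketched as an added example; this is not code from the thesis. It assumes the request superglobals are the taint sources, treats only the variable-function call (the one dynamic characteristic the abstract names) as a sink, and approximates the syntax tree with regular expressions; all names in it are hypothetical.

```python
import re

# Assumed taint sources: PHP request superglobals.
SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VAR = re.compile(r"\$[A-Za-z_]\w*")
# Sink: a call whose callee is a variable or array element, e.g. $f(...).
VAR_CALL = re.compile(r"(\$[A-Za-z_]\w*(?:\[[^\]]*\])*)\s*\((.*)\)", re.S)
# Plain or concatenating assignment to a simple variable ('==' and '=>' excluded).
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*(\.?=)(?![=>])(.*)", re.S)

def is_tainted(expr, tainted):
    """True if expr reads a request superglobal or a tainted variable."""
    return bool(SOURCES.search(expr)) or any(v in tainted for v in VAR.findall(expr))

def scan(php_source):
    """Return (line, callee, reason) for each variable-function call reached by taint."""
    tainted, findings = set(), []
    for stmt in re.finditer(r"[^;]+", php_source):  # statements in source order
        text = stmt.group()
        for call in VAR_CALL.finditer(text):
            line = php_source.count("\n", 0, stmt.start() + call.start()) + 1
            callee, args = call.groups()
            if is_tainted(callee, tainted):
                findings.append((line, callee, "callee"))    # request picks the function
            elif is_tainted(args, tainted):
                findings.append((line, callee, "argument"))  # request data reaches the call
        assign = ASSIGN.search(text)
        if assign:
            target, op, expr = assign.groups()
            if is_tainted(expr, tainted):
                tainted.add(target)
            elif op == "=":
                tainted.discard(target)  # overwritten with clean data
    return findings

# Constructed sample input, not taken from the thesis.
SAMPLE = """<?php
$fmt = 'strtoupper';
echo $fmt('report');
$name = $_GET['name'];
echo $fmt($name);
$cb = $_REQUEST['cb'];
$cb($_REQUEST['arg']);
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An `argument` finding marks a call whose target the static pass cannot name, which is the case contribution (2) hands to the sandbox.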
Keywords/Search Tags:webshell detection, php dynamic characteristics, php hook technology, behavior analysis