In recent years, with the continuous development and application of computer technology, web application techniques have evolved rapidly, and WebShell backdoor techniques have evolved with them. Because of its obvious textual characteristics, the traditional file-based WebShell is easily recognized by various scanning and killing tools, so attacks that use it are detected; the traditional WebShell backdoor can therefore no longer meet attackers' needs. Under these circumstances, a growing number of attackers have turned to new WebShell backdoor techniques, and many new types of WebShell have appeared: WebShells loaded from bytecode, WebShells based on calls to a particular class, WebShells based on various expression languages, WebShells based on deserialization or JNDI injection, and WebShells based on fileless attack techniques. All of these new WebShell techniques pose great challenges to existing security defense and detection mechanisms.

Aiming at the difficulty of detecting the memory webshell, the most representative fileless WebShell backdoor among the new types and one that combines many of the new WebShell writing techniques, this paper analyzes the writing principles of new WebShells and the memory webshell in particular, compares existing domestic and foreign detection methods and identifies their shortcomings, and on that basis proposes two detection models. Experiments show that the two models effectively solve the difficulty of detecting the memory webshell. The work is carried out as follows.

(1) For the difficulty of detecting memory webshells, this paper first analyzes and summarizes existing memory-scanning detection techniques and devises a memory object scanning scheme based on the Java Instrumentation API. With this scheme, information about the class objects loaded in the JVM is obtained and processed into presentation objects. Through extensive training, a Naive Bayes classifier is used to build a memory webshell detection model based on abnormal performance sequences, which effectively classifies such sequences.

(2) In memory webshell detection, missed alarms (false negatives) are the situation that matters most in real scenes. The detection model based on abnormal performance sequences therefore keeps the missed-alarm rate low, but at the cost of a large number of false alarms in its classification results. To solve this problem, this paper devises a memory webshell detection model based on taint analysis and ASM. Starting from the classification results of the first model, this model exports the bytecode of the flagged loaded classes from memory and then analyzes the exported class files in depth with taint analysis built on the ASM bytecode manipulation framework. In the experiment, the average number of false alarms (false positives) for the three test items decreased from 39, 74 and 152 to 3, 6 and 19 respectively, which greatly reduces the classifier's false alarm rate and improves the accuracy of memory webshell detection.
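The two stages described in (1) and (2), as an added Java agent example that is not the paper's code: stage 1 walks every class loaded in the JVM through the Instrumentation API and keeps candidates using a few hand-picked features (where the paper trains a Naive Bayes classifier on its feature sequences); stage 2 dumps the bytecode of each candidate from memory with a no-op ClassFileTransformer and scans it with ASM for command-execution, class-definition and reflection call sites. The ASM scan is a simplified stand-in for the paper's taint analysis, which additionally checks whether request-controlled data reaches those sinks. The class name MemShellScanAgent, the SINKS and HOOK_TYPES sets and the "no CodeSource location" feature are this example's own assumptions; it assumes the ASM library (org.ow2.asm:asm) on the class path and an agent jar manifest with Premain-Class/Agent-Class set to MemShellScanAgent and Can-Retransform-Classes: true.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public class MemShellScanAgent {

    // Example sink list (this example's assumption): calls a memory webshell almost always makes.
    // Matching is on the exact owner class, so defineClass() called through a ClassLoader
    // subclass is missed; the paper's taint analysis resolves that through the type hierarchy.
    private static final Set<String> SINKS = Set.of(
            "java/lang/Runtime.exec",
            "java/lang/ProcessBuilder.start",
            "java/lang/ClassLoader.defineClass",
            "java/lang/reflect/Method.invoke");

    // Request-pipeline types an injected memory webshell typically registers itself as.
    private static final Set<String> HOOK_TYPES = Set.of(
            "javax.servlet.Filter", "jakarta.servlet.Filter",
            "javax.servlet.Servlet", "jakarta.servlet.Servlet",
            "javax.servlet.ServletRequestListener", "jakarta.servlet.ServletRequestListener",
            "org.apache.catalina.Valve", "org.springframework.web.servlet.HandlerInterceptor");

    public static void premain(String args, Instrumentation inst) { scan(inst); }   // -javaagent
    public static void agentmain(String args, Instrumentation inst) { scan(inst); } // attach API

    static void scan(Instrumentation inst) {
        List<Class<?>> candidates = new ArrayList<>();
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (isCandidate(c)) candidates.add(c);
        }
        for (Map.Entry<String, byte[]> e : dumpClassBytes(inst, candidates).entrySet()) {
            List<String> hits = findSinks(e.getValue());
            if (!hits.isEmpty()) System.out.println("[memshell?] " + e.getKey() + " " + hits);
        }
    }

    // Stage 1 feature check (this example's heuristics, not the paper's feature set): a non-JDK
    // class that plugs into the request pipeline and was defined straight from bytes in memory,
    // i.e. has no CodeSource location, unlike a Filter loaded from WEB-INF/classes or a jar.
    static boolean isCandidate(Class<?> c) {
        try {
            if (c.isArray() || c.isPrimitive() || c.isInterface() || c.getClassLoader() == null) return false;
            String name = c.getName();
            if (name.startsWith("java.") || name.startsWith("jdk.") || name.startsWith("sun.")) return false;
            boolean hooksPipeline = false;
            for (Class<?> t = c; t != null && !hooksPipeline; t = t.getSuperclass()) {
                if (HOOK_TYPES.contains(t.getName())) hooksPipeline = true;
                for (Class<?> i : t.getInterfaces()) if (HOOK_TYPES.contains(i.getName())) hooksPipeline = true;
            }
            ProtectionDomain pd = c.getProtectionDomain();
            boolean noLocation = pd == null || pd.getCodeSource() == null
                    || pd.getCodeSource().getLocation() == null;
            return hooksPipeline && noLocation;
        } catch (Throwable t) {          // getInterfaces()/getSuperclass() can fail on broken classes
            return false;
        }
    }

    // Stage 2a: export the bytes of already-loaded classes. Retransformation hands the current
    // class file to every registered transformer; returning null leaves the class untouched.
    static Map<String, byte[]> dumpClassBytes(Instrumentation inst, List<Class<?>> classes) {
        Map<String, byte[]> out = new ConcurrentHashMap<>();
        ClassFileTransformer grabber = new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader l, String internalName, Class<?> being,
                                    ProtectionDomain pd, byte[] buf) {
                if (being != null) out.put(being.getName(), buf.clone());
                return null;
            }
        };
        inst.addTransformer(grabber, true);
        try {
            for (Class<?> c : classes) {
                if (!inst.isModifiableClass(c)) continue;
                try { inst.retransformClasses(c); } catch (Throwable ignored) { }
            }
        } finally {
            inst.removeTransformer(grabber);
        }
        return out;
    }

    // Stage 2b: walk every method's instructions with ASM and report call sites into SINKS.
    static List<String> findSinks(byte[] classBytes) {
        List<String> hits = new ArrayList<>();
        new ClassReader(classBytes).accept(new ClassVisitor(Opcodes.ASM9) {
            @Override
            public MethodVisitor visitMethod(int acc, String mName, String desc, String sig, String[] ex) {
                return new MethodVisitor(Opcodes.ASM9) {
                    @Override
                    public void visitMethodInsn(int op, String owner, String name, String d, boolean itf) {
                        if (SINKS.contains(owner + "." + name)) hits.add(mName + "->" + owner + "." + name);
                    }
                };
            }
        }, ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
        return hits;
    }
}
```

Load it into a running server with the attach API (com.sun.tools.attach.VirtualMachine.attach(pid).loadAgent(jarPath)) so that agentmain runs against the live JVM; stage 1 is cheap enough to run over every loaded class, while retransformation and the bytecode walk are only spent on the candidates it returns, which is the same division of labor between a broad first-pass classifier and a deeper second-pass analysis that the abstract describes.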