
CN118157989B - Webshell memory horse detection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN118157989B
CN118157989B
Authority
CN
China
Prior art keywords
log
traffic
memory
webshell
flow
Prior art date
Legal status
Active
Application number
CN202410560582.2A
Other languages
Chinese (zh)
Other versions
CN118157989A (en)
Inventor
陈勇
刘加瑞
Current Assignee
Anhui Huayun'an Technology Co ltd
Original Assignee
Anhui Huayun'an Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Anhui Huayun'an Technology Co ltd
Priority to CN202410560582.2A
Publication of CN118157989A
Application granted
Publication of CN118157989B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the disclosure provide a Webshell memory horse (memory-resident webshell) detection method, device, equipment and storage medium. The method comprises: capturing network interface traffic and analysing it to determine an abnormal traffic log; using the source IP and destination IP in the abnormal traffic log to match the corresponding Web access log of the target server; determining candidate URL requests from the access paths and parameters of the URL requests in that Web access log; and accessing the access path of each candidate URL request, and identifying a candidate whose access path points to a file that does not exist on the server yet whose request was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse. In this way, the technical problem that conventional security monitoring tools struggle to discover Webshell memory horses is addressed.

Description

Webshell memory horse detection method, device, equipment and storage medium
Technical Field
The disclosure relates to the technical field of network security, and in particular to a Webshell memory horse detection method, device, equipment and storage medium.
Background
A Webshell memory horse is a fileless attack technique: the attacker writes a malicious backdoor or Trojan into the memory of a target Web server or application process and controls it remotely, targeting the enterprise's external-facing window, its websites and applications. A conventional webshell is file-based: the hacker uploads a Webshell file to the target server through an upload tool or by exploiting a website vulnerability and then executes malicious code by accessing that file, so this type of Webshell usually leaves a detectable trace in the server's file system. A Webshell memory horse instead injects malicious code directly into memory by exploiting vulnerabilities in the middleware or in the server process, leaving no file in the server's file system; because it has no file signature and its traffic is typically encrypted, conventional security monitoring tools find it difficult to discover and block.
No effective solution has yet been proposed for the technical problem that conventional security monitoring tools struggle to discover Webshell memory horses.
Disclosure of Invention
The disclosure provides a Webshell memory horse detection method, device, equipment and storage medium.
According to a first aspect of the present disclosure, a Webshell memory horse detection method is provided. The method comprises the following steps:
acquiring network interface traffic and performing traffic analysis to determine an abnormal traffic log;
matching a target Web access log of a target server using the source IP and destination IP in the abnormal traffic log;
determining candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log;
accessing the access path of each candidate URL request, and determining a candidate URL request whose access path points to a file that does not exist but which was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse.
In an implementation of the above aspect, acquiring network interface traffic and performing traffic analysis to determine an abnormal traffic log includes:
capturing network interface traffic from the switch;
performing deep packet analysis on the network interface traffic to produce TCP traffic logs;
performing traffic analysis on the TCP traffic logs to determine candidate traffic logs corresponding to suspicious traffic;
where the source IP in a candidate traffic log has no historical access record, determining that candidate traffic log to be an abnormal traffic log.
In an implementation of the above aspect, performing traffic analysis on the TCP traffic logs to determine candidate traffic logs corresponding to suspicious traffic includes:
determining TCP traffic whose TCP connection duration between the source IP and destination IP is greater than or equal to a preset duration as suspicious traffic; and/or
determining TCP traffic whose frequency of establishing TCP connections between the source IP and destination IP is greater than or equal to a preset frequency as suspicious traffic;
and taking the traffic log corresponding to the suspicious traffic as a candidate traffic log.
In an implementation of the above aspect, matching a target Web access log of a target server using the source IP and destination IP in the abnormal traffic log includes:
determining the target server from the destination IP in the abnormal traffic log;
acquiring the Web access log of the target server, in which the client IP that initiated each request is recorded;
and matching the source IP in the abnormal traffic log against the client IPs in the Web access log of the target server to determine the target Web access log.
In an implementation of the above aspect, determining candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log includes:
if URL requests with the same access path but different parameters occur in the target Web access log within a preset time range, determining those URL requests as candidate URL requests.
In an implementation of the above aspect, accessing the access path of each candidate URL request and determining a candidate URL request whose access path points to a non-existent file but which was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse includes:
accessing the access path of the candidate URL request to obtain an access result;
if the access result is that the file does not exist and the response status code recorded for the candidate URL request indicates that the request was answered successfully, determining the candidate URL request to be a request sent by an attacker to perform malicious operations through the Webshell memory horse.
According to a second aspect of the present disclosure, a Webshell memory horse detection device is provided. The device comprises:
an acquisition module for acquiring network interface traffic and performing traffic analysis to determine an abnormal traffic log;
a matching module for matching a target Web access log of the target server using the source IP and destination IP in the abnormal traffic log;
a determining module for determining candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log;
and a detection module for accessing the access path of each candidate URL request and determining a candidate URL request whose access path points to a non-existent file but which was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: a memory and a processor, the memory having stored thereon a computer program, the processor implementing the method as described above when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a method according to the first aspect of the present disclosure.
By correlating traffic logs with Web access logs, the method and device identify the requests an attacker sends to perform malicious operations through the Webshell memory horse, thereby detecting the Webshell memory horse and solving the technical problem that conventional security monitoring tools struggle to discover it.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
FIG. 1 illustrates a flow chart of a Webshell memory horse detection method according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of a data transmission flow of a Webshell memory horse detection method according to an embodiment of the present disclosure;
FIG. 3 illustrates a block diagram of a Webshell memory horse detection device, according to an embodiment of the present disclosure;
Fig. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
In the method, system and device, correlation analysis of traffic logs and Web access logs identifies the requests an attacker sends to perform malicious operations through the Webshell memory horse, so that the Webshell memory horse is detected and the technical problem that conventional security monitoring tools struggle to discover it is solved.
Fig. 1 illustrates a flowchart of a Webshell memory horse detection method 100 according to an embodiment of the present disclosure.
Step S110: acquire network interface traffic, perform traffic analysis and determine an abnormal traffic log;
Step S120: match a target Web access log of a target server using the source IP and destination IP in the abnormal traffic log;
Step S130: determine candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log;
Step S140: access the access path of each candidate URL request, and determine a candidate URL request whose access path points to a file that does not exist but which was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse.
In some embodiments, in step S110 the abnormal traffic log is determined by capturing network interface traffic from the switch and performing DPI (deep packet inspection) and TCP traffic analysis.
Optionally, step S110, acquiring network interface traffic and performing traffic analysis to determine an abnormal traffic log, includes:
capturing network interface traffic from the switch;
performing deep packet analysis on the network interface traffic to produce TCP traffic logs;
performing traffic analysis on the TCP traffic logs to determine candidate traffic logs corresponding to suspicious traffic;
where the source IP in a candidate traffic log has no historical access record, determining that candidate traffic log to be an abnormal traffic log.
In this embodiment, traffic anomaly detection relies on deep packet analysis (to extract TCP connection records) and TCP traffic analysis of connection metadata, not on inspection of the payload carried by the traffic, so the method applies to encrypted traffic as well as to unencrypted traffic.
In some embodiments, performing traffic analysis on the TCP traffic logs to determine candidate traffic logs corresponding to suspicious traffic includes:
determining TCP traffic whose TCP connection duration between the source IP and destination IP is greater than or equal to a preset duration as suspicious traffic; and/or
determining TCP traffic whose frequency of establishing TCP connections between the source IP and destination IP is greater than or equal to a preset frequency as suspicious traffic;
and taking the traffic log corresponding to the suspicious traffic as a candidate traffic log.
Suspicious traffic may therefore be either long-connection traffic or high-frequency access traffic within a short period.
The preset duration can be set according to actual needs; for example, with a preset duration of 5 minutes, TCP traffic in which a TCP connection between the source IP and destination IP lasts 5 minutes or longer is determined to be suspicious traffic.
The preset frequency can likewise be set according to actual needs; for example, with a preset frequency of 20 connections per minute, TCP traffic in which 20 or more TCP connections are established between the source IP and destination IP within 1 minute is determined to be suspicious traffic.
In this embodiment, long-connection traffic and short-period high-frequency access traffic serve as the index dimensions of the TCP traffic analysis, providing concrete monitoring indicators for judging suspicious traffic; because both indicators are computed from connection metadata alone, suspicious traffic can be detected in real time.
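The traffic-side indicators of step S110 (long connection, high connection frequency within a short window, source IP with no historical access record) run over a constructed TCP flow log, as an added example that is not part of the patent or of the applicant's implementation. The flow-record layout (start timestamp, source IP, destination IP, destination port, duration in seconds), the IP addresses, the HISTORY set standing in for a historical access database, and the thresholds (the 5 minutes and 20 connections per minute quoted in the text) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed TCP flow log (not from the patent). Assumed whitespace-separated
# layout: start_ts  src_ip  dst_ip  dst_port  duration_seconds
SAMPLE_TCP_LOG = """\
1700000000 10.0.0.5 192.0.2.10 443 900
1700000010 10.0.0.8 192.0.2.10 443 1200
1700000020 10.0.0.9 192.0.2.10 80 2
1700000050 10.0.0.9 192.0.2.10 80 3
""" + "\n".join(
    # 25 one-second connections from 198.51.100.7 inside a 50-second span
    f"{1700000100 + 2 * i} 198.51.100.7 192.0.2.10 80 1" for i in range(25)
)

# Constructed set of client IPs that have accessed 192.0.2.10 before; a real
# deployment would take this from its historical access records (assumption).
HISTORY = {"10.0.0.8", "10.0.0.9"}


@dataclass(frozen=True)
class Flow:
    start: int
    src: str
    dst: str
    dport: int
    duration: int


def parse_tcp_log(text):
    """Turn the flow log text into Flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, dur = line.split()
        flows.append(Flow(int(start), src, dst, int(dport), int(dur)))
    return flows


def max_connections_in_window(starts, window_s):
    """Largest number of connection starts falling inside any window_s span."""
    starts = sorted(starts)
    best, left = 0, 0
    for right, t in enumerate(starts):
        while t - starts[left] > window_s:  # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def find_suspicious(flows, min_duration_s=300, min_conns=20, window_s=60):
    """Step S110 traffic analysis: {(src, dst): [reasons]} for suspicious pairs."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    suspicious = {}
    for pair, fl in by_pair.items():
        reasons = []
        if any(f.duration >= min_duration_s for f in fl):
            reasons.append("long_connection")
        if max_connections_in_window([f.start for f in fl], window_s) >= min_conns:
            reasons.append("high_frequency")
        if reasons:
            suspicious[pair] = reasons
    return suspicious


def find_abnormal(suspicious, history):
    """Keep only suspicious pairs whose source IP has no history access record."""
    return {pair: r for pair, r in suspicious.items() if pair[0] not in history}


if __name__ == "__main__":
    abnormal = find_abnormal(find_suspicious(parse_tcp_log(SAMPLE_TCP_LOG)), HISTORY)
    for (src, dst), reasons in abnormal.items():
        print(f"abnormal {src} -> {dst}: {', '.join(reasons)}")
```

With the sample data, 10.0.0.8 holds a 20-minute connection but is dropped because it has a history record, while 10.0.0.5 (one long connection) and 198.51.100.7 (25 connections in under a minute) are reported as abnormal; the connection-frequency check uses a sliding window rather than fixed one-minute buckets so that a burst straddling a minute boundary is not missed.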
In some embodiments, step S120, matching a target Web access log of the target server using the source IP and destination IP in the abnormal traffic log, includes:
determining the target server from the destination IP in the abnormal traffic log;
acquiring the Web access log of the target server, in which the client IP that initiated each request is recorded;
and matching the source IP in the abnormal traffic log against the client IPs in the Web access log of the target server to determine the target Web access log.
In this embodiment, the source IP and destination IP in the abnormal traffic log are used to associate the corresponding Web access log entries, which yields the abnormal target Web access log.
In some embodiments, step S130, determining candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log, includes:
if URL requests with the same access path but different parameters occur in the target Web access log within a preset time range, determining those URL requests as candidate URL requests.
Under normal access, multiple URL requests that share an access path and differ only in their parameters do not occur within a short time; when they do, the access is likely to have been initiated by an attacker and requires further determination.
In this embodiment, potentially aggressive URL requests are mined from the target Web access log so that the subsequent step can decide whether a Webshell memory horse is present.
In some embodiments, step S140, accessing the access path of each candidate URL request and determining a candidate URL request whose access path points to a non-existent file but which was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse, includes:
accessing the access path of the candidate URL request to obtain an access result;
if the access result is that the file does not exist and the response status code recorded for the candidate URL request indicates that the request was answered successfully, determining the candidate URL request to be a request sent by an attacker to perform malicious operations through the Webshell memory horse.
Under normal access, the access path corresponds to a file under the server's Web directory. If that file does not exist yet the access succeeded (response status code 200), the candidate URL request is a request sent by an attacker to perform malicious operations through the Webshell memory horse: the request is being answered by code resident in the server process rather than by a file on disk.
In this embodiment, Webshell memory horses are detected by identifying URL requests whose access path points to a non-existent file but which were answered successfully, so that Webshell memory horses resident in memory can be accurately found.
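Steps S120 to S140 carried out over constructed sample data, as an added example that is not part of the patent or of the applicant's code. It assumes a combined-format (Apache/Nginx style) access log for the target server 192.0.2.10, that the traffic analysis has already flagged 198.51.100.7 as an abnormal source IP, and a hypothetical hook path /plugins/status.jsp that the memory shell answers. Instead of re-requesting each access path as the patent describes, the example checks the document root directly and uses the status code recorded in the log; both are assumptions about the deployment.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed combined-format access log for target server 192.0.2.10 (not from
# the patent). 198.51.100.7 is the abnormal source IP; 10.0.0.9 is an ordinary
# client. /plugins/status.jsp is a hypothetical path served only from memory.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [15/Nov/2023:10:15:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2023:10:15:02 +0000] "GET /plugins/status.jsp?cmd=whoami HTTP/1.1" 200 37 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2023:10:15:05 +0000] "GET /plugins/status.jsp?cmd=id HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2023:10:15:09 +0000] "GET /plugins/status.jsp?cmd=cat+/etc/passwd HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2023:10:15:20 +0000] "GET /search.jsp?q=a HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2023:10:15:25 +0000] "GET /search.jsp?q=b HTTP/1.1" 200 910 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2023:10:15:31 +0000] "GET /search.jsp?q=c HTTP/1.1" 200 905 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2023:10:16:00 +0000] "GET /shell.jsp?cmd=ls HTTP/1.1" 404 196 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_access_log(text):
    """Parse combined-format lines into dicts with client, ts, path, query, status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production parser would count these
        parts = urlsplit(m["target"])
        entries.append({
            "client": m["client"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp(),
            "path": parts.path,
            "query": parts.query,
            "status": int(m["status"]),
        })
    return entries


def match_target_log(entries, abnormal_sources):
    """Step S120: keep requests whose client IP is a source IP of abnormal traffic."""
    return [e for e in entries if e["client"] in abnormal_sources]


def candidate_requests(entries, window_s=60, min_variants=3):
    """Step S130: same client and path, >= min_variants distinct parameter sets
    within window_s seconds -> every request for that path becomes a candidate."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["client"], e["path"])].append(e)
    candidates = []
    for group in by_key.values():
        group.sort(key=lambda e: e["ts"])
        for i, first in enumerate(group):
            window = [e for e in group[i:] if e["ts"] - first["ts"] <= window_s]
            if len({e["query"] for e in window}) >= min_variants:
                candidates.extend(group)
                break
    return candidates


def detect_memory_shell(candidates, docroot):
    """Step S140: no file under docroot for the access path, yet status 200."""
    root = os.path.realpath(docroot)
    hits = []
    for e in candidates:
        local = os.path.realpath(os.path.join(root, e["path"].lstrip("/")))
        inside = local.startswith(root + os.sep)  # refuse paths escaping the docroot
        file_exists = inside and os.path.isfile(local)
        if not file_exists and e["status"] == 200:
            hits.append(e)
    return hits


def build_docroot(files):
    """Create a throwaway document root holding empty files (demo only)."""
    root = tempfile.mkdtemp()
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


def run_demo():
    """Run S120-S140 over the sample log; returns sorted (path, query) hits."""
    docroot = build_docroot(["index.jsp", "search.jsp"])
    try:
        target = match_target_log(parse_access_log(SAMPLE_ACCESS_LOG), {"198.51.100.7"})
        hits = detect_memory_shell(candidate_requests(target), docroot)
        return sorted({(h["path"], h["query"]) for h in hits})
    finally:
        shutil.rmtree(docroot)


if __name__ == "__main__":
    for path, query in run_demo():
        print(f"memory shell request: {path}?{query}")
```

Both /plugins/status.jsp and /search.jsp pass the step S130 filter (three parameter variants each inside a minute), but only /plugins/status.jsp survives step S140 because search.jsp exists on disk. On framework-routed applications (servlet mappings, MVC routes, URL rewriting) many legitimate paths have no backing file under the document root, so in practice the file-existence check should also consult the application's registered routes, or the rule fires on normal traffic; conversely, an attacker can bind a memory shell to a path that does exist, which this check alone will not catch.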
The method 100 of the disclosed embodiments is described below by way of a specific embodiment.
Webshell memory horses are a type of memory horse: a malicious backdoor or Trojan is written into memory and executed there to gain remote control of the Web server, targeting the enterprise's external-facing window, its websites and applications. A conventional Webshell is file-based, and a hacker implants the Trojan through an upload tool or a website vulnerability; the difference is that the Webshell memory horse is fileless, its traffic is encrypted, and it executes its malicious code inside a middleware process, so no file touches disk and detection becomes very difficult.
The embodiment of the disclosure provides a detection method that finds Webshell memory horses by correlating traffic with Web access logs; with this method, Webshell memory horses resident in memory can be accurately found. Fig. 2 is a schematic diagram of the data transmission flow of a Webshell memory horse detection method according to an embodiment of the present disclosure. In the network environment, a client is connected over the network to a switch, the switch is connected to the server, the client sends requests to the server through the switch and receives the server's responses through the switch, and the server records every access request in an access log file. In this embodiment, Webshell memory horse detection is realized by correlation analysis of the traffic, captured from the switch, and the Web access logs, obtained from the server. The specific detection indicators for Webshell memory horses comprise an index dimension based on traffic analysis and an index dimension based on Web access log analysis:
1. Index dimension based on traffic analysis:
1) long-connection traffic;
2) high-frequency access traffic within a short time;
3) the client IP of either of the above suspicious traffic types has no historical access record.
2. Index dimension based on Web access log analysis:
1) within a short time, many URL requests share the same Web access path and differ only in their parameters;
2) the Web page file does not exist, yet the URL request is answered with status code 200.
The specific detection flow of this embodiment is as follows: capture network interface traffic and perform deep packet analysis to obtain TCP traffic; analyse the TCP traffic to find long-connection traffic and short-period high-frequency access traffic whose client IP has no historical access record, and judge that traffic to be abnormal; retrieve the Web access log entries corresponding to the source IP and destination IP of the abnormal traffic log, and if within a short time several URL requests share a Web access path and differ only in their parameters, determine any such URL request whose access path points to a non-existent Web page file but whose response status code is 200 to be a request sent by an attacker to perform malicious operations through the Webshell memory horse, and at the same time determine that a Webshell memory horse is currently present.
The embodiment of the disclosure achieves the following technical effects:
existing Webshell memory horses can be found promptly through traffic collection and real-time detection; correlating the index dimension based on traffic analysis with the index dimension based on Web access log analysis improves the accuracy of Webshell memory horse detection; and because the detection process does not analyse the content carried by the traffic, the method applies to both unencrypted and encrypted traffic.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 3 illustrates a block diagram of a Webshell memory horse detection device according to an embodiment of the present disclosure. As shown in Fig. 3, the apparatus 300 includes:
an acquisition module 310, configured to acquire network interface traffic, perform traffic analysis and determine an abnormal traffic log;
a matching module 320, configured to match a target Web access log of the target server using the source IP and destination IP in the abnormal traffic log;
a determining module 330, configured to determine candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log;
and a detection module 340, configured to access the access path of each candidate URL request and determine a candidate URL request whose access path points to a non-existent file but which was answered successfully as a request sent by an attacker to perform malicious operations through the Webshell memory horse.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
According to an embodiment of the disclosure, the disclosure further provides an electronic device, a readable storage medium.
Fig. 4 illustrates a block diagram of an exemplary electronic device 400 capable of implementing embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The electronic device 400 includes a computing unit 401 that can perform various suitable actions and processes according to a computer program stored in a ROM 402 or a computer program loaded from a storage unit 408 into a RAM 403. The RAM 403 may also store various programs and data required for the operation of the electronic device 400. The computing unit 401, ROM 402 and RAM 403 are connected to each other by a bus 404. An I/O interface 405 is also connected to the bus 404.
Various components in electronic device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, etc.; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, etc.; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 401 may be any of a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the various methods and processes described above, such as the method 100. For example, in some embodiments, the method 100 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into the RAM 403 and executed by the computing unit 401, one or more steps of the method 100 described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the method 100 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuitry, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, that can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: display means for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (7)

1. A Webshell memory horse detection method, characterized by comprising the following steps:
acquiring network interface traffic and performing traffic analysis to determine an abnormal traffic log, including: capturing network interface traffic from a switch; performing deep packet analysis on the network interface traffic to determine a TCP traffic log; performing traffic analysis on the TCP traffic log to determine a candidate traffic log corresponding to suspicious traffic; and determining the candidate traffic log to be an abnormal traffic log where the source IP in the candidate traffic log has no history access record;
matching a target Web access log of a target server using the source IP and the destination IP in the abnormal traffic log;
determining a candidate URL request according to the access path and parameters of the URL requests in the target Web access log, including: if URL requests with the same access path but different parameters exist in the target Web access log within a preset time range, determining those URL requests to be candidate URL requests;
and accessing the access path of the candidate URL request, and determining a candidate URL request whose access path indicates a file that does not exist, yet whose response was successful, to be a request sent by an attacker performing a malicious operation by means of the Webshell memory horse.
2. The method according to claim 1, wherein performing traffic analysis on the TCP traffic log to determine a candidate traffic log corresponding to suspicious traffic includes:
determining TCP traffic whose TCP connection duration between the source IP and the destination IP is greater than or equal to a preset duration to be suspicious traffic; and/or
determining TCP traffic whose frequency of establishing TCP connections between the source IP and the destination IP is greater than or equal to a preset frequency to be suspicious traffic;
and taking the traffic log corresponding to the suspicious traffic as the candidate traffic log.
3. The method of claim 1, wherein matching the target Web access log of the target server using the source IP and the destination IP in the abnormal traffic log comprises:
determining the target server according to the destination IP in the abnormal traffic log;
acquiring the Web access log of the target server, wherein the client IP that initiated each request is recorded in the Web access log;
and matching the source IP in the abnormal traffic log with the client IP in the Web access log of the target server to determine the target Web access log.
4. The method of claim 1, wherein accessing the access path of the candidate URL request, and determining a candidate URL request whose access path indicates a file that does not exist, yet whose response was successful, to be a request sent by an attacker performing a malicious operation by means of the Webshell memory horse, comprises:
accessing the access path of the candidate URL request to obtain an access result;
and if the access result is that the file does not exist, and the response status code corresponding to the candidate URL request indicates that the request was answered successfully, determining the candidate URL request to be a request sent by an attacker performing a malicious operation by means of the Webshell memory horse.
5. A Webshell memory horse detection device for performing the method of any of claims 1 to 4, the device comprising:
an acquisition module for acquiring network interface traffic and performing traffic analysis to determine an abnormal traffic log;
a matching module for matching a target Web access log of a target server using the source IP and the destination IP in the abnormal traffic log;
a determining module for determining candidate URL requests according to the access paths and parameters of the URL requests in the target Web access log;
and a detection module for accessing the access path of the candidate URL request, and determining a candidate URL request whose access path indicates a file that does not exist, yet whose response was successful, to be a request sent by an attacker performing a malicious operation by means of the Webshell memory horse.
6. An electronic device, comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 4.
7. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 4.
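The four stages of claims 1 to 4 (abnormal TCP flow selection, access-log matching by source IP, same-path/different-parameter candidates within a time window, and the "file absent but response successful" verdict), worked as an added illustration; this is not code from the patent. It assumes one target server, replaces the switch capture and deep packet analysis with constructed flow summaries, and replaces "accessing the path" with a lookup in a constructed set of files deployed under the web root.

```python
from collections import defaultdict

# Constructed TCP flow summaries standing in for the DPI output of claim 1.
FLOWS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "duration_s": 900, "conn_count": 40},
    {"src": "198.51.100.3", "dst": "10.0.0.5", "duration_s": 5, "conn_count": 2},
    {"src": "192.0.2.9", "dst": "10.0.0.5", "duration_s": 700, "conn_count": 3},
]
KNOWN_SOURCES = {"192.0.2.9"}  # source IPs with a prior access record (constructed)
# Constructed Web access log of server 10.0.0.5: (ts, client_ip, path, params, status)
ACCESS_LOG = [
    (100, "203.0.113.7", "/update", "p=1", 200),
    (130, "203.0.113.7", "/update", "p=2", 200),
    (160, "203.0.113.7", "/index.jsp", "", 200),
    (110, "198.51.100.3", "/login", "u=a", 200),
    (120, "198.51.100.3", "/login", "u=b", 200),
]
DEPLOYED_FILES = {"/index.jsp", "/login"}  # stands in for "accessing the path"


def abnormal_flows(flows, known, min_dur=600, min_conn=20):
    """Claim 2: long-lived or high-frequency sessions from unknown sources."""
    return [f for f in flows
            if (f["duration_s"] >= min_dur or f["conn_count"] >= min_conn)
            and f["src"] not in known]


def candidate_requests(log, src, window=60):
    """Claims 1/3: requests of `src` sharing a path but differing in parameters."""
    by_path = defaultdict(list)
    for ts, client, path, params, status in log:
        if client == src:  # claim 3: match source IP against client IP
            by_path[path].append((ts, params, status))
    out = []
    for path, reqs in by_path.items():
        reqs.sort()
        for ts, params, status in reqs:
            if any(abs(ts - t2) <= window and p2 != params for t2, p2, _ in reqs):
                out.append((path, params, status))
    return out


def detect(flows=FLOWS, known=KNOWN_SOURCES, log=ACCESS_LOG, files=DEPLOYED_FILES):
    """Claim 4: no backing file, yet a 2xx answer, marks a memory-horse request."""
    hits = []
    for f in abnormal_flows(flows, known):
        for path, params, status in candidate_requests(log, f["src"]):
            if path not in files and 200 <= status < 300:
                hits.append((f["src"], path, params))
    return hits
```

Only the unknown, long-lived source hitting the path with no deployed file is reported; the login bursts from 198.51.100.3 never reach the verdict stage because their flow is neither long-lived nor frequent.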
CN202410560582.2A 2024-05-08 2024-05-08 Webshell memory horse detection method, device, equipment and storage medium Active CN118157989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410560582.2A CN118157989B (en) 2024-05-08 2024-05-08 Webshell memory horse detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN118157989A CN118157989A (en) 2024-06-07
CN118157989B true CN118157989B (en) 2024-10-01

Family

ID=91294975

Country Status (1)

Country Link
CN (1) CN118157989B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107332804A (en) * 2016-04-29 2017-11-07 阿里巴巴集团控股有限公司 The detection method and device of webpage leak

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7644433B2 (en) * 2002-12-23 2010-01-05 Authernative, Inc. Authentication system and method based upon random partial pattern recognition
CN108206802B (en) * 2016-12-16 2020-11-17 华为技术有限公司 Method and device for detecting webpage backdoor
WO2019066295A1 (en) * 2017-09-28 2019-04-04 큐비트시큐리티 주식회사 Web traffic logging system and method for detecting web hacking in real time
CN113645191B (en) * 2021-07-13 2023-02-28 北京华云安信息技术有限公司 Method, device and equipment for determining suspicious host and computer readable storage medium
CN114065196A (en) * 2021-09-30 2022-02-18 奇安信科技集团股份有限公司 Java memory detection method, device, electronic device and storage medium
CN116488872A (en) * 2023-04-06 2023-07-25 中国建设银行股份有限公司 Method and device for identifying and defending attack behaviors of Java Web application
CN117235714A (en) * 2023-08-07 2023-12-15 深圳市深信服信息安全有限公司 File-free attack detection method, device, equipment and storage medium
CN117220994A (en) * 2023-10-14 2023-12-12 广东睿程信息技术有限公司 Data processing method and system based on network security service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Practical guide: memory horse detection and investigation methods (with tools); 乌雲安全; WeChat official account; 2023-01-01; pp. 1-24 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant