CN115906086A - Method, system and storage medium for detecting webpage backdoor based on code attribute graph - Google Patents

Abstract

The invention provides a method, a system and a storage medium for detecting a webpage backdoor based on a code attribute graph, and belongs to the technical field of network security. The detection method comprises the steps of establishing an abstract syntax tree according to a test sample, and then establishing a control flow graph, a program dependence graph and a function call graph according to the abstract syntax tree; respectively extracting grammatical attributes, control flows, data flows and relationship combinations among processes in a control flow graph, a program dependency graph and a function call relationship graph to construct a code attribute graph, and storing the code attribute graph into a code attribute graph database; and finally, searching a taint path based on the reverse traversal of the code attribute graph database, and performing webpage backdoor detection. The webpage backdoor detection method can realize effective utilization of data set samples, and improves the utilization rate of data by extracting the relations among syntactic attributes, control flows, data flows and processes in the static source code analysis method.

Description

Web page backdoor detection method, system and storage medium based on code attribute graph

technical field

The invention belongs to the technical field of network security, and in particular relates to a webpage backdoor detection method, system and storage medium based on a code attribute graph.

Background technique

With the rapid development of the Internet and the rapid popularization of web applications, web service attacks have become more frequent, and implanting Webshells into target sites has become one of the most commonly used attack methods for attackers. Attackers use Webshells to obtain system information. Command execution environment, so as to further control the website server, to achieve the purpose of information sniffing, data theft or tampering. In order to combat Web service attacks, research on Webshell detection has become one of the current important tasks.

Webshell detection technology is currently mainly divided into three methods: dynamic feature detection, static feature detection, and machine learning methods. Among them, dynamic feature detection is mainly based on file behavior, Webshell communication traffic and other characteristics, and it needs to be dynamically executed in Webshell. Only then can the detection and analysis be carried out. The static feature detection method is mainly based on the text content of the Webshell or the log information of the system for detection and analysis, and the main research direction of the current static feature detection method is based on the file content of the Webshell. detection, but since the regular expression is extracted from the existing Webshell, it needs to be continuously updated, and it does not have the ability to detect the Webshell that has not appeared at present, and because the Webshell code obfuscation encryption technology continues to mature, resulting in the use of Regular expression detection methods can be easily circumvented by webshells. Applying machine learning to Webshell detection has achieved good results. Webshell detection through machine learning, where the decisive role lies in the feature selection of the Webshell.

Van-Giap Le et al. proposed Xss, Sql injection vulnerability detection and Webshell detection based on taint analysis in 2016. Stain analysis can also be called data flow tracking and positioning technology. It is necessary to find a path from user-controllable input to sensitive function. Data flow, if present, can confirm that the file is a webshell. This technique works well for unencrypted and obfuscated simple php files, but because of the flexibility of the php language, if an attacker uses obfuscation, encryption and other deformation techniques, he can easily bypass this type of detection system.

In 2018, Yong Fang and others proposed a method of using the random forest algorithm combined with the FastText method to build a training model for Webshell detection, and extracted statistical features such as the longest string, information entropy, coincidence index, signature function and blacklist keywords features, and it is also the first time to extract the php opcode code, which is processed by FastText and input to the random forest algorithm together with the above features for model training.

The detection method of Webshell in the prior art mainly adopts machine learning method for detection, and builds a model by extracting statistical features of Webshell and combining word importance or word frequency features in the text. Since statistical features can only be detected and analyzed from an overall perspective, based on the rapid development of current Web services, developers often obfuscate and encrypt the source code in order to avoid source code leaks, resulting in the detection of Webshells using statistical features-based methods. A large number of false positives are generated, and effective detection and analysis cannot be performed. However, summarizing and extracting other features of Webshell requires a large number of Webshell samples, and the extracted features often depend on the sample set used, resulting in overfitting of the final detection model.

Contents of the invention

In order to solve the above problems and improve the accuracy of Webshell detection, the present invention proposes a method of extracting the relationship between grammatical attributes, control flow, data flow, and process in the Webshell source code, combined with the construction of a code attribute graph, and based on the code attribute graph, the code attribute graph Stored in the graph data, using the graph search method to detect Webshells can effectively improve the accuracy of Webshell detection and reduce false positives.

The first aspect of the present invention discloses a web page backdoor detection method based on a code attribute graph, the method comprising:

Step S1: establish an abstract syntax tree according to the test sample, and then establish a control flow graph, a program dependency graph, and a function call relationship graph according to the abstract syntax tree;

Step S2: Extract the grammatical attributes in the abstract syntax tree as nodes, respectively extract the control flow in the control flow graph, the data flow in the program dependency graph, and the relationship between function procedures in the function call graph, and jointly construct code attributes graph, and store it in the code attribute graph database;

Step S3: Perform webpage backdoor detection based on the taint path search through the reverse traversal of the code attribute graph database.

According to the method of the first aspect of the present invention, step S3 specifically includes: searching and locating the sink function node of the web page backdoor type in the code attribute graph, and searching for the superglobal variable provided in the Web application to obtain user input data based on the sink function node .

According to the method of the first aspect of the present invention, the sink function node is a sensitive function that interacts with databases, file systems and system terminals.

According to the method of the first aspect of the present invention, step S3 further includes: the code attribute graph includes syntax attributes and function call relationships, reversely traverses according to these two types of attributes, and traces back to the sink function node and the transfer relationship of variables until Find the source node.

According to the method of the first aspect of the present invention, a taint path is searched in the code attribute graph, and the situation that there is no special character escape in the taint path is judged as Webshell.

According to the method of the first aspect of the present invention, step S2 is specifically: by extracting the grammatical attributes in the abstract syntax tree as nodes, based on the control flow information in the control flow graph, the data flow information in the program dependency graph, and the function call relationship graph The relationship between functions and processes in the graph is constructed based on the open source graph database New4j to generate code attribute graphs.

The second aspect of the present invention discloses a webpage backdoor detection system based on a code attribute graph, including:

The first module is used to establish an abstract syntax tree according to the test sample, and then establish a control flow graph, a program dependency graph and a function call relationship graph according to the abstract syntax tree;

The second module: used to extract the grammatical attributes in the abstract syntax tree as nodes, respectively extract the control flow in the control flow graph, the data flow in the program dependency graph, and the relationship between function procedures in the function call graph, and combine them together Construct the code attribute graph and store it in the code attribute graph database;

The third module: it is used to search the taint path based on the reverse traversal of the code attribute graph database, and detect the backdoor of the web page.

The third aspect of the present invention discloses a computer storage medium. The computer storage medium stores computer program instructions. When the computer program instructions are executed, the aforementioned method for detecting web page backdoors is realized.

The fourth aspect of the present invention discloses a webpage backdoor detection system based on a code attribute graph, which includes the storage medium and is used to execute the method for detecting a webpage backdoor based on a code attribute graph.

The webpage backdoor detection scheme based on the code attribute graph provided by the present invention mainly realizes the following effects:

(1) The scheme can be used to realize the effective utilization of data set samples, and improve the utilization rate of data by extracting grammatical attributes, control flow, data flow, and relationship between processes in the static source code analysis method;

(2) The accuracy of Webshell detection can be effectively improved by using the above scheme. Webshell detection is performed based on the code attribute graph, and the path from data input to output is queried, which can improve the distinction between normal files and webshells, and reduce detection false positives;

(3) Using the above scheme can improve the efficiency of Webshell detection. There are many efficient graph search algorithms in graph theory, which convert the static analysis of Webshell into a code attribute graph, and use the graph search algorithm to efficiently detect Webshell.

Description of drawings

In order to more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the following will briefly introduce the accompanying drawings that need to be used in the description of the specific embodiments or prior art. Obviously, the accompanying drawings in the following description These are some implementations of the present invention. For those skilled in the art, other drawings can also be obtained according to these drawings without creative work.

Fig. 1 is a flow chart of a webpage backdoor detection method based on a code attribute graph according to an embodiment of the present invention;

Fig. 2 is a Webshell example diagram of a web page backdoor detection method based on a code attribute graph according to the present invention;

Fig. 3 is the AST tree diagram of a kind of web page backdoor detection method based on the code attribute graph according to the present invention;

FIG. 4 is a control flow diagram of a method for detecting web page backdoors based on a code attribute graph according to an embodiment of the present invention;

Fig. 5 is a program dependency graph of a Webshell example of a webpage backdoor detection method based on a code attribute graph according to an embodiment of the present invention.

Detailed ways

In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments It is only some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

The present embodiment provides a web page backdoor detection method based on a code attribute graph, as shown in Figure 1, which includes:

Step S1, establishing an abstract syntax tree according to the test sample, and then extracting a control flow graph, a program dependency graph, and a function call relationship graph according to the abstract syntax tree;

Step S2, extracting the grammatical attributes in the abstract syntax tree as nodes, respectively extracting the control flow in the control flow graph, the data flow in the program dependency graph, and the relationship between function procedures in the function call graph, and jointly constructing code attributes graph, and store it in the code attribute graph database;

Step S3, based on the taint path search of the graph reverse traversal, webpage backdoor (Webshell) detection is performed.

The abstract syntax tree in step S1 represents the grammatical structure of the program source code in a tree form, the control flow comes from the control flow graph, the data flow comes from the program dependency graph, and the relationship between functions and procedures comes from the function call relationship graph.

The following takes a piece of Webshell computer program code as an example to specifically demonstrate how the webpage backdoor detection method based on the code attribute graph is implemented. For details, see FIGS. 2-5, wherein FIG. An example diagram of the Webshell computer program code used in the webpage backdoor detection method.

As shown in Figure 3, each node on the abstract syntax tree represents a structure in the source code. In this embodiment, the nodes of the abstract syntax tree are divided into two categories, wherein internal nodes represent operators, such as assignment or function calls, the leaf nodes are operands such as constants or identifiers.

Figure 3 is a graphical representation of the abstract syntax tree. The abstract syntax tree is suitable for modeling vulnerabilities through functions or syntax constructs in source files to clarify how programming structures are nested, but the abstract syntax tree does not contain semantic information, such as application control flow or data flow. Therefore, abstract syntax trees cannot be used to analyze attacker-controlled data flow in a program, requiring additional structures.

The control flow graph (Control Flow Graph, CFG) constructed according to the abstract syntax tree in this embodiment is an abstract representation of a process or program, and is an abstract data structure used in the compiler, which is maintained internally by the compiler , which represents all the paths traversed during the execution of a program; it also represents the possible execution flow of all basic blocks in a process in the form of a graph, and also reflects the real-time execution process of a process. A function's control flow graph contains a designated entry node, a designated exit node, and nodes for each statement and predicate contained in the function, each connected by a labeled directed edge to indicate control flow. The label ε denotes an unconditional control flow edge, and edges from a predicate are labeled true or false to indicate that the predicate transfers control to the destination node.

Figure 4 shows the control flow graph of the Webshell example. Most of the sample code is an unconditional control flow. There are two edges in the predicate node "if(md5($pass)== 'e10adc3949ba59abbe56e057f20f883e ')", which means to judge Whether the value of md5($pass) is the hexadecimal data segment 'e10adc3949ba59abbe56e057f20f883e', that is, according to the result calculated by the predicate node is true or false, to judge whether the control flow of the final function is transferred to the first statement in the if function or the Function terminates execution.

Program Dependence Graphs (PDG) are used to execute program slices and describe the dependencies between statements and predicates; the nodes of the program dependency graph are the statements and predicates of the function, and the edges in the program dependency graph include data dependency edges There are two types of control-dependent edges and control-dependent edges. The data-dependent edge indicates that the variable defined in the source statement is used in the target statement, and the control-dependent edge indicates that the execution of a statement depends on a predicate.

Figure 5 shows the program dependency graph of the Webshell example in this embodiment, where D represents a data dependency edge, C represents a control dependency edge, that is, the data transfer of the variable $pass, and the predicate node "if(md5($pass)== ' e10adc3949ba59abbe56e057f20f883e ')" for control flow passing.

The analysis of control flow graphs and program dependency graphs is based on function-level definitions, and only supports intra-procedural analysis. A function call graph (Call graph, CG) is usually a directed acyclic graph, in which the nodes are functions and the edges are the call relationships between functions. Based on the function call graph, the control flow and data flow analysis between processes can be realized.

In this embodiment, step S2 extracts the syntax attributes in the abstract syntax tree as nodes, the control flow information in the control flow graph, the data flow information in the program dependency graph, and the relationship between function processes in the function call graph based on open source The graph database New4j constructs graphs of code attribute graphs and generates code attribute graphs, thus transforming code analysis problems into graph search and traversal problems.

In this embodiment, the Webshell detection based on the taint path search of the graph reverse traversal described in step S3 is based on the generated code attribute graph, searching and locating the function node of the output point (sink) of the webpage backdoor Webshell type in the graph, that is, the same as Sensitive functions that interact with databases, file systems, and system terminals. Common sink nodes in web backdoor Webshells are shown in Table 1. Then search for input point (source) nodes based on sink nodes, that is, search for user input provided in web applications. The superglobal variable for data.

Table 1: Common sensitive functions in Webshell

type sensitive function database interaction class mysql_query, mysqli_query, etc. File System Interaction Class file_get_contents, readfile, file_put_content, fopen, fwrite, readdir, etc. System Terminal Interaction system, shell_exec, exec, eval, assert, call_user_func, cmd_shell, etc.

As shown in Table 2, due to the particularity of Webshells, there are a large number of webpage backdoor Webshells that pass fixed strings into the sink point for execution, so the strings are also included in the scope of source node search.

Table 2: Common entry points

source describe $_GET Contains all GET parameters, which is a key/value representation of the parameters passed in the URL. $_POST All data in the content part of the HTTP message $_COOKIE The Cookie field in the header of the HTTP message is used to record the user's authentication information $_REQUEST Contains three request methods: GET, POST and COOKIE $_SERVER Contains different server attribute related values, such as the IP address of the server, etc. $_FILES Contains the information and content of the file upload

Since the code attribute graph contains grammatical attributes and function call relationships, according to these two types of key attributes, according to the idea of reverse traversal, backtrack the sink node and the transfer relationship of variables until the source node is found, that is, search in the code attribute graph A taint path, if there is a taint path in the sample, and there is no special character escape type function node in the taint path, then the sample is judged as a Webshell; if there is no taint path, or there is a special character escape type in the taint path function, it is judged as a normal file, so as to detect the Webshell.

The second aspect of the present invention discloses a webpage backdoor detection system based on a code attribute graph, including:

The first module is used to establish an abstract syntax tree according to the test sample, and then establish a control flow graph, a program dependency graph and a function call relationship graph according to the abstract syntax tree;

The second module: used to extract the grammatical attributes in the abstract syntax tree as nodes, respectively extract the control flow in the control flow graph, the data flow in the program dependency graph, and the relationship between function procedures in the function call graph, and combine them together Construct the code attribute graph and store it in the code attribute graph database;

The third module: it is used to search the taint path based on the reverse traversal of the code attribute graph database, and detect the backdoor of the web page.

The third aspect of the present invention discloses a computer storage medium. The computer storage medium stores computer program instructions. When the computer program instructions are executed, the aforementioned method for detecting web page backdoors is realized.

The fourth aspect of the present invention discloses a webpage backdoor detection system based on a code attribute graph, which includes the storage medium, and is used to execute the method for detecting a webpage backdoor based on a code attribute graph.

In summary, the technical solution proposed by the present invention has the following technical effects:

(1) Improve the utilization rate of data by extracting grammatical attributes, control flow, data flow, and relationship between processes in the static source code analysis method;

(2) The accuracy of Webshell detection can be effectively improved by using the above scheme. Webshell detection is performed based on the code attribute graph, and the path from data input to output is queried, which can improve the distinction between normal files and webshells, and reduce detection false positives;

(3) Using the above scheme can improve the efficiency of Webshell detection. There are many efficient graph search algorithms in graph theory, which convert the static analysis of Webshell into a code attribute graph, and use the graph search algorithm to efficiently detect Webshell.

Please note that the various technical features of the above embodiments can be combined arbitrarily. For the sake of concise description, all possible combinations of the various technical features in the above embodiments are not described. However, as long as there is no contradiction in the combination of these technical features , should be considered as within the scope of this specification. The above examples only express several implementation modes of the present application, and the description thereof is relatively specific and detailed, but should not be construed as limiting the scope of the patent for the invention. It should be noted that those skilled in the art can make several modifications and improvements without departing from the concept of the present application, and these all belong to the protection scope of the present application. Therefore, the scope of protection of the patent application should be based on the appended claims.

Claims (9)

1. A webpage backdoor detection method based on a code attribute graph is characterized by comprising the following steps:

step S1: establishing an abstract syntax tree according to a test sample, and establishing a control flow graph, a program dependence graph and a function call relation graph according to the abstract syntax tree;

step S2: extracting the syntactic attributes in the abstract syntactic tree as nodes, respectively extracting control flow in a control flow graph, data flow in a program dependency graph and the relationship among function processes in a function call relationship graph, jointly combining to construct a code attribute graph, and storing the code attribute graph in a code attribute graph database;

and step S3: and searching a taint path based on the reverse traversal of the code attribute graph database, and performing webpage backdoor detection.

2. The method for detecting the backdoor of the webpage based on the code attribute map as claimed in claim 1, wherein the step S3 is specifically: searching and positioning a sink function node of a webpage backdoor type in the code attribute graph, and providing a super-global variable for acquiring user input data in Web application based on the sink function node.

3. The method for detecting the backdoor of the webpage based on the code attribute graph as claimed in claim 2, wherein the sink function node is a sensitive function interacting with a database, a file system and a system terminal.

4. The method for detecting the backdoor of the webpage based on the code attribute graph as claimed in claim 2, wherein the step S3 further comprises the steps of including syntax attributes and function call relations in the code attribute graph, and backtracking the transfer relations of sink function nodes and variables according to the reverse traversal of the two types of attributes until source nodes are found.

5. The method for detecting the backdoor of the webpage based on the code attribute map as claimed in claim 4, wherein a taint path is searched in the code attribute map, and the situation that no special character escape exists in the taint path is judged as Webshell.

6. The method for detecting the backdoor of the webpage based on the code attribute map as claimed in claim 1, wherein the step S2 is specifically as follows: the method comprises the steps of extracting grammar attributes in an abstract grammar tree to serve as nodes, and building a map of a code attribute graph based on control flow information in a control flow graph, data flow information in a program dependency graph and function process relation in a function call relation graph based on an open source graph database New4j to generate the code attribute graph.

7. A system for detecting a backdoor of a web page based on a code attribute map, comprising:

the first module is used for establishing an abstract syntax tree according to a test sample, and then establishing a control flow graph, a program dependence graph and a function call relation graph according to the abstract syntax tree;

a second module: the abstract syntax tree is used for extracting syntax attributes in the abstract syntax tree as nodes, respectively extracting control flow in a control flow graph, data flow in a program dependency graph and function process relation in a function call relation graph, jointly combining and constructing a code attribute graph, and storing the code attribute graph in a code attribute graph database;

a third module: and searching for a taint path based on the reverse traversal of the code attribute graph database, and performing webpage backdoor detection.

8. A computer storage medium storing computer program instructions that, when executed, implement the web page backdoor detection method of any of claims 1-6.

9. A web page backdoor detection system based on a code attribute map, the web page backdoor detection system comprising the computer storage medium of claim 8.

Images