[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN111385295A - WebShell detection method, device, equipment and storage medium - Google Patents

WebShell detection method, device, equipment and storage medium Download PDF

Info

Publication number
CN111385295A
CN111385295A CN202010143249.3A CN202010143249A CN111385295A CN 111385295 A CN111385295 A CN 111385295A CN 202010143249 A CN202010143249 A CN 202010143249A CN 111385295 A CN111385295 A CN 111385295A
Authority
CN
China
Prior art keywords
webshell
detection
keywords
webpage
proportion
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010143249.3A
Other languages
Chinese (zh)
Other versions
CN111385295B (en
Inventor
岳巍
裴琦杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN202010143249.3A priority Critical patent/CN111385295B/en
Publication of CN111385295A publication Critical patent/CN111385295A/en
Application granted granted Critical
Publication of CN111385295B publication Critical patent/CN111385295B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a WebShell detection method, a WebShell detection device, WebShell detection equipment and a WebShell detection storage medium, wherein the method comprises the following steps: acquiring webpage flow; extracting keywords in element tags in webpage flow; and analyzing the keywords based on the WebShell detection standard to obtain a detection result. The method is based on the fact that keywords in the element tags in the webpage flow are used as the basis for detecting whether the webpage flow is the WebShell flow, detection of the WebShell webpage is achieved, and therefore operation safety of a website server is relatively guaranteed. In addition, the application also provides a WebShell detection device, equipment and a storage medium, and the beneficial effects are as described above.

Description

WebShell detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a WebShell detection method, apparatus, device, and storage medium.
Background
WebShell is a command execution environment in the form of webpage files such as asp, php, jsp or cgi, and a network hacker often uses WebShell as a webpage backdoor, and when the hacker invades a website, the WebShell webpage backdoor file and a normal webpage file in a WEB directory of a website server are mixed together, and then the WebShell webpage backdoor file can be accessed by using a browser to obtain a corresponding command execution environment so as to achieve the purpose of controlling the website server, so that the WebShell webpage often causes great potential safety hazard to the website server.
Therefore, the WebShell detection method is provided to realize the detection of the WebShell webpage and further relatively ensure the operation safety of the website server, and is a problem to be solved by technical personnel in the field.
Disclosure of Invention
The application aims to provide a WebShell detection method, a WebShell detection device, WebShell detection equipment and a WebShell detection storage medium, so that detection of WebShell webpages is achieved, and operation safety of a website server is relatively guaranteed.
In order to solve the technical problem, the application provides a WebShell detection method, which comprises the following steps:
acquiring webpage flow;
extracting keywords in element tags in webpage flow;
and analyzing the keywords based on the WebShell detection standard to obtain a detection result.
Preferably, before analyzing the keyword based on the WebShell detection standard to obtain a detection result, the method further includes:
acquiring a WebShell webpage sample;
analyzing the keywords based on the WebShell detection standard to obtain a detection result, wherein the detection result comprises the following steps:
counting the proportion of the keywords in the WebShell webpage sample, and generating a detection score according to the proportion;
judging whether the detection score reaches a detection threshold value;
if the detection score reaches a detection threshold value, setting the webpage flow as WebShell flow;
and if the detection score does not reach the detection threshold, stopping WebShell detection.
Preferably, before analyzing the keyword based on the WebShell detection standard to obtain a detection result, the method further includes:
acquiring a WebShell webpage sample and a non-WebShell webpage sample;
analyzing the keywords based on the WebShell detection standard to obtain a detection result, wherein the detection result comprises the following steps:
counting a first proportion of the keywords in the WebShell webpage sample and a second proportion of the keywords in the non-WebShell webpage sample;
generating a detection score according to the first proportion and the second proportion;
judging whether the detection score reaches a detection threshold value;
if the detection score reaches a detection threshold value, setting the webpage flow as WebShell flow;
and if the detection score does not reach the detection threshold, stopping WebShell detection.
Preferably, before generating the detection score according to the first and second ratios, the method further comprises:
judging whether the element label is a preset special element label or not;
if the element label is a preset special element label, acquiring a weight parameter corresponding to the special element label;
adjusting the first ratio and/or the second ratio according to the weight parameter, and executing a step of generating a detection score according to the first ratio and the second ratio;
and if the element label is not the preset special element label, executing the step of generating the detection score according to the first proportion and the second proportion.
Preferably, before analyzing the keyword based on the WebShell detection standard to obtain a detection result, the method further includes:
and removing target keywords which interfere with the accuracy of the detection result from the keywords.
Preferably, the removing of the target keyword from the keywords, which interferes with the accuracy of the detection result, includes:
and removing target keywords with the character length larger than the first length standard and target keywords with the character length smaller than the second length standard from the keywords.
Preferably, the removing of the target keyword from the keywords, which interferes with the accuracy of the detection result, includes:
target keywords existing in the target website are removed from the keywords.
In addition, the present application also provides a WebShell detection apparatus, including:
the flow acquisition module is used for acquiring webpage flow;
the tag extraction module is used for extracting keywords in the element tags in the webpage flow;
and the keyword detection module is used for analyzing the keywords based on the WebShell detection standard to obtain a detection result.
In addition, the present application also provides a WebShell detection apparatus, including:
a memory for storing a computer program;
a processor for implementing the steps of the WebShell detection method as described above when executing the computer program.
Furthermore, the present application also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the WebShell detection method as described above.
According to the WebShell detection method, firstly, the webpage flow is obtained, then the keywords in the element tags in the webpage flow are extracted, and then the keywords extracted from the webpage flow are analyzed based on the WebShell detection standard to obtain the detection result. The method is based on the fact that keywords in the element tags in the webpage flow are used as the basis for detecting whether the webpage flow is the WebShell flow, detection of the WebShell webpage is achieved, and therefore operation safety of a website server is relatively guaranteed. In addition, the application also provides a WebShell detection device, equipment and a storage medium, and the beneficial effects are as described above.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a WebShell detection method disclosed in an embodiment of the present application;
fig. 2 is a flowchart of a specific WebShell detection method disclosed in an embodiment of the present application;
fig. 3 is a flowchart of a specific WebShell detection method disclosed in an embodiment of the present application;
fig. 4 is a flowchart of a specific WebShell detection method disclosed in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a WebShell detection device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
When a hacker invades a website, the WebShell webpage backdoor file and a normal webpage file in a WEB directory of a website server are mixed together, and then the WebShell webpage backdoor file can be accessed by using a browser to obtain a corresponding command execution environment so as to achieve the purpose of controlling the website server, so that the WebShell webpage often causes great potential safety hazard to the website server.
Therefore, the core of the application is to provide a WebShell detection method to realize detection of WebShell webpages and further relatively ensure the operation safety of a website server.
Please refer to fig. 1, an embodiment of the present application discloses a WebShell detection method, including:
step S10: and acquiring the webpage flow.
It should be noted that the web traffic obtained in this step may specifically be traffic generated based on HTTP or HTTP protocols, that is, hypertext transfer protocol. Types of web traffic include, but are not limited to, HTML types.
In addition, the web page traffic may be specifically a Response data packet returned to the browser by the web server, that is, a traffic Response message of the HTTP communication protocol, in which case, the browser initiates an access request for the target web page to the web server in advance, and after receiving the access request, the web server further obtains a corresponding web page file according to the access request, and encapsulates the web page file into the Response data packet and returns the Response data packet as the web page traffic to the browser. The operation execution object for acquiring the web traffic may be a browser that initiates an access request to the web server, or a client device to which the browser belongs, or a device that can pass through during web traffic transmission, such as a gateway device that the web server passes through during web traffic transmission to the browser.
Step S11: and extracting keywords in the element tags in the webpage flow.
In this step, the element tag of the web traffic is a tag used for marking content elements in the web page source code, and the keyword representation in the element tag is the web page content corresponding to the web traffic. When the type of the webpage flow is an HTML type, the element tag in the webpage flow is an HTML tag, the keyword is an HTML element between the start tag and the end tag of the HTML tag, in addition, the extraction of the keyword in the element tag in the webpage flow can be realized by adopting an XPath analyzing tool, and the reliability of the extraction of the keyword can be relatively ensured.
Step S12: and analyzing the keywords based on the WebShell detection standard to obtain a detection result.
Because the keywords in the element tags in the web traffic can represent the actual use, executable functions and the like of the web page, the key point of the step is to determine whether the web traffic is the WebShell traffic or not in a manner of analyzing the keywords, so that the WebShell detection of the web traffic is realized.
According to the WebShell detection method, firstly, the webpage flow is obtained, then the keywords in the element tags in the webpage flow are extracted, and then the keywords extracted from the webpage flow are analyzed based on the WebShell detection standard to obtain the detection result. The method is based on the fact that keywords in the element tags in the webpage flow are used as the basis for detecting whether the webpage flow is the WebShell flow, detection of the WebShell webpage is achieved, and therefore operation safety of a website server is relatively guaranteed.
Referring to fig. 2, an embodiment of the present application discloses a WebShell detection method, including:
step S20: and acquiring the webpage flow.
Step S21: and extracting keywords in the element tags in the webpage flow.
Step S22: and acquiring a WebShell webpage sample.
It should be noted that, in this embodiment, a WebShell web page sample set is stored in advance, so that a WebShell web page sample can be obtained based on the WebShell web page sample set to be used for comparing with keywords in the obtained web page traffic, and further determining whether the obtained web page traffic belongs to the WebShell traffic, and in addition, obtaining the WebShell web page sample may specifically be obtaining one or more WebShell web page samples in the WebShell web page sample set that is stored in advance.
Step S23: and counting the proportion of the keywords in the WebShell webpage sample, and generating a detection score according to the proportion.
After the WebShell webpage sample is obtained, the proportion of the keywords in the WebShell webpage sample is further counted, namely the integral matching degree between the keywords in the obtained webpage flow and the keywords in the WebShell webpage sample is counted, then a detection score is generated according to the proportion, the detection score can be generated only based on proportion calculation, or can be generated together based on the proportion and other weight parameters, and specific limitation is not made here.
Step S24: and judging whether the detection score reaches a detection threshold value, if so, executing the step S25, and otherwise, executing the step S26.
Step S25: and setting the webpage traffic as WebShell traffic.
Step S26: the WebShell detection is stopped.
And the detection threshold is used for defining whether the webpage flow belongs to the WebShell flow, after the detection score is generated according to the proportion of the keyword in the WebShell webpage sample, whether the detection score reaches the detection threshold is further judged, if so, the webpage flow is set as the WebShell flow, otherwise, the webpage flow is not considered to belong to the WebShell flow, and the WebShell detection is stopped.
In the embodiment, the proportion of the keywords in the webpage flow in the WebShell webpage sample is counted to generate the detection score representing the approximation degree between the webpage flow and the WebShell webpage sample, and whether the webpage flow is the WebShell flow is judged according to the detection score, so that the WebShell detection is completed, and the overall accuracy of the WebShell detection is relatively ensured.
Referring to fig. 3, an embodiment of the present application discloses a WebShell detection method, including:
step S30: and acquiring the webpage flow.
Step S31: and extracting keywords in the element tags in the webpage flow.
Step S32: and acquiring a WebShell webpage sample and a non-WebShell webpage sample.
It should be noted that the key point of this embodiment is to obtain a WebShell web page sample and a non-WebShell web page sample before analyzing the keyword based on the WebShell detection standard, where the WebShell web page sample in this step refers to a web page with a WebShell function, and the non-WebShell web page sample refers to a common web page without the WebShell function.
In this embodiment, a WebShell webpage sample set and a set of non-WebShell webpages should be stored in advance, so that a WebShell webpage sample can be obtained based on the WebShell webpage sample set, and a non-WebShell webpage sample is obtained based on the set of non-WebShell webpages, and then the non-WebShell webpage sample is used for being compared with keywords in the obtained webpage traffic together, and further whether the obtained webpage traffic belongs to the WebShell traffic is determined.
In addition, the obtaining of the WebShell web page samples may specifically be obtaining one or more WebShell web page samples in a pre-stored WebShell web page sample set, and the obtaining of the non-WebShell web page samples may specifically be obtaining one or more non-WebShell web page samples in a pre-stored non-WebShell web page sample set.
Step S33: and counting a first proportion of the keywords in the WebShell webpage sample and a second proportion of the keywords in the non-WebShell webpage sample.
After the WebShell webpage sample is obtained, the first proportion of keywords in the WebShell webpage sample is further counted, namely the integral matching degree between the keywords in the obtained webpage flow and the keywords in the WebShell webpage sample is counted; in addition, after the non-WebShell webpage sample is obtained, the second proportion of the keywords in the non-WebShell webpage sample is further counted, namely the overall matching degree between the keywords in the obtained webpage flow and the keywords in the non-WebShell webpage sample is counted, the first proportion in the step represents the approximate degree between the webpage flow and the WebShell webpage sample, and the second proportion represents the approximate degree between the webpage flow and the non-WebShell webpage sample, so that the overall approximate degrees of the webpage flow, the WebShell flow and the non-WebShell flow are comprehensively evaluated according to the first proportion and the second proportion in the subsequent step.
Step S34: and generating a detection score according to the first proportion and the second proportion.
After the first proportion and the second proportion are obtained, the step further generates a detection score according to the first proportion and the second proportion together, and the detection score may be generated only based on the first proportion and the second proportion, or may be generated based on the first proportion, the second proportion and other weight parameters together, which is not limited specifically herein.
Furthermore, the detection score is generated according to the first proportion and the second proportion, the comprehensive operation of the first proportion and the second proportion is executed to generate the detection score based on a Bayesian classification algorithm, the Bayesian classification algorithm is a statistical classification method and is a classification algorithm which utilizes probability statistical knowledge to classify, the classification accuracy of the algorithm is high, the speed is high, and then the classification between WebShell traffic and non-WebShell traffic can be relatively accurately and efficiently performed on webpage traffic, so that the generation efficiency and the accuracy of the detection score are ensured.
Step S35: and judging whether the detection score reaches a detection threshold value, if so, executing the step S36, and otherwise, executing the step S37.
Step S36: and setting the webpage traffic as WebShell traffic.
Step S37: the WebShell detection is stopped.
And the detection threshold is a standard for defining whether the webpage flow belongs to the WebShell flow, after the detection score is generated, whether the detection score reaches the detection threshold is further judged, if so, the webpage flow is set as the WebShell flow, otherwise, the webpage flow is not considered to belong to the WebShell flow, and the WebShell detection is stopped.
According to the method and the device, the respective proportions of the keywords in the webpage flow in the WebShell webpage sample and the non-WebShell webpage sample are counted, the detection scores representing the approximation degree between the webpage flow and the WebShell webpage sample are comprehensively generated, whether the webpage flow is the WebShell flow is judged according to the detection scores, the WebShell detection is completed, and the overall accuracy of the WebShell detection is relatively guaranteed.
Referring to fig. 4, an embodiment of the present application discloses a WebShell detection method, including:
step S40: and acquiring the webpage flow.
Step S41: and extracting keywords in the element tags in the webpage flow.
Step S42: and acquiring a WebShell webpage sample and a non-WebShell webpage sample.
Step S43: and counting a first proportion of the keywords in the WebShell webpage sample and a second proportion of the keywords in the non-WebShell webpage sample.
Step S44: and judging whether the element tag is a preset special element tag, if so, executing the steps S45 to S47, and otherwise, executing the step S47.
Step S45: and acquiring the weight parameter corresponding to the special element label.
It should be noted that, in the present embodiment, it is considered that in an actual scene, some specific element tags, that is, special element tags, are often used for writing a WebShell webpage, and therefore, before analyzing a keyword based on a WebShell detection standard to obtain a detection result, the present embodiment first determines whether the element tags are preset special element tags, and if so, further obtains an influence weight of the special element tags on the WebShell detection, that is, obtains a weight parameter corresponding to the special element tags.
Step S46: the first and/or second ratios are adjusted according to the weight parameter.
After the weight parameters are obtained, the first proportion and/or the second proportion are/is further adjusted according to the influence weight of the weight parameters on WebShell detection, and therefore the effect of adjusting the detection scores is indirectly generated in the subsequent steps based on the first proportion and/or the second proportion.
Step S47: and generating a detection score according to the first proportion and the second proportion.
Step S48: and judging whether the detection score reaches a detection threshold value, if so, executing step S49, otherwise, executing step S410.
Step S49: and setting the webpage traffic as WebShell traffic.
Step S410: the WebShell detection is stopped.
In this embodiment, when a special element tag exists, based on the influence of the special element tag on the WebShell detection, a weight parameter corresponding to the special element tag is generated, and then a first proportion and a second proportion corresponding to a keyword in the special element tag are adjusted according to the weight parameter to adjust, and then whether the web flow is the WebShell flow is determined according to the detection score, so that the WebShell detection is completed, and the overall accuracy of the WebShell detection is further ensured.
On the basis of the above series of embodiments, as a preferred embodiment, before analyzing the keyword based on the WebShell detection standard to obtain a detection result, the method further includes:
and removing target keywords which interfere with the accuracy of the detection result from the keywords.
It should be noted that, the key words are preprocessed before the key words are analyzed based on the WebShell detection standard to obtain the detection result, so as to filter the target key words in the key words, which cause false alarm in the WebShell detection, where the target key words are determined according to the actual situation, and the accuracy of the detection result is relatively ensured in the embodiment.
On the basis of the above embodiment, as a preferred embodiment, the method for removing a target keyword, which interferes with the accuracy of a detection result, from keywords includes:
and removing target keywords with the character length larger than the first length standard and target keywords with the character length smaller than the second length standard from the keywords.
It should be noted that, because the probability of the occurrence of the longer keyword is considered to be relatively low, the influence of the non-WebShell web page sample is larger; while shorter keys occur with a relatively higher probability resulting in a greater similarity between the first and second fractions. Therefore, the present embodiment removes the target keyword with a character length greater than the first length criterion and the target keyword with a character length less than the second length criterion from the keywords, wherein the first length criterion and the second length criterion are determined according to the actual situation. The embodiment further ensures the accuracy of the detection result.
On the basis of the above embodiment, as a preferred embodiment, the method for removing a target keyword, which interferes with the accuracy of a detection result, from keywords includes:
target keywords existing in the target website are removed from the keywords.
It should be noted that, in the present embodiment, it is considered that some keywords may appear in some specific websites collectively, thereby causing false alarm. For example, a large number of < a > element tags in the software downloading website include keywords such as "File Manager", "Database Manager", and "FTP blasting", which may cause false alarm of the detection result. Therefore, the present embodiment eliminates the target keyword existing in the specific target website from the keywords, and the target keyword referred to herein is determined according to the actual situation.
Referring to fig. 5, an embodiment of the present application discloses a WebShell detection apparatus, including:
the flow acquiring module 10 is used for acquiring the webpage flow;
the tag extraction module 11 is configured to extract keywords in element tags in the web page traffic;
and the keyword detection module 12 is configured to analyze the keyword based on the WebShell detection standard to obtain a detection result.
The WebShell detection device provided by the application firstly obtains the webpage flow, then extracts the keywords in the element tags in the webpage flow, and then analyzes the keywords extracted from the webpage flow based on the WebShell detection standard to obtain the detection result. The device detects the WebShell webpage based on the keywords in the element tags in the webpage flow as the basis for detecting whether the webpage flow is the WebShell flow, and therefore the operation safety of the website server is relatively ensured.
On the basis of the foregoing embodiments, the WebShell detection apparatus is further described and optimized in the embodiments of the present application. Specifically, the method comprises the following steps:
in one embodiment, the apparatus further comprises:
the first sample acquisition module is used for acquiring a WebShell webpage sample;
a keyword detection module 12, comprising:
the first proportion counting module is used for counting the proportion of the keywords in the WebShell webpage sample and generating a detection score according to the proportion;
the first threshold value judging module is used for judging whether the detection score reaches a detection threshold value, if so, the first setting module is called, and otherwise, the first stopping module is called;
the first setting module is used for setting the webpage flow as WebShell flow;
and the first stopping module is used for stopping WebShell detection.
In one embodiment, the apparatus further comprises:
the second sample acquisition module is used for acquiring a WebShell webpage sample and a non-WebShell webpage sample;
a keyword detection module 12, comprising:
the second proportion statistic module is used for counting the first proportion of the keywords in the WebShell webpage sample and the second proportion of the keywords in the non-WebShell webpage sample;
the second proportion statistic module is used for generating a detection score according to the first proportion and the second proportion;
the second threshold value judging module is used for judging whether the detection score reaches a detection threshold value, if so, the second setting module is called, and otherwise, the second stopping module is called;
the second setting module is used for setting the webpage flow as the WebShell flow;
and the second stopping module is used for stopping the WebShell detection.
In one embodiment, the apparatus further comprises:
and the special label judging module is used for judging whether the element label is a preset special element label, if so, the weight obtaining module and the weight adjusting module are sequentially called, and otherwise, the second proportion counting module is called.
And the weight obtaining module is used for obtaining the weight parameters corresponding to the special element labels.
And the weight adjusting module is used for adjusting the first proportion and/or the second proportion according to the weight parameter and calling the second proportion statistical module.
In one embodiment, the apparatus further comprises:
and the keyword filtering module is used for removing target keywords which cause interference on the accuracy of the detection result from the keywords.
In one embodiment, the keyword filtering module includes:
and the length filtering module is used for removing the target keywords with the character length larger than the first length standard and the target keywords with the character length smaller than the second length standard from the keywords.
In one embodiment, the keyword filtering module includes:
and the website filtering module is used for removing the target keywords existing in the target website from the keywords.
In addition, the embodiment of the application also discloses a WebShell detection device, which comprises:
a memory for storing a computer program;
a processor for implementing the steps of the WebShell detection method as described above when executing the computer program.
The WebShell detection device provided by the application firstly obtains the webpage flow, then extracts the keywords in the element tags in the webpage flow, and then analyzes the keywords extracted from the webpage flow based on the WebShell detection standard to obtain the detection result. The device detects the WebShell webpage based on the keywords in the element tags in the webpage flow as the basis for detecting whether the webpage flow is the WebShell flow, and therefore the operation safety of the website server is relatively ensured.
In addition, the embodiment of the application also discloses a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when being executed by a processor, the computer program realizes the steps of the WebShell detection method.
The computer-readable storage medium provided by the application firstly acquires the webpage flow, then extracts the keywords in the element tags in the webpage flow, and further analyzes the keywords extracted from the webpage flow based on the Webshell detection standard to obtain the detection result. The computer-readable storage medium is used for detecting whether the webpage flow is the WebShell flow or not based on keywords in the element tags in the webpage flow, so that the WebShell webpage is detected, and the operation safety of a website server is relatively ensured.
The WebShell detection method, the WebShell detection device, the WebShell detection equipment and the WebShell detection storage medium provided by the application are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A WebShell detection method is characterized by comprising the following steps:
acquiring webpage flow;
extracting keywords in element tags in the webpage traffic;
and analyzing the keywords based on a WebShell detection standard to obtain a detection result.
2. The WebShell detection method of claim 1, wherein before the keyword is analyzed based on the WebShell detection criteria to obtain a detection result, the method further comprises:
acquiring a WebShell webpage sample;
the keyword is analyzed based on the WebShell detection standard to obtain a detection result, and the detection result comprises the following steps:
counting the proportion of the keywords in the WebShell webpage sample, and generating a detection score according to the proportion;
judging whether the detection score reaches a detection threshold value;
if the detection score reaches a detection threshold value, setting the webpage flow as WebShell flow;
and if the detection score does not reach the detection threshold value, stopping WebShell detection.
3. The WebShell detection method of claim 1, wherein before the keyword is analyzed based on the WebShell detection criteria to obtain a detection result, the method further comprises:
acquiring a WebShell webpage sample and a non-WebShell webpage sample;
the keyword is analyzed based on the WebShell detection standard to obtain a detection result, and the detection result comprises the following steps:
counting a first proportion of the keywords in the WebShell webpage sample and a second proportion of the keywords in the non-WebShell webpage sample;
generating a detection score according to the first proportion and the second proportion;
judging whether the detection score reaches a detection threshold value;
if the detection score reaches a detection threshold value, setting the webpage flow as WebShell flow;
and if the detection score does not reach the detection threshold value, stopping WebShell detection.
4. The WebShell detection method of claim 3, wherein prior to the generating a detection score from the first and second percentages, the method further comprises:
judging whether the element label is a preset special element label or not;
if the element label is the preset special element label, acquiring a weight parameter corresponding to the special element label;
adjusting the first proportion and/or the second proportion according to the weight parameter, and executing the step of generating a detection score according to the first proportion and the second proportion;
and if the element label is not the preset special element label, executing the step of generating the detection score according to the first proportion and the second proportion.
5. The WebShell detection method of any of claims 1 to 4, wherein before the keyword is analyzed based on the WebShell detection criteria to obtain a detection result, the method further comprises:
and removing target keywords which interfere with the accuracy of the detection result from the keywords.
6. The WebShell detection method of claim 5, wherein the removing of the target keyword from the keywords that interferes with the accuracy of the detection result comprises:
and removing the target keywords with the character length larger than a first length standard and the target keywords with the character length smaller than a second length standard from the keywords.
7. The WebShell detection method of claim 5, wherein the removing of the target keyword from the keywords that interferes with the accuracy of the detection result comprises:
and removing the target keywords existing in the target website from the keywords.
8. A WebShell detection device, comprising:
the flow acquisition module is used for acquiring webpage flow;
the tag extraction module is used for extracting keywords in the element tags in the webpage flow;
and the keyword detection module is used for analyzing the keywords based on the WebShell detection standard to obtain a detection result.
9. A WebShell detection device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the WebShell detection method as claimed in any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the WebShell detection method according to any one of claims 1 to 7.
CN202010143249.3A 2020-03-04 2020-03-04 WebShell detection method, device, equipment and storage medium Active CN111385295B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010143249.3A CN111385295B (en) 2020-03-04 2020-03-04 WebShell detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010143249.3A CN111385295B (en) 2020-03-04 2020-03-04 WebShell detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111385295A true CN111385295A (en) 2020-07-07
CN111385295B CN111385295B (en) 2022-11-22

Family

ID=71219776

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010143249.3A Active CN111385295B (en) 2020-03-04 2020-03-04 WebShell detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111385295B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697049A (en) * 2020-12-14 2022-07-01 中国科学院计算机网络信息中心 WebShell detection method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
CN106572117A (en) * 2016-11-11 2017-04-19 北京安普诺信息技术有限公司 Method and apparatus for detecting WebShell file
CN107659570A (en) * 2017-09-29 2018-02-02 杭州安恒信息技术有限公司 Webshell detection methods and system based on machine learning and static and dynamic analysis
CN108920955A (en) * 2018-06-29 2018-11-30 北京奇虎科技有限公司 A kind of webpage back door detection method, device, equipment and storage medium
CN109684844A (en) * 2018-12-27 2019-04-26 北京神州绿盟信息安全科技股份有限公司 A kind of webshell detection method and device
CN110827253A (en) * 2019-10-30 2020-02-21 北京达佳互联信息技术有限公司 Training method and device of target detection model and electronic equipment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
CN106572117A (en) * 2016-11-11 2017-04-19 北京安普诺信息技术有限公司 Method and apparatus for detecting WebShell file
CN107659570A (en) * 2017-09-29 2018-02-02 杭州安恒信息技术有限公司 Webshell detection methods and system based on machine learning and static and dynamic analysis
CN108920955A (en) * 2018-06-29 2018-11-30 北京奇虎科技有限公司 A kind of webpage back door detection method, device, equipment and storage medium
CN109684844A (en) * 2018-12-27 2019-04-26 北京神州绿盟信息安全科技股份有限公司 A kind of webshell detection method and device
CN110827253A (en) * 2019-10-30 2020-02-21 北京达佳互联信息技术有限公司 Training method and device of target detection model and electronic equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697049A (en) * 2020-12-14 2022-07-01 中国科学院计算机网络信息中心 WebShell detection method and device
CN114697049B (en) * 2020-12-14 2024-04-12 中国科学院计算机网络信息中心 WebShell detection method and device

Also Published As

Publication number Publication date
CN111385295B (en) 2022-11-22

Similar Documents

Publication Publication Date Title
CN109922052B (en) Malicious URL detection method combining multiple features
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN103810425B (en) The detection method of malice network address and device
CN108566399B (en) Phishing website identification method and system
KR100848319B1 (en) Harmful web site filtering method and apparatus using web structural information
CN105184159A (en) Web page falsification identification method and apparatus
CN104766014A (en) Method and system used for detecting malicious website
WO2016188029A1 (en) Method and device for parsing two-dimensional code, computer readable storage medium, computer program product and terminal device
CN113518077A (en) Malicious web crawler detection method, device, equipment and storage medium
CN105516128A (en) Detecting method and device of Web attack
CN114650176A (en) Phishing website detection method and device, computer equipment and storage medium
CN114528457A (en) Web fingerprint detection method and related equipment
CN112532624B (en) Black chain detection method and device, electronic equipment and readable storage medium
CN111385295B (en) WebShell detection method, device, equipment and storage medium
CN112668005A (en) Webshell file detection method and device
CN109284465B (en) URL-based web page classifier construction method and classification method thereof
CN113364784B (en) Detection parameter generation method and device, electronic equipment and storage medium
CN111125704B (en) Webpage Trojan horse recognition method and system
CN113688346A (en) Illegal website identification method, device, equipment and storage medium
CN106982147B (en) Communication monitoring method and device for Web communication application
CN113141332B (en) Command injection identification method, system, equipment and computer storage medium
US10313127B1 (en) Method and system for detecting and alerting users of device fingerprinting attempts
CN115801455B (en) Method and device for detecting counterfeit website based on website fingerprint
CN112202763B (en) IDS strategy generation method, device, equipment and medium
CN114124448A (en) Cross-site scripting attack identification method based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant