CN112153033A - Method and device for detecting webshell - Google Patents

Method and device for detecting webshell

Publication number
CN112153033A
CN112153033A
Authority
CN
China
Prior art keywords
access request
probability
webshell
markov chain
reference path
Prior art date
Legal status
Granted
Application number
CN202010973058.XA
Other languages
Chinese (zh)
Other versions
CN112153033B (en)
Inventor
王呈祥
范渊
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Events
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202010973058.XA
Publication of CN112153033A
Application granted
Publication of CN112153033B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a method, a device, an electronic device and a storage medium for detecting webshell, wherein the method comprises the steps of obtaining an access request of a client; counting the reference path in the access request, adding the reference path into a Markov chain, and calculating the probability of the reference path on the Markov chain; and judging whether a webshell attack exists in the access request according to the probability of the reference path on the Markov chain. By the method and the device, the problems of a high false alarm rate and a high false negative rate in detecting webshell attacks are solved, and the false alarm rate and the false negative rate of webshell detection can be reduced.

Description

Method and device for detecting webshell
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for detecting a webshell, an electronic apparatus, and a storage medium.
Background
A cyber attack refers to any type of offensive action performed against a computer information system, infrastructure, computer network, or personal computer device, etc. For computers and computer networks, destroying, revealing, modifying, disabling software or services, stealing or accessing data from any computer without authorization, is considered an attack in computers and computer networks.
A webshell is a backdoor program installed after a website has been successfully compromised; its files are mixed with the normal website files in the web directory of the website server. After an attacker uses the webshell, generally no record is left in the system log, so traces of the intrusion are difficult to find and the stealth is extremely high. In the related art, webshell is generally detected by matching feature codes, feature values and dangerous functions, but this method does not detect webshell attacks intelligently and has a high false positive rate and a high false negative rate.
At present, no effective solution has been proposed for the problem of a high false alarm rate and a high false negative rate in detecting webshell attacks in the related art.
Disclosure of Invention
The embodiment of the application provides a method, a device, an electronic device and a storage medium for detecting webshell, so as to at least solve the problems of a high false alarm rate and a high false negative rate in webshell attack detection in the related art.
In a first aspect, an embodiment of the present application provides a method for detecting a webshell, including:
acquiring an access request of a client;
counting a reference path in the access request, adding the reference path into the Markov chain, and calculating the probability of the reference path on the Markov chain;
and judging whether a webshell attack exists in the access request or not according to the probability of the reference path on the Markov chain.
In some embodiments, the counting reference paths in the access request, adding the reference paths to the markov chain, and calculating the probability of the reference paths on the markov chain includes: acquiring a session value in the access request; and importing the referrer value of the access request with the same session value into a linked list to form a referrer chain, adding the referrer chain into the Markov chain, and calculating the probability of the referrer chain on the Markov chain.
In some embodiments, in the step of obtaining the session value in the access request, the method includes: and when the access request does not carry the cookie value, generating a session value and returning the session value to the client.
In some embodiments, in the step of obtaining the session value in the access request, the method includes: and when the cookie value in the access request is not matched with the session value of the server, generating a session value and returning the session value to the client.
In some embodiments, in the step of obtaining the session value in the access request, the method includes: and when the cookie value in the access request is matched with the session value of the server, directly calling the session value in the cookie value in the access request.
In some embodiments, the step of determining whether a webshell attack exists in the access request according to the probability of the reference path on the markov chain includes: setting a probability threshold; and when the probability of the reference path on the Markov chain is lower than the probability threshold, judging that the webshell attack exists in the access request.
In some embodiments, after determining that a webshell attack exists in the access request, the method further includes: and the control server blocks the webshell attack.
In a second aspect, an embodiment of the present application provides an apparatus for detecting a webshell, including: the device comprises an acquisition module, a probability module and a judgment module; the acquisition module is used for acquiring an access request of a client; the probability module is used for counting the reference path in the access request, adding the reference path into the Markov chain and calculating the probability of the reference path on the Markov chain; and the judging module is used for judging whether the webshell attack exists in the access request according to the probability of the reference path on the Markov chain.
In a third aspect, an embodiment of the present application provides an electronic apparatus, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor, when executing the computer program, implements the method for detecting webshell according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, where the program, when executed by a processor, implements the method for detecting a webshell according to the first aspect.
Compared with the related art, the method, the device, the electronic device and the storage medium for detecting webshell provided by the embodiment of the application acquire the access request of the client; count the reference path in the access request, add the reference path to the Markov chain, and calculate the probability of the reference path on the Markov chain; and judge whether a webshell attack exists in the access request according to the probability of the reference path on the Markov chain. The method solves the problems of a high false alarm rate and a high false negative rate in detecting webshell attacks, and can reduce the false alarm rate and the false negative rate of webshell detection.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware structure of a terminal of a method for detecting a webshell according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of detecting a webshell according to an embodiment of the present application;
FIG. 3 is a preferred flow diagram of a method of detecting a webshell according to an embodiment of the present application;
fig. 4 is a block diagram illustrating an architecture of an apparatus for detecting webshell according to an embodiment of the present disclosure;
fig. 5 is a block diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The various techniques described herein may be used in various wireless communication systems, such as 2G, 3G, 4G, 5G and next-generation communication systems, for example Global System for Mobile communications (GSM), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Wideband Code Division Multiple Access (WCDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE), 5G New Radio (NR) and other such communication systems.
The method for detecting webshell provided in this embodiment can be applied to a base station, a Radio Remote Unit (RRU), or any other network element device that needs to perform radio frequency transceiving. A base station in this context may be a device in an access network that communicates over the air interface, through one or more sectors, with wireless terminals. The base station may act as a router between the wireless terminal and the rest of the access network, which may include an IP network, converting received air frames to Internet Protocol (IP) packets and vice versa. The base station may also coordinate management of attributes for the air interface. For example, the base station may be a Base Transceiver Station (BTS) in GSM or CDMA, a Node B in WCDMA, an evolved Node B (eNB or e-Node B) in LTE, or a next generation Node B (gNB) in 5G NR, and the present application is not limited thereto.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking the operation on a terminal as an example, fig. 1 is a hardware structure block diagram of an application terminal of the method for detecting webshell according to the embodiment of the present invention. As shown in fig. 1, the terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 can be used for storing computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a method for detecting webshell in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, thereby implementing the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
Fig. 2 is a flowchart of a method for detecting a webshell according to an embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, an access request of a client is acquired.
Specifically, acquiring the access request of the client refers to acquiring a request of an http protocol of the client, which is hereinafter referred to as an http request.
The http protocol defines how a Web client requests a Web page from a Web server and how the server transmits the Web page to the client. The http protocol adopts a request/response model, and the client sends a request message to the server, wherein the request message comprises a request method, a URL (uniform resource locator), a protocol version, a request header and request data.
Step S202, counting the reference path in the access request, adding the reference path into the Markov chain, and calculating the probability of the reference path on the Markov chain.
Specifically, the request headers in the access requests are linked into a path with a reference relationship, and this path is added to the Markov chain, so that the probability of the reference path on the Markov chain can be obtained.
For example, the referrers of the http requests carrying the same session value form a chain r1 -> r3 -> r2 -> r5. From the Markov chain of referrers, the transition probability from each referrer to the next can be obtained, and from these the probability of the whole referrer chain, for example P(r1 -> r3 -> r2 -> r5) = P(r1 -> r3) × P(r3 -> r2) × P(r2 -> r5).
Step S203, judging whether the webshell attack exists in the access request according to the probability of the reference path on the Markov chain.
For example, continuing the previous example, if P(r1 -> r3 -> r2 -> r5) is much smaller than the normal value P(r1 -> r5), it can be determined that the client has been subjected to a webshell attack, because the referrer chain of normal http requests is relatively fixed and its probability is not very low.
Based on steps S201 to S203: the access request of the client is acquired and contains a reference path; the reference path is counted and added to the Markov chain, which gives the transition probability of each step of the path, and when that probability is very low it can be determined that the client has been subjected to a webshell attack. In a normal http request the reference path is regular, whereas a webshell attack shows unordered or abnormal access; the abnormal probability can be analysed with a Markov model, the webshell attack can be blocked when it is found, and the problems of a high false alarm rate and a high false negative rate in webshell attack detection are solved.
In some embodiments, counting a reference path in the access request, adding the reference path to the markov chain, and calculating a probability of the reference path on the markov chain includes: acquiring a session value in the access request; and importing the referrer value of the access request with the same session value into a linked list to form a referrer chain, adding the referrer chain into the Markov chain, and calculating the probability of the referrer chain on the Markov chain.
Here Referer is an http request header, and the session value (sessionid) is carried in the Cookie request header, for example:
GET / HTTP/1.1
Host: bar.other
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Referer: http://foo.example/examples/credential.html
Origin: http://foo.example
Cookie: SESSIONID=yOK3vjFD75aPnrF7C2HmdnV6QZcEbzWoWiBYEnLerjQ99zWpBng
For example, Referer is part of the http request header: when a browser (or a program simulating browser behaviour) sends a request to the web server, the Referer is included in the header information. If a page at www.***.com contains a link to www.***.com and that link is clicked, the resulting request carries the header Referer: http://www.***.com. It can be seen that the referrer represents the source of the request.
Adding the referrer chain to the Markov chain and calculating the probability of the referrer chain on the Markov chain makes it possible to learn quickly whether the client has been attacked through a webshell.
In some embodiments, in the step of obtaining the session value in the access request, the method includes: and when the access request does not carry the cookie value, generating a session value and returning the session value to the client.
And when the cookie value in the access request is not matched with the session value of the server, generating a session value and returning the session value to the client.
For example, when a url is requested for the first time, the request carries no cookie; the server creates a cookie in the response, optionally sets its validity period, and returns it, and the browser submits that cookie on subsequent requests. A cookie with no validity period is session-level and becomes invalid when the browser is closed; a cookie returned with a validity period is stored on the local disk, survives closing the browser, and is still carried when the site is accessed again.
Specifically, the server first checks whether the client's http request carries a session identifier. In cookie mode, if there is no cookie, or the sessionid carried in the cookie does not match the one stored by the server, a sessionid is generated by an algorithm and, when the http response is constructed for the client, returned to the client as a cookie value, so that subsequent http requests from the client carry the sessionid and the server, on receiving a request, can judge from the sessionid whether it belongs to the same session.
The referrer chain in this application must be formed within the same session.
In some embodiments, in the step of obtaining the session value in the access request, the method includes: and when the cookie value in the access request is matched with the session value of the server, directly calling the session value in the cookie value in the access request.
And if the cookie value and the session value are matched, the session value of the server does not need to be returned to the user as the cookie value, and the session value in the cookie value of the client is directly called.
In some embodiments, the step of determining whether a webshell attack exists in the access request according to the probability of the reference path on the markov chain includes: setting a probability threshold; and when the probability of the reference path on the Markov chain is lower than the probability threshold, judging that the webshell attack exists in the access request.
Wherein, the probability threshold is set according to the strength of webshell attack.
For example, the referrers of the http requests carrying the same session value form a chain r1 -> r2 -> r3 -> r4. From the Markov chain of referrers, the transition probability from each referrer to the next can be obtained, and from these the probability of the whole referrer chain, for example P(r1 -> r2 -> r3 -> r4) = P(r1 -> r2) × P(r2 -> r3) × P(r3 -> r4) = 0.00003024, where P(r1 -> r2) = 0.8, P(r2 -> r3) = 0.006, P(r3 -> r4) = 0.009, and P(r1 -> r4) = 0.7.
If P(r1 -> r2 -> r3 -> r4) = 0.00003024 is much smaller than the normal value P(r1 -> r4) = 0.7, it can be determined that the client has been subjected to a webshell attack, because the referrer chain of a normal http request is relatively fixed and its probability is not very low, whereas a probability of P(r1 -> r2 -> r3 -> r4) = 0.0000432 is obviously low.
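The chain probability of step S202 and the threshold decision of step S203, including the transition values quoted in the passage above, as an added example that is not part of the patent: a first-order Markov chain over Referer transitions is estimated from sessions assumed to be normal, a chain's probability is the product of its transition probabilities, and a chain whose probability falls below the threshold is flagged. The training sessions, the referrer names, the threshold value and the floor probability assigned to a transition never seen in training are constructed assumptions (the patent does not say how unseen transitions are handled). The patent's own worked values are kept in PATENT_TRANSITIONS; the product of 0.8, 0.006 and 0.009 evaluates to 0.0000432, the figure the passage itself ends with.

```python
"""Added example (not the patent's code): Markov-chain scoring of per-session
referrer chains, as in steps S202 and S203 of the description."""
from collections import Counter
from math import prod

# Transition probabilities quoted in the patent's worked example.  They are
# illustrative values from the description, not a trained model.
PATENT_TRANSITIONS = {
    ("r1", "r2"): 0.8,
    ("r2", "r3"): 0.006,
    ("r3", "r4"): 0.009,
    ("r1", "r4"): 0.7,
}

# Assumption: probability assigned to a transition never observed during
# training.  The patent does not specify this; without a floor a single new
# transition would make the whole chain probability zero.
UNSEEN_FLOOR = 1e-6

# Assumption: the probability threshold of the "setting a probability
# threshold" embodiment; the patent sets it "according to the strength of
# webshell attack" and gives no value.
THRESHOLD = 1e-4


def train_transitions(sessions):
    """Estimate P(a -> b) = count(a -> b) / count(a -> *) from the referrer
    chains of sessions assumed to be normal (the "known Markov chain")."""
    pair_counts = Counter()
    out_counts = Counter()
    for chain in sessions:
        for a, b in zip(chain, chain[1:]):
            pair_counts[(a, b)] += 1
            out_counts[a] += 1
    return {(a, b): n / out_counts[a] for (a, b), n in pair_counts.items()}


def chain_probability(chain, transitions, floor=UNSEEN_FLOOR):
    """P(r1 -> ... -> rn) = P(r1 -> r2) * P(r2 -> r3) * ... * P(r(n-1) -> rn).
    A chain with fewer than two referrers has no transition and scores 1."""
    return prod(transitions.get((a, b), floor) for a, b in zip(chain, chain[1:]))


def is_webshell_session(chain, transitions, threshold=THRESHOLD):
    """Step S203: flag the session when its chain probability is below the threshold."""
    return chain_probability(chain, transitions) < threshold


# Constructed training data: referrer chains of sessions assumed normal.  A
# deployment would collect these from the Referer header of requests grouped
# by session id, as the embodiment describes.
NORMAL_SESSIONS = [
    ["/index", "/login", "/home", "/orders"],
    ["/index", "/login", "/home", "/orders"],
    ["/index", "/login", "/home", "/orders"],
    ["/index", "/login", "/home", "/profile"],
    ["/index", "/home", "/orders"],
]

# Constructed test chains: one in the usual navigation order and one whose
# order is jumbled (the "unordered or abnormal access" the description
# associates with webshell activity).
ORDERED_CHAIN = ["/index", "/login", "/home", "/orders"]
JUMBLED_CHAIN = ["/index", "/home", "/login", "/orders"]


def score_examples():
    """Train on the constructed sessions and score both constructed chains."""
    model = train_transitions(NORMAL_SESSIONS)
    return {
        "ordered": chain_probability(ORDERED_CHAIN, model),
        "jumbled": chain_probability(JUMBLED_CHAIN, model),
        "ordered_flagged": is_webshell_session(ORDERED_CHAIN, model),
        "jumbled_flagged": is_webshell_session(JUMBLED_CHAIN, model),
    }


if __name__ == "__main__":
    print("patent chain :", chain_probability(["r1", "r2", "r3", "r4"], PATENT_TRANSITIONS))
    print("patent normal:", chain_probability(["r1", "r4"], PATENT_TRANSITIONS))
    for name, value in score_examples().items():
        print(f"{name:16s} {value}")
```

With the constructed sessions the ordered chain scores 0.8 × 1.0 × 0.8 = 0.64 and passes, while the jumbled chain contains two transitions never seen in training and scores 0.2 × 1e-6 × 1e-6, far below the threshold. The floor value matters in practice: set it too high and rare but legitimate navigation is indistinguishable from an anomaly, set it too low and a single unseen transition dominates the score regardless of the rest of the chain.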
In some embodiments, after determining that the webshell attack exists in the access request, the method further includes: the control server blocks the webshell attack.
Fig. 3 is a preferred flowchart of a method for detecting a webshell according to an embodiment of the present application, and as shown in fig. 3, the method for detecting a webshell includes the following steps:
step S301, obtaining an http request;
step S302, judging whether the cookie value exists and the validity of the cookie value;
step S303, if step S302 finds that the cookie value does not exist or the session value carried by the cookie value is invalid, a session for marking the user is generated;
step S304, the sessionid generated in step S303 is returned to the user as a cookie value;
step S305, the referrer value of the current request is obtained;
step S306, the referrer value obtained in step S305 is stored in a linked list to form a referrer chain;
step S307, the referrer chain generated in step S306 is added to a known Markov chain;
step S308, the probability P of the referrer chain is calculated based on the Markov model;
step S309, it is determined whether the probability P calculated in step S308 is smaller than the probability of normal access;
step S310, if step S309 finds that the access probability is smaller than the normal access probability, a webshell attack is determined;
step S311, if step S309 finds that it is greater than or equal to the normal access probability, a normal access is assumed.
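Steps S301 to S306 (cookie check, session issuance, and linking each request's Referer into the session's chain), together with the cookie-handling embodiments above, as an added example that is not part of the patent: the collector reuses the client's SESSIONID cookie when it matches a session the server issued, otherwise generates a new session id and returns it in a Set-Cookie header, and appends the request's Referer to the referrer chain kept for that session. The header dictionaries, the use of secrets.token_urlsafe for id generation and the cookie attributes are constructed assumptions; the patent only says the sessionid is "generated by an algorithm". The cookie name is the one in the sample request above.

```python
"""Added example (not the patent's code): server-side session resolution and
per-session referrer chain collection, following steps S301 to S306."""
import secrets
from collections import defaultdict

# Cookie name taken from the sample request in the description.
SESSION_COOKIE = "SESSIONID"


def parse_cookie_header(value):
    """Split a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


class ReferrerChainCollector:
    """Keeps the sessions this server has issued and, for each, the ordered
    list of Referer values seen (the linked list of step S306)."""

    def __init__(self, id_generator=None):
        # Assumption: the patent only says the id is "generated by an
        # algorithm"; a random URL-safe token is used here.
        self._new_id = id_generator or (lambda: secrets.token_urlsafe(32))
        self.sessions = set()
        self.chains = defaultdict(list)

    def resolve_session(self, cookies):
        """Steps S302 to S304.  Returns (session_id, issued); issued is True when
        the client sent no cookie, or a cookie whose id the server does not
        recognise, and a fresh id was generated for it."""
        sid = cookies.get(SESSION_COOKIE)
        if sid is not None and sid in self.sessions:
            return sid, False          # cookie matches a server-side session: reuse it
        sid = self._new_id()           # missing or unknown id: issue a new session
        self.sessions.add(sid)
        return sid, True

    def handle_request(self, headers):
        """Process one request's headers; returns (session_id, response_headers).
        Steps S305 and S306: the Referer, when present, is appended to the chain."""
        cookies = parse_cookie_header(headers.get("Cookie", ""))
        sid, issued = self.resolve_session(cookies)
        referer = headers.get("Referer")
        if referer is not None:
            self.chains[sid].append(referer)
        response_headers = {}
        if issued:
            # Returned as the cookie value so later requests in the same session
            # carry it.  No Max-Age: a session-level cookie that the browser
            # drops when closed, as the description notes.
            response_headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
        return sid, response_headers


def simulate():
    """Constructed request sequence: no cookie, a matching cookie, an unknown cookie."""
    collector = ReferrerChainCollector()
    sid1, resp1 = collector.handle_request(
        {"Referer": "http://foo.example/index.html"})
    sid2, resp2 = collector.handle_request(
        {"Cookie": f"{SESSION_COOKIE}={sid1}",
         "Referer": "http://foo.example/login.html"})
    sid3, resp3 = collector.handle_request(
        {"Cookie": f"{SESSION_COOKIE}=not-issued-by-this-server",
         "Referer": "http://foo.example/home.html"})
    return collector, (sid1, sid2, sid3), (resp1, resp2, resp3)


if __name__ == "__main__":
    collector, sids, responses = simulate()
    for sid in dict.fromkeys(sids):
        print(sid, "->", " -> ".join(collector.chains[sid]))
```

The third request in the simulation shows why the server must check the cookie against its own session table rather than trusting any value the client presents: a cookie the server never issued starts a new session and a new chain instead of being appended to someone else's. The chains collected here are the input to the Markov-chain scoring of steps S307 to S311.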
The embodiment also provides a device for detecting webshell, which is used for implementing the above embodiments and preferred embodiments, and the description of the device is omitted. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 4 is a block diagram illustrating a structure of an apparatus for detecting a webshell according to an embodiment of the present application; as shown in fig. 4, the apparatus includes: an acquisition module 40, a probability module 42, and a judgment module 44;
the obtaining module 40 is configured to obtain an access request of a client.
Specifically, acquiring the access request of the client refers to acquiring a request of an http protocol of the client, which is hereinafter referred to as an http request.
The http protocol defines how a Web client requests a Web page from a Web server and how the server transmits the Web page to the client. The http protocol employs a request/response model. The client sends a request message to the server, wherein the request message comprises a request method, a URL (uniform resource locator), a protocol version, a request header and request data.
The probability module 42 is configured to count a reference path in the access request, add the reference path to the markov chain, and calculate a probability of the reference path on the markov chain;
specifically, the request headers in the access requests are connected into a path with reference relationship, and the path with reference relationship is added into the Markov chain, so that the probability of the application path on the Markov chain can be obtained.
For example, referrers of http requests of the same session value form a chain, r1- > r3- > r2- > r 5; according to the Markov chain of the preferer, the probability from the previous preferer to the next preferer can be obtained, and further the probability of the whole preferer chain can be obtained. For example, P (r1- > r3- > r2- > r5) ═ P (r1- > r3) × P (r3- > r2) × P (r2- > r 5).
The judging module 44 is configured to judge whether a webshell attack exists in the access request according to the probability of the reference path on the markov chain.
For example, continuing the previous example, if P(r1 -> r3 -> r2 -> r5) is much smaller than the normal value P(r1 -> r5), it can be determined that the client has been subjected to a webshell attack, because the referrer chain of normal http requests is relatively fixed and its probability is not very low.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
Step S1: obtain an access request of the client.
Specifically, obtaining the access request of the client means obtaining a request made by the client over the http protocol, hereinafter referred to as an http request.
The http protocol defines how a Web client requests a Web page from a Web server and how the server transmits the Web page to the client. The http protocol uses a request/response model: the client sends a request message to the server, and the request message comprises a request method, a URL (uniform resource locator), a protocol version, request headers and request data.
Step S2: count the reference paths in the access requests, add the reference paths to the Markov chain, and calculate the probability of the reference path on the Markov chain.
Specifically, the Referer headers of the access requests are linked into a path with a reference relationship, the reference path is added to the Markov chain, and the probability of the reference path on the Markov chain is obtained. For example, the referrers of the http requests that share the same session value form a chain, r1 -> r3 -> r2 -> r5. From the Markov chain of referrers, the probability of moving from each referrer to the next can be obtained, and hence the probability of the whole referrer chain. For example, P(r1 -> r3 -> r2 -> r5) = P(r1 -> r3) × P(r3 -> r2) × P(r2 -> r5).
Step S3: judge whether a webshell attack exists in the access request according to the probability of the reference path on the Markov chain. It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, which are not repeated here.
For example, continuing the previous example, if P(r1 -> r3 -> r2 -> r5) is much smaller than the normal value P(r1 -> r5), it can be determined that the client has been subjected to a webshell attack, because the referrer chain of normal http requests is relatively fixed and its probability is therefore not very low.
A webshell is a web page backdoor: its files are mixed in with the normal website under the web directory of the website server, and after an attacker operates through the webshell, generally no record is left in the system log, so the trace of the intrusion is hard to find and the concealment is extremely high.
Through steps S201 to S203, the access request of the client is obtained, the access request including a reference path; the reference path in the access request is counted and added to the Markov chain. The reference path is added to the Markov chain because the Markov chain gives the probability of that path: when the probability is very low, the client can be judged to have been subjected to a webshell attack. Normal http requests are common and their reference paths show regularity, whereas a webshell attack shows disordered or abnormal access characteristics, so the probability of the abnormality can be analysed with the Markov model and the webshell attack prevented. The method can block the webshell and solves the problem of improving the efficiency of detecting webshell attacks.
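The following is an added worked example of the procedure of steps S1 to S3 and of the module description above, written by the editor; it is not code from the patent or from the applicant. It trains a first-order Markov chain on constructed baseline referrer chains, groups a constructed access log into sessions in the manner of claims 3 to 5 (a cookie matching a known session is reused, a missing or unknown cookie is issued a new session id), computes P(r1 -> ... -> rn) as the product of the transition probabilities, and flags a session whose chain probability falls below a threshold as in claim 6. The log format, the baseline chains, the `srv-N` session ids, the threshold of 1e-2, the floor probability of 1e-3 for transitions never seen in training, and the choice to ignore requests without a Referer are all assumptions of this example; the patent specifies none of them.

```python
from collections import defaultdict
from itertools import count
from math import exp, log

# Constructed baseline: Referer chains of sessions on a site whose navigation
# is fixed (login -> dashboard -> orders or profile ...). Not from the patent.
BASELINE_CHAINS = [
    ["/login", "/dashboard", "/orders", "/orders/42"],
    ["/login", "/dashboard", "/orders", "/orders/43"],
    ["/login", "/dashboard", "/profile"],
    ["/login", "/dashboard", "/orders", "/orders/42"],
    ["/login", "/dashboard", "/profile"],
]

# Constructed access log in an assumed key=value format; "-" = header absent.
SAMPLE_LOG = """\
cookie=A ref=- url=/login
cookie=A ref=/login url=/dashboard
cookie=A ref=/dashboard url=/orders
cookie=A ref=/orders url=/orders/42
cookie=- ref=- url=/uploads/avatar.php
cookie=B ref=/uploads/avatar.php url=/uploads/avatar.php
cookie=B ref=/uploads/avatar.php url=/uploads/avatar.php
cookie=B ref=/uploads/avatar.php url=/uploads/avatar.php
"""

PROB_THRESHOLD = 1e-2  # assumed; the patent leaves the threshold to the operator
UNSEEN_FLOOR = 1e-3    # assumed probability of a transition never seen in training


class ReferrerMarkovChain:
    """First-order Markov chain whose states are Referer values."""

    def __init__(self, floor=UNSEEN_FLOOR):
        self.floor = floor
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, chains):
        for chain in chains:                       # count each r_i -> r_{i+1}
            for prev, nxt in zip(chain, chain[1:]):
                self.counts[prev][nxt] += 1

    def transition_prob(self, prev, nxt):
        row = self.counts.get(prev)
        if not row or nxt not in row:
            return self.floor
        return row[nxt] / sum(row.values())

    def chain_prob(self, chain):
        """P(r1->...->rn) = prod P(r_i -> r_{i+1}), summed in log space so long
        chains do not underflow; fewer than two referrers means no transition
        and a score of 1.0 (no evidence either way)."""
        logp = sum(log(self.transition_prob(p, n)) for p, n in zip(chain, chain[1:]))
        return exp(logp)


class SessionTable:
    """Claims 3-5: a cookie matching a known session is reused; a missing or
    unknown cookie gets a freshly issued id. When replaying a log, the issued
    id is bound to the presented cookie so later requests join the same chain."""

    def __init__(self, known=()):
        self.known = set(known)
        self.issued = {}
        self._ids = (f"srv-{i}" for i in count(1))

    def resolve(self, cookie):
        if cookie in self.known:
            return cookie
        if cookie == "-":
            return next(self._ids)
        if cookie not in self.issued:
            self.issued[cookie] = next(self._ids)
        return self.issued[cookie]


def build_referrer_chains(log_text, sessions):
    """Referer values of each resolved session, in request order."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        sid = sessions.resolve(f["cookie"])
        if f["ref"] != "-":          # assumption: no Referer, no state added
            chains[sid].append(f["ref"])
    return dict(chains)


def score_sessions(log_text, model, known_sessions=("A",), threshold=PROB_THRESHOLD):
    """{session_id: (chain probability, flagged)}; flagged below threshold (claim 6)."""
    chains = build_referrer_chains(log_text, SessionTable(known_sessions))
    scored = {sid: model.chain_prob(c) for sid, c in chains.items()}
    return {sid: (p, p < threshold) for sid, p in scored.items()}


if __name__ == "__main__":
    model = ReferrerMarkovChain()
    model.train(BASELINE_CHAINS)
    for sid, (p, flagged) in score_sessions(SAMPLE_LOG, model).items():
        print(f"{sid}: P={p:.1e} {'SUSPECT' if flagged else 'ok'}")
```

On the constructed log, session A follows the trained navigation (/login -> /dashboard -> /orders) and scores 0.6, while the requests carrying cookie B are issued a new session whose referrer chain loops on /uploads/avatar.php, a transition never seen in training, and score 1e-6, below the threshold. Two caveats a practitioner should keep in mind: the Referer header is supplied by the client, so an operator who imitates the site's normal navigation can keep the chain probability high, and browser referrer policies or privacy settings strip the header on legitimate requests, which shortens normal chains and can raise false positives. A low chain probability is therefore a lead for investigation of the target path, not proof of a webshell.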
Those skilled in the art will appreciate that the architecture shown in fig. 5 is a block diagram of only a portion of the architecture associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, implements the steps of a method for detecting webshell provided in the above embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method of detecting a webshell, comprising:
acquiring an access request of a client;
counting a reference path in the access request, adding the reference path into a Markov chain, and calculating the probability of the reference path on the Markov chain;
and judging whether a webshell attack exists in the access request or not according to the probability of the reference path on the Markov chain.
2. The method of claim 1, wherein the counting reference paths in the access request, adding the reference paths to the Markov chain, and calculating probabilities of the reference paths on the Markov chain comprises:
acquiring a session value in the access request;
and importing the referrer value of the access request with the same session value into a linked list to form a referrer chain, adding the referrer chain into the Markov chain, and calculating the probability of the referrer chain on the Markov chain.
3. The method of claim 2, wherein in the step of obtaining the session value in the access request, the method comprises:
and when the access request does not carry the cookie value, generating a session value and returning the session value to the client.
4. The method of claim 2, wherein in the step of obtaining the session value in the access request, the method comprises:
and when the cookie value in the access request is not matched with the session value of the server, generating a session value and returning the session value to the client.
5. The method of claim 2, wherein in the step of obtaining the session value in the access request, the method comprises:
and when the cookie value in the access request is matched with the session value of the server, directly calling the session value in the cookie value in the access request.
6. The method according to any one of claims 1 to 4, wherein the step of determining whether a webshell attack exists in the access request according to the probability of the reference path on the Markov chain comprises:
setting a probability threshold;
and when the probability of the reference path on the Markov chain is lower than the probability threshold, judging that the webshell attack exists in the access request.
7. The method of any of claims 1 to 4, wherein after determining that a webshell attack is present in the access request, the method further comprises:
and the control server blocks the webshell attack.
8. An apparatus for detecting a webshell, comprising: the device comprises an acquisition module, a probability module and a judgment module;
the acquisition module is used for acquiring an access request of a client;
the probability module is used for counting the reference path in the access request, adding the reference path into a Markov chain and calculating the probability of the reference path on the Markov chain;
and the judging module is used for judging whether the webshell attack exists in the access request according to the probability of the reference path on the Markov chain.
9. An electronic device comprising a memory and a processor, wherein the memory has stored thereon a computer program, and the processor is configured to execute the computer program to perform a method of detecting a webshell as claimed in any of claims 1 to 7.
10. A storage medium having a computer program stored thereon, wherein the computer program is configured to perform a method for detecting webshell according to any one of claims 1 to 7 when the computer program is run.
CN202010973058.XA 2020-09-16 2020-09-16 Method and device for detecting webshell Active CN112153033B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010973058.XA CN112153033B (en) 2020-09-16 2020-09-16 Method and device for detecting webshell

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010973058.XA CN112153033B (en) 2020-09-16 2020-09-16 Method and device for detecting webshell

Publications (2)

Publication Number Publication Date
CN112153033A true CN112153033A (en) 2020-12-29
CN112153033B CN112153033B (en) 2023-04-07

Family

ID=73893811

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010973058.XA Active CN112153033B (en) 2020-09-16 2020-09-16 Method and device for detecting webshell

Country Status (1)

Country Link
CN (1) CN112153033B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101826104A (en) * 2010-04-02 2010-09-08 南京邮电大学 Method for realizing website navigability based on continuous time Markov chain
WO2013059287A1 (en) * 2011-10-21 2013-04-25 Mcafee, Inc. System and method for detection of denial of service attacks
US9225738B1 (en) * 2014-06-30 2015-12-29 Emc Corporation Markov behavior scoring
CN106936781A (en) * 2015-12-29 2017-07-07 亿阳安全技术有限公司 A kind of decision method and device of user's operation behavior
CN109167773A (en) * 2018-08-22 2019-01-08 杭州安恒信息技术股份有限公司 A kind of access exception detection method and system based on Markov model
CN109600382A (en) * 2018-12-19 2019-04-09 北京知道创宇信息技术有限公司 Webshell detection method and device, HMM model training method and device
CN109936545A (en) * 2017-12-18 2019-06-25 华为技术有限公司 The detection method and relevant apparatus of Brute Force attack
CN109951500A (en) * 2019-04-29 2019-06-28 宜人恒业科技发展(北京)有限公司 Network attack detecting method and device
CN111368290A (en) * 2018-12-26 2020-07-03 中兴通讯股份有限公司 Data anomaly detection method and device and terminal equipment

Also Published As

Publication number Publication date
CN112153033B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
US10218733B1 (en) System and method for detecting a malicious activity in a computing environment
US10869198B2 (en) Wireless system access control method and device
US20110179467A1 (en) Intercepting malicious access
CN110636068B (en) Method and device for identifying unknown CDN node in CC attack protection
US20130346552A1 (en) Download method, system, and device for mobile terminal
CN110392998B (en) Data packet checking method and equipment
CN111866124B (en) Method, device, server and machine-readable storage medium for accessing webpage
US20130117817A1 (en) Prevention of cross site request forgery attacks by conditional use cookies
WO2005074442A2 (en) Method and system associating a signature with a mobile device
CN104618404A (en) Processing method, device and system for preventing network attack to Web server
CN112491883A (en) Method, device, electronic device and storage medium for detecting web attack
CN108400955A (en) A kind of means of defence and system of network attack
CN112311722B (en) Access control method, device, equipment and computer readable storage medium
CN114095224B (en) Message detection method, device, electronic equipment and storage medium
CN113055357B (en) Method and device for verifying credibility of communication link by single packet, computing equipment and storage medium
CN104462242A (en) Webpage reflow quantity counting method and device
CN107786489A (en) Access request verification method and device
CN112153033B (en) Method and device for detecting webshell
US10360379B2 (en) Method and apparatus for detecting exploits
JP5911431B2 (en) Block malicious access
CN112165466B (en) Method and device for false alarm identification, electronic device and storage medium
CN113766186A (en) Skipping method, device and system of network camera configuration interface and electronic device
US11075911B2 (en) Group-based treatment of network addresses
CN115086069B (en) DDoS attack recognition method and device
CN112367304B (en) Request limiting method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant