Netinfo Security (信息网络安全) ›› 2021, Vol. 21 ›› Issue (1): 65-71. doi: 10.3969/j.issn.1671-1122.2021.01.008

• Technical Research •

Research and Implementation of a WebShell Comprehensive Detection and Traceability Technique Based on High-speed Networks

WANG Yueda 1, HUANG Pan 2, JING Tao 3, SONG Yaxi 1

  1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China
    2. Beilong Zedata (Beijing) Data Technology Co., Ltd., Beijing 100190, China
    3. Office of General Affairs, Chinese Academy of Sciences, Beijing 100864, China
  • Received: 2020-11-07 Online: 2021-01-10 Published: 2021-02-23
  • Corresponding author: WANG Yueda E-mail: anquanip@cnic.cn
  • Author biographies: WANG Yueda (1982–), male, from Jilin, senior engineer, bachelor's degree, main research interest: cyberspace security | HUANG Pan (2000–), male, from Hubei, engineer, main research interests: traffic detection and network attacks | JING Tao (1979–), male, from Jilin, senior engineer, Ph.D., main research interests: network and information security, traffic protocol analysis | SONG Yaxi (1994–), female, from Hebei, master's degree, main research interest: network security
  • Funding:
    National Key R&D Program of China (2017YFB0801902)

Research and Implementation on WebShell Comprehensive Detection and Traceability Technology Based on High-speed Network

WANG Yueda 1, HUANG Pan 2, JING Tao 3, SONG Yaxi 1

  1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China
    2. Beilong Zedata (Beijing) Data Technology Co., Ltd., Beijing 100190, China
    3. Office of General Affairs, Chinese Academy of Sciences, Beijing 100864, China
  • Received: 2020-11-07 Online: 2021-01-10 Published: 2021-02-23
  • Contact: WANG Yueda E-mail: anquanip@cnic.cn

Abstract (Chinese version, translated):

WebShell is a common Web script intrusion tool. After an attacker implants a WebShell into a website server, the attacker can control the server and obtain operating permissions on it. WebShells are usually embedded in normal web page scripts and are highly concealed, causing great harm to the website itself and to its visitors. To address these problems, this paper proposes a DPDK-based high-speed network traffic analysis and detection technique that captures and parses packets in a high-speed network environment, detects WebShells efficiently by matching feature codes (signatures), and performs traceability analysis of the WebShell file and of the attacker.

Keywords (Chinese version, translated): WebShell, DPDK, traffic analysis, traceability analysis

Abstract:

WebShell is a common Web script intrusion attack tool. Once a WebShell has been implanted into a website server, the server can be controlled and operating permissions on it can be obtained. A WebShell is usually nested in normal web page scripts, is highly concealed, and brings great harm to the website itself and to its visitors. In response to these problems, this paper proposes a DPDK-based high-speed network traffic analysis and detection technology that captures and parses network traffic in a high-speed network environment and achieves efficient detection of WebShells in traffic packets through feature-code matching. At the same time, the WebShell file and the attacker are traced and analyzed.
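The abstract describes two stages: signature (feature-code) matching over parsed traffic, and a traceability step that ties each hit back to the WebShell file and the attacking source. The following Python example, added here and not the paper's code, illustrates those two stages on constructed, already reassembled HTTP request payloads; the DPDK capture layer the paper uses is assumed to have produced the (source IP, destination IP, payload) tuples, and the signature list, host names and IP addresses are all constructed for illustration, not the paper's feature codes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed signature list (assumption: the paper's real feature codes are not
# given in the abstract). Each entry is (rule name, compiled byte regex).
SIGNATURES = [
    ("eval-call", re.compile(rb"\beval\s*\(", re.I)),
    ("shell-function-call", re.compile(rb"\b(system|passthru|shell_exec)\s*\(", re.I)),
    ("base64-decode-call", re.compile(rb"\bbase64_decode\s*\(", re.I)),
]


@dataclass(frozen=True)
class Alert:
    src_ip: str    # where the request came from (attacker side)
    dst_ip: str    # the web server that received it
    host: str      # Host header, part of the WebShell file identity
    path: str      # request path, the suspected WebShell file
    rules: Tuple[str, ...]


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x request parser: returns (method, path, headers, body).
    Header names are lower-cased bytes; malformed requests yield an empty method."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    path, _, _ = rest.partition(b" ")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.decode(errors="replace"), path.decode(errors="replace"), headers, body


def match_signatures(path: str, body: bytes) -> Tuple[str, ...]:
    """Apply every signature to the request path and body; return matched rule names."""
    target = path.encode(errors="replace") + b"\n" + body
    return tuple(name for name, rx in SIGNATURES if rx.search(target))


def inspect_flows(flows: Iterable[Tuple[str, str, bytes]]) -> List[Alert]:
    """Detection stage: one Alert per HTTP request that matches at least one signature."""
    alerts: List[Alert] = []
    for src_ip, dst_ip, payload in flows:
        method, path, headers, body = parse_http_request(payload)
        if method not in ("GET", "POST"):      # skip non-HTTP or unusual payloads
            continue
        rules = match_signatures(path, body)
        if rules:
            host = headers.get(b"host", b"").decode(errors="replace")
            alerts.append(Alert(src_ip, dst_ip, host, path, rules))
    return alerts


def traceability_report(alerts: List[Alert]) -> Dict[str, Dict[str, list]]:
    """Traceability stage: group alerts by WebShell file (host + path) and collect
    the source IPs that interacted with it and the rules that fired."""
    report: Dict[str, Dict[str, set]] = {}
    for a in alerts:
        entry = report.setdefault(a.host + a.path, {"src_ips": set(), "rules": set()})
        entry["src_ips"].add(a.src_ip)
        entry["rules"].update(a.rules)
    return {k: {"src_ips": sorted(v["src_ips"]), "rules": sorted(v["rules"])}
            for k, v in report.items()}


# Constructed sample flows: one benign request and two suspicious POSTs to the
# same uploaded file from different sources. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10",
     b"GET /index.php?page=home HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("198.51.100.7", "192.0.2.10",
     b"POST /uploads/avatar.php HTTP/1.1\r\nHost: www.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"a=eval(base64_decode(CONSTRUCTED))"),
    ("198.51.100.9", "192.0.2.10",
     b"POST /uploads/avatar.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
     b"cmd=system(CONSTRUCTED)"),
]

if __name__ == "__main__":
    found = inspect_flows(SAMPLE_FLOWS)
    for a in found:
        print(f"{a.src_ip} -> {a.dst_ip} {a.host}{a.path} rules={a.rules}")
    print(traceability_report(found))
```

Running the block on the constructed flows yields two alerts and a report keyed by `www.example.test/uploads/avatar.php` listing both source addresses, which is the information a traceability step needs to locate the file on the server and attribute the access. In a deployment that follows the paper's design, `SAMPLE_FLOWS` would be replaced by payloads reassembled from DPDK-captured packets, and the signature list would be the operator's maintained feature codes.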

Key words: WebShell, DPDK, traffic analysis, traceability analysis

CLC number: