Research and Implementation on WebShell Comprehensive Detection and Traceability Technology Based on High-speed Network

doi:10.3969/j.issn.1671-1122.2021.01.008

Abstract

Abstract:

WebShell is a common Web script intrusion attack tool. By implanting WebShell into the Website server, the Website server can be controlled and the server operating program permissions can be obtained. WebShell is usually nested in normal Webpage scripts, which has strong concealment and brings great harm to the Website itself and visitors. In response to the above problems, this paper proposes a high-speed network traffic analysis and detection technology based on DPDK, which captures and analyzes network traffic in a high-speed network environment, and realizes efficient detection of WebShell in traffic data packets through feature code matching. At the same time, the WebShell file and the attacker are traced and analyzed.

Key words: WebShell, DPDK, traffic analysis, traceability analysis

CLC Number:

TP309

WANG Yueda, HUANG Pan, JING Tao, SONG Yaxi. Research and Implementation on WebShell Comprehensive Detection and Traceability Technology Based on High-speed Network[J]. Netinfo Security, 2021, 21(1): 65-71.

Figures/Tables 6

References 10

[1]	ZHAO Yuntao, XU Chunyu, BO bo, et al. Traffic-based WebShell Behavior Analysis and Detection Method[J]. Network Security Technology & Application, 2018,18(4):8-9.
	赵运弢, 徐春雨, 薄波, 等. 基于流量的WebShell行为分析与检测方法[J]. 网络安全技术与应用, 2018,18(4):8-9.
[2]	National Internet Emergency Center. 2019 China Internet Network Security Report[EB/OL]. http://www.cert.org.cn/publish/main/46/2020/20200811124544754595627/20200811124544754595627_.html, 2020-05-22.
	国家计算机网络应急技术处理协调中心. 2019年中国互联网网络安全报告[EB/OL]. http://www.cert.org.cn/publish/main/46/2020/20200811124544754595627/20200811124544754595627_.html, 2020-05-22.
[3]	ZHOU Henglei. A Traffic-based WebShell Communication Detection Scheme[J]. Financial Computer of China, 2020,27(6):60-64.
	周恒磊. 一种基于流量的WebShell通信检测方案[J]. 中国金融电脑, 2020,27(6):60-64.
[4]	XIAO Zhongqi. Design and Implementation of Traffic Identification System Based on DPDK[D]. Wuhan: Huazhong University of Science and Technology, 2019.
	肖中奇. 基于DPDK的流量识别系统的设计与实现[D]. 武汉:华中科技大学, 2019.
[5]	ZENG Li, YE Xiaozhou, WANG Lingfang. Summary of Research on DPDK Technology Application of Webshell Detection Framework Based on Combinatorial Policy[J]. Journal of Network New Media, 2020,9(2):1-8.
	曾理, 叶晓舟, 王玲芳. DPDK技术应用研究综述[J]. 网络新媒体技术, 2020,9(2):1-8.
[6]	REN Qingqing, ZHOU Liang, XU Zhijun, et al. PacketUsher: Exploiting DPDK to Accelerate Compute-intensive Packet Processing[EB/OL]. https://www.sciencedirect.com/science/article/abs/pii/S0140366420318521, 2020-08-11.
[7]	WANG Wenqing, PENG Guojun, CHEN Zhenhang, et al. WebShell Detection Framework Based on Combination Strategy[J]. Computer Engineering and Design, 2018,39(4):907-911, 917.
	王文清, 彭国军, 陈震杭, 等. 基于组合策略的WebShell检测框架[J]. 计算机工程与设计, 2018,39(4):907-911,917.
[8]	JIANG Tian. Research on WebShell Detection Method Based on Convolution Neural Network[J]. Information Technology and Network Security, 2019,38(7):27-31.
	姜天. 基于卷积神经网络的WebShell检测方法研究[J]. 信息技术与网络安全, 2019,38(7):27-31.
[9]	LI Jiangtao. WebShell Detection Method and Implementation Based on Machine Learning Combination Algorithm[D]. Jinan: Shandong University, 2019.
	李江涛. 基于机器学习组合算法的WebShell检测方法与实现[D]. 济南:山东大学, 2019.
[10]	ZHAI Yunsai. A Calculation Method to Find the Maximum Length of the Same Prefix and Suffix Substrings in KMP Algorithm[J]. Practical Electronics, 2020(12):50-51, 54.
	翟允赛. KMP算法中一种求相同前后缀子串最大长度的计算方法[J]. 电子制作, 2020(12):50-51,54.

WebShell特征	检测数量/条/天	检测匹配率	误报率	木马类型
getpwd=	62	100%	0%	网页大马
@eval/%40eval	2638	100%	0%	一句话木马、中国菜刀、蚁剑
array_map	77	100%	0%	中国菜刀
&z1=	246	90.2%	9.8%	中国菜刀
X@Y	1000	0.4%	99.6%	中国菜刀
silicpass	9	100%	0%	网页大马
d2hvYW1p	5	100%	0%	蚁剑
mytag_js.php	1000	50%	50%	蚁剑
&z2=	600	10%	99%	中国菜刀
%u0045	10	100%	0%	中国菜刀