Abstract
Because of their complexity and importance, Web applications have become one of the main targets of network attacks. After compromising a website, an attacker usually implants a Webshell to keep persistent control of it. As the contest between attackers and defenders has progressed, however, a wide range of detection techniques and endpoint security products have come into use, making the traditional Webshell that resides as a file on disk ever easier to detect, and the memory-based Webshell has become the new trend. A memory-based Webshell leaves no malicious file on disk; instead it injects malicious code into memory, which makes it more covert and harder for security devices to discover, and detection techniques aimed at memory-based Webshells are currently lacking. Focusing on Java applications, this paper summarizes the characteristics and principles of memory-based Webshells, constructs a threat model for them, defines the high-adversarial memory-based Webshell, and proposes a detection technique for such Webshells that combines dynamic and static analysis on the basis of RASP (Runtime Application Self-Protection). For user requests, RASP is used to monitor component-registration functions and privileged functions and to obtain context information; dynamic feature detection is then carried out in real time, based on whether a corresponding file exists on disk and on data-flow analysis, without affecting the normal operation of the application. For the classes loaded in the JVM, and as a supplement to the dynamic method, a deep-learning static detection algorithm based on text features is studied to improve detection efficiency for high-adversarial memory-based Webshells. Experiments show that, compared with other detection tools, the proposed method detects memory-based Webshells best, with an accuracy of 96.45% and a performance overhead of 7.74%, demonstrating its feasibility; moreover, the location of the memory-based Webshell can be pinpointed accurately from the detection results.
Web applications have become one of the main targets of network attacks due to their complexity and importance. After an attacker invades a website, he usually implants a Webshell to control the website persistently. However, with the game between offense and defense, various detection technologies and terminal security products are widely used, making the traditional Webshell residing in the form of a file more and more easily detected, and the memory-based Webshell has become a new trend. A memory-based Webshell does not have malicious files on disk, but injects malicious code into memory, which is more concealed and difficult to be detected by security devices, and currently there is a lack of detection technology for memory-based Webshells. For Java applications, this paper summarizes the characteristics and principles of memory-based Webshells, constructs a memory-based Webshell threat model, defines a high-adversarial memory-based Webshell, and proposes a high-adversarial memory-based Webshell detection technology based on RASP (Runtime application self-protection) and a dynamic and static combination. For user requests, the register component functions and privileged functions are monitored based on RASP technology, and the context information is obtained. The dynamic feature detection is carried out in real time according to whether there are files on the disk and data flow analysis technology, without affecting the normal operation of the application program. Aiming at the classes loaded in the JVM and as a supplement to the dynamic detection method, a deep learning static detection algorithm based on text features is studied to improve the detection efficiency of high-adversarial memory-based Webshells. Experiments show that, compared with other detection tools, the method in this paper has the best effect in detecting memory-based Webshells, with an accuracy rate of 96.45% and a performance consumption of 7.74%, which is feasible. Moreover, the location of the memory-based Webshell can be accurately located according to the detection results.
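One of the dynamic features the abstract relies on, whether a class loaded in the JVM is backed by a file on disk, as an added Java illustration that is not the paper's code: the class names, the `InMemoryLoader` stand-in and the `[ok]`/`[suspect]` labels are assumptions, and a real RASP agent would obtain the class list from `Instrumentation.getAllLoadedClasses()` rather than from the constructed list in `main`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

// Added illustration (not the paper's code) of one dynamic feature from the abstract: whether a
// loaded class is backed by a file on disk. A class defined straight from a byte array, as an
// in-memory Webshell typically is, has no .class resource that its defining loader can return.
public class MemoryClassCheck {
    /** Result for one inspected class. */
    public static final class Finding {
        public final String className, loader;
        public final boolean hasBackingResource;
        Finding(String c, String l, boolean b) { className = c; loader = l; hasBackingResource = b; }
        @Override public String toString() {
            return (hasBackingResource ? "[ok]      " : "[suspect] ") + className + "  loader=" + loader;
        }
    }

    /** True if the defining loader can locate the .class resource for clazz. */
    public static boolean hasBackingResource(Class<?> clazz) {
        ClassLoader cl = clazz.getClassLoader();
        if (cl == null) return true;   // bootstrap (java.*) classes are treated as trusted
        return cl.getResource(clazz.getName().replace('.', '/') + ".class") != null;
    }

    /** Classify each class. Lambdas, dynamic proxies and CGLIB classes also lack a resource,
     *  so this is one feature to combine with the others in the paper, not a verdict on its own. */
    public static List<Finding> inspect(List<Class<?>> loaded) {
        List<Finding> out = new ArrayList<>();
        for (Class<?> c : loaded) {
            ClassLoader cl = c.getClassLoader();
            out.add(new Finding(c.getName(), cl == null ? "bootstrap" : cl.getClass().getName(), hasBackingResource(c)));
        }
        return out;
    }

    /** Constructed stand-in for an in-memory definition: bootstrap parent, so no resource is ever found. */
    static final class InMemoryLoader extends ClassLoader {
        InMemoryLoader() { super(null); }
        Class<?> define(String name, byte[] b) { return defineClass(name, b, 0, b.length); }
    }

    public static void main(String[] args) throws IOException {
        byte[] bytes;
        try (InputStream in = MemoryClassCheck.class.getResourceAsStream("MemoryClassCheck$Finding.class")) {
            bytes = in.readAllBytes();   // reuse this file's own compiled inner class as constructed demo bytes
        }
        Class<?> shadow = new InMemoryLoader().define("MemoryClassCheck$Finding", bytes);
        inspect(List.of(String.class, MemoryClassCheck.class, shadow)).forEach(System.out::println);
    }
}
```

Compile and run with `javac MemoryClassCheck.java && java MemoryClassCheck` (Java 9 or later); the copy defined through `InMemoryLoader` is reported as suspect because its loader has no resource to serve for it, while the two classes loaded from the class path or the bootstrap loader pass.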
Authors
张金莉
陈星辰
王晓蕾
陈庆旺
代峰
李香龙
冯云
崔翔
Zhang Jinli; Chen Xingchen; Wang Xiaolei; Chen Qingwang; Dai Feng; Li Xianglong; Feng Yun; Cui Xiang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)
Source
Journal of Cyber Security (信息安全学报)
CSCD
2022, No. 6, pp. 62-79 (18 pages)
Funding
Youth Innovation Promotion Association of the Chinese Academy of Sciences (No.2019163)
Strategic Priority Research Program of the Chinese Academy of Sciences (No.XDC02040100)
Supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and the Beijing Key Laboratory of Network Security and Protection Technology.