Abstract:
Because of their complexity and importance, Web applications have become one of the main targets of network attacks. After compromising a website, an attacker usually implants a Webshell to maintain persistent control over it. As the contest between offense and defense has progressed, however, a variety of detection techniques and endpoint security products have come into wide use, making the traditional file-resident Webshell ever easier to detect, and the memory-based Webshell has become the new trend. A memory-based Webshell leaves no malicious file on disk; instead, malicious code is injected into memory, which makes it stealthier and harder for security devices to discover, and detection techniques aimed at memory-based Webshells are currently lacking. Focusing on Java applications, this paper summarizes the characteristics and principles of memory-based Webshells, constructs a memory-based Webshell threat model, defines the high-adversarial memory-based Webshell, and proposes a detection technique for high-adversarial memory-based Webshells that combines dynamic and static analysis on top of RASP (Runtime Application Self-Protection). For user requests, RASP is used to monitor component-registration functions and privileged functions and to obtain context information; dynamic feature detection is then performed in real time, based on whether a corresponding file exists on disk and on data-flow analysis, without affecting the normal operation of the application. For the classes loaded in the JVM, and as a complement to the dynamic method, a deep-learning static detection algorithm based on textual features is studied to improve detection efficiency for high-adversarial memory-based Webshells. Experiments show that, compared with other detection tools, the method in this paper performs best at detecting memory-based Webshells, with an accuracy of 96.45% and a performance overhead of 7.74%, demonstrating its feasibility; furthermore, the location of the memory-based Webshell can be pinpointed from the detection results.
Keywords: memory-based Webshell; RASP; dynamic detection; static detection
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.11.04
Received: 2022-06-20; Revised: 2022-08-17
Funding: This work was supported by the Youth Innovation Promotion Association of the Chinese Academy of Sciences (No. 2019163), the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDC02040100), the Key Laboratory of Network Assessment Technology of the Chinese Academy of Sciences, and the Beijing Key Laboratory of Network Security and Protection Technology.
|
Java-oriented High-adversarial Memory Webshell Detection Technology |
Zhang Jinli,Chen Xingchen,Wang Xiaolei,Chen Qingwang,Dai Feng,Li Xianglong,Feng Yun,Cui Xiang |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China
Abstract:
Web applications have become one of the main targets of network attacks because of their complexity and importance. After an attacker compromises a website, he usually implants a Webshell to control the website persistently. However, as the contest between offense and defense has progressed, various detection technologies and endpoint security products have come into wide use, making the traditional file-resident Webshell easier and easier to detect, and the memory-based Webshell has become a new trend. A memory-based Webshell does not leave malicious files on disk; it injects malicious code into memory instead, which makes it more concealed and harder for security devices to detect, and there is currently a lack of detection technology for memory-based Webshells. For Java applications, this paper summarizes the characteristics and principles of memory-based Webshells, constructs a memory-based Webshell threat model, defines the high-adversarial memory-based Webshell, and proposes a high-adversarial memory-based Webshell detection technology that combines dynamic and static analysis on the basis of RASP (Runtime Application Self-Protection). For user requests, component-registration functions and privileged functions are monitored with RASP and the context information is obtained; dynamic feature detection is then carried out in real time according to whether a corresponding file exists on disk and to data-flow analysis, without affecting the normal operation of the application. For the classes loaded in the JVM, and as a supplement to the dynamic detection method, a deep-learning static detection algorithm based on text features is studied to improve the detection efficiency for high-adversarial memory-based Webshells. Experiments show that, compared with other detection tools, the method in this paper is the most effective at detecting memory-based Webshells, with an accuracy rate of 96.45% and a performance consumption of 7.74%, which shows it is feasible. Moreover, the location of the memory-based Webshell can be accurately determined from the detection results.
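The first dynamic feature the abstract describes is whether a registered component's class is backed by a file on disk. The following Java check, written for this page as an illustration and not taken from the authors' RASP implementation, tests exactly that for a loaded class; the Marker class and BytesLoader are constructed here only to produce one disk-backed and one memory-only class to compare.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;

public class MemoryClassCheck {
    // Dynamic feature from the paper: is the component's class backed by a file on disk?
    // A RASP hook on a component-registration function (filter/servlet/listener registration)
    // would call this with the class of the object being registered.
    static boolean backedByDisk(Class<?> cls) {
        CodeSource cs = cls.getProtectionDomain().getCodeSource();
        // Classes defined straight from a byte[] carry no CodeSource location.
        if (cs == null || cs.getLocation() == null) return false;
        try {
            // The location is the jar or classpath directory the class was read from.
            return Files.exists(Path.of(cs.getLocation().toURI()));
        } catch (Exception e) {
            return false; // a non-file URL (e.g. jrt:, http:) is not a disk file either
        }
    }

    // Constructed marker class: it exists on disk in the normal classpath.
    static class Marker {}

    // Constructed loader (hypothetical) that defines a class purely from bytes, so the
    // resulting class has no origin on disk, like a memory-resident component would.
    static class BytesLoader extends ClassLoader {
        BytesLoader() { super(null); }
        Class<?> define(String name, byte[] b) { return defineClass(name, b, 0, b.length); }
    }

    public static void main(String[] args) throws Exception {
        String res = Marker.class.getName().replace('.', '/') + ".class";
        byte[] bytes;
        try (InputStream in = MemoryClassCheck.class.getClassLoader().getResourceAsStream(res)) {
            bytes = in.readAllBytes();
        }
        Class<?> inMemory = new BytesLoader().define(Marker.class.getName(), bytes);

        System.out.println("disk-backed class : " + backedByDisk(Marker.class));
        System.out.println("memory-only class : " + backedByDisk(inMemory));
        // Heuristic only: a defining loader can supply its own ProtectionDomain, which is
        // why the paper pairs this check with data-flow analysis and static class inspection.
    }
}
```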
Key words: memory webshell; RASP; dynamic detection; static detection