面向 Java 的高对抗内存型 Webshell 检测技术

张金莉; 陈星辰; 王晓蕾; 陈庆旺; 代峰; 李香龙; 冯云; 崔翔

引用本文：

张金莉,陈星辰,王晓蕾,陈庆旺,代峰,李香龙,冯云,崔翔.面向 Java 的高对抗内存型 Webshell 检测技术[J].信息安全学报,2022,7(6):62-79 [点击复制]
Zhang Jinli,Chen Xingchen,Wang Xiaolei,Chen Qingwang,Dai Feng,Li Xianglong,Feng Yun,Cui Xiang.Java-oriented High-adversarial Memory Webshell Detection Technology[J].Journal of Cyber Security,2022,7(6):62-79 [点击复制]

本文已被：浏览 2885次下载 2721次	码上扫一扫！
面向 Java 的高对抗内存型 Webshell 检测技术
张金莉^1,2, 陈星辰^1,2, 王晓蕾^1,2, 陈庆旺^1,2, 代峰¹, 李香龙^1,2, 冯云¹, 崔翔^1,3
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所北京中国 100093;2.中国科学院大学网络空间安全学院北京中国 100049;3.广州大学网络空间先进技术研究院广州中国 510006)

摘要:

由于 Web 应用程序的复杂性和重要性, 导致其成为网络攻击的主要目标之一。攻击者在入侵一个网站后, 通常会植入一个 Webshell, 来持久化控制网站。但随着攻防双方的博弈, 各种检测技术、终端安全产品被广泛应用, 使得传统的以文件形式驻留的 Webshell 越来越容易被检测到, 内存型 Webshell 成为新的趋势。内存型 Webshell 在磁盘上不存在恶意文件, 而是将恶意代码注入到内存中, 隐蔽性更强, 不易被安全设备发现, 且目前缺少针对内存型 Webshell 的检测技术。本文面向 Java 应用程序, 总结内存型 Webshell 的特征和原理, 构建内存型 Webshell 威胁模型, 定义了高对抗内存型 Webshell, 并提出一种基于RASP(Runtime application self-protection, 运行时应用程序自我保护)的动静态结合的高对抗内存型 Webshell 检测技术。针对用户请求, 基于 RASP 技术监测注册组件类函数和特权类函数, 获取上下文信息, 根据磁盘是否存在文件以及数据流分析技术进行动态特征检测, 在不影响应用程序正常运行的前提下, 实时地检测; 针对 JVM 中加载的类及对动态检测方法的补充, 研究基于文本特征的深度学习静态检测算法, 提升高对抗内存型 Webshell 的检测效率。实验表明, 与其他检测工具相比, 本文方法检测内存型 Webshell 效果最佳, 准确率为 96.45%, 性能消耗为 7.74%, 具有可行性, 并且根据检测结果可以准确定位到内存型Webshell 的位置。

关键词: 内存型 Webshell RASP 动态检测静态检测

DOI：10.19363/J.cnki.cn10-1380/tn.2022.11.04

投稿时间：2022-06-20修订日期：2022-08-17

基金项目:本课题得到中国科学院青年创新促进会(No. 2019163); 中国科学院战略性先导科技专项项目(No. XDC02040100); 中国科学院网络测评技术重点实验室和网络安全防护技术北京市重点实验室资助。

Java-oriented High-adversarial Memory Webshell Detection Technology

Zhang Jinli^1,2, Chen Xingchen^1,2, Wang Xiaolei^1,2, Chen Qingwang^1,2, Dai Feng¹, Li Xianglong^1,2, Feng Yun¹, Cui Xiang^1,3

(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;3.Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China)

Abstract:

Web application has become one of the main targets of network attacks due to its complexity and importance. After an attacker invades a website, he usually implants a Webshell to control the website persistently. However, with the game between the offense and defense, various detection technologies and terminal security products are widely used, making the traditional Webshell residing in the form of file more and more easily detected, and the memory-based Webshell has become a new trend. Memory-based Webshell does not hava malicious files on disk, but injects malicious code into memory, which is more concealed and difficult to be detected by security devices, and currently there is a lack of detection technology for memory-based Webshell. For Java applications, this paper summarizes the characteristics and principles of memory-based Webshell, constructs a memory-based Webshell threat model, defines a high-adversarial memory-based Webshell, and proposes a high-adversarial memory-based Webshell detection technology based on RASP (Runtime application self-protection) and dynamic and static combination. To user requests, the register component functions and privileged functions are monitored based on RASP technology, and the context information is obtained. The dynamic feature detection is carried out in real-time according to whether there are files in the disk and data flow analysis technology, without affecting the normal operation of the application program. Aiming at the classes loaded in the JVM and the supplement to the dynamic detection method, a deep learning static detection algorithm based on text features is studied to improve the detection efficiency of high-adversarial memory-based webshell. Experiments show that, compared with other detection tools, the method in this paper has the best effect in detecting memory-based Webshells, with an accuracy rate of 96.45%, and a performance consumption of 7.74%, which is feasible. Moreover, the location of the memory-based Webshell can be accurately located according to the detection results.

Key words: memory webshell RASP dynamic detection static detection