| 摘要: |
| 近些年来,随着计算机技术的不断发展和应用,Web应用技术也在快速更迭,与其一起发展的还有木马后门技术,但传统的木马后门技术已经不能满足攻击者的需求,因而基于内存攻击的方式不断涌现,包括powershell内存载入攻击、.NET assembly托管代码注入攻击以及内存马(Memory WebShell,MemShell)攻击等,这些攻击方式为现有的安全防御检测机制带来了极大的挑战。因而业界对面向解决基于内存的攻击尤其是内存马的攻击展现出了强烈的需求。但当前业内针对内存马的检测能力较弱,学术界也缺乏对该领域的研究工作,所以本文提出了一种针对Tomcat Filter型的内存马检测方法。通过研究发现,内存马其最核心技术便是无文件(Fileless)及不落地(Living off the Land),但尽管如此,内存马最终会在内存中展现其功能并执行命令,所以内存是所有威胁的交汇点,因此本文将Java虚拟机(Java Virtual Machine,JVM)作为起始点,首先利用JVM内存扫描技术遍历出JVM内存中加载的所有Filter类型对象,但需要注意的是这些对象并非都是有威胁的,并且每一个对象都具有一定的特征,所以可以对这些特征通过人工经验进行分类并且筛选出具有代表性的特征向量,然后获取每一个Filter类型对象的所有代表特征向量,并根据特征向量的值梳理出异常表现序列;最后,利用朴素贝叶斯算法将大量正常和异常的Filter对象的异常表现序列作为训练样本,计算出对应项的条件概率并形成贝叶斯分类器。利用训练出的贝叶斯分类器就可以构建出一个内存马检测模型,该模型能够有效得针对该类型的内存马进行检测。实验结果表明,本文提出的方法针对Tomcat Filter型内存马的检测,实现了零误报率和94.07%的召回率。 |
| 关键词: 远程控制|内存马|无文件后门|朴素贝叶斯分类算法|异常表现序列 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2023.07.11 |
| Received:December 21, 2021Revised:February 28, 2022 |
| 基金项目:本课题得到国家重点研发计划(No. 2020YFB1006003, No. 2020YFB1006004)、国家自然科学基金(No. 61772150, No. 61862012, No.61962012, No. 62002184)、广东省重点领域研发计划项目(No. 2020B0101090002)、鹏城实验室网络空间安全研究中心网络仿真项目(No.PCL2018KP004)的资助。 |
|
| Research on MemShell Detection Technology for Tomcat Filter |
| CAI Guobao,Zhang Kun,Qu Bo,Li Jun,Yuan Fang,Li Zhenyu,Ding Yong |
| School of Computer and Information Security, Guilin University of Electronic Technology Guilin 541000, China;State Information Center, Beijing 100000, China;Peng Cheng Laboratory, Shenzhen 518000, China;China Industrial Control Systems Cyber Emergency Response Team, Beijing 100000, China;Communication center of the Ministry of Foreign Affairs, Beijing 100000, China |
| Abstract: |
| In recent years, with the continuous development and application of computer technology, web application technology is also changing rapidly, along with the development of Trojan back door technology. Apart from the attacks using traditional Trojan back door technology, memory-based attacks are emerging, including PowerShell memory loading attacks, .NET assembly managed code injection attacks and Memory WebShell (MemShell) attacks, all of which can bring great challenges to the existing security defense and detection mechanism. Therefore, there comes a great demand for solutions to memory-based attacks, especially MemShell ones. While the industry is presently faced with a lack of MemShell detection means, little academic research has been carried out. Under the circumstances, this paper proposes an approach to detecting MemShell of Tomcat Filter. Research shows that the core technology of MemShell is fileless and living off the land. However, MemShell will eventually show its functions and execute commands in memory, so memory is the intersection of all threats. Therefore, this paper takes Java virtual machine (JVM) as the starting point. Firstly, use the JVM memory scanning technology to traverse all Filter type objects loaded in the JVM memory, whereas it should be noted that these objects are not all threatening, and each object has certain characteristics, so these characteristics can be classified through human experience and representative feature vectors can be filtered. Then, get the representative eigenvector of each filter type object, and sort out the abnormal performance sequence according to the value of the eigenvector. Finally, the naive Bayesian algorithm is used to take a large number of abnormal performance sequences of normal and abnormal filter objects as training samples to calculate the conditional probability of corresponding items and then form a Bayesian classifier. Using the trained Bayesian classifier, a MemShell detection model can be constructed, which can effectively detect this type of MemShell. Shown by the experimental results, the method proposed in this paper achieves zero false positive rate and 94.07% recall rate for the detection of Tomcat filter MemShell. |
| Key words: remote control|memory webshell|fileless webshell|naive bayesianclassification algorithm|abnormal performance sequence |
