Abstract
To address the poor effectiveness of Webshell detection, the characteristics of Webshells were analyzed and three factors were considered together: the obfuscation resistance of fingerprint matching, the ability to recognize code obfuscation, and detection accuracy. An obfuscation detection algorithm based on identifier word segmentation, a fingerprint algorithm based on the syntax tree, and a taint analysis detection mechanism were proposed, and a detection framework based on a combination strategy was built on top of them. The taint analysis mechanism extends conventional taint analysis by adding identification of encoding functions and dangerous functions and by labeling the parameters of dangerous functions with a danger classification, improving on existing static data-flow analysis methods. Experimental results show that the framework's overall Webshell detection rate and its detection rate for obfuscated Webshells are better than those of most of the tested software.
Authors
WANG Wen-qing (王文清)
PENG Guo-jun (彭国军)
CHEN Zhen-hang (陈震杭)
HU An-qi (胡岸琪)
School of Computer, Wuhan University, Wuhan 430072, China; Key Laboratory of Aerospace Information Security and Trusted Computing, Wuhan University, Wuhan 430072, China
Source
Computer Engineering and Design (《计算机工程与设计》)
Peking University Core Journal (北大核心)
2018, Issue 4, pp. 907-911, 917 (6 pages)
Funding
National Natural Science Foundation of China (U1636107, 61202387, 61373168)
Keywords
Webshell detection
identifier word segmentation
obfuscation detection
fingerprint algorithm
taint analysis