关键词: 语义分析, Webshell, 行为特征提取, 入侵检测, Web安全

Abstract: A semanticsbased Webshell detection method was proposed. This method obtained the code behavior and related dependencies by syntax analysis of the file, and achieved semantic understanding to complete the Webshell detection by the risk model. A critical abstract syntax subtree extraction method which can reject irrelevant factor and get the malicious behavior occurrence point was proposed. The description of behavior in risk model database was defined with BackusNaur Form, finally a smooth risk value curve could be obtained by graph matching algorithm, which can finish the criticality assessment of the file and can get a better result by adjusting the threshold A webshell detection system based on that detection method was designed and finished, the experimental results have demonstrated that the SemanticsBased method was effective in Webshell detection.

Key words: semantic analysis, Webshell, behavior signature extraction, intrusion detection, Web security