Journal of Information Security Research ›› 2016, Vol. 2 ›› Issue (1): 66-73.

Webshell Detection Method Research Based on Web Log

Shi Liuyang   

  Received: 2015-11-20  Online: 2016-01-05  Published: 2016-01-18



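  1. College of Electronics and Information Engineering, Sichuan University
  • Corresponding author: Shi Liuyang
  • About the authors: Shi Liuyang, master's student; main research interest: Web security. Fang Yong (方勇), Ph.D., professor; main research interests: information security and network information countermeasures. Appendix A: original experimental data.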

Abstract: This paper proposes a lightweight Webshell detection method based on Web logs. The method analyzes the server's log text files and detects Webshells from three angles: text features, statistical features and page-correlation features; its feasibility is verified by experiment. The text features are matched against the file access path and the submitted parameters, and the experiments show that normal Web page files and Webshell files differ clearly in both. For the statistical features, the access frequency of each Web page file is compared first, and the experiments show that access frequency, combined with the directory depth of the file, the starting time period and the number of unique visitors per unit time, can accurately identify abnormal files. The page-correlation feature finds isolated files by computing the in-degree and out-degree of each Web page file; the experiments show that a Webshell is usually an isolated file and is clearly distinguishable from normal Web page files.

Key words: Website backdoor, Webshell, Web log, Web security, intrusion detection
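
The page-correlation feature from the abstract, sketched as an added example that is not the paper's own code: it builds a link graph from access-log lines and reports files with in-degree and out-degree both zero. It assumes the Apache/Nginx "combined" log format and uses same-site Referer headers as link edges (the page does not say how the paper derives edges); the host `www.example.com`, the function names and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in "combined" log format (not data from the paper).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2016:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2016:10:00:09 +0800] "GET /news/list.php?page=2 HTTP/1.1" 200 8301 "http://www.example.com/index.php" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2016:10:00:20 +0800] "GET /news/view.php?id=7 HTTP/1.1" 200 9977 "http://www.example.com/news/list.php?page=2" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2016:10:01:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/news/view.php?id=7" "Mozilla/5.0"
192.0.2.44 - - [05/Jan/2016:03:12:40 +0800] "POST /upload/img/x.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jan/2016:03:12:55 +0800] "POST /upload/img/x.php HTTP/1.1" 200 1290 "http://www.example.com/upload/img/x.php" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def page_degrees(log_text, site_host):
    """Return {path: [in_degree, out_degree]} over distinct same-site page links."""
    edges, pages = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # skip unparsable lines and failed requests
        path = urlsplit(m["target"]).path  # drop the query string
        pages.add(path)
        ref = urlsplit(m["referer"])
        # Only a Referer on our own host, from a different page, counts as a link.
        if ref.hostname == site_host and ref.path and ref.path != path:
            edges.add((ref.path, path))
    degrees = {p: [0, 0] for p in pages}
    for src, dst in edges:
        degrees.setdefault(src, [0, 0])[1] += 1  # out-degree of the referring page
        degrees[dst][0] += 1                     # in-degree of the requested page
    return degrees

def isolated_pages(log_text, site_host):
    """Files no other page links to or from: candidates for review."""
    return sorted(p for p, (i, o) in page_degrees(log_text, site_host).items()
                  if i == 0 and o == 0)

if __name__ == "__main__":
    print(isolated_pages(SAMPLE_LOG, "www.example.com"))
```

Isolation alone also matches legitimate pages that are only ever reached directly, which is why the abstract combines it with the text and statistical features.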