Journal of Information Security Research, 2022, Vol. 8, Issue (7): 656-.


Apache Shiro Deserialization Attack Detection Model Based on  Attack Characteristics


Online: 2022-07-04. Published: 2022-07-04.

Original title (Chinese): 基于攻击特征的Apache Shiro反序列化攻击检测模型

Feng Meiqi (冯美琪) 1, Han Jie (韩杰) 2, Li Jianxin (李建欣) 1

  1 Operations Center, China Civil Aviation Information Network Co., Ltd. (中国民航信息网络股份有限公司), Beijing 101318
  2 Beijing Aerospace Wanyuan Technology Co., Ltd. (北京航天万源科技有限公司), Beijing 100176
  (852828641@qq.com)
  • Corresponding author: Feng Meiqi, M.S., junior engineer. Research interests: network security, security analysis. 852828641@qq.com
  • Author biographies: Feng Meiqi, M.S., junior engineer. Research interests: network security, security analysis. 852828641@qq.com. Han Jie, M.S., deputy chief engineer. Research interests: network security, information security. 13810099131@139.com. Li Jianxin, M.S., deputy director engineer. Research interests: network security, information security. jianxinleee@sina.com

Abstract: Apache Shiro is a widely used security framework that provides authentication, authorization, cryptography and session management. Its deserialization vulnerability, however, readily leads to arbitrary code execution, and existing detection methods produce many false positives. This paper therefore proposes a detection model for Apache Shiro deserialization attacks based on attack characteristics. By comparing the network-packet characteristics of normal traffic with those of exploitation attempts, it summarizes four attack characteristics and builds a detection model on them. The model also judges whether an attack is suspected to have succeeded and routes such events to manual confirmation and handling. Experimental results show that the method not only detects Apache Shiro deserialization attacks but also determines whether an attack is suspected to have succeeded, improving the efficiency of security-event handling. Compared with existing methods, it effectively lowers the false positive rate, which in turn lowers the mis-handling rate and reduces the impact on normal business.

Key words: attack characteristic, deserialization, vulnerability detection, Apache Shiro, security event handling
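The abstract does not reproduce the four attack characteristics the paper derives, so what follows is an added example of the kind of packet-level detector the abstract describes, written for this page and not the authors' model. It relies on two Shiro behaviours: the rememberMe cookie is Base64 of AES-CBC ciphertext (IV prepended) wrapping a serialized Java object, and Shiro answers a cookie it cannot decrypt or deserialize by clearing it with `Set-Cookie: rememberMe=deleteMe`. The decoded-size threshold, the verdict labels, the sample HTTP exchanges and the filler "ciphertext" are assumptions constructed for illustration. The "suspected success" verdict mirrors the abstract's triage step: an oversized cookie that the server did not reject is handed to an analyst rather than auto-blocked.

```python
"""Heuristic detector for Apache Shiro rememberMe deserialization attacks.

Added example for this page, not the paper's model. The size threshold,
verdict labels and sample exchanges are assumptions constructed for
illustration; the Shiro behaviour relied on is that the rememberMe cookie is
Base64(AES-CBC ciphertext with the IV prepended) of a serialized Java object,
and that Shiro answers a cookie it cannot decrypt or deserialize by clearing it
with `Set-Cookie: rememberMe=deleteMe`.
"""
import base64
import binascii
import re
from typing import Optional

AES_BLOCK = 16
# Assumption: a legitimate cookie (encrypted PrincipalCollection) decodes to a
# few hundred bytes, while ysoserial-style gadget chains decode to several KB.
SUSPICIOUS_DECODED_LEN = 1024


def get_cookie(request: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` from a raw HTTP request head, or None."""
    for line in request.splitlines():
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                key, _, value = part.strip().partition("=")
                if key == name:
                    return value
    return None


def decode_remember_me(value: str) -> Optional[bytes]:
    """Base64-decode a rememberMe value, or None if it cannot be Shiro
    ciphertext (invalid Base64, shorter than IV + one block, or not
    block-aligned)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK:
        return None
    return raw


def response_forgets_identity(response: str) -> bool:
    """True if the response clears the cookie, i.e. Shiro rejected it."""
    return re.search(r"(?im)^set-cookie:\s*rememberMe=deleteMe", response) is not None


def classify(request: str, response: str) -> str:
    """Verdict for one request/response pair."""
    value = get_cookie(request, "rememberMe")
    if value is None or value == "deleteMe":   # Shiro ignores a deleteMe value
        return "no-cookie"
    raw = decode_remember_me(value)
    if raw is None:
        return "malformed"                      # probing or a broken client
    if len(raw) < SUSPICIOUS_DECODED_LEN:
        return "benign"
    # Oversized ciphertext looks like a gadget chain; whether the server
    # cleared the cookie separates a failed attempt from a suspected success.
    if response_forgets_identity(response):
        return "attack-rejected"
    return "attack-suspected-success"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed stand-ins for ciphertext (filler bytes, not real AES output).
BENIGN_COOKIE = _b64(bytes(AES_BLOCK) + b"\x01" * 160)    # 176 bytes
PAYLOAD_COOKIE = _b64(bytes(AES_BLOCK) + b"\x02" * 4096)  # 4112 bytes

# Constructed HTTP exchanges (not captured traffic).
REQ = ("GET /account HTTP/1.1\r\nHost: app.example.internal\r\n"
       "Cookie: JSESSIONID=abc123; rememberMe={}\r\n\r\n")
RESP_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RESP_FORGET = ("HTTP/1.1 200 OK\r\nSet-Cookie: rememberMe=deleteMe; Path=/; "
               "Max-Age=0\r\nContent-Type: text/html\r\n\r\n")

SAMPLE_EXCHANGES = [
    ("login page, no cookie", "GET /login HTTP/1.1\r\nHost: app.example.internal\r\n\r\n", RESP_OK),
    ("remembered user", REQ.format(BENIGN_COOKIE), RESP_OK),
    ("garbage cookie", REQ.format("not-base64!!"), RESP_FORGET),
    ("gadget chain, rejected", REQ.format(PAYLOAD_COOKIE), RESP_FORGET),
    ("gadget chain, accepted", REQ.format(PAYLOAD_COOKIE), RESP_OK),
]


def run_samples() -> dict:
    """Classify every constructed exchange; keyed by label."""
    return {label: classify(req, resp) for label, req, resp in SAMPLE_EXCHANGES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:24} -> {verdict}")
```

Without the server's AES key the detector cannot look inside the ciphertext, which is why it leans on size and on the server's reaction. Where the key is known to the defender (or where the application still uses the well-known default key that shipped with Shiro 1.2.4 and earlier), a stronger check is to decrypt the cookie and test whether the plaintext starts with the Java serialization magic bytes 0xAC 0xED; a cookie that decrypts cleanly to a large serialized stream is strong evidence of a gadget chain regardless of the response.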
