CN107426196B - A method and system for identifying WEB intrusion - Google Patents

A method and system for identifying WEB intrusion

Info

Publication number: CN107426196B
Authority: CN (China)
Prior art keywords: suspicious, web, score, request, behavior
Prior art date:
Legal status: Active
Application number: CN201710530865.2A
Other languages: Chinese (zh)
Other versions: CN107426196A (en)
Inventors: 马铁军, 郭昊, 詹雄, 张錋, 陈奋, 张英杰, 王涛, 何小芸, 张志强, 陈超, 邱岳, 王林, 贾冬冬, 程长高
Current assignee: Xiamen Fuyun Information Technology Co Ltd; Global Energy Interconnection Research Institute Co Ltd; State Grid Corp of China SGCC
Original assignee: Xiamen Fuyun Information Technology Co Ltd; Global Energy Interconnection Research Institute Co Ltd; State Grid Corp of China SGCC
Priority date:
Filing date:
Publication date:

Events: application filed by Xiamen Fuyun Information Technology Co Ltd, Global Energy Interconnection Research Institute Co Ltd and State Grid Corp of China SGCC; priority to CN201710530865.2A; publication of CN107426196A; application granted; publication of CN107426196B; legal status: active; anticipated expiration.


Abstract

Translated from Chinese

The present invention relates to a method for identifying WEB intrusion, comprising: acquiring the access behavior of a visitor; judging whether the access behavior is a suspicious request and, if so, accumulating the suspicious scores involved in the access behavior according to a preset suspicious-score evaluation standard to obtain a security score; when the security score is greater than a preset threshold, the user's behavior is abnormal and a WEB intrusion exists. The technical solution provided by the invention removes the dependence on traditional rule-based devices such as IPS and IDS, provides a rule-free means of identifying unknown advanced intrusions of WEB servers and the exploitation of 0day vulnerabilities, and achieves real-time awareness of the security state and running condition of the Web server.

Figure 201710530865

Description

Translated from Chinese

A method and system for identifying WEB intrusion

TECHNICAL FIELD

The present invention relates to the security monitoring of WEB servers, and in particular to a method and system for identifying WEB intrusion.

BACKGROUND

With the popularization of the Internet, IT technology has driven product innovation and change, but security problems of every kind have also become increasingly serious, pushing the information security industry to the forefront of IT development. WEB application security is an important branch of information security. Current security measures for WEB applications are mainly implemented by deploying mainstream systems or devices such as firewalls, IDS and IPS. As network attack techniques have developed, the inherent shortcomings of firewalls have left them powerless against attacks on WEB services.

For example, traditional WEB firewalls detect Webshells by keyword signature matching, but this technique produces false positives when a user's normal page happens to contain the keyword signature, and a high false-negative rate when the attacker encodes, encrypts or otherwise transforms the keywords. Moreover, such passive defenses based on signature databases lag behind: a signature must exist before detection is possible, signature-less detection is impossible, and so they cannot resist advanced unknown intrusions. Mainstream Internet security products such as IDS and IPS have the same problem. Therefore, detection of advanced unknown intrusions against WEB applications currently faces severe challenges.

The security monitoring mechanism of existing Web server systems relies too heavily on WAF and IDS systems, which in turn depend essentially on rules and are blind to 0day vulnerability attacks for which no rule exists.

Therefore, to overcome the above defects, the present invention proposes a method and system for identifying WEB intrusion.

SUMMARY OF THE INVENTION

In order to solve the above deficiencies of the prior art, the present invention provides a method and system for identifying WEB intrusion.

The technical scheme provided by the present invention is:

A method for identifying WEB intrusion, the method comprising:

acquiring the access behavior of a visitor;

judging whether the access behavior is a suspicious request and, if so, accumulating the suspicious scores involved in the access behavior according to a preset suspicious-score evaluation standard to obtain a security score;

when the security score is greater than the preset threshold, determining that the user's behavior is abnormal and a WEB intrusion exists.

Preferably, the security score is calculated as follows:

Security score = A suspicious score + B suspicious score + C suspicious score + D suspicious score (1)

where A: file monitoring; B: WEB process behavior monitoring; C: system anomaly analysis; D: supplementary monitoring.

Preferably, the file monitoring A is used to monitor WEB directories and sensitive system directories/paths, and to define suspicious scores for uncommon HTTP requests.

Preferably, the suspicious score defined for an uncommon HTTP request is +1.

Preferably, the WEB process behavior monitoring B is used to monitor and record the behavior and state of the WEB process while it executes HTTP requests, and to define suspicious scores for abnormal behavior and states during the execution of HTTP requests.

Preferably, the suspicious-score definitions for abnormal behavior and states during the execution of an HTTP request include: the WEB process opens a file under a sensitive system directory while executing the current request, suspicious score defined as +5;

the WEB process creates a new script file under the website directory while executing the current request, suspicious score defined as +5;

the WEB process modifies an existing script file under the website directory while executing the current request, suspicious score defined as +5;

the WEB process consumes large amounts of IO and handle resources, or its memory and CPU usage spike, while executing the current request, suspicious score defined as +5;

the currently requested file is a script file that was created or modified by the WEB process, suspicious score defined as +5.

Preferably, the system anomaly analysis C is used to monitor and record the time and IP information of abnormal system logins, as well as newly created processes that consume extremely high CPU/memory resources, to analyze whether an anomaly occurs while responding to the current HTTP request, and to define a suspicious score for remote logins to the system from an abnormal IP.

Preferably, the suspicious-score definition for a remote login to the system from an abnormal IP includes: when a remote login to the system from an abnormal IP occurs, the suspicious score is defined as +10.

Preferably, the supplementary monitoring is used to obtain, from the WEB access log, suspicious access records and all URL paths ever visited in the history, and to define suspicious scores for visitors and target files marked as suspicious requests in the WEB access log, and for URL paths that have never appeared before.

Preferably, the suspicious-score definitions for visitors and target files marked as suspicious requests in the WEB access log, and for URL paths that have never appeared before, include: the current requester IP is marked in the WEB access log as a suspicious requester, suspicious score +1;

the target file of the current request is marked in the WEB access log as the target file path of a suspicious request, suspicious score defined as +1;

the URL path of the current request has never appeared in the records of the WEB access log, suspicious score defined as +5.

Preferably, the sensitive system directories include the WEB directory and the system directory;

the WEB directory includes the WEB container directory and the WEB program directory.

Preferably, the acquired access behavior of the visitor includes: the request method, the target file, the files opened by the WEB process while executing the request, and the operations on all files under the monitored directories.

A system for identifying WEB intrusion, the system comprising: an acquisition module, a behavior detection module and a core algorithm module;

the acquisition module is used to acquire the access behavior of a visitor;

the behavior detection module is used to determine whether the user's access behavior is suspicious behavior, and to assign a suspicious score to suspicious behavior;

the core algorithm module is used to accumulate the suspicious scores and compare the accumulated suspicious score with a preset threshold; when the accumulated suspicious score is greater than the preset threshold, a WEB intrusion is determined to exist.

Preferably, the behavior detection module includes: a file monitoring module, a WEB process behavior monitoring module, a system anomaly analysis module and a supplementary monitoring module;

the file monitoring module is used to monitor WEB directories and sensitive system directories/paths, and to define suspicious scores for uncommon HTTP requests;

the WEB process behavior monitoring module is used to monitor and record the behavior and state of the WEB process while it executes HTTP requests, and to define suspicious scores for abnormal behavior and states during the execution of HTTP requests;

the system anomaly analysis module is used to monitor and record the time and IP information of abnormal system logins, as well as newly created processes that consume extremely high CPU/memory resources, to analyze whether an anomaly occurs while responding to the current HTTP request, and to define a suspicious score for remote logins to the system from an abnormal IP;

the supplementary monitoring module is used to obtain, from the WEB access log, suspicious access records and all URL paths ever visited in the history, and to define suspicious scores for visitors and target files marked as suspicious requests in the WEB access log, and for URL paths that have never appeared before.

Preferably, the suspicious scores corresponding to the suspicious requests monitored by the file monitoring module include: the current request method is an uncommon HTTP request, suspicious score +1;

the suspicious scores corresponding to the suspicious requests monitored by the WEB process monitoring module include: the WEB process opens a file under a sensitive system directory while executing the current request, suspicious score +5; the WEB process creates a new script file under the website directory while executing the current request, suspicious score +5; the WEB process modifies an existing script file under the website directory while executing the current request, suspicious score +5; the WEB process consumes large amounts of IO and handle resources, or its memory and CPU usage spike, while executing the current request, suspicious score +5; the currently requested file is a script file created or modified by the WEB process, suspicious score +5;

the suspicious scores corresponding to the suspicious requests monitored by the system anomaly analysis module include: when a remote login to the system from an abnormal IP occurs, suspicious score +10;

the suspicious scores corresponding to the suspicious requests of the supplementary monitoring module include: the current requester IP is marked as a suspicious requester in the WEB container directory, suspicious score +1; the target file of the current request is a file in the WEB container directory that returned a 404 status code, suspicious score +1; the URL path of the current request has never appeared in the records of the WEB access log, suspicious score +5.

Compared with the prior art, the beneficial effects of the present invention are:

The technical solution provided by the present invention judges whether the access behavior of a visiting user is a suspicious request, determines the suspicious score of the visitor's suspicious request according to a preset suspicious-score evaluation standard, and compares the total suspicious score with a preset threshold to determine whether the access behavior is normal. This achieves signature-less detection and effectively reduces the vulnerability rate.

The technical solution provided by the present invention uses the monitoring modules and the core algorithm module to monitor user access behavior in real time, removes the dependence on traditional rule-based devices such as IPS and IDS, and provides a rule-free means of identifying unknown advanced intrusions of WEB servers.

DESCRIPTION OF THE DRAWINGS

Fig. 1 is a flow chart of the method for identifying WEB intrusion of the present invention;

Fig. 2 is a schematic diagram of the structural relationship between the core algorithm module and the file monitoring module, the system anomaly analysis module and the WEB process behavior monitoring module of the present invention;

Fig. 3 is a schematic structural diagram of the file monitoring module of the present invention;

Fig. 4 is a schematic structural diagram of the WEB process behavior monitoring module of the present invention;

Fig. 5 is a schematic diagram of the WEB intrusion judgment principle of the present invention;

in which: 1 file monitoring module; 1-1 web program directory; 1-2 system directory; 1-3 registry keys; 1-4 web container directory; 2 WEB process behavior monitoring module; 2-1 start/load PE file; 2-2 CPU/memory/IO/handles; 2-3 WEB directory script file changes; 2-4 system directory file changes; 3 system anomaly analysis module; 4 supplementary monitoring module; 5 core algorithm module.

DETAILED DESCRIPTION OF THE EMBODIMENTS

To better understand the present invention, its content is further described below with reference to the accompanying drawings and examples.

The present invention provides a method for identifying WEB intrusion; as shown in Fig. 1, the method is specifically:

acquiring the access behavior of a visitor;

judging whether the access behavior is a suspicious request and, if so, accumulating the suspicious scores involved in the access behavior according to a preset suspicious-score evaluation standard to obtain a security score;

when the security score is greater than the preset threshold, the user's behavior is abnormal and a WEB intrusion exists.

The method is further refined as follows:

Step 1: Establish a trusted architecture for the WEB site. The principle of the trusted architecture is that all current content of the WEB site is trusted.

Step 2: Extract the file paths of the established trusted WEB site architecture: obtain the paths of all script files on the whole site through the file monitoring module, and monitor the whole-site directory.

Step 3: Monitor system directories such as the System32/System directories.

Step 4: Monitor the WEB container directory.

Step 5: Obtain suspicious access records from the WEB access log, including URL requests that returned a 404 page (requests for executable files) and uncommon HTTP requests; for such suspicious requests, record the visitor IP, access time and target file path, and count the number of access records from the same IP and the number of access records for the same URL.

Step 6: Obtain from the WEB access log all URL paths that have ever been visited.

Step 7: When a user accesses the WEB site, record the current requester IP, request method, target file, the files opened by the WEB process while executing the request, and the operations on all files under the monitored directories.

Step 8: Calculate the suspicious score of the suspicious requests in the access behavior according to the suspicious-score evaluation criteria.

As shown in Fig. 3, the file monitoring module 1 is mainly responsible for monitoring file changes under paths such as the web program directory 1-1, the system directory 1-2, the registry 1-3, the web container directory 1-4, and sensitive system directories/paths (including System32/System and the registry).

As shown in Fig. 4, the WEB process behavior monitoring module is responsible for monitoring and recording the behavior and state of the WEB process while it executes HTTP requests, including starting/loading PE files 2-1, CPU/memory/IO/handles 2-2, WEB directory script file changes 2-3 and system directory file changes 2-4, that is, operations such as creating, deleting and modifying files, loading or starting other executable PE files, and changes in resources such as CPU, memory, IO and handles.

Suspicious-score evaluation criteria:

The suspicious scores of the file monitoring include: the current request method is an uncommon HTTP request, suspicious score +1;

the suspicious scores of the WEB process behavior monitoring include: the WEB process opens a file under a sensitive system directory while executing the current request, suspicious score +5;

the WEB process creates a new script file under the website directory while executing the current request, suspicious score +5;

the WEB process modifies an existing script file under the website directory while executing the current request, suspicious score +5;

the WEB process consumes large amounts of IO and handle resources, or its memory and CPU usage spike, while executing the current request, suspicious score +5;

the currently requested file is a script file created or modified by the WEB process, suspicious score +5;

the suspicious scores of the system anomaly analysis include: a remote login to the system from an abnormal IP occurs, suspicious score +10;

the suspicious scores of the supplementary monitoring include: the current requester IP is marked in the WEB access log as a suspicious requester, suspicious score +1;

the target file of the current request is marked in the WEB access log as the target file path of a suspicious request, suspicious score +1;

the URL path of the current request has never appeared in the records of the WEB access log, suspicious score +5.

The sensitive system directories include the WEB directory and the system directory; the WEB directory includes the WEB container directory and the WEB program directory.

To better understand the technical solution in the embodiments of the present invention, and to make its above objects, features and advantages clearer, a further detailed description is given below with an intrusion example. To intrude into a WEB server, an attacker passes through at least three stages: writing a Webshell, accessing the Webshell, and executing the Webshell.

When an attacker attempts to upload a Webshell into the WEB directory (the Webshell may also be written by other means), the file monitoring module and the WEB process behavior monitoring module detect the WEB process writing a script file into the WEB directory, and the core algorithm module adds +5 to the suspicious score;

when the attacker attempts to access the Webshell file uploaded into the WEB directory, the WEB behavior monitoring module detects the WEB process attempting to open a script file newly created through the WEB process, and the core algorithm module adds +5 to the suspicious score;

when the target Webshell file performs behavior such as modifying the registry, starting a cmd process, loading a dangerous dll or creating a system account, this is discovered by the WEB process behavior monitoring module, and the core algorithm module adds +5 to the suspicious score;

when a remote login to the system from an abnormal IP occurs, the suspicious score is increased by +10.

As shown in Fig. 2, which depicts the relationship between the core algorithm module 5 and the file monitoring module 1, the WEB process behavior monitoring module 2, the system anomaly analysis module 3 and the supplementary monitoring module 4, the core algorithm module accumulates the suspicious scores to obtain the security score and compares the security score with the preset threshold; when the accumulated suspicious score is greater than the preset threshold, a WEB intrusion is determined to exist.

Security score = A suspicious score + B suspicious score + C suspicious score + D suspicious score (1)

where A: file monitoring; B: WEB process behavior monitoring; C: system anomaly analysis; D: supplementary monitoring.

It is set that if the accumulated security score is >15, the current system may have been intruded by an unknown advanced intrusion technique. The above process totals 25 suspicious points, so the current system can be judged to have been intruded. The threshold for judging an intrusion is set at more than 15 points mainly because the above stage 4 is not mandatory: the attacker may simply access the already uploaded WebShell and execute various commands to achieve the intrusion, and even then, uploading, accessing and executing the Webshell trigger abnormal behavior that makes the accumulated suspicious score reach more than 15 points.
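As an added illustration (not the patent's own code), the scoring engine described above in Python: the suspicious-score rules of sources A to D, the accumulation of formula (1), the >15 threshold, the three-stage Webshell scenario that reaches 25 points, and a variant without the remote login in which the supplementary rule for a never-seen URL path carries the score past the threshold. Event names, request fields and all sample data are constructed for this example.

```python
"""Suspicious-score accumulation modelled on the page's four sources (A file
monitoring, B WEB process behaviour, C system anomaly analysis, D supplementary
monitoring). Point values and the >15 threshold are the page's; event names,
request fields and all sample data are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    A_FILE = "file monitoring"
    B_PROCESS = "WEB process behaviour monitoring"
    C_SYSTEM = "system anomaly analysis"
    D_SUPPLEMENT = "supplementary monitoring"


# Suspicious-score evaluation criteria from the page, keyed by event names
# chosen here (constructed identifiers, not the patent's).
SCORE_RULES = {
    "uncommon_http_method": (Source.A_FILE, 1),
    "open_sensitive_system_file": (Source.B_PROCESS, 5),
    "new_script_in_web_dir": (Source.B_PROCESS, 5),
    "modify_script_in_web_dir": (Source.B_PROCESS, 5),
    "resource_spike": (Source.B_PROCESS, 5),
    "request_for_process_written_script": (Source.B_PROCESS, 5),
    "remote_login_from_abnormal_ip": (Source.C_SYSTEM, 10),
    "requester_ip_flagged_in_log": (Source.D_SUPPLEMENT, 1),
    "target_path_flagged_in_log": (Source.D_SUPPLEMENT, 1),
    "url_path_never_seen": (Source.D_SUPPLEMENT, 5),
}
THRESHOLD = 15                             # page: intrusion when score > 15
COMMON_METHODS = {"GET", "POST", "HEAD"}   # assumption: what "common" means


@dataclass
class Verdict:
    total: int
    per_source: dict      # the A, B, C, D terms of formula (1)
    intrusion: bool


def score_events(events):
    """Formula (1): security score = A + B + C + D, compared with THRESHOLD.
    Observations with no rule are not suspicious requests and add 0."""
    per_source = {s: 0 for s in Source}
    for ev in events:
        if ev in SCORE_RULES:
            src, points = SCORE_RULES[ev]
            per_source[src] += points
    total = sum(per_source.values())
    return Verdict(total, per_source, total > THRESHOLD)


def classify_request(req, known_paths, flagged_ips, flagged_paths, process_events):
    """Map one request (step 7) plus what the monitors saw while serving it to
    scoring events. known_paths: every URL path in the access-log history
    (step 6); flagged_ips/flagged_paths: requesters and targets the log marked
    suspicious (step 5); process_events: B/C observations for this request."""
    events = []
    if req["method"] not in COMMON_METHODS:
        events.append("uncommon_http_method")
    if req["path"] not in known_paths:
        events.append("url_path_never_seen")
    if req["ip"] in flagged_ips:
        events.append("requester_ip_flagged_in_log")
    if req["path"] in flagged_paths:
        events.append("target_path_flagged_in_log")
    return events + list(process_events)


# Constructed history, as if learned in steps 5 and 6.
KNOWN_PATHS = {"/index.php", "/login.php", "/static/app.js"}
FLAGGED_IPS = {"203.0.113.7"}       # TEST-NET address, constructed
FLAGGED_PATHS = {"/admin.exe"}      # a 404'd executable request in the log

WEBSHELL_STAGES = [                 # the page's three mandatory stages
    "new_script_in_web_dir",               # 1: Webshell written      +5
    "request_for_process_written_script",  # 2: Webshell accessed     +5
    "open_sensitive_system_file",          # 3: Webshell executes     +5
]


def page_scenario():
    """The page's worked example: three stages plus a remote login from an
    abnormal IP (+10), process/system observations only, totalling 25."""
    return score_events(WEBSHELL_STAGES + ["remote_login_from_abnormal_ip"])


def scenario_without_login():
    """No stage 4, but the request itself goes through classify_request, so
    the D rule fires: the Webshell path was never in the access log."""
    req = {"ip": "198.51.100.9", "method": "POST", "path": "/uploads/x.php"}
    events = classify_request(req, KNOWN_PATHS, FLAGGED_IPS, FLAGGED_PATHS,
                              WEBSHELL_STAGES)
    return score_events(events)


def benign_request():
    """An ordinary GET of a known page with nothing observed in the process."""
    req = {"ip": "192.0.2.44", "method": "GET", "path": "/index.php"}
    return score_events(
        classify_request(req, KNOWN_PATHS, FLAGGED_IPS, FLAGGED_PATHS, []))
```

The per-source subtotals in the verdict are the A, B, C and D terms of formula (1), so a triggered alert can be traced back to the monitoring module that produced it.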

一种识别WEB入侵的系统,该系统包括:获取模块、行为检测模块和核心算法模块;A system for identifying WEB intrusion, the system includes: an acquisition module, a behavior detection module and a core algorithm module;

获取模块用于获取访问者的访问行为;The access module is used to obtain the access behavior of the visitor;

检测模块:用于判定用户的访问行为是否为可疑行为,并为可疑行为赋可疑分值;Detection module: used to determine whether the user's access behavior is suspicious behavior, and assign suspicious scores to the suspicious behavior;

核心算法模块用于累加所述可疑分值,并将累加的可疑分值与预设阈值进行比较,当大所述累加的可疑分值大于预设阈值时,判定存在WEB入侵。The core algorithm module is used for accumulating the suspicious scores, and comparing the accumulated suspicious scores with a preset threshold, and when the accumulated suspicious scores are greater than the preset threshold, it is determined that there is a WEB intrusion.

检测模块包括:文件监测模块、WEB进程行为监测模块、系统异常分析模块和补充监测模块。The detection module includes: file monitoring module, WEB process behavior monitoring module, system abnormality analysis module and supplementary monitoring module.

文件监测模块主要负责监测WEB目录(包括WEB程序目录和WEB容器目录如WEB日志)、系统敏感目录/路径(包括System32/System和注册表)等路径下的文件变化;The file monitoring module is mainly responsible for monitoring file changes in the WEB directory (including WEB program directory and WEB container directory such as WEB log), system sensitive directory/path (including System32/System and registry) and other paths;

WEB进程监测模块负责监测并记录WEB进程在执行HTTP请求时的行为和状态,包括对文件的增、删、改和加载或启动其他可执行PE文件等操作以及CPU、内存、IO、句柄等资源的变化;The WEB process monitoring module is responsible for monitoring and recording the behavior and status of the WEB process when executing HTTP requests, including operations such as adding, deleting, modifying and loading files or starting other executable PE files, as well as resources such as CPU, memory, IO, and handles. The change;

系统异常状态监测模块负责:监测并记录每次系统异常登录的时间和IP信息;根据Web进程行为监测模块采集到的历史执行每个HTTP请求时Web进程占用的CPU\内存\IO\句柄等资源状况并结合WEB日志中记录的对每个HTTP请求的响应时长峰值和平均值,分析在响应当前HTTP请求时是否出现异常;监测是否在新增损耗CPU/内存等资源极高的进程;The system abnormal state monitoring module is responsible for: monitoring and recording the time and IP information of each abnormal system login; according to the history collected by the Web process behavior monitoring module, the CPU\memory\IO\handles and other resources occupied by the Web process when each HTTP request is executed Combined with the peak and average response time of each HTTP request recorded in the WEB log, analyze whether there is an abnormality in responding to the current HTTP request; monitor whether new processes with extremely high resources such as CPU/memory are being added;

补充监测模块通过WEB访问日志获取可疑访问记录,包括返回404页面的URL请求(对可执行文件的请求)和不常见的HTTP请求,记录该类可疑请求的访问者IP、访问时间、目标文件路径、统计同IP访问记录数目、统计同URL访问记录数目,并通过WEB访问日志获取所有历史记录中被访问过的URL路径。The supplementary monitoring module obtains suspicious access records through the WEB access log, including URL requests (requests for executable files) that return 404 pages and uncommon HTTP requests, and records the visitor IP, access time, and target file path of such suspicious requests. , Count the number of access records with the same IP, count the number of access records with the same URL, and obtain the URL paths that have been visited in all historical records through the WEB access log.

文件监测模块监测的可疑请求对应的可疑分值的包括:当前的请求方法为不常见的HTTP请求,可疑分值+1;The suspicious score corresponding to the suspicious request monitored by the file monitoring module includes: the current request method is an uncommon HTTP request, and the suspicious score is +1;

WEB进程监测模块监测的可疑请求对应的可疑分值包括:WEB进程在执行当前请求时打开系统敏感目录下的文件,可疑分值+5;WEB进程在执行当前请求时在网站目录下新增脚本文件,可疑分值+5;WEB进程在执行当前请求时对网站目录下原有的脚本文件进行修改,可疑分值+5;WEB进程在执行当前请求时占用大量IO和句柄资源或内存和CPU飙升,可疑分值+5;当前请求的文件为通过WEB进程新增或修改的脚本文件,可疑分值+5;The suspicious score corresponding to the suspicious request monitored by the WEB process monitoring module includes: when the WEB process executes the current request, the file in the sensitive directory of the system is opened, and the suspicious score is +5; when the WEB process executes the current request, a new script is added in the website directory File, suspicious score +5; WEB process modifies the original script file in the website directory when executing the current request, suspicious score +5; WEB process occupies a lot of IO and handle resources or memory and CPU when executing the current request Soaring, suspicious score +5; the currently requested file is a script file added or modified through the WEB process, suspicious score +5;

The suspicious scores corresponding to the suspicious requests monitored by the system anomaly analysis module include: a remote login to the system from an abnormal IP occurs, suspicious score +10;

The suspicious scores corresponding to the suspicious requests of the supplementary monitoring module include: the current requester IP is marked as a suspicious request in the WEB container directory, suspicious score +1; the target file of the current request is a file in the WEB container directory that returned a 404 status code, suspicious score +1; the URL path of the current request has never appeared in the records of the WEB access log, suspicious score +5.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It will be understood that each process and/or block in the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

The above are merely embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention falls within the scope of the pending claims of the present invention.

Claims (4)

Translated from Chinese

1. A method for identifying WEB intrusion, characterized in that the method comprises:
obtaining the access behavior of a visitor;
judging whether the access behavior is a suspicious request and, if it is, accumulating the suspicious scores involved in the access behavior according to a preset suspicious-score evaluation standard to obtain a security score;
when the security score is greater than a preset threshold, determining that the user behavior is abnormal and that a WEB intrusion exists;
the security score being calculated as follows:
security score = A suspicious score + B suspicious score + C suspicious score + D suspicious score (1)
where A: file monitoring; B: WEB process behavior monitoring; C: system anomaly analysis; D: supplementary monitoring;
the file monitoring A being used to monitor the WEB directory and system sensitive directories/paths and to define a suspicious score for uncommon HTTP requests;
the suspicious score defined for an uncommon HTTP request being +1;
the WEB process behavior monitoring B being used to monitor and record the behavior and state of the WEB process while it executes an HTTP request, and to define suspicious scores for abnormal behavior and states during execution of the HTTP request;
said defining of suspicious scores for abnormal behavior and states during execution of the HTTP request comprising: the WEB process opens a file under a system sensitive directory while executing the current request, suspicious score defined as +5; the WEB process adds a new script file under the website directory while executing the current request, suspicious score defined as +5; the WEB process modifies an existing script file under the website directory while executing the current request, suspicious score defined as +5; the WEB process occupies large amounts of IO and handle resources, or its memory and CPU usage surge, while executing the current request, suspicious score defined as +5; the currently requested file is a script file added or modified by the WEB process, suspicious score defined as +5;
the system anomaly analysis C being used to monitor and record the time and IP information of abnormal system logins and newly added processes that consume extremely high CPU/memory resources, to analyze whether an anomaly occurs while responding to the current HTTP request, and to define a suspicious score for a remote login to the system from an abnormal IP;
said defining of a suspicious score for a remote login from an abnormal IP comprising: when a remote login to the system from an abnormal IP occurs, suspicious score defined as +10;
the supplementary monitoring D being used to obtain from the WEB access log the suspicious access records and all URL paths visited in the historical records, and to define suspicious scores for visitors and target files marked as suspicious requests in the WEB access log and for URL paths that have never appeared;
said defining of suspicious scores for visitors and target files marked as suspicious requests in the WEB access log and for URL paths that have never appeared comprising: the current requester IP is marked as a suspicious request in the WEB access log, suspicious score defined as +1; the target file of the current request is marked in the WEB access log as the target file path of a suspicious request, suspicious score defined as +1; the URL path of the current request has never appeared in the records of the WEB access log, suspicious score defined as +5;
the system sensitive directories comprising the WEB directory and the system directories;
the WEB directory comprising the WEB container directory and the WEB program directory;
the obtained access behavior of the visitor comprising: the request method, the target file, the files opened by the WEB process while executing the request, and the operations on all files under the monitored directories.

2. A system applying the method for identifying WEB intrusion according to claim 1, characterized in that the system comprises: an acquisition module, a behavior detection module and a core algorithm module;
the acquisition module being used to obtain the access behavior of a visitor;
the behavior detection module being used to determine whether the user's access behavior is suspicious behavior and to assign suspicious scores to suspicious behavior;
the core algorithm module being used to accumulate the suspicious scores, to compare the accumulated suspicious score with a preset threshold, and to determine that a WEB intrusion exists when the accumulated suspicious score is greater than the preset threshold.

3. The system for identifying WEB intrusion according to claim 2, characterized in that the behavior detection module comprises: a file monitoring module, a WEB process behavior monitoring module, a system anomaly analysis module and a supplementary monitoring module;
the file monitoring module being used to monitor the WEB directory and system sensitive directories/paths and to define a suspicious score for uncommon HTTP requests;
the WEB process behavior monitoring module being used to monitor and record the behavior and state of the WEB process while it executes an HTTP request, and to define suspicious scores for abnormal behavior and states during execution of the HTTP request;
the system anomaly analysis module being used to monitor and record the time and IP information of abnormal system logins and newly added processes that consume extremely high CPU/memory resources, to analyze whether an anomaly occurs while responding to the current HTTP request, and to define a suspicious score for a remote login to the system from an abnormal IP;
the supplementary monitoring module being used to obtain from the WEB access log the suspicious access records and all URL paths visited in the historical records, and to define suspicious scores for visitors and target files marked as suspicious requests in the WEB access log and for URL paths that have never appeared.

4. The system for identifying WEB intrusion according to claim 3, characterized in that the suspicious scores corresponding to the suspicious requests monitored by the file monitoring module comprise: the current request method is an uncommon HTTP request, suspicious score +1;
the suspicious scores corresponding to the suspicious requests monitored by the WEB process monitoring module comprise: the WEB process opens a file under a system sensitive directory while executing the current request, suspicious score +5; the WEB process adds a new script file under the website directory while executing the current request, suspicious score +5; the WEB process modifies an existing script file under the website directory while executing the current request, suspicious score +5; the WEB process occupies large amounts of IO and handle resources, or its memory and CPU usage surge, while executing the current request, suspicious score +5; the currently requested file is a script file added or modified by the WEB process, suspicious score +5;
the suspicious scores corresponding to the suspicious requests monitored by the system anomaly analysis module comprise: a remote login to the system from an abnormal IP occurs, suspicious score +10;
the suspicious scores corresponding to the suspicious requests of the supplementary monitoring module comprise: the current requester IP is marked as a suspicious request in the WEB container directory, suspicious score +1; the target file of the current request is a file in the WEB container directory that returned a 404 status code, suspicious score +1; the URL path of the current request has never appeared in the records of the WEB access log, suspicious score +5.
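Formula (1) of claim 1 and the per-module point values given in the description above, worked through as an added Python example (not code from the patent): each of the four modules scores one observed request, the four scores are summed, and the total is compared with the threshold. The Observation fields, the set of "common" methods, the threshold value and the sample history and events are constructed assumptions; the patent only says the threshold is preset.

```python
"""Suspicious-score model of formula (1): score = A + B + C + D versus a threshold.

Added worked example, not the patent's code. Observation fields, THRESHOLD, the
"common methods" set and the sample events are constructed assumptions; the point
values follow the description and claim 1."""
from dataclasses import dataclass, field

COMMON_METHODS = {"GET", "POST", "HEAD"}  # assumption: page only says "uncommon"
THRESHOLD = 10                            # assumption: preset threshold is left open

@dataclass
class Observation:
    """Signals the monitoring modules gather while one HTTP request is served."""
    method: str
    url_path: str
    client_ip: str
    opened_sensitive_file: bool = False  # B: file under a system sensitive directory
    added_script: bool = False           # B: new script file in the website directory
    modified_script: bool = False        # B: existing script in the website directory changed
    resource_spike: bool = False         # B: heavy IO/handle use or CPU/memory surge
    target_is_process_written_script: bool = False  # B: requested file was written by the WEB process
    abnormal_remote_login: bool = False  # C: remote login from an abnormal IP

@dataclass
class LogHistory:
    """State the supplementary module derives from the WEB access log."""
    seen_paths: set = field(default_factory=set)       # every URL path ever logged
    suspicious_ips: set = field(default_factory=set)   # IPs already flagged in the log
    not_found_paths: set = field(default_factory=set)  # paths that returned 404

def score_a(o: Observation) -> int:
    """A: file monitoring. Uncommon HTTP method: +1."""
    return 1 if o.method not in COMMON_METHODS else 0

def score_b(o: Observation) -> int:
    """B: WEB process behaviour monitoring. Each abnormal behaviour: +5."""
    flags = (o.opened_sensitive_file, o.added_script, o.modified_script,
             o.resource_spike, o.target_is_process_written_script)
    return 5 * sum(flags)

def score_c(o: Observation) -> int:
    """C: system anomaly analysis. Abnormal IP remote login: +10."""
    return 10 if o.abnormal_remote_login else 0

def score_d(o: Observation, h: LogHistory) -> int:
    """D: supplementary monitoring from the access log: +1, +1, +5."""
    s = 1 if o.client_ip in h.suspicious_ips else 0
    s += 1 if o.url_path in h.not_found_paths else 0
    s += 5 if o.url_path not in h.seen_paths else 0
    return s

def evaluate(o: Observation, h: LogHistory) -> dict:
    """Sum the four module scores (formula (1)) and compare with the threshold."""
    parts = {"A": score_a(o), "B": score_b(o), "C": score_c(o), "D": score_d(o, h)}
    total = sum(parts.values())
    return {**parts, "total": total, "intrusion": total > THRESHOLD}

# Constructed sample history and events (not real data).
SAMPLE_HISTORY = LogHistory(seen_paths={"/index.php", "/login.php", "/admin.exe"},
                            suspicious_ips={"203.0.113.7"},
                            not_found_paths={"/admin.exe"})
BENIGN = Observation("GET", "/index.php", "198.51.100.4")
# A flagged IP uses PUT to add a new script at a path the access log has never seen.
UPLOAD = Observation("PUT", "/uploads/new.php", "203.0.113.7", added_script=True)
PROBE = Observation("GET", "/admin.exe", "203.0.113.7")  # earlier 404 path, flagged IP

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("upload", UPLOAD), ("probe", PROBE)):
        print(name, evaluate(ev, SAMPLE_HISTORY))
```

Only the UPLOAD event crosses the assumed threshold (1 + 5 + 0 + 6 = 12); the 404 probe from the same flagged IP scores 2, which shows why the per-request total, not any single module, drives the verdict.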

Priority Applications (1)

Application number: CN201710530865.2A (publication CN107426196B, en); priority date: 2017-06-30; filing date: 2017-06-30; title: A method and system for identifying WEB intrusion


Publications (2)

CN107426196A (en), publication date 2017-12-01
CN107426196B (en), publication date 2022-06-21 (this document)

Family ID: 60426859


Country Status (1)

CN (1): CN107426196B (en)


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
