Research And Implementation Of Java Memory Webshell Detection Technology Based On Program Analysis

In recent years,with the rapid development of Internet technology,Web applications have been widely used,which leads to more and more network attacks against Web applications.As one of the most common attacks,Webshell poses a serious threat to the security of Web applications.Although the existing detection technology can effectively identify traditional Webshell that needs to upload files,which ensures the security of Web applications to a certain extent,it is useless to Java memory Webshell.Java memory Webshell,as a file-free Webshell technology,injects executable code into memory,which is more hidden and brings great difficulty to detection.At present,there is little research on detection technology for Java memory Webshell,which is in the initial stage.A small number of open source tools can detect Java memory Webshell,but only support the detection of individual types,with high false negative rate and poor detection effect.Based on the above background,this paper focuses on the research and implementation of Java memory Webshell detection technology based on program analysis.The main work and innovations are as follows:1)Propose a dynamic Java memory Webshell detection technology based on class call information.This technology effectively filters suspicious classes from the Java virtual machine based on the class call information when target sensitive methods are triggered,which is obtained by dynamic RASP monitoring,and detects Java memory Webshell depending on whether their bytecode loading path is abnormal.2)Propose a static Java memory Webshell detection technology based on taint analysis.By defining taint sources,taint sinks and taint propagation rules,this technology tracks the propagation process of taint variables so as to detect the security problems in the code of suspicious classes.3)Implement a prototype detection system for Java memory Webshell.The test results show that this system can effectively detect Java memory Webshell that has been maliciously loaded into Java virtual machine.Compared with other tools,this system has a higher detection rate.