
Research On Visual Analysis Method Of WebShell Dynamic Behaviors

Posted on: 2023-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Li
Full Text: PDF
GTID: 2568307070984169
Subject: Engineering
Abstract/Summary:
Data services and application services based on the cloud environment have become a necessity of work and life. While the cloud environment brings convenience to people, it also faces many internal security risks. Statistics show that malicious WebShells are the main malicious file type in the cloud environment, with high stealth, high destructiveness and fast mutation speed. Malicious WebShell detection currently relies mainly on feature analysis of WebShell source code, yet a WebShell can exhibit run-time behavior features that differ from those described by its source code. In comparison, Opcode, as an intermediate file of WebShell, can provide the run-time dynamic features of a WebShell, which helps to analyze and understand those dynamic features and so improves the detection of malicious WebShells. This thesis uses Opcode to study the dynamic behavior of WebShell, which helps cloud security analysts to analyze the dynamic behavior of WebShell and improve the detection accuracy of malicious WebShell. The main research work of this thesis includes:

(1) A WebShell data feature representation method is proposed. The method characterizes WebShell from both static and dynamic aspects, constructing a unified WebShell feature vector. For the static aspect, static information such as the location characteristics and time characteristics of WebShell files is considered. For the dynamic aspect, the run-time information on the function calls and call sequences of WebShell recorded by Opcode is combined with the word vector model to characterize the dynamic features.

(2) A WebShell dynamic behavior visualization is presented. The visualization is based on the classic MSV (Massive Sequences View, large-scale sequence diagram) and designs visual codes for some important patterns, such as function call relationships, function call sequences, dangerous functions, taint marks and periodic function calls, improving the ability of MSV to present these patterns. The visualization can help cloud security analysts to observe and analyze the run-time function call patterns of WebShell, especially to recognize high-risk behaviors such as obfuscated operations and sensitive function calls.

(3) A visual interactive analysis prototype system is designed. The system consists of automated cluster analysis and interactive analysis. In the clustering analysis module, many WebShells are clustered based on the WebShell feature representation vector to find WebShells with similar dynamic behaviors. In the interactive analysis module, the clustering result projection figures, the WebShell function call sequence figures and multiple statistical figures are combined to present the clustering results and WebShell dynamic function call behavior, helping users to understand the clustering results and find interesting WebShell clusters and WebShell files.
Keywords/Search Tags:Cloud computing, Malware, WebShell, Visual analysis