CAJ | 학술논문

针对及时检测攻击者利用系统漏洞或篡改网页开源代码秘密地在web服务器上嵌入的恶意代码web shell问题，提出了一种基于评分机制的web shell检测系统Evil-hunter．首先，从互联网和各种安全论坛上收集了大量的web shell经常使用的恶意函数样本数据．其次，根据恶意函数在web shell和正常web应用中的不同危险级别和使用频度，利用所提出的评分策略对所收集的样本数据进行评分，并分析统计结果以得出适当的分数阈值．最后，根据所得出的分数阈值，借用简单的检测算法来对web 应用中所包含的恶意代码web shell进行识别．实验结果表明，与其他方法相比Evil-hunter具有更高的识别率和准确度．
침대급시검측공격자이용계통루동혹찬개망혈개원대마비밀지재web복무기상감입적악의대마web shell문제，제출료일충기우평분궤제적web shell검측계통Evil-hunter．수선，종호련망화각충안전론단상수집료대량적web shell경상사용적악의함수양본수거．기차，근거악의함수재web shell화정상web응용중적불동위험급별화사용빈도，이용소제출적평분책략대소수집적양본수거진행평분，병분석통계결과이득출괄당적분수역치．최후，근거소득출적분수역치，차용간단적검측산법래대web 응용중소포함적악의대마web shell진행식별．실험결과표명，여기타방법상비Evil-hunter구유경고적식별솔화준학도．
In order to detect web shells that hackers inject into web servers by exploiting system vulnerabilities or web page open sources a novel web shell detection system based on the scoring scheme is proposed named Evil-hunter.First a large set of malicious function samples normally used in web shells are collected from various sources on the Internet and security forums.Secondly according to the danger level and the frequency of using these malicious functions in the web shells as well as in legal web applications an assigning score strategy for each malicious sample is devised. Then the appropriate score threshold value for each sample is obtained from the results of a statistical analysis.Finally based on the threshold value a simple algorithm is presented to identify files that contain web shells in web applications. The experimental results show that compared with other approaches Evil-hunter can identify web shells more efficiently and accurately.