Title

The Research and Improvement in the Detection of PHP Variable WebShell based on Information Entropy

DOI

10.3966/199115992017102805006

Authors

Chundong Wang;Hong Yang;Zhentang Zhao;Liangyi Gong;Zhiyuan Li

Keywords

characteristic value detection ; information entropy ; PHP ; variable Webshell

Journal Name

電腦學刊

Volume and Issue / Publication Date

Vol. 28, No. 5 (2017 / 10 / 01)

Pages

62 - 69

Content Language

English

Chinese Abstract

In recent years, there has been an increasing trend of implanting back doors for website attacks, using the back door to tamper with the application system and steal the sensitive information in the database, which causes great threat. Existing Webshell backdoor detection methods are generally based on static attributes and can search for and kill common backdoor attacks, but because the variable WebShell is often disguised as a normal Web script file, this kind of dynamic behavior is often difficult for such detection technology to handle, and it cannot effectively detect variable WebShell. In order to detect variable WebShell, we propose an information entropy detection algorithm based on PHP special strings, which uses the information entropy of a normal file as the threshold to detect whether a PHP file contains a Webshell or not. On this basis, in order to solve the difficulties with non-ASCII code and digital variable WebShell, as well as the flexibility of the PHP language's dynamic functions, we propose a detection algorithm based on quotation information entropy. The experimental results show that the special string information entropy detection algorithm based on PHP and the detection algorithm based on quotes entropy can better detect variable Webshell with high accuracy and a low false alarm rate. The PHP special string detection algorithm based on information entropy, together with the detection algorithm based on quotation information entropy, shows better detection performance in handling the difficulties of detecting ASCII and digital variable Webshell.

Subject Classification: Basic and Applied Sciences > Information Science