Authors: Feng Meiqi, Han Jie, Li Jianxin (Operation Center, TravelSky Technology Limited, Beijing 101318; Beijing Aerospace Wanyuan Science & Technology Co., Ltd., Beijing 100176)
Affiliations: [1] Operation Center, TravelSky Technology Limited, Beijing 101318; [2] Beijing Aerospace Wanyuan Science & Technology Co., Ltd., Beijing 100176
Source: Journal of Information Security Research (《信息安全研究》), 2022, No. 7, pp. 656-665 (10 pages)
Funding: Civil Aviation Safety Capacity Building Fund projects (PESA2020100, PESA2021009).
Abstract: Apache Shiro is a widely used security framework that provides authentication, authorization, cryptography and session management, but its deserialization vulnerability can lead to arbitrary code execution, and existing detection methods produce many false positives. This paper therefore proposes a detection model for Apache Shiro deserialization attacks based on attack features. By analysing network packet characteristics under normal conditions and under vulnerability exploitation, four attack features are summarised, and a model built on them detects Apache Shiro deserialization attacks while also judging whether an attack is suspected to have succeeded, in which case the event is routed to manual confirmation and handling. Experimental results show that the method not only detects Apache Shiro deserialization attacks but also determines whether an attack is suspected to have succeeded, improving the efficiency of security incident handling. Compared with existing methods, it effectively lowers the false positive rate, thereby lowering the rate of mistaken handling and reducing the impact on normal business.
Keywords: attack features; deserialization; vulnerability detection; Apache Shiro; security incident handling
Classification: TP309 [Automation and Computer Technology, Computer System Architecture]
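The abstract describes the approach (derive attack features from request/response traffic, classify each exchange, escalate suspected successes to a human) but does not list the four features the paper uses. The Python below is an added example written for this page, not code from the paper or from Apache Shiro, and it shows the general shape of such a detector using two illustrative traits of the well-known Shiro rememberMe attack path: a rememberMe cookie far larger than a legitimate encrypted token (gadget-chain payloads are typically kilobytes), and Shiro's `Set-Cookie: rememberMe=deleteMe` response, which it emits when it cannot decrypt or deserialize the cookie. The thresholds, class names, verdict labels and the sample traffic are all assumptions constructed here, and the traits are stand-ins for, not a reconstruction of, the paper's four features.

```python
"""Toy Shiro rememberMe attack triage over reassembled HTTP exchanges.
Features and thresholds are illustrative assumptions, not the paper's."""
import base64
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a legitimate rememberMe token (Base64 of an AES-CBC encrypted
# serialized PrincipalCollection) is a few hundred characters; gadget-chain
# payloads are usually several thousand.
MAX_BENIGN_COOKIE_LEN = 1024
# Assumption: this many rejected oversized payloads from one source within the
# analysed window is treated as key or gadget brute forcing.
BRUTE_FORCE_THRESHOLD = 3


@dataclass
class HttpExchange:
    """One request/response pair as a passive sensor would reassemble it."""
    src_ip: str
    request_headers: Dict[str, str]
    response_headers: Dict[str, str]


def remember_me_cookie(request_headers: Dict[str, str]) -> Optional[str]:
    """Return the rememberMe cookie value, or None if the request has none."""
    for part in request_headers.get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "rememberMe":
            return value
    return None


def shiro_rejected_cookie(response_headers: Dict[str, str]) -> bool:
    """Shiro clears a rememberMe cookie it could not decrypt or deserialize
    by answering with `Set-Cookie: rememberMe=deleteMe; ...`."""
    return "rememberMe=deleteMe" in response_headers.get("Set-Cookie", "")


def classify(ex: HttpExchange) -> str:
    """Verdict for one exchange from the two illustrative traits."""
    cookie = remember_me_cookie(ex.request_headers)
    if cookie is None:
        return "no_remember_me"
    oversized = len(cookie) > MAX_BENIGN_COOKIE_LEN
    rejected = shiro_rejected_cookie(ex.response_headers)
    if oversized and rejected:
        return "attack_attempt"      # payload-sized cookie that Shiro refused
    if oversized:
        return "suspected_success"   # payload-sized cookie that Shiro accepted
    if rejected:
        return "stale_cookie"        # normal token, e.g. expired or key rotated
    return "benign"


def analyse(exchanges: List[HttpExchange]) -> Dict[str, object]:
    """Per-exchange verdicts plus the source-level escalations a SOC wants."""
    verdicts = [classify(ex) for ex in exchanges]
    attempts = Counter(ex.src_ip for ex, v in zip(exchanges, verdicts)
                       if v == "attack_attempt")
    return {
        "verdicts": verdicts,
        "brute_force_sources": sorted(ip for ip, n in attempts.items()
                                      if n >= BRUTE_FORCE_THRESHOLD),
        # suspected successes are handed to manual confirmation, not auto-blocked
        "manual_review": sorted({ex.src_ip for ex, v in zip(exchanges, verdicts)
                                 if v == "suspected_success"}),
    }


def _fake_cookie(n_bytes: int) -> str:
    """Constructed stand-in for an encrypted token of the given raw size."""
    return base64.b64encode(bytes(n_bytes)).decode()


# Constructed sample traffic (not captured data).
SAMPLE_EXCHANGES = [
    # legitimate user: normal-sized token, accepted
    HttpExchange("10.0.0.5",
                 {"Cookie": "JSESSIONID=abc; rememberMe=" + _fake_cookie(240)},
                 {"Set-Cookie": "JSESSIONID=abc; Path=/; HttpOnly"}),
    # legitimate user with an expired token: normal size, Shiro clears it
    HttpExchange("10.0.0.6",
                 {"Cookie": "rememberMe=" + _fake_cookie(240)},
                 {"Set-Cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"}),
    # attacker cycling candidate keys: oversized payloads, each rejected
    *[HttpExchange("203.0.113.9",
                   {"Cookie": "rememberMe=" + _fake_cookie(3000 + i)},
                   {"Set-Cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"})
      for i in range(3)],
    # same attacker, oversized payload accepted without deleteMe
    HttpExchange("203.0.113.9",
                 {"Cookie": "rememberMe=" + _fake_cookie(3000)},
                 {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EXCHANGES))
```

The point of the `stale_cookie` branch is the paper's false-positive concern: a `deleteMe` response alone also occurs for ordinary users with expired tokens, so a rule that alerts on it without the size trait would fire on normal business. Escalating `suspected_success` to a human rather than blocking mirrors the abstract's hand-off to manual confirmation.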