CN108595957A - Browser homepage tampering detection method, device and storage medium
- Publication number
- CN108595957A (application number CN201810408390.4A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
This application discloses a browser homepage tampering detection method, including: receiving or obtaining tamper information for a browser running on a terminal device; obtaining operation data of the suspicious items that caused the browser homepage to be tampered with; obtaining, according to the identifier of the homepage after tampering, the operation data of other terminal devices whose homepage was tampered to that homepage; determining, according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices, the identifier of the target executable file that caused the browser to be tampered to that homepage; and sending the identifier of the target executable file to the terminal device. The application also provides a corresponding device and storage medium.
Description
Technical field
This application relates to the technical field of network security, and in particular to a browser homepage tampering detection method, device and storage medium.
Background
At present, the default homepage of the browser is fiercely contested among Internet companies: portal websites, navigation websites and the like are all eager to have their address set as the default homepage of the user's browser. When browsing the web today, the browser homepage may be hijacked, which slows down the opening of the browser and leaves the user unable to change the homepage back to the original one. Browser hijacking here means that a virus or rogue software uses technical means to redirect the browser homepage to a specified navigation address for profit. Detecting the virus or rogue software that hijacks the browser is receiving more and more attention, but existing detection methods rely on the detection capability of antivirus software, and some viruses or rogue software that hijack the browser homepage can evade antivirus detection, so detection is incomplete.
Summary of the invention
To solve the above technical problem, examples of this application provide a browser homepage tampering detection method, device and storage medium, so that detecting the virus or malware that hijacks the homepage does not depend on the detection capability of the terminal device.
An example of this application provides a browser homepage tampering detection method, including:
receiving or obtaining tamper information for a browser running on a terminal device, where the tamper information includes the identifier of the terminal device and the identifier of the homepage opened by the browser;
obtaining operation data of the suspicious items that caused the browser homepage to be tampered with, where the operation data includes the identifier of a first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device;
obtaining, according to the identifier of the homepage after tampering, the operation data of other terminal devices whose homepage was tampered to that homepage, where the operation data includes the identifier of a first executable file that may have caused the homepage to be tampered to that homepage;
determining, according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices, the identifier of the target executable file that caused the browser to be tampered to that homepage;
sending the identifier of the target executable file to the terminal device.
An example of this application also provides a browser homepage tampering detection method, including:
when it is detected that the identifier of the homepage opened by the browser on a terminal device differs from the identifier of the browser's default homepage, sending tamper information for the browser to a server, where the tamper information includes the identifier of the terminal device and the identifier of the homepage opened by the browser;
sending to the server the operation data of the suspicious items that caused the browser homepage to be tampered with, where the operation data includes the identifier of a first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device;
receiving the identifier of the target executable file sent by the server, where the server determines the identifier of the target executable file according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of other terminal devices whose homepage was tampered to that homepage.
An example of this application also provides a browser homepage tampering detection apparatus, the apparatus including:
a first acquisition unit, configured to receive or obtain tamper information for a browser running on a terminal device, where the tamper information includes the identifier of the terminal device and the identifier of the homepage opened by the browser;
a second acquisition unit, configured to obtain operation data of the suspicious items that caused the browser homepage to be tampered with, where the operation data includes the identifier of a first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device;
a third acquisition unit, configured to obtain, according to the identifier of the homepage after tampering, the operation data of other terminal devices whose homepage was tampered to that homepage, where the operation data includes the identifier of a first executable file that may have caused the homepage to be tampered to that homepage;
a determination unit, configured to determine, according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices, the identifier of the target executable file that caused the browser to be tampered to that homepage;
a transmission unit, configured to send the identifier of the target executable file to the terminal device.
An example of this application also provides a browser homepage tampering detection apparatus, the apparatus including:
a first transmission unit, configured to send tamper information for the browser to a server when it is detected that the identifier of the homepage opened by the browser on a terminal device differs from the identifier of the browser's default homepage, where the tamper information includes the identifier of the terminal device and the identifier of the homepage opened by the browser;
a second transmission unit, configured to send to the server the operation data of the suspicious items that caused the browser homepage to be tampered with, where the operation data includes the identifier of a first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device;
a receiving unit, configured to receive the identifier of the target executable file sent by the server, where the server determines the identifier of the target executable file according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of other terminal devices whose homepage was tampered to that homepage.
An example of this application also provides a computer-readable storage medium storing computer-readable instructions that can cause at least one processor to execute the method described above.
With the above scheme provided by this application, the identifier of the target executable file that caused the homepage to be tampered to a given homepage is determined from the first executable files on the multiple terminal devices whose homepage was tampered to that homepage, so detecting the target executable file that caused the tampering does not depend on the detection capability of the terminal device.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram of the system architecture involved in the examples of this application;
Fig. 2 is a flowchart of a browser homepage tampering detection method according to one example of this application;
Fig. 3 is a message interaction diagram of a browser homepage tampering detection method according to one example of this application;
Fig. 4 is a flowchart of a browser homepage tampering detection method according to another example of this application;
Fig. 5 is a structural diagram of a browser homepage tampering detection apparatus according to one example of this application;
Fig. 6 is a structural diagram of a browser homepage tampering detection apparatus according to another example of this application; and
Fig. 7 is a structural diagram of the computing device in an embodiment of this application.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
This application proposes a browser homepage tampering detection method, device and storage medium. The system architecture involved is shown in Fig. 1 and includes terminal devices 101a-101n and an application server 102, which are connected through the Internet 103. Each terminal device 101a-101n includes an application management client 104 and a browser client 105. The application server 102 can provide network security services for the terminal devices 101a-101n. The application management client 104 can be a computer management application (APP) that provides software management services to the users of the terminal devices 101a-101n, for example downloading, uninstalling and updating application software. The application management client 104 can also provide security services to those users, for example virus scanning and removal, as well as services such as junk cleanup and computer acceleration. The application management client 104 can be Computer Manager, 360 Security Guard, Kingsoft Guard, etc. The browser client 105 can be, for example, IE, 360 Secure Browser, Firefox, TheWorld, Sogou, etc. The terminal devices 101a-101n can be portable terminals such as mobile phones, tablets, palmtop computers and wearable devices, PCs such as desktop and laptop computers, or various smart devices with Internet access and a display interface, such as smart TVs.
The application management client 104 stores the default homepage data of the browser client 105, for example the identifier of the default homepage, which can be the URL of the default homepage. When the browser client 105 on a terminal device 101a-101n starts, the application management client 104 can obtain the browser's process data through an interface and read from it the identifier of the homepage the browser opens, for example the URL of the opened homepage. When the application management client 104 finds that the URL of the opened homepage differs from the URL of the default homepage, the browser's homepage has been hijacked, and the application management client 104 sends tamper information to the application server 102. The tamper information includes the identifier of the terminal device on which the application management client 104 resides, the identifier of the opened homepage (for example, its URL) and the identifier of the default homepage (for example, its URL). In addition, the tamper information may also include the IP of the terminal device.
The application management client 104 stores the suspicious items that can cause the homepage to be tampered with (that is, the categories to which executable files that may cause the homepage to be tampered with belong). The suspicious items include, for example, system startup items, files, processes, MBR, VBR, etc., and may also include other suspicious items that can cause the homepage to be tampered with. When a suspicious item runs, the application management client 104 obtains the operation data of the suspicious item through the relevant interface and reports it to the application server 102. The operation data includes the identifier of the first executable file that may cause the homepage to be tampered with, the identifier of the terminal device on which the application management client 104 resides, and the operation data of the first executable file. The operation data of the first executable file includes the identifier of the second executable file corresponding to each first executable file, where the second executable file generates, executes or releases the first executable file. The identifier of the first executable file and its operation data may be reported at the same time or at different times.
When the browser client 105 on any of the terminal devices 101a-101n starts and the application management client 104 detects that the homepage opened by the browser client 105 differs from the default homepage, it reports tamper information to the application server 102. The tamper information carries the identifier of the terminal device and the identifier of the homepage opened after tampering (for example, the URL of the homepage after tampering). According to the identifier of the homepage after tampering, the application server 102 finds the other terminal devices whose tamper information contains the identifier of that homepage and obtains their operation data. It clusters the first executable files in the operation data of the terminal device and of the other terminal devices, and determines the target executable file (the executable file of the virus or malware that caused the browser to be tampered with). For the terminal device, the server then traces the target executable file back using the operation data of the target executable file reported by that terminal device. Specifically, from the operation data of the target executable file it determines the second executable file that generated, released or executed the target executable file. The identifier of the target executable file and the identifier of the second executable file are sent to the terminal device. The application management client 104 on the terminal device can delete the first executable file and send a reminder message to the terminal user asking whether to delete the second executable file.
For example, among the suspicious items that may cause the homepage to be tampered with, the system startup items include startup items, services and drivers. Take a startup item as an example. After application program B (the second executable file) is downloaded, it releases executable file A (the first executable file) when it executes and creates a startup item that points to executable file A. At this point, the application management client 104 sends the operation data of the first executable file A to the application server 102 (reported in real time). The operation data includes the identifier of the first executable file A and the identifier of application program B (the second executable file), which created the startup item corresponding to the first executable file A. After the terminal device on which the application management client 104 resides starts up and the startup item corresponding to the first executable file A is launched, the application management client 104 reports the identifier of the first executable file A and the identifier of the terminal device to the application server 102 (reported after the terminal device starts). The application server 102 generates the operation data of the terminal device from the identifier of each first executable file A on the terminal device and the operation data corresponding to each first executable file. When the first executable file A corresponding to the startup item executes, it can tamper with the homepage in various ways, such as modifying the browser configuration, injecting into the browser process or modifying the browser's registry entries. For example, when the application server 102 clusters for a tampered homepage and finds that most of the terminal devices tampered to that homepage have the startup item of the first executable file A, it determines that the first executable file A is a virus or malware. Tracing the first executable file A back shows that A was released when application program B executed and that B created the startup item pointing to A, so tracing determines the second executable file B. The identifier of the first executable file A and the identifier of the second executable file B are sent to the application management client 104. Services and drivers among the system startup items are handled in the same way as startup items, and the details are not repeated here.
For the file class of suspicious items, when the second executable file releases the first executable file, the operation data of the first executable file is reported (in real time), and when the first executable file is executed, the identifier of the first executable file and the identifier of the terminal device are reported (in real time). If the first executable file is a virus file or malware, then when it is executed it can tamper with the homepage by modifying the browser configuration, injecting into the browser process, modifying the registry, and so on.
For the process class of suspicious items, when an application program (corresponding to the second executable file) executes a process (corresponding to the first executable file), the identifier of the first executable file and the identifier of the terminal device are reported (in real time), and the operation data of the first executable file is reported at the same time (in real time). This operation data includes the identifier of the second executable file that executed the process and the identifier of the first executable file corresponding to the process. Accordingly, if the process belongs to a virus file or malware, then after the process starts it can tamper with the homepage by modifying the browser configuration, injecting into the browser process, modifying the registry, and so on.
For the MBR and VBR class of suspicious items, when an application program (corresponding to the second executable file) modifies the MBR or VBR on disk, the modified MBR or VBR contains the execution code of the virus (corresponding to the first executable file). At this point, the application management client 104 reports the operation data to the application server 102 (in real time); the operation data includes the identifier of the second executable file that modified the MBR or VBR and the identifier of the first executable file. When the terminal device starts, the operating system reads and executes the execution code of the first executable file in the MBR or VBR. When the application management client 104 detects that the executed MBR or VBR has changed, it reports the identifier of the first executable file and the identifier of the terminal device (reported when the terminal device boots). When the operating system executes the virus's executable code in the MBR or VBR, that code can tamper with the homepage by modifying the browser configuration, injecting into the browser process, modifying the registry, and so on.
This application provides a browser homepage tampering detection method applied to a server (the application server 102). As shown in Fig. 2, the method includes the following steps:
S201: Receive or obtain tamper information for a browser running on a terminal device, where the tamper information includes the identifier of the terminal device and the identifier of the homepage opened by the browser.
The application management client 104 stores the default homepage of the browser client on its terminal device, that is, the homepage locked by the user. When the user opens the browser on the terminal device and the application management client 104 detects that the browser has started, it extracts the browser's process parameters, which include the opened homepage. It checks whether the opened homepage is consistent with the homepage locked by the user and, if not, reports tamper information. The tamper information includes the identifier of the terminal device, the identifier of the default homepage (for example, its URL) and the identifier of the opened homepage (for example, its URL).
S202: Obtain operation data of the suspicious items that caused the browser homepage to be tampered with, where the operation data includes the identifier of a first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device.
The operation data includes two kinds of data: one is the identifier of the first executable file under a suspicious item that may cause the homepage to be tampered with, together with the identifier of the terminal device; the other is the operation data of the first executable file. The application management client 104 can report these two kinds of data together or separately.
For the system startup item class (including startup items, services and drivers), when the application program corresponding to the second executable file executes, it can release the first executable file and create a system startup item pointing to the first executable file. At this point, the application management client 104 reports the operation data of the first executable file, which includes the identifier of the second executable file, the identifier of the first executable file and the operation type information "create system startup item". This operation data is reported in real time. When the terminal device starts, the first executable file corresponding to the system startup item is executed, and the application management client 104 then reports the identifier of the first executable file and the identifier of the terminal device (reported when the terminal device starts).
For the file class, when the application program corresponding to the second executable file executes, it can release the first executable file, and the application management client 104 then reports the identifier of the first executable file and the identifier of the terminal device (in real time). It can also report the operation data of the first executable file at the same time (in real time), which includes the identifier of the first executable file, the identifier of the second executable file and the operation type information "the application program corresponding to the second executable file released the first executable file when it executed".
For the process class, when the application program corresponding to the second executable file executes a process (corresponding to the first executable file), the application management client 104 reports the identifier of the first executable file and the identifier of the terminal device (in real time). It also reports the operation data of the first executable file at the same time (in real time), which includes the identifier of the first executable file, the identifier of the second executable file and the operation type information "the application program corresponding to the second executable file executed the process corresponding to the first executable file".
For the MBR and VBR class that may cause the homepage to be tampered with, when the MBR or VBR is modified, the modified MBR or VBR contains the execution code of the first executable file. The application management client 104 then reports the operation data of the first executable file (in real time), which includes the identifier of the first executable file and the identifier of the second executable file that modified the MBR or VBR. When the terminal device on which the application management client 104 resides starts, the operating system reads the data in the MBR or VBR; when the application management client 104 detects that the data of the MBR or VBR has been modified, it reports the identifier of the first executable file and the identifier of the terminal device (reported when the terminal device starts).
S203: According to the identifier of the homepage after tampering, obtain the operation data of other terminal devices whose homepage was tampered to that homepage, where the operation data includes the identifier of a first executable file that may have caused the homepage to be tampered to that homepage.
When the homepage of another terminal device is tampered with, that terminal device also reports tamper information. From the identifier of a homepage after tampering, the server can find multiple pieces of tamper information that contain the identifier of that homepage, determine the multiple terminal devices corresponding to them, and obtain the operation data of those terminal devices.
S204: According to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices, determine the identifier of the target executable file that caused the browser to be tampered to that homepage.
The one or more first executable files in the operation data of each terminal device 101a-101n are clustered. The server can count the number of times each first executable file occurs in the operation data of the terminal device and the other terminal devices and determine the first executable file with the highest count as the target executable file; it can also set a count threshold and determine the first executable files whose count exceeds the threshold as target executable files. One or more target executable files may be determined. The server can also compute the frequency with which each first executable file occurs in the operation data of the terminal device and the other terminal devices, and determine the first executable file whose frequency is the highest, or exceeds a preset threshold, as the target executable file. The operation data can also include the category to which each first executable file belongs, for example system startup item, file, process, MBR, VBR, etc., and a target executable file can be determined for each category (also called a suspicious item) in the manner described above. For example, when the target executable file is determined by frequency, each first executable file corresponds to a terminal user: if, among 100 users, N% of the users have software A and N > 50, it is very likely that software A hijacked the homepage, and the larger N is, the more accurate the result. N can be a preset threshold.
S205: Send the identifier of the target executable file to the terminal device.
The identifier of the first executable file is sent to the terminal device, specifically to the application management client 104 on the terminal device. The application management client 104 can handle the first executable file corresponding to that identifier accordingly, for example by deleting it, to prevent the browser homepage from being tampered with.
With the browser homepage tampering detection method provided by this application, the target executable file that caused a terminal device's homepage to be tampered with is detected by clustering the first executable files that may have caused the tampering on that terminal device together with the first executable files that may have caused the tampering on the other terminal devices whose homepage was tampered to the same homepage. Because the target executable file is detected by clustering on the server, detection does not depend on the detection capability of the terminal device. This solves the missed detections that occur when the terminal device cannot detect the target executable file, and makes detection more accurate.
In some examples, in step S204 above, determining the identifier of the target executable file that caused the browser to be tampered to that homepage, according to the identifiers of the first executable files in the operation data of the terminal device and in the operation data of the other terminal devices, includes the following step:
S11: Determine the frequency with which the identifier of each first executable file occurs in the operation data of the terminal device and of the other terminal devices, and determine the identifier of the first executable file whose frequency meets a predetermined condition as the identifier of the target executable file.
For the identifier of a first executable file, the server determines the number of times the identifier occurs in the operation data of the terminal devices 101a-101n and the number of terminal devices 101a-101n, and takes the ratio of that number of occurrences to the number of terminal devices as the frequency of the first executable file. The first executable file with the highest frequency can be determined as the target executable file; alternatively, a frequency threshold can be set and the first executable files whose frequency exceeds the threshold taken as target executable files.
In some examples, the operation data further includes the category to which each first executable file belongs, and the method further includes:
According to the identifiers of the first executable files in the operation data of the terminal device, the identifiers of the first executable files in the operation data of the other terminal devices, and the category of each first executable file, determine for each category the set of identifiers of the first executable files belonging to it;
Determining the identifier of the target executable file then includes the step:
Determine the identifier of the target executable file corresponding to each category;
Sending the identifier of the target executable file to the terminal device includes:
Send the identifier of the target executable file corresponding to each category to the terminal device.
The identifier of each first executable file is added to the set of the category it belongs to; identifiers in a set are not deduplicated. From the set of each category, the identifier of the target executable file corresponding to that category is determined. The categories may include system startup item, file, process, and MBR and VBR, among others.
In some examples, determining the identifier of the target executable file corresponding to each category includes the following steps:
In the set of identifiers of the first executable files of a category, determine the frequency with which the identifier of each first executable file occurs; take the identifier of a first executable file whose frequency meets a predetermined condition as the identifier of the first executable file corresponding to that category.
The set of a category contains the identifiers of one or more first executable files, and the identifiers are not deduplicated. Count the number of times each first executable file occurs in the set and the total number of first executable files in the set; the ratio of the number of occurrences of a first executable file to that total is the frequency with which its identifier occurs. The predetermined condition may select the identifier of the first executable file with the highest frequency, or the identifiers of the first executable files whose frequency exceeds a frequency threshold.
In some examples, the operation data of the terminal device further includes operation data of the first executable file; this operation data includes the identifier of the first executable file and the identifier of a second executable file, where the second executable file generates, executes or releases the first executable file.
The browser homepage tampering detection method provided by the present application further includes the following steps:
Obtain the operation data of the target executable file from the operation data of the terminal device according to the identifier of the target executable file;
Determine, from that operation data, the identifier of the second executable file that generated, executed or released the target executable file;
Send the identifier of the second executable file to the terminal device.
The operation data of the first executable file includes the second executable file that generated, executed or released the first executable file; this second executable file is the source of the homepage tampering. Tracing to the source is done separately for each terminal device. For a given post-tamper homepage, the cause of the tampering is the first executable file on every device, but the source that produced the first executable file is not necessarily the same on different terminal devices: one terminal device may execute the first executable file (the executable code of the virus or malware that tampers with the homepage) by way of a system startup item, while another may execute it by way of the MBR or VBR. After the identifier of the second executable file is sent to the application management client 104, the application management client 104 can show the user a reminder asking whether to delete the second executable file, so that the user of the terminal device decides whether the source of the homepage tampering is deleted.
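The server-side steps described above (selecting the devices that share a post-tamper homepage, computing the frequency overall and per category, and tracing the target back to its second executable file) can be sketched as follows. This is an added example, not code from the patent: the function names, the category labels and all sample data are constructed, and the `exe-N` strings stand in for real file identifiers.

```python
from collections import Counter, defaultdict
from fractions import Fraction

# Constructed sample data; identifiers such as "exe-1" stand in for file hashes.
TAMPER_REPORTS = [
    {"device": "dev-a", "homepage": "http://hijacked.example/"},
    {"device": "dev-b", "homepage": "http://hijacked.example/"},
    {"device": "dev-c", "homepage": "http://hijacked.example/"},
    {"device": "dev-d", "homepage": "http://other.example/"},
]
# Per device: (category, first-executable identifier) pairs reported for suspicious items.
RUN_DATA = {
    "dev-a": [("startup_item", "exe-1"), ("process", "exe-7"), ("file", "exe-3")],
    "dev-b": [("startup_item", "exe-1"), ("process", "exe-8"), ("file", "exe-3")],
    "dev-c": [("startup_item", "exe-1"), ("process", "exe-7"), ("mbr_vbr", "exe-5")],
    "dev-d": [("startup_item", "exe-9")],
}
# Operation records: which second executable generated, executed or released a first one.
OPERATIONS = [
    {"device": "dev-a", "first": "exe-1", "second": "exe-20", "op": "create_startup_item"},
    {"device": "dev-b", "first": "exe-1", "second": "exe-21", "op": "create_startup_item"},
    {"device": "dev-c", "first": "exe-1", "second": "exe-20", "op": "release_file"},
]


def devices_with_homepage(reports, homepage):
    """Devices whose tamper information names the same post-tamper homepage."""
    return sorted({r["device"] for r in reports if r["homepage"] == homepage})


def device_frequency(run_data, devices):
    """Occurrences of each identifier in the devices' data divided by the device count."""
    if not devices:
        return {}
    counts = Counter(ident for d in devices for _, ident in run_data.get(d, []))
    return {ident: Fraction(n, len(devices)) for ident, n in counts.items()}


def category_frequency(run_data, devices):
    """Per category: occurrences of an identifier divided by the size of that
    category's set, which is built without deduplication."""
    sets = defaultdict(list)
    for d in devices:
        for category, ident in run_data.get(d, []):
            sets[category].append(ident)
    return {c: {i: Fraction(n, len(ids)) for i, n in Counter(ids).items()}
            for c, ids in sets.items()}


def select(freqs, threshold=None):
    """Highest-frequency identifiers, or all identifiers above a threshold."""
    if not freqs:
        return []
    if threshold is None:
        top = max(freqs.values())
        return sorted(i for i, f in freqs.items() if f == top)
    return sorted(i for i, f in freqs.items() if f > threshold)


def trace_sources(operations, device, target):
    """Second executables recorded on one device as the source of the target."""
    return [(o["second"], o["op"]) for o in operations
            if o["device"] == device and o["first"] == target]


if __name__ == "__main__":
    devs = devices_with_homepage(TAMPER_REPORTS, "http://hijacked.example/")
    print("targets:", select(device_frequency(RUN_DATA, devs)))
    for dev in devs:
        print(dev, "source:", trace_sources(OPERATIONS, dev, "exe-1"))
```

In the per-category variant a set with a single entry yields a frequency of 1, so a threshold applied there may need a minimum set size; that guard is a suggestion made here, not part of the described method.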
In some examples, the browser homepage tampering detection method provided by the present application further includes the following steps:
Receive, from each of one or more application management clients 104, the operation data of the terminal device on which that application management client 104 runs;
Obtaining the operation data of the other terminal devices whose homepage was tampered to the homepage then includes the following steps:
Obtain the one or more pieces of tamper information that contain the identifier of the homepage;
Determine the identifier of the terminal device contained in each of those pieces of tamper information;
Obtain the operation data of each terminal device according to its identifier.
For the identifier of a homepage after tampering, the other terminal devices whose homepage was tampered to that homepage are determined. Each piece of tamper information corresponds to one terminal device, so the one or more terminal devices whose homepage was tampered to that homepage are determined from the tamper information of each terminal device. The operation data of each terminal device is then obtained, that is, the identifiers of the one or more first executable files in it and the operation data of each first executable file.
In some examples, the browser homepage tampering detection method provided by the present application further includes the following steps:
Receive the running environment data reported by each terminal device;
Determine running environment information from the running environment data;
Send the running environment information to a second client.
The running environment data includes, for example, a ghost system identifier and a plug-in application identifier. After the terminal device starts, the application management client 104 (for example, computer house keeper) checks whether the terminal desktop has a shortcut for reinstalling a ghost system, and reports the ghost system identifier if it does. When the terminal device downloads a plug-in application, the application management client 104 reports the identifier of the plug-in file in real time. The running environment information includes, for example, whether the terminal device uses a ghost system, determined from the ghost system identifier in the running environment data, and may also include whether the terminal device uses a plug-in, determined from the identifier of the plug-in file in the running environment data. The second client is the client of the maintenance personnel of the application server 102. Maintenance personnel can request the running environment information from the application server 102 through the second client and analyse it to decide on strategies for preventing homepage tampering.
In some examples, the tamper information further includes the IP of the terminal device on which the client runs, and the method further includes the following steps:
Obtain, from the one or more pieces of tamper information, the IP of the terminal device corresponding to each piece, and determine the region of each terminal device from its IP;
Determine the ratio of each region among the regions of the terminal devices, and send the regions whose ratio meets a predetermined condition to the second client.
In this example, for the one or more terminal devices hijacked to the same homepage, the IPs of the terminal devices are used to determine whether those devices are geographically concentrated. A threshold can be preset; when the ratio of a region among the regions of the terminal devices exceeds the threshold, the one or more terminal devices are determined to be geographically concentrated. The regions of concentration are sent to the second client so that maintenance personnel can analyse them.
In some examples, the method further includes:
Determine the number of the one or more pieces of tamper information, and send that number to the second client.
Each piece of tamper information corresponds to one terminal device. For the identifier of a homepage after tampering, the number of tampered terminal devices is determined and sent to the second client so that maintenance personnel can analyse it.
In some examples, the operation data further includes operation data of the first executable file;
Obtaining the operation data of the suspicious item that caused the browser homepage to be tampered with then includes the following steps:
Receive the identifier of the first executable file and the identifier of the terminal device, reported when the terminal device executes the first executable file; receive the operation data of the first executable file, reported when the first executable file is executed while a second executable file on the terminal device is being executed, the operation data including the identifier of the first executable file and the identifier of the second executable file.
The operation data reported by the application management client 104 includes the identifiers of one or more first executable files under a suspicious item. A suspicious item may be a process. When the application corresponding to the second executable file executes a process (corresponding to the first executable file), the application management client 104 can report the identifier of the first executable file and the identifier of the terminal device in real time. It can also report, in real time, the operation data of the first executable file, which includes the identifier of the first executable file, the identifier of the second executable file, and the operation type information: the application corresponding to the second executable file executed the process corresponding to the first executable file.
In some examples, the operation data further includes operation data of the first executable file;
Obtaining the operation data of the suspicious item that caused the browser homepage to be tampered with then includes the following steps:
Receive the identifier of the first executable file corresponding to a system startup item and the identifier of the terminal device, reported when the terminal device starts; receive the operation data of the first executable file, reported when a second executable file on the terminal device creates the system startup item, the operation data including the identifier of the first executable file and the identifier of the second executable file.
The suspicious item may include system startup items, including startup items, services and processes. For the system startup item class, the application corresponding to the second executable file can, when executed, release the first executable file and create a system startup item that points to the first executable file. At that point the application management client 104 can report, in real time, the operation data of the first executable file, which includes the identifier of the second executable file, the identifier of the first executable file, and the operation type information: created a system startup item. When the terminal device starts, the first executable file corresponding to the system startup item is executed, and the application management client 104 reports the identifier of the first executable file and the identifier of the terminal device (reported at terminal device startup).
In some examples, the operation data further includes operation data of each first executable file; obtaining the operation data of the suspicious item that caused the browser homepage to be tampered with then includes the following steps:
Receive the identifier of the first executable file and the identifier of the terminal device, reported when the terminal device executes the first executable file; receive the operation data of the first executable file, reported by the terminal device when a second executable file on the terminal device is executed and releases the first executable file, the operation data including the identifier of the first executable file and the identifier of the second executable file.
For the file class, the application corresponding to the second executable file can release the first executable file when executed; the application management client 104 can then report the identifier of the first executable file and the identifier of the terminal device in real time. It can also report, in real time, the operation data of the first executable file, which includes the identifier of the first executable file, the identifier of the second executable file, and the operation type information: the application corresponding to the second executable file released the first executable file when executed.
Fig. 3 shows the detailed flow in which the application server 102 determines the first executable file from the operation data and tamper information reported by each application management client 104, and then traces back from the first executable file, using the operation data, to determine the second executable file. It mainly includes the following steps:
S301: When the application management client 104 detects that the homepage has been tampered with, it reports tamper information to the application server 102; the tamper information includes the identifier of the homepage after tampering.
S302: The operation data of the suspicious items that may have caused the homepage tampering is reported to the application server 102.
S303: The other terminal devices whose homepage was tampered to the homepage are obtained according to the identifier of the homepage after tampering.
S304: The operation data of the other terminal devices is obtained.
S305: The first executable files in the operation data of the terminal device and in the operation data of the other terminal devices are clustered to obtain the target executable file.
S306: The second executable file corresponding to the target executable file is determined from the operation data of the target executable file in the operation data of the terminal device.
S307: The identifier of the target executable file and the identifier of the second executable file are sent to the application management client 104.
The present application also provides a browser homepage tampering detection method applied to the application management client 104. As shown in Fig. 4, the method includes the following steps:
S401: When the identifier of the homepage that the browser on the terminal device logs in to is detected to differ from the identifier of the browser's default homepage, send the browser's tamper information to the server; the tamper information includes the identifier of the terminal device and the identifier of the homepage the browser logs in to.
The application management client 104 can obtain the browser's process data through a relevant interface; when the second homepage identifier in the process data differs from the identifier of the default homepage, it reports tamper information to the application server 102. The homepage identifier may be the URL of the homepage or another symbol that identifies the homepage. Tamper information may be reported once a day: after the terminal device starts, steps S401-S402 are executed when the browser starts for the first time. In some examples, steps S401-S402 may instead be executed every time the browser starts. The operations in steps S401-S402 correspond to the steps of the method on the application server 102 side and are not repeated here.
S402: Send to the server the operation data of the suspicious items that caused the browser homepage to be tampered with; the operation data includes the identifier of the first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device.
The operations in this step correspond to the steps of the method on the application server 102 side and are not repeated here.
S403: Receive the identifier of the target executable file sent by the server, where the server determines the identifier of the target executable file according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices whose homepage was tampered to the homepage.
The operations in this step correspond to the steps of the method on the application server 102 side and are not repeated here.
With the browser homepage tampering detection method provided by the present application, the target executable file that caused a terminal device's homepage to be tampered with is found by clustering the first executable files that may have caused the tampering on that terminal device together with the first executable files that may have caused the tampering on the other terminal devices whose homepage was changed to the same homepage. Because the clustering is performed by the server, detection does not depend on the detection capability of the terminal device. This avoids missed detections when the terminal device itself cannot detect the target executable file, and makes detection more accurate.
In some examples, the operation data of the terminal device further includes operation data of the first executable file; this operation data includes the identifier of the first executable file and the identifier of a second executable file, where the second executable file generates, executes or releases the first executable file.
The browser homepage tampering detection method provided by the present application further includes the following steps:
Receive the identifier, sent by the server, of the second executable file that generated, executed or released the target executable file, where the server determines the identifier of the second executable file from the operation data of the target executable file in the operation data of the terminal device.
In this example, the determined target executable file is traced to its source, that is, the second executable file that led to the target executable file is determined. The tracing process is similar to that on the server side and is not repeated here.
In some examples, the browser homepage tampering detection method provided by the present application further includes the following steps:
Establish a whitelist of the categories to which first executable files belong; the whitelist contains one or more categories of first executable files;
Sending to the server the operation data of the suspicious items that caused the browser homepage to be tampered with then includes:
Determine the category of the first executable file, and report the operation data to the server when the whitelist contains that category.
In this example, the categories in the whitelist are the suspicious items that may lead to homepage tampering, for example system startup items (including startup items, services and drivers). The application management client 104 is preconfigured with these suspicious items. The maintenance personnel on the application server 102 side can determine from experience the suspicious items that may lead to homepage tampering, and these are sent by the application server 102 to the application management client 104 for configuration. Whenever a first executable file under a suspicious item is executed, the application management client 104 reports the identifier of the first executable file and the identifier of the terminal device.
In some examples, before the operation data is sent to the server, the method further includes the steps:
Obtain the text content of the first executable file;
Determine the identifier of the first executable file from the text content.
In this example, the reported identifier of the first executable file that may have caused the homepage tampering can be determined from the text content of the first executable file. The application management client 104 can generate the identifier by applying MD5 (Message-Digest Algorithm 5) to the text content of the first executable file. Other algorithms can also be used to generate the identifier from the text content of the first executable file, and other identification methods can be used as well.
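The client-side behaviour described above (the S401 homepage comparison, the category whitelist that gates S402 reports, and the content-derived identifier) can be sketched as follows. This is an added example, not code from the patent: the function names, message fields, category labels and sample inputs are constructed. The hash algorithm is a parameter because the text allows algorithms other than MD5; SHA-256 is used here as one such choice.

```python
import hashlib

# Categories the client treats as suspicious items (the page's "whitelist").
# The label strings are constructed for this example.
CATEGORY_WHITELIST = {"startup_item", "service", "driver"}


def file_identifier(content: bytes, algorithm: str = "md5") -> str:
    """Identifier derived from file content, so the same file reported from
    different devices (under any file name) maps to one identifier."""
    return hashlib.new(algorithm, content).hexdigest()


def tamper_report(device_id, login_homepage, default_homepage):
    """S401: report only when the opened homepage differs from the default."""
    if login_homepage == default_homepage:
        return None
    return {"type": "tamper", "device": device_id, "homepage": login_homepage}


def run_data_report(device_id, category, content,
                    whitelist=CATEGORY_WHITELIST, algorithm="md5"):
    """S402: report a first executable only if its category is whitelisted."""
    if category not in whitelist:
        return None
    return {
        "type": "run_data",
        "device": device_id,
        "category": category,
        "first_executable": file_identifier(content, algorithm),
    }


def client_messages(device_id, default_homepage, login_homepage, executions,
                    algorithm="md5"):
    """Messages sent for one browser start plus the executions observed."""
    messages = []
    report = tamper_report(device_id, login_homepage, default_homepage)
    if report is not None:
        messages.append(report)
    for category, content in executions:
        item = run_data_report(device_id, category, content, algorithm=algorithm)
        if item is not None:
            messages.append(item)
    return messages


# Constructed sample input: (category, file content) pairs seen on one device.
SAMPLE_EXECUTIONS = [
    ("startup_item", b"abc"),
    ("document", b"category outside the whitelist"),
    ("driver", b"abc"),
]

if __name__ == "__main__":
    for msg in client_messages("dev-a", "http://home.example/",
                               "http://hijacked.example/", SAMPLE_EXECUTIONS):
        print(msg)
```

Because the identifier depends only on content, the two whitelisted entries above produce the same identifier, which is what lets the server count the same file across devices.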
The present application also provides a browser homepage tampering detection apparatus 500. As shown in Fig. 5, the apparatus includes:
A first acquisition unit 501, configured to receive or obtain tamper information of a browser running on a terminal device, where the tamper information includes the identifier of the terminal device and the identifier of the homepage the browser logs in to;
A second acquisition unit 502, configured to obtain the operation data of the suspicious items that caused the browser homepage to be tampered with, the operation data including the identifier of the first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device;
A third acquisition unit 503, configured to obtain, according to the identifier of the homepage after tampering, the operation data of the other terminal devices whose homepage was tampered to the homepage, the operation data including the identifier of the first executable file that may have caused the homepage to be tampered to the homepage;
A determination unit 504, configured to determine the identifier of the target executable file that caused the browser's homepage to be tampered to the homepage, according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices;
A transmission unit 505, configured to send the identifier of the target executable file to the terminal device.
The present application also provides a browser homepage tampering detection apparatus 600. As shown in Fig. 6, the apparatus includes:
A first transmission unit 601, configured to send the browser's tamper information to the server when the identifier of the homepage that the browser on the terminal device logs in to is detected to differ from the identifier of the browser's default homepage, the tamper information including the identifier of the terminal device and the identifier of the homepage the browser logs in to;
A second transmission unit 602, configured to send to the server the operation data of the suspicious items that caused the browser homepage to be tampered with, the operation data including the identifier of the first executable file that may have caused the browser homepage to be tampered with and the identifier of the terminal device;
A receiving unit 603, configured to receive the identifier of the target executable file sent by the server, where the server determines the identifier of the target executable file according to the identifiers of the first executable files in the operation data of the terminal device and the identifiers of the first executable files in the operation data of the other terminal devices whose homepage was tampered to the homepage.
The present application also provides a computer-readable storage medium storing computer-readable instructions that can cause at least one processor to execute the method described above.
Fig. 7 shows the structure of the computing device on which the browser homepage tampering detection apparatus 500 and the browser homepage tampering detection apparatus 600 reside. As shown in Fig. 7, the computing device includes one or more processors (CPU) 702, a communication module 704, a memory 706, a user interface 710, and a communication bus 708 for interconnecting these components.
The processor 702 can send and receive data through the communication module 704 to implement network communication and/or local communication.
The user interface 710 includes one or more output devices 712, which include one or more speakers and/or one or more visual displays. The user interface 710 also includes one or more input devices 714, which include, for example, a keyboard, a mouse, a voice command input unit or loudspeaker, a touch screen display, a touch-sensitive tablet, a gesture capture camera, or other input buttons or controls.
The memory 706 can be high-speed random access memory, such as DRAM, SRAM, DDR RAM or other random access solid-state storage devices; or non-volatile memory, such as one or more disk storage devices, optical disc storage devices, flash memory devices or other non-volatile solid-state storage devices.
The memory 706 stores the set of instructions executable by the processor 702, including:
An operating system 716, which includes programs for handling various basic system services and for executing hardware-dependent tasks;
An application 718, which includes some or all of the units or modules of the browser homepage tampering detection apparatus 500 and the browser homepage tampering detection apparatus 600. At least one unit of the browser homepage tampering detection apparatus 500 and the browser homepage tampering detection apparatus 600 can store machine-executable instructions. By executing the machine-executable instructions in at least one of the units in the memory 706, the processor 702 can implement the function of at least one of the units or modules above.
It should be noted that not all the steps and modules in the flows and structure diagrams above are necessary; some steps or modules can be omitted according to actual needs. The execution order of the steps is not fixed and can be adjusted as needed. The division into modules is only a functional division adopted for ease of description. In an actual implementation, one module can be split into several modules, and the functions of several modules can be implemented by the same module; these modules can be located in the same device or in different devices.
The hardware modules in each embodiment can be implemented in hardware or as a hardware platform plus software. The software includes machine-readable instructions stored in a non-volatile storage medium, so each embodiment can also be embodied as a software product.
In each example, the hardware can be implemented by dedicated hardware or by hardware that executes machine-readable instructions. For example, the hardware can be a specially designed permanent circuit or logic device (such as a dedicated processor, for example an FPGA or ASIC) for completing specific operations. The hardware can also include a programmable logic device or circuit temporarily configured by software (for example, including a general-purpose processor or another programmable processor) for executing specific operations.
In addition, each example of the present application can be implemented by a data processing program executed by a data processing device such as a computer. Obviously, the data processing program constitutes the present application. Furthermore, a data processing program usually stored in a storage medium is executed by reading the program directly from the storage medium, or by installing or copying the program to a storage device (such as a hard disk and/or memory) of the data processing device. Such a storage medium therefore also constitutes the present application. The present application also provides a non-volatile storage medium storing a data processing program that can be used to execute any one of the method examples above.
The machine-readable instructions corresponding to the modules of Fig. 7 can cause an operating system or the like running on the computer to complete some or all of the operations described here. The non-volatile computer-readable storage medium can be a memory provided in an expansion board inserted into the computer, or a memory provided in an expansion unit connected to the computer. A CPU or the like mounted on the expansion board or expansion unit can perform part or all of the actual operations according to the instructions.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (15)
1. a kind of main browser page altering detecting method, which is characterized in that including:
Receive or obtain the browser run on terminal device is tampered information, wherein the information that is tampered includes institute
State the identifying of terminal device, the browser logs in the mark of homepage;
The operation data for the suspicious item for causing the main browser page to be tampered is obtained, the operation data includes that may lead to institute
State the mark for the first executable file that main browser page is tampered and the mark of the terminal device;
According to the mark of the homepage after described be tampered, the operation number for the other-end equipment for being tampered the homepage is obtained
According to, the operation data include may cause homepage be tampered the homepage the first executable file mark;
According to the mark of first executable file in the operation data of the terminal device and the other-end equipment
Operation data in first executable file mark, determining causes the browser to be tampered the mesh of the homepage
Mark the mark of executable file;
The mark of the target executable file is sent to the terminal device.
2. according to the method described in claim 1, wherein, described first in the operation data according to the terminal device
The mark of first executable file in the operation data of the mark of executable file and the other-end equipment determines
The mark that the browser is tampered the target executable file of the homepage is caused to include:
Determine the mark of each first executable file in the operation data of the terminal device and the fortune of the other-end equipment
The frequency occurred in row data, the mark that the frequency is met to the first executable file of predetermined condition are determined as the target and can hold
The mark of style of writing part.
3. according to the method described in claim 1, wherein, in the operation data further including the affiliated class of the first executable file
Not, the method further includes:
According to the identifying of first executable file in the operation data of the terminal device, the other-end equipment
The mark of first executable file and each first executable file generic in operation data determine of all categories corresponding
The set of the mark of one executable file;
Wherein it is determined that the mark of the target executable file includes:
Determine the mark of corresponding target executable file of all categories;
Wherein, the mark of target executable file is sent to the terminal device includes:
The mark of the corresponding target executable file of all categories is sent to the terminal device.
4. The method according to claim 3, wherein determining the mark of the target executable file corresponding to each category comprises:
In the set of marks of first executable files of a category, determining the frequency with which the mark of each first executable file occurs;
Determining the mark of a first executable file whose frequency meets a predetermined condition as the mark of the first executable file corresponding to that category.
5. The method according to claim 1, wherein the operation data of the terminal device further includes operation data of the first executable file, the operation data including the mark of the first executable file and the mark of a second executable file, wherein the second executable file generates, executes or releases the first executable file;
Wherein the method further comprises:
Obtaining the operation data of the target executable file from the operation data of the terminal device according to the mark of the target executable file;
Determining, according to that operation data, the mark of the second executable file that generates, executes or releases the target executable file;
Sending the mark of the second executable file to the terminal device.
6. The method according to claim 1, characterized in that the operation data further includes operation data of the first executable file;
Wherein obtaining the operation data of the suspicious item that caused the browser homepage to be tampered comprises:
Receiving the mark of the first executable file and the mark of the terminal device, reported when the terminal device executes the first executable file;
Receiving the operation data of the first executable file, reported when the first executable file is executed while a second executable file on the terminal device is being executed, the operation data including the mark of the first executable file and the mark of the second executable file.
7. The method according to claim 1, wherein the operation data further includes operation data of the first executable file;
Wherein obtaining the operation data of the suspicious item that caused the browser homepage to be tampered comprises:
Receiving the mark of the first executable file corresponding to a system startup item and the mark of the terminal device, reported when the terminal device starts;
Receiving the operation data of the first executable file, reported when a second executable file on the terminal device creates the system startup item, the operation data including the mark of the first executable file and the mark of the second executable file.
8. The method according to claim 1, characterized in that the operation data further includes operation data of the first executable file;
Wherein obtaining the operation data of the suspicious item that caused the browser homepage to be tampered comprises:
Receiving the mark of the first executable file and the mark of the terminal device, reported when the terminal device executes the first executable file;
Receiving the operation data of the first executable file, reported by the terminal device when a second executable file on the terminal device is executed and releases the first executable file, the operation data including the mark of the first executable file and the mark of the second executable file.
9. A browser homepage tampering detection method, characterized in that the method comprises:
When it is detected that the mark of the login homepage of the browser on a terminal device differs from the mark of the browser's default homepage, sending tampering information of the browser to a server, the tampering information including the mark of the terminal device and the mark of the browser's login homepage;
Sending to the server the operation data of the suspicious item that caused the browser homepage to be tampered, the operation data including the mark of a first executable file that may have caused the browser homepage to be tampered and the mark of the terminal device;
Receiving the mark of a target executable file sent by the server, wherein the server determines the mark of the target executable file according to the mark of the first executable file in the operation data of the terminal device and the mark of the first executable file in the operation data of other terminal devices tampered to the homepage.
10. The method according to claim 9, characterized in that the operation data of the terminal device further includes operation data of the first executable file, the operation data including the mark of the first executable file and the mark of a second executable file, wherein the second executable file generates, executes or releases the first executable file,
Wherein the method further comprises:
Receiving the mark, sent by the server, of the second executable file that generates, executes or releases the target executable file, wherein the server determines the mark of the second executable file according to the operation data of the target executable file in the operation data of the terminal device.
11. The method according to claim 9, wherein the method further comprises:
Establishing a whitelist of the categories to which first executable files belong, the whitelist including one or more categories to which first executable files belong;
Wherein sending to the server the operation data of the suspicious item that caused the browser homepage to be tampered comprises:
Determining the category to which the first executable file belongs, and reporting the operation data to the server when the whitelist contains a category corresponding to that category.
12. The method according to claim 9, wherein, before sending the operation data to the server, the method further comprises:
Obtaining the text content of the first executable file;
Determining the mark of the first executable file according to the text content.
13. A browser homepage tampering detection apparatus, characterized in that the apparatus comprises:
A first acquisition unit, configured to receive or obtain tampering information of a browser running on a terminal device, wherein the tampering information includes the mark of the terminal device and the mark of the browser's login homepage;
A second acquisition unit, configured to obtain the operation data of the suspicious item that caused the browser homepage to be tampered, the operation data including the mark of a first executable file that may have caused the browser homepage to be tampered and the mark of the terminal device;
A third acquisition unit, configured to obtain, according to the mark of the tampered homepage, the operation data of other terminal devices tampered to the homepage, the operation data including the mark of a first executable file that may have caused the homepage to be tampered to the homepage;
A determination unit, configured to determine, according to the mark of the first executable file in the operation data of the terminal device and the mark of the first executable file in the operation data of the other terminal devices, the mark of a target executable file that caused the browser to be tampered to the homepage;
A transmission unit, configured to send the mark of the target executable file to the terminal device.
14. A browser homepage tampering detection apparatus, characterized in that the apparatus comprises:
A first transmission unit, configured to send tampering information of the browser to a server when it is detected that the mark of the login homepage of the browser on a terminal device differs from the mark of the browser's default homepage, the tampering information including the mark of the terminal device and the mark of the browser's login homepage;
A second transmission unit, configured to send to the server the operation data of the suspicious item that caused the browser homepage to be tampered, the operation data including the mark of a first executable file that may have caused the browser homepage to be tampered and the mark of the terminal device;
A receiving unit, configured to receive the mark of a target executable file sent by the server, wherein the server determines the mark of the target executable file according to the mark of the first executable file in the operation data of the terminal device and the mark of the first executable file in the operation data of other terminal devices tampered to the homepage.
15. A computer-readable storage medium storing computer-readable instructions that can cause at least one processor to execute the method according to any one of claims 1-12.
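The server-side correlation of claims 2 to 5, as an added example that is not part of the patent text. The record layout, the category labels and the reading of the "predetermined condition" as a minimum share of distinct affected devices are assumptions made here; the claims do not specify them.

```python
from collections import defaultdict

# Constructed sample reports, one per observed file:
# (device, tampered homepage, category, first executable, second executable)
REPORTS = [
    ("dev-A", "hp-1", "exec",    "e-bad",  "p-inst"),
    ("dev-A", "hp-1", "exec",    "e-upd",  None),
    ("dev-A", "hp-1", "startup", "s-hlp",  "e-bad"),
    ("dev-B", "hp-1", "exec",    "e-bad",  "p-bundle"),
    ("dev-B", "hp-1", "exec",    "e-chat", None),
    ("dev-B", "hp-1", "startup", "s-hlp",  "e-bad"),
    ("dev-C", "hp-1", "exec",    "e-bad",  "p-inst"),
    ("dev-C", "hp-1", "exec",    "e-upd",  None),
    ("dev-C", "hp-1", "startup", "s-hlp",  "e-bad"),
    ("dev-D", "hp-2", "exec",    "e-upd",  None),
]

def target_executables(reports, homepage, min_share=0.75):
    """Per category, marks reported by >= min_share of the devices on this homepage."""
    devices = {d for d, hp, *_ in reports if hp == homepage}
    seen = defaultdict(set)                      # (category, mark) -> devices
    for dev, hp, cat, exe, _parent in reports:
        if hp == homepage:
            seen[(cat, exe)].add(dev)            # a set: repeats from one device count once
    targets = defaultdict(list)
    for (cat, exe), devs in seen.items():
        if len(devs) / len(devices) >= min_share:    # assumed "predetermined condition"
            targets[cat].append(exe)
    return {cat: sorted(marks) for cat, marks in targets.items()}

def second_executables(reports, device, targets):
    """Marks of the files that generated, executed or released a target on one device."""
    wanted = {m for marks in targets.values() for m in marks}
    return sorted({parent for dev, _hp, _cat, exe, parent in reports
                   if dev == device and exe in wanted and parent})

if __name__ == "__main__":
    found = target_executables(REPORTS, "hp-1")
    print(found)
    print(second_executables(REPORTS, "dev-A", found))
```

In the sample, `e-upd` appears on two of the three affected devices and also on an unaffected one, so the 0.75 threshold leaves it out, while lowering `min_share` to 0.6 would flag it.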
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810408390.4A CN108595957B (en) | 2018-05-02 | 2018-05-02 | Browser homepage tampering detection method, device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108595957A (en) | 2018-09-28 |
CN108595957B (en) | 2023-04-14 |
Family
ID=63619492
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810408390.4A Active CN108595957B (en) | 2018-05-02 | 2018-05-02 | Browser homepage tampering detection method, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108595957B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109299135A (en) * | 2018-11-26 | 2019-02-01 | 平安科技(深圳)有限公司 | Abnormal inquiry recognition methods, identification equipment and medium based on identification model |
CN111832018A (en) * | 2019-04-19 | 2020-10-27 | 富泰华工业(深圳)有限公司 | Virus detection method, virus detection device, computer device and storage medium |
CN112989349A (en) * | 2021-04-19 | 2021-06-18 | 腾讯科技(深圳)有限公司 | Virus detection method, device, equipment and storage medium |
CN109299135B (en) * | 2018-11-26 | 2024-05-14 | 平安科技(深圳)有限公司 | Abnormal query recognition method, recognition equipment and medium based on recognition model |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004220374A (en) * | 2003-01-15 | 2004-08-05 | Toshiba Solutions Corp | Portal server and information transfer method for portal server |
JP2005011061A (en) * | 2003-06-19 | 2005-01-13 | Nec Fielding Ltd | Monitoring/operating system, method and program to protect web server from web page alteration attack |
CN103605926A (en) * | 2013-11-29 | 2014-02-26 | 北京奇虎科技有限公司 | Webpage tampering detecting method and device |
CN104601543A (en) * | 2014-12-05 | 2015-05-06 | 百度在线网络技术(北京)有限公司 | Method and system for identifying software tampered browser home page |
CN105184159A (en) * | 2015-08-27 | 2015-12-23 | 深圳市深信服电子科技有限公司 | Web page falsification identification method and apparatus |
CN105354490A (en) * | 2015-09-30 | 2016-02-24 | 北京奇虎科技有限公司 | Method and device for processing hijacked browser |
US9298585B1 (en) * | 2013-12-30 | 2016-03-29 | Google Inc. | Blacklisting of fault generating software code |
WO2017054731A1 (en) * | 2015-09-30 | 2017-04-06 | 北京奇虎科技有限公司 | Method and device for processing hijacked browser |
Also Published As
Publication number | Publication date |
---|---|
CN108595957B (en) | 2023-04-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||