CN111460442A - Attack detection method based on Internet cross search defects - Google Patents


Info

Publication number
CN111460442A
Authority
CN
China
Prior art keywords
widget
metadata
data
htm
page
Prior art date
Legal status
Pending
Application number
CN202010331450.4A
Other languages
Chinese (zh)
Inventor
李伟
Current Assignee
Huaihua University
Original Assignee
Huaihua University
Priority date
Filing date
Publication date
Application filed by Huaihua University
Priority to CN202010331450.4A
Publication of CN111460442A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Abstract

The invention provides an attack detection method based on Internet cross search defects, which comprises the following steps: S1: receiving and executing a widget including metadata from a web server, analyzing the widget during execution, determining, based on the analysis result, a first feature to be maintained when the widget is executed, and comparing the data of the first feature with the data of a second feature included in the metadata; S2: raising an alarm when a change equal to or greater than a predetermined value is detected between the data of the first feature and the data of the second feature. Because the widget is provided with a metadata file associated with it and included in it, the activity of the widget can be monitored, and information is protected against theft or tampering.

Description

Attack detection method based on Internet cross search defects
Technical Field
The invention relates to the technical field of internet search, in particular to an attack detection method based on internet cross search defects.
Background
Because test code is implanted into the target application program of the mobile terminal device, the approach is highly intrusive to the application program, and because the implanted code may conflict with part of the logic in the target application program, the stability and compatibility of the test are also reduced.
For example, the prior art CN101442412B discloses an attack early warning method based on mining the relationship between software defects and network attacks; however, an intrusion detection method based on an attack mode can only detect the type of intrusion attack, cannot provide constructive software defect repair suggestions to software developers, and can hardly improve software security quality in substance. Another typical method, for detecting orphan page implantation attacks, is disclosed in the prior art WO2012166440A2: various injections and attacks directly reduce the security of a web site. Some hackers even acquire system permissions directly through the web front end in order to change and destroy the back end, thereby achieving illegal access. These behaviors show up in forms visible to the average user, namely tampering, planted trojans, implanted hidden links, orphan pages, etc. Referring to the method and system for defending against viruses or malicious programs disclosed in the prior art WO2013029504A1, trojan programs are an increasing threat to users, and some trojan programs in particular conceal themselves by very subtle means, so that ordinary users find it difficult to notice an infection. The trojan program may steal passwords or data, for monitoring others or for theft.
The invention is made in order to solve problems common in this field, such as difficult discovery, reliance on a single means of detection, poor security, and poor reliability.
Disclosure of Invention
The invention aims to provide an attack detection method based on internet cross search defects aiming at the defects of the existing internet cross search.
In order to overcome the defects of the prior art, the invention adopts the following technical scheme:
an attack detection method based on Internet cross search defects, S1: receiving and executing a widget including metadata from a web server, analyzing the widget during execution, determining, based on the analysis result, a first feature to be maintained when the widget is executed, and comparing the data of the first feature with the data of a second feature included in the metadata;
S2: issuing an alarm when a change equal to or greater than a predetermined value is detected between the data of the first feature and the data of the second feature.
Optionally, the data of the first feature and the data of the second feature comprise at least one of a hypertext markup language (HTML) page, a JavaScript (JS) script, a JS function call graph, an external JS library item used by the widget, or a cascading style sheet used by the widget;
the HTML page includes a document object model tree of the HTML page.
Optionally, the uniform resource locator (URL) and the processing protocol of the widget are parsed, the HTML of the widget is parsed, and the JS of the widget is executed.
Optionally, performing the HTML parsing includes comparing a list of external dependencies used during the runtime of the widget with a list of external dependencies included in the metadata, or comparing a DOM tree generated at the runtime of the widget with a DOM tree included in the metadata, and binding the metadata to the widget using at least one of encryption and signature.
Optionally, the method comprises: analyzing the widget;
determining at least one feature maintained while the widget executes, based on a result of the analysis;
generating metadata comprising data of the at least one feature;
associating the metadata with the widget;
including the associated metadata file in the widget; and providing the widget to the device.
Optionally, the data of the at least one feature includes one of a hypertext markup language (HTML) page, a JavaScript (JS) script, a JS function call graph, an external JS library item used by the widget, or a cascading style sheet used by the widget.
Optionally, the HTML page includes a document object model (DOM) tree of the HTML page.
Optionally, the detection method includes: updating the widget; and updating data of at least one feature included in the metadata based on the update result;
providing the updated metadata to the device and binding the metadata to the widget using at least one of encryption and signature.
The beneficial effects obtained by the invention are as follows:
1. the activity of widgets is monitored by providing each widget with a metadata file that is associated with it and included in it;
2. the list of external dependencies used during the runtime of the widget is compared with the list of external dependencies included in the metadata, or the DOM tree generated during the runtime of the widget is compared with the DOM tree included in the metadata; any executing program that does not conform to the operating rules is simply blacklisted, so that malicious widgets can be efficiently restricted or suspended while web pages are browsed;
3. the operation of the widget is monitored by parsing the uniform resource locator (URL) of the widget, having the web server detect malicious code injected into the command stream of the widget running on a web-based operating system on a device in the wireless communication system, creating a metadata file comprising data of at least one invariant, and storing the metadata file with the widget in a memory;
4. the identification is performed by comparing the real-time parsing results with the corresponding data in the metadata file, the monitoring module issuing an alert when a mismatch is identified between a real-time invariant and the data associated with that invariant in the metadata file;
5. a list traversing device detects or verifies the list created by the detection unit; if that list differs greatly, the controller or control unit locks or freezes the entire widget for which the list was created, so that the widget can no longer perform any activity in the operating system during browsing.
Drawings
The invention will be further understood from the following description in conjunction with the accompanying drawings. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the embodiments. Like reference numerals designate corresponding parts throughout the different views.
FIG. 1 is a control flow diagram of detecting a widget in cross search.
FIG. 2 is a control flow diagram of analyzing the widget.
FIG. 3 is a control flow diagram of generating metadata for the widget.
FIG. 4 is a control flow diagram of the detection method.
Detailed Description
In order to make the objects and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the following embodiments; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. Other systems, methods, and/or features of the present embodiments will become apparent to those skilled in the art upon review of the following detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims. Additional features of the disclosed embodiments are described in, and will be apparent from, the detailed description that follows.
The same or similar reference numerals in the drawings of the embodiments of the present invention correspond to the same or similar components; in the description of the present invention, it should be understood that if there is an orientation or positional relationship indicated by the terms "upper" and "lower" and "left" and "right" etc., it is only for convenience of description and simplification of the description based on the orientation or positional relationship shown in the drawings, but it is not indicated or implied that the device or assembly referred to must have a specific orientation.
In an embodiment, the attack detection method based on Internet cross search defects includes the steps of: S1, receiving and executing a widget including metadata from a network server, analyzing the widget during execution, determining, based on the analysis result, a first characteristic to be maintained when the widget executes, and comparing the data of the first characteristic with the data of a second characteristic included in the metadata; S2, issuing an alarm when a change equal to or greater than a predetermined value is detected between the data of the first characteristic and the data of the second characteristic. The data of the first characteristic and the data of the second characteristic include at least one of a hypertext markup language (HTML) page, a JavaScript (JS) script, a JS function call graph, an external JS library item used, or a cascading style sheet used. The HTML page includes the document object model tree of the HTML page. The uniform resource locator (URL) and the processing protocol of the widget are parsed, the HTML of the widget is parsed, and the JS of the widget is executed.
S1, receiving and executing a widget including metadata, analyzing the widget during execution, determining, based on the analysis result, a first feature to be maintained during execution of the widget, and comparing the data of the first feature with the data of a second feature; S2, sending an alarm when a change equal to or greater than a predetermined value is detected between the data of the first feature and the data of the second feature. Specifically, during cross search, orphan pages are frequently implanted in web pages; such windows float over the surface of the web page, so that private information such as personal information is leaked by being used or tampered with. This embodiment provides a solution for that situation: the widgets are provided from the server, and the detection determines whether a widget carries malicious code in its command stream and issues an alarm when a change is detected.
The data of the first characteristic and the data of the second characteristic in steps S1 and S2 comprise at least one of a hypertext markup language (HTML) page, a JavaScript (JS) script, a JS function call graph, an external JS library item used by the widget, or a cascading style sheet (CSS) used by the widget; the HTML page comprises the document object model tree of the HTML page. Specifically, all of these operate under the control of a controller, and the HTML page included in the invariant data is the Document Object Model (DOM) tree of the HTML page. While the widget runs, uniform resource locator (URL) parsing, protocol processing, HTML parsing, and execution of the widget's JS are performed.
The method comprises parsing the uniform resource locator (URL) and the processing protocol of the widget, parsing the HTML of the widget, and executing the JS of the widget. Specifically, the URL of the widget is parsed, and a network server detects malicious code injected into the command stream of the widget running on a network-based operating system on a device in a wireless communication system. The network server comprises a controller and a transmission unit. Through the network server, the controller can analyze the widget, determine at least one invariant that is continuously maintained while the widget runs, create a metadata file comprising data of the at least one invariant, and store the metadata file and the widget in a memory; the transmission unit is configured to include the associated metadata file in the widget and provide it to the device.
In addition, the present embodiment provides a detection apparatus for detecting malicious code in the command stream of a widget running on a network-based operating system. The detection apparatus includes a microprocessor configured to receive and execute the widget including metadata from a network server, determine, based on a result of analysis, a first invariant that is continuously maintained at widget runtime, compare the data of the first invariant with the data of a second invariant included in the metadata, and issue an alarm when the change detected between the data of the first invariant and the data of the second invariant is equal to or greater than a predetermined value. Performing the HTML parsing includes comparing a list of external dependencies used during the widget runtime with a list of external dependencies included in the metadata, or comparing a DOM tree generated at the widget runtime with a DOM tree included in the metadata; the metadata is bound to the widget using at least one of encryption and signature.
The monitoring module is included in the rendering engine of the web-based operating system. When the widget runs in the device, the web runtime of the browser starts the execution of the widget, and the metadata file of the widget is loaded into the web runtime together with the code of the widget. The monitoring module operates at runtime by parsing the executing widget code to determine and identify the relevant invariants or their structure, and uses the parsing results to verify the validity, correctness, and accuracy of each invariant or its structure. This identification is performed by comparing the real-time parsing results with the corresponding data in the metadata file; the monitoring module issues an alert when a mismatch is identified between a real-time invariant and the data associated with that invariant in the metadata file. In addition, when each item of data in the metadata file and the real-time invariants are consistent with each other, the execution of the widget enables the widget to carry out a clearing operation, and the malicious code is cleared. Because the call graph information is contained in the metadata file and identified in real time, the monitoring module can mitigate script injection vulnerabilities. For example, the call graph of the widget may be extracted by using a static code analysis technique. It should be noted that the present invention is not limited to operating with a full call graph, as the identification can be performed with a simplified call graph that includes some code reachable from the input control; performing the identification with a reduced call graph will reduce some of the crossovers or links associated with the identification. The monitoring module may identify any deviation from the expected list of invariants, or from the corresponding structure of the invariants, by performing identification against the metadata file during execution of the widget. Of course, as the information about the invariants becomes more complete, i.e., the number of monitored invariants increases and/or the level of detail of each invariant increases, the accuracy of the detection becomes higher.
In this embodiment, the widget execution comprises the following steps: (a) identifying the external dependencies of the page, i.e. the code components that must be placed in the page for it to render successfully, such as JS, CSS, images, etc.; (b) HTML parsing, including building a DOM for rendering the page; (c) execution of the JavaScript program. The function of the monitoring unit can be implemented in the form of special callbacks invoked at the appropriate one of the three steps above. The monitoring module records and maintains a corresponding list of all or part of the CSS during the execution of the widget.
At the end of this process, a callback is executed to compare the list with the corresponding data in the metadata file; if a deviation is detected in the name or version of a library, an appropriate alarm is triggered. The HTML parsing function in the monitoring module builds a DOM tree, which is the entity that the layout manager of the widget operates on.
The JS parsing comprises three stages: (a) a parsing step in which the syntax is verified and a corresponding binary representation is constructed; (b) a function parsing step in which all functions are registered; (c) an execution step in which the code is re-verified. The monitoring callback is inserted into the third stage to be executed.
In the third step above, it may be checked whether the stack matches the call graph created in the cross search. In addition, in the third step, it can also be determined whether a special predefined sensitive function is invoked or whether there is an unexpected access to a security-sensitive resource. If the monitoring module detects one of these events, an appropriate alarm is triggered.
The characteristic data comprise one of a hypertext markup language (HTML) page, a JavaScript (JS) script, a JS function call graph, an external JS library item used by the widget, or a cascading style sheet used by the widget; the HTML page comprises the Document Object Model (DOM) tree of the HTML page. Specifically, the characteristic data comprise first characteristic data and second characteristic data, both of which are processed in the controller, and the HTML pages of all active widgets and the running scripts of the widgets are verified. In this embodiment, the running scripts can be shielded by the controller to enable the running scripts to be operated, so that the widget is in a state of being
The monitoring unit creates a DOM tree for the running widget and, when the widget finishes running, compares it with the corresponding DOM tree in the metadata file; the monitoring unit raises an alarm when any deviation is found. During this process the network URL of the widget or plug-in must be blocked so that the plug-in or widget cannot exchange data with external devices. The monitoring unit is provided with a list traversing device for detecting or verifying the list created by the detection unit; if that list differs greatly, the controller or control unit locks or freezes the entire widget for which the list was created, so that the widget loses its function in the operating system during browsing. In other embodiments, the monitoring unit can also monitor the whole running widget.
The detection method comprises the following steps: updating the widget; updating the data of at least one feature included in the metadata based on the update result; providing the updated metadata to a device; and binding the metadata to the widget using at least one of encryption and signature. Specifically, the detection method first identifies the version number of the widget and checks that identification, i.e. the transmission path is identified through the version number of the widget. In this embodiment, after the result data is updated, the feature data of the resulting metadata are divided and supplied to the devices as a plurality of feature data, and the device triggering the metadata is monitored in real time. In addition, when a plurality of metadata are transmitted, the metadata can be bound to the widget by encrypting the original data, which effectively ensures the security of the metadata. In this embodiment, the widget and the encrypted metadata are in a one-to-one correspondence, that is, specific metadata can be identified only through the specific widget number, which effectively ensures the transmission security of the metadata and also effectively prevents the danger of information being stolen or tampered with after an orphan page is implanted during web browsing.
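The comparison of the external-dependency list and the DOM tree against metadata bound to the widget, as described above, can be implemented as follows. This is an added example, not code from the patent; the function names, the JSON metadata layout, the use of an HMAC as the binding, the count of findings as the "predetermined value", and the sample widget are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from collections import Counter
from html.parser import HTMLParser

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class WidgetScanner(HTMLParser):
    """Collects the two invariants compared here: external dependencies and DOM shape."""

    def __init__(self):
        super().__init__()
        self.deps = set()    # (kind, url) pairs for external JS, CSS and embedded content
        self.paths = []      # one "html/body/div" style path per element
        self._stack = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.deps.add(("js", a["src"]))
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet" and a.get("href"):
            self.deps.add(("css", a["href"]))
        elif tag in ("img", "iframe") and a.get("src"):
            self.deps.add((tag, a["src"]))
        self.paths.append("/".join(self._stack + [tag]))
        if tag not in VOID_TAGS:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self._stack:               # ignore stray or void end tags
            while self._stack.pop() != tag:
                pass


def extract_features(html):
    scanner = WidgetScanner()
    scanner.feed(html)
    scanner.close()
    return {"dependencies": sorted(map(list, scanner.deps)),
            "dom_paths": sorted(scanner.paths)}


def _mac(key, widget_id, features):
    # Canonical JSON so that server and device compute the MAC over identical bytes.
    payload = json.dumps({"widget_id": widget_id, "features": features},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_metadata(widget_id, html, key):
    """Server side: analyse the widget, record its invariants, bind them with a MAC."""
    features = extract_features(html)
    return {"widget_id": widget_id, "features": features,
            "mac": _mac(key, widget_id, features)}


def check_widget(widget_id, html, metadata, key, threshold=1):
    """Device side: return (alarm, findings) for the widget as actually received."""
    expected = _mac(key, metadata.get("widget_id", ""), metadata.get("features", {}))
    bound = hmac.compare_digest(expected, metadata.get("mac", ""))
    if metadata.get("widget_id") != widget_id or not bound:
        return True, ["metadata not bound to this widget (MAC or id mismatch)"]
    seen, ref = extract_features(html), metadata["features"]
    seen_deps = {tuple(d) for d in seen["dependencies"]}
    ref_deps = {tuple(d) for d in ref["dependencies"]}
    findings = [f"unexpected dependency: {k} {u}" for k, u in sorted(seen_deps - ref_deps)]
    findings += [f"missing dependency: {k} {u}" for k, u in sorted(ref_deps - seen_deps)]
    # Multiset comparison, so a duplicated element counts as a deviation too.
    seen_dom, ref_dom = Counter(seen["dom_paths"]), Counter(ref["dom_paths"])
    findings += [f"unexpected element: {p}" for p in sorted((seen_dom - ref_dom).elements())]
    findings += [f"missing element: {p}" for p in sorted((ref_dom - seen_dom).elements())]
    return len(findings) >= threshold, findings


# Constructed sample input: a small widget and a modified copy of it.
KEY = b"constructed-demo-key"
ORIGINAL = """<html><head><link rel="stylesheet" href="https://cdn.example/widget.css">
<script src="https://cdn.example/lib-1.2.0.js"></script></head>
<body><div id="weather"><span>Sunny</span></div></body></html>"""
TAMPERED = ORIGINAL.replace("lib-1.2.0.js", "lib-1.2.1.js").replace(
    "</body>", '<script src="https://other.example/extra.js"></script></body>')

if __name__ == "__main__":
    meta = build_metadata("weather-widget", ORIGINAL, KEY)
    for label, html in (("original", ORIGINAL), ("tampered", TAMPERED)):
        alarm, findings = check_widget("weather-widget", html, meta, KEY)
        print(label, "ALARM" if alarm else "ok", *findings, sep="\n  ")
```

The MAC check comes first because the comparison is only meaningful if the reference features themselves cannot be rewritten to match a modified widget.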
Example three: this embodiment should be understood to include at least all the features of any one of the foregoing embodiments and to improve further on them. In particular, this embodiment provides a Web program product comprising a hardware storage device having stored therein computer-executable program code that, when executed by a computer hardware system comprising a security system configured to test a Web service, causes the computer hardware system to: perform, by the security system, static analysis of the Web service; locate, during the static analysis, a seed instruction in the program code of the Web service, wherein the identity of the requestor is determined by the Web service; determine, during the static analysis, whether a value in the seed instruction is deterministic in selecting between multiple paths of a branch in the program code; and, in response to determining that the Web service selects one of the plurality of paths according to the identity of the requestor, indicate by the security system that the Web service has a potential vulnerability. Specifically, in response to determining that the Web service has a potential vulnerability, a trusted identity to compare with is determined, and a payload in which the trusted identity is emulated is submitted to the Web service. The program code of the Web service is configured with first diagnostic program code configured to determine, in response to execution of the Web service, that the trusted identity compares a response to the payload from the Web service to an expected response; based on the comparison, the program code of the Web service is instrumented with second diagnostic program code configured to invalidate identity decryption within the Web service in response to execution of the Web service. Performing static analysis on the Web service through the security system makes it possible to monitor the operation of the widget: the operation of the widget is monitored by locating the seed instruction in the Web service program code, which prevents the theft of personal information caused by the implantation of an orphan page during cross search.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
In summary, the attack detection method based on Internet cross search defects of the invention provides widgets in a state in which a metadata file is associated with each widget and included in it, so that the activity of the widget is monitored. By comparing the list of external dependencies used during the runtime of the widget with the list of external dependencies included in the metadata, or comparing the DOM tree generated during the runtime of the widget with the DOM tree included in the metadata, any executing program that does not conform to the operating rules is simply blacklisted, so that malicious widgets can be efficiently restricted or suspended while web pages are browsed. The operation of the widget is monitored by parsing the uniform resource locator (URL) of the widget, having the web server detect malicious code injected into the command stream of the widget running on a network-based operating system on a device in a wireless communication system, creating a metadata file including data of at least one invariant, and storing the metadata file with the widget in a memory. The monitoring unit compares the real-time results with the metadata file in order to detect deviations in the widget.
Although the invention has been described above with reference to various embodiments, it should be understood that many changes and modifications may be made without departing from the scope of the invention. That is, the methods, systems, and devices discussed above are examples. Various configurations may omit, substitute, or add various procedures or components as appropriate. For example, in alternative configurations, the methods may be performed in an order different than that described, and/or various components may be added, omitted, and/or combined. Moreover, features described with respect to certain configurations may be combined in various other configurations, as different aspects and elements of the configurations may be combined in a similar manner. Further, elements therein may be updated as technology evolves, i.e., many elements are examples and do not limit the scope of the disclosure or claims.
Specific details are given in the description to provide a thorough understanding of the exemplary configurations, including implementations. However, configurations may be practiced without these specific details. For example, well-known circuits, processes, algorithms, structures, and techniques have been shown without unnecessary detail in order to avoid obscuring the configurations. This description provides example configurations only, and does not limit the scope, applicability, or configuration of the claims. Rather, the foregoing description of the configurations will provide those skilled in the art with an enabling description for implementing the described techniques. Various changes may be made in the function and arrangement of elements without departing from the spirit or scope of the disclosure.
In conclusion, it is intended that the foregoing detailed description be regarded as illustrative rather than limiting, and that it be understood that these examples are illustrative only and are not intended to limit the scope of the invention. After reading the description of the invention, the skilled person can make various changes or modifications to the invention, and these equivalent changes and modifications also fall into the scope of the invention defined by the claims.
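The comparison summarized above (runtime external dependencies and DOM tree checked against the widget's metadata, with an alarm at or above a predetermined value) can be sketched as follows. This is an added example, not code from the patent: the function names, the path-based change metric, the 0.2 threshold, the rule that any unlisted dependency raises the alarm, and the sample data are all assumptions, and the metadata is assumed to have already passed its signature check.

```javascript
// Added illustration: all names, the change metric and the sample data are assumptions.
// A DOM tree is modelled as { tag, children: [...] }.
// Flatten a DOM tree into a multiset of root-to-node tag paths.
function domPaths(node, prefix = '', out = new Map()) {
  const path = `${prefix}/${node.tag.toLowerCase()}`;
  out.set(path, (out.get(path) || 0) + 1);
  for (const child of node.children || []) domPaths(child, path, out);
  return out;
}

// Share of tag paths that differ between the two trees (0 = identical).
function domChange(recorded, runtime) {
  const a = domPaths(recorded), b = domPaths(runtime);
  let diff = 0, total = 0;
  for (const key of new Set([...a.keys(), ...b.keys()])) {
    const x = a.get(key) || 0, y = b.get(key) || 0;
    diff += Math.abs(x - y);
    total += Math.max(x, y);
  }
  return total === 0 ? 0 : diff / total;
}

// External dependencies seen at runtime that the metadata does not list.
function unexpectedDeps(recorded, runtime) {
  const allowed = new Set(recorded);
  return [...new Set(runtime)].filter((url) => !allowed.has(url));
}

// Steps S1 and S2: compare runtime features with the metadata and raise an
// alarm on any unlisted dependency or a DOM change at or above the threshold.
function checkWidget(metadata, observed, threshold = 0.2) {
  const extra = unexpectedDeps(metadata.externalDeps, observed.externalDeps);
  const change = domChange(metadata.dom, observed.dom);
  return { alarm: extra.length > 0 || change >= threshold, extra, change };
}

// Constructed sample: metadata recorded for a widget, and a runtime
// observation in which an unlisted script and a form have appeared.
const list = { tag: 'ul', children: [{ tag: 'li' }, { tag: 'li' }] };
const metadata = {
  externalDeps: ['https://cdn.example/lib.js'],
  dom: { tag: 'div', children: [{ tag: 'h1' }, list] },
};
const form = { tag: 'form', children: [{ tag: 'input' }] };
const tampered = {
  externalDeps: ['https://cdn.example/lib.js', 'https://unlisted.example/c.js'],
  dom: { tag: 'div', children: [{ tag: 'h1' }, list, { tag: 'iframe' }, form] },
};
console.log(checkWidget(metadata, metadata), checkWidget(metadata, tampered));
```

A single extra list item stays below the threshold, while the added iframe and form push the DOM change to 0.375 and the unlisted script is reported separately.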

Claims (8)

1. An attack detection method based on Internet cross search defects is characterized by comprising the following steps:
S1: receiving and executing a widget including metadata from a web server, analyzing the widget during the execution, determining a first feature to be maintained when the widget is executed based on the analysis result, and comparing the first feature data with a feature included in the metadata;
S2: an alarm is raised when a change equal to or greater than a predetermined value is detected between the first characteristic data and the second characteristic data.
2. The Internet cross-search flaw-based attack detection method of claim 1, wherein the data of the first characteristic and the second characteristic data in steps S1 and S2 include at least one of a hypertext markup language (HTML) page, JavaScript, a JS function call graph, an external JS library entry used;
widgets or cascading style sheets used by widgets;
the HTML page includes a document object model tree of the HTML page.
3. The method for attack detection based on Internet cross-search defects according to one of the previous claims is characterized by resolving the uniform resource locator URL and the processing protocol of the widget, resolving the HTML of the widget and executing the JS of the widget.
4. The Internet cross-search flaw based attack detection method according to one of the preceding claims, wherein performing the HTML parsing method comprises comparing a list including external dependencies used during the runtime of the widget with a list including external dependencies included in the metadata, and comparing the external dependencies included in the runtime of the widget or comparing a DOM tree generated at the runtime of the widget with a DOM tree included in the metadata, the metadata being bound to the widget using at least one of encryption and signature.
5. The method for attack detection based on internet cross-search flaws according to one of the preceding claims, characterized by analyzing widgets;
determining at least one feature maintained while the widget executes, based on a result of the analysis;
generating metadata comprising data of the at least one characteristic;
associating metadata with the widget;
including the associated metadata file in the widget; and provides the widget to the device.
6. The method of any preceding claim, wherein the data of the at least one feature comprises one of a hypertext markup language HTML page, JavaScript, a JS function call graph, an external JS library entry or cascade used by the widget.
7. The internet cross-search flaw based attack detection method of one of the preceding claims, wherein the HTML page includes a Document Object Model (DOM) tree of the HTML page.
8. The method for detecting attacks based on Internet cross-search flaws as claimed in any one of the preceding claims, wherein the detection method comprises: updating the widget; and updating data of at least one feature included in the metadata based on the update result;
providing the updated metadata to the device and binding the metadata to the widget using at least one of encryption and signature.
CN202010331450.4A 2020-04-24 2020-04-24 Attack detection method based on Internet cross search defects Pending CN111460442A (en)

Publications (1)

Publication Number Publication Date
CN111460442A true CN111460442A (en) 2020-07-28

Family

ID=71679093

Country Status (1)

Country Link
CN (1) CN111460442A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200728