CN117336098B - Network space data security monitoring and analyzing method - Google Patents

Publication number: CN117336098B (granted patent; the earlier publication is CN117336098A)
Authority: CN (China)
Application number: CN202311537519.9A
Other languages: Chinese (zh)
Inventors: 张燕海, 邢磊, 郭威, 唐林凤
Original and current assignee: Chongqing Qiangang Safety Technology Co ltd
Prior art keywords: website, text, event, user, abnormal
Legal status: Active. The legal status, the assignee list and the priority date shown by Google Patents are assumptions, not legal conclusions; Google has not performed a legal analysis.
Classifications

    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention belongs to the field of network space data security monitoring and discloses a network space data security monitoring and analysis method comprising the following steps. The hidden suspiciousness of each website path in a page is judged by analysing the path; websites whose path suspiciousness exceeds a threshold are key-marked, and when the user visits a key-marked website its content is identified again. This helps the user recognise and avoid potentially risky websites, raises the user's security and trust, provides more accurate, genuine and useful information, and improves the browsing experience. In addition, the browser is subjected to scan-and-kill (malware scanning and removal) judgement at irregular times according to an irregular-time setting rule, which reduces the user's risk of network attack; because the rule is derived from the user's own access behaviour rather than a fixed schedule, the system log records are not easily cracked or bypassed, which benefits the overall network security posture.

Description

Network space data security monitoring and analyzing method
Technical Field
The invention belongs to the field of network space data security monitoring and relates to a network space data security monitoring and analysis method.
Background
Browser web pages are one of the most common forms of content in network space and also one of the main carriers through which an attacker carries out network attacks and spreads promotional (adware-type) software, so monitoring the potential security hazards in browser web pages while the user is browsing is very important.
Security monitoring of browser web pages makes it possible to discover and remove potential threats in advance, prevent the spread of promotional software, protect users' private information and property, and keep enterprises and individuals operating normally in network space; it strengthens the protection and management of web pages, safeguards network space data security, and improves the security of web pages.
The main method currently used for browser web page data security monitoring is to compare the websites present in a page against a stored library of compliant websites. This has the following defects: 1. Page websites may contain hidden paths. A known library of compliant websites cannot cover every possible security threat and malicious behaviour; an attacker can use new techniques to hide the features of a bad website so that it never appears in the compliant library. Simple screening therefore cannot analyse a website's hidden information in depth, and some potential risks are easily overlooked.
2. Existing browser page security monitoring is performed only once, when the user logs in to a web page, and the monitoring pattern is relatively fixed. Web page security is very easily threatened, attack techniques against it are increasingly complex and varied, and when monitoring follows a fixed pattern the system log record is easy to crack and bypass, leaving potential security holes. In addition, many browsers do not enable by default, or do not provide, an automated query-and-update mechanism, so users must query manually and new threats cannot be addressed in time.
Disclosure of Invention
In view of this, a network space data security monitoring and analysis method is provided to solve the problems set out in the background.
The aim of the invention is achieved by the following technical scheme. The invention provides a network space data security monitoring and analysis method comprising the following steps. Step one, extracting source code: after the user logs in to the browser and visits a page, the source code of the currently visited page is obtained, and a text set and a website set are extracted from it.
Step two, text set analysis: the text set in the source code, which comprises static text and the directory text (link text) of websites, is analysed to identify whether inducing (lure) text exists; if it does, whether each inducing text is the directory text of a website is judged.
Step three, screening of key-marked websites: when the directory text of a website is inducing text, the websites corresponding to the inducing text are removed from the website set to obtain the remaining websites; the suspiciousness of the remaining websites is analysed to obtain the abnormal websites and the key-marked websites, and the abnormal websites are blocked.
Step four, security monitoring: after the user enters the page corresponding to a key-marked website, the number of key-marked websites in the entered page is counted, and if the number exceeds a set value the entered page is closed.
Step five, irregular-time setting: the browser's system security log is obtained, and an irregular extraction rule is set according to the user's access pattern in the browser.
Step six, log analysis: the system security log is analysed at the irregular times, abnormal events in it are detected, and whether an autonomous scan-and-kill operation must be performed on the browser is judged.
Specifically, analysing the text set in the source code comprises the following. An HTML parsing library converts the source code into an operable document object model (DOM), through which all text content and hyperlink elements, i.e. the text set and website set of the source code, are located.
An inducing-text keyword library is constructed, each inducing text in the text set is identified by keyword filtering, and the proportion of inducing text in the text set is counted and compared with a set proportion threshold; when the proportion exceeds the threshold the current web page is closed, otherwise whether each inducing text is the directory text of a website is judged.
The specific steps are: obtain the position of the inducing text in the source code, then use a URL parsing function to identify whether a website exists at that position of the source code; if not, the inducing text is static text, which is marked and blocked; if a website exists, the inducing text is the directory text of that website, and the website is located and blocked.
Specifically, the procedure for analysing the suspiciousness of each remaining website is as follows. C1: obtain the protocol of each remaining website; if the protocol of a remaining website is HTTPS, obtain the content of the website's protocol certificate and verify the compliance ε of the certificate, otherwise mark the certificate compliance ε as 1, giving the certificate compliance ε_k = ε or 1 for each remaining website, where k is the remaining-website index, k = 1, 2, …, u.
C2: simulate user behaviour with an automated testing tool, obtain the multiple redirection behaviours of each remaining website, i.e. its redirection count and redirection paths, and calculate the suspiciousness of each remaining website's redirection path (formula not reproduced here), where ρ0 is a set suspiciousness adjustment coefficient, M is the redirection count of the remaining website, M' is a set threshold on the redirection count, and ρ_k' is the redirection path validity influence weight of the k-th remaining website.
C3: calculate the suspiciousness of each remaining website (formula not reproduced here), where ρ' and ε' are set reference values for redirection path suspiciousness and protocol certificate compliance respectively, λ1 and λ2 are the set weights (proportions) corresponding to redirection path suspiciousness and protocol certificate compliance respectively, and e is the natural constant.
Specifically, the redirection path validity influence weight of a remaining website is analysed as follows. Obtain the target URL of each redirection path of the remaining website, simulate each target URL with a network monitoring tool, obtain the returned response content through the interface the tool provides, and store the response content as variable indicators, comprising the IP address corresponding to the website's domain name, the website's HTTP status code, and the URL's returned content.
Verification rules are designed according to the expected content, and each variable indicator is analysed and verified to obtain a verification result of valid or invalid.
If the verification result of a variable indicator is valid, the influence weight of that indicator is marked as 1, otherwise as 0; the influence weights of the indicators are summed to obtain the comprehensive influence weight of the path, and the comprehensive influence weights of all paths are summed to obtain the website's redirection path validity influence weight.
Specifically, the key-marked websites are extracted as follows. A suspiciousness threshold range is set; if the suspiciousness of a remaining website is smaller than the minimum of the threshold range, the website is marked as an abnormal website and is intercepted and blocked; if the suspiciousness of a remaining website lies within the threshold range, it is marked as a key-marked website.
Specifically, the irregular extraction rule is set as follows. F1: determine an initial time range, generate a random time point within it using a random function, and take this random point as the start time point t_start of scheduled task execution.
F2: at the end of the initial time range, extract the peak access time within the initial time range from the system security log and denote it t_peak; take t1 = t_peak + |t_peak - t_start| as the first irregular time.
F3: take t_peak and t1 as the start and end access times of the next time range; at the end access time of the next time range, extract from the system security log the peak access time t_peak' within the next time range; take t2 = t1 + (t_peak' - t_peak) as the second irregular time, and continue setting irregular times during the user's access according to this irregular-time setting rule.
Specifically, the irregular analysis of the corresponding content of the security log comprises: obtain the system security log at a time point given by the irregular extraction rule, extract the download events and abnormal login events in the current time range from the log, analyse the anomaly coefficient of the download event and the anomaly coefficient of the abnormal login event, and denote them δ1 and δ2.
The abnormal event influence coefficient δ of the system security log is then evaluated (formula not reproduced here), where τ is a set correction factor for the abnormal event influence coefficient; when δ > δ0 it is determined that the browser needs to perform an autonomous scan-and-kill operation, δ0 being a set threshold of the abnormal event influence coefficient.
Specifically, the anomaly coefficient of a download event is analysed as follows. Identify whether the download event is an autonomous download by the user; if it is a download initiated by the web page, obtain the download source website, issue an early warning for that website, and take φ0 as the anomaly coefficient of the download event.
If the download event is an autonomous download by the user, extract the web page's upload data for the downloaded file and the user side's download data for the download event, compare them and calculate the health index ψ of the downloaded file package (formula not reproduced here), where s1 and s2 are the download start and end times in the user's download data, B is the downloaded file size, v is the normal download time per set unit of file size, Δv is a set allowable download speed error, and ζ is the anomaly corresponding to the downloaded file size in the user's download data; ψ is taken as the anomaly coefficient of the download event, so that the download event anomaly coefficient is δ1 = ψ or φ0.
Specifically, the anomaly coefficient of an abnormal login event is analysed as follows. Record each abnormal login event before the access start time of the current time range as a historical login event; obtain the login information of the abnormal login event at the current time point, compare it with the login information of each historical login event, calculate the login address evaluation coefficient of each historical login event, count the historical login events whose login address evaluation coefficient exceeds a set threshold, and denote the count Y.
Extract the login device from the login information of the abnormal login event at the current time point, compare it with the user's usual devices, and calculate the anomaly coefficient δ2 of the abnormal login event (formula not reproduced here), where Y' is the number of historical login events, σ is a set deviation correction factor for the abnormal login event anomaly coefficient, U is a set constant greater than 2, P denotes the state in which the login device matches one of the user's usual devices, β1 is the set login device influence weight in state P, and β2 is the set login device influence weight in the complementary state, in which the device does not match.
Compared with the prior art, the invention has the following beneficial effects. (1) The hidden suspiciousness of each website path in a page is judged by analysing the path, and websites whose path suspiciousness exceeds the threshold are key-marked; when the user visits a key-marked website its content is identified again, so the user is more alert during access and is helped to recognise and avoid potentially risky websites, which raises the user's security and trust, while the re-identification of website content provides more accurate, genuine and useful information and improves the user's browsing experience.
(2) Scan-and-kill judgement is performed on the browser at irregular times according to the irregular-time setting rule, so browser content can be updated in time, malicious software can be discovered and removed, and its spread in the browser prevented, thereby reducing the user's risk of network attack.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of the steps of the method of the invention.
Detailed Description
The embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the invention; all other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of the invention.
Referring to FIG. 1, the invention provides a network space data security monitoring and analysis method comprising the following steps. Step one, extracting source code: after the user logs in to the browser and visits a page, the source code of the currently visited page is obtained, and a text set and a website set are extracted from it.
Step two, text set analysis: the text set in the source code, which comprises static text and the directory text (link text) of websites, is analysed to identify whether inducing text exists; if it does, whether each inducing text is the directory text of a website is judged.
In a preferred embodiment, analysing the text set in the source code comprises the following. An HTML parsing library converts the source code into an operable document object model (DOM), through which all text content and hyperlink elements, i.e. the text set and website set of the source code, are located.
An inducing-text keyword library is constructed, each inducing text in the text set is identified by keyword filtering, and the proportion of inducing text in the text set is counted and compared with a set proportion threshold; when the proportion exceeds the threshold the current web page is closed, otherwise whether each inducing text is the directory text of a website is judged.
Specifically, the keyword filtering method is: compare each text in the text set with each keyword in the inducing-text keyword library; if a text in the text set matches a keyword in the library, that text is determined to be inducing text.
In a preferred embodiment, judging whether an inducing text is the directory text of a website comprises: obtain the position of the inducing text in the source code, then use a URL parsing function to identify whether a website exists at that position; if no website exists, the inducing text is static text, which is marked and blocked; if a website exists, the inducing text is the directory text of that website, and the website is located and blocked.
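The following is an added example, not code from the patent, showing steps one and two as described above (here and in the summary): the page source is parsed into a text set and a website set, inducing text is found by keyword filtering, the proportion is compared with a threshold, and each inducing text is classified as static text or as the directory (link) text of a website, whose website then leaves the set. The keyword library, the threshold of 0.5 and the sample HTML are assumptions constructed for the demonstration.

```python
"""Added example (not the patent's code): text-set analysis of page source."""
from html.parser import HTMLParser

# Assumed inducing-text keyword library; the patent constructs its own list.
INDUCING_KEYWORDS = ("free prize", "click here", "you have won", "urgent update")


class TextAndLinkCollector(HTMLParser):
    """Record every visible text node and, for text inside an <a href>, the
    href it belongs to; also record every href in document order."""

    def __init__(self):
        super().__init__()
        self._href_stack = []   # open <a> elements, innermost last
        self._skip_depth = 0    # inside <script>/<style>: not user-visible text
        self.texts = []         # (text, href or None)
        self.websites = []      # every href, in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            self._href_stack.append(href)
            if href:
                self.websites.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a" and self._href_stack:
            self._href_stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())   # collapse whitespace, drop blank nodes
        if text and not self._skip_depth:
            href = self._href_stack[-1] if self._href_stack else None
            self.texts.append((text, href))


def is_inducing(text, keywords=INDUCING_KEYWORDS):
    """Keyword filtering: a text is inducing if any library keyword occurs in it."""
    lowered = text.lower()
    return any(k in lowered for k in keywords)


def analyse_page(source, ratio_threshold=0.5, keywords=INDUCING_KEYWORDS):
    """Step two of the method: return the decision and the sets it rests on."""
    parser = TextAndLinkCollector()
    parser.feed(source)
    parser.close()
    inducing = [(t, h) for t, h in parser.texts if is_inducing(t, keywords)]
    ratio = len(inducing) / len(parser.texts) if parser.texts else 0.0
    if ratio > ratio_threshold:
        # Too much lure text on the page: the page is closed outright.
        return {"action": "close_page", "ratio": ratio}
    # Inducing text with no enclosing link is static text (mark and block the
    # text); inducing text inside a link is that website's directory text, so
    # the website is located, blocked and removed from the website set.
    static = [t for t, h in inducing if h is None]
    directory = {t: h for t, h in inducing if h is not None}
    blocked = set(directory.values())
    remaining = [h for h in parser.websites if h not in blocked]
    return {
        "action": "continue",
        "ratio": ratio,
        "static_inducing": static,
        "directory_inducing": directory,
        "remaining_websites": remaining,
    }


# Constructed page source for the demonstration (not a real site).
SAMPLE_HTML = """<html><body>
<h1>Quarterly report</h1>
<p>Download the PDF from the archive.</p>
<p>Click here to claim your free prize!</p>
<a href="https://archive.example.com/q3.pdf">Q3 report</a>
<a href="http://promo.example.net/win">You have WON a free prize</a>
<script>var lure = "click here";</script>
</body></html>"""

if __name__ == "__main__":
    print(analyse_page(SAMPLE_HTML))
```

On the sample page two of the five visible texts are inducing (ratio 0.4), so the page stays open; the paragraph text is blocked as static text, the lure link is blocked as directory text, and only the archive link survives as a remaining website. Script content is deliberately not counted, since the user never sees it.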
Step three, screening of key-marked websites: when the directory text of a website is inducing text, the websites corresponding to the inducing text are removed from the website set to obtain the remaining websites; the suspiciousness of the remaining websites is analysed to obtain the abnormal websites and the key-marked websites, and the abnormal websites are blocked.
In a preferred embodiment, the procedure for analysing the suspiciousness of each remaining website is as follows. C1: obtain the protocol of each remaining website; if the protocol of a remaining website is HTTPS, obtain the content of the website's protocol certificate, which comprises the issuer, the domain name and the expiry date, and verify the compliance ε of the certificate, otherwise mark the certificate compliance ε as 1, giving the certificate compliance ε_k = ε or 1 for each remaining website, where k is the remaining-website index, k = 1, 2, …, u.
The compliance of the website protocol certificate is verified as follows. Check the issuer field of the certificate and confirm whether the certificate was issued by a set certificate authority; if the issuing authority can be recognised, the issuer content of the certificate meets the requirement. Then check the domain name field of the certificate and match it against the domain name of the currently queried page website; if the domain name matches, the domain name content of the certificate meets the requirement. Then compare the expiry date of the certificate with the current date; if the expiry date is after the current date, the date content of the certificate meets the requirement, and ε1 is taken as the compliance of the certificate. If any of the above checks finds content that does not meet the requirement, ε2 is taken as the compliance, so that when the website protocol is HTTPS the certificate compliance is ε = ε1 or ε2.
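The following is an added example, not the patent's code, of step C1 and the three-part certificate compliance check just described. It works on the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, so a constructed certificate can be checked offline; the trusted issuer names, the numeric values chosen for ε1 and ε2, and the sample certificate are assumptions.

```python
"""Added example (not the patent's code): protocol certificate compliance."""
import ssl
import time
from urllib.parse import urlsplit

# Assumed set of recognised certificate authorities (placeholder names).
TRUSTED_ISSUERS = {"Example Root CA", "Example Intermediate CA"}

# Assumed values for epsilon1 (all checks pass) and epsilon2 (a check fails);
# the patent treats both as set parameters.
EPS_COMPLIANT = 1.0
EPS_NONCOMPLIANT = 0.5


def _rdn_value(rdn_seq, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples that
    getpeercert() uses for the 'subject' and 'issuer' fields."""
    for rdn in rdn_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _hostname_matches(pattern, host):
    """Exact match, or a single '*.' wildcard covering the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return False


def certificate_compliance(url, cert, now=None, trusted=TRUSTED_ISSUERS):
    """Return (epsilon, failed_checks) for one remaining website.

    A non-HTTPS site gets epsilon = 1 with no checks (step C1). An HTTPS site
    gets EPS_COMPLIANT only when issuer, domain name and expiry all pass.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 1, []
    now = time.time() if now is None else now
    failed = []

    # Check 1: issuer must be a recognised certificate authority.
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn not in trusted:
        failed.append("issuer")

    # Check 2: the queried page's host must match a DNS SAN or the subject CN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.append(cn)
    if not any(_hostname_matches(n, parts.hostname or "") for n in names):
        failed.append("domain")

    # Check 3: the expiry date (notAfter) must lie after the current date.
    not_after = cert.get("notAfter")
    if not not_after or ssl.cert_time_to_seconds(not_after) <= now:
        failed.append("expiry")

    return (EPS_COMPLIANT if not failed else EPS_NONCOMPLIANT), failed


# Constructed certificate in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(certificate_compliance("https://shop.example.com/x", SAMPLE_CERT, now=0))
    print(certificate_compliance("https://evil.example.org/", SAMPLE_CERT, now=0))
    print(certificate_compliance("http://plain.example.com/", SAMPLE_CERT))
```

The function also reports which checks failed, which is what an operator needs when deciding whether a website deserves the lower compliance value ε2; the wildcard matcher deliberately accepts only one label, mirroring how browsers treat `*.example.com`.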
C2: simulate user behaviour with an automated testing tool, obtain the multiple redirection behaviours of each remaining website, i.e. its redirection count and redirection paths, and calculate the suspiciousness of each remaining website's redirection path (formula not reproduced here), where ρ0 is a set suspiciousness adjustment coefficient, M is the redirection count of the remaining website, M' is a set threshold on the redirection count, and ρ_k' is the redirection path validity influence weight of the k-th remaining website.
C3: calculate the suspiciousness of each remaining website (formula not reproduced here), where ρ' and ε' are set reference values for redirection path suspiciousness and protocol certificate compliance respectively, λ1 and λ2 are the set weights (proportions) corresponding to redirection path suspiciousness and protocol certificate compliance respectively, and e is the natural constant.
In a preferred embodiment, the redirection path validity influence weight of a remaining website is analysed as follows. Obtain the target URL of each redirection path of the remaining website, simulate each target URL with a network monitoring tool, obtain the returned response content through the interface the tool provides, and store the response content as variable indicators, comprising the IP address corresponding to the website's domain name, the website's HTTP status code, and the URL's returned content.
The target URL of each redirection path of the remaining website is obtained using the browser's developer tools.
Verification rules are designed according to the expected content, and each variable indicator is analysed and verified to obtain a verification result of valid or invalid.
If the verification result of a variable indicator is valid, the influence weight of that indicator is marked as 1, otherwise as 0; the influence weights of the indicators are summed to obtain the comprehensive influence weight of the path, and the comprehensive influence weights of all paths are summed to obtain the website's redirection path validity influence weight.
The analysis corresponding to the verification result of each variable indicator is as follows. E1: before accessing the URL, resolve its domain name to an IP address; if no IP address can be resolved for the URL, the URL is considered invalid.
E2: obtain the website's HTTP status code and analyse whether it is valid.
For example, common HTTP status codes include 200, 404 and 500, where 200 indicates that the request succeeded, 404 that the page does not exist and 500 that the server encountered an error. If the returned status code is 200 the URL is considered valid; the URL connection duration is then obtained, and if it exceeds the set duration the connection cannot be established and the URL is invalid.
E3: obtain the content returned by the URL and judge whether it meets expectations; if not, the URL is invalid. For example, if an HTML page is expected but an error message or another type of content is returned, the URL is considered invalid.
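The following is an added example, not the patent's code, of the redirection path validity influence weight computed from the three variable indicators E1 to E3 above (this passage and the summary earlier). The observations stand in for what a network monitoring tool would record per redirect target URL and are constructed inline; the 5-second connection limit and the expectation of an HTML document are assumptions.

```python
"""Added example (not the patent's code): redirect path validity weight."""
from dataclasses import dataclass
from typing import Optional

MAX_CONNECT_SECONDS = 5.0            # assumed "set duration" for E2
EXPECTED_CONTENT_TYPE = "text/html"  # assumption: an HTML page is expected (E3)


@dataclass
class PathObservation:
    """Variable indicators recorded for one redirect target URL."""
    url: str
    ip: Optional[str]         # None: domain name could not be resolved
    status: Optional[int]     # None: no HTTP response at all
    connect_seconds: float    # time to establish the connection
    content_type: str         # Content-Type header of the response
    body_prefix: str          # first bytes of the returned content


def verify_ip(obs):
    """E1: the URL's domain name must resolve to an IP address."""
    return obs.ip is not None


def verify_status(obs):
    """E2: status 200 and a connection established within the set duration."""
    return obs.status == 200 and obs.connect_seconds <= MAX_CONNECT_SECONDS


def verify_content(obs):
    """E3: the returned content must be the expected kind (an HTML document)."""
    looks_like_html = obs.body_prefix.lstrip().lower().startswith(("<!doctype html", "<html"))
    return obs.content_type.lower().startswith(EXPECTED_CONTENT_TYPE) and looks_like_html


RULES = (("ip", verify_ip), ("status", verify_status), ("content", verify_content))


def path_weight(obs):
    """Comprehensive influence weight of one path: 1 per valid indicator, else 0."""
    per_indicator = {name: int(rule(obs)) for name, rule in RULES}
    return {"url": obs.url, "indicators": per_indicator,
            "total": sum(per_indicator.values())}


def redirect_validity_weight(paths):
    """Website redirection path validity influence weight: sum over all paths."""
    return sum(path_weight(p)["total"] for p in paths)


# Constructed observations for one remaining website's redirect chain.
SAMPLE_PATHS = [
    PathObservation("https://shop.example.com/", "192.0.2.10", 200, 0.3,
                    "text/html; charset=utf-8", "<!DOCTYPE html><html>"),
    PathObservation("https://slow.example.com/landing", "198.51.100.7", 200, 9.0,
                    "text/html", "<html><body>"),
    PathObservation("https://old.example.com/moved", "203.0.113.5", 404, 0.2,
                    "text/html", "<html><body>Not Found"),
    PathObservation("https://gone.example.invalid/", None, None, 0.0, "", ""),
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(path_weight(p))
    print("website weight:", redirect_validity_weight(SAMPLE_PATHS))
```

Each path contributes between 0 and 3, so a chain whose hops mostly resolve, answer 200 promptly and return real HTML scores high, while a chain through dead or slow hops scores low; in the sample the four hops score 3, 2, 2 and 0 for a website weight of 7.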
In a preferred embodiment, the key-marked websites are extracted as follows. A suspiciousness threshold range is set; if the suspiciousness of a remaining website is smaller than the minimum of the threshold range, the website is marked as an abnormal website and is intercepted and blocked; if the suspiciousness of a remaining website lies within the threshold range, it is marked as a key-marked website.
Step four, security monitoring: after the user enters the page corresponding to a key-marked website, the number of key-marked websites in the entered page is counted, and if the number exceeds a set value the entered page is closed.
In this way the hidden suspiciousness of each website path in a page is judged by analysing the path, and websites whose path suspiciousness exceeds the threshold are key-marked; when the user visits a key-marked website its content is identified again, so the user is more alert during access and is helped to recognise and avoid potentially risky websites, which raises the user's security and trust, while the re-identification of website content provides more accurate, genuine and useful information and improves the user's browsing experience.
Step five, irregular-time setting: the browser's system security log is obtained, and an irregular extraction rule is set according to the user's access pattern in the browser.
In a preferred embodiment, the irregular extraction rule is set as follows: F1, determining an initial time range, generating a random time point in the initial time range by using a random function, and taking the random time point as the starting time point t_start of timing task execution.
F2, at the end time of the initial time range, extracting the peak access time within the initial time range from the system security log and marking it as t_peak, and taking t1 = t_peak + |t_peak − t_start| as the first irregular time.
F3, taking t_peak and t1 as the start access time and the end access time of the next time range, extracting the peak access time t_peak′ within the next time range from the system security log at the end access time of the next time range, and further taking t2 = t1 + (t_peak′ − t_peak) as the second irregular time; the irregular times during the user's access are set according to this rule.
The peak access time is acquired as follows: the access amount at each time point in the initial time range is extracted from the access log and compared with a preset access amount. When the access amount at a certain time point in the initial time range is larger than the preset access amount, that time point is marked as an initial time; the access amounts of the subsequent time points are then compared with the preset access amount in turn, and the first time point whose access amount is smaller than the preset access amount is taken as the terminal time.
The interval between the initial time and the terminal time is taken as a sub-time period, so that each sub-time period in the initial time range is obtained. The access amounts corresponding to the central times of the sub-time periods are compared with one another, the maximum access amount is screened out, and the central time of the sub-time period corresponding to the maximum access amount is recorded as the peak access time. When t_peak = t_peak′, the central time corresponding to the sub-time period whose access amount ranks second is acquired and recorded as the peak access time.
The central time of a sub-time period is the time corresponding to its middle time point.
The access amount refers to the access behaviour of users towards the website, where access behaviour comprises the user's device information, IP address, the accessed page or resource, and the like. During the peak access period, activity is frequent and more potential risks exist, so timely monitoring and response are very important; therefore, when the irregular time interval is set, the peak access time is preferentially selected for extracting the security log.
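The sub-period detection, the peak selection (including the second-ranked fallback when t_peak′ would equal t_peak) and the F1 to F3 rule above can be run together on a series of per-hour access amounts. This is an added example, not code from the patent; the hourly counts and the preset access amount are constructed inline, and t_start can be fixed for reproducibility instead of being drawn at random.

```python
import random
from typing import List, Optional, Tuple


def sub_periods(counts: List[int], start: int, end: int, preset: int) -> List[Tuple[int, int]]:
    """Split the range [start, end] of per-hour access amounts into sub-time periods.
    A period opens at the first time point whose amount exceeds the preset (the initial
    time) and closes at the next time point whose amount falls below the preset (the
    terminal time); a period still open when the range ends closes at the range end."""
    end = min(end, len(counts) - 1)
    periods, open_at = [], None
    for t in range(start, end + 1):
        if open_at is None and counts[t] > preset:
            open_at = t
        elif open_at is not None and counts[t] < preset:
            periods.append((open_at, t))
            open_at = None
    if open_at is not None:
        periods.append((open_at, end))
    return periods


def peak_access_time(counts: List[int], start: int, end: int, preset: int,
                     exclude: Optional[int] = None) -> Optional[int]:
    """Central time of the sub-period whose central access amount is the largest.
    `exclude` implements the page's rule for t_peak = t_peak': when the best candidate
    equals the previous peak, the sub-period ranked second is used instead."""
    ranked = sorted(
        ((counts[(s + e) // 2], (s + e) // 2) for s, e in sub_periods(counts, start, end, preset)),
        reverse=True,
    )
    for _, center in ranked:
        if center != exclude:
            return center
    return None


def irregular_times(counts: List[int], start: int, end: int, preset: int,
                    t_start: Optional[int] = None, rng: Optional[random.Random] = None):
    """F1-F3: returns (t_start, t_peak, t1, t_peak', t2).
    t_start is drawn at random inside the initial range unless it is supplied."""
    if t_start is None:
        t_start = (rng or random).randint(start, end)
    t_peak = peak_access_time(counts, start, end, preset)
    if t_peak is None:
        raise ValueError("no time point in the initial range exceeds the preset access amount")
    t1 = t_peak + abs(t_peak - t_start)                       # F2: first irregular time
    t_peak2 = peak_access_time(counts, t_peak, t1, preset, exclude=t_peak)
    if t_peak2 is None:                                        # next range has no qualifying period
        return t_start, t_peak, t1, None, None
    t2 = t1 + (t_peak2 - t_peak)                               # F3: second irregular time
    return t_start, t_peak, t1, t_peak2, t2


# Constructed sample: hourly access amounts over two days (index = hour offset from day start).
DAY = [20] * 8 + [150, 300, 420, 380, 200, 90, 110, 160, 140, 80, 130, 260, 500, 240, 70, 30]
SAMPLE_COUNTS = DAY + DAY
PRESET = 100

if __name__ == "__main__":
    print("sub-periods:", sub_periods(SAMPLE_COUNTS, 0, 23, PRESET))
    print("peak hour:", peak_access_time(SAMPLE_COUNTS, 0, 23, PRESET))
    print("F1-F3:", irregular_times(SAMPLE_COUNTS, 0, 23, PRESET, rng=random.Random(7)))
```

With the sample counts the initial day yields the sub-periods 8-13, 14-17 and 18-22, whose central hours carry 420, 160 and 500 accesses, so t_peak is hour 20; excluding hour 20 falls back to hour 10, which is the second-ranked rule in action.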
Step six: log analysis: performing irregular analysis on the system security log, detecting abnormal events in the system security log, and judging whether an autonomous searching and killing operation needs to be executed on the browser.
In a preferred embodiment, performing the irregular analysis on the corresponding content of the security log includes: acquiring the system security log at a time point given by the irregular extraction rule, extracting the download events and abnormal login events within the current time range from the system security log, analyzing the anomaly coefficient of the download events and the anomaly coefficient of the abnormal login events, and marking them as δ1 and δ2 respectively.
The abnormal event influence coefficient δ of the system security log is then evaluated, where τ is a correction factor set for the abnormal event influence coefficient; when δ > δ0, it is determined that the browser needs to perform an autonomous searching and killing operation, δ0 denoting the set abnormal event influence coefficient threshold.
In a preferred embodiment, analyzing the anomaly coefficient of a download event comprises the following steps: identifying whether the download event is an autonomous download action of the user; if the download event is a webpage-triggered download action, acquiring the download source website, issuing an early warning on the download source website, and taking ψ0 as the anomaly coefficient of the download event.
Specifically, by analyzing the user's operation flow on the website, it can be determined whether the download event is associated with the user's current operation. For example, if the user triggers a download event after clicking a button, the download event is determined to be an autonomous download action of the user.
If the download event is an autonomous download action of the user, the webpage upload data of the downloaded file corresponding to the download event and the user-side download data are extracted, and the health index ψ of the downloaded file package of the download event is calculated by comparison, where s1 and s2 are respectively the download start time and the download end time in the user download data, B denotes the downloaded file size, v denotes the normal download duration corresponding to a set unit file size, Δv denotes the set download speed error allowance, and ζ denotes the degree of abnormality corresponding to the downloaded file size in the user download data; ψ is then taken as the anomaly coefficient of the download event, so that the anomaly coefficient of the download event is δ1 = ψ or ψ0.
The webpage upload data of the downloaded file is the file upload size, and the user-side download data comprises the downloaded file size, the download start time and the download end time.
The degree of abnormality corresponding to the downloaded file size in the user download data is obtained as follows: the file upload size is marked as B′. If B > B′, bundled files exist in the downloaded file; the degree of abnormality corresponding to the downloaded file size in the user download data is marked as ζ1, the content of the downloaded file package is analyzed with a security analysis tool, the hidden files present are identified, the position of each hidden file is tracked by searching registry entries, file paths and processes, and the hidden file is then automatically deleted. If B < B′, the downloaded file is incomplete; the degree of abnormality corresponding to the downloaded file size in the user download data is marked as ζ2, and early warning information is sent to the background system of the file download end. The degree of abnormality corresponding to the downloaded file size in the user download data is thus ζ = ζ1 or ζ2.
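The download branch of step six, written out as decision logic over the quantities the page names (user-triggered or not, B against B′, s1, s2, v and Δv). This is an added example, not code from the patent: the numeric values of ψ0, ζ1 and ζ2, the treatment of Δv as a per-unit tolerance around the expected duration B·v, and the way ψ combines ζ with the duration deviation are assumptions, because the page gives the health index formula only as an image; the sample events are constructed inline.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PSI_0 = 1.0    # anomaly coefficient for webpage-triggered downloads (value assumed; the page gives only the symbol)
ZETA_1 = 0.8   # degree of abnormality when B > B', i.e. bundled content (value assumed)
ZETA_2 = 0.5   # degree of abnormality when B < B', i.e. incomplete file (value assumed)


@dataclass
class DownloadEvent:
    user_triggered: bool   # True when the download followed the user's own action (e.g. a button click)
    source_site: str       # download source website
    b_upload_mb: float     # B': file size recorded on the webpage side, in MB
    b_download_mb: float   # B: file size received on the user side, in MB
    s1: float              # download start time, seconds
    s2: float              # download end time, seconds


def size_abnormality(b_download_mb: float, b_upload_mb: float) -> Tuple[float, str]:
    """zeta: compare the received size B with the uploaded size B'."""
    if b_download_mb > b_upload_mb:
        return ZETA_1, "bundled"
    if b_download_mb < b_upload_mb:
        return ZETA_2, "incomplete"
    return 0.0, "size-ok"


def duration_excess(ev: DownloadEvent, v: float, delta_v: float) -> float:
    """Relative amount by which the observed duration s2 - s1 leaves the band
    B*v +/- B*delta_v (v: normal seconds per MB, delta_v: allowed error per MB).
    Zero while the download stays inside the band; assumed stand-in for the page's formula."""
    expected = ev.b_download_mb * v
    if expected <= 0:
        return 0.0
    tolerance = ev.b_download_mb * delta_v
    observed = ev.s2 - ev.s1
    return max(0.0, abs(observed - expected) - tolerance) / expected


def analyze_download(ev: DownloadEvent, v: float, delta_v: float) -> Dict:
    """Return delta1 for one download event together with the response the page prescribes."""
    if not ev.user_triggered:
        return {"delta1": PSI_0, "label": "page-triggered",
                "actions": [f"early-warn download source {ev.source_site}"]}
    zeta, label = size_abnormality(ev.b_download_mb, ev.b_upload_mb)
    psi = zeta + duration_excess(ev, v, delta_v)   # assumed health index combination
    actions: List[str] = []
    if label == "bundled":
        actions += ["analyse package with security analysis tool",
                    "locate hidden file via registry entries, file paths and processes",
                    "delete hidden file"]
    elif label == "incomplete":
        actions.append("send early warning to the download-end background system")
    return {"delta1": psi, "label": label, "actions": actions}


# Constructed sample events and speed parameters.
V, DELTA_V = 0.5, 0.1   # 0.5 s per MB expected, 0.1 s per MB allowed error
EV_BUNDLED = DownloadEvent(True, "files.example", 10.0, 12.0, 0.0, 9.0)
EV_PAGE = DownloadEvent(False, "ads.example", 2.0, 2.0, 0.0, 1.0)
EV_CLEAN = DownloadEvent(True, "files.example", 10.0, 10.0, 0.0, 5.0)

if __name__ == "__main__":
    for ev in (EV_BUNDLED, EV_PAGE, EV_CLEAN):
        print(analyze_download(ev, V, DELTA_V))
```

For the bundled sample the file grew from 10 MB to 12 MB and took 9 s instead of the expected 6 s (band 4.8 s to 7.2 s), so ζ1 and the 30 % duration excess add up; the clean sample stays inside the band and scores zero.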
In a preferred embodiment, analyzing the anomaly coefficient of an abnormal login event comprises the following steps: recording each abnormal login event before the access start time corresponding to the current time range as a historical login event, acquiring the login information of the abnormal login event corresponding to the current time point, comparing it with the login information of each historical login event, calculating the login address evaluation coefficient of each historical login event, counting the number of historical login events whose coefficient exceeds the set login address evaluation coefficient threshold, and recording this number as Y.
The login device is extracted from the login information corresponding to the abnormal login event at the current time point and compared with the user's common device, and the anomaly coefficient δ2 of the abnormal login event is calculated, where Y′ denotes the number of historical login events, σ denotes the set deviation correction factor corresponding to the anomaly coefficient of the abnormal login event, U denotes a set constant larger than 2, P denotes the state in which the login device matches a user common device, β1 denotes the login device influence weight set for the P state, and β2 denotes the login device influence weight set for the P̄ state (login device not matched).
It should be noted that the login address evaluation coefficient of a historical login event is calculated as follows: the historical login location is extracted from the login information of the historical login event, the current login location is extracted from the login information of the abnormal login event corresponding to the current time point, the historical login location is compared with the current login location to obtain the geographic distance L, and the login address evaluation coefficient of the historical login event is obtained from the calculation formula, in which E1 denotes that the historical login location and the current login location lie in different countries, and E2 denotes that they lie in the same country.
The user's common device is the device on which the user enters the short message verification code.
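The login branch of step six, as an added example that is not code from the patent: the geographic distance L is computed with the haversine formula, the E1/E2 country state scales it, the count Y and the device state P are derived as the page describes, and a δ2 is formed from Y/Y′ and the device weight β1 or β2. The scaling for E1, the numeric weights and the δ2 combination are assumed stand-ins, since the page gives the evaluation coefficient and δ2 formulas (with σ and U) only as images; the login history and coordinates are constructed inline.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class LoginEvent:
    lat: float
    lon: float
    country: str
    device: str


def haversine_km(a: LoginEvent, b: LoginEvent) -> float:
    """Great-circle distance L between two login locations, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


FOREIGN_FACTOR = 2.0   # assumed weighting for state E1 (different country); E2 (same country) uses 1.0


def address_coefficient(hist: LoginEvent, current: LoginEvent) -> float:
    """Login address evaluation coefficient of one historical login event.
    The page states only that it is built from L and the E1/E2 state; this scaling is assumed."""
    L = haversine_km(hist, current)
    return L * (FOREIGN_FACTOR if hist.country != current.country else 1.0)


def count_far_logins(history: List[LoginEvent], current: LoginEvent, threshold: float) -> int:
    """Y: number of historical login events whose coefficient exceeds the set threshold."""
    return sum(1 for h in history if address_coefficient(h, current) > threshold)


def login_anomaly(history: List[LoginEvent], current: LoginEvent, trusted_devices: Set[str],
                  threshold: float, beta1: float = 0.3, beta2: float = 1.0) -> Dict:
    """delta2 inputs: Y, Y' (size of the history) and the device state P.
    beta1 applies when the current device matches a common device (state P), beta2 otherwise.
    The combination (share of far logins scaled by the device weight) is an assumed stand-in."""
    y = count_far_logins(history, current, threshold)
    y_total = len(history)
    p = current.device in trusted_devices
    share = y / y_total if y_total else 0.0
    return {"Y": y, "Y_total": y_total, "device_known": p,
            "delta2": share * (beta1 if p else beta2)}


# Constructed history: three logins around Chongqing and one from Beijing.
HISTORY = [
    LoginEvent(29.56, 106.55, "CN", "phone-A"),
    LoginEvent(29.57, 106.54, "CN", "phone-A"),
    LoginEvent(29.55, 106.56, "CN", "laptop-B"),
    LoginEvent(39.90, 116.40, "CN", "phone-A"),
]
TRUSTED = {"phone-A", "laptop-B"}   # devices on which the user entered the SMS verification code
THRESHOLD_KM = 1000.0               # assumed login address evaluation coefficient threshold

if __name__ == "__main__":
    print(login_anomaly(HISTORY, LoginEvent(50.11, 8.68, "DE", "phone-X"), TRUSTED, THRESHOLD_KM))
    print(login_anomaly(HISTORY, LoginEvent(29.60, 106.50, "CN", "phone-A"), TRUSTED, THRESHOLD_KM))
```

A login from Frankfurt on an unknown device is far from all four historical locations (Y = Y′ = 4, state P̄), whereas a login from Chongqing on a registered device only exceeds the threshold against the Beijing event (Y = 1, state P) and is therefore weighted down by β1.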
According to the invention, irregular searching-and-killing judgments are made on the browser through the irregular setting rule, so that the browser content can be updated in time, malicious software is found and removed, and its spread in the browser is prevented, thereby reducing the user's risk of network attack.
The foregoing is merely illustrative and explanatory of the principles of this invention, as various modifications and additions may be made to the specific embodiments described, or similar arrangements may be substituted by those skilled in the art, without departing from the principles of this invention or beyond the scope of this invention as defined in the claims.

Claims (10)

1. The network space data security monitoring and analyzing method is characterized by comprising the following steps:
Step one: extracting source codes: when a user logs in a browser to access a page, acquiring a source code of the current access page, and further extracting a text set and a website set in the source code;
Step two: text set analysis: analyzing a text set in a source code, wherein the text set comprises static texts and directory texts of websites, identifying whether inducible texts exist, and if the inducible texts exist, judging whether the inducible texts are the directory texts of the websites;
Step three: screening of key mark websites: when the directory text of the website is an inducible text, removing the websites corresponding to the inducible text from the website set to obtain each residual website, analyzing the suspicious degree of each residual website to obtain each abnormal website and each key mark website, and further shielding each abnormal website;
Step four: safety monitoring: after a user enters a page corresponding to a certain key mark website, counting the number of the key mark websites entering the page, and if the number exceeds a set value, executing a closing operation on the entered page;
Step five: irregular time setting: acquiring a system security log of the browser, and setting an irregular extraction rule according to the access pattern of the user in the browser;
Step six: log analysis: performing irregular analysis on the system security log, detecting abnormal events in the system security log, and judging whether an autonomous searching and killing operation needs to be executed on the browser.
2. The network space data security monitoring and analyzing method according to claim 1, wherein analyzing the text set in the source code comprises:
converting the source code into an operable document object model by using an HTML parsing library, and locating all text contents and hyperlink elements, namely a text set and a website set in the source code through the document object model;
Constructing an inducible text keyword library, identifying each inducible text in a text set by a keyword filtering method, counting the proportion of the inducible text in the text set, comparing the proportion with a set proportion threshold, closing the current webpage when the proportion of the inducible text in the text set exceeds the set proportion threshold, and otherwise judging whether each inducible text is a directory text of a website or not.
3. The network space data security monitoring and analyzing method according to claim 1, wherein: the specific step of judging whether the inducible text is the directory text of a website comprises acquiring the position of the inducible text in the source code, and further identifying with a URL analysis function whether a website exists at the corresponding position of the source code; if no website exists, the inducible text is a static text, and a marking and shielding operation is executed on the static text; if a website exists, the inducible text is the directory text of the website, and the website is located and shielded.
4. The network space data security monitoring and analyzing method according to claim 1, wherein: the suspicious degree of each residual website is analyzed as follows:
C1, acquiring the protocol of each residual website; if the protocol of a certain residual website is HTTPS, acquiring the content of the website protocol certificate and further verifying the compliance of the residual website protocol certificate; otherwise, marking the compliance of the residual website protocol certificate as 1, so as to obtain the compliance of each residual website protocol certificate, indexed by the number of the residual website;
the compliance of a website protocol certificate is verified as follows: the issuer field in the website protocol certificate is checked to confirm whether the certificate was issued by a set certificate issuer; if the issuer is recognized, the issuer content of the website protocol certificate meets the requirement; the domain name field in the website protocol certificate is then checked and matched against the domain name of the currently queried page website; if the domain name can be matched successfully, the domain name content of the website protocol certificate meets the requirement; the expiration date of the website protocol certificate is then compared with the current date, and if the expiration date is after the current date, the date content of the website protocol certificate meets the requirement, and the set compliance value for a certificate passing all checks is taken as the compliance of the website protocol certificate; if any of the above checks finds unsatisfactory content, the set compliance value for a failing certificate is taken as the compliance of the website protocol certificate; in this way the compliance of the website protocol certificate is obtained when the website protocol is HTTPS;
C2, simulating user behaviour with an automated testing tool, obtaining the multiple redirection behaviours of each residual website, obtaining the number of redirections and the redirection paths of each residual website, and calculating the suspicious degree of the redirection paths of each residual website from a set suspicion adjustment coefficient, the number of redirections of the residual website, a set threshold number of redirections, and the effectiveness influence weight of the redirection paths of the residual website;
C3, calculating the suspicious degree of each residual website from the suspicious degree of its redirection paths and the compliance of its protocol certificate, using the set reference values of the redirection path suspicious degree and the protocol certificate compliance respectively, the set proportions corresponding to the redirection path suspicious degree and the protocol certificate compliance respectively, and the natural constant e.
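The C1 certificate checks of this claim (issuer, domain name, expiry date, and the rule that non-HTTPS websites are simply marked 1) as an added example on parsed certificate fields; this is not the patent's own code. The certificate record, the trusted issuer list and the current date are constructed inline, the two compliance values are assumed because the claim shows them only as images, and the wildcard rule (one leftmost label only) is the usual browser interpretation, not something the claim spells out.

```python
from datetime import date
from typing import Dict, Iterable
from urllib.parse import urlsplit

COMPLIANT = 1.0       # compliance value when every check passes (assumed value)
NON_COMPLIANT = 0.0   # compliance value when any check fails (assumed value)


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the page host: exact match, or a wildcard
    covering exactly one leftmost label (so *.example.com does not cover a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def certificate_compliance(url: str, cert: Dict, trusted_issuers: Iterable[str], today: date) -> float:
    """C1 compliance of one residual website.
    Non-HTTPS websites are marked 1 without any certificate check, as the claim states.
    For HTTPS the issuer field, the domain name field and the expiry date are checked in turn."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 1.0
    if cert.get("issuer") not in set(trusted_issuers):              # issuer field
        return NON_COMPLIANT
    names = [cert.get("subject_cn", "")] + list(cert.get("san", []))
    if not parts.hostname or not any(hostname_matches(n, parts.hostname) for n in names if n):
        return NON_COMPLIANT                                         # domain name field
    if cert["not_after"] <= today:                                   # expiry must lie after today
        return NON_COMPLIANT
    return COMPLIANT


# Constructed inputs: a trusted issuer list, one certificate record and the current date.
TRUSTED_ISSUERS = {"Example Trust CA"}
SAMPLE_CERT = {
    "issuer": "Example Trust CA",
    "subject_cn": "*.example.com",
    "san": ["example.com"],
    "not_after": date(2025, 1, 1),
}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for u in ("https://www.example.com/login", "https://a.b.example.com/", "http://www.example.com/"):
        print(u, certificate_compliance(u, SAMPLE_CERT, TRUSTED_ISSUERS, TODAY))
```

In a deployment the `cert` dictionary would be filled from the server's leaf certificate (issuer, subject CN, subject alternative names, notAfter); the checks themselves do not depend on how those fields were obtained.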
5. The network space data security monitoring and analyzing method according to claim 4, wherein: the analysis mode of the validity influence weight of the residual website redirection path is as follows:
Acquiring each path target URL redirected by the residual website, simulating each path target URL which is redirected by a user by using a network monitoring tool, acquiring returned response content through an interface provided by the tool, and storing the response content as various variable indexes, wherein the variable indexes comprise IP addresses corresponding to website domain names, HTTP state codes of the websites and URL return content;
analyzing each variable index according to the expected content design verification rule and verifying to obtain a verification result of each variable index, wherein the verification result comprises valid and invalid;
if the verification result of a certain variable index is effective, marking the influence weight corresponding to the variable index as 1, otherwise marking the influence weight as 0, adding the influence weights corresponding to the variable indexes to obtain the comprehensive influence weight of the paths, and further adding the comprehensive influence weights of the paths to obtain the website redirection path effectiveness influence weight;
The verification result corresponding analysis content of each variable index comprises the following steps: e1, before accessing the URL, resolving the domain name of the URL into an IP address, and if the IP address corresponding to the URL cannot be resolved, considering that the URL is invalid;
E2, acquiring an HTTP status code of the website, and analyzing whether the HTTP status code of the website is effective;
And E3, acquiring the returned content of the URL, judging whether the returned content meets the expectation, and if not, invalidating the URL.
6. The network space data security monitoring and analyzing method according to claim 1, wherein: the key mark websites are extracted as follows: a suspicion threshold range is set; if the suspicion degree of a certain residual website is greater than the maximum value of the suspicion threshold range, the residual website is marked as an abnormal website and is intercepted and shielded; if the suspicion degree of a certain residual website lies within the suspicion threshold range, the residual website is marked as a key mark website.
7. The network space data security monitoring and analyzing method according to claim 1, wherein: the method for setting the irregular extraction rule comprises the following steps:
F1, determining an initial time range, generating a random time point in the initial time range by using a random function, and taking the random time point as the starting time point t_start of timing task execution;
F2, at the end time of the initial time range, extracting the peak access time within the initial time range from the system security log and marking it as t_peak, and taking t1 = t_peak + |t_peak − t_start| as the first irregular time;
F3, taking t_peak and t1 as the start access time and the end access time of the next time range, extracting the peak access time t_peak′ within the next time range from the system security log at the end access time of the next time range, and further taking t2 = t1 + (t_peak′ − t_peak) as the second irregular time; the irregular times during the user's access are set according to this rule.
8. The network space data security monitoring and analyzing method according to claim 1, wherein: performing the irregular analysis on the corresponding content of the system security log comprises:
acquiring the system security log at a time point given by the irregular extraction rule, extracting the download events and abnormal login events within the current time range from the system security log, analyzing the anomaly coefficient of the download events and the anomaly coefficient of the abnormal login events, and marking them as δ1 and δ2 respectively;
evaluating the abnormal event influence coefficient δ of the system security log, where τ is a correction factor set for the abnormal event influence coefficient; when δ > δ0, judging that the browser needs to execute an autonomous searching and killing operation, δ0 denoting the set abnormal event influence coefficient threshold.
9. The network space data security monitoring and analyzing method according to claim 8, wherein: the steps of analyzing the anomaly coefficient of the downloading event are as follows:
identifying whether the download event is an autonomous download action of the user; if the download event is a webpage-triggered download action, acquiring the download source website, issuing an early warning on the download source website, and taking ψ0 as the anomaly coefficient of the download event;
if the download event is an autonomous download action of the user, extracting the webpage upload data of the downloaded file corresponding to the download event and the user-side download data, and calculating by comparison the health index ψ of the downloaded file package of the download event, where s1 and s2 are respectively the download start time and the download end time in the user download data, B denotes the downloaded file size, v denotes the normal download duration corresponding to the set unit file size, Δv denotes the set download speed error allowance, and ζ denotes the degree of abnormality corresponding to the downloaded file size in the user download data; ψ is then taken as the anomaly coefficient of the download event, so that the anomaly coefficient of the download event is δ1 = ψ or ψ0;
the degree of abnormality corresponding to the downloaded file size in the user download data is obtained as follows: the file upload size is denoted B′; if B > B′, bundled files exist in the downloaded file, the degree of abnormality corresponding to the downloaded file size in the user download data is recorded as ζ1, the content of the downloaded file package is analyzed with a security analysis tool, the hidden file present is identified, its position is tracked by searching registry entries, file paths and processes, and the hidden file is then automatically deleted; if B < B′, the downloaded file is incomplete, the degree of abnormality corresponding to the downloaded file size in the user download data is recorded as ζ2, and early warning information is sent to the background system of the file download end, so that the degree of abnormality ζ = ζ1 or ζ2 corresponding to the downloaded file size in the user download data is obtained.
10. The network space data security monitoring and analyzing method according to claim 8, wherein: the step of analyzing the abnormal coefficient of the abnormal login event comprises the following steps:
recording each abnormal login event before the access start time corresponding to the current time range as a historical login event, acquiring the login information of the abnormal login event corresponding to the current time point, comparing it with the login information of each historical login event, calculating the login address evaluation coefficient of each historical login event, counting the number of historical login events whose coefficient exceeds the set login address evaluation coefficient threshold, and recording this number as Y;
extracting the login device from the login information of the abnormal login event corresponding to the current time point, comparing it with the user's common device, and calculating the anomaly coefficient δ2 of the abnormal login event, where Y′ denotes the number of historical login events, σ denotes the set deviation correction factor corresponding to the anomaly coefficient of the abnormal login event, U denotes a set constant greater than 2, P denotes the state in which the login device matches the user's common device, β1 denotes the login device influence weight set for the P state, and β2 denotes the login device influence weight set for the P̄ state.
CN202311537519.9A 2023-11-17 2023-11-17 Network space data security monitoring and analyzing method Active CN117336098B (en)

Publications (2)

Publication Number Publication Date
CN117336098A CN117336098A (en) 2024-01-02
CN117336098B true CN117336098B (en) 2024-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant