WO2014048751A1 - Method and apparatus for detecting a malicious website - Google Patents

Method and apparatus for detecting a malicious website

Info

Publication number: WO2014048751A1
Authority: WO, WIPO (PCT)
Prior art keywords: website, browser, specified, specified website, behavior
Application number: PCT/EP2013/068822
Other languages: French (fr)
Inventor: Jian Jun Hu
Original Assignee: Siemens Aktiengesellschaft
Application filed by: Siemens Aktiengesellschaft

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Definitions

  • the device 300 for detecting a malicious website can comprise a memory 310 for storing an executable instruction and a
  • the processor 320 may be used for performing the following operations according to the executable instruction stored in the memory 310: manipulating at least one browser to visit a specified website ZH; monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website ZH; detecting whether the monitored behavior contains an unapproved behavior; and judging that the specified website ZH is a malicious website if the detection result is yes.
  • the processor 320 may be further used for performing the following operations according to the executable instruction stored in the memory 310: manipulating each browser L of the at least one browser to visit the specified website ZH multiple times, wherein a different security level is set for the browser L each time it visits the specified website ZH.
  • the processor 320 may be used for further performing the following operations according to the executable instruction stored in the memory 310: manipulating each browser L of the at least one browser to traverse each webpage of the specified website ZH.
  • processor 320 may be further used for
  • the unapproved behavior can comprise at least one of the following: downloading a content from the specified website ZH without approval; installing software without approval; redirecting from the specified website ZH to other malicious websites without approval; and uploading a content to the specified website ZH without approval.
  • the at least one browser may work in a virtual environment.
  • the embodiments of the present invention also provide a machine readable medium, which stores thereon an executable instruction that enables a machine to execute operations executed by the processor 320 when the executable instruction is executed.


Abstract

The present invention relates to a method and apparatus for detecting a malicious website, wherein the method comprises: manipulating at least one browser to visit a specified website; monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website; detecting whether the monitored behavior contains an unapproved behavior; and judging that the specified website is a malicious website if the detection result is yes. By using the method and apparatus, a malicious website containing an unknown malicious program can be detected.

Description

Method and apparatus for detecting a malicious website
Technical Field
The present invention relates to a method and apparatus for detecting a malicious website.
Background Art
With the in-depth development of network technology, more and more websites appear on the Internet to provide people with a wide variety of businesses and services. Under this circumstance, it has become a trend for people to visit websites to obtain required businesses and services.
Security is a very important factor when it comes to obtaining businesses and services through websites. However, with the development of hacking technology, some websites have been controlled by malicious attackers and are illegally deployed with malicious programs such as Trojan programs or worms and the like, and thus become malicious websites. Under this circumstance, if people visit these malicious websites, malicious programs will be illegally installed on their computers, which will thereby be controlled by malicious attackers to perform illegal operations.
For this reason, malicious websites need to be found and then shielded or reported to people so that people will not visit them. Currently available solutions for detecting malicious websites are based on the signatures of malicious programs, that is, the webpage files of a website are scanned to check whether they contain a signature of a malicious program, and the website is judged to be a malicious website when the scan finds such a signature in its webpage files. However, existing solutions that detect malicious websites based on signatures can only detect malicious websites that contain known malicious programs.
Contents of the Invention
Taking the above problems in the prior art into consideration, the embodiments of the present invention provide a method and apparatus for detecting a malicious website, which is capable of detecting a malicious website containing an unknown malicious program and/or a known malicious program.
The method for detecting a malicious website according to the embodiments of the present invention comprises: operating at least one browser to access a specified website; monitoring a behavior of the at least one browser during the process in which the at least one browser accesses the specified website; detecting whether the monitored behavior contains an impermissible behavior; and judging that the specified website is a malicious website if the detection result is yes.
The method can further comprise: checking whether the monitored behavior contains a behavior of downloading a content from the specified website; performing a virus scan on the content downloaded from the specified website if the check result is yes; and judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.
The operation step can further comprise: operating each of the at least one browser to access the specified website multiple times, wherein a different security level is set for each browser each time it accesses the specified website.
The abovementioned manipulation step can further comprise: operating the at least one browser to traverse each webpage of the specified website.
The impermissible behavior comprises at least one of the following: downloading content from the specified website without permission; installing software without permission; redirecting from the specified website to other malicious websites without permission; and uploading content to the specified website without permission.
The at least one browser may work in a virtual environment.
The apparatus for detecting a malicious website according to the embodiments of the present invention comprises: an operation module for operating at least one browser to access a specified website; a monitoring module for monitoring a behavior of the at least one browser during the process in which the at least one browser accesses the specified website; a detection module for detecting whether the monitored behavior contains an impermissible behavior; and a determination module for judging that the specified website is a malicious website if the detection result is yes.
The apparatus can further comprise: a checking module for checking whether the monitored behavior contains a behavior of downloading content from the specified website; a scanning module for performing a virus scan on the content downloaded from the specified website if the check result is yes; and a judgment module for judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.
The manipulation module may be further used for operating each of the at least one browser to access the specified website multiple times, wherein a different security level is set for each browser each time it accesses the specified website.
The operation module may be further used for operating the at least one browser to traverse each webpage of the specified website.
The impermissible behavior comprises at least one of the following: downloading content from the specified website without permission; installing software without permission; redirecting from the specified website to other malicious websites without permission; and uploading content to the specified website without permission.
The at least one browser may work in a virtual environment.
As may be seen from the above description, the solution of the embodiments of the present invention uses an impermissible behavior of a browser which accesses a website, rather than a signature of a malicious program, to detect malicious websites. Since the impermissible behavior of the browser occurs under the influence of known and unknown malicious programs contained in the visited website, the solution of the embodiments of the present invention is capable of detecting websites that contain unknown malicious programs.
Description of the accompanying drawings
The features, characteristics, advantages and benefits of the present invention will become more apparent by way of the detailed description herein below in conjunction with the accompanying drawings. In the drawings:
Fig. 1 shows a flowchart of a method for detecting a malicious website according to an embodiment of the present invention;
Fig. 2 shows a schematic diagram of an apparatus for detecting a malicious website according to an embodiment of the present invention; and
Fig. 3 shows a schematic diagram of a device for detecting a malicious website according to an embodiment of the present invention.
Particular embodiments
After a large number of experiments, the inventors have found that: when using a browser to visit a website, if the visited website contains a malicious program, then regardless of whether the malicious program is known or unknown, the browser will usually be affected by the malicious program contained in the visited website and perform an unapproved behavior, such as downloading a content from the website without approval, installing software without approval, redirecting to other malicious websites without approval and/or uploading a content to the website without approval.
The solution of the embodiments of the present invention is proposed on the basis of the abovementioned discovery of the inventors, which actively manipulates a browser to visit a website, detects whether the browser performs an unapproved behavior during the process in which the browser visits the website, and determines that the visited website is a malicious website when the detection result is yes. Here, an unapproved behavior of the browser which visits the website, rather than a signature of a malicious program, is used to detect malicious websites. Since the unapproved behavior of the browser occurs under the influence of known and unknown malicious programs contained in the visited website, the solution of the embodiments of the present invention is capable of detecting websites that contain known and/or unknown malicious programs.
Herein below, each of the embodiments of the present invention will be described in detail in conjunction with the accompanying drawings.
Referring to Fig. 1, it shows a flowchart of a method for detecting a malicious website according to an embodiment of the present invention. As shown in Fig. 1, in step S100, a plurality of browsers are manipulated to visit a website Wl to be detected so as to traverse each webpage of the website Wl. Here, the plurality of browsers may be manipulated to visit the website Wl simultaneously or successively. Here, each browser L of the plurality of browsers may be manipulated to visit the website Wl once; or, each browser L of the plurality of browsers may be manipulated to visit the website Wl multiple times, wherein a different security level (for example, low, medium, high and so on) may be set each time the browser L visits the website Wl. Here, the plurality of browsers may be various browsers that exist already or may appear in future, for example, but not limited to, the browser developed by Microsoft Corporation, Firefox browser, Google browser (Chrome), Sogou browser and so on.
In step S110, a behavior of the plurality of browsers is monitored during the process in which the plurality of browsers visits the website Wl.
In step S120, whether the monitored behavior contains an unapproved behavior is detected. Under normal circumstances, a behavior performed by the browser is a behavior initiated by a user, or a behavior initiated by the browser of which the user has been informed and which the user has approved; such behaviors belong to approved behaviors. If a behavior performed by the browser is initiated by the browser but is not approved by the user, the behavior belongs to an unapproved behavior, and such behaviors are often performed by the browser under the influence of a malicious program in the website. In addition, unapproved behaviors may further comprise a malicious behavior disguised as a harmless behavior; such behavior appears harmless from the outside and the disguised malicious behavior has been approved by the user, but in fact the user is not aware of the malicious behavior itself and does not know that the malicious behavior will cause damage. Here, for example, it is possible to define approved behaviors in advance and store them, so as to detect whether the monitored behavior contains an unapproved behavior by comparing the monitored behavior with the stored approved behavior. Of course, other methods can also be employed to detect whether the monitored behavior contains an unapproved behavior.
Here, unapproved behaviors may include but are not limited to at least one of the following: downloading a content from the website Wl without approval, installing software without approval, redirecting from the website Wl to other malicious websites without approval and uploading a content to the website Wl without approval. Here, uploading a content to the website Wl without approval is for example unapproved pageload, uploading sensitive data of the user, such as account number, password, etc. to the website Wl without approval and so on.
In step S130, it is determined that the website Wl is a malicious website when the detection result of step S120 is yes, that is, the monitored behavior contains an unapproved behavior.
If the detection result of step S120 is no, that is, the monitored behavior does not contain unapproved behavior, then the flow ends.
As may be seen from the above description, this embodiment actively manipulates a plurality of browsers to traverse each webpage of a website Wl, and therefore, the detection is very comprehensive and the accuracy of the detection is very high.
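The comparison in steps S110 to S130 can be sketched as follows. This is an added example, not code from the patent: the `Behavior` and `ApprovedRule` types, the prefix-matching rule format, the browser names and all hostnames are assumptions made for illustration, and the monitored events are constructed sample data standing in for what a sandboxed browser monitor would record.

```python
from collections import Counter
from dataclasses import dataclass

# Behaviour kinds the description lists as candidates for unapproved behaviour.
DOWNLOAD, INSTALL, REDIRECT, UPLOAD = "download", "install", "redirect", "upload"


@dataclass(frozen=True)
class Behavior:
    """One monitored browser action (step S110). Hypothetical record layout."""
    browser: str          # which browser was driven
    security_level: str   # level set for this visit: low / medium / high
    page: str             # page of the site being traversed
    kind: str             # DOWNLOAD, INSTALL, REDIRECT or UPLOAD
    target: str           # URL or file the action refers to
    user_approved: bool   # user initiated it, or was prompted and accepted


@dataclass(frozen=True)
class ApprovedRule:
    """One stored approved behaviour (assumed format: kind + target prefix)."""
    kind: str
    target_prefix: str
    needs_user_approval: bool = False

    def covers(self, b: Behavior) -> bool:
        if b.kind != self.kind or not b.target.startswith(self.target_prefix):
            return False
        return b.user_approved or not self.needs_user_approval


def is_unapproved(b: Behavior, rules) -> bool:
    """Step S120: a behaviour not covered by any stored approved rule is unapproved.

    User approval alone is not enough, which also catches the disguised case
    where the user accepted a prompt for something outside the approved set.
    """
    return not any(rule.covers(b) for rule in rules)


def judge_site(events, rules) -> dict:
    """Step S130: the site is judged malicious if any unapproved behaviour was seen."""
    findings = [b for b in events if is_unapproved(b, rules)]
    per_visit = Counter((b.browser, b.security_level) for b in findings)
    return {"malicious": bool(findings), "findings": findings,
            "per_visit": dict(per_visit)}


# Stored approved behaviours for the constructed site shop.example.
# The trailing "/" in the redirect prefix keeps look-alike hosts such as
# shop.example.other.test from matching.
APPROVED = [
    ApprovedRule(REDIRECT, "https://shop.example/"),
    ApprovedRule(DOWNLOAD, "https://shop.example/static/catalog",
                 needs_user_approval=True),
]

# Constructed monitoring output: two browsers, two security levels each.
SAMPLE_EVENTS = [
    Behavior("browser-a", "high", "/index", REDIRECT,
             "https://shop.example/home", False),
    Behavior("browser-a", "low", "/index", REDIRECT,
             "https://shop.example/home", False),
    Behavior("browser-a", "low", "/promo", DOWNLOAD,
             "https://cdn.other.test/update.exe", False),
    Behavior("browser-a", "low", "/promo", INSTALL, "update.exe", False),
    Behavior("browser-b", "low", "/promo", REDIRECT,
             "https://landing.other.test/x", False),
    Behavior("browser-b", "high", "/catalog", DOWNLOAD,
             "https://shop.example/static/catalog.pdf", True),
    # Disguised case: the user accepted a prompt, but the target is not approved.
    Behavior("browser-b", "high", "/promo", DOWNLOAD,
             "https://shop.example.other.test/codec.exe", True),
]

if __name__ == "__main__":
    verdict = judge_site(SAMPLE_EVENTS, APPROVED)
    print("malicious:", verdict["malicious"])
    for (browser, level), count in sorted(verdict["per_visit"].items()):
        print(f"  {browser} @ {level}: {count} unapproved behaviour(s)")
```

The per-visit breakdown shows why the description varies browser and security level: in the sample data the same site produces no findings for browser-a at the high level, but two at the low level.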
Other Variants
It should be understood by those skilled in the art that the method described in the above embodiments may further comprise the steps of: checking whether the monitored behavior contains a behavior of downloading a content from the website Wl; performing a virus scan on the content downloaded from the website Wl if the check result indicates that the monitored behavior contains a behavior of downloading a content from the website Wl; and judging that the website Wl is a malicious website if the scan result indicates that the content downloaded from the website Wl contains a virus.
It should be understood by those skilled in the art that the plurality of browsers described in the above embodiments may be browsers developed by various manufacturers or be reprogrammed and obtained by imitating browsers developed by various manufacturers.
It should be understood by those skilled in the art that although a plurality of browsers are manipulated to visit the website Wl in the above embodiments, the present invention is not limited to this. In some other embodiments of the present invention, it is also possible to manipulate only one browser to visit the website Wl.
Meanwhile, it should be understood by those skilled in the art that the browser may be set to work in a virtual environment (such as using sandbox technology), so that even if an unapproved behavior occurs in the browser, the security of the system will not be compromised, and thus the security of the system can be enhanced.
It should be understood by those skilled in the art that although a plurality of browsers are manipulated to visit the website Wl to be detected so as to traverse each webpage of the website Wl in step S100 of the above embodiments, the present invention is not limited to this. In some other embodiments of the present invention, a plurality of browsers can also be manipulated to only visit part of the webpages in the website Wl to be detected, such as the part of webpages in the website Wl that the user frequently visits. In most cases, malicious programs are often placed by hackers on the part of webpages in the website that the user frequently visits, and if no unapproved behavior is detected when a browser visits the part of webpages in the website that the user frequently visits, then the website is usually not a malicious website.
Clearly, if a plurality of browsers are manipulated to visit only part of the webpages in the website to be detected, the detection speed is greatly increased.
Now referring to Fig. 2, it shows a schematic diagram of an apparatus for detecting a malicious website according to an embodiment of the present invention. The apparatus shown in Fig. 2 may be realized using software, hardware (such as integrated circuit, Field Programmable Gate Array (FPGA), etc.) or a combination of hardware and software.
As shown in Fig. 2, the apparatus 200 for detecting a malicious website may comprise a manipulation module 210, a monitoring module 220, a detection module 230 and a determination module 240. The manipulation module 210 may be used for manipulating at least one browser to visit a specified website ZH. The monitoring module 220 may be used for monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website ZH. The detection module 230 may be used for detecting whether the monitored behavior contains an unapproved behavior. The determination module 240 may be used for judging that the specified website ZH is a malicious website if the detection result is yes.
In addition, the manipulation module 210 may be further used for manipulating each browser L of the at least one browser to visit the specified website ZH multiple times, wherein a different security level is set for the browser L each time it visits the specified website ZH.
In addition, the manipulation module 210 may be further used for manipulating the at least one browser to traverse each webpage of the specified website ZH.
In addition, the apparatus 200 may further comprise a checking module 250, a scanning module 260, and a judgment module 270. The checking module 250 may be used for checking whether the monitored behavior contains a behavior of downloading a content from the specified website ZH. The scanning module 260 may be used for performing a virus scan on the content downloaded from the specified website ZH if the check result is yes. The judgment module 270 may be used for judging that the specified website ZH is a malicious website if the scan result indicates that the content downloaded from the specified website ZH contains a virus.
In addition, the unapproved behavior can comprise at least one of the following: downloading a content from the specified website ZH without approval; installing software without approval; redirecting from the specified website ZH to other malicious websites without approval; and uploading a content to the specified website ZH without approval. In addition, the at least one browser may work in a virtual environment.
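The decision logic of the detection, determination, checking, scanning and judgment modules described above can be sketched as follows. This is an added example, not code from the patent; the `Event` record, the byte-signature `scan` stand-in and the known-bad host set used to recognise a malicious redirect target are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Event:
    browser: str          # browser that produced the event
    level: str            # security level set for that visit
    kind: str             # "download" | "install" | "redirect" | "upload"
    target: str           # URL involved
    approved: bool        # did the user approve the action?
    content: bytes = b""  # bytes fetched, for downloads

def scan(content, signatures):
    # Stand-in for the virus scan: plain byte-signature match (assumption).
    return any(sig in content for sig in signatures)

def judge(site_host, events, signatures, bad_hosts):
    """Return (is_malicious, findings); findings are (browser, level, reason)."""
    findings = []
    for e in events:
        host = urlsplit(e.target).hostname or ""
        if e.kind == "redirect":
            # Only an unapproved redirect to another, known-bad site counts.
            if not e.approved and host != site_host and host in bad_hosts:
                findings.append((e.browser, e.level, "unapproved redirect"))
        elif e.kind in ("download", "install", "upload") and not e.approved:
            findings.append((e.browser, e.level, "unapproved " + e.kind))
        # Checking/scanning/judgment path: scan every download, approved or not.
        if e.kind == "download" and scan(e.content, signatures):
            findings.append((e.browser, e.level, "infected download"))
    return bool(findings), findings

# Constructed sample data: not real signatures, hosts or traffic.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]
BAD_HOSTS = {"bad.example"}
EVENTS = [
    Event("browser-a", "high", "redirect", "https://site.example/home", False),
    Event("browser-a", "low", "download", "https://site.example/x.bin", False, b"\x00\x01"),
    Event("browser-b", "low", "redirect", "https://bad.example/landing", False),
    Event("browser-b", "medium", "download", "https://site.example/doc.pdf", True,
          b"hdr CONSTRUCTED-TEST-SIGNATURE tail"),
]

if __name__ == "__main__":
    verdict, findings = judge("site.example", EVENTS, SIGNATURES, BAD_HOSTS)
    print("malicious:", verdict)
    for finding in findings:
        print(finding)
```

Keeping the browser and security level on each finding shows which visit exposed the behavior, which is the reason for visiting the same site at several security levels.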
Now referring to Fig. 3, it shows a schematic diagram of a device for detecting a malicious website according to an embodiment of the present invention. As shown in Fig. 3, the device 300 for detecting a malicious website can comprise a memory 310 for storing an executable instruction and a processor 320.
The processor 320 may be used for performing the following operations according to the executable instruction stored in the memory 310: manipulating at least one browser to visit a specified website ZH; monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website ZH; detecting whether the monitored behavior contains an unapproved behavior; and judging that the specified website ZH is a malicious website if the detection result is yes.
In addition, for the operation of manipulating the at least one browser to visit the specified website ZH, the processor 320 may be further used for performing the following operations according to the executable instruction stored in the memory 310: manipulating each browser L of the at least one browser to visit the specified website ZH multiple times, wherein a different security level is set for the browser L each time it visits the specified website ZH.
In addition, for the operation of manipulating the at least one browser to visit the specified website ZH, the processor 320 may be used for further performing the following operations according to the executable instruction stored in the memory 310: manipulating each browser L of the at least one browser to traverse each webpage of the specified website ZH.
In addition, the processor 320 may be further used for performing the following operations according to the executable instruction stored in the memory 310: checking whether the monitored behavior contains a behavior of downloading a content from the specified website ZH; performing a virus scan on the content downloaded from the specified website ZH if the check result is yes; and judging that the specified website ZH is a malicious website if the scan result indicates that the content downloaded from the specified website ZH contains a virus.
In addition, the unapproved behavior can comprise at least one of the following: downloading a content from the specified website ZH without approval; installing software without approval; redirecting from the specified website ZH to other malicious websites without approval; and uploading a content to the specified website ZH without approval. In addition, the at least one browser may work in a virtual environment.
The embodiments of the present invention also provide a machine readable medium, which stores thereon an executable instruction that enables a machine to execute operations executed by the processor 320 when the executable instruction is executed.
It should be understood by those skilled in the art that various variations and modifications may be made to each of the embodiments disclosed above without departing from the essence of the invention, and all these variations and modifications should be within the protection scope of the present invention. Therefore, the protection scope of the present invention is to be defined by the attached claims.

Claims

1. A method for detecting a malicious website, comprising:
operating a browser to access a specified website;
monitoring a behavior of the browser during accessing the specified website;
detecting whether the monitored behavior contains an impermissible behavior; and
judging that the specified website is a malicious website if the detection result is yes.
2. The method as claimed in claim 1, further comprising:
checking whether the monitored behavior contains a behavior of downloading content from the specified website;
performing a virus scan on the content downloaded from the specified website if the check result is yes; and
judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.
3. The method as claimed in claim 1, wherein the step of operating the browser to access the specified website comprises:
operating the browser to access the specified website multiple times, wherein a different security level is set for the browser each time it visits the specified website.
4. The method as claimed in claim 1, wherein
the step of operating the browser to access the specified website comprises:
operating the browser to traverse each webpage of the specified website.
5. The method as claimed in claim 1, wherein the impermissible behavior comprises at least one of the following behaviors:
downloading content from the specified website without permission;
installing software without permission;
redirecting from the specified website to another malicious website without permission; and
uploading content to the specified website without permission.
6. The method as claimed in claim 1, wherein
the browser works in a virtual environment.
7. An apparatus for detecting a malicious website, comprising:
an operation module for operating a browser to access a specified website;
a monitoring module for monitoring a behavior of the browser during accessing the specified website;
a detection module for detecting whether the monitored behavior contains an impermissible behavior; and
a determination module for judging that the specified website is a malicious website if the detection result is yes.
8. The apparatus as claimed in claim 7, further comprising:
a checking module for checking whether the monitored behavior contains a behavior of downloading content from the specified website;
a scanning module for performing a virus scan on the content downloaded from the specified website if the check result is yes; and
a judgment module for judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.
9. The apparatus as claimed in claim 7, wherein
the operation module is further used for operating the browser to access the specified website multiple times, wherein a different security level is set for the browser each time it accesses the specified website.
10. The apparatus as claimed in claim 7, wherein
the operation module is further used for operating the browser to traverse each webpage of the specified website.
11. The apparatus as claimed in claim 7, wherein the impermissible behavior comprises at least one of the following:
downloading content from the specified website without permission;
installing software without permission;
redirecting from the specified website to another malicious website without permission; and
uploading a content to the specified website without permission.
12. The apparatus as claimed in claim 7, wherein
the browser works in a virtual environment.
13. A device for detecting a malicious website, comprising:
a memory for storing an executable instruction; and
a processor for performing all steps in any one of the claims 1 to 6 according to the stored executable instruction.
14. A machine readable medium, which stores thereon an executable instruction that causes a machine to execute all steps comprised in any one of the claims 1 to 6 when the executable instruction is executed.
PCT/EP2013/068822 2012-09-27 2013-09-11 Method and apparatus for detecting a malicious website WO2014048751A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210365857.4 2012-09-27
CN201210365857.4A CN103701759A (en) 2012-09-27 2012-09-27 Method and device for detecting malicious website

Publications (1)

Publication Number Publication Date
WO2014048751A1 true WO2014048751A1 (en) 2014-04-03

Family

ID=49182241

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/068822 WO2014048751A1 (en) 2012-09-27 2013-09-11 Method and apparatus for detecting a malicious website

Country Status (2)

Country Link
CN (1) CN103701759A (en)
WO (1) WO2014048751A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105100119A (en) * 2015-08-31 2015-11-25 百度在线网络技术(北京)有限公司 URL detection method and device
WO2024058399A1 (en) * 2022-09-16 2024-03-21 삼성전자주식회사 Electronic device for giving warning about or restricting web page and content according to security level, and method for operating same

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100527147C (en) * 2007-10-17 2009-08-12 深圳市迅雷网络技术有限公司 Web page safety information detecting system and method
KR101027928B1 (en) * 2008-07-23 2011-04-12 한국전자통신연구원 Apparatus and Method for detecting obfuscated web page
CN102547710B (en) * 2010-12-22 2015-09-02 西门子公司 The method and apparatus of detecting virus in mobile communication system
US8832836B2 (en) * 2010-12-30 2014-09-09 Verisign, Inc. Systems and methods for malware detection and scanning
CN102088379B (en) * 2011-01-24 2013-03-13 国家计算机网络与信息安全管理中心 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology
CN102255915A (en) * 2011-07-20 2011-11-23 中兴通讯股份有限公司 Internet virus detection method, apparatus thereof and system thereof
CN102375951B (en) * 2011-10-18 2014-07-23 北龙中网(北京)科技有限责任公司 Webpage security detection method and system
CN102609649B (en) * 2012-02-06 2015-09-02 北京百度网讯科技有限公司 A kind of method and apparatus of automatic collection Malware

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "McAfee AntiVirus 2011 Review & Download", 1 January 2012 (2012-01-01), XP055090513, Retrieved from the Internet <URL:http://www.antivirusware.com/mcafee/antivirus/> [retrieved on 20131127] *
ANONYMOUS: "Securing Your Web Browser", 14 February 2008 (2008-02-14), XP055090516, Retrieved from the Internet <URL:http://www.cert.org/tech_tips/securing_browser/> [retrieved on 20131127] *


Also Published As

Publication number Publication date
CN103701759A (en) 2014-04-02


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13762797

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13762797

Country of ref document: EP

Kind code of ref document: A1