CN101605062A - The method of automatically monitoring website and device - Google Patents

Publication number: CN101605062A
Authority: CN (China)
Prior art keywords: information, website, comparison, web, automatically monitoring
Legal status: Pending
Application number: CNA2008101082978A
Other languages: Chinese (zh)
Inventor: 郑志豪
Current Assignee: Individual
Original Assignee: Individual


Abstract

The invention provides a method and device for automatically monitoring a website, and relates to website security. Comparison information for the website is provided. A reading unit repeatedly scans and reads part or all of the website's information at a certain frequency, and a comparing unit compares the scanned site information with the comparison information. When the website is hacked or another anomaly occurs, the comparison result reflects the anomaly and the alarm raises an alert promptly so that the site can be repaired in time, preventing the heavy losses caused when a website stays abnormal for a long time without the administrator knowing.

Description

Method and device for automatically monitoring a website
Technical field
The present invention relates to website security, and in particular to a method and device capable of automatically monitoring a website.
Background
Internet applications have brought people great convenience. However, a website is open on the Internet, so viruses and hacker attacks cannot be completely avoided; in particular, the various abnormal conditions of a WEB application cannot all be anticipated in advance. No website is absolutely secure, and there are many cases of well-known websites being hacked.
When a website is hacked or otherwise abnormal, it causes the business various troubles. In particular, if the website administrator discovers the problem late, a large number of customers may visit the abnormal or hacked website, which may cause heavy losses.
The present invention aims to provide a method and device that scan and analyze a website and detect anomalies in time. A related application, application number 200610012276.7, introduces a method for comprehensively scanning websites.
Summary of the invention
The problem to be solved by the present invention is to detect website anomalies in time and raise an alarm.
According to a first aspect of the present invention, the method provided comprises the following steps:
A. providing comparison information to be compared against;
B. providing a reading unit for reading site information;
C. providing a comparing unit capable of comparing the information read by the reading unit with the comparison information;
D. the reading unit repeatedly reads the information on the website that needs to be compared, and the comparing unit compares the information read by the reading unit with the corresponding part of the comparison information and outputs the comparison result.
The method further comprises step E: when the comparing unit finds from the comparison result that the site information is abnormal, it triggers the alarm.
The comparison information may optionally be encrypted or left unencrypted, and is embedded in the web page in advance as part of the content of a basic web page element. Basic web page elements include email addresses, comment information, text information, Cookies information, hidden information, script information, and outbound links. When the comparing unit finds that the information embedded in the web page in advance has changed, the website is judged to have been damaged.
The source of the comparison information is a copy of the website's WEB application, a partial copy of the website's WEB application, or a full or partial copy that has additionally been encrypted or transformed by a predetermined algorithm. While reading site information, the reading unit may also read the comparison information. When the comparing unit finds that the site information is inconsistent with the copied comparison information, the website is judged to have been damaged.
The comparison information includes statistical information of the website. Some statistical information of the website under normal conditions is saved; when a website anomaly or any other cause makes the website's statistical information deviate from the statistical information in the comparison information beyond the alarm range, the alarm is triggered.
The information of the website includes web page content information with a URL address or file information on the WEB server. An example of a web page is "http://192.168.11.222:80/news/1.htm"; an example of a file is "e:\tomcat5\portal\login.jsp". File information includes file content and file attributes.
The "corresponding part" referred to in step D means that the comparison rules are predefined, including which part of the comparison information a given web page on the website is compared with, and which part of the comparison information a given file on the WEB server is compared with. The comparison rules also specify whether the comparison is direct or performed after conversion by some algorithm. When the website is normal, the output comparison result should reflect that it is normal; when the website is abnormal, the output comparison result should reflect that it is abnormal.
According to a second aspect of the present invention, a device for achieving the above purpose is provided, comprising:
a reading unit, a comparing unit, and comparison information. The reading unit can read the web page information at a specified URL address, or can read the file information in a specified directory; the comparing unit can compare the site information read by the reading unit with the comparison information and output the comparison result.
The device further comprises an alarm; when the comparison result shows that the website is abnormal, the alarm raises an alert.
The beneficial effect of the present invention is that website anomalies can be found automatically and in time, preventing further damage to the website, facilitating timely repair, and reducing losses.
Description of drawings
Fig. 1 is the system architecture diagram of embodiment one of the invention.
Fig. 2 is the flow chart of the website monitoring method of embodiment one of the invention.
Fig. 3 is the system architecture diagram of embodiment two of the invention.
Embodiments
Specific embodiments of the present invention are described below. Note that the following description should not be used to limit the present invention.
Embodiment one
Fig. 1 is the system architecture diagram of embodiment one of the invention. The system comprises database server 1, WEB server 2, WEB standby server 3, monitor server 4 and alarm 5. Database server 1 stores the website's database information and is connected to the relatively secure intranet. WEB server 2 has the WEB program deployed and is open to the Internet; this server has two network cards, one connected to the intranet and the other with a fixed IP on the Internet. WEB standby server 3 has the same WEB program deployed as WEB server 2, but is connected only to the intranet and is not open to the Internet. Monitor server 4 can scan the file content in the file directories on WEB server 2 and WEB standby server 3, and can also scan the web page content served by the WEB applications on WEB server 2 and WEB standby server 3. It can compare the same file under the same directory on the two servers, or the content of the web page at the same URL, and when it finds an abnormal comparison result it triggers alarm 5.
WEB server 2 and WEB standby server 3 are both connected to database server 1 and obtain from it the content needed to generate dynamic web pages. When WEB server 2 is normal, the WEB application on WEB standby server 3 is simply a copy of the one on WEB server 2. From a security point of view, WEB server 2 is open to the Internet and therefore exposed to attack and damage, while database server 1 and WEB standby server 3 are on the intranet, are not easily attacked, and are relatively safer. When WEB server 2 is attacked or damaged, this can be discovered in time by comparing the applications on WEB server 2 and WEB standby server 3.
Suppose the WEB program on WEB server 2 is deployed in the directory "d:\tomcat5\portal" and the IP address and port number used for access from the Internet are "192.168.11.222:80"; the WEB program on WEB standby server 3 is deployed in the directory "e:\tomcat5\portal" and the IP address and port number used for access on the intranet are "192.168.111.29:80". When the website is in its normal state, the two servers have the same directory structure and the same WEB application under the relative path "..\portal"; accessed through a browser, http://192.168.11.222:80/news/1.htm and 192.168.111.29:80/news/1.htm return identical content. This directory information is stored in the comparing unit as comparison rules.
Monitor server 4 comprises reading unit 41, comparing unit 42, comparison information 43 and site information 44; reading unit 41 comprises thread a and thread b. One part of comparison information 43 is copied in advance from the directory "d:\tomcat5\portal" of WEB server 2 and is stored in the directory "d:\comparison information\local_file". Another part is generated by thread b reading dynamic web pages on WEB standby server 3; this content may be refreshed continually and is stored in the directory "d:\comparison information\URL_file". Site information 44 is the collection of file content and web page content that thread a reads from WEB server 2; the paths where the files are stored include "d:\web site contents\local_file" and "d:\web site contents\URL_file".
Comparing unit 42 has its comparison tasks defined in advance. It can compare all files under the "d:\comparison information" and "d:\web site contents" directories, or only a selected subset of them; for any one file, it can compare the full text or only part of the content. When the comparison finds that file content under the two directories is inconsistent, WEB server 2 is judged to have been attacked and alarm 5 raises an alert. The reading unit can also read the file attributes under the "d:\tomcat5\portal" directory on WEB server 2, such as last modification date and file size, and save this information in a file or database; this information can likewise be compared with the file attributes under the "d:\comparison information\local_file" directory.
Comparison information 43 can also be statistical information of the website, such as the website's average daily traffic, historical maximum traffic and historical minimum traffic. When the website traffic for the current day read by reading unit 41 is lower than the historical minimum traffic, alarm 5 raises an alert.
To reduce the load that scanning places on web page access, only the key files or web pages on WEB server 2 may be selected for scanning and reading. Temporary files that do not need to be compared can be excluded in advance. The scan frequency can be adjusted appropriately according to the performance of the server.
When the website has a lot of content and a single scan takes too long, more threads can be added, with the range of files scanned by each thread limited. For example, thread a scans the files under "d:\web site contents\local_file\jsp", thread a1 scans the files under "d:\web site contents\local_file\bin", and thread a2 scans the files under "d:\web site contents\local_file\images".
Comparing unit 42 can also perform the comparison while thread a and thread b are reading information, without first saving the content read as files and comparing afterwards.
Fig. 2 is the flow chart of the website monitoring method of embodiment one of the invention. At step S201, reading unit 41 scans and reads the WEB program files and the web page information on WEB server 2 and stores them in site information 44; reading unit 41 also scans and reads the web page information on WEB standby server 3 and stores it in comparison information 43, which also includes the WEB program files copied from WEB server 2 in advance. At step S202, comparing unit 42 compares the information in site information 44 with that in comparison information 43, matching corresponding files and corresponding information according to the comparison rules. At step S203, if the comparison finds inconsistent information, the flow enters step S207 and the alarm raises an alert by sound, image, or text; if the comparison finds the information consistent, the flow goes to step S204. At step S204, it is judged whether the predefined information for this round of scanning has all been scanned. If it has not, the flow enters step S206, the scan position moves forward and scanning continues. If this round has finished, the flow enters step S205 and waits for the next scan time; when the next scan time arrives, the flow enters step S201 and starts again.
Embodiment two
Fig. 3 is the system architecture diagram of embodiment two of the invention. Compared with Fig. 1, there is no WEB standby server. One part of comparison information 43 is copied in advance from the directory "d:\tomcat5\portal" of WEB server 2 and is stored in the directory "d:\comparison information\local_file". Comparing unit 42 compares the directories and files under "d:\tomcat5\portal" on WEB server 2 with the directories and files under "d:\comparison information\local_file" on monitor server 4; if it finds an inconsistency, it triggers alarm 5. The other part of comparison information 43 is predicted in advance: it is information that can be read from a web page when the website is normal. For example, when the website is normal the web page should contain the following script:
<script language="JavaScript">
function newwindow(url)
{
  if(screen.width==1024)
    ContentWindow=window.open(url,"_blank","toolbar=no,width=818,height=700;,directories=no,status=yes,scrollbars=yes,resizable=yes,menubar=no")
  else
    ContentWindow=window.open(url,"_blank","toolbar=no,width=680,height=585;,directories=no,status=yes,scrollbars=yes,resizable=yes,menubar=no")
}</script>
When the comparing unit finds that characteristic information the web page should contain when the website is normal is absent, it triggers alarm 5.

Claims (9)

1. the method for automatically monitoring website is characterized in that, may further comprise the steps:
A, the comparison information that is provided for comparing;
B, provide reading unit, be used to read site information;
C, provide comparing unit, can compare information and described comparison information that described reading unit reads;
D, described reading unit repeat to read needs the information compared in the website, comparing unit is partly compared corresponding in information that reading unit read and the comparison information, and the output comparison result.
2. the method for automatically monitoring website as claimed in claim 1, its feature comprises step:
E, comparing unit find that by comparison result site information is unusual, trigger alarm equipment alarm.
3. the method for automatically monitoring website as claimed in claim 1, its feature comprises:
Described comparison information can be selected to encrypt or do not encrypt, and embedded web page in advance, as a partly content of webpage basic element, the webpage basic element comprises email address, annotation information, text message, Cookies information, implicit information, script information, departures link; When comparing unit finds that the information of embedded web page changes in advance, judge that the website is destroyed.
4. the method for automatically monitoring website as claimed in claim 1, its feature comprises:
The source of described comparison information is the portion copy of website WEB application program, or the part of website WEB application program copy, or all or partly copy is encrypted or changed by predetermined algorithm again.
5. the method for automatically monitoring website as claimed in claim 1, its feature comprises:
Described comparison information comprises the statistical information of website.
6. the method for automatically monitoring website as claimed in claim 1, its feature comprises:
The information of described website comprises the web page content information of band URL address or the fileinfo on the WEB server.
7. the method for automatically monitoring website as claimed in claim 1, its feature comprises:
" partly corresponding " of indication is that comparison rules is predefined among the described step D, comprises which partly comparison of certain webpage and comparison information on the website, which partly comparison of certain file on the WEB server and comparison information; The rule of comparison also comprises it being direct comparison, still by comparison again after certain algorithm conversion; When the website just often, the comparison result of output should be able to react normally, when the website was undesired, it is undesired that the comparison result of output can reflect the website.
8. the device of automatically monitoring website comprises:
Reading unit, comparing unit, comparison information, described reading unit can read the info web of specified URL address, maybe can read the fileinfo of assigned catalogue, comparing unit can be compared site information and comparison information that reading unit read, and the output comparison result.
9. the device of automatically monitoring website as claimed in claim 8, its feature comprises:
Described device also comprises alarm, by described when found that website abnormal, alarm equipment alarm.
Application number: CNA2008101082978A (priority date 2008-06-12, filing date 2008-06-12)
Publication: CN101605062A, published 2009-12-16
Family ID: 41470622
Country: CN

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088369A (en) * 2010-12-30 2011-06-08 天津市国瑞数码安全系统有限公司 Automatic auditing method of Internet website record information
CN102546253A (en) * 2012-01-05 2012-07-04 中国联合网络通信集团有限公司 Webpage tamper-resistant method, system and management server
CN110224852A (en) * 2019-04-28 2019-09-10 中电长城网际安全技术研究院(北京)有限公司 Network security monitoring method and device based on HTM algorithm

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091216