CN101895517A - Method and device for extracting script semantics - Google Patents
Method and device for extracting script semantics Download PDFInfo
- Publication number
- CN101895517A CN101895517A CN2009100842668A CN200910084266A CN101895517A CN 101895517 A CN101895517 A CN 101895517A CN 2009100842668 A CN2009100842668 A CN 2009100842668A CN 200910084266 A CN200910084266 A CN 200910084266A CN 101895517 A CN101895517 A CN 101895517A
- Authority
- CN
- China
- Prior art keywords
- script
- semanteme
- expression formula
- vocabulary
- expression
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses a method and a device for extracting script semantics. The method comprises the following steps of: 1, reading a script noted by a user; 2, sequentially reading the script vocabulary in the script, if the read script vocabulary is an operator, analyzing a script expression comprising the operator, or continuing reading; identifying and storing the semantics expressed by the analyzed script expression, continuing reading the script vocabulary in the script after the identification of the semantics of the script expression and executing step 3; during the identification of the semantics of the script expression, if the script expression contains a variable or a sub expression and stores the semantics of the variable or the sub expression, substituting the semantics of the variable or the sub expression for the variable or the sub expression in the expression and then performing identification; and 3, outputting the semantics of the script expression identified in step 2. The method and the device can improve the correctness and reliability of attack detection.
Description
Technical field
The present invention relates to technical field of the computer network, relate in particular to a kind of script semantic extracting method and extraction element.
Background technology
The Web technology is since being born, and the internet has obtained develop rapidly, and Web service also becomes topmost Web content presentation mode in the current internet.Along with the development of Web technology, Web is no longer only for the Internet user provides the static content service, and can provide various Dynamic Web content services according to user's needs.Because Web service has easy deployment and advantage such as easy-to-use, the application of now a lot of legacy clients/server modes all begins to be transformed into the application based on Web, comprises that those are to application such as very high e-bank of safety requirements and electronics security.
Web service has also brought a lot of safety problems when offering convenience for people's live and work.These safety problems comprise SQL (the Structured Query Language that threatens Web server safety, SQL) security attack incidents such as injection attacks, apocrypha execution and the object accesses of going beyond one's commission also comprise the security attack incidents such as script injection attacks that threaten the Web client secure.Organize the OWASP statistics according to the opening of internationally famous Web safety, 2007, script injection attacks incident (comprise the cross-site scripting attack incident, it belongs to script injection attacks category) occupy first of the ten big Web security incidents.Organize 2002 to 2007 statistics about script injection attacks incident in CVE storehouse from international vulnerability database, the occurrence frequency of script injection attacks security incident just is being growth trend year by year.
What the script injection attacks existed has its source in: there is defective in Web server equation code, it fails user input data is endured strict scrutiny and filters, to such an extent as to malicious attacker can be injected malicious script by user input fields, the malicious script of these injections can reflex to victim's Web browser by Web server and carry out, and steals victim's sensitive data or carry out purpose such as malicious action under victim's safe context environment thereby reach.
Since the script injection attacks was found, people had begun the research of detection of script injection attacks and defence aspect.These researchs can be divided into two classes: detect and defence based on the Web service end with based on the script injection attacks of Web client.
Comprise mainly that based on detection of Web service end script injection attacks and defence method content safety coding, html tag filter, wherein, the content safety coding method is that user input data is unified the text formatting coding, avoiding the Web client that it is used as the html format text makes an explanation, this method need just consider when the Web application service is developed that a lot of Web application developer do not have the experience of this respect; The responsive label that html tag exists in filtering and being meant in the web application code user input data filters, perhaps by the security gateway that is deployed in the Web server front end the responsive html tag that exists in the user input data is filtered, this method exists filters not strict or filtering rule such as easily hides at problem.
Detection of script injection attacks and defence method based on the Web client comprise that mainly script executing is forbidden, http response message purifies and Web client data stream tracking.Wherein, script executing forbids that method then is completely or partially to forbid the execution of script in the Web client, and this will make some web content correctly to present; Http response message purification method is that the Web content of pages that returns from the Web service end is filtered, wash the script that those may endanger client secure, this kind method shortcoming is, exists data cleansing clean or clean and too cause the Web content of pages correctly to present; Web client data stream tracking comprises based on other static data flow of source code level to be followed the tracks of and based on the trace analysis method of input traffic and output stream, this method need be revised the Web client software, exists to dispose and performance difficulty.
In a kind of script injection attack detection method of Web service end solution, data to user's input are carried out the grammaticality analysis according to the JavaScript/VBScript syntax gauge to it, as long as from the HTTP request, extract at least one section JavaScript/VBScript script that grammer is correct, just produce the script injection attacks and report to the police.
Whether the data that above method can detect user's injection comprise the correct script of grammer, can't make accurate judgement but whether content for script is had the implication of attack.For the attack to injection script is judged, (as: " document.cookie ", " Location.href " etc.) mates by predefined tagged word, one section script below having injected such as the user:
<script>
docoment.location.href=“http://www.hacker.com”
</script>
By characteristic matching, can detect the attack signature word (" Location.href ") that matches immediately, can draw the implication that this section script has the webpage redirection attack.
But, if the hacker has carried out the distortion of some grammers, as following script fragments:
<script>
b=document;
a=/loc/.source;
a+=/ation.href/.source;
b.a=“http://www.hacker.com”
</script>
Then, can't accurately judge whether to have the attack implication owing to do not find the attack signature word that matches; Therefore can cause the omission that has aggressive injection script, thus the potential safety hazard of bringing.
Summary of the invention
The technical problem to be solved in the present invention provides a kind of script semantic extracting method and extraction element, also can determine the semanteme that it is real for the script of process distortion, thereby can improve the correctness and the reliability of attack detecting.
In order to address the above problem, the invention provides a kind of script extraction of semantics device that is used for attack detecting, comprising:
The script input unit is used to read the script that the user injects;
The extraction of semantics unit is used for the script that reads is carried out semantic analysis, and extracts relevant semanteme;
Semantic output unit is used for the semanteme output of the script that will extract;
Described extraction of semantics unit comprises:
Basic semantic recognin unit and compound semantic recognin unit;
Described basic semantic recognin unit is used for after described script input unit reads script, or indicate when continuing to read described compound semantic recognin unit, read the script vocabulary that did not read in the described script successively, if the script vocabulary that reads is operator then parses the script expression formula at this operator place, then this script expression formula is sent to compound semantic recognin unit, otherwise continue to read the script vocabulary in the described script;
Described compound semantic recognin unit is used for the semanteme that the script expression formula that described basic semantic recognin unit resolves goes out is represented is discerned and preserved, the described basic semantic recognin of semantic back indication unit in this script expression formula of identification continues to read, and calls the semanteme that described semantic output unit is exported this script expression formula; When the semanteme of script expression formula is discerned, if comprise variable or subexpression in the script expression formula, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression.
Further, described compound semantic recognin unit specifically comprises:
Scheduler module, the semantic identification module of all types of expression formula;
Described scheduler module is used to preserve the corresponding relation of operator and script type expression, discern this script type of expression according to the operator in this corresponding relation and the described script expression formula that parses, according to the type that identifies, this script expression formula is sent to the semantic identification module of expression formula of respective type; Preserve the semanteme that identifies that semantic identification module returned of described respective type, after the semanteme identification of this script expression formula is finished, call the semanteme that semantic output unit is exported this expression formula.
Further, when having compound script expression formula, described scheduler module is according to the priority of operator, parse the subexpression at operator place according to order from high to low, according to described corresponding relation recognin type of expression, subexpression is sent to the semantic identification module identification of expression formula of respective type, and receive and preserve the semanteme of this subexpression that this module returns.
Further, the semantic identification module of all types of expression formulas comprises:
The semantic identification module of assign representation formula, be used to receive the assignment operation expression formula, if the script vocabulary on the assignment operator left side is a variable, and its semanteme is not the object of a script, then the semanteme of the script vocabulary on assignment operator the right is composed to this variable, this variable and its semanteme are returned to scheduler module; Otherwise, obtain the semanteme of the semanteme of described assignment expression for the script vocabulary on the right of assignment operator, compose the script vocabulary of giving the assignment operator left side; Return this semanteme and give described scheduler module;
The semantic identification module of attribute expression formula is used to receive the attribute expression formula; If the attribute operator left side is a regular expression, and the right is source, then obtains the semanteme of the semanteme of described attribute expression formula for this regular expression; Otherwise the semanteme that obtains described attribute expression formula is sematic1.sematic2; Sematic1 and sematic2 are respectively the semanteme of the script vocabulary on the left and right limit of attribute operator; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of concatenation operation expression formula is used to receive the concatenation operation expression formula, and it is continuous for the semanteme of the script vocabulary on the left and right limit of concatenation operator to obtain its semanteme; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of exclusive disjunction expression formula, be used to receive the exclusive disjunction expression formula, if the semanteme of the script vocabulary on the exclusive disjunction symbol left side is empty or 0, the semanteme of then described exclusive disjunction expression formula is the semanteme of the script vocabulary on exclusive disjunction symbol the right, otherwise accords with the semanteme of the script vocabulary on the left side for exclusive disjunction; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of conditional expression is used for the condition of acceptance operation expression, if the semanteme of the script vocabulary of expression condition is empty or 0, the semanteme of then described conditional operation expression formula is the semanteme of a script vocabulary, otherwise is the semanteme of another script vocabulary; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of regular expression is used to receive regular expression, obtains its semanteme and is the script vocabulary in the canonical operator; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of with operation expression is used to receive the with expression formula, obtains its semantic sematic1.sematic2 of being, the semanteme of the script vocabulary that sematic1, sematic2 are respectively in the with operator bracket, bracket is outer; Return the semanteme that obtains and give described scheduler module.
Further, described scheduler module sends with its semantic back that replaces having preserved semantic variable/subexpression in script expression formula or the subexpression when sending script expression formula or subexpression;
Or the expression formula module of respective type runs into variable/subexpression in identifying after, in scheduler module, search the semanteme of whether preserving this variable/subexpression, if having then replace discerning again after this variable/subexpression with the semanteme of this variable/subexpression.
The present invention also provides a kind of script semantic extracting method that is used for attack detecting, comprising:
S1, read the script that the user injects;
S2, read script vocabulary in the described script successively, if the script vocabulary that reads be operator then parse the script expression formula at this operator place, otherwise continue to read; The semanteme that the script expression formula that parses is represented is discerned and preserved, get script vocabulary in the described script semantic follow-up the resuming studies of this script expression formula of identification, and carry out step S3; When the semanteme of script expression formula is discerned, if comprise variable or subexpression in the script expression formula, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression;
S3 is with the semanteme output of the script expression formula that identifies among the described step S2.
Further, described step S2 specifically comprises:
Step S21 judges whether in addition not processed script vocabulary, if execution in step S22 then, otherwise execution in step S29, i.e. process ends;
Step S22 reads first untreated script vocabulary as current script vocabulary;
Step S23 is if current script vocabulary is the basic keyword of script, then execution in step S24; Otherwise execution in step S25;
Step S24 discerns the semanteme of the basic keyword of script, and the basic keyword of this script as the script vocabulary of having discerned, is preserved the semanteme of this script vocabulary of having discerned, execution in step S21;
Step S25, if current script vocabulary is an operator, execution in step S26 then, otherwise execution in step S21;
Step S26, the expression formula that parses an operator place from script according to the corresponding relation of operator and type expression, identifies current script type of expression as current script expression formula;
Step S27 according to current script type of expression, carries out the identification of the semanteme of respective type expression formula, preserves the semanteme that identifies; Carry out step S3.
Further, also comprise among the described step S27:
When having compound script expression formula,, parse the subexpression at operator place according to order from high to low according to the priority of operator; According to described corresponding relation recognin type of expression, carry out the identification of the semanteme of respective type expression formula; Preserve the semanteme of this subexpression.
Further, the identification of carrying out the semanteme of respective type expression formula among the described step S27 specifically comprises:
For the assignment operation expression formula, if the script vocabulary on the assignment operator left side is a variable, and its semanteme is not the object of a script, then the semanteme of the script vocabulary on assignment operator the right composed to this variable, and recognition result be this variable and its semanteme; Otherwise, identify the semanteme of the semanteme of described assignment expression for the script vocabulary on the right of assignment operator, compose the script vocabulary of giving the assignment operator left side;
For the attribute expression formula; If the attribute operator left side is a regular expression, and the right is source, then identifies the semanteme of the semanteme of described attribute expression formula for this regular expression; Otherwise the semanteme that identifies described attribute expression formula is sematic1.sematic2; Sematic1 and sematic2 are respectively the semanteme of the script vocabulary on the left and right limit of attribute operator;
For the concatenation operation expression formula, it is continuous for the semanteme of the script vocabulary on the left and right limit of concatenation operator to identify its semanteme;
For the exclusive disjunction expression formula, if the semanteme of the script vocabulary on the exclusive disjunction symbol left side is empty or 0, the semanteme that then identifies described exclusive disjunction expression formula is the semanteme of the script vocabulary on exclusive disjunction symbol the right, otherwise accords with the semanteme of the script vocabulary on the left side for exclusive disjunction;
For the conditional operation expression formula, if the semanteme of the script vocabulary of expression condition is empty or 0, the semanteme that then identifies described conditional operation expression formula is the semanteme of a script vocabulary, otherwise is the semanteme of another script vocabulary;
For regular expression, identify its semanteme and be the script vocabulary in the canonical operator;
For the with expression formula, identify its semantic sematic1.sematic2 of being, the semanteme of the script vocabulary that sematic1, sematic2 are respectively in the with operator bracket, bracket is outer.
Further, also comprise among the step S27:
When the semanteme of script expression formula is discerned, comprise variable or subexpression in the IF expression, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression.
Technical scheme of the present invention is extracted by the semanteme to user's injection script statement, thereby can judge whether the script that the user injects has the attack implication, thereby the injection script of having implemented the grammer distortion is accurately detected.
Description of drawings
Fig. 1 is the system configuration schematic diagram of the embodiment of the invention one;
Fig. 2 is the structural representation of the extraction of semantics module of system of the present invention;
Fig. 3 is the structural representation of the compound semantic identification module of system of the present invention;
Fig. 4 is the workflow diagram of the inventive method;
Fig. 5 is the semantic analysis of the inventive method and the embodiment flow chart of extraction step.
Embodiment
Below in conjunction with drawings and Examples technical scheme of the present invention is described in detail.
Embodiment one, and a kind of script extraction of semantics device can be used for attack detecting; As shown in Figure 1, comprising:
Extraction of semantics unit 102, the script that is used for script input unit 101 is read carries out semantic analysis, and extracts relevant semanteme;
In the present embodiment, described extraction of semantics unit 102 further comprises as shown in Figure 2: basic semantic recognin unit 201 and compound semantic recognin unit 202.
Basic semantic recognin unit 201, be used for after described script input unit 101 reads script, or indicate when continuing to read described compound semantic recognin unit 202, read the script vocabulary in the described script successively, if the script vocabulary that reads is operator then parses the script expression formula at this operator place, then this script expression formula is sent to compound semantic recognin unit 202, otherwise continue to read; Can also before reading script vocabulary, judge whether there is the script vocabulary that did not read in the described script earlier at every turn, have the script vocabulary that then continues to read in the described script, otherwise finish to read, read new script up to described script input unit 101;
Compound semantic recognin unit 202, be used for the semanteme that the script expression formula that described basic semantic recognin unit 201 parses is represented is discerned and preserved, the described basic semantic recognin of semantic back indication unit 201 in this script expression formula of identification continues to read, and calls the semanteme of described semantic output unit 103 these script expression formulas of output; When the semanteme of script expression formula is discerned, if comprise variable or subexpression in the script expression formula, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression.
In the present embodiment, compound semantic recognin unit 202 also can call the semanteme that described semantic output unit 103 is exported this statement that is identified only when attribute assignment expression statement or eval function call Statement Completion, can improve recognition efficiency like this; During practical application, according to the difference of script, and the difference of actual demand, can be provided with and only when some Statement Completion, carry out semanteme output.
In the present embodiment, compound semantic recognin unit 202 can be worked as script after identification is finished, and when just described basic semantic recognin unit 201 finishes to read, the semanteme of being preserved that identifies is emptied; When preserving variable/subexpression semantic,, then cover in addition if there has been the semanteme of this variable/subexpression.
In the present embodiment, described compound semantic recognin unit 202 further comprises as shown in Figure 3:
Described scheduler module 301 is used to preserve the corresponding relation of operator and script type expression, discern this script type of expression according to the operator in this corresponding relation and the described script expression formula that parses, according to the type that identifies, this script expression formula is sent to the semantic identification module of expression formula of respective type; Preserve the semanteme that identifies that semantic identification module returned of described respective type, after the identification of the semanteme of this script expression formula is finished, just call the semanteme that semantic output unit is exported this expression formula during this script expression formula Statement Completion.Certainly, also can only when attribute assignment expression statement or eval function call Statement Completion, export.
When having compound script expression formula (when in the script expression formula a plurality of operator being arranged), described scheduler module 301 is according to the priority of operator, parse the subexpression at operator place according to order from high to low, according to described corresponding relation recognin type of expression, subexpression is sent to the semantic identification module identification of expression formula of respective type, and receive and preserve the semanteme of this subexpression that this module returns.
Described scheduler module 301 sends with its semantic back that replaces having preserved semantic variable/subexpression in script expression formula or the subexpression when sending script expression formula or subexpression; Also can be the expression formula module of respective type runs into variable/subexpression in identifying after, in scheduler module, search the semanteme of whether preserving this variable/subexpression, if having then replace discerning again after this variable/subexpression with the semanteme of this variable/subexpression.
If " expr1=expr2 " form, then type of expression is assignment operation expression formula (such as " x=10 ") such as current expression formula; If " expr1.expr2 " form, then type of expression is attribute expression formula (as " Docoment.Location "); If " expr1+expr2 " form, then type of expression is concatenation operation expression formula (as " x+1 "); If " expr1||expr2 " form, then type of expression is exclusive disjunction expression formula (as " 0||ash "); If " expr1? expr2:expr3 " form then type of expression be conditional expression (as " 0? ": i "); If "/expr/ " form then type of expression be regular expression (as "/loc/ "); If " with (expr1) expr2 " then type of expression be with expression formula (as " with (document) cookie ").In the practical application, in different applied environments, the operator of dissimilar expression formula correspondences may be different, is not limited to above-mentioned example; But scheduler module 301 all is to identify expression formula according to corresponding relation.
The semantic identification module 302 of assign representation formula is used for the semanteme that the assignment operation expression formula is represented is discerned, and returns the semanteme that identifies and give scheduler module 301; For the assignment expression of shape as " expr1=expr2 ", if " expr1 " is a user-defined variable, and its semanteme is not the object of a script, then the semanteme of expr2 is composed to expr1 (as s=1) and returned this variable " expr1 " and the semantic scheduler module 301 of giving, semanteme such as " expr2 " is that " sematic2 " (this semanteme can be the object of script, such as being basic keyword; Also can be character string, numerical value or URL address etc.), then return this variable " expr1 " and reach " sematic2 " to scheduler module 301; Otherwise, if the semanteme of " expr1 " is " sematic1 ", the semanteme of " expr2 " is " sematic2 ", the semanteme of " expr1=expr2 " is " sematic1=sematic2 ", such as the semanteme of " docoment.loaction=http: //www.attacker.com " be " Docoment.Loaction=http: //www.attacker.com; Return this semanteme and give scheduler module 301;
The semantic identification module 303 of attribute expression formula is used for the semanteme that the attribute expression formula is represented is discerned, and returns the semanteme that identifies and give scheduler module 301; " expr1 " is that the semanteme of a regular expression and " expr2 " is " Source " (promptly asking regular expressions source attribute) in the expression formula of shape as " expr1.expr2 ", then " expr1.expr2 " semanteme is the semanteme of regular expressions " expr1 ", as: the semanteme of "/loc/.source " is character string " loc "; Otherwise " expr1.expr2 " semanteme is " sematic1.sematic2 ", the semanteme of " sematic1 " expression " expr1 " wherein, the semanteme of " sematic2 " expression " expr2 " is " Location.Hash " as the semanteme of " location.hash ";
The semantic identification module 304 of concatenation operation expression formula is used for the represented semanteme of concatenation operation expression formula is discerned, and returns the semanteme that identifies and give scheduler module 301; Is " sematic1sematic2 " for shape as the semanteme of " expr1+expr2 ", the semanteme of " sematic1 " expression " expr1 " wherein, the semanteme of " sematic2 " expression " expr2 " is character string " location " as the semanteme of " loca+tion ";
The semantic identification module 305 of exclusive disjunction expression formula is used for the semanteme that the exclusive disjunction expression formula is represented is discerned, and returns the semanteme that identifies and give scheduler module 301; For the expression formula of shape as " expr1||expr2 ", the semantic expressiveness of " if expr1 " " sky " or " 0 " then the semanteme of " expr1||expr2 " is the semanteme of " expr2 ", otherwise be the semanteme of " expr1 ", semanteme as " ' ' || tion " is " tion ", and the semanteme of " str||0 " is " str ";
The semantic identification module 306 of conditional expression is used for the semanteme that the conditional operation expression formula is represented is discerned, and returns the semanteme that identifies and give scheduler module 301; For shape as " expr1? expr2:expr3 " expression formula, semantic expressiveness " sky " or " 0 " of semantic if " expr1 ", then " expr1? expr2:expr3 " get the semanteme of " expr3 ", otherwise get the semanteme of " expr2 ", as " 0? 1:i " semanteme be " i ";
The semantic identification module 307 of regular expression is used for the semanteme that regular expression is represented is discerned, and returns the semanteme that identifies and give scheduler module 301; For the regular expression of shape as "/expr/ ", its semanteme is that the semanteme of character string " expr " itself as "/loca/ " is " loca ";
The semantic identification module 308 of with operation expression is used for the semanteme that the with expression formula is represented is discerned, and returns the semanteme that identifies and give scheduler module 301; For the expression formula of shape as " with (expr1) expr2 ", its semanteme is " sematic1.sematic2 ", the semanteme of " sematic1 " expression " expr1 " wherein, the semanteme of " sematic2 " expression " expr2 ", semanteme as " with (Document) Cookie " is " Document.Cookie ", promptly asks the Cookie attribute of Document object.
Embodiment two, and a kind of script semantic extracting method can be used for attack detecting; As shown in Figure 4, comprising:
Step S1 reads the correct script of grammer that the user injects;
Step S2, the script that step S1 is read carries out semantic analysis, and extracts relevant semanteme; Specifically comprise: read the script vocabulary in the described script successively, if the script vocabulary that reads be operator then parse the script expression formula at this operator place, otherwise continue to read; The semanteme that the script expression formula that parses is represented is discerned and preserved, get script vocabulary in the described script semantic follow-up the resuming studies of this script expression formula of identification, and carry out step S3; When the semanteme of script expression formula is discerned, if comprise variable or subexpression in the script expression formula, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression;
Step S3, whether with suitable form output, differentiating for other program is aggressive with the semanteme of the script expression formula that identifies among the step S2.
In the present embodiment, described expression formula also comprises set of semantics.
In the present embodiment, described step S2 further specifically comprises as shown in Figure 5:
Step S21 judges whether the script vocabulary that do not read in addition, if execution in step S22 then, otherwise execution in step S29, i.e. process ends;
Step S22 reads first untreated script vocabulary as current script vocabulary;
Step S23 is if current script vocabulary is the basic keyword of script, then execution in step S24; Otherwise execution in step S25;
The basic keyword of script is meant the vocabulary of the predefined expression specific meanings of script, as " window " among the Java Script, " location ", " if " etc.
Step S24 discerns the semanteme of the basic keyword of script, and the basic keyword of this script as the script vocabulary of having discerned, is preserved the semanteme of this script vocabulary of having discerned, execution in step S21;
Step S25, if current script vocabulary is an operator, execution in step S26 then, otherwise execution in step S21;
Operator is meant the character of the predefined expression computing of script, as "+", "=", " || ", " (" and ") " etc.
Step S26, the expression formula that parses a current script vocabulary (being operator) place from script according to the corresponding relation of operator and type expression, identifies current script type of expression as current script expression formula;
The script expression formula is meant a finite sequence of the script vocabulary that the script computing connects into, as
" x=1 ", " x+y ", " x.y ", " expr1? expr2:expr3 ", " expr1||expr1 " etc.
Step S27 according to current script type of expression, carries out the identification of the semanteme of respective type expression formula, preserves the semanteme that identifies; Carry out step S3.
In the present embodiment, step S27 also comprises: when the semanteme of script expression formula is discerned, comprise variable or subexpression in the IF expression, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression.
In the present embodiment, step S27 also comprises: when having compound script expression formula, according to the priority of operator, parse the subexpression at operator place according to order from high to low; According to described corresponding relation recognin type of expression, carry out the identification of the semanteme of respective type expression formula; Preserve the semanteme of this subexpression.
Difference according to the script type expression, the semanteme identification of all types of expression formulas comprises following several: the semantic identification of assignment expression, the semantic identification of attribute expression formula, the semantic identification of concatenation operation expression formula, the semantic identification of exclusive disjunction expression formula, the semantic identification of conditional expression, semantic identification of regular expression and the semantic identification of with operation expression;
The identification of carrying out the semanteme of respective type expression formula among the described step S27 specifically comprises following mode:
The execution mode of the semantic identification of assignment expression is: for the assignment expression of shape as " expr1=expr2 ", if " expr1 " is a user-defined variable, and its semanteme is not the object of a script, then the semanteme of expr2 is composed to expr1 (as s=1) and write down this variable and semanteme thereof, otherwise, if the semanteme of " expr1 " is " sematic1 ", the semanteme of " expr2 " is " sematic2 ", then semanticly is " sematic1=sematic2 " (semanteme such as " docoment.loaction=http: //www.attacker.com " is " Docoment.Loaction=http: //www.attacker.com ");
The execution mode of the semantic identification of attribute expression formula is: if " expr1 " is that the semanteme of a regular expression and " expr2 " is " Source " (promptly asking regular expressions source attribute) in the expression formula of shape as " expr1.expr2 ", then " expr1.expr2 " is semantic is the semanteme of regular expressions " expr1 " (as: semanteme of "/loc/.source " is character string " loc "); Otherwise " expr1.expr2 " semanteme is " sematicl.sematic2 ", the semanteme of " sematic1 " expression " expr1 " wherein, the semanteme of " sematic2 " expression " expr2 " (semanteme as " location.hash " is " Location.Hash ");
The execution mode of the semantic identification of concatenation operation expression formula is: shape is " sematic1 sematic2 " as the semanteme of " expr1+expr2 ", the semanteme of " sematic1 " expression " expr1 " wherein, the semanteme of " sematic2 " expression " expr2 " (as " ' loca '+' tion ' " semanteme be character string " location ");
The execution mode of the semantic identification of exclusive disjunction expression formula is: for the expression formula of shape as " expr1||expr2 ", the semantic expressiveness of " if expr1 " " sky " or " 0 " then the semanteme of " expr1||expr2 " is the semanteme of " expr2 ", otherwise be the semanteme (semanteme as " ' ' || tion " is " tion ", and the semanteme of " str||0 " is " str ") of " expr1 ";
The execution mode of the semantic identification of conditional expression is: for shape as " expr1? expr2:expr3 " expression formula, semantic expressiveness " sky " or " 0 " of semantic if " expr1 ", then " expr1? expr2:expr3 " get the semanteme of " expr3 ", otherwise get " expr2 " semanteme (as " and 0? 1:i " semanteme for " i ");
The execution mode of the semantic identification of regular expression is: shape is as the regular expression of "/expr/ ", and its semanteme is character string " expr " itself (semanteme as "/loca/ " is " loca ");
The execution mode of the semantic identification of with expression formula is: shape is as the expression formula of " with (expr1) expr2 ", its semanteme is " sematic1.sematic2 ", the semanteme of " sematic1 " expression " expr1 " wherein, the semanteme of " sematic2 " expression " expr2 " (semanteme as " with (Document) Cookie " is " Document.Cookie ", promptly asks the Cookie attribute of Document object).
Step S28, with current script expression formula as discerning the script expression formula, write down its semanteme, with script vocabulary included after the operator in the current script expression formula as the script vocabulary of having handled; Return step S21;
Step S29, process ends.
The extraction of three, one sections script semantemes of embodiment.
At first, script input unit 101 reads following one section script that the user injects:
<script>
b=document;
a=/loc/.source;
c=a+/ation.href/.source;
b.c=http://www.hacker.com;
</script>
Basic semantic recognin unit 201 is at first judged and is had untreated script vocabulary, therefore reads in first script vocabulary: alphabetical b, and this letter is not the basic keyword of JavaScript language but user-defined variable; So then read in next script vocabulary again: character "=", this character are the assignment operators of JavaScript, then basic semantic recognin unit 201 two statement terminators "; " between parse the script expression formula " b=document " at "=" place, send to scheduler module 301 in the compound semantic recognin unit 202 as current script expression formula;
Described scheduler module 301 corresponding relations according to operator of being preserved and type expression, the type that identifies current script expression formula " b=document " is an assignment expression, sends to the semantic identification module 302 of assignment expression and handles.
The semantic identification module 302 of assign representation formula is discerned " b=document ", because b is an EXEC user defined variableEXEC, and " document " is a basic keyword, and its semanteme is document object " Document "; Then the semanteme of expression formula " b=document " is that the value of variable b is composed into document object " Document ", and variable b and the semanteme " Document " thereof that identifies returned to scheduler module 301; After scheduler module 301 is preserved variable b and semanteme " Document " thereof, indicate described basic semantic recognin unit 201 to continue to read script vocabulary.
Still there is Unidentified script vocabulary in 201 judgements of described basic semantic recognin unit, therefore then read in script vocabulary: alphabetical a; Equally, this letter is not the basic keyword of JavaScript language but user-defined variable, then read in a script vocabulary again: character "=", this character are the assignment operators of JavaScript, then basic semantic recognin unit 201 two statement terminators "; " between parse the script expression formula " a=/loc/.source " at "=" place, send to scheduler module 301 in the compound semantic recognin unit 202 as current script expression formula;
Described scheduler module 301 corresponding relations according to operator of being preserved and type expression, the type that identifies current script expression formula " a=/loc/.source " also is assignment expression, but the subexpression on its right is the compound of a regular expression and attribute expression formula; Because the priority of canonical operator is the highest, therefore earlier regular expression "/loc/ " is sent to the semantic identification module 307 of regular expression and handle;
The semanteme of the semantic identification module 307 identification regular expressions "/loc/ " of regular expression is character string " loc ", this semanteme is returned to described scheduler module 301 preserve; The attribute expression formula "/loc/.source " at the operator place that scheduler module 301 is time high with priority again sends to the semantic identification module 303 of attribute expression formula, scheduler module 301 can will "/loc/ " substitute the back with its semanteme " loc " and sent this moment, also can be searched the semanteme of "/loc/ " by the semantic identification module 303 of attribute expression formula when discerning again in the semanteme of scheduler module 301 preservations;
The semanteme that the semantic identification module 303 of attribute expression formula identifies attribute expression formula "/loc/.source " remains character string " loc ", this semanteme is returned to described scheduler module 301 preserve; Scheduler module 301 sends to " a=/loc/.source " the semantic identification module 302 of assign representation formula again.
The semantic identification module 302 of assign representation formula is according to the semanteme of "/loc/.source ", and the semanteme that can get script expression formula " a=/loc/.source " is that character string " loc " is composed to variable a; Variable a and semanteme " loc " thereof are returned to scheduler module 301 preservations.
Still there is Unidentified script vocabulary in 201 judgements of described basic semantic recognin unit, therefore read in script vocabulary again: alphabetical c; This letter also is user-defined variable, then read in a script vocabulary again: character "=", this character is the assignment operator of JavaScript, so parse the script expression formula " c=a+/ation.href/.source " of an assignment type again, send to scheduler module 301 in the compound semantic recognin unit 202 as current script expression formula;
Similar with top step, scheduler module 301 sends to "/ation.href/ " the semantic identification module 307 of regular expression earlier, and the semanteme that obtains returning is character string " ation.href " and preserves; "/ation.href/.source " sent to the semantic identification module 303 of attribute expression formula, the semanteme that obtains returning remains character string " ation.href " again; To connect expression formula " a+/ation.href/.source " again and send to the semantic identification module 304 of connection expression formula;
Because the semanteme of the variable a that is preserved in the scheduler module 301 is loc, therefore connecting the semanteme that the semantic identification module 304 of expression formula obtains connecting expression formula " a+/ation.href/.source " is character string " location.href ", this semanteme is returned to scheduler module 301 preserve;
Basic semantic recognin unit 201 reads in script vocabulary again: alphabetical b; This letter is user-defined variable, then read in a script vocabulary again: character ". ", this character is the attribute operator of JavaScript, so parse a script expression formula " b.c=http: //www.hacker.com ", send to scheduler module 301 in the compound semantic recognin unit 202 as current script expression formula;
Because the semanteme of variable b is " document " in the scheduler module 301, and the semanteme of c is " location.href ", therefore the semantic identification module 303 of the attribute expression formula semanteme that identifies attribute expression formula " b.c " is " Document.Location.Href ", this semanteme is returned to scheduler module 301 preserve.
201 judgements of basic semantic recognin unit do not exist Unidentified script vocabulary, process ends.
Be to finish the semanteme that this statement of being discerned is exported in the back in the present embodiment at the attribute assignment expression statement, therefore described scheduler module 301 is in the end called described semantic output unit 103 behind a Statement Completion, whether with the semanteme of appropriate format output " Document.Location.Href=http: //www.hacker.com ", differentiating for other program is aggressive.
Certainly; the present invention also can have other various embodiments; under the situation that does not deviate from spirit of the present invention and essence thereof; those of ordinary skill in the art work as can make various corresponding changes and distortion according to the present invention, but these corresponding changes and distortion all should belong to the protection range of claim of the present invention.
Claims (10)
1. script extraction of semantics device that is used for attack detecting comprises:
The script input unit is used to read the script that the user injects;
The extraction of semantics unit is used for the script that reads is carried out semantic analysis, and extracts relevant semanteme;
Semantic output unit is used for the semanteme output of the script that will extract;
It is characterized in that described extraction of semantics unit comprises:
Basic semantic recognin unit and compound semantic recognin unit;
Described basic semantic recognin unit is used for after described script input unit reads script, or indicate when continuing to read described compound semantic recognin unit, read the script vocabulary that did not read in the described script successively, if the script vocabulary that reads is operator then parses the script expression formula at this operator place, then this script expression formula is sent to compound semantic recognin unit, otherwise continue to read the script vocabulary in the described script;
Described compound semantic recognin unit is used for the semanteme that the script expression formula that described basic semantic recognin unit resolves goes out is represented is discerned and preserved, the described basic semantic recognin of semantic back indication unit in this script expression formula of identification continues to read, and calls the semanteme that described semantic output unit is exported this script expression formula; When the semanteme of script expression formula is discerned, if comprise variable or subexpression in the script expression formula, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression.
2. device as claimed in claim 1 is characterized in that, described compound semantic recognin unit specifically comprises:
Scheduler module, the semantic identification module of all types of expression formula;
Described scheduler module is used to preserve the corresponding relation of operator and script type expression, discern this script type of expression according to the operator in this corresponding relation and the described script expression formula that parses, according to the type that identifies, this script expression formula is sent to the semantic identification module of expression formula of respective type; Preserve the semanteme that identifies that semantic identification module returned of described respective type, after the semanteme identification of this script expression formula is finished, call the semanteme that semantic output unit is exported this expression formula.
3. device as claimed in claim 2 is characterized in that:
When having compound script expression formula, described scheduler module is according to the priority of operator, parse the subexpression at operator place according to order from high to low, according to described corresponding relation recognin type of expression, subexpression is sent to the semantic identification module identification of expression formula of respective type, and receive and preserve the semanteme of this subexpression that this module returns.
4. device as claimed in claim 2 is characterized in that, the semantic identification module of all types of expression formulas comprises:
The semantic identification module of assign representation formula, be used to receive the assignment operation expression formula, if the script vocabulary on the assignment operator left side is a variable, and its semanteme is not the object of a script, then the semanteme of the script vocabulary on assignment operator the right is composed to this variable, this variable and its semanteme are returned to scheduler module; Otherwise, obtain the semanteme of the semanteme of described assignment expression for the script vocabulary on the right of assignment operator, compose the script vocabulary of giving the assignment operator left side; Return this semanteme and give described scheduler module;
The semantic identification module of attribute expression formula is used to receive the attribute expression formula; If the attribute operator left side is a regular expression, and the right is source, then obtains the semanteme of the semanteme of described attribute expression formula for this regular expression; Otherwise the semanteme that obtains described attribute expression formula is sematic1.sematic2; Sematic1 and sematic2 are respectively the semanteme of the script vocabulary on the left and right limit of attribute operator; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of concatenation operation expression formula is used to receive the concatenation operation expression formula, and it is continuous for the semanteme of the script vocabulary on the left and right limit of concatenation operator to obtain its semanteme; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of exclusive disjunction expression formula, be used to receive the exclusive disjunction expression formula, if the semanteme of the script vocabulary on the exclusive disjunction symbol left side is empty or 0, the semanteme of then described exclusive disjunction expression formula is the semanteme of the script vocabulary on exclusive disjunction symbol the right, otherwise accords with the semanteme of the script vocabulary on the left side for exclusive disjunction; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of conditional expression is used for the condition of acceptance operation expression, if the semanteme of the script vocabulary of expression condition is empty or 0, the semanteme of then described conditional operation expression formula is the semanteme of a script vocabulary, otherwise is the semanteme of another script vocabulary; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of regular expression is used to receive regular expression, obtains its semanteme and is the script vocabulary in the canonical operator; Return the semanteme that obtains and give described scheduler module;
The semantic identification module of with operation expression is used to receive the with expression formula, obtains its semantic sematic1.sematic2 of being, the semanteme of the script vocabulary that sematic1, sematic2 are respectively in the with operator bracket, bracket is outer; Return the semanteme that obtains and give described scheduler module.
5. as each described device in the claim 2 to 4, it is characterized in that:
Described scheduler module sends with its semantic back that replaces having preserved semantic variable/subexpression in script expression formula or the subexpression when sending script expression formula or subexpression;
Or the expression formula module of respective type runs into variable/subexpression in identifying after, in scheduler module, search the semanteme of whether preserving this variable/subexpression, if having then replace discerning again after this variable/subexpression with the semanteme of this variable/subexpression.
6. script semantic extracting method that is used for attack detecting comprises:
S1, read the script that the user injects;
S2, read script vocabulary in the described script successively, if the script vocabulary that reads be operator then parse the script expression formula at this operator place, otherwise continue to read; The semanteme that the script expression formula that parses is represented is discerned and preserved, get script vocabulary in the described script semantic follow-up the resuming studies of this script expression formula of identification, and carry out step S3; When the semanteme of script expression formula is discerned, if comprise variable or subexpression in the script expression formula, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression;
S3 is with the semanteme output of the script expression formula that identifies among the described step S2.
7. method as claimed in claim 6 is characterized in that, described step S2 specifically comprises:
Step S21 judges whether in addition not processed script vocabulary, if execution in step S22 then, otherwise execution in step S29, i.e. process ends;
Step S22 reads first untreated script vocabulary as current script vocabulary;
Step S23 is if current script vocabulary is the basic keyword of script, then execution in step S24; Otherwise execution in step S25;
Step S24 discerns the semanteme of the basic keyword of script, and the basic keyword of this script as the script vocabulary of having discerned, is preserved the semanteme of this script vocabulary of having discerned, execution in step S21;
Step S25, if current script vocabulary is an operator, execution in step S26 then, otherwise execution in step S21;
Step S26, the expression formula that parses an operator place from script according to the corresponding relation of operator and type expression, identifies current script type of expression as current script expression formula;
Step S27 according to current script type of expression, carries out the identification of the semanteme of respective type expression formula, preserves the semanteme that identifies; Carry out step S3.
8. method as claimed in claim 7 is characterized in that, also comprises among the described step S27:
When having compound script expression formula,, parse the subexpression at operator place according to order from high to low according to the priority of operator; According to described corresponding relation recognin type of expression, carry out the identification of the semanteme of respective type expression formula; Preserve the semanteme of this subexpression.
9. method as claimed in claim 7 is characterized in that, the identification of carrying out the semanteme of respective type expression formula among the described step S27 specifically comprises:
For the assignment operation expression formula, if the script vocabulary on the assignment operator left side is a variable, and its semanteme is not the object of a script, then the semanteme of the script vocabulary on assignment operator the right composed to this variable, and recognition result be this variable and its semanteme; Otherwise, identify the semanteme of the semanteme of described assignment expression for the script vocabulary on the right of assignment operator, compose the script vocabulary of giving the assignment operator left side;
For the attribute expression formula; If the attribute operator left side is a regular expression, and the right is source, then identifies the semanteme of the semanteme of described attribute expression formula for this regular expression; Otherwise the semanteme that identifies described attribute expression formula is sematic1.sematic2; Sematic1 and sematic2 are respectively the semanteme of the script vocabulary on the left and right limit of attribute operator;
For the concatenation operation expression formula, it is continuous for the semanteme of the script vocabulary on the left and right limit of concatenation operator to identify its semanteme;
For the exclusive disjunction expression formula, if the semanteme of the script vocabulary on the exclusive disjunction symbol left side is empty or 0, the semanteme that then identifies described exclusive disjunction expression formula is the semanteme of the script vocabulary on exclusive disjunction symbol the right, otherwise accords with the semanteme of the script vocabulary on the left side for exclusive disjunction;
For the conditional operation expression formula, if the semanteme of the script vocabulary of expression condition is empty or 0, the semanteme that then identifies described conditional operation expression formula is the semanteme of a script vocabulary, otherwise is the semanteme of another script vocabulary;
For regular expression, identify its semanteme and be the script vocabulary in the canonical operator;
For the with expression formula, identify its semantic sematic1.sematic2 of being, the semanteme of the script vocabulary that sematic1, sematic2 are respectively in the with operator bracket, bracket is outer.
10. as each described method in the claim 7 to 9, it is characterized in that, also comprise among the step S27:
When the semanteme of script expression formula is discerned, comprise variable or subexpression in the IF expression, and preserve the semanteme of this variable/subexpression, then with discerning after this variable/subexpression in the semanteme replacement expression formula of this variable/subexpression.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100842668A CN101895517B (en) | 2009-05-19 | 2009-05-19 | Method and device for extracting script semantics |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009100842668A CN101895517B (en) | 2009-05-19 | 2009-05-19 | Method and device for extracting script semantics |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101895517A true CN101895517A (en) | 2010-11-24 |
| CN101895517B CN101895517B (en) | 2013-05-15 |
Family
ID=43104584
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009100842668A Expired - Fee Related CN101895517B (en) | 2009-05-19 | 2009-05-19 | Method and device for extracting script semantics |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101895517B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105100065A (en) * | 2015-06-26 | 2015-11-25 | 北京奇虎科技有限公司 | Cloud-based webshell attack detection method, cloud-based webshell attack detection device and gateway |
| CN105488399A (en) * | 2014-12-08 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Script virus detection method and system based on program keyword calling sequence |
| CN107659555A (en) * | 2016-08-30 | 2018-02-02 | 北京长亭科技有限公司 | Detection method and device, terminal device and the computer-readable storage medium of network attack |
| CN108804916A (en) * | 2017-12-19 | 2018-11-13 | 哈尔滨安天科技股份有限公司 | Detection method, device, electronic equipment and the storage medium of malicious file |
| CN109359045A (en) * | 2018-10-16 | 2019-02-19 | 武汉斗鱼网络科技有限公司 | A kind of test method, device, equipment and storage medium |
| CN110457551A (en) * | 2019-08-14 | 2019-11-15 | 梁冰 | The semantic recurrence of natural language indicates the building method of system |
| CN110825739A (en) * | 2019-10-30 | 2020-02-21 | 京东数字科技控股有限公司 | Table building statement generation method, device, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040260754A1 (en) * | 2003-06-20 | 2004-12-23 | Erik Olson | Systems and methods for mitigating cross-site scripting |
| CN101217546A (en) * | 2008-01-18 | 2008-07-09 | 东南大学 | A realization method of high efficiency and secured protocol detecting system to deny the service attacking |
| CN101267357A (en) * | 2007-03-13 | 2008-09-17 | 北京启明星辰信息技术有限公司 | A SQL injection attack detection method and system |
-
2009
- 2009-05-19 CN CN2009100842668A patent/CN101895517B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040260754A1 (en) * | 2003-06-20 | 2004-12-23 | Erik Olson | Systems and methods for mitigating cross-site scripting |
| CN101267357A (en) * | 2007-03-13 | 2008-09-17 | 北京启明星辰信息技术有限公司 | A SQL injection attack detection method and system |
| CN101217546A (en) * | 2008-01-18 | 2008-07-09 | 东南大学 | A realization method of high efficiency and secured protocol detecting system to deny the service attacking |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105488399A (en) * | 2014-12-08 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Script virus detection method and system based on program keyword calling sequence |
| CN105100065A (en) * | 2015-06-26 | 2015-11-25 | 北京奇虎科技有限公司 | Cloud-based webshell attack detection method, cloud-based webshell attack detection device and gateway |
| CN105100065B (en) * | 2015-06-26 | 2018-03-16 | 北京奇安信科技有限公司 | Webshell attack detection methods, device and gateway based on cloud |
| CN107659555A (en) * | 2016-08-30 | 2018-02-02 | 北京长亭科技有限公司 | Detection method and device, terminal device and the computer-readable storage medium of network attack |
| CN108804916A (en) * | 2017-12-19 | 2018-11-13 | 哈尔滨安天科技股份有限公司 | Detection method, device, electronic equipment and the storage medium of malicious file |
| CN108804916B (en) * | 2017-12-19 | 2022-01-28 | 安天科技集团股份有限公司 | Malicious file detection method and device, electronic equipment and storage medium |
| CN109359045A (en) * | 2018-10-16 | 2019-02-19 | 武汉斗鱼网络科技有限公司 | A kind of test method, device, equipment and storage medium |
| CN109359045B (en) * | 2018-10-16 | 2022-01-04 | 武汉斗鱼网络科技有限公司 | Test method, device, equipment and storage medium |
| CN110457551A (en) * | 2019-08-14 | 2019-11-15 | 梁冰 | The semantic recurrence of natural language indicates the building method of system |
| CN110825739A (en) * | 2019-10-30 | 2020-02-21 | 京东数字科技控股有限公司 | Table building statement generation method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101895517B (en) | 2013-05-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101895517B (en) | Method and device for extracting script semantics | |
| US9032516B2 (en) | System and method for detecting malicious script | |
| CN103559235B (en) | A kind of online social networks malicious web pages detection recognition methods | |
| US20150295942A1 (en) | Method and server for performing cloud detection for malicious information | |
| CN105706045B (en) | Semantic-Oriented analysis to log information content | |
| CN102542201B (en) | Detection method and system for malicious codes in web pages | |
| CN107341399B (en) | Method and device for evaluating security of code file | |
| CN111045678A (en) | Method, device and equipment for executing dynamic code on page and storage medium | |
| CN106909846B (en) | Vulnerability detection method and device based on virtual analysis | |
| CN112989348B (en) | Attack detection method, model training method, device, server and storage medium | |
| US11263062B2 (en) | API mashup exploration and recommendation | |
| IL225820A (en) | Real-time single-sweep detection of key words and content analysis | |
| CN111723265A (en) | Extensible news website universal crawler method and system | |
| CN103617213A (en) | Method and system for identifying newspage attributive characters | |
| CN105260357A (en) | Sensitive word checking method and device based on Hash sensitive words directed graph | |
| CN114528457A (en) | Web fingerprint detection method and related equipment | |
| CN112307478A (en) | Script virus detection method, system, electronic equipment and storage medium | |
| CN104778232B (en) | Searching result optimizing method and device based on long query | |
| CN101763432A (en) | Method for constructing lightweight webpage dynamic view | |
| CN108830082B (en) | XSS vulnerability detection parameter automatic selection method based on output point position | |
| CN110147839A (en) | The method that algorithm based on XGBoost generates domain name detection model | |
| CN111125704B (en) | Webpage Trojan horse recognition method and system | |
| CN103838865A (en) | Method and device for mining timeliness seed page | |
| KR101650316B1 (en) | Apparatus and method for collecting and analysing HTML5 documents based a distributed parallel processing | |
| CN110719344B (en) | Domain name acquisition method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20130515 Termination date: 20180519 |