CN103425930B - Online real-time script detection method and system - Google Patents

Online real-time script detection method and system

Info

Publication number
CN103425930B
Authority
CN (China)
Prior art keywords
script, message, content, end mark, detection
Legal status
Active
Application number
CN201210578080.XA
Other languages
Chinese (zh)
Other versions
CN103425930A (en)
Inventors
肖新光, 邱勇良
Current assignee
Beijing ahtech network Safe Technology Ltd
Original assignee
Beijing Antiy Electronic Equipment Co Ltd
Priority date and filing date
2012-12-27
Publication date
2016-09-07 (grant; the application CN103425930A was published 2013-12-04)

Landscapes

  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an online real-time script detection method and system. The method scans each data packet for the start mark and the end mark of a script. If both marks are found in the same packet, the script detection engine is called to inspect the script. If only the start mark is found, the embedded script in the current packet is cached and reassembled with the subsequent packets of the same connection until the end mark is found; the complete script is then restored and passed to the script detection engine. To keep the cache from growing without bound, a maximum cache length threshold is set: if the cached length exceeds the threshold during reassembly, caching stops and the content cached so far is sent directly to the script detection engine. The invention also provides an online real-time script detection system. The method greatly reduces the amount of web content that must be cached and improves the processing performance of the device.

Description

Online real-time script detection method and system
Technical field
The present invention relates to detection techniques for scripts embedded in web pages, and in particular to an online real-time script detection method and system.
Background technology
With the spread and rapid development of the Internet and the sharp rise in the number of users, web content and web applications have been greatly enriched, and users' demands have driven the rapid development of interactive web sites. Web developers usually realise this interactivity by embedding scripts in web pages.
The browsers that ordinary users browse with may, for a variety of reasons, contain vulnerabilities. Attackers often exploit these vulnerabilities through scripts embedded in web pages to trigger the execution of malicious code, spread malware and seek illegal gain.
However, a network carries a very large number of web access connections, and caching all web content before analysing it may far exceed the load capacity of a network security device, with the result that script viruses in the network cannot be detected. A network security device therefore needs an efficient script detection system.
Summary of the invention
The present invention provides an online real-time script detection method and system. It solves the problem that script viruses cannot be detected when a network carries too many access connections, and achieves real-time script detection with low consumption of device resources.
An online real-time script detection method, comprising:
Step 1: capture network packets;
Step 2: perform protocol decoding on the captured packets and separate out the HTTP messages;
Step 3: determine whether the connection has a cache mark; if so, the current HTTP message belongs to a connection with cached script content, and step 4 is performed; otherwise step 8 is performed;
Step 4: scan the message for a script end mark; if one is found, perform step 5, otherwise perform step 6;
Step 5: clear the connection cache mark, reassemble the script content in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, raise an alert; after the engine detection, perform step 8;
Step 6: determine whether the sum of the current message length and the cached script content length exceeds the preset length threshold; if so, perform step 7; otherwise cache the entire content of the message and return to step 1;
Step 7: clear the connection cache mark, reassemble the script content in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, raise an alert; then end detection of the current message;
Step 8: scan the message from the processed position for a script start mark; if one is found, perform step 9; otherwise end detection of the current message;
Step 9: scan the message from the processed position for a script end mark; if one is found, perform step 10; otherwise perform step 11;
Step 10: extract the content from the script start mark to the script end mark from the message and send it to the script engine for detection; if a threat is found, raise an alert; after the engine detection, return to step 8;
Step 11: cache the content of the message from the script start mark to the end of the message, and return to step 1.
In the method, when scanning a message for the start mark or the end mark, an automaton is used to normalise script start marks and end marks that appear in deformed form.
An online real-time script detection system, comprising:
a data capture module for capturing network packets;
a protocol decoding module for performing protocol decoding on the captured packets and separating out the HTTP messages;
a cache judgement module for determining whether the connection has a cache mark; if it does, the current HTTP message belongs to a connection with cached script content and the message is scanned for a script end mark: if one is found the reassembly module is run; if not, the module determines whether the sum of the current message length and the cached script content length exceeds the preset length threshold, running the reassembly module if so and the cache module otherwise; if the connection has no cache mark, the script detection module is run;
a reassembly module for clearing the connection cache mark, reassembling the script content in the current message with the cached script content, and sending the result to the engine detection module for detection;
a script detection module for scanning the message from the processed position for a script start mark; if one is found, it scans the message from the processed position for a script end mark, and if that is found it extracts the content from the script start mark to the script end mark and sends it to the engine detection module, otherwise it caches the content of the message from the script start mark to the end of the message and returns to the data capture module; if no start mark is found, it ends detection of the current message;
an engine detection module for detecting the script content handed to it; if a threat is found, it raises an alert, and after the engine detection it runs the script detection module or ends detection of the current message.
In the system, when scanning a message for the start mark or the end mark, an automaton is used to normalise script start marks and end marks that appear in deformed form.
The beneficial effect of the invention is that cached content is reduced as far as possible: to prevent excessive caching, a cache threshold is set, and caching stops once the threshold is exceeded, which reduces the cache capacity required of the detection device and improves the processing capacity and operating efficiency of the network security device. Furthermore, because of the way scripts are coded in web pages, every embedded script segment has a start mark and an end mark, so scanning for these marks locates script content quickly and improves detection speed.
Brief description of the drawings
To explain the technical solution of the present invention or of the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the online real-time script detection method of the present invention;
Fig. 2 is a structural diagram of the online real-time script detection system of the present invention.
Detailed description of the invention
To enable those skilled in the art to better understand the technical solution in the embodiments of the present invention, and to make the above objects, features and advantages of the invention clearer and easier to understand, the technical solution of the invention is described in further detail below with reference to the drawings.
An online real-time script detection method, as shown in Fig. 1, comprises:
S101: capture network packets. Packets can be captured with pcap, with zero-copy capture, or with a dedicated capture network adapter.
S102: perform protocol decoding on the captured packets and separate out the HTTP messages. HTTP can be identified from the TCP port information or from the leading keywords of the transport-layer payload (such as GET, POST, HTTP); the server response content of the HTTP connection is then decoded to extract the web page content.
S103: determine whether the connection has a cache mark; if so, the current HTTP message belongs to a connection with cached script content, and S104 is performed; otherwise S108 is performed.
S104: scan the message for a script end mark; if one is found, perform S105, otherwise perform S106.
The script language generally used in web pages is JavaScript, whose end mark is </script>. In real web page code, browser tolerance allows some deformed forms to occur, for example with whitespace interleaved in the mark; an automaton can be used to normalise the deformed form back to </script>.
S105: clear the connection cache mark, reassemble the script content in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, raise an alert; after the engine detection, perform S108. The script virus detection can use an existing commercial anti-virus engine or an engine written in-house.
S106: determine whether the sum of the current message length and the cached script content length exceeds the preset length threshold; if so, perform S107; otherwise cache the entire content of the message and return to S101.
The cache length threshold can be user-defined, for example 4096 bytes or 8192 bytes. If the threshold is too short the detection rate falls; if it is too long the cache is used inefficiently.
S107: clear the connection cache mark, reassemble the script content in the current message with the cached script content, and send the result to the script engine for detection; if a threat is found, raise an alert; then end detection of the current message.
S108: scan the message from the processed position for a script start mark; if one is found, perform S109; otherwise end detection of the current message.
The script language generally used in web pages is JavaScript, whose start mark is <script. In real web page code, browser tolerance allows some deformed forms to occur, for example with whitespace interleaved in the mark; an automaton can be used to normalise the deformed form back to <script.
S109: scan the message from the processed position for a script end mark; if one is found, perform S110; otherwise perform S111.
S110: extract the content from the script start mark to the script end mark from the message and send it to the script engine for detection; if a threat is found, raise an alert; after the engine detection, return to S108.
S111: cache the content of the message from the script start mark to the end of the message, and return to S101.
In the method, when scanning a message for the start mark or the end mark, an automaton is used to normalise script start marks and end marks that appear in deformed form.
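The decision flow S103 to S111, as an added example in Python that is not code from the patent or from its assignee: it runs over HTTP response body segments that have already been captured and decoded (S101 and S102 are assumed external), treats the script engine as a pluggable callable, and uses a whitespace- and case-tolerant pattern in place of the patent's normalising automaton. `ScriptDetector`, `ConnState`, `demo_engine` and the sample segments are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Start/end marks of an embedded script, matched tolerantly: the patent notes
# that browsers accept deformed marks such as whitespace mixed into the tag, so
# the scanner accepts optional whitespace and any letter case. This stands in
# for the patent's "automaton normalisation" of deformed marks.
START_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
END_RE = re.compile(rb"<\s*/\s*script\s*>", re.IGNORECASE)


@dataclass
class ConnState:
    """Per-connection state: the cache mark (S103) and the cached script bytes."""
    caching: bool = False
    cache: bytearray = field(default_factory=bytearray)


class ScriptDetector:
    """Steps S103-S111 over decoded HTTP body segments; `engine` is the external
    script detection engine (S105) and returns True when a script is a threat."""

    def __init__(self, engine, max_cache=4096):
        self.engine = engine
        self.max_cache = max_cache      # preset cache length threshold (S106)
        self.conns = {}                 # connection id -> ConnState
        self.scanned = []               # every script handed to the engine
        self.alerts = []                # (connection id, script) pairs

    def _scan(self, conn_id, script):
        self.scanned.append(bytes(script))
        if self.engine(bytes(script)):
            self.alerts.append((conn_id, bytes(script)))

    def feed(self, conn_id, payload):
        st = self.conns.setdefault(conn_id, ConnState())
        pos = 0
        if st.caching:                              # S103: cache mark is set
            end = END_RE.search(payload)
            if end:                                 # S104 -> S105: reassemble and scan
                st.caching = False
                self._scan(conn_id, st.cache + payload[:end.end()])
                st.cache = bytearray()
                pos = end.end()                     # continue with S108 below
            elif len(st.cache) + len(payload) > self.max_cache:
                st.caching = False                  # S106 -> S107: over threshold
                self._scan(conn_id, st.cache + payload)
                st.cache = bytearray()
                return                              # detection of this message ends
            else:                                   # S106: under threshold, keep caching
                st.cache += payload
                return
        while True:                                 # S108: scan from processed position
            start = START_RE.search(payload, pos)
            if start is None:
                return                              # no start mark: message done
            end = END_RE.search(payload, start.end())   # S109
            if end:                                 # S110: whole script in this message
                self._scan(conn_id, payload[start.start():end.end()])
                pos = end.end()
            else:                                   # S111: cache start mark to message end
                st.cache += payload[start.start():]
                st.caching = True
                return


def demo_engine(script):
    """Constructed placeholder for the external engine: flags the classic
    eval(unescape(...)) obfuscation pattern. A deployment would call a
    commercial anti-virus engine here, as the patent describes."""
    low = script.lower()
    return b"eval(" in low and b"unescape(" in low


def demo():
    """Constructed sample: one HTTP response body split over three TCP segments."""
    segments = [
        b"<html><SCRIPT>var a=1;</script><p>hi</p>< script type='text/javascript'>\n",
        b"var s='%61%6c%65%72%74%28%31%29';\n",
        b"eval(unescape(s));</ script ><p>bye</p></html>",
    ]
    det = ScriptDetector(engine=demo_engine, max_cache=4096)
    for seg in segments:
        det.feed("10.0.0.5:51234->203.0.113.7:80", seg)
    return det
```

Like the patent's procedure, this does not handle a mark that is itself split across two segments, and a script cut off by the threshold reaches the engine incomplete.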
An online real-time script detection system, as shown in Fig. 2, comprises:
a data capture module 201 for capturing network packets;
a protocol decoding module 202 for performing protocol decoding on the captured packets and separating out the HTTP messages;
a cache judgement module 203 for determining whether the connection has a cache mark; if it does, the current HTTP message belongs to a connection with cached script content and the message is scanned for a script end mark: if one is found the reassembly module is run; if not, the module determines whether the sum of the current message length and the cached script content length exceeds the preset length threshold, running the reassembly module if so and the cache module otherwise; if the connection has no cache mark, the script detection module is run;
a reassembly module 204 for clearing the connection cache mark, reassembling the script content in the current message with the cached script content, and sending the result to the engine detection module for detection;
a script detection module 205 for scanning the message from the processed position for a script start mark; if one is found, it scans the message from the processed position for a script end mark, and if that is found it extracts the content from the script start mark to the script end mark and sends it to the engine detection module, otherwise it caches the content of the message from the script start mark to the end of the message and returns to the data capture module; if no start mark is found, it ends detection of the current message;
an engine detection module 206 for detecting the script content handed to it; if a threat is found, it raises an alert, and after the engine detection it runs the script detection module or ends detection of the current message.
In the system, when scanning a message for the start mark or the end mark, an automaton is used to normalise script start marks and end marks that appear in deformed form.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and identical or similar parts may be referred to across embodiments. Since the system embodiment is substantially similar to the method embodiment, it is described more briefly, and the relevant parts refer to the description of the method embodiment.
Although the present invention has been described through embodiments, those of ordinary skill in the art will appreciate that the invention admits many variations and changes without departing from its spirit, and the appended claims are intended to cover such variations and changes.

Claims (4)

1. An online real-time script detection method, characterised in that it comprises:
Step 1: capturing network packets;
Step 2: performing protocol decoding on the captured packets and separating out the HTTP messages;
Step 3: determining whether the connection has a cache mark; if so, the current HTTP message belongs to a connection with cached script content, and step 4 is performed; otherwise step 8 is performed;
Step 4: scanning the message for a script end mark; if one is found, performing step 5, otherwise performing step 6;
Step 5: clearing the connection cache mark, reassembling the script content in the current message with the cached script content, and sending the result to the script engine for detection; if a threat is found, raising an alert; after the engine detection, performing step 8;
Step 6: determining whether the sum of the current message length and the cached script content length exceeds the preset length threshold; if so, performing step 7; otherwise caching the entire content of the message and returning to step 1;
Step 7: clearing the connection cache mark, reassembling the script content in the current message with the cached script content, and sending the result to the script engine for detection; if a threat is found, raising an alert; then ending detection of the current message;
Step 8: scanning the message from the processed position for a script start mark; if one is found, performing step 9; otherwise ending detection of the current message;
Step 9: scanning the message from the processed position for a script end mark; if one is found, performing step 10; otherwise performing step 11;
Step 10: extracting the content from the script start mark to the script end mark from the message and sending it to the script engine for detection; if a threat is found, raising an alert; after the engine detection, returning to step 8;
Step 11: caching the content of the message from the script start mark to the end of the message, and returning to step 1.
2. The method of claim 1, characterised in that, when scanning a message for the start mark or the end mark, an automaton is used to normalise script start marks and end marks that appear in deformed form.
3. An online real-time script detection system, characterised in that it comprises:
a data capture module for capturing network packets;
a protocol decoding module for performing protocol decoding on the captured packets and separating out the HTTP messages;
a cache judgement module for determining whether the connection has a cache mark; if it does, the current HTTP message belongs to a connection with cached script content and the message is scanned for a script end mark: if one is found the reassembly module is run; if not, the module determines whether the sum of the current message length and the cached script content length exceeds the preset length threshold, running the reassembly module if so and the cache module otherwise; if the connection has no cache mark, the script detection module is run;
a reassembly module for clearing the connection cache mark, reassembling the script content in the current message with the cached script content, and sending the result to the engine detection module for detection;
a script detection module for scanning the message from the processed position for a script start mark; if one is found, it scans the message from the processed position for a script end mark, and if that is found it extracts the content from the script start mark to the script end mark and sends it to the engine detection module, otherwise it caches the content of the message from the script start mark to the end of the message and returns to the data capture module; if no start mark is found, it ends detection of the current message;
an engine detection module for detecting the script content handed to it; if a threat is found, it raises an alert, and after the engine detection it runs the script detection module or ends detection of the current message.
4. The system of claim 3, characterised in that, when scanning a message for the start mark or the end mark, an automaton is used to normalise script start marks and end marks that appear in deformed form.

Priority Applications (1)

Application number: CN201210578080.XA (CN103425930B); priority date 2012-12-27; filing date 2012-12-27; title: Online real-time script detection method and system


Publications (2)

CN103425930A (application): published 2013-12-04
CN103425930B (grant): published 2016-09-07
