CN103561012A - WEB backdoor detection method and system based on relevance tree - Google Patents


Publication number
CN103561012A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310517193.3A
Other languages
Chinese (zh)
Other versions
CN103561012B (en
Inventor
马多贺
徐震
杨婧
宋晨
吕双双
李乃山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Abstract

The invention relates to a WEB backdoor detection method and system based on a relevance tree. The detection system comprises a link relevance tree generation module and a real-time attack detection module. It does not depend on antivirus software or file-feature detection software. Instead, the links of the WEB site are first actively crawled and its access records collected; after analysis and processing, the set of all URLs of the site is established, and the link and jump relations between the URLs are recorded algorithmically in the form of a tree, forming a link relevance tree. If a backdoor URL request does not exist in the link relevance tree, the security monitoring module of the system raises an alarm and the attack request is blocked. The detection method improves the security of WEB applications and addresses WEB backdoor attacks that security products such as antivirus software and firewalls cannot detect or prevent. It is general-purpose: no software needs to be installed on the WEB server, and it is transparent to the type of WEB server, the WEB programming language and the way customers use the site.

Description

A WEB backdoor detection method and system based on a relevance tree
Technical field
The present invention relates to a WEB backdoor detection method and system, specifically to a WEB backdoor detection method and system based on a relevance tree, and belongs to the field of computer network security and information security.
Background
WEB applications now hold the dominant position among network applications. As WEB applications have flourished, WEB application security problems have followed on a massive scale, and WEB application security faces serious threats. As WEB technology develops and network attack techniques improve, attack methods against WEB applications also change rapidly. Because WEB service platforms are widely used across all industries, attackers have shifted their attention from attacking network servers to attacking WEB services. At this layer, attackers can exploit security vulnerabilities to obtain control of the WEB server and steal important internal data for illegal gain. A research report recently published by the market research firm Gartner emphasized and predicted that more than 75% of current successful attacks occur at the WEB application layer. According to the latest internet security threat report issued by CNCERT, among the network security incidents CNCERT received in 2011, website security incidents accounted for 61.7%; the number of websites within China that were tampered with was 36612, an increase of 5.1% over 2010; and the number of websites within China implanted with backdoors from April to December was 12513. Once a backdoor has been implanted in a website, the attacker can log in at any time and easily carry out attacks including system intrusion, WEB system destruction, web page tampering and theft of key information.
The implantation of backdoor programs and links such as WEBshells into WEB sites has therefore become a significant threat to website security; intruders use backdoor programs or links as a powerful tool for carrying out attack operations on a website. Backdoor programs such as WEBshells are mostly written in page scripting languages. Like other normal web pages, they run in the same environment and use the same service port, so they easily pass through firewalls and evade detection by antivirus software, and intruders therefore tend to use them as backdoors for controlling servers. Compared with binary programs, a WEBshell is a plain text file that is simple to transform; scripts are flexible to use, and signatures are easy to obfuscate or hide, which makes it difficult for detection methods based on signature matching to detect them quickly and accurately. Traditional methods such as antivirus software and firewalls are powerless against WEB backdoor programs, so new security methods must be adopted to keep servers secure.
Summary of the invention
In view of this, the invention discloses a WEB backdoor detection method based on a relevance tree. The links of the WEB site are actively crawled and its access records collected; after analysis and processing, the set of all URLs of the site is constructed, the complex graph-shaped or mesh-shaped associations are optimized, and a link relevance tree is formed. When an attacker accesses the WEB backdoor page it has implanted, the backdoor URL request does not exist in the link relevance tree, so the security monitoring module of the system raises an alarm and blocks the attack request.
The invention also discloses an online WEB backdoor detection system based on a relevance tree. The detection system does not depend on antivirus software or file-feature detection software. Instead, the links of the WEB site are first actively crawled and its access records collected; after analysis and processing, the set of all URLs of the site is constructed, and the link and jump relations between the URLs are recorded algorithmically in the form of a tree, forming a link relevance tree. The link relevance tree is an algorithmic representation in which links and link relations form a topology of root, branches and leaves. The tree is stored in the form of linked lists and hash tables, and can be stored in a database.
Specifically, the technical solution of the present invention is as follows: a WEB backdoor detection method based on a relevance tree, whose steps comprise:
1) setting the home page link of the WEB site to obtain the crawl entry point of the site, and crawling all link information of the WEB site from the crawl entry point;
2) computing the fan-in and/or fan-out coefficients for all the link information, and gathering the links whose fan-in coefficient Link_in >= 1 or fan-out coefficient Link_out >= 1 into multiple original link sets;
3) optimizing the original link sets to establish tree-shaped link relation sets, obtaining the link relevance tree WTree(links);
4) setting the links in the link relevance tree WTree(links) as trusted links;
5) when an attacker accesses a WEB page in which a WEB backdoor has been implanted, detecting the WEB backdoor by determining whether the backdoor link request is in the link relevance tree.
Further, the links whose fan-in coefficient Link_in = 0 and fan-out coefficient Link_out = 0 are used to generate the corpse link library B_lib(Links) and to establish corpse link records. The corpse link record table serves as the fast-matching record table for backdoor attacks; during real-time attack detection, requests are matched against it before they are matched against the link relevance tree WTree(links).
Further, during real-time attack detection the corpse links are first treated as suspicious backdoors and a security alarm is sent; until the WEB system administrator has reviewed them, they are all closed by default. When a backdoor attack alarm is received, the WEB application administrator can review it manually and manually amend a particular link: the link is set as a trusted link and added to the link relevance tree WTree(links), or an access control policy for the link is set according to attributes such as IP address range and time period.
Further, when a user sends a page link request, the WEB application proxy gateway intercepts the link request and performs a fast lookup in the link relevance tree WTree(links):
If the lookup hits a record, the request is a legitimate link request; the gateway lets the request through, and the WEB server's response to the request is fed back directly to the client;
If the lookup misses, the gateway, acting as a proxy for the client, continues to send the request to the WEB server:
If the requested link exists on the WEB server and an existing page is returned, a backdoor attack alarm is sent and the link request is blocked according to the pre-established security policy;
If the requested link returns a 404 "not found" error code on the WEB server, the gateway returns the error response directly to the client.
Further, the method of optimizing the original link sets to establish the tree-shaped link relation sets is as follows:
1) the complex graph-shaped or mesh-shaped associations in the original link sets are optimized and reduced to tree-type link relations;
2) for each node in the link relevance tree WTree(links), the storage structure is optimized using a red-black tree or binary search tree algorithm;
3) leaf nodes at the same level are stored in a hash table.
Further, by adjusting a threshold N, tree-shaped link sets in the link relevance tree WTree(links) whose node count M<N are excluded from the trusted range, in order to identify backdoor links that have only a small number of mutual links.
Further, the method of crawling all link information of the WEB site from the crawl entry point is:
1) crawling starts from the home page of the WEB site, or the home page and subsystem home pages are entered manually;
2) when crawling page links, a breadth-first or depth-first algorithm is used to traverse all links of the site;
3) when crawling pages, a learning mode is provided; in learning mode, the start page links for crawling are determined automatically from a small number of access requests.
Further, before the fan-in and/or fan-out coefficients are computed for all the link information, the crawled page link records are deduplicated and stripped of redundancy to form the minimal complete set.
The system disclosed by the invention is as follows: a WEB backdoor detection system based on a relevance tree, comprising a WEB application service system formed by clients, a gateway proxy and a web server cluster, characterized in that it further comprises a link relevance tree generation module and a real-time attack detection module;
The link relevance tree generation module is used to set the home page link of the WEB site to obtain the crawl entry point of the site, and to crawl all link information of the WEB site from the crawl entry point; to compute the fan-in and/or fan-out coefficients for all the link information and gather the links whose fan-in coefficient Link_in >= 1 or fan-out coefficient Link_out >= 1 into multiple original link sets; to optimize the original link sets to establish tree-shaped link relation sets, obtaining the link relevance tree WTree(links); and to set the links in the link relevance tree WTree(links) as trusted links;
The real-time attack detection module obtains link requests in gateway proxy mode. When an attacker accesses a WEB page in which a WEB backdoor has been implanted, it detects the WEB backdoor by determining whether the backdoor link request is in the link relevance tree, sends a backdoor attack alarm, and blocks the attacking link request.
Further, the link relevance tree generation module uses the links whose fan-in coefficient Link_in = 0 and fan-out coefficient Link_out = 0 to generate the corpse link library B_lib(Links) and to establish corpse link records. The corpse link record table serves as the fast-matching record table for backdoor attacks; during real-time attack detection, requests are matched against it before they are matched against the link relevance tree WTree(links).
The beneficial effects of the present invention are:
The present invention can effectively detect backdoors implanted in a WEB site, improves the security of WEB applications, and addresses WEB backdoor attacks that security products such as antivirus software and firewalls cannot detect or protect against. Compared with the real mesh or graph structure of the URLs, the link relevance tree proposed by the invention is more concise and has no redundancy, so it is more efficient. The detection algorithm is efficient and general-purpose: it is independent of the type of WEB server and of the WEB programming language, requires no software to be installed on the WEB server, and does not change users' habits.
Description of the drawings
Fig. 1 is a flowchart of the method for generating the WEB link relevance tree of a website in an embodiment of the relevance-tree-based WEB backdoor detection method of the present invention.
Fig. 2 is a flowchart of the online WEB backdoor detection method carried out by the detection system in an embodiment of the relevance-tree-based WEB backdoor detection system of the present invention.
Detailed description
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. It will be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
Fig. 1 shows the flowchart of the method for generating the WEB link relevance tree of a website in an embodiment of the relevance-tree-based WEB backdoor detection method of the present invention. When an attacker accesses the WEB backdoor page it has implanted, the system quickly looks up the backdoor URL request. When the request is found not to be in the link relevance tree, and continuing to send the request to the server confirms that it is not simply a mistyped URL, the security monitoring module of the system raises an alarm and blocks the attack request, thereby intercepting attacks that use the WEB backdoor.
In a WEB application service system formed by clients, a gateway proxy and a web server cluster, the system of the present invention mainly adds two components: a link relevance tree generation module and a real-time attack detection module.
The link relevance tree generation module uses methods such as web crawling and access records to capture all link information of the WEB application system and to form sets of link relations such as mutual references and jumps. The link relation sets form the link relevance tree, which serves as the database of all legitimate links of the WEB application.
The information on all URLs of the WEB site and their mutual links can be obtained as follows:
By default, the link relevance tree generation module starts crawling links from the home page of the WEB site; the home page and subsystem home pages can also be entered manually. When crawling page links, the module can traverse all links of the site using either a depth-first algorithm or a breadth-first algorithm.
Alternatively, besides starting from the home page by default or from manually entered start pages, the link relevance tree generation module also provides a learning mode when crawling pages; in learning mode, the start page links for crawling are determined automatically from a small number of access requests.
The fan-in and fan-out coefficients are computed for the URLs obtained:
Before generating the link relevance tree, the link relevance tree generation module gathers the isolated corpse links, that is, the links whose fan-in coefficient Link_in = 0 and fan-out coefficient Link_out = 0, into the corpse link fast-matching library B_lib(Links), which is stored inside the cloud system and also stored locally for local use.
The link relevance tree generation module deduplicates the crawled page link records and strips redundancy to form the minimal complete set. According to the fan-in and fan-out relations, the link records whose fan-in coefficient Link_in >= 1 or fan-out coefficient Link_out >= 1 are built into tree-shaped link relation sets, and one or more link relation sets combine to form the link relevance tree WTree(links).
The link relevance tree of the present invention can be optimized as follows:
The link relevance tree generation module reduces the complex graph-shaped or mesh-shaped associations among the associated links obtained to tree-type link relations, in order to improve storage and query efficiency.
In addition, storage is optimized for each node in the link relevance tree WTree(links) to improve query matching efficiency: a red-black tree or binary search tree algorithm is used to optimize the storage structure, and leaf nodes at the same level are stored in a hash table.
The link relevance tree generation module obtains WEB access request records from the real-time attack detection module; updates of the link relevance tree WTree(links) can be triggered periodically or manually.
By adjusting a threshold N, tree-shaped link sets in the link relevance tree WTree(links) whose node count M<N are excluded from the trusted range, in order to identify backdoor links that have only a small number of mutual links.
The method for generating the corpse link fast-matching library is as follows:
The real-time attack detection module obtains the access request links of clients in gateway proxy mode, and efficiently matches each record against the corpse link fast-matching library B_lib(Links) and the link relevance tree WTree(links).
Generation of the corpse link fast-matching library can be optimized as follows:
When the real-time attack detection module receives the corpse link fast-matching library B_lib(Links) submitted by the link relevance tree generation module, it first treats these corpse links as suspicious backdoor links and sends a security alarm; until the WEB system administrator has reviewed them, they are all closed by default.
In addition, the real-time attack detection module uses the corpse link record library B_lib(Links) as the fast-matching library for backdoor attacks: when an access request is received from a client, the corpse link fast-matching library B_lib(Links) is queried first, before the request is matched against the link relevance tree WTree(links).
When a client's access request does not match the corpse link fast-matching library B_lib(Links), the real-time attack detection module efficiently matches the request against the link relevance tree: if the lookup hits a record, the request is a legitimate link request and the gateway lets it through; if the lookup misses, the real-time attack detection module sends a backdoor attack alarm and blocks the link request according to the pre-established security policy.
When the real-time attack detection module sends a backdoor attack alarm, the WEB application administrator can review it manually and manually amend a particular link: the link is set as a trusted link and can be added to the link relevance tree WTree(links), making it permanently trusted; alternatively, an access control policy for such links can be set according to attributes such as IP address range and time period.
The method specifically comprises the following steps:
Step 1: set or learn the home page link of the website.
a) By default, crawling of links starts from the home page of the WEB site;
b) The home page and subsystem home pages can also be entered manually. A subsystem home page belongs to an independent system that is not linked from the main site home page, so the home page of that subsystem must be entered;
c) The system can also learn by itself: by analysing the access log of the website, it finds the home page of the site, that is, the page on which links converge.
Step 2: obtain the crawl entry point of the website, capture all link information of the WEB application system, and form the raw link relation information such as mutual references and jumps.
Step 3: deduplicate the crawled page link records and strip redundancy to form the minimal complete set, and at the same time compute the fan-in and fan-out coefficients. The fan-in coefficient is the number of times other pages call this page; the fan-out coefficient is the number of times this page calls other pages. If the fan-in coefficient Link_in >= 1 or the fan-out coefficient Link_out >= 1, go to step 5; otherwise, go to step 4.
Step 4: the links whose fan-in coefficient Link_in = 0 and fan-out coefficient Link_out = 0, that is, the isolated corpse links, are gathered into the corpse link fast-matching library B_lib(Links) and submitted to the real-time attack detection module. When the real-time attack detection module receives the corpse link fast-matching library B_lib(Links) submitted by the link relevance tree generation module, it first treats these corpse links as suspicious backdoor links and sends a security alarm; until the WEB system administrator has reviewed them, they are all closed by default. Exit.
Step 5: the link records whose fan-in coefficient Link_in >= 1 or fan-out coefficient Link_out >= 1 are gathered into multiple link sets.
Step 6: the link relevance tree generation module reduces the complex graph-shaped or mesh-shaped associations among the associated links obtained to tree-type link relations. In addition, for each node in the tree, a red-black tree or binary search tree algorithm is used to optimize the storage structure, and leaf nodes at the same level are stored in a hash table.
Step 7: after storage has been optimized, the tree-shaped link relation sets are established, and one or more link relation sets combine to form the link relevance tree WTree(links). By adjusting a threshold N, tree-shaped link sets in WTree(links) whose node count M<N are excluded from the trusted range, in order to identify backdoor links that have only a small number of mutual links. Updates of the link relevance tree WTree(links) can be triggered periodically or manually.
Fig. 2 shows the flowchart of the online WEB backdoor detection method carried out by the detection system in an embodiment of the relevance-tree-based WEB backdoor detection system of the present invention. It comprises the following steps:
Step 1: the real-time attack detection module obtains the access request link of the client in gateway proxy mode.
Step 2: the real-time attack detection module efficiently matches the access request link record against the corpse link fast-matching library B_lib(Links). If a record is hit, go to step 5; otherwise, go to step 3.
Step 3: when the client's access request does not match the corpse link fast-matching library B_lib(Links), the real-time attack detection module efficiently matches the request against the link relevance tree: if the lookup hits a record, go to step 4; otherwise, go to step 5.
Step 4: the request is a legitimate link request; the gateway lets the request through to the web server, which responds to the request and returns the response to the client.
Step 5: the real-time attack detection module has detected that the link request is a backdoor access request; according to the pre-established security policy, it sends a security alarm and blocks the backdoor request. After the real-time attack detection module sends the backdoor attack alarm, the WEB application administrator can review it manually and manually amend a particular link: the link is set as a trusted link and can be added to the link relevance tree WTree(links), making it permanently trusted; alternatively, an access control policy for such links can be set according to attributes such as IP address range and time period.
Step 6: wait for the next client access request.
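The generation steps of Fig. 1 and the detection steps of Fig. 2, together with the 404 handling described in the summary, can be followed in this added Python example, which is not part of the patent text. The function names, the sample URLs, the path-only URL normalization, the `origin_status` callback, N = 3, and the use of a breadth-first walk to reduce each link set to a tree are assumptions; a Python dict stands in for the red-black tree and hash table storage.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed sample data: (source, target) link records from a crawl, and every
# page seen by the crawler or in the access records.
EDGES = {
    ("/", "/news.php"), ("/", "/login.php"),
    ("/news.php", "/article.php"), ("/article.php", "/news.php"),
    ("/news.php", "/login.php"), ("/login.php", "/account.php"),
    ("/uploads/a.php", "/uploads/b.php"), ("/uploads/b.php", "/uploads/a.php"),
}
PAGES = {p for edge in EDGES for p in edge} | {"/images/x.php"}


def normalize(url):
    """Key a request by its path only (assumption: query strings are ignored)."""
    return urlsplit(url).path or "/"


def build_model(edges, pages, home="/", n=3):
    """Return (parent, b_lib): WTree(links) as a child -> parent map, and B_lib(Links)."""
    fan_in, fan_out = defaultdict(int), defaultdict(int)
    neighbours = defaultdict(set)
    for src, dst in set(edges):              # set() drops duplicate link records
        fan_out[src] += 1
        fan_in[dst] += 1
        neighbours[src].add(dst)
        neighbours[dst].add(src)

    # Link_in = 0 and Link_out = 0: isolated pages form the corpse link library.
    b_lib = {p for p in pages if fan_in[p] == 0 and fan_out[p] == 0}

    parent, seen = {}, set()
    linked = sorted(set(pages) - b_lib)
    # The home page is visited first so that it becomes the root of its link set.
    for start in sorted(linked, key=lambda p: p != home):
        if start in seen:
            continue
        # Breadth-first walk: gathers one link set and keeps a single parent per
        # page, which reduces the graph-shaped associations to a tree.
        subtree, queue = {start: None}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in sorted(neighbours[node]):
                if nxt not in subtree:
                    subtree[nxt] = node
                    queue.append(nxt)
        seen.update(subtree)
        if len(subtree) >= n:                # link sets with M < N are not trusted
            parent.update(subtree)
    return parent, b_lib


def decide(url, parent, b_lib, origin_status):
    """Gateway decision for one request.

    origin_status is a hypothetical callback returning the HTTP status that the
    web server gives for a path.
    """
    path = normalize(url)
    if path in b_lib:                        # B_lib is consulted before the tree
        return "block+alert"
    if path in parent:                       # hit in WTree(links): legitimate
        return "allow"
    if origin_status(path) == 404:           # mistyped URL: relay the error
        return "return-404"
    return "block+alert"                     # page exists but is not in the tree


if __name__ == "__main__":
    tree, corpse = build_model(EDGES, PAGES)
    status = lambda p: 200 if p in PAGES else 404
    for request in ("/news.php?id=7", "/images/x.php", "/uploads/a.php", "/typo.php"):
        print(request, "->", decide(request, tree, corpse, status))
```

In the sample data, the two pages under `/uploads/` link only to each other, so they form a link set with M = 2 that the threshold N = 3 keeps out of the trusted range.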
The specific embodiments of the present invention described above are intended to aid understanding of how the invention is used and do not limit its scope of protection. Any modification, variation, equivalent replacement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the claims of the present invention.

Claims (10)

1. A WEB backdoor detection method based on a relevance tree, whose steps comprise:
1) setting the home page link of the WEB site to obtain the crawl entry point of the site, and crawling all link information of the WEB site from the crawl entry point;
2) computing the fan-in and/or fan-out coefficients for all the link information, and gathering the links whose fan-in coefficient Link_in >= 1 or fan-out coefficient Link_out >= 1 into multiple original link sets;
3) optimizing the original link sets to establish tree-shaped link relation sets, obtaining the link relevance tree WTree(links);
4) setting the links in the link relevance tree WTree(links) as trusted links;
5) when an attacker accesses a WEB page in which a WEB backdoor has been implanted, detecting the WEB backdoor by determining whether the backdoor link request is in the link relevance tree.
2. The WEB backdoor detection method based on a relevance tree according to claim 1, characterized in that the links whose fan-in coefficient Link_in = 0 and fan-out coefficient Link_out = 0 are used to generate the corpse link library B_lib(Links) and to establish corpse link records; the corpse link record table serves as the fast-matching record table for backdoor attacks, and during real-time attack detection requests are matched against it before they are matched against the link relevance tree WTree(links).
3. The WEB backdoor detection method based on a relevance tree according to claim 2, characterized in that, during real-time attack detection, the corpse links are first treated as suspicious backdoors and a security alarm is sent; until the WEB system administrator has reviewed them, they are all closed by default; when a backdoor attack alarm is received, the WEB application administrator can review it manually and manually amend a particular link, the link being set as a trusted link and added to the link relevance tree WTree(links), or an access control policy for the link being set according to attributes such as IP address range and time period.
4. The WEB backdoor detection method based on a relevance tree according to either of claims 1 or 2, characterized in that,
when a user sends a page link request, the WEB application proxy gateway intercepts the link request and performs a fast lookup in the link relevance tree WTree(links):
If the lookup hits a record, the request is a legitimate link request; the gateway lets the request through, and the WEB server's response to the request is fed back directly to the client;
If the lookup misses, the gateway, acting as a proxy for the client, continues to send the request to the WEB server:
If the requested link exists on the WEB server and an existing page is returned, a backdoor attack alarm is sent and the link request is blocked according to the pre-established security policy;
If the requested link returns a 404 "not found" error code on the WEB server, the gateway returns the error response directly to the client.
5. The WEB backdoor detection method based on a relevance tree according to either of claims 1 or 2, characterized in that the method of optimizing the original link sets to establish the tree-shaped link relation sets is as follows:
1) the complex graph-shaped or mesh-shaped associations in the original link sets are optimized and reduced to tree-type link relations;
2) for each node in the link relevance tree WTree(links), the storage structure is optimized using a red-black tree or binary search tree algorithm;
3) leaf nodes at the same level are stored in a hash table.
6. The WEB backdoor detection method based on a relevance tree according to either of claims 1 or 2, characterized in that, by adjusting a threshold N, tree-shaped link sets in the link relevance tree WTree(links) whose node count M<N are excluded from the trusted range, in order to identify backdoor links that have only a small number of mutual links.
7. The WEB backdoor detection method based on a relevance tree according to either of claims 1 or 2, characterized in that the method of crawling all link information of the WEB site from the crawl entry point is:
1) crawling starts from the home page of the WEB site, or the home page and subsystem home pages are entered manually;
2) when crawling page links, a breadth-first or depth-first algorithm is used to traverse all links of the site;
3) when crawling pages, a learning mode is provided; in learning mode, the start page links for crawling are determined automatically from a small number of access requests.
8. The WEB backdoor detection method based on a relevance tree according to either of claims 1 or 2, characterized in that, before the fan-in and/or fan-out coefficients are computed for all the link information, the crawled page link records are deduplicated and stripped of redundancy to form the minimal complete set.
9. A WEB backdoor detection system based on a relevance tree, comprising a WEB application service system formed by clients, a gateway proxy and a web server cluster, characterized in that it further comprises a link relevance tree generation module and a real-time attack detection module;
The link relevance tree generation module is used to set the home page link of the WEB site to obtain the crawl entry point of the site, and to crawl all link information of the WEB site from the crawl entry point; to compute the fan-in and/or fan-out coefficients for all the link information and gather the links whose fan-in coefficient Link_in >= 1 or fan-out coefficient Link_out >= 1 into multiple original link sets; to optimize the original link sets to establish tree-shaped link relation sets, obtaining the link relevance tree WTree(links); and to set the links in the link relevance tree WTree(links) as trusted links;
The real-time attack detection module obtains link requests in gateway proxy mode; when an attacker accesses a WEB page in which a WEB backdoor has been implanted, it detects the WEB backdoor by determining whether the backdoor link request is in the link relevance tree, sends a backdoor attack alarm, and blocks the attacking link request.
10. The WEB backdoor detection system based on a relevance tree according to claim 9, characterized in that the link relevance tree generation module uses the links whose fan-in coefficient Link_in = 0 and fan-out coefficient Link_out = 0 to generate the corpse link library B_lib(Links) and to establish corpse link records; the corpse link record table serves as the fast-matching record table for backdoor attacks, and during real-time attack detection requests are matched against it before they are matched against the link relevance tree WTree(links).
CN201310517193.3A 2013-10-28 2013-10-28 WEB backdoor detection method and system based on relevance tree Active CN103561012B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310517193.3A CN103561012B (en) 2013-10-28 2013-10-28 WEB backdoor detection method and system based on relevance tree

Publications (2)

Publication Number Publication Date
CN103561012A true CN103561012A (en) 2014-02-05
CN103561012B CN103561012B (en) 2017-01-25

Family

ID=50015162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310517193.3A Active CN103561012B (en) 2013-10-28 2013-10-28 WEB backdoor detection method and system based on relevance tree

Country Status (1)

Country Link
CN (1) CN103561012B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090320131A1 (en) * 2008-06-18 2009-12-24 Chiung-Ying Huang Method and System for Preventing Malicious Communication
CN101771582A (en) * 2009-12-28 2010-07-07 北京神州泰岳软件股份有限公司 Safety monitoring correlation analysis method based on state machine
CN102647421A (en) * 2012-04-09 2012-08-22 北京百度网讯科技有限公司 Web back door detection method and device based on behavioral characteristics
US8341744B1 (en) * 2006-12-29 2012-12-25 Symantec Corporation Real-time behavioral blocking of overlay-type identity stealers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
胡建康,徐震,马多贺,杨婧: "《基于决策树的Webshell检测方法研究》", 《网络新媒体技术》, vol. 1, no. 6, 30 November 2012 (2012-11-30), pages 15 - 19 *

Also Published As

Publication number Publication date
CN103561012B (en) 2017-01-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant