CN104580203A - Website malicious program detection method and device - Google Patents


Info

Publication number
CN104580203A
Authority
CN
China
Prior art keywords
malicious code
code
doubtful
website
web page
Prior art date
Legal status
Pending
Application number
CN201410856928.XA
Other languages
Chinese (zh)
Inventor
李纪峰
Current Assignee
Beijing Qianxin Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention relates to a website malicious program detection method and device. The method includes the steps that a webpage file of a target website is obtained; source codes in the webpage file are detected according to a malicious program feature library, and suspected malicious codes in the webpage file are recognized; the suspected malicious codes and/or the webpage file are transmitted to a preset server, and then the preset server can judge whether the suspected malicious codes are malicious codes or not; a judgment result of the suspected malicious codes fed back by the preset server is obtained. According to the technical scheme, the malicious codes existing in the target website can be detected quickly and accurately, therefore the possibility that the website is maliciously attacked can be reduced, and the safety of the website can be improved.

Description

Website malicious program detection method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a website malicious program detection method, a website malicious program detection device, a website malicious code judgment method and a website malicious code judgment device.
Background art
With networks growing ever more widespread, network security has become a focus for every website and every user. Existing network security detection techniques are generally aimed at user terminals, that is, at the safety detection of personal devices such as PCs, tablets, smartphones and smart TVs, and the objects detected are generally only the files on the device.
Although these detection techniques give user terminals a certain degree of protection, the security risks present on a website itself cannot be detected. Besides attacking user terminals, hackers also attack the servers of websites, chiefly by implanting malicious code into the website's web page files, for example by implanting a backdoor program, or by using malicious code to steal the entry point of an existing backdoor program. The backdoor then bypasses the website's security controls and grants access to the website's data, posing a major security risk to the website's visitors and even to its administrator.
Summary of the invention
The technical problem solved by the invention is how to detect whether malicious code exists in the web page files of a website, so that the website administrator can be prompted to take appropriate action and the security of the website is ensured.
To this end, the invention proposes a website malicious program detection method, comprising:
obtaining the web page files of a target website;
detecting the source code in the web page files according to a malicious program feature library, and identifying suspected malicious code in the web page files;
transmitting the suspected malicious code and/or the web page files to a preset server, so that the preset server judges whether the suspected malicious code is malicious code;
obtaining the judgment result for the suspected malicious code returned by the preset server.
Preferably, the method further comprises:
generating prompt information according to the judgment result, to indicate whether the target website contains web page files in which malicious code exists.
Preferably, if the suspected malicious code is judged to be malicious code, the method further comprises:
adding the malicious code to a whitelist according to a received first instruction, so that malicious code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
adding the malicious code to a blacklist according to a received second instruction, so that code added to the blacklist is identified as malicious code when the source code is detected again.
Preferably, identifying the suspected malicious code in the web page files further comprises:
querying the number of users who have accessed the suspected malicious code and also added it to a whitelist; if that number of users is greater than a preset number, judging the suspected malicious code to be non-malicious code and prompting accordingly.
The invention also proposes a website malicious code judgment method, comprising:
obtaining suspected malicious code to be judged from a terminal and/or suspected malicious code from the web page files of the terminal;
detecting the suspected malicious code with each of multiple engines, and judging whether the suspected malicious code is malicious code according to the detection results of the engines;
sending the judgment result for the suspected malicious code to the terminal.
The invention also proposes a website malicious program detection device, comprising:
a file obtaining unit, for obtaining the web page files of a target website;
a recognition unit, for detecting the source code in the web page files according to a malicious program feature library, and identifying suspected malicious code in the web page files;
a transmission unit, for transmitting the suspected malicious code and/or the web page files to a preset server, so that the preset server detects whether the suspected malicious code is malicious code;
a result acquiring unit, for obtaining the suspected malicious code detection result returned by the preset server.
Preferably, the device further comprises:
a prompt unit, for generating prompt information according to the judgment result, to indicate whether the target website contains web page files in which malicious code exists.
Preferably, the device further comprises:
an adding unit, for, when the suspected malicious code is malicious code, adding the malicious code to a whitelist according to a received first instruction, so that code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
when the suspected malicious code is malicious code, adding the malicious code to a blacklist according to a received second instruction, so that code added to the blacklist is identified as malicious code when the source code is detected again.
Preferably, the device further comprises:
a query unit, for querying the number of times the suspected malicious code has been accessed by a specific user and, if that number of times is greater than a preset number of times, judging the suspected malicious code to be non-malicious code and prompting accordingly.
The invention further proposes a website malicious code judgment device, comprising:
a code obtaining unit, for obtaining suspected malicious code to be judged from a terminal and/or suspected malicious code from the web page files of the terminal;
a detecting unit, for detecting the suspected malicious code with each of multiple engines and judging, according to the detection results of the engines, whether the suspected malicious code is malicious code;
a transmitting unit, for sending the judgment result for the suspected malicious code to the terminal.
According to the above technical scheme, at least the following technical effects can be achieved:
1. By the successive detection of suspected malicious code and then of malicious code, whether malicious code exists in the web page files can be detected accurately, and an accurate prompt about the security of the website can be given;
2. Malicious code can be given different marks according to the received instruction, adding it to a whitelist or a blacklist, so that when the source code is detected again the marked code need not be matched again, the type of the code can be determined quickly, and a prompt given;
3. By comprehensive detection of malicious code with multiple engines, whether suspected malicious code is malicious code can be judged more comprehensively and accurately, yielding a more accurate judgment result and prompt.
Brief description of the drawings
The features and advantages of the invention can be clearly understood by reference to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the drawings:
Fig. 1 shows a schematic flow diagram of a website malicious program detection method according to an embodiment of the invention;
Fig. 2 shows a schematic flow diagram of a website malicious code judgment method according to an embodiment of the invention;
Fig. 3 shows a schematic block diagram of a website malicious program detection device according to an embodiment of the invention;
Fig. 4 shows a schematic block diagram of a website malicious code judgment device according to an embodiment of the invention;
Fig. 5 shows a schematic diagram of the interaction between the website malicious program detection device and the website malicious code judgment device according to an embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the drawings, where the same or similar reference numerals denote, throughout, the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should be further understood that the word "comprises" as used in the specification of the invention means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes all of the listed associated items, any one of them, and all combinations of them.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the field to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined here, are not to be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used here include both devices that have only a wireless signal receiver and no transmitting capability, and devices with receiving and transmitting hardware that can perform two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, with a single-line display, a multi-line display or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, a pager, Internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. "Terminal" and "terminal device" as used here may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to operate locally and/or, in distributed form, at any other location on earth and/or in space. "Terminal" and "terminal device" as used here may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart TV or a set-top box.
Those skilled in the art will understand that the concepts of server, cloud and remote network device used here are equivalent in effect, and include but are not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here, a cloud is formed by a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual machine made up of a set of loosely coupled computers. In embodiments of the invention, the remote network device, the terminal device and the WNS server can communicate by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WiMAX, computer network communication based on TCP/IP or UDP, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Those skilled in the art should understand that the concepts "application", "application program", "application software" and similar expressions used in the invention are the same concept known to those skilled in the art, namely computer software suitable for electronic execution, organically composed of a series of computer instructions and related data resources. Unless specified, this designation is not limited by the kind or level of programming language, nor by the operating system or platform on which it runs. Naturally, this concept is also not limited by any kind of terminal.
As shown in Fig. 1, a website malicious program detection method according to an embodiment of the invention comprises:
S1, obtaining the web page files of a target website;
The obtaining operation can be completed by a user (such as a website administrator) through a graphical user interface. Besides letting the user specify the target website, the graphical user interface can also offer the specific web page files of that website to be detected, so that the user can select the corresponding website and the specific web page files as needed; further, it can offer specific detection regions, detection positions, detection paths and so on. For example, the user can specify through the graphical user interface that all files on the server of the target website are to be detected, that only the files in a backup region are to be detected, or that only a certain file is to be detected, so that detection is targeted.
S2, detecting the source code in the web page files according to a malicious program feature library, and identifying suspected malicious code in the web page files;
Malicious code is added mainly to the source code of web page files. For example, when a hacker implants a backdoor into a website (of course, malicious code is not limited to backdoors; it can also be computer viruses such as trojans), he uses deception, sending an email or a file to the website administrator; when the administrator opens or runs the email or file, a program in it modifies the source code of the web page files, thereby creating a backdoor on the server of the website.
To detect the source code of the web page files, malicious program templates can be extracted from the malicious program feature library and matched against the source code in the web page files; code whose matching degree is greater than a preset matching value is judged to be suspected malicious code.
S3, transmitting the suspected malicious code and/or the web page files to a preset server, so that the preset server judges whether the suspected malicious code is malicious code;
Preferably, the preset server can be a cloud server, whose computing power is relatively strong and which can contain multiple engines for detecting suspected malicious code; this reduces the computational load on the website's own server on the one hand, and improves the accuracy of the malicious code judgment on the other.
Besides judging whether suspected malicious code is malicious code, the preset server can also detect the received web page files directly and identify the suspected malicious code in them, thereby performing the whole malicious code judgment itself and further reducing the computational load on the website's server.
S4, obtaining the judgment result for the suspected malicious code returned by the preset server.
Preferably, besides returning the judgment result, corresponding prompt information can also be generated and returned.
Preferably, the method further comprises:
generating prompt information according to the judgment result, to indicate whether the target website contains web page files in which malicious code exists.
The prompt information is related to the judgment result. For example, if malicious code is judged to exist in several places in the web page files, the prompt states that malicious code exists and that the safety factor is very low, and indicates the malicious code; if malicious code is judged to exist in one place in the web page files, the prompt states that malicious code exists and that the safety factor is rather low, and indicates the malicious code. Of course, besides the above content, the prompt information can also contain other content, for example the exact number of malicious code instances and the specific content of the malicious code.
Preferably, if the suspected malicious code is judged to be malicious code, the method further comprises:
adding the malicious code to a whitelist according to a received first instruction, so that code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
adding the malicious code to a blacklist according to a received second instruction, so that code added to the blacklist is identified as malicious code when the source code is detected again.
As an example, malicious code includes but is not limited to backdoor programs, and backdoor programs fall mainly into two kinds: one is introduced by the website administrator during website development, and lets the administrator test the website or fix defects in the program through these backdoors (hereinafter the first backdoor program); the other is implanted into the website by an attacker through a backdoor (hereinafter the second backdoor program).
The two kinds of backdoor program are essentially indistinguishable in the detection process, so both are judged to be malicious code. But for the first backdoor program, since it was introduced by the administrator, the administrator can recognize it when the malicious code prompt is given and add it to the whitelist; when the web page source code is detected again, the backdoor program introduced by the administrator is found to be code on the whitelist and is skipped directly, without further detection. For the second backdoor program, the administrator can add it to the blacklist when the malicious code prompt is given; when the web page source code is detected again, the malicious backdoor program is found to be code on the blacklist and is prompted directly, without further detection.
These two marking operations reduce repeated detection of the web page file source code, thereby reducing resource consumption, and allow the type of malicious code in the web page files to be judged quickly, for fast and accurate prompting.
Preferably, identifying the suspected malicious code in the web page files further comprises:
querying the number of users who have accessed the suspected malicious code and also added it to a whitelist; if that number of users is greater than a preset number, judging the suspected malicious code to be non-malicious code and prompting accordingly.
When more than the preset number of users have added a piece of suspected malicious code to their whitelists, it can be preliminarily judged that the confidence in this suspected malicious code is higher, and it is prompted to the administrator as non-malicious code for specific discrimination, which reduces the uploads to the preset server for further detection and improves the detection efficiency for suspected malicious code.
Preferably, when a section of suspected malicious code has been accessed by the administrator more than a preset number of times, it can be preliminarily judged to have been introduced by the administrator for testing or for fixing defects in the program, and the preliminary judgment result is prompted, which reduces the uploads to the preset server for further detection and improves the detection efficiency for suspected malicious code.
Further, the invention also proposes a malicious program deletion method, which can effectively delete detected malicious programs. For a malicious program present in a web page picture, for example, the picture in the web page file can be obtained and checked for an embedded malicious program; if a malicious program exists in the picture, its position in the picture is obtained and the malicious program is replaced with filler characters. Thus, malicious programs in the website's pictures are detected in time and handled effectively, which not only reduces the probability of harm to the website but also raises the website's security level.
For better understanding and application of the above deletion method, the invention takes the detection and removal of malicious programs in JPEG-format pictures in web pages as a specific example, but the invention is not limited to the following example.
The JPEG image vulnerability mainly concerns a file in the operating system named GdiPlus.dll. Because a great deal of software calls this dynamic link library to process JPEG pictures, the vulnerability affects a very wide range of software, for example Windows XP SP1, MS Office and QQ2004. An intruder can insert a malicious program into a picture by means of this vulnerability, so that a system with the vulnerability unconditionally runs the malicious program in the picture and the affected system is thereby controlled.
From the principle of the JPEG image vulnerability described above, it can be seen that intruders have a lot of room for intrusion techniques. For example, an intruder can insert malicious programs such as trojan backdoors into a picture, so that the malicious program runs silently while the viewer opens the picture; or insert some third-party link program into the picture, so that the modified picture is set up like a trojan server and connecting to the picture connects to the backdoor or other malicious program.
Specifically, malicious programs such as trojan backdoors are inserted into a picture, so that as soon as a viewer opens a web page, email or the like containing the picture, the picture is opened automatically and the trojan backdoor or other malicious program runs at the same time; this is the most typical way of exploiting the vulnerability. For example, a tool called JPEG Downloader can insert a trojan file or other malicious program into a designated picture file: after opening it, the download address of the trojan or other malicious program to be inserted is filled into the Downloader file field, and after double-clicking the "make" button a picture file is generated in the same directory, which now contains the trojan or other malicious program code.
Further, the above picture file looks the same as an ordinary picture file on the surface, but once it is opened, the previously specified trojan or other malicious program is downloaded and run automatically; the only surface difference is that, unlike a normal picture, it does not display normally but is shown in a way that includes but is not limited to a red "X".
Further, because the JPEG image vulnerability mainly concerns the GdiPlus.dll file in the operating system, and a great deal of software calls this dynamic link library to process JPEG pictures, the vulnerability affects a very wide range of software. For the removal of backdoors and other malicious programs targeting the JPEG image vulnerability, the invention therefore proposes a website protection method.
Specifically, the website's web access log files are recorded through a CDN (Content Delivery Network) and analyzed; each item of log data in the website's log files is identified and further analyzed. The website's log data comprises information such as host, time, IP address, URL (Uniform Resource Locator) and web page parameters; the web page parameters can be extracted from the log data and detected, to obtain the web page files.
Further, the web page files are compared with the web page files prestored in a database. Specifically, the visiting frequency of each web page on the website is counted, that is, the page view (PV) volume over a period of time, and web page files whose visiting frequency is lower than a preset visiting-frequency threshold are identified as suspicious web page files, where the visiting-frequency abnormality weight is inversely proportional to the visiting frequency of the web page file: the lower the visiting frequency, the greater the visiting-frequency abnormality weight, and conversely the higher the visiting frequency, the smaller the weight; and/or the number of access sources of each web page on the website is counted, and web page files whose number of access sources is lower than a preset access-source-count threshold are identified as suspicious web page files, where the access-source abnormality weight is inversely proportional to the number of access sources of the web page file: the fewer the access sources, the greater the access-source abnormality weight, and conversely the more the access sources, the smaller the weight; and/or the visit volume of each web page on the website is counted per time period, web page files for which the number of periods in which the per-period visit volume exceeds the preset per-period request threshold is greater than a specified number are identified as suspicious files, and the per-period access abnormality weight of the suspicious web page file is computed.
For example, the web page log is analyzed over a certain time span, such as by day. The visit volume of ordinary files generally has a clear regularity and peak periods: if accessed by users, visits rise and fall gradually over time; if accessed automatically by machines, the file is accessed at fixed time points; only the accesses to backdoor files, trojans, viruses and other malicious programs are disorderly. Therefore, detection can be done by counting visit volume per time period: per-period thresholds are set according to the actual application, and web page files for which the number of periods in which the per-period visit volume exceeds the per-period threshold is greater than a specified number can be identified as suspicious web page files. For example, the day is divided into 12 periods, a different per-period threshold is set for each period, and it is specified that the number of periods exceeding the threshold should be less than 3; when a web page file's visit volume exceeds the corresponding period's threshold in more than 3 periods, the web page is identified as a suspicious web page.
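The three per-page log checks described above (visiting frequency, access-source count, per-period bursts), run over constructed CDN log lines, as an added example that is not the patent's own code. It assumes (none of this is from the patent) a constructed space-separated "host time ip url params" log format, a day split into 12 two-hour periods, and abnormality weights of 1/(1+count) for the two inverse-proportion checks and (periods exceeded)/12 for the per-period check.

```python
"""Added example, not the patent's own code: the three per-page log checks
(visiting frequency, access-source count, per-period bursts) over constructed
CDN log lines.

Assumptions not taken from the patent: the log format is a constructed
space-separated "host time ip url params"; the day is split into 12 two-hour
periods; the abnormality weights are 1/(1+count) for the two inverse-proportion
checks and (periods exceeded)/12 for the per-period check.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PERIODS = 12
HOURS_PER_PERIOD = 24 // PERIODS
# Constructed per-period request thresholds, one per two-hour period.
PERIOD_THRESHOLDS = [1] * PERIODS

# Constructed log: a normal page, a rarely visited page, and a file hit in
# bursts by a single source in four different periods.
CONSTRUCTED_LOG = """\
www.example.test 2014-12-29T01:10:02 203.0.113.5 /index.html -
www.example.test 2014-12-29T07:22:41 203.0.113.6 /index.html -
www.example.test 2014-12-29T11:05:13 198.51.100.7 /index.html -
www.example.test 2014-12-29T15:48:09 198.51.100.8 /index.html -
www.example.test 2014-12-29T20:30:55 192.0.2.9 /index.html -
www.example.test 2014-12-29T09:00:00 192.0.2.10 /about.html -
www.example.test 2014-12-29T00:05:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T00:06:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T03:05:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T03:06:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T13:05:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T13:06:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T22:05:00 192.0.2.44 /upload/x.jpg -
www.example.test 2014-12-29T22:06:00 192.0.2.44 /upload/x.jpg -
"""


@dataclass
class PageStats:
    pv: int = 0                                      # page views over the whole log
    sources: Set[str] = field(default_factory=set)   # distinct access sources (IPs)
    per_period: List[int] = field(default_factory=lambda: [0] * PERIODS)


def parse_line(line: str) -> Tuple[str, int, str, str, str]:
    """host, hour of day, ip, url, params from one constructed log line."""
    host, ts, ip, url, params = line.split()
    return host, int(ts[11:13]), ip, url, params


def collect(log: str) -> Dict[str, PageStats]:
    """Aggregate the log into per-URL statistics."""
    stats: Dict[str, PageStats] = defaultdict(PageStats)
    for line in log.splitlines():
        if not line.strip():
            continue
        _, hour, ip, url, _ = parse_line(line)
        s = stats[url]
        s.pv += 1
        s.sources.add(ip)
        s.per_period[hour // HOURS_PER_PERIOD] += 1
    return dict(stats)


def inverse_weight(count: int) -> float:
    """Abnormality weight that falls as the count rises (one inverse-proportion choice)."""
    return 1.0 / (1 + count)


def analyse(stats: Dict[str, PageStats], pv_threshold: int = 3,
            source_threshold: int = 2, max_exceeding: int = 3
            ) -> Dict[str, List[Tuple[str, float]]]:
    """Return url -> list of (reason, abnormality weight) for suspicious files."""
    findings: Dict[str, List[Tuple[str, float]]] = {}
    for url, s in stats.items():
        reasons: List[Tuple[str, float]] = []
        if s.pv < pv_threshold:
            reasons.append(("low-frequency", inverse_weight(s.pv)))
        if len(s.sources) < source_threshold:
            reasons.append(("few-sources", inverse_weight(len(s.sources))))
        exceeding = sum(1 for c, t in zip(s.per_period, PERIOD_THRESHOLDS) if c > t)
        # The text's rule: more than the allowed number of periods over threshold.
        if exceeding > max_exceeding:
            reasons.append(("period-bursts", exceeding / PERIODS))
        if reasons:
            findings[url] = reasons
    return findings
```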
Further, the suspicious web page files are compared with the web page files prestored in the database, and if a picture in a web page file differs from the prestored one, that picture is obtained from the page. Only changed pictures therefore need to be fetched, which improves the efficiency and accuracy of obtaining pictures from web page files.
Further, it is detected whether a malicious program is embedded in the picture. Specifically, a malicious-program rule base is loaded and the picture is matched against the rules in the rule base, which improves the accuracy with which malicious programs embedded in pictures are found.
Further, the attribute information of the pictures in the web page is obtained; the attribute anomaly degree of each picture is determined from the picture creation time and/or the picture permissions in the attribute information; and a picture whose attribute anomaly degree exceeds a preset anomaly-degree threshold is judged to have a malicious program embedded in it.
Further, determining the attribute anomaly degree of a picture from its creation time and/or permissions further comprises determining the anomaly degree from the creation time as follows: the dispersion between the creation time of the picture and the creation times of the other pictures in the web page is calculated, pictures whose time dispersion exceeds a preset dispersion threshold are identified, and a creation-time anomaly weight is assigned to them. The time dispersion can be calculated, among other ways, as follows:
Obtain the creation times of all pictures in the same directory, sort them chronologically, and calculate the time dispersion of each picture. The dispersion can be computed with statistics such as the range, distance inequality, sum of squares, variance or standard deviation, which gives flexibility and accuracy in how the dispersion is obtained. With the range method, for example:
Time dispersion of the current picture = creation time of the current picture - creation time of the earliest-created picture in the same directory. For example, if the current picture was created at 10:30 on some day and the earliest-created picture in the same directory at 10:28 on the same day, the time dispersion of the current picture is 2 minutes.
Whether the time dispersion of each picture exceeds the preset dispersion threshold is then checked, pictures whose dispersion exceeds the threshold are identified, and a creation-time anomaly weight is assigned to them. For example, with a preset dispersion threshold of 5, the current picture in the above example is considered normal; a picture whose dispersion exceeded 5 would be considered anomalous.
Further, determining the attribute anomaly degree of a picture from its permissions is done as follows: check whether the picture's permissions are the default permissions, and if not, assign a permission anomaly weight to the picture; the attribute anomaly degree of the picture is then determined from the creation-time anomaly weight and/or the permission anomaly weight. In other words, if the picture's permissions are found not to be the default, a constant is assigned as its permission anomaly weight. For example, under Linux the default permissions of a picture are generally taken to be 0744.
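The creation-time dispersion and permission checks above carried through on a constructed directory listing, as an added example that is not code from the patent. The range method is implemented exactly as the text defines it, and a standard-deviation variant is included as one of the alternative statistics the text lists. The sample files, the weights, the thresholds and the expected mode are assumptions; the expected mode is a parameter because 0744 is the value the text gives, while a picture needs no execute bit and each deployment has its own default.

```python
"""Picture attribute anomaly degree from creation time and permissions.

Added example; not code from the patent.  The range method of the text is
implemented exactly (own creation time minus the earliest in the directory);
the standard-deviation variant is one of the alternatives the text lists.
The sample directory, the weights, the thresholds and the expected mode are
assumptions.
"""
import os
import stat
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class PictureInfo:
    name: str
    created: datetime   # creation time from the picture's attribute information
    mode: int           # permission bits, e.g. 0o744


# Constructed directory listing: a gallery uploaded within a few minutes,
# plus one file that appeared in the night with wide-open permissions.
SAMPLE_DIR = [
    PictureInfo("a.jpg", datetime(2014, 12, 30, 10, 28), 0o744),
    PictureInfo("b.jpg", datetime(2014, 12, 30, 10, 30), 0o744),
    PictureInfo("c.jpg", datetime(2014, 12, 30, 10, 31), 0o744),
    PictureInfo("logo.png", datetime(2014, 12, 30, 10, 31), 0o744),
    PictureInfo("cache.jpg", datetime(2014, 12, 31, 3, 12), 0o777),
]


def dispersion_range(pic, pictures):
    """Range method: minutes between this picture and the earliest one."""
    earliest = min(p.created for p in pictures)
    return (pic.created - earliest).total_seconds() / 60


def dispersion_stddev(pic, pictures):
    """Standard-deviation variant: distance from the mean in standard deviations."""
    times = [p.created.timestamp() for p in pictures]
    sd = pstdev(times)
    return abs(pic.created.timestamp() - mean(times)) / sd if sd else 0.0


def attribute_anomaly(pic, pictures, *, dispersion=dispersion_range,
                      dispersion_threshold=5.0, expected_mode=0o744,
                      time_weight=1.0, perm_weight=1.0):
    """Creation-time weight plus permission weight, as the text combines them."""
    degree = 0.0
    if dispersion(pic, pictures) > dispersion_threshold:
        degree += time_weight
    if stat.S_IMODE(pic.mode) != expected_mode:
        degree += perm_weight       # constant weight for a non-default mode
    return degree


def pictures_with_embedded_code(pictures, anomaly_threshold=1.0, **kwargs):
    """Names of pictures whose anomaly degree exceeds the preset threshold."""
    return [p.name for p in pictures
            if attribute_anomaly(p, pictures, **kwargs) > anomaly_threshold]


def read_directory(path):
    """Build PictureInfo records from a real directory.  Linux exposes no
    portable creation time, so st_mtime is used as the stand-in."""
    out = []
    for name in sorted(os.listdir(path)):
        st = os.stat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode):
            out.append(PictureInfo(name, datetime.fromtimestamp(st.st_mtime), st.st_mode))
    return out


if __name__ == "__main__":
    for p in SAMPLE_DIR:
        print(f"{p.name:10} range={dispersion_range(p, SAMPLE_DIR):7.1f} min "
              f"mode={stat.S_IMODE(p.mode):04o} degree={attribute_anomaly(p, SAMPLE_DIR)}")
    print("flagged:", pictures_with_embedded_code(SAMPLE_DIR))
```

With the text's threshold of 5, b.jpg has a dispersion of 2 minutes and degree 0, while cache.jpg collects both weights (degree 2) and is the only file above the anomaly threshold of 1. The same file stands out under the standard-deviation variant, but note that a z-score among n files can never exceed sqrt(n-1), so that variant needs a threshold chosen with the directory size in mind; the range method has no such ceiling but grows with the age of the gallery.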
Further, if a malicious program is present in the picture, the position of the malicious program within the picture is obtained and the malicious program is replaced with fill characters. The fill characters include safe letters, for example a-z or A-Z, safe digits and/or blank placeholders, which gives a choice of fill characters.
According to the malicious program deletion method proposed by the present invention, the pictures in the web page files are obtained, it is detected whether a malicious program is embedded in each picture, and if so the position of the malicious program in the picture is obtained and it is replaced with fill characters. Malicious programs hidden in the pictures of a website are thus detected in time and handled effectively, which reduces the probability of harm to the website and raises its security level.
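The rule-base match and the fill-character replacement described above, as an added example that is not code from the patent. The rule base (four byte patterns typical of PHP code hidden in image files), the rule names and the JPEG-like sample bytes are constructed for the example; the replacement keeps the file length unchanged so that the offsets of the picture's real segments are not disturbed.

```python
"""Rule-base matching inside a picture and in-place neutralisation.

Added example; not code from the patent.  A small rule base of byte
patterns (assumed rules) is matched against the raw bytes of a picture;
each hit is reported with its position and overwritten with the same
number of fill characters so that the picture's size and the offsets of
its real segments do not change.  The JPEG-like bytes are constructed,
not a real image.
"""
import re

# Assumed rule base: name -> byte pattern.
RULES = {
    "php_open_tag": re.compile(rb"<\?(?:php\b|=)"),
    "eval_call": re.compile(rb"\beval\s*\("),
    "request_superglobal": re.compile(rb"\$_(?:POST|GET|REQUEST)\s*\["),
    "command_exec": re.compile(rb"\b(?:system|passthru|shell_exec|exec)\s*\("),
}

# A minimal JFIF header and end-of-image marker; the payload is appended
# after the image data, so the file still opens as a picture.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + bytes(16) + b"\xff\xd9")
INFECTED_JPEG = CLEAN_JPEG + b"<?php eval($_POST['cmd']); ?>"

SAFE_FILL = {"letter": b"A", "digit": b"0", "blank": b" "}  # the text's fill classes


def find_embedded(data, rules=RULES):
    """Return (rule_name, start, end) for every rule hit, ordered by offset."""
    hits = []
    for name, pattern in rules.items():
        for m in pattern.finditer(data):
            hits.append((name, m.start(), m.end()))
    return sorted(hits, key=lambda h: (h[1], h[2]))


def neutralize(data, fill=b"A", rules=RULES):
    """Overwrite every hit with fill characters of equal length.

    Returns the rewritten bytes and the number of hits replaced.  Each span
    is replaced by exactly as many fill bytes as it covered, so overlapping
    hits are harmless and the output has the same length as the input.
    """
    if len(fill) != 1:
        raise ValueError("fill must be a single byte")
    hits = find_embedded(data, rules)
    out = bytearray(data)
    for _, start, end in reversed(hits):
        out[start:end] = fill * (end - start)
    return bytes(out), len(hits)


if __name__ == "__main__":
    for name, start, end in find_embedded(INFECTED_JPEG):
        print(f"{name:20} at {start}-{end}: {INFECTED_JPEG[start:end]!r}")
    cleaned, n = neutralize(INFECTED_JPEG, SAFE_FILL["letter"])
    print(f"replaced {n} hits; size {len(INFECTED_JPEG)} -> {len(cleaned)}")
    print(cleaned[len(CLEAN_JPEG):])
```

Only the matched tokens are overwritten, so the leftover text ('cmd']); ?>) is inert but still visible, which is useful as evidence when the file is kept for forensics. A rule base that matches raw bytes sees nothing that is encoded (for instance a base64 payload inside an EXIF comment), so this pass is a complement to the attribute checks and the source-code scan, not a substitute for them.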
As shown in Figure 2, a website malicious code judgement method according to an embodiment of the invention comprises:
S1', obtaining suspected malicious code judged by a terminal and/or suspected malicious code from the web page files of the terminal;
S2', detecting the suspected malicious code with multiple engines respectively, and judging whether the suspected malicious code is malicious code according to the detection result of each engine;
S3', sending the suspected-malicious-code judgement result to the terminal.
Because different engines detect suspected malicious code in different ways, their judgements also differ, so the decision results of the engines are combined. For example, take three segments of suspected malicious code:
the first engine's detection results for the three segments are: non-malicious code, malicious code, malicious code;
the second engine's detection results for the three segments are: non-malicious code, malicious code, malicious code;
the third engine's detection results for the three segments are: non-malicious code, malicious code, non-malicious code.
Combining the three engines' results then gives, for the three segments: non-malicious code, malicious code, malicious code. That is, a segment of suspected malicious code is determined to be non-malicious only when every engine detects it as non-malicious, and is determined to be malicious as soon as at least one engine detects it as malicious. Although described as taking the intersection of the engines' results, this rule is the union of their malicious verdicts (equivalently, the intersection of their non-malicious verdicts): it favours catching every flagged segment over keeping the false-positive rate low. This improves the accuracy with which suspected malicious code is judged.
As shown in Figure 3, a website malicious program detection device 10 according to an embodiment of the invention comprises:
a file obtaining unit 11, for obtaining the web page files of a target website;
a recognition unit 12, for detecting the source code in the web page files according to a malicious program feature database and identifying suspected malicious code in the web page files;
a transmission unit 13, for transmitting the suspected malicious code and/or the web page files to a preset server, so that the preset server detects whether the suspected malicious code is malicious code;
a result obtaining unit 14, for obtaining the suspected-malicious-code detection result returned by the preset server.
Preferably, the device also comprises:
a prompt unit 15, for generating prompt information according to the judgement result, to indicate whether the target website contains web page files in which malicious code is present.
Preferably, the device also comprises:
a marking unit 16, for, when the suspected malicious code is malicious code, adding a first mark to the malicious code according to a received first instruction, so that code carrying the first mark is identified as non-malicious code when the source code is detected again;
or
for, when the suspected malicious code is malicious code, adding a second mark to the malicious code according to a received second instruction, so that code carrying the second mark is identified as malicious code when the source code is detected again.
Preferably, the device also comprises:
a query unit 17, for querying the number of times the suspected malicious code has been accessed by specific users, and, if that number is greater than a preset number, judging the suspected malicious code to be non-malicious code and issuing a prompt.
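Units 11 to 17 of the terminal side worked through on constructed page files, as an added example that is not code from the patent. The feature database, the sample files, the stand-in for the preset server (any callable that returns verdicts keyed by segment id) and the precedence of the rules are assumptions: a second (blacklist) mark wins over everything, then a first (whitelist) mark, then the user-count exemption, and only what remains is sent to the server. The users counted for the exemption should be authenticated administrators; counting anonymous visitors would let anyone clear a file by visiting it often enough.

```python
"""Terminal-side detection with marks and user-whitelist exemption.

Added example; not code from the patent.  Implements units 11 to 17: a
feature-database scan of page source, a hand-off to the preset server
(here any callable returning verdicts by segment id), the first/second
marks that override the verdict on re-detection, and the rule that a
segment accessed and whitelisted by more than a preset number of users is
reported as non-malicious.  Feature database, sample files and the rule
precedence (blacklist mark > whitelist mark > user count > server) are
assumptions.
"""
import hashlib
import re

# Assumed malicious-program feature database (unit 12).
FEATURE_DB = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\b(?:system|passthru|shell_exec)\s*\("),
    re.compile(r"\$_(?:GET|POST|REQUEST)\s*\["),
    re.compile(r"base64_decode\s*\("),
]

# Constructed web page files of the target website (unit 11).
PAGE_FILES = {
    "index.php": "<?php\n$title = 'Home';\necho \"<h1>$title</h1>\";\n",
    "uploads/avatar.php": "<?php\n@eval($_POST['cmd']);\n",
    "admin/tools.php": "<?php\n$out = shell_exec('uptime');\necho $out;\n",
}


def segment_id(code):
    return hashlib.sha256(code.encode()).hexdigest()


def scan(page_files, feature_db=FEATURE_DB):
    """Unit 12: source lines that match the feature database, keyed by id."""
    found = {}
    for path, source in page_files.items():
        for lineno, line in enumerate(source.splitlines(), 1):
            if any(p.search(line) for p in feature_db):
                found[segment_id(line.strip())] = (path, lineno, line.strip())
    return found


class Terminal:
    def __init__(self, server_judge, max_trusted_users=2):
        self.server_judge = server_judge    # units 13/14: preset-server round trip
        self.max_trusted_users = max_trusted_users
        self.first_marks = set()            # unit 16: whitelist marks
        self.second_marks = set()           # unit 16: blacklist marks
        self.whitelisting_users = {}        # unit 17: segment id -> users

    def mark_non_malicious(self, seg_id):
        self.first_marks.add(seg_id)
        self.second_marks.discard(seg_id)

    def mark_malicious(self, seg_id):
        self.second_marks.add(seg_id)
        self.first_marks.discard(seg_id)

    def user_whitelists(self, seg_id, user):
        self.whitelisting_users.setdefault(seg_id, set()).add(user)

    def detect(self, page_files):
        """Scan, apply marks and user counts, send the rest to the server."""
        pending, report = {}, []
        for seg_id, (path, lineno, code) in scan(page_files).items():
            if seg_id in self.second_marks:
                verdict, reason = "malicious", "second mark"
            elif seg_id in self.first_marks:
                verdict, reason = "non-malicious", "first mark"
            elif len(self.whitelisting_users.get(seg_id, ())) > self.max_trusted_users:
                verdict, reason = "non-malicious", "whitelisted by enough users"
            else:
                verdict, reason = None, "server"
                pending[seg_id] = code
            report.append({"id": seg_id, "path": path, "line": lineno,
                           "code": code, "verdict": verdict, "reason": reason})
        verdicts = self.server_judge(pending) if pending else {}
        for entry in report:
            if entry["verdict"] is None:
                entry["verdict"] = "malicious" if verdicts.get(entry["id"]) else "non-malicious"
        return report

    def prompt(self, report):
        """Unit 15: name the page files that still contain malicious code."""
        bad = sorted({e["path"] for e in report if e["verdict"] == "malicious"})
        return f"malicious code found in: {', '.join(bad)}" if bad else "no malicious code found"


def by_path(report):
    return {e["path"]: e for e in report}


def constructed_server(segments):
    """Stand-in for the preset server: flags eval/$_POST, passes shell_exec."""
    return {sid: bool(re.search(r"eval|\$_POST", code)) for sid, code in segments.items()}
```

A first run sends both suspect lines to the server, which flags the upload and clears the admin tool. After the operator adds a first mark to the upload (say, a known false positive) and a second mark to the tool, a second run never asks the server about either; and a terminal where three users have whitelisted the upload reports it as non-malicious on the user-count rule alone. Marks are keyed by the hash of the stripped line, so a whitelisted line that is later edited becomes a new suspect automatically.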
As shown in Figure 4, a website malicious code judgement device 20 according to an embodiment of the invention comprises:
a code obtaining unit 21, for obtaining suspected malicious code judged by a terminal and/or suspected malicious code from the web page files of the terminal;
a detection unit 22, for detecting the suspected malicious code with multiple engines respectively, and judging whether the suspected malicious code is malicious code according to the detection result of each engine;
a sending unit 23, for sending the suspected-malicious-code judgement result to the terminal.
The interaction between the website malicious program detection device 10 and the website malicious code judgement device 20 is shown in Figure 5. Device 10 includes, but is not limited to, the website's local server, and device 20 includes, but is not limited to, a cloud server: the local server performs preliminary detection on the source code of the web page files, and the cloud server then detects the suspected malicious code precisely. This improves the accuracy of the detection result on the one hand, and on the other hand reduces the computing load on the local server and increases the overall speed of code detection.
In summary, by detecting the source code in the web page files and having a preset server detect the suspected malicious code, the present invention can quickly and accurately detect malicious code present in a target website, thereby reducing the probability of the website being maliciously attacked and improving its security.
It should be noted that the algorithms and formulas provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching based on this example. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description above of a specific language is given to disclose the preferred embodiment of the invention.
In the specification provided here, a large number of specific details are described. It will be understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of its various aspects, in the description above of exemplary embodiments the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure should not, however, be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that although some embodiments described here include certain features that are included in other embodiments and not others, combinations of features of different embodiments are intended to fall within the scope of the invention and to form different embodiments.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the website security detection equipment according to embodiments of the invention. The invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described here. Such programs implementing the invention may be stored on computer-readable media or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
The above are only some embodiments of the invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (10)

1. A website malicious program detection method, characterized in that it comprises:
obtaining the web page files of a target website;
detecting the source code in the web page files according to a malicious program feature database, and identifying suspected malicious code in the web page files;
transmitting the suspected malicious code and/or the web page files to a preset server, so that the preset server judges whether the suspected malicious code is malicious code;
obtaining the suspected-malicious-code judgement result returned by the preset server.
2. The website malicious program detection method according to claim 1, characterized in that it also comprises:
generating prompt information according to the judgement result, to indicate whether the target website contains web page files in which malicious code is present.
3. The website malicious program detection method according to either of claims 1 and 2, characterized in that, if the suspected malicious code is judged to be malicious code, the method also comprises:
adding the malicious code to a whitelist according to a received first instruction, so that code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
adding the malicious code to a blacklist according to a received second instruction, so that code added to the blacklist is identified as malicious code when the source code is detected again.
4. The website malicious program detection method according to any one of claims 1 to 3, characterized in that identifying the suspected malicious code in the web page files also comprises:
querying the number of users who have accessed the suspected malicious code and added it to a whitelist, and, if that number is greater than a preset number, judging the suspected malicious code to be non-malicious code and issuing a prompt.
5. A website malicious code judgement method, characterized in that it comprises:
obtaining suspected malicious code judged by a terminal and/or suspected malicious code from the web page files of the terminal;
detecting the suspected malicious code with multiple engines respectively, and judging whether the suspected malicious code is malicious code according to the detection result of each engine;
sending the suspected-malicious-code judgement result to the terminal.
6. A website malicious program detection device, characterized in that it comprises:
a file obtaining unit, for obtaining the web page files of a target website;
a recognition unit, for detecting the source code in the web page files according to a malicious program feature database and identifying suspected malicious code in the web page files;
a transmission unit, for transmitting the suspected malicious code and/or the web page files to a preset server, so that the preset server detects whether the suspected malicious code is malicious code;
a result obtaining unit, for obtaining the suspected-malicious-code detection result returned by the preset server.
7. The website malicious program detection device according to claim 6, characterized in that it also comprises:
a prompt unit, for generating prompt information according to the judgement result, to indicate whether the target website contains web page files in which malicious code is present.
8. The website malicious program detection device according to either of claims 6 and 7, characterized in that it also comprises:
an adding unit, for, when the suspected malicious code is malicious code, adding the malicious code to a whitelist according to a received first instruction, so that code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
for, when the suspected malicious code is malicious code, adding the malicious code to a blacklist according to a received second instruction, so that code added to the blacklist is identified as malicious code when the source code is detected again.
9. The website malicious program detection device according to any one of claims 6 to 8, characterized in that it also comprises:
a query unit, for querying the number of users who have accessed the suspected malicious code and added it to a whitelist, and, if that number is greater than a preset number, judging the suspected malicious code to be non-malicious code and issuing a prompt.
10. A website malicious code judgement device, characterized in that it comprises:
a code obtaining unit, for obtaining suspected malicious code judged by a terminal and/or suspected malicious code from the web page files of the terminal;
a detection unit, for detecting the suspected malicious code and/or the web page files with multiple engines respectively, and judging whether the suspected malicious code is malicious code according to the detection result of each engine;
a sending unit, for sending the suspected-malicious-code judgement result to the terminal.
CN201410856928.XA 2014-12-31 2014-12-31 Website malicious program detection method and device Pending CN104580203A (en)

Priority application (and application claiming priority): CN201410856928.XA, priority date 2014-12-31, filing date 2014-12-31, Website malicious program detection method and device

Publication: CN104580203A, publication date 2015-04-29

Family ID: 53095384; family applications: CN201410856928.XA (pending); country status: CN, CN104580203A


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891861A (en) * 2012-10-29 2013-01-23 珠海市君天电子科技有限公司 Client-based phishing website detecting method and device
CN103593613A (en) * 2013-11-26 2014-02-19 北京网秦天下科技有限公司 Method, terminal, server and system for computer virus detection
CN104077396A (en) * 2014-07-01 2014-10-01 清华大学深圳研究生院 Method and device for detecting phishing website


Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10511617B2 (en) 2015-05-27 2019-12-17 Iyuntian Co., Ltd. Method and system for detecting malicious code
CN106295333A (en) * 2015-05-27 2017-01-04 安恒通(北京)科技有限公司 For detecting the method and system of malicious code
CN106295333B (en) * 2015-05-27 2018-08-17 安一恒通(北京)科技有限公司 method and system for detecting malicious code
CN105653942A (en) * 2015-07-31 2016-06-08 哈尔滨安天科技股份有限公司 Detection method and apparatus for picture backdoor
CN105262739A (en) * 2015-09-25 2016-01-20 上海斐讯数据通信技术有限公司 Security defense method, terminal, server, and system
CN107070913A (en) * 2017-04-07 2017-08-18 杭州安恒信息技术有限公司 A kind of detection and means of defence and system based on webshell attacks
CN107070913B (en) * 2017-04-07 2020-04-28 杭州安恒信息技术股份有限公司 Webshell attack-based detection and protection method and system
CN108549813A (en) * 2018-03-02 2018-09-18 彭根 Method of discrimination, device and pocessor and storage media
CN109104429B (en) * 2018-09-05 2021-09-28 广东石油化工学院 Detection method for phishing information
CN109104429A (en) * 2018-09-05 2018-12-28 广东石油化工学院 A kind of detection method for network fraud information
CN110443050A (en) * 2019-07-26 2019-11-12 武汉天喻软件股份有限公司 A kind of processing method and system of forgery process in file transparent encrypting and deciphering system
CN110443050B (en) * 2019-07-26 2021-02-09 武汉天喻软件股份有限公司 Method and system for processing counterfeit process in file transparent encryption and decryption system
CN111027065A (en) * 2019-10-28 2020-04-17 哈尔滨安天科技集团股份有限公司 Lesovirus identification method and device, electronic equipment and storage medium
CN111027065B (en) * 2019-10-28 2023-09-08 安天科技集团股份有限公司 Leucavirus identification method and device, electronic equipment and storage medium
CN113067796A (en) * 2020-01-02 2021-07-02 深信服科技股份有限公司 Hidden page detection method, device, equipment and storage medium
CN111259985A (en) * 2020-02-19 2020-06-09 腾讯科技(深圳)有限公司 Classification model training method and device based on business safety and storage medium
CN111259985B (en) * 2020-02-19 2023-06-30 腾讯云计算(长沙)有限责任公司 Classification model training method and device based on business safety and storage medium
CN111740999A (en) * 2020-06-22 2020-10-02 杭州安恒信息技术股份有限公司 DDOS attack identification method, system and related device
CN113806131A (en) * 2021-09-23 2021-12-17 深圳市元征软件开发有限公司 Access control method and device for fault code library, electronic equipment and storage medium
CN113792294A (en) * 2021-11-15 2021-12-14 北京升鑫网络科技有限公司 Malicious class detection method, system, device, equipment and medium
CN113792294B (en) * 2021-11-15 2022-03-08 北京升鑫网络科技有限公司 Malicious class detection method, system, device, equipment and medium


Legal Events

Date Code Title Description
C06 / PB01: Publication (application publication date 2015-04-29)
C10 / SE01: Entry into substantive examination; entry into force of request for substantive examination
C41 / TA01: Transfer of patent application right; effective date of registration 2016-12-27
Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD., 100015 Chaoyang District Road, Jiuxianqiao, No. 10, building No. 3, floor 15, floor 17, 1701-26
Applicants before: Beijing Qihoo Technology Co., Ltd.; Qizhi Software (Beijing) Co., Ltd., 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
RJ01: Rejection of invention patent application after publication (application publication date 2015-04-29)