CN105488398A - Web application program behavior extraction method and malicious behavior detection method - Google Patents


Info

Publication number: CN105488398A
Authority: CN (China)
Prior art keywords: web application, function, behavior, malicious act, measured
Prior art date
Legal status: Granted
Application number: CN201510881765.5A
Other languages: Chinese (zh)
Other versions: CN105488398B (en)
Inventors: 毛剑, 陈岳, 史福田, 伍前红, 刘建伟, 田文倩
Current assignee: Beihang University
Original assignee: Beihang University
Priority date
Filing date
Publication date
Application filed by Beihang University
Priority to CN201510881765.5A
Publication of CN105488398A
Application granted
Publication of CN105488398B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

The invention discloses a web application behavior extraction method and a malicious behavior detection method. The web application behavior extraction method comprises the following steps: a web application behavior recording module intercepts JavaScript functions and extracts the behavior record of the web application under test, where the behavior record comprises the name of the JavaScript function called by the web application under test, the parameters it received and the function call stack information; the behavior record of the web application under test is then sent to a malicious behavior detection module and written to a log file. The methods provided by the embodiments of the invention are simple to implement and widely applicable, achieve comprehensive monitoring of web application behavior, and facilitate the detection of malicious behavior.

Description

Web application behavior extraction method and malicious behavior detection method
Technical field
The present invention relates to the technical field of network and information security, and in particular to a web application behavior extraction method and a malicious behavior detection method.
Background technology
Web applications are application software that supports web services, written in languages supported by the browser (such as JavaScript, an interpreted scripting language; HTML, HyperText Markup Language; and CSS, Cascading Style Sheets) and run inside the browser environment. Because a web application uses the web browser as its client, it can easily be deployed to a variety of platforms, such as desktop platforms like Windows and mobile platforms like Android (an operating system used mainly on mobile devices). Because web applications are easy to use and rich in features, applications such as e-mail, e-commerce and online dictionaries are now almost all implemented as web applications, which have become a very important part of people's daily lives.
With the popularity of web applications, they have gradually become the target of more and more attackers. An attacker achieves the goal of an attack by making the web application perform malicious behavior. Therefore, if web application behavior can be extracted efficiently, malicious behavior within it can be detected effectively.
At present, web application behavior is mostly extracted by modifying the web browser source code. This implementation is relatively complex, cannot be used by ordinary users, and is difficult to generalize to browsers of other versions and brands. Moreover, the web application behavior extracted by this method is limited to information about single JavaScript function calls; it does not achieve overall monitoring of web application behavior and cannot analyze complex web application behavior.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art. To this end, one object of the invention is to propose a web application behavior extraction method that is simple to implement, has good applicability, achieves overall monitoring of web application behavior, and facilitates the detection of malicious behavior.
A second object of the invention is to propose a method for detecting malicious behavior on the basis of web application behavior.
The web application behavior extraction method according to an embodiment of the first aspect of the invention comprises the following steps: a web application behavior recording module intercepts JavaScript functions and extracts the behavior record of the web application under test, where the behavior record comprises the name of the JavaScript function called by the web application under test, the parameters it received and the function call stack information; the behavior record of the web application under test is sent to a malicious behavior detection module and written to a behavior log file.
According to the web application behavior extraction method of this embodiment, the behavior record (the name of the JavaScript function called by the web application under test, the received parameters and the function call stack information) is obtained, sent to the malicious behavior detection module and at the same time written to the behavior log file. Modification of the web browser source code is thereby avoided, so the implementation is simple and the applicability is better; and because function call stack information is extracted, the relationships between the multiple called functions can be obtained, which achieves overall monitoring of web application behavior and facilitates subsequent detection of malicious behavior.
In addition, the web application behavior extraction method according to the above embodiment may also have the following additional technical features:
According to one embodiment of the invention, the method further comprises: a behavior drawing module counts, from the behavior record of the web application under test, the number of times each function is called and the number of times each HTML element is accessed, and draws a real-time behavior chart of the web application under test from these counts, so as to display the behavior record of the web application under test in real time.
Further, the real-time behavior chart of the web application under test is drawn in the popup page of the web browser.
According to one embodiment of the invention, extracting the behavior record of the web application under test comprises: renaming the JavaScript function to be intercepted; defining a new function with the same name as the JavaScript function had before renaming; adding code to the new function to obtain the name of the JavaScript function and the parameters it receives; and using the error handling mechanism of JavaScript to obtain the function call stack information.
According to one embodiment of the invention, the JavaScript function is located in the web browser.
The method for detecting malicious behavior from web application behavior according to an embodiment of the second aspect of the invention comprises the following steps: obtaining the behavior record of the web application under test; obtaining a predetermined malicious behavior pattern library, where a malicious behavior detection module matches the behavior record of the web application under test against each malicious behavior pattern in the library, and each behavior record that matches successfully is determined to be abnormal behavior; obtaining a predetermined normal behavior pattern list, where a malicious behavior confirmation module matches the abnormal behavior against each normal behavior pattern in the list, and each abnormal behavior that fails to match is determined to be suspected malicious behavior; and if the number of suspected malicious behaviors exceeds a predetermined threshold, issuing a malicious behavior alarm.
According to the malicious behavior detection method of this embodiment, the behavior record of the web application under test is obtained and matched against the malicious behavior patterns to determine abnormal behavior preliminarily; the abnormal behavior is then matched against the normal behavior patterns to determine suspected malicious behavior; and an alarm is issued when there is too much suspected malicious behavior. Because detection is performed on the web application behavior extracted by the extraction method of the embodiment, the relationships between multiple called functions can be taken into account, so relatively hidden malicious behavior, such as attacks whose effects are concealed, can be detected effectively, which substantially improves the accuracy of malicious behavior detection.
In addition, the malicious behavior detection method according to the above embodiment may also have the following additional technical features:
According to one embodiment of the invention, the method further comprises: judging whether the suspected malicious behavior of the web application under test is malicious behavior, and if it is not, adding the suspected malicious behavior to the normal behavior pattern list.
According to one embodiment of the invention, a malicious behavior pattern is a pair of strings consisting of the name of the current JavaScript function that is called when the malicious behavior occurs and the name of the parent function of that current JavaScript function, where the parent function is a function that directly or indirectly calls the current JavaScript function; a normal behavior pattern is a group of strings consisting of the name of the current JavaScript function called when the normal behavior occurs and the names of the parent functions of the current JavaScript function at each level, where in the string group the function represented by each string is the parent function of the function represented by the preceding string.
Further, if the name of the JavaScript function in the behavior record of the web application under test is identical to the name of the current JavaScript function in the malicious behavior pattern, and the parent function of that JavaScript function, determined from the function call stack information in the behavior record, is identical to the name of the parent function of the current JavaScript function in the malicious behavior pattern, then the behavior record matches successfully; otherwise the behavior record fails to match. If the name of the JavaScript function of the abnormal behavior in the behavior record is identical to the name of the current JavaScript function in the normal behavior pattern, and the parent functions at each level of that JavaScript function, determined from the function call stack information in the behavior record, are identical to the names of the parent functions at each level of the current JavaScript function in the normal behavior pattern, then the abnormal behavior matches successfully; otherwise the abnormal behavior fails to match.
Brief description of the drawings
Fig. 1 is a flowchart of the web application behavior extraction method according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the web application behavior extraction and malicious behavior detection process according to an embodiment of the invention;
Fig. 3 is a flowchart of the method for detecting malicious behavior from web application behavior according to an embodiment of the invention.
Embodiments
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the invention and are not to be construed as limiting it.
The web application behavior extraction method and the malicious behavior detection method of the embodiments of the invention are described below with reference to the drawings.
Fig. 1 is a flowchart of the web application behavior extraction method according to an embodiment of the invention.
As shown in Fig. 1, the web application behavior extraction method of the embodiment comprises the following steps:
S101: the web application behavior recording module intercepts JavaScript functions and extracts the behavior record of the web application under test, where the behavior record comprises the name of the JavaScript function called by the web application under test, the parameters it received and the function call stack information.
In an embodiment of the invention, the web browser running the web application under test may be provided with a web application behavior recording browser extension.
In an embodiment of the invention, intercepting JavaScript functions with the browser extension and extracting the behavior record of the web application under test may specifically comprise: renaming the JavaScript function to be intercepted; defining a new function with the same name as the JavaScript function had before renaming; adding code to the new function to obtain the name of the JavaScript function and the parameters it receives; and using the error handling mechanism of JavaScript to obtain the function call stack information. Here the JavaScript function is located in the web browser.
Specifically, in the JavaScript code the function to be intercepted is renamed, and a function with the same name as the function to be intercepted is then defined. When the web application calls the JavaScript function by its function name, it therefore calls the new function; the new function in turn calls the original JavaScript function by its renamed name, so that the normal functionality of the intercepted function is not affected. The code implementing the above steps is as follows:
In an embodiment of the invention, the above step does not declare any parameters for the new function, so the new function can receive any number of parameters. The parameters received by the new function are passed on to the original JavaScript function by means of ".apply(this, arguments)", and the new function returns the return value of the original JavaScript function, which ensures that the functionality of the original JavaScript function is not affected.
The step implemented by the above code applies only to the global system functions of JavaScript. For the member functions of HTML elements, the HTML elements need to be obtained one by one and their member functions modified one by one; these HTML elements include both the existing HTML elements and HTML elements created later. The code sample is as follows:
Adding code to the above new function obtains the name of the JavaScript function and the parameters it receives. The parameters can be recorded by reading the "arguments" variable: specifically, the "arguments" variable is first converted to an array, each element of which holds the value of one passed-in parameter; these values are then converted to strings and concatenated into one complete string for recording. The code sample is as follows:
Here the separator " " delimits the individual parameters.
The name of the JavaScript function and its received parameters only describe the call information of a single function call; in an embodiment of the invention, the relationships between the functions called in sequence are represented by the function call stack information. Using the error handling mechanism of JavaScript to obtain the function call stack information specifically comprises: first defining a try block (a block that monitors code in which an exception may occur) and deliberately triggering an error in it, for example by accessing a variable that has not been defined; then reading, in the corresponding catch block (a block that handles the exception), the current function call stack information provided by that error; and finally converting the function call stack information to a string and writing it into the behavior record. The code sample is as follows:
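The patent's own code samples for the renaming step, the parameter recording and the call-stack capture are not reproduced on this page. The following is an added example, written for this edit and not taken from the patent, that implements those three steps together in JavaScript so that it runs under Node.js. The names `behaviorLog`, `interceptFunction`, `captureCallStack`, `fakeWindow` and `pageScript` are chosen here; the in-memory `behaviorLog` stands in for the browser console that the description writes records to, and `fakeWindow.alert` is a constructed stand-in for a browser global such as window.alert.

```javascript
// Added example (not the patent's code): intercept a JavaScript function by
// renaming it and installing a same-named wrapper that records each call.
// `behaviorLog` is a constructed in-memory store; the patent writes records to
// the browser console instead.
const behaviorLog = [];

// Convert the `arguments` object to an array, stringify every value and join
// them with "|" so that one flat string describes the received parameters.
function argsToString(args) {
  return Array.prototype.slice.call(args).map(String).join('|');
}

// Obtain the current call stack through the error-handling mechanism: a try
// block deliberately references an undeclared identifier, and the catch block
// reads the stack carried by the resulting ReferenceError.
function captureCallStack() {
  try {
    deliberatelyUndeclaredIdentifier; // throws ReferenceError on purpose
  } catch (e) {
    return String(e.stack);
  }
  return '';
}

// Rename owner[name] to a backup property and install a wrapper under the
// original name. The wrapper declares no parameters, so it accepts any number
// of arguments, and forwards them with .apply(this, arguments) so that the
// original function keeps its `this` binding and its return value.
function interceptFunction(owner, name) {
  const original = owner[name];
  if (typeof original !== 'function') {
    throw new TypeError(name + ' is not a function');
  }
  const backup = '__orig_' + name;
  owner[backup] = original;
  owner[name] = function () {
    behaviorLog.push({
      name: name,
      args: argsToString(arguments),
      stack: captureCallStack(),
    });
    return owner[backup].apply(this, arguments);
  };
}

// Constructed stand-in for a browser global object: in a page this would be
// `window` and the function window.alert; here it only returns a string.
const fakeWindow = {
  alert: function (message) { return 'shown:' + message; },
};
interceptFunction(fakeWindow, 'alert');

// A "page script" that calls the intercepted function, so that its own name
// appears in the recorded call stack as the parent function.
function pageScript() {
  return fakeWindow.alert('hello', 42);
}

// Run one call and return the original's result plus the captured records.
function runSample() {
  behaviorLog.length = 0;
  const result = pageScript();
  return { result: result, records: behaviorLog.slice() };
}
```

Because `interceptFunction` takes the owning object as a parameter, the same routine can be applied to one element at a time for member functions, as the description requires for HTML elements; the Node.js sample only demonstrates the global-function case.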
Thus, the name of the JavaScript function called by the web application under test, the parameters received by the function and the function call stack information have been extracted by the above method.
S102: the behavior record of the web application under test is sent to the malicious behavior detection module and written to the behavior log file.
In an embodiment of the invention, with reference to Fig. 2, the malicious behavior detection module may reside in the content_script.js script together with the behavior extraction module that extracts the behavior record of the web application under test; the malicious behavior detection module can therefore read the behavior record in real time from content_script.js and perform real-time malicious behavior detection.
In step S101, the extracted behavior record of the web application under test may be written to the console of the web browser, and the behavior record in the console can then be written to the behavior log file. In an embodiment of the invention, taking the Chrome browser as an example, adding the --enable-logging parameter when running Chrome makes Chrome write the console content to the chrome_debug.log file in the Chrome user data directory.
According to the web application behavior extraction method of this embodiment, the behavior record (the name of the JavaScript function called by the web application under test, the received parameters and the function call stack information) is obtained, sent to the malicious behavior detection module and at the same time written to the behavior log file. Modification of the web browser source code is thereby avoided, so the implementation is simple and the applicability is better; and because function call stack information is extracted, the relationships between the multiple called functions can be obtained, which achieves overall monitoring of web application behavior and facilitates subsequent detection of malicious behavior.
To a web browser user, the behavior of a web application is often hidden in the background, which makes it hard for the user to understand the web application and to find malicious behavior concealed in it. In view of this, the web application behavior extraction method of the embodiment further comprises a step of displaying the behavior record of the web application under test. Specifically, the behavior drawing module in Fig. 2 can count, from the behavior record, the number of times each function is called and the number of times each HTML element is accessed, and draw a real-time behavior chart of the web application under test from these counts, so as to display the behavior record in real time.
In an embodiment of the invention, in order not to obscure the web application itself, the real-time behavior chart may be drawn in the popup page of the web browser. The function call counts and HTML element access counts produced inside the web application therefore have to be delivered to the popup.js script of the browser extension. In an embodiment, the content_script.js script of the browser extension can act as an intermediate bridge that passes the data from inside the web application to the popup.js script of the extension. The concrete transfer process can follow steps a and b below.
a. From inside the web application to the content_script.js script of the browser extension.
Specifically, for the function call count data, a counting HTML element can be created for each JavaScript function (if the JavaScript system function is a member function of HTML elements, all HTML elements share the same counting element), and the name of the corresponding JavaScript function and its number of calls are recorded in the attribute values of this counting element. The code sample for counting function calls is as follows:
For the HTML element access count data, a counting HTML element can be created for each HTML element, and the unique number of that element within the whole web application, its tag name and the number of times its member functions have been called are recorded in the attribute values of the counting element. The unique number of the HTML element is obtained by numbering the elements sequentially in the order in which they were added to the DOM (Document Object Model) during the extraction of the behavior record. The tag name of the element is an HTML tag name such as <p> or <img>. Here, each call of a member function of an HTML element is defined as one access of that element, so the total number of member function calls is the number of accesses of the corresponding HTML element.
b. From the content_script.js script of the browser extension to the popup.js script of the browser extension.
Specifically, the popup.js script first sends a request to the content_script.js script; after receiving the request, content_script.js returns the data to popup.js; finally popup.js obtains the data returned by content_script.js. The code sample is as follows:
After popup.js receives the data, the real-time behavior chart can be drawn dynamically by periodically refreshing the data of an HTML table element. Each row of the table represents one JavaScript system function or HTML element, each column represents an elapsed time interval, and each table cell therefore represents the number of calls of a function or the number of accesses of an HTML element during one interval; a cell can be rendered as a number and as a bar image.
At fixed intervals popup.js obtains the current function call counts and HTML element access counts, shifts the data of every cell in the table one column to the left (discarding the original leftmost column), and places the difference between the newly obtained data and the previously obtained data in the rightmost column of the new table. The whole table thus keeps moving to the left as time passes, forming the real-time behavior chart of the web application.
In a specific embodiment, the call count obtained for the window.alert function is 30 and the access count of IMG element No. 1 is 70; after a certain interval the call count obtained for window.alert is 60 and the access count of IMG element No. 1 is 120. The concrete code sample is as follows:
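The patent's code samples for the counting step (step a) and for the table refresh in popup.js are not reproduced on this page. The following is an added example, written for this edit and not the patent's content_script.js or popup.js, that implements the cumulative counters and the left-shifting interval table in JavaScript and replays the numbers given in the description (30 then 60 calls of window.alert, 70 then 120 accesses of IMG element No. 1). `BehaviorCounter`, `RealtimeBehaviorTable` and the "TAG#number" element label are choices made here; plain objects stand in for the counting HTML elements, and the first refresh is assumed to be measured against zero.

```javascript
// Added example (not the patent's code): cumulative call/access counters and
// the rolling per-interval table behind the real-time behavior chart.

// Cumulative counters keyed by function name or by an element label of the
// assumed form "TAG#uniqueNumber" (e.g. "IMG#1"). Plain objects replace the
// counting HTML elements and their attribute values used by the patent.
class BehaviorCounter {
  constructor() { this.counts = {}; }
  // One call of a global JavaScript function.
  functionCalled(name) { this.bump(name); }
  // One member-function call on an element counts as one access of that element.
  elementAccessed(tagName, uniqueNumber) { this.bump(tagName + '#' + uniqueNumber); }
  bump(key) { this.counts[key] = (this.counts[key] || 0) + 1; }
  // Snapshot of the cumulative totals, as popup.js would request them.
  totals() { return Object.assign({}, this.counts); }
}

// Rolling table: one row per function or element, one column per refresh
// interval. On every refresh each row shifts left by one cell and the new
// rightmost cell holds the increase since the previous refresh (assumption:
// the first refresh is compared against zero).
class RealtimeBehaviorTable {
  constructor(columns) {
    this.columns = columns;   // number of intervals kept on screen
    this.previous = {};       // cumulative totals seen at the last refresh
    this.rows = {};           // key -> per-interval deltas, oldest first
  }
  refresh(totals) {
    for (const key of Object.keys(totals)) {
      if (!this.rows[key]) this.rows[key] = new Array(this.columns).fill(0);
      const row = this.rows[key];
      row.shift();                                       // drop leftmost column
      row.push(totals[key] - (this.previous[key] || 0)); // new rightmost column
      this.previous[key] = totals[key];
    }
    // Rows that received no new total this interval still move left.
    for (const key of Object.keys(this.rows)) {
      if (!(key in totals)) { this.rows[key].shift(); this.rows[key].push(0); }
    }
    return this.snapshot();
  }
  snapshot() {
    const copy = {};
    for (const key of Object.keys(this.rows)) copy[key] = this.rows[key].slice();
    return copy;
  }
  // Text rendering of one row: the number plus a bar of '#' per cell.
  renderRow(key) {
    return key + ' | ' + this.rows[key]
      .map(v => v + ' ' + '#'.repeat(Math.min(v, 20)))
      .join(' | ');
  }
}

// Replay the figures from the description with a three-column table.
function runSample() {
  const table = new RealtimeBehaviorTable(3);
  table.refresh({ 'window.alert': 30, 'IMG#1': 70 });
  return table.refresh({ 'window.alert': 60, 'IMG#1': 120 });
}
```

After the second refresh the window.alert row reads 0, 30, 30 and the IMG#1 row reads 0, 70, 50: the rightmost cells are the per-interval increases, exactly what the description places in the new right column.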
Thus, the behavior record of the web application under test is displayed in real time by the real-time behavior chart, and the web browser user can, drawing on experience, find concealed malicious behavior in the behavior record of the web application.
Corresponding to the web application behavior extraction method of the above embodiment, the invention also proposes a method for detecting malicious behavior from web application behavior.
Fig. 3 is a flowchart of the method for detecting malicious behavior from web application behavior according to an embodiment of the invention.
As shown in Fig. 3, the method for detecting malicious behavior from web application behavior of the embodiment comprises the following steps:
S301: obtaining the behavior record of the web application under test.
In an embodiment of the invention, if real-time malicious behavior detection is performed, the behavior record of the web application under test can be obtained from the behavior extraction module, i.e. read in real time from the content_script.js script.
If non-real-time malicious behavior detection is performed, the behavior record of the web application under test can be obtained from the behavior log file. In an embodiment of the invention, in order to distinguish the behavior record of the web application under test from content that the web application itself writes to the browser console, an identification string can be added at the beginning and end of every behavior record. The behavior record of the web application under test is then obtained by filtering out of the chrome_debug.log file the portions enclosed between these identification strings.
S302: obtaining a predetermined malicious behavior pattern library; the malicious behavior detection module matches the behavior record of the web application under test against each malicious behavior pattern in the library, and each behavior record that matches successfully is determined to be abnormal behavior.
S303: obtaining a predetermined normal behavior pattern library; the malicious behavior confirmation module matches the abnormal behavior against each normal behavior pattern in the library, and each abnormal behavior that fails to match is determined to be suspected malicious behavior.
In an embodiment of the invention, a malicious behavior pattern is a pair of strings consisting of the name of the current JavaScript function that is called when the malicious behavior occurs and the name of the parent function of that current JavaScript function, where the parent function is a function that directly or indirectly calls the current JavaScript function; a normal behavior pattern is a group of strings consisting of the name of the current JavaScript function called when the normal behavior occurs and the names of the parent functions of the current JavaScript function at each level, where in the string group the function represented by each string is the parent function of the function represented by the preceding string.
With reference to Fig. 2, in an embodiment of the invention, if the name of the JavaScript function in the behavior record of the web application under test is identical to the name of the current JavaScript function in the malicious behavior pattern, and the parent function of that JavaScript function, determined from the function call stack information in the behavior record, is identical to the name of the parent function of the current JavaScript function in the malicious behavior pattern, then the behavior record matches successfully; otherwise the behavior record fails to match. If the name of the JavaScript function of the abnormal behavior in the behavior record is identical to the name of the current JavaScript function in the normal behavior pattern, and the parent functions at each level of that JavaScript function, determined from the function call stack information in the behavior record, are identical to the names of the parent functions at each level of the current JavaScript function in the normal behavior pattern, then the abnormal behavior matches successfully; otherwise the abnormal behavior fails to match.
S304: if the number of suspected malicious behaviors exceeds a predetermined threshold, a malicious behavior alarm is issued.
As shown in Fig. 2, in an embodiment of the invention, when the number of suspected malicious behaviors determined in the above steps is too large, a malicious behavior alarm can be sent to security personnel. The predetermined threshold can be chosen according to conditions such as the category of the suspected malicious behavior and the specific detection requirements, and is not fixed to a specific value here.
In an embodiment of the invention, when security analysts receive the malicious behavior alarm, they can analyze the web application manually, together with information such as its source code, to judge whether the suspected malicious behavior of the web application under test is malicious behavior (for example, whether the source code of the web application contains the malicious code sample corresponding to the suspected malicious behavior). If the web application does contain the malicious behavior described in the alarm, it can be dealt with further, for example by taking corresponding measures to terminate the program or to stop the malicious behavior.
In an embodiment of the invention, if the suspected malicious behavior of the web application under test is not malicious behavior, the suspected malicious behavior can be added to the normal behavior pattern library. It should be understood that if the suspected malicious behavior is not malicious, it can be judged to be normal behavior of the web application under test; adding it to the normal behavior pattern library avoids mistaking this normal behavior for malicious behavior again.
Malicious act detection method is carried out by web application behavior according to the embodiment of the present invention, by obtaining the behavior record of web application to be measured, and it is mated with malicious act pattern, tentatively to determine abnormal behaviour, then abnormal behaviour is mated with normal behaviour pattern, to determine doubtful malicious act further, when doubtful malicious act is too much, alarm can be sent, thus, malicious act detection is carried out in the web application behavior of being extracted by the web application behavior extracting method of the embodiment of the present invention, can in conjunction with the relation between multiple invoked function, effectively detect and such as detect the comparatively hidden malicious act of the attack effects such as attack, thus substantially increase the accuracy of malicious act detection.
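The matching rules for malicious and normal behavior patterns and the threshold and feedback steps above (S302 to S304 and the analyst feedback into the normal behavior pattern base) are illustrated by the following added example. It is not code from the patent or from the applicant's implementation. The behavior records, pattern bases, function names and the threshold value are all constructed for illustration; the assumption that a normal behavior pattern may stop short of the root of the stack, and is therefore compared level by level as a prefix of the recorded caller chain, is the author's reading of claims 8 and 9, not something the patent states.

```javascript
'use strict';

// A behavior record as produced by the hooking step: the intercepted function's name, its
// received parameters, and its caller chain derived from the call stack, listed innermost
// (direct parent) first. These records are constructed sample data, not captured traffic.
const sampleRecords = [
  // known-benign telemetry: send() reached from a key handler via postTelemetry()
  { name: 'send', args: ['{"key":"a"}'], chain: ['postTelemetry', 'onKeyUp', 'dispatchEvent'] },
  // the same sink reached from an unknown function under the same key handler
  { name: 'send', args: ['{"k":"p4ssw0rd"}'], chain: ['harvest', 'onKeyUp', 'dispatchEvent'] },
  // send() at page load: no malicious pattern names onLoad, so this is never abnormal
  { name: 'send', args: ['/profile'], chain: ['loadProfile', 'onLoad'] },
  // DOM lookup from the same unknown function under the key handler
  { name: 'getElementById', args: ['password'], chain: ['harvest', 'onKeyUp', 'dispatchEvent'] },
];

// Malicious behavior pattern (claim 8): [currentFunction, parentFunction]. The parent may be
// a direct or an indirect caller, so it is looked for anywhere on the recorded chain.
const maliciousBase = [
  ['send', 'onKeyUp'],
  ['getElementById', 'onKeyUp'],
];

// Normal behavior pattern (claim 8): [currentFunction, parent1, parent2, ...], each entry the
// direct parent of the one before it. Assumption: a pattern may stop above the root of the
// stack, so it is compared level by level as a prefix of the recorded chain.
const normalBase = [
  ['send', 'postTelemetry', 'onKeyUp'],
];

// Claim 9, first rule: same function name and the named parent present on the stack.
function matchesMalicious(record, [current, parent]) {
  return record.name === current && record.chain.includes(parent);
}

// Claim 9, second rule: same function name and identical parents at every listed level.
function matchesNormal(record, [current, ...parents]) {
  return record.name === current && parents.every((p, i) => record.chain[i] === p);
}

// S302..S304: records -> abnormal behaviors -> suspected malicious behaviors -> alarm decision.
function detect(records, malicious, normal, threshold) {
  const abnormal = records.filter(r => malicious.some(p => matchesMalicious(r, p)));
  const suspects = abnormal.filter(r => !normal.some(p => matchesNormal(r, p)));
  return { abnormal, suspects, alarm: suspects.length > threshold };
}

// Feedback step (claim 7): a suspect that an analyst has judged benign becomes a normal
// behavior pattern, so the same call chain is not flagged again.
function toNormalPattern(record) {
  return [record.name, ...record.chain];
}

// Walk through the scenario with a constructed threshold of 1: the first pass alarms; after
// the analyst clears the getElementById suspect, one suspect remains and no alarm is raised.
function runScenario() {
  const threshold = 1;
  const first = detect(sampleRecords, maliciousBase, normalBase, threshold);
  const cleared = first.suspects.find(r => r.name === 'getElementById');
  const learned = normalBase.concat([toNormalPattern(cleared)]);
  const second = detect(sampleRecords, maliciousBase, learned, threshold);
  return { first, second };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { first, second } = runScenario();
  console.log('pass 1: abnormal=%d suspects=%d alarm=%s',
    first.abnormal.length, first.suspects.length, first.alarm);
  console.log('pass 2: abnormal=%d suspects=%d alarm=%s',
    second.abnormal.length, second.suspects.length, second.alarm);
}
```

Note that the feedback step records the whole chain of the cleared suspect, so a later call to the same function from a different caller path is still treated as abnormal; a pattern base that stored only the function name would silently whitelist every caller of it.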
In the description of the present invention, it should be understood that the orientations or positional relationships indicated by the terms "center", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial", "circumferential" and the like are based on the orientations or positional relationships shown in the drawings, are intended only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they therefore cannot be interpreted as limiting the present invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include one or more such features. In the description of the present invention, "a plurality of" means two or more unless otherwise expressly and specifically limited.
In the present invention, unless otherwise expressly specified and limited, the terms "mounted", "connected to", "connected" and "fixed" should be understood broadly; for example, a connection may be a fixed connection, a detachable connection or an integral connection; it may be a mechanical connection or an electrical connection; it may be a direct connection or an indirect connection through an intermediary; and it may be an internal connection between two elements or an interaction relationship between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
In the present invention, unless otherwise expressly specified and limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in indirect contact through an intermediary. Moreover, a first feature being "on", "above" or "over" a second feature may mean that the first feature is directly above or obliquely above the second feature, or merely that the first feature is at a higher level than the second feature. A first feature being "under", "below" or "beneath" a second feature may mean that the first feature is directly below or obliquely below the second feature, or merely that the first feature is at a lower level than the second feature.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example", "some examples" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic references to the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided there is no conflict, those skilled in the art may combine and integrate the different embodiments or examples described in this specification and the features of the different embodiments or examples.
Although the embodiments of the present invention have been illustrated and described above, it will be understood that the above embodiments are exemplary and cannot be interpreted as limiting the present invention; those of ordinary skill in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (9)

1. A web application behavior extraction method, characterized by comprising the following steps:
a web application behavior recording module intercepts a JavaScript function and extracts the behavior record of the web application under test, wherein the behavior record comprises the name and the received parameters of the JavaScript function called by the web application under test and function call stack information;
the behavior record of the web application under test is sent to a malicious behavior detection module, and the behavior record of the web application under test is written to a behavior log file.
2. The web application behavior extraction method according to claim 1, characterized by further comprising:
a behavior drawing module counts the number of calls of the function and the number of accesses to HTML elements according to the behavior record of the web application under test, and draws a real-time behavior diagram of the web application under test according to the number of function calls and the number of HTML element accesses, so as to display the behavior record of the web application under test in real time.
3. The web application behavior extraction method according to claim 2, characterized in that the real-time behavior diagram of the web application under test is drawn in a popup page of the Web browser.
4. The web application behavior extraction method according to claim 1, characterized in that extracting the behavior record of the web application under test comprises:
renaming the JavaScript function to be intercepted;
defining a new function having the same name as the JavaScript function before renaming;
adding code in the new function to obtain the name and the received parameters of the JavaScript function;
obtaining the function call stack information by means of the error handling mechanism of JavaScript.
5. The web application behavior extraction method according to claim 1 or 4, characterized in that the JavaScript function is located in the Web browser.
6. A malicious behavior detection method based on the web application behavior according to claim 1, characterized by comprising the following steps:
obtaining the behavior record of the web application under test;
obtaining a predetermined malicious behavior pattern base, wherein a malicious behavior detection module matches the behavior record of the web application under test against each malicious behavior pattern in the malicious behavior pattern base, and a behavior record of the web application under test for which the match succeeds is determined to be an abnormal behavior;
obtaining a predetermined normal behavior pattern base, wherein a malicious behavior confirmation module matches the abnormal behavior against each normal behavior pattern in the normal behavior pattern base, and an abnormal behavior for which the match fails is determined to be a suspected malicious behavior;
if the number of suspected malicious behaviors exceeds a predetermined threshold, sending a malicious behavior alarm.
7. The malicious behavior detection method based on web application behavior according to claim 6, characterized by further comprising:
judging whether the suspected malicious behavior of the web application under test is a malicious behavior, and, if the suspected malicious behavior of the web application under test is not a malicious behavior, adding the suspected malicious behavior to the normal behavior pattern base.
8. The malicious behavior detection method based on web application behavior according to claim 6, characterized in that:
the malicious behavior pattern is a string pair made up of the name of the current JavaScript function invoked when the malicious behavior occurs and the name of the parent function of the current JavaScript function, wherein the parent function is a function that directly or indirectly calls the current JavaScript function;
the normal behavior pattern is a string tuple made up of the name of the current JavaScript function invoked when the normal behavior occurs and the names of the parent functions of the current JavaScript function at each level, wherein, within the tuple, the function represented by each later string is the parent function of the function represented by the string before it.
9. The malicious behavior detection method based on web application behavior according to claim 6 or 8, characterized in that:
if the name of the JavaScript function in the behavior record of the web application under test is identical to the name of the current JavaScript function in the malicious behavior pattern, and the parent function of the JavaScript function determined from the function call stack information in the behavior record is identical to the name of the parent function of the current JavaScript function in the malicious behavior pattern, the match of the behavior record of the web application under test succeeds; otherwise the match of the behavior record of the web application under test fails;
if the name of the JavaScript function of the abnormal behavior in the behavior record of the web application under test is identical to the name of the current JavaScript function in the normal behavior pattern, and the parent functions at each level of the JavaScript function determined from the function call stack information in the behavior record are identical to the names of the parent functions at each level of the current JavaScript function in the normal behavior pattern, the match of the abnormal behavior succeeds; otherwise the match of the abnormal behavior fails.
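The interception procedure of claim 4 (rename the target function, define a same-named replacement that records the name and received parameters, and read the call stack through JavaScript's error handling mechanism) is illustrated by the following added example. It is not code from the patent or from the applicant's implementation. It assumes that "the error handling mechanism" refers to the stack string carried by a newly constructed Error object, and that the stack is in V8 format (Chrome and Node.js; other engines format frames differently). The hooked object is a constructed stand-in for the browser's document object so that the example runs outside a browser; in a browser the target would be window.document, and the same hookFunction call would be issued before the page's own scripts run (for example from an extension content script, which is an assumption, not something the patent specifies).

```javascript
'use strict';

// Behavior records, one per intercepted call. In the claimed scheme these are sent to the
// detection module and written to a behavior log file; here they are kept in memory.
const behaviorLog = [];

// Turn one V8-style stack frame ("    at name (file:line:col)", "    at Object.name (...)",
// "    at new Name (...)", "    at name [as alias] (...)", or "    at file:line:col" for
// anonymous code) into a bare function name. Assumption: V8 stack format.
function frameName(line) {
  const m = /^\s*at\s+(?:async\s+)?(?:new\s+)?(\S+?)(?:\s+\[as\s+\S+\])?\s+\(/.exec(line);
  if (!m) return '<anonymous>';
  return m[1].split('.').pop();          // "Object.onSubmit" -> "onSubmit"
}

// Caller chain innermost-first, obtained from the error handling mechanism: the stack string
// of a freshly constructed Error. Line 0 is the "Error" header and line 1 is the wrapper's
// own frame, so both are dropped; what remains starts at the direct parent of the hooked call.
function callerChain(stack) {
  return stack.split('\n').slice(2).map(frameName);
}

// Claim 4: rename the original (here to __orig_<name>, a constructed convention), define a
// same-named replacement that records the name, the received parameters and the call stack,
// and forward to the renamed original so the application keeps working.
function hookFunction(owner, name) {
  const renamed = '__orig_' + name;
  owner[renamed] = owner[name];
  owner[name] = function (...args) {
    behaviorLog.push({ name, args: [...args], chain: callerChain(new Error().stack) });
    return owner[renamed].apply(this, args);
  };
}

// Constructed stand-in for the browser's document object; the method body is a stub.
const fakeDocument = {
  getElementById(id) { return { id, value: 'stub-value-of-' + id }; },
};
hookFunction(fakeDocument, 'getElementById');

// Constructed call path inside the "web application under test".
function readPasswordField() { return fakeDocument.getElementById('password').value; }
function onSubmit() { return readPasswordField(); }

// Exercise the path once and hand back the recorded behavior together with the value the
// application observed, which must be unchanged by the hook.
function runDemo() {
  behaviorLog.length = 0;
  const value = onSubmit();
  return { value, records: behaviorLog.slice() };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { records } = runDemo();
  for (const r of records) {
    console.log(r.name + '(' + JSON.stringify(r.args) + ') called from ' + r.chain.slice(0, 3).join(' <- '));
  }
}
```

The chain recorded for the constructed path starts with readPasswordField, onSubmit, runDemo, which is exactly the parent-at-each-level information the normal behavior patterns of claim 8 consume, while the first entry alone is the direct parent. Two practical caveats: the renamed original is still reachable under its new name, so a page that enumerates or guesses that name can bypass the hook, and the default V8 stack trace depth (Error.stackTraceLimit) truncates long chains unless it is raised before hooking.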

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510881765.5A CN105488398B (en) 2015-12-04 2015-12-04 Web application behavior extracting method and malicious act detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510881765.5A CN105488398B (en) 2015-12-04 2015-12-04 Web application behavior extracting method and malicious act detection method

Publications (2)

Publication Number Publication Date
CN105488398A true CN105488398A (en) 2016-04-13
CN105488398B CN105488398B (en) 2018-06-15

Family

ID=55675372

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510881765.5A Active CN105488398B (en) 2015-12-04 2015-12-04 Web application behavior extracting method and malicious act detection method

Country Status (1)

Country Link
CN (1) CN105488398B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102737188A (en) * 2012-06-27 2012-10-17 北京奇虎科技有限公司 Method and device for detecting malicious webpage
CN104331663A (en) * 2014-10-31 2015-02-04 北京奇虎科技有限公司 Detection method of web shell and web server
CN105095741A (en) * 2014-05-13 2015-11-25 北京奇虎测腾科技有限公司 Behavior monitoring method and behavior monitoring system of application program

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105893102B (en) * 2016-06-29 2019-11-12 珠海豹趣科技有限公司 A kind of processing method, device and the electronic equipment of anti-virus security software triggering blue screen
CN106055982A (en) * 2016-06-29 2016-10-26 北京金山安全软件有限公司 Interception method and device for malicious program triggering blue screen and electronic equipment
CN105893102A (en) * 2016-06-29 2016-08-24 北京金山安全软件有限公司 Processing method and device for triggering blue screen by anti-virus security software and electronic equipment
CN108280346A (en) * 2017-01-05 2018-07-13 腾讯科技(深圳)有限公司 A kind of application protecting, monitoring method, apparatus and system
CN108280346B (en) * 2017-01-05 2022-05-31 腾讯科技(深圳)有限公司 Application protection monitoring method, device and system
CN110032833B (en) * 2018-01-11 2021-06-15 武汉斗鱼网络科技有限公司 Web application processing method and device
CN110032833A (en) * 2018-01-11 2019-07-19 武汉斗鱼网络科技有限公司 A kind of processing method and processing device of web application
CN108563577A (en) * 2018-04-19 2018-09-21 武汉极意网络科技有限公司 The method for detecting simulator based on JavaScript stack informations
CN108595328A (en) * 2018-04-19 2018-09-28 武汉极意网络科技有限公司 The method for detecting browser based on JavaScript stack informations
CN109309664A (en) * 2018-08-14 2019-02-05 中国科学院数据与通信保护研究教育中心 A kind of browser fingerprint detection behavior monitoring method
CN109558730B (en) * 2018-12-29 2020-10-16 360企业安全技术(珠海)有限公司 Safety protection method and device for browser
CN109726548A (en) * 2018-12-29 2019-05-07 360企业安全技术(珠海)有限公司 Processing method, server, system and the storage medium of application behavior
CN109558730A (en) * 2018-12-29 2019-04-02 360企业安全技术(珠海)有限公司 A kind of safety protecting method and device of browser
CN110287694A (en) * 2019-06-26 2019-09-27 维沃移动通信有限公司 Application management method, mobile terminal and storage medium
CN110633568A (en) * 2019-09-19 2019-12-31 北京广成同泰科技有限公司 Monitoring system for host and method thereof
CN111898128A (en) * 2020-08-04 2020-11-06 北京丁牛科技有限公司 Defense method and device for cross-site scripting attack
CN111898128B (en) * 2020-08-04 2024-04-26 北京丁牛科技有限公司 Defending method and device for cross-site script attack
CN113010892A (en) * 2021-03-26 2021-06-22 支付宝(杭州)信息技术有限公司 Method and device for detecting malicious behavior of small program
CN113010892B (en) * 2021-03-26 2022-09-20 支付宝(杭州)信息技术有限公司 Method and device for detecting malicious behavior of small program
CN113672902A (en) * 2021-08-31 2021-11-19 挂号网(杭州)科技有限公司 Application program detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN105488398B (en) 2018-06-15

Similar Documents

Publication Publication Date Title
CN105488398A (en) Web application program behavior extraction method and malicious behavior detection method
CN105528295B (en) Mobile applications anomaly detection method and device
CN101902366B (en) Method and system for detecting abnormal service behaviors
CN105138599B (en) It is a kind of can in the automatically monitoring website whole page each link clicks amount method
CN109120429B (en) Risk identification method and system
CN108566399B (en) Phishing website identification method and system
CN110602045B (en) Malicious webpage identification method based on feature fusion and machine learning
CN103281217B (en) A kind of measuring method of User Page stay time
CN108446394B (en) File difference comparison method and device
CN104462183B (en) Webpage jumps processing method and processing device
CN107085549B (en) Method and device for generating fault information
CN102664925A (en) Method and apparatus for displaying searching result
CN101751530A (en) Method for detecting loophole aggressive behavior and device
CN110278207A (en) Leak detection method, device and computer equipment are kidnapped in a kind of click
CN105993006B (en) Content processing method and terminal based on call back function
CN101895517B (en) Method and device for extracting script semantics
CN108280102B (en) Internet surfing behavior recording method and device and user terminal
CN105074670B (en) Daily record output control equipment, method and computer readable recording medium storing program for performing
CN105224465A (en) Webpage adjustment method and device
CN101471781A (en) Method and system for processing script injection event
CN113535587A (en) Target application detection method and device and computer equipment
US9323987B2 (en) Apparatus and method for detecting forgery/falsification of homepage
CN115730160A (en) Dark chain detection method and device, electronic equipment and readable storage medium
CN109032924A (en) Identify method, apparatus, equipment and the storage medium of resource type in the page
CN113626340A (en) Test requirement identification method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant