CN105491053A - Web malicious code detection method and system - Google Patents


Info

Publication number
CN105491053A
Authority
CN
China
Prior art keywords
malicious code
file
detection
module
white list
Prior art date
Legal status
Pending
Application number
CN201510967518.7A
Other languages
Chinese (zh)
Inventor
郄军利
Current Assignee
Yonyou Network Technology Co Ltd
Original Assignee
Yonyou Network Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Yonyou Network Technology Co Ltd
Priority to CN201510967518.7A
Publication of CN105491053A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention relates to a Web malicious code detection method and system. Based on a Web application source code repository, a malicious code feature database, web page code behaviour analysis, a white list and manual analysis, it comprehensively detects and determines whether web malicious code is present. The system comprises a malicious code detection agent module, a malicious code detection server white list module, a source code repository query and detection module, a malicious code feature detection module, a malicious code behaviour detection module, a detection result determination and alarm module, a detection result query module and a management module. By combining the Web application source code repository, the malicious code feature database, web page code behaviour analysis, the white list and manual analysis, the invention effectively addresses missed detections, improves the accuracy of malicious code detection, balances the inherent trade-off between the false alarm rate and the missed alarm rate, and improves the response efficiency of the detection process.

Description

Web malicious code detection method and system
Technical field
The present invention relates to the technical field of Web malicious code detection, and in particular to a method and system for real-time detection of Web-type malicious code such as Trojans and viruses.
Background
With the rapid development of the Internet, attacks against Internet applications have also spread further. Among the various kinds of attack, implanting malicious code into websites (web page Trojan injection, web page tampering, Webshell backdoors and so on) has become one of the most common and most damaging attack patterns.
Malicious code (unwanted code) refers to code that serves no useful purpose but can cause harm; the most conservative definition treats every unnecessary piece of code as malicious. There are several types of malicious code analysis. Traditional analysis is generally divided into three kinds: analysis based on code signatures, analysis based on semantics, and analysis based on code behaviour. Each of these has limitations:
Manual detection: open the web page, right-click to view the source file, and check for malicious code according to the known kinds of web virus. This method is very limited.
Signature-based detection: this is the most widely used and the oldest method. Characteristic instruction sequences are collected by analysing extracted malicious code samples; when the scanner examines a file, it compares the file with the signature database and judges whether any file fragment matches a known signature. The scripts used for web page Trojan injection are handled here as script viruses, but web page scripts have far more varied transformation and encoding methods than traditional PE-format viruses, so they are harder to detect.
Heuristic detection: this method sets threshold values for the features of malicious code; when the scanner analyses a file and its feature values approach those of a known kind of malicious code, the file is treated as malicious. For example, a given kind of malicious code usually calls a fixed set of specific kernel functions (especially those related to the process list, the registry and the system service list), and the order in which these functions appear in the code also tends to follow a pattern, so a particular malicious code can be analysed by the names and number of the kernel functions it calls.
Behaviour-based detection: this comprises exact matching and fuzzy matching of behaviour. Exact matching targets fairly direct malicious actions, such as adding entries to the registry boot items or modifying content under system folders. Fuzzy matching is the main discrimination method: most of the API functions called by malicious programs at runtime are also used by ordinary programs, but comparison shows that malicious programs call certain rarely used API functions, call them with abnormal frequency, or call related functions in particular combinations. Fuzzy matching is based on this observation, and the method can be combined with heuristic detection.
To address the shortcomings of the above techniques, the prior art has adopted some newer approaches based on statistics and signature analysis, as well as virtual machine techniques. The main new techniques are the following. Client honeypot technology: web viruses hide inside normal WEB traffic, so a traditional port-based firewall has difficulty stopping their propagation; a content-based (payload-based) firewall or intrusion detection system (IDS) can detect known web viruses, but web viruses are updated very quickly and obfuscation or encryption is widely applied, so traditional security devices cannot detect them effectively. To collect information about potential threats, discover new tools, determine attack signatures and study attackers' motives, honeypot technology emerged: a carefully arranged network trap that attracts attackers. Traditional honeypots are mainly server-side honeypots, but web viruses run on the client side; Lance Spitzner therefore first proposed the concept of the client honeypot (client-side honeypot or honeyclient).
Unlike a traditional honeypot, a client honeypot targets the security vulnerabilities that may exist in client software: it actively visits servers by opening client software, monitors for abnormal behaviour, and tracks and analyses unknown malicious programs, thereby achieving research and protection objectives. Client honeypots mainly target Web browsers and e-mail clients, so they need data sources and face the challenge of achieving broad network coverage. To solve this, the client honeypot is combined with a crawler (spider), which crawls network URLs to find malware that may be executed by client software. Essentially every client of this kind involves three consecutive processing steps: first, all objects to be processed are placed in a queue; then the client requests the objects in the queue; finally, the objects in the queue are analysed to determine whether they contain malicious components. While objects are being requested and processed, the object queue may be expanded.
Sandbox filtering technology: the main technical problem for a gateway-level security product that blocks malicious web pages is how to judge whether a web page is malicious. The malicious code in most malicious web pages today is written in JavaScript; this JavaScript triggers vulnerabilities in local ActiveX controls through heap spray techniques to download and run Trojans, and the malicious JavaScript is generally obfuscated and encrypted to evade detection (the specification includes a sample of such code taken from a real malicious web page). Faced with obfuscated, encrypted JavaScript, the simple approach of identifying malicious web pages by keyword search fails. The most effective approach is to actually parse and execute the JavaScript of the web page in a virtual environment, using built-in HTML and JavaScript analysis engines, and to track the behaviour of the JavaScript code during parsing and execution, such as creating ActiveX controls and requesting large amounts of memory in a concentrated way, so that malicious web pages are identified accurately. This detection mode is called sandbox detection, and in theory its detection rate is very high.
However, when this detection scheme is actually implemented, the built-in HTML and JavaScript analysis engines of the detection program may not be functionally complete, some behaviours may deviate from a real browser, and the running environment is after all different from a real client computer. In short, there are always some differences from a browser, and the author of a malicious web page can use these differences to evade the detection program's follow-up analysis. That is, before running its malicious code, the malicious web page first checks whether it is running in a real browser; if not, it does nothing, and because the malicious code never runs, the detection program's built-in HTML and JavaScript engines cannot discover that the page is malicious. Conversely, when the malicious web page finds that it is running in a real browser, it runs the malicious code. Several possible ways of doing this are described below:
1. In the DOM, some objects have many aliases, for example:
document.location, window.location and document.URL are equivalent;
window, window.window, window.self, window.parent and window.self.self.self.self are equivalent;
any global variable automatically becomes a member of window.
A malicious web page can use this to detect whether it is running in a real browser. If the JavaScript analysis engine implemented in the security product does not fully implement these DOM properties, the malicious code can discover this and the malicious web page escapes detection.
2. Using certain functions of HTML tags to test whether the current running environment is a sandbox or a browser. For example, a meta tag that sets Set-Cookie with the HttpOnly attribute: the HTML specification states that once HttpOnly is used, the cookie set by that meta tag cannot be accessed by scripts in the page. If the security product's JavaScript analysis engine implements some characteristics of meta incompletely, this may be used by a malicious web page to escape detection.
3. Image is a built-in JavaScript object. An object can be created with the statement var img = new Image(); after the Image object is created, the statement img.src = "http://www.exist.com/a.jpg" fetches a picture from the network. When a browser encounters this statement it sends an HTTP request to www.exist.com to obtain the picture a.jpg. If the picture is obtained successfully from www.exist.com, the browser calls the onload() method of img; if the picture does not exist on www.exist.com, or www.exist.com does not exist, the browser calls the onerror() method of img. A malicious web page can use these characteristics to judge whether the current running environment is a sandbox or a browser.
4. When a syntax error or an infinite recursive function call occurs in JavaScript code, the browser calls window.onerror(). By deliberately introducing a syntax error or an infinite recursion, a malicious web page can judge whether the current running environment is a sandbox or a browser. If the security product's sandbox implements error handling incompletely, for instance stopping parsing when it meets a syntax error instead of calling window.onerror as a browser would, this may be used by a malicious web page to escape detection.
There are many other methods that can be used, such as testing the characteristics of Ajax, the processing order of events, plug-ins, and the same-origin policy, to detect whether the current running environment is a browser or a sandbox.
The analysis above shows that, when sandbox detection is used to detect malicious web pages, the key point is to simulate the important characteristics of a browser as faithfully as possible.
However, both new and conventional techniques have certain shortcomings:
In current Web malicious code detection technology, the detection method normally used is mainly periodic detection based on comparison with a malicious code feature database. Its basic principle is: first obtain all linked addresses and content of the target application with a crawler, or periodically obtain the web page source code on the web application server; then check the content item by item against a predefined malicious code feature database, and use the matching result to decide whether a security problem exists.
This method has at least the following problems: 1) the malicious code feature database is difficult to make comprehensive, and its updates lag behind the appearance of new malicious code, so the detection results contain missed detections; 2) detection is a periodic activity and therefore has a certain lag; 3) in a large-scale deployment environment, malicious code detection is difficult to make real-time and efficient.
Summary of the invention
The object of the invention is to address the technical problems of the prior art described above by providing a fast and accurate web malicious code detection method and system, realising real-time web malicious code detection and improving its coverage.
The invention is achieved by the following technical solution: a Web malicious code detection method that, based on a web application source code repository, a malicious code feature database, web page code behaviour analysis, a white list and manual analysis, comprehensively detects and determines whether web malicious code is present; it comprises the following steps:
(1) A malicious code detection agent tool is installed on the web application server. It provides a real-time monitoring mechanism for write operations on the files of the specified web site directories; when a new file is written or the content of an existing file changes, the file identifier and file content of the changed file are packaged and transmitted in real time to the malicious code detection server;
(2) after the malicious code detection server receives the content submitted by the malicious code detection agent, it starts the detection mechanism;
(3) the detection result of step (2) is determined;
(4) an alarm is raised for suspected malicious code;
(5) the security detection result is returned to the malicious code detection agent, which records the result.
Further, the malicious code detection agent tool in step (1) runs automatically when the operating system starts.
Further, the detection mechanism in step (2) comprises the following steps:
A. Extract the file identifier and content and check them against the white list; if the file matches the white list, perform step (5);
B. Obtain the latest version of the file from the web application source code repository according to the file identifier, compare it with the file content submitted by the malicious code detection agent, and record the comparison result;
C. Match the file content submitted by the malicious code detection agent against the malicious code feature database and record the result;
D. Perform behaviour analysis on the file content submitted by the malicious code detection agent, judge whether the web page has malicious attributes, and record the detection result.
Further, in step (3), if any of the detection results of steps (b), (c) and (d) of step (2) is abnormal, step (4) is performed and an alarm is raised.
Further, the alarm for suspected malicious code consists of raising a real-time alarm for the detection result and recording it to a database.
Further, the alarm for suspected malicious code is followed by manual processing of the detection result; if the file is judged to be normal, its file identifier and content are added to the malicious code detection server white list.
A Web malicious code detection system comprises: a malicious code detection agent module, a malicious code detection server white list module, a source code repository query and detection module, a malicious code feature detection module, a malicious code behaviour detection module, a detection result determination and alarm module, a detection result query module and a management module;
the malicious code detection agent module is used to monitor file changes on the Web server, submit the identifier and content of changed files to the malicious code detection server, and obtain the detection result;
the malicious code detection server white list module is used to perform a white list query on the target file and output the result;
the source code repository query and detection module is used to query the application source code for the file, compare it with the target file, and output the result;
the malicious code feature detection module is used to perform malicious code feature detection on the target file and output the result;
the malicious code behaviour detection module, based on an analysis engine, is used to execute the target file, track its behaviour, and output the detection result;
the detection result determination and alarm module is used to determine the detection result and raise alarms in various ways;
the detection result query module allows the administrator to query alarm results and historical detection results;
the management module is used to administer and maintain the white list, the malicious code feature database and the malicious code behaviour rules.
In summary, owing to the above technical solution, the invention has the following beneficial effects: through the integrated use of comparison against the web application source code repository, the malicious code feature database, web page code behaviour analysis, the white list and manual analysis, the invention effectively addresses missed detections, improves the accuracy of malicious code detection, balances the inherent trade-off between the false alarm rate and the missed alarm rate, improves the response efficiency of the detection process, and solves the problem that malicious code cannot be found quickly and effectively in large-scale deployment scenarios.
Description of the drawings
Examples of the invention are described with reference to the accompanying drawings, in which:
Fig. 1 is a schematic flow chart of the detection method of the invention;
Fig. 2 is a schematic diagram of the relationships between the system modules of the invention;
Fig. 3 is a schematic block diagram of the white list establishment and maintenance process of the invention;
Fig. 4 is a schematic block diagram of the malicious code feature database establishment and maintenance process of the invention.
Detailed description
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except where features and/or steps are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
As shown in Figs. 1 and 2, a Web malicious code detection method, based on a web application source code repository, a malicious code feature database, web page code behaviour analysis, a white list and manual analysis, comprehensively detects and determines whether web malicious code is present; it comprises the following steps:
(1) A malicious code detection agent tool is installed on the web application server. The agent tool runs automatically when the operating system starts and provides a real-time monitoring mechanism for write operations on the files of the specified web site directories; when a new file is written or the content of an existing file changes, the file identifier and content of the changed file are packaged and transmitted in real time to the malicious code detection server.
The malicious code detection agent tool can be deployed on multiple web servers that communicate with the malicious code detection server at the same time, so as to realise malicious code detection in a large-scale web deployment environment. The malicious code detection server identifies each agent tool by its IP address and host name.
(2) After the malicious code detection server receives the content submitted by the malicious code detection agent, it starts the detection mechanism. The specific steps are:
A. Extract the file identifier, file path and file content, compute the hash, and record them in the file database. Then check against the white list. If the file matches the white list, perform step (5); otherwise continue with step (b). The file white list is maintained separately by the malicious code detection server and records the file identifier, file path, file hash, detailed file content and so on;
B. Obtain the latest version of the file from the web application source code repository according to the file identifier and compare it with the file content submitted by the malicious code detection agent. Record the comparison result. This function is realised by the source code repository query and detection module, which supports the mainstream source code management tools such as svn, git and SourceSafe, not enumerated here;
C. Match the file content submitted by the malicious code detection agent against the malicious code feature database and record the result;
D. Perform behaviour analysis on the file content submitted by the malicious code detection agent: in a virtual environment, parse and execute it with the built-in analysis engine and track its behaviour, judge whether the web page has malicious attributes, and record the detection result. The behaviour analysis of the target code covers two aspects: on the one hand, the runtime behaviour of the program code towards the web server after execution, to judge the harm it may cause to the web server; on the other hand, behaviour analysis of the HTML and JavaScript code it produces, to judge the harm it may cause to the end user who browses it.
(3) Detection result determination. Specifically, if any of the detection results of steps B, C and D is abnormal, step (4) is performed and an alarm is raised.
(4) Alarm for suspected malicious code. Specifically: first, a real-time alarm is raised for the detection result and it is recorded to a database. Second, the detection result is processed manually; if it is judged to be normal, the file identifier and content are added to the malicious code detection server white list; if it is judged to be malicious code, its features are analysed and added to the malicious code feature database.
(5) The security detection result is returned to the malicious code detection agent, which records the result.
As shown in Fig. 3, the white list establishment and maintenance process and the rules of the white list repository are as follows.
The file white list repository is maintained by the white list module in the malicious code detection server, and the user establishes the white list repository through the management module. A white list entry can be created from the analysis result in step D (step 7), or initiated directly by the user. The steps are:
First: the user initiates the addition or deletion of a white list entry in the management module. Two kinds of white list entry can be specified: based on the concrete file path, or based on the file identifier. The concrete file path is the relative or absolute path of the file on the business server; if the white list is established in this way, the white list module verifies only the file path and file name and does not verify the file hash. The file identifier is the unique identifier maintained by the management module for each file; it is related to the file path and the hash of the file content. If the white list is established in this way, the white list module verifies the file identifier, including the file path, file name, file hash and so on;
Second: according to the file path or file identifier specified by the user, the white list module extracts the file identifier, file path and file hash from the file database and, according to the white list type, adds the entry to the white list database or deletes it from the white list database. The content of the file database is established by step B of step (2).
As shown in Fig. 4, the malicious code feature database establishment and maintenance process and rules are as follows:
The malicious code feature database can be maintained by calling the malicious code behaviour detection module from the management module, or by importing external data, with features established from large-scale malicious code sample data.
First, features are established from large-scale malicious code sample data. An initial large sample set is obtained by collecting and detecting the malicious code targeting web applications that is popular on the network; unified feature analysis is performed on these samples and the initial malicious code feature database is established;
Second, during system operation, the alarm content of step (4) is analysed manually; if it is judged to be malicious code, its features are extracted and added to the malicious code feature database.
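The server-side pipeline of steps (2) to (4) together with the white list rules of Fig. 3 and the feature database update of Fig. 4, as an added example that is not part of the patent: a minimal detection server that records each submission in a file database, applies path-based and identifier-based white list entries, compares the submission with the repository version, matches the feature database, alarms on any abnormal result, and feeds manual-review outcomes back into the white list or the feature database. Step D (sandboxed behaviour analysis) is omitted; the hosts, paths, file identifiers, file contents and signature patterns are constructed, and an in-memory dict stands in for the svn/git repository.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Submission:
    """What the agent transmits on a write: host identity, file identifier, path, content (constructed)."""
    host: str
    file_id: str
    path: str
    content: bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class DetectionServer:
    # White list rules from the specification: a path-based entry verifies only the path/name,
    # an identifier-based entry verifies the file identifier together with its path and hash.
    whitelist_paths: set = field(default_factory=set)
    whitelist_ids: dict = field(default_factory=dict)   # file_id -> (path, sha256)
    source_repo: dict = field(default_factory=dict)     # path -> latest committed content (stands in for svn/git)
    signatures: list = field(default_factory=list)      # compiled patterns of the feature database
    file_db: dict = field(default_factory=dict)         # file_id -> (path, sha256), the file database
    alerts: list = field(default_factory=list)          # (host, file_id, path, result) alarm records

    def add_signature(self, pattern: bytes) -> None:
        self.signatures.append(re.compile(pattern, re.IGNORECASE))

    # step A: white list check (detect() has already recorded the file in file_db)
    def whitelisted(self, sub: Submission) -> bool:
        if sub.path in self.whitelist_paths:
            return True
        return self.whitelist_ids.get(sub.file_id) == (sub.path, sub.sha256())

    # step B: compare with the latest version held in the source code repository
    def compare_with_repo(self, sub: Submission) -> str:
        committed = self.source_repo.get(sub.path)
        if committed is None:
            return "not_in_repo"
        return "match" if committed == sub.content else "differs"

    # step C: match the submitted content against the malicious code feature database
    def matched_signatures(self, sub: Submission) -> list:
        return [sig.pattern.decode() for sig in self.signatures if sig.search(sub.content)]

    def detect(self, sub: Submission) -> dict:
        self.file_db[sub.file_id] = (sub.path, sub.sha256())
        if self.whitelisted(sub):
            return {"verdict": "whitelisted", "alert": False}
        repo = self.compare_with_repo(sub)
        sigs = self.matched_signatures(sub)
        abnormal = repo != "match" or bool(sigs)   # step (3): any abnormal result triggers step (4)
        result = {"verdict": "suspect" if abnormal else "clean", "repo": repo,
                  "signatures": sigs, "alert": abnormal}
        if abnormal:
            self.alerts.append((sub.host, sub.file_id, sub.path, result))   # step (4): real-time alarm record
        return result

    # outcomes of the manual analysis in step (4)
    def confirm_benign(self, file_id: str) -> None:
        self.whitelist_ids[file_id] = self.file_db[file_id]    # identifier-based white list entry

    def confirm_malicious(self, pattern: bytes) -> None:
        self.add_signature(pattern)                             # extracted feature joins the feature database


# Constructed sample content; the appended line is the kind of fragment a feature-database entry flags.
BENIGN_INDEX = b"<?php include 'lib.php'; render_home(); ?>\n"
TAMPERED_INDEX = BENIGN_INDEX + b"<?php eval(base64_decode('QUJD')); ?>\n"


def build_demo_server() -> DetectionServer:
    srv = DetectionServer()
    srv.source_repo["/var/www/site/index.php"] = BENIGN_INDEX
    srv.whitelist_paths.add("/var/www/site/cache/stats.txt")   # path-based entry: content is never verified
    srv.add_signature(rb"eval\s*\(\s*base64_decode\s*\(")
    srv.add_signature(rb"document\.write\s*\(\s*unescape\s*\(")
    return srv


def run_demo() -> dict:
    srv = build_demo_server()
    out = {}
    tampered = Submission("web01", "f001", "/var/www/site/index.php", TAMPERED_INDEX)
    out["tampered"] = srv.detect(tampered)              # differs from repository and hits one signature
    srv.confirm_malicious(rb"base64_decode\s*\(\s*'QUJD'\s*\)")   # reviewer extracts a second feature
    out["tampered_after_update"] = srv.detect(tampered)
    out["unchanged"] = srv.detect(Submission("web01", "f001", "/var/www/site/index.php", BENIGN_INDEX))
    out["cache_path"] = srv.detect(Submission("web02", "f002", "/var/www/site/cache/stats.txt", b"hits=42"))
    unknown = Submission("web02", "f003", "/var/www/site/upload/x.php", b"<?php echo 'ok'; ?>\n")
    out["unknown_first"] = srv.detect(unknown)          # not in the repository: alarm, pending manual review
    srv.confirm_benign("f003")                          # reviewer judges it normal
    out["unknown_after_review"] = srv.detect(unknown)   # same identifier, path and hash: white-listed
    out["unknown_modified"] = srv.detect(Submission("web02", "f003", unknown.path, unknown.content + b"//\n"))
    out["alert_count"] = len(srv.alerts)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Note that the path-based entry accepts any content at that path, which is exactly the weaker of the two white list kinds the specification describes; the identifier-based entry stops matching as soon as the hash changes.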
The specific embodiments described above further explain the object, technical solution and beneficial effects of the invention. It should be understood that the foregoing is only a specific embodiment of the invention and does not limit the invention. The invention extends to any new feature or any new combination disclosed in this specification, and to the steps of any new method or process disclosed, or any new combination thereof.

Claims (9)

1. A Web malicious code detection method, characterised in that: based on a web application source code repository, a malicious code feature database, web page code behaviour analysis, a white list and manual analysis, it comprehensively detects and determines whether web malicious code is present; it comprises the following steps:
(1) A malicious code detection agent tool is installed on the web application server. It provides a real-time monitoring mechanism for write operations on the files of the specified web site directories; when a new file is written or the content of an existing file changes, the file identifier and file content of the changed file are packaged and transmitted in real time to the malicious code detection server;
(2) after the malicious code detection server receives the content submitted by the malicious code detection agent, it starts the detection mechanism;
(3) the detection result of step (2) is determined;
(4) an alarm is raised for suspected malicious code;
(5) the security detection result is returned to the malicious code detection agent, which records the result.
2. Web malicious code detecting method according to claim 1, is characterized in that, the Malicious Code Detection in described step (1) is acted on behalf of instrument and automatically run when os starting.
3. The Web malicious code detection method according to claim 1, characterized in that the detection mechanism in step (2) comprises the following steps:
A. extract the file identifier and content and check them against the white list; if the file matches the white list, perform step (5);
B. according to the file identifier, obtain the latest version of the file's content from the web application source code repository, compare it with the file content submitted by the malicious code detection agent, and record the comparison result;
C. match the file content submitted by the malicious code detection agent against the malicious code feature database, and record the result;
D. perform behaviour analysis on the file content submitted by the malicious code detection agent, judge whether the web page contains malicious attributes, and record the detection result.
4. The Web malicious code detection method according to claim 1, characterized in that in step (3), if the detection result of any one of steps (b), (c) and (d) of step (2) is abnormal, step (4) is performed and an alarm is raised.
5. The Web malicious code detection method according to claim 1, characterized in that the suspected malicious code alarm consists of raising a real-time alert for the detection result and recording it to a database.
6. The Web malicious code detection method according to claim 1, characterized in that the suspected malicious code alarm is handled by manual processing of the detection result; if the file is judged to be normal, its file identifier and content are added to the white list of the malicious code detection server.
7. A Web malicious code detection system, characterized in that it comprises: a malicious code detection agent module, a malicious code detection server white list module, a source code repository query and detection module, a malicious code feature detection module, a malicious code behaviour detection module, a detection result judgement and alarm module, a detection result query module and a management module;
the malicious code detection agent module is used to monitor changes to the web server's files, submit the identifier and content of each changed file to the malicious code detection server, and obtain the detection result;
the malicious code detection server white list module is used to perform a white list query on the target file and output the result;
the source code repository query and detection module is used to query the application source code for the file, compare it with the target file, and output the result;
the malicious code feature detection module is used to perform malicious code feature detection on the target file and output the result;
the malicious code behaviour detection module, based on an analysis engine, is used to execute the target file, track its behaviour and output the detection result;
the detection result judgement and alarm module is used to judge the detection result and raise alarms in various ways;
the detection result query module is used by the administrator to query alarm results and historical detection results;
the management module is used to manage and maintain the white list, the malicious code feature database and the malicious code behaviour rules.
8. The Web malicious code detection system according to claim 6, characterized in that the malicious code detection server white list module is set up and maintained through an entry form; the concrete steps comprise: first, the user initiates the addition or deletion of a white list entry in the management module; next, the white list module adds the entry specified by the user to the white list database, or deletes the content from the white list database.
9. The Web malicious code detection system according to claim 7, characterized in that a white list entry can be added in either of two ways, giving two whitelist file types: one based on the concrete file path and one based on the file identifier;
the concrete file path is the relative or absolute path of the file on the business server; if a white list entry is established in this way, the white list module verifies only the file path and file name and does not verify the file hash;
the file identifier is the unique identifier that the management module maintains for each file; it is derived from the file path and the hash of the file content; when a white list entry is established in this way, the white list module verifies the file identifier, and the file identifier comprises the file path, the file name and the file hash.
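The following is an added illustration of the server-side pipeline in claims 3, 4, 6 and 9 (white list check in both modes, source repository comparison, feature database match, and the "any anomaly alarms" rule), written here for this page and not code from the patent or its assignee; the repository contents, feature strings, paths and the use of SHA-256 as the file hash are constructed assumptions, and the behaviour analysis of step D is not modelled.

```python
import hashlib

# Constructed stand-ins for the patent's data stores (not real application data).
SOURCE_REPO = {                       # web application source code repository: path -> latest content
    "app/index.php": "<?php echo 'hello'; ?>",
    "app/util.php": "<?php function f() { return 1; } ?>",
}
FEATURE_DB = ["eval(base64_decode(", "assert($_REQUEST"]   # malicious code feature database
WHITELIST_PATHS = {"app/cache/data.php"}   # path-based entries: path and name only, hash not checked
WHITELIST_IDS = set()                      # identifier-based entries: (path, name, hash) tuples


def file_identifier(path, content):
    """File identifier as in claim 9: path, file name and content hash (SHA-256 assumed)."""
    name = path.rsplit("/", 1)[-1]
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    return (path, name, digest)


def in_whitelist(path, content):
    """Step A: path-based entries match on path only; id-based entries also require the hash."""
    if path in WHITELIST_PATHS:
        return True
    return file_identifier(path, content) in WHITELIST_IDS


def agent_changes(previous_snapshot, current_files):
    """Agent side (claim 1, step 1): files that are new or whose content changed since last snapshot."""
    return {p: c for p, c in current_files.items() if previous_snapshot.get(p) != c}


def detect(path, content):
    """Server side: steps A to C of claim 3 and the decision rule of claim 4; returns the record."""
    record = {"path": path, "whitelist": False, "source_diff": None, "features": [], "alarm": False}
    if in_whitelist(path, content):          # step A: whitelisted files skip straight to step (5)
        record["whitelist"] = True
        return record
    latest = SOURCE_REPO.get(path)           # step B: compare with latest version in the repository
    if latest is None:
        record["source_diff"] = "new file"
    elif latest != content:
        record["source_diff"] = "modified"
    else:
        record["source_diff"] = "identical"
    record["features"] = [f for f in FEATURE_DB if f in content]   # step C: feature match
    # claim 4: an anomaly in any of steps B or C (D not modelled here) raises the alarm
    record["alarm"] = record["source_diff"] != "identical" or bool(record["features"])
    return record


def whitelist_after_manual_review(path, content):
    """Claim 6: an analyst judged the file normal, so its identifier (path, name, hash) is whitelisted."""
    WHITELIST_IDS.add(file_identifier(path, content))
```

Because an identifier-based entry carries the content hash, a later modification of the same file falls out of the white list again, whereas a path-based entry keeps matching whatever the file contains.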
CN201510967518.7A 2015-12-21 2015-12-21 Web malicious code detection method and system Pending CN105491053A (en)


Publications (1)

Publication Number Publication Date
CN105491053A true CN105491053A (en) 2016-04-13

Family

ID=55677767



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160413