CN106033511A - Method and device for preventing website data from leaking - Google Patents
- Publication number: CN106033511A (application CN201510116924.2A)
- Authority: CN (China)
- Prior art keywords: file, operating system, write, web page, page server
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Storage Device Security (AREA)
Abstract
The invention provides a method and a device for preventing website data from leaking. The operating-system call interfaces used by the web server process are intercepted and each intercepted call is checked for legality; this prevents the web server process from being controlled maliciously and keeps its calls into the operating-system interfaces safe. A maliciously controlled web server process can therefore neither leak data from an important data source out of the web server nor tamper with important data on the operating system's disk. The website system keeps running on its original web server, no permission needs to be withdrawn from the web server, and the ISV retains all permissions on it. This avoids the prior-art problem that withdrawing all administrative permissions to the server forces the website system to be reworked, so the migration cost is zero.
Description
Technical field
The present application relates to the fields of communication and computing, and in particular to a method and device for preventing website data from leaking.
Background technology
Driven by business needs, an ISV (independent software vendor) buys servers and deploys its website system on them for its customers, such as the merchants and sellers of various shopping sites; the website system may be, for example, a customised order-management system. Because the technical and personnel-management standards of ISVs vary widely, while their systems hold large amounts of important merchant and consumer information, data are easily leaked from the server through vulnerabilities and careless personnel management. A common scenario is that a malicious attacker obtains privileges through some special channel, pulls important information such as merchant and consumer order data directly out of the website system, and downloads it.
The existing way to avoid data leaking from the server is to withdraw all administrative permissions to the server: the ISV can only upload the code files of the website system through a customised back-end management system, which reduces the chances for the ISV to introduce vulnerabilities. Although this scheme can to some extent prevent the data leakage caused by an intrusion of the server host, the ISV can no longer modify the website system by logging in to the server, because it holds no server administration permission. Without permission on the server host the customisability of the website system is very poor: only website systems written in a specific development language can be deployed, and porting an existing website system onto such a server is very costly, possibly requiring the website system's code files to be rewritten.
Summary of the invention
The purpose of the present application is to provide a method and device for preventing website data from leaking, capable of ensuring the safety of the web server process's calls into the operating-system interfaces.
In view of this, according to one aspect of the application, a method for preventing website data from leaking is provided, comprising:
intercepting the operating-system call interfaces of the web server process; and
performing a legality check on each intercepted operating-system call interface, letting the call through if it is legal and refusing it if it is illegal.
Further, the operating-system call interfaces of the web server process are intercepted by means of API hooking.
Further, when intercepting by means of API hooking, the API hooks intercept the calls to the operating-system interfaces at the lowest level of the application layer of the web server process.
Further, the legality check on the intercepted operating-system call interface (letting it through if legal, refusing it if illegal) comprises:
performing a legality check on the network address requested in the intercepted operating-system call;
if legal, establishing a connection between the web server process and that network address;
if illegal, refusing to establish the connection between the web server process and that network address.
Further, after the connection between the web server process and the network address has been established, at least one of the following operations is performed:
requesting data from the network address;
sending data to the network address.
Further, the legality check on the intercepted operating-system call interface (letting it through if legal, refusing it if illegal) comprises:
performing a legality check on the file-write operation in the intercepted operating-system call;
if legal, allowing the file to be written to the disk of the operating system;
if illegal, refusing to write the file to the disk of the operating system.
Further, after the file has been allowed onto the disk of the operating system, the method also includes: judging whether the written file is a suspected high-risk file and, if so, raising an alarm for it and/or submitting it for confirmatory checking.
Further, the legality check on the intercepted operating-system call interface (letting it through if legal, refusing it if illegal) comprises:
performing a legality check on the file-write operation in the intercepted operating-system call;
if legal, judging whether the file to be written is a suspected high-risk file: if so, refusing to write it to the disk of the operating system; if not, allowing the write;
if illegal, refusing to write the file to the disk of the operating system.
Further, after the write to the disk of the operating system has been refused, at least one of the following operations is performed on the illegal file or suspected high-risk file:
raising an alarm;
confirmatory checking.
Further, whether the written file is a suspected high-risk file is judged by at least one of the following:
a keyword check on the written file;
a format legality check on the written file;
a behaviour check on the write event of the file.
According to another aspect of the application, a device for preventing website data from leaking is also provided, comprising:
a first device for intercepting the operating-system call interfaces of the web server process; and
a second device for performing a legality check on each intercepted operating-system call interface, letting the call through if it is legal and refusing it if it is illegal.
Further, the first device intercepts the operating-system call interfaces of the web server process by means of API hooking.
Further, the first device's API hooks intercept the calls to the operating-system interfaces at the lowest level of the application layer of the web server process.
Further, the second device is configured to perform a legality check on the network address requested in the intercepted operating-system call; if legal, it establishes the connection between the web server process and that network address; if illegal, it refuses to establish the connection between the web server process and that network address.
Further, the device also includes a third device for performing, after the connection between the web server process and the network address has been established, at least one of the following operations:
requesting data from the network address;
sending data to the network address.
Further, the second device is configured to perform a legality check on the file-write operation in the intercepted operating-system call; if legal, it allows the file to be written to the disk of the operating system; if illegal, it refuses to write the file to the disk.
Further, the device also includes a fourth device for judging, after the file has been allowed onto the disk of the operating system, whether the written file is a suspected high-risk file and, if so, raising an alarm for it and/or submitting it for confirmatory checking.
Further, the second device is configured to perform a legality check on the file-write operation in the intercepted operating-system call; if legal, it judges whether the file to be written is a suspected high-risk file, refusing the write to the disk of the operating system if so and allowing it if not; if illegal, it refuses to write the file to the disk.
Further, the device also includes a fifth device for performing, after the write to the disk of the operating system has been refused, at least one of the following operations on the illegal file or suspected high-risk file:
raising an alarm;
confirmatory checking.
Further, when the second device or the fourth device judges whether the written file is a suspected high-risk file, it does so by at least one of the following:
a keyword check on the written file;
a format legality check on the written file;
a behaviour check on the write event of the file.
Compared with the prior art, the application performs a legality check on each intercepted operating-system call interface. This prevents the web server process from being controlled maliciously, ensures that its calls into the operating-system interfaces are safe, and prevents a maliciously controlled web server process from leaking the data in an important data source out of the web server or tampering with important data on the disk of the operating system. At the same time the website system keeps running on its original web server, no permission needs to be withdrawn from the web server, and the ISV retains all permissions on it, which avoids the prior-art problem that withdrawing all administrative permissions to the server forces the website system to be reworked; the migration cost is zero.
Further, intercepting the operating-system call interfaces of the web server process by means of API hooking allows the interception to be performed efficiently. In particular, hooking the calls to the operating-system interfaces at the lowest level of the application layer means that the hook intercepts only the web server process and not other processes, reducing interference with anything else.
Further, the legality check on the network address requested in the intercepted operating-system call stops the web server process from requesting unauthorised network addresses, i.e. forbids it from freely initiating requests to arbitrary network addresses, which keeps the data obtained or sent over the subsequently established connection safe.
Further, the legality check on the file-write operation in the intercepted operating-system call stops the web server process from writing unauthorised files to disk, prevents the data on the disk from being tampered with, and keeps the hard-disk data safe.
Further, judging whether the written file is a suspected high-risk file guarantees that in certain special scenarios, even if a malicious attacker has got past the legality check on the file-write operation by some special means, the judgement on suspected high-risk files still discovers the malicious behaviour at the earliest moment.
Brief description of the drawings
Other features, objects and advantages of the application will become more apparent from the following detailed description of non-limiting embodiments made with reference to the drawings:
Fig. 1 shows a flow chart of a method for preventing website data from leaking according to one aspect of the application;
Fig. 2 shows a schematic diagram of the method for preventing website data from leaking of a preferred embodiment of the application;
Fig. 3 shows a flow chart of the method for preventing website data from leaking of another preferred embodiment of the application;
Fig. 4 shows a schematic diagram of the method for preventing website data from leaking of a further preferred embodiment of the application;
Fig. 5 shows a flow chart of the method for preventing website data from leaking of a further preferred embodiment of the application;
Fig. 6 shows a flow chart of the method for preventing website data from leaking of a further preferred embodiment of the application;
Fig. 7 shows a flow chart of the method for preventing website data from leaking of another preferred embodiment of the application;
Fig. 8 shows a flow chart of the method for preventing website data from leaking of a further preferred embodiment of the application;
Fig. 9 shows a structural diagram of a device for preventing website data from leaking according to another aspect of the application;
Fig. 10 shows a structural diagram of the device for preventing website data from leaking of a preferred embodiment of the application;
Fig. 11 shows a structural diagram of the device for preventing website data from leaking of another preferred embodiment of the application;
Fig. 12 shows a structural diagram of the device for preventing website data from leaking of a further preferred embodiment of the application.
In the drawings, the same or similar reference signs denote the same or similar components.
Detailed description of the invention
In a typical configuration of the application, the terminal, the devices of the service network and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media that can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media exclude transitory media such as modulated data signals and carrier waves.
Fig. 1 shows a method for preventing website data from leaking according to one aspect of the application. With reference to Fig. 1, the method comprises:
Step S1: intercept the operating-system call interfaces of the web server process. Here the web server process runs the website system, which may be deployed by an ISV (independent software vendor) on a web server. The web server consists of an operating system and web server software; the website system is deployed through the web server software, which includes IIS (Internet Information Services), Apache (Apache HTTP Server) and the like. The operating-system call interface is the interface through which the web server process calls into the operating system, which may be a Windows operating system, a Linux operating system, etc.;
Step S2: perform a legality check on each intercepted operating-system call interface; if legal, let it through, if illegal, refuse it. Here the check is made against a preset policy: a call that passes the legality check is let through, a call that fails it is refused. This prevents the web server process from being controlled maliciously, ensures that its calls into the operating-system interfaces are safe, and prevents a maliciously controlled web server process from leaking the data in an important data source out of the web server or tampering with important data on the disk of the operating system. At the same time the website system keeps running on its original web server, no permission is withdrawn from the web server, and the ISV retains all permissions on it, which avoids the prior-art problem that withdrawing all administrative permissions to the server forces the website system to be reworked; the migration cost is zero.
In a preferred embodiment of the method for preventing website data from leaking, step S1 intercepts the operating-system call interfaces of the web server process by means of API (Application Programming Interface) hooking, so that the interception is performed efficiently.
In a more preferred embodiment of the method, the API hooks intercept the calls to the operating-system interfaces at the lowest level of the application layer of the web server process. According to the design principles of modern operating systems, an API hook at the bottom of the application layer does not interfere with other processes; it therefore intercepts only the web server process and not other processes, reducing interference with anything else. Concretely, the lowest application-layer modules of a Windows operating system include NTDLL and ws2_32. As shown in Fig. 2, inside the operating system of the web server the web server software (Apache, IIS, ...) exists as independent web server processes 21; each web server process 21 lives separately in the application layer of the operating system and does not interfere with the others. The NTDLL or ws2_32 module 22 is the lowest application-layer module of the web server process and serves as the checkpoint for the API hook. When a web server process 21 (Apache, IIS, ...) performs a file-write or network-request operation, its program code calls an interface inside NTDLL or ws2_32 module 22, which finally calls into the operating system kernel 23 to carry out the file or network operation. The check of the operating-system call is therefore made inside NTDLL or ws2_32 module 22, where a predefined policy decides whether to let the call through or to block it.
As shown in Fig. 3, in a preferred embodiment of the method, step S2 (the legality check on the intercepted operating-system call interface, letting it through if legal and refusing it if illegal) comprises:
Step S211: perform a legality check on the network address requested in the intercepted operating-system call; if legal, go to step S212, if illegal, go to step S213;
Step S212: establish the connection between the web server process and that network address;
Step S213: refuse to establish the connection between the web server process and that network address. This stops the web server process from requesting unauthorised network addresses, i.e. forbids it from freely initiating requests to arbitrary network addresses, and keeps the data obtained or sent over a subsequently established connection safe.
In a preferred embodiment of the method, after step S212 has established the connection between the web server process and the network address, at least one of the following operations is performed:
requesting data from the network address;
sending data to the network address.
In this way important data cannot be leaked through the web server process to an unauthorised network address outside the web server, and the web server process cannot obtain illegal data from an unauthorised network address, which keeps the data safe. For example, as shown in Fig. 4, the web server process 41 may be configured so that it can obtain important data only from the legal network address 42, and that important data may only stay inside the web server process 41 or be sent to the user's browser 43, never to another, illegal network address 44.
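As an added example, not code from the patent or from any product it describes, the following Python models the scheme of Fig. 2 to Fig. 4: a policy object that decides whether the destination of an intercepted connect() is a legal network address (step S211), and an in-process wrapper around socket.socket.connect that plays the role the patent assigns to the hook in ws2_32/NTDLL, i.e. it lives inside the web server process only and refuses the call (step S213) before any packet leaves. The allowlist, addresses and ports are assumed values constructed for the example. Because the real hook sees the sockaddr passed to connect(), the check is made on the resolved IP address, and anything it cannot parse fails closed.

```python
"""Added example: legality check for the network address of an intercepted connect().

Models steps S211-S213 of the patent. The allowlist, addresses and ports below are
constructed for the example (assumed values, not from the patent).
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class NetRule:
    network: object  # ipaddress.IPv4Network or ipaddress.IPv6Network
    ports: frozenset  # empty = any port on that network


class NetPolicy:
    """Preset policy: the web server process may only connect to listed destinations."""

    def __init__(self, allow):
        # allow: iterable of (cidr_or_ip, ports_or_None)
        self.rules = [
            NetRule(ipaddress.ip_network(cidr, strict=False), frozenset(ports or ()))
            for cidr, ports in allow
        ]

    def is_legal(self, host, port):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # the hook sees a sockaddr; anything unparsable fails closed
        return any(
            addr in rule.network and (not rule.ports or port in rule.ports)
            for rule in self.rules
        )


# Assumed deployment: the order database on 10.20.0.0/16:3306 and one partner API host.
POLICY = NetPolicy([("10.20.0.0/16", {3306}), ("203.0.113.10", {443})])
AUDIT = []  # what the hook would forward to the alarm / confirmation server


def decide_connect(policy, host, port):
    """The S211 decision as the hook sees it: 'allow' -> S212, 'deny' -> S213."""
    verdict = "allow" if policy.is_legal(host, port) else "deny"
    AUDIT.append(f"{verdict.upper()} connect {host}:{port}")
    return verdict


def install_connect_hook(policy):
    """In-process analogue of an API hook on ws2_32!connect: patches socket.socket.connect
    for this interpreter only, so other processes on the host are untouched."""
    if getattr(socket.socket.connect, "_leak_guard", False):
        return  # already installed
    original = socket.socket.connect

    def checked_connect(sock, address):
        host, port = address[0], address[1]
        if decide_connect(policy, host, port) == "deny":
            raise PermissionError(f"connect to {host}:{port} refused by policy")
        return original(sock, address)

    checked_connect._leak_guard = True
    socket.socket.connect = checked_connect


def probe(host, port):
    """Drive a real connect() through the hook. A refused destination returns 'denied'
    without any network I/O; an allowed one is actually attempted."""
    install_connect_hook(POLICY)
    with socket.socket() as sock:
        sock.settimeout(0.2)
        try:
            sock.connect((host, port))
            return "connected"
        except PermissionError:
            return "denied"
        except OSError:
            return "allowed-but-unreachable"


if __name__ == "__main__":
    print(probe("198.51.100.7", 25))            # denied: not in the allowlist
    print(decide_connect(POLICY, "10.20.3.4", 3306))  # allow: the order database
    print(AUDIT)
```

The wrapper is installed once per process and refuses before the original connect() runs, which is the property the patent relies on: data can only travel to the legal address 42 or the browser 43. A hook that lives in the same process as the code it guards is, however, reachable by that code, which is why the patent adds the high-risk file judgement as a second layer for the case in which the legality check has been got past.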
As shown in Fig. 5, in a preferred embodiment of the method, step S2 (the legality check on the intercepted operating-system call interface, letting it through if legal and refusing it if illegal) comprises:
Step S221: perform a legality check on the file-write operation in the intercepted operating-system call; if legal, go to step S222, if illegal, go to step S223. Here, legal file-write operations may include the web server process writing its normal log files, users uploading legal picture files, and so on;
Step S222: allow the file to be written to the disk of the operating system;
Step S223: refuse to write the file to the disk of the operating system. This stops the web server process from writing unauthorised files to disk, prevents the data on the disk from being tampered with, and keeps the hard-disk data safe.
As shown in Fig. 6, in a preferred embodiment of the method, after step S222 (allowing the file to be written to the disk of the operating system) the method also includes:
Step S224: judge whether the written file is a suspected high-risk file; if so, raise an alarm for it and/or submit it for confirmatory checking. Here, without slowing down the write itself, the content of the written file may be scanned against preset rules to decide whether it is a suspected high-risk file; when such a file is met, an alarm is raised and/or the file is submitted to a dedicated server for a stricter confirmatory check. This guarantees that in certain special scenarios, even if a malicious attacker has got past the legality check on the file-write operation by some special means, the judgement on suspected high-risk files still discovers the malicious behaviour at the earliest moment and triggers an early warning or further confirmation. If the file is not a suspected high-risk file, nothing needs to be done.
As shown in Fig. 7, in a preferred embodiment of the method, step S2 (the legality check on the intercepted operating-system call interface, letting it through if legal and refusing it if illegal) comprises:
Step S231: perform a legality check on the file-write operation in the intercepted operating-system call; if legal, go to step S232, if illegal, go to step S233;
Step S232: judge whether the file to be written is a suspected high-risk file; if so, go to step S233, if not, go to step S234. Here the content to be written may be scanned against preset rules to decide whether it is a suspected high-risk file;
Step S233: refuse to write the file to the disk of the operating system;
Step S234: allow the file to be written to the disk of the operating system. Unlike the embodiment of steps S221 to S223, which writes the file to disk as soon as the legality check passes and only afterwards, in step S224, checks the written file for high risk, steps S231 to S234 of this embodiment write the file to the disk of the operating system only when both the legality check and the high-risk check have passed. This guarantees that in certain special scenarios, even if a malicious attacker has got past the legality check on the file-write operation by some special means, the judgement on suspected high-risk files still discovers the malicious behaviour at the earliest moment, and the files that reach the disk are reliable. This embodiment can be implemented on equipment with higher data-processing capacity.
As shown in Fig. 8, in a preferred embodiment of the method, after step S233 the method also includes:
Step S235: raise an alarm for the suspected high-risk file and/or submit it for confirmatory checking. Here, when a suspected high-risk file is met, an alarm is raised and/or the file is submitted to a dedicated server for a stricter confirmatory check.
In a preferred embodiment of the method, in step S224 or step S232 whether the written file is a suspected high-risk file is judged by at least one of the following:
a keyword check on the written file;
a format legality check on the written file;
a behaviour check on the write event of the file,
so that suspected high-risk files are judged more effectively. The behaviour check on the write event means that, for a file of a specific executable format, such as one whose suffix is asp, php or jsp, or a file of another uncommon or unknown format, an isolated write operation at some point in time can be taken to define the file as high-risk.
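As an added example, not code from the patent, the following Python puts the two file-write embodiments side by side: the legality check of steps S221/S231, the three high-risk judgements just listed (keyword check, format legality check, behaviour check on the write event), and a decision hook that runs either as Fig. 6 (write, then scan and alarm) or as Fig. 7/8 (scan, refuse high-risk writes, then alarm). The writable directories, accepted suffixes, keyword markers, file headers, the 60-second isolation window and the sample paths and bytes are all assumed values constructed for the example.

```python
"""Added example: legality check plus suspected-high-risk classification for an
intercepted file write (steps S221-S224 and S231-S235 of the patent).

Directories, suffixes, keywords, headers and the isolation window are constructed
for the example (assumed values, not from the patent).
"""
import posixpath
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Legal writes: directory -> suffixes the web server process may write there.
ALLOWED_WRITES = {
    "/var/www/uploads": {".jpg", ".png", ".gif"},  # user-uploaded pictures
    "/var/log/httpd": {".log"},                    # the server's own logs
}
EXEC_SUFFIXES = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}
COMMON_SUFFIXES = EXEC_SUFFIXES | {".jpg", ".png", ".gif", ".log", ".txt", ".html", ".css", ".js"}
# Cheap first-pass markers of server-side code hiding in a "data" file.
KEYWORDS = {
    "php tag": rb"<\?php", "asp/jsp tag": rb"<%", "eval(": rb"\beval\s*\(",
    "base64_decode(": rb"base64_decode\s*\(", "system(": rb"\bsystem\s*\(",
    "shell_exec": rb"shell_exec", "Runtime.getRuntime()": rb"Runtime\.getRuntime\(\)",
}
# Expected file headers for the formats the upload directory accepts.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
ISOLATION_WINDOW = 60.0  # seconds: no other write to the same directory -> isolated


@dataclass
class WriteEvent:
    path: str
    ts: float


def write_is_legal(path):
    """S221/S231: legal only inside a listed directory, with a listed suffix, after
    normalising so that '..' cannot walk out of the directory."""
    p = PurePosixPath(posixpath.normpath(path))
    return any(PurePosixPath(d) in p.parents and p.suffix.lower() in suffixes
               for d, suffixes in ALLOWED_WRITES.items())


def keyword_check(content):
    """Keyword check: which markers of executable code appear in the written bytes."""
    return [label for label, pattern in KEYWORDS.items() if re.search(pattern, content)]


def format_check(path, content):
    """Format legality check: the header must match what the suffix claims."""
    sigs = MAGIC.get(PurePosixPath(path).suffix.lower())
    return sigs is None or content.startswith(sigs)


def behavior_check(path, ts, history):
    """Behaviour check on the write event: True (suspicious) when a file of an executable
    or uncommon/unknown type is written in isolation, i.e. nothing else landed in the
    same directory within ISOLATION_WINDOW. Ordinary data types never trigger it."""
    p = PurePosixPath(path)
    suffix = p.suffix.lower()
    if suffix in COMMON_SUFFIXES and suffix not in EXEC_SUFFIXES:
        return False
    neighbours = [e for e in history
                  if PurePosixPath(e.path).parent == p.parent and e.path != path
                  and abs(e.ts - ts) <= ISOLATION_WINDOW]
    return not neighbours


def high_risk_reasons(path, content, ts, history):
    """S224/S232: the file is a suspected high-risk file if any check fires."""
    reasons = []
    hits = keyword_check(content)
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    if not format_check(path, content):
        reasons.append("header does not match suffix")
    if behavior_check(path, ts, history):
        reasons.append("isolated write of executable/unknown type")
    return reasons


def on_file_write(path, content, ts, history, alerts, mode="pre"):
    """Decision hook for an intercepted write. mode='post' is Fig. 6: an illegal write is
    refused, a legal one is written and then scanned, and a high-risk file only raises an
    alarm. mode='pre' is Fig. 7/8: a legal write is scanned first and refused if high-risk."""
    if not write_is_legal(path):
        alerts.append(f"DENY illegal write {path}")
        return "deny"
    reasons = high_risk_reasons(path, content, ts, history)
    if reasons:
        alerts.append(f"HIGH-RISK {path}: " + "; ".join(reasons))  # alarm / confirmation
        if mode == "pre":
            return "deny"
    history.append(WriteEvent(path, ts))  # only files that actually reached the disk
    return "allow"


if __name__ == "__main__":
    alerts, history = [], []
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16                      # constructed sample
    webshell = b"\xff\xd8\xff" + b"<?php eval(base64_decode($_POST['c'])); ?>"
    print(on_file_write("/var/www/uploads/avatar.png", png, 1000.0, history, alerts))
    print(on_file_write("/var/www/uploads/avatar.jpg", webshell, 1001.0, history, alerts))
    print(on_file_write("/var/www/uploads/../../../etc/cron.d/job.log", b"*", 1002.0, history, alerts))
    print(alerts)
```

The polyglot upload (a valid JPEG header followed by PHP) passes the legality check and the format check, which is exactly the "got past the legality check by special means" case of the text; it is the keyword check that catches it, and whether the file still reaches the disk depends only on which of the two embodiments is running. Path normalisation happens before the directory test so that a traversal sequence in a legal-looking upload path is refused as an illegal write rather than scanned.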
As shown in Fig. 9, the application also provides a device 100 for preventing website data from leaking, comprising:
a first device 101 for intercepting the operating-system call interfaces of the web server process. Here the web server process runs the website system, which may be deployed by an ISV (independent software vendor) on a web server. The web server consists of an operating system and web server software; the website system is deployed through the web server software, which includes IIS (Internet Information Services), Apache (Apache HTTP Server) and the like. The operating-system call interface is the interface through which the web server process calls into the operating system, which may be a Windows operating system, a Linux operating system, etc.;
a second device 102 for performing a legality check on each intercepted operating-system call interface, letting it through if legal and refusing it if illegal. Here the check is made against a preset policy: a call that passes the legality check is let through, a call that fails it is refused. This prevents the web server process from being controlled maliciously, ensures that its calls into the operating-system interfaces are safe, and prevents a maliciously controlled web server process from leaking the data in an important data source out of the web server or tampering with important data on the disk of the operating system. At the same time the website system keeps running on its original web server, no permission is withdrawn from the web server, and the ISV retains all permissions on it, which avoids the prior-art problem that withdrawing all administrative permissions to the server forces the website system to be reworked; the migration cost is zero.
In a preferred embodiment of the device for preventing website data from leaking, the first device 101 intercepts the operating-system call interfaces of the web server process by means of API (Application Programming Interface) hooking, so that the interception is performed efficiently.
In a further preferred embodiment of the device for preventing website data from leaking of the present application, the first device 101 uses an API hook to intercept the calls made by the web server process to the operating system interface at the bottom of the application layer. According to the design principles of modern operating systems, an API hook at the bottom of the application layer does not interfere with other processes; such a hook therefore intercepts only the web server process and not other processes, which reduces interference with them. Concretely, the bottom of the application layer in a Windows operating system includes NTDLL, ws2_32, etc. As shown in Fig. 2, in the operating system of the web server, web server software such as Apache or IIS exists in the form of independent web server processes 21; each web server process 21 exists separately in the application layer of the operating system and does not interfere with the others. The NTDLL or ws2_32 module 22 is the module at the bottom of the application layer of the web server process and serves as the checkpoint for the API hook. When a web server process 21 of web server software such as Apache or IIS performs a file write operation or a network request operation, the program code in the web server process 21 calls the interfaces inside the NTDLL or ws2_32 module 22, which finally call into the operating system kernel 23 to carry out the file or network operation. The operating system call interface is therefore inspected in the NTDLL or ws2_32 module 22, and the predefined strategy decides whether to allow the call through or to intercept it.
In a preferred embodiment of the device for preventing website data from leaking of the present application, the second device 102 performs a legitimacy check on the network address requested in the intercepted operating system call interface: if legal, a connection between the web server process and that network address is established; if illegal, establishing the connection between the web server process and that network address is refused. This stops the web server process from requesting network addresses that are not permitted, i.e. it forbids the web server process from arbitrarily initiating requests to arbitrary network addresses, and guarantees the security of the data acquired or sent once the connection is established.
As shown in Fig. 10, in a preferred embodiment of the device for preventing website data from leaking of the present application, the device 100 further includes a third device 103, for performing at least one of the following operations after the connection between the web server process and the network address is established:
requesting data from the network address;
sending data to the network address.
This prevents important data from being illegally leaked by the web server process to an unpermitted network address outside the web server, and prevents the web server process from obtaining illegal data from an unpermitted network address, thus guaranteeing the security of the data. For example, as shown in Fig. 4, the web server process 41 may be configured so that it can obtain important data only from the legal network address 42, and that important data may only reside in the web server process 41 or be sent to the user's browser 43; it cannot be sent to another, illegal network address 44.
In a preferred embodiment of the device for preventing website data from leaking of the present application, the second device 102 performs a legitimacy check on the file write operation in the intercepted operating system call interface: if legal, writing the file to the operating system's disk is allowed; if illegal, writing the file to the operating system's disk is refused. Here, legal file write operations may include allowing the web server process to write normal log files and allowing users to upload legal picture files, etc. The present embodiment can stop the web server process from writing unpermitted files to disk, preventing the data on the disk from being tampered with and guaranteeing the security of the hard disk data.
As shown in Fig. 11, in a preferred embodiment of the device for preventing website data from leaking of the present application, the device 100 further includes a fourth device 104, for judging, after writing the file to the operating system's disk has been allowed, whether the written file is a suspected high-risk file and, if so, raising an alarm for the suspected high-risk file and/or submitting it for confirmation checking. Here, while the efficiency of the file write is preserved, the content of the written file is scanned according to preset rules to determine whether it is a suspected high-risk file; when a suspected high-risk file is encountered, an alarm is raised and/or the file is submitted to a specific server for a stricter confirmation check. This guarantees that, in some special scenarios in which a malicious attacker has managed by some special measure to pass the legitimacy check of the file write operation in the intercepted operating system call interface, the malicious behaviour can still be discovered at the earliest moment by the judgement of suspected high-risk files, and an early warning or further confirmation can be initiated. If the file is not a suspected high-risk file, no further action is taken.
In a preferred embodiment of the device for preventing website data from leaking of the present application, the second device 102 performs a legitimacy check on the file write operation in the intercepted operating system call interface: if legal, it judges whether the file to be written is a suspected high-risk file, and if so, writing the file to the operating system's disk is refused, while if not, writing the file to the operating system's disk is allowed; if illegal, writing the file to the operating system's disk is refused. Here, the content of the file to be written can be scanned according to preset rules to determine whether it is a suspected high-risk file. This differs from the embodiment of Fig. 12 described above, in which the file is written to disk as soon as the legitimacy check of the file write operation passes, and from the subsequent embodiment of Fig. 13, in which a high-risk file check of the written file is added afterwards: in the present embodiment the second device 102 writes the file to the operating system's disk only when both the legitimacy check and the high-risk file check of the file write operation pass. This guarantees that, in some special scenarios in which a malicious attacker has managed by some special measure to pass the legitimacy check of the file write operation in the intercepted operating system call interface, the malicious behaviour can still be discovered at the earliest moment by the judgement of suspected high-risk files, guaranteeing the reliability of the files written to disk. The present embodiment can be implemented by a device with higher data-processing capability.
As shown in Fig. 12, in a preferred embodiment of the device for preventing website data from leaking of the present application, the device further includes a fifth device 105, for performing, after writing the file to the operating system's disk has been refused, at least one of the following operations on the illegal file or suspected high-risk file:
raising an alarm;
confirmation checking.
Here, when a suspected high-risk file is encountered, an alarm is raised and/or the suspected high-risk file is submitted to a specific server for a stricter confirmation check.
In a preferred embodiment of the device for preventing website data from leaking of the present application, when the second device 102 or the fourth device 104 judges whether the written file is a suspected high-risk file, it does so by at least one of the following:
performing a keyword check on the written file;
performing a format validity check on the written file;
performing a behaviour check on the events of the written file.
This judges suspected high-risk files more efficiently. Performing a behaviour check on the events of the written file means that, for files in a specific executable format, such as files with the suffix asp, php, jsp and the like, or other files of uncommon or unknown format, an isolated write operation occurring at some point in time can be taken to define a high-risk file.
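The legitimacy checks of the second device (requested network address, file write) and the three high-risk judgements listed above, carried into a small policy engine as an added example. It is not code from the patent; the allowlisted network, writable paths, script markers, deployment window and sample inputs are all constructed assumptions.

```python
# Added policy engine modelled on the page's second/fourth device. It is not the
# patent's code; the allowlists, script markers, deployment window and sample
# inputs below are constructed for illustration.
import fnmatch
import ipaddress
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Suffixes the page names as executable by the web server (asp, php, jsp ...).
EXECUTABLE_SUFFIXES = {".asp", ".aspx", ".php", ".jsp"}
# Keyword check: assumed markers of server-side code inside an "upload".
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%")
# Format validity check: a declared image type must begin with its magic bytes.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
# Suffixes whose routine writes (logs, uploads) need no behaviour check.
COMMON_DATA_SUFFIXES = set(IMAGE_MAGIC) | {".log", ".txt"}
# Constructed timestamp of the sample events (outside the deployment window).
SAMPLE_TIME = datetime(2015, 3, 17, 14, 30)


@dataclass
class Policy:
    """Preset strategy: what the web server process may connect to and write."""
    allowed_networks: list         # ip_network objects the process may reach
    allowed_write_globs: list      # path patterns: normal logs, legal uploads
    script_write_window: tuple     # (start, end) when deployments write scripts
    recent_script_writes: list = field(default_factory=list)


def default_policy() -> Policy:
    """Constructed sample strategy for an Apache host on Linux."""
    return Policy(
        allowed_networks=[ipaddress.ip_network("10.0.0.0/24")],  # internal data source
        allowed_write_globs=["/var/www/logs/*.log", "/var/www/uploads/*"],
        script_write_window=(datetime(2015, 3, 17, 2, 0), datetime(2015, 3, 17, 3, 0)),
    )


def check_network_request(policy: Policy, host: str) -> bool:
    """Legitimacy check for a connect intercepted in ws2_32: only allowlisted
    addresses may be reached; anything else, including unresolved names, is
    refused, so the process cannot send data to arbitrary hosts."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in policy.allowed_networks)


def check_file_write_legal(policy: Policy, path: str) -> bool:
    """Legitimacy check for a file write intercepted in NTDLL: the lexically
    normalised path (so '..' cannot escape) must match an allowed pattern."""
    norm = os.path.normpath(path)
    return any(fnmatch.fnmatch(norm, g) for g in policy.allowed_write_globs)


def high_risk_reasons(policy: Policy, path: str, content: bytes, when: datetime) -> list:
    """The three judgements the page lists for a suspected high-risk file;
    an empty list means the file is not suspected."""
    reasons = []
    suffix = os.path.splitext(path)[1].lower()
    # 1. keyword check on the written content
    if any(marker in content for marker in SCRIPT_MARKERS):
        reasons.append("keyword: server-side script marker in content")
    # 2. format validity check: declared type versus actual leading bytes
    magic = IMAGE_MAGIC.get(suffix)
    if magic is not None and not content.startswith(magic):
        reasons.append(f"format: {suffix} file does not start with its magic bytes")
    # 3. behaviour check: an executable or unknown-format file written as an
    #    isolated event outside the window in which deployments write scripts
    if suffix in EXECUTABLE_SUFFIXES or suffix not in COMMON_DATA_SUFFIXES:
        start, end = policy.script_write_window
        isolated = all(abs(when - t) > timedelta(minutes=5)
                       for t in policy.recent_script_writes)
        if not (start <= when <= end) and isolated:
            reasons.append("behaviour: isolated write of executable/unknown-format file")
        policy.recent_script_writes.append(when)
    return reasons


def decide_file_write(policy: Policy, path: str, content: bytes, when: datetime,
                      mode: str = "pre-scan") -> tuple:
    """mode='post-scan' is the fourth device's flow (write, then scan and alert);
    mode='pre-scan' is the stricter flow in which the second device refuses the
    write when the file is suspected high-risk."""
    if not check_file_write_legal(policy, path):
        return "deny", ["path not permitted by preset strategy"]
    reasons = high_risk_reasons(policy, path, content, when)
    if not reasons:
        return "allow", []
    return ("allow+alert" if mode == "post-scan" else "deny+alert"), reasons


if __name__ == "__main__":
    policy = default_policy()
    print(check_network_request(policy, "10.0.0.5"), check_network_request(policy, "203.0.113.9"))
    print(decide_file_write(policy, "/var/www/logs/access.log", b"GET /index.html 200\n", SAMPLE_TIME))
    print(decide_file_write(policy, "/var/www/uploads/avatar.jpg", b"<?php echo 'x'; ?>", SAMPLE_TIME))
    print(decide_file_write(policy, "/var/www/uploads/../../etc/cron.d/job", b"", SAMPLE_TIME))
```

The upload directory is a legal write target, yet a .php file or a mislabelled "image" dropped there is still caught by the high-risk judgement, which is the defence-in-depth point the page makes about attackers who pass the legitimacy check.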
In a practical application example of the present application, the first device 101 uses an API hook to intercept the calls of the web server process to the operating system interface at the bottom of the application layer. The second device 102, on the one hand, performs a legitimacy check on the network address requested in the intercepted operating system call interface: if legal, a connection between the web server process and that network address is established; if illegal, establishing the connection is refused, so as to stop the web server process from requesting unpermitted network addresses and to guarantee the security of the data acquired or sent after the connection is established. The third device 103, after the connection between the web server process and the network address is established, requests data from the network address or sends data to the network address, so as to prevent important data from being illegally leaked by the web server process to an unpermitted network address outside the web server, or illegal data from being obtained by the web server process from an unpermitted network address, thus guaranteeing the security of the data. On the other hand, the second device 102 performs a legitimacy check on the file write operation in the intercepted operating system call interface: if legal, writing the file to the operating system's disk is allowed; if illegal, writing the file to the operating system's disk is refused, so as to stop the web server process from writing unpermitted files to disk, preventing the data on the disk from being tampered with and guaranteeing the security of the hard disk data. The fourth device 104, after writing the file to the operating system's disk has been allowed, judges whether the written file is a suspected high-risk file and, if so, raises an alarm for the suspected high-risk file and/or submits it for confirmation checking. Thus, while the efficiency of the file write is preserved, the content of the written file is scanned according to preset rules to determine whether it is a suspected high-risk file; when one is encountered, an alarm is raised and/or the file is submitted to a specific server for a stricter confirmation check. This guarantees that, in some special scenarios in which a malicious attacker has managed by some special measure to pass the legitimacy check of the file write operation in the intercepted operating system call interface, the malicious behaviour can still be discovered at the earliest moment by the judgement of suspected high-risk files, and an early warning or further confirmation can be initiated.
In summary, the present application performs a legitimacy check on the intercepted operating system call interface, allowing the operating system call interface through if legal and refusing it if illegal. This prevents the web server process from being maliciously controlled, guarantees the security of the web server process's calls into the operating system interface, and prevents a maliciously controlled web server process from leaking data from an important data source out of the web server or tampering with important data on the operating system's disk. At the same time, the web system can keep running on the original web server; no authority needs to be withdrawn from the web server, and the ISV retains all permissions over it. This avoids the problem in the prior art that, because all administration authority over the server is withdrawn, the web system has to be re-engineered, and thus achieves zero migration cost.
Further, by intercepting the operating system call interface of the web server process by means of an API hook, the operating system call interface of the web server process can be intercepted efficiently; in particular, by using the API hook to intercept the calls of the web server process to the operating system interface at the bottom of the application layer, the hook intercepts only the web server process and not other processes, which reduces interference with them.
Further, by performing a legitimacy check on the network address requested in the intercepted operating system call interface, the web server process is stopped from requesting unpermitted network addresses, i.e. it is forbidden from arbitrarily initiating requests to arbitrary network addresses, which guarantees the security of the data acquired or sent after the connection is established.
Further, by performing a legitimacy check on the file write operation in the intercepted operating system call interface, the web server process can be stopped from writing unpermitted files to disk, preventing the data on the disk from being tampered with and guaranteeing the security of the hard disk data.
Further, by judging whether the written file is a suspected high-risk file, it can be guaranteed that, in some special scenarios in which a malicious attacker has managed by some special measure to pass the legitimacy check of the file write operation in the intercepted operating system call interface, the malicious behaviour can still be discovered at the earliest moment by the judgement of suspected high-risk files.
Obviously, those skilled in the art can make various changes and modifications to the present application without departing from its spirit and scope. Accordingly, if these amendments and modifications of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include these changes and modifications.
It should be noted that the present application can be implemented in software and/or in a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the present application can be executed by a processor to implement the steps or functions described above. Similarly, the software program of the present application (including related data structures) can be stored in a computer-readable recording medium, such as RAM memory, a magnetic or optical drive or a floppy disk and similar devices. In addition, some steps or functions of the present application can be implemented in hardware, for example as a circuit that cooperates with the processor to perform each step or function.
In addition, part of the present application can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can call or provide the method and/or technical solution according to the present application through the operation of that computer. The program instructions that call the method of the present application may be stored in a fixed or removable recording medium, and/or transmitted as a data stream through broadcast or other signal-bearing media, and/or stored in the working memory of a computer device running according to the program instructions. Here, an embodiment according to the present application includes a device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to run the methods and/or technical solutions according to the multiple embodiments of the present application described above.
It is obvious to those skilled in the art that the present application is not limited to the details of the above exemplary embodiments, and that the present application can be realized in other specific forms without departing from its spirit or essential features. Therefore, from whichever point of view, the embodiments should be regarded as exemplary and non-restrictive; the scope of the present application is defined by the appended claims rather than by the above description, and all changes falling within the meaning and scope of equivalents of the claims are therefore intended to be included in the present application. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is to be understood that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in the device claims may also be implemented by a single unit or device through software or hardware. Words such as first and second are used to denote names and do not indicate any particular order.
Claims (20)
1. A method for preventing website data from leaking, comprising:
intercepting the operating system call interface of a web server process;
performing a legitimacy check on the intercepted operating system call interface, and if legal, allowing the operating system call interface through, and if illegal, refusing the operating system call interface.
2. The method of claim 1, wherein intercepting the operating system call interface of the web server process comprises intercepting the operating system call interface of the web server process by means of an API hook.
3. The method of claim 2, wherein intercepting the operating system call interface of the web server process by means of an API hook comprises using the API hook to intercept the calls of the web server process to the operating system interface at the bottom of the application layer.
4. The method of any one of claims 1 to 3, wherein performing the legitimacy check on the intercepted operating system call interface, allowing it through if legal and refusing it if illegal, comprises:
performing a legitimacy check on the network address requested in the intercepted operating system call interface;
if legal, establishing a connection between the web server process and that network address;
if illegal, refusing to establish the connection between the web server process and that network address.
5. The method of claim 4, wherein after the connection between the web server process and the network address is established, at least one of the following operations is performed:
requesting data from the network address;
sending data to the network address.
6. The method of any one of claims 1 to 3, wherein performing the legitimacy check on the intercepted operating system call interface, allowing it through if legal and refusing it if illegal, comprises:
performing a legitimacy check on the file write operation in the intercepted operating system call interface;
if legal, allowing the file to be written to the disk of the operating system;
if illegal, refusing to write the file to the disk of the operating system.
7. The method of claim 6, wherein after allowing the file to be written to the disk of the operating system, the method further comprises:
judging whether the written file is a suspected high-risk file, and if so, raising an alarm for the suspected high-risk file and/or submitting it for confirmation checking.
8. The method of any one of claims 1 to 3, wherein performing the legitimacy check on the intercepted operating system call interface, allowing it through if legal and refusing it if illegal, comprises:
performing a legitimacy check on the file write operation in the intercepted operating system call interface;
if legal, judging whether the file to be written is a suspected high-risk file, and if so, refusing to write the file to the disk of the operating system, and if not, allowing the file to be written to the disk of the operating system;
if illegal, refusing to write the file to the disk of the operating system.
9. The method of claim 8, wherein after refusing to write the file to the disk of the operating system, the method further comprises performing at least one of the following operations on the illegal file or suspected high-risk file:
raising an alarm;
confirmation checking.
10. The method of claim 7 or 8, wherein judging whether the written file is a suspected high-risk file comprises judging by at least one of the following:
performing a keyword check on the written file;
performing a format validity check on the written file;
performing a behaviour check on the events of the written file.
11. A device for preventing website data from leaking, comprising:
a first device for intercepting the operating system call interface of a web server process;
a second device for performing a legitimacy check on the intercepted operating system call interface, and if legal, allowing the operating system call interface through, and if illegal, refusing the operating system call interface.
12. The device of claim 11, wherein the first device intercepts the operating system call interface of the web server process by means of an API hook.
13. The device of claim 12, wherein the first device uses the API hook to intercept the calls of the web server process to the operating system interface at the bottom of the application layer.
14. The device of any one of claims 11 to 13, wherein the second device performs a legitimacy check on the network address requested in the intercepted operating system call interface and, if legal, establishes a connection between the web server process and that network address, and if illegal, refuses to establish the connection between the web server process and that network address.
15. The device of claim 14, further comprising a third device for performing at least one of the following operations after the connection between the web server process and the network address is established:
requesting data from the network address;
sending data to the network address.
16. The device of any one of claims 11 to 13, wherein the second device performs a legitimacy check on the file write operation in the intercepted operating system call interface and, if legal, allows the file to be written to the disk of the operating system, and if illegal, refuses to write the file to the disk of the operating system.
17. The device of claim 16, further comprising a fourth device for judging, after the file has been allowed to be written to the disk of the operating system, whether the written file is a suspected high-risk file and, if so, raising an alarm for the suspected high-risk file and/or submitting it for confirmation checking.
18. The device of any one of claims 11 to 13, wherein the second device performs a legitimacy check on the file write operation in the intercepted operating system call interface and, if legal, judges whether the file to be written is a suspected high-risk file, refusing to write the file to the disk of the operating system if so and allowing the file to be written if not, and if illegal, refuses to write the file to the disk of the operating system.
19. The device of claim 18, further comprising a fifth device for performing, after writing the file to the disk of the operating system has been refused, at least one of the following operations on the illegal file or suspected high-risk file:
raising an alarm;
confirmation checking.
20. The device of claim 17 or 18, wherein, when the second device or the fourth device judges whether the written file is a suspected high-risk file, it judges by at least one of the following:
performing a keyword check on the written file;
performing a format validity check on the written file;
performing a behaviour check on the events of the written file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510116924.2A CN106033511A (en) | 2015-03-17 | 2015-03-17 | Method and device for preventing website data from leaking |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510116924.2A CN106033511A (en) | 2015-03-17 | 2015-03-17 | Method and device for preventing website data from leaking |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106033511A true CN106033511A (en) | 2016-10-19 |
Family
ID=57150950
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510116924.2A Pending CN106033511A (en) | 2015-03-17 | 2015-03-17 | Method and device for preventing website data from leaking |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106033511A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1818823A (en) * | 2005-02-07 | 2006-08-16 | 福建东方微点信息安全有限责任公司 | Computer protecting method based on programm behaviour analysis |
CN1885224A (en) * | 2005-06-23 | 2006-12-27 | 福建东方微点信息安全有限责任公司 | Computer anti-virus protection system and method |
CN102254113A (en) * | 2011-06-27 | 2011-11-23 | 深圳市安之天信息技术有限公司 | Method and system for detecting and intercepting malicious code of mobile terminal |
CN103488947A (en) * | 2013-10-11 | 2014-01-01 | 北京金山网络科技有限公司 | Method and device for identifying instant messaging client-side account number stealing Trojan horse program |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110210220A (en) * | 2018-07-19 | 2019-09-06 | 腾讯科技(深圳)有限公司 | A kind of information leakage detection method, device and storage medium |
CN111222130A (en) * | 2018-11-27 | 2020-06-02 | 钉钉控股(开曼)有限公司 | Page response method, page request method and device |
CN111222130B (en) * | 2018-11-27 | 2023-10-03 | 钉钉控股(开曼)有限公司 | Page response method, page request method and page request device |
WO2021189257A1 (en) * | 2020-03-24 | 2021-09-30 | 深圳市欢太科技有限公司 | Malicious process detection method and apparatus, electronic device, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20161019 |