CN106202198A - Dynamic detection system based on BHO technology - Google Patents

Dynamic detection system based on BHO technology

Info

Publication number: CN106202198A
Authority: CN (China)
Prior art keywords: task, bho, module, url, detecting system
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Withdrawn
Application number: CN201610484593.2A
Other languages: Chinese (zh)
Inventor: 董雄飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Hefei Minzhongyixing Software Development Co Ltd
Original Assignee: Hefei Minzhongyixing Software Development Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2016-06-29
Filing date: 2016-06-29
Publication date: 2016-12-07

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a dynamic detection system based on BHO (Browser Helper Object) technology. The BHO-based dynamic detection system comprises a task reading and distribution module, a virtual-machine task control module, a BHO module, a log module and a log analysis module. The method can determine accurately when IE has finished accessing a web page; it can detect multiple web pages simultaneously in an environment that simulates a real user; and after the detection of each page is complete, any change the page made to the virtual machine is reverted, so that malicious web pages cannot modify the system. In addition, the method uses machine-learning methods to extract and judge malicious web page behaviour, which improves the accuracy of malicious web page detection. With this method, the efficiency and accuracy with which the system detects malicious web pages can be greatly improved.

Description

Dynamic detection system based on BHO technology
Technical field
The present invention belongs to the field of the Internet and specifically relates to a dynamic detection system based on BHO technology.
Background technology
Existing malicious web page detection systems are essentially all built on client honeypots or on virtual machines that simulate a real user. During detection such systems can only examine one URL at a time (otherwise, when malicious behaviour occurs, it is very hard to tell which web page was responsible). A typical client honeypot or sandbox cannot truly simulate the user environment: most malicious web pages exploit vulnerabilities in third-party controls or in IE itself, and these systems usually cannot provide those environments, so detection suffers from a high false-negative rate. After such a system has examined one URL, it must open a new client honeypot or sandbox for the next detection, which is very inefficient. When a virtual machine that simulates a user is used, a malicious web page will more or less alter the virtual machine, and when the same virtual machine is used to examine the next web page, detection may be missed (some malicious web pages use a cookie to decide whether the client has already visited them). Furthermore, most systems that use IE to access web pages have difficulty determining when the browser has finished accessing a page; they typically judge by page views or set their own timeout, which also affects detection efficiency and results.
Summary of the invention
The object of the invention is to provide a dynamic detection system based on BHO technology.
To achieve the above object, the invention provides the following technical scheme: a dynamic detection system based on BHO technology, in which the BHO-based dynamic detection system comprises a task reading and distribution module, a task control module, a BHO module, a log module and a log analysis module. The task distribution module reads all URLs to be detected from a prepared URL set file into memory at once, then distributes these tasks to the task control module over socket communication. When the task control module receives a URL to be detected, it creates a dedicated task thread to process that URL. The main job of this thread is to create a new IE process that browses the URL as a simulated user; during the whole navigation the BHO module records every behaviour of IE to a log file. When browsing of the URL is complete, the IE process terminates automatically, and the task thread then calls the log analysis module to analyse the recorded log file and reaches a conclusion according to certain decision rules. Finally, the task thread passes the result it obtained to the task distribution module over socket communication, and the task distribution module stores the final detection result in a database module.
Preferably, the URL set to be detected in the above flow is organised as a text file in which every line holds one URL to be detected, in the format "url1 url2", where url1 is the URL of a web page that a browser can browse directly and url2 is generally the malicious JS script suspected of being included in the web page url1; url2 is usually empty.
Preferably, the main thread of the task control module first initialises a socket and listens on the agreed port, then uses the socket SELECT model to accept the connections and task packets initiated by the task processing module.
Preferably, a task thread counter count is defined in the task control module, and every increment or decrement of this counter anywhere in the module is an atomic operation. Each time a new task thread is to be created, the module first checks whether the current task thread count count is greater than the predefined value MAXCLIENT. If so, nothing is done; otherwise it checks whether the task map contains a URL that needs detection. If there is one, that task is taken out of the task map, a new task thread is created to process it, and the task thread count count is incremented by 1.
Preferably, the BHO module is a DLL whose location in the registry is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\.
Preferably, when this module creates its file, it first obtains the Pid of the current IE process via GetCurrentProcessId(), then uses this Pid to create the log file Pid.log under the folder C:\IELog. If a log file with the same file name already exists in that folder, the newly created log file overwrites the original log file.
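The task-file format and the task control module's dispatch logic described above (thread counter, MAXCLIENT cap, task map, result hand-back), as an added Python example that is not part of the patent. The IE-plus-BHO browsing step and the decision rule are constructed stand-ins (fake_browse, simple_analyze), and the value of MAXCLIENT and all URLs are assumed.

```python
import threading

MAXCLIENT = 3  # assumed cap; the patent names the constant but not its value
# Constructed sample of the URL set file: 'url1 url2' per line, url2 optional.
SAMPLE_TASK_FILE = """\
http://example.test/a http://bad.example.test/x.js
http://example.test/b http://bad.example.test/x.js
http://example.test/c
"""
# Constructed record of the scripts each sample page really loads when browsed.
SAMPLE_LOADS = {"http://example.test/a": ["http://cdn.example.test/app.js"],
                "http://example.test/b": ["http://bad.example.test/x.js"]}

def parse_task_file(text):
    # Task reading module: one task per non-empty line; url2 may be absent.
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(r[0], r[1] if len(r) > 1 else None) for r in rows]

def fake_browse(url1, url2):
    # Stand-in for the IE process plus BHO: the lines the BHO would write to Pid.log.
    loads = [f"ScriptLoad {s}" for s in SAMPLE_LOADS.get(url1, [])]
    return [f"BeforeNavigate2 {url1}", *loads, f"DocumentComplete {url1}"]

def simple_analyze(log, url2):
    # Placeholder rule (the patent does not fix one): malicious only if url2 was loaded.
    return "malicious" if url2 and f"ScriptLoad {url2}" in log else "clean"

class TaskController:
    # Task control module: lock-guarded counter (the patent's atomic count), MAXCLIENT cap, task map, results.
    def __init__(self, tasks, browse, analyze, max_clients=MAXCLIENT):
        self._lock, self._threads = threading.Lock(), []
        self.count, self.peak = 0, 0  # running task threads / highest value seen
        self.max_clients, self.task_map = max_clients, dict(tasks)
        self.results, self._browse, self._analyze = {}, browse, analyze

    def try_dispatch(self):
        # One scheduling step: refuse at the cap, else pop a task, start a thread, count += 1.
        with self._lock:
            if self.count >= self.max_clients or not self.task_map:
                return False
            url1, url2 = self.task_map.popitem()
            self.count += 1
            self.peak = max(self.peak, self.count)
        t = threading.Thread(target=self._run, args=(url1, url2))
        self._threads.append(t)
        t.start()
        return True

    def _run(self, url1, url2):
        try:
            verdict = self._analyze(self._browse(url1, url2), url2)
            with self._lock:
                self.results[url1] = verdict  # result handed back to the distribution module
        finally:
            with self._lock:
                self.count -= 1  # thread finished: free its slot

    def drain(self):
        # Dispatch until the task map is empty and every started thread has finished.
        while self.task_map:
            while self.try_dispatch():
                pass
            while self._threads:
                self._threads.pop().join()
        return dict(self.results)
```

In the real system fake_browse would be replaced by launching IE and reading C:\IELog\Pid.log, and simple_analyze by the log analysis module; the counter is kept at most MAXCLIENT here (the patent phrases the check as "greater than MAXCLIENT").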
The above technical scheme provides the following benefits: the invention provides a dynamic detection system based on BHO technology, in which the BHO-based dynamic detection system comprises a task reading and distribution module, a virtual-machine task control module, a BHO module, a log module and a log analysis module. The method can determine accurately when IE has finished accessing a web page; it can detect multiple web pages simultaneously in an environment that simulates a real user; and after the detection of each web page is complete, any change the page made to the virtual machine is reverted, so that malicious web pages cannot modify the system. In addition, the method uses machine-learning methods to extract and judge malicious web page behaviour, which improves the accuracy of malicious web page detection. With this method, the efficiency and accuracy with which the system detects malicious web pages can be greatly improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of an embodiment of the invention.
Detailed description of the invention
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further described below with reference to a specific embodiment.
Embodiment:
A dynamic detection system based on BHO technology, characterised in that the BHO-based dynamic detection system comprises a task reading and distribution module, a task control module, a BHO module, a log module and a log analysis module. The task distribution module reads all URLs to be detected from a prepared URL set file into memory at once, then distributes these tasks to the task control module over socket communication. When the task control module receives a URL to be detected, it creates a dedicated task thread to process that URL. The main job of this thread is to create a new IE process that browses the URL as a simulated user; during the whole navigation the BHO module records every behaviour of IE to a log file. When browsing of the URL is complete, the IE process terminates automatically, and the task thread then calls the log analysis module to analyse the recorded log file and reaches a conclusion according to certain decision rules. Finally, the task thread passes the result it obtained to the task distribution module over socket communication, and the task distribution module stores the final detection result in a database module.
The URL set to be detected in the above flow is organised as a text file in which every line holds one URL to be detected, in the format "url1 url2", where url1 is the URL of a web page that a browser can browse directly and url2 is generally the malicious JS script suspected of being included in the web page url1; url2 is usually empty. The main thread of the task control module first initialises a socket and listens on the agreed port, then uses the socket SELECT model to accept the connections and task packets initiated by the task processing module. A task thread counter count is defined in the task control module, and every increment or decrement of this counter anywhere in the module is an atomic operation. Each time a new task thread is to be created, the module first checks whether the current task thread count count is greater than the predefined value MAXCLIENT. If so, nothing is done; otherwise it checks whether the task map contains a URL that needs detection. If there is one, that task is taken out of the task map, a new task thread is created to process it, and the task thread count count is incremented by 1. The BHO module is a DLL whose location in the registry is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\. When this module creates its file, it first obtains the Pid of the current IE process via GetCurrentProcessId(), then uses this Pid to create the log file Pid.log under the folder C:\IELog. If a log file with the same file name already exists in that folder, the newly created log file overwrites the original log file.
The invention provides a dynamic detection system based on BHO technology, in which the BHO-based dynamic detection system comprises a task reading and distribution module, a virtual-machine task control module, a BHO module, a log module and a log analysis module. The method can determine accurately when IE has finished accessing a web page; it can detect multiple web pages simultaneously in an environment that simulates a real user; and after the detection of each web page is complete, any change the page made to the virtual machine is reverted, so that malicious web pages cannot modify the system. In addition, the method uses machine-learning methods to extract and judge malicious web page behaviour, which improves the accuracy of malicious web page detection. With this method, the efficiency and accuracy with which the system detects malicious web pages can be greatly improved.
As is known to those skilled in the art, the invention can be realised by other embodiments without departing from its spirit or essential features. Therefore, the embodiment disclosed above is in all respects illustrative only and not exclusive. All changes within the scope of the invention, or within a scope equivalent to the invention, are covered by the invention.

Claims (6)

1. A dynamic detection system based on BHO technology, characterised in that the BHO-based dynamic detection system comprises a task reading and distribution module, a task control module, a BHO module, a log module and a log analysis module; the task distribution module reads all URLs to be detected from a prepared URL set file into memory at once, then distributes these tasks to the task control module over socket communication; when the task control module receives a URL to be detected, it creates a dedicated task thread to process that URL, whose main job is to create a new IE process that browses the URL as a simulated user, while the BHO module records every behaviour of IE during the whole navigation to a log file; when browsing of the URL is complete, the IE process terminates automatically, and the task thread then calls the log analysis module to analyse the recorded log file and reaches a conclusion according to certain decision rules; finally, the task thread passes the result it obtained to the task distribution module over socket communication, and the task distribution module stores the final detection result in a database module.
2. The dynamic detection system based on BHO technology according to claim 1, characterised in that: the URL set to be detected in the above flow is organised as a text file in which every line holds one URL to be detected, in the format "url1 url2", where url1 is the URL of a web page that a browser can browse directly and url2 is generally the malicious JS script suspected of being included in the web page url1; url2 is usually empty.
3. The dynamic detection system based on BHO technology according to claim 2, characterised in that: the main thread of the task control module first initialises a socket and listens on the agreed port, then uses the socket SELECT model to accept the connections and task packets initiated by the task processing module.
4. The dynamic detection system based on BHO technology according to claim 1, characterised in that: a task thread counter count is defined in the task control module, and every increment or decrement of this counter anywhere in the module is an atomic operation; each time a new task thread is to be created, the module first checks whether the current task thread count count is greater than the predefined value MAXCLIENT; if so, nothing is done; otherwise it checks whether the task map contains a URL that needs detection, and if there is one, that task is taken out of the task map, a new task thread is created to process it, and the task thread count count is incremented by 1.
5. The dynamic detection system based on BHO technology according to claim 1, characterised in that: the BHO module is a DLL whose location in the registry is
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\.
6. The dynamic detection system based on BHO technology according to claim 1, characterised in that: when this module creates its file, it first obtains the Pid of the current IE process via GetCurrentProcessId(), then uses this Pid to create the log file Pid.log under the folder C:\IELog; if a log file with the same file name already exists in that folder, the newly created log file overwrites the original log file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610484593.2A CN106202198A (en) 2016-06-29 2016-06-29 Dynamic detection system based on BHO technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610484593.2A CN106202198A (en) 2016-06-29 2016-06-29 Dynamic detection system based on BHO technology

Publications (1)

Publication Number Publication Date
CN106202198A true CN106202198A (en) 2016-12-07

Family

ID=57462406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610484593.2A Withdrawn CN106202198A (en) 2016-06-29 2016-06-29 Dynamic detection system based on BHO technology

Country Status (1)

Country Link
CN (1) CN106202198A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922052A (en) * 2019-02-22 2019-06-21 中南大学 Malicious URL detection method combining multiple features
CN109922052B (en) * 2019-02-22 2020-12-29 中南大学 Malicious URL detection method combining multiple features


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (Application publication date: 20161207)