CN107124386B - Method and device for detecting and analyzing black industry content - Google Patents


Publication number
CN107124386B
CN107124386B
Authority
CN
China
Prior art keywords
content
black
data
server
detecting
Legal status
Active
Application number
CN201610102490.5A
Other languages
Chinese (zh)
Other versions
CN107124386A (en)
Inventor
曾加良
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a method for detecting and analyzing black industry content. The method comprises: obtaining a data packet exchanged between a server to be detected and a client, where the data packet contains request data sent by the client to the server or reply data sent by the server to the client; performing black industry content detection on the request data or the reply data; and, when black industry content is detected in the request data or the reply data, analyzing the category of the black industry content according to the detected content and a preset first rule base, where the first rule base holds the correspondence between black industry content and its category. The invention also discloses a device for detecting and analyzing black industry content. The invention identifies black industry content, analyzes its category, comprehensively detects whether black industry content exists on the server together with what that content and its category are, and prompts the user accordingly.

Description

Method and device for detecting and analyzing black industry content
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting and analyzing black industry content.
Background
The development of network technology has brought convenience to daily life: by connecting to the Internet and browsing web pages, people can look up information on education, medical care and the like, and handle related affairs through government websites. At the same time, organizations or individuals with malicious intent frequently attack websites through website vulnerabilities and use the resources of the server or client for trading, or simply occupy those resources, so that a complete chain of attacking, producing black industry content, spreading it and trading in it, namely a black industry chain, has formed. In the black industry chain, an attacker executes malicious operations on target devices, generates various data through those operations and profits from them, creating hidden dangers for network security.
In the prior art, to defend against such attacks, security mechanisms such as signature-based detection and statistical detection are usually used to detect whether a server is under attack; after detection, the user may be prompted to intercept a trojan communication link or to block a Structured Query Language (SQL) injection attack or a webshell attack. However, the black industry content that remains on the server after it has been attacked, and the type of that content, are usually not detected or analyzed.
Disclosure of Invention
The invention mainly aims to provide a method and a device for detecting and analyzing black industrial content, and aims to realize the purposes of identifying the black industrial content and analyzing the type of the black industrial content.
In order to achieve the above object, the method for detecting and analyzing black industrial content provided by the present invention comprises the following steps:
acquiring a data packet of interaction between a server to be detected and a client, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client;
detecting black industry content of the request data or the reply data;
when it is detected that black industry content exists in the request data or the reply data, the category of the black industry content is analyzed according to the detected black industry content and a preset first rule base, wherein the first rule base comprises a corresponding relation between the black industry content and the category.
Preferably, the black industry content detection on the request data or the reply data comprises:
detecting the request data or the reply data through a preset regular expression, wherein the preset regular expression is used for matching the request data or the reply data with data in a preset second rule base;
when the data packet contains the request data and the request data matches data in the second rule base, confirming that black industry content exists in the request data; and when the data packet contains the reply data and the reply data matches data in the second rule base, confirming that black industry content exists in the reply data.
Preferably, the black industry content detection on the request data or the reply data further comprises:
detecting whether the request data or the reply data have the characteristic information of preset application or not;
confirming that the requested data has the black industry content when the data packet contains the requested data and the characteristic information exists; and when the data packet contains the reply data and the characteristic information exists, confirming that the reply data has the black industry content.
Preferably, before the black industry content detection on the request data or the reply data, the method further includes:
carrying out intrusion detection on the acquired data packet, and judging whether the server is attacked by intrusion;
and when the server is attacked by the intrusion, executing the step of detecting whether the black industry content exists in the request data or the reply data.
Preferably, the method for detecting and analyzing black industrial content further comprises:
when it is detected that the server is under intrusion attack or that black industry content exists in the request data or the reply data, sending corresponding alarm information to the client.
In order to achieve the above object, the present invention also provides a black industrial content detection and analysis device, comprising:
the acquisition module is used for acquiring a data packet of interaction between a server to be detected and a client, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client;
the black industry content detection module is used for detecting the black industry content of the request data or the reply data;
and the black industry content analysis module is used for analyzing the category of the black industry content according to the detected black industry content and a preset first rule base when the request data or the reply data is detected to have the black industry content, wherein the first rule base comprises the corresponding relation between the black industry content and the category.
Preferably, the black industry content detection module includes:
the first detection unit is used for detecting the request data or the reply data through a preset regular expression, and the preset regular expression is used for matching the request data or the reply data with data in a preset second rule base;
a first confirming unit configured to confirm that black industry content exists in the request data when the data packet contains the request data and the request data matches data in the second rule base, and to confirm that black industry content exists in the reply data when the data packet contains the reply data and the reply data matches data in the second rule base.
Preferably, the black industry content detection module further comprises:
the second detection unit is used for detecting whether the request data or the reply data has the characteristic information of the preset application or not;
a second confirming unit configured to confirm that the requested data has the black industrial content when the data packet includes the requested data and the characteristic information exists; and when the data packet contains the reply data and the characteristic information exists, confirming that the reply data has the black industry content.
Preferably, the apparatus for detecting and analyzing black industrial content further includes:
the intrusion detection module is used for carrying out intrusion detection on the acquired data packet and judging whether the server is attacked by intrusion;
the black industry content detection module is further used for detecting whether black industry content exists in the request data or the reply data when the server is attacked by the intrusion.
Preferably, the apparatus for detecting and analyzing black industrial content further includes:
the warning module is used for sending corresponding warning information to the client when it is detected that the server is under intrusion attack or that black industry content exists in the request data or the reply data.
The method comprises the steps that a data packet of interaction between a server to be detected and a client is obtained, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client; detecting black industry content of the request data or the reply data; when it is detected that black industry content exists in the request data or the reply data, the category of the black industry content is analyzed according to the detected black industry content and a preset first rule base, wherein the first rule base comprises a corresponding relation between the black industry content and the category. The detected black industrial content is the existing black industrial content, so that the purpose of identifying the black industrial content is realized, the category of the detected black industrial content is determined by utilizing the first rule base, the purpose of analyzing the category of the black industrial content is effectively realized, and whether the black industrial content exists in the server or not and the existing content and category are comprehensively detected.
Drawings
FIG. 1 is a schematic flow chart illustrating a first embodiment of a method for detecting and analyzing black industrial content according to the present invention;
FIG. 2 is a schematic flow chart illustrating a second embodiment of the black industry content detection and analysis method according to the present invention;
FIG. 3 is a schematic flow chart illustrating a third embodiment of the black industry content detection and analysis method according to the present invention;
FIG. 4 is a schematic flow chart illustrating a fourth embodiment of the black industry content detection and analysis method according to the present invention;
FIG. 5 is a schematic structural diagram of functional modules of a first embodiment of an apparatus for detecting and analyzing black industrial content according to the present invention;
FIG. 6 is a schematic structural diagram of functional modules of a second embodiment of an apparatus for detecting and analyzing black industrial content according to the present invention;
FIG. 7 is a schematic structural diagram of functional modules of a third embodiment of an apparatus for detecting and analyzing black industrial content according to the present invention;
FIG. 8 is a schematic structural diagram of functional modules of a fourth embodiment of an apparatus for detecting and analyzing black industrial content according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention relates to a detection and analysis method for black industrial content. Referring to fig. 1, in a first embodiment, the method for detecting and analyzing black industrial content includes:
step S10, acquiring a data packet of interaction between a server to be detected and a client, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client;
step S20, detecting the black industry content of the request data or the reply data;
step S30, when it is detected that the request data or the reply data has black industry content, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, where the first rule base includes a corresponding relationship between the black industry content and the category.
The method for detecting and analyzing the black industrial content is mainly applied to the server, and is used for detecting the black industrial content of the server and analyzing the type of the black industrial content.
In this embodiment, the server and the client are the server to be detected and its corresponding client. The content of the data packet is request data sent by the client to the server or reply data sent by the server to the client. Black industry content refers to the content produced by malicious operations an attacker performs on a target device, such as false drug advertisements, game promotion, lottery content or bitcoin mining software planted on the device; the client sees this content when it opens a web page, and the page that a piece of black industry content links to may even carry trojans that infect the user's computer, causing a series of network security problems. Black industry content may be uploaded to the server while an attacker is attacking it; when the server already holds black industry content, the data it returns to the client may contain that content. Therefore, by inspecting the request data sent by the client to the server or the reply data sent by the server to the client, it can be determined whether black industry content is being submitted, or already exists on the attacked server and is being sent to the client.
During detection, the acquired data packet exchanged between the server and the client is first parsed according to the protocol standards defined in RFCs, and black industry content detection is then performed. RFCs (Request for Comments) are the series of numbered documents in which Internet protocols are specified. When the data packet exchanged between the server and the client is found to contain black industry content, that is, the data sent by the client to the server or by the server to the client contains such content, the category of that content is analyzed. For example, when "baccarat" is detected, the black industry content is judged to belong to the lottery category according to the preset first rule base, which holds the correspondence between black industry content and its category. After detection and analysis, the result can be stored in the system log, and the black industry content present on the server and its category are reported to the client.
The method comprises the steps that a data packet of interaction between a server to be detected and a client is obtained, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client; detecting black industry content of the request data or the reply data; when it is detected that black industry content exists in the request data or the reply data, the category of the black industry content is analyzed according to the detected black industry content and a preset first rule base, wherein the first rule base comprises a corresponding relation between the black industry content and the category. The detected black industrial content is the existing black industrial content, so that the purpose of identifying the black industrial content is realized, the category of the detected black industrial content is determined by utilizing the first rule base, the purpose of analyzing the category of the black industrial content is effectively realized, and whether the black industrial content exists in the server or not and the existing content and category are comprehensively detected.
Further, referring to fig. 2, based on the first embodiment of the method for detecting and analyzing black industrial content according to the present invention, in the second embodiment of the method for detecting and analyzing black industrial content according to the present invention, the step S20 includes:
step S211, detecting the request data or the reply data through a preset regular expression, where the preset regular expression is used to match the request data or the reply data with data in a preset second rule base;
step S212, when the data packet contains the request data and matches with the data in the second rule base, confirming that the black industry content exists in the request data; and when the data packet contains the reply data and is matched with the information in the second rule base, confirming that the reply data has the black industry content.
In this embodiment, the preset regular expression is used to match the request data or the reply data against data in the preset second rule base; during matching, a parsing engine interprets the regular expression at program run time. For example, when the expression pcre:"(network lottery net|ao gambling net|baccarat)" is applied to the request data or reply data in the data packet, it detects whether the data contains keywords such as "network lottery net", "ao (Macau) gambling net" or "baccarat". The content matched by the preset regular expression comes from the preset rule base: the second rule base may include preset keywords such as "baccarat" or "game platform", preset malicious links, detection regular expressions for black industry content, and so on, and can be configured as required. For example, if a page of a government website matches pcre:"(bar model|night club) recruitment", pornographic black industry content has been inserted; if its page title matches pcre:"<title>.*(big healthcare|delayed drug).*</title>", false drug black industry content has been implanted. The black industry content part of the first rule base may include all of the content of the second rule base, or may also include black industry content beyond the content of the second rule base.
When content in the rule base is matched by the regular expression and the acquired data packet contains request data sent by the client to the server, an attacker is submitting black industry content to the server; the content is intercepted and analyzed, and the result of the interception and analysis is reported to the user. When the acquired data packet contains reply data sent by the server to the client, for example when black industry content such as "big 888 game platform" is matched on an education website and the link it points to is judged not to belong to the site (for instance 123.game.com), the server can be confirmed to hold black industry content, and the relevant information is analyzed and reported to the user.
In the embodiment, whether black industrial content exists is judged by matching the request data or the reply data in the data packet through a preset regular expression, the matched black industrial content is the black industrial content submitted to the server by an attacker or the black industrial content returned to the client by the server, and the information is the existing black industrial content, so that the purpose of identifying the black industrial content is achieved.
Further, referring to fig. 3, based on the first embodiment of the method for detecting and analyzing black industrial content according to the present invention, in the third embodiment of the method for detecting and analyzing black industrial content according to the present invention, the step S20 further includes:
step S221, detecting whether the request data or the reply data has the characteristic information of the preset application;
step S222, when the data packet includes the request data and the feature information exists, determining that the request data has the black industry content; and when the data packet contains the reply data and the characteristic information exists, confirming that the reply data has the black industry content.
In this embodiment, the preset application is a predefined malicious application, for example a bitcoin mining application, chosen as needed. The characteristic information of the preset application is information that reflects its behavior: every application shows specific behavioral characteristics when running, such as connecting to particular servers or using a particular communication protocol. Detecting whether the request data or reply data carries the characteristic information of the preset application therefore means checking whether the data packet uses that specific communication protocol, connects to that specific server to upload or download information, and so on; which applications' characteristics are checked can be chosen as needed. For example, a detected connection to a bitcoin mining server indicates that malicious bitcoin mining may be under way. Further analysis can then be performed, the result recorded in a log and the user alerted.
In this embodiment, black industry content is identified through the characteristic information of the preset application: the request data or reply data in the data packet is checked for that characteristic information, achieving the purpose of identifying black industry content. It will be understood that this detection can be performed on the data packets exchanged between the server and the client, and can also be performed on the information already present on the whole server to be detected.
Further, referring to fig. 4, in the fourth embodiment of the method for detecting and analyzing black industrial content according to the present invention, before step S20 the method further includes:
step S40, carrying out intrusion detection on the acquired data packet, and judging whether the server is attacked by intrusion; when the server is subjected to the intrusion attack, step S20 is performed.
In this embodiment, intrusion detection targets attackers breaking into the server; usable detection methods include SQL injection detection, Cross Site Scripting (XSS) attack detection and the like, of which one or several may be combined as needed. When the server is detected to be under intrusion attack, it may have been tampered with, so black industry content detection is then performed.
SQL injection means that an attacker exploits a flaw in how SQL statements are built to insert malicious code into the SQL and have it executed. For example, given a login check implemented with an SQL statement, a user with username admin and password admin can log in normally. However, if the username entered is admin'-- and the password is 123, or the client enters admin'-- with password 345, login still succeeds, because after the backend reads the input boxes the statement it executes becomes select count(*) from user where username='admin'--' and password='123': the part after -- is treated as a comment, the password condition is dropped and the login succeeds. SQL injection can be detected by scanning for injection statements; many implementations exist in the prior art and can be selected as needed.
An attacker mounting an XSS attack typically embeds a client-side script (for example JavaScript) in a web page; when the user browses the page, the script runs in the user's browser and serves the attacker's purpose, such as stealing the user's cookie or redirecting to a malicious link. XSS attack detection can be realized by analyzing how data flows through the web application code, with the specific implementation chosen as needed.
This embodiment judges whether an attacker has intruded into the server by examining the interaction between the server and the client, so that the user can learn of a malicious attack before black industry content appears on the server.
Further, based on the above embodiment of the method for detecting and analyzing black industrial content according to the present invention, in a fifth embodiment of the method for detecting and analyzing black industrial content according to the present invention, the method for detecting and analyzing black industrial content further includes:
when it is detected that the server is under intrusion attack or that black industry content exists in the request data or the reply data, sending corresponding alarm information to the client.
In this embodiment, the alarm information may remind the client when intrusion detection finds a malicious attack, or when the server finds black industry content during its interaction with the client. The alarm message may report the black industry content contained in the interaction or present on the interacting server (a server holding black industry content may be called a black host), together with the category of that content. The way the alarm is presented can be chosen as needed; for instance, a window can pop up on the user side listing the black industry content present, such as a prompt that the server has been intruded by a malicious attacker and false drug information has been added.
In the embodiment, the warning information is sent to the client when the malicious attack or the black industry content is found, so that the user can know the attacked condition of the server and the specific black industry content and category.
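As an added example that is not part of the patent (which describes no code), the following Python sketches the pipeline of the second to fifth embodiments end to end: a regex second rule base, a first rule base mapping content to category, mining-protocol traffic as the characteristic information of a preset application, an intrusion-signature gate before content detection, and the alarm text. All rule contents, the site name edu.example, the link host 123.game.example and the sample traffic are constructed; the intrusion signatures are deliberately minimal.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Second rule base (constructed): regular expressions that mark black industry
# content.  The keyword lists follow the patent's translated examples.
SECOND_RULE_BASE = {
    "lottery_keywords": re.compile(r"network lottery net|ao gambling net|baccarat", re.I),
    "game_platform": re.compile(r"big\s*888 game platform", re.I),
    "pharma_title": re.compile(r"<title>[^<]*(big healthcare|delayed drug)[^<]*</title>", re.I),
    "nightclub_recruit": re.compile(r"(bar model|night club) recruitment", re.I),
}
# Characteristic information of a preset application (third embodiment): here a
# mining client speaking Stratum JSON-RPC.  Constructed; real miners vary.
APP_CHARACTERISTICS = {
    "stratum_mining": re.compile(r'"method"\s*:\s*"mining\.(subscribe|authorize|submit)"'),
}
# First rule base: black industry content (rule name) -> category.
FIRST_RULE_BASE = {
    "lottery_keywords": "lottery",
    "game_platform": "game promotion",
    "pharma_title": "false drug advertisement",
    "nightclub_recruit": "pornography",
    "stratum_mining": "cryptocurrency mining",
}
# Intrusion signatures for the gate of the fourth embodiment (step S40).
# Deliberately tiny; a real IDS carries a far richer rule set.
INTRUSION_SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(--|#)|'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "xss": re.compile(r"<script\b|javascript:", re.I),
}

@dataclass
class Packet:
    direction: str  # "request": client -> server, "reply": server -> client
    payload: str    # decoded HTTP headers/body after RFC protocol parsing

@dataclass
class Finding:
    direction: str
    content: str    # the matched black industry content
    category: str   # category from the first rule base
    source: str     # "regex", "application" or "external_link"

def analyze_category(rule_name):
    """Step S30: map detected content to its category via the first rule base."""
    return FIRST_RULE_BASE.get(rule_name, "unknown")

def detect_intrusion(pkt):
    """Step S40: intrusion signatures apply to request data only."""
    if pkt.direction != "request":
        return []
    return [name for name, rx in INTRUSION_SIGNATURES.items() if rx.search(pkt.payload)]

def external_links(payload, site_host):
    """Hosts of links in reply data that point outside the detected server's own site."""
    hosts = []
    for url in re.findall(r'href="(https?://[^"]+)"', payload, re.I):
        host = urlparse(url).hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.append(host)
    return hosts

def detect_black_content(pkt, site_host):
    """Step S20: regex rule base (S211/S212) plus application characteristics (S221/S222)."""
    findings = []
    for rules, source in ((SECOND_RULE_BASE, "regex"), (APP_CHARACTERISTICS, "application")):
        for name, rx in rules.items():
            m = rx.search(pkt.payload)
            if m:
                findings.append(Finding(pkt.direction, m.group(0), analyze_category(name), source))
    if pkt.direction == "reply" and findings:
        # A matched promotion that links off-site strengthens the verdict (second embodiment).
        for host in external_links(pkt.payload, site_host):
            findings.append(Finding("reply", host, "external link", "external_link"))
    return findings

def inspect_session(packets, site_host, require_intrusion=False):
    """Run the pipeline over one session and build the alarm text (fifth embodiment)."""
    intrusions = sorted({name for p in packets for name in detect_intrusion(p)})
    findings = []
    if intrusions or not require_intrusion:  # fourth embodiment: gate S20 on S40
        for p in packets:
            findings.extend(detect_black_content(p, site_host))
    alarm = None
    if intrusions or findings:
        lines = [f"server {site_host}: " + ("intrusion detected" if intrusions else "black host")]
        lines += [f"  intrusion: {i}" for i in intrusions]
        lines += [f"  {f.direction}: {f.content!r} -> {f.category}" for f in findings]
        alarm = "\n".join(lines)
    return {"intrusions": intrusions, "findings": findings, "alarm": alarm}

# Constructed sample traffic for a fictional education site.
SAMPLE_SESSION = [
    Packet("request", "POST /login HTTP/1.1\r\n\r\nusername=admin'--&password=123"),
    Packet("reply", '<html><title>Welcome</title><body><a href="http://123.game.example/">'
                    "big 888 game platform</a> try baccarat today</body></html>"),
    Packet("request", '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5"]}'),
]

if __name__ == "__main__":
    print(inspect_session(SAMPLE_SESSION, "edu.example", require_intrusion=True)["alarm"])
```

With require_intrusion=True the content scan only runs once the SQL-injection signature fires on the login request; without it the reply is scanned regardless.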
The present invention also provides a black industrial content detection and analysis device, and in a first embodiment of the black industrial content detection and analysis device according to the present invention, referring to fig. 5, the black industrial content detection and analysis device includes:
an obtaining module 10, configured to obtain a data packet of interaction between a server to be detected and a client, where the data packet includes request data sent by the client to the server or reply data sent by the server to the client;
a black industry content detection module 20, configured to perform black industry content detection on the request data or the reply data;
a black industry content analysis module 30, configured to, when it is detected that the request data or the reply data has the black industry content, analyze a category of the black industry content according to the detected black industry content and a preset first rule base, where the first rule base includes a correspondence between the black industry content and the category.
The invention provides a black industrial content detection and analysis device which is mainly applied to a server and is used for detecting the black industrial content of the server and analyzing the type of the black industrial content.
When the black industry content detection module 20 performs detection, the acquired data packet exchanged between the server and the client is first parsed according to the protocol standards defined in RFCs, and black industry content detection is then performed. RFCs (Request for Comments) are the series of numbered documents in which Internet protocols are specified. When the data packet exchanged between the server and the client is found to contain black industry content, that is, the data sent by the client to the server or by the server to the client contains such content, the category of that content is analyzed. For example, when "baccarat" is detected, the black industry content is judged to belong to the lottery category according to the preset first rule base, which holds the correspondence between black industry content and its category. After detection and analysis, the result can be stored in the system log, and the black industry content present and its category are reported to the client.
Further, referring to fig. 6, based on the first embodiment of the black industry content detection and analysis apparatus of the present invention, in the second embodiment of the apparatus the black industry content detection module 20 further includes:
a first detecting unit 211, configured to detect the request data or the reply data through a preset regular expression, where the preset regular expression is used to match data in the data packet against data in a preset second rule base;
a first confirming unit 212, configured to confirm that the request data has black industry content when the data packet contains the request data and it matches data in the second rule base, and to confirm that the reply data has black industry content when the data packet contains the reply data and it matches data in the second rule base.
In this embodiment, the preset regular expression is used to match the request data or the reply data against data in the preset second rule base; when matching with a regular expression, a parsing engine parses the content of the regular expression at run time. For example, with a rule such as pcre:"(network lottery net|Macau gambling net|baccarat)", detecting the request data or the reply data in the data packet checks whether it contains keywords such as "network lottery net", "Macau gambling net" or "baccarat". The content matched by the preset regular expression comes from the preset second rule base, which may include preset keywords such as "baccarat" or "game platform", preset malicious links, detection regular expressions for black industry content, and so on, and which can be configured as required. For example, if a page of a government website matches the body rule pcre:"(bar|model|night club) recruitment", this indicates that pornographic black industry content has been inserted, and if the page title matches the rule pcre:"<title>.*(big healthcare|delayed drug).*</title>", this indicates that false drug black industry content has been implanted. The black industry content part of the first rule base may include all the contents of the second rule base, or may include other black industry content in addition to all the contents of the second rule base.
When the first detection unit 211 matches content in the rule base through the regular expression, if the acquired data packet contains request data sent by the client to the server, this indicates that an attacker is submitting black industry content to the server; the black industry content is then intercepted and analyzed, and the result of the interception and analysis is prompted to the user. When the acquired data packet contains reply data sent by the server to the client, for example when black industry content such as "big 888 game platform" is matched on an education website and the link pointed to by that content is judged not to belong to the website itself (for example 123.game.com), it can be confirmed that the server has black industry content, and the relevant information is then analyzed and prompted to the user.
In this embodiment, whether black industry content exists is judged by matching the request data or the reply data in the data packet against a preset regular expression. The matched black industry content is either content submitted to the server by an attacker or content returned to the client by the server, and in both cases it is black industry content existing on the server, so the purpose of identifying black industry content is achieved.
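The detection flow of the first and second embodiments, as an added example that is not the patent's own code: a constructed second rule base of PCRE-style patterns, a constructed first rule base mapping each pattern to its category, and the non-local-link check applied to reply data. The host name edu.example, the sample request and the sample reply are constructed for this example; the keywords and 123.game.com come from the description above.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed second rule base: PCRE-style patterns the first detecting unit runs over
# request or reply data. Each entry is (rule name, compiled pattern); the rule name is
# the key looked up in the first rule base.
SECOND_RULE_BASE = [
    ("lottery_keywords", re.compile(r"(network lottery net|Macau gambling net|baccarat)", re.I)),
    ("game_platform", re.compile(r"(big 888 game platform)", re.I)),
    ("false_drug_title", re.compile(r"<title>[^<]*(big healthcare|delayed drug)[^<]*</title>", re.I)),
    ("porn_recruitment", re.compile(r"(bar|model|night club) recruitment", re.I)),
]

# Constructed first rule base: correspondence between black industry content and category.
FIRST_RULE_BASE = {
    "lottery_keywords": "lottery",
    "game_platform": "game promotion",
    "false_drug_title": "false drug advertisement",
    "porn_recruitment": "pornography",
}

ANCHOR_RE = re.compile(r"""<a\s[^>]*href=["']([^"']+)["'][^>]*>""", re.I)


def find_non_local_links(html: str, server_host: str) -> List[str]:
    """Return hrefs in the reply whose host differs from the server being detected.
    Relative links have no host and are treated as local."""
    non_local = []
    for href in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname
        if host and host.lower() != server_host.lower():
            non_local.append(href)
    return non_local


def detect_black_content(direction: str, data: str, server_host: str) -> List[Dict]:
    """direction is "request" (client -> server) or "reply" (server -> client).
    Returns one finding per matched rule with its category from the first rule base;
    for reply data the finding also lists links pointing outside the server."""
    findings = []
    for name, pattern in SECOND_RULE_BASE:
        m = pattern.search(data)
        if not m:
            continue
        findings.append({
            "direction": direction,
            "matched": m.group(1),
            "category": FIRST_RULE_BASE.get(name, "unknown"),
            "non_local_links": find_non_local_links(data, server_host) if direction == "reply" else [],
        })
    return findings


def format_alert(server_host: str, findings: List[Dict]) -> Optional[str]:
    """Text the warning module would send to the client; None when nothing was found."""
    if not findings:
        return None
    lines = [f"black industry content detected; suspected black host: {server_host}"]
    for f in findings:
        line = f"  {f['direction']} data contains '{f['matched']}' (category: {f['category']})"
        if f["non_local_links"]:
            line += "; points to non-local link(s): " + ", ".join(f["non_local_links"])
        lines.append(line)
    return "\n".join(lines)


# Constructed samples: a request submitting content to the server, and a reply from an
# education site (host name edu.example is an assumption) whose page has been tampered with.
SAMPLE_REQUEST = "POST /post.php HTTP/1.1\r\nHost: edu.example\r\n\r\ntitle=news&body=Join+baccarat+now"
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Faculty of Education</title></head><body>"
    '<a href="/about">About us</a>'
    '<a href="http://123.game.com/reg">big 888 game platform</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for direction, data in (("request", SAMPLE_REQUEST), ("reply", SAMPLE_REPLY)):
        print(format_alert("edu.example", detect_black_content(direction, data, "edu.example")))
```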
Further, referring to fig. 7, based on the first embodiment of the black industry content detection and analysis apparatus of the present invention, in the third embodiment of the apparatus the black industry content detection module 20 further includes:
a second detecting unit 221, configured to detect whether feature information of a preset application exists in the request data or the reply data;
a second confirming unit 222, configured to confirm that the request data has black industry content when the data packet contains the request data and the feature information exists, and to confirm that the reply data has black industry content when the data packet contains the reply data and the feature information exists.
In this embodiment, the preset application is a predefined malicious application, for example a bitcoin-mining application, and which applications are preset can be chosen as required. The feature information of a preset application is information that reflects the behavior of that application: each application has certain specific behavioral characteristics when running, such as connecting to a specific server or using a specific communication protocol. The second detecting unit 221 detects whether the request data or the reply data carries the feature information of the preset application, that is, whether the data packet uses a specific communication protocol, connects to a specific server to upload or download information, and so on; which feature information of which applications is detected can be chosen as required. For example, detecting a connection to a server used for bitcoin mining indicates that bitcoin-mining malicious activity may be present. At this point further analysis may be performed and recorded in the log while the user is alerted.
In this embodiment, black industry content is identified through the feature information of the preset application: the request data or the reply data in the data packet is checked for that feature information, so the purpose of identifying black industry content is achieved. It can be understood that this detection can be performed on the data packet of the interaction between the server and the client, and can also be performed on information already existing on the server to be detected as a whole.
Further, referring to fig. 8, in the fourth embodiment of the black industrial content detection and analysis device according to the present invention, the black industrial content detection and analysis device further includes:
an intrusion detection module 40, configured to perform intrusion detection on the acquired data packet and judge whether the server is under intrusion attack.
The black industry content detection module 20 is further configured to detect whether black industry content exists in the request data or the reply data when the server is attacked by the intrusion.
In this embodiment, intrusion detection targets an attacker intruding into the server; usable detection methods include SQL injection detection, cross-site scripting (XSS) attack detection, and the like, and one or more of them may be selected and combined as required. When the server is detected to be under intrusion attack, this indicates that black industry content may be tampering with the server, and the black industry content detection module 20 is invoked to perform black industry content detection.
SQL injection means that an attacker exploits a flaw in how SQL statements are built, inserting malicious input into the SQL so that it is executed. For example, suppose the login check is built from the user name and password entered by the user: with user name admin and password admin the user logs in normally. However, a user who enters admin'-- as the user name and 123 as the password, or admin'-- and 345, can also log in, because after the back end reads the input boxes the SQL statement to be executed becomes select count(*) from <table> where username = 'admin'--' and password = '123'; the part after -- is recognized as a comment symbol, so the password condition is omitted and the login succeeds. SQL injection can be detected by scanning the data for SQL injection statements; there are many specific implementations in the prior art, and one can be selected and used as required.
An attacker performing an XSS attack typically embeds a client-side script (for example JavaScript) in a web page; when a user browses the page, the script is executed in the user's browser to achieve the attacker's purpose, such as obtaining the user's cookie or redirecting to a malicious link. XSS attack detection can be realized by analyzing how data flows through the web application code, and the specific implementation can be selected as needed.
This embodiment judges whether an attacker is intruding into the server by detecting the interaction information between the server and the client, so the client can learn that a malicious attack is under way before black industry content appears on the server.
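An added illustration of the SQL injection case above (not the patent's code): an in-memory SQLite user table with the admin/admin account, the concatenated login query that the admin'-- input bypasses, the parameterized form that it does not bypass, and a simple scan of decoded request data for the injection and script markers an intrusion detection module could key on. The table and column names are assumptions.

```python
import re
import sqlite3
from typing import List
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table (names assumed) holding the admin/admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string concatenation: the input becomes SQL text, so a
    quote followed by -- in the user name turns the password check into a comment."""
    sql = ("SELECT count(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sends the values separately from the statement text, so the same input is
    compared literally against the column and no comment is introduced."""
    sql = "SELECT count(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Markers an intrusion detection module could look for in decoded request data.
SQLI_PATTERNS = [
    re.compile(r"'\s*--"),              # quote followed by an SQL line comment, as in admin'--
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),  # embedded client-side script tag
    re.compile(r"javascript\s*:", re.I),  # script URL placed in a link
]


def intrusion_detected(request_data: str) -> List[str]:
    """Return the attack types whose markers appear in the request body. The body is
    percent-decoded first, since detection runs on the parsed packet, not raw bytes."""
    decoded = unquote_plus(request_data)
    hits = []
    for label, patterns in (("sql injection", SQLI_PATTERNS), ("xss", XSS_PATTERNS)):
        if any(p.search(decoded) for p in patterns):
            hits.append(label)
    return hits


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("admin", "admin"), ("admin'--", "123"), ("admin'--", "345")):
        print(f"{user!r}/{pw!r}: concatenated={login_vulnerable(db, user, pw)} "
              f"parameterized={login_parameterized(db, user, pw)}")
    print(intrusion_detected("username=admin%27--&password=123"))
```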
Further, according to the above-described embodiment of the black industrial content detection and analysis device of the present invention, in a fifth embodiment of the black industrial content detection and analysis device of the present invention, the black industrial content detection and analysis device further includes:
and the warning module is used for sending corresponding warning information to the client when detecting that the server is attacked by the intrusion or the request data or the reply data has the black industry content.
In this embodiment, the warning information reminds the user after the intrusion detection module 40 detects an intrusion or the black industry content detection module 20 detects black industry content. Specifically, the alarm information may remind the client when intrusion detection finds a malicious attack, or may be sent to remind the client when black industry content is found in the server's interaction with the client. The content of the warning message may include the black industry content contained in the interaction, or the black industry content existing on the server involved in the interaction (a server on which black industry content exists may be called a black host), together with the category of the black industry content. The way the alarm information is presented can be chosen as required; for example, a window can pop up on the user side to prompt the user about the existing black industry content, such as that the server has been intruded into by a malicious attacker and false drug information has been added.
In this embodiment, the warning information is sent to the client when a malicious attack or black industry content is found, so that the user can learn how the server was attacked and the specific black industry content and its category.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for detecting and analyzing black industrial content, comprising the steps of:
acquiring a data packet of interaction between a server to be detected and a client, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client;
performing black industrial content detection on the request data or the reply data, wherein the black industrial content represents the content of malicious operation executed on a target device by an attacker;
when it is detected that black industry content exists in the request data or the reply data, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, wherein the first rule base comprises a corresponding relation between the black industry content and the category;
when the data packet contains reply data sent by the server to the client, judging that a link pointed to by the reply data is a non-local link, and confirming that black industrial content exists in the server;
and prompting the existing black industrial content and the category of the black industrial content for the client.
2. The method for detecting and analyzing black industrial content according to claim 1, wherein the detecting black industrial content of the request data or the reply data comprises:
detecting the request data or the reply data through a preset regular expression, wherein the preset regular expression is used for matching the request data or the reply data with data in a preset second rule base;
when the data packet contains the request data and it matches data in the second rule base, confirming that the black industry content exists in the request data; and when the data packet contains the reply data and it matches data in the second rule base, confirming that the reply data has the black industry content.
3. The method for detecting and analyzing black industrial content according to claim 1, wherein the detecting black industrial content of the request data or the reply data comprises:
detecting whether the request data or the reply data have the characteristic information of preset application or not;
confirming that the request data has the black industry content when the data packet contains the request data and the characteristic information exists; and when the data packet contains the reply data and the characteristic information exists, confirming that the reply data has the black industry content.
4. The method for detecting and analyzing black industrial content according to any one of claims 1 to 3, wherein before detecting black industrial content from the request data or the reply data, the method further comprises:
carrying out intrusion detection on the acquired data packet, and judging whether the server is attacked by intrusion;
and when the server is attacked by the intrusion, executing the step of detecting whether the black industry content exists in the request data or the reply data.
5. The method for detecting and analyzing black industrial content according to claim 4, further comprising:
and when it is detected that the server is attacked by the intrusion or that the black industry content exists in the request data or the reply data, sending corresponding alarm information to the client.
6. A device for detecting and analyzing black industrial content, comprising:
the acquisition module is used for acquiring a data packet of interaction between a server to be detected and a client, wherein the data packet comprises request data sent by the client to the server or reply data sent by the server to the client;
the black industry content detection module is used for detecting black industry content of the request data or the reply data, wherein the black industry content represents the content of malicious operation executed by an attacker on target equipment;
a black industry content analysis module, configured to, when it is detected that there is black industry content in the request data or the reply data, analyze a category of the black industry content according to the detected black industry content and a preset first rule base, where the first rule base includes a correspondence between the black industry content and the category;
the first detection unit is used for judging that a link pointed to by the reply data is a non-local link when the data packet contains the reply data sent by the server to the client, and confirming that the server has black industrial content;
the black industry content detection module is also used for prompting the existing black industry content and the category of the black industry content to the client.
7. The apparatus for detecting and analyzing black industrial content according to claim 6, wherein the black industrial content detecting module comprises:
the first detection unit is used for detecting the request data or the reply data through a preset regular expression, and the preset regular expression is used for matching the request data or the reply data with data in a preset second rule base;
a first confirming unit configured to confirm that the request data has the black industry content when the data packet includes the request data and it matches data in the second rule base; and when the data packet contains the reply data and it matches data in the second rule base, confirming that the reply data has the black industry content.
8. The apparatus for detecting and analyzing black industrial content according to claim 6, wherein the black industrial content detecting module further comprises:
the second detection unit is used for detecting whether the request data or the reply data has the characteristic information of the preset application or not;
a second confirming unit configured to confirm that the request data has the black industrial content when the data packet includes the request data and the characteristic information exists; and when the data packet contains the reply data and the characteristic information exists, confirming that the reply data has the black industry content.
9. The apparatus for detecting and analyzing black industrial content according to any one of claims 6 to 8, further comprising:
the intrusion detection module is used for carrying out intrusion detection on the acquired data packet and judging whether the server is attacked by intrusion;
the black industry content detection module is further used for detecting whether black industry content exists in the request data or the reply data when the server is attacked by the intrusion.
10. The apparatus for detecting and analyzing black industrial content according to claim 9, further comprising:
and the warning module is used for sending corresponding warning information to the client when detecting that the server is attacked by the intrusion or the request data or the reply data has the black industry content.
CN201610102490.5A 2016-02-24 2016-02-24 Method and device for detecting and analyzing black industry content Active CN107124386B (en)


Publications (2)

Publication Number Publication Date
CN107124386A CN107124386A (en) 2017-09-01
CN107124386B (en) 2021-05-04



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 518000 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong.

Applicant after: SANGFOR TECHNOLOGIES Inc.

Address before: 518052 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong.

Applicant before: Sangfor Technologies Co.,Ltd.

GR01 Patent grant