CN107180194A - Method and device for vulnerability detection based on a visual analysis system - Google Patents
- Publication number: CN107180194A (CN201710328207.5A)
- Authority: CN (China)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2119—Authenticating web pages, e.g. with suspicious links
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Embodiments of the present invention provide a method and a device for vulnerability detection based on a visual analysis system. The method includes: extracting visual feature data of a web page by means of a visual analysis system; detecting, according to the visual feature data of the web page, whether the web page is abnormal; and, if the web page is detected to be abnormal, determining that the web page has a vulnerability. The technical solution of the embodiments can detect vulnerabilities in a web page visually; the process is simple and improves the working efficiency of the vulnerability scanning tool.
Description
Technical field
Embodiments of the present invention relate to the field of network technology, and in particular to a method and a device for vulnerability detection based on a visual analysis system.
Background
In recent years, with the rapid development of Internet technology, more and more users run their key business on Web-based applications. While a browser is used to display all kinds of information and to interact with the Web server, criminals can exploit various vulnerabilities to steal the accounts of all kinds of systems, tamper with or delete back-end data, steal sensitive system data, carry out phishing attacks and so on, thereby harming users' data and property.
At present, a conventional vulnerability scanning tool generally performs operations such as decoding on the web page, obtains the HTTP (HyperText Transfer Protocol) request from the information input by the user, and inspects the HTTP request to learn whether the web page has a vulnerability.
However, when some malicious data attacks a web page through a vulnerability, the visual effect of the web page changes. In that case, detecting whether the web page has a vulnerability by obtaining the HTTP request from the information input by the user is a comparatively cumbersome process, which reduces the working efficiency of the vulnerability scanning tool.
Summary of the invention
Embodiments of the present invention provide a method and a device for vulnerability detection based on a visual analysis system, which can detect vulnerabilities in a web page visually; the process is simple and improves the working efficiency of the vulnerability scanning tool.
An embodiment of the present invention provides a method for vulnerability detection based on a visual analysis system, characterized by comprising:
Extracting visual feature data of the web page by means of a visual analysis system;
Detecting, according to the visual feature data of the web page, whether the web page is abnormal;
If the web page is detected to be abnormal, determining that the web page has a vulnerability.
Further, in the method described above, the visual feature data of the web page includes:
At least one of the text information of the web page, the real-time picture of the web page and the background information of the web page;
Detecting, according to the visual feature data of the web page, whether the web page is abnormal includes:
Detecting whether the text information of the web page has a disordered layout and, if the text information of the web page is detected to have a disordered layout, determining that the web page is abnormal; and/or
Detecting whether pictures have been added to or removed from the real-time picture of the web page and, if such an addition or removal is detected, determining that the web page is abnormal; and/or
Detecting whether the background information of the web page matches preset background information and, if the background information of the web page is detected not to match the preset background information, determining that the web page is abnormal.
Further, in the method described above, extracting the visual feature data of the web page by means of the visual analysis system includes:
Determining the type of the web page by means of the visual analysis system;
Determining, according to the type of the web page, a first suspicious vulnerability corresponding to the web page;
Extracting the visual feature data of the web page according to the first suspicious vulnerability.
Further, in the method described above, extracting the visual feature data of the web page by means of the visual analysis system includes:
Determining the security protection information of the web page by means of the visual analysis system;
Determining, according to the security protection information of the web page, a second suspicious vulnerability corresponding to the web page;
Extracting the visual feature data of the web page according to the second suspicious vulnerability.
Further, in the method described above, before the visual feature data of the web page is extracted by means of the visual analysis system, the method further includes:
Obtaining malicious data from a preset database;
Injecting the malicious data into the web page.
An embodiment of the present invention also provides a device for vulnerability detection based on a visual analysis system, characterized by comprising:
An extraction module, configured to extract visual feature data of the web page by means of a visual analysis system;
A detection module, configured to detect, according to the visual feature data of the web page, whether the web page is abnormal;
A determining module, configured to determine that the web page has a vulnerability if the detection module detects that the web page is abnormal.
Further, in the device described above, the visual feature data of the web page includes:
At least one of the text information of the web page, the real-time picture of the web page and the background information of the web page;
The detection module is specifically configured to:
Detect whether the text information of the web page has a disordered layout and, if the text information of the web page is detected to have a disordered layout, determine that the web page is abnormal; and/or
Detect whether pictures have been added to or removed from the real-time picture of the web page and, if such an addition or removal is detected, determine that the web page is abnormal; and/or
Detect whether the background information of the web page matches preset background information and, if the background information of the web page is detected not to match the preset background information, determine that the web page is abnormal.
Further, in the device described above, the extraction module is specifically configured to:
Determine the type of the web page by means of the visual analysis system;
Determine, according to the type of the web page, a first suspicious vulnerability corresponding to the web page;
Extract the visual feature data of the web page according to the first suspicious vulnerability.
Further, in the device described above, the extraction module is specifically configured to:
Determine the security protection information of the web page by means of the visual analysis system;
Determine, according to the security protection information of the web page, a second suspicious vulnerability corresponding to the web page;
Extract the visual feature data of the web page according to the second suspicious vulnerability.
Further, the device described above also includes:
An acquisition module, configured to obtain malicious data from a preset database;
An injection module, configured to inject the malicious data into the web page.
In the method and device for vulnerability detection based on a visual analysis system of the embodiments of the present invention, after the visual feature data of the web page is extracted by the visual analysis system, whether the web page is abnormal is detected according to that visual feature data, and if the web page is detected to be abnormal, the web page is determined to have a vulnerability. This avoids having to perform operations such as decoding on the web page and obtain the HTTP request from the information input by the user before a vulnerability in the web page can be detected. The technical solution of the embodiments can detect vulnerabilities in a web page visually; the process is simple and improves the working efficiency of the vulnerability scanning tool.
Brief description of the drawings
The drawings described here are provided for a further understanding of the embodiments of the present invention and form part of them. The schematic embodiments and their descriptions are used to explain the embodiments of the present invention and do not constitute an improper limitation on them. In the drawings:
Fig. 1 is a flowchart of method embodiment one of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 2 is a flowchart of method embodiment two of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 3 is a flowchart of method embodiment three of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of device embodiment one for vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of device embodiment two for vulnerability detection based on a visual analysis system according to an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution is described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the embodiments of the present invention.
Terms such as "first" and "second" (if any) in the specification, the claims and the above drawings are used to distinguish similar parts, not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than the one illustrated here.
The technical solutions provided by the embodiments of the present invention are described in detail below with reference to the drawings.
Embodiment one
Fig. 1 is a flowchart of method embodiment one of vulnerability detection based on a visual analysis system according to an embodiment of the present invention. As shown in Fig. 1, the method may specifically include the following steps:
100. Extract the visual feature data of the web page by means of a visual analysis system.
For example, when some malicious data attacks a web page through a vulnerability, the visual effect of the web page changes. Therefore, to find out comparatively quickly whether the web page has a vulnerability, the embodiment of the present invention may set up a visual analysis system in the scanner and extract the visual feature data of the web page through it.
In a specific implementation, a visual analysis system uses a computer to realize human visual functions and is mainly responsible for acquiring images, processing images, outputting images and so on. For example, after a web page is opened, the visual analysis system can capture the displayed content of the web page as an image, process the image (for example by enlarging or reducing it) and output the processed image. After the visual analysis system has output the displayed content of the web page as an image, the embodiment of the present invention can extract the visual feature data of the web page from the output image. For example, the visual feature data of the web page may include but is not limited to at least one of the text information of the web page, the real-time picture of the web page and the background information of the web page.
101. Detect, according to the visual feature data of the web page, whether the web page is abnormal.
Specifically, a design specification is drawn up for the user interface (User Interface, UI) of each web page according to requirements before it is designed, so that the UI satisfies the user experience as far as possible when presented to the user; that is, after a web page is opened, the UI presented to the user has a good display effect. For example, the design specification may include but is not limited to at least one of the following: the page text uses a unified font; the font sizes of titles and content differ; the layout is regular and attractive; the color used for the page background does not affect the display of the page text; the page is forbidden to play advertisements, or playing advertisements does not affect the display of the page text.
Therefore, once the visual feature data of the web page has been extracted, the embodiment of the present invention can in effect see the UI display of the web page directly. If a web page has no vulnerability, it either does not receive malicious data or does not execute the code corresponding to the malicious data after receiving it; after being opened, the web page then shows its UI to the user according to the design specification, which indicates that the web page is not abnormal. If a web page has a vulnerability, then after some malicious data attacks the web page through that vulnerability, the UI presented to the user may change and its display effect may be affected, which indicates that the web page is abnormal. The embodiment of the present invention can therefore detect whether the web page is abnormal after extracting its visual feature data.
102. If the web page is detected to be abnormal, determine that the web page has a vulnerability.
For example, under normal circumstances the text information in the UI of a web page has a regular layout. Therefore, if the visual feature data of the web page includes the text information of the web page, the embodiment of the present invention can detect whether the text information has a disordered layout; if it does, the web page is determined to be abnormal and hence to have a vulnerability. For instance, if the characters in the text information of the web page are deformed, or the preceding and following text does not connect, the text information can be judged to have a disordered layout, which indicates that the web page is abnormal.
As another example, under normal circumstances a window does not suddenly pop up or disappear in the UI of a web page. Therefore, if the visual feature data of the web page includes the real-time picture of the web page, the embodiment can detect whether pictures have been added to or removed from the real-time picture; if so, the web page is determined to be abnormal and hence to have a vulnerability. For instance, if a window suddenly appears in the real-time picture of the web page, the web page can be judged to be abnormal.
As yet another example, under normal circumstances the background color of the UI of a web page is fixed in advance. Therefore, if the visual feature data of the web page includes the background information of the web page, the embodiment can detect whether the background information matches preset background information; if it does not, the web page is determined to be abnormal and hence to have a vulnerability. For instance, if the background color of a web page is white but the background color obtained by the visual analysis system is green, the web page can be judged to be abnormal.
It should be noted that the embodiments of the present invention are not limited to the above ways of detecting whether a web page is abnormal.
The method for vulnerability detection based on a visual analysis system of the embodiment of the present invention may be executed by a device for vulnerability detection based on a visual analysis system. The device may be integrated in software; for example, it may be an application. The present invention places no particular limitation on this.
In the method for vulnerability detection based on a visual analysis system of the embodiment of the present invention, after the visual feature data of the web page is extracted by the visual analysis system, whether the web page is abnormal is detected according to that visual feature data, and if the web page is detected to be abnormal, the web page is determined to have a vulnerability. This avoids having to perform operations such as decoding on the web page and obtain the HTTP request from the information input by the user before a vulnerability in the web page can be detected. The technical solution of the embodiment can detect vulnerabilities in a web page visually; the process is simple and improves the working efficiency of the vulnerability scanning tool.
Embodiment two
Fig. 2 is a flowchart of method embodiment two of vulnerability detection based on a visual analysis system according to an embodiment of the present invention. As shown in Fig. 2, this embodiment describes the technical solution in further detail on the basis of the embodiment shown in Fig. 1.
As shown in Fig. 2, the method for vulnerability detection based on a visual analysis system of the embodiment of the present invention may specifically include the following steps:
200. Obtain malicious data from a preset database.
For example, vulnerabilities are what malicious data uses to attack a web page. If a web page has a vulnerability, malicious data that attacks through it and does not want to be detected may deliberately avoid any significant effect on the UI display of the web page, so that the user cannot easily notice that the web page is abnormal. In that case the method for vulnerability detection based on a visual analysis system cannot find an abnormality in the web page and will judge that the web page has no vulnerability, or that the web page has not been attacked by malicious data, which results in missed vulnerabilities.
To solve this problem, the embodiment of the present invention actively obtains malicious data from a preset database, before or after the web page is opened, in order to inject the malicious data into the web page.
It should be noted that, to carry out the method on the web page, the embodiment of the present invention may open the web page in a sandbox; if the code corresponding to the obtained malicious data is executed, the visual effect of the web page is affected.
201. Inject the malicious data into the web page.
After the malicious data has been obtained from the preset database, it is injected into the web page, which ensures that there is malicious data attacking the web page; whether the web page has a vulnerability is then detected.
202. Determine the type of the web page by means of the visual analysis system.
The embodiment of the present invention can obtain the displayed content of the web page through the visual analysis system and determine the type of the web page from keywords in the displayed content. For example, keywords such as "bank" indicate that the web page is an online banking page, and keywords such as "Sina News" indicate that the web page is a news page.
203. Determine, according to the type of the web page, the first suspicious vulnerability corresponding to the web page.
In a specific implementation, web pages of the same type may have the same kinds of vulnerabilities, but different vulnerabilities may affect the UI display of the web page differently. Therefore, to detect more quickly whether the web page has a vulnerability, the embodiment of the present invention, after determining the type of the web page, can determine from that type which first suspicious vulnerabilities the web page corresponds to.
For example, the vulnerability an online banking page may have is mainly a cross-site scripting (Cross Site Script, CSS) vulnerability, and the vulnerability a news page may have is mainly a SQL (Structured Query Language) injection vulnerability. Therefore, if the web page is determined to be an online banking page, the embodiment can determine that the web page has a CSS vulnerability; similarly, if the web page is determined to be a news page, it can determine that the web page has a SQL injection vulnerability.
204. Extract the visual feature data of the web page according to the first suspicious vulnerability.
For example, after malicious data attacks a web page through a CSS vulnerability, a window may pop up in the UI of the web page asking the user to click a link; after malicious data attacks a web page through a SQL injection vulnerability, the text information in the UI of the web page may show a disordered layout. The embodiment of the present invention can therefore extract the visual feature data of the web page in a targeted way according to the determined first suspicious vulnerability, and so quickly detect whether the web page has a vulnerability.
205. Detect, according to the visual feature data of the web page, whether the web page is abnormal. If the web page is detected to be abnormal, perform step 206; otherwise, if the web page is detected not to be abnormal, end.
This step is implemented in the same way as step 101 of the embodiment shown in Fig. 1; see the related description above, which is not repeated here.
206. Determine that the web page has a vulnerability.
This step is implemented in the same way as step 102 of the embodiment shown in Fig. 1; see the related description above, which is not repeated here.
In the method for vulnerability detection based on a visual analysis system of the embodiment of the present invention, malicious data is injected into the web page, the first suspicious vulnerability corresponding to the web page is determined from its type, the visual feature data of the web page is extracted in a targeted way according to the first suspicious vulnerability, and whether the web page has a vulnerability is detected according to that visual feature data. This detects vulnerabilities in the web page visually, reduces the rate of missed vulnerabilities and improves the working efficiency of the vulnerability scanning tool.
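The anomaly checks of step 101 combined with the type-driven narrowing of steps 202 to 206, as an added example that is not part of the patent text. It assumes the visual analysis system has already reduced each rendering to a small feature record; the record layout, the use of overlapping text boxes as the sign of a disordered layout, the color tolerance and all names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Box:
    """Bounding box of one rendered text block, in pixels (hypothetical format)."""
    x: int
    y: int
    w: int
    h: int

    def overlaps(self, other: "Box") -> bool:
        return (self.x < other.x + other.w and other.x < self.x + self.w
                and self.y < other.y + other.h and other.y < self.y + self.h)


@dataclass(frozen=True)
class VisualFeatures:
    """Feature record assumed to come out of the visual analysis system."""
    keywords: frozenset    # keywords read from the displayed content
    text_boxes: tuple      # Box instances, one per text block
    windows: frozenset     # identifiers of picture regions currently shown
    background: tuple      # dominant background color as (R, G, B)


# Mappings taken from the description: keyword -> page type -> suspicious
# vulnerability -> visual feature to extract. "CSS" is the abbreviation the
# page itself uses for cross-site scripting.
TYPE_BY_KEYWORD = {"bank": "online banking", "Sina News": "news"}
SUSPECT_BY_TYPE = {"online banking": "CSS", "news": "SQL injection"}
CHECKS_BY_SUSPECT = {"CSS": ("pictures",), "SQL injection": ("text",)}
ALL_CHECKS = ("text", "pictures", "background")


def page_type(features):
    """Step 202: derive the page type from keywords, or None if unknown."""
    for keyword, kind in TYPE_BY_KEYWORD.items():
        if keyword in features.keywords:
            return kind
    return None


def checks_for(features):
    """Steps 203-204: narrow the checks to the suspicious vulnerability.
    Pages of unknown type get every check (an assumption of this example)."""
    suspect = SUSPECT_BY_TYPE.get(page_type(features))
    return CHECKS_BY_SUSPECT.get(suspect, ALL_CHECKS)


def text_disordered(boxes):
    """Assumed proxy for a disordered layout: two text blocks overlap."""
    return any(a.overlaps(b) for i, a in enumerate(boxes) for b in boxes[i + 1:])


def detect_anomalies(baseline, observed, tolerance=16):
    """Step 205: compare the rendering after the test against the expected one."""
    found = []
    checks = checks_for(baseline)
    if "text" in checks and text_disordered(observed.text_boxes):
        found.append("text layout disordered")
    if "pictures" in checks:
        found += [f"picture added: {n}" for n in sorted(observed.windows - baseline.windows)]
        found += [f"picture removed: {n}" for n in sorted(baseline.windows - observed.windows)]
    if "background" in checks:
        drift = max(abs(a - b) for a, b in zip(baseline.background, observed.background))
        if drift > tolerance:
            found.append("background mismatch")
    return found


def has_vulnerability(baseline, observed):
    """Step 206: any anomaly means the page is reported as vulnerable."""
    return bool(detect_anomalies(baseline, observed))


# Constructed sample records (not captured from any real page).
WHITE, GREEN = (255, 255, 255), (0, 128, 0)
TEXT_OK = (Box(0, 0, 300, 40), Box(0, 50, 300, 200))
BANK_BASE = VisualFeatures(frozenset({"bank"}), TEXT_OK, frozenset({"main"}), WHITE)
BANK_OBS = VisualFeatures(frozenset({"bank"}), TEXT_OK, frozenset({"main", "popup-1"}), GREEN)
NEWS_BASE = VisualFeatures(frozenset({"Sina News"}), TEXT_OK, frozenset({"main"}), WHITE)
NEWS_OBS = VisualFeatures(frozenset({"Sina News"}),
                          (Box(0, 0, 300, 40), Box(0, 30, 300, 200)),
                          frozenset({"main"}), WHITE)
OTHER_BASE = VisualFeatures(frozenset({"forum"}), TEXT_OK, frozenset({"main"}), WHITE)
OTHER_OBS = VisualFeatures(frozenset({"forum"}), TEXT_OK, frozenset({"main"}), GREEN)

if __name__ == "__main__":
    for name, base, obs in (("bank", BANK_BASE, BANK_OBS),
                            ("news", NEWS_BASE, NEWS_OBS),
                            ("other", OTHER_BASE, OTHER_OBS)):
        print(name, detect_anomalies(base, obs))
```

Because the online banking page is checked only for picture changes, the green background in `BANK_OBS` goes unreported; that blind spot is the cost of the targeted extraction in step 204.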
Further, in the embodiment of Fig. 2 above, a large amount of malicious data may be stored in the preset database, but web pages of the same type may have the same kinds of vulnerabilities, and the malicious data that attacks web pages through these vulnerabilities is relatively fixed. Therefore, to improve the working efficiency of the vulnerability scanner, the embodiment of the present invention need not perform step 200 and step 201 first. Instead, before the "extract the visual feature data of the web page" part of step 204, it can perform step 200 "obtain malicious data from the preset database" and step 201 "inject the malicious data into the web page" according to the first suspicious vulnerability, and then perform the "extract the visual feature data of the web page" part of step 204.
Embodiment three
Fig. 3 carries out the flow of the embodiment of the method three of Hole Detection for the view-based access control model analysis system of the embodiment of the present invention
Figure, as shown in figure 3, the method that the view-based access control model analysis system of the embodiment of the present invention carries out Hole Detection, in embodiment illustrated in fig. 1
On the basis of, further technical scheme is described in further detail.
As shown in figure 3, the method that the view-based access control model analysis system of the embodiment of the present invention carries out Hole Detection, can specifically be wrapped
Include following steps:
300th, malicious data is obtained from presetting database.
The step is identical with the realization mechanism of the step 200 of above-mentioned embodiment illustrated in fig. 2, and above-mentioned related note is refer in detail
Carry, will not be repeated here.
301st, malicious data is injected to webpage.
The step is identical with the realization mechanism of the step 201 of above-mentioned embodiment illustrated in fig. 2, and above-mentioned related note is refer in detail
Carry, will not be repeated here.
302nd, the security protection information of webpage is determined by visual analysis system.
The embodiment of the present invention can get the display content of webpage by visual analysis system, and according to the display of webpage
Keyword in content, determines the security protection information of the webpage, for example, the net can be learnt according to keywords such as " banks "
Page is related to the property safety of user, and its security protection information is height, or, according to keywords such as " Sina News ", learn the net
Page, which is related to, browses information, and its security protection information is low.
303rd, according to the security protection information of webpage, the corresponding second suspicious leak of webpage is determined.
During one implements, the species of the leak of the webpage presence of identical security protection information may be identical,
But the influence that different leaks is caused to the UI of webpage display effect may be different, therefore, in order to faster examine
It whether there is leak in survey grid page, the embodiment of the present invention, can be according to webpage after it is determined that the security protection information of webpage is
Security protection information is which the second suspicious leak of webpage correspondence determined.
For example, being mainly cross-site scripting attack (Cross for the higher webpage of security protection information leak that may be present
Site Script, CSS) leak is mainly structuralized query for the relatively low webpage of security protection information leak that may be present
Language (Structured Query Language, SQL) injection loophole.Therefore, the embodiment of the present invention is if it is determined that the webpage is peace
The higher webpage of full protection information, it may be determined that the webpage has CSS leaks, similarly, however, it is determined that the webpage is believed for security protection
The relatively low webpage of breath, it may be determined that the webpage has SQL injection leakage.
304. Extract the visual feature data of the web page according to the second suspicious vulnerability.
For example, with a CSS vulnerability, after malicious data attacks a web page, a window may pop up in the web page's UI prompting the user to click a link; with an SQL injection vulnerability, after malicious data attacks a web page, the text information in the web page's UI may be laid out in a disordered way. Therefore, the embodiment of the present invention can extract the visual feature data of the web page in a targeted manner according to the determined first suspicious vulnerability, so as to quickly detect whether the web page has a vulnerability.
305. Detect whether the web page is abnormal according to the visual feature data of the web page. If the web page is detected to be abnormal, perform step 306; otherwise, if no abnormality is detected, end.
This step is implemented in the same way as step 101 of the embodiment shown in Fig. 1 above; see the related description above for details, which are not repeated here.
306. Determine that the web page has a vulnerability.
This step is implemented in the same way as step 102 of the embodiment shown in Fig. 1 above; see the related description above for details, which are not repeated here.
The method for vulnerability detection based on a visual analysis system according to the embodiment of the present invention injects malicious data into the web page, determines the corresponding second suspicious vulnerability according to the security protection information of the web page, extracts the visual feature data of the web page in a targeted manner according to the second suspicious vulnerability, and detects whether the web page has a vulnerability according to that visual feature data. This achieves intuitive detection of vulnerabilities in the web page, reduces the rate of missed vulnerabilities (false negatives), and improves the working efficiency of the vulnerability scanning tool.
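The flow of steps 303 to 306 can be expressed in code as follows. This is an added example, not code from the patent: the `Box`/`Snapshot` feature format, the "unknown" fallback, the overlap-based definition of a disordered layout and all function names are assumptions, and the snapshots are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed keyword lists; the description only names "bank" and "Sina News".
HIGH_KEYWORDS = ("bank",)
LOW_KEYWORDS = ("sina news",)
# Step 303 as the description states it: high -> CSS, low -> SQL injection.
SUSPECT_BY_LEVEL = {"high": "CSS", "low": "SQL injection"}
# Step 304: the visual feature extracted for each suspected vulnerability.
FEATURE_BY_SUSPECT = {"CSS": "windows", "SQL injection": "text_layout"}


@dataclass
class Box:
    """A rendered element: label and bounding box in pixels."""
    label: str
    x: int
    y: int
    w: int
    h: int


@dataclass
class Snapshot:
    """Visual feature data of one rendering (hypothetical format)."""
    width: int
    text_boxes: list = field(default_factory=list)
    windows: list = field(default_factory=list)  # pop-up windows / dialogs


def protection_level(page_text):
    """Derive the security protection information from keywords in the content."""
    text = page_text.lower()
    if any(k in text for k in HIGH_KEYWORDS):
        return "high"
    if any(k in text for k in LOW_KEYWORDS):
        return "low"
    return "unknown"


def overlaps(a, b):
    return (a.x < b.x + b.w and b.x < a.x + a.w
            and a.y < b.y + b.h and b.y < a.y + a.h)


def text_layout_disordered(snap):
    """Assumed meaning of disordered layout: text boxes overlap or leave the page width."""
    boxes = snap.text_boxes
    for i, a in enumerate(boxes):
        if a.x < 0 or a.y < 0 or a.x + a.w > snap.width:
            return True
        if any(overlaps(a, b) for b in boxes[i + 1:]):
            return True
    return False


def new_windows(baseline, observed):
    """Labels of windows present after injection that the baseline did not show."""
    known = {w.label for w in baseline.windows}
    return [w.label for w in observed.windows if w.label not in known]


def detect(page_text, baseline, observed):
    """Steps 303-306: pick the suspect, extract only its feature, decide."""
    level = protection_level(page_text)
    suspect = SUSPECT_BY_LEVEL.get(level)
    if suspect:
        checked = [FEATURE_BY_SUSPECT[suspect]]
    else:  # no level matched: fall back to every feature (assumption)
        checked = sorted(FEATURE_BY_SUSPECT.values())
    findings = []
    if "windows" in checked:
        findings += ["unexpected window: " + w for w in new_windows(baseline, observed)]
    if ("text_layout" in checked and text_layout_disordered(observed)
            and not text_layout_disordered(baseline)):
        findings.append("text layout disordered")
    return {"level": level, "suspect": suspect, "checked": checked,
            "abnormal": bool(findings), "findings": findings}


# Constructed sample renderings, before and after test data is injected.
BANK_TEXT = "Example Bank - sign in to online banking"
BANK_BEFORE = Snapshot(1280, [Box("Sign in", 40, 40, 200, 30), Box("Password", 40, 90, 200, 30)])
BANK_AFTER = Snapshot(1280, BANK_BEFORE.text_boxes, [Box("Click here to continue", 400, 200, 300, 150)])
NEWS_TEXT = "Sina News - top stories"
NEWS_BEFORE = Snapshot(1280, [Box("Headline", 40, 40, 600, 40), Box("Summary", 40, 90, 600, 60)])
NEWS_AFTER = Snapshot(1280, [Box("Headline", 40, 40, 600, 40), Box("Summary", 40, 60, 600, 60)])

if __name__ == "__main__":
    for text, before, after in ((BANK_TEXT, BANK_BEFORE, BANK_AFTER),
                                (NEWS_TEXT, NEWS_BEFORE, NEWS_AFTER)):
        print(detect(text, before, after))
```

Because extraction is targeted, a page classified as high is checked only for unexpected windows, so a disordered text layout on that page is not reported by this step.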
Further, in the embodiment shown in Fig. 3 above, a large amount of malicious data may be stored in the preset database. However, web pages with the same security protection information may have the same kinds of vulnerabilities, and the malicious data used to attack web pages through these vulnerabilities is relatively fixed. Therefore, to improve the working efficiency of the vulnerability scanner, the embodiment of the present invention may skip performing step 300 and step 301 first and instead, before "extracting the visual feature data of the web page" in step 304, perform step 300 "obtaining malicious data from the preset database" and step 301 "injecting malicious data into the web page" according to the second suspicious vulnerability, and then perform "extracting the visual feature data of the web page" in step 304.
Further, in the embodiments shown in Fig. 2 and Fig. 3 above, when performing step 205 "detecting whether the web page is abnormal according to the visual feature data of the web page" and/or step 305 "detecting whether the web page is abnormal according to the visual feature data of the web page", if no abnormality is detected in the web page, the web page can be further checked for vulnerabilities using a prior-art vulnerability detection method or the following steps, to reduce the rate of missed vulnerabilities (false negatives) and the rate of falsely reported vulnerabilities (false positives):
1) Obtain the information of the web page.
In a specific implementation, the web page can be analyzed to obtain its various information, for example, the source code of the web page and the script functions corresponding to the various events in the web page.
2) According to preset keywords, detect whether the information of the web page contains a vulnerability-related script function.
The embodiment of the present invention can collect different vulnerabilities and analyze the collected vulnerabilities to obtain the features of each kind of vulnerability, set the keywords corresponding to each vulnerability according to those features, and store the keywords. For example, each web page includes multiple events, and different events correspond to different script functions. Each script function necessarily contains a specific piece of code that identifies it, and the malicious data used to attack web pages through vulnerabilities is also made up of script functions. The embodiment of the present invention can define these script functions as vulnerability-related script functions. Therefore, the preset keywords in the embodiment of the present invention can be, but are not limited to, part or all of the specific code contained in the script functions related to different vulnerabilities.
In a specific implementation, when a web page is requested, if the web page has no vulnerability, it may not accept malicious data, or it may not execute the vulnerability-related script function after receiving malicious data. Therefore, when detecting whether the web page has a vulnerability, it is necessary to obtain the information of the web page and, according to the preset keywords, detect whether it contains a vulnerability-related script function.
3) If the information of the web page is detected to contain a vulnerability-related script function, execute the vulnerability-related script function and judge whether it executes successfully.
If the information of the web page is detected to contain a vulnerability-related script function, the web page is relatively likely to have a vulnerability, but this alone cannot determine that it does; the web page can at this point be classified as a suspicious web page. In a specific implementation, attacking a web page through a vulnerability in order to steal accounts of various systems, tamper with or delete back-end data, steal sensitive system data, carry out phishing attacks and so on requires the vulnerability-related script function to be executed successfully. Therefore, to further determine whether the web page has a vulnerability, the embodiment of the present invention can actively execute the vulnerability-related script function and judge whether it executes successfully.
4) If the vulnerability-related script function is judged to have executed successfully, determine that the web page has a vulnerability.
For example, if a web page has a vulnerability, the vulnerability-related script function executes successfully when it is run; if a web page has no vulnerability, the vulnerability-related script function cannot execute successfully. Therefore, in the embodiment of the present invention, if the vulnerability-related script function is judged to have executed successfully, it can be determined that the web page has a vulnerability.
The method for vulnerability detection based on a visual analysis system according to the embodiment of the present invention achieves intuitive detection of vulnerabilities in the web page, improves the working efficiency of the vulnerability scanning tool, and reduces the rate of missed vulnerabilities (false negatives) and the rate of falsely reported vulnerabilities (false positives).
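Steps 1) and 2) amount to a static scan of the page's script functions against preset keywords. The following added example (not code from the patent) covers those two steps only and stops at classifying the page as suspicious; the keyword list, the sample page and all class and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed preset keywords, keyed by the vulnerability they were collected for.
PRESET_KEYWORDS = {
    "CSS": ("document.cookie", "document.write(", "eval("),
}


class PageInfo(HTMLParser):
    """Step 1): collect the script code bound to each event and inline <script> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.functions = []  # list of (location, code)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
        for name, value in attrs:
            # Event handler attributes (onclick, onerror, ...) hold script code.
            if name.startswith("on") and value:
                self.functions.append((f"<{tag}> {name}", value))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._buf).strip()
            if code:
                self.functions.append(("<script>", code))


def scan(html, keywords=PRESET_KEYWORDS):
    """Step 2): return (location, vulnerability, keyword) for every keyword match."""
    info = PageInfo()
    info.feed(html)
    info.close()
    hits = []
    for location, code in info.functions:
        normalized = " ".join(code.lower().split())
        for vuln, words in keywords.items():
            for word in words:
                if word in normalized:
                    hits.append((location, vuln, word))
    return hits


def classify(html):
    """A keyword match only makes the page suspicious; it is not yet a finding."""
    return "suspicious" if scan(html) else "no keyword match"


# Constructed sample page: one handler touches the cookie, the paragraph only mentions it.
SAMPLE_PAGE = """<html><body>
<h1>Comments</h1>
<img src="avatar.png" onerror="report(document.cookie)">
<button onclick="submitForm()">Send</button>
<script>function submitForm() { document.forms[0].submit(); }</script>
<p>Tip: never paste document.cookie into a chat window.</p>
</body></html>"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_PAGE):
        print(hit)
    print(classify(SAMPLE_PAGE))
```

The keyword in the visible paragraph text is not reported, because only event handlers and inline script bodies are treated as script functions.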
Embodiment four
Fig. 4 is a schematic structural diagram of device embodiment one for vulnerability detection based on a visual analysis system according to the embodiment of the present invention. As shown in Fig. 4, the device for vulnerability detection based on a visual analysis system according to the embodiment of the present invention may include an extraction module 10, a detection module 11 and a determination module 12. In a specific implementation, the modules can exchange data with one another.
Extraction module 10, configured to extract the visual feature data of the web page;
For example, in the embodiment of the present invention, the visual feature data of the web page may include, but is not limited to, at least one of the text information of the web page, the real-time pictures of the web page, and the background information of the web page.
Detection module 11, configured to detect whether the web page is abnormal according to the visual feature data of the web page;
Specifically, the detection module 11 is configured to: detect whether the text information of the web page is laid out in a disordered way and, if it is, determine that the web page is abnormal; and/or detect whether pictures have been added to or removed from the real-time pictures of the web page and, if they have, determine that the web page is abnormal; and/or detect whether the background information of the web page matches preset background information and, if it does not match, determine that the web page is abnormal.
Determination module 12, configured to determine that the web page has a vulnerability if the detection module 11 detects that the web page is abnormal.
The device for vulnerability detection based on a visual analysis system according to the embodiment of the present invention uses the above modules to detect web page vulnerabilities by the same mechanism as the embodiment shown in Fig. 1 above; see the description of that embodiment for details, which are not repeated here.
Using the above modules, the device for vulnerability detection based on a visual analysis system according to the embodiment of the present invention can extract the visual feature data of the web page through the visual analysis system, detect whether the web page is abnormal according to that data and, if an abnormality is detected, determine that the web page has a vulnerability. This avoids having to perform operations such as decoding on the web page and obtaining the HTTP request from the information entered by the user before a vulnerability in the web page can be detected. The technical solution of the embodiment of the present invention can detect vulnerabilities in web pages intuitively, with a simple process, improving the working efficiency of the vulnerability scanning tool.
Embodiment five
Fig. 5 is a schematic structural diagram of device embodiment two for vulnerability detection based on a visual analysis system according to the embodiment of the present invention. As shown in Fig. 5, the device for vulnerability detection based on a visual analysis system according to the embodiment of the present invention may, on the basis of the embodiment shown in Fig. 4, further include an acquisition module 13 and an injection module 14.
Acquisition module 13, configured to obtain malicious data from the preset database;
Injection module 14, configured to inject malicious data into the web page.
In a specific implementation, the extraction module 10 is specifically configured to: determine the type of the web page through the visual analysis system; determine the first suspicious vulnerability corresponding to the web page according to the type of the web page; and extract the visual feature data of the web page according to the first suspicious vulnerability; and/or determine the security protection information of the web page through the visual analysis system; determine the second suspicious vulnerability corresponding to the web page according to the security protection information of the web page; and extract the visual feature data of the web page according to the second suspicious vulnerability.
The device for vulnerability detection based on a visual analysis system according to the embodiment of the present invention uses the above modules to detect web page vulnerabilities by the same mechanism as the embodiments shown in Fig. 2 and Fig. 3 above; see the description of those embodiments for details, which are not repeated here.
Those skilled in the art should understand that the embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, commodity or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of additional identical elements in the process, method, commodity or device that includes the element.
Those skilled in the art will understand that the embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the embodiments of the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The above are merely embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall fall within the scope of the claims of the present application.
Claims (10)
1. A method for vulnerability detection based on a visual analysis system, characterized by comprising:
extracting the visual feature data of the web page through a visual analysis system;
detecting, according to the visual feature data of the web page, whether the web page is abnormal;
if the web page is detected to be abnormal, determining that the web page has a vulnerability.
2. The method according to claim 1, characterized in that the visual feature data of the web page includes:
at least one of the text information of the web page, the real-time pictures of the web page, and the background information of the web page;
detecting, according to the visual feature data of the web page, whether the web page is abnormal includes:
detecting whether the text information of the web page is laid out in a disordered way and, if the text information of the web page is detected to be laid out in a disordered way, determining that the web page is abnormal; and/or
detecting whether pictures have been added to or removed from the real-time pictures of the web page and, if pictures are detected to have been added or removed, determining that the web page is abnormal; and/or
detecting whether the background information of the web page matches preset background information and, if the background information of the web page is detected not to match the preset background information, determining that the web page is abnormal.
3. The method according to claim 1, characterized in that extracting the visual feature data of the web page through the visual analysis system includes:
determining the type of the web page through the visual analysis system;
determining, according to the type of the web page, the first suspicious vulnerability corresponding to the web page;
extracting the visual feature data of the web page according to the first suspicious vulnerability.
4. The method according to claim 1, characterized in that extracting the visual feature data of the web page through the visual analysis system includes:
determining the security protection information of the web page through the visual analysis system;
determining, according to the security protection information of the web page, the second suspicious vulnerability corresponding to the web page;
extracting the visual feature data of the web page according to the second suspicious vulnerability.
5. The method according to any one of claims 1-4, characterized in that, before extracting the visual feature data of the web page through the visual analysis system, the method further includes:
obtaining malicious data from a preset database;
injecting the malicious data into the web page.
6. A device for vulnerability detection based on a visual analysis system, characterized by comprising:
an extraction module, configured to extract the visual feature data of the web page through a visual analysis system;
a detection module, configured to detect, according to the visual feature data of the web page, whether the web page is abnormal;
a determination module, configured to determine that the web page has a vulnerability if the detection module detects that the web page is abnormal.
7. The device according to claim 6, characterized in that the visual feature data of the web page includes:
at least one of the text information of the web page, the real-time pictures of the web page, and the background information of the web page;
the detection module is specifically configured to:
detect whether the text information of the web page is laid out in a disordered way and, if the text information of the web page is detected to be laid out in a disordered way, determine that the web page is abnormal; and/or
detect whether pictures have been added to or removed from the real-time pictures of the web page and, if pictures are detected to have been added or removed, determine that the web page is abnormal; and/or
detect whether the background information of the web page matches preset background information and, if the background information of the web page is detected not to match the preset background information, determine that the web page is abnormal.
8. The device according to claim 6, characterized in that the extraction module is specifically configured to:
determine the type of the web page through the visual analysis system;
determine, according to the type of the web page, the first suspicious vulnerability corresponding to the web page;
extract the visual feature data of the web page according to the first suspicious vulnerability.
9. The device according to claim 6, characterized in that the extraction module is specifically configured to:
determine the security protection information of the web page through the visual analysis system;
determine, according to the security protection information of the web page, the second suspicious vulnerability corresponding to the web page;
extract the visual feature data of the web page according to the second suspicious vulnerability.
10. The device according to any one of claims 6-9, characterized by further comprising:
an acquisition module, configured to obtain malicious data from a preset database;
an injection module, configured to inject the malicious data into the web page.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710328207.5A CN107180194B (en) | 2017-05-11 | 2017-05-11 | Method and device for vulnerability detection based on visual analysis system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107180194A (en) | 2017-09-19 |
CN107180194B (en) | 2020-05-05 |
Family
ID=59832197
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710328207.5A Active CN107180194B (en) | 2017-05-11 | 2017-05-11 | Method and device for vulnerability detection based on visual analysis system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107180194B (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102779245A (en) * | 2011-05-12 | 2012-11-14 | 李朝荣 | Webpage abnormality detection method based on image processing technology |
CN102622435A (en) * | 2012-02-29 | 2012-08-01 | 百度在线网络技术(北京)有限公司 | Method and device for detecting black chain |
CN103065089A (en) * | 2012-12-11 | 2013-04-24 | 深信服网络科技(深圳)有限公司 | Method and device for detecting webpage Trojan horses |
CN103425931A (en) * | 2012-12-27 | 2013-12-04 | 北京安天电子设备有限公司 | Abnormal web script detection method and system |
WO2015188743A1 (en) * | 2014-06-11 | 2015-12-17 | Tencent Technology (Shenzhen) Company Limited | Web page vulnerability detection method and apparatus |
CN104951700A (en) * | 2014-10-11 | 2015-09-30 | 腾讯科技(深圳)有限公司 | Webpage loophole detecting method and device |
CN106485152A (en) * | 2016-09-30 | 2017-03-08 | 北京奇虎科技有限公司 | Leak detection method and device |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108810025A (en) * | 2018-07-19 | 2018-11-13 | 平安科技(深圳)有限公司 | A kind of security assessment method of darknet, server and computer-readable medium |
CN113316786A (en) * | 2019-01-30 | 2021-08-27 | 国际商业机器公司 | Vulnerability exploitation toolkit detection |
CN110135140A (en) * | 2019-04-18 | 2019-08-16 | 深圳壹账通智能科技有限公司 | Information protecting method, device, computer equipment and storage medium |
CN113641933A (en) * | 2021-06-30 | 2021-11-12 | 北京百度网讯科技有限公司 | Abnormal webpage identification method, abnormal site identification method and device |
CN113641933B (en) * | 2021-06-30 | 2023-10-20 | 北京百度网讯科技有限公司 | Abnormal webpage identification method, abnormal site identification method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107180194B (en) | 2020-05-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8146135B2 (en) | Establishing and enforcing security and privacy policies in web-based applications | |
US9712560B2 (en) | Web page and web browser protection against malicious injections | |
US9935967B2 (en) | Method and device for detecting malicious URL | |
CN103559235B (en) | A kind of online social networks malicious web pages detection recognition methods | |
CN107180194A (en) | View-based access control model analysis system carries out the method and device of Hole Detection | |
US11716349B2 (en) | Machine learning detection of database injection attacks | |
US20140359760A1 (en) | System and method for detecting phishing webpages | |
CN109922052A (en) | A kind of malice URL detection method of combination multiple characteristics | |
CN102436563B (en) | Method and device for detecting page tampering | |
CN102799830B (en) | Improved SQL (Structured Query Language) injection flaw detection method | |
Zhao et al. | A review of computer vision methods in network security | |
Zhang et al. | Web phishing detection based on page spatial layout similarity | |
CN105871850A (en) | Crawler detection method and crawler detection system | |
CN109241484A (en) | A kind of sending method and equipment of the web data based on encryption technology | |
CN112182614B (en) | Dynamic Web application protection system | |
CN109104421A (en) | A kind of web site contents altering detecting method, device, equipment and readable storage medium storing program for executing | |
CN105868290A (en) | Search result presentation method and apparatus | |
CN107103243A (en) | The detection method and device of leak | |
Bird et al. | Actions speak louder than words: Semi-supervised learning for browser fingerprinting detection | |
US10002254B2 (en) | Systems and methods for SQL type evaluation to detect evaluation flaws | |
Yiğit et al. | SQL injection attacks detection & prevention techniques | |
US10025936B2 (en) | Systems and methods for SQL value evaluation to detect evaluation flaws | |
Das et al. | Detection of cross-site scripting attack under multiple scenarios | |
Kaur et al. | Five-tier barrier anti-phishing scheme using hybrid approach | |
US20190303577A1 (en) | System and method of detecting a modification of a web resource |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||