CN107180194A - Method and device for vulnerability detection based on a visual analysis system


Info

Publication number: CN107180194A
Authority: CN (China)
Application number: CN201710328207.5A
Other languages: Chinese (zh)
Other versions: CN107180194B (en)
Inventor: 林榆坚
Original and current assignee: BEIJING AISEC TECHNOLOGY Co Ltd
Legal status: granted (application filed by BEIJING AISEC TECHNOLOGY Co Ltd, published as CN107180194A, granted as CN107180194B; currently active)

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F2221/034 Test or assess a computer or a system (G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links (G06F2221/00 > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)

Abstract

Embodiments of the invention provide a method and device for vulnerability detection based on a visual analysis system. The method includes: extracting the visual feature data of a webpage through the visual analysis system; detecting, according to the visual feature data of the webpage, whether the webpage is abnormal; and, if the webpage is detected to be abnormal, determining that the webpage has a vulnerability. The technical scheme of the embodiments can detect vulnerabilities in a webpage intuitively, with a simple process, and improves the working efficiency of a vulnerability scanner.

Description

Method and device for vulnerability detection based on a visual analysis system
Technical field
Embodiments of the present invention relate to the field of network technology, and in particular to a method and device for vulnerability detection based on a visual analysis system.
Background
In recent years, with the rapid development of Internet technology, more and more users deploy their key business as Web applications. While all kinds of information are displayed and exchanged with Web servers through browsers, criminals can exploit various vulnerabilities to steal accounts on all sorts of systems, tamper with or delete back-end data, steal sensitive system data, carry out phishing attacks and so on, causing harm to users' data and property.
At present, a conventional vulnerability scanner generally decodes and otherwise processes the webpage, obtains HTTP (HyperText Transfer Protocol) requests from the information entered by the user, and inspects those HTTP requests in order to learn whether the webpage has a vulnerability.
However, some malicious data, after attacking a webpage through a vulnerability, changes the visual effect of the webpage. In that case, determining whether the webpage has a vulnerability by obtaining HTTP requests from the information entered by the user is comparatively laborious and reduces the working efficiency of the vulnerability scanner.
Summary of the invention
Embodiments of the present invention provide a method and device for vulnerability detection based on a visual analysis system, which can detect vulnerabilities in a webpage intuitively, with a simple process, and improve the working efficiency of a vulnerability scanner.
An embodiment of the present invention provides a method for vulnerability detection based on a visual analysis system, characterised in that it includes:
extracting the visual feature data of the webpage through the visual analysis system;
detecting, according to the visual feature data of the webpage, whether the webpage is abnormal;
if the webpage is detected to be abnormal, determining that the webpage has a vulnerability.
Further, in the method described above, the visual feature data of the webpage includes:
at least one of the text information of the webpage, the real-time screen of the webpage and the background information of the webpage;
and detecting, according to the visual feature data of the webpage, whether the webpage is abnormal includes:
detecting whether the text information of the webpage has a disordered layout, and if the text information of the webpage is detected to have a disordered layout, determining that the webpage is abnormal; and/or
detecting whether windows have appeared in or disappeared from the real-time screen of the webpage, and if windows are detected to have appeared in or disappeared from the real-time screen of the webpage, determining that the webpage is abnormal; and/or
detecting whether the background information of the webpage matches the default background information, and if the background information of the webpage is detected not to match the default background information, determining that the webpage is abnormal.
Further, in the method described above, extracting the visual feature data of the webpage through the visual analysis system includes:
determining the type of the webpage through the visual analysis system;
determining, according to the type of the webpage, the first suspected vulnerability corresponding to the webpage;
extracting the visual feature data of the webpage according to the first suspected vulnerability.
Further, in the method described above, extracting the visual feature data of the webpage through the visual analysis system includes:
determining the security protection information of the webpage through the visual analysis system;
determining, according to the security protection information of the webpage, the second suspected vulnerability corresponding to the webpage;
extracting the visual feature data of the webpage according to the second suspected vulnerability.
Further, in the method described above, before extracting the visual feature data of the webpage through the visual analysis system, the method also includes:
obtaining malicious data from a preset database;
injecting the malicious data into the webpage.
An embodiment of the present invention also provides a device for vulnerability detection based on a visual analysis system, characterised in that it includes:
an extraction module, for extracting the visual feature data of the webpage through the visual analysis system;
a detection module, for detecting, according to the visual feature data of the webpage, whether the webpage is abnormal;
a determining module, for determining that the webpage has a vulnerability if the detection module detects that the webpage is abnormal.
Further, in the device described above, the visual feature data of the webpage includes:
at least one of the text information of the webpage, the real-time screen of the webpage and the background information of the webpage;
and the detection module is specifically configured to:
detect whether the text information of the webpage has a disordered layout, and if the text information of the webpage is detected to have a disordered layout, determine that the webpage is abnormal; and/or
detect whether windows have appeared in or disappeared from the real-time screen of the webpage, and if windows are detected to have appeared in or disappeared from the real-time screen of the webpage, determine that the webpage is abnormal; and/or
detect whether the background information of the webpage matches the default background information, and if the background information of the webpage is detected not to match the default background information, determine that the webpage is abnormal.
Further, in the device described above, the extraction module is specifically configured to:
determine the type of the webpage through the visual analysis system;
determine, according to the type of the webpage, the first suspected vulnerability corresponding to the webpage;
extract the visual feature data of the webpage according to the first suspected vulnerability.
Further, in the device described above, the extraction module is specifically configured to:
determine the security protection information of the webpage through the visual analysis system;
determine, according to the security protection information of the webpage, the second suspected vulnerability corresponding to the webpage;
extract the visual feature data of the webpage according to the second suspected vulnerability.
Further, the device described above also includes:
an acquisition module, for obtaining malicious data from the preset database;
an injection module, for injecting the malicious data into the webpage.
With the method and device for vulnerability detection based on a visual analysis system of the embodiments of the present invention, after the visual analysis system extracts the visual feature data of a webpage, whether the webpage is abnormal is detected according to that visual feature data, and if the webpage is detected to be abnormal it is determined to have a vulnerability. This avoids having to decode and otherwise process the webpage, and to obtain HTTP requests from the information entered by the user, before a vulnerability in the webpage can be detected. The technical scheme of the embodiments can detect vulnerabilities in a webpage intuitively, with a simple process, and improves the working efficiency of a vulnerability scanner.
Brief description of the drawings
The drawings described here are provided for further understanding of the embodiments of the present invention and form part of them; the schematic embodiments and their description serve to explain the embodiments of the present invention and do not constitute an improper limitation of them. In the drawings:
Fig. 1 is a flowchart of method embodiment one of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 2 is a flowchart of method embodiment two of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 3 is a flowchart of method embodiment three of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of device embodiment one of vulnerability detection based on a visual analysis system according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of device embodiment two of vulnerability detection based on a visual analysis system according to an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme of the embodiments is described clearly and completely below in conjunction with specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the embodiments of the present invention.
The terms "first", "second" and the like (if present) in the description, the claims and the drawings above are used to distinguish similar items, not to describe a specific order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated here.
The technical scheme provided by each embodiment of the present invention is described in detail below in conjunction with the drawings.
Embodiment one
Fig. 1 is a flowchart of method embodiment one of vulnerability detection based on a visual analysis system according to an embodiment of the present invention. As shown in Fig. 1, the method for vulnerability detection based on a visual analysis system of this embodiment may specifically include the following steps:
100. Extract the visual feature data of the webpage through the visual analysis system.
For example, some malicious data, after attacking a webpage through a vulnerability, changes the visual effect of the webpage. Therefore, in order to find out relatively quickly whether a webpage has a vulnerability, the embodiment of the present invention can set up a visual analysis system in the scanner and extract the visual feature data of the webpage through that visual analysis system.
In one specific implementation, a visual analysis system realises human visual capability with a computer and is mainly responsible for acquiring images, processing images, outputting images and so on. For example, after a webpage is opened, the visual analysis system can acquire the display content of the webpage, form an image, process the image (for example by zooming in or out), and output the processed image. After the visual analysis system outputs the display content of the webpage as an image, the embodiment can extract the visual feature data of the webpage from the output image. For example, the visual feature data of the webpage may include, but is not limited to, at least one of: the text information of the webpage, the real-time screen of the webpage, and the background information of the webpage.
101. Detect, according to the visual feature data of the webpage, whether the webpage is abnormal.
Specifically, the user interface (User Interface, UI) of each webpage can be designed to a design specification set according to requirements, so that it maximises the user experience when presented to the user; that is, once a webpage is opened, the UI presented to the user has a good display effect. For example, the design specification may include, but is not limited to, at least one of: the text information of the page uses a unified font; the font sizes of titles and body text differ; the layout is standardised and attractive; the colours used for the page background do not affect the display of the page text; and the page does not play advertisements or, if it does, the advertisements do not affect the display of the page text.
Therefore, after extracting the visual feature data of the webpage, the embodiment can in effect see the display effect of the webpage's UI directly. For a given webpage, if it has no vulnerability, it will not receive malicious data, or, having received malicious data, it will not execute the code corresponding to the malicious data; in that case the webpage, once opened, shows its UI to the user according to the design specification, which indicates that the webpage is not abnormal. If the webpage has a vulnerability, then after it is attacked by some malicious data through that vulnerability, the UI presented to the user may change and the display effect is affected, which indicates that the webpage is abnormal. Therefore, after extracting the visual feature data of the webpage, the embodiment can detect whether the webpage is abnormal.
102. If the webpage is detected to be abnormal, determine that the webpage has a vulnerability.
For example, under normal circumstances the text information of the webpage has a standardised layout structure in the webpage's UI. Therefore, if the visual feature data of the webpage includes the text information of the webpage, the embodiment can detect whether the text information of the webpage has a disordered layout; if the text information is detected to have a disordered layout, it determines that the webpage is abnormal and hence that the webpage has a vulnerability. For example, if words in the text information of the webpage are deformed, or the text no longer reads coherently in context, the text information can be considered to have a disordered layout, indicating that the webpage is abnormal.
For another example, under normal circumstances a window does not suddenly pop up or disappear in the UI of the webpage. Therefore, if the visual feature data of the webpage includes the real-time screen of the webpage, the embodiment can detect whether windows have appeared in or disappeared from the real-time screen; if so, it determines that the webpage is abnormal and hence that the webpage has a vulnerability. For example, if a window suddenly appears in the real-time screen of the webpage, the webpage can be considered abnormal.
In another example, under normal circumstances the background colour of the webpage's UI is fixed. Therefore, if the visual feature data of the webpage includes the background information of the webpage, the embodiment can detect whether the background information of the webpage matches the default background information; if the background information is detected not to match the default background information, it determines that the webpage is abnormal and hence that the webpage has a vulnerability. For example, if the background colour of a webpage is white but the background colour of the webpage obtained through the visual analysis system is green, the webpage can be considered abnormal.
It should be noted that the present invention is not limited to the above ways of detecting whether a webpage is abnormal.
The executing body of the method for vulnerability detection based on a visual analysis system of this embodiment may be a device for vulnerability detection based on a visual analysis system, and that device may be implemented in software; for example, the device may be an application. The present invention does not specifically limit this.
With the method for vulnerability detection based on a visual analysis system of this embodiment, after the visual analysis system extracts the visual feature data of a webpage, whether the webpage is abnormal is detected according to that visual feature data, and if the webpage is detected to be abnormal it is determined to have a vulnerability. This avoids having to decode and otherwise process the webpage, and to obtain HTTP requests from the information entered by the user, before a vulnerability in the webpage can be detected. The technical scheme of this embodiment can detect vulnerabilities in a webpage intuitively, with a simple process, and improves the working efficiency of a vulnerability scanner.
Embodiment two
Fig. 2 is a flowchart of method embodiment two of vulnerability detection based on a visual analysis system according to an embodiment of the present invention. As shown in Fig. 2, the method for vulnerability detection based on a visual analysis system of this embodiment describes the technical scheme in further detail on the basis of the embodiment shown in Fig. 1.
As shown in Fig. 2, the method for vulnerability detection based on a visual analysis system of this embodiment may specifically include the following steps:
200. Obtain malicious data from the preset database.
For example, since a vulnerability is what malicious data uses to attack a webpage, if a webpage has a vulnerability, the malicious data attacking it through that vulnerability does not want to be detected; after attacking through the vulnerability it may deliberately avoid having a noticeable effect on the display of the webpage's UI, so that the user cannot easily notice that the webpage is abnormal. In that case the method for vulnerability detection based on a visual analysis system of this embodiment would not find an anomaly in the webpage and might conclude that the webpage has no vulnerability, or that the webpage was not attacked by malicious data, causing a missed detection of the vulnerability.
Therefore, to solve this problem, the embodiment actively obtains malicious data from the preset database before or after opening the webpage, so as to inject the malicious data into the webpage.
It should be noted that, in order to carry out the method on a webpage, the embodiment may open the webpage in a sandbox; if the code corresponding to the obtained malicious data is executed, it will affect the visual effect of the webpage.
201. Inject the malicious data into the webpage.
After the malicious data is obtained from the preset database, it is injected into the webpage, which ensures that malicious data does attack the webpage, so that whether the webpage has a vulnerability can then be detected.
202. Determine the type of the webpage through the visual analysis system.
The embodiment can obtain the display content of the webpage through the visual analysis system and determine the type of the webpage according to keywords in the display content. For example, from keywords such as "bank" it can learn that the webpage is an online banking webpage, or from keywords such as "Sina News" it can learn that the webpage is a news webpage.
203. Determine, according to the type of the webpage, the first suspected vulnerability corresponding to the webpage.
In one specific implementation, webpages of the same type may have the same kinds of vulnerabilities, but different vulnerabilities may affect the display of the webpage's UI differently. Therefore, in order to detect faster whether a webpage has a vulnerability, the embodiment can, after determining the type of the webpage, determine according to that type which first suspected vulnerability corresponds to the webpage.
For example, the vulnerability that an online banking webpage may have is mainly a cross-site scripting (Cross Site Script, CSS; more commonly abbreviated XSS) vulnerability, while the vulnerability that a news webpage may have is mainly a SQL (Structured Query Language) injection vulnerability. Therefore, if the embodiment determines that the webpage is an online banking webpage, it can determine that the webpage may have a CSS vulnerability; similarly, if it determines that the webpage is a news webpage, it can determine that the webpage may have a SQL injection vulnerability.
204. Extract the visual feature data of the webpage according to the first suspected vulnerability.
For example, a CSS vulnerability is likely to cause, after malicious data attacks a webpage, a window to pop up in the webpage's UI inviting the user to click a link, whereas a SQL injection vulnerability is likely to cause, after malicious data attacks a webpage, the text information in the webpage's UI to be laid out in a disordered way. Therefore, the embodiment can extract the visual feature data of the webpage in a targeted way according to the determined first suspected vulnerability, so as to detect quickly whether the webpage has a vulnerability.
205. Detect, according to the visual feature data of the webpage, whether the webpage is abnormal; if the webpage is detected to be abnormal, perform step 206; otherwise, if the webpage is not abnormal, end.
The implementation of this step is the same as that of step 101 of the embodiment shown in Fig. 1; see the related description above, which is not repeated here.
206. Determine that the webpage has a vulnerability.
The implementation of this step is the same as that of step 102 of the embodiment shown in Fig. 1; see the related description above, which is not repeated here.
The method for vulnerability detection based on a visual analysis system of this embodiment injects malicious data into the webpage, determines the first suspected vulnerability corresponding to the type of the webpage, extracts the visual feature data of the webpage in a targeted way according to that first suspected vulnerability, and detects from that visual feature data whether the webpage has a vulnerability. It thus detects vulnerabilities in the webpage intuitively, reduces the missed-detection rate for vulnerabilities and improves the working efficiency of the vulnerability scanner.
Further, in the embodiment of Fig. 2 above, the preset database may store a large amount of malicious data, but webpages of the same type may have the same kinds of vulnerabilities, and the malicious data that attacks a webpage through those vulnerabilities is relatively fixed. Therefore, in order to improve the working efficiency of the vulnerability scanner, the embodiment need not perform steps 200 and 201 first; instead, before step 204 "extract the visual feature data of the webpage according to the first suspected vulnerability", it may perform step 200 "obtain malicious data from the preset database" and step 201 "inject the malicious data into the webpage", and then perform step 204 "extract the visual feature data of the webpage".
Embodiment three
Fig. 3 is a flowchart of method embodiment three of vulnerability detection based on a visual analysis system according to an embodiment of the present invention. As shown in Fig. 3, the method for vulnerability detection based on a visual analysis system of this embodiment describes the technical scheme in further detail on the basis of the embodiment shown in Fig. 1.
As shown in Fig. 3, the method for vulnerability detection based on a visual analysis system of this embodiment may specifically include the following steps:
300. Obtain malicious data from the preset database.
The implementation of this step is the same as that of step 200 of the embodiment shown in Fig. 2; see the related description above, which is not repeated here.
301. Inject the malicious data into the webpage.
The implementation of this step is the same as that of step 201 of the embodiment shown in Fig. 2; see the related description above, which is not repeated here.
302. Determine the security protection information of the webpage through the visual analysis system.
The embodiment can obtain the display content of the webpage through the visual analysis system and determine the security protection information of the webpage according to keywords in the display content. For example, from keywords such as "bank" it can learn that the webpage concerns the user's property security and that its security protection information is high, or from keywords such as "Sina News" it can learn that the webpage concerns browsing information and that its security protection information is low.
303. Determine, according to the security protection information of the webpage, the second suspected vulnerability corresponding to the webpage.
In one specific implementation, webpages with the same security protection information may have the same kinds of vulnerabilities, but different vulnerabilities may affect the display of the webpage's UI differently. Therefore, in order to detect faster whether a webpage has a vulnerability, the embodiment can, after determining the security protection information of the webpage, determine according to that security protection information which second suspected vulnerability corresponds to the webpage.
For example, the vulnerability that a webpage with higher security protection information may have is mainly a cross-site scripting (Cross Site Script, CSS) vulnerability, while the vulnerability that a webpage with lower security protection information may have is mainly a Structured Query Language (SQL) injection vulnerability. Therefore, if the embodiment determines that the webpage has higher security protection information, it can determine that the webpage may have a CSS vulnerability; similarly, if it determines that the webpage has lower security protection information, it can determine that the webpage may have a SQL injection vulnerability.
304. Extract the visual feature data of the webpage according to the second suspected vulnerability.
For example, a CSS vulnerability is likely to cause, after malicious data attacks a webpage, a window to pop up in the webpage's UI inviting the user to click a link, whereas a SQL injection vulnerability is likely to cause, after malicious data attacks a webpage, the text information in the webpage's UI to be laid out in a disordered way. Therefore, the embodiment can extract the visual feature data of the webpage in a targeted way according to the determined suspected vulnerability, so as to detect quickly whether the webpage has a vulnerability.
305. Detect, according to the visual feature data of the webpage, whether the webpage is abnormal; if the webpage is detected to be abnormal, perform step 306; otherwise, if the webpage is not abnormal, end.
The implementation of this step is the same as that of step 101 of the embodiment shown in Fig. 1; see the related description above, which is not repeated here.
306. Determine that the webpage has a vulnerability.
The implementation of this step is the same as that of step 102 of the embodiment shown in Fig. 1; see the related description above, which is not repeated here.
The method that the view-based access control model analysis system of the embodiment of the present invention carries out Hole Detection, by injecting malice number to webpage According to, and according to the security protection information of webpage, determine after its corresponding second suspicious leak, according to the second suspicious leak, there is pin To the visual signature data of the extraction webpage of property, and according to the visual signature data of webpage, detection webpage whether there is leak, real The leak in intuitively detection webpage is showed, has reduced leak rate of failing to report, improve the operating efficiency of vulnerability scanning instrument.
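The flow of steps 302 to 306 above, written out as an added worked example in Python; this is not code from the patent or its assignee. Only the keywords "bank" and "Sina News", the high/low mapping to cross-site scripting and SQL injection, the pop-up and disordered-text effects, and the three generic visual checks (text layout, pictures added or removed, background mismatch) come from the description. The remaining keywords, the feature-snapshot layout, the overlap-based definition of "disordered layout", and the sample pages are constructed for illustration. The example also generalizes slightly: when no security protection level can be determined, it falls back to the three generic checks of the detection module.

```python
from dataclasses import dataclass
from itertools import combinations

# Keyword table for the security protection level. "bank" (high) and "sina news"
# (low) are taken from the description; the other entries are assumed.
HIGH_KEYWORDS = ("bank", "payment", "account login")
LOW_KEYWORDS = ("sina news", "news", "blog")

# Mapping stated in the description: high level -> cross-site scripting
# (abbreviated CSS in the description), low level -> SQL injection.
SUSPECTED_VULNERABILITY = {"high": "cross-site scripting", "low": "SQL injection"}

# Visual checks each suspected vulnerability makes relevant: a CSS vulnerability
# pops up a window, SQL injection disorders the text layout. With no level
# determined, all generic checks of the detection module are run.
TARGETED_CHECKS = {
    "cross-site scripting": ("popup",),
    "SQL injection": ("text_layout",),
    None: ("text_layout", "image_count", "background"),
}


@dataclass(frozen=True)
class TextBlock:
    """Axis-aligned box of one rendered text run, in pixels (constructed model)."""
    x: int
    y: int
    w: int
    h: int

    def overlaps(self, other: "TextBlock") -> bool:
        return (self.x < other.x + other.w and other.x < self.x + self.w
                and self.y < other.y + other.h and other.y < self.y + self.h)


@dataclass(frozen=True)
class VisualSnapshot:
    """Visual feature data of one rendered page state (constructed model)."""
    text_blocks: tuple
    image_count: int
    background: str
    popup_count: int
    viewport_w: int = 1024


def protection_level(display_text):
    """Step 302: derive the security protection level from display keywords."""
    text = display_text.lower()
    if any(k in text for k in HIGH_KEYWORDS):
        return "high"
    if any(k in text for k in LOW_KEYWORDS):
        return "low"
    return None


def text_layout_disordered(snapshot):
    """Assumed definition: text blocks overlap or run past the viewport edge."""
    blocks = snapshot.text_blocks
    if any(b.x + b.w > snapshot.viewport_w for b in blocks):
        return True
    return any(a.overlaps(b) for a, b in combinations(blocks, 2))


def detect_anomalies(baseline, observed, checks):
    """Step 305: compare the targeted features of the post-injection snapshot
    against the baseline and return the names of the checks that fired."""
    fired = []
    if "popup" in checks and observed.popup_count > baseline.popup_count:
        fired.append("popup")
    if ("text_layout" in checks and text_layout_disordered(observed)
            and not text_layout_disordered(baseline)):
        fired.append("text_layout")
    if "image_count" in checks and observed.image_count != baseline.image_count:
        fired.append("image_count")
    if "background" in checks and observed.background != baseline.background:
        fired.append("background")
    return fired


def scan(display_text, baseline, observed):
    """Steps 302-306 end to end; 'vulnerable' is the step 306 verdict."""
    level = protection_level(display_text)
    vuln = SUSPECTED_VULNERABILITY.get(level)
    fired = detect_anomalies(baseline, observed, TARGETED_CHECKS[vuln])
    return {"level": level, "suspected": vuln, "anomalies": fired, "vulnerable": bool(fired)}


# Constructed sample snapshots: baseline render and render after step 301.
BANK_BASELINE = VisualSnapshot((TextBlock(20, 20, 400, 30),), 2, "#ffffff", 0)
BANK_OBSERVED = VisualSnapshot((TextBlock(20, 20, 400, 30),), 2, "#ffffff", 1)
NEWS_BASELINE = VisualSnapshot((TextBlock(20, 20, 400, 30), TextBlock(20, 60, 400, 30)), 3, "#f0f0f0", 0)
NEWS_OBSERVED = VisualSnapshot((TextBlock(20, 20, 400, 30), TextBlock(200, 30, 900, 30)), 3, "#f0f0f0", 0)

if __name__ == "__main__":
    print(scan("Online Bank - Account Login", BANK_BASELINE, BANK_OBSERVED))
    print(scan("Sina News - Today", NEWS_BASELINE, NEWS_OBSERVED))
```

The targeted extraction is what makes the banking case cheap: only the pop-up count is compared, and a disordered text layout on that page would not fire because the description ties that symptom to SQL injection, not to CSS. A scanner that wants the lower false negative rate the description aims for would fall back to the generic checks afterwards, which is the behaviour modelled for the undetermined level.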
Further, in the embodiment shown in Fig. 3, a large amount of malicious data may be stored in the preset database, but the kinds of vulnerabilities present in webpages with the same security protection information may be the same, and the malicious data that attacks a webpage through these vulnerabilities is relatively fixed. Therefore, in order to improve the operating efficiency of the vulnerability scanner, this embodiment of the present invention may not perform steps 300 and 301 first, but instead, before "extracting the visual feature data of the webpage" in step 304, perform step 300 "obtain malicious data from the preset database" and step 301 "inject the malicious data into the webpage" according to the second suspected vulnerability, and only then perform "extracting the visual feature data of the webpage" in step 304.
Further, in the embodiments shown in Fig. 2 and Fig. 3, when performing step 205 "detect, according to the visual feature data of the webpage, whether the webpage has an anomaly" and/or step 305 "detect, according to the visual feature data of the webpage, whether the webpage has an anomaly", if no anomaly is detected in the webpage, the webpage may be further checked for vulnerabilities according to a vulnerability detection method of the prior art or according to the following steps, so as to reduce the false negative rate and the false positive rate:
1) Obtain information of the webpage.
In one specific implementation, the webpage can be analyzed to obtain various information about it, for example the source code of the webpage and the script functions corresponding to the various events in the webpage.
2) Detect, according to preset keywords, whether the information of the webpage contains a vulnerability-related script function.
In this embodiment of the present invention, different vulnerabilities can be collected and analyzed to obtain the features of each kind of vulnerability, so that keywords corresponding to the various vulnerabilities are set according to those features and stored. For example, each webpage contains multiple events, different events correspond to different script functions, and each script function necessarily contains a specific piece of code that identifies it; the malicious data that attacks a webpage through a vulnerability is also composed of script functions. This embodiment of the present invention can define these script functions as vulnerability-related script functions, so the preset keywords may be, but are not limited to, part or all of the specific code contained in the script functions related to the different vulnerabilities.
In one specific implementation, when the webpage is requested, if the webpage has no vulnerability it may not receive the malicious data, or may receive the malicious data but not execute the vulnerability-related script function. Therefore, when detecting whether the webpage has a vulnerability, it is necessary to obtain the information of the webpage and to detect, according to the preset keywords, whether that information contains a vulnerability-related script function.
3) If the information of the webpage is detected to contain a vulnerability-related script function, execute the vulnerability-related script function and judge whether it executes successfully.
If the information of the webpage is detected to contain a vulnerability-related script function, the probability that the webpage has a vulnerability is relatively high, but it cannot be directly determined that the webpage has a vulnerability; at this point the webpage can be classified as a suspicious webpage. In one specific implementation, to attack a webpage through a vulnerability and thereby steal the accounts of various systems, tamper with or delete back-end data, steal system-sensitive data, carry out phishing attacks and so on, the vulnerability-related script function must be executed successfully. Therefore, in order to further determine whether the webpage has a vulnerability, this embodiment of the present invention can actively execute the vulnerability-related script function and judge whether it executes successfully.
4) If the vulnerability-related script function is judged to execute successfully, determine that the webpage has a vulnerability.
For example, if a webpage has a vulnerability, the vulnerability-related script function can be executed successfully when it is run; if a webpage has no vulnerability, the vulnerability-related script function cannot be executed successfully when it is run. Therefore, in this embodiment of the present invention, if the vulnerability-related script function is judged to execute successfully, it can be determined that the webpage has a vulnerability.
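Steps 1) and 2) of the fallback check above (obtain the page information, then match preset keywords against its script functions), as an added example in Python that is not the patent's own code. The sample pages and the three keyword signatures are constructed for illustration; the description only says that the keywords are code fragments collected per vulnerability class. Steps 3) and 4), the controlled execution of a matched function, are not modelled here: the example stops at the "suspicious" classification that the description assigns at that point.

```python
from html.parser import HTMLParser

# Preset keywords: code fragments that vulnerability-related script functions
# contain. These three signatures are constructed for this example.
PRESET_KEYWORDS = ("document.cookie", "eval(", "location.href=")


class PageInfoCollector(HTMLParser):
    """Step 1: collect the page's script functions, i.e. inline <script>
    bodies and the handler code attached to on* event attributes."""

    def __init__(self):
        super().__init__()
        self.script_functions = []  # list of (origin, code)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            # Event handlers (onclick, onload, ...) are the per-event script functions.
            if name.startswith("on") and value:
                self.script_functions.append((f"<{tag} {name}>", value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.script_functions.append(("<script>", data.strip()))


def obtain_page_info(html_source):
    """Return every script function found in the page source."""
    collector = PageInfoCollector()
    collector.feed(html_source)
    collector.close()
    return collector.script_functions


def find_vulnerability_related(script_functions, keywords=PRESET_KEYWORDS):
    """Step 2: report each script function that contains a preset keyword.
    Whitespace is removed before matching so 'location.href =' still hits."""
    hits = []
    for origin, code in script_functions:
        compact = "".join(code.split())
        for keyword in keywords:
            if "".join(keyword.split()) in compact:
                hits.append((origin, keyword))
                break
    return hits


def classify_page(html_source, keywords=PRESET_KEYWORDS):
    """'suspicious' if any vulnerability-related script function is present,
    which is as far as steps 1) and 2) take the verdict; 'clean' otherwise."""
    hits = find_vulnerability_related(obtain_page_info(html_source), keywords)
    return ("suspicious" if hits else "clean"), hits


# Constructed sample pages.
CLEAN_PAGE = """<html><body>
<button onclick="showMenu()">Menu</button>
<script>function showMenu() { toggle('menu'); }</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<button onclick="showMenu()">Menu</button>
<img src="banner.png" onload="track()">
<script>function track() { sendBeacon(document.cookie); }</script>
</body></html>"""

if __name__ == "__main__":
    print(classify_page(CLEAN_PAGE))
    print(classify_page(SUSPICIOUS_PAGE))
```

The keyword match is deliberately coarse: the description itself treats a hit as grounds for classifying the page as suspicious, not for a verdict, which is why the verdict in step 4) depends on an execution check that a signature scan alone cannot supply.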
The method for vulnerability detection based on a visual analysis system according to this embodiment of the present invention realizes intuitive detection of vulnerabilities in the webpage, improves the operating efficiency of the vulnerability scanner, and reduces the false negative rate and the false positive rate.
Embodiment four
Fig. 4 is a structural schematic diagram of device embodiment one for vulnerability detection based on a visual analysis system according to the embodiment of the present invention. As shown in Fig. 4, the device for vulnerability detection based on a visual analysis system according to this embodiment may include an extraction module 10, a detection module 11 and a determining module 12; in one specific implementation, data can be exchanged among the modules.
Extraction module 10, for extracting the visual feature data of the webpage;
For example, in this embodiment of the present invention, the visual feature data of the webpage may include, but are not limited to:
at least one of the text information of the webpage, the real-time pictures of the webpage and the background information of the webpage.
Detection module 11, for detecting, according to the visual feature data of the webpage, whether the webpage has an anomaly;
Specifically, detection module 11 is for detecting whether the text information of the webpage has a disordered layout and, if the text information of the webpage is detected to have a disordered layout, determining that the webpage has an anomaly; and/or detecting whether the real-time pictures of the webpage show pictures being added or removed and, if so, determining that the webpage has an anomaly; and/or detecting whether the background information of the webpage matches preset background information and, if the background information of the webpage is detected not to match the preset background information, determining that the webpage has an anomaly.
Determining module 12, for determining that the webpage has a vulnerability if detection module 11 detects that the webpage has an anomaly.
The device for vulnerability detection based on a visual analysis system according to this embodiment of the present invention uses the above modules to detect webpage vulnerabilities with the same implementation mechanism as the embodiment shown in Fig. 1; refer to the description of the embodiment shown in Fig. 1 for details, which is not repeated here.
The device for vulnerability detection based on a visual analysis system according to this embodiment of the present invention can, using the above modules, extract the visual feature data of the webpage through the visual analysis system, detect from the visual feature data whether the webpage has an anomaly and, if the webpage is detected to have an anomaly, determine that the webpage has a vulnerability. This avoids having to perform operations such as decoding the webpage, or having to obtain an HTTP request from information entered by the user, before a vulnerability in the webpage can be detected. The technical solution of this embodiment of the present invention can intuitively detect vulnerabilities in the webpage with a simple process, improving the operating efficiency of the vulnerability scanner.
Embodiment five
Fig. 5 is a structural schematic diagram of device embodiment two for vulnerability detection based on a visual analysis system according to the embodiment of the present invention. As shown in Fig. 5, the device for vulnerability detection based on a visual analysis system according to this embodiment may further include, on the basis of the embodiment shown in Fig. 4, an acquisition module 13 and an injection module 14.
Acquisition module 13, for obtaining malicious data from a preset database;
Injection module 14, for injecting the malicious data into the webpage.
In one specific implementation, extraction module 10 is specifically for: determining the type of the webpage through the visual analysis system; determining the first suspected vulnerability corresponding to the webpage according to the type of the webpage; extracting the visual feature data of the webpage according to the first suspected vulnerability; and/or determining the security protection information of the webpage through the visual analysis system; determining the second suspected vulnerability corresponding to the webpage according to the security protection information of the webpage; extracting the visual feature data of the webpage according to the second suspected vulnerability.
The device for vulnerability detection based on a visual analysis system according to this embodiment of the present invention uses the above modules to detect webpage vulnerabilities with the same implementation mechanism as the embodiments shown in Fig. 2 and Fig. 3; refer to the description of the embodiments shown in Fig. 2 and Fig. 3 for details, which is not repeated here.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and each combination of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The foregoing are merely embodiments of the present application and are not intended to limit the present application. Those skilled in the art may make various modifications and variations to the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall fall within the scope of the claims of the present application.

Claims (10)

1. A method for vulnerability detection based on a visual analysis system, characterized by comprising:
extracting visual feature data of a webpage by means of a visual analysis system;
detecting, according to the visual feature data of the webpage, whether the webpage has an anomaly;
if the webpage is detected to have an anomaly, determining that the webpage has a vulnerability.
2. The method according to claim 1, characterized in that the visual feature data of the webpage comprise:
at least one of text information of the webpage, real-time pictures of the webpage and background information of the webpage;
and detecting, according to the visual feature data of the webpage, whether the webpage has an anomaly comprises:
detecting whether the text information of the webpage has a disordered layout, and if the text information of the webpage is detected to have a disordered layout, determining that the webpage has an anomaly; and/or
detecting whether the real-time pictures of the webpage show pictures being added or removed, and if the real-time pictures of the webpage are detected to show pictures being added or removed, determining that the webpage has an anomaly; and/or
detecting whether the background information of the webpage matches preset background information, and if the background information of the webpage is detected not to match the preset background information, determining that the webpage has an anomaly.
3. The method according to claim 1, characterized in that extracting the visual feature data of the webpage by means of the visual analysis system comprises:
determining the type of the webpage by means of the visual analysis system;
determining a first suspected vulnerability corresponding to the webpage according to the type of the webpage;
extracting the visual feature data of the webpage according to the first suspected vulnerability.
4. The method according to claim 1, characterized in that extracting the visual feature data of the webpage by means of the visual analysis system comprises:
determining security protection information of the webpage by means of the visual analysis system;
determining a second suspected vulnerability corresponding to the webpage according to the security protection information of the webpage;
extracting the visual feature data of the webpage according to the second suspected vulnerability.
5. The method according to any one of claims 1 to 4, characterized in that, before extracting the visual feature data of the webpage by means of the visual analysis system, the method further comprises:
obtaining malicious data from a preset database;
injecting the malicious data into the webpage.
6. A device for vulnerability detection based on a visual analysis system, characterized by comprising:
an extraction module, for extracting visual feature data of a webpage by means of a visual analysis system;
a detection module, for detecting, according to the visual feature data of the webpage, whether the webpage has an anomaly;
a determining module, for determining that the webpage has a vulnerability if the detection module detects that the webpage has an anomaly.
7. The device according to claim 6, characterized in that the visual feature data of the webpage comprise:
at least one of text information of the webpage, real-time pictures of the webpage and background information of the webpage;
and the detection module is specifically for:
detecting whether the text information of the webpage has a disordered layout, and if the text information of the webpage is detected to have a disordered layout, determining that the webpage has an anomaly; and/or
detecting whether the real-time pictures of the webpage show pictures being added or removed, and if the real-time pictures of the webpage are detected to show pictures being added or removed, determining that the webpage has an anomaly; and/or
detecting whether the background information of the webpage matches preset background information, and if the background information of the webpage is detected not to match the preset background information, determining that the webpage has an anomaly.
8. The device according to claim 6, characterized in that the extraction module is specifically for:
determining the type of the webpage by means of the visual analysis system;
determining a first suspected vulnerability corresponding to the webpage according to the type of the webpage;
extracting the visual feature data of the webpage according to the first suspected vulnerability.
9. The device according to claim 6, characterized in that the extraction module is specifically for:
determining security protection information of the webpage by means of the visual analysis system;
determining a second suspected vulnerability corresponding to the webpage according to the security protection information of the webpage;
extracting the visual feature data of the webpage according to the second suspected vulnerability.
10. The device according to any one of claims 6 to 9, characterized by further comprising:
an acquisition module, for obtaining malicious data from a preset database;
an injection module, for injecting the malicious data into the webpage.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710328207.5A CN107180194B (en) 2017-05-11 2017-05-11 Method and device for vulnerability detection based on visual analysis system

Publications (2)

Publication Number Publication Date
CN107180194A true CN107180194A (en) 2017-09-19
CN107180194B CN107180194B (en) 2020-05-05

Family

ID=59832197

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108810025A (en) * 2018-07-19 2018-11-13 平安科技(深圳)有限公司 A kind of security assessment method of darknet, server and computer-readable medium
CN113316786A (en) * 2019-01-30 2021-08-27 国际商业机器公司 Vulnerability exploitation toolkit detection
CN110135140A (en) * 2019-04-18 2019-08-16 深圳壹账通智能科技有限公司 Information protecting method, device, computer equipment and storage medium
CN113641933A (en) * 2021-06-30 2021-11-12 北京百度网讯科技有限公司 Abnormal webpage identification method, abnormal site identification method and device
CN113641933B (en) * 2021-06-30 2023-10-20 北京百度网讯科技有限公司 Abnormal webpage identification method, abnormal site identification method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102622435A (en) * 2012-02-29 2012-08-01 百度在线网络技术(北京)有限公司 Method and device for detecting black chain
CN102779245A (en) * 2011-05-12 2012-11-14 李朝荣 Webpage abnormality detection method based on image processing technology
CN103065089A (en) * 2012-12-11 2013-04-24 深信服网络科技(深圳)有限公司 Method and device for detecting webpage Trojan horses
CN103425931A (en) * 2012-12-27 2013-12-04 北京安天电子设备有限公司 Abnormal web script detection method and system
CN104951700A (en) * 2014-10-11 2015-09-30 腾讯科技(深圳)有限公司 Webpage loophole detecting method and device
WO2015188743A1 (en) * 2014-06-11 2015-12-17 Tencent Technology (Shenzhen) Company Limited Web page vulnerability detection method and apparatus
CN106485152A (en) * 2016-09-30 2017-03-08 北京奇虎科技有限公司 Leak detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant