CN107231379A - Method for identifying Trojan-mounted web pages - Google Patents

Info

Publication number: CN107231379A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201710647307.4A
Other languages: Chinese (zh)
Inventors: 陈晓兵, 赵敏, 何建锋, 陈宏伟
Current Assignee: Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda (the listed assignees may be inaccurate)
Original Assignee: Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Application filed by Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Priority to CN201710647307.4A
Publication of CN107231379A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for identifying Trojan-mounted web pages. A Trojan feature database is established, in which Trojan features are stored. The source file of the web page to be detected is obtained, and the tag identification codes in that page that are related to Trojan mounting are extracted from the source file. The locator URL of the web page to be detected is extracted from the tag identification codes and matched against the URLs in the Trojan feature database; if the match succeeds, the web page to be detected is determined to be a Trojan-mounted web page. The invention provides a method for effectively identifying Trojan mounting on pages in a web environment, so as to make the detection and removal of web Trojans more effective and to reduce the website security risk caused by web Trojan mounting.

Description

Method for identifying Trojan-mounted web pages
Technical field
The invention belongs to the technical field of network security, and in particular relates to a method for identifying Trojan-mounted web pages.
Background
A web Trojan is a virus that does its damage through web pages. It is embedded in a malicious web page, its malicious code is written in a scripting language, and it spreads by relying on system vulnerabilities, such as vulnerabilities in the IE browser. When a user visits a malicious website that contains the web-page virus, the web Trojan is activated, and once the affected system is infected it is damaged. In mild cases the browser home page is modified, the title is changed and the system pops up advertisements automatically; in severe cases a Trojan is installed and the system is infected with viruses, so that the user can no longer use it normally, and serious consequences such as a system crash or the loss of sensitive information can follow.
Because scripting languages are easy to learn, web Trojans are very easy to write and modify. This makes feature values hard to extract, and makes it harder for antivirus software to detect and remove them and for users to guard against them.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for identifying Trojan-mounted web pages.
To achieve the above object, the technical solution of the present invention is realized as follows:
An embodiment of the present invention provides a method for identifying Trojan-mounted web pages. The method is: establish a Trojan feature database, in which Trojan features are stored; obtain the source file of the web page to be detected, and extract from the source file the tag identification codes in that page that are related to Trojan mounting; extract the locator URL of the web page to be detected from the tag identification codes; match the locator URL of the web page to be detected against the URLs in the Trojan feature database; and, if the match succeeds, determine that the web page to be detected is a Trojan-mounted web page.
In the above scheme, the method further includes: if the match fails, dynamic detection is performed on the web page to be detected; if the detection result is a Trojan-mounted web page, the feature information of that page is extracted and added to the Trojan feature database.
In the above scheme, establishing the Trojan feature database is specifically: the Trojan feature information of Trojan-mounted web pages is crawled from major security websites. The Trojan feature information includes the mount position of the web Trojan, the matching pattern string corresponding to the mount position, and the back-end URL of the Trojan. Duplicate entries are removed from the Trojan feature information before it is stored in the Trojan feature database.
In the above scheme, performing dynamic detection on the web page to be detected is specifically: using sandbox technology, page loading, rendering and DOM generation are simulated for the web page to be detected, and it is determined whether the simulated page triggers a download, a modification of system files or a modification of the registry. If any one of these behaviors occurs, it is regarded as Trojan-mounting behavior, and the Trojan mount position contained in the web page to be detected, the matching pattern string corresponding to that mount position, and the Trojan back-end URL are added to the Trojan feature database.
In the above scheme, extracting the locator URL of the web page to be detected from the tag identification codes is specifically: the tag identification codes include JavaScript tags, a tags, img tags, style tags, iframe tags and link tags; the locator URL of the web page to be detected is determined from the JavaScript tags, a tags, img tags, style tags, iframe tags and link tags.
Compared with the prior art, the beneficial effects of the present invention are:
The invention provides a method for effectively identifying Trojan mounting on pages in a web environment, so as to make the detection and removal of web Trojans more effective and to reduce the website security risk caused by web Trojan mounting.
Brief description of the drawings
Fig. 1 is a flow chart of the method for identifying Trojan-mounted web pages provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it.
An embodiment of the present invention provides a method for identifying Trojan-mounted web pages. The method is: establish a Trojan feature database, in which Trojan features are stored; obtain the source file of the web page to be detected, and extract from the source file the tag identification codes in that page that are related to Trojan mounting; extract the locator URL of the web page to be detected from the tag identification codes; match the locator URL of the web page to be detected against the URLs in the Trojan feature database; and, if the match succeeds, determine that the web page to be detected is a Trojan-mounted web page.
The method further includes: if the match fails, dynamic detection is performed on the web page to be detected; if the detection result is a Trojan-mounted web page, the feature information of that page is extracted and added to the Trojan feature database; conversely, if the detection result is not a Trojan-mounted web page, the server is allowed to access the web page.
Establishing the Trojan feature database is specifically: the Trojan feature information of Trojan-mounted web pages is crawled from major security websites. The Trojan feature information includes the mount position of the web Trojan, the matching pattern string corresponding to the mount position, and the back-end URL of the Trojan. Duplicate entries are removed from the Trojan feature information before it is stored in the Trojan feature database.
Performing dynamic detection on the web page to be detected is specifically: using sandbox technology, page loading, rendering and DOM generation are simulated for the web page to be detected, and it is determined whether the simulated page triggers a download, a modification of system files or a modification of the registry. If any one of these behaviors occurs, it is regarded as Trojan-mounting behavior, and the Trojan mount position contained in the web page to be detected, the matching pattern string corresponding to that mount position, and the Trojan back-end URL are added to the Trojan feature database.
Extracting the locator URL of the web page to be detected from the tag identification codes is specifically: the tag identification codes include JavaScript tags, a tags, img tags, style tags, iframe tags and link tags; the locator URL of the web page to be detected is determined from the JavaScript tags, a tags, img tags, style tags, iframe tags and link tags.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.
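The static step described above (extract URLs from the listed tag types, match them against the feature database, fall back to dynamic detection on a miss) can be sketched as follows. This is an added example, not code from the patent: the names `TagUrlExtractor`, `normalize`, `classify`, `FEATURE_DB` and the sample hosts are hypothetical, and the URL normalization and the regex extraction from `style`/`script` bodies are assumptions the patent text does not specify.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL-carrying attribute for the tag types the method lists
# (treating "JavaScript tag" as <script> is an assumption).
URL_ATTRS = {"script": "src", "a": "href", "img": "src",
             "iframe": "src", "link": "href"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
JS_URL = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""", re.I)


class TagUrlExtractor(HTMLParser):
    """Collect (tag, absolute URL) pairs from a page's source file."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []
        self._raw = None  # "script" or "style" while inside that element

    def _add(self, tag, url):
        self.found.append((tag, urljoin(self.page_url, url.strip())))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get(URL_ATTRS.get(tag)):
            self._add(tag, attrs[URL_ATTRS[tag]])
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self._add(tag, url)  # inline style="background:url(...)"
        if tag in ("script", "style"):
            self._raw = tag

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None

    def handle_data(self, data):
        # Only URL literals in element bodies; obfuscated script is left
        # to the dynamic-detection step.
        pattern = {"style": CSS_URL, "script": JS_URL}.get(self._raw)
        for url in pattern.findall(data) if pattern else ():
            self._add(self._raw, url)


def normalize(url):
    """Matching key: lower-cased host plus path and query (scheme, port,
    fragment and trailing slash ignored; a simplification made here)."""
    parts = urlsplit(url)
    query = "?" + parts.query if parts.query else ""
    return (parts.hostname or "").lower() + parts.path.rstrip("/") + query


def classify(source, page_url, feature_db):
    """Static step: match extracted URLs against the feature database."""
    parser = TagUrlExtractor(page_url)
    parser.feed(source)
    parser.close()
    known = {normalize(u) for u in feature_db}
    hits = [(t, u) for t, u in parser.found if normalize(u) in known]
    return ("trojan-mounted" if hits else "needs-dynamic-detection"), hits


# Constructed sample data (reserved .example / .invalid names).
FEATURE_DB = ["http://bad.invalid/load.js",
              "http://cdn.bad.invalid/x/frame.html"]
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="/site.css">
<style>body { background: url('//static.shop.example/bg.png'); }</style>
</head><body><a href="about.html">About</a><img src="logo.png">
<iframe src="http://CDN.Bad.invalid/x/frame.html/" width="0"></iframe>
<script>var s = "http://bad.invalid/load.js";</script></body></html>"""
```

Calling `classify(SAMPLE_PAGE, "http://shop.example/index.html", FEATURE_DB)` reports the `iframe` and `script` entries as matches; a page with no match returns `needs-dynamic-detection`, which corresponds to handing the page to the sandbox step.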

Claims (5)

1. A method for identifying Trojan-mounted web pages, characterized in that the method is: establish a Trojan feature database, in which Trojan features are stored; obtain the source file of the web page to be detected, and extract from the source file the tag identification codes in that page that are related to Trojan mounting; extract the locator URL of the web page to be detected from the tag identification codes; match the locator URL of the web page to be detected against the URLs in the Trojan feature database; and, if the match succeeds, determine that the web page to be detected is a Trojan-mounted web page.
2. The method for identifying Trojan-mounted web pages according to claim 1, characterized in that the method further includes: if the match fails, dynamic detection is performed on the web page to be detected; if the detection result is a Trojan-mounted web page, the feature information of that page is extracted and added to the Trojan feature database.
3. The method for identifying Trojan-mounted web pages according to claim 1 or 2, characterized in that establishing the Trojan feature database is specifically: the Trojan feature information of Trojan-mounted web pages is crawled from major security websites; the Trojan feature information includes the mount position of the web Trojan, the matching pattern string corresponding to the mount position, and the back-end URL of the Trojan; duplicate entries are removed from the Trojan feature information before it is stored in the Trojan feature database.
4. The method for identifying Trojan-mounted web pages according to claim 2, characterized in that performing dynamic detection on the web page to be detected is specifically: using sandbox technology, page loading, rendering and DOM generation are simulated for the web page to be detected, and it is determined whether the simulated page triggers a download, a modification of system files or a modification of the registry; if any one of these behaviors occurs, it is regarded as Trojan-mounting behavior, and the Trojan mount position contained in the web page to be detected, the matching pattern string corresponding to that mount position, and the Trojan back-end URL are added to the Trojan feature database.
5. The method for identifying Trojan-mounted web pages according to claim 1, characterized in that extracting the locator URL of the web page to be detected from the tag identification codes is specifically: the tag identification codes include JavaScript tags, a tags, img tags, style tags, iframe tags and link tags; the locator URL of the web page to be detected is determined from the JavaScript tags, a tags, img tags, style tags, iframe tags and link tags.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710647307.4A | 2017-08-01 | 2017-08-01 | Method for identifying Trojan-mounted web pages

Publications (1)

Publication Number | Publication Date
CN107231379A | 2017-10-03

Family

ID: 59957834

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201710647307.4A (Pending, published as CN107231379A) | Method for identifying Trojan-mounted web pages | 2017-08-01 | 2017-08-01

Country Status (1)

Country | Link
CN (1) | CN107231379A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107918735A (en) * 2017-11-29 2018-04-17 中科信息安全共性技术国家工程研究中心有限公司 A kind of Web page wooden horse detecting method based on isolated island file
CN109190376A (en) * 2018-08-30 2019-01-11 郑州云海信息技术有限公司 A kind of Web page wooden horse detecting method, system and electronic equipment and storage medium
CN109657088A (en) * 2018-09-30 2019-04-19 阿里巴巴集团控股有限公司 A kind of picture risk checking method, device, equipment and medium
CN111125704A (en) * 2019-12-27 2020-05-08 北京安信天行科技有限公司 Webpage Trojan horse recognition method and system
CN113709154A (en) * 2021-08-25 2021-11-26 平安国际智慧城市科技股份有限公司 Browser security processing method and device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1351137A2 (en) * 2002-04-04 2003-10-08 Intrinsyc Software International, Inc. Internet-enabled boot loader and booting method
CN101630325A (en) * 2009-08-18 2010-01-20 北京大学 Webpage clustering method based on script feature
CN101820419A (en) * 2010-03-23 2010-09-01 北京大学 Method for automatically positioning webpage Trojan mount point in Trojan linked webpage
CN102469113A (en) * 2010-11-01 2012-05-23 北京启明星辰信息技术股份有限公司 Security gateway and method for forwarding webpage by using security gateway
CN102546576A (en) * 2010-12-31 2012-07-04 北京启明星辰信息技术股份有限公司 Webpagehanging trojan detecting and protecting method and system as well as method for extracting corresponding code

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107918735A (en) * 2017-11-29 2018-04-17 中科信息安全共性技术国家工程研究中心有限公司 A kind of Web page wooden horse detecting method based on isolated island file
CN109190376A (en) * 2018-08-30 2019-01-11 郑州云海信息技术有限公司 A kind of Web page wooden horse detecting method, system and electronic equipment and storage medium
CN109657088A (en) * 2018-09-30 2019-04-19 阿里巴巴集团控股有限公司 A kind of picture risk checking method, device, equipment and medium
CN111125704A (en) * 2019-12-27 2020-05-08 北京安信天行科技有限公司 Webpage Trojan horse recognition method and system
CN111125704B (en) * 2019-12-27 2022-06-28 北京安信天行科技有限公司 Webpage Trojan horse recognition method and system
CN113709154A (en) * 2021-08-25 2021-11-26 平安国际智慧城市科技股份有限公司 Browser security processing method and device, computer equipment and storage medium
CN113709154B (en) * 2021-08-25 2023-08-15 平安国际智慧城市科技股份有限公司 Browser security processing method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171003