CN107231379A - The recognition methods of web extension horse webpages - Google Patents
- Publication number: CN107231379A
- Application number: CN201710647307.4A
- Authority: CN (China)
- Prior art keywords: webpage, detected, horse, labels, extension
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a method for identifying Trojan-injected web pages (the "web extension horse webpages" of the title). A Trojan feature library is established, in which Trojan features are stored. The source file of the web page to be detected is obtained, and the tag identifiers in the page that are related to Trojan injection are extracted from the source file. The locator URL of the web page to be detected is extracted from the tag identifiers and matched against the URLs in the Trojan feature library; if the match succeeds, the web page to be detected is determined to be a Trojan-injected web page. The invention provides an effective way to identify page Trojan injection in a web environment, strengthening the effectiveness of web page Trojan detection and removal and reducing the website security risk caused by web Trojan injection.
Description
Technical field
The invention belongs to the technical field of network security, and in particular relates to a method for identifying Trojan-injected web pages.
Background art
A web page Trojan is a virus that does its damage through web pages. It is embedded in a malicious web page, its malicious code is written in a scripting language, and it spreads by exploiting system vulnerabilities, such as vulnerabilities present in the IE browser. When a user visits a malicious website containing a web page Trojan, the Trojan is activated, and the affected system is damaged once it is infected. In mild cases the browser home page and title are changed and the system pops up advertisements automatically; in severe cases a Trojan is installed and the system is infected with a virus, so that the user cannot use it normally, and serious consequences such as system crashes and loss of sensitive information can follow.
Because scripting languages are easy to learn, web page Trojans are very easy to write and modify. This makes it difficult to extract feature values and increases the difficulty of detection and removal by antivirus software and of prevention by users.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for identifying Trojan-injected web pages.
To achieve the above object, the technical solution of the present invention is realized as follows:
An embodiment of the present invention provides a method for identifying Trojan-injected web pages. The method is: establish a Trojan feature library, in which Trojan features are stored; obtain the source file of the web page to be detected, and extract from the source file the tag identifiers in the page that are related to Trojan injection; extract the locator URL of the web page to be detected from the tag identifiers; match the URL of the web page to be detected against the URLs in the Trojan feature library; if the match succeeds, determine that the web page to be detected is a Trojan-injected web page.
In the above scheme, the method further includes: if the match fails, perform dynamic detection on the web page to be detected; if the detection result is a Trojan-injected web page, extract the feature information of that page and add it to the Trojan feature library.
In the above scheme, establishing the Trojan feature library is specifically: crawl the Trojan feature information of Trojan-injected web pages from major security websites, the Trojan feature information including the web page Trojan mount position, the matching pattern string corresponding to the mount position, and the backend URL of the Trojan; remove the duplicate Trojan feature information and store the remainder in the Trojan feature library.
In the above scheme, performing dynamic detection on the web page to be detected is specifically: using sandbox technology, simulate page loading, rendering and DOM generation for the web page to be detected, and determine whether the simulated page triggers a download, a modification of system files, or a modification of the registry; if any one of these behaviors occurs, it is regarded as Trojan-injection behavior, and the Trojan mount position contained in the web page to be detected, the matching pattern string corresponding to that mount position, and the Trojan backend URL are added to the Trojan feature library.
In the above scheme, extracting the locator URL of the web page to be detected from the tag identifiers is specifically: the tag identifiers include JavaScript tags, a tags, img tags, style tags, iframe tags and link tags; the locator URL of the web page to be detected is determined from the JavaScript tags, a tags, img tags, style tags, iframe tags and link tags.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides an effective way to identify page Trojan injection in a web environment, strengthening the effectiveness of web page Trojan detection and removal and reducing the website security risk caused by web Trojan injection.
Brief description of the drawings
Fig. 1 is a flow chart of a method for identifying Trojan-injected web pages provided by an embodiment of the present invention.
Detailed description
In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it.
An embodiment of the present invention provides a method for identifying Trojan-injected web pages. The method is: establish a Trojan feature library, in which Trojan features are stored; obtain the source file of the web page to be detected, and extract from the source file the tag identifiers in the page that are related to Trojan injection; extract the locator URL of the web page to be detected from the tag identifiers; match the URL of the web page to be detected against the URLs in the Trojan feature library; if the match succeeds, determine that the web page to be detected is a Trojan-injected web page.
The method further includes: if the match fails, perform dynamic detection on the web page to be detected; if the detection result is a Trojan-injected web page, extract the feature information of that page and add it to the Trojan feature library; conversely, if the detection result is not a Trojan-injected web page, allow the server to access the web page.
Establishing the Trojan feature library is specifically: crawl the Trojan feature information of Trojan-injected web pages from major security websites, the Trojan feature information including the web page Trojan mount position, the matching pattern string corresponding to the mount position, and the backend URL of the Trojan; remove the duplicate Trojan feature information and store the remainder in the Trojan feature library.
Performing dynamic detection on the web page to be detected is specifically: using sandbox technology, simulate page loading, rendering and DOM generation for the web page to be detected, and determine whether the simulated page triggers a download, a modification of system files, or a modification of the registry; if any one of these behaviors occurs, it is regarded as Trojan-injection behavior, and the Trojan mount position contained in the web page to be detected, the matching pattern string corresponding to that mount position, and the Trojan backend URL are added to the Trojan feature library.
Extracting the locator URL of the web page to be detected from the tag identifiers is specifically: the tag identifiers include JavaScript tags, a tags, img tags, style tags, iframe tags and link tags; the locator URL of the web page to be detected is determined from the JavaScript tags, a tags, img tags, style tags, iframe tags and link tags.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.
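The static stage described above (extract URLs from the listed tags, match them against the de-duplicated feature library, hand the page to dynamic detection on a miss), as an added Python example that is not code from the patent. The tag-to-attribute mapping, the URL normalization, the function names and the sample library and page are assumptions made for illustration; the "JavaScript tag" is taken to be the script element.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tags the patent lists, mapped to the attribute assumed to carry the URL.
URL_ATTRS = {"script": "src", "a": "href", "img": "src", "iframe": "src", "link": "href"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class TagUrlExtractor(HTMLParser):
    """Collect (mount_position, absolute_url) pairs from the listed tags."""
    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url, self.found, self._in_style = base_url, [], False

    def _add(self, position, raw):
        if raw and raw.strip():
            self.found.append((position, urljoin(self.base_url, raw.strip())))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in URL_ATTRS:
            self._add(tag, attrs.get(URL_ATTRS[tag]))
        self._in_style = self._in_style or tag == "style"
        for m in CSS_URL.finditer(attrs.get("style") or ""):  # inline style="..."
            self._add("style", m.group(1))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> element
            for m in CSS_URL.finditer(data):
                self._add("style", m.group(1))

def normalize(url):
    """Lower-case scheme and host and drop the fragment so trivial variants match."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def build_library(records):
    """De-duplicate crawled feature records, keyed by normalized backend URL."""
    library = {}
    for position, pattern, backend_url in records:
        library.setdefault(normalize(backend_url), (position, pattern))
    return library

def check_page(source, page_url, library):
    """Static stage: a hit means Trojan-injected; a miss goes to dynamic detection."""
    parser = TagUrlExtractor(page_url)
    parser.feed(source)
    parser.close()
    hits = [(pos, url) for pos, url in parser.found if normalize(url) in library]
    return ("trojan-injected", hits) if hits else ("needs-dynamic-detection", [])

# Constructed sample data (not from the patent); hosts use the reserved .example TLD.
LIBRARY = build_library([
    ("iframe", "<iframe src=", "http://bad.example/x/index.htm"),
    ("iframe", "<iframe src=", "http://BAD.example/x/index.htm"),  # duplicate record
    ("script", "<script src=", "http://cdn.bad.example/a.js")])
PAGE = """<html><head><link rel="stylesheet" href="/site.css">
<style>body{background:url('img/bg.png')}</style></head><body>
<a href="news.html">News</a><img src="logo.png">
<iframe src="http://bad.example/x/index.htm#top" width="0" height="0"></iframe></body></html>"""
```

Calling `check_page(PAGE, "http://site.example/", LIBRARY)` reports the zero-size iframe as the hit; a page with no library match comes back as `needs-dynamic-detection`, which is where the sandbox stage of the method would take over.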
Claims (5)
1. A method for identifying Trojan-injected web pages, characterized in that the method is: establish a Trojan feature library, in which Trojan features are stored; obtain the source file of the web page to be detected, and extract from the source file the tag identifiers in the page that are related to Trojan injection; extract the locator URL of the web page to be detected from the tag identifiers; match the URL of the web page to be detected against the URLs in the Trojan feature library; if the match succeeds, determine that the web page to be detected is a Trojan-injected web page.
2. The method for identifying Trojan-injected web pages according to claim 1, characterized in that the method further includes: if the match fails, perform dynamic detection on the web page to be detected; if the detection result is a Trojan-injected web page, extract the feature information of that page and add it to the Trojan feature library.
3. The method for identifying Trojan-injected web pages according to claim 1 or 2, characterized in that establishing the Trojan feature library is specifically: crawl the Trojan feature information of Trojan-injected web pages from major security websites, the Trojan feature information including the web page Trojan mount position, the matching pattern string corresponding to the mount position, and the backend URL of the Trojan; remove the duplicate Trojan feature information and store the remainder in the Trojan feature library.
4. The method for identifying Trojan-injected web pages according to claim 2, characterized in that performing dynamic detection on the web page to be detected is specifically: using sandbox technology, simulate page loading, rendering and DOM generation for the web page to be detected, and determine whether the simulated page triggers a download, a modification of system files, or a modification of the registry; if any one of these behaviors occurs, it is regarded as Trojan-injection behavior, and the Trojan mount position contained in the web page to be detected, the matching pattern string corresponding to that mount position, and the Trojan backend URL are added to the Trojan feature library.
5. The method for identifying Trojan-injected web pages according to claim 1, characterized in that extracting the locator URL of the web page to be detected from the tag identifiers is specifically: the tag identifiers include JavaScript tags, a tags, img tags, style tags, iframe tags and link tags; the locator URL of the web page to be detected is determined from the JavaScript tags, a tags, img tags, style tags, iframe tags and link tags.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710647307.4A CN107231379A (en) | 2017-08-01 | 2017-08-01 | The recognition methods of web extension horse webpages |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107231379A (en) | 2017-10-03 |
Family
ID=59957834
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710647307.4A Pending CN107231379A (en) | 2017-08-01 | 2017-08-01 | The recognition methods of web extension horse webpages |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107231379A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171003 |