CN107423325A - A kind of method for tracing webpage tamper behavior source - Google Patents
A kind of method for tracing webpage tamper behavior source
- Publication number: CN107423325A (application number CN201710223468.0A)
- Authority: CN (China)
- Prior art keywords: behavior, source, file, pid, tampering
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F16/00—Information retrieval; Database structures therefor; File system structures therefor > G06F16/90—Details of database functions independent of the retrieved data types > G06F16/95—Retrieval from the web > G06F16/958—Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F16/00—Information retrieval; Database structures therefor; File system structures therefor > G06F16/10—File systems; File servers > G06F16/17—Details of further file system functions > G06F16/1734—Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
Abstract
The present invention relates to network information security and provides a method for tracing the source of a webpage tampering behavior. The method comprises the steps of tampering process detection, tampering behavior association, process PID correlation, process behavior analysis, and tampering behavior source tracing. The invention can trace the source of a webpage tampering behavior efficiently, precisely and intelligently; it is an innovation in the field of network information security, in particular in webpage anti-tampering technology, is of great significance for network security, and has promising market prospects.
Description
Technical field
The present invention relates to the field of network information security, and in particular to a method for tracing the source of a webpage tampering behavior.
Background technology
Information networks supported by computers, information technology, communication technology and the cloud are developing at high speed and are changing human life at an unprecedented scale and pace. While networking brings us enormous benefits, it also brings network security problems of every kind. To fend off these problems, people widely deploy antivirus software, firewalls and other network security measures, and the number of security events such as viruses and host intrusions has fallen markedly. However, just as we believed we had done enough to protect our networks, we found that the number of webpage tampering events was rising rapidly. To prevent webpages from being tampered with, deploying a webpage anti-tampering protection system is highly desirable.
At present, webpage anti-tampering protection systems generally use one of two modes: one blocks tampering according to a configured rule file; the other restores the page from a backup file in time after it has been tampered with. Although both approaches can effectively prevent webpage tampering and secure the website and its pages, neither tracks the tampering behavior. After tampering occurs, the course of the tampering action cannot be tracked effectively, so the source of the tampering behavior cannot be traced.
The content of the invention
The primary object of the present invention is to overcome the deficiencies of the prior art and to provide an efficient, accurate and intelligent method for tracing the source of a webpage tampering behavior. To solve the above technical problem, the solution of the present invention is:
A method for tracing the source of a webpage tampering behavior is provided, used to trace the source of the tampering behavior when a monitored file or directory is tampered with. The method specifically comprises the following steps:
(1) Tampering process detection: a hook function is added at the file system driver layer of the operating system, and the file or directory to be monitored can be configured in the hook function. Whenever any operation is performed on the monitored file or directory, the hook function is triggered and obtains the tampering process.
(2) Tampering behavior association: after step (1) has obtained the tampering process, the hook function further traces all processes that called the tampering process, forming the list of processes behind the tampering behavior.
(3) Process PID correlation: the hook function further traces the PID of the tampering process from step (1) and the PIDs of the processes in the list from step (2) (note in particular that the process PID of step (1) and the process PIDs of step (2) belong to the same user request).
(4) Process behavior analysis: the behavior of the process PIDs obtained in step (3) is analyzed to produce a process analysis result. The process analysis result includes, but is not limited to, the login user, login IP, login time and behavior.
(5) Tampering behavior source tracing: steps (1) to (4) are summarized to trace back to the source of the tampering behavior, namely the tampering user and the tampered page.
The tampering user refers to the process analysis result of step (4).
The tampered page refers to the tampered file that the hook function monitors in step (1).
In the present invention, the hook (HOOK) function hooks the file operation functions and the messages triggered by file operations. The hook function first detects the tampering process, then detects the list of processes that called the tampering process, then obtains the PID of the tampering process and the PIDs of the processes in that list, and analyzes the behavior of those PIDs, completing an accurate trace of the source of the webpage tampering behavior.
In the present invention, the file or directory to be monitored refers to the web page directory.
Compared with the prior art, the beneficial effects of the invention are as follows:
The present invention can trace the source of a webpage tampering behavior efficiently, precisely and intelligently; it is an innovation in the field of network information security, in particular in webpage anti-tampering technology, is of great significance for network security, and has promising market prospects.
Brief description of the drawings
Fig. 1 is the flow chart of the webpage tampering behavior source tracing of the present invention.
Embodiment
It should be noted first that the present invention is an application of computer technology in the field of information security technology. Implementing the invention may involve several software function modules. The applicant believes that, after reading the application text and accurately understanding the realization principle and purpose of the invention, a person skilled in the art can fully implement the invention with the software programming skills at their command, combined with existing known technology.
The present invention is described in further detail below with reference to the accompanying drawings and an embodiment:
As shown in Fig. 1, the method for tracing the source of a webpage tampering behavior detects the process that tampers with a file by means of the bottom-layer driver technology of the operating system, and analyzes the list of processes that called the tampering process. The method specifically comprises the following steps:
Step 1: start tampering process detection. A hook function is first added at the driver layer of the operating system's file system, and the web page publishing directory is configured as the object to monitor. When any operation on a file in that directory is detected, the hook function is triggered and obtains the tampering process.
Step 2: obtain the list of processes associated with the tampering process. After the hook function has obtained the tampering process, it processes further and collects the information on the list of processes associated with the tampering process.
Step 3: process PID correlation. The hook function further processes the tampering process of step 1 and the process list of step 2 and obtains the corresponding process PIDs.
Step 4: process list behavior analysis. The hook function further processes the process PIDs of step 3, tracing and analyzing the behavior of these PIDs: login behavior, login time, login user, login IP, tampered page, and so on.
Step 5: trace the source of the webpage tampering behavior. Based on the analysis result of step 4, the hook function further processes and summarizes the source of the webpage tampering behavior, thereby precisely tracing it back and returning the result: login IP, login user, login time, tampered page, and so on.
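The five steps above, as an added example in Python that is not part of the patent: the file system hook and the operating system's process and login information are replaced by constructed in-memory tables (the directory, process names, PIDs, user, IP and time are all made up), so the parent-chain walk and the correlation of PIDs with a login session can run offline.

```python
"""Simulated trace of a webpage tampering event back to its source.
Added example, not from the patent: the five steps of the method run over a
constructed process table and login table that stand in for what the file
system driver hook and the operating system would provide."""
from collections import namedtuple
from typing import Optional

WATCHED_DIR = "/var/www/html"  # constructed web publish directory (step 1 config)
Proc = namedtuple("Proc", "pid ppid name user")
Session = namedtuple("Session", "pid user ip login_time")  # keyed by login shell pid

# Constructed process table: an ssh login (sshd -> bash -> vi) and a cron job.
PROC_TABLE = {
    1: Proc(1, 0, "init", "root"),
    800: Proc(800, 1, "sshd", "root"),
    901: Proc(901, 800, "bash", "webadmin"),
    955: Proc(955, 901, "vi", "webadmin"),
    600: Proc(600, 1, "cron", "root"),
    610: Proc(610, 600, "logrotate", "root"),
}
# Constructed login records, what the behaviour analysis of step 4 looks up.
SESSIONS = {901: Session(901, "webadmin", "198.51.100.7", "2017-04-07T09:12:03")}


def hook_event(path: str, pid: int) -> Optional[int]:
    """Step 1: the hook fires for any operation under the watched directory and
    returns the tampering process pid; operations elsewhere are ignored."""
    return pid if path.startswith(WATCHED_DIR + "/") else None


def process_chain(pid: int):
    """Step 2: walk the parent chain to list every process that called the
    tampering process, from the tampering process itself up to init."""
    chain, seen = [], set()
    while pid in PROC_TABLE and pid not in seen:  # seen-set guards ppid loops
        seen.add(pid)
        chain.append(PROC_TABLE[pid])
        pid = PROC_TABLE[pid].ppid
    return chain


def trace_source(path: str, op: str, pid: int):
    """Steps 3-5: correlate the chain's pids with login sessions and summarise."""
    tamper_pid = hook_event(path, pid)
    chain = process_chain(tamper_pid) if tamper_pid is not None else []
    if not chain:  # no hook hit, or the pid is unknown to the process table
        return None
    pids = [p.pid for p in chain]  # step 3: pids of tampering process and callers
    session = next((SESSIONS[q] for q in pids if q in SESSIONS), None)  # step 4
    return {  # step 5: the summarised tracing result
        "tampered_page": path,
        "behavior": op,
        "process_chain": [f"{p.name}({p.pid})" for p in chain],
        "login_user": session.user if session else chain[0].user,
        "login_ip": session.ip if session else None,
        "login_time": session.login_time if session else None,
    }
```

When no process in the chain belongs to an interactive login (the cron case), the result falls back to the tampering process's own user and leaves the login IP and time empty rather than guessing.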
Finally, it should be noted that the above is only a specific embodiment of the invention. Clearly, the invention is not limited to the above embodiment and may have many variations. All variations that a person of ordinary skill in the art can derive or infer directly from the disclosure of the invention are regarded as falling within the scope of protection of the invention.
Claims (3)
1. A method for tracing the source of a webpage tampering behavior, used to trace the source of the tampering behavior when a monitored file or directory is tampered with, characterized in that the method specifically comprises the following steps:
(1) Tampering process detection: a hook function is added at the file system driver layer of the operating system, and the file or directory to be monitored can be configured in the hook function. Whenever any operation is performed on the monitored file or directory, the hook function is triggered and obtains the tampering process.
(2) Tampering behavior association: after step (1) has obtained the tampering process, the hook function further traces all processes that called the tampering process, forming the list of processes behind the tampering behavior.
(3) Process PID correlation: the hook function further traces the PID of the tampering process from step (1) and the PIDs of the processes in the list from step (2).
(4) Process behavior analysis: the behavior of the process PIDs obtained in step (3) is analyzed to produce a process analysis result. The process analysis result includes, but is not limited to, the login user, login IP, login time and behavior.
(5) Tampering behavior source tracing: steps (1) to (4) are summarized to trace back to the source of the tampering behavior, namely the tampering user and the tampered page.
The tampering user refers to the process analysis result of step (4).
The tampered page refers to the tampered file that the hook function monitors in step (1).
2. The method for tracing the source of a webpage tampering behavior according to claim 1, characterized in that the hook function hooks the file operation functions and the messages triggered by file operations; the hook function first detects the tampering process, then detects the list of processes that called the tampering process, then obtains the PID of the tampering process and the PIDs of the processes in that list, and analyzes the behavior of those PIDs, completing an accurate trace of the source of the webpage tampering behavior.
3. The method for tracing the source of a webpage tampering behavior according to claim 1, characterized in that the monitored file or directory refers to the web page directory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710223468.0A CN107423325A (en) | 2017-04-07 | 2017-04-07 | A kind of method for tracing webpage tamper behavior source |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107423325A true CN107423325A (en) | 2017-12-01 |
Family
ID=60423848
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710223468.0A Pending CN107423325A (en) | 2017-04-07 | 2017-04-07 | A kind of method for tracing webpage tamper behavior source |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107423325A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108234484A (en) * | 2017-12-30 | 2018-06-29 | 广东世纪网通信设备股份有限公司 | For tracing the wooden horse source traceability system of the computer readable storage medium in wooden horse source and the application medium |
CN109787964A (en) * | 2018-12-29 | 2019-05-21 | 北京零平数据处理有限公司 | Process behavior is traced to the source device and method |
CN111967058A (en) * | 2020-07-28 | 2020-11-20 | 浙江军盾信息科技有限公司 | Tamper-proof method supporting user white list, electronic device and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1925494A (en) * | 2006-09-28 | 2007-03-07 | 北京理工大学 | Web page wooden horse detecting method based on behavior characteristic |
CN101159000A (en) * | 2007-10-17 | 2008-04-09 | 深圳市迅雷网络技术有限公司 | Web page safety information detecting system and method |
CN101408919A (en) * | 2008-12-09 | 2009-04-15 | 吕欣 | Method and system for monitoring computer espionage behavior |
CN102857519A (en) * | 2012-09-29 | 2013-01-02 | 北京奇虎科技有限公司 | Active defensive system |
CN102902909A (en) * | 2012-10-10 | 2013-01-30 | 北京奇虎科技有限公司 | System and method for preventing file from being tampered |
CN103152323A (en) * | 2013-01-29 | 2013-06-12 | 深圳市深信服电子科技有限公司 | Method and system of controlling access behaviors of client network |
CN104766009A (en) * | 2015-03-18 | 2015-07-08 | 杭州安恒信息技术有限公司 | System for preventing webpage document tampering based on operating system bottom layer |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171201 |