CN107423325A - A kind of method for tracing webpage tamper behavior source - Google Patents

Info

Publication number: CN107423325A
Authority: CN (China)
Prior art keywords: behavior, source, file, pid, distorting
Legal status: Pending
Application number: CN201710223468.0A
Other languages: Chinese (zh)
Inventors: 寇石垒, 范渊, 龙文洁
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Priority date: 2017-04-07
Filing date: 2017-04-07
Publication date: 2017-12-01
Application filed by DBAPPSecurity Co Ltd
Priority to CN201710223468.0A
Publication of CN107423325A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Abstract

The present invention relates to network information security and provides a method for tracing the source of a webpage tampering action. The method comprises the steps of: detecting the tampering process, associating the tampering action with related processes, mapping the process PIDs, analysing the process behaviour, and tracing the tampering source. The invention can trace the source of webpage tampering efficiently, accurately and intelligently; it is an innovation in the field of network information security, in particular in webpage anti-tampering technology, is of great significance for network security, and has promising market prospects.

Description

A kind of method for tracing webpage tamper behavior source
Technical field
The present invention relates to the field of network information security, and in particular to a method for tracing the source of webpage tampering.
Background technology
Information networks supported by computer, information and communication technology and the cloud are developing rapidly and have changed human life on an unprecedented scale and at unprecedented speed. While networking brings us enormous benefits, it also brings network security problems of every kind. To avoid such problems, people have widely adopted network security measures such as antivirus software and firewalls, and the number of security incidents such as viruses and host intrusions has fallen significantly. However, just as we believe we have done enough to protect our networks, we find that the number of webpage tampering incidents is rising rapidly. To prevent webpages from being tampered with, it is highly desirable to deploy a webpage anti-tampering protection system.
At present, webpage anti-tampering protection systems generally work in one of two modes: one blocks tampering by means of a configured rule file; the other restores the page from a backup file promptly after it has been tampered with. Although both approaches can effectively prevent webpages from being tampered with and protect the security of websites and webpages, neither tracks the tampering action itself. After a tampering action has occurred, the course of the tampering cannot be traced effectively, so the tampering source cannot be traced back.
The content of the invention
The primary object of the present invention is to overcome the deficiencies of the prior art by providing an efficient, accurate and intelligent method for tracing the source of webpage tampering. To solve the above technical problem, the solution of the present invention is:
A method for tracing the source of webpage tampering is provided, which traces the tampering source when a file or directory to be monitored is tampered with. The method specifically comprises the following steps:
(1) Tampering process detection: a hook function is added in the file system driver layer of the operating system, and the file or directory to be monitored is configured in the hook function. When any operation is performed on the monitored file or directory, the hook function is triggered and obtains the tampering process;
(2) Tampering action association: after step (1) has obtained the tampering process, the hook function further traces all processes that invoked the tampering process, forming a process list of the call chain behind the tampering action;
(3) Process PID mapping: the hook function further traces the PID of the tampering process from step (1) and the PIDs of the processes in the list from step (2) (note in particular that the process PID of step (1) and the process PIDs of step (2) belong to the same corresponding user request);
(4) Process behaviour analysis: the behaviour of the process PIDs obtained in step (3) is analysed to obtain a process analysis result;
The process analysis result includes, but is not limited to: login user, login IP, login time and behaviour;
(5) Tampering source tracing: steps (1) to (4) are summarised to trace back to the tampering source: the tampering user and the tampered page;
The tampering user refers to the process analysis result of step (4);
The tampered page refers to the tampered file monitored by the hook function in step (1).
In the present invention, the hook (HOOK) function hooks the file operation functions and the messages triggered by file operations. The hook function first detects the tampering process, then detects the list of processes that invoked the tampering process, then obtains the PID of the tampering process and the PIDs of the processes in the invoking list, and analyses the behaviour of those PIDs, completing an accurate trace of the source of the webpage tampering.
In the present invention, the file or directory to be monitored refers to the webpage directory.
Compared with the prior art, the beneficial effects of the invention are as follows:
The present invention can trace the source of webpage tampering efficiently, accurately and intelligently; it is an innovation in the field of network information security, in particular in webpage anti-tampering technology, is of great significance for network security, and has promising market prospects.
Brief description of the drawings
Fig. 1 is the flow chart of tracing the source of webpage tampering according to the present invention.
Embodiment
It should first be explained that the present invention is an application of computer technology in the field of information security technology. Implementing the invention may involve a number of software function modules. The applicant believes that, having read the application documents and accurately understood the principle and object of the invention, a person skilled in the art can fully implement the invention with their programming skills in combination with existing known technology.
The present invention is described in further detail below with reference to the accompanying drawings and an embodiment:
As shown in Fig. 1, the method for tracing the source of webpage tampering detects the process that tampers with a file by means of an operating system bottom-layer driver technique and analyses the list of processes that invoked the tampering process. The method specifically comprises the following steps:
Step 1: Start tampering process detection: a hook function is first added in the file system driver layer of the operating system, and the webpage publishing directory is configured as the object to be monitored. When any operation on a file in the directory is detected, the hook function is triggered to handle it and obtains the tampering process.
Step 2: Obtain the list of processes associated with the tampering process: after the hook function obtains the tampering process, it processes further and collects the list of processes associated with the tampering process.
Step 3: Process PID mapping: the hook function further processes the tampering process from step 1 and the process list from step 2 to obtain the corresponding process PIDs.
Step 4: Process list behaviour analysis: the hook function further processes the process PIDs from step 3, tracing and analysing the behaviour of these processes: login behaviour, login time, login user, login IP, tampered page and so on.
Step 5: Trace the source of the webpage tampering: based on the analysis result of step 4, the hook function further processes and summarises the source of the webpage tampering, thereby accurately tracing back to the source and returning the result: login IP, login user, login time, tampered page and so on.
Finally, it should be noted that the above is only a specific embodiment of the invention. Obviously, the invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can derive or infer directly from the disclosure of the invention are considered within the scope of protection of the invention.
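A user-space simulation of the five steps (the summary's steps (1) to (5) above and the embodiment's Steps 1 to 5), added here as an example; it is not code from the patent or from DBAPPSecurity. The kernel hook is stood in for by a path filter over constructed file events, and the process table (pid, ppid, name) and the login sessions are constructed in-memory stand-ins for what the hook would read from the operating system; all paths, PIDs, user names, IP addresses and timestamps are made up.

```python
# Added example, not the patent's code: simulates the trace pipeline
#   1. hook fires for operations under the watched web directory
#   2. walk the parent chain of the tampering process
#   3. tie the chain to a login session by PID
#   4. analyse (login user, IP, time) and 5. summarise the tamper source
from dataclasses import dataclass
from typing import Dict, List, Optional
import posixpath


@dataclass
class FileEvent:
    path: str   # file the operation touched
    op: str     # "write", "create", "unlink", ...
    pid: int    # process that performed the operation
    ts: str     # timestamp of the operation


@dataclass
class ProcessInfo:
    pid: int
    ppid: int
    name: str


@dataclass
class Session:
    pid: int          # pid of the session-leader process (e.g. the per-login sshd child)
    user: str
    ip: str
    login_time: str


# Assumed configuration: the webpage publishing directory the hook watches (constructed).
WATCHED_DIRS = ["/var/www/html"]


def hook_fires(event: FileEvent, watched: List[str] = WATCHED_DIRS) -> bool:
    """Step 1: react only to operations on files under a watched directory.
    Paths are normalised and matched on a separator boundary, so that
    /var/www/html-old does not match /var/www/html."""
    path = posixpath.normpath(event.path)
    for d in watched:
        d = posixpath.normpath(d)
        if path == d or path.startswith(d + "/"):
            return True
    return False


def process_chain(pid: int, table: Dict[int, ProcessInfo]) -> List[ProcessInfo]:
    """Step 2: walk parent links from the tampering process towards the root.
    Stops at a pid missing from the table (parent already exited) or a ppid cycle."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain


def match_session(chain: List[ProcessInfo], sessions: Dict[int, Session]) -> Optional[Session]:
    """Step 3: the nearest ancestor that is a login-session leader ties the chain to a user."""
    for proc in chain:
        if proc.pid in sessions:
            return sessions[proc.pid]
    return None


def trace_event(event: FileEvent, table: Dict[int, ProcessInfo],
                sessions: Dict[int, Session]) -> dict:
    """Steps 4 and 5: analyse the chain and summarise the tampering source.
    Login fields stay None when no session is found rather than guessing a user."""
    chain = process_chain(event.pid, table)
    session = match_session(chain, sessions)
    return {
        "tampered_page": event.path,
        "operation": event.op,
        "time": event.ts,
        "tamper_pid": event.pid,
        "process_chain": [p.name for p in chain],
        "login_user": session.user if session else None,
        "login_ip": session.ip if session else None,
        "login_time": session.login_time if session else None,
    }


def trace_tampering(events: List[FileEvent], table: Dict[int, ProcessInfo],
                    sessions: Dict[int, Session]) -> List[dict]:
    """Run the whole pipeline over a batch of events; only hooked events are traced."""
    return [trace_event(e, table, sessions) for e in events if hook_fires(e)]


# Constructed sample data (all values made up, IPs from the TEST-NET-3 range).
PROCESS_TABLE = {p.pid: p for p in [
    ProcessInfo(1, 0, "systemd"),
    ProcessInfo(800, 1, "sshd"),       # listener
    ProcessInfo(2105, 800, "sshd"),    # per-login child, session leader
    ProcessInfo(2110, 2105, "bash"),
    ProcessInfo(2234, 2110, "vim"),
    ProcessInfo(900, 1, "cron"),
    ProcessInfo(3001, 900, "sh"),
    ProcessInfo(3002, 3001, "cp"),
]}
SESSIONS = {2105: Session(2105, "webadmin", "203.0.113.7", "2017-04-07T09:58:12")}
SAMPLE_EVENTS = [
    FileEvent("/var/www/html/index.html", "write", 2234, "2017-04-07T10:02:41"),
    FileEvent("/var/www/html-old/about.html", "write", 2234, "2017-04-07T10:03:05"),  # not watched
    FileEvent("/var/www/html/about.html", "write", 3002, "2017-04-07T10:15:00"),      # cron, no login
    FileEvent("/tmp/scratch.txt", "write", 2234, "2017-04-07T10:16:30"),              # not watched
]

if __name__ == "__main__":
    for record in trace_tampering(SAMPLE_EVENTS, PROCESS_TABLE, SESSIONS):
        print(record)
```

Running the block prints one trace record per event under the watched directory. The second record is the edge case the patent's step (2) implies but does not spell out: a tampering process with no login session in its ancestry (here a cron child) still yields the process chain and the tampered page, with the login fields left empty rather than attributed to the wrong user. In a real deployment the constructed event list would be fed by the file system hook (a minifilter driver on Windows, fanotify or inotify on Linux) and the process table by the kernel's process list captured at the moment of the event, since a parent that has already exited cannot be resolved afterwards.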

Claims (3)

1. A method for tracing the source of webpage tampering, used to trace the tampering source when a file or directory to be monitored is tampered with, characterised in that the method specifically comprises the following steps:
(1) Tampering process detection: a hook function is added in the file system driver layer of the operating system, and the file or directory to be monitored is configured in the hook function; when any operation is performed on the monitored file or directory, the hook function is triggered and obtains the tampering process;
(2) Tampering action association: after step (1) has obtained the tampering process, the hook function further traces all processes that invoked the tampering process, forming a process list of the call chain behind the tampering action;
(3) Process PID mapping: the hook function further traces the PID of the tampering process from step (1) and the PIDs of the processes in the list from step (2);
(4) Process behaviour analysis: the behaviour of the process PIDs obtained in step (3) is analysed to obtain a process analysis result;
The process analysis result includes, but is not limited to: login user, login IP, login time and behaviour;
(5) Tampering source tracing: steps (1) to (4) are summarised to trace back to the tampering source: the tampering user and the tampered page;
The tampering user refers to the process analysis result of step (4);
The tampered page refers to the tampered file monitored by the hook function in step (1).
2. The method for tracing the source of webpage tampering according to claim 1, characterised in that the hook function hooks the file operation functions and the messages triggered by file operations; the hook function first detects the tampering process, then detects the list of processes that invoked the tampering process, then obtains the PID of the tampering process and the PIDs of the processes in the invoking list, and analyses the behaviour of those PIDs, completing an accurate trace of the source of the webpage tampering.
3. The method for tracing the source of webpage tampering according to claim 1, characterised in that the file or directory to be monitored refers to the webpage directory.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710223468.0A CN107423325A (en) 2017-04-07 2017-04-07 A kind of method for tracing webpage tamper behavior source

Publications (1)

Publication Number Publication Date
CN107423325A true CN107423325A (en) 2017-12-01

Family

ID=60423848

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710223468.0A Pending CN107423325A (en) 2017-04-07 2017-04-07 A kind of method for tracing webpage tamper behavior source

Country Status (1)

Country Link
CN (1) CN107423325A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925494A (en) * 2006-09-28 2007-03-07 北京理工大学 Web page wooden horse detecting method based on behavior characteristic
CN101159000A (en) * 2007-10-17 2008-04-09 深圳市迅雷网络技术有限公司 Web page safety information detecting system and method
CN101408919A (en) * 2008-12-09 2009-04-15 吕欣 Method and system for monitoring computer espionage behavior
CN102857519A (en) * 2012-09-29 2013-01-02 北京奇虎科技有限公司 Active defensive system
CN102902909A (en) * 2012-10-10 2013-01-30 北京奇虎科技有限公司 System and method for preventing file from being tampered
CN103152323A (en) * 2013-01-29 2013-06-12 深圳市深信服电子科技有限公司 Method and system of controlling access behaviors of client network
CN104766009A (en) * 2015-03-18 2015-07-08 杭州安恒信息技术有限公司 System for preventing webpage document tampering based on operating system bottom layer

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234484A (en) * 2017-12-30 2018-06-29 广东世纪网通信设备股份有限公司 For tracing the wooden horse source traceability system of the computer readable storage medium in wooden horse source and the application medium
CN108234484B (en) * 2017-12-30 2021-01-19 广东世纪网通信设备股份有限公司 Computer readable storage medium for tracing Trojan horse source and Trojan horse source tracing system applying same
CN109787964A (en) * 2018-12-29 2019-05-21 北京零平数据处理有限公司 Process behavior is traced to the source device and method
CN111967058A (en) * 2020-07-28 2020-11-20 浙江军盾信息科技有限公司 Tamper-proof method supporting user white list, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20171201)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication