CN107918735A - A kind of Web page wooden horse detecting method based on isolated island file - Google Patents
A kind of Web page wooden horse detecting method based on isolated island file Download PDFInfo
- Publication number
- CN107918735A CN107918735A CN201711220750.XA CN201711220750A CN107918735A CN 107918735 A CN107918735 A CN 107918735A CN 201711220750 A CN201711220750 A CN 201711220750A CN 107918735 A CN107918735 A CN 107918735A
- Authority
- CN
- China
- Prior art keywords
- file
- webpage
- list
- web page
- isolated island
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
A kind of method for detecting webpage Trojan horse, including:The webpage of http protocol request is captured, and webpage is parsed;The DOM structure of the page is obtained, extracts the link in the page, the file that analysis link is directed toward, the file that each link is directed toward is included in a list;Web page listings are analyzed, determine that the file under Web page listings whether there is in the list;If having in Web page listings has file not in the list, the file in no longer described list is isolated island file, and the access to isolated island file is recorded into line trace;For there is the isolated island file of doubtful behavior to carry out aspect ratio pair, judge whether this document is webpage Trojan horse according to comparison result.The beneficial effect of technical solution of the present invention is:Technical solution of the present invention can effectively detect webpage Trojan horse, and according to testing result timely processing webpage Trojan horse, be effectively protected the computer of user.
Description
Technical field
The present invention relates to safe web page field, in particular to a kind of webpage Trojan horse detection side based on isolated island file
Method.
Background technology
Webpage Trojan horse is one kind of computer wooden horse.Attacker is inserted into malice by distorting webpage in normal webpage
Code.When targeted customer accesses the webpage being tampered, malicious code can utilize the loopholes such as webpage control, browser and system,
Wooden horse or virus are implanted into the computer of targeted customer.
By the wooden horse or virus of implantation, attacker can control targe user easily computer, or steal mesh
Mark information of user etc..Since implantation process is not easy to be discovered by targeted customer, and the wooden horse or virus that are implanted into endanger very big, webpage
Wooden horse is as one of serious threat of internet security.
At present, mainly webpage Trojan horse is detected using the mode of feature detection and behavioral value.They generally pass through
The features such as malicious code and malicious act for existing webpage Trojan horse are analyzed, when there is the webpage for meeting individual features
Then it is determined as webpage Trojan horse.This method is largely effective for the wooden horse of feature invariant.But loophole emerges in an endless stream, loophole is utilized
Malicious code also constantly changing.Being detected by feature merely cannot find and detect in time webpage Trojan horse.
The content of the invention
The present invention be directed to the deficiencies in the prior art, it is proposed that a kind of Web page wooden horse detecting method based on isolated island file,
The application of this method can find webpage Trojan horse in time and remove, so as to protect the computer of user.
A kind of method for detecting webpage Trojan horse, including:
The webpage of http protocol request is captured, and webpage is parsed;
The DOM structure of the page is obtained, extracts the link in the page, the file that analysis link is directed toward, the text that each link is directed toward
Part is included in a list;
Web page listings are analyzed, determine that the file under Web page listings whether there is in the list;
If having in Web page listings has file not in the list, the file in no longer described list is isolated island file, to orphan
The access of island file is recorded into line trace;
For there is the isolated island file of doubtful behavior to carry out aspect ratio pair, judge whether this document is webpage wood according to comparison result
Horse.
A kind of device for detecting webpage Trojan horse, it includes webpage and creeps unit, resolution unit and detection unit;
The webpage is creeped unit, travels through the website that http protocol is followed in URL, extracts website hierarchical structure, by can in website
The page browsed passes to resolution unit;Site listing is scanned at the same time, obtains the list of All Files under catalogue;
The resolution unit, from webpage creep unit obtain webpage, the DOM structure of analyzing web page, extract the page in all chains
Connect, obtain file pointed in link href attributes and file is included in a list;
The detection unit, creeps the list of the All Files obtained in unit by webpage and linking of being generated in resolution unit refers to
To listed files be compared, obtain isolated island listed files;By conventional methods such as behavioural analysis and signature analysises to isolated island
File is detected to determine whether wooden horse.
The beneficial effect of technical solution of the present invention is:Technical solution of the present invention can carry out webpage Trojan horse
Effective detection, and according to testing result timely processing webpage Trojan horse, it is effectively protected the computer of user.
Embodiment
In order to make those skilled in the art more fully understand technical scheme, with reference to specific embodiment to this
Invention is described in further detail.
The present invention basic principle be:In order to ensure file can be had access to by normal navigation patterns, under Web page listings
File must there is the link in a webpage to be explicitly directed to.Then will not be by normal without the linked file being directed toward
Navigation patterns have access to, so as to be referred to as " isolated island file ".In order to snugly be implanted into wooden horse to targeted customer, what attacker uploaded
Webpage Trojan horse will not be directed toward by linking in a normal way.Therefore, it can just be detected and filtered out by the analysis to isolated island file
Webpage Trojan horse.
A kind of method for detecting webpage Trojan horse, including:
The webpage of http protocol request is captured, and webpage is parsed;
The DOM structure of the page is obtained, extracts the link in the page, the file that analysis link is directed toward, the text that each link is directed toward
Part is included in a list;
Web page listings are analyzed, determine that the file under Web page listings whether there is in the list;
If having in Web page listings has file not in the list, the file in no longer described list is isolated island file, to orphan
The access of island file is recorded into line trace;
For there is the isolated island file of doubtful behavior to carry out aspect ratio pair, judge whether this document is webpage wood according to comparison result
Horse.
A kind of device for detecting webpage Trojan horse, it includes webpage and creeps unit, resolution unit and detection unit;
The webpage is creeped unit, travels through the website that http protocol is followed in URL, extracts website hierarchical structure, by can in website
The page browsed passes to resolution unit;Site listing is scanned at the same time, obtains the list of All Files under catalogue;
The resolution unit, from webpage creep unit obtain webpage, the DOM structure of analyzing web page, extract the page in all chains
Connect, obtain file pointed in link href attributes and file is included in a list;
The detection unit, creeps the list of the All Files obtained in unit by webpage and linking of being generated in resolution unit refers to
To listed files be compared, obtain isolated island listed files;By conventional methods such as behavioural analysis and signature analysises to isolated island
File is detected to determine whether wooden horse.
A kind of method for detecting webpage Trojan horse provided by the present invention is described in detail above, it is used herein
Embodiment is set forth the principle and embodiment of the application, and the explanation of above example is only intended to help to understand this Shen
Method and its core concept please;Meanwhile for those of ordinary skill in the art, according to the thought of the application, specific real
There will be changes in mode and application range are applied, in conclusion this specification content should not be construed as the limit to the application
System.
Claims (2)
- A kind of 1. method for detecting webpage Trojan horse, it is characterised in that including:The webpage of http protocol request is captured, and webpage is parsed;The DOM structure of the page is obtained, extracts the link in the page, the file that analysis link is directed toward, the text that each link is directed toward Part is included in a list;Web page listings are analyzed, determine that the file under Web page listings whether there is in the list;If having in Web page listings has file not in the list, the file in no longer described list is isolated island file, to orphan The access of island file is recorded into line trace;For there is the isolated island file of doubtful behavior to carry out aspect ratio pair, judge whether this document is webpage wood according to comparison result Horse.
- A kind of 2. device for detecting webpage Trojan horse, it is characterised in that:The device of its detection webpage Trojan horse is creeped including webpage Unit, resolution unit and detection unit;The webpage is creeped unit, travels through the website that http protocol is followed in URL, extracts website hierarchical structure, by can in website The page browsed passes to resolution unit;Site listing is scanned at the same time, obtains the list of All Files under catalogue;The resolution unit, from webpage creep unit obtain webpage, the DOM structure of analyzing web page, extract the page in all chains Connect, obtain file pointed in link href attributes and file is included in a list;The detection unit, creeps the list of the All Files obtained in unit by webpage and linking of being generated in resolution unit refers to To listed files be compared, obtain isolated island listed files.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711220750.XA CN107918735A (en) | 2017-11-29 | 2017-11-29 | A kind of Web page wooden horse detecting method based on isolated island file |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711220750.XA CN107918735A (en) | 2017-11-29 | 2017-11-29 | A kind of Web page wooden horse detecting method based on isolated island file |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN107918735A true CN107918735A (en) | 2018-04-17 |
Family
ID=61897044
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711220750.XA Pending CN107918735A (en) | 2017-11-29 | 2017-11-29 | A kind of Web page wooden horse detecting method based on isolated island file |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107918735A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109818928A (en) * | 2018-12-25 | 2019-05-28 | 北京奇安信科技有限公司 | A kind of network security detection method, system, electronic equipment and medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1920832A (en) * | 2006-09-28 | 2007-02-28 | 北京理工大学 | Linkage analysis based web page Trojan track technique |
| CN101340434A (en) * | 2008-05-15 | 2009-01-07 | 王瑞 | Malicious content detection and verification method and system for network station |
| CN101562618A (en) * | 2009-04-08 | 2009-10-21 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting web Trojan |
| CN104572934A (en) * | 2014-12-29 | 2015-04-29 | 西安交通大学 | Webpage key content extracting method based on DOM |
| CN107038240A (en) * | 2017-04-20 | 2017-08-11 | 金电联行(北京)信息技术有限公司 | A kind of web page listings content detection algorithm |
| CN107231379A (en) * | 2017-08-01 | 2017-10-03 | 西安交大捷普网络科技有限公司 | The recognition methods of web extension horse webpages |
-
2017
- 2017-11-29 CN CN201711220750.XA patent/CN107918735A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1920832A (en) * | 2006-09-28 | 2007-02-28 | 北京理工大学 | Linkage analysis based web page Trojan track technique |
| CN101340434A (en) * | 2008-05-15 | 2009-01-07 | 王瑞 | Malicious content detection and verification method and system for network station |
| CN101562618A (en) * | 2009-04-08 | 2009-10-21 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting web Trojan |
| CN104572934A (en) * | 2014-12-29 | 2015-04-29 | 西安交通大学 | Webpage key content extracting method based on DOM |
| CN107038240A (en) * | 2017-04-20 | 2017-08-11 | 金电联行(北京)信息技术有限公司 | A kind of web page listings content detection algorithm |
| CN107231379A (en) * | 2017-08-01 | 2017-10-03 | 西安交大捷普网络科技有限公司 | The recognition methods of web extension horse webpages |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109818928A (en) * | 2018-12-25 | 2019-05-28 | 北京奇安信科技有限公司 | A kind of network security detection method, system, electronic equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101083311B1 (en) | System for detecting malicious script and method for detecting malicious script using the same | |
| Xu et al. | Jstill: mostly static detection of obfuscated malicious javascript code | |
| CN103023712B (en) | Method and system for monitoring malicious property of webpage | |
| Seshagiri et al. | AMA: static code analysis of web page for the detection of malicious scripts | |
| Heiderich et al. | Iceshield: Detection and mitigation of malicious websites with a frozen dom | |
| CN102819710B (en) | Cross-site script vulnerability detection method based on percolation test | |
| Shahriar et al. | S2XS2: a server side approach to automatically detect XSS attacks | |
| CN101895516B (en) | Method and device for positioning cross-site scripting attack source | |
| CN103279710B (en) | Method and system for detecting malicious codes of Internet information system | |
| US20140173736A1 (en) | Method and system for detecting webpage Trojan embedded | |
| CN105184159A (en) | Web page falsification identification method and apparatus | |
| CN101350822A (en) | Method for discovering and tracing Internet malevolence code | |
| CN102469113A (en) | Security gateway and method for forwarding webpage by using security gateway | |
| CN107846413A (en) | A kind of method and system for defending cross-site scripting attack | |
| CN107463844B (en) | WEB Trojan horse detection method and system | |
| CN107135212A (en) | Man-machine identifying device and method under a kind of Web environment of Behavior-based control difference | |
| Lamprakis et al. | Unsupervised detection of APT C&C channels using web request graphs | |
| CN102833269A (en) | Detection method and device for cross site scripting and firewall with device | |
| CN106230835A (en) | Method based on the anti-malicious access that Nginx log analysis and IPTABLES forward | |
| Gorji et al. | Detecting obfuscated JavaScript malware using sequences of internal function calls | |
| Lamba | Analysing sanitization technique of reverse proxy framework for enhancing database-security | |
| Liang et al. | Malicious web pages detection based on abnormal visibility recognition | |
| Kishore et al. | Browser JS Guard: Detects and defends against Malicious JavaScript injection based drive by download attacks | |
| KR20120070018A (en) | Javascript obfuscation by hooking automatically decrypted and how to detect malicious web sites | |
| CN107918735A (en) | A kind of Web page wooden horse detecting method based on isolated island file |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20180417 |