CN109347882A - Webpage Trojan horse monitoring method, device, equipment and storage medium - Google Patents

Info

Publication number
CN109347882A
Authority
CN (China)
Prior art keywords
trojan horse, webpage trojan, data packet, monitoring station, response data
Legal status
Granted
Application number
CN201811469346.0A
Other languages
Chinese (zh)
Other versions
CN109347882B (en)
Inventors
占承辉, 周欣
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a webpage Trojan horse monitoring method comprising the following steps: a simulated browser accesses a monitored website to obtain the response data packet returned by the monitored website; the response data packet is parsed to extract related data from it, the related data comprising Domain data, IP data and URL data; and multiple detection is carried out on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website. The invention also discloses a webpage Trojan horse monitoring device, equipment and computer-readable storage medium. The invention improves the recognition of webpage Trojan horses and guarantees the security of websites to the greatest extent.

Description

Webpage Trojan horse monitoring method, device, equipment and storage medium
Technical field
The present invention relates to the technical field of network security, and in particular to a webpage Trojan horse monitoring method, device, equipment and computer-readable storage medium.
Background technique
A webpage Trojan horse is a web page file that is disguised as an ordinary page on the surface, or malicious code inserted directly into a normal web page file. When someone visits the page, the webpage Trojan horse automatically exploits a vulnerability in the system or browser to download the pre-configured Trojan horse server-side component to the visitor's computer, where it executes automatically. A typical example is the webpage mining Trojan. Its spread is very wide: as long as a visitor browses, with a browser, a website into which a webpage mining Trojan has been maliciously implanted, the browser immediately executes the mining instructions, so that the visitor's computer becomes a zombie mining machine that provides computing power to the implanter of the webpage mining Trojan free of charge, who uses it to produce virtual currency.
At present there are mainly the following technical approaches to webpage Trojan horse detection:
1. Detection by webpage signature. This technique has two defects. One is false positives: when the matched page merely contains keywords that describe the features of such webpage mining Trojans, it may be wrongly reported as a webpage mining Trojan. The other is missed detections: some pages containing malicious code apply code obfuscation, which defeats the signature matching technique.
2. Detection by vulnerability signature. This approach can only detect known, publicly disclosed vulnerabilities and is therefore prone to missed detections. The recognition of this traditional technique, which detects webpage mining Trojans by way of known vulnerabilities, will become worse and worse.
Summary of the invention
The main purpose of the present invention is to provide a webpage Trojan horse monitoring method, device, equipment and computer-readable storage medium, aiming to solve the technical problem that existing webpage Trojan horse detection techniques have poor recognition.
To achieve the above object, the present invention provides a webpage Trojan horse monitoring method, which comprises the following steps:
a simulated browser accesses the monitored website to obtain the response data packet returned by the monitored website;
the response data packet is parsed to extract related data from the response data packet, the related data comprising Domain data, IP data and URL data;
multiple detection is carried out on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website.
Optionally, carrying out multiple detection on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website comprises:
requesting access to the Domain data, IP data and URL data respectively, to obtain the response data packets corresponding to those access requests;
carrying out static detection separately on the response data packet returned by the monitored website and on the response data packets corresponding to the access requests, to obtain a first detection result;
judging whether a downloaded file is present in the response data packets corresponding to the access requests;
if so, carrying out static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result;
if the first detection result and/or the second detection result indicates an anomaly, determining that a webpage Trojan horse is present on the monitored website.
Optionally, carrying out multiple detection on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website further comprises:
if the first detection result and the second detection result are both normal, querying a database with the Domain data, IP data and URL data respectively to carry out address information matching, the database holding the address information corresponding to the API interfaces used by webpage Trojan horses;
if the database contains address information matching any one or more of the Domain data, IP data and URL data, determining that an API interface used by a webpage Trojan horse is present in the response data packet returned by the monitored website;
if an API interface used by a webpage Trojan horse is present in the response data packet returned by the monitored website, determining that a webpage Trojan horse is present on the monitored website.
Optionally, carrying out multiple detection on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website further comprises:
if the first detection result and the second detection result are both normal, analysing by means of predefined morphological rules whether malicious code used by webpage Trojan horses is present in the response data packet returned by the monitored website, and analysing the family type of that malicious code;
if so, determining that a webpage Trojan horse of that family type is present on the monitored website.
Optionally, the webpage Trojan horse monitoring method further comprises:
when it is determined that a webpage Trojan horse is present on the monitored website, pushing early-warning information in real time through a preset communication interface, the communication interface comprising a WeChat public platform interface and a mail interface.
Optionally, the webpage Trojan horse monitoring method further comprises:
if it is determined that no webpage Trojan horse is present on the monitored website, executing the webpage Trojan horse monitoring task on the monitored website again after every preset duration.
Further, to achieve the above object, the present invention also provides a webpage Trojan horse monitoring device, which comprises:
a simulation module, for accessing the monitored website with a simulated browser to obtain the response data packet returned by the monitored website;
a parsing module, for parsing the response data packet to extract related data from it, the related data comprising Domain data, IP data and URL data;
a detection module, for carrying out multiple detection on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website.
Optionally, the detection module comprises a first detection sub-module.
The first detection sub-module is used for: requesting access to the Domain data, IP data and URL data respectively, to obtain the response data packets corresponding to those access requests; carrying out static detection separately on the response data packet returned by the monitored website and on the response data packets corresponding to the access requests, to obtain a first detection result;
judging whether a downloaded file is present in the response data packets corresponding to the access requests; if so, carrying out static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result; and, if the first detection result and/or the second detection result indicates an anomaly, determining that a webpage Trojan horse is present on the monitored website.
Optionally, the detection module further comprises a second detection sub-module.
The second detection sub-module is used for: if the first detection result and the second detection result are both normal, querying a database with the Domain data, IP data and URL data respectively to carry out address information matching, the database holding the address information corresponding to the API interfaces used by webpage Trojan horses;
if the database contains address information matching any one or more of the Domain data, IP data and URL data, determining that an API interface used by a webpage Trojan horse is present in the response data packet returned by the monitored website; and, if an API interface used by a webpage Trojan horse is present in the response data packet returned by the monitored website, determining that a webpage Trojan horse is present on the monitored website.
Optionally, the detection module further comprises a third detection sub-module.
The third detection sub-module is used for: if the first detection result and the second detection result are both normal, analysing by means of predefined morphological rules whether malicious code used by webpage Trojan horses is present in the response data packet returned by the monitored website, and analysing the family type of that malicious code; if so, determining that a webpage Trojan horse of that family type is present on the monitored website.
Optionally, the webpage Trojan horse monitoring device further comprises:
an early-warning module, for pushing early-warning information in real time through a preset communication interface when it is determined that a webpage Trojan horse is present on the monitored website, the communication interface comprising a WeChat public platform interface and a mail interface.
Optionally, the webpage Trojan horse monitoring device further comprises:
a task scheduling module, for executing the webpage Trojan horse monitoring task on the monitored website again after every preset duration if it is determined that no webpage Trojan horse is present on the monitored website.
Further, to achieve the above object, the present invention also provides a webpage Trojan horse monitoring equipment, which comprises a memory, a processor, and a webpage Trojan horse monitoring program stored on the memory and runnable on the processor; when executed by the processor, the webpage Trojan horse monitoring program implements the steps of the webpage Trojan horse monitoring method described in any of the above embodiments.
Further, to achieve the above object, the present invention also provides a computer-readable storage medium on which a webpage Trojan horse monitoring program is stored; when executed by a processor, the webpage Trojan horse monitoring program implements the steps of the webpage Trojan horse monitoring method described in any of the above embodiments.
In the present invention, when webpage Trojan horse detection is carried out, a simulated browser first accesses the monitored website to obtain the response data packet it returns; the response data packet is then parsed to extract the Domain data, IP data and URL data it contains; finally, multiple detection is carried out on the basis of the response data packet and the extracted Domain data, IP data and URL data, and whether a webpage Trojan horse is present on the monitored website is judged from the detection results. Because the response data packet, Domain data, IP data and URL data are directly linked to webpage Trojan horses, the present invention can improve the recognition of webpage Trojan horses and guarantee the security of websites to the greatest extent.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the hardware running environment of the equipment involved in the embodiments of the webpage Trojan horse monitoring equipment of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the webpage Trojan horse monitoring method of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the webpage Trojan horse monitoring method of the present invention;
Fig. 4 is a detailed flow diagram of one embodiment of step S30 in Fig. 2;
Fig. 5 is a detailed flow diagram of another embodiment of step S30 in Fig. 4;
Fig. 6 is a detailed flow diagram of another embodiment of step S30 in Fig. 4;
Fig. 7 is a functional block diagram of the first embodiment of the webpage Trojan horse monitoring device of the present invention;
Fig. 8 is a functional block diagram of the second embodiment of the webpage Trojan horse monitoring device of the present invention;
Fig. 9 is a functional block diagram of one embodiment of the detection module in Fig. 7;
Fig. 10 is a functional block diagram of another embodiment of the detection module in Fig. 9.
The realisation of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Specific embodiments
It should be understood that the specific embodiments described herein are only used to explain the present invention and are not intended to limit it.
The present invention provides a webpage Trojan horse monitoring equipment.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of the hardware running environment of the equipment involved in the embodiments of the webpage Trojan horse monitoring equipment of the present invention.
As shown in Fig. 1, the webpage Trojan horse monitoring equipment may comprise: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to realise the connection and communication between these components. The user interface 1003 may comprise a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also comprise a standard wired interface and a wireless interface. The network interface 1004 may optionally comprise a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory, or a stable memory (non-volatile memory) such as a magnetic disk memory. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the hardware configuration of the webpage Trojan horse monitoring equipment shown in Fig. 1 does not constitute a limitation of the webpage Trojan horse monitoring equipment, which may comprise more or fewer components than illustrated, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a computer-readable storage medium, may contain an operating system, a network communication module, a user interface module and a webpage Trojan horse monitoring program. The operating system is the program that manages and controls the hardware and software resources of the webpage Trojan horse monitoring equipment and supports the running of the network communication module, the user interface module, the webpage Trojan horse monitoring program and other programs or software; the network communication module is used to manage and control the network interface 1004; the user interface module is used to manage and control the user interface 1003.
In the hardware configuration of the webpage Trojan horse monitoring equipment shown in Fig. 1, the network interface 1004 is mainly used to connect to the system back end and carry out data communication with it; the user interface 1003 is mainly used to connect to a client (user terminal) and carry out data communication with the client; and the webpage Trojan horse monitoring equipment calls, by means of the processor 1001, the webpage Trojan horse monitoring program stored in the memory 1005 and executes the following operations:
a simulated browser accesses the monitored website to obtain the response data packet returned by the monitored website;
the response data packet is parsed to extract related data from the response data packet, the related data comprising Domain data, IP data and URL data;
multiple detection is carried out on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website.
Further, the webpage Trojan horse monitoring equipment calls, by means of the processor 1001, the webpage Trojan horse monitoring program stored in the memory 1005 and also executes the following operations:
requesting access to the Domain data, IP data and URL data respectively, to obtain the response data packets corresponding to those access requests;
carrying out static detection separately on the response data packet returned by the monitored website and on the response data packets corresponding to the access requests, to obtain a first detection result;
judging whether a downloaded file is present in the response data packets corresponding to the access requests;
if so, carrying out static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result;
if the first detection result and/or the second detection result indicates an anomaly, determining that a webpage Trojan horse is present on the monitored website.
Further, the webpage Trojan horse monitoring equipment calls, by means of the processor 1001, the webpage Trojan horse monitoring program stored in the memory 1005 and also executes the following operations:
if the first detection result and the second detection result are both normal, querying a database with the Domain data, IP data and URL data respectively to carry out address information matching, the database holding the address information corresponding to the API interfaces used by webpage Trojan horses;
if the database contains address information matching any one or more of the Domain data, IP data and URL data, determining that an API interface used by a webpage Trojan horse is present in the response data packet returned by the monitored website;
if an API interface used by a webpage Trojan horse is present in the response data packet returned by the monitored website, determining that a webpage Trojan horse is present on the monitored website.
Further, the webpage Trojan horse monitoring equipment calls, by means of the processor 1001, the webpage Trojan horse monitoring program stored in the memory 1005 and also executes the following operations:
if the first detection result and the second detection result are both normal, analysing by means of predefined morphological rules whether malicious code used by webpage Trojan horses is present in the response data packet returned by the monitored website, and analysing the family type of that malicious code;
if so, determining that a webpage Trojan horse of that family type is present on the monitored website.
Further, the webpage Trojan horse monitoring equipment calls, by means of the processor 1001, the webpage Trojan horse monitoring program stored in the memory 1005 and also executes the following operation:
when it is determined that a webpage Trojan horse is present on the monitored website, pushing early-warning information in real time through a preset communication interface, the communication interface comprising a WeChat public platform interface and a mail interface.
Further, the webpage Trojan horse monitoring equipment calls, by means of the processor 1001, the webpage Trojan horse monitoring program stored in the memory 1005 and also executes the following operation:
if it is determined that no webpage Trojan horse is present on the monitored website, executing the webpage Trojan horse monitoring task on the monitored website again after every preset duration.
Based on the hardware running environment of the above webpage Trojan horse monitoring equipment, the following embodiments of the webpage Trojan horse monitoring method of the present invention are proposed.
The present invention also provides a webpage Trojan horse monitoring method.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the webpage Trojan horse monitoring method of the present invention. In this embodiment, the webpage Trojan horse monitoring method comprises the following steps:
Step S10: a simulated browser accesses the monitored website to obtain the response data packet returned by the monitored website;
In this embodiment, a crawler tool preferably crawls, automatically and according to custom rules, the page programs or scripts of the websites on the internet that need to be monitored, requesting access to those websites in a way that simulates the behaviour of a browser, and thereby obtains the response data packet that the monitored website returns for that access request. The response data packet is preferably the one corresponding to the home page of the monitored website.
Optionally, in this step the response data packet is further cached as a file to facilitate subsequent analysis.
Step S20: the response data packet is parsed to extract related data from the response data packet, the related data comprising Domain data, IP data and URL data;
In this embodiment the response data packet is preferably parsed with a protocol parser to extract the following data from it:
(1) Domain data refers to domain name data, the electronic address that identifies a computer during data transmission, such as a DNS name.
(2) IP data refers to IP addresses; an IP address is the numeric identifier by which an internet host is routed and addressed.
(3) URL data refers to uniform resource locators. A URL is a concise representation of the location of, and the method of access to, a resource obtainable from the internet; it is the address of a standard resource on the internet, and every file on the internet has a unique URL.
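As an added illustration of step S20 (example code written for this page, not the patent's implementation), the Python below parses a cached HTTP response of the kind step S10 produces and extracts the Domain, IP and URL data; it also checks, from the response headers, whether the response delivers a file rather than a page, which is the question step S303 asks later. The two sample responses, the hostnames and the address 198.51.100.7 are constructed, and the URL regex and header handling are deliberate simplifications (only HTTP/1.x framing is handled and repeated headers are collapsed).

```python
"""Extract the Domain, IP and URL data of step S20 from a cached HTTP
response and check whether the response delivers a downloaded file (S303).
Added example, not the patent's implementation; sample data is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Loose URL matcher: scheme://host[:port][/path...], stopping at quotes,
# whitespace and angle brackets so it works on HTML and inline JavaScript.
URL_RE = re.compile(r"""(?i)\b(?:https?|ftp)://[^\s"'<>()]+""")
# Dotted-quad candidates found outside URLs; validated with ipaddress below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_response(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw HTTP/1.x response into a lower-cased header dict and the body.
    Repeated headers collapse to the last value (enough for this example)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def is_download(headers: dict) -> bool:
    """True when the response carries a file rather than a page (step S303)."""
    disposition = headers.get("content-disposition", "").lower()
    content_type = headers.get("content-type", "").lower()
    return disposition.startswith("attachment") or content_type.startswith(
        "application/octet-stream"
    )


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _unique(items):
    return list(dict.fromkeys(items))  # de-duplicate, keep first-seen order


def extract_related_data(raw: bytes) -> dict:
    """Return the S20 related data for one response:
    {'domain': [...], 'ip': [...], 'url': [...], 'download': bool}."""
    headers, body = split_response(raw)
    text = body.decode("utf-8", errors="replace")
    candidates = [u.rstrip(".,;") for u in URL_RE.findall(text)]
    # A redirect target is also an address the site sends the visitor to.
    location = headers.get("location", "")
    if location.lower().startswith(("http://", "https://")):
        candidates.append(location)
    urls, domains, ips = [], [], []
    for url in candidates:
        host = urlsplit(url).hostname
        if not host:
            continue
        urls.append(url)
        (ips if _is_ip(host) else domains).append(host)
    # Bare IPs in scripts or config blobs, e.g. a hard-coded control address.
    ips.extend(ip for ip in IPV4_RE.findall(text) if _is_ip(ip))
    return {
        "domain": _unique(domains),
        "ip": _unique(ips),
        "url": _unique(urls),
        "download": is_download(headers),
    }


# Constructed sample: a home page that loads a remote script, talks to a
# hard-coded IP and links to a binary download.
SAMPLE_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><head><script src='https://cdn.example-static.test/lib.js'></script>"
    b"<script>var pool='http://198.51.100.7:8080/ws';"
    b"fetch('https://api.example-static.test/v1/cfg');</script></head>"
    b"<body><a href='http://example.test/download/update.exe'>update</a></body></html>"
)

# Constructed sample: what a follow-up request to the download link returns.
SAMPLE_DOWNLOAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="update.exe"\r\n'
    b"\r\n"
    b"MZ\x90\x00"
)

if __name__ == "__main__":
    print(extract_related_data(SAMPLE_PAGE))
    print("download:", is_download(split_response(SAMPLE_DOWNLOAD)[0]))
```

Running the block prints the related data for the sample page (three domains, one IP, four URLs, no download) and confirms that the follow-up response is a file download; a real pipeline would feed each extracted domain, IP and URL back into step S301.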
Step S30: multiple detection is carried out on the basis of the response data packet and the related data to determine whether a webpage Trojan horse is present on the monitored website.
Specifically, in this embodiment multiple detection is carried out on the basis of the response data packet returned by the monitored website and the Domain data, IP data and URL data extracted from it, and whether a webpage Trojan horse is present on the monitored website is judged from the result of the multiple detection.
This embodiment does not restrict the specific detection method; for example, multi-dimensional static feature detection and highly heuristic suspicious-behaviour detection may be used. Because the operation of a webpage Trojan horse is directly linked to the response data packet, Domain data, IP data or URL data, carrying out multiple detection on the above data raises the recognition rate of webpage Trojan horses and avoids missed or false detections.
In this embodiment, when webpage Trojan horse detection is carried out, a simulated browser first accesses the monitored website to obtain the response data packet it returns; the response data packet is then parsed to extract the Domain data, IP data and URL data it contains; finally, multiple detection is carried out on the basis of the response data packet and the extracted Domain data, IP data and URL data, and whether a webpage Trojan horse is present on the monitored website is judged from the detection results. Because the response data packet, Domain data, IP data and URL data are directly linked to webpage Trojan horses, this embodiment can improve the recognition of webpage Trojan horses and guarantee the security of websites to the greatest extent.
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the webpage Trojan horse monitoring method of the present invention. Based on the first embodiment above, in this embodiment the webpage Trojan horse monitoring method further comprises, after step S30:
Step S40: when it is determined that a webpage Trojan horse is present on the monitored website, early-warning information is pushed in real time through a preset communication interface, the communication interface comprising a WeChat public platform interface and a mail interface.
This embodiment preferably carries out real-time early warning on the basis of a SaaS (Software-as-a-Service) architecture, under which various communication interfaces can be integrated, including a WeChat public platform interface and a mail interface, and possibly other types of communication interface as well.
When a risk is found, that is, when it is determined that a webpage Trojan horse is present on the monitored website, early-warning information is pushed in real time in several ways, for example through the WeChat public platform interface, through the mail interface, or through a threat report interface.
This embodiment issues a real-time early warning once a danger is confirmed, closing the loop between detection and operations and maintenance and improving the user experience of webpage Trojan horse monitoring.
Further, in one embodiment, to guarantee the long-term stable and secure operation of the monitored website, the whole webpage Trojan horse monitoring process is treated as a task; if, after the task has been executed, it is determined that no webpage Trojan horse is present on the monitored website, the webpage Trojan horse monitoring task is executed on the monitored website again after every preset duration. This embodiment achieves periodic detection of the monitored website and improves the security of the website.
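The alerting of step S40 and the periodic re-execution described just above, as an added example that is not the patent's code: the channels are in-memory callables standing in for the WeChat public platform and mail interfaces, the detection step is injected as a function returning (found, detail), and an injectable clock replaces real waiting so the loop can be exercised offline. The page does not say what happens to a site after an alert; this example does not re-queue it automatically, on the assumption that operations take it over, and it isolates channel failures so one dead interface cannot suppress the alert on the others.

```python
"""Closed loop after step S30: alert on every channel when a webpage Trojan is
found (S40), otherwise re-queue the monitoring task after the preset duration.
Added example, not the patent's code; channels, clock and detector are
constructed stand-ins."""
import time
from typing import Callable, Dict, List, Tuple

Check = Callable[[str], Tuple[bool, str]]  # site -> (trojan_found, detail)
Channel = Callable[[str], None]            # message -> None; may raise on failure


class TrojanMonitor:
    def __init__(self, check: Check, channels: Dict[str, Channel],
                 interval_s: float, clock: Callable[[], float] = time.monotonic):
        self.check = check
        self.channels = channels
        self.interval_s = interval_s            # the "preset duration"
        self.clock = clock
        self.next_run: Dict[str, float] = {}    # site -> when to monitor it again
        self.delivery_log: List[Tuple[str, str, bool]] = []  # (site, channel, ok)

    def run_task(self, site: str) -> str:
        """Run one monitoring task for `site`; return 'alerted' or 'rescheduled'."""
        now = self.clock()
        found, detail = self.check(site)
        if found:
            # Real-time early warning: try every channel and isolate failures.
            message = f"webpage Trojan detected on {site}: {detail}"
            for name, send in self.channels.items():
                try:
                    send(message)
                    self.delivery_log.append((site, name, True))
                except Exception:
                    self.delivery_log.append((site, name, False))
            self.next_run.pop(site, None)  # design choice: operations take over
            return "alerted"
        self.next_run[site] = now + self.interval_s
        return "rescheduled"

    def due(self) -> List[str]:
        """Sites whose preset duration has elapsed."""
        now = self.clock()
        return sorted(site for site, when in self.next_run.items() if when <= now)

    def run_due(self) -> Dict[str, str]:
        """Run every due task once; returns site -> outcome."""
        return {site: self.run_task(site) for site in self.due()}


# Constructed stand-ins for the clock and the communication interfaces.
class FakeClock:
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


def make_inbox() -> Tuple[List[str], Channel]:
    """An in-memory channel that records messages (stand-in for mail/WeChat)."""
    inbox: List[str] = []
    return inbox, inbox.append


def failing_channel(message: str) -> None:
    raise ConnectionError("interface unavailable")  # simulates a dead interface


if __name__ == "__main__":
    clock = FakeClock()
    inbox, mail = make_inbox()
    verdicts = {"http://clean.test/": (False, "no anomaly"),
                "http://bad.test/": (True, "first=abnormal")}
    mon = TrojanMonitor(lambda s: verdicts[s], {"mail": mail, "wechat": failing_channel},
                        3600, clock)
    print(mon.run_task("http://clean.test/"), mon.run_task("http://bad.test/"))
    clock.advance(3600)
    print(mon.due(), inbox, mon.delivery_log)
```

In production the `check` callable would be the full S10 to S30 pipeline and `due()` would be polled by a scheduler; the delivery log is what an operator needs to see that an alert was raised but one interface failed to deliver it.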
It is the refinement flow diagram of mono- embodiment of step S30 in Fig. 2 referring to Fig. 4, Fig. 4.Based on above-mentioned first embodiment, In the present embodiment, above-mentioned steps S30 further comprises:
Step S301 makes requests access to the Domain data, IP data and url data respectively, described in obtaining Request access to corresponding response data packet;
In this embodiment, a response data packet is first obtained from the monitored site, and the Domain data, IP data and URL data are then extracted from it. Because these data may be associated with a webpage trojan, the access is redirected once more in order to obtain the response data packets returned by the suspected trojan-side sites.
Step S302: performing static detection separately on the response data packet returned by the monitored site and on the response data packets corresponding to the access requests, to obtain a first detection result;
Static detection is a feature-based detection method: it inspects only the syntax, structure, interfaces and similar properties of the object under test to determine whether anything is abnormal, and it understands the object's behaviour from its syntax and semantics, so that the features of the object can be analysed and the anomalies present in it can be found.
In this embodiment, static detection is performed separately on the response data packet returned by the monitored site and on the response data packets returned by the suspected trojan-side sites, so that potential trojans can be detected directly and comprehensively, improving the webpage trojan detection capability.
Step S303: judging whether a downloaded file is present in the response data packets corresponding to the access requests;
Step S304: if so, performing static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result;
In this embodiment, a webpage trojan is in some cases propagated indirectly, for example through a downloaded file. The response data packets returned by the suspected trojan-side sites are therefore obtained by redirecting the access, and if a downloaded file (for example, a file downloaded via a URL) is present in such a response data packet, that downloaded file must be detected further.
Because file contents are extensive and the ways of hiding are complex, this embodiment performs static detection and dynamic heuristic detection separately on the downloaded file in order to avoid false positives and false negatives.
Dynamic heuristic detection is a behavioural detection method. "Heuristic" refers to "the ability of self-discovery" or "the knowledge and skill of determining things by a certain method or approach". The technique can analyse the logical structure of a file's code to determine whether it contains malicious program behaviour, or it can actively execute the code in a virtual, secure environment to judge whether it behaves maliciously. Dynamic heuristic detection relies on virtual machine technology built into the anti-virus software: a running environment is emulated for the virus, the virus is lured into running in the anti-virus software's simulated buffer area, and if suspicious actions are detected during execution the program is judged to be dangerous.
Step S305: if the first detection result and/or the second detection result indicates an anomaly, determining that a webpage trojan is present on the monitored site.
In this embodiment, multiple detection results are obtained through detection in several ways; if the result of one or more of these detections shows an anomaly, it is determined that a webpage trojan is present on the monitored site.
In addition, to improve the detection effect, this embodiment preferably performs webpage trojan detection using a virus detection approach that combines artificial intelligence technology with virtualisation sandbox technology. The anti-virus detection engine that applies artificial intelligence technology has been deployed into the virtualisation sandbox system, which solves the problem of high resource consumption in traditional schemes and achieves a good balance between detection rate and performance cost. It simultaneously supports multi-dimensional static feature detection and highly heuristic suspicious-behaviour detection, performs feature and behaviour detection through logical micro-isolation technology, and releases its resources after every detection run, so the physical machine is never harmed.
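As an added illustration of steps S301 to S305 (not code from the patent or from Sangfor), the following Python sketch carries the pipeline through on a constructed response: it extracts the Domain, IP and URL data, re-requests each address through a caller-supplied fetch function, runs static rules over every response, and gives downloaded files static detection plus a dynamic heuristic verdict over the actions a caller-supplied sandbox reports. The static rules, the suspicious-action list, the in-memory responses and the stand-in sandbox are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data (illustrative only, not from the patent).
# SITE_RESPONSE is what the monitored site returns to the simulated browser;
# REDIRECT_RESPONSES stands in for the network and maps each re-requested
# address to the response the suspected trojan-side host would return.
SITE_RESPONSE = b"""<html><body><h1>Welcome</h1>
<iframe src="http://203.0.113.7/soft/update.exe" width="0" height="0"></iframe>
<script src="https://cdn.example.net/lib.js"></script></body></html>"""
REDIRECT_RESPONSES: Dict[str, bytes] = {
    "http://203.0.113.7/soft/update.exe": b"MZ\x90\x00" + b"\x00" * 60,  # PE-style header
    "https://cdn.example.net/lib.js": b"function init(){return 1;}",
}

URL_RE = re.compile(rb"""https?://[^\s"'<>]+""")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOWNLOAD_EXT = (".exe", ".dll", ".scr", ".msi", ".jar", ".apk")
# Static rules: syntax/structure checks only, nothing is executed (assumed set).
STATIC_PAGE_RULES = [
    ("hidden iframe", re.compile(rb"""<iframe[^>]*(?:width|height)\s*=\s*["']?0\b""", re.I)),
    ("obfuscated eval", re.compile(rb"eval\s*\(\s*(?:unescape|String\.fromCharCode)", re.I)),
]
# Actions a sandbox run may report; any of them counts as a suspicious movement.
SUSPICIOUS_ACTIONS = {"drop_executable", "write_run_key", "create_process", "connect_out"}

@dataclass
class RelatedData:
    domains: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)

def parse_response(body: bytes) -> RelatedData:
    """Parsing module: extract URL, Domain and IP data from a response packet."""
    data = RelatedData()
    for raw in URL_RE.findall(body):
        url = raw.decode("latin-1")
        host = url.split("//", 1)[1].split("/", 1)[0].split(":")[0].lower()
        data.urls.append(url)
        bucket = data.ips if IPV4_RE.match(host) else data.domains
        if host not in bucket:
            bucket.append(host)
    return data

def static_detect_page(body: bytes) -> List[str]:
    """Static detection of a response body: names of the rules that matched."""
    return [name for name, rule in STATIC_PAGE_RULES if rule.search(body)]

def is_download(url: str, content: bytes) -> bool:
    """S303: the response is a downloaded file, by extension or by file header."""
    path = url.split("//", 1)[1].split("?", 1)[0].lower()
    return path.endswith(DOWNLOAD_EXT) or content.startswith(b"MZ")

def static_detect_file(url: str, content: bytes) -> List[str]:
    """Static detection of a downloaded file's structure."""
    findings = []
    if content.startswith(b"MZ"):
        findings.append("PE executable")
        if not url.split("?", 1)[0].lower().endswith((".exe", ".dll", ".scr", ".msi")):
            findings.append("executable served under a non-executable name")
    return findings

def dynamic_heuristic(observed_actions: List[str]) -> List[str]:
    """Dynamic heuristic verdict: the suspicious actions seen during a sandbox run."""
    return sorted(SUSPICIOUS_ACTIONS.intersection(observed_actions))

def monitor(site_response: bytes, fetch: Callable[[str], Optional[bytes]],
            sandbox: Callable[[bytes], List[str]]) -> dict:
    """Steps S301-S305 over one response packet returned by the monitored site.
    fetch(url) returns the response of a re-requested address (None if none);
    sandbox(content) runs a file in an isolated environment and reports actions."""
    related = parse_response(site_response)
    # S301: request every extracted URL, plus the root of every domain and IP.
    targets = related.urls + [f"http://{h}/" for h in related.domains + related.ips]
    redirect = {t: fetch(t) for t in dict.fromkeys(targets)}
    redirect = {t: body for t, body in redirect.items() if body is not None}
    # S302: static detection on the site's packet and on every redirect packet.
    first = {"monitored-site": static_detect_page(site_response)}
    first.update({t: static_detect_page(body) for t, body in redirect.items()})
    # S303/S304: downloaded files get static plus dynamic heuristic detection.
    second = {}
    for target, body in redirect.items():
        if is_download(target, body):
            second[target] = static_detect_file(target, body) + dynamic_heuristic(sandbox(body))
    # S305: an anomaly in either result means a webpage trojan is present.
    trojan = any(first.values()) or any(second.values())
    return {"first_result": first, "second_result": second, "trojan": trojan}

def fake_sandbox(content: bytes) -> List[str]:
    """Constructed stand-in for the sandbox: reports actions for the sample PE only."""
    return ["write_run_key", "drop_executable"] if content.startswith(b"MZ") else []

if __name__ == "__main__":
    print(monitor(SITE_RESPONSE, REDIRECT_RESPONSES.get, fake_sandbox))
```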
Further, to avoid false positives and false negatives while improving the recognition effect and detection coverage of webpage trojan detection, in another embodiment of the webpage trojan monitoring method of the present invention, matching detection is additionally performed on the Domain data, IP data and URL data.
Referring to FIG. 5, FIG. 5 is a detailed flow diagram of another embodiment of step S30 in FIG. 4. Based on the above embodiment, in this embodiment step S30 further includes:
Step S306: if the first detection result and the second detection result are both normal, querying a database separately on the basis of the Domain data, the IP data and the URL data to perform address information matching, where the database holds the address information corresponding to the API interfaces used by webpage trojans;
In this embodiment, the Domain data, IP data and URL data are further detected individually; specifically, address information matching is performed with reference to the address information corresponding to the API interfaces used by webpage trojans that is stored in the database. The database is updated in real time so that it holds the newest and most complete address information (domain name information, IP information, URL information and so on) of the API interfaces used by webpage trojans on the market.
Step S307: if address information matching any one or more of the Domain data, the IP data and the URL data exists in the database, determining that an API interface used by a webpage trojan is present in the response data packet returned by the monitored site;
Step S308: if an API interface used by a webpage trojan is present in the response data packet returned by the monitored site, determining that a webpage trojan is present on the monitored site.
Through item-by-item comparison, if address information matching any one or more of the Domain data, IP data and URL data exists in the database, it can be determined that an API interface used by a webpage trojan is present in the response data packet returned by the monitored site, and hence that a webpage trojan is present on the monitored site.
In this embodiment, once the previous round of detection is complete, the next round of detection continues if no anomaly was found, so as to avoid false positives and false negatives while improving the recognition effect and detection coverage of webpage trojan detection.
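An added Python example (not from the patent) of the address information matching of steps S306 to S308, with a constructed database standing in for the continuously updated store of trojan API addresses; parent-domain, CIDR and normalised URL-prefix matching are assumptions about how the comparison is done, since the text only says the data are compared one by one.

```python
import ipaddress
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed address database (illustrative values, not from the patent). It
# stands in for the continuously refreshed database described in the text, which
# holds the domain, IP and URL address information of API interfaces used by
# webpage trojans. Values use documentation/example ranges only.
TROJAN_API_DB: Dict[str, Set[str]] = {
    "domains": {"api.badcdn.example", "stat.evil-tracker.example"},
    "networks": {"203.0.113.0/24", "198.51.100.42/32"},
    "url_prefixes": {"http://update.example.org/api/v1/report"},
}

def match_domain(domain: str, db_domains: Set[str]) -> bool:
    """Exact or parent-domain match: cdn.api.badcdn.example hits api.badcdn.example."""
    labels = domain.lower().rstrip(".").split(".")
    # stop before the bare TLD so "example" on its own never matches
    return any(".".join(labels[i:]) in db_domains for i in range(len(labels) - 1))

def match_ip(ip: str, networks: Set[str]) -> bool:
    """IP match against single addresses or CIDR ranges held in the database."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)

def match_url(url: str, db: Dict[str, Set[str]]) -> bool:
    """URL match on a normalised form (lower-cased scheme and host, query dropped),
    falling back to the URL's host against the domain and IP entries."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    normalised = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    if any(normalised.startswith(prefix) for prefix in db["url_prefixes"]):
        return True
    return match_ip(host, db["networks"]) or match_domain(host, db["domains"])

def address_matches(domains: List[str], ips: List[str], urls: List[str],
                    db: Dict[str, Set[str]]) -> List[str]:
    """S306/S307: compare every Domain, IP and URL datum against the database
    one by one and return the data that matched a known trojan API address."""
    hits = [d for d in domains if match_domain(d, db["domains"])]
    hits += [ip for ip in ips if match_ip(ip, db["networks"])]
    hits += [u for u in urls if match_url(u, db)]
    return hits

def match_detection(first_abnormal: bool, second_abnormal: bool,
                    domains: List[str], ips: List[str], urls: List[str],
                    db: Dict[str, Set[str]] = TROJAN_API_DB) -> Tuple[bool, List[str]]:
    """S306-S308: runs only when both earlier results were normal; returns
    (trojan present, matched address data)."""
    if first_abnormal or second_abnormal:
        return True, []            # already decided at S305, no matching needed
    hits = address_matches(domains, ips, urls, db)
    return bool(hits), hits        # S308: any matched API address means a trojan

if __name__ == "__main__":
    # Constructed related data, as the parsing module would extract it.
    print(match_detection(False, False,
                          ["www.monitored.example", "cdn.api.badcdn.example"],
                          ["203.0.113.77", "192.0.2.1"],
                          ["http://UPDATE.example.org/api/v1/report?id=9",
                           "https://www.monitored.example/index.html"]))
```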
Further, considering that certain trojans are designed so ingeniously that ordinary feature detection does not easily find them, in yet another embodiment of the webpage trojan monitoring method of the present invention intelligent lexical analysis detection is performed on the response data packet returned by the monitored site, in order to avoid false positives and false negatives while improving the recognition effect and detection coverage of webpage trojan detection.
Referring to FIG. 6, FIG. 6 is a detailed flow diagram of yet another embodiment of step S30 in FIG. 4. Based on the above embodiment, in this embodiment step S30 further includes:
Step S309: if the first detection result and the second detection result are both normal, analysing, by means of predefined lexical rules, whether malicious code used by a webpage trojan is present in the response data packet returned by the monitored site, and analysing the family type of that malicious code;
Step S310: if so, determining that a webpage trojan of that family type is present on the monitored site.
In this embodiment, the response data packet returned by the monitored site is analysed by means of predefined lexical rules to detect whether malicious code used by a webpage trojan is present.
The specific principle of intelligent lexical analysis is as follows: cluster analysis is first performed on all webpage trojan samples; lexical analysis is then performed on the samples of the same family to find out which dangerous functions, system resources, suspicious tags, and key classes and objects are invoked by all samples of that family; lexical analysis detection rules are then defined from these elements; and finally detection is performed again on the basis of the lexical rules, according to the word order of the elements found.
Compared with traditional IPS rules and WAF rules, this embodiment effectively avoids the problem of a single feature being bypassed, thereby avoiding false positives and false negatives while improving the recognition effect and detection coverage of webpage trojan detection.
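The lexical-analysis principle above, as an added Python example that is not the patent's code: family rules are derived from samples assumed to be already clustered by family (the element categories and the samples are constructed token patterns, not real malware), detection requires a rule's elements to appear in the same word order, and a rule consisting of a single element is never enough on its own.

```python
import re
from typing import Dict, List, Optional

# Element categories the lexical analysis looks for. The names are constructed
# for this example as illustrations of the four categories the text names
# (dangerous functions, system resources, suspicious tags, key classes/objects).
DANGEROUS_FUNCTIONS = {"eval", "unescape", "document.write", "Run", "ShellExecute"}
SYSTEM_RESOURCES = {"WScript.Shell", "Scripting.FileSystemObject", "Shell.Application"}
SUSPICIOUS_TAGS = {"iframe", "object", "embed"}
KEY_CLASSES = {"ActiveXObject", "XMLHTTP"}
ELEMENTS = DANGEROUS_FUNCTIONS | SYSTEM_RESOURCES | SUSPICIOUS_TAGS | KEY_CLASSES

TOKEN_RE = re.compile(r"[A-Za-z_][\w.]*")

# Constructed samples already grouped by family (the clustering step is assumed
# to have run beforehand); they are token patterns only, not working code.
FAMILY_SAMPLES: Dict[str, List[str]] = {
    "famA": [
        'var o=new ActiveXObject("WScript.Shell");var f=new ActiveXObject("Scripting.FileSystemObject");o.Run(x);',
        'function go(){var s=new ActiveXObject("WScript.Shell");var fso=new ActiveXObject("Scripting.FileSystemObject");s.Run(p);}',
    ],
    "famB": [
        'var h=unescape(d);document.write(h+"<iframe src=a></iframe>");',
        'function x(){var k=unescape(q);document.write("<iframe src=b>"+k);}',
    ],
}

def lexical_elements(text: str) -> List[str]:
    """Lexical analysis: the interesting elements of a text in order of first use."""
    seen: List[str] = []
    for tok in TOKEN_RE.findall(text):
        tok = tok.rstrip(".")
        # a call such as o.Run(x) is recognised by its final segment
        for cand in (tok, tok.rsplit(".", 1)[-1]):
            if cand in ELEMENTS and cand not in seen:
                seen.append(cand)
    return seen

def is_subsequence(needle: List[str], hay: List[str]) -> bool:
    """True when every needle element occurs in hay in the same relative order."""
    it = iter(hay)
    return all(elem in it for elem in needle)

def derive_rule(samples: List[str]) -> List[str]:
    """Build one family's rule: the elements invoked by every sample, kept in the
    word order of the first sample and checked to hold in all the others."""
    sequences = [lexical_elements(s) for s in samples]
    common = [e for e in sequences[0] if all(e in seq for seq in sequences[1:])]
    if not all(is_subsequence(common, seq) for seq in sequences[1:]):
        raise ValueError("element order is not consistent across the family")
    return common

def derive_rules(families: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """One ordered lexical rule per family."""
    return {family: derive_rule(samples) for family, samples in families.items()}

def lexical_detect(body: str, rules: Dict[str, List[str]]) -> Optional[str]:
    """S309/S310: the family whose complete ordered rule matches the response
    body, or None. Rules shorter than two elements are ignored, so one isolated
    feature never triggers a verdict."""
    elements = lexical_elements(body)
    for family, rule in rules.items():
        if len(rule) >= 2 and is_subsequence(rule, elements):
            return family
    return None

if __name__ == "__main__":
    rules = derive_rules(FAMILY_SAMPLES)
    page = ('<script>var a=new ActiveXObject("WScript.Shell"),'
            'b=new ActiveXObject("Scripting.FileSystemObject");a.Run(target);</script>')
    print(rules, lexical_detect(page, rules))
```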
Referring to FIG. 7, FIG. 7 is a functional block diagram of a first embodiment of the webpage trojan monitoring device of the present invention. In this embodiment, the webpage trojan monitoring device includes:
Simulation module 10, configured to simulate a browser accessing the monitored site, to obtain the response data packet returned by the monitored site;
In this embodiment, a crawler tool preferably crawls, automatically and according to customised rules, the page programs or scripts of the sites on the Internet that need to be monitored, sending access requests to the monitored sites in a way that simulates browser behaviour, and thereby obtains the response data packet that the monitored site returns for this access request. The response data packet is preferably the one corresponding to the home page of the monitored site.
Parsing module 20, configured to parse the response data packet to extract related data from it, the related data including Domain data, IP data and URL data;
In this embodiment, the response data packet is preferably parsed with a protocol parser to extract the following data from it:
(1) Domain data refers to domain name data: the electronic address that identifies a computer during data transmission, such as in DNS.
(2) IP data refers to IP addresses; an IP address is the numeric identifier used by an Internet host for routing and addressing.
(3) URL data refers to uniform resource locators: a concise representation of the location of, and the access method for, a resource that can be obtained from the Internet. It is the address of a standard resource on the Internet, and every file on the Internet has a unique URL.
Detection module 30, configured to perform multiple detection on the basis of the response data packet and the related data, to determine whether a webpage trojan is present on the monitored site.
Specifically, in this embodiment multiple detection is performed on the basis of the response data packet returned by the monitored site and the Domain data, IP data and URL data extracted from it, and whether a webpage trojan is present on the monitored site is judged from the result of the multiple detection.
This embodiment does not limit the specific detection method; for example, multi-dimensional static feature detection and highly heuristic suspicious-behaviour detection may be used. Because the operation of a webpage trojan is directly associated with the response data packet, the Domain data, the IP data or the URL data, performing multiple detection on these data improves the recognition rate of webpage trojans and avoids missed or false detections.
In this embodiment, when webpage trojan detection is performed, a browser is first simulated to access the monitored site and obtain the response data packet it returns; the response data packet is then parsed to extract its Domain data, IP data and URL data; finally, multiple detection is performed on the basis of the response data packet and the extracted Domain data, IP data and URL data, and whether a webpage trojan is present on the monitored site is judged from the detection results. Because the response data packet, Domain data, IP data and URL data are directly associated with a webpage trojan, this embodiment improves the recognition effect for webpage trojans and guarantees the security of the site to the greatest extent.
Referring to FIG. 8, FIG. 8 is a functional block diagram of a second embodiment of the webpage trojan monitoring device of the present invention. Based on the above embodiment, in this embodiment the webpage trojan monitoring device further includes:
Early-warning module 40, configured to push early-warning information in real time through a preset communication interface when it is determined that a webpage trojan is present on the monitored site, where the communication interface includes a WeChat official account interface and a mail interface.
This embodiment preferably performs real-time early warning on the basis of a SaaS (Software-as-a-Service) architecture, under which various communication interfaces can be integrated, including a WeChat official account interface and a mail interface, and optionally other kinds of communication interface.
When an abnormal risk is found, that is, when it is determined that a webpage trojan is present on the monitored site, early-warning module 40 pushes real-time early-warning messages in several ways, for example through the WeChat official account interface, through the mail interface, or through a threat report interface.
This embodiment issues a real-time early warning once the danger is confirmed, closing the loop between detection and operations and improving the user experience of webpage trojan monitoring.
Task scheduling module 50, configured to execute the webpage trojan monitoring task on the monitored site after every preset interval if it is determined that no webpage trojan is present on the monitored site.
To guarantee the long-term stable and safe operation of the monitored site, task scheduling module 50 treats the entire processing flow of webpage trojan monitoring as one task; if, after this task has been executed, it is determined that no webpage trojan is present on the monitored site, the webpage trojan monitoring task is executed again on the monitored site after every preset interval. This embodiment thus achieves periodic detection of the monitored site and improves the security of the site.
Referring to FIG. 9, FIG. 9 is a functional block diagram of one embodiment of the detection module in FIG. 7. Based on the above embodiment, in this embodiment detection module 30 includes:
First detection sub-module 301, configured to: send access requests to the Domain data, the IP data and the URL data respectively, to obtain the response data packets corresponding to those access requests; perform static detection separately on the response data packet returned by the monitored site and on the response data packets corresponding to the access requests, to obtain a first detection result;
judge whether a downloaded file is present in the response data packets corresponding to the access requests; if so, perform static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result; and, if the first detection result and/or the second detection result indicates an anomaly, determine that a webpage trojan is present on the monitored site.
In this embodiment, a response data packet is first obtained from the monitored site, and the Domain data, IP data and URL data are then extracted from it. Because these data may be associated with a webpage trojan, the access is redirected once more in order to obtain the response data packets returned by the suspected trojan-side sites.
In this embodiment, static detection is performed separately on the response data packet returned by the monitored site and on the response data packets returned by the suspected trojan-side sites, so that potential trojans can be detected directly and comprehensively, improving the webpage trojan detection capability.
In this embodiment, a webpage trojan is in some cases propagated indirectly, for example through a downloaded file. The response data packets returned by the suspected trojan-side sites are therefore obtained by redirecting the access, and if a downloaded file (for example, a file downloaded via a URL) is present in such a response data packet, that downloaded file must be detected further.
Because file contents are extensive and the ways of hiding are complex, this embodiment performs static detection and dynamic heuristic detection separately on the downloaded file in order to avoid false positives and false negatives.
Dynamic heuristic detection is a behavioural detection method. "Heuristic" refers to "the ability of self-discovery" or "the knowledge and skill of determining things by a certain method or approach". The technique can analyse the logical structure of a file's code to determine whether it contains malicious program behaviour, or it can actively execute the code in a virtual, secure environment to judge whether it behaves maliciously. Dynamic heuristic detection relies on virtual machine technology built into the anti-virus software: a running environment is emulated for the virus, the virus is lured into running in the anti-virus software's simulated buffer area, and if suspicious actions are detected during execution the program is judged to be dangerous.
In this embodiment, multiple detection results are obtained through detection in several ways; if the result of one or more of these detections shows an anomaly, it is determined that a webpage trojan is present on the monitored site.
In addition, to improve the detection effect, this embodiment preferably performs webpage trojan detection using a virus detection approach that combines artificial intelligence technology with virtualisation sandbox technology. The anti-virus detection engine that applies artificial intelligence technology has been deployed into the virtualisation sandbox system, which solves the problem of high resource consumption in traditional schemes and achieves a good balance between detection rate and performance cost. It simultaneously supports multi-dimensional static feature detection and highly heuristic suspicious-behaviour detection, performs feature and behaviour detection through logical micro-isolation technology, and releases its resources after every detection run, so the physical machine is never harmed.
Referring to FIG. 10, FIG. 10 is a functional block diagram of another embodiment of the detection module in FIG. 9. Based on the above embodiment, in this embodiment detection module 30 further includes a second detection sub-module 302 and/or a third detection sub-module 303.
Second detection sub-module 302 is configured to: if the first detection result and the second detection result are both normal, query a database separately on the basis of the Domain data, the IP data and the URL data to perform address information matching, where the database holds the address information corresponding to the API interfaces used by webpage trojans;
if address information matching any one or more of the Domain data, the IP data and the URL data exists in the database, determine that an API interface used by a webpage trojan is present in the response data packet returned by the monitored site; and if an API interface used by a webpage trojan is present in the response data packet returned by the monitored site, determine that a webpage trojan is present on the monitored site.
In this embodiment, the Domain data, IP data and URL data are further detected individually; specifically, address information matching is performed with reference to the address information corresponding to the suspicious API interfaces that is stored in the database. The database is updated in real time so that it holds the newest and most complete address information (domain name information, IP information, URL information and so on) of the API interfaces used by webpage trojans on the market.
Through item-by-item comparison, if address information matching any one or more of the Domain data, IP data and URL data exists in the database, it can be determined that an API interface used by a webpage trojan is present in the response data packet returned by the monitored site, and hence that a webpage trojan is present on the monitored site.
In this embodiment, once the previous round of detection is complete, the next round of detection continues if no anomaly was found, so as to avoid false positives and false negatives while improving the recognition effect and detection coverage of webpage trojan detection.
Third detection sub-module 303 is configured to: if the first detection result and the second detection result are both normal, analyse, by means of predefined lexical rules, whether malicious code used by a webpage trojan is present in the response data packet returned by the monitored site, and analyse the family type of that malicious code; and if so, determine that a webpage trojan of that family type is present on the monitored site.
In this embodiment, the response data packet returned by the monitored site is analysed by means of predefined lexical rules to detect whether malicious code used by a webpage trojan is present.
The specific principle of intelligent lexical analysis is as follows: cluster analysis is first performed on all webpage trojan samples; lexical analysis is then performed on the samples of the same family to find out which dangerous functions, system resources, suspicious tags, and key classes and objects are invoked by all samples of that family; lexical analysis detection rules are then defined from these elements; and finally detection is performed again on the basis of the lexical rules, according to the word order of the elements found.
Compared with traditional IPS rules and WAF rules, this embodiment effectively avoids the problem of a single feature being bypassed, thereby avoiding false positives and false negatives while improving the recognition effect and detection coverage of webpage trojan detection.
The present invention also provides a computer-readable storage medium.
A webpage trojan monitoring program is stored on the computer-readable storage medium of the present invention, and when the webpage trojan monitoring program is executed by a processor it implements the steps of the webpage trojan monitoring method described in any of the embodiments above.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the preferred implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium (such as ROM/RAM) and including instructions that cause a terminal (which may be a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the invention is not limited to these specific embodiments, which are merely illustrative and not restrictive. Inspired by the present invention, those skilled in the art can devise many further forms without departing from the purpose of the invention and the scope protected by the claims; all equivalent structures or equivalent process transformations made using the content of the description and drawings of the present invention, whether applied directly or indirectly in other related technical fields, fall within the protection of the present invention.

Claims (12)

1. A webpage trojan monitoring method, characterised in that the webpage trojan monitoring method comprises the following steps:
simulating a browser accessing a monitored site, to obtain a response data packet returned by the monitored site;
parsing the response data packet to extract related data from the response data packet, the related data comprising Domain data, IP data and URL data;
performing multiple detection on the basis of the response data packet and the related data, to determine whether a webpage trojan is present on the monitored site.
2. The webpage trojan monitoring method according to claim 1, characterised in that performing multiple detection on the basis of the response data packet and the related data to determine whether a webpage trojan is present on the monitored site comprises:
sending access requests to the Domain data, the IP data and the URL data respectively, to obtain response data packets corresponding to the access requests;
performing static detection separately on the response data packet returned by the monitored site and on the response data packets corresponding to the access requests, to obtain a first detection result;
judging whether a downloaded file is present in the response data packets corresponding to the access requests;
if so, performing static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result;
if the first detection result and/or the second detection result indicates an anomaly, determining that a webpage trojan is present on the monitored site.
3. The webpage trojan monitoring method according to claim 2, characterised in that performing multiple detection on the basis of the response data packet and the related data to determine whether a webpage trojan is present on the monitored site further comprises:
if the first detection result and the second detection result are both normal, querying a database separately on the basis of the Domain data, the IP data and the URL data to perform address information matching, wherein the database holds address information corresponding to API interfaces used by webpage trojans;
if address information matching any one or more of the Domain data, the IP data and the URL data exists in the database, determining that an API interface used by a webpage trojan is present in the response data packet returned by the monitored site;
if an API interface used by a webpage trojan is present in the response data packet returned by the monitored site, determining that a webpage trojan is present on the monitored site.
4. The webpage trojan monitoring method according to claim 2 or claim 3, characterised in that performing multiple detection on the basis of the response data packet and the related data to determine whether a webpage trojan is present on the monitored site further comprises:
if the first detection result and the second detection result are both normal, analysing, by means of predefined lexical rules, whether malicious code used by a webpage trojan is present in the response data packet returned by the monitored site, and analysing the family type of the malicious code;
if so, determining that a webpage trojan of the family type is present on the monitored site.
5. The webpage trojan monitoring method according to claim 1, characterised in that the webpage trojan monitoring method further comprises:
when it is determined that a webpage trojan is present on the monitored site, pushing early-warning information in real time through a preset communication interface, wherein the communication interface comprises a WeChat official account interface and a mail interface.
6. The webpage trojan monitoring method according to claim 1, characterised in that the webpage trojan monitoring method further comprises:
if it is determined that no webpage trojan is present on the monitored site, executing the webpage trojan monitoring task on the monitored site after every preset interval.
7. A webpage trojan monitoring device, characterised in that the webpage trojan monitoring device comprises:
a simulation module, configured to simulate a browser accessing a monitored site, to obtain a response data packet returned by the monitored site;
a parsing module, configured to parse the response data packet to extract related data from the response data packet, the related data comprising Domain data, IP data and URL data;
a detection module, configured to perform multiple detection on the basis of the response data packet and the related data, to determine whether a webpage trojan is present on the monitored site.
8. The webpage trojan monitoring device according to claim 7, characterised in that the detection module comprises a first detection sub-module;
the first detection sub-module is configured to: send access requests to the Domain data, the IP data and the URL data respectively, to obtain response data packets corresponding to the access requests; perform static detection separately on the response data packet returned by the monitored site and on the response data packets corresponding to the access requests, to obtain a first detection result;
judge whether a downloaded file is present in the response data packets corresponding to the access requests; if so, perform static detection and dynamic heuristic detection separately on the downloaded file, to obtain a second detection result; and if the first detection result and/or the second detection result indicates an anomaly, determine that a webpage trojan is present on the monitored site.
9. The webpage trojan monitoring device according to claim 8, characterised in that the detection module further comprises a second detection sub-module and/or a third detection sub-module;
the second detection sub-module is configured to:
if the first detection result and the second detection result are both normal, query a database separately on the basis of the Domain data, the IP data and the URL data to perform address information matching, wherein the database holds address information corresponding to API interfaces used by webpage trojans;
if address information matching any one or more of the Domain data, the IP data and the URL data exists in the database, determine that an API interface used by a webpage trojan is present in the response data packet returned by the monitored site; if an API interface used by a webpage trojan is present in the response data packet returned by the monitored site, determine that a webpage trojan is present on the monitored site;
the third detection sub-module is configured to:
if the first detection result and the second detection result are both normal, analyse, by means of predefined lexical rules, whether malicious code used by a webpage trojan is present in the response data packet returned by the monitored site, and analyse the family type of the malicious code; if so, determine that a webpage trojan of the family type is present on the monitored site.
10. The webpage trojan monitoring device according to claim 7, characterised in that the webpage trojan monitoring device further comprises an early-warning module and/or a task scheduling module;
the early-warning module is configured to: when it is determined that a webpage trojan is present on the monitored site, push early-warning information in real time through a preset communication interface, wherein the communication interface comprises a WeChat official account interface and a mail interface;
the task scheduling module is configured to: if it is determined that no webpage trojan is present on the monitored site, execute the webpage trojan monitoring task on the monitored site after every preset interval.
11. A webpage trojan monitoring device, characterised in that the webpage trojan monitoring device comprises a memory, a processor, and a webpage trojan monitoring program stored on the memory and executable on the processor, wherein when the webpage trojan monitoring program is executed by the processor the steps of the webpage trojan monitoring method according to any one of claims 1 to 6 are implemented.
12. A computer-readable storage medium, characterised in that a webpage trojan monitoring program is stored on the computer-readable storage medium, and when the webpage trojan monitoring program is executed by a processor the steps of the webpage trojan monitoring method according to any one of claims 1 to 6 are implemented.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811469346.0A CN109347882B (en) 2018-11-30 2018-11-30 Webpage Trojan horse monitoring method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811469346.0A CN109347882B (en) 2018-11-30 2018-11-30 Webpage Trojan horse monitoring method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109347882A true CN109347882A (en) 2019-02-15
CN109347882B CN109347882B (en) 2021-12-21

Family

ID=65319380

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811469346.0A Active CN109347882B (en) 2018-11-30 2018-11-30 Webpage Trojan horse monitoring method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109347882B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101964026A (en) * 2009-07-23 2011-02-02 中联绿盟信息技术(北京)有限公司 Method and system for detecting web page horse hanging
CN103065089A (en) * 2012-12-11 2013-04-24 深信服网络科技(深圳)有限公司 Method and device for detecting webpage Trojan horses
US20150186779A1 (en) * 2013-02-05 2015-07-02 International Business Machines Corporation Dynamic Model-Based Analysis of Data Centers
US20160080195A1 (en) * 2014-09-16 2016-03-17 CloudGenix, Inc. Methods and systems for serial device replacement within a branch routing architecture
CN107370755A (en) * 2017-08-23 2017-11-21 杭州安恒信息技术有限公司 A kind of method of the profound detection APT attacks of various dimensions
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 A kind of network based on HTTP flow analyses is stolen secret information behavioral value method

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889547A (en) * 2019-03-29 2019-06-14 新华三信息安全技术有限公司 A kind of detection method and device of abnormal network equipment
CN110213375A (en) * 2019-06-04 2019-09-06 杭州安恒信息技术股份有限公司 A kind of method, apparatus and electronic equipment of the IP access control based on cloud WAF
CN111130993A (en) * 2019-11-22 2020-05-08 北京知道创宇信息技术股份有限公司 Information extraction method and device and readable storage medium
CN111130993B (en) * 2019-11-22 2022-03-29 北京知道创宇信息技术股份有限公司 Information extraction method and device and readable storage medium
CN111884882A (en) * 2020-07-29 2020-11-03 北京千丁互联科技有限公司 Monitoring coverage rate detection method and device
CN114020366A (en) * 2022-01-06 2022-02-08 北京微步在线科技有限公司 Remote control Trojan horse unloading method and device based on threat information
CN114513331A (en) * 2022-01-06 2022-05-17 杭州薮猫科技有限公司 Mining Trojan detection method, device and equipment based on application layer communication protocol
CN115037537A (en) * 2022-06-06 2022-09-09 恒安嘉新(北京)科技股份公司 Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium

Also Published As

Publication number Publication date
CN109347882B (en) 2021-12-21

Similar Documents

Publication Publication Date Title
CN109347882A (en) Webpage Trojan horse monitoring method, device, equipment and storage medium
Iqbal et al. Adgraph: A graph-based approach to ad and tracker blocking
ES2761603T3 (en) Procedure and computer system to determine a threat score
CN105512559B (en) It is a kind of for providing the method and apparatus of accession page
US9424424B2 (en) Client based local malware detection method
US9509714B2 (en) Web page and web browser protection against malicious injections
EP3726410B1 (en) Interpretation device, interpretation method and interpretation program
US8499283B2 (en) Detection of scripting-language-based exploits using parse tree transformation
CN104348803B (en) Link kidnaps detection method, device, user equipment, Analysis server and system
US9215245B1 (en) Exploration system and method for analyzing behavior of binary executable programs
CN103279710B (en) Method and system for detecting malicious codes of Internet information system
Karami et al. Behavioral analysis of android applications using automated instrumentation
Eder et al. Ananas-a framework for analyzing android applications
WO2013026320A1 (en) Method and system for detecting webpage trojan embedded
CN103294955B (en) Macrovirus checking and killing method and system
RU2697950C2 (en) System and method of detecting latent behaviour of browser extension
Singh et al. Malcrawler: A crawler for seeking and crawling malicious websites
CN111737692A (en) Application program risk detection method and device, equipment and storage medium
CN109446801A (en) Detect method, apparatus, server and the storage medium of simulator access
CN110348210A (en) Safety protecting method and device
CN108351941B (en) Analysis device, analysis method, and computer-readable storage medium
CN103617390A (en) Malicious webpage judgment method, device and system
CN108898014A (en) A kind of checking and killing virus method, server and electronic equipment
Huyam et al. Discovering security vulnerabilities and leaks in ASP.NET websites
CN103581321B (en) A kind of creation method of refer chains, device and safety detection method and client

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant