CN109815744A - Detection method, device and the storage medium of webpage tamper - Google Patents
Detection method, device and the storage medium of webpage tamper Download PDFInfo
- Publication number
- CN109815744A CN109815744A CN201811546534.9A CN201811546534A CN109815744A CN 109815744 A CN109815744 A CN 109815744A CN 201811546534 A CN201811546534 A CN 201811546534A CN 109815744 A CN109815744 A CN 109815744A
- Authority
- CN
- China
- Prior art keywords
- webpage
- web
- web evolution
- content
- evolution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 73
- 230000004044 response Effects 0.000 claims abstract description 71
- 238000000034 method Methods 0.000 claims abstract description 21
- 230000008859 change Effects 0.000 claims description 23
- 238000012549 training Methods 0.000 claims description 15
- 230000004048 modification Effects 0.000 claims description 6
- 238000012986 modification Methods 0.000 claims description 6
- 238000001228 spectrum Methods 0.000 claims description 4
- 238000004590 computer program Methods 0.000 claims description 2
- 238000004891 communication Methods 0.000 description 10
- 238000012545 processing Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 5
- 238000007689 inspection Methods 0.000 description 4
- 230000005236 sound signal Effects 0.000 description 3
- 230000001133 acceleration Effects 0.000 description 2
- 230000000712 assembly Effects 0.000 description 2
- 238000000429 assembly Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- KLDZYURQCUYZBL-UHFFFAOYSA-N 2-[3-[(2-hydroxyphenyl)methylideneamino]propyliminomethyl]phenol Chemical compound OC1=CC=CC=C1C=NCCCN=CC1=CC=CC=C1O KLDZYURQCUYZBL-UHFFFAOYSA-N 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000000052 comparative effect Effects 0.000 description 1
- 238000003066 decision tree Methods 0.000 description 1
- 201000001098 delayed sleep phase syndrome Diseases 0.000 description 1
- 208000033921 delayed sleep phase type circadian rhythm sleep disease Diseases 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 235000013399 edible fruits Nutrition 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000003384 imaging method Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000003550 marker Substances 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Landscapes
- Information Transfer Between Computers (AREA)
Abstract
The embodiment of the invention discloses a kind of detection method of webpage tamper, device and storage mediums, are related to network safety filed.The method comprise the steps that Current Content and previous detection content based on webpage to be detected, determine whether current web page changes;It changes in response to current web page, obtains Web evolution time, Web evolution code amplitude, Web evolution frequency, Web evolution location of content value and Web evolution content relevance value;By any one or any combination in the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the Web evolution location of content value and the Web evolution content relevance value, input webpage tamper detection model, obtain the judging result of distorting of current web page, the judging result of distorting includes that webpage is tampered and webpage is normally modified.The present invention can be improved the accuracy detected to webpage tamper.
Description
Technical field
The present invention relates to network safety filed more particularly to a kind of detection methods of webpage tamper, device and storage medium.
Background technique
With the rapid development of Internet, network has become a part in people's life, incident network peace
Full problem also becomes the task of top priority, and webpage tamper is exactly one.Webpage tamper is that attacker utilizes website vulnerability modification webpage
Content, to be endangered huge to public propagation invalid information.
In existing webpage tamper detection method, changed webpage that most of detection method all will test
Directly as webpage is distorted, judgement is distorted without being made whether to the webpage of variation, there is greatly erroneous detection situation, to lead
Cause the accuracy rate bottom detected for webpage tamper.
Summary of the invention
The embodiment of the present invention provides detection method, device and the storage medium of a kind of webpage tamper, can be improved to net
Page distorts the accuracy detected.
In order to achieve the above objectives, the embodiment of the present invention adopts the following technical scheme that
In a first aspect, the embodiment of the present invention provides a kind of detection method of webpage tamper, comprising:
Current Content and previous detection content based on webpage to be detected, determine whether current web page changes;
It changes in response to current web page, obtains Web evolution time, Web evolution code amplitude, Web evolution frequency
Rate, Web evolution location of content value and Web evolution content relevance value;
By the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the Web evolution
Any one or any combination in location of content value and the Web evolution content relevance value, input webpage tamper detect mould
Type, obtains the judging result of distorting of current web page, and the judging result of distorting includes that webpage is tampered and webpage is normally modified.
With reference to first aspect, in the first possible implementation of the first aspect, the Web evolution time is inspection
Measure the time that current web page changes;
Difference of the Web evolution code amplitude between current source code line number and previous detection source lines of code;
The Web evolution frequency is calculated by Web evolution number and Web evolution time interval;
The Web evolution location of content value is obtained by webpage source code, picture, webpage JS file, webpage CSS file set;
The Web evolution content relevance value by webpage source code, picture, webpage JS file, webpage CSS file, from source code
In isolated content of text, picture set of URL closes, non-picture set of URL closes to obtain.
With reference to first aspect, in the second possible implementation of the first aspect, it is described by the Web evolution when
Between, the Web evolution code amplitude, the Web evolution frequency, the Web evolution location of content value and the Web evolution
Any one or any combination in content relevance value input webpage tamper detection model, obtain distorting for current web page and sentence
Disconnected result, comprising:
By the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the Web evolution
Any one or any combination in location of content value and the Web evolution content relevance value, input webpage tamper detect mould
Type is compared with the normal range (NR) of relevant parameter in model;
Based on the corresponding default comparison rule of each parameter, obtain current web page distorts judging result.
The possible implementation of second with reference to first aspect, in the third possible implementation of first aspect
In, the method also includes:
Determine the Web evolution time whether in normal variation time range;
In response to the Web evolution time not in normal variation time range, the judging result of distorting is webpage quilt
It distorts;Or, determining that the Web evolution code amplitude is in response to the Web evolution time in normal variation time range
It is no in normal variation amplitude range;
In response to the Web evolution code amplitude not in normal variation amplitude range, the judging result of distorting is net
Page is tampered;Or, determining the Web evolution generation in response to the Web evolution code amplitude in normal variation amplitude range
Whether code frequency is in normal variation frequency range;
In response to the Web evolution frequency not in normal variation frequency range, the judging result of distorting is webpage quilt
It distorts;Or, determining the Web evolution location of content value in response to the Web evolution frequency in normal variation frequency range
Whether within the scope of normal variation location of content value;
It is described to distort judgement in response to the Web evolution location of content value not within the scope of normal variation location of content value
As a result it is tampered for webpage;Or, in response to the Web evolution location of content value within the scope of normal variation location of content value, really
Whether the fixed Web evolution content relevance value is within the scope of normal variation content relevance value;
It is described to distort in response to the Web evolution content relevance value not within the scope of normal variation content relevance value
Judging result is tampered for webpage;Or, in response to the Web evolution content relevance value in normal variation content relevance value
In range, the judging result of distorting is that webpage is normally modified.
The third possible implementation with reference to first aspect, in the 4th kind of possible implementation of first aspect
In, the method also includes:
Web data of the same URL after multiple variation is obtained, as sample training collection;
Based on the sample training collection, the webpage tamper detection model is trained, when obtaining the normal variation
Between range, the normal variation amplitude range, the normal variation frequency range, the normal variation location of content value range,
And the normal variation content relevance value range.
Second aspect, the embodiment of the present invention provide a kind of detection device of webpage tamper, comprising:
Determining module, for based on webpage to be detected Current Content and previous detection content, whether determine current web page
It changes;
Module is obtained, for changing in response to current web page, obtains Web evolution time, Web evolution code width
Degree, Web evolution frequency, Web evolution location of content value and Web evolution content relevance value;
Judgment module is used for the Web evolution time, the Web evolution code amplitude, Web evolution frequency
Any one or any combination in rate, the Web evolution location of content value and the Web evolution content relevance value, it is defeated
Enter webpage tampering detection model, obtains the judging result of distorting of current web page, the judging result of distorting includes that webpage is tampered
And webpage is normally modified.
In conjunction with second aspect, in the first possible implementation of the second aspect,
The Web evolution time for obtaining module acquisition is the time for detecting current web page and changing;
It is described to obtain the Web evolution code amplitude that module obtains as current source code line number and previous detection source generation
Difference between code line number;
The Web evolution frequency for obtaining module acquisition is by Web evolution number and Web evolution time interval meter
It obtains;
The Web evolution location of content value for obtaining module acquisition is by webpage source code, picture, webpage JS file, net
Page CSS file set obtains;
It is described obtain module obtain the Web evolution content relevance value by webpage source code, picture, webpage JS file,
Webpage CSS file, content of text isolated from source code, picture set of URL close, non-picture set of URL closes to obtain.
In conjunction with second aspect, in a second possible implementation of the second aspect,
The judgment module is also used to become the Web evolution time, the Web evolution code amplitude, the webpage
Change frequency, the Web evolution location of content value and any one in the Web evolution content relevance value or any group
It closes, inputs webpage tamper detection model, be compared with the normal range (NR) of relevant parameter in model;It is respectively corresponded based on each parameter
Default comparison rule, obtain current web page distorts judging result.
In conjunction with second of possible implementation of second aspect, in the third possible implementation of second aspect
In,
Whether the judgment module is also used to determine the Web evolution time in normal variation time range;
The judgment module is also used in response to the Web evolution time not in normal variation time range, described
Judging result is distorted to be tampered for webpage;Or, determining institute in normal variation time range in response to the Web evolution time
Web evolution code amplitude is stated whether in normal variation amplitude range;
The judgment module is also used in response to the Web evolution code amplitude not in normal variation amplitude range,
The judging result of distorting is tampered for webpage;Or, in response to the Web evolution code amplitude in normal variation amplitude range
It is interior, determine the Web evolution code spectrum whether in normal variation frequency range;
The judgment module is also used in response to the Web evolution frequency not in normal variation frequency range, described
Judging result is distorted to be tampered for webpage;Or, determining institute in normal variation frequency range in response to the Web evolution frequency
Web evolution location of content value is stated whether within the scope of normal variation location of content value;
The judgment module is also used in response to the Web evolution location of content value not in normal variation location of content value
In range, the judging result of distorting is tampered for webpage;Or, in response to the Web evolution location of content value in normal variation
Within the scope of location of content value, determine the Web evolution content relevance value whether in normal variation content relevance value range
It is interior;
The judgment module is also used to not be associated in normal variation content in response to the Web evolution content relevance value
Within the scope of property value, the judging result of distorting is tampered for webpage;Or, in response to the Web evolution content relevance value just
Within the scope of normal changing content relevance value, the judging result of distorting is that webpage is normally modified.
In conjunction with the third possible implementation of second aspect, in the 4th kind of possible implementation of second aspect
In,
Training module, for obtaining web data of the same URL after multiple variation, as sample training collection;Based on institute
Sample training collection is stated, the webpage tamper detection model is trained, obtains the normal variation time range, described normal
In amplitude of variation range, the normal variation frequency range, the normal variation location of content value range and the normal variation
Hold relevance value range.
The third aspect, the embodiment of the present invention provide a kind of computer readable storage medium, are stored thereon with computer journey
Sequence, which is characterized in that the step of method that first aspect provides is realized when described program is executed by processor.
Detection method, device and the storage medium of webpage tamper provided in an embodiment of the present invention, by being based on survey grid to be checked
The Current Content of page and previous detection content, determine whether current web page changes;It changes, obtains in response to current web page
Take Web evolution time, Web evolution code amplitude, Web evolution frequency, Web evolution location of content value and Web evolution content
Relevance value;The Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the webpage are become
Change any one or any combination in location of content value and the Web evolution content relevance value, input webpage tamper detection
Model, obtains the judging result of distorting of current web page, and the judging result of distorting includes that webpage is tampered and webpage is normally modified.
The data information of the current variation webpage extracted can be analyzed and determined, show that current variation webpage is to be tampered webpage
Or the judging result of normal modification webpage, can be to avoid the false detection rate to webpage tamper, so as to improve to webpage tamper
The accuracy detected.
Detailed description of the invention
It to describe the technical solutions in the embodiments of the present invention more clearly, below will be to needed in the embodiment
Attached drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for ability
For the those of ordinary skill of domain, without creative efforts, it can also be obtained according to these attached drawings other attached
Figure.
Fig. 1 is the flow diagram of the detection method of the webpage tamper of the embodiment of the present invention;
Fig. 2 is another flow diagram of the detection method of the webpage tamper of the embodiment of the present invention;
Fig. 3 is the structure of the detecting device schematic diagram of the webpage tamper of the embodiment of the present invention;
Fig. 4 is another structural schematic diagram of the detection device of the webpage tamper of the embodiment of the present invention;
Fig. 5 is the structural schematic diagram of the detection device 500 of the webpage tamper of the embodiment of the present invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts all other
Embodiment shall fall within the protection scope of the present invention.
One embodiment of the invention provides a kind of detection method of webpage tamper, as shown in Figure 1, which comprises
101, Current Content and previous detection content based on webpage to be detected, determine whether current web page changes.
For the embodiment of the present invention, the webpage situation of URL to be detected is obtained, first passes through the webpage source code, picture, webpage JS
The MD5 value of file and webpage CSS file is once compared judgement to the detected value of the URL webpage with preceding, determines current web page
Whether change.
102, it changes in response to current web page, obtains Web evolution time, Web evolution code amplitude, Web evolution
Frequency, Web evolution location of content value and Web evolution content relevance value.
103, by the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the webpage
Any one or any combination in changing content positional value and the Web evolution content relevance value, input webpage tamper inspection
Model is surveyed, obtains the judging result of distorting of current web page, the judging result of distorting includes that webpage is tampered and webpage is normally repaired
Change.
Compared with prior art, the embodiment of the present invention can divide the data information of the current variation webpage extracted
Analysis judgement show that current variation webpage is the judging result for being tampered webpage or normal modification webpage, can be to avoid to webpage
The false detection rate distorted, so as to improve the accuracy detected to webpage tamper.
Further embodiment of this invention provides a kind of detection method of webpage tamper, as shown in Figure 2, which comprises
201, web data of the same URL after multiple variation is obtained, as sample training collection.
For the embodiment of the present invention, the variation web data got can also be located in advance as before sample data
Reason, transformation period, Web evolution code amplitude after obtaining each Web evolution, Web evolution location of content value, Web evolution
Content relevance value, Web evolution type and the change frequency for calculating webpage.
Wherein, Web evolution location of content has four source code, picture, JS file and CSS file positions, and default label value is
0, the mark value of change location is set to 1 as the case may be when being pre-processed, decimal number is then converted into and obtains webpage
Changing content positional value;Web evolution relevance has the non-picture url of content of text-, pictures -- picture url, JS- source code, the source CSS-
Four kinds of associations of code, default label value are 0, carry out the connective marker for as the case may be changing two sides simultaneously when data prediction
Value is set to 1, is then converted into decimal number and obtains Web evolution content relevance value.
202, it is based on the sample training collection, the webpage tamper detection model is trained, the normal change is obtained
Change time range, the normal variation amplitude range, the normal variation frequency range, the normal variation location of content value model
It encloses and the normal variation content relevance value range.
Optionally, webpage tamper detection model is trained by CART algorithm, the model constructed is decision tree
Model.
In embodiments of the present invention, which may range from a normal variation location of content tool
Body value, the normal variation content relevance value may range from a normal variation content relevance occurrence.
203, Current Content and previous detection content based on webpage to be detected, determine whether current web page changes.
For the embodiment of the present invention, the webpage situation of URL to be detected is obtained, first passes through the webpage source code, picture, webpage JS
The MD5 value of file and webpage CSS file is once compared judgement to the detected value of the URL webpage with preceding, determines current web page
Whether change.
204, it changes in response to current web page, obtains Web evolution time, Web evolution code amplitude, Web evolution
Frequency, Web evolution location of content value and Web evolution content relevance value.
Wherein, the Web evolution time is the time for detecting current web page and changing;The Web evolution code
Difference of the amplitude between current source code line number and previous detection source lines of code;The Web evolution frequency is by Web evolution
Number is calculated with Web evolution time interval;The Web evolution location of content value is by webpage source code, picture, webpage JS text
Part, webpage CSS file set obtain;The Web evolution content relevance value is by webpage source code, picture, webpage JS file, net
Page CSS file, content of text isolated from source code, picture set of URL close, non-picture set of URL closes to obtain.
205, by the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the webpage
Any one or any combination in changing content positional value and the Web evolution content relevance value, input webpage tamper inspection
Model is surveyed, is compared with the normal range (NR) of relevant parameter in model.
206, it is based on the corresponding default comparison rule of each parameter, obtain current web page distorts judging result.
For the embodiment of the present invention, by webpage tamper detection model, the deterministic process that whether is tampered to webpage can be with
It is successively right: Web evolution time, Web evolution code amplitude, Web evolution frequency, Web evolution location of content value, Web evolution
Content relevance value carries out preset rules comparison, sentences when there is one to belong to webpage tamper situation to get what is be tampered to webpage
Disconnected result.So as to improve the detection efficiency of webpage tamper.
Optionally, following steps (1)-(6) are a kind of example for above-mentioned deterministic process.
(1) determine the Web evolution time whether in normal variation time range;
(2) in response to the Web evolution time not in normal variation time range, the judging result of distorting is net
Page is tampered;Or, determining the Web evolution code width in normal variation time range in response to the Web evolution time
Whether degree is in normal variation amplitude range;
(3) described to distort judging result in response to the Web evolution code amplitude not in normal variation amplitude range
It is tampered for webpage;Or, determining that the webpage becomes in response to the Web evolution code amplitude in normal variation amplitude range
Change code spectrum whether in normal variation frequency range;
(4) in response to the Web evolution frequency not in normal variation frequency range, the judging result of distorting is net
Page is tampered;Or, determining Web evolution content position in response to the Web evolution frequency in normal variation frequency range
Set value whether within the scope of normal variation location of content value (such as the description of step 202, when normal variation location of content herein
Be worth range be a normal variation location of content occurrence when, correspondingly, determine the Web evolution location of content value whether etc.
In the normal variation location of content occurrence);
(5) in response to the Web evolution location of content value not within the scope of normal variation location of content value (alternatively, corresponding
Ground is not equal to the normal variation location of content occurrence in response to the Web evolution location of content value), it is described to distort judgement knot
Fruit is tampered for webpage;Or, being determined in response to the Web evolution location of content value within the scope of normal variation location of content value
The Web evolution content relevance value whether within the scope of normal variation content relevance value (such as the description of step 202,
When normal variation content relevance value range is a normal variation content relevance occurrence herein, correspondingly, institute is determined
State whether Web evolution content relevance value is equal to the normal variation content relevance occurrence);
(6) in response to the Web evolution content relevance value not within the scope of normal variation content relevance value (alternatively,
It is not equal to the normal variation content relevance occurrence accordingly, in response to the Web evolution content relevance value), it is described to usurp
Change judging result to be tampered for webpage;Or, in response to the Web evolution content relevance value in normal variation content relevance
It is worth in range, the judging result of distorting is that webpage is normally modified.
It should be noted that the embodiment of the present invention is not limited to above-mentioned comparative sequence, other are for Web evolution time, webpage
It is suitable to change code amplitude, Web evolution frequency, Web evolution location of content value, any combination of Web evolution content relevance value
Sequence carries out the deterministic process whether webpage is tampered and belongs in the range of the embodiment of the present invention.
Compared with prior art, the embodiment of the present invention can divide the data information of the current variation webpage extracted
Analysis judgement show that current variation webpage is the judging result for being tampered webpage or normal modification webpage, can be to avoid to webpage
The false detection rate distorted, so as to improve the accuracy detected to webpage tamper.
Further embodiment of this invention provides a kind of detection device of webpage tamper, as shown in figure 3, described device includes:
Determining module 31, for based on webpage to be detected Current Content and previous detection content, determine that current web page is
It is no to change;
Module 32 is obtained, for changing in response to current web page, obtains Web evolution time, Web evolution code width
Degree, Web evolution frequency, Web evolution location of content value and Web evolution content relevance value;
Judgment module 33 is used for the Web evolution time, the Web evolution code amplitude, Web evolution frequency
Any one or any combination in rate, the Web evolution location of content value and the Web evolution content relevance value, it is defeated
Enter webpage tampering detection model, obtains the judging result of distorting of current web page, the judging result of distorting includes that webpage is tampered
And webpage is normally modified.
The Web evolution time for obtaining the acquisition of module 32 is the time for detecting current web page and changing;
It is described to obtain the Web evolution code amplitude that module 32 obtains as current source code line number and previous detection source
Difference between lines of code;
The Web evolution frequency for obtaining the acquisition of module 32 is by Web evolution number and Web evolution time interval
It is calculated;
It is described obtain module 32 obtain the Web evolution location of content value by webpage source code, picture, webpage JS file,
Webpage CSS file set obtains;
The Web evolution content relevance value for obtaining the acquisition of module 32 is by webpage source code, picture, webpage JS text
Part, webpage CSS file, content of text isolated from source code, picture set of URL close, non-picture set of URL closes to obtain.
The judgment module 33 was also used to the Web evolution time, the Web evolution code amplitude, the webpage
Change frequency, the Web evolution location of content value and any one in the Web evolution content relevance value or any group
It closes, inputs webpage tamper detection model, be compared with the normal range (NR) of relevant parameter in model;It is respectively corresponded based on each parameter
Default comparison rule, obtain current web page distorts judging result.
Whether the judgment module 33 is also used to determine the Web evolution time in normal variation time range;
The judgment module 33 is also used in response to the Web evolution time not in normal variation time range, institute
It states and distorts judging result and be tampered for webpage;Or, being determined in response to the Web evolution time in normal variation time range
Whether the Web evolution code amplitude is in normal variation amplitude range;
The judgment module 33 is also used in response to the Web evolution code amplitude not in normal variation amplitude range
Interior, the judging result of distorting is tampered for webpage;Or, in response to the Web evolution code amplitude in normal variation amplitude model
In enclosing, determine the Web evolution code spectrum whether in normal variation frequency range;
The judgment module 33 is also used in response to the Web evolution frequency not in normal variation frequency range, institute
It states and distorts judging result and be tampered for webpage;Or, being determined in response to the Web evolution frequency in normal variation frequency range
Whether the Web evolution location of content value is within the scope of normal variation location of content value;
The judgment module 33 is also used in response to the Web evolution location of content value not in normal variation location of content
It is worth in range, the judging result of distorting is tampered for webpage;Or, normally becoming in response to the Web evolution location of content value
Change within the scope of location of content value, determines the Web evolution content relevance value whether in normal variation content relevance value range
It is interior;
The judgment module 33 is also used to not close in normal variation content in response to the Web evolution content relevance value
Within the scope of connection property value, the judging result of distorting is tampered for webpage;Or, existing in response to the Web evolution content relevance value
Within the scope of normal variation content relevance value, the judging result of distorting is that webpage is normally modified.
Further, as shown in figure 4, described device further include:
Training module 41, for obtaining web data of the same URL after multiple variation, as sample training collection;It is based on
The sample training collection is trained the webpage tamper detection model, obtain the normal variation time range, it is described just
Normal amplitude of variation range, the normal variation frequency range, the normal variation location of content value range and the normal variation
Content relevance value range.
Compared with prior art, the embodiment of the present invention can divide the data information of the current variation webpage extracted
Analysis judgement show that current variation webpage is the judging result for being tampered webpage or normal modification webpage, can be to avoid to webpage
The false detection rate distorted, so as to improve the accuracy detected to webpage tamper.
The embodiment of the present invention also provides another computer readable storage medium, which can be
Computer readable storage medium included in memory in above-described embodiment;It is also possible to individualism, eventually without supplying
Computer readable storage medium in end.The computer-readable recording medium storage has one or more than one program, institute
State that one or more than one program by one or more than one processor are used to execute Fig. 1, embodiment illustrated in fig. 2 provides
Webpage tamper detection method.
The embodiment of the method for above-mentioned offer may be implemented in the detection device of webpage tamper provided in an embodiment of the present invention, specifically
Function realizes the explanation referred in embodiment of the method, and details are not described herein.The inspection of webpage tamper provided in an embodiment of the present invention
Surveying method, apparatus and storage medium can be adapted for detecting to distorting webpage, but be not limited only to this.
As shown in figure 5, the detection device 500 of webpage tamper can be mobile phone, computer, digital broadcast terminal disappears
Cease transceiver, game console, tablet device, personal digital assistant etc..
Referring to Fig. 5, the detection device 500 of webpage tamper may include following one or more components: processing component 502,
Memory 504, power supply module 506, multimedia component 508, audio component 510, the interface 512 of input/output (I/O), sensing
Device assembly 514 and communication component 516.
Processing component 502 usually control unmanned aerial vehicle (UAV) control device 500 integrated operation, such as with display, call, number
According to communication, camera operation and record operate associated operation.Processing component 502 may include one or more processors 520
To execute instruction.
In addition, processing component 502 may include one or more modules, convenient between processing component 502 and other assemblies
Interaction.For example, processing component 502 may include multi-media module, with facilitate multimedia component 508 and processing component 502 it
Between interaction.
Memory 504 is configured as storing various types of data to support the operation in unmanned aerial vehicle (UAV) control device 500.This
The example of a little data includes the instruction of any application or method for operating on unmanned aerial vehicle (UAV) control device 500, connection
Personal data, telephone book data, message, picture, video etc..Memory 504 can be by any kind of volatibility or non-volatile
It stores equipment or their combination is realized, such as static random access memory (SRAM), the read-only storage of electrically erasable
Device (EEPROM), Erasable Programmable Read Only Memory EPROM (EPROM), programmable read only memory (PROM), read-only memory
(ROM), magnetic memory, flash memory, disk or CD.
Power supply module 506 provides electric power for the various assemblies of unmanned aerial vehicle (UAV) control device 500.Power supply module 506 may include
Power-supply management system, one or more power supplys and other with for unmanned aerial vehicle (UAV) control device 500 generate, manage, and distribute electric power phase
Associated component.
Multimedia component 508 includes one output interface of offer between the unmanned aerial vehicle (UAV) control device 500 and user
Screen.In some embodiments, screen may include liquid crystal display (LCD) and touch panel (TP).If screen includes
Touch panel, screen may be implemented as touch screen, to receive input signal from the user.Touch panel includes one or more
A touch sensor is to sense the gesture on touch, slide, and touch panel.The touch sensor can not only sense touch
Or the boundary of sliding action, but also detect duration and pressure associated with the touch or slide operation.In some realities
It applies in example, multimedia component 508 includes a front camera and/or rear camera.When unmanned aerial vehicle (UAV) control device 500 is in
Operation mode, such as in a shooting mode or a video mode, front camera and/or rear camera can receive external multimedia
Data.Each front camera and rear camera can be a fixed optical lens system or there is focal length and optics to become
Burnt ability.
Audio component 510 is configured as output and/or input audio signal.For example, audio component 510 includes a Mike
Wind (MIC), when unmanned aerial vehicle (UAV) control device 500 is in operation mode, when such as call mode, recording mode, and voice recognition mode,
Microphone is configured as receiving external audio signal.The received audio signal can be further stored in memory 504 or
It is sent via communication component 516.In some embodiments, audio component 510 further includes a loudspeaker, for exporting audio letter
Number.
I/O interface 512 provides interface between processing component 502 and peripheral interface module, and above-mentioned peripheral interface module can
To be keyboard, click wheel, button etc..These buttons may include, but are not limited to: home button, volume button, start button and lock
Determine button.
Sensor module 514 includes one or more sensors, for providing various aspects for unmanned aerial vehicle (UAV) control device 500
Status assessment.For example, sensor module 514 can detecte the state that opens/closes of unmanned aerial vehicle (UAV) control device 500, component
Relative positioning, such as the component is the display and keypad of unmanned aerial vehicle (UAV) control device 500, and sensor module 514 may be used also
To detect the position change of 500 1 components of unmanned aerial vehicle (UAV) control device 500 or unmanned aerial vehicle (UAV) control device, user and unmanned aerial vehicle (UAV) control
The existence or non-existence that device 500 contacts, 500 orientation of unmanned aerial vehicle (UAV) control device or acceleration/deceleration and unmanned aerial vehicle (UAV) control device 500
Temperature change.Sensor module 514 may include proximity sensor, be configured to examine without any physical contact
Survey presence of nearby objects.Sensor module 514 can also include that optical sensor is used for such as CMOS or ccd image sensor
It is used in imaging applications.In some embodiments, which can also include acceleration transducer, and gyroscope passes
Sensor, Magnetic Sensor, pressure sensor or temperature sensor.
Communication component 516 is configured to facilitate wired or wireless way between unmanned aerial vehicle (UAV) control device 500 and other equipment
Communication.Unmanned aerial vehicle (UAV) control device 500 can access the wireless network based on communication standard, such as WiFi, 2G or 3G or they
Combination.In one exemplary embodiment, communication component 516 is received via broadcast channel from the wide of external broadcasting management system
Broadcast signal or broadcast related information.In one exemplary embodiment, the communication component 516 further includes near-field communication (NFC)
Module, to promote short range communication.For example, radio frequency identification (RFID) technology, Infrared Data Association (IrDA) can be based in NFC module
Technology, ultra wide band (UWB) technology, bluetooth (BT) technology and other technologies are realized.
In the exemplary embodiment, unmanned aerial vehicle (UAV) control device 500 can be by one or more application specific integrated circuit
(ASIC), digital signal processor (DSP), digital signal processing appts (DSPD), programmable logic device (PLD), scene can
Gate array (FPGA), controller, microcontroller, microprocessor or other electronic components are programmed to realize.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for equipment reality
For applying example, since it is substantially similar to the method embodiment, so describing fairly simple, related place is referring to embodiment of the method
Part explanation.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with
Relevant hardware is instructed to complete by computer program, the program can be stored in a computer-readable storage medium
In, the program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein, the storage medium can be magnetic
Dish, CD, read-only memory (Read-Only Memory, ROM) or random access memory (Random Access
Memory, RAM) etc..
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any
In the technical scope disclosed by the present invention, any changes or substitutions that can be easily thought of by those familiar with the art, all answers
It is included within the scope of the present invention.Therefore, protection scope of the present invention should be subject to the protection scope in claims.
Claims (11)
1. a kind of detection method of webpage tamper characterized by comprising
Current Content and previous detection content based on webpage to be detected, determine whether current web page changes;
It changes in response to current web page, obtains Web evolution time, Web evolution code amplitude, Web evolution frequency, net
Page changing content positional value and Web evolution content relevance value;
By the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the Web evolution content
Any one or any combination in positional value and the Web evolution content relevance value input webpage tamper detection model,
Obtain the judging result of distorting of current web page, the judging result of distorting includes that webpage is tampered and webpage is normally modified.
2. the detection method of webpage tamper according to claim 1, which is characterized in that the Web evolution time is detection
The time to change to current web page;
Difference of the Web evolution code amplitude between current source code line number and previous detection source lines of code;
The Web evolution frequency is calculated by Web evolution number and Web evolution time interval;
The Web evolution location of content value is obtained by webpage source code, picture, webpage JS file, webpage CSS file set;
The Web evolution content relevance value by webpage source code, picture, webpage JS file, webpage CSS file, from source code point
From obtained content of text, picture set of URL closes, non-picture set of URL closes to obtain.
3. the detection method of webpage tamper according to claim 1, which is characterized in that it is described by the Web evolution when
Between, the Web evolution code amplitude, the Web evolution frequency, the Web evolution location of content value and the Web evolution
Any one or any combination in content relevance value input webpage tamper detection model, obtain distorting for current web page and sentence
Disconnected result, comprising:
By the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, the Web evolution content
Any one or any combination in positional value and the Web evolution content relevance value input webpage tamper detection model,
It is compared with the normal range (NR) of relevant parameter in model;
Based on the corresponding default comparison rule of each parameter, obtain current web page distorts judging result.
4. the detection method of webpage tamper according to claim 3, which is characterized in that the method also includes:
Determine the Web evolution time whether in normal variation time range;
In response to the Web evolution time not in normal variation time range, the judging result of distorting is that webpage is usurped
Change;Or, whether determining the Web evolution code amplitude in response to the Web evolution time in normal variation time range
In normal variation amplitude range;
In response to the Web evolution code amplitude not in normal variation amplitude range, the judging result of distorting is webpage quilt
It distorts;Or, determining the Web evolution code frequency in response to the Web evolution code amplitude in normal variation amplitude range
Whether rate is in normal variation frequency range;
In response to the Web evolution frequency not in normal variation frequency range, the judging result of distorting is that webpage is usurped
Change;Or, determining that the Web evolution location of content value is in response to the Web evolution frequency in normal variation frequency range
It is no within the scope of normal variation location of content value;
It is described to distort judging result in response to the Web evolution location of content value not within the scope of normal variation location of content value
It is tampered for webpage;Or, determining institute within the scope of normal variation location of content value in response to the Web evolution location of content value
Web evolution content relevance value is stated whether within the scope of normal variation content relevance value;
It is described to distort judgement in response to the Web evolution content relevance value not within the scope of normal variation content relevance value
As a result it is tampered for webpage;Or, in response to the Web evolution content relevance value in normal variation content relevance value range
Interior, the judging result of distorting is that webpage is normally modified.
5. the detection method of webpage tamper according to claim 4, which is characterized in that the method also includes:
Web data of the same URL after multiple variation is obtained, as sample training collection;
Based on the sample training collection, the webpage tamper detection model is trained, obtains the normal variation time model
It encloses, the normal variation amplitude range, the normal variation frequency range, the normal variation location of content value range and institute
State normal variation content relevance value range.
6. a kind of detection device of webpage tamper characterized by comprising
Determining module, for based on webpage to be detected Current Content and previous detection content, determine whether current web page occurs
Change;
Module is obtained, for changing in response to current web page, obtains Web evolution time, Web evolution code amplitude, net
Page change frequency, Web evolution location of content value and Web evolution content relevance value;
Judgment module was used for the Web evolution time, the Web evolution code amplitude, the Web evolution frequency, institute
Any one or any combination in Web evolution location of content value and the Web evolution content relevance value are stated, webpage is inputted
Tampering detection model, obtains the judging result of distorting of current web page, and the judging result of distorting includes that webpage is tampered and webpage
Normal modification.
7. the detection device of webpage tamper according to claim 6, which is characterized in that
The Web evolution time for obtaining module acquisition is the time for detecting current web page and changing;
It is described to obtain the Web evolution code amplitude that module obtains as current source code line number and previous detection source code lines
Difference between number;
The Web evolution frequency for obtaining module acquisition is calculated by Web evolution number and Web evolution time interval
It arrives;
The Web evolution location of content value for obtaining module acquisition is by webpage source code, picture, webpage JS file, webpage
CSS file set obtains;
The Web evolution content relevance value for obtaining module acquisition is by webpage source code, picture, webpage JS file, webpage
CSS file, content of text isolated from source code, picture set of URL close, non-picture set of URL closes to obtain.
8. the detection device of webpage tamper according to claim 6, which is characterized in that
The judgment module is also used to the Web evolution time, the Web evolution code amplitude, Web evolution frequency
Any one or any combination in rate, the Web evolution location of content value and the Web evolution content relevance value, it is defeated
Enter webpage tampering detection model, is compared with the normal range (NR) of relevant parameter in model;It is corresponding pre- based on each parameter
If comparison rule, obtain current web page distorts judging result.
9. the detection device of webpage tamper according to claim 8, which is characterized in that
Whether the judgment module is also used to determine the Web evolution time in normal variation time range;
The judgment module is also used in response to the Web evolution time not in normal variation time range, described to distort
Judging result is tampered for webpage;Or, determining the net in normal variation time range in response to the Web evolution time
Whether page variation code amplitude is in normal variation amplitude range;
The judgment module is also used in response to the Web evolution code amplitude not in normal variation amplitude range, described
Judging result is distorted to be tampered for webpage;Or, in response to the Web evolution code amplitude in normal variation amplitude range, really
Whether the fixed Web evolution code spectrum is in normal variation frequency range;
The judgment module is also used in response to the Web evolution frequency not in normal variation frequency range, described to distort
Judging result is tampered for webpage;Or, determining the net in normal variation frequency range in response to the Web evolution frequency
Whether page changing content positional value is within the scope of normal variation location of content value;
The judgment module is also used in response to the Web evolution location of content value not in normal variation location of content value range
Interior, the judging result of distorting is tampered for webpage;Or, in response to the Web evolution location of content value in normal variation content
Within the scope of positional value, determine the Web evolution content relevance value whether within the scope of normal variation content relevance value;
The judgment module is also used in response to the Web evolution content relevance value not in normal variation content relevance value
In range, the judging result of distorting is tampered for webpage;Or, normally becoming in response to the Web evolution content relevance value
Change within the scope of content relevance value, the judging result of distorting is that webpage is normally modified.
10. the detection device of webpage tamper according to claim 9, which is characterized in that described device further include:
Training module, for obtaining web data of the same URL after multiple variation, as sample training collection;Based on the sample
This training set is trained the webpage tamper detection model, obtains the normal variation time range, the normal variation
Amplitude range, the normal variation frequency range, the normal variation location of content value range and the normal variation content are closed
Connection property value range.
11. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that described program is processed
The step of claim 1-5 the method is realized when device executes.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811546534.9A CN109815744A (en) | 2018-12-18 | 2018-12-18 | Detection method, device and the storage medium of webpage tamper |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811546534.9A CN109815744A (en) | 2018-12-18 | 2018-12-18 | Detection method, device and the storage medium of webpage tamper |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109815744A true CN109815744A (en) | 2019-05-28 |
Family
ID=66602136
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811546534.9A Pending CN109815744A (en) | 2018-12-18 | 2018-12-18 | Detection method, device and the storage medium of webpage tamper |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109815744A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113407885A (en) * | 2021-06-23 | 2021-09-17 | 中移(杭州)信息技术有限公司 | XPath data tampering warning method, device, equipment and readable storage medium |
| CN113495836A (en) * | 2020-04-03 | 2021-10-12 | 北京搜狗科技发展有限公司 | Page detection method and device for page detection |
| CN118503571A (en) * | 2024-07-17 | 2024-08-16 | 天翼视联科技有限公司 | Page change identification method and device, electronic device and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101510195A (en) * | 2008-02-15 | 2009-08-19 | 刘峰 | Website safety protection and test diagnosis system structure method based on crawler technology |
| JP2011527472A (en) * | 2008-07-11 | 2011-10-27 | 北京神州▲緑▼盟信息安全科技股▲分▼有限公司 | Web page alteration prevention equipment, web page alteration prevention method and system |
| CN102682098A (en) * | 2012-04-27 | 2012-09-19 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting web page content changes |
| CN103049484A (en) * | 2012-11-30 | 2013-04-17 | 北京奇虎科技有限公司 | Method and device for recognizing webpage risks |
| CN107301355A (en) * | 2017-06-20 | 2017-10-27 | 深信服科技股份有限公司 | A kind of webpage tamper monitoring method and device |
-
2018
- 2018-12-18 CN CN201811546534.9A patent/CN109815744A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101510195A (en) * | 2008-02-15 | 2009-08-19 | 刘峰 | Website safety protection and test diagnosis system structure method based on crawler technology |
| JP2011527472A (en) * | 2008-07-11 | 2011-10-27 | 北京神州▲緑▼盟信息安全科技股▲分▼有限公司 | Web page alteration prevention equipment, web page alteration prevention method and system |
| CN102682098A (en) * | 2012-04-27 | 2012-09-19 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting web page content changes |
| CN103049484A (en) * | 2012-11-30 | 2013-04-17 | 北京奇虎科技有限公司 | Method and device for recognizing webpage risks |
| CN107301355A (en) * | 2017-06-20 | 2017-10-27 | 深信服科技股份有限公司 | A kind of webpage tamper monitoring method and device |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113495836A (en) * | 2020-04-03 | 2021-10-12 | 北京搜狗科技发展有限公司 | Page detection method and device for page detection |
| CN113407885A (en) * | 2021-06-23 | 2021-09-17 | 中移(杭州)信息技术有限公司 | XPath data tampering warning method, device, equipment and readable storage medium |
| CN113407885B (en) * | 2021-06-23 | 2024-04-12 | 中移(杭州)信息技术有限公司 | XPath data tampering alarm method, device, equipment and readable storage medium |
| CN118503571A (en) * | 2024-07-17 | 2024-08-16 | 天翼视联科技有限公司 | Page change identification method and device, electronic device and storage medium |
| CN118503571B (en) * | 2024-07-17 | 2024-10-18 | 天翼视联科技有限公司 | Page change identification method and device, electronic device and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104238875B (en) | Application program footmark adding method and device | |
| US20170300503A1 (en) | Method and apparatus for managing video data, terminal, and server | |
| CN106709399A (en) | Fingerprint identification method and device | |
| CN107832741A (en) | The method, apparatus and computer-readable recording medium of facial modeling | |
| CN109842612B (en) | Log security analysis method and device based on graph library model and storage medium | |
| KR20160048708A (en) | Recognition method and apparatus for communication message | |
| CN106170004A (en) | Process the method and device of identifying code | |
| CN111107219B (en) | Control method and electronic equipment | |
| CN109815744A (en) | Detection method, device and the storage medium of webpage tamper | |
| KR20170023746A (en) | Method and apparatus of displaying ticket information | |
| CN104391667A (en) | Item content display method and item content display device | |
| CN108038431A (en) | Image processing method, device, computer equipment and computer-readable recording medium | |
| CN108881979B (en) | Information processing method and device, mobile terminal and storage medium | |
| CN107230137A (en) | Merchandise news acquisition methods and device | |
| CN111262777A (en) | Group message display method and electronic equipment | |
| CN106331328B (en) | Information prompting method and device | |
| CN109598120A (en) | Security postures intelligent analysis method, device and the storage medium of mobile terminal | |
| CN110222706A (en) | Ensemble classifier method, apparatus and storage medium based on feature reduction | |
| CN106325670A (en) | Message prompting method and device | |
| CN109614181A (en) | Security postures methods of exhibiting, device and the storage medium of mobile terminal | |
| CN109214175A (en) | Method, apparatus and storage medium based on sample characteristics training classifier | |
| CN106330864B (en) | The processing method of verification information, apparatus and system | |
| CN109522741B (en) | Application program permission prompting method and terminal equipment thereof | |
| CN109067979B (en) | Prompting method and mobile terminal | |
| CN109981624A (en) | Intrusion detection method, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190528 |
|
| RJ01 | Rejection of invention patent application after publication |