CN111737695A - White list optimization method, device, equipment and computer readable storage medium - Google Patents


Publication number
CN111737695A
Authority
CN
China
Prior art keywords
page
detected
white list
interface
text
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010587315.6A
Other languages
Chinese (zh)
Inventor
张何钫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by WeBank Co Ltd
Priority to CN202010587315.6A
Publication of CN111737695A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • G06F16/90344 Query processing by using string matching techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/205 Parsing
    • G06F40/216 Parsing using statistical methods

Abstract

The invention discloses a white list optimization method, which comprises the following steps: if an interface to be detected is detected, determining whether a white list interface matching the interface to be detected exists in a preset white list; if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page; and if the similarity is smaller than a preset threshold value, deleting the white list interface from the white list and carrying out vulnerability detection on the interface to be detected. The invention also discloses a white list optimization device, equipment and a computer readable storage medium. The invention not only judges whether the interface to be detected is in the white list, but also examines the page to be detected of that interface, and judges whether the interface to be detected needs to be optimized according to the similarity between the page to be detected and the white list page recorded in the white list, so that the white list is accurately optimized and intelligent optimization of the white list is realized.

Description

White list optimization method, device, equipment and computer readable storage medium
Technical Field
The invention relates to the technical field of financial technology (Fintech), in particular to a white list optimization method, a white list optimization device, white list optimization equipment and a computer-readable storage medium.
Background
In recent years, with the development of financial technology (Fintech), particularly internet finance, information security technology has been introduced into the daily services of financial institutions such as banks. In these daily services, to protect a service system from malicious attacks, vulnerability scanning needs to be performed on the interfaces connected to the service system. To speed up scanning and reduce the false alarm rate, a white list technology is generally used: an interface in the white list is treated as reliable and is not scanned or detected, which improves safety and greatly improves speed. How to maintain and manage the white list is therefore an important task for financial institutions such as banks.
In the prior art, vulnerability detection is generally performed on an interface connected with a service system; after the interface passes vulnerability detection, it is added to the white list, and a page sent by the interface is no longer subjected to vulnerability detection.
In order to avoid such a situation, in the prior art the interfaces in the white list are also detected periodically, that is, each interface is detected again; if no vulnerability is detected, the interface is retained, and if a vulnerability is detected, the interface is deleted from the white list and the white list is updated. However, such a method does not update the white list in a timely manner and needs to perform vulnerability detection repeatedly, which is obviously not intelligent enough.
Disclosure of Invention
The invention mainly aims to provide a white list optimization method, a white list optimization device, white list optimization equipment and a computer readable storage medium, and aims to realize intelligent optimization of a white list.
In order to achieve the above object, the present invention provides a white list optimization method, which includes the following steps:
if an interface to be detected is detected, determining whether a white list interface matching the interface to be detected exists in a preset white list;
if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page;
and if the similarity is smaller than a preset threshold value, deleting the white list interface from the white list, and carrying out vulnerability detection on the interface to be detected.
Preferably, the step of calculating the similarity between the page to be detected and the white list page includes:
determining the length of the text content that the page to be detected and the white list page have in common, and the total text length of the page to be detected and the white list page;
and calculating the similarity between the page to be detected and the white list page based on the common text length and the total text length.
Preferably, the step of determining the length of the text content of the page to be detected that is the same as the text content of the white list page includes:
acquiring a first text of the page to be detected and a second text of the white list page, determining that a terminal character of the first text is a first character to be matched, and determining that a terminal character of the second text is a second character to be matched;
determining whether the first character to be matched is consistent with the second character to be matched;
if the characters are consistent, removing the terminal characters from the first text and the second text, determining the removed terminal characters as target characters, continuously determining the terminal characters of the first text as first characters to be matched, and determining the terminal characters of the second text as second characters to be matched;
if not, removing the terminal character from the first text or the second text, determining that the terminal character of the first text is a first character to be matched, and determining that the terminal character of the second text is a second character to be matched;
if the characters of the first text or the characters of the second text are completely matched, acquiring a character set corresponding to the target character, wherein the character set at least comprises one character;
and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the character set.
Preferably, the step of determining the text length to be detected, which is the same as the text content of the white list page, based on the character set includes:
if the number of the character sets is one, counting a first number of target characters in the character sets, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the first number;
if the character sets are multiple, determining the character set with the most target characters as a target character set, counting a second number of the target characters in the target character set, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the second number.
Preferably, the step of, if the white list interface exists, determining the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page includes:
if the white list interface exists, determining the page to be detected corresponding to the interface to be detected and a first streamline text of the page to be detected, and determining the white list page corresponding to the white list interface and a second streamline text of the white list page, wherein the streamline text refers to content for recording the processing sequence of the page;
and replacing the first streamline text and the second streamline text with a preset text, and calculating the similarity between the replaced page to be detected and the replaced white list page.
Preferably, the step of, if the white list interface exists, determining the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page includes:
if the white list interface exists, determining the page to be detected corresponding to the interface to be detected, and determining a response code of the page to be detected;
and if the response code is a preset response code, determining the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
Preferably, the step of determining the page to be detected corresponding to the interface to be detected includes:
sending a first preset number of first page requests to the interface to be detected so as to obtain a first preset number of first return pages returned by the interface to be detected based on the first page requests;
determining whether the first request time of each first return page is within a Gaussian distribution range of the white list interface;
and determining a first returned page with the first request time in the Gaussian distribution range as a target page, and determining a page to be detected corresponding to the interface to be detected based on the target page.
Preferably, after the step of determining whether the first request time of each first returned page is within the gaussian distribution range of the white list interface, the white list optimization method further includes:
and if the first request time of each first return page is not in the Gaussian distribution range, determining the first return page with the latest return time in each first return page as the page to be detected corresponding to the interface to be detected.
Preferably, before the step of determining whether a white list interface matched with the interface to be detected exists in a preset white list if the interface to be detected is detected, the white list optimization method further includes:
sending a second preset number of second page requests to the white list interface to obtain a second preset number of second return pages returned by the white list interface based on the second page requests;
and determining second request time of each second return page, and determining the Gaussian distribution range of the white list interface based on the second request time and a preset calculation formula.
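The request-time filtering described in the preceding steps can be sketched as follows. This is an added example, not code from the patent: the range is assumed to be the mean plus or minus three standard deviations (the "preset calculation formula" is not given here), the choice of the most recent target page is an assumption, and all names and sample values are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

K_SIGMA = 3.0  # assumed width of the range, in standard deviations


@dataclass(frozen=True)
class ReturnedPage:
    returned_at: float   # when the page came back (seconds on a constructed clock)
    request_time: float  # how long the request took, in seconds
    body: str


def gaussian_range(request_times, k=K_SIGMA):
    """Range [mean - k*sigma, mean + k*sigma] built from the request times
    of pages returned by the white list interface."""
    if len(request_times) < 2:
        raise ValueError("need at least two baseline request times")
    mu = mean(request_times)
    sigma = pstdev(request_times)
    return max(0.0, mu - k * sigma), mu + k * sigma


def pick_page_to_detect(pages, time_range):
    """Choose the page that will be compared with the white list page.

    Pages whose request time lies in the range are target pages; the most
    recently returned target page is used (an assumption). If no request
    time lies in the range, the most recently returned page is used, as
    the text states. Returns (page, any_page_in_range).
    """
    if not pages:
        raise ValueError("no pages were returned")
    low, high = time_range
    targets = [p for p in pages if low <= p.request_time <= high]
    pool = targets or pages
    return max(pool, key=lambda p: p.returned_at), bool(targets)


# Constructed sample data: five baseline timings and two sets of returned pages.
BASELINE_TIMES = [0.20, 0.22, 0.18, 0.21, 0.19]
MIXED = [
    ReturnedPage(1.0, 0.21, "ok-1"),
    ReturnedPage(2.0, 0.19, "ok-2"),
    ReturnedPage(3.0, 2.50, "gateway timeout"),  # outlier, excluded
]
ALL_SLOW = [
    ReturnedPage(1.0, 1.90, "slow-1"),
    ReturnedPage(2.0, 2.40, "slow-2"),
]

if __name__ == "__main__":
    rng = gaussian_range(BASELINE_TIMES)
    print(rng)
    print(pick_page_to_detect(MIXED, rng))
    print(pick_page_to_detect(ALL_SLOW, rng))
```

Filtering on request time keeps a timeout or overload page from being compared with the stored white list page, where it would score as a large change.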
In addition, to achieve the above object, the present invention further provides a white list optimizing apparatus, including:
the detection module is used for determining whether a preset white list has a white list interface matched with the interface to be detected or not if the interface to be detected is detected;
the calculation module is used for, if the white list interface exists, determining the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page;
and the optimization module is used for deleting the white list interface from the white list and carrying out vulnerability detection on the interface to be detected if the similarity is smaller than a preset threshold value.
Preferably, the calculation module is further configured to:
determining the length of the text content that the page to be detected and the white list page have in common, and the total text length of the page to be detected and the white list page;
and calculating the similarity between the page to be detected and the white list page based on the common text length and the total text length.
Preferably, the calculation module is further configured to:
acquiring a first text of the page to be detected and a second text of the white list page, determining that a terminal character of the first text is a first character to be matched, and determining that a terminal character of the second text is a second character to be matched;
determining whether the first character to be matched is consistent with the second character to be matched;
if the characters are consistent, removing the terminal characters from the first text and the second text, determining the removed terminal characters as target characters, continuously determining the terminal characters of the first text as first characters to be matched, and determining the terminal characters of the second text as second characters to be matched;
if not, removing the terminal character from the first text or the second text, determining that the terminal character of the first text is a first character to be matched, and determining that the terminal character of the second text is a second character to be matched;
if the characters of the first text or the characters of the second text are completely matched, acquiring a character set corresponding to the target character, wherein the character set at least comprises one character;
and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the character set.
Preferably, the calculation module is further configured to:
if the number of the character sets is one, counting a first number of target characters in the character sets, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the first number;
if the character sets are multiple, determining the character set with the most target characters as a target character set, counting a second number of the target characters in the target character set, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the second number.
Preferably, the calculation module is further configured to:
if the white list interface exists, determining the page to be detected corresponding to the interface to be detected and a first streamline text of the page to be detected, and determining the white list page corresponding to the white list interface and a second streamline text of the white list page, wherein the streamline text refers to content for recording the processing sequence of the page;
and replacing the first streamline text and the second streamline text with a preset text, and calculating the similarity between the replaced page to be detected and the replaced white list page.
Preferably, the calculation module is further configured to:
if the white list interface exists, determining the page to be detected corresponding to the interface to be detected, and determining a response code of the page to be detected;
and if the response code is a preset response code, determining a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
Preferably, the calculation module is further configured to:
sending a first preset number of first page requests to the interface to be detected so as to obtain a first preset number of first return pages returned by the interface to be detected based on the first page requests;
determining whether the first request time of each first return page is within a Gaussian distribution range of the white list interface;
and determining a first returned page with the first request time in the Gaussian distribution range as a target page, and determining a page to be detected corresponding to the interface to be detected based on the target page.
Preferably, the calculation module is further configured to:
and if the first request time of each first return page is not in the Gaussian distribution range, determining the first return page with the latest return time in each first return page as the page to be detected corresponding to the interface to be detected.
Preferably, the calculation module is further configured to:
sending a second preset number of second page requests to the white list interface to obtain a second preset number of second return pages returned by the white list interface based on the second page requests;
and determining second request time of each second return page, and determining the Gaussian distribution range of the white list interface based on the second request time and a preset calculation formula.
In addition, to achieve the above object, the present invention further provides white list optimization equipment, including: a memory, a processor, and a white list optimization program stored on the memory and executable on the processor, the white list optimization program, when executed by the processor, implementing the steps of the white list optimization method as described above.
In addition, to achieve the above object, the present invention also provides a computer readable storage medium having stored thereon a white list optimization program, which when executed by a processor, implements the steps of the white list optimization method as described above.
According to the white list optimization method, if an interface to be detected is detected, whether a white list interface matching the interface to be detected exists in a preset white list is determined; if such a white list interface exists, the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface are determined, and the similarity between the page to be detected and the white list page is calculated; and if the similarity is smaller than a preset threshold value, the white list interface is deleted from the white list and vulnerability detection is carried out on the interface to be detected. The invention not only judges whether the interface to be detected is in the white list, but also examines the page to be detected of that interface, and judges whether the interface to be detected needs to be optimized according to the similarity between the page to be detected and the white list page recorded in the white list, so that the white list is accurately optimized and intelligent optimization of the white list is realized.
Drawings
FIG. 1 is a schematic diagram of an apparatus architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a white list optimization method according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The device of the embodiment of the invention can be a mobile terminal or a server device.
As shown in fig. 1, the apparatus may include: a processor 1001 (such as a CPU), a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not limit the apparatus, which may include more or fewer components than those shown, combine some components, or use a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a white list optimization program therein.
The operating system is a program for managing and controlling the white list optimization equipment and software resources and supports the operation of a network communication module, a user interface module, a white list optimization program and other programs or software; the network communication module is used for managing and controlling the network interface 1002; the user interface module is used to manage and control the user interface 1003.
In the white list optimization apparatus shown in fig. 1, the apparatus invokes, through the processor 1001, the white list optimization program stored in the memory 1005 and performs the operations in the various embodiments of the white list optimization method described below.
Based on the hardware structure, the embodiment of the white list optimization method is provided.
Referring to fig. 2, fig. 2 is a schematic flowchart of a white list optimization method according to a first embodiment of the present invention, where the method includes:
step S10, if the interface to be detected is detected, determining whether a preset white list has a white list interface matched with the interface to be detected;
step S20, if the interface exists, determining a page to be detected corresponding to the interface to be detected and a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page;
and step S30, if the similarity is smaller than a preset threshold value, deleting the interface of the white list from the white list, and carrying out vulnerability detection on the interface to be detected.
The white list optimization method is applied to white list optimization equipment of financial institutions such as bank systems. The white list optimization equipment can be a terminal, a robot or a PC device, and for convenience of description it is referred to as the optimization device for short. The optimization device of this embodiment is preferably a mobile terminal such as a mobile phone, and is configured with a Web Scan (Web vulnerability scanner), that is, the optimization device provides the security service of detecting Web site vulnerabilities through the Web vulnerability scanner. A white list is set in the Web vulnerability scanner; the target of the white list is the page to be detected corresponding to an interface to be detected, and its function is to make the Web vulnerability scanner skip vulnerability scanning of that interface.
When detecting an interface to be detected, the optimization device of this embodiment first determines whether the interface to be detected is in the white list, so as to determine whether vulnerability scanning needs to be performed on it. When a white list interface corresponding to the interface to be detected exists in the white list, the optimization device calculates the similarity between the page to be detected of the interface to be detected and the white list page of the white list interface, so as to determine whether the logic of the web interface has changed and whether the old white list rule should be removed, thereby implementing intelligent optimization of the white list with a finer optimization logic.
The respective steps will be described in detail below:
step S10, if the interface to be detected is detected, determining whether a white list interface matching the interface to be detected exists in a preset white list.
In this embodiment, if the optimization device detects an interface to be detected, it first determines whether a white list interface matched with the interface to be detected exists in a preset white list through interface information of the interface to be detected, where the interface information may be a URL address of the interface to be detected, and the optimization device searches whether a white list interface with the same URL address exists in the white list according to the URL address of the interface to be detected.
In addition, the interface information may also be an interface identifier, which is sent to the interface by the optimization device in advance, that is, for a trusted interface, the optimization device sends the trusted identifier to the trusted interface, when the trusted interface is connected with the optimization device, the trusted interface carries the interface identifier in the corresponding connection request, and the optimization device searches whether a white list interface with the same interface identifier exists in a white list according to the interface identifier.
It can be understood that if the white list does not have a white list interface matched with the interface to be detected, the interface to be detected is subjected to vulnerability scanning.
Step S20, if the interface exists, determining the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
In this embodiment, if a white list interface matched with the interface to be detected exists in the white list, the page to be detected corresponding to the interface to be detected is obtained, the white list page corresponding to the white list interface is obtained, and then the similarity between the page to be detected and the white list page is calculated.
That is, whether the interface to be detected has logic change is determined by calculating the similarity between the page to be detected and the white list page, where the page to be detected is the current page of the interface to be detected, and the white list page is the page when the interface to be detected is determined to be the safe interface, that is, when the interface to be detected is stored as the white list interface in the white list, the optimization device stores the current page together.
Specifically, in an embodiment, the step of calculating the similarity between the page to be detected and the white list page includes:
step a, determining the length of the text content that the page to be detected and the white list page have in common, and the total text length of the page to be detected and the white list page;
in an embodiment, after the page to be detected of the interface to be detected and the white list page of the white list interface are determined, the length of the text content the two pages have in common and the total text length of the text of the page to be detected and the text of the white list page are determined. For example, if the text of the page to be detected is aebaghbgg and the text of the white list page is bcdgegjh, the text content common to the page to be detected and the white list page is bgh, that is, the text length of the page to be detected.
In an embodiment, the similarity between the page to be detected and the white list page can be determined by a Hamming distance, a Jaccard distance, or the length of the longest common subsequence, which is not described in detail herein.
Further, in one embodiment, step a includes:
a1, acquiring a first text of the page to be detected and a second text of the white list page, determining that an end character of the first text is a first character to be matched, and determining that an end character of the second text is a second character to be matched;
in an embodiment, a calculation method for determining similarity between a page to be detected and a white list page is provided, specifically, a first text of the page to be detected and a second text of the white list page are obtained first, if the first text is aebaghbgg, the second text is bcdgegjh, then, an end character of the first text is determined to be a first character to be matched, such as g, and an end character of the second text is determined to be a second character to be matched, such as h.
Step a2, determining whether the first character to be matched is consistent with the second character to be matched;
Then the first character to be matched is compared with the second character to be matched to determine whether they are consistent. There are only two outcomes: consistent or inconsistent. If they are consistent, step a3 is executed; if they are inconsistent, step a4 is executed.
Step a3, if the characters are consistent, removing the end characters from the first text and the second text, determining the removed end character as a target character, and continuing to execute the steps of determining the end character of the first text as the first character to be matched and determining the end character of the second text as the second character to be matched;
In one embodiment, if the first character to be matched is consistent with the second character to be matched, the end character is removed from both the first text and the second text. For example, if the first text is abc and the second text is adc, the end character of both is c, so c is removed from the first text and the second text, giving ab as the first text and ad as the second text, and the removed end character c is taken as a target character. The end character of the first text is then determined again as the first character to be matched (here b), the end character of the second text is determined as the second character to be matched (here d), and the comparison of the first and second characters to be matched continues.
Step a4, if the characters are not consistent, removing the end character from the first text or the second text, and executing the steps of determining that the end character of the first text is the first character to be matched and determining that the end character of the second text is the second character to be matched;
In an embodiment, if the first character to be matched is not consistent with the second character to be matched, the end character is removed from the first text or from the second text. For example, if the first text is abd and the second text is aadf, the end character of the first text is d and the end character of the second text is f; the two are not consistent, so either the end character of the first text or the end character of the second text is removed.
That is, there are two possibilities at this point. The first is to remove the end character of the first text: the second text is unchanged and remains aadf, and the first text becomes ab. The end character of the first text is then determined as the first character to be matched (here b), the end character of the second text is determined as the second character to be matched (here f), and the comparison of the two characters continues.
The second is to remove the end character of the second text: the second text becomes aad, and the first text is unchanged and remains abd. The end character of the first text is then determined as the first character to be matched (here d), the end character of the second text is determined as the second character to be matched (here d), and the comparison of the two characters continues.
Therefore, it can be understood that if the first character to be matched is not consistent with the second character to be matched, the corresponding possible cases increase in a square-multiple manner.
Step a5, if the characters of the first text or the characters of the second text are completely matched, acquiring a character set corresponding to the target characters, wherein the character set comprises at least one character;
If the characters of the first text or the characters of the second text are completely matched, the loop terminates and the character set corresponding to the target characters is acquired. If the first character to be matched and the second character to be matched are consistent every time, there is one character set; if the first character to be matched is inconsistent with the second character to be matched, there is more than one character set.
If the first text is abc and the second text is acd, the change process of the first text and the second text according to the method is as follows:
one possibility is that: (abc, acd) → (ab, acd) → (a, acd) → (null, acd), the corresponding target character being null;
one possibility is that: (abc, acd) → (ab, acd) → (ab, ac) → (a, ac) → (a, a) (the terminal characters coincide with each other, a being a target character) → (null ), the corresponding target character being a, the set thereof being (a);
one possibility is that: (abc, acd) → (abc, ac) (end characters coincide, c is a target character) → (ab, a) → (a, a) (end characters coincide, a is a target character) → (null ), the corresponding target characters being c and a, the character set thereof being (ca);
one possibility.
It can be seen that if the first text is not identical to the second text, multiple character sets may appear.
Step a6, based on the character set, determining the text length of the page to be detected which is the same as the text content of the white list page.
And finally, determining the text length of the page to be detected, which is the same as the text content of the page of the white list, according to the character set.
As is clear from the above description, since there are a plurality of character sets, step a6 includes:
Step a61, if the character set is one, counting a first number of target characters in the character set, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the first number;
In an embodiment, if there is only one character set, that is, the first text is completely the same as the second text, only the first number of target characters in the character set needs to be counted, and the first number is used as the value of the text length of the content that the page to be detected has in common with the white list page. For example, if the number of target characters is 5, the corresponding text length is 5.
Step a62, if the character set is multiple, determining the character set with the most target characters as a target character set, counting a second number of the target characters in the target character set, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the second number.
In an embodiment, if there are multiple character sets, that is, the first text and the second text are not completely the same, the number of target characters in each character set is compared and the character set with the most target characters is determined as the target character set. The second number of target characters in the target character set is then counted, and the second number is used as the value of the text length of the content that the page to be detected has in common with the white list page.
Step b, calculating the similarity between the page to be detected and the white list page based on the text length and the total text length.
In an embodiment, after determining the text length of the page to be detected and the white list page, which have the same text content, and the total text length of the page to be detected and the white list page, the similarity between the page to be detected and the white list page can be calculated, and the specific formula is as follows:
S=2×M/T
where S is the similarity, M is the text length of the content that is the same in the page to be detected and the white list page, and T is the total text length of the page to be detected and the white list page.
Step S30, if the similarity is smaller than a preset threshold value, deleting the white list interface from the white list, and carrying out vulnerability detection on the interface to be detected.
In this embodiment, after the similarity between the page to be detected and the white list page is calculated, it is compared with a preset threshold, where the preset threshold is an empirical value, preferably 0.8. If the similarity is smaller than the preset threshold, it is determined that the logic of the interface to be detected has changed, which results in a large difference between the page to be detected and the white list page, and there is a risk that files such as trojan viruses have been embedded. The original white list rule is therefore no longer applicable, so the white list interface is deleted from the white list, and vulnerability detection is performed on the interface to be detected, which has lost its trust, so as to avoid vulnerability attacks.
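The end-character matching of steps a1 to a6, the formula S = 2×M/T and the threshold check of step S30, as an added Python example that is not code from the patent. All function names are hypothetical, T is assumed to be the sum of the two text lengths, and `common_text_length` fills a table instead of following every branch so that it stays usable on full pages.

```python
PRESET_THRESHOLD = 0.8  # empirical value given in the description


def naive_character_sets(first: str, second: str) -> set:
    """Literal steps a1-a5: every character set reachable by branching.

    Each mismatch opens two branches, so this is exponential and only
    meant for short strings such as the abc / acd walk-through.
    """
    if len(first) + len(second) > 24:
        raise ValueError("naive enumeration is for short inputs only")
    if not first or not second:          # one text is used up: loop ends
        return {""}
    if first[-1] == second[-1]:          # step a3: end characters match
        rest = naive_character_sets(first[:-1], second[:-1])
        return {first[-1] + s for s in rest}
    # step a4: drop the end character of either text
    return (naive_character_sets(first[:-1], second)
            | naive_character_sets(first, second[:-1]))


def common_text_length(first: str, second: str) -> int:
    """M: size of the largest character set (step a62), in O(len*len) time.

    prev[j] holds the best target-character count for the state
    (first[:i], second[:j]), i.e. what is left after end characters
    have been stripped; the result equals the maximum over all branches.
    """
    prev = [0] * (len(second) + 1)
    for ch in first:
        cur = [0]
        for j, other in enumerate(second, start=1):
            if ch == other:
                cur.append(prev[j - 1] + 1)            # step a3
            else:
                cur.append(max(prev[j], cur[j - 1]))   # step a4, both branches
        prev = cur
    return prev[-1]


def similarity(detected_text: str, whitelist_text: str) -> float:
    """S = 2 * M / T, with T assumed to be the sum of both text lengths."""
    total = len(detected_text) + len(whitelist_text)
    if total == 0:
        return 1.0  # assumption: two empty pages are treated as identical
    return 2 * common_text_length(detected_text, whitelist_text) / total


def should_remove_from_whitelist(detected_text: str, whitelist_text: str,
                                 threshold: float = PRESET_THRESHOLD) -> bool:
    """Step S30: True means delete the white list entry and scan the interface."""
    return similarity(detected_text, whitelist_text) < threshold


if __name__ == "__main__":
    # Texts from the description's own examples.
    print(sorted(naive_character_sets("abc", "acd"), key=len))
    print(common_text_length("aebaghbgg", "bcdgegjh"))
    print(round(similarity("aebaghbgg", "bcdgegjh"), 4))
    print(should_remove_from_whitelist("aebaghbgg", "bcdgegjh"))
```
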
In this embodiment, if an interface to be detected is detected, it is determined whether a preset white list has a white list interface matched with the interface to be detected; if such a white list interface exists, the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface are determined, and the similarity between the page to be detected and the white list page is calculated; and if the similarity is smaller than a preset threshold value, the white list interface is deleted from the white list, and vulnerability detection is carried out on the interface to be detected. The method and the device not only judge whether the interface to be detected is in the white list, but also examine the page to be detected of the interface to be detected, and judge whether the white list needs to be optimized according to the similarity between the page to be detected and the white list page recorded in the white list, so that the white list is accurately optimized and intelligent optimization of the white list is realized.
Further, a second embodiment of the white list optimization method is proposed based on the first embodiment of the white list optimization method.
The second embodiment of the white list optimization method is different from the first embodiment of the white list optimization method in that the step S20 includes:
Step c, if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected, and determining the response code of the page to be detected;
Step d, if the response code is a preset response code, determining a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
In the embodiment, because the process of calculating the similarity is time-consuming, before the similarity calculation is performed, whether the similarity calculation needs to be performed is determined by the response code of the page to be detected, some special pages to be detected can be quickly discriminated without performing the similarity calculation step, and the intelligence of white list optimization is improved.
The respective steps will be described in detail below:
Step c, if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected, and determining the response code of the page to be detected.
In this embodiment, if it is determined that a white list interface matching the interface to be detected exists in the white list, the page to be detected corresponding to the interface to be detected is obtained, and the response code of the page to be detected is further determined, where the response code refers to the response state of the page: for example, a response code of 404 (not found) indicates that the server cannot find the requested web page, and a response code of 500 (server internal error) indicates that the server encountered an error and cannot complete the request.
Step d, if the response code is a preset response code, determining a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
In this embodiment, response codes representing successful requests, such as 200, 201, 202, 203, 204, 205 and 206, are preset, and other response codes, such as 404 and 500, are non-preset. The response code of the page to be detected is compared with the preset response codes; if the response code of the page to be detected is a preset response code, the white list page corresponding to the white list interface is obtained, and the similarity between the page to be detected and the white list page is calculated. This prevents erroneous removal from the white list caused by network fluctuation.
It can be understood that if the response code of the page to be detected is a non-preset response code, the current page to be detected is not a page that responded successfully. If the similarity between the page to be detected and the white list page were calculated at this time, the two would differ greatly, leading to an erroneous judgment about the interface to be detected, so the calculation would be meaningless. Therefore, when the response code of the page to be detected is a non-preset response code, vulnerability detection is performed directly, the similarity calculation is not performed on the page to be detected, and the processing time is reduced.
Further, in another embodiment, the step S20 includes:
Step e, if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and a first pipeline text of the page to be detected, and determining a white list page corresponding to the white list interface and a second pipeline text of the white list page, wherein the pipeline text refers to content that records the processing sequence of the page;
In another embodiment, if it is determined that a white list interface matched with the interface to be detected exists in the white list, the page to be detected corresponding to the interface to be detected and a first pipeline text of the page to be detected are obtained, and the white list page corresponding to the white list interface and a second pipeline text of the white list page are determined, where the pipeline text refers to content used for recording the processing sequence of the page, such as the text of a sequence number, a timestamp, a pipeline number and the like in the page to be detected and the white list page.
Step f, replacing the first pipeline text and the second pipeline text with preset texts, and calculating the similarity between the replaced page to be detected and the replaced white list page.
Then the first pipeline text and the second pipeline text are replaced with preset texts. Although the contents of the pipeline texts differ, they do not affect the other contents of the page to be detected and the white list page; they are only an interference factor when the similarity of the two pages is calculated. The first and second pipeline texts can therefore be replaced with preset texts: for example, if the date is 03-31, it is replaced with the preset text MM-dd. This avoids interference with the subsequent similarity calculation and makes it more accurate.
Further, in another embodiment, the step S20 includes:
Step g, if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and a first main content of the page to be detected, and determining a white list page corresponding to the white list interface and a second main content of the white list page;
In another embodiment, if it is determined that a white list interface matched with the interface to be detected exists in the white list, the page to be detected corresponding to the interface to be detected and the first main content of the page to be detected are obtained, and the white list page corresponding to the white list interface and the second main content of the white list page are determined, where the main content refers to the body text (main text) of the page to be detected and of the white list page.
Step h, calculating the reduced similarity of the first main content and the second main content, and if the reduced similarity is greater than a preset value, calculating the similarity of the page to be detected and the white list page.
Then, calculating the reduced similarity of the first main content and the second main content, wherein the calculation formula of the reduced similarity is as follows:
S_reduced = minB / maxB
where S_reduced is the reduced similarity, minB is the main content with the minimum length among the first main content and the second main content, and maxB is the main content with the maximum length among the first main content and the second main content.
In addition, a preset value is set, where the preset value is an empirical value and can be set to 0.8 or the like. The reduced similarity is compared with the preset value. If the reduced similarity is greater than the preset value, the two main contents are very similar, and the similarity between the page to be detected and the white list page is calculated. If the reduced similarity is smaller than or equal to the preset value, the two are unlikely to be similar, so the similarity between the page to be detected and the white list page does not need to be calculated: the white list interface is directly deleted from the white list, and vulnerability detection is carried out on the interface to be detected.
In addition, before calculating the similarity between the page to be detected and the white list page, the similarity between the title theme of the page to be detected and the theme of the white list page may be calculated; the calculation method is similar to that of the reduced similarity and is not described herein again.
In addition, the page to be detected and the white list page can be preprocessed, for example, HTML tags of the page to be detected and the white list page are removed, and similarity between the page to be detected and the white list page is calculated.
Before the similarity calculation, the page to be detected and/or the white list page are preprocessed, for example by reduced similarity calculation or pipeline text replacement, so that some special pages to be detected are quickly screened out, the need for the similarity calculation is reduced, and the intelligence of white list optimization is improved.
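The pre-checks described above (response code gate, pipeline text replacement, reduced similarity) chained into one decision, as an added Python example that is not code from the patent. The description presents them as separate embodiments, so the ordering is an assumption, as are the function names, the sample pages and every replacement pattern other than the MM-dd date.

```python
import re
from enum import Enum
from html.parser import HTMLParser

SUCCESS_CODES = frozenset({200, 201, 202, 203, 204, 205, 206})  # preset codes
PRESET_VALUE = 0.8                                              # empirical value

# Only the 03-31 -> MM-dd replacement is from the description; the serial
# and time patterns are assumed examples of "pipeline text".
PIPELINE_PATTERNS = [
    (re.compile(r"\b\d{12,}\b"), "SERIAL"),
    (re.compile(r"\b\d{2}:\d{2}:\d{2}\b"), "HH:mm:ss"),
    (re.compile(r"\b\d{2}-\d{2}\b"), "MM-dd"),
]


class Next(Enum):
    SCAN_ONLY = "scan the interface, leave the white list untouched"
    REMOVE_AND_SCAN = "delete the white list interface, then scan"
    COMPUTE_SIMILARITY = "run the full similarity calculation"


class _BodyText(HTMLParser):
    """Collects text inside <body>, dropping the HTML tags themselves."""

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False

    def handle_data(self, data):
        # Inline script text is kept on purpose: injected script is a change.
        if self.in_body and data.strip():
            self.chunks.append(data.strip())


def main_content(html: str) -> str:
    parser = _BodyText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def replace_pipeline_text(text: str) -> str:
    for pattern, placeholder in PIPELINE_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def reduced_similarity(first_main: str, second_main: str) -> float:
    shorter, longer = sorted((len(first_main), len(second_main)))
    return 1.0 if longer == 0 else shorter / longer  # assumption for empty pages


def pre_check(status_code: int, detected_html: str, whitelist_html: str):
    """Return (next step, normalised detected text, normalised white list text)."""
    if status_code not in SUCCESS_CODES:
        return Next.SCAN_ONLY, "", ""
    detected = replace_pipeline_text(main_content(detected_html))
    trusted = replace_pipeline_text(main_content(whitelist_html))
    if reduced_similarity(detected, trusted) <= PRESET_VALUE:
        return Next.REMOVE_AND_SCAN, detected, trusted
    return Next.COMPUTE_SIMILARITY, detected, trusted


# Constructed sample pages (not from the patent).
WHITELIST_HTML = ("<html><head><title>Balance</title></head><body>"
                  "<h1>Balance query</h1><p>Result: OK</p>"
                  "<p>Date 03-31 10:15:02 serial 2020033100001234</p>"
                  "</body></html>")
DETECTED_SAME = WHITELIST_HTML.replace("03-31 10:15:02", "04-02 18:40:59") \
                              .replace("2020033100001234", "2020040200098765")
DETECTED_CHANGED = WHITELIST_HTML.replace(
    "</body>", "<p>" + "unexpected block " * 20 + "</p></body>")

if __name__ == "__main__":
    for code, page in ((500, DETECTED_SAME), (200, DETECTED_SAME),
                       (200, DETECTED_CHANGED)):
        print(code, pre_check(code, page, WHITELIST_HTML)[0].name)
```
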
Further, a second embodiment of the white list optimization method is proposed based on the first embodiment of the white list optimization method.
The difference between the second embodiment of the white list optimization method and the first embodiment of the white list optimization method is that the step of determining the page to be detected corresponding to the interface to be detected includes:
Step i, sending a first preset number of first page requests to the interface to be detected so as to obtain a first preset number of first return pages returned by the interface to be detected based on the first page requests;
Step j, determining whether the first request time of each first return page is in the Gaussian distribution range of the white list interface;
Step k, determining a first return page with the first request time in the Gaussian distribution range as a target page, and determining a page to be detected corresponding to the interface to be detected based on the target page.
In order to ensure that the page to be detected can be accurately obtained when the similarity is calculated, so that whether the logic of the interface to be detected changes can be accurately judged subsequently, the page to be detected is determined through the Gaussian distribution range of the white list interface, and the stability when the similarity between the page to be detected and the white list page is calculated is improved.
The respective steps will be described in detail below:
Step i, sending a first preset number of first page requests to the interface to be detected so as to obtain a first preset number of first return pages returned by the interface to be detected based on the first page requests.
In this embodiment, when the interface to be detected is detected, a first preset number of first page requests are sent to the interface to be detected, and the interface to be detected returns a first preset number of first return pages based on the first page requests. That is, the optimization device sends a plurality of page requests to the interface to be detected, and the interface to be detected returns a plurality of pages in response, where the first preset number is an empirical value and may be selected to be 5.
Step j, determining whether the first request time of each first return page is in the Gaussian distribution range of the white list interface.
In this embodiment, the first request time of each first return page is determined, and each first request time is compared one by one with the Gaussian distribution range of the white list interface, so as to determine whether the first request time of each first return page is within the Gaussian distribution range. The Gaussian distribution range of the white list interface is a request time range with higher stability obtained through a prior test; that is, if the request time of a return page returned by the interface to be detected is within the Gaussian distribution range, the return page is considered stable and can be used as the page to be detected.
Before that, the white list optimization method further includes:
Step m, sending a second preset number of second page requests to the white list interface to obtain a second preset number of second return pages returned by the white list interface based on the second page requests;
In an embodiment, in the process of storing a trusted interface in the white list as a white list interface, a second preset number of second page requests are sent to the white list interface, and the white list interface returns a second preset number of second return pages based on the second page requests, where the second preset number is an empirical value. It should be noted that the second preset number is greater than the first preset number, so that a larger number of return pages is available for determining the Gaussian distribution range and the range is reliable.
Step n, determining the second request time of each second return page, and determining the Gaussian distribution range of the white list interface based on the second request times and a preset calculation formula.
Then the second request time of each second return page is determined and the second request times are preprocessed, for example by removing the maximum value and the minimum value so that the results are more concentrated, and the Gaussian distribution range of the white list interface is determined according to the preprocessed second request times and a preset calculation formula.
Specifically, the standard deviation of each second request time and the mean value of each second request time are calculated, the gaussian coefficient is determined, and then the calculated mean value, standard deviation and gaussian coefficient are substituted into a preset calculation formula, so that the gaussian distribution range of the white list interface is obtained.
The preset calculation formula is as follows:
Upper boundary of the Gaussian distribution range = mean + Gaussian coefficient × standard deviation
Lower boundary of the Gaussian distribution range = mean - Gaussian coefficient × standard deviation
In an embodiment, the Gaussian coefficient may be a fixed value of 7. It should be explained that the Gaussian distribution is the bell-shaped curve of the normal distribution, and 7 standard deviations are selected rather than another value because 7 standard deviations cover more than 99.997% of the area of the bell-shaped curve; that is, the coverage probability is wider, so that the request times of the return pages returned by the white list interface fall within the Gaussian distribution range.
In one embodiment, the Gaussian coefficient is a dynamic value that fluctuates with the second preset number, specifically according to the formula:
Gaussian coefficient = second preset number after preprocessing - second preset number before preprocessing × 1/10
For example, if the 10 second request times are 0.714, 0.726, 0.736, 0.716, 0.71, 0.723, 0.724, 0.725, 0.727 and 0.728, preprocessing removes the maximum value 0.736 and the minimum value 0.71. The remaining 8 values have a standard deviation of 0.00481 and a mean of 0.72288, and the Gaussian coefficient is 8 - 10 × 1/10 = 7. Then:
Upper boundary of the Gaussian distribution range = 0.72288 + 7 × 0.00481 = 0.75655
Lower boundary of the Gaussian distribution range = 0.72288 - 7 × 0.00481 = 0.68921
At this time, the Gaussian distribution range of the white list interface is [0.68921, 0.75655].
Step k, determining a first return page with the first request time in the Gaussian distribution range as a target page, and determining a page to be detected corresponding to the interface to be detected based on the target page.
In this embodiment, each first request time is compared with the Gaussian distribution range, the first return page whose first request time falls within the Gaussian distribution range is determined as the target page, and the target page is then determined as the page to be detected. It should be explained that if several first return pages have a first request time within the Gaussian distribution range, these return pages are all reliable pages, and one of them is randomly selected as the page to be detected.
Further, in an embodiment, the white list optimization method further includes:
If the first request time of each first return page is not in the Gaussian distribution range, determining the first return page with the latest return time among the first return pages as the page to be detected corresponding to the interface to be detected.
In an embodiment, if none of the first request times of the first preset number of first return pages is within the Gaussian distribution range, that is, the return pages returned by the interface to be detected are all unreliable, the last returned first return page is taken as the page to be detected. This avoids the situation in which no page to be detected can be determined; and because the return pages are unstable when none of them is within the Gaussian distribution range, the last returned page is selected as being closest to the current state of the interface to be detected.
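The Gaussian distribution range of steps m and n and the page selection of steps j and k with its fallback, as an added Python example that is not code from the patent. Function names are hypothetical; the population standard deviation is used because it reproduces the 0.00481 of the worked example, and the list order of the first return pages is assumed to be their return order.

```python
import random
import statistics

# The ten second request times from the description's worked example.
SAMPLE_TIMES = [0.714, 0.726, 0.736, 0.716, 0.71,
                0.723, 0.724, 0.725, 0.727, 0.728]


def gaussian_range(second_request_times, coefficient=None):
    """Return (lower, upper) for a white list interface.

    Preprocessing drops one maximum and one minimum value. With
    coefficient=None the dynamic formula is used:
    count after preprocessing - count before preprocessing * 1/10.
    Pass coefficient=7 for the fixed-value embodiment.
    """
    if len(second_request_times) < 3:
        raise ValueError("need at least 3 timings to trim min and max")
    trimmed = sorted(second_request_times)[1:-1]
    mean = statistics.fmean(trimmed)
    std = statistics.pstdev(trimmed)  # population standard deviation
    if coefficient is None:
        coefficient = len(trimmed) - len(second_request_times) * 1 / 10
    return mean - coefficient * std, mean + coefficient * std


def select_page(first_returns, bounds, rng=random):
    """Pick the page to be detected from [(request_time, page), ...].

    Pages whose request time lies inside the range are considered stable
    and one of them is chosen at random; if none qualifies, the page
    returned last is used so that a page is always available.
    """
    if not first_returns:
        raise ValueError("no first return pages")
    lower, upper = bounds
    stable = [page for req_time, page in first_returns
              if lower <= req_time <= upper]
    if stable:
        return rng.choice(stable)
    return first_returns[-1][1]


if __name__ == "__main__":
    bounds = gaussian_range(SAMPLE_TIMES)
    print("range: [%.5f, %.5f]" % bounds)
    # Constructed first return pages: (request time in seconds, page body).
    returns = [(0.91, "page-1"), (0.72, "page-2"), (1.40, "page-3")]
    print(select_page(returns, bounds))               # only page-2 is in range
    print(select_page([returns[0], returns[2]], bounds))  # fallback: page-3
```

The unrounded bounds differ from the description's figures in the fifth decimal place because the description rounds the mean and standard deviation before multiplying.
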
According to the method and the device, the page to be detected is determined through the Gaussian distribution range of the white list interface, the stability of the page to be detected is improved, and the page to be detected can be accurately obtained when the similarity is calculated, so that whether the logic of the interface to be detected changes can be accurately judged subsequently, and the intelligent optimization of the white list is realized.
The invention also provides a white list optimization device. The white list optimizing device of the invention comprises:
the detection module is used for determining, if an interface to be detected is detected, whether a preset white list has a white list interface matched with the interface to be detected;
the calculation module is used for determining, if such a white list interface exists, a page to be detected corresponding to the interface to be detected and a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page;
and the optimization module is used for deleting the white list interface from the white list and carrying out vulnerability detection on the interface to be detected if the similarity is smaller than a preset threshold value.
Preferably, the calculation module is further configured to:
determining the text length of the page to be detected and the white list page, which has the same text content, and the total text length of the page to be detected and the white list page;
and calculating the similarity between the page to be detected and the white list page based on the text length and the text total length.
Preferably, the calculation module is further configured to:
acquiring a first text of the page to be detected and a second text of the white list page, determining that a terminal character of the first text is a first character to be matched, and determining that a terminal character of the second text is a second character to be matched;
determining whether the first character to be matched is consistent with the second character to be matched;
if the characters are consistent, removing the terminal characters from the first text and the second text, determining the removed terminal characters as target characters, continuously determining the terminal characters of the first text as first characters to be matched, and determining the terminal characters of the second text as second characters to be matched;
if not, removing the terminal character from the first text or the second text, determining that the terminal character of the first text is a first character to be matched, and determining that the terminal character of the second text is a second character to be matched;
if the characters of the first text or the characters of the second text are completely matched, acquiring a character set corresponding to the target character, wherein the character set at least comprises one character;
and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the character set.
Preferably, the calculation module is further configured to:
if the number of the character sets is one, counting a first number of target characters in the character sets, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the first number;
if the character sets are multiple, determining the character set with the most target characters as a target character set, counting a second number of the target characters in the target character set, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the second number.
Preferably, the calculation module is further configured to:
if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and a first pipeline text of the page to be detected, and determining a white list page corresponding to the white list interface and a second pipeline text of the white list page, wherein the pipeline text refers to content that records the processing sequence of the page;
and replacing the first pipeline text and the second pipeline text with preset texts, and calculating the similarity between the replaced page to be detected and the replaced white list page.
Preferably, the calculation module is further configured to:
if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected, and determining a response code of the page to be detected;
and if the response code is a preset response code, determining a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
Preferably, the calculation module is further configured to:
sending a first preset number of first page requests to the interface to be detected so as to obtain a first preset number of first return pages returned by the interface to be detected based on the first page requests;
determining whether the first request time of each first return page is within a Gaussian distribution range of the white list interface;
and determining a first returned page with the first request time in the Gaussian distribution range as a target page, and determining a page to be detected corresponding to the interface to be detected based on the target page.
Preferably, the calculation module is further configured to:
and if the first request time of each first return page is not in the Gaussian distribution range, determining the first return page with the latest return time in each first return page as the page to be detected corresponding to the interface to be detected.
Preferably, the calculation module is further configured to:
sending a second preset number of second page requests to the white list interface to obtain a second preset number of second return pages returned by the white list interface based on the second page requests;
and determining second request time of each second return page, and determining the Gaussian distribution range of the white list interface based on the second request time and a preset calculation formula.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention has stored thereon a whitelist optimization program that, when executed by a processor, performs the steps of the whitelist optimization method described above.
The method implemented when the white list optimization program running on the processor is executed may refer to each embodiment of the white list optimization method of the present invention, and details are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (12)

1. A white list optimization method, characterized in that the white list optimization method comprises the following steps:
if the interface to be detected is detected, determining whether a white list interface matched with the interface to be detected exists in a preset white list;
if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page;
and if the similarity is smaller than a preset threshold value, deleting the white list interface from the white list, and carrying out vulnerability detection on the interface to be detected.
2. The white list optimization method of claim 1, wherein the step of calculating the similarity between the page to be detected and the white list page comprises:
determining the length of the text content that the page to be detected and the white list page have in common, and the total text length of the page to be detected and the white list page;
and calculating the similarity between the page to be detected and the white list page based on the text length and the text total length.
3. The white list optimization method of claim 2, wherein the step of determining the text length of the page to be detected that is the same as the text content of the white list page comprises:
acquiring a first text of the page to be detected and a second text of the white list page, determining that a terminal character of the first text is a first character to be matched, and determining that a terminal character of the second text is a second character to be matched;
determining whether the first character to be matched is consistent with the second character to be matched;
if the characters are consistent, removing the terminal characters from the first text and the second text, determining the removed terminal characters as target characters, continuously determining the terminal characters of the first text as first characters to be matched, and determining the terminal characters of the second text as second characters to be matched;
if not, removing the terminal character from the first text or the second text, determining that the terminal character of the first text is a first character to be matched, and determining that the terminal character of the second text is a second character to be matched;
if the characters of the first text or the characters of the second text are completely matched, acquiring a character set corresponding to the target character, wherein the character set at least comprises one character;
and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the character set.
4. The white list optimization method of claim 3, wherein the step of determining the length of the text to be detected that is the same as the text content of the white list page based on the character set comprises:
if the number of the character sets is one, counting a first number of target characters in the character sets, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the first number;
if the character sets are multiple, determining the character set with the most target characters as a target character set, counting a second number of the target characters in the target character set, and determining the text length of the page to be detected, which is the same as the text content of the white list page, based on the second number.
5. The white list optimization method according to claim 1, wherein the step of determining, if such a white list interface exists, the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page comprises:
if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected and a first streamline text of the page to be detected, and determining a white list page corresponding to the white list interface and a second streamline text of the white list page, wherein the streamline text refers to content for recording the processing sequence of the page;
and replacing the first and second streamline texts with preset texts, and calculating the similarity between the replaced page to be detected and the replaced white list page.
6. The white list optimization method according to claim 1, wherein the step of determining, if such a white list interface exists, the page to be detected corresponding to the interface to be detected and the white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page comprises:
if such a white list interface exists, determining the page to be detected corresponding to the interface to be detected, and determining a response code of the page to be detected;
and if the response code is a preset response code, determining a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page.
7. The white list optimization method according to any one of claims 1 to 6, wherein the step of determining the page to be detected corresponding to the interface to be detected includes:
sending a first preset number of first page requests to the interface to be detected so as to obtain a first preset number of first return pages returned by the interface to be detected based on the first page requests;
determining whether the first request time of each first return page is within a Gaussian distribution range of the white list interface;
and determining a first returned page with the first request time in the Gaussian distribution range as a target page, and determining a page to be detected corresponding to the interface to be detected based on the target page.
8. The white list optimization method of claim 7, wherein after the step of determining whether the first request time of each first return page is within a Gaussian distribution range of the white list interface, the white list optimization method further comprises:
and if the first request time of each first return page is not in the Gaussian distribution range, determining the first return page with the latest return time in each first return page as the page to be detected corresponding to the interface to be detected.
9. The white list optimization method according to claim 7, wherein before the step of determining whether the preset white list has a white list interface matching the interface to be detected if the interface to be detected is detected, the white list optimization method further comprises:
sending a second preset number of second page requests to the white list interface to obtain a second preset number of second return pages returned by the white list interface based on the second page requests;
and determining second request time of each second return page, and determining the Gaussian distribution range of the white list interface based on the second request time and a preset calculation formula.
10. A white list optimization apparatus, the white list optimization apparatus comprising:
the detection module is used for determining whether a preset white list has a white list interface matched with the interface to be detected or not if the interface to be detected is detected;
the calculation module is used for determining, if such a white list interface exists, a page to be detected corresponding to the interface to be detected and a white list page corresponding to the white list interface, and calculating the similarity between the page to be detected and the white list page;
and the optimization module is used for deleting the white list interface from the white list and carrying out vulnerability detection on the interface to be detected if the similarity is smaller than a preset threshold value.
11. A whitelist optimization device, comprising: a memory, a processor and a whitelist optimization program stored on the memory and executable on the processor, the whitelist optimization program implementing the steps of the whitelist optimization method of any one of claims 1 to 9 when executed by the processor.
12. A computer-readable storage medium, having stored thereon a whitelist optimization program that, when executed by a processor, performs the steps of the whitelist optimization method of any one of claims 1-9.
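The re-validation flow of claims 1 to 9 (also described for the calculation module above) can be written as follows; this is an added example, not code from the patent or its applicant. The similarity formula, the mean ± 3σ timing range, the threshold, the expected response code, the `serialNo` field standing in for the streamline text, and all function names are assumptions, since the page only calls these values "preset".

```python
import re
import statistics

# Assumed values and formats: the page only calls these "preset".
SERIAL_RE = re.compile(r'("serialNo"\s*:\s*")[^"]*(")')  # hypothetical serial field
PRESET_TEXT = "SERIAL"
THRESHOLD = 0.9
EXPECTED_STATUS = 200

# Constructed sample pages (not from the patent).
BASELINE = '{"serialNo": "20200624001", "code": 0, "msg": "ok", "balance": "hidden"}'
SAME = '{"serialNo": "20200702977", "code": 0, "msg": "ok", "balance": "hidden"}'
CHANGED = "<html><body>Error 500</body></html>"


def normalize(page):
    """Claim 5: replace the per-request streamline text with a preset text."""
    return SERIAL_RE.sub(r"\g<1>" + PRESET_TEXT + r"\g<2>", page)


def lcs_length(a, b):
    """Claims 3-4 read as a longest common subsequence: the largest set of
    characters that match in order across both texts."""
    prev = [0] * (len(b) + 1)
    for ch_a in a:
        cur = [0]
        for j, ch_b in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ch_a == ch_b else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(page, baseline):
    """Claim 2: shared text length against total text length.
    Assumed formula: 2 * LCS / (len(page) + len(baseline))."""
    a, b = normalize(page), normalize(baseline)
    total = len(a) + len(b)
    return 1.0 if total == 0 else 2 * lcs_length(a, b) / total


def timing_range(samples, k=3.0):
    """Claim 9: Gaussian range of the whitelisted interface's request times.
    Assumed formula: mean +/- k population standard deviations."""
    mean, sd = statistics.mean(samples), statistics.pstdev(samples)
    return mean - k * sd, mean + k * sd


def pick_page(responses, rng):
    """Claims 7-8: use a response whose request time is in range (the first
    one, by assumption); otherwise fall back to the last one returned.
    responses: list of (request_time_seconds, body) in order of return."""
    lo, hi = rng
    in_range = [body for t, body in responses if lo <= t <= hi]
    return in_range[0] if in_range else responses[-1][1]


def revalidate(status, responses, baseline, rng):
    """Claims 1 and 6: decide what to do with a whitelisted interface."""
    if status != EXPECTED_STATUS:
        return "not_compared"  # the claims do not say what happens here
    page = pick_page(responses, rng)
    if similarity(page, baseline) < THRESHOLD:
        return "remove_and_scan"  # drop from whitelist, run vulnerability detection
    return "keep"
```

Without the `normalize` step, two otherwise identical responses differ only in their serial text, which lowers the score of an unchanged interface; the timing filter keeps slow timeout or error responses from being compared against the stored white list page.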
CN202010587315.6A 2020-06-24 2020-06-24 White list optimization method, device, equipment and computer readable storage medium Pending CN111737695A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010587315.6A CN111737695A (en) 2020-06-24 2020-06-24 White list optimization method, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010587315.6A CN111737695A (en) 2020-06-24 2020-06-24 White list optimization method, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN111737695A true CN111737695A (en) 2020-10-02

Family

ID=72651343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010587315.6A Pending CN111737695A (en) 2020-06-24 2020-06-24 White list optimization method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111737695A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112100085A (en) * 2020-11-17 2020-12-18 深圳市房多多网络科技有限公司 Android application program stability testing method, device and equipment
CN112487427A (en) * 2020-11-26 2021-03-12 网宿科技股份有限公司 Method, system and server for determining system white list

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination