CN111953646A - Webpage tampering identification method and system based on neural network clustering

Publication number: CN111953646A
Application number: CN202010554782.9A
Priority to: CN202010554782.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李翔宇, 刘福生, 潘叶
Current Assignee: China Mobile Group Guangdong Co Ltd
Original Assignee: China Mobile Group Guangdong Co Ltd
Application filed by: China Mobile Group Guangdong Co Ltd
Prior art keywords: webpage, instruction, operation request, detection, security threat

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a webpage tampering identification method and a system based on neural network clustering, wherein the method comprises the following steps: performing characteristic analysis on the received webpage operation request, and judging whether the webpage operation request is a webpage security threat instruction or not; if so, determining a webpage security threat type corresponding to the webpage security threat instruction, and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type; if not, carrying out validity detection on the webpage operation request; and when the validity detection fails, blocking the webpage operation request. Therefore, by implementing the embodiment of the invention, the security of the received webpage operation instruction aiming at the webpage can be detected, and if any detection result aiming at the webpage operation instruction fails, the webpage operation instruction can be blocked, so that the malicious attack aiming at the webpage can be prevented in advance, the webpage is prevented from being illegally tampered, and the user experience of the webpage is improved.

Description

Webpage tampering identification method and system based on neural network clustering
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a webpage tampering identification method and system based on neural network clustering.
Background
With the development of network and information technologies, the wide adoption of the internet is deeply influencing how people live and work. Meanwhile, the importance of internet-based information security is also increasing. At present, webpage tampering has become a security problem of great concern for all kinds of websites: some attack methods can tamper with webpage contents, which affects the normal operation of webpages and the data security of users.
In the prior art, webpage tampering is usually handled by an after-the-fact compensation mechanism based on webpage file protection: after the webpage has been tampered with, a pre-stored backup webpage file is read and the webpage is restored from it. In practice, however, this approach cannot prevent malicious attacks on the webpage and occupies more memory resources, which slows the response of the webpage and degrades its user experience.
Disclosure of Invention
The invention provides a webpage tampering identification method and system based on neural network clustering to address the problems in the prior art. The method can protect against malicious attacks on the webpage in advance, prevent the webpage from being illegally tampered with, and improve the user experience of the webpage.
The first aspect of the application discloses a webpage tampering identification method based on neural network clustering, which comprises the following steps:
performing characteristic analysis on the received webpage operation request, and judging whether the webpage operation request is a webpage security threat instruction or not;
if so, determining a webpage security threat type corresponding to the webpage security threat instruction, and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type;
if not, carrying out validity detection on the webpage operation request;
and blocking the webpage operation request when the validity detection fails.
As an optional implementation manner, in the first aspect of this embodiment of the present invention, the method further includes:
performing integrity detection on the webpage files of the webpage at preset time intervals;
if the integrity detection is passed, storing the webpage file as a backup webpage file;
and if the integrity detection fails, acquiring the pre-stored backup webpage file, and restoring the webpage according to the backup webpage file.
As an optional implementation manner, in the first aspect of the embodiment of the present invention, the types of the webpage security threats at least include: a database injection type, a cross-site script type, a web script type, and an illegal upload type.
As an optional implementation manner, in the first aspect of the embodiment of the present invention, the performing validity detection on the web page operation request includes:
judging whether the user inputting the webpage operation request is a legal user or not;
if not, determining that the validity detection is not passed;
if the user is the legal user, judging whether the application process corresponding to the webpage operation request is a legal process;
and if the process is not the legal process, determining that the legality detection is not passed.
As an optional implementation manner, in the first aspect of the embodiment of the present invention, when it is determined that the application process corresponding to the web page operation request is a legal process, the method further includes:
detecting whether the webpage operation request contains a webpage modification instruction or not;
if the webpage modification instruction is contained, detecting whether the webpage modification instruction is a legal instruction or not;
and if the instruction is not the legal instruction, blocking the webpage operation request.
The second aspect of the present application discloses a web page tampering identification system based on neural network clustering, which includes:
the judging unit is used for carrying out characteristic analysis on the received webpage operation request and judging whether the webpage operation request is a webpage security threat instruction or not;
the determining unit is used for determining a webpage security threat type corresponding to the webpage security threat instruction and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type when the judging result of the judging unit is yes;
the first detection unit is used for carrying out validity detection on the webpage operation request when the judgment result of the judgment unit is negative;
and the first blocking unit is used for blocking the webpage operation request when the detection result of the first detection unit does not pass.
As an optional implementation manner, in the second aspect of the embodiment of the present invention, the system for identifying webpage tampering based on neural network clustering further includes:
the second detection unit is used for detecting the integrity of the webpage files of the webpage at preset time intervals;
the storage unit is used for storing the webpage file as a backup webpage file when the detection result of the second detection unit passes;
and the acquisition unit is used for acquiring the pre-stored backup webpage file when the detection result of the second detection unit fails, and recovering the webpage according to the backup webpage file.
As an alternative implementation manner, in the second aspect of the embodiment of the present invention, the types of the web page security threats at least include: a database injection type, a cross-site script type, a web script type, and an illegal upload type.
As an optional implementation manner, in a second aspect of the embodiment of the present invention, the first detection unit includes:
the first judgment subunit is used for judging whether the user inputting the webpage operation request is a legal user or not;
the first determining subunit is used for determining that the validity detection fails when the judgment result of the first judging subunit is negative;
the second judging subunit is configured to, when the judgment result of the first judging subunit is yes, judge whether the application process corresponding to the web page operation request is a legal process;
and the second determining subunit is used for determining that the validity detection fails when the judgment result of the second judging subunit is negative.
As an optional implementation manner, in the second aspect of the embodiment of the present invention, the system for identifying webpage tampering based on neural network clustering further includes:
a third detecting unit, configured to detect whether the web page operation request includes a web page modification instruction when the determination result of the second determining subunit is yes;
the fourth detection unit is used for detecting whether the webpage modification instruction is a legal instruction or not when the judgment result of the third detection unit is yes;
and the second blocking unit is used for blocking the webpage operation request when the judgment result of the fourth detection unit is negative.
A third aspect of an embodiment of the present invention discloses an electronic device, including:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to perform part or all of the steps of any one of the methods of the first aspect.
A fourth aspect of the present embodiments discloses a computer-readable storage medium storing a program code, where the program code includes instructions for performing part or all of the steps of any one of the methods of the first aspect.
A fifth aspect of embodiments of the present invention discloses a computer program product, which, when run on a computer, causes the computer to perform some or all of the steps of any one of the methods of the first aspect.
A sixth aspect of the present embodiment discloses an application publishing platform, where the application publishing platform is configured to publish a computer program product, where the computer program product is configured to, when running on a computer, cause the computer to perform part or all of the steps of any one of the methods in the first aspect.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
in the embodiment of the invention, the received webpage operation request is subjected to characteristic analysis, and whether the webpage operation request is a webpage security threat instruction is judged; if so, determining a webpage security threat type corresponding to the webpage security threat instruction, and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type; if not, carrying out validity detection on the webpage operation request; and when the validity detection fails, blocking the webpage operation request. Therefore, by implementing the embodiment of the invention, the security of the received webpage operation instruction aiming at the webpage can be detected, and if any detection result aiming at the webpage operation instruction fails, the webpage operation instruction can be blocked, so that the malicious attack aiming at the webpage is protected in advance, the webpage is prevented from being illegally tampered, and the user experience of the webpage is improved.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a method for identifying webpage tampering based on neural network clustering according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of another method for identifying webpage tampering based on neural network clustering according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a system for identifying webpage tampering based on neural network clustering according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of another neural network clustering-based webpage tampering identification system disclosed in the embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is to be noted that the terms "comprises" and "comprising" and any variations thereof in the embodiments and drawings of the present invention are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
The embodiment of the invention discloses a webpage tampering identification method and system based on neural network clustering, which can protect against malicious attacks on a webpage in advance, prevent the webpage from being illegally tampered with, and improve the user experience of the webpage. Details are given below.
Example one
Referring to FIG. 1, FIG. 1 is a schematic flowchart of a webpage tampering identification method based on neural network clustering according to an embodiment of the present invention. As shown in FIG. 1, the webpage tampering identification method based on neural network clustering may include the following steps:
101. Performing characteristic analysis on the received webpage operation request, judging whether the webpage operation request is a webpage security threat instruction or not, and if so, executing step 102; if not, executing step 103 to step 104.
In this embodiment of the present invention, one or more steps of any embodiment may be executed by a service device (e.g., a cloud server), which is not limited by the embodiment of the present invention. The webpage operation request may be input by any application process operating on the webpage, and may correspond to any user of the webpage; the user may be a normal user of the webpage or an abnormal user maliciously attacking it. A webpage operation instruction input by an abnormal user is generally a webpage security threat instruction that poses a security threat to the webpage. The received webpage operation request therefore needs feature analysis, which may be performed based on a neural network clustering algorithm, to determine whether the webpage operation request is a webpage security threat instruction.
102. Determining a webpage security threat type corresponding to the webpage security threat instruction, and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type.
In the embodiment of the invention, the webpage security threat types at least comprise: the database injection type, the cross-site script type, the webpage script type and the illegal upload type. By distinguishing the webpage security threat types, different webpage security problems can be handled in a targeted manner, so that the webpage can safely cope with attacks of the various types. A webpage security threat instruction of the database injection type may exploit a Structured Query Language (SQL) injection vulnerability in the webpage: SQL commands are entered in a Uniform Resource Locator (URL), a form field or another input field to change the query attributes of the database, deceiving the webpage application and thereby gaining unrestricted access to the database. A webpage security threat instruction of the cross-site script type may use Cross Site Scripting (XSS), a common method of impersonating a user and falsifying webpage content; through XSS, the attacker can steal the user's data stored on the user's local terminal (cookies), redirect the user to other malicious pages, and present false content to the user. A webpage security threat instruction of the webpage script type may obtain a WEB Shell, for example by uploading a Trojan; after administrator permission is obtained in various ways, the webpage is tampered with by uploading or modifying files, and the malicious party exchanges data with the server through the WEB Shell over WEB ports such as 80, so that the traffic can pass through a firewall. This type is generally used to attack webpage systems that allow users to upload. A webpage security threat instruction of the illegal upload type may allow a malicious party to bypass the restrictions set by the administrator and upload files of any type, or write to a directory in which writing is prohibited.
103. Carrying out validity detection on the webpage operation request.
In the embodiment of the invention, when the webpage operation request is judged not to be the webpage security threat instruction, the validity of the webpage operation request can be further detected.
104. Judging whether the validity detection passes or not, if so, ending the process; if not, step 105 is performed.
As an alternative embodiment, when the validity detection passes, the following steps may be further performed:
sending the webpage operation request to a lower-layer driver module;
performing, by the lower-layer driver module, protection judgment on the webpage operation request based on a fine-grained file protection mode;
when the protection judgment on the webpage operation request is passed, executing the webpage operation corresponding to the webpage operation request;
when the protection judgment on the webpage operation request is not passed, step 105 is executed.
By implementing this embodiment, after the validity detection of the webpage operation request passes, the request is judged again based on the fine-grained file protection mode, and the operation corresponding to the webpage operation request is executed only after this protection judgment passes, which ensures the security of executing that operation.
105. Blocking the webpage operation request.
By implementing the method described in FIG. 1, malicious attacks on the webpage can be protected against in advance, the webpage is prevented from being illegally tampered with, and the user experience of the webpage is improved. In addition, the webpage can safely cope with attacks of the various webpage security threat types, and the security of executing the operation corresponding to the webpage operation request is ensured.
Example two
Referring to FIG. 2, FIG. 2 is a schematic flowchart illustrating another method for identifying webpage tampering based on neural network clustering according to an embodiment of the present invention. As shown in FIG. 2, the webpage tampering identification method based on neural network clustering may include the following steps:
201. Performing characteristic analysis on the received webpage operation request, judging whether the webpage operation request is a webpage security threat instruction or not, and if so, executing step 202; if not, executing step 203 to step 204.
202. Determining a webpage security threat type corresponding to the webpage security threat instruction, and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type.
203. Carrying out validity detection on the webpage operation request.
204. Judging whether the user inputting the webpage operation request is a legal user, if so, executing step 206; if not, step 205 is performed.
In the embodiment of the invention, whether the user inputting the webpage operation instruction is a legal user can be judged first: the user information of the user inputting the webpage operation instruction is obtained and compared with the registered user information stored in the database in advance. When registered user information matching the user information exists in the database, the user can be considered a legal user; otherwise, the user can be considered an illegal user.
205. Determining that the validity detection fails, and executing steps 208 to 210.
206. Judging whether the application process corresponding to the webpage operation request is a legal process, if so, ending the process; if not, step 207 is performed.
As an optional implementation manner, when it is determined that the application process corresponding to the web page operation request is a legal process, the following steps may be further performed:
detecting whether the webpage operation request contains a webpage modification instruction or not;
if the webpage modification instruction is contained, detecting whether the webpage modification instruction is a legal instruction;
and if the instruction is not a legal instruction, blocking the webpage operation request.
The implementation of the implementation mode can detect the content in the webpage operation request, if the webpage operation request is detected to contain the webpage modification instruction aiming at the webpage content, the legality of the webpage modification instruction needs to be detected, only when the webpage modification instruction is determined to be the legal instruction, the operation corresponding to the webpage modification instruction can be executed, and the safety of webpage operation according to the webpage modification instruction is guaranteed.
Furthermore, the web page modification instruction may be at least a web page content adding instruction, a web page content deleting instruction, a web page content modifying instruction, or the like, and different operations for detecting the validity of the web page modification instruction may be performed for different web page modification instructions.
Optionally, when the webpage modification instruction is a webpage content increasing instruction, the method for detecting whether the webpage modification instruction is a legal instruction may be: acquiring added content information from the webpage content adding instruction, analyzing the added content information based on a neural network algorithm, and judging whether the added content information contains illegal instruction information or not; if the instruction is contained, the webpage content increasing instruction is not considered to be a legal instruction; if not, the webpage content increasing instruction can be considered as a legal instruction, and the webpage content increasing instruction is responded. Therefore, the added content information contained in the webpage content adding instruction can be analyzed through the method, and the webpage content adding instruction can be responded only when the condition that the added content information does not contain illegal instruction information is detected, so that the safety of the webpage content adding is ensured.
Optionally, when the webpage modification instruction is a webpage content deletion instruction, the method for detecting whether the webpage modification instruction is a legal instruction may be: acquiring deletion address information from a webpage content deletion instruction, determining a target deletion address in a webpage corresponding to the deletion address information, determining target deletion webpage content corresponding to the target deletion address in the webpage, analyzing the target deletion webpage content based on a neural network algorithm, and judging whether the target deletion webpage content is a core instruction; if the instruction is a core instruction, the webpage content deleting instruction is not considered to be a legal instruction; if the instruction is not the core instruction, the webpage content deleting instruction can be considered as a legal instruction, and the webpage content deleting instruction is responded. Therefore, the target deleted webpage content needing to be deleted in the webpage can be determined according to the webpage content deleting instruction in the above mode, the target deleted webpage content can be analyzed, and if the target deleted webpage content is a core instruction, the target deleted webpage content is considered to be incapable of being deleted, so that the webpage content deleting instruction can be considered not to be a legal instruction; only under the condition that the target deleted webpage content is not considered to be the core instruction, the target deleted webpage content can be deleted in response to the webpage content deleting instruction, and at the moment, the normal operation of the webpage is not influenced, so that the normal operation of the webpage is ensured under the condition that partial content of the webpage is deleted.
Optionally, when the webpage modification instruction is a webpage content modification instruction, the method for detecting whether the webpage modification instruction is a legal instruction may be: acquiring modified content information and modified address information from a webpage content modification instruction, determining a target modification address in a webpage corresponding to the modified address information, determining target modified webpage content corresponding to the target modification address in the webpage, analyzing the modified content information and the target modified webpage content based on a neural network algorithm, and judging whether the modified content information contains illegal instruction information and whether the target modified webpage content is a core instruction; if the modified content information contains illegal instruction information or the target modified webpage content is a core instruction, the webpage content deleting instruction can be considered as a legal instruction; if the modified content information does not contain illegal instruction information and the target modified webpage content is not a core instruction, the webpage content modification instruction can be considered as a legal instruction and the webpage content modification instruction is responded. Therefore, the legality of the webpage content modification instruction can be analyzed through the method, and the webpage content modification instruction can be considered as a legal instruction only under the condition that the modified content information contained in the webpage content modification instruction does not contain illegal instruction information and the target modified webpage content contained in the webpage content modification instruction is not a core instruction, so that the correctness of content modification in the webpage is guaranteed.
207. Determine that the validity detection fails, and execute steps 208 to 210.
In the embodiment of the present invention, by implementing steps 204 to 207 above, the legality of the user and of the application process corresponding to the webpage operation request can be further detected. The next operation is executed according to the webpage operation request only when the user is a legal user and the application process is a legal process, which ensures the security of responding to the webpage operation request.
208. Block the webpage operation request.
209. Perform integrity detection on the webpage files of the webpage at preset time intervals.
As an alternative embodiment, the method for performing integrity check on the web page file of the web page may include the following steps:
detecting whether malicious code exists in the webpage files of the webpage based on a crawler technology and a webpage Trojan-implantation detection technology;
if malicious code exists, determining that the integrity detection of the webpage files of the webpage fails;
if no malicious code exists, detecting whether any code is missing from the webpage files based on the crawler technology;
if code is missing, determining that the integrity detection of the webpage files of the webpage fails;
and if no code is missing, determining that the integrity detection of the webpage files of the webpage passes.
By implementing this implementation mode, the integrity of the webpage files can be detected through the crawler technology and the webpage Trojan-implantation detection technology. If extra malicious code exists in a webpage file, or part of the code in a webpage file has been lost, the integrity detection of the webpage file can be considered to have failed, which ensures the accuracy of the integrity detection of the webpage files.
210. Judge whether the integrity detection passes; if so, execute step 211; if not, execute step 212.
211. Store the webpage file as a backup webpage file.
212. Acquire the pre-stored backup webpage file, and restore the webpage according to the backup webpage file.
In the embodiment of the present invention, by implementing steps 209 to 212, the integrity of the webpage files of the webpage can be detected. If a webpage file is detected to be incomplete, the webpage can be considered to have been attacked and its files maliciously operated on. To protect the security of webpage operation, the pre-stored backup webpage file can be acquired and the webpage restored from it, so that no error occurs while the webpage is running and the security of webpage operation is ensured.
Optionally, steps 209 to 212 may be performed before or after any one of steps 201 to 208, and have no influence on the implementation of the embodiment of the present invention.
With the method described in fig. 2, malicious attacks on the webpage can be guarded against in advance, the webpage is prevented from being illegally tampered with, and the user experience of the webpage is improved. In addition, implementing the method described in fig. 2 ensures the security of operating on the webpage according to the webpage modification instruction, ensures the security of the content added to the webpage, ensures the normal operation of the webpage when part of its content is deleted, ensures the correctness of content modification in the webpage, ensures the security of responding to the webpage operation request, ensures the accuracy of integrity detection of the webpage file, and ensures the security of webpage operation.
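The periodic cycle of steps 209 to 212, sketched as an added Python example that is not part of the patent text. The regex heuristics, the allow-listed hosts, the comparison against the last backup used as the missing-code test, and the snapshots (a dict standing in for crawler output) are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: hosts this site is expected to load scripts and frames from.
ALLOWED_HOSTS = {"www.example.test", "static.example.test"}

# Constructed heuristics standing in for the webpage Trojan detection step.
EXTERNAL_SRC = re.compile(
    r"<(script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?0(?!\d)|display\s*:\s*none)", re.I)


def find_malicious_code(files: Dict[str, str]) -> List[str]:
    """Check 1: extra code that loads from unlisted hosts or hides a frame."""
    findings = []
    for path, html in sorted(files.items()):
        for tag, host in EXTERNAL_SRC.findall(html):
            if host.lower() not in ALLOWED_HOSTS:
                findings.append(
                    f"{path}: {tag.lower()} loads from unlisted host {host.lower()}")
        if HIDDEN_IFRAME.search(html):
            findings.append(f"{path}: hidden iframe")
    return findings


def find_missing_code(files: Dict[str, str], backup: Dict[str, str]) -> List[str]:
    """Check 2: files or non-blank lines of the last good copy that are gone."""
    findings = []
    for path, good in sorted(backup.items()):
        if path not in files:
            findings.append(f"{path}: file missing")
            continue
        present = {line.strip() for line in files[path].splitlines()}
        for line in good.splitlines():
            if line.strip() and line.strip() not in present:
                findings.append(f"{path}: missing line {line.strip()!r}")
    return findings


@dataclass
class CycleResult:
    passed: bool
    restored: bool
    files: Dict[str, str]      # what should be served after this cycle
    findings: List[str]


@dataclass
class IntegrityMonitor:
    backup: Optional[Dict[str, str]] = None

    def run_cycle(self, files: Dict[str, str]) -> CycleResult:
        """One timed pass: detect (209), judge (210), back up (211) or restore (212)."""
        findings = find_malicious_code(files)
        if not findings and self.backup is not None:
            # The missing-code check runs only when no malicious code was found.
            findings = find_missing_code(files, self.backup)
        if not findings:
            self.backup = dict(files)
            return CycleResult(True, False, files, [])
        if self.backup is None:
            # Failure before any good copy exists: nothing to restore from.
            return CycleResult(False, False, files, findings)
        return CycleResult(False, True, dict(self.backup), findings)


# Constructed snapshots of what a crawl of the site returned on three intervals.
GOOD = {"index.html": """<html>
<head><script src="/js/app.js"></script></head>
<body>
<h1>Portal</h1>
<form action="/login" method="post"></form>
</body>
</html>
"""}
INJECTED = {"index.html": GOOD["index.html"].replace(
    "</body>",
    '<iframe src="http://cdn.invalid/x" width="0" height="0"></iframe>\n</body>')}
TRUNCATED = {"index.html": GOOD["index.html"].replace(
    '<form action="/login" method="post"></form>\n', "")}


def demo() -> List[CycleResult]:
    monitor = IntegrityMonitor()
    return [monitor.run_cycle(snap) for snap in (GOOD, INJECTED, TRUNCATED)]


if __name__ == "__main__":
    for result in demo():
        print(result.passed, result.restored, result.findings)
```

Because the missing-code test here compares against the last backup, a legitimate release that removes lines has to refresh the backup through the authorised publishing path, or the next cycle rolls it back.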
Example three
Referring to fig. 3, fig. 3 is a schematic structural diagram of a system for identifying webpage tampering based on neural network clustering according to an embodiment of the present invention. As shown in fig. 3, the system for identifying webpage tampering based on neural network clustering may include:
A judging unit 301, configured to perform feature analysis on the received webpage operation request and judge whether the webpage operation request is a webpage security threat instruction.
A determining unit 302, configured to determine, when the judgment result of the judging unit 301 is yes, the webpage security threat type corresponding to the webpage security threat instruction, and block the webpage security threat instruction according to the blocking mode corresponding to the webpage security threat type.
In the embodiment of the invention, the webpage security threat types at least include: a database injection type, a cross-site script type, a webpage script type and an illegal upload type. By analyzing the different webpage security threat types, different webpage security problems can be handled in a targeted way, so that the webpage can safely cope with webpage attacks of the various webpage security threat types.
A first detecting unit 303, configured to perform validity detection on the webpage operation request when the judgment result of the judging unit 301 is no.
As an optional implementation manner, when the validity detection passes, the first detecting unit 303 may further be configured to:
sending the webpage operation request to a lower-layer driver module;
performing, by the lower-layer driver module, a protection judgment on the webpage operation request on the basis of a fine-grained file protection mode;
when the protection judgment on the webpage operation request passes, executing the webpage operation corresponding to the webpage operation request;
when the protection judgment on the webpage operation request does not pass, executing step 105.
By implementing this implementation mode, after the validity detection of the webpage operation request passes, a further protection judgment can be made on the request based on the fine-grained file protection mode, and the operation corresponding to the request is executed only after the protection judgment passes, which ensures the security of that operation.
A first blocking unit 304, configured to block the webpage operation request when the detection result of the first detecting unit 303 is a failure.
Therefore, by implementing the webpage tampering identification system based on neural network clustering described in fig. 3, malicious attacks on the webpage can be guarded against in advance, the webpage is prevented from being illegally tampered with, and the user experience of the webpage is improved. In addition, implementing the system described in fig. 3 allows the webpage to safely cope with webpage attacks of the various webpage security threat types, and ensures the security of the operation corresponding to the webpage operation request.
Example four
Referring to fig. 4, fig. 4 is a schematic structural diagram of another system for identifying webpage tampering based on neural network clustering according to an embodiment of the present invention. The neural network cluster-based webpage tampering identification system shown in fig. 4 is obtained by optimizing the neural network cluster-based webpage tampering identification system shown in fig. 3. The webpage tampering identification system based on neural network clustering shown in fig. 4 may further include:
the second detecting unit 305 is configured to perform integrity detection on the web page file of the web page at preset time intervals.
A storage unit 306, configured to store the web page file as a backup web page file when the detection result of the second detection unit 305 passes.
An obtaining unit 307, configured to obtain a pre-stored backup web page file when the detection result of the second detecting unit 305 fails, and restore the web page according to the backup web page file.
In the embodiment of the invention, the integrity of the webpage files of the webpage can be detected; if a webpage file is detected to be incomplete, the webpage can be considered to have been attacked and its files maliciously operated on.
As an optional implementation manner, the way for the second detecting unit 305 to perform integrity detection on the web page file of the web page may specifically be:
detecting whether malicious code exists in the webpage files of the webpage based on a crawler technology and a webpage Trojan-implantation detection technology;
if malicious code exists, determining that the integrity detection of the webpage files of the webpage fails;
if no malicious code exists, detecting whether any code is missing from the webpage files based on the crawler technology;
if code is missing, determining that the integrity detection of the webpage files of the webpage fails;
and if no code is missing, determining that the integrity detection of the webpage files of the webpage passes.
By implementing this implementation mode, the integrity of the webpage files can be detected through the crawler technology and the webpage Trojan-implantation detection technology. If extra malicious code exists in a webpage file, or part of the code in a webpage file has been lost, the integrity detection of the webpage file can be considered to have failed, which ensures the accuracy of the integrity detection of the webpage files.
As an alternative embodiment, the first detection unit 303 of the neural network cluster-based webpage tampering identification system shown in fig. 4 may include:
a first judging subunit 3031, configured to judge whether the user inputting the webpage operation request is a legal user;
a first determining subunit 3032, configured to determine that the validity detection fails when the judgment result of the first judging subunit 3031 is no, and trigger the first blocking unit 304 to block the webpage operation request;
a second judging subunit 3033, configured to judge, when the judgment result of the first judging subunit 3031 is yes, whether the application process corresponding to the webpage operation request is a legal process;
a second determining subunit 3034, configured to determine that the validity detection fails when the judgment result of the second judging subunit 3033 is no, and trigger the first blocking unit 304 to block the webpage operation request.
By implementing the implementation mode, the legality of the user and the application process corresponding to the webpage operation request can be further detected, and the next operation can be executed according to the webpage operation request only under the condition that the user is a legal user and the application process is a legal process, so that the safety of responding to the webpage operation request is ensured.
As an optional implementation, the system for identifying webpage tampering based on neural network clustering shown in fig. 4 may further include:
a third detecting unit 308, configured to detect whether the webpage operation request contains a webpage modification instruction when the judgment result of the second judging subunit 3033 is yes;
a fourth detecting unit 309, configured to detect whether the webpage modification instruction is a legal instruction when the detection result of the third detecting unit 308 is yes;
a second blocking unit 310, configured to block the webpage operation request when the detection result of the fourth detecting unit 309 is no.
Implementing this implementation mode allows the content of the webpage operation request to be detected. If the webpage operation request is detected to contain a webpage modification instruction aimed at the webpage content, the legality of the webpage modification instruction must be detected, and the operation corresponding to it can be executed only when it is determined to be a legal instruction, which ensures the security of operating on the webpage according to the webpage modification instruction.
Furthermore, the web page modification instruction may be at least a web page content adding instruction, a web page content deleting instruction, a web page content modifying instruction, or the like, and different operations for detecting the validity of the web page modification instruction may be performed for different web page modification instructions.
Optionally, when the webpage modification instruction is a webpage content adding instruction, the fourth detecting unit 309 may detect whether it is a legal instruction as follows: acquire the added content information from the webpage content adding instruction, analyze the added content information based on a neural network algorithm, and judge whether it contains illegal instruction information. If it does, the webpage content adding instruction is not considered a legal instruction; if it does not, the webpage content adding instruction can be considered a legal instruction and is responded to. In this way, the added content information carried by the webpage content adding instruction can be analyzed, and the instruction is responded to only when the added content information is found to contain no illegal instruction information, which ensures the security of adding webpage content.
Optionally, when the webpage modification instruction is a webpage content deletion instruction, the fourth detecting unit 309 may detect whether it is a legal instruction as follows: acquire deletion address information from the webpage content deletion instruction; determine the target deletion address in the webpage corresponding to the deletion address information; determine the target deletion webpage content corresponding to the target deletion address in the webpage; analyze the target deletion webpage content based on a neural network algorithm and judge whether it is a core instruction. If it is a core instruction, the webpage content deletion instruction is not considered a legal instruction; if it is not a core instruction, the webpage content deletion instruction can be considered a legal instruction and is responded to. In this way, the webpage content to be deleted can be determined from the webpage content deletion instruction and analyzed. If the target deletion webpage content is a core instruction, it is considered undeletable, so the webpage content deletion instruction is not considered a legal instruction. Only when the target deletion webpage content is not a core instruction can it be deleted in response to the instruction; the normal operation of the webpage is then unaffected, so the webpage keeps operating normally even when part of its content is deleted.
Optionally, when the webpage modification instruction is a webpage content modification instruction, the fourth detecting unit 309 may detect whether it is a legal instruction as follows: acquire modified content information and modification address information from the webpage content modification instruction; determine the target modification address in the webpage corresponding to the modification address information; determine the target modified webpage content corresponding to the target modification address in the webpage; analyze the modified content information and the target modified webpage content based on a neural network algorithm, and judge whether the modified content information contains illegal instruction information and whether the target modified webpage content is a core instruction. If the modified content information contains illegal instruction information, or the target modified webpage content is a core instruction, the webpage content modification instruction is not considered a legal instruction; if the modified content information does not contain illegal instruction information and the target modified webpage content is not a core instruction, the webpage content modification instruction can be considered a legal instruction and is responded to. In this way, the legality of the webpage content modification instruction can be analyzed: the instruction is considered legal only when the modified content information it carries contains no illegal instruction information and the webpage content it targets is not a core instruction, which guarantees the correctness of content modification in the webpage.
Therefore, by implementing the webpage tampering identification system based on neural network clustering described in fig. 4, malicious attacks on the webpage can be guarded against in advance, the webpage is prevented from being illegally tampered with, and the user experience of the webpage is improved. In addition, implementing the system described in fig. 4 ensures the security of operating on the webpage according to the webpage modification instruction, ensures the security of the content added to the webpage, ensures the normal operation of the webpage when part of its content is deleted, ensures the correctness of content modification in the webpage, ensures the security of responding to the webpage operation request, ensures the accuracy of integrity detection of the webpage file, and ensures the security of webpage operation.
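The legality checks for adding, deleting and modifying instructions described above for the fourth detecting unit 309 (and for the corresponding method steps), as an added Python example that is not part of the patent text. The two regex classifiers stand in for the neural network analysis, and the address-to-content page model, all names, and the fail-closed handling of unknown addresses and instruction kinds are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Page = Dict[str, str]   # assumed model: address -> content fragment at that address


@dataclass(frozen=True)
class ModInstruction:
    kind: str                       # "add", "delete" or "modify"
    address: Optional[str] = None   # deletion / modification address
    content: Optional[str] = None   # added / modified content


# Stand-in classifiers (assumptions); the patent analyzes with a neural network.
_ILLEGAL = re.compile(r"<script\b|<iframe\b|\bon\w+\s*=|javascript:", re.I)
_CORE = re.compile(r"<(form|script|link|nav)\b", re.I)


def has_illegal_info(content: str) -> bool:
    return bool(_ILLEGAL.search(content))


def is_core(fragment: str) -> bool:
    return bool(_CORE.search(fragment))


def check_instruction(ins: ModInstruction, page: Page,
                      illegal: Callable[[str], bool] = has_illegal_info,
                      core: Callable[[str], bool] = is_core) -> Tuple[bool, str]:
    """Return (legal, reason) for one webpage modification instruction."""
    if ins.kind == "add":
        if illegal(ins.content or ""):
            return False, "added content contains illegal instruction information"
        return True, "legal add"
    if ins.kind not in ("delete", "modify"):
        return False, "unknown instruction kind"            # fail closed (assumption)
    target = page.get(ins.address) if ins.address is not None else None
    if target is None:
        return False, "target address not found in page"    # fail closed (assumption)
    if ins.kind == "modify" and illegal(ins.content or ""):
        return False, "modified content contains illegal instruction information"
    if core(target):
        return False, f"target content at {ins.address} is core"
    return True, f"legal {ins.kind}"


def respond(ins: ModInstruction, page: Page) -> Tuple[Page, bool, str]:
    """Apply the instruction to a copy of the page only if it is legal."""
    legal, reason = check_instruction(ins, page)
    if not legal:
        return page, False, reason          # blocked: page left unchanged
    new_page = dict(page)
    if ins.kind == "add":
        # Added content always gets a fresh address so it cannot overwrite
        # existing (possibly core) content.
        n = len(new_page)
        while f"added/{n}" in new_page:
            n += 1
        new_page[f"added/{n}"] = ins.content or ""
    elif ins.kind == "delete":
        del new_page[ins.address]
    else:
        new_page[ins.address] = ins.content or ""
    return new_page, True, reason


# Constructed page and instructions.
PAGE: Page = {
    "header/nav": '<nav><a href="/">Home</a></nav>',
    "main/login": '<form action="/login" method="post"></form>',
    "main/news": "<p>Maintenance window on Friday.</p>",
}
CASES: List[ModInstruction] = [
    ModInstruction("add", content="<p>New tariff published.</p>"),
    ModInstruction("add", content='<img src="x" onerror="load()">'),
    ModInstruction("delete", address="main/news"),
    ModInstruction("delete", address="main/login"),
    ModInstruction("modify", address="main/news", content="<p>Window moved to Monday.</p>"),
    ModInstruction("modify", address="main/news", content='<a href="javascript:void(0)">x</a>'),
    ModInstruction("modify", address="header/nav", content="<p>gone</p>"),
    ModInstruction("delete", address="main/absent"),
]


def demo() -> List[bool]:
    return [check_instruction(case, PAGE)[0] for case in CASES]
```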
Example five
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure. As shown in fig. 5, the electronic device may include:
a memory 501 in which executable program code is stored;
a processor 502 coupled to a memory 501;
wherein, the processor 502 calls the executable program code stored in the memory 501 to execute part or all of the steps of the method in the above method embodiments.
The embodiment of the invention also discloses a computer readable storage medium, wherein the computer readable storage medium stores program codes, wherein the program codes comprise instructions for executing part or all of the steps of the method in the above method embodiments.
Embodiments of the present invention also disclose a computer program product, wherein, when the computer program product is run on a computer, the computer is caused to execute part or all of the steps of the method as in the above method embodiments.
The embodiment of the present invention also discloses an application publishing platform, wherein the application publishing platform is used for publishing a computer program product, and when the computer program product runs on a computer, the computer is caused to execute part or all of the steps of the method in the above method embodiments.
It should be appreciated that reference throughout this specification to "an embodiment of the present invention" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrase "in embodiments of the invention" appearing in various places throughout the specification are not necessarily all referring to the same embodiments. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Those skilled in the art should also appreciate that the embodiments described in this specification are exemplary and alternative embodiments, and that the acts and modules illustrated are not required in order to practice the invention.
In various embodiments of the present invention, it should be understood that the sequence numbers of the above-mentioned processes do not imply an inevitable order of execution, and the execution order of the processes should be determined by their functions and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein. It should be understood that the term "and/or" herein merely describes an association relationship between associated objects, meaning that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In the embodiments provided herein, it should be understood that "B corresponding to A" means that B is associated with A and that B can be determined from A. It should also be understood, however, that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
It will be understood by those skilled in the art that all or part of the steps in the methods of the embodiments described above may be completed by a program instructing related hardware. The program may be stored in a computer-readable storage medium, where the storage medium includes Read-Only Memory (ROM), Random Access Memory (RAM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), One-time Programmable Read-Only Memory (OTPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other memory such as magnetic disk memory or tape memory, or any other computer-readable medium that can be used to carry or store data.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated units, if implemented as software functional units and sold or used as a stand-alone product, may be stored in a computer-accessible memory. Based on such understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product, which is stored in a memory and includes several requests for causing a computer device (which may be a personal computer, a server, a network device, or the like, and may specifically be a processor in the computer device) to execute part or all of the steps of the methods of the embodiments of the present invention.
The method and system for identifying webpage tampering based on neural network clustering disclosed in the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the invention, and the description of the embodiments is only intended to help in understanding the method and core idea of the invention. Meanwhile, for a person skilled in the art, the specific embodiments and the scope of application may vary according to the idea of the invention. In summary, the content of this specification should not be construed as limiting the invention.

Claims (10)

1. A webpage tampering identification method based on neural network clustering is characterized by comprising the following steps:
performing characteristic analysis on the received webpage operation request, and judging whether the webpage operation request is a webpage security threat instruction or not;
if so, determining a webpage security threat type corresponding to the webpage security threat instruction, and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type;
if not, carrying out validity detection on the webpage operation request;
and blocking the webpage operation request when the validity detection fails.
2. The method for webpage tamper recognition based on neural network clustering, according to claim 1, further comprising:
performing integrity detection on the webpage files of the webpage at preset time intervals;
if the integrity detection is passed, storing the webpage file as a backup webpage file;
and if the integrity detection fails, acquiring the pre-stored backup webpage file, and restoring the webpage according to the backup webpage file.
3. The method for identifying webpage tampering based on neural network clustering according to claim 1 or 2, wherein the webpage security threat types at least include: a database injection type, a cross-site script type, a web script type, and an illegal upload type.
4. The method for identifying webpage tampering based on neural network clustering according to any one of claims 1 to 3, wherein the detecting the validity of the webpage operation request includes:
judging whether the user inputting the webpage operation request is a legal user or not;
if not, determining that the validity detection is not passed;
if the user is the legal user, judging whether the application process corresponding to the webpage operation request is a legal process;
and if the process is not the legal process, determining that the legality detection is not passed.
5. The method for identifying webpage tampering based on neural network clustering, according to claim 4, wherein when it is determined that the application process corresponding to the webpage operation request is a legal process, the method further comprises:
detecting whether the webpage operation request contains a webpage modification instruction or not;
if the webpage modification instruction is contained, detecting whether the webpage modification instruction is a legal instruction or not;
and if the instruction is not the legal instruction, blocking the webpage operation request.
6. A webpage tampering identification system based on neural network clustering is characterized by comprising:
the judging unit is used for carrying out characteristic analysis on the received webpage operation request and judging whether the webpage operation request is a webpage security threat instruction or not;
the determining unit is used for determining a webpage security threat type corresponding to the webpage security threat instruction and blocking the webpage security threat instruction according to a blocking mode corresponding to the webpage security threat type when the judging result of the judging unit is yes;
the first detection unit is used for carrying out validity detection on the webpage operation request when the judgment result of the judgment unit is negative;
and the first blocking unit is used for blocking the webpage operation request when the detection result of the first detection unit does not pass.
7. The neural network cluster-based webpage tampering identification system according to claim 6, further comprising:
the second detection unit is used for detecting the integrity of the webpage files of the webpage at preset time intervals;
the storage unit is used for storing the webpage file as a backup webpage file when the detection result of the second detection unit passes;
and the acquisition unit is used for acquiring the pre-stored backup webpage file when the detection result of the second detection unit fails, and recovering the webpage according to the backup webpage file.
8. The neural network cluster-based webpage tamper recognition system according to claim 6 or 7, wherein the webpage security threat types at least include: a database injection type, a cross-site script type, a web script type, and an illegal upload type.
9. The system for identifying webpage tampering based on neural network clustering according to any one of claims 6 to 8, wherein the first detection unit comprises:
the first judgment subunit is used for judging whether the user inputting the webpage operation request is a legal user or not;
the first determining subunit is used for determining that the validity detection fails when the judgment result of the first judging subunit is negative;
the second judging subunit is configured to, when the judgment result of the first judging subunit is yes, judge whether the application process corresponding to the web page operation request is a legal process;
and the second determining subunit is used for determining that the validity detection fails when the judgment result of the second judging subunit is negative.
10. The neural network cluster-based webpage tampering identification system according to claim 9, further comprising:
a third detecting unit, configured to detect whether the webpage operation request contains a webpage modification instruction when the judgment result of the second judging subunit is yes;
the fourth detection unit is used for detecting whether the webpage modification instruction is a legal instruction or not when the judgment result of the third detection unit is yes;
and the second blocking unit is used for blocking the webpage operation request when the judgment result of the fourth detection unit is negative.
CN202010554782.9A 2020-06-17 2020-06-17 Webpage tampering identification method and system based on neural network clustering Pending CN111953646A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010554782.9A CN111953646A (en) 2020-06-17 2020-06-17 Webpage tampering identification method and system based on neural network clustering

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010554782.9A CN111953646A (en) 2020-06-17 2020-06-17 Webpage tampering identification method and system based on neural network clustering

Publications (1)

Publication Number Publication Date
CN111953646A true CN111953646A (en) 2020-11-17

Family

ID=73337097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010554782.9A Pending CN111953646A (en) 2020-06-17 2020-06-17 Webpage tampering identification method and system based on neural network clustering

Country Status (1)

Country Link
CN (1) CN111953646A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination