CN116910751A - Information security detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116910751A
Authority
CN
China
Prior art keywords
webpage
text
information
target
type
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211397872.7A
Other languages
Chinese (zh)
Inventor
程鑫滟
王�琦
袁勇
鲁银冰
丁国伟
谢懿
陈东
陈敏时
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN202211397872.7A
Publication of CN116910751A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/957 Browsing optimisation, e.g. caching or content distillation
    • G06F16/9577 Optimising the visualization of content, e.g. distillation of HTML documents

Abstract

The embodiment of the disclosure provides an information security detection method, which is executed by a webpage client containing a preset plug-in and comprises the following steps: when a first type of operation event acting on a first webpage is monitored, acquiring a target text corresponding to a target area on the first webpage, the target area being the webpage area of the first webpage on which the first type of operation event acts; sending the target text to a server through the preset plug-in; receiving risk assessment information returned by the server; and, according to the risk assessment information, outputting risk prompt information before jumping to a second webpage based on a second type of operation acting on the target area. Compared with a user manually copying the text of the first webpage and then querying and analyzing its risk, the method can automatically detect webpage risk and give early warning, which reduces manual operation, improves the efficiency and accuracy of webpage risk detection, and improves the safety and intelligence of the user's webpage browsing.

Description

Information security detection method and device, electronic equipment and storage medium
Technical Field
The disclosure relates to, but is not limited to, the field of network security technologies, and in particular to an information security detection method, an information security detection device, an electronic device and a storage medium.
Background
With the rapid development of network technology, web pages are used more and more widely by individuals and enterprises, and the risks of accessing web pages are also increasing.
In existing webpage information security detection methods, the webpage information is either manually copied to a threat analysis platform for detection and analysis, or an application programming interface is called for detection and analysis, in order to determine information security. Detecting information security by manually copying webpage information is inefficient, while detecting it by calling an application programming interface is highly specialized and has a narrow scope of application.
Disclosure of Invention
In view of this, an embodiment of the disclosure discloses an information security detection method, an information security detection device, an electronic device and a storage medium.
According to a first aspect of embodiments of the present disclosure, there is provided an information security detection method, which is performed by a web client including a preset plug-in, the method including:
when a first type of operation event acting on a first webpage is monitored, acquiring a target text corresponding to a target area on the first webpage; the target area is the webpage area of the first webpage on which the first type of operation event acts;
sending the target text to a server through the preset plug-in;
receiving risk assessment information returned by the server;
and, according to the risk assessment information, outputting risk prompt information before jumping to a second webpage based on a second type of operation acting on the target area.
In one embodiment, when the first type of operation event acting on the first web page is monitored, obtaining the target text corresponding to the target area on the first web page includes: when monitoring a first type of operation event acting on a first webpage, determining a target mode for acquiring the target text according to event information of the first type of operation event; and obtaining the target text according to the target mode.
In one embodiment, when monitoring a first type of operation event acting on a first web page, determining a target manner of acquiring the target text according to event information of the first type of operation event includes: when a cursor hover event or a cursor selection event acting on the first webpage is monitored, extracting the text contained in the webpage tag of the first webpage over which the cursor hovers, or the text selected by the cursor.
In one embodiment, when monitoring a first type of operation event acting on a first web page, determining a target manner of acquiring the target text according to event information of the first type of operation event includes: when an operation event acting on a screenshot control on the first webpage is monitored, acquiring a screenshot of the first webpage; and identifying and obtaining texts in the screenshot of the first webpage according to the screenshot of the first webpage.
In one embodiment, when the first type of operation event acting on the first web page is monitored, obtaining the target text corresponding to the target area on the first web page includes: when a first type of operation event acting on the first webpage is monitored, acquiring a candidate text corresponding to the target area of the first webpage; and matching the candidate text against a preset regular matching expression to obtain the target text that successfully matches the preset regular matching expression.
In one embodiment, the preset regular matching expression includes: a domain name regular matching expression, used for extracting a domain name from the candidate text; an internet protocol address regular matching expression, used for extracting an internet protocol address from the candidate text; a mailbox address regular matching expression, used for extracting an email address from the candidate text; a communication identification regular matching expression, used for extracting a communication identification from the candidate text; and a file hash regular matching expression, used for extracting hash values of files from the candidate text.
In one embodiment, the method further comprises: determining whether the preset plug-in is logged in to the server; when the preset plug-in is logged in to the server, acquiring the authentication token returned after the preset plug-in logged in to the server; the sending the target text to a server through the preset plug-in comprises: sending the target text to the server through the preset plug-in according to the authentication token.
In a second aspect, an embodiment of the present disclosure provides an information security detection method, performed by a server, the method including:
receiving a target text sent by a preset plug-in of a webpage client;
performing threat analysis on the target text to obtain risk assessment information; wherein the risk assessment information is used by the preset plug-in of the webpage client to output risk prompt information;
and sending the risk assessment information to a client.
In a third aspect, an embodiment of the present disclosure provides an information security detection apparatus, the apparatus including:
the acquisition module is used for acquiring a target text corresponding to a target area on a first webpage when monitoring a first type of operation event acted on the first webpage; the target area is a webpage area where the first type of operation event acts on the first webpage;
The sending module is used for sending the target text to a server through a preset plug-in;
the receiving module is used for receiving the risk assessment information returned by the server;
and the output module is used for outputting risk prompt information before jumping to a second webpage based on the second type of operation acting on the target area according to the risk assessment information.
In a fourth aspect, an embodiment of the present disclosure provides an information security detection apparatus, the apparatus including:
the receiving module is used for receiving a target text sent by a webpage client preset plug-in;
the obtaining module is used for carrying out threat analysis on the target text to obtain risk assessment information; wherein the risk assessment information is used by the preset plug-in of the webpage client to output risk prompt information;
and the sending module is used for sending the risk assessment information to the client.
In a fifth aspect, embodiments of the present disclosure provide an electronic device, including: a processor and a memory for storing a computer program capable of running on the processor; wherein the processor, when running the computer program, performs the steps of the method of one or more of the foregoing technical solutions.
In a sixth aspect, embodiments of the present disclosure provide a computer-readable storage medium having stored thereon computer-executable instructions; the computer-executable instructions, when executed by the processor, are capable of performing the method of one or more of the foregoing aspects.
According to the information security detection method provided by the embodiments of the disclosure, the webpage client containing the preset plug-in acquires the target text of the first webpage upon monitoring the first type of operation event, obtains risk assessment information from the server using the target text, and outputs risk prompt information accordingly. Compared with a user manually copying the target text of the first webpage and manually querying and analyzing its risk, the plug-in acquires the target text automatically and the risk assessment information of the first webpage is determined by the server. This reduces manual operation, improves the efficiency and accuracy of webpage risk detection, gives timely risk warning when the first webpage is at risk, and improves the safety and intelligence of the user's webpage browsing.
Drawings
Fig. 1 is a flow chart of an information security detection method according to an embodiment of the disclosure.
Fig. 2 is a flow chart of an information security detection method according to an embodiment of the disclosure.
Fig. 3 is a flow chart of an information security detection method according to an embodiment of the disclosure.
Fig. 4 is a flow chart of an information security detection method according to an embodiment of the disclosure.
Fig. 5 is a flow chart of an information security detection method according to an embodiment of the present disclosure.
Fig. 6 is a schematic diagram of a first web page according to an embodiment of the disclosure.
Fig. 7 is a schematic diagram of a single sign-on method according to an embodiment of the disclosure.
Fig. 8 is a flowchart of an information security detection method according to an embodiment of the present disclosure.
Fig. 9 is a schematic diagram of an information security detection device according to an embodiment of the disclosure.
Fig. 10 is a schematic diagram of an information security detection device according to an embodiment of the disclosure.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present disclosure more apparent, the present disclosure will be further described in detail with reference to the accompanying drawings, and the described embodiments should not be construed as limiting the present disclosure, and all other embodiments obtained by those skilled in the art without making inventive efforts are within the scope of protection of the present disclosure.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
In the following description, the terms "first", "second", "third" and the like are merely used to distinguish similar objects and do not represent a particular ordering of the objects, it being understood that the "first", "second", "third" may be interchanged with a particular order or sequence, as permitted, to enable embodiments of the disclosure described herein to be practiced otherwise than as illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. The terminology used herein is for the purpose of describing embodiments of the present disclosure only and is not intended to be limiting of the present disclosure.
As shown in fig. 1, an embodiment of the present disclosure provides an information security detection method, which is executed by a web client including a preset plugin, and includes:
Step S101: when a first type of operation event acting on a first webpage is monitored, acquiring a target text corresponding to a target area on the first webpage; the target area is the webpage area of the first webpage on which the first type of operation event acts;
Step S102: sending the target text to a server through the preset plug-in;
Step S103: receiving risk assessment information returned by the server;
Step S104: according to the risk assessment information, outputting risk prompt information before jumping to a second webpage based on a second type of operation acting on the target area.
In one embodiment, the web pages may be text files in hypertext markup language (HTML, HyperText Markup Language) format, from which a web site may be composed; the web page client may include an application program that reads and displays web pages, such as a browser.
In one embodiment, the plug-in may be a program running on a predetermined system platform, and may include: text plug-ins, script plug-ins, or program plug-ins, etc. The preset plug-in included in the webpage client may include: browser plug-ins, and the like.
In one embodiment, the first web page may be represented according to a document object model (DOM, Document Object Model). The document object model may represent the first web page as a tree structure of at least one node, wherein the nodes may comprise: element nodes, which can include web page tags and the text contained in the web page tags; text nodes, which can include the content text corresponding to the tags; and/or attribute nodes, which can include attributes of the tags; etc.
In one embodiment, the step S101 may include: monitoring, through the preset plug-in of the webpage client, a first type of operation event applied to the first webpage by an input device; and when the first type of operation event acting on the first webpage is monitored, acquiring a target text corresponding to a target area on the first webpage.
In one embodiment, the input device may include, but is not limited to: a mouse, a keyboard, and/or a touch device, etc.
In one embodiment, the web page client may include at least one web page therein, and the first web page may include: a first webpage currently displayed; and/or the first webpage currently acted on by the input device.
The first type of operational event may include: a predetermined operation event for extracting a target text, which acts on a target area of the first web page.
In one embodiment, the listening may be performed through a programming language. By way of example, the programming language may include the JavaScript programming language, which is used for monitoring the operation events of the input device. The operation events of the input device may include: a click event of a mouse, a movement event of a mouse, a press event of a keyboard key, a release event of a keyboard key, etc.
In one embodiment, the server may be configured to perform threat analysis on the target text to obtain the risk assessment information. The server may include a server of a threat intelligence platform. The threat intelligence platform may communicate with the server at a client via a web page of the threat intelligence platform.
In one embodiment, the step S102 may include: and the preset plug-in sends a request to a server, wherein the request carries the target text.
In one embodiment, the preset plug-in may send a request carrying the target text to a server by calling an interface of the server.
In one embodiment, the risk assessment information may be used to assess whether the first web page is at risk, and the risk assessment information may include: whether threat information exists in the target text, the threat information text, the risk type and/or the risk level, etc.
The risk type may include the risk that the threat information may cause. By way of example, the risk types may include: the first webpage contains malicious links, the first webpage contains illegal information, the first webpage contains malicious attack information, and the like.
The risk level may be used to indicate the importance and urgency of the risk. Illustratively, the risk level may include: high risk, medium risk, low risk, etc. Illustratively, the degree of urgency may be divided into: very urgent, urgent and not urgent.
In one embodiment, the second web page in the step S104 may include: a second web page associated with the first web page, and the second type of operation may include a web page jump operation. Illustratively, jumping to the second web page based on the second type of operation acting on the target area may include: the target area of the first web page contains a uniform resource locator (URL, Uniform Resource Locator) of the second web page, and the jump to the second web page is made by clicking the URL.
In one embodiment, the risk prompt may include: before jumping to a second webpage based on a second type of operation acting on the target area, risk prompt information displayed through a page or a prompt box; wherein, the risk prompt information may include: picture information and/or text information, etc.
In one embodiment, the step S104 may include: if the risk assessment information determines that the first webpage has no risk, outputting first risk prompt information; the first risk prompt information is used for indicating that the first webpage is free of risk.
In one embodiment, the step S104 may further include: if the risk assessment information determines that the first webpage is at risk, outputting second risk prompt information; the second risk prompt information is used for indicating that the first webpage is at risk.
In one embodiment, the second risk prompting information may also be used to display information such as the threat information text, risk type and/or risk level in the risk assessment information.
For example, the outputting, by the preset plug-in, the second risk prompting information on the first web page may be as shown in fig. 6, and the text information of the risk prompt may be displayed through a prompt box.
Here, the preset plug-in of the webpage client monitors the first type of operation event to obtain the target text of the first webpage, obtains risk assessment information from the server using the target text, and outputs risk prompt information accordingly. Compared with a user manually copying the target text of the first webpage and manually querying and analyzing its risk, the plug-in acquires the target text automatically and the risk assessment information of the first webpage is determined by the server. This reduces manual operation, improves the efficiency and accuracy of webpage risk detection, gives timely risk warning when the first webpage is at risk, and improves the safety and intelligence of webpage browsing.
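The flow of steps S101 to S104, together with the authentication token mentioned in the summary, can be sketched as a small state machine; this is an added example, not code from the patent. The endpoint, the field names of the risk assessment information, and the policy of holding navigation until an assessment is available are assumptions.

```javascript
// Added example: endpoint, field names and hold-on-unknown policy are assumptions.
const ASSESS_URL = "https://threat-intel.example.invalid/api/assess"; // placeholder

class RiskGate {
  constructor(authToken) {
    this.authToken = authToken; // token returned when the plug-in logged in to the server
    this.entries = new Map();   // target text -> { status, info }
  }

  // S101 + S102: a first-type event (hover, selection, screenshot) yielded targetText.
  // Returns the request the plug-in should send, or says why nothing is sent.
  onFirstTypeEvent(targetText) {
    if (!this.authToken) return { action: "login-required" };
    const entry = this.entries.get(targetText);
    if (entry && entry.status !== "failed") return { action: "none" }; // cached or in flight
    this.entries.set(targetText, { status: "pending", info: null });
    return {
      action: "send",
      request: {
        url: ASSESS_URL,
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          Authorization: `Bearer ${this.authToken}`,
        },
        body: JSON.stringify({ targetText }),
      },
    };
  }

  // S103: risk assessment information returned by the server.
  // Anything that is not a well-formed reply is recorded as a failure.
  onAssessment(targetText, info) {
    const wellFormed = info !== null && typeof info === "object" &&
      typeof info.hasThreat === "boolean";
    this.entries.set(targetText, wellFormed
      ? { status: "done", info }
      : { status: "failed", info: null });
  }

  // S104: a second-type operation (a click that would open the second webpage).
  // The caller shows `prompt` (via textContent, since the text is untrusted) and
  // only follows the link when `navigate` is true.
  onSecondTypeOperation(targetText) {
    const entry = this.entries.get(targetText);
    if (!entry || entry.status !== "done") {
      return { navigate: false, level: "unknown",
               prompt: "Risk assessment unavailable; link not yet checked." };
    }
    const { hasThreat, threatText, riskType, riskLevel } = entry.info;
    if (!hasThreat) {
      return { navigate: true, level: "none", prompt: "No risk found for this link." };
    }
    return {
      navigate: false,
      level: riskLevel || "unspecified",
      prompt: `Risk detected (${riskType || "unspecified type"}): ${threatText || targetText}`,
    };
  }
}

// Walk-through on constructed data: hover, repeated hover, click before the
// reply arrives, reply, click after the reply.
function demoFlow() {
  const gate = new RiskGate("constructed-token");
  const link = "http://update.bad-site.example/setup.exe"; // constructed sample
  const first = gate.onFirstTypeEvent(link);
  const repeat = gate.onFirstTypeEvent(link);
  const early = gate.onSecondTypeOperation(link);
  gate.onAssessment(link, {
    hasThreat: true,
    threatText: "update.bad-site.example",
    riskType: "malicious link",
    riskLevel: "high",
  });
  const late = gate.onSecondTypeOperation(link);
  return { first, repeat, early, late };
}
```

In a browser plug-in, `onFirstTypeEvent` would be called from a `mouseover` or `mouseup` listener, the returned request passed to `fetch`, and `onSecondTypeOperation` called from a `click` listener that cancels the default action when `navigate` is false.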
As shown in fig. 2, in some embodiments, when a first type of operation event acting on a first web page is monitored, obtaining a target text corresponding to a target area on the first web page includes:
Step S201: when a first type of operation event acting on a first webpage is monitored, determining a target mode for acquiring the target text according to event information of the first type of operation event;
Step S202: obtaining the target text according to the target mode.
In one embodiment, the type information of the text of the first web page may include: literal (character) text and/or text in pictures, etc.
In one embodiment, the first type of operation event may include: an operation event for acquiring literal text and/or an operation event for acquiring picture text. If the first type of operation event is an operation event for acquiring literal text, the target mode for acquiring the target text is determined to be: acquiring the literal text. If the first type of operation event is an operation event for acquiring picture text, the target mode for acquiring the target text is determined to be: acquiring the picture text, and extracting the characters in the picture text.
In one embodiment, the obtaining the picture text may include: directly acquiring the picture text and/or acquiring the screenshot to acquire the picture text, etc.
In one embodiment, the method may include: and setting a text acquisition control and a picture acquisition control in the preset plugin, and determining a target mode for acquiring the target text when detecting the operation of selecting the control in the preset plugin. The picture obtaining control may include a screenshot control and the like.
In one embodiment, the method further comprises: when the loading of the first webpage is monitored to be completed, determining the type information of the text in the first webpage; and determining a target mode for acquiring the target text according to the type information of the text in the first webpage.
When the text type of the first webpage includes only literal text or only picture text, the target manner of obtaining the target text may include: acquiring the literal text according to the operation event for acquiring literal text, or acquiring the text in the picture according to the operation event for acquiring picture text.
When the text type of the first webpage includes both literal text and picture text, the target manner of acquiring the target text may include: acquiring according to the operation event for acquiring literal text and/or the operation event for acquiring picture text, etc.
In one embodiment, when the text of the first web page is nested in a Portable Document Format (PDF) file, the target text in the PDF file may be obtained according to the operation event for acquiring literal text; if the text in the PDF file cannot be obtained in that way, the target text in the PDF file may be obtained through the operation event for acquiring picture text.
In one embodiment, when monitoring a first type of operation event acting on a first web page, determining, according to event information of the first type of operation event, a target manner of acquiring the target text may include: and when the loading completion event of the first webpage is monitored, extracting all texts of the first webpage.
In one embodiment, the extracting all text of the first web page may include: text in all nodes from the root element node in the first web page is extracted according to the document object model.
In some embodiments, when monitoring a first type of operation event acting on a first web page, determining, according to event information of the first type of operation event, a target manner of acquiring the target text includes:
when a cursor hover event or a cursor selection event acting on the first webpage is monitored, extracting the text contained in the webpage tag of the first webpage over which the cursor hovers, or the text selected by the cursor.
In one embodiment, the cursor may comprise a cursor displayed by an input device.
In one embodiment, the cursor hover event may include: an event in which the cursor hovers over the target area of a web page tag of the first web page; when it occurs, the text contained in the web page tag over which the cursor hovers is extracted.
In one embodiment, the web page tags may include HTML tags. The web page tag may include: title tags, paragraph tags, and/or link tags, etc.
Illustratively, when the cursor hovers over the target area of a title tag of the first webpage, the title text contained in the title tag is extracted.
In one embodiment, the cursor hover event may further include: when the cursor hovers over the target area of a web page tag of the first webpage, determining, according to the document object model, the element node in which that web page tag is located, and extracting the text contained in that web page tag from the element node.
In one embodiment, the cursor selection event may include: an event in which characters in the first webpage are selected by the cursor. When a cursor selection event acting on the first webpage is monitored, the text of the first webpage selected by the cursor is extracted.
Illustratively, the cursor selection event may include: an operation event of pressing the left mouse button, moving the mouse and releasing the left mouse button; or an operation event of long-pressing the touch screen and dragging the cursor; or an operation event of clicking with the mouse cursor while the shift key of the keyboard is pressed.
When a cursor selection event acting on the first webpage is monitored, the text selected by the cursor is extracted, so that detection can focus on the selected text; when text recognition of the first webpage is insufficient or erroneous, the correctly selected text can still be detected and analyzed, which improves the accuracy and intelligence of acquiring the target text.
As shown in fig. 3, in some embodiments, when monitoring a first type of operation event acting on a first web page, determining, according to event information of the first type of operation event, a target manner of acquiring the target text includes:
step S301: when an operation event acting on a screenshot control on the first webpage is monitored, acquiring a screenshot of the first webpage;
step S302: and identifying and obtaining texts in the screenshot of the first webpage according to the screenshot of the first webpage.
In one embodiment, the screenshot control is included in the preset plugin. In one embodiment, when a click operation on a screenshot control on the first webpage is monitored, a screenshot operation is started, and a screenshot of the first webpage is obtained according to the screenshot operation. In one embodiment, the screenshot operation may include: pressing, moving and releasing the button of the mouse. According to the starting point coordinate position of the cursor during the pressing operation of the key of the mouse and the ending point coordinate position of the cursor during the releasing operation of the key of the mouse in the screenshot operation, a screenshot area in the first webpage can be determined, and a screenshot of the screenshot area of the first webpage is obtained.
In one embodiment, the step S301 may be implemented by the preset plug-in invoking a Canvas application program interface (Canvas API). Screenshot area information of the first webpage is determined according to the screenshot operation of the screenshot control in the preset plug-in, wherein the screenshot area information can comprise: the coordinate position of the cursor at the starting point, the coordinate position of the cursor at the end point, and the width and height of the screenshot area; the preset plug-in sends the screenshot area information to a canvas application program through the canvas application program interface; and the preset plug-in receives the screenshot of the first webpage generated by the canvas application program according to the screenshot area information. The canvas application program may also encode the screenshot of the first webpage using Base64 encoding, which represents binary data with 64 printable characters, and send the encoded screenshot of the first webpage to the preset plug-in.
In one embodiment, the step S302 may include: obtaining the text within the screenshot of the first web page by recognizing the screenshot through optical character recognition (OCR, Optical Character Recognition). In one embodiment, the step S302 may further include: recognizing the screenshot of the first webpage through an OCR interface to obtain the text of the characters in the screenshot of the first webpage.
Here, the screenshot of the first webpage is obtained by monitoring the screenshot control, and the text in the screenshot is obtained by recognizing the screenshot. Threat information can therefore be detected and warned about even when a malicious website places it inside a picture, which improves the accuracy and safety of webpage detection.
As shown in fig. 4, in some embodiments, when a first type of operation event acting on a first web page is monitored, obtaining a target text corresponding to a target area on the first web page includes:
step S401: when a first type of operation event acting on the first webpage is monitored, acquiring a candidate text corresponding to a target area of the first webpage;
step S402: matching the candidate text by using a preset regular matching expression to obtain the target text successfully matched with the preset regular matching expression.
In one embodiment, the candidate text corresponding to the target area of the first webpage may include: text obtained according to the cursor suspension event, the cursor selection event and/or the operation event of the screenshot control.
In one embodiment, the regular expression describes a string-matching pattern that can be used to check whether a string contains a certain sub-string, to replace a matching sub-string, or to take from a string a sub-string that meets a certain condition, etc.
Here, the target text is obtained by matching the candidate text against the preset regular matching expression. Setting the regular matching expression screens out, from the candidate text, the target text that is better suited to threat detection analysis; compared with manually selecting the target text for detection, this can improve the efficiency of detecting threat information and make the obtained risk assessment information more accurate.
In some embodiments, the preset regular matching expression comprises:
a domain name regular matching expression, used for extracting a domain name from the candidate text;
an internet protocol address regular matching expression, used for extracting an internet protocol address from the candidate text;
a mailbox address regular matching expression, used for extracting an email address from the candidate text;
a communication identification regular expression, used for extracting a communication identification from the candidate text;
and a file hash regular expression, used for extracting hash values of files from the candidate text.
In one embodiment, the preset regular matching expression may include: domain name regular matching expressions, internet protocol address regular matching expressions, mailbox address regular matching expressions, communication identification regular expressions and/or file hash regular expressions, and the like.
In one embodiment, the domain name in the candidate text may include: the domain name of the first webpage and/or a domain name contained in the text of the first webpage.
The internet protocol address (IP address) in the candidate text may include: an internet protocol address of the first webpage or an internet protocol address contained in the text of the first webpage.
The communication identification may include: a number identifying the user's communication, such as a telephone number, etc. The telephone number may include: a cell phone number, a fixed phone number, a satellite phone number, and/or a virtual phone number, etc.
The file hash may include: a hash value of the file calculated according to a hash algorithm; the file can be encrypted, or its integrity checked, according to the hash value of the file.
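One way to implement the regular matching step described above, as an added example that is not part of the patent: the five expressions are assumptions (the text names the categories but gives no patterns), and the phone pattern covers only mainland China mobile numbers. Matches are masked in order, so the domain expression does not report the host part of an e-mail address a second time.

```javascript
// Added example: the patent names five expression categories but gives no expressions,
// so every pattern below is an assumption of this example.
// Order matters. Each match is masked before the next pattern runs, so the loose
// domain pattern cannot re-report the host part of an e-mail address.
const PATTERNS = [
  ['email', /[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}/g],
  // IPv4 only, each octet limited to 0-255.
  ['ip', /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g],
  // Hex digests of SHA-256, SHA-1 or MD5 length.
  ['hash', /\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b/g],
  // Mainland China mobile numbers with an optional +86 prefix.
  ['phone', /(?<!\d)(?:\+?86[- ]?)?1[3-9]\d{9}(?!\d)/g],
  ['domain', /\b(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}\b/g],
];
const MAX_CANDIDATE_LENGTH = 10000; // bound regex work on untrusted page text

// Canonical form for lookups: digits only for phones, lower case for the rest.
function normalize(kind, value) {
  if (kind === 'phone') {
    return value.replace(/\D/g, '').replace(/^86(?=1[3-9]\d{9}$)/, '');
  }
  return value.toLowerCase();
}

// Returns { email, ip, hash, phone, domain }, each a de-duplicated array of target texts.
function extractTargets(candidateText) {
  let remaining = String(candidateText).slice(0, MAX_CANDIDATE_LENGTH);
  const targets = {};
  for (const [kind, pattern] of PATTERNS) {
    const seen = new Set();
    remaining = remaining.replace(pattern, (match) => {
      seen.add(normalize(kind, match));
      return ' '.repeat(match.length); // mask the span for the later patterns
    });
    targets[kind] = [...seen];
  }
  return targets;
}

// Constructed sample of hover, selection or OCR text; no value is a real indicator.
const SAMPLE_TEXT =
  'Invoice from billing@pay.example.net: open http://login.example.com/reset ' +
  '(host 203.0.113.7) or call +86 13800138000. Attachment MD5 ' +
  'D41D8CD98F00B204E9800998ECF8427E. Ignore 999.1.1.1 and build v1.2.';

console.log(extractTargets(SAMPLE_TEXT));
```

Only strings that match one of the expressions leave the browser as target text; the out-of-range address and the version string in the sample are dropped.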
In some embodiments, the method further comprises:
determining whether the preset plug-in is logged in to the server;
when the preset plugin is logged in to the server, acquiring the authentication token returned after the preset plugin logged in to the server;
the sending the target text to a server through the preset plug-in comprises the following steps:
and according to the authentication token, the target text is sent to the server through the preset plug-in.
In one embodiment, the server may comprise a server of a threat intelligence platform, and the server is accessed at a client through the threat intelligence platform.
In one embodiment, the authentication token (token) is returned after the preset plug-in logs in to the server, and the authentication token can be used for temporary identity authentication when a computer logs in to a system.
In one embodiment, the sending, by the preset plug-in, the target text to the server according to the authentication token may include: the preset plug-in sends a request to the server, where the request carries the authentication token and the target text. The authentication token may be carried in the request header (header) of the request or appended after the uniform resource locator (URL, Uniform Resource Locator) of the request.
In some embodiments, the method further comprises:
when the preset plug-in is not logged in the server, a login request is sent to the server;
and receiving and storing the authentication token returned by the server based on the login request.
In one embodiment, when the preset plugin is not logged in to the server, a login request is sent to the server, wherein the login request can include user login identity information; the server generates an authentication token according to the user login identity information and returns the authentication token; and the preset plug-in receives and stores the authentication token returned by the server based on the login request.
In one embodiment, the web client storing the authentication token may include: storing the authentication token in a cookie (data stored on the user's local terminal) or in local storage (localStorage). In one embodiment, the authentication token may be stored in the local storage (localStorage) corresponding to the domain name.
In one embodiment, single sign-on may be provided between the preset plugin and the threat intelligence platform. Single sign-on (SSO) means that, among a plurality of application systems, a user needs to log in only once to access all mutually trusted application systems. In one embodiment, a schematic diagram of single sign-on between a preset plug-in and a threat intelligence platform is shown in fig. 7.
In one embodiment, the method for logging in to the server by the preset plugin further includes: the threat intelligence platform at the webpage client sends a login request to the server; the webpage client receives and stores the authentication token returned by the server based on the login request; when the preset plug-in is not logged in to the server, the authentication token stored by the webpage client, which was returned after the threat intelligence platform logged in to the server, is acquired; and the target text is sent to the server through the preset plug-in according to the authentication token returned after the threat intelligence platform logged in to the server.
Therefore, when the threat intelligence platform is logged in to the server and the preset plug-in is not, single sign-on lets the preset plug-in communicate with the server using the authentication token returned when the threat intelligence platform logged in, without logging in again. This improves the communication efficiency between the preset plug-in and the server, and can improve the efficiency with which the preset plug-in obtains risk assessment information.
In one embodiment, when the preset plugin is logged in to the server and the threat intelligence platform is not, the threat intelligence platform may log in according to the stored authentication token returned after the preset plugin logged in to the server.
In one embodiment, the preset plug-in is installed in the web page client. In one embodiment, the web client may send a request for acquiring the preset plugin to a server, receive the preset plugin returned by the server, and install the preset plugin returned by the server.
As shown in fig. 5, an embodiment of the present disclosure provides an information security detection method, which is performed by a server, the method including:
step S501: receiving a target text sent by a preset plug-in of a webpage client;
step S502: performing threat analysis on the target text to obtain risk assessment information; wherein the risk assessment information is used by the preset plug-in of the webpage client to output risk prompt information according to the risk assessment information;
step S503: sending the risk assessment information to a client.
In one embodiment, the server may include a server for threat analysis that may provide pages of a threat intelligence platform that users access at clients.
In one embodiment, the server may receive a request sent by a preset plug-in of a web client, where the request includes the target text.
In one embodiment, the server may include a threat intelligence database. The threat intelligence database is used for storing threat intelligence information. The threat intelligence may include, but is not limited to: identification information of a threat, such as malicious IP addresses, domain names, electronic mailboxes, file hash values, program running paths and/or registry entries, etc.; or information on threat activities, such as data leakage, data tampering, security attacks, unauthorized activities and/or installation and running of malicious software.
In one embodiment, step S502 may include: the server queries the threat intelligence database according to the target text to determine whether threat information exists in the target text; if threat information exists in the target text, the server determines the risk type and the risk level that the existing threat information may cause; and the server generates risk assessment information according to whether threat information exists in the target text, the threat information text, the risk type and/or the risk level.
In one embodiment, the method further comprises: receiving a login request sent by a preset plug-in of a client or by a threat intelligence platform; generating an authentication token according to the user login identity information in the login request, where the authentication token is used for temporary identity authentication in the login of the client; and returning the authentication token to the client.
In one embodiment, the method further comprises: receiving a request carrying an authentication token and a target text sent by a preset plug-in of a client; verifying the authentication token; if the authentication token passes verification, performing threat analysis on the target text to obtain risk assessment information, and sending a response carrying the risk assessment information to the client; and if the authentication token does not pass verification, sending a response refusing service to the client.
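The token-authenticated exchange described above (login, a stored token shared for single sign-on, token verification before threat analysis, refusal on a failed check), as an added example that is not the patent's own code: the class names, the in-memory session table and the intelligence entries are assumptions, and the storage Map stands in for localStorage. The example carries the token in the request header; a token appended to the URL would also be recorded in browser history and server access logs.

```javascript
// Added example: all names are hypothetical; indicators and credentials are constructed.
const TOKEN_TTL_MS = 15 * 60 * 1000;
const LEVELS = ['none', 'low', 'medium', 'high'];
// Token bytes come from Web Crypto where present (browsers, newer Node), else Node's crypto.
function randomHex(nBytes) {
  const wc = globalThis.crypto;
  const bytes = wc && wc.getRandomValues
    ? wc.getRandomValues(new Uint8Array(nBytes))
    : require('node:crypto').randomBytes(nBytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

class ThreatIntelServer {
  constructor(intel, accounts) {
    this.intel = intel;        // Map: indicator -> { riskType, riskLevel }
    this.accounts = accounts;  // Map: user -> secret; stand-in for a real credential check
    this.sessions = new Map(); // token -> { user, expires }
    this.logins = 0;
  }

  login({ user, secret } = {}, now = Date.now()) {
    if (!this.accounts.has(user) || this.accounts.get(user) !== secret) return { status: 401 };
    const token = randomHex(32);
    this.sessions.set(token, { user, expires: now + TOKEN_TTL_MS });
    this.logins += 1;
    return { status: 200, token };
  }

  // The token is verified before any analysis; a failed check gets a refusal response.
  query({ headers = {}, body = {} } = {}, now = Date.now()) {
    const m = /^Bearer ([0-9a-f]{64})$/.exec(headers.Authorization || '');
    const session = m ? this.sessions.get(m[1]) : undefined;
    if (!session || session.expires <= now) {
      if (m) this.sessions.delete(m[1]); // forget expired tokens
      return { status: 401, error: 'invalid or expired token' };
    }
    const matches = [];
    for (const text of body.targetTexts || []) {
      const hit = this.intel.get(String(text).toLowerCase());
      if (hit) matches.push({ text, riskType: hit.riskType, riskLevel: hit.riskLevel });
    }
    const worst = matches.reduce((w, h) => Math.max(w, LEVELS.indexOf(h.riskLevel)), 0);
    const risk = { hasThreat: matches.length > 0, riskLevel: LEVELS[worst], matches };
    return { status: 200, risk };
  }
}

// Plug-in side. `storage` is a Map standing in for the localStorage entry shared by the
// plug-in and the threat intelligence platform page (the single sign-on case).
class PluginClient {
  constructor(server, storage, identity) {
    this.server = server;
    this.storage = storage;
    this.identity = identity;
  }
  loginAndStore() {
    const res = this.server.login(this.identity);
    if (res.status !== 200) { this.storage.delete('token'); return null; }
    this.storage.set('token', res.token);
    return res.token;
  }
  send(token, targetTexts) {
    const headers = { Authorization: `Bearer ${token}` };
    return this.server.query({ headers, body: { targetTexts } });
  }
  check(targetTexts) {
    let token = this.storage.get('token') || this.loginAndStore();
    if (!token) return { status: 401, error: 'login failed' };
    let res = this.send(token, targetTexts);
    if (res.status === 401) { // stored token expired or unknown: log in once, retry
      token = this.loginAndStore();
      if (token) res = this.send(token, targetTexts);
    }
    return res;
  }
}

function demo() {
  const intel = new Map([
    ['login.example.com', { riskType: 'phishing', riskLevel: 'high' }],
    ['203.0.113.7', { riskType: 'malware-host', riskLevel: 'medium' }],
  ]);
  const identity = { user: 'analyst', secret: 'constructed-secret' };
  const server = new ThreatIntelServer(intel, new Map([[identity.user, identity.secret]]));
  const shared = new Map();
  new PluginClient(server, shared, identity).loginAndStore(); // platform page logs in first
  const plugin = new PluginClient(server, shared, identity);  // plug-in reuses that token
  const flagged = plugin.check(['Login.Example.com', 'docs.example.org']);
  const clean = plugin.check(['docs.example.org']);
  const loginsBeforeExpiry = server.logins;
  const noToken = server.query({ body: { targetTexts: ['login.example.com'] } });
  const stale = { headers: { Authorization: `Bearer ${shared.get('token')}` }, body: {} };
  const expired = server.query(stale, Date.now() + TOKEN_TTL_MS + 1);
  const relogin = plugin.check(['203.0.113.7']); // 401, then one new login and a retry
  const loginsAfterRetry = server.logins;
  return { flagged, clean, noToken, expired, relogin, loginsBeforeExpiry, loginsAfterRetry };
}

console.log(JSON.stringify(demo(), null, 2));
```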
In one embodiment, a flow of information security detection may be as shown in fig. 8, and the steps may include:
step a, a browser plug-in of a webpage client monitors, by means of monitors, a first type of operation event acted on a first webpage by a user; wherein step a may include: step a1, monitoring a cursor suspension event with a suspension monitor; step a2, monitoring a cursor selection event with a cursor selection monitor; step a3, monitoring an operation event of the screenshot control with a screenshot monitor;
step b, when the browser plug-in monitors a first type of operation event acting on the first webpage, acquiring a target text corresponding to a target area on the first webpage; wherein step b may include:
step b1, when a cursor suspension event acting on the first webpage is monitored, acquiring the text contained in the webpage label corresponding to the cursor suspension of the first webpage;
step b2, when a cursor selection event acting on the first webpage is monitored, acquiring the text selected by the cursor;
step b31, when an operation event acting on a screenshot control on the first webpage is monitored, obtaining a screenshot of the first webpage;
step b32, obtaining the text in the screenshot of the first webpage through optical character recognition (OCR) according to the screenshot of the first webpage;
step c, performing regular matching on the obtained text to obtain a target text; wherein the target text includes: domain name, IP address, mailbox address, communication identification, file hash, etc.;
step d, the browser plug-in sends the target text to a server;
step e, the server receives the target text;
step f, the server performs query analysis through a threat intelligence database according to the target text to obtain risk assessment information, and sends the risk assessment information to the browser plug-in;
step g, the browser plug-in receives the risk assessment information and outputs risk prompt information according to the risk assessment information.
As shown in fig. 9, an embodiment of the present disclosure provides an information security detection apparatus, including:
an acquisition module 10 for: when monitoring a first type of operation event acting on a first webpage, acquiring a target text corresponding to a target area on the first webpage; the target area is a webpage area where the first type of operation event acts on the first webpage;
A transmitting module 20 for: the target text is sent to a server through a preset plug-in;
the receiving module 30 is configured to receive risk assessment information returned by the server;
an output module 40 for: and according to the risk assessment information, outputting risk prompt information before skipping to a second webpage based on a second type of operation acting on the target area.
In one embodiment, the apparatus further comprises: a determining module 50 and an obtaining module 60; the determining module 50 is configured to: when monitoring a first type of operation event acting on a first webpage, determine a target mode for acquiring the target text according to event information of the first type of operation event; the obtaining module 60 is configured to: obtain the target text according to the target mode.
In one embodiment, the apparatus further comprises: an extraction module 70; the extraction module 70 is configured to: when a cursor suspension event or a cursor selection event acting on the first webpage is monitored, extracting text contained in a webpage label corresponding to cursor suspension of the first webpage or text selected by the cursor.
In one embodiment, the acquisition module 10 is further configured to: when an operation event acting on a screenshot control on the first webpage is monitored, acquiring a screenshot of the first webpage; the obtaining module 60 is further configured to: and identifying and obtaining texts in the screenshot of the first webpage according to the screenshot of the first webpage.
In one embodiment, the acquisition module 10 is further configured to: when a first type of operation event acting on the first webpage is monitored, acquiring an alternative text corresponding to a target area of the first webpage; the obtaining module 60 is further configured to: and matching the candidate text by using a preset regular matching expression to obtain the target text successfully matched with the preset regular matching expression.
In one embodiment, the determining module 50 is further configured to: determine whether the preset plug-in is logged in to the server; the acquisition module 10 is further configured to: when the preset plugin is logged in to the server, acquire the authentication token returned after the preset plugin logged in to the server; the sending module 20 is further configured to: send the target text to the server through the preset plug-in according to the authentication token.
In one embodiment, the sending module 20 is further configured to send the login request to the server when the preset plugin is not logged in to the server; the receiving module 30 is further configured to receive and store the authentication token returned by the server based on the login request.
As shown in fig. 10, an embodiment of the present disclosure provides an information security detection apparatus, including:
the receiving module 110 is configured to receive a target text sent by a preset plug-in of a web page client;
the obtaining module 120 is configured to: threat analysis is carried out on the target text, and risk assessment information is obtained; wherein the risk assessment information is for: the preset plug-in of the webpage client outputs risk prompt information according to the risk assessment information;
and the sending module 130 is configured to send the risk assessment information to a client.
It should be noted that, as those skilled in the art may understand, the methods provided in the embodiments of the present disclosure may be performed alone or together with some methods in the embodiments of the present disclosure or some methods in the related art.
The embodiment of the disclosure also provides an electronic device, which includes: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor, when running the computer program, performs the steps of the method of one or more of the foregoing technical solutions.
Embodiments of the present disclosure also provide a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, enable implementation of the method according to one or more of the foregoing technical solutions.
The computer storage medium provided in this embodiment may be a non-transitory storage medium. In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division of the units is only a division by logical function, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the various components shown or discussed may be coupled, directly coupled or communicatively coupled to each other; the indirect coupling or communicative coupling between devices or units may be through some interfaces, and may be electrical, mechanical or in other forms.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing module, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
In some cases, any two of the above technical features may be combined into a new method technical solution where they do not conflict.
In some cases, any two of the above technical features may be combined into a new device technical solution where they do not conflict.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, or the like, which can store program codes.
The foregoing is merely specific embodiments of the disclosure, but the protection scope of the disclosure is not limited thereto; any changes or substitutions that a person skilled in the art can easily think of within the technical scope of the disclosure shall be covered by the protection scope of the disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (12)

1. An information security detection method, which is executed by a web client including a preset plugin, the method comprising:
when monitoring a first type of operation event acting on a first webpage, acquiring a target text corresponding to a target area on the first webpage; the target area is a webpage area of the first webpage acted by the first type of operation event;
the target text is sent to a server through the preset plug-in;
receiving risk assessment information returned by the server;
and according to the risk assessment information, outputting risk prompt information before skipping to a second webpage based on a second type of operation acting on the target area.
2. The method of claim 1, wherein the obtaining the target text corresponding to the target area on the first web page when monitoring the first type of operation event acting on the first web page comprises:
when monitoring a first type of operation event acting on a first webpage, determining a target mode for acquiring the target text according to event information of the first type of operation event;
and obtaining the target text according to the target mode.
3. The method according to claim 2, wherein determining, when monitoring a first type of operation event acting on a first web page, a target manner of acquiring the target text according to event information of the first type of operation event includes:
when a cursor suspension event or a cursor selection event acting on the first webpage is monitored, extracting the text contained in the webpage label corresponding to the cursor suspension of the first webpage or the text selected by the cursor.
4. The method according to claim 2, wherein determining, when monitoring a first type of operation event acting on a first web page, a target manner of acquiring the target text according to event information of the first type of operation event includes:
when an operation event acting on a screenshot control on the first webpage is monitored, acquiring a screenshot of the first webpage;
and identifying and obtaining texts in the screenshot of the first webpage according to the screenshot of the first webpage.
5. The method of claim 1, wherein when a first type of operation event acting on a first web page is monitored, the obtaining target text corresponding to a target area on the first web page comprises:
when a first type of operation event acting on the first webpage is monitored, acquiring a candidate text corresponding to a target area of the first webpage;
and matching the candidate text by using a preset regular matching expression to obtain the target text successfully matched with the preset regular matching expression.
6. The method of claim 5, wherein the pre-set regular matching expression comprises:
a domain name regular matching expression, used for extracting a domain name from the candidate text;
an internet protocol address regular matching expression, used for extracting an internet protocol address from the candidate text;
a mailbox address regular matching expression, used for extracting an email address from the candidate text;
a communication identification regular expression, used for extracting a communication identification from the candidate text;
and a file hash regular expression, used for extracting hash values of files from the candidate text.
7. The method according to claim 1, wherein the method further comprises:
determining whether the preset plug-in is logged in to the server;
when the preset plugin is logged in to the server, acquiring the authentication token returned after the preset plugin logged in to the server;
the sending the target text to a server through the preset plug-in comprises the following steps:
and according to the authentication token, the target text is sent to the server through the preset plug-in.
8. A method of message security detection performed by a server, the method comprising:
receiving a target text sent by a preset plug-in of a webpage client;
threat analysis is carried out on the target text, and risk assessment information is obtained; wherein the risk assessment information is for: the preset plug-in of the webpage client outputs risk prompt information according to the risk assessment information;
and sending the risk assessment information to a client.
9. An information security detection device, the device comprising:
the acquisition module is used for acquiring a target text corresponding to a target area on a first webpage when monitoring a first type of operation event acted on the first webpage; the target area is a webpage area where the first type of operation event acts on the first webpage;
the sending module is used for sending the target text to a server through a preset plug-in;
the receiving module is used for receiving the risk assessment information returned by the server;
and the output module is used for outputting risk prompt information before jumping to a second webpage based on the second type of operation acting on the target area according to the risk assessment information.
10. An information security detection device, the device comprising:
the receiving module is used for receiving a target text sent by a webpage client preset plug-in;
the obtaining module is used for carrying out threat analysis on the target text to obtain risk assessment information; wherein the risk assessment information is for: the preset plug-in of the webpage client outputs risk prompt information according to the risk assessment information;
and the sending module is used for sending the risk assessment information to the client.
11. An electronic device, the electronic device comprising: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor, when running the computer program, performs the steps of the information security detection method of any of claims 1 to 8.
12. A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions; the computer-executable instructions, when executed by a processor, implement the information security detection method of any one of claims 1 to 8.
CN202211397872.7A 2022-11-09 2022-11-09 Information security detection method and device, electronic equipment and storage medium Pending CN116910751A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211397872.7A CN116910751A (en) 2022-11-09 2022-11-09 Information security detection method and device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN116910751A true CN116910751A (en) 2023-10-20

Family

ID=88363439



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination