CN117290845A - Webpage tampering detection method and device and computer readable storage medium - Google Patents

Publication number
CN117290845A
Authority
CN
China
Prior art keywords
page
image
comparison result
dynamic
images
Prior art date
Legal status
Pending
Application number
CN202311590921.3A
Other languages
Chinese (zh)
Inventor
马丽
赵磊
刘百川
Current Assignee
Cctv International Network Co ltd
Original Assignee
Cctv International Network Co ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06V: IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00: Arrangements for image or video recognition or understanding
    • G06V10/70: Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/74: Image or video pattern matching; Proximity measures in feature spaces

Abstract

The invention discloses a method and a device for detecting webpage tampering and a computer readable storage medium. The method comprises the following steps: acquiring a first image set of a standard page of a target webpage and acquiring a second image set of a real page of the target webpage, wherein the first image set and the second image set are both composed of images of a static area of the page and images of a dynamic area of the page; comparing the static area of the standard page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result; comparing the dynamic region of the standard page with the dynamic region of the real page according to the first image set and the second image set to obtain a second comparison result; and determining whether the target webpage is tampered according to the first comparison result and the second comparison result. The invention solves the technical problem that more system resources are occupied when webpage tamper-proof detection is carried out in the related technology.

Description

Webpage tampering detection method and device and computer readable storage medium
Technical Field
The present invention relates to the field of internet, and in particular, to a method and apparatus for detecting web page tampering, and a computer readable storage medium.
Background
With the rapid development of the internet, the importance of websites is more and more prominent. At present, network attackers often attack websites by means of tampering with website contents, destroying website systems, stealing website information and the like, so that great losses are caused to website operation. Tampering with website content is one of the common attack methods for attackers, so how to effectively protect website security and prevent website tampering becomes an important problem in the field of internet security.
At present, the related art generally detects web page tampering with resource-intensive approaches such as cloud platforms, blockchains, and multi-module systems. These approaches occupy considerable system resources, cannot be run on a large number of terminals, and are easily bypassed by an attacker, which weakens the security protection of a website.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting webpage tampering and a computer readable storage medium, which at least solve the technical problem that more system resources are occupied when webpage tamper detection is performed in the related technology.
According to an aspect of an embodiment of the present invention, there is provided a method for detecting tampering of a web page, including: acquiring a first image set of a standard page of a target webpage and acquiring a second image set of a real page of the target webpage, wherein the first image set and the second image set are both composed of images of a static area of the page and images of a dynamic area of the page; comparing the static area of the standard page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result; comparing the dynamic region of the standard page with the dynamic region of the real page according to the first image set and the second image set to obtain a second comparison result; and determining whether the target webpage is tampered according to the first comparison result and the second comparison result.
Further, the method for detecting webpage tampering further comprises the following steps: capturing images of the standard page multiple times to obtain a plurality of standard page images; extracting an image belonging to the static area of the standard page from any one standard page image to obtain a first image; for each dynamic region of the standard page, extracting images belonging to the dynamic region from the plurality of standard page images to obtain a plurality of second images matched with the dynamic region; the first image and the second images matched with all dynamic regions form the first image set.
Further, the method for detecting webpage tampering further comprises the following steps: capturing images of the real page multiple times to obtain a plurality of real page images; extracting an image belonging to the static area of the real page from any one real page image to obtain a third image; for each dynamic region of the real page, extracting images belonging to the dynamic region from the plurality of real page images to obtain a plurality of fourth images matched with the dynamic region; the third image and the fourth images matched with all dynamic regions form the second image set.
Further, the method for detecting webpage tampering further comprises the following steps: comparing pixel values of pixels in the same position in the first image and the third image to obtain a first sub-comparison result corresponding to each position; and determining a first comparison result according to all the first sub-comparison results, wherein the first comparison result is used for representing whether the static area of the standard page is identical to the static area of the real page.
Further, the method for detecting webpage tampering further comprises the following steps: for each dynamic region of the real page, determining a target dynamic region matched with the dynamic region of the real page from the dynamic regions of the standard page; comparing each second image matched with the target dynamic region with each fourth image matched with the dynamic region of the real page to obtain a second sub-comparison result between each second image and each fourth image; and determining a second comparison result according to the second sub-comparison results of all the fourth images.
Further, the method for detecting webpage tampering further comprises the following steps: judging whether a target sub-comparison result exists among the second sub-comparison results of each fourth image, wherein the target sub-comparison result indicates that the fourth image is identical to a second image; if every fourth image has a corresponding target sub-comparison result, determining that the second comparison result indicates that the dynamic area of the standard page is the same as the dynamic area of the real page; and if a fourth image has no corresponding target sub-comparison result, determining that the second comparison result indicates that the dynamic area of the standard page is different from the dynamic area of the real page.
Further, the method for detecting webpage tampering further comprises the following steps: if the first comparison result indicates that the static area of the standard page is the same as the static area of the real page, and the second comparison result indicates that the dynamic area of the standard page is the same as the dynamic area of the real page, determining that the target webpage is not tampered with; if the first comparison result indicates that the static area of the standard page is different from the static area of the real page, or the second comparison result indicates that the dynamic area of the standard page is different from the dynamic area of the real page, determining that the target webpage is tampered with.
Further, the method for detecting webpage tampering further comprises the following steps: after determining whether the target webpage is tampered according to the first comparison result and the second comparison result, acquiring a new second image set of the real page of the target webpage under the condition that the time interval between the target time point and the reference time point reaches a preset value, wherein the reference time point is the time point of acquiring the second image set; and determining whether the target webpage is tampered according to the new second image set and the first image set.
According to another aspect of the embodiment of the present invention, there is also provided a device for detecting tampering of a web page, including: the first acquisition module is used for acquiring a first image set of a standard page of the target webpage and acquiring a second image set of a real page of the target webpage, wherein the first image set and the second image set are both composed of images of a static area of the page and images of a dynamic area of the page; the first comparison module is used for comparing the static area of the standard page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result; the second comparison module is used for comparing the dynamic area of the standard page with the dynamic area of the real page according to the first image set and the second image set to obtain a second comparison result; the first determining module is used for determining whether the target webpage is tampered or not according to the first comparison result and the second comparison result.
According to another aspect of the embodiments of the present invention, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is configured to execute the above method for detecting web page tampering when running.
In the embodiment of the invention, whether a webpage is tampered with is determined by comparing the dynamic areas and static areas of the standard page and the real page according to page images. A first image set of the standard page of the target webpage and a second image set of the real page of the target webpage are acquired; the static area of the standard page is compared with the static area of the real page according to the first image set and the second image set to obtain a first comparison result; the dynamic area of the standard page is compared with the dynamic area of the real page according to the first image set and the second image set to obtain a second comparison result; and whether the target webpage is tampered with is determined according to the first comparison result and the second comparison result.
In the above process, whether the target webpage is tampered with is determined by acquiring the first image set and the second image set and comparing them. The only computation involved is image comparison and the only stored content is page images, so the method occupies relatively little storage space and few system resources and is convenient to deploy on any number of network terminals to form multi-terminal detection. In addition, determining whether the target webpage is tampered with by image comparison improves the accuracy of webpage tampering detection, and avoids the missed and false detections that arise when judging by webpage elements, because the information represented by webpage elements may differ from the actual content of the webpage.
Therefore, the scheme provided by the application achieves the purpose of comparing the dynamic area and the static area of the standard page and the real page according to the page image so as to determine whether the webpage is tampered, thereby realizing the technical effect of reducing occupied system resources, and further solving the technical problem that more system resources are occupied when webpage tamper-proof detection is carried out in the related technology.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a flowchart of an alternative method for detecting web page tampering according to an embodiment of the invention;
FIG. 2 is a second flowchart of an alternative method for detecting tampering with a web page according to an embodiment of the invention;
FIG. 3 is a schematic diagram of an alternative device for detecting tampering with a web page according to an embodiment of the invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related region, and provide corresponding operation entries for the user to select authorization or rejection.
Example 1
According to an embodiment of the present invention, there is provided an embodiment of a method for detecting tampering of a web page, it being noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from that herein.
FIG. 1 is a flowchart of an alternative method for detecting web page tampering according to an embodiment of the invention. As shown in FIG. 1, the method includes the following steps:
Step S101, a first image set of a standard page of a target webpage is obtained, and a second image set of a real page of the target webpage is obtained, wherein the first image set and the second image set are both composed of images of a static area of the page and images of a dynamic area of the page.
Alternatively, an electronic device, an application system, a server, or the like may be used as the execution subject of the present application. In the present embodiment, the target detection system is taken as the execution subject that acquires the first image set and the second image set described above.
In an optional application scenario, the target detection system may be applied to each terminal of a target organization, where the target webpage may be developed by the target organization, and the target detection system detects whether the target webpage is tampered with, so as to ensure security when staff of the target organization access the target webpage. Alternatively, the standard page may be pre-specified by the relevant staff, the first image set may include a first image matching the static region of the standard page and a plurality of second images matching the respective dynamic regions of the standard page, and the second image set may include a third image matching the static region of the real page and a plurality of fourth images matching the respective dynamic regions of the real page. Different second images among the plurality of second images matched with the same dynamic region of the standard page belong to different image frames, and different fourth images among the plurality of fourth images matched with the same dynamic region of the real page belong to different image frames.
Step S102, comparing the static area of the standard page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result.
Optionally, the target detection system may compare images matched with the static area in the first image set and the second image set, that is, compare the first image and the third image, to obtain a first comparison result. The first comparison result is at least used for representing whether the static area of the standard page and the static area of the real page are the same, the first comparison result can contain difference information between the static area of the standard page and the static area of the real page, and the difference information can be used for indicating pixel positions with different pixel values.
For example, the target detection system may input the first image and the third image into a pre-trained image processing model, and then compare the first image and the third image through the image processing model, thereby obtaining the first comparison result. For another example, the target detection system may also compare the pixel values of pixels at the same position in the first image and the third image, so as to determine the first comparison result according to the comparison result of the pixel values at each position.
Step S103, comparing the dynamic region of the standard page with the dynamic region of the real page according to the first image set and the second image set to obtain a second comparison result.
Optionally, the target detection system may compare the images matched with the dynamic region in the first image set and the second image set, that is, compare the second image and the fourth image, to obtain a second comparison result. The second comparison result is at least used for representing whether the dynamic area of the standard page is the same as the dynamic area of the real page. The second comparison result may contain difference information between the dynamic region of the standard page and the dynamic region of the real page.
For example, for each fourth image, the target detection system may compare the fourth image with all the second images, and then determine the second comparison result according to the comparison results corresponding to all the fourth images. For another example, for each fourth image, the target detection system may first screen out, from all the second images, the second images corresponding to the dynamic area to which the fourth image belongs, and then compare the fourth image with each screened-out second image, so as to determine the second comparison result according to the comparison results corresponding to all the fourth images.
Optionally, in determining the second comparison result, the dynamic area of the standard page and the dynamic area of the real page may be determined to be the same when the comparison results show that every fourth image has a second image identical to it, and may be determined to be different when the comparison results show that a fourth image has no second image identical to it.
Step S104, determining whether the target webpage is tampered according to the first comparison result and the second comparison result.
For example, if the static area and the dynamic area of the standard page are determined to be the same as the static area and the dynamic area of the real page according to the first comparison result and the second comparison result, the target webpage is determined to be not tampered, otherwise, the target webpage is determined to be tampered.
For another example, if it is determined from the first comparison result that the content of the difference information between the static area of the standard page and the static area of the real page belongs to preset negligible content, the target webpage is determined not to be tampered with; otherwise, the target webpage is determined to be tampered with.
Optionally, after determining that the target web page is tampered, the target detection system may generate a page tampering alert signal to notify website management personnel, so as to maintain the security of the target web page in time.
Based on the scheme defined in steps S101 to S104, the embodiment of the present invention determines whether a webpage is tampered with by comparing the dynamic areas and static areas of the standard page and the real page according to page images. A first image set of the standard page of the target webpage and a second image set of the real page of the target webpage are acquired; the static area of the standard page is compared with the static area of the real page according to the first image set and the second image set to obtain a first comparison result; the dynamic area of the standard page is compared with the dynamic area of the real page according to the first image set and the second image set to obtain a second comparison result; and whether the target webpage is tampered with is determined according to the first comparison result and the second comparison result.
In the above process, whether the target webpage is tampered with is determined by acquiring the first image set and the second image set and comparing them. The only computation involved is image comparison and the only stored content is page images, so the method occupies relatively little storage space and few system resources and is convenient to deploy on any number of network terminals to form multi-terminal detection. In addition, determining whether the target webpage is tampered with by image comparison improves the accuracy of webpage tampering detection, and avoids the missed and false detections that arise when judging by webpage elements, because the information represented by webpage elements may differ from the actual content of the webpage.
Therefore, the scheme provided by the application achieves the purpose of comparing the dynamic area and the static area of the standard page and the real page according to the page image so as to determine whether the webpage is tampered, thereby realizing the technical effect of reducing occupied system resources, and further solving the technical problem that more system resources are occupied when webpage tamper-proof detection is carried out in the related technology.
In an optional embodiment, in the process of acquiring the first image set of the standard page of the target webpage, the target detection system may perform image capturing on the standard page for multiple times, obtain multiple standard page images, extract images belonging to static areas of the standard page from any one standard page image, obtain the first image, extract, for each dynamic area of the standard page, images belonging to the dynamic area from multiple standard page images, obtain multiple second images matched with the dynamic area, so that the first image set is formed by the first image and the second images matched with all the dynamic areas.
Optionally, the target detection system may use a screenshot tool to capture the standard page multiple times, so as to obtain multiple standard page images. If the standard page is too large to be displayed completely in the display window, the screenshot tool may use a scrolling screenshot to capture the complete standard page. In addition, the aforementioned multiple captures may be performed at a preset frequency, for example, once every second.
Optionally, in order to ensure that all images of each dynamic area of the standard page are captured during the multiple captures, the target detection system may set the preset frequency to a relatively small value and, after each screenshot, compare the newly obtained standard page image with the first standard page image. When the newly obtained standard page image is the same as the first standard page image and a target standard page image exists between the newly obtained standard page image and the first standard page image, the system determines that the standard page is not to be captured any further. A target standard page image is a standard page image different from the first standard page image. Optionally, the target detection system may also acquire a manually preset number of captures and capture frequency, and capture the plurality of standard page images accordingly.
Optionally, after obtaining the plurality of standard page images, since the content of the static area of the standard page remains unchanged all the time, the target detection system may extract an image belonging to the static area of the standard page from any one standard page image, to obtain the first image. Further, since the content of a dynamic region of the standard page is always changing, for each dynamic region of the standard page, the target detection system may extract an image belonging to the dynamic region from each standard page image, so as to obtain a plurality of second images matched with the dynamic region. Different second images among the plurality of second images matched with the same dynamic region of the standard page belong to different image frames.
The static area and the dynamic area of the standard page can be marked in advance, the target detection system can extract the standard page image according to the coordinate information matched with the static area to obtain a first image, and extract the standard page image according to the coordinate information matched with the dynamic area to obtain a second image. The coordinate information may include the coordinate values of the respective vertices of the corresponding static region or dynamic region.
It should be noted that, by extracting the first image and the second image from the standard page image, effective distinction of the content in the static area and the dynamic area of the standard page is achieved, so that accurate first comparison result and accurate second comparison result can be obtained conveniently.
In an alternative embodiment, in the process of acquiring the second image set of the real page of the target webpage, the target detection system may perform image capturing on the real page for multiple times to obtain multiple real page images, then extract an image belonging to a static area of the real page from any one real page image to obtain a third image, extract an image belonging to a dynamic area from multiple real page images for each dynamic area of the real page to obtain multiple fourth images matched with the dynamic area, so that the third image and the fourth images matched with all the dynamic areas form the second image set.
Optionally, the target detection system may use a screenshot tool to perform multiple image capturing on the real page, so as to obtain multiple real page images. Before intercepting the real page, the target detection system can judge whether the page resolution of the real page is the same as the page resolution of the standard page, so that the page resolution of the real page is firstly adjusted to be the same as the page resolution of the standard page under the condition of different values, and then image interception is carried out. In the case where the real page is too large to be displayed in its entirety on the display window, the screenshot tool may employ a scrolling screenshot to intercept the entire real page. In addition, the aforementioned multi-image capturing may be performed at a predetermined frequency, for example, once every second.
Optionally, in order to ensure that all images of each dynamic area of the real page can be effectively intercepted in the process of intercepting the images for multiple times, the target detection system may set the preset frequency to be relatively smaller, and compare the obtained real page image with the image in the first real page image after each screenshot until the obtained real page image is the same as the first real page image, and determine that the image interception is not performed on the real page any more under the condition that the target real page image exists between the obtained real page image and the first real page image. Wherein the target real page image refers to a real page image different from the first real page image. Optionally, the target detection system may also directly capture multiple real page images according to a manner of capturing multiple standard page images.
Optionally, after obtaining the plurality of real page images, since the content of the static area of the real page remains unchanged throughout, the target detection system may extract an image belonging to the static area of the real page from any one real page image to obtain the third image. Further, since the content of a dynamic region of the real page changes continually, for each dynamic region of the real page, the target detection system may extract an image belonging to that dynamic region from each real page image, obtaining a plurality of fourth images matched with the dynamic region. Different fourth images among the plurality of fourth images matched with the same dynamic region of the real page belong to different image frames.
The coordinate information of static region matching in the standard page can be determined as the coordinate information of static region matching in the real page, and the coordinate information of dynamic region matching in the standard page is determined as the coordinate information of dynamic region matching in the real page, so that a third image and a fourth image are extracted according to the coordinate information.
It should be noted that, by extracting the third image and the fourth image from the image of the real page, effective distinction of the content in the static area and the dynamic area of the real page is achieved, so that accurate first comparison result and accurate second comparison result can be obtained conveniently.
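The capture stop rule and the coordinate-based extraction described above can be sketched as follows. This is an added example, not code from the patent; the frame representation, the region boxes, the `max_shots` cap and the de-duplication of repeated frames are assumptions made for illustration.

```python
# Added example (not from the patent): capture frames until the dynamic
# content has cycled, then split them into region images by coordinates.
# A frame is a list of pixel rows; a box is (left, top, right, bottom) with
# right/bottom exclusive. All names, boxes and pixel values are constructed.

STATIC_BOX = (0, 0, 6, 2)        # assumed static header area
DYNAMIC_BOXES = [(0, 2, 6, 4)]   # assumed rotating banner area


def make_frame(banner_value):
    """Build a constructed 6x4 screenshot: fixed header, variable banner."""
    header = [[1] * 6, [2] * 6]
    banner = [[banner_value] * 6 for _ in range(2)]
    return header + banner


def simulated_page(banner_values):
    """Return a take_screenshot() callable that replays constructed frames."""
    values = iter(banner_values)
    return lambda: make_frame(next(values))


def crop(frame, box):
    left, top, right, bottom = box
    return [row[left:right] for row in frame[top:bottom]]


def capture_until_cycle(take_screenshot, max_shots=50):
    """Capture until a frame equals the first frame AND a different frame
    was seen in between. max_shots is an added safety cap: a page with no
    changing content never produces a different frame, so the stop rule
    alone would never fire."""
    frames = [take_screenshot()]
    seen_different = False
    for _ in range(max_shots - 1):
        frame = take_screenshot()
        if frame == frames[0]:
            if seen_different:
                return frames      # cycle closed; the repeat is not stored
            continue               # content has not changed yet, keep polling
        seen_different = True
        if frame not in frames:    # sampling faster than the rotation
            frames.append(frame)   # yields repeats; keep one copy of each
    return frames


def build_image_set(frames, static_box, dynamic_boxes):
    """Static image from any one frame; per dynamic box, one image per
    distinct frame content, keyed by the box coordinates."""
    static_image = crop(frames[0], static_box)
    dynamic_images = {}
    for box in dynamic_boxes:
        images = []
        for frame in frames:
            image = crop(frame, box)
            if image not in images:
                images.append(image)
        dynamic_images[box] = images
    return {"static": static_image, "dynamic": dynamic_images}


if __name__ == "__main__":
    shots = simulated_page([7, 7, 8, 8, 9, 9, 7, 7, 8])
    captured = capture_until_cycle(shots)
    image_set = build_image_set(captured, STATIC_BOX, DYNAMIC_BOXES)
    print(len(captured), "distinct frames;",
          len(image_set["dynamic"][DYNAMIC_BOXES[0]]), "banner images")
```

Because the same boxes are used for the standard page and the real page, any layout shift in the real page surfaces as a pixel difference rather than as a missing region.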
In an alternative embodiment, the first image set includes a first image matched with the static area of the canonical page, the second image set includes a third image matched with the static area of the real page, and in the process of comparing the static area of the canonical page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result, the target detection system may compare pixel values of pixels in the same position in the first image and the third image to obtain a first sub-comparison result corresponding to each position, and determine the first comparison result according to all the first sub-comparison results, where the first comparison result is used to represent whether the static area of the canonical page is the same as the static area of the real page.
Optionally, each first sub-comparison result represents whether the pixel values of the pixels at the current position in the first image and the third image are the same. If all the first sub-comparison results indicate that the pixel values at the current position are the same in the first image and the third image, the target detection system may determine that the first comparison result represents that the static area of the standard page is the same as the static area of the real page. Otherwise, if any first sub-comparison result indicates that the pixel values at the current position differ between the first image and the third image, it determines that the first comparison result represents that the static area of the standard page is different from the static area of the real page.
It should be noted that, by comparing the pixel values of the pixels at each position in the image to determine the first comparison result, accurate determination of the first comparison result is achieved.
In an alternative embodiment, the first image set includes a plurality of second images matched with respective dynamic areas of the canonical page, the second image set includes a plurality of fourth images matched with respective dynamic areas of the real page, where in comparing the dynamic areas of the canonical page and the dynamic areas of the real page according to the first image set and the second image set to obtain a second comparison result, the target detection system may determine, for each dynamic area of the real page, a target dynamic area matched with the dynamic area of the real page from the dynamic areas of the canonical page, and then, for each fourth image matched with the dynamic area of the real page, compare each second image matched with the target dynamic area with the fourth image to obtain a second sub comparison result between each second image and the fourth image, thereby determining a second comparison result according to the second sub comparison result of all the fourth images.
Alternatively, for each dynamic region of the real page, the target detection system may determine, from all dynamic regions of the canonical page, a target dynamic region matching the dynamic region of the real page according to the coordinate information. For example, if the vertex coordinate values of a dynamic region of the canonical page are the same as those of the dynamic region of the real page, the dynamic region of the canonical page is determined to be the target dynamic region.
For each fourth image matched with the dynamic region of the real page, a plurality of second sub-comparison results are matched with the fourth image, different second sub-comparison results matched with the same fourth image correspond to different second images in the target dynamic region, and the second sub-comparison results are used for representing whether the fourth image is identical to the current second image or not.
Optionally, the target detection system may compare the pixel values of the pixels at the same positions in the fourth image and the second image. If the pixel values at all the same positions are the same, the second sub-comparison result represents that the fourth image is the same as the current second image; otherwise, if the pixel values at some same position differ, the second sub-comparison result represents that the fourth image is different from the current second image.
Optionally, the target detection system may determine a second comparison result according to the second sub-comparison results of all the fourth images.
It should be noted that, by matching the dynamic area of the standard page with the dynamic area of the real page, and comparing the images in the two matched dynamic areas, the accuracy of the second comparison result is improved, and meanwhile, the problem of low detection efficiency existing in comparing the fourth image with all the second images is avoided.
In an alternative embodiment, in determining the second comparison result according to the second sub-comparison results of all the fourth images, the target detection system may determine, for each fourth image, whether a target sub-comparison result exists among the second sub-comparison results of that fourth image, where a target sub-comparison result represents that the fourth image is the same as a second image. If every fourth image has a corresponding target sub-comparison result, it is determined that the second comparison result represents that the dynamic area of the standard page is the same as the dynamic area of the real page; if any fourth image has no corresponding target sub-comparison result, it is determined that the second comparison result represents that the dynamic area of the standard page is different from the dynamic area of the real page.
Optionally, when every fourth image has a corresponding target sub-comparison result, all the dynamic areas of the real page are determined to be the same as the dynamic areas of the standard page, and therefore the second comparison result is determined to represent that the dynamic area of the standard page is the same as the dynamic area of the real page. Conversely, when a fourth image has no corresponding target sub-comparison result, the dynamic area of the real page is determined to be different from the dynamic area of the standard page, and therefore the second comparison result is determined to represent that the dynamic area of the standard page is different from the dynamic area of the real page.
It should be noted that, by determining the second comparison result according to the second sub-comparison results of all the fourth images, accurate determination of the second comparison result is achieved.
In an alternative embodiment, in determining whether the target webpage is tampered according to the first comparison result and the second comparison result, if the static area of the first comparison result representing the standard page is the same as the static area of the real page, and the dynamic area of the second comparison result representing the standard page is the same as the dynamic area of the real page, the target detection system may determine that the target webpage is not tampered, if the static area of the first comparison result representing the standard page is different from the static area of the real page, or the dynamic area of the second comparison result representing the standard page is different from the dynamic area of the real page, the target detection system may determine that the target webpage is tampered.
In plain terms, when both the static area and the dynamic area of the target webpage are determined not to be tampered with according to the first comparison result and the second comparison result, the target webpage is determined not to be tampered with; when the static area or the dynamic area of the target webpage is determined to be tampered with according to the first comparison result and the second comparison result, the target webpage is determined to be tampered with.
By the above process, whether the target webpage is tampered or not is accurately judged, so that the network security is improved conveniently.
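The comparison and decision logic described above, as an added example that is not code from the patent. Image sets are dictionaries with a `static` image and a `dynamic` mapping keyed by region coordinates; treating a size mismatch or a real-page region with no coordinate match as "different" is an assumption, since the description does not cover those cases. All sample data is constructed.

```python
# Added example (not from the patent). An image is a list of pixel rows.


def same_image(a, b):
    """Pixel-by-pixel comparison; any differing position means 'different'.
    A size mismatch is treated as different (assumption)."""
    if len(a) != len(b):
        return False
    for row_a, row_b in zip(a, b):
        if len(row_a) != len(row_b):
            return False
        for pixel_a, pixel_b in zip(row_a, row_b):
            if pixel_a != pixel_b:
                return False
    return True


def compare_dynamic(second_by_box, fourth_by_box):
    """Every fourth image must equal at least one second image of the
    standard-page region with identical coordinates. Returns the list of
    (box, index) pairs that found no match; empty means 'same'."""
    mismatches = []
    for box, fourth_images in fourth_by_box.items():
        targets = second_by_box.get(box)       # target dynamic region
        if targets is None:                    # no region at these coordinates
            mismatches.append((box, None))
            continue
        for index, fourth in enumerate(fourth_images):
            if not any(same_image(second, fourth) for second in targets):
                mismatches.append((box, index))
    return mismatches


def detect_tampering(first_set, second_set):
    """Static areas are compared first; dynamic areas are compared only if
    the static areas are the same, following the flow of Fig. 2."""
    if not same_image(first_set["static"], second_set["static"]):
        return {"tampered": True, "reason": "static", "mismatches": []}
    mismatches = compare_dynamic(first_set["dynamic"], second_set["dynamic"])
    if mismatches:
        return {"tampered": True, "reason": "dynamic", "mismatches": mismatches}
    return {"tampered": False, "reason": None, "mismatches": []}


# Constructed sample data: a 2x2 static header and one 2x1 rotating banner.
BANNER = (0, 2, 2, 3)
CANONICAL = {"static": [[1, 1], [2, 2]],
             "dynamic": {BANNER: [[[7, 7]], [[8, 8]], [[9, 9]]]}}
# Real page captured mid-rotation: only two of the three banners were seen.
REAL_OK = {"static": [[1, 1], [2, 2]],
           "dynamic": {BANNER: [[[8, 8]], [[9, 9]]]}}
# One banner frame was replaced with content never seen on the standard page.
REAL_BANNER_CHANGED = {"static": [[1, 1], [2, 2]],
                       "dynamic": {BANNER: [[[8, 8]], [[6, 6]]]}}
# A single pixel of the static header differs.
REAL_STATIC_CHANGED = {"static": [[1, 1], [2, 3]],
                       "dynamic": {BANNER: [[[7, 7]]]}}

if __name__ == "__main__":
    for name, real in [("ok", REAL_OK), ("banner", REAL_BANNER_CHANGED),
                       ("static", REAL_STATIC_CHANGED)]:
        print(name, detect_tampering(CANONICAL, real))
```

A real page that shows only a subset of the standard page's rotating frames still passes, because the rule only requires each captured frame to match some reference frame; the reference set therefore has to cover the full rotation.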
In an alternative embodiment, after determining whether the target web page is tampered according to the first comparison result and the second comparison result, the target detection system may acquire a new second image set of the real page of the target web page when the time interval between the target time point and the reference time point reaches a preset value, so as to determine whether the target web page is tampered according to the new second image set and the first image set. Wherein the reference time point refers to a time point when the second image set is acquired.
Alternatively, the target detection system may periodically detect whether the target web page has been tampered with. For example, in the case that the time interval between the current time point and the reference time point reaches a preset value, a new second image set of the real page of the target web page is acquired. The current time point is the target time point.
Optionally, the target detection system may determine whether the target web page is tampered according to the new second image set and the first image set, where the process is the same as the above process of determining whether the target web page is tampered according to the second image set and the first image set, which is not described herein.
It should be noted that, by continuously detecting whether the target web page is tampered, network security can be further improved.
In an alternative embodiment, Fig. 2 is a flowchart of an alternative method for detecting tampering of a web page according to an embodiment of the present invention. As shown in Fig. 2, the target detection system may first capture images of the canonical page of the target webpage to obtain the first image set, and then start a timer to perform page image comparison periodically. If the timer has expired, the subsequent capture and comparison are performed; otherwise, the system continues waiting until the timer expires. Optionally, after the timer expires, the target detection system may capture images of the real page of the target webpage to obtain the second image set. The static area of the standard page is then compared with the static area of the real page according to the first image set and the second image set to obtain the first comparison result. If the first comparison result represents that the static area of the standard page is the same as the static area of the real page, the dynamic area of the standard page is compared with the dynamic area of the real page according to the first image set and the second image set to obtain the second comparison result. If the second comparison result represents that the dynamic area of the standard page is the same as the dynamic area of the real page, the target webpage is determined not to be tampered with, and the system continues waiting for the next timer expiry. Otherwise, if the first comparison result represents that the static area of the standard page is different from the static area of the real page, or the second comparison result represents that the dynamic area of the standard page is different from the dynamic area of the real page, the target webpage is determined to be tampered with, page tampering alarm information is generated, and the system continues waiting for the next timer expiry.
In this way, the network bandwidth occupied by the method provided by the application can be regulated by the timer, and the method can be applied to multiple terminals distributed in different areas for detection, so that the bandwidth is distributed on different network paths, and the possibility of bandwidth congestion is thoroughly avoided.
Therefore, the scheme provided by the application achieves the purpose of comparing the dynamic area and the static area of the standard page and the real page according to the page image so as to determine whether the webpage is tampered, thereby realizing the technical effect of reducing occupied system resources, and further solving the technical problem that more system resources are occupied when webpage tamper-proof detection is carried out in the related technology.
Example 2
According to an embodiment of the present invention, there is provided an embodiment of a device for detecting web page tampering, where fig. 3 is a schematic diagram of an alternative device for detecting web page tampering according to an embodiment of the present invention, as shown in fig. 3, and the device includes:
the first obtaining module 301 is configured to obtain a first image set of a canonical page of the target webpage, and obtain a second image set of a real page of the target webpage, where the first image set and the second image set are both composed of an image of a static area of the page and an image of a dynamic area of the page;
the first comparison module 302 is configured to compare the static area of the canonical page with the static area of the real page according to the first image set and the second image set, so as to obtain a first comparison result;
the second comparison module 303 is configured to compare the dynamic area of the canonical page with the dynamic area of the real page according to the first image set and the second image set to obtain a second comparison result;
the first determining module 304 is configured to determine whether the target web page is tampered according to the first comparison result and the second comparison result.
It should be noted that the first obtaining module 301, the first comparison module 302, the second comparison module 303, and the first determining module 304 correspond to steps S101 to S104 in the above embodiment; the examples and application scenarios implemented by the four modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1 above.
Optionally, the first obtaining module 301 further includes: the first intercepting sub-module is used for intercepting the images of the standard pages for a plurality of times to obtain a plurality of standard page images; the first extraction sub-module is used for extracting an image belonging to a static area of a standard page from any standard page image to obtain a first image; the second extraction submodule is used for extracting images belonging to the dynamic areas from a plurality of standard page images for each dynamic area of the standard page to obtain a plurality of second images matched with the dynamic areas; the first processing sub-module is used for forming a first image set by the first image and the second images matched with all dynamic areas.
Optionally, the first obtaining module 301 further includes: the second interception sub-module is used for intercepting the real page for a plurality of times to obtain a plurality of real page images; the third extraction sub-module is used for extracting an image belonging to a static area of the real page from any real page image to obtain a third image; the fourth extraction sub-module is used for extracting images belonging to the dynamic areas from a plurality of real page images for each dynamic area of the real page to obtain a plurality of fourth images matched with the dynamic areas; and the second processing sub-module is used for forming a second image set by the third image and the fourth image matched with all dynamic areas.
Optionally, the first comparison module 302 includes: the first comparison sub-module is used for comparing the pixel values of the pixels in the same position in the first image and the third image to obtain a first sub-comparison result corresponding to each position; the first determining sub-module is used for determining a first comparison result according to all the first sub-comparison results, wherein the first comparison result is used for representing whether the static area of the standard page is identical to the static area of the real page.
Optionally, the second comparison module 303 includes: the second determining submodule is used for determining a target dynamic region matched with the dynamic region of the real page from the dynamic regions of the standard page for each dynamic region of the real page; the second comparison sub-module is used for comparing each second image matched with the target dynamic region with each fourth image matched with the dynamic region of the real page to obtain a second sub-comparison result between each second image and each fourth image; and the third determining sub-module is used for determining a second comparison result according to the second sub-comparison results of all the fourth images.
Optionally, the third determining sub-module further comprises: the judging unit is used for judging, for each fourth image, whether a target sub-comparison result exists among the second sub-comparison results of that fourth image, wherein the target sub-comparison result represents that the fourth image is identical to the second image; the first determining unit is used for determining that the second comparison result represents that the dynamic area of the standard page is the same as the dynamic area of the real page under the condition that all the fourth images have corresponding target sub-comparison results; the second determining unit is used for determining that the second comparison result represents that the dynamic area of the standard page is different from the dynamic area of the real page under the condition that a fourth image has no corresponding target sub-comparison result.
Optionally, the first determining module 304 further includes: a fourth determining submodule, configured to determine that the target webpage is not tampered if the first comparison result indicates that the static area of the standard page is the same as the static area of the real page, and the second comparison result indicates that the dynamic area of the standard page is the same as the dynamic area of the real page; and the fifth determining submodule is used for determining that the target webpage is tampered if the static area of the first comparison result representing the standard webpage is different from the static area of the real webpage or the dynamic area of the second comparison result representing the standard webpage is different from the dynamic area of the real webpage.
Optionally, the device for detecting web page tampering further includes: the second acquisition module is used for acquiring a new second image set of the real page of the target webpage under the condition that the time interval between the target time point and the reference time point reaches a preset value, wherein the reference time point is the time point of acquiring the second image set; and the second determining module is used for determining whether the target webpage is tampered according to the new second image set and the first image set.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute the above-described method for detecting web page tampering when running.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of units may be a logic function division, and there may be another division manner in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (10)

1. The method for detecting the webpage tampering is characterized by comprising the following steps of:
acquiring a first image set of a standard page of a target webpage and acquiring a second image set of a real page of the target webpage, wherein the first image set and the second image set are both composed of images of a static area of the page and images of a dynamic area of the page;
comparing the static area of the standard page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result;
comparing the dynamic region of the standard page with the dynamic region of the real page according to the first image set and the second image set to obtain a second comparison result;
and determining whether the target webpage is tampered or not according to the first comparison result and the second comparison result.
2. The method of claim 1, wherein obtaining the first set of images of the canonical page of the target web page comprises:
carrying out image interception on the standard page for a plurality of times to obtain a plurality of standard page images;
extracting an image belonging to a static area of a standard page from any standard page image to obtain a first image;
extracting images belonging to the dynamic areas from the plurality of standard page images for each dynamic area of the standard page to obtain a plurality of second images matched with the dynamic areas;
the first image set is composed of the first image and all dynamic region matched second images.
3. The method of claim 1, wherein obtaining a second set of images of real pages of the target web page comprises:
carrying out image interception on the real page for a plurality of times to obtain a plurality of real page images;
extracting an image belonging to a static area of a real page from any real page image to obtain a third image;
extracting images belonging to the dynamic areas from the plurality of real page images for each dynamic area of the real page to obtain a plurality of fourth images matched with the dynamic areas;
and forming the second image set by the third image and the fourth image matched with all dynamic areas.
4. The method of claim 1, wherein the first set of images includes a first image that matches a static region of the canonical page, and the second set of images includes a third image that matches a static region of the real page, wherein comparing the static region of the canonical page to the static region of the real page from the first set of images and the second set of images results in a first comparison result comprising:
comparing the pixel values of the pixels in the same position in the first image and the third image to obtain a first sub-comparison result corresponding to each position;
and determining the first comparison result according to all the first sub-comparison results, wherein the first comparison result is used for representing whether the static area of the standard page is identical to the static area of the real page.
5. The method of claim 1, wherein the first set of images includes a plurality of second images that match respective dynamic regions of the canonical page, the second set of images includes a plurality of fourth images that match respective dynamic regions of the real page, wherein comparing the dynamic regions of the canonical page and the real page according to the first set of images and the second set of images results in a second comparison result, comprising:
for each dynamic region of the real page, determining a target dynamic region matched with the dynamic region of the real page from the dynamic regions of the standard page;
comparing each second image matched with the target dynamic region with each fourth image matched with the dynamic region of the real page to obtain a second sub-comparison result between each second image and each fourth image;
and determining a second comparison result according to the second sub-comparison results of all the fourth images.
6. The method of claim 5, wherein determining the second comparison result based on the second sub-comparison results of all fourth images comprises:
judging whether a target sub-comparison result exists in a second sub-comparison result of each fourth image, wherein the target sub-comparison result represents that the fourth image is identical to the second image;
under the condition that all fourth images have corresponding target sub-comparison results, determining that the dynamic areas of the second comparison results representing the standard pages are the same as the dynamic areas of the real pages;
and under the condition that the fourth image does not have a corresponding target sub-comparison result, determining that the dynamic area of the second comparison result representing the standard page is different from the dynamic area of the real page.
7. The method of claim 1, wherein determining whether the target web page has been tampered with based on the first comparison result and the second comparison result comprises:
if the first comparison result indicates that the static area of the standard page is the same as the static area of the real page, and the second comparison result indicates that the dynamic area of the standard page is the same as the dynamic area of the real page, determining that the target webpage is not tampered;
and if the first comparison result indicates that the static area of the standard page is different from the static area of the real page, or the second comparison result indicates that the dynamic area of the standard page is different from the dynamic area of the real page, determining that the target webpage is tampered.
8. The method of claim 1, wherein after determining whether the target web page has been tampered with based on the first comparison result and the second comparison result, the method further comprises:
acquiring a new second image set of a real page of the target webpage under the condition that the time interval between a target time point and a reference time point reaches a preset value, wherein the reference time point is the time point of acquiring the second image set;
and determining whether the target webpage is tampered according to the new second image set and the first image set.
9. A web page tamper detection device, comprising:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring a first image set of a standard page of a target webpage and acquiring a second image set of a real page of the target webpage, and the first image set and the second image set are both composed of images of a static area of the page and images of a dynamic area of the page;
the first comparison module is used for comparing the static area of the standard page with the static area of the real page according to the first image set and the second image set to obtain a first comparison result;
the second comparison module is used for comparing the dynamic region of the standard page with the dynamic region of the real page according to the first image set and the second image set to obtain a second comparison result;
the first determining module is used for determining whether the target webpage is tampered or not according to the first comparison result and the second comparison result.
10. A computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, wherein the computer program is arranged to perform the method of detecting tampering with a web page as claimed in any one of claims 1 to 8 at run-time.
CN202311590921.3A 2023-11-27 2023-11-27 Webpage tampering detection method and device and computer readable storage medium Pending CN117290845A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311590921.3A CN117290845A (en) 2023-11-27 2023-11-27 Webpage tampering detection method and device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN117290845A true CN117290845A (en) 2023-12-26

Family

ID=89239437

Country Status (1)

Country Link
CN (1) CN117290845A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102779245A (en) * 2011-05-12 2012-11-14 李朝荣 Webpage abnormality detection method based on image processing technology
CN103201749A (en) * 2011-01-05 2013-07-10 株式会社东芝 Web page defacement detection device and storage medium
CN108427881A (en) * 2018-03-16 2018-08-21 北京知道创宇信息技术有限公司 Webpage tamper monitoring method, device, monitoring device and readable storage medium storing program for executing
CN108563963A (en) * 2018-04-16 2018-09-21 深信服科技股份有限公司 Webpage tamper detection method, device, equipment and computer readable storage medium
CN111783159A (en) * 2020-07-07 2020-10-16 杭州安恒信息技术股份有限公司 Webpage tampering verification method and device, computer equipment and storage medium
CN114091118A (en) * 2021-11-26 2022-02-25 中国电信股份有限公司 Webpage tamper-proofing method, device, equipment and storage medium
CN117113430A (en) * 2023-08-18 2023-11-24 华润数字科技有限公司 Webpage violation picture detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination