RU2622870C2 - System and method for evaluating malicious websites - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: system comprises means for scanning for the detection of objects contained in web pages, such as downloaded files, links within a website, hyperlinks to web resources, cookies (HTTP cookies), scenarios and network addresses; means to control checks to determine the type of each object, to assign analysis means to each object; analysis means, such as a URL-address analysis, scenario analysis means and "redirects" analysis means, wherein said means are intended for transmission of test results as solutions to verdicts means. Solution contains information about harmfulness, suspicion or security of a scanned object; verdicts means for analysis of the solutions obtained, using heuristic rules, rendering the analysis results for each tested web page of checked website; assessment means for determining the level of danger of a website based on these test results, where the level of danger is at least critical, dangerous or safe.

EFFECT: concurrent detection of website infection with malicious software.

18 cl, 3 dwg

Description

Technical field

The present invention relates to systems and methods for ensuring the security of websites, and more particularly, to a system and method for assessing the level of danger of websites based on the detection of malicious threats and vulnerabilities on websites.

State of the art

At present, the most popular place for obtaining information is the Internet, which combines an almost infinite number of websites. A website is an information resource that contains a combination of a common name (domain name) and the content of web pages. The website is physically located on a computer device (for example, a server or a personal computer, most often on the server of the hosting provider), and each website has a specific domain name on the network. The website and its pages are accessed using, for example, the Hypertext Transfer Protocol (HTTP) and sometimes the more secure protocol (HTTPS), as well as others.

Since web sites provide tremendous commercial potential for both businesses and individuals, the web site development industry is growing rapidly, which affects the quality and safety of web site development. When creating new websites, developers do not have time to properly create reliable, secure and secure websites. Many websites are created using free or unlicensed website management systems that contain “holes” (problems in the program code) and vulnerabilities. Often, third-party unqualified or unreliable specialists are involved in the creation of the sites, who themselves can enter the site either by accident or intentionally malicious code or leave “holes” and vulnerabilities on the site that could be used to interfere with the operation of the website or spread malicious exposure further.

In addition, the activity of computer virus writers and cybercriminals in recent years has shifted to network technologies, including the Internet, as traditional computers and tablet devices are more and more reliably protected from malware every year (hereinafter referred to as software) and are used less and less. in business circulation, and websites, on the contrary, are poorly protected and are used more and more. Typical attackers are usually interested in hacking a large number of websites with little effort and at the same time harming the maximum number of website visitors. Perhaps the time of massive viral infections for websites on the Internet will come in the near future. Just as the time has come for massive attacks on desktop computers after the release of the Windows XP operating system. Thus, there are a large number of preconditions for poorly protected websites to be massively infected or used by malicious software (for example, viruses, trojans and exploits) and pose a threat to users, commercial enterprises and hosting providers.

At the same time, traditional anti-virus companies, and search services (for example, Google, Yandex) in their designs do not provide protection tools for websites and do not solve the problem of website protection from developers and website owners. So, traditional antiviruses are focused mainly on end devices: personal computers, tablets and mobile phones. They do not always detect hacked and infected websites, especially if these websites do not directly attack users. Server antiviruses used by hosting providers are not effective enough because they use antivirus databases from traditional antiviruses and do not detect and neutralize hacks and attacks aimed at the Internet business: traffic theft, deception of search engines and others. Search engines can only detect some website problems, but they do it too slowly, because They go to websites far from daily. During this time, in case of infection of the website, both the users of this website and the owner of the website, who will incur losses in the form of loss of traffic (decrease in visitors), will have time to suffer. Existing technologies are not as effective as necessary for protecting websites, especially small and medium-sized businesses that do not have qualified resources to ensure the security of sites.

For example, US Pat. No. 7,177,937 B2 discloses a malware inspection approach for mail servers, messaging servers, and websites. The check consists in monitoring user requests to web servers (sites), where during the control the presence or absence of viruses in the transmitted data is determined. After checking, the user is informed about the presence or absence of malware. This technology does not directly check the websites themselves, but only protect web clients (users) from possible infection.

We can say that the approaches focused on ensuring the security of the websites themselves practically do not exist. Thus, a new effective approach is required to allow verification and protection of the websites themselves. Thus, the system and method for assessing the level of danger of websites based on the detection of malicious threats on the websites themselves can effectively solve this problem.

Disclosure of invention

The present invention is intended for the early detection of threats on a website with the aim of limiting the spread of malicious threats and preventing blocking access to the website on various search engines and various anti-virus systems, which allows a quick solution to the security problem and website protection for the developer or owner website.

The first technical result of the present invention is the rapid detection of infection by malicious programs of the website by assessing the danger level of the specified website based on a comprehensive check of the specified website, which includes checking the website.

The second technical result of the present invention is to prevent the website from being blocked by various search and antivirus systems by forming preventive measures based on a website’s hazard rating that takes into account information about malicious threats on the website and associated risks, for example, for the owner of the web website, website developer or hosting provider.

It is worth noting that a feature of the technical solution in the claimed invention, in contrast to the prior art, is the proactive identification of the risks of threats and the rapid detection of the fact of the threat (infection) of one or more websites with the possibility of further informing interested parties (for example, the owner of the site, site developer or hosting provider).

As one of the variants of implementation, a system for determining the danger level of a website is proposed, which includes: a scanning tool designed to connect to the web pages of the checked website by HTTP requests or download the mentioned web pages in a browser emulator, to detect objects contained on the mentioned web pages, the objects being at least text files, links inside the website, hyperlinks to various resources on the network, cookies (from the English HTTP cookies), scripts and network addresses, transferring the identified objects to the verification management tool; said means of control checks, designed to determine the type of each object, assigning to each object an analysis tool based on a certain type of object and transferring each object to the designated analysis tool; analysis tools, which at least are URL analysis tools, script analysis tools, and “redirects” analysis tools, each of which is designed to scan received objects for malicious or suspicious objects, while the type of scan corresponds to the purpose means of transmitting the results of the verification of objects in the form of solutions to the means of verdicts, while the solution contains information about the harmfulness, suspiciousness or safety of the verified object; a verdict tool designed to analyze the decisions made using heuristic rules, display the result of the analysis for each checked web page of the checked website and transmit the specified results to the evaluation tool; an assessment tool designed to determine the level of danger of a website based on the results of verification, where the level of danger is at least critical, dangerous or safe.

In another embodiment of the system, the control tool checks the queue of objects for each particular type of object, where each queue of objects corresponds to an analysis tool, and transferring objects from the queue of objects to the corresponding analysis tool.

In another embodiment of the system, the analysis tools are also the following tools: a file analysis tool and a vulnerability analysis tool.

In another embodiment of the system, as another means of analysis is an external checker designed to check the availability of information about the said website, the said web pages and the mentioned objects in external sources; making decisions on the basis of the information collected and transferring the results of the verification to the evaluation tool.

In yet another embodiment of the system, external sources are at least malicious databases of anti-virus companies and databases of suspicious search engine sites.

In another embodiment of the system, the verdict tool is intended for combining the obtained decisions into decision groups, where each decision group corresponds to the web page from which the objects were identified, and analyzing the said groups using heuristic rules.

In yet another embodiment of the system, a protective device designed to determine the type of protection depending on a certain level of danger.

In another embodiment of the system, the type of protection is at least blocking outgoing traffic containing malicious objects and removing malicious objects.

In yet another embodiment of the system, the assessment tool is also intended to generate a report on the level of danger of the website according to a predetermined template that corresponds to the particular region where the website is located, and transmit the report to interested persons, who are at least the owner of the website and website developer.

In another embodiment of the system, when downloading or emulating web pages, it is understood that at least downloading or emulating the main web page of the website being checked is where the main web page is a web page with a second-level domain name.

As another embodiment, a method for determining the danger level of a website is proposed, including the steps of: using a scanning tool, connect to the web pages of the website being checked by HTTP requests or by downloading said web pages in a browser emulator; with the help of a scanning tool, objects contained in the said web pages are detected, at least the downloaded files, links within the website, hyperlinks to various resources on the network, cookies (from the English HTTP cookies), scripts and network addresses determine, with the help of the control tool, the type for each identified object; Assign an analysis tool to each object using the inspection control tool based on a specific type of object; using the management tool, each object is transmitted to the designated analysis tool, while the analysis tool is at least a URL analysis tool, a script analysis tool and a “redirect” analysis tool; carried out using the analysis tools that received the objects, checking the received objects for the presence of malicious or suspicious objects among them, while the type of verification corresponds to the purpose of the analysis tool; transmit using the analysis tools that received the objects, the results of the verification of objects in the form of solutions to the means of verdicts, while the solution contains information about the harmfulness, suspiciousness or security of the verified object; using the means of verdicts, analyze the decisions obtained using heuristic rules and render the result of the analysis for each checked web page of the checked website; determine, with the help of the assessment tool, the website’s hazard level based on the analysis, where the hazard level is at least critical, dangerous or safe.

In another embodiment of the method, in step g), a queue of objects is formed for each specific type of object, where each queue of objects corresponds to an analysis tool according to the type of object.

In another embodiment of the method in step d), the analysis tools are also a file analysis tool, a vulnerability analysis tool, and an external verification tool.

In another embodiment of the method, the obtained solutions are combined by means of verdicts into decision groups, where each decision group corresponds to the web page from which the objects were identified.

In yet another embodiment of the method, the types of protection according to a certain hazard level are determined using a protective device.

In another embodiment of the method, the type of protection is at least blocking outgoing traffic containing malicious objects and removing malicious objects.

In another embodiment of the method, a website hazard level report is generated using the assessment tool according to a predetermined template, and the report is transmitted to the person concerned, at least the website owner or website developer.

In another embodiment of the method, the generated hazard level report of the website corresponds to a specific region of the computer device on which the website is located.

Brief Description of the Drawings

Additional objectives, features and advantages of the present invention will be apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

FIG. 1 illustrates a scheme for interacting websites with a computer system that hosts a system for determining the level of danger of websites.

FIG. 2 illustrates a block diagram of a website hazard determination system.

FIG. 3 illustrates a method for determining the severity level of a website.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood, however, that the purpose of the description is not to limit the invention to its specific embodiment. On the contrary, the purpose of the description is to cover all changes, modifications that are within the scope of this invention, as defined in the attached formula.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details necessary to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined in the scope of the attached claims.

In FIG. 1 shows a diagram of the interaction of websites 120 with a computer system that hosts a system for determining the danger level of websites 150 (hereinafter referred to as a system for determining 150).

As a computer system (not shown in Fig. 1) is understood a general-purpose computer system, which can be either a personal computer or a server (s). A computer system (hereinafter - the computer) is inherent in all components of modern computer devices and / or servers. The computer also has a file system on which the recorded operating system is contained, as well as additional software applications, program modules, and program data. A computer is capable of operating in a networked environment, using a network connection with one or more remote computers. The remote computer (or computers) are the same personal computers or servers. In addition, other devices, such as routers, network stations, peer-to-peer devices or other network nodes, may also be present in a computer network, such as the Internet.

Network connections can form both a local area network (LAN) and a wide area network (WAN), including networks of mobile operators. Such networks, for example, are used in corporate computer networks and, as a rule, have access to the Internet. In LAN or WAN networks, the computer is connected to the local network through a network adapter or network interface. When using networks, the computer can use various means of communication with a global computer network, such as the Internet, for example, a modem. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration.

Website 120 is a web resource combining a number of web pages and hosted, for example, on a web server. A web server is a program that performs the functions of the server (computer system) on which the program runs. In addition to the web server, various server applications can be installed, for example, a mail server, file server, etc., each of which provides its own service. To access such services, special programs are used, such as a browser, an email client, a file access service client, and others. Accordingly, users using a browser can access the submitted data on websites 120 at the URL of the website’s website page they require. It is worth noting that the interaction between the website (web server) and users, including the 150 detection system, is performed using various protocols. The main data transfer protocols are HTTP (S), (S) FTP, SSH, POPZ, SMTP and IMAP4.

Thus, the detection system 150, when interacting with any website 120, uses a browser or emulates a browser.

In addition, to fulfill its purpose, the detection system 150 can also interact with various external services (sources of information), such as: anti-virus databases 170 containing information about malware; Blacklists of search engines 180 containing information about suspicious websites or websites containing malicious objects; 190 other black lists and vulnerability databases of various competent companies and organizations, containing information about vulnerabilities in applications and websites, as well as lists of infected websites or compromised email addresses. Examples of anti-virus databases are databases of companies such as Symantec, Trend Micro and Kaspersky Lab. Examples of search engines are Google and Yandex. In turn, the vulnerability bases may be the bases of a company such as Positive Technologies. Examples of other blacklists can be lists like DNSBL (from the English Domain Name System Blacklist) or lists of services such as Phishtank (a service aimed at combating Internet fraud, such as phishing) and others.

Next, a block diagram of a determination system 150 will be discussed in conjunction with one of the websites 120.

In FIG. 2 is a structural diagram of a system for determining the level of danger of a website 150. A determination system 150 is designed to determine the level of danger of a website 120 by applying at least two (unlimited) detection methods and then making an assessment based on the results of the verification. Detection methods detect both malicious objects contained on the website and various problems associated with the vulnerabilities of website 120. The severity level reflects the presence of 120 malicious, suspicious and unwanted objects on the website and / or the presence of website 120 in the lists of unwanted sites of search engines and / or antivirus companies, as well as other blacklists and, in addition, the presence of vulnerabilities on the site. Such a check can be carried out both once and with some periodicity (for example, once a day). If you periodically check the website 120, the final hazard level will be the most accurate, as with each re-inspection, the level of danger can be specified or changed, and will allow you to quickly determine the facts of infection of the website and, accordingly, their possible distribution from such a website.

The mentioned detection methods combine both methods of analyzing information received from external sources about the verified website 120 and methods of analyzing content (objects) contained both on the website 120 and downloaded from other websites 120.

The determination system 150 includes at least a scan tool 210, a control tool 220, an analysis tool 240, a tool verdict 250 and a tool 270. In the particular case, the implementation of the detection system 150 also includes a tool for external verification 260 and a tool 280.

The scanning engine 210, using a browser emulation, connects to each web page of the website 120 at the corresponding web page addresses. It is worth noting that, as a rule, web pages contain a description of the markup in the HTML language (or XHTML), with the help of which the interpretation is performed in the browser. After that, the scanning tool 210 selects (determines) all the objects contained on each web page. Web page objects can be either static objects (described in the page code) or dynamic objects (loaded or modified during code interpretation). Examples of objects are web server service responses, text documents, downloads, links within a website, hyperlinks to various resources on the network, cookies (from the English HTTP cookies, a small piece of data), scripts in various programming languages - script (from the English script, scripts), IP addresses, various user data, redirects (automatic redirection from one website to another) and much more. After the scan tool 210 transmits the specified information about all the selected objects on all web pages of the website 120 or the objects themselves to the control tool 220.

It is worth noting that connection to web pages can be carried out using either a single IP address or several, including randomly selected or from a specific list (for example, the network of a specific provider or service provider) in order to detect malicious code on a website that uses detection disguises or, on the contrary, manifests itself only in networks with certain ranges of addresses (for example, networks of telecom operators).

In turn, the audit control tool 220, after receiving information about the objects or the objects themselves, determines the type of each object, assigns the appropriate analysis tool 240 to check the objects based on a certain type and transfers the specified objects or information about them to the corresponding analysis tools 240a ... 240n. Examples of object types are the following categories: URLs, scripts, text documents, and files of various formats. In addition, the control tool for inspections 220 in the particular case of implementation can preliminarily (before transferring objects to analysis tools 240) create a queue of objects for each type of object, where for each queue one of the analysis tools 240 will be assigned, which has the ability to check the corresponding type of objects. Separation by types and queuing allows optimizing the load on analysis tools 240, because the number of web pages on one site can be large (for example, thousands or tens of thousands of web pages), and the number of objects detected in them is even greater.

In one embodiment, the queuing for each type of object is based on the domain names of the web pages on which the objects were identified. For example, objects from a web page with a second-level domain name or an address inside a website of lower nesting will be queued higher (i.e. will be checked earlier) than objects from a web page with a third-level domain name or the address inside the site of greater nesting, etc. This is due to the fact that on web pages with top-level domain names or less nesting, the likelihood of a threat (malware or vulnerability) is usually higher.

It is worth noting that in the description when using numbering 240 for analysis tools, not only all of the analysis tools 240a ... 240n are meant at once, but each separately.

Analysis tools 240 are designed to check all detected objects for the presence of malicious or suspicious objects among them, to determine the presence of vulnerabilities in objects, to identify links to infected, phishing or fraudulent sites or malicious scripts (scripts), etc., and to transmit the result of an object scan in the form the verdict to the means of the verdict 250. Malicious objects are understood to mean any object with the help of which the site owner or its developer, which was not intended by the owner, is realized or can be realized om action, for the purpose of unauthorized use of the site or causing harm (harm) to the visitor to the site, the site owner, hosting provider or other parties, also for the purpose of deriving profit or simply for the purpose of interfering with the operation of the website. Suspicious objects are objects that do not fall into malicious objects, but are also not legitimate (safe) objects.

Since various types of verification methods are required to verify various types of objects, the analysis tools 240 have various verification methods that can have either a signature (exact) or a heuristic (probabilistic) approach. The signature approach is based on a comparison with already known malicious objects. Signature types of analysis include, but are not limited to, comparisons of scanned objects with a black list of web pages by URL, a database of malicious objects, as well as comparisons with a list of trusted objects (applications, components). The heuristic approach is based on a more complex analysis, such as analyzing the behavior of an object (for example, transferring control to another area) or emulating the operation of an object, followed by analyzing a report on the operation of the object using predefined verification rules. Heuristic types of analysis include such methods as emulation of programs and scripts (scripts), application activity monitoring and virtualization of the runtime environment, as well as analysis based on accumulated data about other objects.

Therefore, depending on the type of object, each analysis tool 240 conducts the analysis that is most effective for conducting verification of the corresponding object. So examples of analysis tools 240a ... 240n are the following tools:

- file analysis tools designed to check files both by comparison with databases of known malicious files, and using heuristic methods,

- a tool for analyzing URLs (links) that analyzes URLs, including by comparing with a database of malicious URLs,

- a means of analyzing scripts (scripts) that analyzes scripts, including by emulating them and identifying malicious or suspicious behavior in their work,

- a tool for analyzing "redirects", which checks all redirects (ie, changes to URLs and redirects the user to another address) by, for example, comparing with the databases of "black lists" of addresses and other comparisons,

- a vulnerability analysis tool that checks all objects that may have vulnerabilities in the code using the database of known vulnerabilities of both websites and web browsers,

- etc.

After checking each identified object, the appropriate analysis tool from 240a ... 240n makes a decision on the result of the verification, which passes it to the verdict tool 250. The decision can be short (only the result is indicated, for example, “the object is infected”) or detailed (details that affect the receipt result, for example, "redirect to the site www.imyasayta.ru") view.

The verdict tool 250 combines the solutions (verdicts) received from the analysis tools 240 into groups, where each group of verdicts corresponds to a specific web page from which the objects were identified. After that, the verdict tool 250 analyzes the mentioned groups using a constantly updated set of heuristic rules and delivers the final result of checking a separate (each) web page of the checked website or website 120 as a whole and passes the indicated results to the evaluation tool 270. By analysis is meant comparing verdicts with other information, such as, for example, technical specifications of a website or web server, accumulated data on similar verdicts or data from third-party providers of information about threats ah, where as a result of this comparison verdicts evaluation categories or weights can be assigned to characterize the degree of danger.

In the particular case of the implementation, the detection system 150 also contains an external checker 260. The external checker 260 collects information about the website being checked from various external sources and transfers the collected information to the assessment tool 270. As mentioned above, the external sources can be, for example, anti-virus databases 170, search engine blacklists 180 and open vulnerability databases 190. The information contains information about the status of the most checked website 120, the web server hosting the website 120, and / or information about some On the web pages of the website being monitored or on objects hosted on the web pages.

Evaluation tool 270 determines the danger level of a website based on the results of verification from the means of verdicts 250, as well as in the particular case of implementation and information received from the means of external verification 260, where the danger level is at least critical, dangerous or safe. Also, the danger level can be determined on the basis of a percentage indicator of danger, from 0% to 100% or as a numerical value (for example, 1,2, ..., 10). At the same time, 0% means that the website is completely safe, and 100% means that the website is critically dangerous, because has active threats (malware) or vulnerabilities through which website users are exposed and / or malicious code that spreads and infects website users.

It is worth noting that in another embodiment, the external verification tool 260 is one of the analysis tools 240. In this case, the external verification tool 260, based on the collected information, makes at least one decision, which in turn is passed to the verdict tool 250 (communication not shown in Fig. 2). The means of verdicts 250 fulfills its purpose, as mentioned above. In this case, the means of assessment 270 determines the level of danger of the website on the basis of only the obtained verification results from the means of the verdicts 250.

In a frequent case, the hazard level can be stored in a database. Then, in the case of a periodic check of the website 120, the newly formed danger level can be checked with the previously stored values and stored in the database before being stored in the database, thereby generating statistics on the change in the danger level of the website. Based on statistics, it is possible to generate scenarios for further verification of the website. For example, scan objects or scan times may change. In addition, before each new check of the website, the time of the last check will be checked, and if the predetermined interval is not exceeded, the check may not be carried out. To this end, the detection system 150 may include a scheduled launcher or based on external events and a database of checked websites (not shown in Fig. 2).

In another special case of implementation, the assessment tool 270, after determining the danger level of the website, creates a report on the danger level of the website according to predefined (defined) templates, while the report allows the owner of the specified website or other interested parties to be informed of the results of the verification. It is worth noting that the templates may correspond to the region of the website being checked (for example, continent or country) or its industry, thematic or other affiliation. In addition, the report may contain results of checks specific to each industry, for example, on the compliance of the site being checked with the legislation on personal data, the presence of site security certificates accepted in the industry, etc. For example, a template will be generated for each country that will contain the most relevant information for the relevant region of the country.

Website hazard level reports can be sent both promptly and at regular intervals.

In yet another particular embodiment, the detection system 150 comprises a security device 280 that, depending on the level of danger, will take various protective or preventive measures for the respective website. So, for example, if the danger level is high or critical (close to or equal to 100%), then the protection tool 280 forms a list of outgoing content that will restrict the distribution of outgoing data from the website by allowing only the data specified in this list or from a specific one to be distributed areas of the website. Or, conversely, Protector 280 will be configured to identify and remove hazardous objects. Thus, the spread of malicious threats (files, links, scripts (English script), etc.) from the infected website will be prevented. In addition, Protector 280 can also clean the program code of a website by deleting infected code or deleting the entire object, and if cleaning is successful, it will remove the restriction on the list of outgoing content. Another example is the situation when, for example, the danger level is medium (50%), then the protection tool 280 can only block access to those web pages of a website that have (spread) a threat (malware) or only issue a warning to those interested parties about the hazard level of the website.

In FIG. 3 presents a special case of the implementation of the method for determining the level of danger of websites. Website owners may need to conduct a one-time or periodic website hazard assessment in order to detect facts of malware infection, the risks leading to such infections and any other unauthorized interventions in the operation of the website and to prevent the possible consequences of such interference, including preventing website blocking by various search and antivirus systems.

At 310, a connection is made to the website being checked, namely, connection to a portion of the web pages or each web page using the scanning tool 210 by one or more page requests or page loading in a browser emulator. At the same time, at step 320, objects are selected on the web page for subsequent verification. Web page objects can be either static objects (that is, located directly in the page code) or dynamic objects (that is, created or changed during the page loading process). Examples of objects are fragments of the page code, downloaded files, links within the website, links to external sites, cookies (from the English HTTP cookies, a small piece of data), scripts of programming languages - script (from the English script, scripts), IP addresses, user data indicated on the page, redirects (redirects from one website to another) and much more.

At step 330, with the help of the control tool 220, the objects are divided into types with the aim of subsequently forming a check queue for each type of object. Examples of object types are, for example, the following categories: URL, script, text documents, binary files of various formats. As the formation of the queues means 220 distributes (directs) at step 340 all the queues of objects according to the appropriate analysis tools 240a ... 240n according to the types of objects. Analysis tools 240a ... 240n, in turn, analyze all objects in step 350 as described in FIG. 2. Based on the results of the checks, the analysis tools 240a ... 240n render verdicts for each object, after which the verdicts are passed to the verdict tool 250. At step 360, using the verdict tool 250, all the verdicts are grouped into groups where each group of verdicts corresponds to the web page from which identified objects. After that, the analysis of the mentioned groups is carried out using the heuristic rules and the verification result for each web page of the website being checked is displayed.

In addition, in the particular case of implementation, at step 350, during the analysis of objects, requests are made to external sources of information in parallel using the external verification tool 260, as described in FIG. 2. Requests are related to obtaining information about the checked website and its web pages.

In another particular case, a website check may be limited to only a certain set of pages of this website, and not to all web pages.

At step 370, using the assessment tool 270, a website determines the danger level of the website based on an analysis of the information received - verdicts, namely information from external sources and the results of the verification of the website, web page and objects. The hazard level is at least critical, dangerous or safe. After that, at step 380, the owner of the website or other parties are notified of the danger level with appropriate recommendations, for example, about blocking a web page or restricting outgoing content (information, data) using the generated restrictive list. In the particular case of implementation, these recommendations for the website can be implemented independently (automatically).

In another particular implementation case, after determining the danger level of the website at step 370, using the assessment tool 270, a report on the danger level of the website is created according to predefined (defined) templates, while the report allows informing the owner of the specified website or other interested parties about the results of the check. Examples of patterns are presented in the description of FIG. 2.

In another particular case of implementation, depending on the level of danger, various protective or preventive measures are taken for the website being checked using security tool 280. For example, if the danger level is high or critical (close to or equal to 100%), then using protections 280 form a list of outgoing content that will restrict the distribution of outgoing data from a website by allowing only the data specified in this list or from a specific area of the website to be distributed. In another case, with the help of protective equipment 280 only dangerous objects will be detected and deleted. Thus, the spread of malicious threats (files, links, scripts (English script), etc.) will be prevented from the infected website. Other examples of protective measures are presented in the description of FIG. 2.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims.

Claims (40)

1. A system for determining the danger level of a website, which includes: a) scanning means intended for: - connection to the web pages of the website being checked by HTTP requests or by downloading said web pages in a browser emulator; - identifying the objects contained on the mentioned web pages, the objects being at least downloadable files, links within the website, hyperlinks to various resources on the network, cookies (from the English HTTP cookies), scripts and network Addresses - transfer of identified objects to the audit control tool; b) said means of control of inspections intended to determine the type of each object, to assign an analysis tool to each object based on a certain type of object, and to transfer each object to the designated analysis tool; c) analysis tools, which, at least, are URL analysis tools, script analysis tools, and “redirects” analysis tools, with each tool specified for: - checking the received objects for the presence of malicious or suspicious objects among them, while the type of verification corresponds to the purpose of the tool; - transferring the results of the verification of objects in the form of solutions to the means of verdicts, while the solution contains information about the harmfulness, suspiciousness or safety of the verified object; d) a means of verdicts, designed to analyze the decisions obtained using heuristic rules, to render the result of the analysis for each checked web page of the checked website and to transmit the indicated results to the evaluation tool; e) an assessment tool designed to determine the level of danger of a website based on the results of verification, where the level of danger is at least critical, dangerous or safe. 2. The system according to claim 1, in which the control tool checks the queue of objects for each specific type of object, where each queue of objects corresponds to an analysis tool, and transferring objects from the queue of objects to the corresponding analysis tool. 3. The system of claim 1, wherein the analysis tools are also the following: a file analysis tool and a vulnerability analysis tool. 4. The system according to p. 1, in which as another means of analysis is an external verification tool designed to: - checking the availability of information about the said website, the mentioned web pages and the mentioned objects in external sources; - making decisions based on the information gathered; - transferring the results of verification to the evaluation tool. 5. The system of claim 4, wherein the external sources are at least malware databases of anti-virus companies and databases of suspicious search engine sites. 6. The system of claim 1, wherein the verdict tool is intended to combine the decisions obtained into decision groups, where each decision group corresponds to the web page from which the objects were identified, and to analyze the said groups using heuristic rules. 7. The system according to claim 1, which contains a protective device designed to determine the type of protection depending on a certain level of danger. 8. The system of claim 7, wherein the type of protection is at least blocking outgoing traffic containing malicious objects and removing malicious objects. 9. The system of claim 1, wherein the assessment tool is also intended to generate a report on the website’s hazard level according to a predetermined template that corresponds to the particular region where the website is located, and transmit the report to interested parties, which are at least least a website owner and website developer. 10. The system of claim 1, wherein when downloading or emulating web pages, it is understood that at least downloading or emulating the main web page of the website being verified is where the main web page is a web page with a second-level domain name. 11. A method for determining the danger level of a website, including the steps of: a) using a scanning tool, connect to the web pages of the website being checked by HTTP requests or by downloading the mentioned web pages in a browser emulator; b) using the scanning tool, objects contained on the mentioned web pages are detected, at least the downloaded files, links within the website, hyperlinks to various resources on the network, and cookies (from HTTP cookies) ), scripts, and network addresses; c) determine, with the help of the control tool, the type for each identified object; d) assign an analysis tool to each object using the inspection control tool based on a specific type of object; e) transmit using the management tool each object to the designated analysis tool, while the analysis tool is at least a URL analysis tool, a script analysis tool, and a “redirect” analysis tool; f) using the analysis tools that received the objects, they check the received objects for the presence of malicious or suspicious objects among them, while the type of check corresponds to the purpose of the analysis tool; g) transmit using the analysis tools that received the objects, the results of the verification of objects in the form of solutions to the means of verdicts, while the decision contains information about the harmfulness, suspiciousness or safety of the verified object; h) using the means of verdicts, analyze the decisions obtained with the help of heuristic rules and render the result of the analysis for each checked web page of the checked website; i) determine, with the help of the assessment tool, the website’s hazard level based on the results of the analysis, where the hazard level is at least critical, dangerous or safe. 12. The method according to p. 11, in which, at step d), a queue of objects is formed for each particular type of object, where each queue of objects corresponds to an analysis tool according to the type of object. 13. The method according to p. 11, in which, at step d), the analysis tools are also a file analysis tool, a vulnerability analysis tool, and an external verification tool. 14. The method according to claim 11, in which the obtained decisions are combined using the means of verdicts into decision groups, where each decision group corresponds to the web page from which the objects were identified. 15. The method according to p. 11, which determines the type of protection according to a certain level of danger with the help of a protective device. 16. The method of claim 15, wherein the type of protection is at least blocking outgoing traffic containing malicious objects and removing malicious objects. 17. The method according to p. 11, in which using the means of assessment generate a report on the level of danger of the website according to the specified template and transmit the report to the interested person, which is at least the owner of the website or the developer of the website. 18. The method according to p. 17, in which the generated report on the level of danger of the website corresponds to a specific region of the computer device on which the website is located.

Images