CN104363251B - Website security detection method and device - Google Patents

Abstract

The present invention relates to a website security detection method, comprising the following steps: receiving collected data including a hypertext transfer protocol request packet through a remote port; using the link contained in the request packet to determine a new associated link belonging to a known specific website; The webpage corresponding to the new link implements vulnerability scanning and detection. Correspondingly, the present invention also provides a website security detection device. The present invention can discover known specific websites and their new links in time, and can implement loophole detection on these new links in real time, avoid missing detection, and can avoid unnecessary detection of invalid links and repeated links, and has the advantages of efficient and timely maintenance of website security The advantages.

Description

Website security detection method and device

technical field

The invention relates to Internet security technology, in particular to a website security detection scheme and device.

Background technique

There are various security risks in website access, such as: COOKIE poisoning, application buffer overflow, cross-site scripting attack, known security holes, etc. These website security issues will further lead to security issues of user data. Therefore, website visitors want to know the security level of the website, and naturally tend to use relatively safe websites, while website managers hope to fix the loopholes in time, overcome the security problems of their websites, and provide website visitors with a safer browsing platform .

The method of website security detection usually uses a scanner to actively crawl webpages through crawler technology, and conducts security tests on the crawled webpages. In order to avoid increasing the load on the website server caused by the implementation of the crawler technology, usually, the security test of the website performs webpage crawling by timing or manually triggered by the user. However, in today's highly developed information world, the website business (code) as an information carrier is updated frequently, and the information security personnel equipped by each company are not enough to support so many and frequent security tests. This leads to a pair of contradictions, that is, the contradiction between the increased pressure on the server caused by the frequent scanning of the scanner, the shortage of human resources, and the untimely security detection of new web pages caused by the interval scanning of the scanner. Specifically, the flaws caused by existing technologies related to website web page security testing include but are not limited to the following problems:

For example, an island page is a page that crawlers cannot grasp. If there are vulnerabilities and are discovered by hackers, it will lead to great security risks. Existing vulnerability scanners are all based on spider technology to grab website links and then perform security testing. They cannot scan newly launched domain names in time and cannot detect vulnerabilities in isolated island pages.

For another example, large-scale websites (such as news, e-commerce, etc.) have a large number of new webpages going online every day, and regular scanning cannot perform security tests on the newly launched webpages in time. For example, if the website administrator sets the website to be tested at 0:00 every day, the webpage that goes online at 1:00 will be tested after 23 hours. If there are vulnerabilities in these newly launched web pages, it will make the website in an unsafe situation during this time.

Contents of the invention

The purpose of the present invention is to overcome one or more aspects of the above-mentioned problems, and provide a website security detection method and device.

For realizing the purpose of the present invention, the present invention takes following technical scheme:

A method for detecting website security provided by the present invention comprises the following steps:

Receive the collected data including the hypertext transfer protocol request packet through the remote port;

Using the links contained in the request packet to determine associated new links belonging to known specific websites;

Implement vulnerability scanning and detection on the webpage corresponding to the new link.

According to an embodiment of the present invention, the source IP address of the collected data is the destination IP address of the request packet. Preferably, the collected data comes from a collection module installed on the device at the source IP address.

According to another embodiment of the present invention, the source IP address of the collected data is the source IP address in the request packet. Preferably, the collected data comes from a browser plug-in installed on the device at the source IP address. Preferably, before determining the associated new link belonging to the known specific website, the links contained in the request package are summarized and duplicate links are removed.

According to one embodiment of the present invention, the step of removing duplicate links includes the following subdivision steps:

Multiple links formed by accessing the database that differ only in their variables are identified as duplicate links;

Only keep one of the duplicate links to remove duplicate links.

According to another embodiment of the present invention, the step of removing duplicate links includes the following subdivision steps:

Identify multiple links with the same signature as duplicate links;

Only keep one of the duplicate links to remove duplicate links.

According to the disclosure of one of the embodiments of the present invention, the known specific website and/or its new link are preset by receiving user settings through a graphical user interface. Preferably, the set content received by the graphical user interface includes a domain name or an IP address pointing to a website.

According to the disclosure of one of the embodiments of the present invention, by determining that the IP address pointed to by the link in the request packet belongs to the IP address pointed to by the known specific website or its IP address segment, the link is determined to belong to a known specific website. The associated new link for the site.

According to the disclosure of one of the embodiments of the present invention, by comparing the registration characteristic information of the domain name of the link in the request packet with the registration characteristic information of the domain name of the known specific website, the link is determined to belong to the association of the known specific website new link.

Preferably, there is a list of known specific websites for recording the domain names and/or their corresponding IP addresses of one or more known specific websites.

Further, the step of using the links contained in the request packet to determine the associated new link belonging to a known specific website includes the following subdivision steps:

Extract links to all request packages that have been fetched;

Remove duplicate links pointing to web pages with the same code from the extracted links;

Identify new links among them and add the new links to the queue to be scanned.

According to an embodiment of the present invention, the step of performing vulnerability scanning on the webpage pointed to by the new link includes the following subdivision steps:

acquiring the new link from a queue to be scanned for recording the new link;

Vulnerability scanning is performed on the webpage directly mapped to the new link.

According to another embodiment of the present invention, the step of performing vulnerability scanning on the webpage corresponding to the new link includes the following subdivision steps:

acquiring the new link from a queue to be scanned for recording the new link;

Obtain the webpage mapped by the new link in the queue to be scanned and add it to the local webpage library;

Implement vulnerability scanning and detection on the webpages in the webpage library downloaded according to the new link.

Further, the method includes a subsequent step: displaying a graphical user interface to output result information of vulnerability scanning and detection.

A website security detection device provided by the present invention includes:

A packet capture unit is used to receive the collection data comprising a hypertext transfer protocol request packet through a remote port;

A novelty checking unit, adapted to use the links contained in the request packet to determine associated new links belonging to known specific websites;

The detection unit is configured to perform vulnerability scanning detection on the webpage corresponding to the new link.

According to an embodiment of the present invention, the source IP address of the collected data received by the packet capture unit is the destination IP address of the request packet. Preferably, the collected data comes from a collection module installed on the device at the source IP address.

According to another embodiment of the present invention, the source IP address of the collected data received by the packet capture unit is the source IP address in the request packet. Preferably, the collected data comes from a browser plug-in installed on the device at the source IP address.

Preferably, the novelty checking unit is configured to summarize the links contained in the request package and remove duplicate links therein before determining the associated new link belonging to a known specific website.

According to an embodiment of the present invention, the novelty checking unit includes:

A duplicate checking submodule is used to determine multiple links that are only different in variables formed by accessing the database as repeated links;

Removing sub-modules is suitable for implementing only one of the repeated links is retained to achieve the removal of repeated links.

According to another embodiment of the present invention, the novelty checking unit includes:

Duplicate checking sub-module, used to determine multiple links with the same signature as duplicate links;

Removing sub-modules is suitable for implementing only one of the repeated links is retained to achieve the removal of repeated links.

According to one disclosed embodiment of the present invention, the device further includes a setting unit, configured to display a graphical user interface to receive user settings, thereby presetting the known specific website and/or its new link. Preferably, the set content received by the graphical user interface includes a domain name or an IP address pointing to a specific website.

According to one of the disclosed embodiments of the present invention, the device further includes a setting unit configured to determine that the IP address pointed to by the link in the request packet belongs to the IP address pointed to by the known specific website or its IP address section to identify the link as belonging to a known associated new link of a particular website.

According to one of the disclosed embodiments of the present invention, the device further includes a setting unit configured to set the The link is determined to be an associated new link belonging to the known specific website.

Preferably, the device further includes a list of known specific websites, which is used to record the domain names and/or their corresponding IP addresses of one or more known specific websites.

Further, the novelty checking unit includes:

Extraction module, used to extract the links of all the request packages that have been obtained;

The deduplication module is used to remove duplicate links pointing to webpages with the same code in the links extracted by the extraction module;

The adding module is configured to determine a new link therein, and add the new link to a queue to be scanned.

According to an embodiment of the present invention, the detection unit includes:

an acquiring unit configured to acquire the new link from a queue to be scanned for recording the new link;

The implementation unit is configured to implement vulnerability scanning and detection on the webpage mapped to the new link.

According to another disclosed embodiment of the present invention, the detection unit includes:

an acquiring unit configured to acquire the new link from a queue to be scanned for recording the new link;

A downloading unit, configured to download the webpage mapped by the new link in the queue to be scanned and add it to the local webpage library;

The implementation unit is used for implementing vulnerability scanning and detection on the webpages in the webpage library downloaded according to the new link.

Further, the device includes a display unit for displaying a graphical user interface for outputting result information of vulnerability scanning and detection.

Compared with the prior art, the present invention has at least the following advantages:

1. The present invention realizes the acquisition data including the hypertext transfer protocol request packet through the remote port, and can realize a remote distributed connection architecture similar to C/S, so it can receive the corresponding request packet generated by the request initiated by the known specific website server , for targeted vulnerability scanning detections against web pages known to be linked to a specific website and its associated links. Firstly, the present invention can clearly screen and scan new links for known specific websites, and secondly, it can receive and collect data in real time through remote ports, and the number of new links determined by real-time acquisition is relative to the number of links of all known specific websites It is extremely small, usually non-new links have already been scanned in the historical use process, and there is no need to repeat the scan, and the vulnerability scanning for these new links has a low computational load, and the response pressure on the server is also very small. Therefore, The present invention provides technical conditions for real-time scanning of loopholes in webpages pointed to by newly launched new links on specific websites, and avoids possible safety accidents caused by missed scanning during the time gap formed by regular or irregular scanning, and provides network Managers provide more effective technical tools for vulnerability detection.

2. The present invention further controls the source of collected data by limiting the same relationship between the source IP address of the collected data and the source IP address or destination IP address contained in the request packet. In the webpage debugging stage, requests initiated by developers are obtained to realize more timely webpage vulnerability scanning. The latter is suitable for installation on servers that provide relevant webpage services. Similarly, all request packets initiated from the outside can also be captured in a timely manner at the first time. For a website, the first access request for a new link on the line is generally initiated by the network administrator for debugging purposes. Even if it is not debugged by the network administrator, when it is uploaded to the server, the first access must be based on a request for the new link. The request packet initiated to the service by the webpage pointed to by the link, and through the above-mentioned limitation in the present invention, the obtained request packet comes from the server or the client used by the network administrator for debugging, and is necessary for the webpage to be accessed. Therefore, the present invention can obtain the request packet aiming at the latest webpage in most cases, which can theoretically cover all webpages, including isolated island webpages. However, only the part of these request packets that belong to the new link is finally scanned for vulnerabilities. Therefore, the present invention can avoid the drawbacks in the prior art that a full amount of detection is required each time to avoid missed scanning, thereby achieving a comprehensive security scanning effect in a lighter way.

3. The present invention further reduces repeated scanning of webpages that essentially belong to the same code by removing duplicate links in new links. For links such as news webpages and forum webpages, it is greatly optimized and deduplicated. The rate is very high, which further reduces the amount of invalid calculations during vulnerability scanning and improves the overall operating efficiency of the machine.

4. The source of the request packet of the present invention can be obtained by adding a browser plug-in to the browser of the requesting party that initiates the request, or by installing a client on the server that sets up the known specific website, etc. , the entire implementation architecture is very flexible and open, which is conducive to secondary development.

5. The present invention not only allows users to add known specific websites through the graphical user interface, but also provides a way for the program itself to dynamically determine known specific websites, and can also give corresponding warnings after vulnerability scanning, which has very strong interaction and excellent human-computer interaction effect.

In summary, the present invention realizes a more comprehensive and efficient technical solution for website security detection.

Additional aspects and advantages of the invention will be set forth in part in the description which follows, and will become apparent from the description, or may be learned by practice of the invention.

Description of drawings

The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, wherein:

Fig. 1 is the schematic diagram that the website security detection equipment of the present invention is connected to an existing network topology;

Fig. 2 is a schematic diagram of an existing network topology obtained by changing Fig. 1;

Fig. 3 is a schematic flow chart of an embodiment of a network security detection method of the present invention;

FIG. 4 is a schematic diagram of a subdivision process of step S12 of a network security detection method of the present invention;

5 is a schematic flow diagram of another embodiment of a network security detection method of the present invention;

Fig. 6 is a schematic diagram of the principle of an embodiment of a network security detection device of the present invention;

FIG. 7 is a schematic diagram of another embodiment of a network security detection device according to the present invention;

Fig. 8 is a schematic structural diagram of a novelty checking unit in a network security detection device of the present invention;

detailed description

Embodiments of the present invention are described in detail below, examples of which are shown in the drawings, wherein the same or similar reference numerals designate the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the figures are exemplary only for explaining the present invention and should not be construed as limiting the present invention.

Those skilled in the art will understand that unless otherwise stated, the singular forms "a", "an", "said" and "the" used herein may also include plural forms. It should be further understood that the word "comprising" used in the description of the present invention refers to the presence of said features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, Integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Additionally, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The expression "and/or" used herein includes all or any elements and all combinations of one or more associated listed items.

Those skilled in the art can understand that, unless otherwise defined, all terms (including technical terms and scientific terms) used herein have the same meaning as commonly understood by those of ordinary skill in the art to which this invention belongs. It should also be understood that terms, such as those defined in commonly used dictionaries, should be understood to have meanings consistent with their meaning in the context of the prior art, and unless specifically defined as herein, are not intended to be idealized or overly Formal meaning to explain.

Those skilled in the art can understand that the "terminal" and "terminal equipment" used here not only include wireless signal receiver equipment, which only has wireless signal receiver equipment without transmission capabilities, but also include receiving and transmitting hardware. A device having receiving and transmitting hardware capable of performing bi-directional communication over a bi-directional communication link. Such equipment may include: cellular or other communication equipment, which has a single-line display or a multi-line display or a cellular or other communication equipment without a multi-line display; PCS (Personal Communications Service, personal communication system), which can combine voice, data Processing, fax and/or data communication capabilities; PDA (Personal Digital Assistant, Personal Digital Assistant), which may include RF receiver, pager, Internet/Intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System , Global Positioning System) receiver; a conventional laptop and/or palmtop computer or other device having and/or including a radio frequency receiver. As used herein, a "terminal", "terminal device" may be portable, transportable, installed in a vehicle (air, sea, and/or land), or adapted and/or configured to operate locally, and/or In distributed form, the operation operates at any other location on Earth and/or in space. The "terminal" and "terminal equipment" used here can also be communication terminals, Internet terminals, music/video playback terminals, such as PDAs, MIDs (Mobile Internet Devices, mobile Internet devices) and/or with music/video playback terminals. Functional mobile phones, smart TVs, set-top boxes and other devices.

Those skilled in the art can understand that the concepts of server, cloud, and remote network equipment used here have equivalent effects, including but not limited to computers, network hosts, single network servers, multiple network server sets, or multiple servers. Composed of clouds. Here, the cloud is composed of a large number of computers or network servers based on cloud computing (Cloud Computing), wherein cloud computing is a kind of distributed computing, a super virtual computer composed of a group of loosely coupled computer sets. In the embodiment of the present invention, the communication between the remote network equipment, the terminal equipment and the WNS server can be realized through any communication method, including but not limited to, mobile communication based on 3GPP, LTE, WIMAX, based on TCP/IP, UDP protocol Computer network communication and short-distance wireless transmission methods based on Bluetooth and infrared transmission standards.

Those skilled in the art should understand that the concepts of "application", "application program", "application software" and similar expressions referred to in the present invention are the same concepts well known to those skilled in the art, and refer to a series of computer instructions and related Computer software that is organically constructed from data resources and suitable for electronic operation. Unless otherwise specified, this naming itself is not limited by the type of programming language, level, or the operating system or platform on which it runs. Naturally, such concepts are also not limited by any form of terminal.

The method and its device of the present invention can be implemented as software through programming, and installed in computer equipment for operation, thereby forming a website detection equipment. In order to further illustrate various embodiments of the present invention, it is possible to first understand the architecture implemented by the enterprise website server. Each enterprise may include one or more websites, and each enterprise website can be distributed and set up on one or more servers. Generally speaking, as shown in Figure 1, a simple corporate website may directly connect each server 81, 82 to a switch 80 to provide services. In a more complicated network topology as shown in Figure 2, multiple servers 81 , 82 may be respectively connected to different switches 80 to provide services. The equipment installed with the software of the present invention does not need to directly collect the request packet at the switch 80, but receives the hypertext transmission that is collected and encapsulated by other functional modules through the remote port to the server where the known specific website is located. The protocol requests the collection data of the packet, therefore, the device does not need to depend on the computer room, but can be directly connected to the Internet, and its pre-protocol remote port can be opened to receive the collection data collected by the client. As will be mentioned later, the implementation form of the client may include client programs and browser plug-ins, which are respectively applicable to browsers installed on servers where known specific websites are located and computer terminal equipment used to debug webpages superior.

Fig. 3 reveals an embodiment of the present invention through the form of step flow, and this embodiment belongs to the concrete realization of the core technology of the website security detection method of the present invention, comprises the following steps:

Step S11, receiving the collected data including the HTTP request packet through the remote port.

As mentioned above, the present invention can realize the data collection of the request packet through a similar C/S distributed structure. Specifically, the remote port is the communication port between the software (installed on a service host, that is, the detection device of the present invention) and its client that implements the website security detection method of the present invention, using the known TCP/IP protocol Such communication techniques can be readily implemented by those skilled in the art. After the client collects the HTTP request packet, it needs to send it to the software through the public network (or local area network in the same way). Based on the basic principles of computer communication, the data communication between the client and the detection equipment is expressed with the message as the basic data unit. Therefore, the collected data collected by the client including the HTTP request packet is also in the message. for transmission. The message contains the source IP address of the message and the destination IP address to be transmitted. The source IP address of the message is the IP address of the computer device where the client is located, and the destination IP address is obviously the detection device's IP address. IP address. Similarly, the request packet should include the source IP address of the request and the destination IP address to be transmitted. The source IP address of the request packet is the IP address of the computer that initiates the request, and its destination IP address is the IP address of the server where the website to be accessed is located. As a result, the detection device can determine the corresponding IP address by comparing the source IP address of the data collection message received by it with the source IP address and the destination IP address in the corresponding request packet contained in the data collection data. Whether the corresponding request comes from a requester client that initiates a request to a known specific website server, or a server that provides the known specific website to the requester. In this way, the source of the request packets can be identified, and the links in these request packets can be further utilized purposefully. The source of the identification request packet referred to herein does not require or exclude that the present invention is implemented by code during program design, and the source IP address of the collected data, the source IP address of the request packet, and the destination IP address of the request packet are checked when the process is running. Technology extraction and comparison, the explanation here of the present invention only indicates the logical connection between the source IP address of the collected data and the source IP address or destination IP address of the request packet, which should be fully understood by those skilled in the art, and can be flexibly Use these techniques.

The collection data received by the detection device may only contain one request packet or multiple request packets encapsulated by the communication protocol, which can be flexibly set by those skilled in the art, especially suitable for setting at time intervals, so that the collection of one transmission The number of request packets included in the data does not have to be the same. For example, the client is set to take every 10 minutes as a time unit, and after continuously collecting request packets, the request packets are packaged into the collected data and transmitted to the detection device. During this time period, more or less requests are initiated, which will not affect the implementation of the present invention.

The hypertext transfer protocol (HTTP) request packet includes two forms for website access, namely get request and post request. Although the two requests are different, they both belong to the processing object of the present invention. Generally speaking, the format of an HTTP request packet mainly includes: protocol, server domain name, port number, request packet path, get parameter name, post parameter name, extension, target server network segment, etc. Both the get request packet and the post request packet contain the URL of the webpage. The URL of a web page, that is, a hyperlink, has an agreed format from its domain name to its page. Among them, the end of the link is the description of the resource it points to, and the other part is the path. For example, the URL http://www.360.cn/test/admin.php, where http:// represents the protocol format, www.360.cn is the domain name, test is the directory in the website, and admin.php is the pointing The resource page, http://www.360.cn/test/ is the path of the link relative to the admin.php page. And http://www.360.cn/test/admin/admin.php is obviously a deeper link to http://www.360.cn/test/admin.php.

To adapt to different implementation forms, the collection data collected by the client and including HTTP request packets can be obtained in any one of the following ways or in combination:

1. A client program collection module for collecting request packets for initiating a web page access request is installed on the server providing the website access service.

According to the above-mentioned analysis, a collection module can be developed, and the collection module is the client program process running on the server. On the server of a specific website, after the client program runs, all the access requests initiated by the server as the target server will have their request packets collected by the client program. These request packets are sent to the remote port by forming the collection data in the form of the software protocol realized by the present invention in the detection equipment, after the present invention receives the collection data through the remote port, it is analyzed and obtained The corresponding HTTP request package. It can be seen that in this case, the destination IP address of the externally initiated request packet is the IP address of the server, and the source IP address of the message expressing the collected data is also the IP address of the server. Using this correspondence, the detection The device can then recognize that the source of the collected data it receives is the server responsible for responding to the request packets therein.

2. Install a browser plug-in on the browser of the device that initiates a request to a server that provides access to a known specific website.

In the same way, a browser plug-in can be developed and installed in the computer terminal device used for online debugging of the aforementioned webpages that provide known specific websites, so that once the browser is running and a certain link is used to access a certain When accessing the web page, the plug-in can obtain the request packet generated by the access, and then refer to the previous method to form the request packet into collected data and send it to the detection device through the remote port. After the detection device obtains the collected data of the browser plug-in, it can analyze it to obtain the corresponding HTTP request package. It can be seen that in this case, the source IP address of the request packet initiated by the browser is the IP address of the computer where it is located, and the source IP address of the message expressing the collected data is also the IP address of the computer. relationship, the detection device can identify that the source of the collected data it receives is the client that initiated the request.

Those skilled in the art should know that both the acquisition module and the browser plug-in implement the function of obtaining the request packet in essence, and both are computer programs, but the expression forms and application details are different. How to use programming to obtain the function of the request packet is known in the prior art. The present invention is not described in detail for the sake of simplicity of description. Those skilled in the art can obtain relevant knowledge from the prior art and practice it. Therefore, it can also be understood that the collection module can also be implemented in the client computer that initiates the request.

The above two different ways of obtaining the request packet are proposed based on different application requirements. No matter what specific method is adopted, the HTTP request packets in the collected data can be extracted with the help of existing technologies, so that these HTTP request packets can be further processed.

Step S12, using the links included in the request packet to determine new associated links belonging to known specific websites.

The website that the present invention is aimed at is specific, and generally is one or more known websites of the enterprise self that applies the method of the present invention, and these websites have some common features, and its links all explain on some specific IP address segments The owner of the domain name is the enterprise or the customer of the enterprise, or is the target website that the enterprise participates in the management of. More specifically, this specific relationship refers to the website that the software implemented by this method needs to pay attention to. On the technical level, whether it belongs to the website that the software needs to pay attention to is judged by the method of the present invention. Specifically, the interface can be artificially set, or it can be registered with a link and/or IP address and/or domain name Comprehensive judgment based on feature information. Therefore, the identification basis of the known specific website in the present invention should not only be understood as a certain domain name or its IP address, but should also include detection objects that are not artificially set in clear text, but are essentially included in the enterprise, including any Links that resolve to newly added domains that essentially belong to some of the IP addresses known to already be occupied by a particular website.

It can be seen that, compared with the crawler technology, although the present invention does not need to carefully select the seed URL, it is necessary to provide basic settings about some specific websites to set the known specific websites of the present invention. Corresponding to the foregoing description, there are various ways of setting these known specific websites. Given the process of a known specific website, no matter whether the given content is a resource locator such as an IP address or a domain name, it is essentially a link to the website, so this process is also essentially a process for determining the new link of the present invention process. The following further discloses several specific methods of the present invention for determining known specific websites and/or new links thereof:

1. Setting a known specific website and/or its associated new link by using a graphical user interface.

Specifically, when the software realized by the present invention runs for the first time, it will provide a graphical user interface for providing the user with the setting of some known specific websites. The setting is completed based on the content related to the website, thereby pre-determining one or more known specific websites. The predetermined content can be one or more domain names, such as so.com, 360.cn, etc., or the IP address corresponding to the server, as well as continuous IP address segments or discrete IP addresses composed of IP addresses. address range. These settings, as mentioned above, can be understood as an associated new link in essence, which can be stored in a list of known specific websites for subsequent calls of this method. It should be pointed out that this list of known specific websites is essentially equivalent to a link library, so it can be regarded as a link library for subsequent use, or as a data source of the link library. The link library referred to here is similar to crawler technology, and can be directly used as a subsequent queue to be scanned, or simply provide basic data for a subsequent queue to be scanned. Therefore, it can be seen that on this basis, these domain names or IP addresses and related information used to determine some known specific websites constitute a new link of the present invention, or at least can be used to construct a new link of the present invention, and become a new link of the present invention. The object that the software scans for the first time. In the follow-up maintenance, this method is used to continue to add new links. When the domain name of the new link is different from other known specific website domain names, it is essentially adding a new known specific website by expanding more domain names.

2. Using domain name registration information to determine associated new links to known specific websites.

Known associated new links for a particular website, including all links belonging to a website that is already registered (which can be identified by including a registered domain name) and/or all links to a website whose domain name is not registered. For the latter, it refers to the link obtained from the request package in this step, including the new domain name, which does not belong to the range of existing known specific website links. When it is a new link associated with a known specific website, it needs to be further determined through technical means whether it should be regarded as a new link associated with a known specific website. Therefore, by calling the interface provided by the domain name registration website, you can query the new domain name in this link to determine its registration feature information, including, for example, the owner of the domain name, the domain name record number, etc., and whether the registration feature information is consistent with the existing It is known that the registration characteristic information of the domain name of a specific website is the same, and if the two are the same, the new link is regarded as a new link related to the known specific website and used in this method; otherwise, the request packet is discarded and not processed. Then the new domain name and/or the new lower-level link can be directly added to a list of known specific websites as mentioned above for future use. Apparently, the operation of querying the characteristic information of new domain name registration can be done manually or by using software. When it is the former, it is actually a follow-up maintenance of the aforementioned first method. When it is the latter, the present invention realizes the dynamic expansion and maintenance of the list of known specific websites. If this known list of specific websites is the link library or the queue to be scanned, it is essentially maintaining a new link list, which can naturally be used as a plurality of correlations required by the present invention later on. The data base of the processing link.

3. Use the IP address to dynamically determine the associated new link of the known specific website.

As we all know, there is a mapping relationship between domain names and IP addresses. Therefore, the corresponding IP address can be determined through a known domain name, and the same website may be served by servers pointed to by multiple IP addresses. Therefore, there may be one-to-many, many-to-many mapping relationships between websites and IP addresses. In practice, corporate websites usually use IP address segments composed of consecutive IP addresses to set up their servers. In view of this, it is possible to determine the IP address segment occupied by the existing known specific website. When the new domain name in the link of the request packet contains one of the domain names that do not belong to the existing known specific website, then it can be compared whether the IP address pointed to by the new domain name belongs to the existing known specific website. If it is one of the IP addresses, then similarly, the link of the request packet can be regarded as a new link associated with a new known specific website and added to a list of known specific websites as described above. In the same way, if the list of known specific websites is the link library or the queue to be scanned, this processing method is essentially maintaining a new link list, which can naturally be used as the link list described later in the present invention. The data basis of multiple related processing links required.

It can be seen from this that one of the key points that the present invention is different from crawler technology is that the present invention has certain known specific websites, and these known specific websites can either be initialized artificially or by software implemented by this method. Dynamically identify and add, without strictly relying on the seed URL like crawler technology. Moreover, these known specific websites are essentially a series of links, and a list can be used for independent maintenance, or the list can be used as a link library, or even directly used as a queue to be scanned. How to use this list specifically is only the flexible combined use of database technology in this method, which is obvious to those skilled in the art. For example, in one mode, the list of known specific websites is essentially the queue to be scanned in the present invention. For new links, it is sufficient to add them to the list in order and attach corresponding unscanned signs. After scanning, change these signs to Characterizes the scanned description. In another way, the list is independent and is mainly used to record each domain name and corresponding IP address, while setting up a queue to be scanned. When a new link is identified, the domain name of the new link will be added to the list. The new link itself is added to the queue to be scanned, and in the future, all links containing this domain name do not need to be parsed, but are directly added to the queue to be scanned. In another way, the list of known specific websites, the link library, and the queue to be scanned are all independent of each other, and the list of known specific websites only knows the relevant storage domain names of the specific website, and the link library is used to store all identified and already identified Links related to a specific website are known, and the queue to be scanned is only used to store new links obtained from the link library. This method ensures the independence of various types of data and can be used for more complex purposes.

As mentioned above, any one of the above three methods can not only be used to determine the known specific website of the present invention, but also is essentially the process of the present invention for determining whether it belongs to the associated new link of the known specific website. In order to simplify the subsequent description and understanding, it is necessary to explain that in the following description, according to the foregoing method, the above-mentioned list of known specific websites is completely equivalent to the queue to be scanned disclosed later in the present invention. However, this simplification should be sufficient for those skilled in the art to extend it to application scenarios including using a link library to save valid links.

After the disclosure of the above content, those skilled in the art should be sufficient to implement this step after understanding the concept of the known specific website of the present invention. Further, after the determination of the known specific website and the determination method of the associated new link belonging to the known specific website are given above, it will be more helpful for those skilled in the art to understand more in-depth embodiments of this step. The above two levels actually give two different levels of variations of this step. Therefore, the implementation of this technical means utilizes the links contained in the request package and determines new associated links belonging to known specific websites. has been fully disclosed.

In order to further reflect the superiority of the invention, the subdivision steps of this step are further disclosed as follows to embody another embodiment realized according to this step. Please refer to Figure 4, the subdivision steps of this step include:

Step S121, extracting the links of all the obtained request packets.

The software realized by this method, after summarizing all the obtained request packets, extracts the links of the request packets. Since the http request packet contains the url of the web page, correspondingly, the corresponding link, that is, the url of the web page, can be restored from the http request packet. Some well-known technical analysis can be performed on these links in advance, such as analyzing whether they are valid links.

A valid link refers to a link that can normally open a web page or download a file. Invalid links refer to pages that are invalid and cannot provide any valuable information to users. When a link has no domain name, incomplete domain name, incomplete link, or no content in the post protocol packet, the link will be judged as an invalid link. Take a link with the domain name abcd.com as an example, if the domain name abcd.com does not appear in the link or only a part of the domain name such as ad.com appears in the link, then the link is invalid.

Analyze the link obtained from the request packet to determine whether the link is a valid link. If the link has no domain name, incomplete domain name, incomplete link, or no content in the post protocol data package, the link is determined to be an invalid link, and the invalid link is not Participate in subsequent processing; otherwise, it is a valid link, and only valid links will be processed later.

Step S122, removing duplicate links pointing to webpages with the same code among the extracted links.

Each of the extracted links mainly refers to valid links among them, which essentially point to a webpage of a corresponding known specific website, however, there may also be a large number of repeated links among these valid links. The so-called duplicate links refer to these links, which point to webpages with the same code, but provide different database access variables for the original webpage, resulting in different webpages in link content, but the loopholes of these webpages are completely identical.

For example, two valid links that start with each other and end with /a.php? =1 and /a.php? =2, these two links are actually only different in the data extracted from the database, among which "1" and "2" can be regarded as variables, so the difference between the two links is actually only the difference in variables, in this case, Any one of these links will point to the page that the other links point to, so only one link needs to be kept. Further, you can remove the tail variable, directly change the end of the link to /a.php, and delete all related links with variables, which can also achieve the same effect. This kind of repeated link pages is more common in forums.

As another example, link descriptions such as /data/2011201 and /data/2011202 are common at the end of webpages on news websites, and 2011201 and 2011202 should be regarded as variables in the same way. Except for these two variables, the rest of the text of the two links are the same, so it's essentially two duplicate links to a page with the same code.

In order to improve the calculation efficiency of the present invention, those skilled in the art should remove duplicate links from the extracted links by means including known techniques. In order to be more helpful to those skilled in the art in implementing the present invention, the following two optional or combined methods for removing duplicate links innovated by the present invention are listed for reference and implementation:

Method 1: sort the links first, and compare and analyze adjacent links. When it is found that the variables of each link are different and the rest of the content is exactly the same, it is determined that it is a plurality of links that are formed by accessing the database and only have different variables. Therefore, it is determined to be a duplicate link. In this case, only one of the many duplicate links is kept, and the rest are all deleted to remove the duplicate link.

Method 2: Sort the links first, and compare the signatures of the web pages pointed to by adjacent links. When the signatures are found to be the same, determine that these links are duplicate links, keep only one of the links, and delete the other links, so as to remove duplicate links .

The sorting in the above two methods and the means of taking adjacent links are not necessary, and those skilled in the art can replace them with all known algorithms that can help to improve the comparison, and will not be described in detail. It can be seen that by removing duplicate links, the obtained links have a certain unique web page pointing, which obviously helps to improve the execution efficiency of subsequent steps.

Step S123 , determining the associated new link among the links processed in the previous step, and adding the new link to the queue to be scanned.

As mentioned earlier, the process of determining a new link is essentially determining whether the link is associated with a known specific website that already exists. Therefore, determining a new link that belongs to a known specific website includes not only the Domain names, IP addresses or more specific links to the list of known specific websites (queue to be scanned), including some whose domain names do not appear in the list, but their mapped IP addresses have been recorded in the list Or the links that fall into the IP address segment or IP address segment range formed by the recorded IP addresses in the list. Therefore, determining the associated new link in this step is a process of flexibly using the above-mentioned three methods for determining the new link belonging to a known specific website or belonging to it. Obviously, it is easy to understand that it is flexible to use the above three methods, and you can choose only one of them, or you can choose any number of them at the same time. The first one, through manual registration, is suitable for registering a website domain name, and then all specific links under the domain name that have not been scanned (as mentioned above can be identified by identifying the status in the link library or in the queue to be scanned) identification) are regarded as new associated links of the website; the second one is to use domain name registration feature information to register, whether it is through human query or program realization, it can have the same effect as the first one, but The way to implement it in the program is the key to this step, which can improve the intelligence and automation of the program; the third one is to compare whether the IP address pointed to by the link of the request packet falls into the currently existing known The IP address pointed to by the link in the specific website list or the range of continuous IP address segments formed by it determines whether the request packet link is regarded as an associated new link belonging to a known specific website. This method can automatically expand the known Specific website list, if it is known that the specific website is a single list, then the domain name of the new link can be added to the list, and the new link is added to the link library (if any) and the queue to be scanned; if already The list of known specific websites is simultaneously used as a queue to be scanned, so directly adding the new link to the list of known specific websites is the process of adding the new link to the queue to be scanned.

After the effective links of the present invention have been screened in the above-mentioned process about new links by means of any one of the several ways disclosed above, all new links are obtained (if necessary, crawler technology can be used on the basis of these new links, Think of it as seed URL progress new link expansion), in order to facilitate the execution of subsequent steps, these new links are added to the queue to be scanned as mentioned above. Regardless of whether the queue to be scanned shares a table with the list of known specific websites, or further shares a table with the link library, or the queue to be scanned is a separate table, etc., as mentioned above, those skilled in the art will Common knowledge can be used to register all certain new links in the queue to be scanned, and to perform vulnerability scanning only on these new links in the future.

Step S13, implementing vulnerability scanning and detection on the webpage corresponding to the new link.

After flexible multiple variants of the above-mentioned steps are processed, and finally all new links are determined from all request packet links, vulnerability scanning and detection may be implemented on the web pages corresponding to these new links. Of course, the so-called concentration can generally be periodic in time. Because user requests are constantly occurring, this method can continuously obtain and analyze request packets, but it is impossible to start scanning and detection until the user no longer sends requests. Therefore, this step has only a logical relationship with other steps, and this logical relationship should not exclude their interspersed relationship in time. For example, a previously determined new link may be scanned while determining a new link. One process can continuously determine the reception of the request packet and determine the new link, and store the new link in the queue to be scanned, while the other process continuously scans the new link in the queue to be scanned. No matter how flexible the other steps are, this step only needs to pay attention to the new links in the queue to be scanned. Similarly, no matter how flexible this step is, the interface finally provided by the aforementioned steps also lies in a waiting list that stores new links. The scanning queue and the queue to be scanned undoubtedly become the interface between this step and the previous steps, and those skilled in the art should know this principle.

The corresponding relationship in the webpage corresponding to the new link mentioned in the present invention can refer to the relationship that the new link is directly mapped to the corresponding webpage in the website server by using the relationship between the domain name and the IP address, or it can refer to the downloading of the corresponding webpage. This indirect one-to-one correspondence is stored in the local webpage database later. Therefore, adapting to these two specific correspondences, one of the following two ways can be adopted to scan and detect the vulnerability of the webpage pointed to by the new link determined in the present invention.

Method 1: Obtain the new link recorded therein from the queue to be scanned, and then use the online webpage directly mapped by the new link to send a request to its web server, and use the web page returned by the web server to perform vulnerability scanning and detection. This method will increase the burden and processing time of the server where the new link is located, but it can appropriately save the calculation amount of the software implemented by this method.

Method 2: Use the new links recorded in the queue to be scanned to download the webpages directly mapped by these new links. The download method can be the same as method 1. Add these webpages to a local webpage library, and then update each of these local webpage libraries. Web pages implement vulnerability scanning and detection. Or, as mentioned above, two processes can be set up, one is used to continuously download the online webpages mapped by each new link to the local webpage library, and the other continuously scans and detects the vulnerabilities of the newly downloaded webpages in the local webpage library .

According to the above method, no matter how the new links in the queue to be scanned are used for vulnerability scanning and detection, obviously, the effect of vulnerability scanning and detection to be achieved by the non-invention will not be affected.

Specifically, when performing vulnerability scanning and detection, it is implemented in combination with website security detection vulnerability data and website security detection rules. The website security detection vulnerability data includes at least one of the following: Trojan horse data, false fraud data, search shielding data, margin data, tampering data, and vulnerability data. According to the website security detection vulnerability data, the website security detection is carried out according to the website security detection rules corresponding to the website security detection vulnerability data, wherein the website security detection rules include at least one of the following: hanging horse rules, false fraud rules, shielding rules, Aline rules, tamper rules, and loophole rules. The invention mainly utilizes loophole rules to scan webpages. Vulnerability rules are used to determine the vulnerabilities of a website based on vulnerability data.

According to the vulnerability data, the security inspection of the website according to the vulnerability rules includes: obtaining the vulnerability characteristics in the pre-stored vulnerability characteristic database, judging whether the vulnerability data conforms to the vulnerability characteristics, if the vulnerability data conforms to the vulnerability characteristics, it is determined as a vulnerability; If it meets the characteristics of a vulnerability, it is determined to be a non-vulnerability. Vulnerabilities existing in the website are determined according to the judgment result, wherein the vulnerability feature may be a vulnerability keyword. For example, use the webpage status code 404 as the vulnerability keyword; or, use the 404 page content as the vulnerability keyword; or, by accessing the normal webpage of the website, extract the webpage content, webpage status code and http header of the normal webpage, and access the For a webpage that does not exist on the website, extract the webpage content, webpage status code and http header of the feedback webpage, compare the webpage content, webpage status code and http header of the normal webpage and the feedback webpage, and obtain the 404 keyword as the vulnerability keyword; Or, visit a webpage that does not exist, and use the webpage content, webpage status code and http header of the feedback webpage as the vulnerability keywords, etc., and the present invention does not limit this.

Through the above-mentioned steps, the method of the present invention can complete the task of performing security detection on the website, and store the results of vulnerability scanning in corresponding files or databases for other uses. Further, in order to achieve a better human-computer interaction effect, the present invention can also optionally perform the following steps with reference to the embodiment disclosed in FIG. 5:

Step S14, displaying a graphical user interface to output the result information of vulnerability scanning and detection.

Since this method is suitable for programming, a graphical user interface can be implemented through this program. After the above-mentioned steps are performed to complete the vulnerability scanning and detection, the detection results are analyzed and counted, and the result information after mathematical processing is processed. The output to the graphical user interface can make the network administrator clear at a glance, so that it is convenient for the network administrator to repair the loopholes in the webpage.

After disclosing in detail various implementation forms of the above-mentioned method of the present invention, combined with modular thinking, embodiments of corresponding devices further realized by the method of the present invention are disclosed below, so that those skilled in the art can understand the present invention more thoroughly. It should be noted that the concepts and principles adopted in this method are similarly applicable to the corresponding device of the present invention, so the following description will be partially simplified.

Please refer to Fig. 6, the website safety detection device of the present invention is configured in a computer device used as a safety detection device, including a packet capture unit 11, a newness checking unit 12, a detection unit 13, and the embodiment shown in Fig. 7 The disclosed optionally includes a display unit 14 .

The packet capture unit 11 is used to receive the collected data including the hypertext transfer protocol request packet through the remote port.

As mentioned above, the present invention can realize the data collection of the request packet through a similar C/S distributed structure. Specifically, the remote port is the communication port between the software (installed on a service host, that is, the detection device of the present invention) and its client that implements the website security detection method of the present invention, using the known TCP/IP protocol Such communication techniques can be readily implemented by those skilled in the art. After the client collects the HTTP request packet, it needs to send it to the software through the public network (or local area network in the same way). Based on the basic principles of computer communication, the data communication between the client and the detection equipment is expressed with the message as the basic data unit. Therefore, the collected data collected by the client including the HTTP request packet is also in the message. for transmission. The message contains the source IP address of the message and the destination IP address to be transmitted. The source IP address of the message is the IP address of the computer device where the client is located, and the destination IP address is obviously the detection device's IP address. IP address. Similarly, the request packet should include the source IP address of the request and the destination IP address to be transmitted. The source IP address of the request packet is the IP address of the computer that initiates the request, and its destination IP address is the IP address of the server where the website to be accessed is located. As a result, the detection device can determine the corresponding IP address by comparing the source IP address of the data collection message received by it with the source IP address and the destination IP address in the corresponding request packet contained in the data collection data. Whether the corresponding request comes from a requester client that initiates a request to a known specific website server, or a server that provides the known specific website to the requester. In this way, the source of the request packets can be identified, and the links in these request packets can be further utilized purposefully. The source of the identification request packet referred to herein does not require or exclude that the present invention is implemented by code during program design, and the source IP address of the collected data, the source IP address of the request packet, and the destination IP address of the request packet are checked when the process is running. Technology extraction and comparison, the explanation here of the present invention only indicates the logical connection between the source IP address of the collected data and the source IP address or destination IP address of the request packet, which should be fully understood by those skilled in the art, and can be flexibly Use these techniques.

The collection data received by the detection device may only contain one request packet or multiple request packets encapsulated by the communication protocol, which can be flexibly set by those skilled in the art, especially suitable for setting at time intervals, so that the collection of one transmission The number of request packets included in the data does not have to be the same. For example, the client is set to take every 10 minutes as a time unit, and after continuously collecting request packets, the request packets are packaged into the collected data and transmitted to the detection device. During this time period, more or less requests are initiated, which will not affect the implementation of the present invention. The hypertext transfer protocol (HTTP) request packet includes two forms for website access, namely get request and post request. Although the two requests are different, they both belong to the processing object of the present invention. Generally speaking, the format of an HTTP request packet mainly includes: protocol, server domain name, port number, request packet path, get parameter name, post parameter name, extension, target server network segment, etc. Both the get request packet and the post request packet contain the URL of the web page. The URL of a web page, that is, a hyperlink, has an agreed format from its domain name to its page. Among them, the end of the link is the description of the resource it points to, and the other part is the path. For example, the URL http://www.360.cn/test/admin.php, where http:// represents the protocol format, www.360.cn is the domain name, test is the directory in the website, and admin.php is the pointing The resource page, http://www.360.cn/test/ is the path of the link relative to the admin.php page. And http://www.360.cn/test/admin/admin.php is obviously a deeper link to http://www.360.cn/test/admin.php.

To adapt to different implementation forms, the collection data collected by the client and including HTTP request packets can be obtained in any one of the following ways or in combination:

1. A client program collection module for collecting request packets for initiating a web page access request is installed on the server providing the website access service.

According to the above-mentioned analysis, a collection module can be developed, and the collection module is the client program process running on the server. On the server of a specific website, after the client program runs, all the access requests initiated by the server as the target server will have their request packets collected by the client program. These request packets are sent to the remote port by forming the collection data in the form of the software protocol realized by the present invention in the detection equipment, after the present invention receives the collection data through the remote port, it is analyzed and obtained The corresponding HTTP request package. It can be seen that in this case, the destination IP address of the externally initiated request packet is the IP address of the server, and the source IP address of the message expressing the collected data is also the IP address of the server. Using this correspondence, the detection The device can then recognize that the source of the collected data it receives is the server responsible for responding to the request packets therein.

2. Install a browser plug-in on the browser of the device that initiates a request to a server that provides access to a known specific website.

In the same way, a browser plug-in can be developed and installed in the computer terminal device used for online debugging of the aforementioned webpages that provide known specific websites, so that once the browser is running and a certain link is used to access a certain When accessing the web page, the plug-in can obtain the request packet generated by the access, and then refer to the previous method to form the request packet into collected data and send it to the detection device through the remote port. After the detection device obtains the collected data of the browser plug-in, it can analyze it to obtain the corresponding HTTP request package. It can be seen that in this case, the source IP address of the request packet initiated by the browser is the IP address of the computer where it is located, and the source IP address of the message expressing the collected data is also the IP address of the computer. relationship, the detection device can identify that the source of the collected data it receives is the client that initiated the request.

Those skilled in the art should know that both the acquisition module and the browser plug-in implement the function of obtaining the request packet in essence, and both are computer programs, but the expression forms and application details are different. How to use programming to obtain the function of the request packet is known in the prior art. The present invention is not described in detail for the sake of simplicity of description. Those skilled in the art can obtain relevant knowledge from the prior art and practice it. Therefore, it can also be understood that the collection module can also be implemented in the client computer that initiates the request. The above two different ways of obtaining the request packet are proposed based on different application requirements. No matter what specific method is adopted, the HTTP request packets in the collected data can be extracted with the help of existing technologies, so that these HTTP request packets can be further processed.

The novelty checking unit 12 is adapted to use the links included in the request packet to determine associated new links belonging to known specific websites.

The website that the present invention is aimed at is specific, is generally one or more known websites of the enterprise self that applies the device of the present invention, and these websites have some common characteristics, and its link all explains on some specific IP address segments, its The owner of the domain name is the enterprise or the customer of the enterprise, or is the target website that the enterprise participates in the management of. More specifically, this specific relationship refers to the website that the software that realizes this device needs to pay attention to. And whether it belongs to the website that the software needs to pay attention to is judged by the device of the present invention on a technical level. Specifically, the interface can be provided artificially, or it can be based on the link and/or IP address and/or domain name registration feature. Make comprehensive judgments based on information. Therefore, the identification basis of the known specific website in the present invention should not only be understood as a certain domain name or its IP address, but should also include detection objects that are not artificially set in clear text, but are essentially included in the enterprise, including any Links that resolve to newly added domains that essentially belong to some of the IP addresses known to already be occupied by a particular website.

It can be seen that, relative to crawler technology, although the present invention does not need to carefully select the seed URL, it is necessary to provide basic settings about some specific websites through a setting unit 120 (referring to FIG. specific site. Corresponding to the foregoing description, there are various ways of setting these known specific websites. Given the process of a known specific website, no matter whether the given content is a resource locator such as an IP address or a domain name, it is essentially a link to the website, so this process is also essentially a process for determining the new link of the present invention process. Several specific embodiments of the setting unit 120 of the present invention for determining a known specific website and/or its new link are further disclosed as follows:

1. The setting unit 120 may be configured to use a graphical user interface to set a known specific website and/or its associated new link.

Specifically, when the software realized by the present invention runs for the first time, it will provide a graphical user interface through the setting unit 120, which is used to provide the user with the setting of some known specific websites. The setting is completed by inputting content related to these known specific websites, so that one or more known specific websites are preset. The predetermined content can be one or more domain names, such as so.com, 360.cn, etc., or the IP address corresponding to the server, as well as continuous IP address segments or discrete IP addresses composed of IP addresses. address range. These setting contents, as mentioned above, can be understood as an associated new link in essence, which can be stored in a list of known specific websites so as to be called by other function modules of the device. It should be pointed out that this list of known specific websites is essentially equivalent to a link library, so it can be regarded as a link library for subsequent use, or as a data source of the link library. The link library referred to here is similar to crawler technology, and can be directly used as a subsequent queue to be scanned, or simply provide basic data for a subsequent queue to be scanned. Therefore, it can be seen that on this basis, these domain names or IP addresses and related information used to determine some known specific websites constitute a new link of the present invention, or at least can be used to construct a new link of the present invention, and become a new link of the present invention. The object that the software scans for the first time. In the follow-up maintenance, this method is used to continue to add new links. When the domain name of the new link is different from other known specific website domain names, it is essentially adding a new known specific website by expanding more domain names.

2. The setting unit 120 may be configured to use domain name registration information to determine a new associated link of a known specific website.

Known associated new links for a particular website, including all links belonging to a website that is already registered (which can be identified by including a registered domain name) and/or all links to a website whose domain name is not registered. For the latter, it refers to the link obtained from the request package, including the new domain name, which does not belong to the link scope of the existing known specific website. When a new link associated with a specific website is known, it needs to be further determined through technical means whether it should be regarded as a new link associated with a known specific website. Therefore, by calling the interface provided by the domain name registration website, you can query the new domain name in this link to determine its registration feature information, including, for example, the owner of the domain name, the domain name record number, etc., and whether the registration feature information is consistent with the existing It is known that the registration characteristic information of the domain name of the specific website is the same, and if the two are the same, the new link is regarded as a new link related to the known specific website and used in the device; otherwise, the request packet is discarded and not processed. Then the new domain name and/or its subordinate new links can be directly added to a list of known specific websites as mentioned above for future use. Apparently, the operation of querying the characteristic information of new domain name registration can be done manually or by using software. When it is the former, it is actually a follow-up maintenance of the aforementioned first method. When it is the latter, the present invention realizes the dynamic expansion and maintenance of the list of known specific websites. If this known list of specific websites is the link library or the queue to be scanned, it is essentially maintaining a new link list, which can naturally be used as a plurality of correlations required by the present invention later on. The data base of the processing link.

3. The setting unit 120 is configured to use the IP address to dynamically determine the associated new link of the known specific website.

As we all know, there is a mapping relationship between domain names and IP addresses. Therefore, the corresponding IP address can be determined through a known domain name, and the same website may be served by servers pointed to by multiple IP addresses. Therefore, there may be one-to-many, many-to-many mapping relationships between websites and IP addresses. In practice, corporate websites usually use IP address segments composed of consecutive IP addresses to set up their servers. In view of this, it is possible to determine the IP address segment occupied by the existing known specific website. When the new domain name in the link of the request packet contains one of the domain names that do not belong to the existing known specific website, then it can be compared whether the IP address pointed to by the new domain name belongs to the existing known specific website. If it is one of the IP addresses, then similarly, the link of the request packet can be regarded as a new link associated with a new known specific website and added to a list of known specific websites as described above. In the same way, if the list of known specific websites is the link library or the queue to be scanned, this processing method is essentially maintaining a new link list, which can naturally be used as the link list described later in the present invention. The data basis of multiple related processing links required.

It can be seen from this that one of the key points that the present invention is different from crawler technology is that the present invention has certain known specific websites, and these known specific websites can either be initialized artificially or by software equipped with the device. Dynamically identify and add, without strictly relying on the seed URL like crawler technology. Moreover, these known specific websites are essentially a series of links, and a list can be used for independent maintenance, or the list can be used as a link library, or even directly used as a queue to be scanned. How to use this list specifically is just the flexible combined use of database technology in this device, which is obvious to those skilled in the art. For example, in one mode, the list of known specific websites is essentially the queue to be scanned in the present invention. For new links, it is sufficient to add them to the list in order and attach corresponding unscanned signs. After scanning, change these signs to Characterizes the scanned description. In another way, the list is independent and is mainly used to record each domain name and corresponding IP address, while setting up a queue to be scanned. When a new link is identified, the domain name of the new link will be added to the list. The new link itself is added to the queue to be scanned, and in the future, all links containing this domain name do not need to be parsed, but are directly added to the queue to be scanned. In another way, the list of known specific websites, the link library, and the queue to be scanned are all independent of each other, and the list of known specific websites only knows the relevant storage domain names of the specific website, and the link library is used to store all identified and already identified Links related to a specific website are known, and the queue to be scanned is only used to store new links obtained from the link library. This method ensures the independence of various types of data and can be used for more complex purposes.

As mentioned above, the three implementations of the setting unit 120 can not only be used to determine the known specific website of the present invention, but also essentially can be used to determine the associated new link belonging to the known specific website. In order to simplify the subsequent description and understanding, it is necessary to explain that in the following description, according to the foregoing method, the above-mentioned list of known specific websites is completely equivalent to the queue to be scanned disclosed later in the present invention. However, this simplification should be sufficient for those skilled in the art to extend it to application scenarios including using a link library to save valid links.

After the disclosure of the above content, those skilled in the art should be able to implement the novelty search unit 12 after understanding the concept of the known specific website of the present invention. Further, after the various setting units 120 for determining the known specific website and the associated new link belonging to the known specific website are given above, it will be more helpful for those skilled in the art to have a deeper understanding of the novelty search unit 12. Example understanding. The above two levels actually provide two different levels of variants of the novelty search unit 12. Therefore, using the links contained in the request package and determining the associated new links belonging to the known specific website, this technology The implementation of the means has been fully disclosed.

In order to further demonstrate the superiority of the invention, the internal structure of the novelty search unit 12 in another embodiment is further disclosed as follows to reflect the details of another embodiment implemented according to the novelty search unit 12 . Referring to Fig. 8, the novelty checking unit 12 further includes an extracting module 121, a deduplication module 122 and an adding module 123:

The extraction module 121 is configured to extract links of all obtained request packets.

The software implemented by this device collects all the obtained request packets, and then uses the extraction module 121 to perform link extraction on the request packets. Since the http request packet contains the url of the web page, correspondingly, the corresponding link, that is, the url of the web page, can be restored from the http request packet. Some well-known technical analysis can be performed on these links in advance, such as analyzing whether they are valid links.

A valid link refers to a link that can normally open a web page or download a file. Invalid links refer to pages that are invalid and cannot provide any valuable information to users. When a link has no domain name, incomplete domain name, incomplete link, or no content in the post protocol packet, the link will be judged as an invalid link. Take a link with the domain name abcd.com as an example, if the domain name abcd.com does not appear in the link or only a part of the domain name such as ad.com appears in the link, then the link is invalid.

Analyze the link obtained from the request packet to determine whether the link is a valid link. If the link has no domain name, incomplete domain name, incomplete link, or no content in the post protocol data package, the link is determined to be an invalid link, and the invalid link is not Participate in subsequent processing; otherwise, it is a valid link, and only valid links will be processed later.

The deduplication module 122 is configured to remove duplicate links pointing to webpages with the same code among the extracted links.

Each of the extracted links mainly refers to valid links among them, which essentially point to a webpage of a corresponding known specific website, however, there may also be a large number of repeated links among these valid links. The so-called duplicate links refer to these links, which point to webpages with the same code, but provide different database access variables for the original webpage, resulting in different webpages in link content, but the loopholes of these webpages are completely identical.

For example, two valid links that start with each other and end with /a.php? =1 and /a.php? =2, these two links are actually only different in the data extracted from the database, among which "1" and "2" can be regarded as variables, so the difference between the two links is actually only the difference in variables, in this case, Any one of these links will point to the page that the other links point to, so only one link needs to be kept. Further, you can remove the tail variable, directly change the end of the link to /a.php, and delete all related links with variables, which can also achieve the same effect. This kind of repeated link pages is more common in forums.

As another example, link descriptions such as /data/2011201 and /data/2011202 are common at the end of webpages on news websites, and 2011201 and 2011202 should be regarded as variables in the same way. Except for these two variables, the rest of the text of the two links are the same, so it's essentially two duplicate links to a page with the same code.

In order to improve the calculation efficiency of the present invention, those skilled in the art should remove duplicate links from the extracted links by means including known techniques. The deduplication module 122 of the present invention further includes a duplication checking submodule and a removal submodule, the former is used to determine duplicate links, and the latter is used to implement a removal operation. In order to help those skilled in the art to implement the present invention, two optional implementations of the specific structure of the deduplication module 122 for removing duplicate links are listed below for reference:

One of the structural forms: the repeat checking sub-module first sorts the links, and compares and analyzes the adjacent links. When it is found that the variables of each link are different and the rest of the content is completely the same, it is determined that only other links are formed due to access to the database. Multiple links with different variables are therefore determined to be repeated links. In this case, the removing submodule only retains one of the many repeated links, and deletes all the others, so as to remove repeated links.

The second structural form: the repeat checking sub-module first sorts the links, compares the signatures of the webpages pointed to by adjacent links, and when the signatures are found to be the same, it is determined that these links belong to duplicate links, and the removing sub-module then only retains the One of the links, delete other links, so as to achieve the removal of duplicate links.

The sorting in the above two structural forms and the means of obtaining adjacent links are not necessary, and those skilled in the art can use all known algorithms that can help improve the comparison to replace them, and will not be described in detail. It can be seen that by removing duplicate links, the obtained links have a certain unique web page pointing, which obviously helps to improve the execution efficiency of other functional modules of the device.

The adding module 123 is configured to determine an associated new link among the links processed by the novelty checking unit 12, and add the new link to the queue to be scanned.

As mentioned earlier, the process of determining a new link is essentially determining whether the link is associated with a known specific website that already exists. Therefore, determining a new link that belongs to a known specific website includes not only the Domain names, IP addresses or more specific links to the list of known specific websites (queue to be scanned), including some whose domain names do not appear in the list, but their mapped IP addresses have been recorded in the list Or the links that fall into the IP address segment or IP address segment range formed by the recorded IP addresses in the list. Therefore, determining the associated new link in the adding module 123 is a process of flexibly using (calling) the various setting unit 120 instances disclosed above. Obviously, it is easy to understand that the use of the above three structural examples of the setting unit 120 is flexible, and only one of them may be selected, or any number of them may be selected at the same time. The first one, through manual registration, is suitable for registering a website domain name, and then all specific links under the domain name that have not been scanned (as mentioned above can be identified by identifying the status in the link library or in the queue to be scanned) identification) are regarded as new links to the website; the second one is to use domain name registration characteristic information to register, whether it is through human query or program realization, it can have the same effect as the first one, but the The way to implement in the program is the key that this add module 123 can adopt, which can improve the intelligence and automation of the program; the third one is to compare whether the IP address pointed to by the link of the request packet falls into the currently existing The IP address pointed to by the link in the known specific website list or the range of continuous IP address segments formed by it is used to determine whether the request packet link is regarded as an associated new link belonging to the known specific website. This method can automatically expand Known specific website list, if the known specific website is a single list, then the domain name of the new link can be added to the list, and the new link can be added to the link library (if any) and the queue to be scanned; If the list of known specific websites is simultaneously used as the queue to be scanned, then directly adding the new link to the list of known specific websites is the process of adding the new link to the queue to be scanned.

After the effective links of the present invention have been screened in the above-mentioned process about new links by means of several setting unit 120 examples disclosed above, all new links are obtained (if necessary, crawler technology can be used on the basis of these new links) , regard it as the seed URL progressing new link expansion), in order to facilitate the execution of other functional modules of the present invention, these new links are added to the queue to be scanned as described above. Regardless of whether the queue to be scanned shares a table with the list of known specific websites, or further shares a table with the link library, or the queue to be scanned is a separate table, etc., as mentioned above, those skilled in the art will Common knowledge can be used to register all certain new links in the queue to be scanned, and to perform vulnerability scanning only on these new links in the future.

The detection unit 13 is configured to perform vulnerability scanning detection on the webpage corresponding to the new link.

After processing through multiple flexible variants of the above steps, and finally determining all new links from all request packet links, the detection unit 13 can be used to centrally implement vulnerability scanning detection on the web pages corresponding to these new links. Of course, the so-called concentration can generally be periodic in time. Because user requests are constantly occurring, the device can continuously obtain and analyze request packets, but it is impossible to start scanning and detection until the user no longer sends requests. Therefore, the detection unit 13 has only a connection relationship with other functional modules, and this connection relationship should not exclude its interspersed relationship in time. For example, a previously determined new link may be scanned while determining a new link. One process can continuously determine the reception of the request packet and determine the new link, and store the new link in the queue to be scanned, while the other process continuously scans the new link in the queue to be scanned. No matter how flexibly and flexibly other functional modules are implemented, the detection unit 13 only needs to pay attention to the new links in the queue to be scanned. The to-be-scanned queue storing the new link undoubtedly becomes the interface between the detection unit 13 and the previous functional modules, and those skilled in the art should know this principle.

The corresponding relationship in the webpage corresponding to the new link mentioned in the present invention can refer to the relationship that the new link is directly mapped to the corresponding webpage in the website server by using the relationship between the domain name and the IP address, or it can refer to the downloading of the corresponding webpage. This indirect one-to-one correspondence is stored in the local webpage database later. Therefore, adapting to these two specific correspondences, two structural examples can be provided for the detection unit 13 of the device, and any of the following structures can be used to perform vulnerability scanning detection on the webpage pointed to by the new link determined in the present invention.

Structural Example 1. An acquisition unit acquires the new link recorded therein from the queue to be scanned, and then uses the online webpage directly mapped by the new link to send a request to its web server, and utilizes the web page returned by the web server to Vulnerability scanning and detection are performed by means of an implementation unit. This method will increase the burden and processing time of the server where the new link is located, but it can appropriately save the amount of computation using the software that implements the device.

Structural Example 2: After obtaining new links from the queue to be scanned by an acquisition unit, a download unit uses the new links to download the webpages directly mapped to these new links. The download method can be the same as that of structural example 1, adding these webpages to In a local webpage library, and then implement vulnerability scanning detection on each webpage in these local webpage libraries by means of an implementation unit. Or, as mentioned above, two processes can be set up, one is used to continuously download the online webpages mapped by each new link to the local webpage library, and the other continuously scans and detects the vulnerabilities of the newly downloaded webpages in the local webpage library .

According to the above method, no matter how the new links in the queue to be scanned are used for vulnerability scanning and detection, obviously, the effect of vulnerability scanning and detection to be achieved by the non-invention will not be affected.

Specifically, when performing vulnerability scanning and detection, it is implemented in combination with website security detection vulnerability data and website security detection rules. The website security detection vulnerability data includes at least one of the following: Trojan horse data, false fraud data, search shielding data, margin data, tampering data, and vulnerability data. According to the website security detection vulnerability data, the website security detection is carried out according to the website security detection rules corresponding to the website security detection vulnerability data, wherein the website security detection rules include at least one of the following: hanging horse rules, false fraud rules, shielding rules, Aline rules, tamper rules, and loophole rules. The invention mainly utilizes loophole rules to scan webpages. Vulnerability rules are used to determine the vulnerabilities of a website based on vulnerability data.

According to the vulnerability data, the security inspection of the website according to the vulnerability rules includes: obtaining the vulnerability characteristics in the pre-stored vulnerability characteristic database, judging whether the vulnerability data conforms to the vulnerability characteristics, if the vulnerability data conforms to the vulnerability characteristics, it is determined as a vulnerability; If it meets the characteristics of a vulnerability, it is determined to be a non-vulnerability. Vulnerabilities existing in the website are determined according to the judgment result, wherein the vulnerability feature may be a vulnerability keyword. For example, use the webpage status code 404 as the vulnerability keyword; or, use the 404 page content as the vulnerability keyword; or, by accessing the normal webpage of the website, extract the webpage content, webpage status code and http header of the normal webpage, and access the For a webpage that does not exist on the website, extract the webpage content, webpage status code and http header of the feedback webpage, compare the webpage content, webpage status code and http header of the normal webpage and the feedback webpage, and obtain the 404 keyword as the vulnerability keyword; Or, visit a webpage that does not exist, and use the webpage content, webpage status code and http header of the feedback webpage as the vulnerability keywords, etc., and the present invention does not limit this.

Through the above-mentioned steps, the device of the present invention can complete the task of performing security detection on the website, and store the results of vulnerability scanning in corresponding files or databases for other use. Further, in order to achieve a better human-computer interaction effect, the present invention may also optionally include a display unit 14:

The display unit 14 is configured to display a graphical user interface to output the result information of vulnerability scanning and detection.

The display unit 14 is configured to provide a graphical user interface. After the detection unit 13 completes the vulnerability scanning detection, the detection results are analyzed and counted, and the result information after the mathematical processing is output to the graphical user interface, which can Make it clear to the network administrator at a glance, so that it is convenient for the network administrator to patch the loopholes in the webpage.

To sum up, the present invention can discover known specific websites and their new links in time, and can implement loophole detection on these new links in real time, avoid missing detection, and can avoid unnecessary detection of invalid links and duplicate links, with high efficiency And the advantages of timely maintenance of website security.

Embodiments of the invention disclose:

A1. A website security detection method, characterized in that, comprising the following steps:

Receive the collected data including the hypertext transfer protocol request packet through the remote port;

Using the links contained in the request packet to determine associated new links belonging to known specific websites;

Implement vulnerability scanning and detection on the webpage corresponding to the new link.

A2. The website security detection method according to claim A1, wherein the source IP address of the collected data is the destination IP address of the request packet.

3. The network security detection method according to claim A2, wherein the collected data comes from a collection module installed on the device at the source IP address.

A4. The website security detection method according to claim A1, wherein the source IP address of the collected data is the source IP address in the request packet.

A5. The website security detection method according to claim A4, wherein the collected data originates from a browser plug-in installed on the device of the source IP address.

A6. The website security detection method according to claim A1, characterized in that before determining the associated new link belonging to a known specific website, summarizing the links contained in the request package and removing duplicate links therein.

A7. The website security detection method according to claim A6, wherein the step of removing duplicate links comprises the following subdivision steps:

Multiple links formed by accessing the database that differ only in their variables are identified as duplicate links;

Only keep one of the duplicate links to remove duplicate links.

A8. The website security detection method according to claim A6, wherein the step of removing duplicate links comprises the following subdivision steps:

Identify multiple links with the same signature as duplicate links;

Only keep one of the duplicate links to remove duplicate links.

A9. The website security detection method according to claim A1, characterized in that, the known specific website and/or its new link is preset by receiving user settings through a graphical user interface.

A10. The website security detection method according to claim A8, wherein the set content received by the graphical user interface includes a domain name or an IP address pointing to the website.

A11. The website security detection method according to claim A1, characterized in that, by determining that the IP address pointed to by the link in the request packet belongs to the IP address pointed to by the known specific website or the IP address segment to which it belongs The link is determined to be a new link associated with a known specific website.

A12. The website security detection method according to claim A1, characterized in that the link is determined by comparing the registration feature information of the linked domain name in the request packet with the registration feature information of the domain name of a known specific website A new link for an association belonging to a known specific website.

A13. The website security detection method according to claim A1, wherein a known specific website list is provided for recording domain names and/or corresponding IP addresses of one or more known specific websites.

A14. The website security detection method according to claim A1, wherein the step of using the link contained in the request packet to determine the associated new link belonging to a known specific website includes the following subdivision steps:

Extract links to all request packages that have been fetched;

Remove duplicate links pointing to web pages with the same code from the extracted links;

Identify new links among them and add the new links to the queue to be scanned.

A15. The website security detection method according to claim A1, wherein the step of implementing vulnerability scanning to the webpage corresponding to the new link includes the following subdivision steps:

acquiring the new link from a queue to be scanned for recording the new link;

Vulnerability scanning is performed on the webpage mapped to the new link.

A16. The website security detection method according to claim A1, wherein the step of implementing vulnerability scanning to the webpage corresponding to the new link includes the following subdivision steps:

acquiring the new link from a queue to be scanned for recording the new link;

Obtain the webpage mapped by the new link in the queue to be scanned and add it to the local webpage library;

Implement vulnerability scanning and detection on the webpages in the webpage library downloaded according to the new link.

A17. The website security detection method according to claim A1, characterized in that, the method comprises a subsequent step: displaying a graphical user interface to output the result information of vulnerability scanning detection.

B18. A website security detection device, characterized in that, comprising:

A packet capture unit is used to receive the collection data comprising a hypertext transfer protocol request packet through a remote port;

A novelty checking unit, adapted to use the links contained in the request packet to determine associated new links belonging to known specific websites;

The detection unit is configured to perform vulnerability scanning detection on the webpage corresponding to the new link.

B19. The website security detection method according to claim B18, wherein the source IP address of the collected data obtained by the packet capture unit is the destination IP address of the request packet.

B20. The network security detection method according to claim B19, wherein the collected data comes from a collection module installed on the device of the source IP address.

B21. The website security detection method according to claim B18, characterized in that the source IP address of the data collected by the packet capture unit is the source IP address in the request packet.

B22. The website security detection method according to claim B21, wherein the collected data originates from a browser plug-in installed on the device of the source IP address.

B23. The website security detection device according to claim B18, wherein the novelty checking unit is configured to summarize the links contained in the request package and Remove duplicate links from it.

B24. The website safety detection device according to claim B23, wherein the novelty checking unit includes:

A duplicate checking submodule is used to determine multiple links that are only different in variables formed by accessing the database as repeated links;

Removing sub-modules is suitable for implementing only one of the repeated links is retained to achieve the removal of repeated links.

B25. The website security detection device according to claim B23, wherein the novelty checking unit includes:

Duplicate checking sub-module, used to determine multiple links with the same signature as duplicate links;

Removing sub-modules is suitable for implementing only one of the repeated links is retained to achieve the removal of repeated links.

B26. The website safety detection device according to claim B18, characterized in that the device also includes a setting unit for displaying a graphical user interface to receive user settings, thereby presetting the known specific website and/or its new links.

B27. The website security detection device according to claim B26, wherein the set content received by the graphical user interface includes a domain name or an IP address pointing to a website.

B28. The website security detection device according to claim B18, characterized in that the device also includes a setting unit configured to determine that the IP address pointed to by the link in the request packet belongs to the known specific website pointed to The IP address or the IP address segment it belongs to determines the link as an associated new link belonging to a known specific website.

B29. The website security detection device according to claim B18, characterized in that the device also includes a setting unit configured to compare the registration feature information of the linked domain name in the request packet with the registration feature information of a known specific website The registered characteristic information of the domain name is the same, and the link is determined as a new associated link belonging to the known specific website.

B30. The website security detection device according to claim B18, characterized in that, the device also includes a list of known specific websites for recording the domain names of one or more described known specific websites and/or their corresponding IP address.

B31. The website security detection device according to claim B18, characterized in that, the novelty checking unit comprises:

Extraction module, used to extract the links of all the request packages that have been obtained;

The deduplication module is used to remove duplicate links pointing to webpages with the same code in the links extracted by the extraction module;

The adding module is configured to determine a new link therein, and add the new link to a queue to be scanned.

B32. The website security detection device according to claim B18, wherein said detection unit comprises:

an acquiring unit configured to acquire the new link from a queue to be scanned for recording the new link;

The implementation unit is configured to implement vulnerability scanning and detection on the webpage mapped to the new link.

B33. The website security detection device according to claim B18, wherein said detection unit comprises:

an acquiring unit configured to acquire the new link from a queue to be scanned for recording the new link;

A downloading unit, configured to download the webpage mapped by the new link in the queue to be scanned and add it to the local webpage library;

The implementation unit is used for implementing vulnerability scanning and detection on the webpages in the webpage library downloaded according to the new link.

B34. The website security detection device according to claim B18, characterized in that the device comprises a display unit for displaying a graphical user interface to output the result information of implementing vulnerability scanning detection.

It should be noted that the algorithms and formulas presented herein are not inherently related to any particular computer, virtual system, or other device. Various general systems can also be used with the examples based here. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline the present invention and to facilitate an understanding of one or more of its various aspects, various features of the invention are sometimes grouped together into a single embodiment , figure, or description of it. This disclosed method and apparatus, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings) and any method or method so disclosed may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. and form different embodiments. .

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all functions of some or all components in the website security detection device according to the embodiment of the present invention. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

The above descriptions are only part of the embodiments of the present invention. It should be pointed out that those skilled in the art can make some improvements and modifications without departing from the principles of the present invention. It should be regarded as the protection scope of the present invention.

Claims (34)

1. A website security detection method, is characterized in that, comprises the following steps: Receive the collected data including the hypertext transfer protocol request packet through the remote port; Utilize the link contained in the request packet to determine the associated new link belonging to the known specific website, the known specific website refers to one or more known websites, the links of which are all interpreted to a specific IP address segment; Implement vulnerability scanning and detection on the webpage corresponding to the new link. 2. The website security detection method according to claim 1, wherein the source IP address of the collected data is the destination IP address of the request packet. 3. The network security detection method according to claim 2, wherein the collected data comes from a collection module installed on the device at the source IP address. 4. The website security detection method according to claim 1, wherein the source IP address of the collected data is the source IP address in the request packet. 5. The website security detection method according to claim 4, wherein the collected data originates from a browser plug-in installed on the device at the source IP address. 6 . The website security detection method according to claim 1 , wherein before determining the associated new link belonging to a known specific website, the links included in the request packet are summarized and duplicate links are removed. 7 . 7. The website security detection method according to claim 6, wherein the step of removing duplicate links comprises the following subdivision steps: Multiple links formed by accessing the database that differ only in their variables are identified as duplicate links; Only keep one of the duplicate links to remove duplicate links. 8. The website security detection method according to claim 6, wherein the step of removing duplicate links comprises the following subdivision steps: Identify multiple links with the same signature as duplicate links; Only keep one of the duplicate links to remove duplicate links. 9. The website security detection method according to claim 1, characterized in that, the known specific website and/or its new link is preset by receiving user settings through a graphical user interface. 10 . The website security detection method according to claim 8 , wherein the set content received by the graphical user interface includes a domain name or an IP address pointing to the website. 11 . 11. The website security detection method according to claim 1, characterized in that, by determining that the IP address pointed to by the link in the request packet belongs to the IP address pointed to by the known specific website or the IP address segment to which it belongs The link is determined to be a new link associated with a known specific website. 12. The website security detection method according to claim 1, wherein the link is determined by comparing the registration characteristic information of the domain name of the link in the request packet with the registration characteristic information of the domain name of a known specific website. A new link for an association belonging to a known specific website. 13. The website security detection method according to claim 1, characterized in that a list of known specific websites is provided for recording domain names and/or corresponding IP addresses of one or more said known specific websites. 14. The website security detection method according to claim 1, wherein the step of using the links contained in the request packet to determine the associated new links belonging to a known specific website comprises the following subdivision steps: Extract links to all request packages that have been fetched; Remove duplicate links pointing to webpages with the same code from the extracted links, and keep only one of the duplicate links for duplicate links; Identify new links among them and add the new links to the queue to be scanned. 15. The website security detection method according to claim 1, wherein the step of implementing vulnerability scanning on the web page corresponding to the new link includes the following subdivision steps: acquiring the new link from a queue to be scanned for recording the new link; Vulnerability scanning is performed on the webpage mapped to the new link. 16. The website security detection method according to claim 1, wherein the step of implementing vulnerability scanning on the webpage corresponding to the new link comprises the following subdivision steps: acquiring the new link from a queue to be scanned for recording the new link; Obtain the webpage mapped by the new link in the queue to be scanned and add it to the local webpage library; Implement vulnerability scanning and detection on the webpages in the webpage library downloaded according to the new link. 17. The website security detection method according to claim 1, characterized in that the method comprises a subsequent step: displaying a graphical user interface to output the result information of vulnerability scanning detection. 18. A website security detection device, characterized in that it comprises: A packet capture unit is used to receive the collection data comprising a hypertext transfer protocol request packet through a remote port; The novelty checking unit is adapted to use the link contained in the request packet to determine the associated new link belonging to the known specific website, and the known specific website refers to one or more known websites, the links of which are all interpreted to a specific IP on the address segment; The detection unit is configured to perform vulnerability scanning detection on the webpage corresponding to the new link. 19. The website security detection method according to claim 18, wherein the source IP address of the collected data obtained by the packet capture unit is the destination IP address of the request packet. 20. The network security detection method according to claim 19, wherein the collected data comes from a collection module installed on the device at the source IP address. 21. The website security detection method according to claim 18, characterized in that the source IP address of the data collected by the packet capture unit is the source IP address in the request packet. 22. The website security detection method according to claim 21, wherein the collected data comes from a browser plug-in installed on the device at the source IP address. 23. The website security detection device according to claim 18, wherein the novelty checking unit is configured to summarize the links contained in the request packet and Remove duplicate links in it. 24. The website security detection device according to claim 23, wherein the novelty checking unit comprises: A duplicate checking submodule is used to determine multiple links that are only different in variables formed by accessing the database as repeated links; Removing sub-modules is suitable for implementing only one of the repeated links is retained to achieve the removal of repeated links. 25. The website security detection device according to claim 23, wherein the novelty checking unit comprises: Duplicate checking sub-module, used to determine multiple links with the same signature as duplicate links; Removing sub-modules is suitable for implementing only one of the repeated links is retained to achieve the removal of repeated links. 26. The website safety detection device according to claim 18, characterized in that the device further comprises a setting unit for displaying a graphical user interface to receive user settings, thereby presetting the known specific website and/or its new links. 27. The website security detection device according to claim 26, characterized in that the set content received by the graphical user interface includes a domain name or an IP address pointing to a website. 28. The website security detection device according to claim 18, characterized in that the device further comprises a setting unit configured to determine that the IP address pointed to by the link in the request packet belongs to the known specific website pointed to The IP address or the IP address segment it belongs to determines the link as an associated new link belonging to a known specific website. 29. The website security detection device according to claim 18, characterized in that the device further comprises a setting unit configured to compare the registration characteristic information of the linked domain name in the request packet with the registration feature information of the known specific website The registered characteristic information of the domain name is the same, and the link is determined as a new associated link belonging to the known specific website. 30. The website security detection device according to claim 18, characterized in that, the device also includes a list of known specific websites for recording the domain names of one or more of the known specific websites and/or their corresponding IP address. 31. The website security detection device according to claim 18, wherein the novelty checking unit comprises: Extraction module, used to extract the links of all the request packages that have been obtained; The de-duplication module is used to remove duplicate links pointing to webpages with the same code among the links extracted by the extraction module, and only keep one of the duplicate links for duplicate links; The adding module is configured to determine a new link therein, and add the new link to a queue to be scanned. 32. The website security detection device according to claim 18, wherein the detection unit comprises: an acquiring unit configured to acquire the new link from a queue to be scanned for recording the new link; The implementation unit is configured to implement vulnerability scanning and detection on the webpage mapped to the new link. 33. The website security detection device according to claim 18, wherein the detection unit comprises: an acquiring unit configured to acquire the new link from a queue to be scanned for recording the new link; A downloading unit, configured to download the webpage mapped by the new link in the queue to be scanned and add it to the local webpage library; The implementation unit is used for implementing vulnerability scanning and detection on the webpages in the webpage library downloaded according to the new link. 34. The website security detection device according to claim 18, characterized in that the device comprises a display unit for displaying a graphical user interface for outputting result information of vulnerability scanning detection.