
CN109347882B - Webpage Trojan horse monitoring method, device, equipment and storage medium - Google Patents

Info

Publication number: CN109347882B
Authority: CN (China)
Prior art keywords: detection, monitoring, trojan, data, webpage
Legal status: Active
Application number: CN201811469346.0A
Other languages: Chinese (zh)
Other versions: CN109347882A (en)
Inventors: 占承辉, 周欣
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811469346.0A
Publication of CN109347882A
Application granted
Publication of CN109347882B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a webpage Trojan monitoring method comprising the following steps: simulating a browser to access a monitored site to obtain a response data packet returned by the monitored site; parsing the response data packet to extract related data from it, wherein the related data comprises Domain data, IP data, and URL data; and performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site. The invention also discloses a webpage Trojan monitoring device, equipment, and a computer-readable storage medium. The invention improves the recognition of webpage Trojans and ensures website security to the greatest extent.

Description

Webpage Trojan horse monitoring method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a webpage Trojan horse monitoring method, a webpage Trojan horse monitoring device, webpage Trojan horse monitoring equipment and a computer readable storage medium.
Background
A webpage Trojan is a file disguised on the surface as an ordinary webpage file, or a normal webpage file into which malicious code has been directly inserted. When someone visits it, the webpage Trojan exploits a vulnerability in the visitor's system or browser to automatically download a configured Trojan server to the visitor's computer, where it executes automatically. Web mining Trojans are one example. Web mining Trojans spread very widely: as soon as a visitor's browser opens a site into which a web mining Trojan has been maliciously implanted, the browser immediately executes mining instructions. The visitor's computer is reduced to a zombie machine that supplies computing power, without compensation, to whoever implanted the web mining Trojan, and indirectly produces virtual currency for them.
At present, webpage Trojans are mainly detected in the following ways:
1. Detection based on webpage signatures (feature codes). This technique has two defects. The first is false positives: a page that merely contains keywords describing the features of a web mining Trojan can be misreported as a web mining Trojan. The second is missed detections: some webpages containing malicious code obfuscate that code, which defeats signature matching.
2. Detection based on vulnerability characteristics. This method can only detect known, publicly disclosed vulnerabilities, so missed detections occur easily. The traditional technique of detecting web mining Trojans through known vulnerabilities is becoming less and less effective.
Disclosure of Invention
The invention mainly aims to provide a webpage Trojan horse monitoring method, a webpage Trojan horse monitoring device, equipment and a computer readable storage medium, and aims to solve the technical problem that the existing webpage Trojan horse detection technology is poor in identification effect.
In order to achieve the above object, the present invention provides a web page Trojan horse monitoring method, which comprises the following steps:
simulating a browser to access a monitored site to obtain a response data packet returned by the monitored site;
parsing the response data packet to extract related data from it, wherein the related data comprises: Domain data, IP data, and URL data;
and performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site.
Optionally, performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site comprises:
requesting access to the Domain data, the IP data and the URL data respectively, to obtain the response data packet corresponding to each request;
performing static detection on the response data packet returned by the monitored site and on the response data packets corresponding to the requests, respectively, to obtain a first detection result;
determining whether a downloaded file exists in the response data packets corresponding to the requests;
if a downloaded file exists, performing static detection and dynamic heuristic detection on the downloaded file, respectively, to obtain a second detection result;
and if the first detection result and/or the second detection result is abnormal, determining that a webpage Trojan exists on the monitored site.
Optionally, performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site further comprises:
if the first detection result and the second detection result are both normal, querying a database for matching address information based on the Domain data, the IP data and the URL data respectively, wherein the database stores address information corresponding to APIs (application programming interfaces) used by webpage Trojans;
if the database contains address information matching any one or more of the Domain data, the IP data and the URL data, determining that an API used by a webpage Trojan exists in the response data packet returned by the monitored site;
and if an API used by a webpage Trojan exists in the response data packet returned by the monitored site, determining that a webpage Trojan exists on the monitored site.
Optionally, performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site further comprises:
if the first detection result and the second detection result are both normal, analyzing, through predefined lexical rules, whether malicious code used by webpage Trojans exists in the response data packet returned by the monitored site, and analyzing the family type of the malicious code;
and if so, determining that a webpage Trojan of that family type exists on the monitored site.
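The two fallback checks described above (address-information database matching and predefined lexical rules), as an added example that is not code from the patent. The database entries, rule sequences, family names and `.example` hosts are constructed for illustration, and running the address check before the lexical check is an assumption.

```python
import ipaddress
import re

# Constructed address database: addresses tied to APIs used by webpage Trojans.
ADDRESS_DB = {
    "domain": {"miner.example"},  # a listed domain also covers its subdomains
    "ip": {"203.0.113.7"},
    "url_prefix": {"https://cdn.static.example/lib/miner"},
}

# Constructed lexical rules: a token sequence and the family it indicates.
# "<str>" stands for any string literal.
LEXICAL_RULES = [
    ("ExampleMinerA", ["new", "ExMiner", ".", "Anonymous", "(", "<str>"]),
    ("ExampleMinerB", ["startExampleHashing", "(", "<str>", ","]),
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<punct>[^\s\w])
""", re.X | re.S)


def tokenize(script):
    """Split script text into tokens; comments and whitespace are dropped."""
    tokens = []
    for match in TOKEN_RE.finditer(script):
        if match.lastgroup == "comment":
            continue
        tokens.append("<str>" if match.lastgroup == "string" else match.group())
    return tokens


def match_address_db(related):
    """Return (kind, value) pairs from the related data found in ADDRESS_DB."""
    hits = []
    for host in related.get("domain", []):
        labels = host.lower().rstrip(".").split(".")
        # Compare the host and each parent domain, on label boundaries only.
        suffixes = (".".join(labels[i:]) for i in range(len(labels)))
        if any(s in ADDRESS_DB["domain"] for s in suffixes):
            hits.append(("domain", host))
    for ip in related.get("ip", []):
        if str(ipaddress.ip_address(ip)) in ADDRESS_DB["ip"]:
            hits.append(("ip", ip))
    for url in related.get("url", []):
        if any(url.startswith(p) for p in ADDRESS_DB["url_prefix"]):
            hits.append(("url", url))
    return hits


def classify_family(html):
    """Return the family whose token rule matches a script in the page."""
    for body in SCRIPT_RE.findall(html):
        tokens = tokenize(body)
        for family, pattern in LEXICAL_RULES:
            width = len(pattern)
            for i in range(len(tokens) - width + 1):
                if tokens[i:i + width] == pattern:
                    return family
    return None


def fallback_verdict(first_abnormal, second_abnormal, related, html):
    """Apply the fallback checks only when both earlier results are normal."""
    if first_abnormal or second_abnormal:
        return {"trojan": True, "stage": "first/second", "detail": None}
    hits = match_address_db(related)
    if hits:
        return {"trojan": True, "stage": "address-db", "detail": hits}
    family = classify_family(html)
    if family:
        return {"trojan": True, "stage": "lexical", "detail": family}
    return {"trojan": False, "stage": None, "detail": None}


# Constructed pages: one loads the script, one only mentions it in text.
PAGE_WITH_SCRIPT = ('<html><script>/* init */ var m = new  ExMiner . Anonymous'
                    ' ( "SITE-KEY" ); m.start();</script></html>')
PAGE_MENTION_ONLY = ('<html><p>How new ExMiner.Anonymous("k") works</p>'
                     '<script>var help = "new ExMiner.Anonymous(\'k\')";'
                     '</script></html>')

if __name__ == "__main__":
    empty = {"domain": [], "ip": [], "url": []}
    print(fallback_verdict(False, False, empty, PAGE_WITH_SCRIPT))
    print(fallback_verdict(False, False, empty, PAGE_MENTION_ONLY))
```

Because the rules run on script tokens, the second page, which only mentions the call in text and inside a string literal, is not flagged.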
Optionally, the webpage Trojan monitoring method further comprises:
when it is determined that a webpage Trojan exists on the monitored site, pushing an early warning message in real time through a preset communication interface, wherein the communication interface comprises: a WeChat public interface and a mail interface.
Optionally, the webpage Trojan monitoring method further comprises:
if it is determined that no webpage Trojan exists on the monitored site, executing the webpage Trojan monitoring task on the monitored site at every preset interval.
Further, in order to achieve the above object, the present invention also provides a webpage Trojan monitoring device, comprising:
a simulation module, configured to simulate a browser to access a monitored site to obtain a response data packet returned by the monitored site;
an analysis module, configured to parse the response data packet to extract related data from it, wherein the related data comprises: Domain data, IP data, and URL data;
and a detection module, configured to perform multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site.
Optionally, the detection module comprises: a first detection submodule;
the first detection submodule is configured to: request access to the Domain data, the IP data and the URL data respectively, to obtain the response data packet corresponding to each request; perform static detection on the response data packet returned by the monitored site and on the response data packets corresponding to the requests, respectively, to obtain a first detection result;
determine whether a downloaded file exists in the response data packets corresponding to the requests; if a downloaded file exists, perform static detection and dynamic heuristic detection on the downloaded file, respectively, to obtain a second detection result; and if the first detection result and/or the second detection result is abnormal, determine that a webpage Trojan exists on the monitored site.
Optionally, the detection module further comprises: a second detection submodule;
the second detection submodule is configured to: if the first detection result and the second detection result are both normal, query a database for matching address information based on the Domain data, the IP data and the URL data respectively, wherein the database stores address information corresponding to APIs (application programming interfaces) used by webpage Trojans;
if the database contains address information matching any one or more of the Domain data, the IP data and the URL data, determine that an API used by a webpage Trojan exists in the response data packet returned by the monitored site; and if an API used by a webpage Trojan exists in the response data packet returned by the monitored site, determine that a webpage Trojan exists on the monitored site.
Optionally, the detection module further comprises: a third detection submodule;
the third detection submodule is configured to: if the first detection result and the second detection result are both normal, analyze, through predefined lexical rules, whether malicious code used by webpage Trojans exists in the response data packet returned by the monitored site, and analyze the family type of the malicious code; and if so, determine that a webpage Trojan of that family type exists on the monitored site.
Optionally, the webpage Trojan monitoring device further comprises:
an early warning module, configured to push an early warning message in real time through a preset communication interface when it is determined that a webpage Trojan exists on the monitored site, wherein the communication interface comprises: a WeChat public interface and a mail interface.
Optionally, the webpage Trojan monitoring device further comprises:
a task scheduling module, configured to execute the webpage Trojan monitoring task on the monitored site at every preset interval if it is determined that no webpage Trojan exists on the monitored site.
Further, in order to achieve the above object, the present invention also provides webpage Trojan monitoring equipment, which comprises a memory, a processor, and a webpage Trojan monitoring program stored in the memory and runnable on the processor; when the webpage Trojan monitoring program is executed by the processor, the steps of the webpage Trojan monitoring method described in any one of the above are implemented.
Further, to achieve the above object, the present invention also provides a computer-readable storage medium on which a webpage Trojan monitoring program is stored; when executed by a processor, the webpage Trojan monitoring program implements the steps of the webpage Trojan monitoring method described in any one of the above.
In the invention, webpage Trojan detection first simulates a browser to access a monitored site to obtain the response data packet returned by the monitored site; it then parses the response data packet to extract the Domain data, the IP data and the URL data from it; finally, it performs multiple detections based on the response data packet, the Domain data, the IP data and the URL data, and judges from the detection results whether a webpage Trojan exists on the monitored site. Because the response data packet, the Domain data, the IP data and the URL data are directly associated with webpage Trojans, the invention improves the recognition of webpage Trojans and ensures website security to the greatest extent.
Drawings
FIG. 1 is a schematic structural diagram of a hardware operating environment of a device according to an embodiment of a web Trojan horse monitoring device of the present invention;
FIG. 2 is a flowchart illustrating a Trojan horse monitoring method according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a Trojan horse monitoring method according to a second embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a detailed flow of step S30 in FIG. 2;
FIG. 5 is a schematic view of a detailed flow chart of another embodiment of step S30 in FIG. 4;
FIG. 6 is a schematic diagram illustrating a detailed flow of another embodiment of step S30 in FIG. 4;
FIG. 7 is a functional block diagram of a Trojan horse monitoring device according to a first embodiment of the present invention;
FIG. 8 is a functional block diagram of a Trojan horse monitoring device according to a second embodiment of the present invention;
FIG. 9 is a functional block diagram of one embodiment of the detection module of FIG. 7;
FIG. 10 is a functional block diagram of another embodiment of the detection module in FIG. 9.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides webpage Trojan horse monitoring equipment.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the hardware operating environment of a device according to an embodiment of the webpage Trojan monitoring device of the present invention.
As shown in FIG. 1, the webpage Trojan monitoring device may include: a processor 1001 (such as a CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 enables connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the hardware configuration shown in FIG. 1 does not limit the webpage Trojan monitoring device, which may include more or fewer components than shown, combine some components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, which is a kind of computer-readable storage medium, may contain an operating system, a network communication module, a user interface module, and a webpage Trojan monitoring program. The operating system is a program that manages and controls the webpage Trojan monitoring device and its software resources, and supports the operation of the network communication module, the user interface module, the webpage Trojan monitoring program and other programs or software; the network communication module is used to manage and control the network interface 1004; the user interface module is used to manage and control the user interface 1003.
In the hardware structure of the webpage Trojan monitoring device shown in FIG. 1, the network interface 1004 is mainly used for connecting to a system background and performing data communication with it; the user interface 1003 is mainly used for connecting to a client (user side) and performing data communication with it; the webpage Trojan monitoring device calls the webpage Trojan monitoring program stored in the memory 1005 through the processor 1001, and performs the following operations:
simulating a browser to access a monitored site to obtain a response data packet returned by the monitored site;
parsing the response data packet to extract related data from it, wherein the related data comprises: Domain data, IP data, and URL data;
and performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site.
Further, the webpage Trojan monitoring device calls the webpage Trojan monitoring program stored in the memory 1005 through the processor 1001, and further performs the following operations:
requesting access to the Domain data, the IP data and the URL data respectively, to obtain the response data packet corresponding to each request;
performing static detection on the response data packet returned by the monitored site and on the response data packets corresponding to the requests, respectively, to obtain a first detection result;
determining whether a downloaded file exists in the response data packets corresponding to the requests;
if a downloaded file exists, performing static detection and dynamic heuristic detection on the downloaded file, respectively, to obtain a second detection result;
and if the first detection result and/or the second detection result is abnormal, determining that a webpage Trojan exists on the monitored site.
Further, the webpage Trojan monitoring device calls the webpage Trojan monitoring program stored in the memory 1005 through the processor 1001, and further performs the following operations:
if the first detection result and the second detection result are both normal, querying a database for matching address information based on the Domain data, the IP data and the URL data respectively, wherein the database stores address information corresponding to APIs (application programming interfaces) used by webpage Trojans;
if the database contains address information matching any one or more of the Domain data, the IP data and the URL data, determining that an API used by a webpage Trojan exists in the response data packet returned by the monitored site;
and if an API used by a webpage Trojan exists in the response data packet returned by the monitored site, determining that a webpage Trojan exists on the monitored site.
Further, the webpage Trojan monitoring device calls the webpage Trojan monitoring program stored in the memory 1005 through the processor 1001, and further performs the following operations:
if the first detection result and the second detection result are both normal, analyzing, through predefined lexical rules, whether malicious code used by webpage Trojans exists in the response data packet returned by the monitored site, and analyzing the family type of the malicious code;
and if so, determining that a webpage Trojan of that family type exists on the monitored site.
Further, the webpage Trojan monitoring device calls the webpage Trojan monitoring program stored in the memory 1005 through the processor 1001, and further performs the following operations:
when it is determined that a webpage Trojan exists on the monitored site, pushing an early warning message in real time through a preset communication interface, wherein the communication interface comprises: a WeChat public interface and a mail interface.
Further, the webpage Trojan monitoring device calls the webpage Trojan monitoring program stored in the memory 1005 through the processor 1001, and further performs the following operations:
if it is determined that no webpage Trojan exists on the monitored site, executing the webpage Trojan monitoring task on the monitored site at every preset interval.
Based on the hardware operating environment of the webpage Trojan monitoring equipment, the following embodiments of the webpage Trojan monitoring method are provided.
The invention further provides a webpage Trojan horse monitoring method.
Referring to FIG. 2, FIG. 2 is a flowchart illustrating a webpage Trojan monitoring method according to a first embodiment of the present invention. In this embodiment, the webpage Trojan monitoring method includes the following steps:
Step S10, simulating a browser to access a monitored site to obtain a response data packet returned by the monitored site;
In this embodiment, preferably, a crawler tool automatically crawls the page programs or scripts of the site to be monitored on the Internet according to user-defined rules, simulating a browser's request to access that site, and thereby obtains the response data packet that the monitored site returns for the request. The response data packet is preferably the one corresponding to the home page of the monitored site.
Optionally, to facilitate subsequent analysis, this step also caches the response data packet as a file.
Step S20, parsing the response data packet to extract related data from it, wherein the related data comprises: Domain data, IP data, and URL data;
In this embodiment, a protocol parser is preferably used to parse the response data packet and extract the following data from it:
(1) Domain data refers to domain name data, which is used to identify the electronic location of a computer (such as DNS) during data transfer.
(2) IP data refers to an IP address, the numeric identifier used for routing and addressing Internet hosts.
(3) URL data refers to uniform resource locators. A URL is a compact representation of the location and access method of a resource available on the Internet, and is the standard address of a resource on the Internet. Each file on the Internet has a unique URL.
Step S30, performing multiple detections based on the response data packet and the related data to determine whether a webpage Trojan exists on the monitored site.
In this embodiment, multiple detections are performed based on the response data packet returned by the monitored site and on the Domain data, the IP data and the URL data extracted from it, and whether a webpage Trojan exists on the monitored site is determined from the results of those detections.
This embodiment is not limited to a specific detection mode; for example, multi-dimensional static feature detection and highly heuristic suspicious-behavior detection may be adopted. Because the operation of a webpage Trojan is directly related to the response data packet, the Domain data, the IP data or the URL data, performing multiple detections on these data improves the recognition rate of webpage Trojans and avoids missed or false detections.
In this embodiment, webpage Trojan detection first simulates a browser to access a monitored site to obtain the response data packet returned by the monitored site; it then parses the response data packet to extract the Domain data, the IP data and the URL data from it; finally, it performs multiple detections based on the response data packet, the Domain data, the IP data and the URL data, and judges from the detection results whether a webpage Trojan exists on the monitored site. Because the response data packet, the Domain data, the IP data and the URL data are directly associated with webpage Trojans, the recognition of webpage Trojans is improved and website security is ensured to the greatest extent.
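An added illustration of step S20, not code from the patent: it parses a raw HTTP response and extracts the Domain, IP and URL data that step S30 works on. The sample response and all `.example` hosts are constructed, and the choice of which headers, HTML attributes and URL schemes to read is an assumption.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URLs embedded in inline script text (assumption: HTTP and WebSocket schemes).
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'<>)]+""", re.I)
URL_ATTRS = {"src", "href", "action", "data"}
SCHEMES = {"http", "https", "ws", "wss"}


class LinkCollector(HTMLParser):
    """Collects URL-bearing attribute values and inline script text."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("utf-8", "replace")


def extract_related_data(raw, page_url):
    """Return the Domain, IP and URL data referenced by one response."""
    headers, body = split_response(raw)
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    candidates = list(collector.links)
    if "location" in headers:  # redirect target
        candidates.append(headers["location"])
    for script in collector.scripts:
        candidates.extend(URL_RE.findall(script))

    domains, ips, urls = set(), set(), set()
    for ref in candidates:
        absolute = urljoin(page_url, ref.strip())  # resolves relative and // refs
        parts = urlsplit(absolute)
        if parts.scheme not in SCHEMES or not parts.hostname:
            continue  # mailto:, javascript:, data: and similar
        urls.add(absolute)
        try:
            ips.add(str(ipaddress.ip_address(parts.hostname)))
        except ValueError:  # not an IP literal, so it is a domain name
            domains.add(parts.hostname.lower())
    return {"domain": sorted(domains), "ip": sorted(ips), "url": sorted(urls)}


# Constructed response of a monitored home page.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><head>"
    b'<script src="//cdn.static.example/lib.js"></script>'
    b'<link rel="stylesheet" href="/css/site.css">'
    b"</head><body>"
    b'<script>var s = new WebSocket("wss://pool.miner.example/ws");'
    b'var u = "http://203.0.113.7:8080/update.bin";</script>'
    b'<a href="mailto:admin@shop.example">contact</a>'
    b"</body></html>"
)

if __name__ == "__main__":
    for kind, values in extract_related_data(
            SAMPLE_RESPONSE, "https://shop.example/").items():
        print(kind, values)
```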
Referring to FIG. 3, FIG. 3 is a flowchart illustrating a webpage Trojan monitoring method according to a second embodiment of the present invention. Based on the first embodiment, in this embodiment, after the step S30, the webpage Trojan monitoring method further includes:
Step S40, when it is determined that a webpage Trojan exists on the monitored site, pushing an early warning message in real time through a preset communication interface, wherein the communication interface comprises: a WeChat public interface and a mail interface.
In this embodiment, real-time early warning is preferably performed based on a SaaS (Software-as-a-Service) architecture, under which multiple communication interfaces may be integrated, including a WeChat public interface and a mail interface, and possibly other types of communication interfaces.
When an abnormal risk is found, that is, when it is determined that a webpage Trojan exists on the monitored site, early warning messages are pushed in real time through various channels, for example through a WeChat public number interface, through a mail interface, or through a threat reporting interface.
Issuing an early warning in real time once a danger is confirmed closes the loop between detection and operations, and improves the user experience of webpage Trojan monitoring.
Further, to ensure long-term stable and safe operation of the monitored site, in one embodiment the whole webpage Trojan monitoring flow is treated as a task; if, after the task is executed, it is determined that no webpage Trojan exists on the monitored site, the webpage Trojan monitoring task is executed again on the monitored site at every preset interval. This embodiment thus achieves cyclic detection of the monitored site and improves the security of the site.
Referring to fig. 4, fig. 4 is a schematic view of a detailed flow of the step S30 in fig. 2. Based on the first embodiment, in this embodiment, the step S30 further includes:
step S301, respectively performing request access on the Domain data, the IP data and the URL data to obtain a response data packet corresponding to the request access;
in this embodiment, the response data packet is obtained from the monitored site, and then Domain data, IP data, and URL data are extracted from the response data packet, where the data may be related to the web Trojan, so that redirection access is performed again to obtain a response data packet returned by the suspected Trojan side site.
Step S302, respectively carrying out static detection on the response data packet returned by the monitoring station and the response data packet corresponding to the request access to obtain a first detection result;
static detection is a feature detection method, and specifically detects whether an abnormality occurs by analyzing or checking only syntax, structure, interface, and the like of a detection object, so that the behavior of the detection object is understood syntactically and semantically, thereby analyzing the feature of the detection object and finding the abnormality existing in the detection object.
The embodiment respectively carries out static detection on the response data packet returned by the monitored site and the response data packet returned by the suspected Trojan horse side site, so that potential Trojan horse viruses can be directly and comprehensively detected, and the webpage Trojan horse detection capability is improved.
Step S303, determining whether a downloaded file exists in the response data packet corresponding to the request access;
Step S304, if a downloaded file exists, performing static detection and dynamic heuristic detection on the downloaded file, to obtain a second detection result;
In some cases a webpage Trojan is propagated indirectly, for example through a downloaded file. In this embodiment, therefore, once the response data packet returned by the suspected Trojan-side site has been obtained through the redirected access, any downloaded file in that response data packet (for example, one downloaded through a URL) must be examined further.
Because a file has more content and a Trojan can hide in it in more complex ways, this embodiment performs both static detection and dynamic heuristic detection on the downloaded file to avoid misjudgments or missed detections.
Dynamic heuristic detection is a behavior detection method. "Heuristic" means a "self-discovery ability" or "applying a certain way or method to determine knowledge and skills of things"; such detection can analyze whether the logical structure of a file's code contains malicious program features, or determine whether the file behaves maliciously by proactively executing its code in a virtual secure environment. Dynamic heuristic detection uses the virtual machine technology built into the antivirus software to construct a simulated running environment for the virus, induces the virus to run in the antivirus software's simulated buffer, and judges the program to be dangerous if suspicious actions are detected while it runs.
Step S305, if the first detection result and/or the second detection result is abnormal, determining that a webpage Trojan exists on the monitored site.
In this embodiment, multiple detection results are obtained by detecting several times in several ways; if one or more of the results show an abnormality, it is determined that a webpage Trojan exists on the monitored site.
In addition, to improve the detection effect, this embodiment detects webpage Trojans with a virus detection approach that combines artificial intelligence technology with virtual sandbox technology. An antivirus detection engine that applies artificial intelligence technology is deployed in the virtualized sandbox system, which solves the high resource usage of traditional schemes and balances detection rate against performance overhead well. The approach also supports multi-dimensional static feature detection and highly heuristic suspicious-behavior detection; feature and behavior detection are performed under a logical micro-isolation technique, the detection is released after each execution, and the physical machine cannot be damaged.
Further, to avoid misjudgments or missed detections and to improve the identification effect and detection coverage of webpage Trojan detection, another embodiment of the webpage Trojan monitoring method additionally performs matching detection on the Domain data, IP data and URL data.
Referring to Fig. 5, Fig. 5 is a detailed flow diagram of another embodiment of step S30 in Fig. 4. Based on the foregoing embodiment, step S30 in this embodiment further includes:
Step S306, if the first detection result and the second detection result are both normal, querying a database for matching address information based on the Domain data, the IP data and the URL data respectively, wherein the database stores address information corresponding to the API (application programming interface) used by webpage Trojans;
In this embodiment, the Domain data, IP data and URL data are each checked further by matching them against the address information, stored in the database, of the API interfaces used by webpage Trojans. The database is updated in real time so that it holds the address information (domain name information, IP information, URL information, etc.) of the API interfaces used by the latest and most prevalent webpage Trojans.
Step S307, if the database contains address information matching any one or more of the Domain data, the IP data and the URL data, determining that an API (application programming interface) used by a webpage Trojan exists in the response data packet returned by the monitored site;
Step S308, if an API used by a webpage Trojan exists in the response data packet returned by the monitored site, determining that a webpage Trojan exists on the monitored site.
The entries are compared one by one: if the database contains address information matching any one or more of the Domain data, IP data and URL data, it can be determined that an API used by a webpage Trojan exists in the response data packet returned by the monitored site, and hence that a webpage Trojan exists on the monitored site.
In this embodiment, if the previous round of detection finds no abnormality, the next round of detection is carried out, which avoids misjudgments or missed detections and improves the identification effect and detection coverage of webpage Trojan detection.
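The address-matching round of steps S306 to S308 can be sketched as follows. This is an added example, not code from the patent: the in-memory indicator store, the sample response body, the normalisation choices and all function names are assumptions made for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import urljoin, urlsplit

# Constructed indicator store standing in for the database of address
# information used by webpage Trojans (documentation-only names and ranges).
# Entries are assumed to be stored already normalised.
INDICATORS = {
    "domain": {"bad-cdn.example"},
    "ip": {"203.0.113.7"},
    "url": {"http://files.example.net/update/loader.js"},
}

# Constructed response body from a hypothetical monitored site.
SAMPLE_BODY = """
<html><head>
<script src="//STATIC.Bad-CDN.example./lib/jq.js"></script>
<script src="/js/site.js"></script>
</head><body>
<iframe src="http://203.0.113.7:8080/frame" width="0" height="0"></iframe>
<a href="http://files.example.net:80/update/../update/loader.js?v=3">x</a>
<img src="https://images.example.org/logo.png">
</body></html>
"""

ATTR_RE = re.compile(r"(?:src|href)\s*=\s*[\"']([^\"']+)[\"']", re.I)


def normalise(url):
    """Return (host, canonical_url) or None for non-HTTP(S) references.

    Canonical form: lower-case host without trailing dot, default port
    dropped, dot segments resolved, query and fragment removed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")
    try:
        port = parts.port
    except ValueError:          # malformed port: not a usable address
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    shown = f"[{host}]" if ":" in host else host   # IPv6 literal
    netloc = shown if port in (None, default) else f"{shown}:{port}"
    path = posixpath.normpath(parts.path or "/")
    return host, f"{parts.scheme}://{netloc}{path}"


def extract_related_data(base_url, body):
    """Collect Domain, IP and URL data referenced by a response body."""
    related = {"domain": set(), "ip": set(), "url": set()}
    for raw in ATTR_RE.findall(body):
        norm = normalise(urljoin(base_url, raw.strip()))
        if norm is None:
            continue
        host, url = norm
        related["url"].add(url)
        try:
            related["ip"].add(str(ipaddress.ip_address(host)))
        except ValueError:      # not an IP literal, so it is a domain name
            related["domain"].add(host)
    return related


def match_addresses(related, indicators):
    """S306/S307: return (kind, observed value, matching indicator) hits."""
    hits = []
    for domain in sorted(related["domain"]):
        for bad in sorted(indicators["domain"]):
            # Exact match or a true subdomain; "notbad-cdn.example" must
            # not match "bad-cdn.example".
            if domain == bad or domain.endswith("." + bad):
                hits.append(("domain", domain, bad))
    for ip in sorted(related["ip"]):
        if ip in indicators["ip"]:
            hits.append(("ip", ip, ip))
    for url in sorted(related["url"]):
        if url in indicators["url"]:
            hits.append(("url", url, url))
    return hits


def site_uses_trojan_api(base_url, body, indicators=INDICATORS):
    """S308: any single hit is enough to flag the monitored site."""
    return bool(match_addresses(extract_related_data(base_url, body), indicators))
```

Normalising before lookup matters here: without it, the upper-case host, the explicit `:80` and the `../` segment in the sample would each miss an exact-match indicator.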
Furthermore, some Trojans are skillfully designed and are not easily found by general feature detection. To avoid misjudgments or missed detections and to improve the identification effect and detection coverage of webpage Trojan detection, another embodiment of the webpage Trojan monitoring method performs intelligent lexical analysis detection on the response data packet returned by the monitored site.
Referring to Fig. 6, Fig. 6 is a detailed flow diagram of another embodiment of step S30 in Fig. 4. Based on the foregoing embodiment, step S30 in this embodiment further includes:
Step S309, if the first detection result and the second detection result are both normal, using predefined lexical rules to analyze whether malicious code used by a webpage Trojan exists in the response data packet returned by the monitored site, and to analyze the family type of that malicious code;
Step S310, if so, determining that a webpage Trojan of that family type exists on the monitored site.
In this embodiment, predefined lexical rules are used to analyze and detect whether malicious code used by a webpage Trojan exists in the response data packet returned by the monitored site.
The principle of intelligent lexical analysis is as follows: first, cluster analysis is performed on all webpage Trojan samples; then lexical analysis is performed on the samples of each family to find which dangerous functions, system resources, suspicious tags, key classes and objects the samples of that family call; lexical analysis and detection rules are then defined from the word sequences of the elements found; finally, detection is performed based on these lexical rules.
Compared with traditional IPS rules and WAF rules, this embodiment effectively avoids the problem of a single feature being bypassed, thereby avoiding misjudgments or missed detections and improving the identification effect and detection coverage of webpage Trojan detection.
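A minimal form of the lexical-rule detection in steps S309 and S310, matching an ordered sequence of elements per family instead of one literal feature. This is an added example, not the patent's implementation: the tokenizer, the two rule sequences, the family names and the sample pages are all constructed for illustration.

```python
import re

# One token per opening tag ("<iframe") or identifier ("unescape"), in
# document order. Tokens are lower-cased before rule matching.
TOKEN_RE = re.compile(r"<\s*([A-Za-z][\w-]*)|([A-Za-z_$][\w$]*)")

# Constructed rules: family name -> (ordered element sequence, window).
# In the scheme described above these sequences would be derived from
# clustered samples of each family; here they are hand-written.
RULES = {
    "family-A (constructed)": (
        ["<script", "unescape", "createelement", "iframe",
         "width", "height", "appendchild"], 40),
    "family-B (constructed)": (["<script", "fromcharcode", "eval"], 25),
}

# Constructed sample pages.
SUSPECT_PAGE = """
<html><body><h1>News</h1>
<script>
var p = unescape("%68%69");
var f = document.createElement("iframe");
f.width = 0; f.height = 0;
f.src = p;
document.body.appendChild(f);
</script></body></html>
"""

BENIGN_PAGE = """
<html><body>
<script>
var v = document.createElement("iframe");
v.width = 640; v.height = 360;
v.src = "https://video.example.org/embed/1";
document.body.appendChild(v);
var s = String.fromCharCode(72, 105);
</script></body></html>
"""

SECOND_PAGE = """
<script>var c = String.fromCharCode(97,108,101,114,116); eval(c + "(1)");</script>
"""


def tokenize(body):
    """Turn a response body into an ordered list of lexical elements."""
    tokens = []
    for m in TOKEN_RE.finditer(body):
        tag, ident = m.groups()
        tokens.append("<" + tag.lower() if tag else ident.lower())
    return tokens


def match_sequence(tokens, sequence, window):
    """True if `sequence` occurs in order within `window` tokens.

    Other tokens may sit between the elements, so renaming variables or
    inserting filler code does not defeat the rule, while a page that has
    only some of the elements does not match.
    """
    first = sequence[0]
    for start, tok in enumerate(tokens):
        if tok != first:
            continue
        need = 1
        for later in tokens[start + 1:start + window]:
            if need < len(sequence) and later == sequence[need]:
                need += 1
        if need == len(sequence):
            return True
    return False


def classify(body, rules=RULES):
    """S309/S310: return the family types whose rule matches the body."""
    tokens = tokenize(body)
    return [family for family, (seq, window) in rules.items()
            if match_sequence(tokens, seq, window)]
```

`BENIGN_PAGE` contains both `iframe` and `fromCharCode`, so a rule keyed on either single feature would flag it, while neither sequence rule does.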
Referring to Fig. 7, Fig. 7 is a functional module diagram of a first embodiment of the webpage Trojan monitoring device of the present invention. In this embodiment, the webpage Trojan monitoring device includes:
The simulation module 10 is configured to simulate a browser accessing the monitored site, to obtain the response data packet returned by the monitored site;
In this embodiment, a crawler tool is preferably used to automatically crawl the page programs or scripts of the site to be monitored on the Internet according to user-defined rules, simulating a browser's request to access that site, and thereby obtain the response data packet that the monitored site returns for the request. The response data packet is preferably the one corresponding to the home page of the monitored site.
The analysis module 20 is configured to analyze the response data packet to extract the relevant data in it, where the relevant data includes: Domain data, IP data and URL data;
In this embodiment, a protocol parser is preferably used to parse the response data packet and extract the following data from it:
(1) Domain data refers to domain name data, which is used to identify the electronic location of a computer, such as in DNS, during data transfer.
(2) IP data refers to an IP address, a numeric identifier used for routing and addressing Internet hosts.
(3) URL data refers to uniform resource locators. A URL is a compact representation of the location of, and access method for, a resource available on the Internet, and is the address of a standard resource on the Internet. Each file on the Internet has a unique URL.
The detection module 30 is configured to perform multiple detections based on the response data packet and the relevant data, to determine whether a webpage Trojan exists on the monitored site.
In this embodiment, multiple detections are performed on the response data packet returned by the monitored site and on the Domain data, IP data and URL data extracted from it, and whether a webpage Trojan exists on the monitored site is determined from the results of those detections.
This embodiment is not limited to a specific detection mode; for example, multi-dimensional static feature detection and highly heuristic suspicious-behavior detection may be adopted. Because the operation of a webpage Trojan is directly related to the response data packet, the Domain data, the IP data or the URL data, performing multiple detections on this data improves the identification rate for webpage Trojans and avoids missed or false detections.
In this embodiment, webpage Trojan detection proceeds as follows: a browser is simulated to access the monitored site and obtain the response data packet it returns; the response data packet is then analyzed to extract the Domain data, IP data and URL data in it; finally, multiple detections are performed based on the response data packet, the Domain data, the IP data and the URL data, and whether a webpage Trojan exists on the website is judged from the detection results. Because the response data packet, the Domain data, the IP data and the URL data are directly associated with the webpage Trojan, the identification effect for webpage Trojans is improved and the security of the website is ensured to the greatest extent.
Referring to Fig. 8, Fig. 8 is a functional module diagram of a second embodiment of the webpage Trojan monitoring device of the present invention. Based on the above embodiment, the webpage Trojan monitoring device in this embodiment further includes:
The early warning module 40 is configured to push an early warning message in real time through a preset communication interface when it is determined that a webpage Trojan exists on the monitored site, where the communication interface includes: a WeChat public interface and a mail interface.
In this embodiment, real-time early warning is preferably performed on a SaaS (Software-as-a-Service) architecture, under which multiple communication interfaces can be integrated, including a WeChat public interface and a mail interface, and possibly other types of communication interface.
When an abnormal risk is found, that is, when it is determined that a webpage Trojan exists on the monitored site, the early warning module 40 pushes the early warning message in real time in various ways, for example through a WeChat public account interface, through a mail interface, or through a threat reporting interface.
After a danger is confirmed, real-time early warning is issued, which closes the loop between detection and operations and improves the user experience of webpage Trojan monitoring.
The task scheduling module 50 is configured to execute the webpage Trojan monitoring task on the monitored site at preset intervals if it is determined that no webpage Trojan exists on the monitored site.
To ensure long-term stable and secure operation of the monitored site, the task scheduling module 50 treats the whole webpage Trojan monitoring flow as one task. If, after the task has run, it is determined that no webpage Trojan exists on the monitored site, the webpage Trojan monitoring task is run on the monitored site again at each preset interval. This embodiment thus achieves cyclic detection of the monitored site and improves the security of the site.
Referring to Fig. 9, Fig. 9 is a functional module diagram of an embodiment of the detection module in Fig. 7. Based on the foregoing embodiment, the detection module 30 in this embodiment includes:
The first detection submodule 301 is configured to: request access to the Domain data, the IP data and the URL data respectively, to obtain the response data packet corresponding to the request access; perform static detection on the response data packet returned by the monitored site and on the response data packet corresponding to the request access, to obtain a first detection result;
determine whether a downloaded file exists in the response data packet corresponding to the request access; if a downloaded file exists, perform static detection and dynamic heuristic detection on the downloaded file, to obtain a second detection result; and if the first detection result and/or the second detection result is abnormal, determine that a webpage Trojan exists on the monitored site.
In this embodiment, the response data packet is first obtained from the monitored site, and the Domain data, IP data and URL data are then extracted from it. Because this data may be related to the webpage Trojan, a redirected access is made to each item to obtain the response data packet returned by the suspected Trojan-side site.
This embodiment performs static detection on both the response data packet returned by the monitored site and the response data packet returned by the suspected Trojan-side site, so that potential Trojans can be detected directly and comprehensively, which improves webpage Trojan detection capability.
In some cases a webpage Trojan is propagated indirectly, for example through a downloaded file. In this embodiment, therefore, once the response data packet returned by the suspected Trojan-side site has been obtained through the redirected access, any downloaded file in that response data packet (for example, one downloaded through a URL) must be examined further.
Because a file has more content and a Trojan can hide in it in more complex ways, this embodiment performs both static detection and dynamic heuristic detection on the downloaded file to avoid misjudgments or missed detections.
Dynamic heuristic detection is a behavior detection method. "Heuristic" means a "self-discovery ability" or "applying a certain way or method to determine knowledge and skills of things"; such detection can analyze whether the logical structure of a file's code contains malicious program features, or determine whether the file behaves maliciously by proactively executing its code in a virtual secure environment. Dynamic heuristic detection uses the virtual machine technology built into the antivirus software to construct a simulated running environment for the virus, induces the virus to run in the antivirus software's simulated buffer, and judges the program to be dangerous if suspicious actions are detected while it runs.
In this embodiment, multiple detection results are obtained by detecting several times in several ways; if one or more of the results show an abnormality, it is determined that a webpage Trojan exists on the monitored site.
In addition, to improve the detection effect, this embodiment detects webpage Trojans with a virus detection approach that combines artificial intelligence technology with virtual sandbox technology. An antivirus detection engine that applies artificial intelligence technology is deployed in the virtualized sandbox system, which solves the high resource usage of traditional schemes and balances detection rate against performance overhead well. The approach also supports multi-dimensional static feature detection and highly heuristic suspicious-behavior detection; feature and behavior detection are performed under a logical micro-isolation technique, the detection is released after each execution, and the physical machine cannot be damaged.
Referring to Fig. 10, Fig. 10 is a functional module diagram of another embodiment of the detection module shown in Fig. 9. Based on the above embodiment, the detection module 30 in this embodiment further includes: a second detection submodule 302 and/or a third detection submodule 303.
The second detection submodule 302 is configured to: if the first detection result and the second detection result are both normal, query a database for matching address information based on the Domain data, the IP data and the URL data respectively, wherein the database stores address information corresponding to the API (application programming interface) used by webpage Trojans;
if the database contains address information matching any one or more of the Domain data, the IP data and the URL data, determine that an API (application programming interface) used by a webpage Trojan exists in the response data packet returned by the monitored site; and if an API used by a webpage Trojan exists in the response data packet returned by the monitored site, determine that a webpage Trojan exists on the monitored site.
In this embodiment, the Domain data, IP data and URL data are each checked further by matching them against the address information, stored in the database, of suspicious API interfaces. The database is updated in real time so that it holds the address information (domain name information, IP information, URL information, etc.) of the API interfaces used by the latest and most prevalent webpage Trojans.
The entries are compared one by one: if the database contains address information matching any one or more of the Domain data, IP data and URL data, it can be determined that an API used by a webpage Trojan exists in the response data packet returned by the monitored site, and hence that a webpage Trojan exists on the monitored site.
In this embodiment, if the previous round of detection finds no abnormality, the next round of detection is carried out, which avoids misjudgments or missed detections and improves the identification effect and detection coverage of webpage Trojan detection.
The third detection submodule 303 is configured to: if the first detection result and the second detection result are both normal, use predefined lexical rules to analyze whether malicious code used by a webpage Trojan exists in the response data packet returned by the monitored site, and to analyze the family type of that malicious code; and if so, determine that a webpage Trojan of that family type exists on the monitored site.
In this embodiment, predefined lexical rules are used to analyze and detect whether malicious code used by a webpage Trojan exists in the response data packet returned by the monitored site.
The principle of intelligent lexical analysis is as follows: first, cluster analysis is performed on all webpage Trojan samples; then lexical analysis is performed on the samples of each family to find which dangerous functions, system resources, suspicious tags, key classes and objects the samples of that family call; lexical analysis and detection rules are then defined from the word sequences of the elements found; finally, detection is performed based on these lexical rules.
Compared with traditional IPS rules and WAF rules, this embodiment effectively avoids the problem of a single feature being bypassed, thereby avoiding misjudgments or missed detections and improving the identification effect and detection coverage of webpage Trojan detection.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention stores a web Trojan monitoring program, and the web Trojan monitoring program, when executed by a processor, implements the steps of the web Trojan monitoring method described in any one of the above embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM), and includes several instructions for enabling a terminal (which may be a computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
The present invention has been described with reference to the accompanying drawings, but it is not limited to the above embodiments, which are illustrative rather than restrictive. Those skilled in the art can make various changes without departing from the spirit and scope of the invention as defined by the appended claims, and all changes within the meaning and range of equivalency of the specification, the drawings and the appended claims are intended to be embraced therein.

Claims (10)

1. A webpage Trojan horse monitoring method is characterized by comprising the following steps:
simulating a browser to access a monitoring site to obtain a response data packet returned by the monitoring site;
analyzing the response data packet to extract relevant data in the response data packet, wherein the relevant data comprises: domain data, IP data, and URL data;
performing multiple detection on the response data packet and the related data by utilizing multi-dimensional static detection and dynamic heuristic detection to determine whether the monitored site has a webpage Trojan horse or not;
the multiple detection of the response data packet and the related data to determine whether the web Trojan exists in the monitored site comprises:
respectively performing request access on the Domain data, the IP data and the URL data to obtain a response data packet corresponding to the request access;
respectively performing static detection on the response data packet returned by the monitoring station and the response data packet corresponding to the request access to obtain a first detection result;
judging whether the downloaded file exists in a response data packet corresponding to the request access;
if the downloaded file exists, respectively carrying out static detection and dynamic heuristic detection on the downloaded file to obtain a second detection result;
if the first detection result and the second detection result are normal, respectively querying a database for address information matching based on the Domain data, the IP data and the URL data, wherein the database stores address information corresponding to an API (application programming interface) used by the webpage Trojan horse;
if address information matched with any one or more of the Domain data, the IP data and the URL data exists in the database, determining that an API (application programming interface) used by the webpage Trojan exists in a response data packet returned by the monitoring site;
and if the API used by the webpage Trojan horse exists in the response data packet returned by the monitored site, determining that the webpage Trojan horse exists in the monitored site.
2. The method for monitoring the webpage trojan according to claim 1, wherein if the first detection result and/or the second detection result is abnormal, it is determined that the webpage trojan exists in the monitored site.
3. The method for web trojan monitoring as claimed in claim 1, wherein said performing multiple detections based on the response data packet and the related data to determine whether the web trojan exists at the monitored site further comprises:
if the first detection result and the second detection result are normal, analyzing whether malicious codes used by the webpage trojans exist in response data packets returned by the monitoring site and analyzing the family types of the malicious codes through predefined lexical rules;
and if so, determining that the family type webpage Trojan horse exists in the monitored site.
4. The web Trojan horse monitoring method according to claim 1, further comprising:
when determining that the webpage trojan exists in the monitored site, pushing an early warning message in real time through a preset communication interface, wherein the communication interface comprises: WeChat public interface, mail interface.
5. The web Trojan horse monitoring method according to claim 1, further comprising:
and if the fact that the webpage Trojan does not exist in the monitored site is determined, executing a webpage Trojan monitoring task on the monitored site every preset time.
6. A web page trojan monitoring device, the web page trojan monitoring device comprising:
the simulation module is used for simulating a browser to access a monitoring site so as to obtain a response data packet returned by the monitoring site;
an analysis module, configured to analyze the response packet to extract relevant data in the response packet, where the relevant data includes: domain data, IP data, and URL data;
the detection module is used for carrying out multiple detection on the response data packet and the related data by utilizing multi-dimensional static detection and dynamic heuristic detection so as to determine whether the website trojans exist in the monitored site;
the detection module comprises: a first detection submodule;
the first detection submodule is used for: respectively performing request access on the Domain data, the IP data and the URL data to obtain a response data packet corresponding to the request access; respectively performing static detection on the response data packet returned by the monitoring station and the response data packet corresponding to the request access to obtain a first detection result;
judging whether the downloaded file exists in a response data packet corresponding to the request access; if the downloaded file exists, respectively carrying out static detection and dynamic heuristic detection on the downloaded file to obtain a second detection result;
the detection module further comprises: a second detection submodule and/or a third detection submodule;
the second detection submodule is used for:
if the first detection result and the second detection result are normal, respectively querying a database for address information matching based on the Domain data, the IP data and the URL data, wherein the database stores address information corresponding to an API (application programming interface) used by the webpage Trojan horse;
if address information matched with any one or more of the Domain data, the IP data and the URL data exists in the database, determining that an API (application programming interface) used by the webpage Trojan exists in a response data packet returned by the monitoring site; if an API (application programming interface) used by the webpage Trojan horse exists in a response data packet returned by the monitoring site, determining that the webpage Trojan horse exists in the monitoring site;
the third detection submodule is used for:
if the first detection result and the second detection result are normal, analyzing whether malicious codes used by the webpage trojans exist in response data packets returned by the monitoring site and analyzing the family types of the malicious codes through predefined lexical rules; and if so, determining that the family type webpage Trojan horse exists in the monitored site.
7. The device for monitoring Trojan horse on webpage of claim 6, wherein if the first detection result and/or the second detection result is abnormal, it is determined that Trojan horse on webpage exists on the monitored site.
8. The webpage Trojan monitoring device of claim 6, further comprising: the early warning module and/or the task scheduling module;
the early warning module is used for: when determining that the webpage trojan exists in the monitored site, pushing an early warning message in real time through a preset communication interface, wherein the communication interface comprises: a WeChat public interface and a mail interface;
the task scheduling module is configured to: and if the fact that the webpage Trojan does not exist in the monitored site is determined, executing a webpage Trojan monitoring task on the monitored site every preset time.
9. A web trojan monitoring device comprising a memory, a processor and a web trojan monitoring program stored on the memory and executable on the processor, the web trojan monitoring program when executed by the processor implementing the steps of the web trojan monitoring method according to any one of claims 1 to 5.
10. A computer-readable storage medium, having stored thereon a web Trojan horse monitoring program which, when executed by a processor, implements the steps of the web Trojan horse monitoring method of any one of claims 1-5.
CN201811469346.0A 2018-11-30 2018-11-30 Webpage Trojan horse monitoring method, device, equipment and storage medium Active CN109347882B (en)


Publications (2)

Publication Number Publication Date
CN109347882A CN109347882A (en) 2019-02-15
CN109347882B true CN109347882B (en) 2021-12-21

Family

ID=65319380

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811469346.0A Active CN109347882B (en) 2018-11-30 2018-11-30 Webpage Trojan horse monitoring method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109347882B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889547B (en) * 2019-03-29 2021-10-26 新华三信息安全技术有限公司 Abnormal network equipment detection method and device
CN110213375A (en) * 2019-06-04 2019-09-06 杭州安恒信息技术股份有限公司 A kind of method, apparatus and electronic equipment of the IP access control based on cloud WAF
CN111130993B (en) * 2019-11-22 2022-03-29 北京知道创宇信息技术股份有限公司 Information extraction method and device and readable storage medium
CN111884882A (en) * 2020-07-29 2020-11-03 北京千丁互联科技有限公司 Monitoring coverage rate detection method and device
CN114513331B (en) * 2022-01-06 2023-06-09 杭州薮猫科技有限公司 Mining Trojan detection method, device and equipment based on application layer communication protocol
CN114020366A (en) * 2022-01-06 2022-02-08 北京微步在线科技有限公司 Remote control Trojan horse unloading method and device based on threat information
CN115037537A (en) * 2022-06-06 2022-09-09 恒安嘉新(北京)科技股份公司 Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium
CN119740224B (en) * 2024-12-24 2025-06-20 北京天融信网络安全技术有限公司 Method for detecting hanging webpage, electronic equipment, storage medium and computer program product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101964026A (en) * 2009-07-23 2011-02-02 中联绿盟信息技术(北京)有限公司 Method and system for detecting web page horse hanging
CN103065089A (en) * 2012-12-11 2013-04-24 深信服网络科技(深圳)有限公司 Method and device for detecting webpage Trojan horses
CN107370755A (en) * 2017-08-23 2017-11-21 杭州安恒信息技术有限公司 A kind of method of the profound detection APT attacks of various dimensions
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 A network stealing behavior detection method based on HTTP traffic analysis

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9064213B2 (en) * 2013-02-05 2015-06-23 International Business Machines Corporation Dynamic model-based analysis of data centers
US10142164B2 (en) * 2014-09-16 2018-11-27 CloudGenix, Inc. Methods and systems for dynamic path selection and data flow forwarding

Also Published As

Publication number Publication date
CN109347882A (en) 2019-02-15

Similar Documents

Publication Publication Date Title
CN109347882B (en) Webpage Trojan horse monitoring method, device, equipment and storage medium
US12348561B1 (en) Detection of phishing attacks using similarity analysis
US20240121266A1 (en) Malicious script detection
US10592676B2 (en) Application security service
US10581879B1 (en) Enhanced malware detection for generated objects
US10089464B2 (en) De-obfuscating scripted language for network intrusion detection using a regular expression signature
US10728274B2 (en) Method and system for injecting javascript into a web page
US9596255B2 (en) Honey monkey network exploration
US9509714B2 (en) Web page and web browser protection against malicious injections
CN101964025B (en) XSS detection method and equipment
CN108664793B (en) Method and device for detecting vulnerability
US20140173736A1 (en) Method and system for detecting webpage Trojan embedded
CN103279710B (en) Method and system for detecting malicious codes of Internet information system
US20110307956A1 (en) System and method for analyzing malicious code using a static analyzer
CN107465702B (en) Method and device for early warning based on wireless network intrusion
CN101820419A (en) Method for automatically positioning webpage Trojan mount point in Trojan linked webpage
CN105791261A (en) A detection method and detection device for cross-site scripting attack
US10701087B2 (en) Analysis apparatus, analysis method, and analysis program
CN110348210B (en) Safety protection method and device
CN112287349A (en) Security vulnerability detection method and server
CN106250761B (en) Equipment, device and method for identifying web automation tool
TWI470468B (en) System and method for detecting web malicious programs and behaviors
KR102159399B1 (en) Device for monitoring web server and analysing malicious code
CN102446253B (en) Webpage trojan detection method and system
CN114006746B (en) Attack detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant