
CN102111385A - Webpage security trust scoring method - Google Patents


Info

Publication number: CN102111385A
Authority: CN (China)
Prior art keywords: webpage, scoring, browser, publisher, authentication center
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN2009102442640A
Other languages: Chinese (zh)
Inventors: 赵晨, 辛阳, 杜晓峰, 包一兵
Current assignee: BEIJING SAFE-CODE TECHNOLOGY Co Ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: BEIJING SAFE-CODE TECHNOLOGY Co Ltd
Priority date: 2009-12-28
Filing date: 2009-12-28
Publication date: 2011-06-29
Application filed by: BEIJING SAFE-CODE TECHNOLOGY Co Ltd

Landscapes

  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a webpage security trust scoring method in which: a webpage publisher embeds in the hypertext markup language (HTML) code of a webpage a digital signature covering a digest of the page and a suggested score; a plurality of authentication centers each give the webpage a security score; and the browser automatically calculates a final score $S_0$ according to a set mechanism and decides from that score what security permissions to grant the webpage. Compared with the prior art, the invention solves the problems of insufficient manual input and the weakness of single-site authentication, and in particular the inability to determine a security level for an individual webpage.

Description

A webpage security trust scoring method
Technical field
The present invention relates to network security technology, and in particular to a method for scoring the security trust of a webpage.
Background
As the Internet and network technology have developed, and while users enjoy an ever-changing browsing experience, behaviour that infringes on user information security has grown in the shadows. Browsing a page with a browser is no longer a safe thing to do: an attacker can embed malicious code in a previously safe webpage so that the user unknowingly downloads a virus or trojan, which then causes system failure or loss of important information. Evaluating the security level of a webpage so that the browser can respond automatically is an important way to prevent a webpage from running malicious code.
Common prior art at present comprises: 1. browser security levels and security zones; 2. webpage security authentication centers. Briefly:
Prior art one: browser security levels and security zones
Scheme: the browser offers high, medium and low security levels, each granting different security permissions, such as whether ActiveX is allowed. Security zones such as "trusted sites" are also configured, each with a corresponding security level.
Shortcoming: the user must manually add web addresses to the appropriate security zone, and the granularity of security cannot be refined to a single webpage, so different pages cannot receive different security permissions.
Prior art two: webpage security authentication center
Scheme: when the browser opens a webpage it automatically consults a website that acts as an authentication center and grants the site the security permissions the center recommends.
Shortcoming: this depends on trust in a single authentication center, whose fairness and reliability are hard to guarantee. Current authentication centers usually refine the granularity only to the website level; refining it to the single webpage would challenge the storage and processing capacity of a single authentication center.
In summary, the prior art either depends on the user adding entries manually or depends on the authentication capability of a single website, and neither can be trusted completely. Moreover, the prior art grades security only per website and cannot refine the security level to each webpage, which is inflexible and impractical.
Summary of the invention
Embodiments of the invention provide a webpage security scoring method that addresses the insufficient manual input and the weakness of single-site authentication found in the prior art, and in particular the inability to refine the security level to a single webpage.
A webpage security trust scoring method comprises:
The webpage publisher encrypts the digital digest of the webpage together with a suggested score using its private key, packages the result into a digital signature, and embeds it in the original web page code;
A plurality of authentication centers each give the webpage a security score; the browser automatically calculates a final score $S_0$ according to a set mechanism and decides from that score what security permissions to grant the webpage;
The mechanism by which the browser automatically calculates the final score $S_0$ comprises:
calculating the final score according to the formula $S_0 = \frac{1}{n}\sum_{i=1}^{n} S_i A_i$ $(i = 1, 2, \ldots, n)$;
where $S_1$ is the webpage publisher's suggested score and $A_1$ is the publisher's credit rating; for $i > 1$, $S_i$ is the guarantee score given to this webpage by one authentication center and $A_i$ is the credit rating of that authentication center;
$S_1$ is obtained as follows: the browser extracts the digital signature from the webpage, verifies it with the publisher's public key (the description calls this "decrypting with the public key") and obtains the publisher's suggested score $S_1$;
$A_1$ is obtained as follows: the browser computes the publisher's credit rating $A_1$ from the credit record it keeps for that publisher; if the publisher has a record of bad behaviour, $A_1$ is reduced, otherwise $A_1$ is increased;
$S_i$ is obtained as follows: after the browser receives the webpage it automatically asks a plurality of authentication centers to assess it, and each center returns its guarantee score $S_i$ for the webpage;
$A_i$ is obtained as follows: the browser obtains the credit rating $A_i$ of each authentication center from the credit record it keeps for that center; if the center has a record of bad behaviour, $A_i$ is reduced, otherwise $A_i$ is increased.
In embodiments of the invention the browser determines webpage security permissions automatically, so there is no need to add web addresses to security zones by hand; security permissions are granted per webpage rather than per website; the digital signature embedded in the web page code greatly reduces the chance of a browser being compromised through a page seeded with a trojan; and embodiments do not rely on a single authentication center for the safety evaluation but use a security scoring and credit guarantee mechanism, similar to anti-fraud methods in the financial sector, which effectively constrains dishonest behaviour by page authors and guarantors (authentication centers).
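The aggregation rule above, together with the credit records and the centre-selection rule of step 202 / claim 2, as an added example in JavaScript. This is not code from the patent or from the applicant; everything beyond the formula is an assumption of the example: scores and credit ratings on a 0 to 1 scale, a starting rating of 0.5 for a party the browser has not seen, and credit steps of -0.2 per bad record and +0.05 per clean interaction (the patent fixes only the direction of change). The centre and publisher identifiers are constructed sample data.

```javascript
// Added example, not code from the patent: the browser-side aggregation
// S0 = (1/n) * sum_i S_i * A_i, with i = 1 the publisher and i >= 2 the
// authentication centres, plus the browser-kept credit records and the
// centre-selection rule of claim 2 (same network segment and higher credit
// first, never fewer than two centres).
// Assumptions beyond the patent text: scores and credit ratings lie in
// [0, 1], a newly seen party starts at 0.5, and the credit steps are
// -0.2 per bad record and +0.05 per clean interaction.

function makeCreditStore(initialRating = 0.5) {
  const records = new Map(); // id -> { rating, badRecords }

  function get(id) {
    if (!records.has(id)) records.set(id, { rating: initialRating, badRecords: 0 });
    return records.get(id);
  }

  return {
    // A_1 / A_i: the rating the browser currently holds for a party.
    rating(id) {
      return get(id).rating;
    },
    // The patent gives only the direction: a bad record lowers the rating,
    // a clean interaction raises it. The step sizes are this example's choice.
    record(id, bad) {
      const r = get(id);
      if (bad) {
        r.badRecords += 1;
        r.rating = Math.max(0, r.rating - 0.2);
      } else {
        r.rating = Math.min(1, r.rating + 0.05);
      }
      return r.rating;
    },
  };
}

// Step 202 / claim 2: rank centres by "same segment as the browser" first,
// then by credit rating, and take at least two.
function selectCentres(centres, credit, localSegment, want = 2) {
  if (centres.length < 2) throw new Error('at least two authentication centres are required');
  const ranked = centres.slice().sort((a, b) => {
    const localA = a.segment === localSegment ? 1 : 0;
    const localB = b.segment === localSegment ? 1 : 0;
    return (localB - localA) || (credit.rating(b.id) - credit.rating(a.id));
  });
  return ranked.slice(0, Math.max(2, want));
}

// Step 307: n counts the publisher plus every centre that assessed the page.
// Unsigned or tampered pages never reach this point (steps 301/302 set S0 = 0).
function finalScore(publisher, assessments, credit) {
  const terms = [[publisher.suggested, credit.rating(publisher.id)]]
    .concat(assessments.map(a => [a.score, credit.rating(a.centreId)]));
  const weighted = terms.reduce((acc, [s, a]) => acc + s * a, 0);
  return weighted / terms.length;
}

// Constructed sample data: three centres, two on the browser's own segment,
// one of which has a bad record, and a publisher the browser has not seen.
function demoAggregation() {
  const credit = makeCreditStore();
  credit.record('centre-a', false); // clean: 0.5 -> 0.55
  credit.record('centre-b', true);  // bad:   0.5 -> 0.3
  const centres = [
    { id: 'centre-a', segment: '10.0.0.0/24' },
    { id: 'centre-b', segment: '10.0.0.0/24' },
    { id: 'centre-c', segment: '192.168.1.0/24' },
  ];
  const chosen = selectCentres(centres, credit, '10.0.0.0/24');
  // Guarantee scores S_i as the chosen centres might return them (constructed).
  const assessments = chosen.map(c => ({ centreId: c.id, score: 0.8 }));
  const s0 = finalScore({ id: 'publisher-1', suggested: 0.9 }, assessments, credit);
  return { chosen: chosen.map(c => c.id), s0 };
}
```

In the sample the two local centres are chosen ahead of the better-rated remote one, and the centre with a bad record still takes part but its guarantee score is weighted by a rating of 0.3, so $S_0 = (0.9 \cdot 0.5 + 0.8 \cdot 0.55 + 0.8 \cdot 0.3)/3 \approx 0.377$. Note that the plain average means a low score from a single well-rated centre can pull $S_0$ down only by its share $1/n$; the patent does not specify a veto.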
Description of drawings
Fig. 1 shows the application scenario of webpage security trust scoring and guarantee in an embodiment of the invention;
Fig. 2 is the overall flow chart of the webpage security trust scoring and guarantee method in an embodiment of the invention;
Fig. 3 is the flow chart of the browser calculating the final security score of a webpage in an embodiment of the invention.
Specific embodiments
To address the insufficient manual input and weak single-site authentication of the prior art, and in particular the inability to refine the security level to a single webpage, embodiments of the invention propose a webpage security scoring method in which, while the user browses a page, the browser automatically calculates the security level of the page from the assessment results of a plurality of authentication centers and the suggested score provided by the webpage publisher, and grants the corresponding browsing permissions.
As shown in Fig. 1, there are special websites on the Internet that can assess the security of webpages arriving at a user's browser; these are called assessment centers.
The webpage publisher delivers the page to the distributor, and the web server distributes it to the Internet. The user receives the page over the Internet. Because the page may be unsafe, before the browser executes the page code it first locates the authentication centers in the current network region and sends them an assessment request; each center that receives the request returns its guarantee score for the page, and the user's browser uses those scores and the other parameters to calculate the final security score.
At the same time, while the user browses, the security behaviour of both the webpage publisher and the assessment centers affects the credit records the browser keeps for them.
As shown in Fig. 2, the overall procedure for webpage security trust scoring and guarantee in an embodiment of the invention comprises:
Step 201: the webpage publisher embeds in the HTML code of the page a digital signature over the suggested score $S_1$ and the digital digest, then uploads the page to the publisher's server, from which it is published to the Internet.
Step 202: the browser receives the page and sends an assessment request to the authentication centers in the network; each center that receives the request authenticates the page, produces its own guarantee score $S_i$ for it, and returns it to the requesting browser.
Step 203: the browser receives the guarantee scores from the assessment centers, verifies the digital signature of the page to check that the page is the original, and obtains the credit ratings of the publisher and of each assessment center from its credit records. It then calculates the final score $S_0$ of the page according to the formula $S_0 = \frac{1}{n}\sum_{i=1}^{n} S_i A_i$ $(i = 1, 2, \ldots, n)$.
Step 204: according to the final score $S_0$, the browser grants the page the corresponding permissions. For example, when $S_0 = 0$ every function other than text display is disabled, and when $S_0$ is high the page may download unsigned ActiveX controls and so on.
In step 201, not every webpage needs extensive security permissions; a page that only publishes text, for instance, does not need ActiveX. The publisher therefore adds a digital signature and suggested score only to the pages that need them, deciding in advance whether a page needs to run JavaScript code or ActiveX controls and giving it a score sufficient for the corresponding permissions. For ordinary pages without a digital signature the final security score is always set to 0, which grants only the most basic browsing permissions.
In step 201, the digital signature is embedded in the page as follows:
a digital digest of the page to be published is computed with a chosen hash function;
the digest and the suggested score are packaged together, encrypted with the private key, and embedded in the page;
the public key used for verification is delivered to the user's browser by a secure channel.
In step 202, authentication centers are selected on the principle of nearness and familiarity: centers on the same network segment as the user and with a higher credit rating in the user's browser are preferred. No fewer than two authentication centers take part in the assessment.
In step 203, all records are obtained and all calculations are performed by the user's browser.
As shown in Fig. 3, the procedure by which the browser automatically calculates the final security score of a webpage in an embodiment of the invention comprises:
Step 301: the browser receives the page and first checks whether it contains a digital signature. For a page without a digital signature the final score $S_0$ is set to 0, i.e. only the minimum browsing permissions are granted.
Step 302: for a page that contains a digital signature, the browser verifies the signature with the public key and obtains the digital digest of the original page and the publisher's suggested score $S_1$ for it, then checks from the digest whether the page is the original. If the digest of the current page is found not to equal the digest recovered from the signature, the page has been maliciously tampered with by an attacker; the browser immediately sets $S_0 = 0$, grants the page only the least privilege, raises an alarm to the user and records the event in the security log.
Step 303: once the page is confirmed to be the original, the browser obtains the publisher's credit rating $A_1$ from the credit record it holds for that publisher.
Step 304: for each authentication center that assessed the page, the browser obtains that center's credit rating $A_i$ ($2 \le i \le n$) from the credit record it holds for the center.
Step 305: the browser extracts the guarantee score $S_i$ ($2 \le i \le n$) given to the page by the corresponding assessment center.
Step 306: steps 304 and 305 are performed in turn for every authentication center that assessed the page.
Step 307: from the publisher's suggested score $S_1$, the publisher's credit rating $A_1$, and the guarantee score $S_i$ and credit rating $A_i$ of each assessment center obtained in the preceding steps, the browser calculates the final score $S_0$ of the page according to the formula $S_0 = \frac{1}{n}\sum_{i=1}^{n} S_i A_i$ $(i = 1, 2, \ldots, n)$.
In step 301 there are two cases for a page without a digital signature. In the first, the publisher has judged from the content of the page that it displays correctly with least privilege and has therefore not added a signature. In the second, the page has been attacked during publication or transmission and the digital signature has been removed; in that case, although the page has been tampered with, $S_0$ is 0 and the browser refuses to run any code that could do harm, so browsing the page remains safe for the user.
In step 303, a publisher's credit rating changes with the security history of the pages it has published. As with a bank card, a record of bad behaviour lowers the credit, and otherwise the credit gradually increases. Each user's browser keeps its own credit records for publishers, and because every browser's browsing history differs, their credit scores for the same publisher also differ. Under this mechanism a browser is always somewhat guarded towards a website it visits for the first time.
In step 304, similarly to the publisher's credit rating, the credit rating of an authentication center rises and falls with the accuracy of its own assessments of webpages. The browser keeps credit records for authentication centers, and because each browser's history of assessment requests differs, browsers' credit scores for a given center also differ. If a browser has never before requested an assessment from a particular center, that center's credit rating will not be very high; for this reason the browser should prefer relatively "familiar" centers when selecting authentication centers.

Claims (2)

1. A webpage security trust scoring method, characterised in that the method comprises:
the webpage publisher encrypts the digital digest of the webpage together with a suggested score using its private key, packages the result into a digital signature and embeds it in the original web page code;
a plurality of authentication centers each give the webpage a security score; the browser automatically calculates a final score $S_0$ according to a set mechanism and decides from that score what security permissions to grant the webpage;
the mechanism by which the browser automatically calculates the final score $S_0$ comprises:
calculating the final score according to the formula $S_0 = \frac{1}{n}\sum_{i=1}^{n} S_i A_i$ $(i = 1, 2, \ldots, n)$;
where $S_1$ is the webpage publisher's suggested score and $A_1$ is the publisher's credit rating; for $i > 1$, $S_i$ is the guarantee score given to this webpage by one authentication center and $A_i$ is the credit rating of that authentication center;
$S_1$ is obtained as follows: the browser extracts the digital signature from the webpage, decrypts it with the public key and obtains the publisher's suggested score $S_1$;
$A_1$ is obtained as follows: the browser computes the publisher's credit rating $A_1$ from the credit record it keeps for that publisher; if the publisher has a record of bad behaviour, $A_1$ is reduced, otherwise $A_1$ is increased;
$S_i$ is obtained as follows: after the browser receives the webpage it automatically asks a plurality of authentication centers to assess it, and each center returns its guarantee score $S_i$ for the webpage;
$A_i$ is obtained as follows: the browser obtains the credit rating $A_i$ of each authentication center from the credit record it keeps for that center; if the center has a record of bad behaviour, $A_i$ is reduced, otherwise $A_i$ is increased.
2. The method of claim 1, characterised in that, in obtaining $S_i$, the authentication centers that assess the webpage are selected on the principle of nearness and high trust.
Priority and family data

Application number: CN2009102442640A
Title: Webpage security trust scoring method
Priority date: 2009-12-28
Filing date: 2009-12-28
Publication: CN102111385A (en), published 2011-06-29
Status: Pending
Family ID: 44175415
Country status: CN, CN102111385A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685108A (en) * 2012-03-31 2012-09-19 奇智软件(北京)有限公司 Method and device for adding and deciphering webpage enciphered data
CN102685108B (en) * 2012-03-31 2015-11-11 北京奇虎科技有限公司 Method and device for adding and decrypting encrypted webpage data
CN104620225A (en) * 2012-09-18 2015-05-13 国际商业机器公司 Certifying server side web applications against security vulnerabilities
CN104620225B (en) * 2012-09-18 2018-01-23 国际商业机器公司 Method and system for server security verification
CN107229631A (en) * 2016-03-24 2017-10-03 北京京东尚科信息技术有限公司 A kind of method and apparatus for capturing website data
CN107231363A (en) * 2017-06-12 2017-10-03 华南理工大学 A kind of distributed authentication method and authentication model
CN107231363B (en) * 2017-06-12 2021-06-08 华南理工大学 A Distributed Authentication Method and Authentication Model
CN109951448A (en) * 2019-01-31 2019-06-28 中国互联网络信息中心 Blockchain-based domain name trusted authentication method and device
CN111901334A (en) * 2020-07-27 2020-11-06 费希敏 System and method for setting access authority of associated equipment


Legal Events

Code / Title / Description

C06, PB01: Publication

C10, SE01: Entry into substantive examination (entry into force of request for substantive examination)

C53, CB02: Correction of patent application, change of applicant information
Address after: 100082, Building 1, Building 32, 612 Xizhimen North Main Street, Haidian District, Beijing
Applicant after: Beijing Safe-Code Technology Co., Ltd.
Address before: 100876, No. 34 South College Road, Haidian District, Beijing
Applicant before: Beijing Safe-Code Technology Co., Ltd.

C53, CB03: Correction of patent application, change of inventor information
Inventors after: Zhao Chen, Xu Qin, Du Xiaofeng, Bao Yibing
Inventors before: Zhao Chen, Xin Yang, Du Xiaofeng, Bao Yibing

COR: Change of bibliographic data
Free format text: CORRECT: INVENTOR; FROM: ZHAO CHEN, XIN YANG, DU XIAOFENG, BAO YIBING TO: ZHAO CHEN, XU QIN, DU XIAOFENG, BAO YIBING

C02, WD01: Invention patent application deemed withdrawn after publication (Patent Law 2001)
Application publication date: 2011-06-29