CN106911636A - A kind of method and device of detection website with the presence or absence of backdoor programs - Google Patents

A kind of method and device of detection website with the presence or absence of backdoor programs

Info

Publication number
CN106911636A
Authority
CN
China
Prior art keywords
uniform resource
resource locator
url
urls
backdoor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510976063.5A
Other languages
Chinese (zh)
Other versions
CN106911636B (en)
Inventor
董方
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201510976063.5A
Publication of CN106911636A
Application granted
Publication of CN106911636B
Legal status: Active
Anticipated expiration

Abstract

Translated from Chinese

The present application discloses a method and device for detecting whether a website contains a backdoor program. The method includes: obtaining the uniform resource locators (URLs) of the website to be detected that were accessed within a first statistical period, to obtain a first set of URLs; obtaining the URLs of the website to be detected that were accessed within a second statistical period after the first statistical period, to obtain a second set of URLs; determining the URLs contained in the second set and not contained in the first set to be suspicious URLs; judging whether the webpage code obtained by requesting a webpage through a suspicious URL contains a predetermined backdoor fingerprint; and, if so, determining that the website to be detected contains a backdoor program. Embodiments of the present application can detect backdoor programs in a website and thereby improve the security level of the website.

Description

Translated from Chinese
A method and device for detecting whether a website contains a backdoor program

Technical field

The present application relates to the field of Internet technology, and in particular to a method and device for detecting whether a website contains a backdoor program.

Background

With the development of Internet technology, information resources have grown explosively, and with that growth have come security problems for those resources. Information resources in the Internet environment may face threats of many kinds. In terms of origin, such a threat may come from purposeful active attacks by malicious programs or code, such as hackers and viruses; it may also come from "inherent" security vulnerabilities in the carrier on which the information resource depends (for example, application software, client programs, webpages/websites), and such vulnerabilities are very likely to be exploited illegally, thereby threatening the information resources. The threat posed by "backdoor programs" is a fairly common instance of the latter case.

For example, during software development, to make it easier to modify, debug and upgrade the software, programmers may create or reserve interfaces in the software through which design defects can be corrected or functions improved. However, if these interfaces become known to others, or are not removed before the software is released, malicious parties such as hackers may use them to bypass security controls, gain access to the related programs or systems, and carry out illegal operations such as collecting information. An interface of this kind, which may threaten the security of information resources, is generally called a backdoor program, and once a backdoor program is exploited the consequences may be serious. It is therefore necessary to detect, by an appropriate method, whether a backdoor program exists in the carrier that holds the information resources, and then to delete it or otherwise deal with it, thereby reducing the security risk.

In some scenarios in the prior art, backdoor programs can be discovered and handled in time. For example, a backdoor program lurking in a client program can be detected by existing antivirus software and removed promptly once detected. For backdoor programs lurking in websites, however, there is currently no effective detection method for improving the security level of the website.

Summary of the invention

Embodiments of the present application provide a method and device for detecting whether a website contains a backdoor program that overcome the above problems or at least partially solve them.

Embodiments of the present application adopt the following technical solutions:

A method for detecting whether a website contains a backdoor, comprising:

obtaining the uniform resource locators (URLs) of the website to be detected that were accessed within a first statistical period, to obtain a first set of URLs;

obtaining the URLs of the website to be detected that were accessed within a second statistical period after or before the first statistical period, to obtain a second set of URLs;

determining, as suspicious URLs, the URLs contained in the second set and not contained in the first set, or the URLs contained in the first set and not contained in the second set;

judging whether the webpage code obtained through a suspicious URL contains a predetermined backdoor fingerprint, the backdoor fingerprint being obtained by training on multiple sample backdoor programs in a backdoor sample library;

if so, determining that the website to be detected contains a backdoor program.

Preferably, after obtaining the URLs of the website to be detected that were accessed within the first statistical period to obtain the first set of URLs, the method further comprises:

deduplicating the URLs contained in the first set; and/or

filtering out the URLs contained in the first set that have corresponding static resources;

and after obtaining the URLs of the website to be detected that were accessed within the second statistical period after or before the first statistical period to obtain the second set of URLs, the method further comprises:

deduplicating the URLs contained in the second set; and/or

filtering out the URLs contained in the second set that have corresponding static resources.

Preferably, determining the URLs contained in the second set and not contained in the first set to be suspicious URLs of the website to be detected specifically comprises:

determining the URLs contained in the second set and not contained in the first set;

judging whether each URL so determined carries parameters;

if so, determining that URL to be a suspicious URL.

Preferably, after obtaining the URLs of the website to be detected that were accessed within the first statistical period to obtain the first set of URLs, the method further comprises:

dividing the first set into a first subset containing URLs with parameters and a second subset containing URLs without parameters;

after obtaining the URLs of the website to be detected that were accessed within the first statistical period to obtain the first set of URLs, the method further comprises:

dividing the second set into a third subset containing URLs with parameters and a fourth subset containing URLs without parameters;

then, determining the URLs contained in the second set and not contained in the first set to be suspicious URLs specifically comprises:

determining the URLs contained in the first subset and not contained in the third subset to be suspicious URLs with parameters;

determining the URLs contained in the second subset and not contained in the fourth subset to be suspicious URLs without parameters.

Preferably, determining the URLs contained in the second set and not contained in the first set to be suspicious URLs specifically comprises:

determining the URLs with parameters that are contained in the second set and not contained in the first set;

judging whether each URL so determined contains a backdoor URL feature from a preset backdoor sample library;

if so, determining that URL to be a suspicious URL.

A device for detecting whether a website contains a backdoor program, comprising:

a first obtaining unit, configured to obtain the URLs of the website to be detected that were accessed within a first statistical period, to obtain a first set of URLs;

a second obtaining unit, configured to obtain the URLs of the website to be detected that were accessed within a second statistical period after or before the first statistical period, to obtain a second set of URLs;

a determining unit, configured to determine, as suspicious URLs, the URLs contained in the second set and not contained in the first set, or the URLs contained in the first set and not contained in the second set;

a judging unit, configured to judge whether the webpage code obtained through a suspicious URL contains a predetermined backdoor fingerprint, the backdoor fingerprint being obtained by training on multiple sample backdoor programs in a backdoor sample library; and, if so, to determine that the website to be detected contains a backdoor program.

Preferably, the device further comprises:

a first preprocessing unit, configured to deduplicate the URLs contained in the first set, and/or to remove the URLs contained in the first set that belong to static resources;

a second preprocessing unit, configured to deduplicate the URLs contained in the second set, and/or to remove the URLs contained in the second set that belong to static resources.

Preferably, the determining unit specifically comprises:

a first determining subunit, configured to determine the URLs contained in the second set and not contained in the first set;

a first judging subunit, configured to judge whether each URL so determined carries parameters and, if so, to determine that URL to be a suspicious URL.

Preferably, the device further comprises:

a first division unit, configured to divide the first set into a first subset containing URLs with parameters and a second subset containing URLs without parameters;

a first division unit, configured to divide the second set into a third subset containing URLs with parameters and a fourth subset containing URLs without parameters;

then, the determining unit is specifically configured to:

determine the URLs contained in the first subset and not contained in the third subset to be suspicious URLs with parameters;

determine the URLs contained in the second subset and not contained in the fourth subset to be suspicious URLs without parameters.

Preferably, the determining unit specifically comprises:

a second determining subunit, configured to determine the URLs with parameters that are contained in the second set and not contained in the first set;

a second judging subunit, configured to judge whether each URL so determined contains a backdoor URL feature from a preset backdoor sample library and, if so, to determine that URL to be a suspicious URL.

At least one of the above technical solutions adopted in the embodiments of the present application can achieve the following beneficial effects:

The URLs of the website to be detected that were accessed within the first statistical period and within the second statistical period are obtained, giving a first set and a second set of URLs; the URLs contained in the second set and not contained in the first set are determined to be suspicious URLs; webpages are then requested through the suspicious URLs to obtain webpage code; and finally, whether the website to be detected contains a backdoor program is decided by judging whether the webpage code contains a preset backdoor fingerprint. Compared with the prior art, this "website access traffic analysis" approach can promptly find suspicious webpage code in a website, so that backdoor detection is performed on that code, backdoor programs in the website are effectively discovered, and the necessary targeted measures can be taken against them, which helps improve the security level of the website.

Description of the drawings

The drawings described here are provided for a further understanding of the present application and form part of it. The illustrative embodiments of the application and their descriptions are used to explain the application and do not unduly limit it. In the drawings:

Fig. 1 is a flowchart of a method for detecting whether a website contains a backdoor, provided by an embodiment of the present application;

Fig. 2 is the specific flow for determining suspicious URLs in an embodiment of the present application;

Fig. 3 is a block diagram of a device for detecting whether a website contains a backdoor, provided by an embodiment of the present application.

Detailed description

To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions of the application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. The described embodiments are evidently only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.

Fig. 1 shows the flow of the method for detecting whether a website contains a backdoor provided by an embodiment of the present application, which includes:

S101: Obtain the URLs of the website to be detected that were accessed within a first statistical period, to obtain a first set Q1 of URLs.

S102: Obtain the URLs of the website to be detected that were accessed within a second statistical period after the first statistical period, to obtain a second set Q2 of URLs.

In steps S101 and S102, the website to be detected may be any website that a user can access through a browser. The computer can obtain the uniform resource locators (URLs) of the website that have been accessed by examining the website's log data. The log data may include information such as host, time, IP address, URL and webpage parameters, and may be marked by time, so that the log data within a given statistical period can be obtained.

In the embodiments of the present application, the log data of the website to be detected for the corresponding statistical period can be fetched on a schedule according to the statistical period (the first or second statistical period above), in order to find URLs of the website that may belong to backdoor files. That is to say, the first statistical period and the second statistical period are equal. For example, if both periods are one day, step S101 obtains the URLs of the website that were accessed during the previous day, and step S102 obtains the URLs of the website that were accessed during the following day. Of course, in other embodiments of the present application the first and second statistical periods may be unequal, and each may be of any other length. Note that the second statistical period in this application may also precede the first statistical period.

In the embodiments of the present application, the first set Q1 is the set of URLs of the website to be detected that were accessed within the first statistical period, and the second set Q2 is the set of URLs of the website that were accessed within the second statistical period. In general, the webpages of the website to be detected may form a directory structure. For example, suppose the URL of the homepage of a website to be detected is www.sina.com.cn. Taking the homepage URL as the first level of the directory, the second-level URLs under it may include www.sports.sina.com.cn, www.book.sina.com.cn, www.game.sina.com.cn, and so on; the third-level URLs under the second-level URL "www.sports.sina.com.cn" may include www.sports.sina.com.cn/g/laliga/; the fourth-level URLs under the third-level URL "www.sports.sina.com.cn/g/laliga/" may include www.sports.sina.com.cn/g/laliga/2015-12-16/doc-ifxmpnuk1614789.shtml; and so on. In short, the URLs of the website to be detected may form a directory structure like the one described above. In this embodiment, taking a statistical period of one day as an example, the traffic (or number of visits) that each URL on the website receives per day is basically steady; if the traffic (or number of visits) to some URL on the website is found to change on a given day, that URL can be determined to be a suspicious URL.

In the embodiments of the present application, when the first set Q1 and the second set Q2 are built, the log data of the website to be detected usually records a URL once for each time it is accessed, so the same URL may appear in many records within the preset period (for example, one day). To make the URL data in the resulting first and second sets more compact, and so improve the computer's processing efficiency, the embodiments of the present application may proceed as follows:

After step S101, the method further includes the following step: deduplicating the URLs contained in the first set Q1. After step S102, the method further includes the following step: deduplicating the URLs contained in the second set Q2. These steps remove the duplicate URL data from the first and second sets, so that the resulting URL data is more compact.

In addition, to make the resulting URL data still more compact, after step S101 the method further includes the following step: removing the URLs contained in the first set Q1 that belong to static resources; and after step S102 the method further includes the following step: removing the URLs contained in the second set Q2 that have corresponding static resources. The static resources include, but are not limited to, CSS (Cascading Style Sheets), JS (JavaScript), HTML and images. "Corresponding" here means corresponding to the URL, that is, the resource behind some URLs may be a static resource. Filtering the URLs of static resources out of the first set Q1 and the second set Q2 makes the URL data in the resulting sets more compact and further improves the computer's processing efficiency.

It is worth mentioning that an embodiment of the present application may use just one of the deduplication step and the static-resource filtering step, or may combine the two.

In general, URLs can be divided into URLs with parameters and URLs without parameters. An example of a URL with parameters is http://www.xxx.com/cgi-bin/phf?Qname=root%; an example of a URL without parameters is www.sports.sina.com.cn/g/laliga/. Here "?Qname=root%" is the parameter part of the first URL. A URL with parameters usually carries more information than a URL without parameters. In view of this, in some embodiments of the present application, after step S101 the method further includes the following step: dividing the first set Q1 into a first subset Q11 containing URLs with parameters and a second subset Q12 containing URLs without parameters. Correspondingly, after step S102 the method further includes the following step: dividing the second set Q2 into a third subset Q21 containing URLs with parameters and a fourth subset Q22 containing URLs without parameters. Dividing the obtained URLs according to whether they carry parameters can improve the accuracy of the final backdoor determination.

S103: Determine the URLs contained in the second set and not contained in the first set to be suspicious URLs.

Taking first and second statistical periods of one day as an example: if a URL accessed on the following day does not appear in the previous day's log data, that is, the URL is newly accessed, this indicates to some extent that the URL is suspicious, and it must be examined further to decide whether it is the URL of a backdoor program. In a specific implementation, steps S101 and S102 obtain the website's log data (accessed URL data) for the previous day and for the following day respectively; taking the difference of the first set Q1 and the second set Q2 then yields one or more URLs that are contained in the second set Q2 but not in the first set Q1, and these URLs can be determined to be suspicious URLs. Similarly, in the other case, one or more URLs that are contained in the first set Q1 but not in the second set Q2 can be obtained, and these URLs can likewise be determined to be suspicious URLs. For brevity, when the steps for determining suspicious URLs are mentioned later in this application, only the former case is described in detail.

As mentioned above, in some embodiments of the present application, if the URLs are divided according to whether they carry parameters, step S103 may specifically include the following steps:

Determining the uniform resource locator URLs contained in the first subset Q11 and not contained in the third subset Q21 to be suspicious uniform resource locator URLs with parameters, for example: http://www.xxx.com/cgi-bin/phf?Qname=root%.

Determining the uniform resource locator URLs contained in the second subset Q12 and not contained in the fourth subset Q22 to be suspicious uniform resource locator URLs without parameters, for example: www.sports.sina.com.cn/g/laliga/.

It is worth noting that, because URLs with parameters carry more information, in the embodiments of the present application only the suspicious URLs with parameters may be kept for the subsequent backdoor judgment, which also further reduces the processing load on the computer. In other embodiments, only the suspicious URLs without parameters may be kept, or both the suspicious URLs with parameters and the suspicious URLs without parameters may be kept.

Referring to FIG. 2, in some embodiments of the present application the method may omit the step of dividing the URLs of the first set and the second set according to whether they carry parameters. As an alternative, step S103 may include the following steps:

S1031: Determine the uniform resource locator URLs contained in the second set Q2 and not contained in the first set Q1.

S1032: Judge whether each uniform resource locator URL determined above carries parameters.

Generally, a URL with parameters is a URL whose address carries a "?" at its end, so whether a URL carries parameters can be decided by checking whether the end of the address carries a "?".

S1033: If the uniform resource locator URL determined above carries parameters, determine it to be a suspicious uniform resource locator URL. In this way, without dividing the URLs beforehand, the specific flow of step S103 keeps only the URLs with parameters.

S104: Judge whether the web page code obtained by requesting the web page through the suspicious uniform resource locator URL contains a predetermined backdoor fingerprint; if so, determine that the website to be detected has a backdoor program.

Before step S104 is carried out, a number of backdoor samples (that is, backdoor programs) obtained in advance can be used to extract the backdoor fingerprints they contain. A backdoor fingerprint is a code fragment unique to the program code of a known backdoor program, for example "&shell=%s". For one backdoor sample, one or more code fragments (backdoor fingerprints) unique to that sample's program code can be determined at the same time. In this embodiment, the resulting backdoor fingerprints are collected into a backdoor fingerprint library.

After step S103 has determined the suspicious URLs accessed during the later day, step S104 dynamically requests the web page with each suspicious URL to obtain the corresponding page, and captures the web page code corresponding to the HTML content returned for the page. Using the backdoor fingerprint library obtained in advance, it then searches by offset positioning for whether the web page code corresponding to the suspicious URL contains a backdoor fingerprint from the library, in order to determine whether the suspicious URL is a backdoor of the website to be detected. Preferably, to improve the accuracy of the determination, in step S104, if the web page code corresponding to the suspicious URL is found to contain at least three backdoor fingerprints, and those at least three backdoor fingerprints are not contiguous, the suspicious URL can be determined to be a backdoor of the website to be detected, without any need to inspect the specific source code of the website.

For example, suppose a suspicious URL of the website to be detected is http://www.xxx.com/cgi-bin/phf?Qname=root%, and that dynamically requesting the web page yields web page code containing, for example, the following fragment:

pUdphdr->SrcPort=htons(SRCPORT);
pUdphdr->DestPort=htons(DESTPORT);
pUdphdr->Checksum=0;
char*pData=&buf[sizeof(IP_HEADER)+sizeof(UDP_HEADER)];
memcpy(pData,szMsg,nMsgLen);
UdpCheckSum(pIphdr,pUdphdr,pData,nMsgLen);
SOCKADDR_IN addr={0};//

Suppose that checking the above code finds that it contains three backdoor fingerprints, namely:

pUdphdr->DestPort=htons(DESTPORT);
char*pData=&buf[sizeof(IP_HEADER)+sizeof(UDP_HEADER)];
UdpCheckSum(pIphdr,pUdphdr,pData,nMsgLen);

Then it can be determined that the website to be detected has a backdoor program.

In summary, in the method provided by the embodiments of the present application, the uniform resource locator URLs of the website to be detected that are accessed within the first statistical duration and within the second statistical duration are obtained separately, giving a first set and a second set of uniform resource locator URLs. The uniform resource locator URLs contained in the second set and not contained in the first set are then determined to be suspicious uniform resource locator URLs, the web page is requested with each suspicious uniform resource locator URL to obtain its web page code, and finally whether the website to be detected has a backdoor is decided by judging whether the web page code contains a preset backdoor fingerprint. Through this process, the embodiments of the present application can detect backdoor programs in a website and thereby raise the security level of the website.
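The flow of S101 to S104, as an added Python example that is not code from the patent. The log lines, the static-resource extension list, the offline stand-in for the page request, and the reading of "not contiguous" as "matched spans do not touch" are assumptions; the fingerprints and the page fragment are the ones from the worked example above.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines for two consecutive days (sample data, not real traffic).
DAY1_LOG = """\
203.0.113.5 - - [21/Dec/2015:10:00:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [21/Dec/2015:10:00:02 +0800] "GET /static/site.css HTTP/1.1" 200 90
203.0.113.9 - - [21/Dec/2015:11:30:00 +0800] "GET /news/list HTTP/1.1" 200 2048
"""
DAY2_LOG = """\
203.0.113.5 - - [22/Dec/2015:09:00:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512
198.51.100.7 - - [22/Dec/2015:09:05:00 +0800] "POST /cgi-bin/phf?Qname=root% HTTP/1.1" 200 300
198.51.100.7 - - [22/Dec/2015:09:05:02 +0800] "GET /img/new-logo.png HTTP/1.1" 200 700
203.0.113.9 - - [22/Dec/2015:12:00:00 +0800] "GET /about HTTP/1.1" 200 100
203.0.113.9 - - [22/Dec/2015:12:00:05 +0800] "GET /search?q=shoes HTTP/1.1" 200 100
"""

# Fingerprint library and fetched page code, both taken from the worked example in the text.
FINGERPRINTS = [
    "pUdphdr->DestPort=htons(DESTPORT);",
    "char*pData=&buf[sizeof(IP_HEADER)+sizeof(UDP_HEADER)];",
    "UdpCheckSum(pIphdr,pUdphdr,pData,nMsgLen);",
]
PAGE_FRAGMENT = """\
pUdphdr->SrcPort=htons(SRCPORT);
pUdphdr->DestPort=htons(DESTPORT);
pUdphdr->Checksum=0;
char*pData=&buf[sizeof(IP_HEADER)+sizeof(UDP_HEADER)];
memcpy(pData,szMsg,nMsgLen);
UdpCheckSum(pIphdr,pUdphdr,pData,nMsgLen);
SOCKADDR_IN addr={0};//
"""
# Constructed stand-in for the dynamic page request, so the example runs offline.
RESPONSES = {
    "/cgi-bin/phf?Qname=root%": PAGE_FRAGMENT,
    "/search?q=shoes": "<html><body>0 results</body></html>",
}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")  # assumed list


def url_set(log_text):
    """S101/S102: URLs accessed in one period, deduplicated, static resources dropped."""
    urls = set()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and not urlsplit(match.group(1)).path.lower().endswith(STATIC_EXT):
            urls.add(match.group(1))
    return urls


def suspicious_urls(q1, q2, params_only=True):
    """S103 (S1031-S1033): URLs in Q2 but not in Q1, by default only those with '?'."""
    return sorted(u for u in q2 - q1 if "?" in u or not params_only)


def _squash(text):
    # Ignore whitespace so formatting differences do not hide a fingerprint.
    return re.sub(r"\s+", "", text)


def separated_hits(page_code, fingerprints):
    """Count fingerprints found at offsets whose spans neither overlap nor touch."""
    body = _squash(page_code)
    spans = []
    for fingerprint in fingerprints:
        needle = _squash(fingerprint)
        start = body.find(needle)
        if start != -1:
            spans.append((start, start + len(needle)))
    count, last_end = 0, -1
    for start, end in sorted(spans, key=lambda span: span[1]):
        if start > last_end:  # at least one other character lies between the two hits
            count += 1
            last_end = end
    return count


def is_backdoor(page_code, fingerprints, minimum=3):
    """S104: at least `minimum` non-contiguous fingerprints in the page code."""
    return separated_hits(page_code, fingerprints) >= minimum


def detect(day1_log, day2_log, fetch, fingerprints):
    """Run S101-S104 and return the suspicious URLs judged to be backdoors."""
    q1, q2 = url_set(day1_log), url_set(day2_log)
    return [u for u in suspicious_urls(q1, q2) if is_backdoor(fetch(u), fingerprints)]


if __name__ == "__main__":
    fetch = lambda url: RESPONSES.get(url, "")
    print(detect(DAY1_LOG, DAY2_LOG, fetch, FINGERPRINTS))
```

The new `/search?q=shoes` URL is also flagged by the set difference but is cleared at S104, which shows why the fingerprint check is needed after the log comparison.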

FIG. 3 is a block diagram of an apparatus for detecting whether a website has a backdoor program, provided by an embodiment of the present application. The functions implemented by the units of the apparatus are the same as those implemented by the steps of the method above, so for the specific technical details of the apparatus, refer to the method embodiments above; they are not repeated here. The apparatus includes:

A first obtaining unit 101, configured to obtain the uniform resource locator URLs of the website to be detected that are accessed within a first statistical duration, to obtain a first set containing uniform resource locator URLs;

A second obtaining unit 102, configured to obtain the uniform resource locator URLs of the website to be detected that are accessed within a second statistical duration after or before the first statistical duration, to obtain a second set containing uniform resource locator URLs;

A determining unit 103, configured to determine the uniform resource locator URLs contained in the second set and not contained in the first set, or the uniform resource locators contained in the first set and not contained in the second set, to be suspicious uniform resource locator URLs;

A judging unit 104, configured to judge whether the web page code obtained through the suspicious uniform resource locator URL and corresponding to it contains a predetermined backdoor fingerprint, the backdoor fingerprint being obtained by training on multiple sample backdoor programs in a backdoor sample library; and if so, to determine that the website to be detected has a backdoor program.

In the apparatus provided by the embodiments of the present application, the uniform resource locator URLs of the website to be detected that are accessed within the first statistical duration and within the second statistical duration are obtained separately, giving a first set and a second set of uniform resource locator URLs. The uniform resource locator URLs contained in the second set and not contained in the first set are then determined to be suspicious uniform resource locator URLs, the web page is requested with each suspicious uniform resource locator URL to obtain its web page code, and finally whether the website to be detected has a backdoor is decided by judging whether the web page code contains a preset backdoor fingerprint. Through this process, the embodiments of the present application can detect backdoor programs in a website and thereby raise the security level of the website.

In the embodiments of the present application, the apparatus further includes:

A first preprocessing unit, configured to deduplicate the uniform resource locator URLs contained in the first set; and/or to remove the uniform resource locator URLs contained in the first set that have corresponding static resources;

A second preprocessing unit, configured to deduplicate the uniform resource locator URLs contained in the second set; and/or to filter out the uniform resource locator URLs contained in the second set that have corresponding static resources. The first and second preprocessing units make the resulting URL data sets more compact, which improves the efficiency of computer processing.

In the embodiments of the present application, the determining unit specifically includes:

A first determining subunit, configured to determine the uniform resource locator URLs contained in the second set and not contained in the first set;

A first judging subunit, configured to judge whether each uniform resource locator URL determined above carries parameters; and if so, to determine that uniform resource locator URL to be a suspicious uniform resource locator URL. The first determining subunit and the first judging subunit make the finally determined suspicious URLs more accurate, which improves the efficiency of computer processing.

In the embodiments of the present application, the apparatus further includes:

A first division unit, configured to divide the first set into a first subset containing the uniform resource locator URLs with parameters and a second subset containing the uniform resource locator URLs without parameters;

A first division unit, configured to divide the second set into a third subset containing the uniform resource locator URLs with parameters and a fourth subset containing the uniform resource locator URLs without parameters;

The determining unit is then specifically configured to:

Determine the uniform resource locator URLs contained in the first subset and not contained in the third subset to be suspicious uniform resource locator URLs with parameters;

Determine the uniform resource locator URLs contained in the second subset and not contained in the fourth subset to be suspicious uniform resource locator URLs without parameters. Classifying the URLs according to whether they carry parameters further improves the accuracy of the process of determining suspicious URLs.

In the embodiments of the present application, the determining unit specifically includes:

A second determining subunit, configured to determine the uniform resource locator URLs with parameters that are contained in the second set and not contained in the first set;

A second judging subunit, configured to judge whether each uniform resource locator URL determined above contains a backdoor URL feature from a preset backdoor sample library; and if so, to determine that uniform resource locator URL to be a suspicious uniform resource locator URL. The second determining subunit and the second judging subunit make the finally determined suspicious URLs more accurate.

Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent storage in computer-readable media, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "comprise", "include", or any other variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article, or device that includes the element.

The above are merely embodiments of the present application and are not intended to limit it. For those skilled in the art, the present application may have various modifications and changes. Any modification, equivalent replacement, improvement, and the like made within the spirit and principle of the present application shall fall within the scope of the claims of the present application.

Claims (10)

1. A method for detecting whether a website has a backdoor program, characterized by comprising:
obtaining the uniform resource locator URLs of the website to be detected that are accessed within a first statistical duration, to obtain a first set containing uniform resource locator URLs;
obtaining the uniform resource locator URLs of the website to be detected that are accessed within a second statistical duration after or before the first statistical duration, to obtain a second set containing uniform resource locator URLs;
determining the uniform resource locator URLs contained in the second set and not contained in the first set, or the uniform resource locators contained in the first set and not contained in the second set, to be suspicious uniform resource locator URLs;
judging whether the web page code obtained through the suspicious uniform resource locator URL and corresponding to it contains a predetermined backdoor fingerprint, the backdoor fingerprint being obtained by training on multiple sample backdoor programs in a backdoor sample library;
if so, determining that the website to be detected has a backdoor program.

2. The method according to claim 1, characterized in that, after obtaining the uniform resource locator URLs of the website to be detected that are accessed within the first statistical duration, to obtain the first set containing uniform resource locator URLs, the method further comprises:
deduplicating the uniform resource locator URLs contained in the first set; and/or,
filtering out the uniform resource locator URLs contained in the first set that have corresponding static resources;
and after obtaining the uniform resource locator URLs of the website to be detected that are accessed within the second statistical duration after or before the first statistical duration, to obtain the second set containing uniform resource locator URLs, the method further comprises:
deduplicating the uniform resource locator URLs contained in the second set; and/or,
filtering out the uniform resource locator URLs contained in the second set that have corresponding static resources.

3. The method according to claim 1, characterized in that determining the uniform resource locator URLs contained in the second set and not contained in the first set to be suspicious URLs of the website to be detected specifically comprises:
determining the uniform resource locator URLs contained in the second set and not contained in the first set;
judging whether each uniform resource locator URL determined above carries parameters;
if so, determining that uniform resource locator URL to be a suspicious uniform resource locator URL.

4. The method according to claim 1, characterized in that, after obtaining the uniform resource locator URLs of the website to be detected that are accessed within the first statistical duration, to obtain the first set containing uniform resource locator URLs, the method further comprises:
dividing the first set into a first subset containing the uniform resource locator URLs with parameters and a second subset containing the uniform resource locator URLs without parameters;
after obtaining the uniform resource locator URLs of the website to be detected that are accessed within the first statistical duration, to obtain the first set containing uniform resource locator URLs, the method further comprises:
dividing the second set into a third subset containing the uniform resource locator URLs with parameters and a fourth subset containing the uniform resource locator URLs without parameters;
then determining the uniform resource locator URLs contained in the second set and not contained in the first set to be suspicious uniform resource locator URLs specifically comprises:
determining the uniform resource locator URLs contained in the first subset and not contained in the third subset to be suspicious uniform resource locator URLs with parameters;
determining the uniform resource locator URLs contained in the second subset and not contained in the fourth subset to be suspicious uniform resource locator URLs without parameters.

5. The method according to claim 1, characterized in that determining the uniform resource locator URLs contained in the second set and not contained in the first set to be suspicious uniform resource locator URLs specifically comprises:
determining the uniform resource locator URLs with parameters that are contained in the second set and not contained in the first set;
judging whether each uniform resource locator URL determined above contains a backdoor URL feature from a preset backdoor sample library;
if so, determining that uniform resource locator URL to be a suspicious uniform resource locator URL.

6. An apparatus for detecting whether a website has a backdoor program, characterized by comprising:
a first obtaining unit, configured to obtain the uniform resource locator URLs of the website to be detected that are accessed within a first statistical duration, to obtain a first set containing uniform resource locator URLs;
a second obtaining unit, configured to obtain the uniform resource locator URLs of the website to be detected that are accessed within a second statistical duration after or before the first statistical duration, to obtain a second set containing uniform resource locator URLs;
a determining unit, configured to determine the uniform resource locator URLs contained in the second set and not contained in the first set, or the uniform resource locators contained in the first set and not contained in the second set, to be suspicious uniform resource locator URLs;
a judging unit, configured to judge whether the web page code obtained through the suspicious uniform resource locator URL and corresponding to it contains a predetermined backdoor fingerprint, the backdoor fingerprint being obtained by training on multiple sample backdoor programs in a backdoor sample library; and if so, to determine that the website to be detected has a backdoor program.

7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a first preprocessing unit, configured to deduplicate the uniform resource locator URLs contained in the first set; and/or to filter out the uniform resource locator URLs contained in the first set that have corresponding static resources;
a second preprocessing unit, configured to deduplicate the uniform resource locator URLs contained in the second set; and/or to filter out the uniform resource locator URLs contained in the second set that have corresponding static resources.

8. The apparatus according to claim 6, characterized in that the determining unit specifically comprises:
a first determining subunit, configured to determine the uniform resource locator URLs contained in the second set and not contained in the first set;
a first judging subunit, configured to judge whether each uniform resource locator URL determined above carries parameters; and if so, to determine that uniform resource locator URL to be a suspicious uniform resource locator URL.

9. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a first division unit, configured to divide the first set into a first subset containing the uniform resource locator URLs with parameters and a second subset containing the uniform resource locator URLs without parameters;
a first division unit, configured to divide the second set into a third subset containing the uniform resource locator URLs with parameters and a fourth subset containing the uniform resource locator URLs without parameters;
the determining unit is then specifically configured to:
determine the uniform resource locator URLs contained in the first subset and not contained in the third subset to be suspicious uniform resource locator URLs with parameters;
determine the uniform resource locator URLs contained in the second subset and not contained in the fourth subset to be suspicious uniform resource locator URLs without parameters.

10. The apparatus according to claim 6, characterized in that the determining unit specifically comprises:
a second determining subunit, configured to determine the uniform resource locator URLs with parameters that are contained in the second set and not contained in the first set;
a second judging subunit, configured to judge whether each uniform resource locator URL determined above contains a backdoor URL feature from a preset backdoor sample library; and if so, to determine that uniform resource locator URL to be a suspicious uniform resource locator URL.
CN201510976063.5A | 2015-12-22 | 2015-12-22 | A method and device for detecting whether a website has a backdoor program | Active | CN106911636B (en)

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN201510976063.5A, CN106911636B (en) | 2015-12-22 | 2015-12-22 | A method and device for detecting whether a website has a backdoor program |

Publications (2)

| Publication Number | Publication Date |
| --- | --- |
| CN106911636A (en) | 2017-06-30 |
| CN106911636B (en) | 2020-09-04 |

Family

ID=59200875

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
| --- | --- | --- | --- |
| CN201510976063.5A (Active), CN106911636B (en) | A method and device for detecting whether a website has a backdoor program | 2015-12-22 | 2015-12-22 |

Country Status (1)

| Country | Link |
| --- | --- |
| CN (1) | CN106911636B (en) |

Legal Events

| Date | Code | Title | Description |
| --- | --- | --- | --- |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20220819. Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000. Patentee after: 3600 Technology Group Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |

