CN104580203A - Website malicious program detection method and device - Google Patents
- Publication number: CN104580203A (application CN201410856928.XA)
- Authority: CN (China)
- Prior art keywords: malicious code, code, malicious, suspected, website
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a website malicious program detection method, a website malicious program detection device, a website malicious code judgment method and a website malicious code judgment device.
Background
Today, as networks become ever more developed, network security has become a concern for every website and user. Existing network security detection technologies are generally aimed at user terminals, that is, personal devices such as PCs, tablet computers, smartphones and smart TVs, and the objects detected are generally only the files on the device.
Although the above detection technology gives the user terminal a certain degree of security, it cannot detect the security risks present in a website. Besides maliciously attacking user terminals, hackers also attack the servers of websites, mainly by implanting malicious code into the website's webpage files, for example implanting a backdoor program, or using malicious code to steal the entry method of an existing backdoor program, thereby bypassing the website's security controls through the backdoor and gaining permission to access the website's data, which poses a great security risk to the website's visitors and even to its administrators.
Summary of the invention
The technical problem to be solved by the present invention is how to detect whether malicious code exists in the webpage files of a website, so as to prompt the website's administrator to handle it accordingly and thus ensure the security of the website.
For this purpose, the present invention proposes a website malicious program detection method, comprising:
obtaining the webpage files of a target website;
detecting the source code in the webpage files according to a malicious program feature library, and identifying suspected malicious code in the webpage files;
transmitting the suspected malicious code and/or the webpage files to a preset server, so that the preset server judges whether the suspected malicious code is malicious code;
obtaining the suspected malicious code judgment result returned by the preset server.
Preferably, the method further comprises:
generating prompt information according to the judgment result, to prompt whether the target website contains webpage files in which malicious code exists.
Preferably, if the suspected malicious code is judged to be malicious code, the method further comprises:
adding the malicious code to a whitelist according to a received first instruction, so that the malicious code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
adding the malicious code to a blacklist according to a received second instruction, so that the code added to the blacklist is identified as malicious code when the source code is detected again.
Preferably, identifying the suspected malicious code in the webpage files further comprises:
querying the number of users who have accessed the suspected malicious code and added it to the whitelist, and if the number of users is greater than a preset number, judging the suspected malicious code to be non-malicious code and prompting accordingly.
The present invention also proposes a website malicious code judgment method, comprising:
obtaining suspected malicious code judged by a terminal and/or suspected malicious code in webpage files from the terminal;
detecting the suspected malicious code with a plurality of engines respectively, and judging whether the suspected malicious code is malicious code according to the detection result of each engine;
sending the suspected malicious code judgment result to the terminal.
The present invention also proposes a website malicious program detection device, comprising:
a file obtaining unit, configured to obtain the webpage files of a target website;
an identification unit, configured to detect the source code in the webpage files according to a malicious program feature library and identify suspected malicious code in the webpage files;
a transmission unit, configured to transmit the suspected malicious code and/or the webpage files to a server, so that the preset server detects whether the suspected malicious code is malicious code;
a result obtaining unit, configured to obtain the suspected malicious code detection result returned by the preset server.
Preferably, the device further comprises:
a prompting unit, configured to generate prompt information according to the judgment result, to prompt whether the target website contains webpage files in which malicious code exists.
Preferably, the device further comprises:
an adding unit, configured to, in the case that the suspected malicious code is malicious code, add the malicious code to a whitelist according to a received first instruction, so that the code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
in the case that the suspected malicious code is malicious code, add the malicious code to a blacklist according to a received second instruction, so that the code added to the blacklist is identified as malicious code when the source code is detected again.
Preferably, the device further comprises:
a query unit, configured to query the number of times the suspected malicious code has been accessed by a specific user, and if the number of accesses by the specific user is greater than a preset number of times, judge the suspected malicious code to be non-malicious code and prompt accordingly.
The present invention also proposes a website malicious code judgment device, comprising:
a code obtaining unit, configured to obtain suspected malicious code judged by a terminal and/or suspected malicious code in webpage files from the terminal;
a detection unit, configured to detect the suspected malicious code with a plurality of engines respectively, and judge whether the suspected malicious code is malicious code according to the detection result of each engine;
a sending unit, configured to send the suspected malicious code judgment result to the terminal.
According to the above technical solutions, at least the following technical effects can be achieved:
1. Through layer-by-layer detection, first of suspected malicious code and then of malicious code, it can be accurately detected whether malicious code exists in webpage files, which in turn provides an accurate prompt about the website's security;
2. Different marks can be added to malicious code according to received instructions, adding the malicious code to a whitelist or a blacklist, so that when the source code is detected again the marked code need not be matched again and its type can be determined and prompted quickly;
3. By comprehensively detecting malicious code with a plurality of engines, it can be judged more comprehensively and accurately whether suspected malicious code is malicious code, so that a more accurate judgment result is obtained for prompting.
Description of the drawings
The features and advantages of the present invention will be understood more clearly with reference to the accompanying drawings, which are schematic and should not be understood as limiting the invention in any way. In the drawings:
Fig. 1 shows a schematic flowchart of a website malicious program detection method according to an embodiment of the present invention;
Fig. 2 shows a schematic flowchart of a website malicious code judgment method according to an embodiment of the present invention;
Fig. 3 shows a schematic block diagram of a website malicious program detection device according to an embodiment of the present invention;
Fig. 4 shows a schematic block diagram of a website malicious code judgment device according to an embodiment of the present invention;
Fig. 5 shows a schematic diagram of the interaction between a website malicious program detection device and a website malicious code judgment device according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference numerals throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary and serve only to explain the present invention; they should not be understood as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" as used herein may also include the plural forms. It should further be understood that the word "comprising", as used in the description of the present invention, refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. Furthermore, "connected" or "coupled" as used herein may include a wireless connection or wireless coupling. The expression "and/or" as used herein includes all of, or any unit of, and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art, and unless specifically defined as herein, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, that is, devices having only a wireless signal receiver without transmission capability, and devices with receiving and transmitting hardware, that is, devices having receiving and transmitting hardware capable of two-way communication over a two-way communication link. Such devices may include: cellular or other communication devices with a single-line display or a multi-line display, or cellular or other communication devices without a multi-line display; a PCS (Personal Communications Service) device, which may combine voice, data processing, fax and/or data communication capabilities; a PDA (Personal Digital Assistant), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and a conventional laptop and/or palmtop computer or other device that has and/or includes a radio frequency receiver. The "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or adapted and/or configured to operate locally and/or in distributed form at any other location on the earth and/or in space. The "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart TV or set-top box.
Those skilled in the art will understand that the concepts of server, cloud, remote network device and the like as used herein have equivalent effect and include, but are not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers. Here, the cloud is made up of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a super virtual computer composed of a group of loosely coupled computers. In the embodiments of the present invention, communication between the remote network device, the terminal device and the WNS server may be achieved by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WiMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on the Bluetooth or infrared transmission standards.
Those skilled in the art should understand that the concepts "application", "application program", "application software" and similar expressions referred to in the present invention are the same concept well known to those skilled in the art, and refer to computer software suitable for electronic execution that is organically constructed from a series of computer instructions and related data resources. Unless otherwise specified, this naming is not limited by the kind or level of programming language, nor by the operating system or platform on which the software runs. Naturally, such concepts are also not limited by any form of terminal.
As shown in Fig. 1, a website malicious program detection method according to an embodiment of the present invention comprises:
S1, obtaining the webpage files of a target website;
The obtaining operation may be completed by a user (for example a website administrator) through a graphical user interface. Besides allowing the user to specify the target website, the graphical user interface may also present the user with the webpage files to be detected on a particular website, so that the user can select the corresponding website and the specific webpage files as needed; further still, it may provide the user with a specific detection area, detection location, detection path and so on. For example, the user may specify through the graphical user interface that all files on the target website's server are to be detected, that only files in a backup area are to be detected, or that only a certain file is to be detected, thereby achieving targeted detection.
S2, detecting the source code in the webpage files according to a malicious program feature library, and identifying suspected malicious code in the webpage files;
Malicious code is added mainly to the source code of webpage files. For example, when a hacker implants a backdoor in a website (of course, malicious code includes but is not limited to backdoors; it may also be a computer virus such as a Trojan horse), the hacker uses deception to send an e-mail or a file to the website administrator; when the administrator opens or runs the e-mail or file, the program in it modifies the source code in the webpage files, thereby creating a backdoor on the website's server.
To detect the source code of a webpage file, malicious program templates may be extracted from the malicious program feature library and matched against the source code in the webpage file, and code whose matching degree is greater than a preset matching value is judged to be suspected malicious code.
S3, transmitting the suspected malicious code and/or the webpage files to a preset server, so that the preset server judges whether the suspected malicious code is malicious code;
Preferably, the preset server may be a cloud server, which has strong computing and processing capability and may contain a plurality of engines to detect the suspected malicious code; on the one hand this reduces the computing and processing load on the server hosting the website, and on the other hand it improves the accuracy of the malicious code judgment.
Besides judging whether suspected malicious code is malicious code, the preset server may also directly detect the received webpage files and identify the suspected malicious code in them, thereby performing all of the malicious code judgment operations itself and further reducing the computing and processing load on the server hosting the website.
S4, obtaining the suspected malicious code judgment result returned by the preset server.
Preferably, besides returning the judgment result, corresponding prompt information may also be generated and returned.
Preferably, the method further comprises:
generating prompt information according to the judgment result, to prompt whether the target website contains webpage files in which malicious code exists.
The prompt information is related to the judgment result. For example, if it is judged that malicious code exists at several places in a webpage file, the prompt states that malicious code exists and that the safety factor is very low, and marks the malicious code; if it is judged that malicious code exists at one place in the webpage file, the prompt states that malicious code exists and that the safety factor is low, and marks the malicious code. Of course, besides the above content, the prompt information may also contain other content, for example the specific number of pieces of malicious code and their specific content.
Preferably, if the suspected malicious code is judged to be malicious code, the method further comprises:
adding the malicious code to a whitelist according to a received first instruction, so that the code added to the whitelist is identified as non-malicious code when the source code is detected again;
or
adding the malicious code to a blacklist according to a received second instruction, so that the code added to the blacklist is identified as malicious code when the source code is detected again.
As an example, malicious code includes but is not limited to backdoor programs, and backdoor programs fall mainly into two kinds: one is introduced by the website administrator during development of the website, and through it the administrator can test the website or fix defects in the program (hereinafter the first kind of backdoor program); the other is implanted into the website by an attacker through illegal means (hereinafter the second kind of backdoor program).
There is no substantial difference between these two kinds of backdoor program during detection, so both are judged to be malicious code. However, since the first kind was introduced by the website administrator, when it is prompted as malicious code the administrator is able to recognise it and add it to the whitelist; when the webpage source code is detected again, code in the whitelist can be judged to be a backdoor program introduced by the administrator and skipped directly, without further detection. For the second kind, when it is prompted as malicious code the administrator can add it to the blacklist; when the webpage source code is detected again, code in the blacklist can be judged to be a malicious backdoor program and prompted directly, without further detection.
Both of the above marking operations reduce repeated detection of webpage file source code, thereby reducing resource consumption, and allow the type of malicious code in a webpage file to be determined quickly, so that prompting is fast and accurate.
Preferably, identifying the suspected malicious code in the webpage files further comprises:
querying the number of users who have accessed the suspected malicious code and added it to the whitelist, and if the number of users is greater than a preset number, judging the suspected malicious code to be non-malicious code and prompting accordingly.
When more than the preset number of users have added the suspected malicious code to the whitelist, it can be preliminarily judged that the suspected malicious code is highly trustworthy, and it is presented to the website administrator as non-malicious code for specific discrimination; this avoids uploading it to the preset server for further detection and improves the efficiency of suspected malicious code detection.
Preferably, when a segment of suspected malicious code has been accessed by the website administrator more than a preset number of times, it can be preliminarily judged to have been introduced by the administrator for testing or fixing defects in the program, and the preliminary judgment result is then prompted; this avoids uploading it to the preset server for further detection and improves the efficiency of suspected malicious code detection.
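The flow of steps S1 to S4 together with the whitelist, blacklist and user-count shortcuts, as an added worked example written for this page and not taken from the patent. The feature library, the matching-degree rule (fraction of template fragments present in a line), the three server-side engines, the majority-vote combination rule and the sample PHP page are all constructed assumptions; the patent leaves each of them open.

```python
"""Terminal-side scan (S1 to S4) and a stand-in for the preset server's
multi-engine judgment. Example code written for this page, not the patent's:
the feature library, matching-degree rule, engines, vote rule and sample
page are all constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed feature library: a template is a list of code fragments, and the
# matching degree of a source line is the fraction of fragments it contains.
FEATURE_LIBRARY = {
    "php_eval_post": ["eval(", "$_POST", "base64_decode("],
    "php_exec_get": ["system(", "$_GET"],
    "php_assert_request": ["assert(", "$_REQUEST"],
}
PRESET_MATCH_VALUE = 0.6   # degree above this => suspected malicious code
PRESET_USER_COUNT = 3      # more whitelisting users than this => trusted locally
# A dangerous call that is not inside a string literal (lookbehind skips 'eval(').
SINK = r"(?<!['\"])\b(eval|assert|system|exec|passthru|shell_exec)\s*\("

def snippet_id(code: str) -> str:
    """Whitelist/blacklist key: hash of the line with whitespace removed."""
    return hashlib.sha256(re.sub(r"\s+", "", code).encode()).hexdigest()[:16]

def matching_degree(code: str, template: list) -> float:
    return sum(fragment in code for fragment in template) / len(template)

def is_suspected(code: str) -> bool:
    """S2: some template matches above the preset matching value."""
    return any(matching_degree(code, t) > PRESET_MATCH_VALUE
               for t in FEATURE_LIBRARY.values())

# Preset-server side: three constructed engines combined by majority vote.
def engine_dangerous_sink(code: str) -> bool:
    return re.search(SINK, code) is not None

def engine_input_reaches_sink(code: str) -> bool:
    return re.search(SINK + r".*\$_(POST|GET|REQUEST|COOKIE)\b", code) is not None

def engine_obfuscation(code: str) -> bool:
    return re.search(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", code) is not None

ENGINES = [engine_dangerous_sink, engine_input_reaches_sink, engine_obfuscation]

def preset_server_judge(code: str) -> bool:
    """Judge from each engine's result: malicious when most engines flag it."""
    flags = [engine(code) for engine in ENGINES]
    return 2 * sum(flags) > len(flags)

@dataclass
class Lists:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    whitelist_votes: dict = field(default_factory=dict)  # snippet_id -> users

def scan(source: str, lists: Lists) -> dict:
    """S2 to S4 for one webpage file: {line_no: verdict} for marked or suspected lines."""
    verdicts = {}
    for n, line in enumerate(source.splitlines(), 1):
        key = snippet_id(line)
        if key in lists.whitelist:            # first instruction: never re-matched
            verdicts[n] = "whitelisted"
        elif key in lists.blacklist:          # second instruction: prompted directly
            verdicts[n] = "blacklisted"
        elif not is_suspected(line):
            continue
        elif lists.whitelist_votes.get(key, 0) > PRESET_USER_COUNT:
            verdicts[n] = "trusted-by-users"  # not uploaded to the preset server
        else:                                 # S3/S4: upload, take the server verdict
            verdicts[n] = "malicious" if preset_server_judge(line) else "benign"
    return verdicts

def prompt(verdicts: dict) -> str:
    """Prompt information: the safety factor follows the number of findings."""
    hits = sorted(n for n, v in verdicts.items() if v in ("malicious", "blacklisted"))
    if not hits:
        return "no malicious code found"
    level = "very low" if len(hits) > 1 else "low"
    return f"malicious code at line(s) {hits}; safety factor {level}"

SAMPLE_PAGE = """<?php
$name = htmlspecialchars($_POST['name']);
$safe = str_replace('eval(', '', $_POST['body']);
eval($_POST['code']); // dev hook left by the site admin (first kind of backdoor)
assert($_REQUEST['expr']); // plugin hook already whitelisted by several users
system($_GET['cmd']);
?>"""

def demo() -> tuple:
    """Scan; the admin then whitelists line 4 and blacklists line 6; re-scan."""
    lines = SAMPLE_PAGE.splitlines()
    lists = Lists(whitelist_votes={snippet_id(lines[4]): 4})  # constructed: 4 users
    first = scan(SAMPLE_PAGE, lists)
    lists.whitelist.add(snippet_id(lines[3]))   # first instruction
    lists.blacklist.add(snippet_id(lines[5]))   # second instruction
    second = scan(SAMPLE_PAGE, lists)
    return first, prompt(first), second, prompt(second)
```

Calling `demo()` runs both scans: line 3 is suspected but judged benign by the server, line 5 skips the upload because enough users whitelisted it, and on the second scan lines 4 and 6 are resolved from the lists without re-matching.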
Further, the present invention also proposes a malicious program deletion method, which can effectively delete detected malicious programs. For example, for a malicious program present in a webpage image, the image in the webpage file can be obtained and it can be detected whether a malicious program is embedded in the image; if a malicious program exists in the image, the position of the malicious program in the image is obtained and the malicious program is replaced with filler characters. In this way a malicious program in an image on the website is detected in time and can be handled effectively, which not only reduces the likelihood of harm to the website but also raises the website's security level.
For a better understanding and application of the above deletion method, the present invention gives an example for the specific problem of detecting, and checking and killing, malicious programs in JPEG-format images in webpages; however, the present invention is not limited to the following example.
The JPEG image vulnerability mainly involves a file in the operating system named GdiPlus.dll. Because a great deal of software calls this dynamic link library to process JPEG images, the scope of the vulnerability is very wide; examples include Windows XP SP1, MS Office and QQ2004. An intruder can use the principle of this vulnerability to insert a malicious program into an image, so that software that has this vulnerability runs the malicious program in the image unconditionally, thereby taking control of the affected system.
From the principle of the JPEG image vulnerability described above, it can be seen that the vulnerability gives an intruder a great deal of latitude in intrusion methods: for example, the intruder can insert a malicious program such as a Trojan or backdoor into an image, so that the malicious program has quietly started running by the time the viewer opens the image; or insert a third-party connection program into the image and set up the modified image as something like a Trojan server, so that connecting to the image connects to the backdoor or other malicious program.
Specifically, a malicious program such as a Trojan backdoor is inserted into an image, so that as soon as a viewer opens a webpage, e-mail or the like containing the image, the image is opened automatically and the Trojan backdoor or other malicious program runs at the same time; this is the most typical way of exploiting the vulnerability. For example, a tool called JPEG Downloader can insert a Trojan file or other malicious program into a specified image file: after opening it, the download address of the Trojan or other malicious program to be inserted is filled in the "Downloader file" field, and double-clicking the "make" button generates an image file in the same directory, but one into which malicious program code such as a Trojan has been inserted.
Further, the above image file looks the same as an ordinary image file on the surface, but once it is opened it automatically downloads and runs the previously specified Trojan or other malicious program; the only visible difference is that the image cannot be displayed normally when opened and is instead displayed in a manner including but not limited to a red X.
Further still, because the JPEG image vulnerability mainly involves a file in the operating system named GdiPlus.dll, and a great deal of software calls this dynamic link library to process JPEG images, the scope of the vulnerability is very wide; therefore, for the question of how to check and kill backdoors and other malicious programs in relation to the JPEG image vulnerability, the present invention proposes a website protection method.
Specifically, the website's log files are recorded through a CDN (Content Delivery Network) and analyzed; each log entry in the website's log file is identified and analyzed further. The website's log data includes information such as host, time, IP address, URL (Uniform Resource Locator) and web page parameters; the web page parameters can be extracted from the log data of the website being inspected in order to obtain the web page files.
Further, the web page file is compared with the web page file pre-stored in the database. Specifically, the access frequency of each web page of the website, that is, the number of page views (PV) within a period of time, is counted, and web page files whose access frequency is below a preset access-frequency threshold are identified as suspicious web page files; here the access-frequency anomaly weight is inversely proportional to the access frequency of the web page file, that is, the lower the access frequency, the larger the access-frequency anomaly weight, and conversely the higher the access frequency, the smaller the access-frequency anomaly weight. And/or the number of access sources of each web page of the website is counted, and web page files whose number of access sources is below a preset access-source threshold are identified as suspicious web page files; here the access-source anomaly weight is inversely proportional to the number of access sources of the web page file, that is, the fewer the access sources, the larger the access-source anomaly weight, and conversely the more access sources, the smaller the access-source anomaly weight. And/or the number of visits to each web page of the website is counted by time period, web page files for which the per-period number of visits exceeds the preset per-period visit threshold more than a specified number of times are identified as suspicious files, and the per-period access anomaly weight of the suspicious web page file is calculated.
For example, the web logs are analyzed over a fixed time span, such as per day. In general the number of visits to all files and their peak periods follow an obvious pattern: if the visits come from users, they rise and fall gradually over time; if they come from automated machine access, the file is accessed at fixed points in time; only the accesses of backdoor files, Trojans, viruses and other malicious programs are disordered. Therefore detection can be performed by counting visits per time period, with per-period thresholds set according to the actual application scenario; a web page file whose per-period visit count exceeds the per-period threshold more than the specified number of times can be identified as a suspicious web page file. For example, the day is divided into 12 periods, each with its own per-period threshold, and it is stipulated that the number of times the per-period threshold is exceeded should be less than 3; when a web page file's visit count exceeds the corresponding per-period threshold in more than 3 periods, the web page is identified as suspicious.
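The per-period rule above, worked through over constructed CDN-style log lines as an added example (not code from the patent): the day is split into 12 two-hour periods, each period has its own threshold, and a page is flagged when its visit count exceeds the threshold in more than 3 periods; the access-source count from the same passage is computed as the number of distinct client IPs. The log layout, thresholds and sample lines are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

PERIODS = 12                     # the text divides the day into 12 periods
PERIOD_HOURS = 24 // PERIODS     # so each period spans 2 hours
MAX_EXCEEDED_PERIODS = 3         # suspicious when exceeded in more than 3 periods

# Assumed per-period visit thresholds (constructed): user traffic is expected to
# be low at night (periods 0-3, 00:00-08:00) and higher during the day.
PERIOD_THRESHOLDS: Dict[int, int] = {p: (1 if p < 4 else 5) for p in range(PERIODS)}

# Constructed log lines in an assumed "host time ip url" layout; one page shows
# ordinary daytime traffic, the other steady machine-like night-time hits.
SAMPLE_LOG = """\
www.example.test 2014-12-31T08:05:11 203.0.113.10 /index.html
www.example.test 2014-12-31T09:12:40 203.0.113.11 /index.html
www.example.test 2014-12-31T10:30:02 203.0.113.12 /index.html
www.example.test 2014-12-31T14:45:19 203.0.113.13 /index.html
www.example.test 2014-12-31T01:02:03 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T01:40:13 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T03:15:00 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T03:59:58 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T05:07:44 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T05:51:09 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T07:22:30 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T07:58:01 198.51.100.7 /upload/pic.jpg
www.example.test 2014-12-31T12:00:00 203.0.113.14 /upload/pic.jpg
"""


def parse_log(text: str) -> List[dict]:
    """Split each line into the host, time, IP address and URL fields named in the text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, ts, ip, url = line.split()
        entries.append({"host": host, "time": datetime.fromisoformat(ts),
                        "ip": ip, "url": url})
    return entries


def period_of(t: datetime) -> int:
    """Map a timestamp to its period index within the day (0..PERIODS-1)."""
    return t.hour // PERIOD_HOURS


def visits_by_period(entries: List[dict]) -> Dict[str, Dict[int, int]]:
    """Per-URL visit counts, broken down by period."""
    counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for e in entries:
        counts[e["url"]][period_of(e["time"])] += 1
    return counts


def exceeded_periods(url_counts: Dict[int, int],
                     thresholds: Dict[int, int] = PERIOD_THRESHOLDS) -> List[int]:
    """Periods in which the page's visit count is above that period's threshold."""
    return sorted(p for p, n in url_counts.items() if n > thresholds.get(p, 0))


def suspicious_pages(text: str) -> Dict[str, dict]:
    """Report, per URL, the exceeded periods, the per-period anomaly weight
    (assumed here to be the number of exceeded periods), the access-source
    count and the final suspicious flag."""
    entries = parse_log(text)
    counts = visits_by_period(entries)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        sources[e["url"]].add(e["ip"])
    report = {}
    for url, per_period in counts.items():
        exceeded = exceeded_periods(per_period)
        report[url] = {
            "exceeded_periods": exceeded,
            "period_anomaly_weight": len(exceeded),
            "access_sources": len(sources[url]),
            "suspicious": len(exceeded) > MAX_EXCEEDED_PERIODS,
        }
    return report


if __name__ == "__main__":
    for url, info in suspicious_pages(SAMPLE_LOG).items():
        print(url, info)
```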
Further, the suspicious web page file is compared with the web page file pre-stored in the database; if an image in the web page file differs from the image pre-stored in the database, the image in the web page is obtained. This improves the efficiency and accuracy of obtaining the images in web page files.
Further, the image is checked for an embedded malicious program. Specifically, a malicious program rule base is loaded and the image is matched against the rules in the rule base. This improves the accuracy of finding malicious programs embedded in images.
Further, the attribute information of the image in the web page is obtained; the attribute anomaly degree of the image is determined from the image creation time and/or the image permissions in the attribute information; and an image whose attribute anomaly degree exceeds a preset anomaly threshold is judged to be an image with an embedded malicious program.
Furthermore, determining the attribute anomaly degree of the image from the image creation time and/or the image permissions in the attribute information further includes determining the attribute anomaly degree from the creation time as follows: calculate the dispersion between the creation time of the image and the creation times of the other images on the same web page, identify images whose time dispersion exceeds a preset dispersion threshold, and assign them a creation-time anomaly weight. The time dispersion can be calculated in ways including, but not limited to, the following:
Obtain the creation times of all images in the same directory, sort them chronologically, and calculate the time dispersion of each image. The dispersion can be calculated using mathematical methods such as the range, the sum of squared deviations from the mean, the variance or the standard deviation, which improves the variety and accuracy of the time-dispersion calculation. For example, using the range method, the calculation can be:
time dispersion of the current image = creation time of the current image - creation time of the earliest-created image in the same directory. For example, if the current image was created at 10:30 on a given day and the earliest-created image in the same directory was created at 10:28 on the same day, the time dispersion of the current image is 2 minutes.
Whether the time dispersion of each image exceeds the preset dispersion threshold is judged; images whose time dispersion is greater than the threshold are identified and assigned a creation-time anomaly weight. For example, if the preset dispersion threshold is 5, the current image in the above example is considered a normal image; otherwise it would be an abnormal image.
Furthermore, determining the image attribute anomaly degree from the image permissions is as follows: judge whether the image permissions are the default permissions, and if not, assign the image a permission anomaly weight; then determine the image's attribute anomaly degree from the creation-time anomaly weight and/or the permission anomaly weight. In other words, the image's permissions are checked against the default permissions, and if they are found not to be the default, a constant is assigned as the permission anomaly weight. For example, under Linux the default permissions of an image are usually 0744.
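The attribute anomaly degree described above, implemented as an added example that is not part of the patent: time dispersion by the range method (creation time minus the earliest creation time in the same directory) against the 5-minute threshold from the text, a permission check against the Linux default 0744, and the two weights summed into the anomaly degree. The weight values, the anomaly threshold, the sample directory and the `os.stat` helper are assumptions constructed for this example.

```python
import os
import stat
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

DISPERSION_THRESHOLD = timedelta(minutes=5)  # preset dispersion threshold (text: 5)
DEFAULT_MODE = 0o744                         # default image permissions on Linux (text)
CREATION_TIME_WEIGHT = 1.0                   # assumed creation-time anomaly weight
PERMISSION_WEIGHT = 1.0                      # assumed constant permission anomaly weight
ANOMALY_THRESHOLD = 1.0                      # assumed: flagged only when both weights fire


@dataclass
class ImageInfo:
    name: str
    created: datetime
    mode: int  # permission bits, e.g. 0o744


# Constructed sample directory. logo.jpg is the 10:28 / 10:30 example from the
# text; cache.jpg was created hours later and has non-default permissions.
SAMPLE_IMAGES = [
    ImageInfo("banner.jpg", datetime(2014, 12, 31, 10, 28), 0o744),
    ImageInfo("logo.jpg", datetime(2014, 12, 31, 10, 30), 0o744),
    ImageInfo("thumb.jpg", datetime(2014, 12, 31, 10, 31), 0o755),
    ImageInfo("photo.jpg", datetime(2014, 12, 31, 10, 33), 0o744),
    ImageInfo("cache.jpg", datetime(2014, 12, 31, 23, 58), 0o755),
]


def time_dispersion_range(images: List[ImageInfo]) -> Dict[str, timedelta]:
    """Range method: each image's creation time minus the earliest one in the set."""
    ordered = sorted(images, key=lambda i: i.created)
    earliest = ordered[0].created
    return {i.name: i.created - earliest for i in ordered}


def creation_time_weight(dispersion: timedelta) -> float:
    """Assign the creation-time anomaly weight when dispersion exceeds the threshold."""
    return CREATION_TIME_WEIGHT if dispersion > DISPERSION_THRESHOLD else 0.0


def permission_weight(mode: int) -> float:
    """Assign the permission anomaly weight when the bits differ from the default."""
    return PERMISSION_WEIGHT if (mode & 0o777) != DEFAULT_MODE else 0.0


def attribute_anomaly(images: List[ImageInfo]) -> Dict[str, float]:
    """Attribute anomaly degree = creation-time weight + permission weight."""
    dispersion = time_dispersion_range(images)
    return {i.name: creation_time_weight(dispersion[i.name]) + permission_weight(i.mode)
            for i in images}


def suspicious_images(images: List[ImageInfo]) -> List[str]:
    """Images whose anomaly degree is greater than the preset anomaly threshold."""
    return sorted(n for n, d in attribute_anomaly(images).items() if d > ANOMALY_THRESHOLD)


def from_directory(path: str) -> List[ImageInfo]:
    """Assumed helper for real use: read permissions and a creation-time proxy from
    the filesystem. Linux exposes no true creation time through os.stat, so the
    inode change time st_ctime is used as the closest portable approximation."""
    infos = []
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode):
            infos.append(ImageInfo(name, datetime.fromtimestamp(st.st_ctime),
                                   stat.S_IMODE(st.st_mode)))
    return infos


if __name__ == "__main__":
    print(attribute_anomaly(SAMPLE_IMAGES))
    print("suspicious:", suspicious_images(SAMPLE_IMAGES))
```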
Furthermore, if a malicious program is present in the image, the location of the malicious program in the image is obtained and the malicious program is replaced with padding characters. The padding characters include alphabetic safe characters, for example a-z or A-Z, numeric safe characters and/or blank placeholders. This improves the variety and selectability of the padding characters.
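The rule-base matching and padding replacement from the two passages above, as an added example that is not the patent's own code: the image bytes are scanned against a small rule base, each match's location is recorded, and the matched bytes are overwritten in place with a padding character of the same length so the file size and the surrounding JPEG markers are unchanged. The rule base, the padding choices and the sample image bytes are constructed for this example; a deployed rule base would carry vetted signatures.

```python
import re
from typing import List, Tuple

JPEG_SOI = b"\xff\xd8"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker

# Constructed rule base: (rule name, compiled byte pattern). These two rules are
# illustrative stand-ins for the malicious program rule base the text loads.
RULE_BASE = [
    ("constructed-script-tag", re.compile(rb"<script\b.*?</script>", re.I | re.S)),
    ("constructed-php-tag", re.compile(rb"<\?php.*?\?>", re.S)),
]

# Padding characters named in the text: alphabetic, numeric, or blank placeholder.
PADDING_CHOICES = {"alpha": b"A", "digit": b"0", "blank": b" "}

# Constructed sample: a minimal JPEG-like byte string with a benign PHP-style tag
# embedded after the JFIF header, standing in for injected code.
SAMPLE_IMAGE = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01"
                + b"<?php echo 1; ?>" + b"\x00" * 8 + JPEG_EOI)

Hit = Tuple[str, int, int]  # (rule name, start offset, end offset)


def is_jpeg(data: bytes) -> bool:
    """Cheap structural check before applying the rule base."""
    return data[:2] == JPEG_SOI


def locate_malicious(data: bytes) -> List[Hit]:
    """Match every rule against the raw bytes and return the hit locations."""
    hits: List[Hit] = []
    for name, pattern in RULE_BASE:
        for m in pattern.finditer(data):
            hits.append((name, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def pad_out(data: bytes, hits: List[Hit], padding: str = "alpha") -> bytes:
    """Overwrite each hit with padding of identical length; nothing is removed,
    so offsets of the remaining bytes and the file size stay the same."""
    fill = PADDING_CHOICES[padding]
    buf = bytearray(data)
    for _, start, end in hits:
        buf[start:end] = fill * (end - start)
    return bytes(buf)


def clean_image(data: bytes, padding: str = "alpha") -> Tuple[bytes, List[Hit]]:
    """Detect, then neutralize: returns the padded bytes and the hits that were padded."""
    if not is_jpeg(data):
        raise ValueError("not a JPEG: missing SOI marker")
    hits = locate_malicious(data)
    return pad_out(data, hits, padding), hits


if __name__ == "__main__":
    cleaned, found = clean_image(SAMPLE_IMAGE, padding="blank")
    print("hits:", found)
    print("cleaned:", cleaned)
```

Padding the bytes keeps the file parseable by the rule base but, as the text itself notes for the injected original, the image may no longer render normally; the intent is neutralization, not restoration.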
According to the malicious program deletion method proposed by the present invention, the image in the web page file is obtained and checked for an embedded malicious program; if a malicious program is present, its location in the image is obtained and it is replaced with padding characters. In this way a malicious program in a website image is detected in time and can be handled effectively, which not only reduces the probability of harm to the website but also raises the website's security level.
As shown in Figure 2, a website malicious code judgment method according to one embodiment of the present invention includes:
S1', obtaining suspected malicious code determined by the terminal and/or suspected malicious code in a web page file from the terminal;
S2', detecting the suspected malicious code with multiple engines respectively, and judging whether the suspected malicious code is malicious code according to the detection result of each engine;
S3', sending the judgment result for the suspected malicious code to the terminal.
Because different engines detect suspected malicious code in different ways, their judgment results also differ, so the judgment results of the engines can be intersected. For example, three segments of suspected malicious code are obtained;
the first engine's detection results for the three segments of suspected malicious code are: non-malicious code, malicious code, malicious code;
the second engine's detection results for the three segments of suspected malicious code are: non-malicious code, malicious code, malicious code;
the third engine's detection results for the three segments of suspected malicious code are: non-malicious code, malicious code, non-malicious code;
then intersecting the judgment results of the three engines gives detection results for the three segments of: non-malicious code, malicious code, malicious code. That is, for a given segment of suspected malicious code, when all of the engines detect it as non-malicious code it is judged to be non-malicious code, and when at least one of the engines detects it as malicious code it is judged to be malicious code, which improves the accuracy of judging suspected malicious code.
As shown in Figure 3, a website malicious program detection device 10 according to one embodiment of the present invention includes:
a file acquisition unit 11, configured to obtain the web page files of the target website;
an identification unit 12, configured to check the source code in the web page files against a malicious program feature library and identify suspected malicious code in the web page files;
a transmission unit 13, configured to transmit the suspected malicious code and/or the web page files to a server, so that the preset server detects whether the suspected malicious code is malicious code;
a result acquisition unit 14, configured to obtain the suspected malicious code detection result returned by the preset server.
Preferably, it also includes:
a prompting unit 15, configured to generate prompt information according to the judgment result, to indicate whether the target website contains web page files with malicious code.
Preferably, it also includes:
a marking unit 16, which, when the suspected malicious code is malicious code, adds a first mark to the malicious code according to a received first instruction, so that the malicious code bearing the first mark is recognized as non-malicious code when the source code is checked again;
or
when the suspected malicious code is malicious code, adds a second mark to the malicious code according to a received second instruction, so that the malicious code bearing the second mark is recognized as malicious code when the source code is checked again.
Preferably, it also includes:
a query unit 17, configured to query the number of times the suspected malicious code has been accessed by a specific user, and if that number is greater than a preset number, to determine the suspected malicious code to be non-malicious code and prompt accordingly.
As shown in Figure 4, a website malicious code judgment device 20 according to one embodiment of the present invention includes:
a code acquisition unit 21, configured to obtain suspected malicious code determined by the terminal and/or suspected malicious code in a web page file from the terminal;
a detection unit 22, configured to detect the suspected malicious code with multiple engines respectively and judge whether the suspected malicious code is malicious code according to the detection result of each engine;
a sending unit 23, configured to send the judgment result for the suspected malicious code to the terminal.
The interaction between the website malicious program detection device 10 and the website malicious code judgment device 20 is shown in Figure 5. The website malicious program detection device 10 includes, but is not limited to, the website's local server, and the website malicious code judgment device 20 includes, but is not limited to, a cloud server. The local server performs a preliminary check of the source code in the web page files, while the cloud server performs precise detection of the suspected malicious code; this improves the accuracy of the detection results on the one hand, and on the other hand reduces the computational load on the local server and increases the overall speed of code detection.
In summary, by checking the source code in web page files and having a preset server detect the suspected malicious code, the present invention can quickly and accurately detect malicious code present in a target website, thereby reducing the probability that the website is maliciously attacked and improving the website's security.
It should be noted that the algorithms and formulas provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the examples herein. The structure required to construct such systems is apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and the above description of specific languages is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the description provided herein. However, it is understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various aspects of the invention, in the above description of exemplary embodiments of the invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the website security detection device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
The above are only some of the embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make a number of improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410856928.XA (CN104580203A) | 2014-12-31 | 2014-12-31 | Website malicious program detection method and device |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN104580203A | 2015-04-29 |

Family ID: 53095384

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN104580203A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C41 | Transfer of patent application or patent right or utility model | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20161227. Address after: 100015 Chaoyang District Road, Jiuxianqiao, No. 10, building No. 3, floor 15, floor 17, 1701-26. Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant before: Beijing Qihoo Technology Co., Ltd.; Qizhi Software (Beijing) Co., Ltd. |
| | RJ01 | Rejection of invention patent application after publication | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20150429 |