CN107124386A - The determination method and device of black industry content - Google Patents


Info

Publication number: CN107124386A
Authority: CN (China)
Application number: CN201610102490.5A
Priority application: CN201610102490.5A
Other versions: CN107124386B (granted patent)
Language: Chinese (zh)
Inventor: 曾加良
Original and current assignee: Shenzhen Shenxinfu Electronic Technology Co Ltd
Prior art keywords: black industry, industry content, data, content, black
Legal status: granted; active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention discloses a method for determining black industry content. A packet exchanged between a server to be examined and a client is obtained, the packet containing request data sent by the client to the server or reply data sent by the server to the client; black industry content detection is performed on the request data or the reply data; and when black industry content is detected in the request data or the reply data, the category of the black industry content is analyzed according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories. The invention also discloses a detection and analysis device for black industry content. The invention identifies black industry content, analyzes its category, comprehensively checks the server for the presence of black industry content together with the content and category present, and prompts the user accordingly.

Description

The determination method and device of black industry content
Technical field
The present invention relates to the technical field of network security, and more particularly to a method and device for determining black industry content.
Background technology
The development of network technology has brought many conveniences to people's lives: in daily life one can search the Internet for information about education, medical treatment and so on, and handle official matters through government websites. At the same time, organizations or individuals with bad intentions attack websites through website vulnerabilities and then trade in, or occupy, the resources of the server or client. This has formed a complete industry chain of attack, production of black industry content, distribution and trading, known as the black industry chain (黑色产业链). An attacker performs malicious operations on a target device in this chain, produces various data through those operations and profits from them, which creates hidden dangers for network security.
In the prior art, to guard against black industry content, security mechanisms such as signature detection and statistical detection are generally used to determine whether a server has been attacked. After detection the user may be told that a Trojan communication link has been intercepted, that an SQL (Structured Query Language) injection attack has been blocked, or that a webshell attack has been blocked. However, which black industry content is present on the server after it has been attacked, and the category of that content, are generally neither detected nor analyzed.
Summary of the invention
The main object of the present invention is to provide a method and device for determining black industry content, aiming to identify black industry content and to analyze its category.
To achieve the above object, the method for determining black industry content provided by the present invention includes the following steps:
obtaining a packet exchanged between a server to be examined and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client;
performing black industry content detection on the request data or the reply data;
when black industry content is detected in the request data or the reply data, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories.
Preferably, performing black industry content detection on the request data or the reply data includes:
detecting the request data or the reply data with a preset regular expression, the preset regular expression being used to match the request data or the reply data against the data in a preset second rule base;
when the packet contains the request data and the request data matches data in the second rule base, confirming that the request data contains the black industry content; when the packet contains the reply data and the reply data matches data in the second rule base, confirming that the reply data contains the black industry content.
Preferably, performing black industry content detection on the request data or the reply data further includes:
detecting whether the request data or the reply data contains characteristic information of a preset application;
when the packet contains the request data and the characteristic information is present, confirming that the request data contains the black industry content; when the packet contains the reply data and the characteristic information is present, confirming that the reply data contains the black industry content.
Preferably, before performing black industry content detection on the request data or the reply data, the method further includes:
performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion;
when the server has been attacked by an intrusion, performing the step of detecting whether the request data or the reply data contains black industry content.
Preferably, the method for determining black industry content further includes:
when it is detected that the server has been attacked by an intrusion, or that the request data or the reply data contains the black industry content, sending corresponding warning information to the client.
In addition, to achieve the above object, the present invention also provides a detection and analysis device for black industry content, which includes:
an acquisition module, for obtaining a packet exchanged between a server to be examined and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client;
a black industry content detection module, for performing black industry content detection on the request data or the reply data;
a black industry content analysis module, for, when black industry content is detected in the request data or the reply data, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories.
Preferably, the black industry content detection module includes:
a first detection unit, for detecting the request data or the reply data with a preset regular expression, the preset regular expression being used to match the request data or the reply data against the data in a preset second rule base;
a first confirmation unit, for confirming that the request data contains the black industry content when the packet contains the request data and the request data matches data in the second rule base, and for confirming that the reply data contains the black industry content when the packet contains the reply data and the reply data matches data in the second rule base.
Preferably, the black industry content detection module further includes:
a second detection unit, for detecting whether the request data or the reply data contains characteristic information of a preset application;
a second confirmation unit, for confirming that the request data contains the black industry content when the packet contains the request data and the characteristic information is present, and for confirming that the reply data contains the black industry content when the packet contains the reply data and the characteristic information is present.
Preferably, the detection and analysis device for black industry content further includes:
an intrusion detection module, for performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion;
the black industry content detection module being further used, when the server has been attacked by an intrusion, to detect whether the request data or the reply data contains black industry content.
Preferably, the detection and analysis device for black industry content further includes:
an alarm module, for sending corresponding warning information to the client when it is detected that the server has been attacked by an intrusion, or that the request data or the reply data contains the black industry content.
The embodiment of the present invention obtains a packet exchanged between a server to be examined and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client; performs black industry content detection on the request data or the reply data; and, when black industry content is detected in the request data or the reply data, analyzes the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories. Because the detected black industry content is content that is actually present, the purpose of identifying black industry content is achieved; and because the category of the detected content is determined with the first rule base, the category of the black industry content is effectively analyzed, so that the server is comprehensively checked for the presence of black industry content together with the content and category present.
Brief description of the drawings
Fig. 1 is a flow chart of a first embodiment of the method for determining black industry content of the present invention;
Fig. 2 is a flow chart of a second embodiment of the method for determining black industry content of the present invention;
Fig. 3 is a flow chart of a third embodiment of the method for determining black industry content of the present invention;
Fig. 4 is a flow chart of a fourth embodiment of the method for determining black industry content of the present invention;
Fig. 5 is a functional module diagram of a first embodiment of the detection and analysis device for black industry content of the present invention;
Fig. 6 is a functional module diagram of a second embodiment of the detection and analysis device for black industry content of the present invention;
Fig. 7 is a functional module diagram of a third embodiment of the detection and analysis device for black industry content of the present invention;
Fig. 8 is a functional module diagram of a fourth embodiment of the detection and analysis device for black industry content of the present invention.
The realization of the object, the functional features and the advantages of the present invention are further explained below with reference to the drawings and the embodiments.
Embodiment
It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
The present invention provides a method for determining black industry content. Referring to Fig. 1, in a first embodiment the method includes:
Step S10, obtaining a packet exchanged between a server to be examined and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client;
Step S20, performing black industry content detection on the request data or the reply data;
Step S30, when black industry content is detected in the request data or the reply data, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories.
The method for determining black industry content provided by the present invention is mainly applied at the server side, to detect black industry content on the server and to analyze its category.
In this embodiment the server and client are the server to be examined and its corresponding client. The content of the packet is the request data sent by the client to the server, or the reply data sent by the server to the client. Black industry content is the content produced by the malicious operations an attacker performs on the target device, such as fake medicine advertisements, game promotions or lottery and gambling content placed on the device, or bitcoin mining. A client that opens such a web page sees this content, and the pages linked from some black industry content can infect the user's computer with a Trojan, triggering a series of network security problems. Black industry content may be uploaded to the server when an attacker attacks it, and when the server itself already holds black industry content, the data it replies to the client may contain it. Therefore, by detecting the request data sent by the client to the server or the reply data sent by the server to the client, it is judged whether black industry content is present, that is, whether the server has been attacked and contains black industry content, or has sent black industry content to the client.
During detection, the packet obtained from the exchange between server and client may first be parsed according to the protocol standards defined in RFCs and then subjected to black industry content detection. RFC (Request For Comments) is a series of numbered documents that describe Internet communication protocols in detail. When black industry content is detected in the packet exchanged between server and client, that is, in the data sent by the client to the server or the data sent by the server to the client, the category of the black industry content is then analyzed. For example, when "baccarat" is detected, the black industry content is judged according to the preset rule base to belong to the gambling (lottery) category; the preset first rule base contains the correspondence between black industry content and categories. After detection and analysis the result may be stored in the system log, and the client may be prompted with the black industry content present on the server and its category.
The embodiment of the present invention obtains a packet exchanged between a server to be examined and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client; performs black industry content detection on the request data or the reply data; and, when black industry content is detected in the request data or the reply data, analyzes the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories. Because the detected black industry content is content that is actually present, the purpose of identifying black industry content is achieved; and because the category of the detected content is determined with the first rule base, the category of the black industry content is effectively analyzed, so that the server is comprehensively checked for the presence of black industry content together with the content and category present.
Further, referring to Fig. 2, based on the first embodiment of the method for determining black industry content of the present invention, in a second embodiment step S20 includes:
Step S211, detecting the request data or the reply data with a preset regular expression, the preset regular expression being used to match the request data or the reply data against the data in a preset second rule base;
Step S212, when the packet contains the request data and the request data matches data in the second rule base, confirming that the request data contains the black industry content; when the packet contains the reply data and the reply data matches data in the second rule base, confirming that the reply data contains the black industry content.
In this embodiment the preset regular expression is used to match the request data or reply data against the data in the preset second rule base; when a regular expression is used for matching, a parsing engine interprets the regular expression while the program runs. For example, when the expression [pcre:"*(online lottery site|Macau gambling site|baccarat)*";] is used to detect the request data or reply data in the packet, it checks whether the request data or reply data contains keywords such as "online lottery site", "Macau gambling site" or "baccarat". The content that the preset regular expression matches comes from the preset rule base: the preset second rule base may contain preset keywords such as "baccarat" or "gambling platform", may also contain preset malicious links, and may also contain regular expressions for detecting black industry content; it may be configured as required. For example, on a page of a government website, a match of the page against [pcre:"*(bar|model|nightclub) recruitment*";] indicates that pornographic black industry content has been inserted, and a match of the page title against [pcre:"*<title>(big health care|delay powder)</title>*";] indicates that fake-medicine black industry content has been implanted. The black industry content part of the first rule base may contain all the content of the second rule base, and may also contain other black industry content beyond it.
When content from the rule base is matched by the regular expression, if the obtained packet contains request data sent by the client to the server, this indicates that an attacker is submitting black industry content to the server; the data is then intercepted and analyzed, and the user is told of the interception and of the analysis result. When the obtained packet contains reply data sent by the server to the client, for example when a certain educational website matches black industry content such as an "888 gambling platform" advertisement, and the link that the content points to is determined to be a link to a site other than the website itself (for example 123.game.com), it can be confirmed that the server contains black industry content; the content is then analyzed and the user is told the relevant information.
In this embodiment, the request data or reply data in the packet is matched with a preset regular expression to judge whether black industry content is present. The matched black industry content is either content that an attacker submits to the server or content that the server returns to the client, that is, content that actually exists, so the purpose of identifying black industry content is achieved.
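The two-rule-base matching of steps S211, S212 and S30, the parse-then-detect flow of the first embodiment and the "link to a site other than the website itself" check on the reply above, as an added Python example. It is not code from the patent or from any product of the assignee: the rule-base entries, category names, the site name edu.example and the sample traffic are constructed for the example, and the Chinese keyword strings are this example's reconstruction of the translated pcre patterns, not the patent's own text.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Second rule base: regular expressions whose match confirms black industry content.
# Entries are this example's reconstruction of the pcre patterns quoted in the text
# (lottery/gambling sites, adult-venue recruitment, fake-medicine page titles).
SECOND_RULE_BASE: List["re.Pattern"] = [
    re.compile(r"网络彩票网|澳门赌博网|百家乐"),
    re.compile(r"(?:酒吧|模特|夜总会)招聘"),
    re.compile(r"<title>[^<]*(?:大保健|延时粉)[^<]*</title>", re.I),
    re.compile(r"888\s*博彩平台"),
]

# First rule base: black industry keyword -> category (category names are assumed).
FIRST_RULE_BASE: Dict[str, str] = {
    "彩票": "lottery",
    "赌博": "gambling",
    "百家乐": "gambling",
    "博彩": "gambling",
    "招聘": "pornography",
    "大保健": "fake_medicine",
    "延时粉": "fake_medicine",
}

HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH"}


def parse_http(raw: bytes) -> Dict[str, object]:
    """Split one HTTP/1.x message (RFC 7230 framing) into start line, headers and
    body, and label it as a client request or a server reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    direction = "request" if lines[0].split(" ", 1)[0] in HTTP_METHODS else "reply"
    return {"direction": direction, "start": lines[0], "headers": headers,
            "body": body.decode("utf-8", "replace")}


def classify(content: str) -> str:
    """Step S30: look the matched content up in the first rule base."""
    for keyword, category in FIRST_RULE_BASE.items():
        if keyword in content:
            return category
    return "unknown"


def external_links(body: str, own_host: str) -> List[str]:
    """href targets whose host is not the examined server's own host."""
    links = []
    for href in re.findall(r"""href=["']?(https?://[^"'\s>]+)""", body, re.I):
        if (urlsplit(href).hostname or "").lower() != own_host.lower():
            links.append(href)
    return links


def detect(raw: bytes, server_host: str) -> Optional[Dict[str, object]]:
    """Steps S211/S212 then S30: run the second rule base over the URL-decoded
    start line and the body; on the first hit, classify it and collect links."""
    msg = parse_http(raw)
    text = unquote(str(msg["start"])) + "\n" + str(msg["body"])
    for pattern in SECOND_RULE_BASE:
        match = pattern.search(text)
        if match:
            return {"direction": msg["direction"], "content": match.group(0),
                    "category": classify(match.group(0)),
                    "external_links": external_links(str(msg["body"]), server_host)}
    return None


# Constructed sample traffic for an imaginary educational site edu.example
# (not captured from any real host).
REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
         + ("<html><head><title>教育网</title></head><body>"
            "<a href=\"http://123.game.com/\">大发888博彩平台</a></body></html>").encode())
REQUEST = (b"POST /comment HTTP/1.1\r\nHost: edu.example\r\n\r\n"
           + "text=夜总会招聘".encode())
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: edu.example\r\n\r\n"

if __name__ == "__main__":
    for raw in (REPLY, REQUEST, CLEAN):
        print(detect(raw, "edu.example"))
```

A hit on request data is an attacker submitting content, a hit on reply data whose link leaves the site is the server already serving it, which is the distinction the second embodiment draws. `detect` stops at the first matching rule; to report every hit, collect matches for all patterns instead of returning on the first one.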
Further, referring to Fig. 3, based on the first embodiment of the method for determining black industry content of the present invention, in a third embodiment step S20 further includes:
Step S221, detecting whether the request data or the reply data contains characteristic information of a preset application;
Step S222, when the packet contains the request data and the characteristic information is present, confirming that the request data contains the black industry content; when the packet contains the reply data and the characteristic information is present, confirming that the reply data contains the black industry content.
In this embodiment the preset application is a predefined malicious application, for example a bitcoin mining application; the application may be chosen as required. The characteristic information of the preset application is information that reflects its behaviour: every application exhibits specific behavioural characteristics when it runs, such as connecting to a specified server or using a specific communication protocol. Detecting whether the request data or reply data contains the characteristic information of the preset application therefore means detecting whether the packet uses a specific communication protocol, connects to a specific server to upload or download information, and so on; which characteristic information of which application is detected may be chosen as required. For example, detecting a connection to a bitcoin mining server indicates that malicious bitcoin mining behaviour may be present. Further analysis may then be performed, the result recorded in the log and the user alerted at the same time.
This embodiment identifies black industry content through the characteristic information of a preset application: the request data or reply data in the packet is examined for that characteristic information, which achieves the purpose of identifying black industry content. It is understood that this detection may be performed on the packets exchanged between the server and the client, and may also be performed on the information already present on the server to be examined, that is, on the whole server.
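The third embodiment's "characteristic information of a preset application", taking a cryptocurrency miner as the preset application, as an added Python example that is not code from the patent. It assumes that the miner speaks the publicly documented Stratum mining protocol, so the JSON-RPC method names and the miner user-agent strings are treated as the characteristic information; the pool host pool.example-mine.net is a hypothetical entry of the kind an operator would maintain, and the payloads are constructed.

```python
import json
from typing import Dict, Iterator, List

# Characteristic information of one preset application, a cryptocurrency miner.
# Method names follow the publicly documented Stratum mining protocol
# (mining.subscribe / mining.authorize / mining.submit / mining.notify) plus the
# "login" method used by CryptoNote-style miners; treating them, and the agent
# strings below, as the miner's characteristic information is this example's
# assumption. The pool host list is hypothetical.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "login"}
MINER_AGENT_HINTS = ("xmrig", "cpuminer", "cgminer", "bfgminer")
KNOWN_POOL_HOSTS = {"pool.example-mine.net"}


def _json_lines(payload: bytes) -> Iterator[Dict[str, object]]:
    """Stratum is newline-delimited JSON; yield each line that parses to an object."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line.decode("utf-8", "replace"))
        except ValueError:          # not JSON (e.g. an HTTP request line)
            continue
        if isinstance(obj, dict):
            yield obj


def detect_miner(payload: bytes, dst_host: str = "", dst_port: int = 0) -> List[str]:
    """Step S221 for a miner: report the characteristic information found in one
    client-to-server payload (known pool endpoint, Stratum methods, miner agent)."""
    findings: List[str] = []
    if dst_host.lower() in KNOWN_POOL_HOSTS:
        findings.append(f"connection to known mining pool {dst_host}:{dst_port}")
    for obj in _json_lines(payload):
        method = obj.get("method")
        if method in STRATUM_METHODS:
            findings.append(f"stratum method {method}")
        params = obj.get("params")
        agent = ""
        if isinstance(params, dict):
            agent = str(params.get("agent", ""))
        elif isinstance(params, list) and params and isinstance(params[0], str):
            agent = params[0]        # mining.subscribe carries the agent as params[0]
        if any(hint in agent.lower() for hint in MINER_AGENT_HINTS):
            findings.append(f"miner user-agent {agent}")
    return findings


# Constructed payloads (not real captures); the wallet value is a placeholder.
SUBSCRIBE = b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login",'
         b'"params":{"login":"wallet-placeholder","pass":"x","agent":"XMRig/6.18.0"}}\n')
HTTP = b"GET /index.html HTTP/1.1\r\nHost: edu.example\r\n\r\n"

if __name__ == "__main__":
    print(detect_miner(SUBSCRIBE, "pool.example-mine.net", 3333))
    print(detect_miner(LOGIN))
    print(detect_miner(HTTP))
```

The protocol signature and the endpoint list are independent evidence: the Stratum methods still fire when a miner talks to a pool that is not on the list, and the endpoint match still fires when the session is wrapped in TLS and only the destination is visible.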
Further, referring to Fig. 4, based on the above embodiments of the method for determining black industry content of the present invention, in a fourth embodiment the method includes, before step S20:
Step S40, performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion; when the server has been attacked by an intrusion, performing step S20.
In this embodiment intrusion detection detects an attacker's intrusion into the server. The detection methods that may be used include SQL injection detection and cross-site scripting (XSS) attack detection; one or a combination of several may be chosen as required. When the server is detected to have been attacked by an intrusion, it may have been tampered with to carry black industry content, so black industry content detection is then performed.
SQL injection is an attacker exploiting a flaw in how SQL statements are constructed to insert malicious code into the SQL and have it executed. For example, consider the statement select count(*) from login where username='{0}' and password='{1}', where {0} and {1} are the username and password. When the username and password are both admin, the client submits username admin and password admin and logs in normally; but when the client enters the username admin' -- with password 123, or the username admin' -- with password 345, it also logs in normally, because after the backend takes the input from the form the statement executed is select count(*) from login where username='admin' --' and password='123', in which -- is recognized as a comment marker, so the rest of the statement is ignored and the login succeeds. SQL injection can be detected by scanning for injection statements; many concrete implementations exist in the prior art and may be selected as required.
An attacker carrying out an XSS attack usually embeds a client-side script (such as JavaScript) in a web page; when a user browses the page, the script executes in the user's browser and achieves the attacker's purpose, such as obtaining the user's cookies or redirecting to malicious links. XSS attack detection may be implemented by methods such as analyzing the data transmission in the web application code; the concrete implementation may be selected as required.
This embodiment detects the interaction between the server and the client to determine whether an attacker has intruded into the server, so that the client learns whether a malicious attack has occurred before the server holds black industry content.
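The SQL injection walk-through above (the username admin' -- against select count(*) from login ...), its parameterized counterpart, and a request-level scanner for the injection statements and embedded scripts that step S40 looks for, as an added Python example that is not code from the patent. The login table lives in an in-memory SQLite database with the constructed account admin/admin, the signature lists are illustrative rather than complete, and the three requests are constructed.

```python
import re
import sqlite3
from typing import List
from urllib.parse import parse_qs, unquote_plus


def _login_table() -> sqlite3.Connection:
    """In-memory login table with one constructed account (admin/admin)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'admin')")
    return conn


def login_vulnerable(username: str, password: str) -> bool:
    """The statement from the text with the inputs spliced into the SQL string:
    the username admin' -- turns the whole password clause into a comment."""
    sql = (f"select count(*) from login where username='{username}' "
           f"and password='{password}'")
    conn = _login_table()
    try:
        return conn.execute(sql).fetchone()[0] > 0
    finally:
        conn.close()


def login_parameterized(username: str, password: str) -> bool:
    """Same query with bound parameters: the quote and -- stay inside the value."""
    sql = "select count(*) from login where username=? and password=?"
    conn = _login_table()
    try:
        return conn.execute(sql, (username, password)).fetchone()[0] > 0
    finally:
        conn.close()


# Injection-statement and script signatures for step S40 (illustrative, not exhaustive).
SQLI_PATTERNS = [
    re.compile(r"'\s*(--|#|/\*)"),                       # quote followed by a SQL comment
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),   # ' or 1=1  /  ' or 'a'='a
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon(error|load|click|mouseover)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def intrusion_detect(raw_request: bytes) -> List[str]:
    """Scan every query-string and form-body parameter of one HTTP request.
    parse_qs decodes once; the second unquote_plus also exposes double-encoded values."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    parts = request_line.split(" ")
    query = parts[1].partition("?")[2] if len(parts) > 1 else ""
    values: List[str] = []
    for source in (query, body.decode("utf-8", "replace")):
        for vals in parse_qs(source, keep_blank_values=True).values():
            values.extend(unquote_plus(v) for v in vals)
    hits: List[str] = []
    for value in values:
        if any(p.search(value) for p in SQLI_PATTERNS):
            hits.append(f"sql_injection: {value}")
        if any(p.search(value) for p in XSS_PATTERNS):
            hits.append(f"xss: {value}")
    return hits


# Constructed requests against the imaginary host edu.example (not captures).
SQLI_REQUEST = (b"POST /login HTTP/1.1\r\nHost: edu.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=admin%27+--&password=123")
XSS_REQUEST = (b"GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\n"
               b"Host: edu.example\r\n\r\n")
CLEAN_REQUEST = b"GET /search?q=hello HTTP/1.1\r\nHost: edu.example\r\n\r\n"

if __name__ == "__main__":
    print(login_vulnerable("admin' --", "123"), login_parameterized("admin' --", "123"))
    for req in (SQLI_REQUEST, XSS_REQUEST, CLEAN_REQUEST):
        print(intrusion_detect(req))
```

The gating the fourth embodiment describes is then a one-line condition: run black industry content detection on the session only when `intrusion_detect` returns a non-empty list. Signature scanning of this kind is cheap but evadable (case changes, inline comments, alternative encodings), which is why the parameterized query, not the scanner, is the fix for the login itself.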
Further, based on the above embodiments of the method for determining black industry content of the present invention, in a fifth embodiment the method further includes:
when it is detected that the server has been attacked by an intrusion, or that the request data or the reply data contains the black industry content, sending corresponding warning information to the client.
In this embodiment the warning information may be a reminder to the client when intrusion detection finds a malicious attack, and may also be sent as a reminder when black industry content is found in the interaction between the server and the client. The warning information may tell the client that the content it exchanged contains black industry content, or that the server in the interaction itself contains black industry content (a server that contains black industry content may be called a black industry host), together with the category of the black industry content. The form of the prompt may be chosen as required; for example, a pop-up window at the user terminal may tell the user what black industry content is present, such as that the server has been intruded by a malicious attacker and fake medicine information has been added.
By sending warning information to the client when a malicious attack or black industry content is found, this embodiment lets the user know that the server has been attacked and which specific black industry content and category are present.
The present invention also provides a detection and analysis device for black industry content. Referring to Fig. 5, in a first embodiment of the device, the detection and analysis device for black industry content includes:
an acquisition module 10, for obtaining a packet exchanged between a server to be examined and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client;
a black industry content detection module 20, for performing black industry content detection on the request data or the reply data;
a black industry content analysis module 30, for, when black industry content is detected in the request data or the reply data, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between black industry content and categories.
The detection and analysis device for black industry content provided by the present invention is mainly applied at the server side, to detect black industry content on the server and to analyze its category.
In this embodiment the server and client, the packet, and the black industry content have the meanings given for the first embodiment of the method above: the packet carries the request data sent by the client to the server or the reply data sent by the server to the client; black industry content is the content produced by an attacker's malicious operations on the target device, such as fake medicine advertisements, game promotions, lottery and gambling content or bitcoin mining, which a client sees after opening the page and whose linked pages can infect the user's computer with a Trojan; it may be uploaded to the server during an attack, and a server that already holds it may include it in the data it replies to the client. Detecting the request data or the reply data therefore judges whether the server has been attacked and contains black industry content, or has sent black industry content to the client.
When the black industry content detection module 20 performs detection, the obtained packet may first be parsed according to the protocol standards defined in RFCs (Request For Comments, the series of numbered documents that describe Internet communication protocols in detail) and then subjected to black industry content detection. When black industry content is detected in the data sent by the client to the server or the data sent by the server to the client, the category of the black industry content is analyzed; for example, when "baccarat" is detected, the content is judged according to the preset first rule base, which contains the correspondence between black industry content and categories, to belong to the gambling (lottery) category. After detection and analysis the result may be stored in the system log, and the client may be prompted with the black industry content present and its category.
The embodiment of the present invention thereby identifies black industry content that is actually present in the exchange between the server and the client, determines its category with the first rule base, and so comprehensively checks the server for the presence of black industry content together with the content and category present.
Further, referring to Figure 6, based on the first embodiment of the black industry content detection and analysis device of the present invention, in the second embodiment of the black industry content detection and analysis device of the present invention, black industry content detection module 20 further includes:
a first detection unit 211, configured to detect the request data or the reply data by means of a preset regular expression, the preset regular expression being used to match the data in the packet against data in a preset second rule base;
a first confirmation unit 212, configured to confirm that the request data contains black industry content when the packet contains request data and matches data in the second rule base, and to confirm that the reply data contains black industry content when the packet contains reply data and matches information in the second rule base.
In this embodiment the preset regular expression is used to match the request data or the reply data against data in the preset second rule base; when matching with a regular expression, the content of the regular expression is parsed by the parsing engine when the program runs. For example, when the expression [pcre:"*(online lottery site|Macau gambling site|Baccarat)*";] is used to detect the request data or reply data in a packet, it checks whether the request data or reply data contains keywords such as "online lottery site", "Macau gambling site" or "Baccarat". The content to be matched by the preset regular expression comes from the preset rule base: the preset second rule base may contain preset keywords, such as "Baccarat" or "gaming platform", may also contain preset malicious links, and may also contain regular expressions for detecting black industry content; it can be configured as needed. For example, on a page of a government website, a page-body match [pcre:"*(bar|model|nightclub) recruitment*";] indicates that pornographic black industry content has been inserted, and a page-title match [pcre:"*<title>(big health care|delay powder|)</title>*";] indicates that fake medicine black industry content has been implanted. The black industry content part of the first rule base may include all of the content of the second rule base, and may also include other black industry content beyond the full content of the second rule base.
When first detection unit 211 matches content in the rule base with the regular expression: if the obtained packet contains request data sent by the client to the server, this indicates that an attacker is submitting black industry content to the server; it is intercepted and analyzed, and the result of the interception and analysis is reported to the user. If the obtained packet contains reply data sent by the server to the client, for example a certain education website is found to carry black industry content such as "Dafa 888 gaming platform", and the link that this information points to is determined to be an off-site link (possibly 123.game.com), then it can be confirmed that the server contains black industry content, which is then analyzed and the related information reported to the user.
In this embodiment, the request data or reply data in the packet is matched with the preset regular expression to judge whether black industry content exists; the matched black industry content is black industry content that an attacker submits to the server or that the server returns to the client, that is, black industry content present on the server, so the purpose of identifying black industry content is achieved.
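The regex-driven check of the first detection unit, the confirmation step and the category lookup in the first rule base, as an added Python example that is not code from the patent or the applicant; the rule names, categories, our-site host, sample payloads and the 123.game.com link are constructed, and the patent's pcre-style rules are written as plain Python regular expressions.

```python
"""Added example: rule-base matching of request/reply data with category lookup.

Constructed rule bases and payloads; not the applicant's implementation.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Second rule base: what the payload is matched against (keywords, a page-title
# rule). The patent's pcre-style "*(a|b)*" rules are written as ordinary Python
# regexes used with re.search, which already matches anywhere in the payload.
SECOND_RULE_BASE = {
    "gambling_keywords": re.compile(
        r"online lottery site|Macau gambling site|Baccarat|gaming platform", re.I),
    "porn_recruitment": re.compile(r"\b(?:bar|model|nightclub) recruitment\b", re.I),
    "fake_medicine_title": re.compile(
        r"<title>[^<]*(?:big health care|delay powder)[^<]*</title>", re.I),
}

# First rule base: black industry content -> category. It covers every entry of
# the second rule base and may carry extra entries (here "bitcoin_miner").
FIRST_RULE_BASE = {
    "gambling_keywords": "gambling/lottery",
    "porn_recruitment": "pornography",
    "fake_medicine_title": "fake medicine",
    "bitcoin_miner": "cryptomining",
}


@dataclass
class Finding:
    direction: str        # "request" (client -> server) or "reply" (server -> client)
    rule: str             # second-rule-base entry that matched
    matched: str          # the matched text
    category: str         # category taken from the first rule base
    external_links: list  # links in the payload that point off our own site


def off_site_links(payload: str, our_hosts: set) -> list:
    """Links whose host is not one of ours (the '123.game.com' check in the text)."""
    links = re.findall(r"https?://[^\s\"'<>]+", payload)
    return [u for u in links if (urlparse(u).hostname or "").lower() not in our_hosts]


def detect(direction: str, payload: str, our_hosts: set) -> list:
    """First detection unit + first confirmation unit + analysis module."""
    if direction not in ("request", "reply"):
        raise ValueError("direction must be 'request' or 'reply'")
    external = off_site_links(payload, our_hosts)
    findings = []
    for name, pattern in SECOND_RULE_BASE.items():
        m = pattern.search(payload)
        if m:
            findings.append(Finding(direction, name, m.group(0),
                                    FIRST_RULE_BASE.get(name, "unclassified"),
                                    external))
    return findings


def disposition(findings: list) -> str:
    """Action the text attaches to a hit: intercept a poisoned request, or flag a
    server whose replies already carry the content (a 'black industry host')."""
    if not findings:
        return "clean"
    if findings[0].direction == "request":
        return "intercept"            # attacker submitting content to the server
    return "black industry host"      # the server itself returns the content


# Constructed sample traffic (not captured data).
REQUEST_SAMPLE = "POST /comment HTTP/1.1\r\n\r\nbody=Play Baccarat now at http://123.game.com/join"
REPLY_SAMPLE = ('<html><title>Education Portal</title><body>Dafa 888 gaming platform '
                '<a href="http://123.game.com/x">join</a></body></html>')
FAKE_MED_SAMPLE = "<html><title>Big Health Care delay powder shop</title></html>"
CLEAN_SAMPLE = "<html><title>Education Portal</title><body>Course schedule</body></html>"

if __name__ == "__main__":
    for direction, payload in (("request", REQUEST_SAMPLE), ("reply", REPLY_SAMPLE),
                               ("reply", FAKE_MED_SAMPLE), ("reply", CLEAN_SAMPLE)):
        found = detect(direction, payload, {"edu.example"})
        print(direction, disposition(found), [(f.category, f.matched) for f in found])
```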
Further, referring to Figure 7, based on the first embodiment of the black industry content detection and analysis device of the present invention, in the third embodiment of the black industry content detection and analysis device of the present invention, black industry content detection module 20 further includes:
a second detection unit 221, configured to detect whether the request data or the reply data contains characteristic information of a preset application;
a second confirmation unit 222, configured to confirm that the request data contains black industry content when the packet contains request data and the characteristic information is present, and to confirm that the reply data contains black industry content when the packet contains reply data and the characteristic information is present.
In this embodiment the preset application refers to a pre-defined malicious application, for example a bitcoin mining application; the applications can be chosen as needed. The characteristic information of the preset application is information that reflects the behavior of the preset application: every application exhibits certain specific behavioral characteristics when it runs, such as connecting to a specified server or using certain specific communication protocols. For second detection unit 221, detecting whether the request data or reply data contains characteristic information of the preset application means detecting whether the packet uses certain specific communication protocols, or connects to a specific server to upload or download information, and so on; which specific information of which applications to detect can be chosen as needed. For example, detecting a connection to a bitcoin mining server shows that malicious bitcoin mining behavior may exist. Further analysis can then be performed, the event recorded in the log and the user alerted at the same time.
In this embodiment black industry content is identified through the characteristic information of a preset application: the request data or reply data in the packet is checked for the characteristic information of the preset application, achieving the purpose of identifying black industry content. It will be understood that this detection can be performed on the packets obtained from the interaction between the server and the client, and can also be performed on the whole server to detect information already present on the server to be detected.
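The behavioural check of the second detection unit and the confirmation step, as an added Python example that is not the patent's code; the method names in the protocol pattern are those of the Stratum mining protocol, while the pool host name, port numbers and packets are constructed placeholders, and treating a port alone as a weak signal is an assumption of this example.

```python
"""Added example: characteristic information of a preset application
(bitcoin miner) checked on constructed packets. Not the applicant's code."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "request" (client -> server) or "reply" (server -> client)
    dst_host: str
    dst_port: int
    payload: bytes


# Characteristic information of a preset application (constructed). The payload
# pattern is the Stratum JSON-RPC handshake mining clients send; the host name is
# a placeholder, not a real indicator, and the ports are assumed pool ports.
PRESET_APPS = {
    "bitcoin_miner": {
        "hosts": {"pool.mining-placeholder.example"},
        "ports": {3333, 4444},
        "protocol": re.compile(rb'"method"\s*:\s*"mining\.(?:subscribe|authorize|submit)"'),
    },
}


def characteristic_hits(pkt: Packet) -> dict:
    """Second detection unit: app name -> matched characteristics
    ('host', 'port', 'protocol'), for every preset application that matched."""
    hits = {}
    for app, sig in PRESET_APPS.items():
        matched = []
        if pkt.dst_host.lower() in sig["hosts"]:
            matched.append("host")
        if pkt.dst_port in sig["ports"]:
            matched.append("port")
        if sig["protocol"].search(pkt.payload):
            matched.append("protocol")
        if matched:
            hits[app] = matched
    return hits


def confirm(pkt: Packet):
    """Second confirmation unit. A port alone is a weak signal (3333 is used by
    plenty of unrelated software), so confirmation requires the known server or
    the application protocol; the port only raises confidence. Returns the log
    record and alert flag the text describes, or None if not confirmed."""
    for app, matched in characteristic_hits(pkt).items():
        if "host" in matched or "protocol" in matched:
            return {
                "direction": pkt.direction,
                "app": app,
                "evidence": matched,
                "log": (f"{pkt.direction} to {pkt.dst_host}:{pkt.dst_port} "
                        f"matches {app} ({', '.join(matched)})"),
                "alert": True,
            }
    return None


# Constructed packets: a Stratum subscribe on 3333, and plain HTTP on the same port.
STRATUM_PKT = Packet("request", "203.0.113.7", 3333,
                     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n')
WEAK_PKT = Packet("request", "203.0.113.8", 3333,
                  b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    for pkt in (STRATUM_PKT, WEAK_PKT):
        print(characteristic_hits(pkt), confirm(pkt))
```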
Further, referring to Figure 8, based on the above embodiments of the black industry content detection and analysis device of the present invention, in the fourth embodiment of the black industry content detection and analysis device of the present invention, the black industry content detection and analysis device further includes:
an intrusion detection module 40, configured to perform intrusion detection on the obtained packet and judge whether the server has been attacked by an intrusion.
Black industry content detection module 20 is further configured to detect whether the request data or the reply data contains black industry content when the server has been attacked by the intrusion.
In this embodiment intrusion detection means detecting an attacker's intrusion into the server; the detection methods that can be used include SQL injection detection and cross-site scripting (Cross Site Scripting, XSS) attack detection, and one or a combination of several can be selected as needed. When the server is detected to have been attacked by an intrusion, this indicates that black industry content may have been used to tamper with the server, and black industry content detection module 20 is then called to perform black industry content detection.
SQL injection is where an attacker uses a vulnerability in an SQL statement to insert malicious code into the SQL and have it executed. For example, given the SQL statement select count(*) from login where username='{0}' and password='{1}', with {0} and {1} filled by the username and password: when both the username and password are admin, the client submits username admin and password admin and can log in to the system normally; but when the client enters admin' -- as the username and 123 as the password, or admin' -- as the username and 345 as the password, it can also log in normally, because after the backend takes the input from the input box, the SQL statement to be executed becomes select count(*) from login where username='admin' --' and password='123', in which -- is recognized as a comment marker, so the rest of the statement is ignored and the login succeeds. SQL injection can be detected by scanning for injection statements; there are many specific implementations in the prior art, which can be selected as needed.
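The login query from the paragraph above, executed both as the vulnerable string-formatted statement and with bound parameters, plus a naive scan for the quote-plus-comment shape the text describes, as an added Python example using sqlite3 with a constructed in-memory table; this is not the patent's code, and the injection scan is an illustration only.

```python
"""Added example: the text's login statement, vulnerable form vs. parameterized
form, plus a naive 'injection statement' scan. Table and rows are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table matching the statement in the text (constructed row).
    Plaintext passwords only mirror the text's example; real systems compare hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table login (username text, password text)")
    conn.execute("insert into login values ('admin', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The statement as the text builds it: {0}/{1} filled by string formatting.
    A username of admin' -- turns the rest of the WHERE clause into a comment,
    so the password is never checked."""
    sql = ("select count(*) from login where username='{0}' and password='{1}'"
           .format(username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the driver binds the values, so quotes and -- stay data."""
    sql = "select count(*) from login where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Naive illustration of 'scanning for injection statements': a quote followed by
# a comment marker, the exact shape the text shows. A detection aid for the
# intrusion detection module, not a substitute for parameterized queries.
INJECTION_SHAPE = re.compile(r"'\s*(?:--|#|/\*)")


def looks_like_injection(value: str) -> bool:
    return bool(INJECTION_SHAPE.search(value))


if __name__ == "__main__":
    conn = make_db()
    for user, pw in (("admin", "admin"), ("admin' --", "123"), ("admin' --", "345")):
        print(repr(user), repr(pw),
              "vulnerable:", login_vulnerable(conn, user, pw),
              "parameterized:", login_parameterized(conn, user, pw),
              "flagged:", looks_like_injection(user))
```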
An attacker carrying out an XSS attack usually embeds a client-side script (such as JavaScript) in a web page; when a user browses that page, the script is executed in the user's browser, achieving the attacker's purpose, such as obtaining the user's cookies or redirecting to a malicious link. XSS attack detection can be realized by methods such as analyzing the data transmission scenarios in the web application code; the concrete implementation can be chosen as needed.
In this embodiment, detection is performed on the interaction information between the server and the client to determine whether an attacker has intruded into the server, so that the client learns whether there is a malicious attack before the server holds black industry content.
Further, based on the above embodiments of the black industry content detection and analysis device of the present invention, in the fifth embodiment of the black industry content detection and analysis device of the present invention, the black industry content detection and analysis device further includes:
an alarm module, configured to send corresponding alarm information to the client when the server is detected to have been attacked by the intrusion, or when the request data contains the black industry content, or when the reply data contains the black industry content.
In this embodiment the alarm information can be issued after intrusion detection module 40 or black industry content detection module 20 detects black industry content. Specifically, the alarm can be issued when intrusion detection finds a malicious attack, or when black industry content is found in the interaction between the server and the client. The content of the alarm information may include a prompt that the content being exchanged with the client contains black industry content, or that the server in the interaction itself already holds black industry content (a server holding black industry content may be called a black industry host), together with the category of the black industry content. The prompting method can be chosen as needed; for example, a pop-up window on the user terminal can point out the black industry content found, such as prompting that the server has been intruded by a malicious attacker and fake medicine information has been added.
In this embodiment, alarm information is sent to the client when a malicious attack or black industry content is found, so that the user is aware of the attack on the server and of the specific black industry content and its category.
The above are only preferred embodiments of the present invention and are not intended to limit its scope; any equivalent structural or flow transformation made using the contents of the description and drawings of the present invention, or direct or indirect use in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (10)

1. A determination method of black industry content, characterized in that the determination method of black industry content comprises the following steps:
obtaining a packet exchanged between a server to be detected and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client;
performing black industry content detection on the request data or the reply data;
when the request data or the reply data is detected to contain black industry content, analyzing the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between the black industry content and the category.
2. The determination method of black industry content according to claim 1, characterized in that said performing black industry content detection on the request data or the reply data comprises:
detecting the request data or the reply data by means of a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
when the packet contains the request data and matches data in the second rule base, confirming that the request data contains the black industry content; when the packet contains the reply data and matches information in the second rule base, confirming that the reply data contains the black industry content.
3. The determination method of black industry content according to claim 1, characterized in that said performing black industry content detection on the request data or the reply data comprises:
detecting whether the request data or the reply data contains characteristic information of a preset application;
when the packet contains the request data and the characteristic information is present, confirming that the request data contains the black industry content; when the packet contains the reply data and the characteristic information is present, confirming that the reply data contains the black industry content.
4. The determination method of black industry content according to any one of claims 1 to 3, characterized in that, before said performing black industry content detection on the request data or the reply data, the method further comprises:
performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion;
when the server has been attacked by the intrusion, performing the step of detecting whether the request data or the reply data contains black industry content.
5. The determination method of black industry content according to claim 4, characterized in that the determination method of black industry content further comprises:
when the server is detected to have been attacked by the intrusion, or the request data contains the black industry content, or the reply data contains the black industry content, sending corresponding alarm information to the client.
6. A detection and analysis device for black industry content, characterized in that the detection and analysis device for black industry content comprises:
an acquisition module, configured to obtain a packet exchanged between a server to be detected and a client, the packet containing request data sent by the client to the server or reply data sent by the server to the client;
a black industry content detection module, configured to perform black industry content detection on the request data or the reply data;
a black industry content analysis module, configured, when the request data or the reply data is detected to contain black industry content, to analyze the category of the black industry content according to the detected black industry content and a preset first rule base, the first rule base containing the correspondence between the black industry content and the category.
7. The detection and analysis device for black industry content according to claim 6, characterized in that the black industry content detection module comprises:
a first detection unit, configured to detect the request data or the reply data by means of a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
a first confirmation unit, configured to confirm that the request data contains the black industry content when the packet contains the request data and matches data in the second rule base, and to confirm that the reply data contains the black industry content when the packet contains the reply data and matches information in the second rule base.
8. The detection and analysis device for black industry content according to claim 6, characterized in that the black industry content detection module further comprises:
a second detection unit, configured to detect whether the request data or the reply data contains characteristic information of a preset application;
a second confirmation unit, configured to confirm that the request data contains the black industry content when the packet contains the request data and the characteristic information is present, and to confirm that the reply data contains the black industry content when the packet contains the reply data and the characteristic information is present.
9. The detection and analysis device for black industry content according to any one of claims 6 to 8, characterized in that the detection and analysis device for black industry content further comprises:
an intrusion detection module, configured to perform intrusion detection on the obtained packet and judge whether the server has been attacked by an intrusion;
the black industry content detection module being further configured to detect whether the request data or the reply data contains black industry content when the server has been attacked by the intrusion.
10. The detection and analysis device for black industry content according to claim 9, characterized in that the detection and analysis device for black industry content further comprises:
an alarm module, configured to send corresponding alarm information to the client when the server is detected to have been attacked by the intrusion, or when the request data contains the black industry content, or when the reply data contains the black industry content.
CN201610102490.5A 2016-02-24 2016-02-24 Method and device for detecting and analyzing black industry content Active CN107124386B (en)


Publications (2)

Publication Number Publication Date
CN107124386A true CN107124386A (en) 2017-09-01
CN107124386B CN107124386B (en) 2021-05-04

Family

ID=59717610


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111277488A (en) * 2020-01-19 2020-06-12 上海掌门科技有限公司 Session processing method and device

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1577791A1 (en) * 2004-03-16 2005-09-21 Andreas Baumhof XML content monitoring
CN1760901A (en) * 2005-11-03 2006-04-19 上海交通大学 System for filtering E-mails
CN101656710A (en) * 2008-08-21 2010-02-24 中联绿盟信息技术(北京)有限公司 Proactive audit system and method
CN103246705A (en) * 2013-04-09 2013-08-14 无锡安康讯信息科技有限公司 Network text data content detecting and high-speed processing method
CN103731426A (en) * 2013-12-31 2014-04-16 曙光云计算技术有限公司 Intrusion alarming system based on virtual network
CN103763124A (en) * 2013-12-26 2014-04-30 孙伟力 Internet user behavior analyzing and early-warning system and method
CN104270304A (en) * 2014-10-14 2015-01-07 四川神琥科技有限公司 Detection and analysis method for image emails
CN104598815A (en) * 2013-10-30 2015-05-06 贝壳网际(北京)安全技术有限公司 Identification method and device of malicious advertisement program and client side
CN104866478A (en) * 2014-02-21 2015-08-26 腾讯科技(深圳)有限公司 Detection recognition method and device of malicious text
CN105208037A (en) * 2015-10-10 2015-12-30 中国人民解放军信息工程大学 DoS/DDoS attack detecting and filtering method based on light-weight intrusion detection
CN105262672A (en) * 2015-08-31 2016-01-20 小米科技有限责任公司 Intra-group anti-harassment method and device


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
朱军: "Research and application of Chinese spam filtering technology", China Excellent Master's and Doctoral Dissertations Full-text Database, Information Science and Technology (monthly) *
罗常泳: "Research on content-based spam detection methods", China Excellent Master's Dissertations Full-text Database, Information Science and Technology (monthly) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 518000 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong.

Applicant after: SANGFOR TECHNOLOGIES Inc.

Address before: 518052 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong.

Applicant before: Sangfor Technologies Co.,Ltd.

GR01 Patent grant