CN107124386A - The determination method and device of black industry content - Google Patents
Publication number: CN107124386A (application CN201610102490.5A)
Authority: CN (China)
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a method for determining black-industry content. A packet exchanged between a server to be detected and a client is obtained; the packet carries either request data sent by the client to the server or reply data sent by the server to the client. Black-industry content detection is performed on the request data or the reply data. When black-industry content is detected in the request data or the reply data, the category of that content is determined from the detected content and a preset first rule base, the first rule base holding the correspondence between black-industry content and its category. The invention also discloses a detection and analysis device for black-industry content. The invention identifies black-industry content, determines its category, comprehensively checks whether black-industry content is present on the server together with the content and category found, and prompts the user.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for determining black-industry content.
Background technology
The development of network technology has brought many conveniences to people's lives: in daily life one can browse web pages and search for information on education, medical care and so on through the Internet, and handle relevant matters through government websites. At the same time, organisations or individuals with bad intent often attack websites by exploiting website vulnerabilities, and then trade in or occupy the resources of the server or client. This forms a complete industry chain of attacking, producing black-industry content, spreading it and trading in it, namely the black (underground) industry chain. An attacker in this chain performs malicious operations on a target device and profits from the data those operations produce, creating hidden dangers for network security.
In the prior art, to guard against black-industry content, security defence mechanisms such as feature detection and statistical detection are generally used to detect whether a server has been attacked. After detection the user may be told that a Trojan communication link has been intercepted, that an SQL (Structured Query Language) injection attack has been blocked, or that a webshell attack has been blocked. However, which black-industry content is present on the server after it has been attacked, and the category of that content, are generally not detected or analysed.
Summary of the invention
The main object of the present invention is to provide a method and device for determining black-industry content, aimed at identifying black-industry content and analysing its category.
To achieve the above object, the method for determining black-industry content provided by the present invention includes the following steps:
obtaining a packet exchanged between a server to be detected and a client, the packet including request data sent by the client to the server or reply data sent by the server to the client;
performing black-industry content detection on the request data or the reply data;
when black-industry content is detected in the request data or the reply data, analysing the category of the black-industry content according to the detected content and a preset first rule base, the first rule base including the correspondence between black-industry content and category.
Preferably, performing black-industry content detection on the request data or the reply data includes:
detecting the request data or the reply data with a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
when the packet includes the request data and it matches data in the second rule base, confirming that the request data contains black-industry content; when the packet includes the reply data and it matches data in the second rule base, confirming that the reply data contains black-industry content.
Preferably, performing black-industry content detection on the request data or the reply data further includes:
detecting whether the request data or the reply data contains the characteristic information of a preset application;
when the packet includes the request data and the characteristic information is present, confirming that the request data contains black-industry content; when the packet includes the reply data and the characteristic information is present, confirming that the reply data contains black-industry content.
Preferably, before performing black-industry content detection on the request data or the reply data, the method further includes:
performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion;
when the server has been attacked by an intrusion, performing the step of detecting whether the request data or the reply data contains black-industry content.
Preferably, the method for determining black-industry content further includes:
when it is detected that the server has been attacked by an intrusion, or that the request data or the reply data contains black-industry content, sending corresponding warning information to the client.
In addition, to achieve the above object, the present invention also provides a detection and analysis device for black-industry content, which includes:
an acquisition module, for obtaining a packet exchanged between a server to be detected and a client, the packet including request data sent by the client to the server or reply data sent by the server to the client;
a black-industry content detection module, for performing black-industry content detection on the request data or the reply data;
a black-industry content analysis module, for analysing, when black-industry content is detected in the request data or the reply data, the category of the black-industry content according to the detected content and a preset first rule base, the first rule base including the correspondence between black-industry content and category.
Preferably, the black-industry content detection module includes:
a first detection unit, for detecting the request data or the reply data with a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
a first confirmation unit, for confirming that the request data contains black-industry content when the packet includes the request data and it matches data in the second rule base, and confirming that the reply data contains black-industry content when the packet includes the reply data and it matches data in the second rule base.
Preferably, the black-industry content detection module further includes:
a second detection unit, for detecting whether the request data or the reply data contains the characteristic information of a preset application;
a second confirmation unit, for confirming that the request data contains black-industry content when the packet includes the request data and the characteristic information is present, and confirming that the reply data contains black-industry content when the packet includes the reply data and the characteristic information is present.
Preferably, the detection and analysis device for black-industry content further includes:
an intrusion detection module, for performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion;
the black-industry content detection module being further used to detect whether the request data or the reply data contains black-industry content when the server has been attacked by an intrusion.
Preferably, the detection and analysis device for black-industry content further includes:
an alarm module, for sending corresponding warning information to the client when it is detected that the server has been attacked by an intrusion, or that the request data or the reply data contains black-industry content.
In the embodiments of the present invention, a packet exchanged between a server to be detected and a client is obtained, the packet including request data sent by the client to the server or reply data sent by the server to the client; black-industry content detection is performed on the request data or the reply data; and when black-industry content is detected in the request data or the reply data, its category is analysed according to the detected content and a preset first rule base, the first rule base including the correspondence between black-industry content and category. Because the detected content is black-industry content that is actually present, the purpose of identifying black-industry content is achieved; and because the category of the detected content is determined with the first rule base, the purpose of analysing the category of black-industry content is achieved, so that whether black-industry content is present on the server, and the content and category found, are comprehensively detected.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a first embodiment of the method for determining black-industry content of the present invention;
Fig. 2 is a schematic flow chart of a second embodiment of the method for determining black-industry content of the present invention;
Fig. 3 is a schematic flow chart of a third embodiment of the method for determining black-industry content of the present invention;
Fig. 4 is a schematic flow chart of a fourth embodiment of the method for determining black-industry content of the present invention;
Fig. 5 is a schematic diagram of the functional module structure of a first embodiment of the detection and analysis device for black-industry content of the present invention;
Fig. 6 is a schematic diagram of the functional module structure of a second embodiment of the detection and analysis device for black-industry content of the present invention;
Fig. 7 is a schematic diagram of the functional module structure of a third embodiment of the detection and analysis device for black-industry content of the present invention;
Fig. 8 is a schematic diagram of the functional module structure of a fourth embodiment of the detection and analysis device for black-industry content of the present invention.
The realisation, functional characteristics and advantages of the object of the invention will be further explained with reference to the drawings and in conjunction with the embodiments.
Embodiment
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Reference is made to Fig. 1. In a first embodiment, the method for determining black-industry content of the present invention includes:
Step S10, obtaining a packet exchanged between a server to be detected and a client, the packet including request data sent by the client to the server or reply data sent by the server to the client;
Step S20, performing black-industry content detection on the request data or the reply data;
Step S30, when black-industry content is detected in the request data or the reply data, analysing the category of the black-industry content according to the detected content and a preset first rule base, the first rule base including the correspondence between black-industry content and category.
The method for determining black-industry content provided by the present invention is mainly applied on the server side, to detect black-industry content on the server and analyse its category.
In this embodiment, the server and client are the server side to be detected and its corresponding client. The content of the packet is the request data sent by the client to the server, or the reply data sent by the server to the client. Black-industry content refers to content produced by an attacker performing malicious operations on a target device, such as false medicine advertisements, game promotions or gambling advertisements placed on the target device, or bitcoin mining. The client sees this black-industry content when it opens the web page, and some of the linked pages that black-industry content points to can infect the user's computer with a Trojan, triggering a series of network security problems. Black-industry content may be uploaded to the server while the attacker attacks it; and once the server itself contains black-industry content, the data it returns to the client may contain that content. Therefore, by detecting the request data sent by the client to the server or the reply data sent by the server to the client, it is judged whether black-industry content is present, or whether the server has been attacked, contains black-industry content and has sent it to the client.
During detection, the obtained packets exchanged between the server and the client may first be parsed according to the protocol standards defined in RFCs, after which black-industry content detection is carried out. An RFC (Request For Comments) is one of a numbered series of documents that describe Internet communication protocols in detail. When black-industry content is detected in a packet exchanged between the server and the client, that is, the data sent by the client to the server or the data sent by the server to the client contains black-industry content, the category of that content is then analysed. For example, when "Baccarat" is detected, the content is judged to belong to the lottery industry (gambling) category according to the preset rule base; the preset first rule base contains the correspondence between black-industry content and category. After detection and analysis, the result can be stored in the system log, and the client is prompted with the black-industry content present on the server and its category.
Further, with reference to Fig. 2, based on the first embodiment of the method, in a second embodiment of the detection and analysis of black-industry content of the present invention, step S20 includes:
Step S211, detecting the request data or the reply data with a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
Step S212, when the packet includes the request data and it matches data in the second rule base, confirming that the request data contains black-industry content; when the packet includes the reply data and it matches data in the second rule base, confirming that the reply data contains black-industry content.
In this embodiment the preset regular expression is used to match the request data or reply data against data in the preset second rule base; when matching with a regular expression, a parsing engine interprets the regular expression while the program runs. For example, when the expression [pcre:"*(network lottery net|Macao's gambling net|Baccarat)*";] is applied to the request data or reply data in a packet, the request data or reply data is checked for keywords such as "network lottery net", "Macao's gambling net" and "Baccarat". The content the preset regular expression matches against comes from the preset rule base: the preset second rule base may contain preset keywords such as "Baccarat" and "gaming platform", preset malicious links, regular expressions for detecting black-industry content, and so on, which can be set as needed. For example, for a page on a government website, a page match of [pcre:"*(bars|model|nightclub) recruitment*";] indicates that pornographic black-industry content has been inserted, and a page-title match of [pcre:"*<title>(big health care|delay powder)</title>*";] indicates that false-medicine black-industry content has been implanted. The black-industry content part of the first rule base may include all the content of the second rule base, and may also include other black-industry content beyond the full content of the second rule base.
When regular-expression matching hits content from the rule base: if the obtained packet carries request data sent by the client to the server, an attacker is submitting black-industry content to the server, so it is intercepted and analysed, and the user is told the result of the interception and analysis. If the obtained packet carries reply data sent by the server to the client, for example a certain education website matching black-industry content such as "Dafa 888 gaming platform", and the link that this content points to is determined to be off-site (perhaps 123.game.com), then it can be confirmed that the server contains black-industry content, which is then analysed and the related information is reported to the user.
In this embodiment, whether black-industry content is present is judged by matching the request data or reply data in the packet with the preset regular expression. The matched black-industry content is either content an attacker has submitted to the server or content the server has returned to the client, that is, black-industry content that is actually present, so the purpose of identifying black-industry content is achieved.
Further, with reference to Fig. 3, based on the first embodiment of the method, in a third embodiment of the detection and analysis of black-industry content of the present invention, step S20 further includes:
Step S221, detecting whether the request data or the reply data contains the characteristic information of a preset application;
Step S222, when the packet includes the request data and the characteristic information is present, confirming that the request data contains black-industry content; when the packet includes the reply data and the characteristic information is present, confirming that the reply data contains black-industry content.
In this embodiment the preset application refers to a predefined malicious application, for example a bitcoin-mining application; the applications can be chosen as needed. The characteristic information of a preset application is information that reflects its behaviour: every application shows some specific behavioural characteristics when it runs, such as connecting to a specified server or using a particular communication protocol. Detecting whether the request data or reply data contains the characteristic information of a preset application therefore means detecting whether the packet uses a particular communication protocol, connects to a specific server to upload or download information, and so on; which characteristic information of which application is detected can be chosen as needed. For example, detecting a connection to a bitcoin-mining server indicates that bitcoin-mining malicious behaviour may be present. Further analysis can then be carried out, the event recorded in the log, and the user alerted at the same time.
In this embodiment black-industry content is identified through the characteristic information of preset applications: the request data or reply data in the packet is checked for that characteristic information, achieving the purpose of identifying black-industry content. It will be understood that this detection can be performed on the packets exchanged between the server and the client, and can also be performed on the information already present on the server to be detected, covering the whole server.
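An added example, not code from the patent or from any product implementing it, covering steps S20 and S30 as refined in the second and third embodiments above: the second rule base holds PCRE-style patterns, the first rule base maps each hit to a category, the application-feature check looks at the peer host/port and a protocol marker, and reply data is additionally checked for links pointing off-site. The rule names, scope field, hosts, ports and sample traffic are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Second rule base: PCRE-style patterns (keywords as quoted in the patent; the
# rule names and the scope field "any"/"title" are constructed).
SECOND_RULE_BASE = [
    ("gambling_keywords", "any",
     r"(network lottery net|Macao's gambling net|Baccarat|gaming platform)"),
    ("porn_recruitment", "any", r"(bars|model|nightclub) recruitment"),
    ("fake_medicine_title", "title", r"(big health care|delay powder)"),
]
# First rule base: black-industry content (keyed by rule name) -> category.
FIRST_RULE_BASE = {
    "gambling_keywords": "lottery industry",
    "porn_recruitment": "pornography",
    "fake_medicine_title": "false medicine",
    "bitcoin_miner": "bitcoin mining",
}
# Characteristic information of a preset application (third embodiment): the
# server it talks to and a protocol marker.  Host and port are constructed
# placeholders; the marker is a Stratum-style "mining." JSON-RPC method prefix.
APP_FEATURES = [
    ("bitcoin_miner", "pool.miner.invalid", 3333, r'"method"\s*:\s*"mining\.'),
]

_RULES = [(n, s, re.compile(p, re.IGNORECASE)) for n, s, p in SECOND_RULE_BASE]
_APPS = [(n, h, port, re.compile(m)) for n, h, port, m in APP_FEATURES]
_TITLE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

@dataclass(frozen=True)
class Packet:
    direction: str   # "request" (client -> server) or "reply" (server -> client)
    peer_host: str   # remote host the packet goes to / comes from
    peer_port: int
    payload: str

@dataclass(frozen=True)
class Finding:
    direction: str
    content: str     # the black-industry content that was detected
    category: str    # its classification from the first rule base

def match_rules(packet):
    """Steps S211/S212: regular-expression matching against the second rule base."""
    findings = []
    title = _TITLE.search(packet.payload)
    for name, scope, regex in _RULES:
        haystack = packet.payload if scope == "any" else (title.group(1) if title else "")
        hit = regex.search(haystack)
        if hit:
            findings.append(Finding(packet.direction, hit.group(0), FIRST_RULE_BASE[name]))
    return findings

def match_app_features(packet):
    """Steps S221/S222: characteristic information of a preset application."""
    findings = []
    for name, host, port, marker in _APPS:
        if (packet.peer_host, packet.peer_port) == (host, port) or marker.search(packet.payload):
            content = f"{name} traffic with {packet.peer_host}:{packet.peer_port}"
            findings.append(Finding(packet.direction, content, FIRST_RULE_BASE[name]))
    return findings

def off_site_links(packet, our_host):
    """Links in reply data that point away from the server being detected."""
    if packet.direction != "reply":
        return []
    hosts = (urlparse(url).hostname for url in _HREF.findall(packet.payload))
    return sorted({h for h in hosts if h and h != our_host})

def analyze(packet, our_host):
    """Step S20 (detect) then step S30 (classify).  Off-site links are reported
    only once black content matched, as in the patent's education-site example."""
    findings = match_rules(packet) + match_app_features(packet)
    return {"has_black_content": bool(findings), "findings": findings,
            "off_site_links": off_site_links(packet, our_host) if findings else []}

OUR_HOST = "edu.example.invalid"   # constructed: the server being detected
# Constructed sample traffic: a comment carrying a gambling keyword, a tampered
# education page, a miner talking to its pool, and a clean page.
SAMPLE_TRAFFIC = [
    Packet("request", OUR_HOST, 80,
           "POST /comment HTTP/1.1\r\nHost: edu.example.invalid\r\n\r\ntext=Play+Baccarat+tonight"),
    Packet("reply", OUR_HOST, 80,
           "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<html><head><title>big health care - school news</title></head><body>"
           '<a href="http://123.game.com/join">Dafa 888 gaming platform</a></body></html>'),
    Packet("request", "pool.miner.invalid", 3333,
           '{"id": 1, "method": "mining.subscribe", "params": []}'),
    Packet("reply", OUR_HOST, 80,
           "HTTP/1.1 200 OK\r\n\r\n<html><head><title>Exam timetable</title></head>"
           '<body><a href="/timetable.html">Timetable</a></body></html>'),
]

def scan(traffic=SAMPLE_TRAFFIC, our_host=OUR_HOST):
    """One result dict per packet, in input order."""
    return [analyze(packet, our_host) for packet in traffic]
```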
Further, with reference to Fig. 4, based on the above embodiments of the method, in a fourth embodiment of the detection and analysis of black-industry content of the present invention, the method includes, before step S20:
Step S40, performing intrusion detection on the obtained packet and judging whether the server has been attacked by an intrusion; when the server has been attacked by an intrusion, performing step S20.
In this embodiment intrusion detection means detecting an attacker's intrusion into the server. The detection methods that can be used include SQL injection detection and cross-site scripting (XSS) attack detection, one or more of which may be combined as needed. When an intrusion attack on the server is detected, the server may have been tampered with to carry black-industry content, so black-industry content detection is carried out at this point.
SQL injection is an attack in which the attacker exploits a flaw in an SQL statement to insert malicious code into it and have that code executed. For example, consider the SQL statement select count(*) from login where username='{0}' and password='{1}', where {0} and {1} are the submitted username and password. When the username and password are both admin, the client submits the username admin and the password admin and logs in to the system normally. But when the client enters the username admin' -- with the password 123, or the username admin' -- with the password 345, login also succeeds, because after the back end reads the input fields the statement actually executed is select count(*) from login where username='admin' -- ' and password='123', in which -- is recognised as a comment marker, so the rest of the statement is ignored and the login succeeds. SQL injection can be detected by scanning for injection statements; there are many concrete implementations in the prior art, which can be chosen as needed.
An attacker carrying out an XSS attack usually embeds client-side script (such as JavaScript) in a web page; when a user browses that page the script runs in the user's browser, achieving the attacker's purpose, such as obtaining the user's cookies or redirecting to a malicious link. XSS attack detection can be implemented by, for example, analysing the data-transmission scenarios in the web application code; the concrete implementation can be chosen as needed.
In this embodiment the interaction between the server and the client is checked to determine whether an attacker has intruded into the server, so that the client learns whether a malicious attack is present before the server even contains black-industry content.
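An added example, not code from the patent or from any product implementing it, of the step S40 gate for the SQL-injection case walked through above: it reproduces the patent's login query both concatenated (bypassed by the username admin' --) and parameterised, and a request-level scanner that decides whether step S20 should run. The login table, credentials, signature list and request samples are constructed.

```python
import re
import sqlite3
from urllib.parse import parse_qs

def _login_db():
    """Constructed in-memory login table with a single account (admin / admin)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table login (username text, password text)")
    db.execute("insert into login values ('admin', 'admin')")
    return db

def login_concatenated(username, password):
    """The patent's vulnerable form: the submitted values are spliced into the
    SQL text, so a username of admin' -- turns the password check into a
    comment.  Returns True when the back end would accept the login."""
    sql = ("select count(*) from login where username='" + username
           + "' and password='" + password + "'")
    return _login_db().execute(sql).fetchone()[0] == 1

def login_parameterised(username, password):
    """Hardened form: the driver binds the values, so -- stays plain data."""
    sql = "select count(*) from login where username=? and password=?"
    return _login_db().execute(sql, (username, password)).fetchone()[0] == 1

# Constructed scan signatures for step S40 (the patent leaves the concrete
# injection-statement scan to the implementer).  They are deliberately coarse;
# a deployment would tune them against the application's real parameters.
SQLI_PATTERNS = [
    re.compile(r"'\s*--"),                                  # quote + SQL line comment
    re.compile(r"'\s*(or|and)\s+[^=]+=", re.IGNORECASE),    # quote + tautology clause
    re.compile(r";\s*(drop|insert|update|delete)\b", re.IGNORECASE),  # stacked statement
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),             # embedded client script
    re.compile(r"\bon\w+\s*=\s*['\"]", re.IGNORECASE),      # inline event handler
]

def intrusion_detect(request_body):
    """Step S40: scan every submitted parameter value of a form-encoded request
    body.  Returns (parameter, attack kind) pairs; an empty list means no intrusion."""
    hits = []
    for param, values in parse_qs(request_body, keep_blank_values=True).items():
        for value in values:
            if any(p.search(value) for p in SQLI_PATTERNS):
                hits.append((param, "sql injection"))
            elif any(p.search(value) for p in XSS_PATTERNS):
                hits.append((param, "xss"))
    return hits

def should_run_content_detection(request_body):
    """The gate in front of step S20: black-industry content detection runs only
    when intrusion detection judged the server to be under attack."""
    return bool(intrusion_detect(request_body))

# Constructed request bodies: a normal login, the patent's admin' -- bypass
# (URL-encoded as admin%27+--), and a comment carrying a script tag.
SAMPLE_REQUESTS = {
    "normal_login": "username=admin&password=admin",
    "sqli_login": "username=admin%27+--&password=123",
    "xss_comment": "comment=%3Cscript%3E1%3C%2Fscript%3E",
}
```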
Further, based on the above embodiments of the method, in a fifth embodiment of the detection and analysis of black-industry content of the present invention, the method further includes:
when it is detected that the server has been attacked by an intrusion, or that the request data or the reply data contains black-industry content, sending corresponding warning information to the client.
In this embodiment the warning information can be sent to remind the client when intrusion detection finds a malicious attack, and also when black-industry content is found in the interaction between the server and the client. The warning information may tell the client that the interaction content contains black-industry content, or that the server in the interaction itself contains black-industry content (a server containing black-industry content may be called a black-industry host), together with the category of that content. The way the warning is presented can be chosen as needed; for example, a pop-up window on the user terminal can tell the user which black-industry content is present, such as that the server has been intruded by a malicious attacker and false drug information has been added.
In this embodiment, when a malicious attack or black-industry content is found, warning information is sent to the client so that the user knows that the server has been attacked and which black-industry content and category are present.
The present invention also provides a detection and analysis device for black-industry content. With reference to Fig. 5, in a first embodiment the detection and analysis device for black-industry content includes:
an acquisition module 10, for obtaining a packet exchanged between a server to be detected and a client, the packet including request data sent by the client to the server or reply data sent by the server to the client;
a black-industry content detection module 20, for performing black-industry content detection on the request data or the reply data;
a black-industry content analysis module 30, for analysing, when black-industry content is detected in the request data or the reply data, the category of the black-industry content according to the detected content and a preset first rule base, the first rule base including the correspondence between black-industry content and category.
The detection and analysis device for black-industry content provided by the present invention is mainly applied on the server side, to detect black-industry content on the server and analyse its category.
When the black-industry content detection module 20 performs detection, the obtained packets exchanged between the server and the client may first be parsed according to the protocol standards defined in RFCs, after which black-industry content detection is carried out. An RFC (Request For Comments) is one of a numbered series of documents that describe Internet communication protocols in detail. When black-industry content is detected in a packet exchanged between the server and the client, that is, the data sent by the client to the server or the data sent by the server to the client contains black-industry content, the category of that content is then analysed. For example, when "Baccarat" is detected, the content is judged to belong to the lottery industry (gambling) category according to the preset rule base; the preset first rule base contains the correspondence between black-industry content and category. After detection and analysis, the result can be stored in the system log, and the client is prompted with the black-industry content present and its category.
In the embodiment of the present invention, the packets exchanged between the server to be detected and the client are obtained, where the packets contain the request data sent by the client to the server or the reply data sent by the server to the client; black industry content detection is performed on the request data or the reply data; and when the request data or the reply data is detected to contain black industry content, the classification of the black industry content is analyzed according to the detected black industry content and the preset first rule base, which contains the corresponding relation between black industry content and classification. Because the detected black industry content is content that actually exists, the purpose of identifying black industry content is achieved; and because the classification of the detected content is determined with the first rule base, the purpose of analyzing the classification of black industry content is also achieved, so that the server is comprehensively checked for the presence of black industry content and for the content and classification that are present.
Further, with reference to Figure 6, based on the first embodiment of the black industry content detection and analysis device of the present invention, in the second embodiment the black industry content detection module 20 further includes:
a first detection unit 211, for detecting the request data or the reply data by means of a preset regular expression, where the preset regular expression is used to match the data in the packet against the data in a preset second rule base;
a first confirmation unit 212, for confirming that the request data contains the black industry content when the packet contains request data that matches data in the second rule base, and for confirming that the reply data contains the black industry content when the packet contains reply data that matches information in the second rule base.
In the present embodiment the preset regular expression is used to match the request data or reply data against the data in the preset second rule base; when matching with a regular expression, the content of the regular expression is parsed by a parsing engine while the program runs. For example, when the expression [pcre:"*(network lottery net|Macao gambling net|Baccarat)*";] is used to inspect the request data or reply data in a packet, it checks whether the request data or reply data contains keywords such as "network lottery net", "Macao gambling net" or "Baccarat". The content to be matched by the preset regular expression comes from the preset rule base. The preset second rule base may contain preset keywords, such as "Baccarat" or "gaming platform"; it may contain preset malicious links; and it may also contain regular expressions for detecting black industry content. It can be configured as needed. For example, for a page of a government website, matching the page against [pcre:"*(bars|model|nightclub) recruitment*";] indicates that pornographic black industry content has been inserted, and matching the page title against [pcre:"*<title>(big health care|delay powder|)</title>*";] indicates that false-medicine black industry content has been implanted. The black industry content part of the first rule base may contain all of the content of the second rule base, and may also contain other black industry content beyond the content of the second rule base.
When the first detection unit 211 matches content in the rule base with the regular expression: if the obtained packet contains request data sent by the client to the server, this means an attacker is submitting black industry content to the server; the request is intercepted and analyzed, and the interception and the analysis result are reported to the user. If the obtained packet contains reply data sent by the server to the client, for example a page of an education website has been implanted with black industry content such as "Dafa 888 gaming platform", and the link that this information points to is determined to be an external link rather than a link to the site itself (for instance 123.game.com), then it can be confirmed that the server carries black industry content; the content is then analyzed and the related information is reported to the user.
In the present embodiment, the request data or reply data in the packet is matched by the preset regular expression to determine whether black industry content is present. The matched black industry content is either black industry content submitted by an attacker to the server or black industry content returned by the server to the client, that is, black industry content that exists on the server, so the purpose of identifying black industry content is achieved.
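The two-stage pipeline described in the first and second embodiments (a second rule base of keyword patterns for detection, a first rule base mapping matched content to a classification, and an external-link check on reply data), as an added Python example that is not part of the patent. The rule bases, the site host `edu.example`, the sample packets and the classification names are constructed here; the keyword strings follow the patent's own examples.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_HOST = "edu.example"  # hostname of the server under inspection (constructed)

@dataclass
class Packet:
    direction: str  # "request": client -> server, "reply": server -> client
    payload: str    # application-layer data after protocol (RFC-based) parsing

@dataclass
class Detection:
    direction: str
    content: str
    classification: str
    external_links: list = field(default_factory=list)

# Second rule base: PCRE-style keyword patterns modelled on the patent's examples.
SECOND_RULE_BASE = [
    re.compile(r"network lottery net|Macao gambling net|Baccarat|Dafa 888 gaming platform", re.I),
    re.compile(r"\b(?:bars|model|nightclub) recruitment\b", re.I),
    re.compile(r"<title>[^<]*(?:big health care|delay powder)[^<]*</title>", re.I),
]
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# First rule base: black industry content -> classification. It covers every
# keyword of the second rule base and may hold others (here, cryptomining).
FIRST_RULE_BASE = [
    (re.compile(r"lottery|gambling|baccarat|gaming platform", re.I), "gambling"),
    (re.compile(r"(?:bars|model|nightclub) recruitment", re.I), "pornography"),
    (re.compile(r"big health care|delay powder", re.I), "false medicine"),
    (re.compile(r"bitcoin mining|mining pool", re.I), "cryptomining"),
]

def detect(packet: Packet) -> list:
    """First detection unit 211: fragments of the payload matched by the second rule base."""
    return [m.group(0) for rule in SECOND_RULE_BASE for m in rule.finditer(packet.payload)]

def external_links(payload: str) -> list:
    """Links in the payload whose host is not the inspected site itself."""
    return [u for u in LINK_RE.findall(payload) if urlparse(u).hostname != SITE_HOST]

def classify(content: str) -> str:
    """Black industry content analysis: look the matched content up in the first rule base."""
    for rule, category in FIRST_RULE_BASE:
        if rule.search(content):
            return category
    return "unknown"

def analyze(packets) -> list:
    """First confirmation unit 212 plus classification.

    A hit in request data means a client is submitting black industry content
    to the server; a hit in reply data means the server itself is serving it,
    and any link to a foreign host in that reply is kept as supporting evidence.
    """
    results = []
    for pkt in packets:
        hits = detect(pkt)
        links = external_links(pkt.payload) if hits and pkt.direction == "reply" else []
        for hit in hits:
            results.append(Detection(pkt.direction, hit, classify(hit), links))
    return results

def log_line(d: Detection) -> str:
    """Entry for the system log and the prompt shown to the client."""
    evidence = f" links={d.external_links}" if d.external_links else ""
    return f"[{d.direction}] black industry content {d.content!r} class={d.classification}{evidence}"

# Constructed sample traffic for an education site.
SAMPLE_PACKETS = [
    Packet("request", "POST /comment body=Macao gambling net, sign up today"),
    Packet("reply", '<html><title>Campus News</title><p>Dafa 888 gaming platform '
                    '<a href="http://123.game.com/join">play</a></p></html>'),
    Packet("reply", "<html><title>Campus News</title><p>Exam timetable</p></html>"),
]

if __name__ == "__main__":
    for det in analyze(SAMPLE_PACKETS):
        print(log_line(det))
```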
Further, with reference to Figure 7, based on the first embodiment of the black industry content detection and analysis device of the present invention, in the third embodiment the black industry content detection module 20 further includes:
a second detection unit 221, for detecting whether the request data or the reply data contains the characteristic information of a preset application;
a second confirmation unit 222, for confirming that the request data contains the black industry content when the packet contains the request data and the characteristic information is present, and for confirming that the reply data contains the black industry content when the packet contains the reply data and the characteristic information is present.
In the present embodiment a preset application is a pre-defined malicious application, for example a bitcoin mining application; the applications can be selected as needed. The characteristic information of a preset application is information that reflects the behaviour of that application: every application exhibits specific behavioural characteristics while running, such as connecting to a designated server or using a particular communication protocol. The second detection unit 221 detects whether the request data or reply data contains the characteristic information of a preset application, that is, whether the packet shows the use of a particular communication protocol, a connection to a specific server, an upload or download of information, and so on; which information of which applications is detected can be chosen as needed. For example, detecting a connection to a bitcoin mining server indicates that bitcoin-mining malicious behaviour may be present. Further analysis can then be performed, the event is recorded in the log and the user is alerted at the same time.
The present embodiment identifies black industry content through the characteristic information of preset applications: the request data or reply data in the packet is checked for the characteristic information of a preset application, which achieves the purpose of identifying black industry content. It is understood that this detection may be performed on the packets exchanged between the server and the client, and may also be performed on the information already present on the server to be detected by inspecting the whole server.
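The application-characteristic detection of the third embodiment, as an added Python example that is not part of the patent: each preset application is described by the servers it contacts, the ports it uses and a marker of its communication protocol, and a packet is confirmed only when a known host or the protocol marker is present (a port alone is treated as too weak). The signatures and sample flows are constructed; the miner signature assumes the Stratum mining protocol as its marker and uses a placeholder pool host in the reserved `.invalid` domain.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    direction: str   # "request": client -> server, "reply": server -> client
    dst_host: str    # host the packet is addressed to
    dst_port: int
    payload: bytes   # first application-layer bytes of the packet

@dataclass
class AppSignature:
    name: str
    hosts: frozenset         # servers the application is known to contact
    ports: frozenset         # ports it typically uses (weak evidence on its own)
    protocol_re: re.Pattern  # marker of its communication protocol

# Preset applications and their characteristic information (constructed).
PRESET_APPS = [
    AppSignature("bitcoin miner",
                 frozenset({"pool.mining.invalid"}), frozenset({3333, 4444}),
                 re.compile(rb'"method"\s*:\s*"mining\.(?:subscribe|authorize|submit)"')),
    AppSignature("gambling client",
                 frozenset({"123.game.com"}), frozenset({80, 443}),
                 re.compile(rb"123\.game\.com/bet/")),
]

def match_app(flow: Flow):
    """Second detection unit 221: return (application name, evidence) or None.

    A known host or the protocol marker is required; the port is only added
    as corroboration so ordinary traffic on a reused port is not flagged.
    """
    for sig in PRESET_APPS:
        evidence = []
        if flow.dst_host in sig.hosts:
            evidence.append("host")
        if sig.protocol_re.search(flow.payload):
            evidence.append("protocol")
        if not evidence:
            continue
        if flow.dst_port in sig.ports:
            evidence.append("port")
        return sig.name, evidence
    return None

def confirm(flows) -> list:
    """Second confirmation unit 222: (direction, application, evidence) per flagged packet."""
    results = []
    for flow in flows:
        hit = match_app(flow)
        if hit:
            results.append((flow.direction, hit[0], hit[1]))
    return results

# Constructed sample flows: a miner handshake, a reply carrying a gambling
# link, a download on a port the miner also uses, and an ordinary request.
SAMPLE_FLOWS = [
    Flow("request", "pool.mining.invalid", 3333,
         b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}'),
    Flow("reply", "client.example", 443,
         b'HTTP/1.1 200 OK\r\n\r\n<a href="http://123.game.com/bet/join">bonus</a>'),
    Flow("request", "mirror.example", 4444, b"GET /files/iso HTTP/1.1\r\n"),
    Flow("request", "edu.example", 443, b"GET /courses HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for direction, app, evidence in confirm(SAMPLE_FLOWS):
        print(f"[{direction}] characteristic information of {app!r} found: {evidence}")
```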
Further, with reference to Figure 8, based on the above embodiments of the black industry content detection and analysis device of the present invention, in the fourth embodiment the black industry content detection and analysis device further includes:
an intrusion detection module 40, for performing intrusion detection on the obtained packets and judging whether the server is under an intrusion attack.
The black industry content detection module 20 is further configured to detect whether the request data or the reply data contains black industry content when the server is under an intrusion attack.
In the present embodiment intrusion detection means detecting an attacker's intrusion into the server. Usable detection methods include SQL injection detection and cross-site scripting (Cross Site Scripting, XSS) attack detection; one or a combination of several may be selected as needed. When the server is detected to be under an intrusion attack, black industry content may have been tampered into the server, so the black industry content detection module 20 is invoked to detect black industry content.
SQL injection is where an attacker exploits a flaw in the construction of an SQL statement to insert malicious code into the SQL and have it executed. For example, consider the SQL statement select count(*) from login where username='{0}' and password='{1}', where {0} and {1} are filled from the username and password fields. When both the user name and the password are admin, the client submits the user name admin and the password admin and logs in normally. But when the client enters admin' -- as the user name and 123 as the password, it can also log in normally, and entering admin' -- with the password 345 logs in as well. The reason is that after the back end reads the input fields, the SQL statement to be executed becomes select count(*) from login where username='admin' --' and password='123', in which -- is recognised as a comment marker, so the rest of the statement is ignored and the login succeeds. SQL injection can be detected by scanning for injected statements; many concrete implementations exist in the prior art and can be selected as needed.
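The login bypass described above, as an added Python example that is not part of the patent: the patent's statement reproduced against an in-memory SQLite table next to the parameterised form that defeats it, plus a simple request-field scan of the kind an intrusion detection module could apply. The table, the single account and the scan pattern are constructed.

```python
import re
import sqlite3

def make_login_db() -> sqlite3.Connection:
    """In-memory login table holding the one account from the text (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'admin')")
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    """The statement from the text, with both inputs formatted into the SQL text."""
    sql = ("select count(*) from login where username='{0}' and password='{1}'"
           .format(username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterised(conn, username: str, password: str) -> bool:
    """Hardened form: the inputs are bound parameters, never part of the SQL text."""
    sql = "select count(*) from login where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# A quote that closes the string literal, followed by a comment marker, a
# statement separator or a boolean operator, is the shape of the input above.
INJECTION_RE = re.compile(r"'\s*(?:--|#|;|\bor\b|\band\b)", re.I)

def looks_like_sql_injection(field_value: str) -> bool:
    """Request-side scan of a form field for an injected statement."""
    return INJECTION_RE.search(field_value) is not None

if __name__ == "__main__":
    conn = make_login_db()
    for user, pw in (("admin", "admin"), ("admin' --", "123")):
        print(f"{user!r}/{pw!r}: vulnerable={login_vulnerable(conn, user, pw)} "
              f"parameterised={login_parameterised(conn, user, pw)} "
              f"flagged={looks_like_sql_injection(user)}")
```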
An attacker carrying out an XSS attack typically embeds a client-side script (such as JavaScript) in a web page; when a user browses that page, the script executes in the user's browser and achieves the attacker's purpose, for example obtaining the user's cookies or redirecting the user to a malicious link. XSS attack detection can be implemented by methods such as analysing the data-transfer paths in the web application's code; the concrete implementation can be chosen as needed.
The present embodiment inspects the interaction between the server and the client to determine whether an attacker has intruded into the server, so that the client learns whether a malicious attack exists even before the server carries black industry content.
Further, based on the above embodiments of the black industry content detection and analysis device of the present invention, in the fifth embodiment the black industry content detection and analysis device further includes:
an alarm module, for sending corresponding warning information to the client when the server is detected to be under the intrusion attack, or when the request data contains the black industry content, or when the reply data contains the black industry content.
In the present embodiment the warning information may be issued after the intrusion detection module 40 or the black industry content detection module 20 detects black industry content. Specifically, the warning may remind the client when intrusion detection finds a malicious attack, or when black industry content is found in the interaction between the server and the client. The content of the warning information may include a prompt that the content the client is interacting with contains black industry content, or that the server it is interacting with already carries black industry content itself (a server that carries black industry content may be called a black industry host), together with the classification of the black industry content. The prompting method can be selected as needed; for example, a pop-up window on the user's terminal may tell the user about the black industry content that exists, such as that the server has been intruded by a malicious attacker and false drug information has been added.
In the present embodiment, warning information is sent to the client when a malicious attack or black industry content is found, so that the user learns that the server has been attacked and which black industry content and classification are involved.
The above are only preferred embodiments of the present invention and are not intended to limit its scope; any equivalent structure or equivalent process transformation made using the content of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is included within the scope of protection of the present invention.
Claims (10)
1. A method for determining black industry content, characterised in that the method comprises the following steps:
obtaining packets exchanged between a server to be detected and a client, the packets comprising request data sent by the client to the server or reply data sent by the server to the client;
performing black industry content detection on the request data or the reply data;
when the request data or the reply data is detected to contain black industry content, analysing the classification of the black industry content according to the detected black industry content and a preset first rule base, the first rule base comprising the corresponding relation between black industry content and classification.
2. The method for determining black industry content of claim 1, characterised in that performing black industry content detection on the request data or the reply data comprises:
detecting the request data or the reply data by a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
when the packet contains the request data and matches data in the second rule base, confirming that the request data contains the black industry content; when the packet contains the reply data and matches information in the second rule base, confirming that the reply data contains the black industry content.
3. The method for determining black industry content of claim 1, characterised in that performing black industry content detection on the request data or the reply data comprises:
detecting whether the request data or the reply data contains characteristic information of a preset application;
when the packet contains the request data and the characteristic information is present, confirming that the request data contains the black industry content; when the packet contains the reply data and the characteristic information is present, confirming that the reply data contains the black industry content.
4. The method for determining black industry content of any one of claims 1 to 3, characterised in that, before performing black industry content detection on the request data or the reply data, the method further comprises:
performing intrusion detection on the obtained packets and judging whether the server is under an intrusion attack;
when the server is under the intrusion attack, performing the step of detecting whether the request data or the reply data contains black industry content.
5. The method for determining black industry content of claim 4, characterised in that the method further comprises:
when the server is detected to be under the intrusion attack, or the request data contains the black industry content, or the reply data contains the black industry content, sending corresponding warning information to the client.
6. A black industry content detection and analysis device, characterised in that the device comprises:
an acquisition module, for obtaining packets exchanged between a server to be detected and a client, the packets comprising request data sent by the client to the server or reply data sent by the server to the client;
a black industry content detection module, for performing black industry content detection on the request data or the reply data;
a black industry content analysis module, for analysing, when the request data or the reply data is detected to contain black industry content, the classification of the black industry content according to the detected black industry content and a preset first rule base, the first rule base comprising the corresponding relation between black industry content and classification.
7. The black industry content detection and analysis device of claim 6, characterised in that the black industry content detection module comprises:
a first detection unit, for detecting the request data or the reply data by a preset regular expression, the preset regular expression being used to match the request data or the reply data against data in a preset second rule base;
a first confirmation unit, for confirming that the request data contains the black industry content when the packet contains the request data and matches data in the second rule base, and for confirming that the reply data contains the black industry content when the packet contains the reply data and matches information in the second rule base.
8. The black industry content detection and analysis device of claim 6, characterised in that the black industry content detection module further comprises:
a second detection unit, for detecting whether the request data or the reply data contains characteristic information of a preset application;
a second confirmation unit, for confirming that the request data contains the black industry content when the packet contains the request data and the characteristic information is present, and for confirming that the reply data contains the black industry content when the packet contains the reply data and the characteristic information is present.
9. The black industry content detection and analysis device of any one of claims 6 to 8, characterised in that the device further comprises:
an intrusion detection module, for performing intrusion detection on the obtained packets and judging whether the server is under an intrusion attack;
the black industry content detection module being further configured to detect whether the request data or the reply data contains black industry content when the server is under the intrusion attack.
10. The black industry content detection and analysis device of claim 9, characterised in that the device further comprises:
an alarm module, for sending corresponding warning information to the client when the server is detected to be under the intrusion attack, or the request data contains the black industry content, or the reply data contains the black industry content.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610102490.5A CN107124386B (en) | 2016-02-24 | 2016-02-24 | Method and device for detecting and analyzing black industry content |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107124386A true CN107124386A (en) | 2017-09-01 |
CN107124386B CN107124386B (en) | 2021-05-04 |
Family
ID=59717610
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610102490.5A Active CN107124386B (en) | 2016-02-24 | 2016-02-24 | Method and device for detecting and analyzing black industry content |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107124386B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111277488A (en) * | 2020-01-19 | 2020-06-12 | 上海掌门科技有限公司 | Session processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107124386B (en) | 2021-05-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 518000 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong. Applicant after: SANGFOR TECHNOLOGIES Inc. Address before: 518052 the first floor of A1 building, Nanshan Zhiyuan 1001, Nanshan District Xue Yuan Avenue, Shenzhen, Guangdong. Applicant before: Sangfor Technologies Co.,Ltd. |
| GR01 | Patent grant | |