Research on Web Page Trojan Detection Technology
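Abstract
With the rapid development of Internet applications, web pages, being intuitive, easy to use and rich in information, have gradually become the main way people obtain and publish information. A large number of websites provide people with rich and varied information while also facing all kinds of threats. Cases of Internet applications being attacked by Trojans are too numerous to list, and 90% of them spread through web pages. Studying effective detection techniques for web page Trojans is of great significance for controlling the main channel through which Trojans spread and for stopping Trojans at the "source".
     By analysing existing web page Trojan detection techniques and taking an approach based mainly on web page code review, this thesis designs a web page Trojan detection system based on web page code review. It uses XML DOM (Document Object Model) parsing together with sequential reading of the web page source to extract web page Trojan signatures, and builds a document object with a DOM tree structure. Web page Trojan type features are used as keywords to search the tree nodes. The web page Trojan feature library is designed according to the characteristics of the code that a web page Trojan embeds in the source of web page files after it has attacked a website system. By reviewing the static web page script code, the system discovers the Trojan attack behaviour hidden in it. This detection takes place before the code is executed, so it can effectively avoid the threat. It also does not need a huge Trojan database, and its detection efficiency is high.
     Finally, on the basis of the above research, a website security detection system for detecting web page Trojans is designed. By checking the files of a target website for web page Trojan features, the system demonstrates that the approach based mainly on web page code review is feasible. The code-review-based approach aims to improve the accuracy and efficiency of web page Trojan detection and to promote the application of intelligent detection in actual detection work. The system can reduce the workload of the personnel responsible for website security management and has some practical value for inspecting website files.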
With the rapid development of Internet technology, the web page, which is intuitive, easy to operate and rich in information, has gradually become the main way for people to obtain and release information. Many websites provide people with a rich variety of information and at the same time suffer from all sorts of threats. There are many cases of Internet applications being attacked, and 90% of them are transmitted by web pages.
     Through an analysis of existing web Trojan detection techniques, and starting from a method based mainly on web page code review, this paper designs a web Trojan detection system based on web page code review. Using XML DOM (Document Object Model) parsing and sequential reading of the web page source code, it extracts the signatures of web page Trojans and builds a document object with a DOM tree structure. The type features of web page Trojans are used as keywords to search the tree nodes. The feature library of web page Trojans is designed from the traits found in web page source code after an attack by a web page Trojan. By reviewing the static page code, the system finds the attack behaviour of the hidden Trojan. Because the check runs before the code is executed, it can effectively avoid the threat. It does not need a huge Trojan database and has high detection efficiency.
     Finally, based on the above research, this paper designs a detection system for web page Trojans. By detecting web page Trojans in the files of a target site, the detection system demonstrates that the web page code review method is feasible. The aim is to improve the accuracy and efficiency of web page Trojan detection and to promote intelligent testing in actual detection. This system can reduce the workload of the personnel involved and has some practical value in the testing of website documents.
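A sketch of the static review the abstract describes, added here as an illustration and not taken from the thesis: the page source is read in order into a DOM-like tree, and each node is checked against a feature library keyed by node type. The two features, the function names and the sample page are assumptions, and Python's html.parser stands in for the XML DOM parser the thesis uses.

```python
import re
from html.parser import HTMLParser
from types import SimpleNamespace
from urllib.parse import urlparse

VOID = {"img", "br", "hr", "meta", "link", "input"}  # elements with no end tag
OBF = re.compile(r"(eval|document\.write)\s*\(\s*unescape\s*\(")

def node(tag, attrs=()):
    return SimpleNamespace(tag=tag, attrs=dict(attrs), children=[], text="")

class TreeBuilder(HTMLParser):  # reads the source in order, builds a DOM-like tree
    def __init__(self):
        super().__init__()
        self.open = [node("#document")]  # stack of open elements; [0] is the root
    def handle_starttag(self, tag, attrs):
        n = node(tag, attrs)
        self.open[-1].children.append(n)
        if tag not in VOID:
            self.open.append(n)
    def handle_endtag(self, tag):
        for i in range(len(self.open) - 1, 0, -1):  # tolerate unclosed tags
            if self.open[i].tag == tag:
                del self.open[i:]
                break
    def handle_data(self, data):
        self.open[-1].text += data

def hidden_foreign_frame(n, site):
    a = n.attrs
    style = (a.get("style") or "").replace(" ", "").lower()
    hidden = "0" in (a.get("width"), a.get("height")) or "display:none" in style
    return hidden and urlparse(a.get("src") or "").hostname not in (None, site)

# Assumed feature library keyed by node type: tag -> [(feature name, predicate)]
FEATURES = {"iframe": [("hidden-foreign-iframe", hidden_foreign_frame)],
            "script": [("obfuscated-write", lambda n, s: bool(OBF.search(n.text)))]}

def scan(html, site):
    tb = TreeBuilder(); tb.feed(html); tb.close()
    def walk(n):  # depth-first search of the tree, in document order
        hits = [(f, n.tag) for f, p in FEATURES.get(n.tag, []) if p(n, site)]
        return hits + [h for c in n.children for h in walk(c)]
    return walk(tb.open[0])

# Constructed sample page, not taken from the thesis
SAMPLE = ('<body><br><iframe src="http://stats.invalid/a.htm" width="0" height="0"></iframe>'
          '<iframe src="/map.html" width="0" height="0"></iframe><p>News</p>'
          '<script>document.write(unescape("%3Cb%3Ehi"));</script></body>')
```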