Real-time monitoring method and device for webpage Trojan horse

A real-time monitoring technique for webpage Trojan horses, applied in computer security devices, data exchange networks, instruments, etc. It addresses the problems of failing to protect computer security in real time, poor real-time performance, and heavy system resource consumption, with the effects of keeping the browser from occupying too much memory and guaranteeing safety.

Active Publication Date: 2010-12-01
XIAMEN MEIYA PICO INFORMATION

AI Technical Summary

Problems solved by technology

Although signature-based scanning is widely used and identifies threats relatively quickly, it often misses webpage Trojans that exploit unknown vulnerabilities or whose code is encrypted or obfuscated, and so cannot fundamentally protect the computer in real time.
[0005] Virtual machine detection generally uses software to simulate the addressing, compilation, and execution of CPU instructions in order to find virus signatures after execution. This method consumes a lot of system resources, has poor real-time performance, and is rarely used for detecting and removing webpage Trojans.
[0006] Behavior detection monitors behavioral characteristics of an application (such as hooking system interrupts, modifying the total memory size and memory control blocks, writing to executable files or the boot sector, performing suspicious actions such as formatting disks, switching between the virus program and the host program, and searching for API function addresses) and matches them against a behavior feature library. This method prevents some webpage Trojan attacks fairly well, but because of its heavy consumption of system resources, often only some of its functions are enabled.
[0007] Whichever of the above detection methods is used, there is still a blind spot in detecting webpage Trojans that are planted by exploiting unknown vulnerabilities.

Examples


Embodiment Construction

[0053] As shown in the attached figure, most webpage Trojans currently work by exploiting vulnerabilities in the browser or in third-party controls, combined with heap spray technology: they allocate a large amount of memory and write shellcode into it, so that the shellcode is executed to download and run a Trojan.

[0054] Heap spraying works by writing a large amount of filler code into memory. When the program's EIP pointer is hijacked and execution lands in this filler code, it has no effect on the execution of the shellcode that follows. This filler code often also serves as the function return address, so it has recognizable characteristics, such as 0x0A0A0A0A, 0x0B0B0B0B, 0x0C0C0C0C, 0x90909090. Detecting large memory regions with such characteristics can effectively prevent malicious code from executing and helps detect the attack behavior of some webpage Trojans. ...


Abstract

The invention discloses a real-time monitoring method and device for webpage Trojan horses. The method comprises the following monitoring steps: injecting into the browser process to be monitored; examining memory usage in the process space and recording the current memory usage; monitoring the browser for the opening of a new webpage; and, when a new webpage is opened, first checking the memory increment, suspending the process if the increment is greater than a specified threshold, searching the newly added memory for suspicious characteristics, and raising an alarm and recording the current webpage information if such characteristics are found. Determining a webpage Trojan by monitoring the memory increment of the browser process and whether the newly added memory has suspicious characteristics is a lightweight system security protection method; it can guarantee the security of routinely browsed webpages without affecting browsing speed.
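The two checks described in paragraph [0054] and in the abstract (memory increment over a threshold, then a search of the new memory for large filler regions), as an added example that is not code from the patent. It runs on an in-memory buffer instead of an injected browser process; the function names, the 1 MiB increment threshold and the 64 KiB run length are assumptions, since the page gives no values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Filler dwords listed in paragraph [0054]. */
static const uint32_t SLED[] = {0x0A0A0A0Au, 0x0B0B0B0Bu, 0x0C0C0C0Cu, 0x90909090u};

/* Assumed tuning values; the page does not specify any. */
#define INCREMENT_THRESHOLD (1u << 20)  /* growth above 1 MiB triggers a scan */
#define MIN_RUN_BYTES       (64u << 10) /* 64 KiB of one filler dword is suspicious */

/* Longest run, in bytes, of one repeated filler dword. Every pattern is a single
   repeated byte, so alignment and endianness do not change the result. */
size_t longest_sled_run(const uint8_t *buf, size_t len) {
    size_t best = 0, run = 0;
    uint32_t prev = 0;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t w;
        memcpy(&w, buf + i, 4);
        int is_sled = 0;
        for (size_t k = 0; k < sizeof SLED / sizeof SLED[0]; k++)
            if (w == SLED[k]) is_sled = 1;
        if (is_sled && run > 0 && w == prev) run += 4;
        else run = is_sled ? 4 : 0;
        prev = w;
        if (run > best) best = run;
    }
    return best;
}

/* Page-load check: 0 = increment below threshold, 1 = scanned and clean, 2 = alarm. */
int check_page_load(size_t before, size_t after, const uint8_t *new_mem, size_t new_len) {
    if (after <= before || after - before <= INCREMENT_THRESHOLD) return 0;
    return longest_sled_run(new_mem, new_len) >= MIN_RUN_BYTES ? 2 : 1;
}

/* Constructed sample: 2 MiB of new memory, filled with 0x0C bytes or zeroed. */
int demo(int sprayed) {
    size_t len = 2u << 20;
    uint8_t *mem = malloc(len);
    if (!mem) return -1;
    memset(mem, sprayed ? 0x0C : 0x00, len);
    int r = check_page_load(10u << 20, (10u << 20) + len, mem, len);
    free(mem);
    return r;
}

int main(void) { printf("sprayed=%d clean=%d\n", demo(1), demo(0)); return 0; }
```

A monitor built on this would raise its alarm and record the current page when `check_page_load` returns 2, matching the last step of the abstract.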

Description

Technical field

[0001] The invention relates to the technical field of computer security, in particular to a method and device for real-time monitoring of webpage Trojan horses.

Background technique

[0002] With the continuous advancement of the Internet, browsing the web, downloading files, etc. have become daily habits for many people. However, while people browse the web, many webpage Trojan horses are planted on their computers without their noticing, to carry out illegal activities such as account theft. Examples include webpage Trojan horses that exploit buffer overflow vulnerabilities in the IE browser, which expose people to great risk when browsing webpages.

[0003] In the prior art, detection methods for webpage Trojans mainly include signature detection, behavior detection and virtual machine detection.

[0004] Signature detection is still the most commonly used technology at present. Its implementation is relatively simple, and the ability ...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/26, G06F21/00, G06F21/56
Inventor: 张婷, 张永光, 张雪峰
Owner: XIAMEN MEIYA PICO INFORMATION