Web malicious code detection method and system

A malicious code detection technology, applied in the field of real-time detection of malicious code. It addresses the problems that real-time and efficient detection of malicious code is difficult to achieve, that the malicious code feature database is difficult to update, and that the database lags behind the emergence of malicious code. Its effects are solving the problem that malicious code cannot be found quickly and effectively, solving false positives, and improving accuracy.

Inactive Publication Date: 2016-04-13
YONYOU NETWORK TECH
6 Cites, 33 Cited by

AI Technical Summary

Problems solved by technology

[0019] 4. When JavaScript code contains a syntax error or an infinite recursive call error, the browser calls window.onerror(). By deliberately introducing a syntax error or an infinite recursive call error, a malicious webpage can judge whether the current operating environment is a sandbox or a real browser. If the sandbox of a security product implements error handling incompletely, for example by stopping parsing when it encounters a syntax error instead of calling window.onerror like a real browser, then malicious Web exploits may evade detection.
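
The error-handling gap described in [0019], seen from the sandbox builder's side, as an added example that is not code from the patent: a script runner that stops at the first error is compared with one that reports the error to window.onerror and continues, as a browser does. The function names and the sample page are constructed for illustration, and `new Function` models only error dispatch, not isolation.

```javascript
// Added example. Models only browser error dispatch, not isolation:
// `new Function` is NOT a security boundary, and a real analysis sandbox
// runs page scripts in an isolated engine. All names are hypothetical.

// Constructed sample page: four inline <script> bodies, in document order.
const SAMPLE_PAGE = [
  // 1. Handler records that the environment dispatched an error event.
  "window.onerror = function () { window.sawError = true; };",
  // 2. Deliberate syntax error (fails at compile time).
  "var x = ;",
  // 3. Deliberate unbounded recursion (fails at run time with RangeError).
  "(function f() { f(); })();",
  // 4. Later behaviour depends on whether the handler ever ran.
  "window.branch = window.sawError ? 'after-onerror' : 'no-onerror';",
];

// Run each script body against one shared `window` object.
// browserLike = false: stop at the first error (the incomplete handling).
// browserLike = true: report the error to window.onerror and carry on with
// the next script block, which is what a real browser does.
function runScripts(scripts, browserLike) {
  const window = {};
  const errors = [];
  let executed = 0;
  for (const [index, source] of scripts.entries()) {
    try {
      new Function("window", source)(window);
      executed += 1;
    } catch (err) {
      errors.push({ index, name: err.name });
      if (!browserLike) break;
      if (typeof window.onerror === "function") {
        try {
          window.onerror(err.message, "inline-script", 0, 0, err);
        } catch (_) {
          // A throwing handler must not abort the analysis run.
        }
      }
    }
  }
  return { executed, errors, branch: window.branch, sawError: window.sawError === true };
}

// Coverage check for a sandbox build: how much of the page did each mode see?
function compareModes(scripts) {
  return { naive: runScripts(scripts, false), browserLike: runScripts(scripts, true) };
}

console.log(JSON.stringify(compareModes(SAMPLE_PAGE), null, 2));
```

The naive run never reaches the fourth block, so whatever that block does goes unobserved; the browser-like run executes it and records both error types.
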
[0024] This method has at least the following problems:
1) The malicious code signature database is difficult to make comprehensive and its updates lag behind the emergence of malicious code, so the detection results will produce false negatives.
2) The detection action is a periodic behavior, so there is a certain lag.
3) It is difficult to achieve real-time and efficient detection of malicious code in a large-scale deployment environment.



Examples

Embodiment Construction

[0056] All features disclosed in this specification, or steps in all methods or processes disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.

[0057] Any feature disclosed in this specification (including any appended claims, abstract and drawings), unless expressly stated otherwise, may be replaced by alternative features which are equivalent or serve a similar purpose. That is, unless expressly stated otherwise, each feature is one example only of a series of equivalent or similar features.

[0058] As shown in Figures 1 and 2, a web malicious code detection method and system comprehensively detects and judges whether web malicious code exists, based on a web application source code library, a malicious code feature library, web page code behavior analysis, a white list and manual analysis. It includes the following steps:

[0059] (1) Install a malicious code detection proxy tool on the web application server. The ...



Abstract

The invention relates to a Web malicious code detection method and system. Based on a Web application source code database, a malicious code feature database, a webpage code behavior analysis, a white list and a manual analysis, whether a web malicious code exists is detected and determined comprehensively. The system comprises a malicious code detection agent module, a malicious code detection server white list module, a source code database query and detection module, a malicious code feature detection module, a malicious code behavior detection module, a detection result determination and alarm module, a detection result query module and a management module. According to the invention, through comprehensive application of the Web application source code database, the malicious code feature database, the webpage code behavior analysis, the white list and the manual analysis, missed alarm behaviors of malicious code detection can be effectively solved, the accuracy of the malicious code detection is improved, the natural contradiction between the rate of false alarm and the missed alarm rate in a malicious code detection process is balanced, and the response efficiency in the malicious code detection process is optimized.

Description

Technical field

[0001] The invention relates to the technical field of Web malicious code detection, in particular to a real-time detection method and system for malicious code such as Web-type Trojan horses and viruses.

Background technique

[0002] With the rapid development of the Internet, network attacks against Internet applications are also becoming more and more rampant. Among all kinds of network attacks, malicious code implantation (webpage Trojan, webpage virus, webshell backdoor, etc.) targeting websites has become one of the most popular and most harmful attack methods.

[0003] Malicious code (Unwanted Code) refers to code that has no effect but brings danger. One of the safest definitions is to regard all unnecessary code as malicious. There are many types of malicious code analysis methods. Generally, traditional malicious code analysis methods are divided into three types: analysis methods based on code characteristics, analysis methods based on semant...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08, G06F21/56
CPC: H04L63/145, G06F21/56, G06F21/562, H04L67/02
Inventor: 郄军利
Owner: YONYOU NETWORK TECH