BHO technology-based dynamic detection system

A dynamic detection technology, applied in the Internet field, that addresses the difficulty existing systems have in providing a realistic environment and the resulting detection omissions, and achieves the effect of improving detection efficiency and accuracy.

Inactive Publication Date: 2016-12-07
HEFEI MINZHONGYIXING SOFTWARE DEV CO LTD

AI Technical Summary

Problems solved by technology

[0002] Today's malicious web page detection systems basically rely on client honeypot systems or on virtual machines that simulate real users. In the process of detecting malicious web pages, these systems can only examine one URL at a time (otherwise, when malicious behavior occurs, it is difficult to distinguish which web page is malicious). General client-side honeypots and sandbox systems cannot truly simulate the user environment: malicious web pages generally exploit vulnerabilities in third-party controls or real vulnerabilities in IE, and it is difficult for these systems to provide such environments, so there will be a lot of false positives in the detection process.

After detecting one URL, these existing detection systems restart a new client honeypot or sandbox for the next detection, so their efficiency is very low.

In virtual-machine detection that simulates a user, visiting a malicious web page has some impact on the virtual machine. When the same virtual machine is then used to detect the next web page, false negatives may occur (some malicious web pages use cookies to determine whether the client has already visited the malicious web page).

In addition, when most systems use IE to access web pages, it is difficult to know when the browser has finished accessing the page. Generally, the system judges by the number of page views or sets a timeout of its own, which also has some influence on detection efficiency and results.

Embodiment

[0014] A dynamic detection system based on BHO technology, characterized in that the system comprises a task reading and distribution module, a task control module, a BHO module, a log module and a log analysis module. The task distribution module reads the URLs to be detected into memory in one pass from a previously prepared URL collection file, and then distributes these tasks to the task control module through socket communication. After receiving a URL to be detected, the task control module creates a separate task thread to process it; the main task of this thread is to create a new IE process that simulates a user browsing the URL. During the whole browsing process, the BHO module records the various behaviors of IE to a log file. When browsing of the URL is finished, the IE process ends automatically, and the task thread then calls the log analysis module to analyze the recorded log fi...
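An added example, not code from the patent: one way per-process logging lets behaviors be attributed to the right URL when several pages are examined at once, using an explicit completion record instead of a timeout. The JSON record format, the event names and the rule-based verdict (a stand-in for the machine-learning judgement the patent mentions) are assumptions.

```python
import json

# Constructed sample: records from three concurrent IE processes, interleaved
# as they might land in a shared log. The JSON fields are a hypothetical format.
SAMPLE_LOG = """\
{"pid": 4101, "event": "navigate", "detail": "http://a.example/"}
{"pid": 4102, "event": "navigate", "detail": "http://b.example/"}
{"pid": 4103, "event": "navigate", "detail": "http://c.example/"}
{"pid": 4102, "event": "file_write", "detail": "temp/dropper.bin"}
{"pid": 4101, "event": "document_complete", "detail": ""}
{"pid": 4102, "event": "process_create", "detail": "temp/dropper.bin"}
{"pid": 4102, "event": "document_complete", "detail": ""}
{"pid": 4103, "event": "file_wr
"""

# Assumed behaviour classes worth flagging; a stand-in for a trained classifier.
FLAGGED = {"file_write", "process_create", "registry_write"}


def attribute(log_text):
    """Map each logged behaviour to the URL of the process that produced it."""
    sessions = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            pid, event = rec["pid"], rec["event"]
        except (ValueError, KeyError, TypeError):
            continue  # blank or truncated record (process ended mid-write)
        s = sessions.setdefault(pid, {"url": None, "complete": False, "behaviours": []})
        if event == "navigate" and s["url"] is None:
            s["url"] = rec.get("detail")  # first navigation is the task URL
        elif event == "document_complete":
            s["complete"] = True
        elif event in FLAGGED:
            s["behaviours"].append((event, rec.get("detail")))

    report = {}
    for pid, s in sessions.items():
        if s["behaviours"]:
            verdict = "suspicious"
        elif s["complete"]:
            verdict = "clean"
        else:
            verdict = "incomplete"  # no completion event: re-queue, do not trust
        report[s["url"] or f"pid-{pid}"] = {"verdict": verdict, "behaviours": s["behaviours"]}
    return report


if __name__ == "__main__":
    for url, result in attribute(SAMPLE_LOG).items():
        print(url, result)
```

A session with no completion record is reported as incomplete rather than clean, so a browser process that died mid-visit does not produce a silent false negative.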

Abstract

The invention discloses a BHO technology-based dynamic detection system comprising a task reading and distributing module, a virtual machine task control module, a BHO module, a log module and a log analysis module. With this method, the moment at which IE finishes accessing a web page can be known accurately. In addition, a plurality of web pages can be detected at the same time while a real user environment is simulated, and after the detection of each web page is finished, any change the web page made to the virtual machine is restored, ensuring that the whole system is not left modified by a malicious web page. Furthermore, the behavior of a malicious web page is judged, extracted and determined using a machine learning method, which improves the accuracy of malicious web page detection. Through this method, the system's malicious web page detection efficiency and accuracy can be greatly improved.

Description

Technical field

[0001] The invention relates to the field of the Internet, in particular to a dynamic detection system based on BHO technology.

Background

[0002] Today's malicious web page detection systems basically rely on client honeypot systems or on virtual machines that simulate real users. In the process of detecting malicious web pages, these systems can only examine one URL at a time (otherwise, when malicious behavior occurs, it is difficult to distinguish which web page is malicious). General client-side honeypots and sandbox systems cannot truly simulate the user environment: malicious web pages generally exploit vulnerabilities in third-party controls or real vulnerabilities in IE, and it is difficult for these systems to provide such environments, so there will be a lot of false negatives in the detection process. For these existing detection systems, when a url is detected, a new client honeypot or sandbox will be restarted at t...

Application Information

IPC(8): G06F17/30
CPC: G06F16/9566
Inventor: 董雄飞
Owner: HEFEI MINZHONGYIXING SOFTWARE DEV CO LTD