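Browser Extension Vulnerability Detection Based on Behavior Sequences
Published: 2018-03-05 09:42
Topic: browser extensions. Approach: behavior sequences. Source: Tianjin University, master's thesis, 2014. Document type: degree thesis.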
[Abstract]: Since 2008, the security of browser extensions has been attracting attention. As browsers play an increasingly important role, the problem has gradually become a research hotspot. However, there is currently no method or tool that protects users from attacks targeting browser extensions. Research finds that the main cause of browser extension security problems is the unsound design of the browser extension mechanism.

Based on a study and analysis of the Firefox browser extension mechanism, this thesis proposes a browser extension vulnerability detection method based on behavior sequence analysis. The method first analyzes the interfaces that Firefox provides to extensions and abstracts interface calls as browser extension behaviors, dividing them into four security levels according to the security risk each class of behavior may pose to the user. It then links an extension's behaviors in chronological order into a behavior sequence, models the sequence as a neural-network-based graph model, and reduces the resulting large-scale graph model. Next, with the support of a knowledge base of attack-signature behavior sequences, the problem of detecting malicious browser extensions and browser extension vulnerabilities is transformed into a subgraph matching problem. Finally, following the proposed method, an automated detection tool was implemented, and 140 browser extensions downloaded from Mozilla were tested automatically. The tests cover the detection of 4 kinds of vulnerabilities and 7 kinds of unsafe practices. The experimental results show a precision of 87.7%.

This thesis automatically tested the behavior of browser extensions in all categories on Mozilla. The test knowledge base collects and summarizes browser extension vulnerabilities and unsafe practices. The security problems of browser extensions and the design flaws of the browser extension mechanism were investigated. The experiments show that fairly serious security problems exist in browser extensions.
[Degree-granting institution]: Tianjin University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.092