Research and Implementation of Content-Based Detection of Malicious Code in Web Pages
[Abstract]: In recent years, malicious code such as worms, Trojan horses and botnets has continually threatened the security of the Internet. With the growing popularity of Web 2.0 and cloud computing, more and more applications deliver their services over the web, and the browser is increasingly taking on the role of an operating system. As attackers exploit vulnerabilities in browsers and browser plug-ins in place of vulnerabilities in operating systems and applications, malicious web pages have gradually become the main channel through which malicious code spreads or attacks, and an important link in the underground economy. Malicious web pages are pages that contain malicious content through which viruses, Trojans and similar threats can spread or attack. The malicious content they contain is also known as a web Trojan, although it is essentially not a Trojan: it is malicious code that propagates or attacks using the web page as its medium. It is usually written in a scripting language such as JavaScript or VBScript, embedded in the web page, and obfuscated in various ways to avoid detection. The act of inserting malicious content into a web page is also known as "web page hanging". Web malicious code exploits vulnerabilities in the user's browser or plug-ins to download and run malicious software, such as adware, Trojans and viruses, without the user's knowledge. Normal web pages can also have malicious code planted in them, so users may be attacked by such code even when they visit seemingly normal websites. Because web malicious code makes extensive use of code obfuscation, traditional anti-virus software has a high miss rate, which leads more and more attackers to use web malicious code to spread malicious software. Existing methods for detecting malicious web pages can be divided into static detection (based on web page content or the web address), dynamic detection (based on the behavior caused by browsing the page), and a mixture of the two.

Traditional static detection is simple and fast, but it can only detect known features and has difficulty dealing with obfuscated page code, so it produces a large number of false positives and false negatives. Existing systems therefore often use dynamic detection: a browser inside a virtual machine opens the web page, and the running state of the system is monitored to find malicious behavior. Dynamic detection is highly accurate, but its resource consumption is large, so it cannot be used to detect web pages at Internet scale. This thesis proposes a lightweight method for detecting malicious code in web pages that analyzes the content of the page and extracts features, which are then used for machine learning to obtain a classification model automatically. To make up for the shortcomings of static detection, a JavaScript virtual machine is used to parse the parts of the code that may be obfuscated, which improves the accuracy of the system. The method mainly examines the source code of the page and does not need to actually visit the web page and observe the behavior of the system. The system can therefore consume fewer resources and detect faster while still ensuring detection accuracy, and it can be applied to malicious code detection over large-scale sets of web pages, such as those handled by search engines. Through a systematic analysis of the characteristics of web page malicious code, the features used to detect malicious web pages are extracted, and a prototype system for detecting malicious code in web pages is designed and implemented. Experiments show that the system can detect malicious web pages accurately and effectively.
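[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2011
[Classification number]: TP393.092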
Article number: 2358671
Article link: http://sikaile.net/wenyilunwen/guanggaoshejilunwen/2358671.html