Title:
METHOD AND APPARATUS FOR DETECTING A MALICIOUS WEBSITE
Document Type and Number:
WIPO Patent Application WO/2014/048751
Kind Code:
A1
Abstract:
The present invention relates to a method and apparatus for detecting a malicious website, wherein the method comprises: manipulating at least one browser to visit a specified website; monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website; detecting whether the monitored behavior contains an unapproved behavior; and judging that the specified website is a malicious website if the detection result is yes. By using the method and apparatus, a malicious website containing an unknown malicious program can be detected.

Inventors:
HU JIAN JUN (CN)
Application Number:
PCT/EP2013/068822
Publication Date:
April 03, 2014
Filing Date:
September 11, 2013
Assignee:
SIEMENS AG (DE)
International Classes:
G06F21/56; G06F21/52
Other References:
ANONYMOUS: "Securing Your Web Browser", 14 February 2008 (2008-02-14), XP055090516, Retrieved from the Internet [retrieved on 20131127]
ANONYMOUS: "McAfee AntiVirus 2011 Review & Download", 1 January 2012 (2012-01-01), XP055090513, Retrieved from the Internet [retrieved on 20131127]
Claims:

1. A method for detecting a malicious website, comprising:

operating a browser to access a specified website;

monitoring a behavior of the browser during accessing the specified website;

detecting whether the monitored behavior contains an impermissible behavior; and

judging that the specified website is a malicious website if the detection result is yes.

2. The method as claimed in claim 1, further comprising:

checking whether the monitored behavior contains a behavior of downloading content from the specified website;

performing a virus scan on the content downloaded from the specified website if the check result is yes; and

judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.

3. The method as claimed in claim 1, wherein the step of operating the browser to access the specified website comprises:

operating the browser to access the specified website multiple times, wherein a different security level is set for the browser each time it visits the specified website.

4. The method as claimed in claim 1, wherein the step of operating the browser to access the specified website comprises:

operating the browser to traverse each webpage of the specified website.

5. The method as claimed in claim 1, wherein the impermissible behavior comprises at least one of the following behaviors:

downloading content from the specified website without permission;

installing software without permission;

redirecting from the specified website to another malicious website without permission; and

uploading content to the specified website without permission.

6. The method as claimed in claim 1, wherein

the browser works in a virtual environment.

7. An apparatus for detecting a malicious website, comprising:

an operation module for operating a browser to access a specified website;

a monitoring module for monitoring a behavior of the browser during accessing the specified website;

a detection module for detecting whether the monitored behavior contains an impermissible behavior; and

a determination module for judging that the specified website is a malicious website if the detection result is yes.

8. The apparatus as claimed in claim 7, further comprising:

a checking module for checking whether the monitored behavior contains a behavior of downloading content from the specified website;

a scanning module for performing a virus scan on the content downloaded from the specified website if the check result is yes; and

a judgment module for judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.

9. The apparatus as claimed in claim 7, wherein

the operation module is further used for operating the browser to access the specified website multiple times, wherein a different security level is set for the browser each time it accesses the specified website.

10. The apparatus as claimed in claim 7, wherein

the operation module is further used for operating the browser to traverse each webpage of the specified website.

11. The apparatus as claimed in claim 7, wherein the impermissible behavior comprises at least one of the following:

downloading content from the specified website without permission;

installing software without permission;

redirecting from the specified website to another malicious website without permission; and

uploading a content to the specified website without permission.

12. The apparatus as claimed in claim 7, wherein

the browser works in a virtual environment.

13. A device for detecting a malicious website, comprising:

a memory for storing an executable instruction; and

a processor for performing all steps in any one of the claims 1 to 6 according to the stored executable instruction.

14. A machine readable medium, which stores thereon an executable instruction that causes a machine to execute all steps comprised in any one of the claims 1 to 6 when the executable instruction is executed.

Description:

Method and apparatus for detecting a malicious website

Technical Field

The present invention relates to a method and apparatus for detecting a malicious website.

Background Art

With the in-depth development of network technology, more and more websites appear on the Internet to provide people with a wide variety of businesses and services. Under these circumstances, it has become a trend for people to visit websites to obtain required businesses and services.

Security is a very important factor when it comes to obtaining businesses and services through websites. However, with the development of hacking technology, some websites have been taken over by malicious attackers and illegally deployed with malicious programs such as Trojan programs, worms and the like, and have thus become malicious websites. If people visit these malicious websites, malicious programs will be illegally installed on their computers, which will thereby be controlled by malicious attackers to perform illegal operations.

For this reason, malicious websites need to be identified and then blocked or reported to people, so that people will not visit them. Currently available solutions for detecting malicious websites work on the basis of the signatures of malicious programs: the webpage files of a website are scanned to check whether they contain a signature of a malicious program, and the website is judged to be a malicious website when the scan finds such a signature. However, existing solutions that detect malicious websites based on signatures can only detect malicious websites that contain known malicious programs.

Contents of the Invention

Taking the above problems in the prior art into consideration, the embodiments of the present invention provide a method and apparatus for detecting a malicious website, which are capable of detecting a malicious website containing an unknown malicious program and/or a known malicious program.

The method for detecting a malicious website according to the embodiments of the present invention comprises: operating at least one browser to access a specified website; monitoring a behavior of the at least one browser during the process in which the at least one browser accesses the specified website; detecting whether the monitored behavior contains an impermissible behavior; and judging that the specified website is a malicious website if the detection result is yes.

The method can further comprise: checking whether the monitored behavior contains a behavior of downloading a content from the specified website; performing a virus scan on the content downloaded from the specified website if the check result is yes; and judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.

The operation step can further comprise: operating each of the at least one browser to access the specified website multiple times, wherein a different security level is set for each browser each time it accesses the specified website.

The abovementioned manipulation step can further comprise: operating the at least one browser to traverse each webpage of the specified website.

The impermissible behavior comprises at least one of the following: downloading content from the specified website without permission; installing software without permission; redirecting from the specified website to other malicious websites without permission; and uploading content to the specified website without permission.

The at least one browser may work in a virtual environment.

The apparatus for detecting a malicious website according to the embodiments of the present invention comprises: an operation module for operating at least one browser to access a specified website; a monitoring module for monitoring a behavior of the at least one browser during the process in which the at least one browser accesses the specified website; a detection module for detecting whether the monitored behavior contains an impermissible behavior; and a determination module for judging that the specified website is a malicious website if the detection result is yes.

The apparatus can further comprise: a checking module for checking whether the monitored behavior contains a behavior of downloading content from the specified website; a scanning module for performing a virus scan on the content downloaded from the specified website if the check result is yes; and a judgment module for judging that the specified website is a malicious website if the scan result indicates that the content downloaded from the specified website contains a virus.

The manipulation module may be further used for operating each of the at least one browser to access the specified website multiple times, wherein a different security level is set for each browser each time it accesses the specified website.

The operation module may be further used for operating the at least one browser to traverse each webpage of the specified website.

The impermissible behavior comprises at least one of the following: downloading content from the specified website without permission; installing software without permission; redirecting from the specified website to other malicious websites without permission; and uploading content to the specified website without permission.

The at least one browser may work in a virtual environment.

As may be seen from the above description, the solution of the embodiments of the present invention uses an impermissible behavior of a browser which accesses a website, rather than a signature of a malicious program, to detect malicious websites. Since the impermissible behavior of the browser occurs under the influence of known and unknown malicious programs contained in the visited website, the solution of the embodiments of the present invention is capable of detecting websites that contain unknown malicious programs.

Description of the accompanying drawings

The features, characteristics, advantages and benefits of the present invention will become more apparent by way of the detailed description herein below in conjunction with the accompanying drawings. In the drawings:

Fig. 1 shows a flowchart of a method for detecting a malicious website according to an embodiment of the present invention;

Fig. 2 shows a schematic diagram of an apparatus for detecting a malicious website according to an embodiment of the present invention; and

Fig. 3 shows a schematic diagram of a device for detecting a malicious website according to an embodiment of the present invention.

Particular embodiments

After a large number of experiments, the inventors have found that: when using a browser to visit a website, if the visited website contains a malicious program, then regardless of whether the malicious program is known or unknown, the browser will usually be affected by the malicious program contained in the visited website and perform an unapproved behavior, such as downloading a content from the website without approval, installing software without approval, redirecting to other malicious websites without approval and/or uploading a content to the website without approval.

The solution of the embodiments of the present invention is proposed on the basis of the abovementioned discovery of the inventors. It actively manipulates a browser to visit a website, detects whether the browser performs an unapproved behavior during the process in which the browser visits the website, and determines that the visited website is a malicious website when the detection result is yes. Here, an unapproved behavior of the browser which visits the website, rather than a signature of a malicious program, is used to detect malicious websites. Since the unapproved behavior of the browser occurs under the influence of known and unknown malicious programs contained in the visited website, the solution of the embodiments of the present invention is capable of detecting websites that contain known and/or unknown malicious programs.

Herein below, each of the embodiments of the present invention will be described in detail in conjunction with the accompanying drawings.

Referring to Fig. 1, it shows a flowchart of a method for detecting a malicious website according to an embodiment of the present invention. As shown in Fig. 1, in step S100, a plurality of browsers are manipulated to visit a website Wl to be detected so as to traverse each webpage of the website Wl. Here, the plurality of browsers may be manipulated to visit the website Wl simultaneously or successively. Here, each browser L of the plurality of browsers may be manipulated to visit the website Wl once; or, each browser L of the plurality of browsers may be manipulated to visit the website Wl multiple times, wherein a different security level (for example, low, medium, high and so on) may be set each time the browser L visits the website Wl. Here, the plurality of browsers may be various browsers that exist already or may appear in future, for example, but not limited to, the browser developed by Microsoft Corporation, Firefox browser, Google browser (Chrome), Sogou browser and so on.

In step S110, a behavior of the plurality of browsers is monitored during the process in which the plurality of browsers visits the website Wl.

In step S120, whether the monitored behavior contains an unapproved behavior is detected. Under normal circumstances, a behavior performed by the browser is a behavior initiated by a user or a behavior initiated by the browser but which has been informed to the user and is approved by the user; and such behaviors belong to approved behaviors. If a behavior performed by the browser is initiated by the browser but is not approved by the user, the behavior belongs to an unapproved behavior, and such behaviors are often performed by the browser under the influence of a malicious program in the website. In addition, unapproved behaviors may further comprise a malicious behavior disguised as a harmless behavior; such behavior appears harmless from the outside and the disguised malicious behavior has been approved by the user, but in fact the user is not aware of the malicious behavior itself and does not know that the malicious behavior will cause damage. Here, for example, it is possible to define approved behaviors in advance and store them, so as to detect whether the monitored behavior contains an unapproved behavior by comparing the monitored behavior with the stored approved behavior. Of course, other methods can also be employed to detect whether the monitored behavior contains an unapproved behavior.

Here, unapproved behaviors may include but are not limited to at least one of the following: downloading a content from the website Wl without approval, installing software without approval, redirecting from the website Wl to other malicious websites without approval and uploading a content to the website Wl without approval. Here, uploading a content to the website Wl without approval is for example unapproved pageload, uploading sensitive data of the user, such as account number, password, etc. to the website Wl without approval and so on.

In step S130, it is determined that the website Wl is a malicious website when the detection result of step S120 is yes, that is, the monitored behavior contains an unapproved behavior.

If the detection result of step S120 is no, that is, the monitored behavior does not contain unapproved behavior, then the flow ends.
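The comparison of step S120 and the verdict of step S130 can be sketched as follows. This is an added Python example, not part of the patent text; the log format, the `shop.example` hosts and the shape of the approved-behavior store are constructed assumptions, and a real monitor would emit the events from an instrumented browser (step S110).

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# The four behavior kinds the description lists as candidates for "unapproved".
KINDS = {"download", "install", "redirect", "upload"}

# Constructed monitor output (step S110), one event per line:
#   browser  security_level  page  kind  target
SAMPLE_LOG = """\
# constructed sample, not real traffic
firefox low  https://shop.example/          redirect https://www.shop.example/home
firefox low  https://www.shop.example/home  download https://cdn.unknown.example/update.exe
firefox high https://shop.example/          redirect https://www.shop.example/home
chrome  low  https://www.shop.example/cart  upload   https://collect.unknown.example/f
chrome  low  https://www.shop.example/cart  upload   https://www.shop.example/checkout
"""

# Stored approved behaviors (assumed shape): (kind, target host) pairs defined
# in advance, as the description of step S120 suggests.
APPROVED = {
    ("redirect", "www.shop.example"),
    ("upload", "www.shop.example"),
}


@dataclass(frozen=True)
class Event:
    browser: str
    security_level: str
    page: str
    kind: str
    target: str


def parse_log(text):
    """Turn monitor log lines into Event objects, rejecting malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5 or fields[3] not in KINDS:
            raise ValueError(f"line {lineno}: malformed event: {line!r}")
        events.append(Event(*fields))
    return events


def is_approved(event, approved):
    """Step S120: compare one monitored behavior with the stored approved ones."""
    host = (urlsplit(event.target).hostname or "").lower()
    return (event.kind, host) in approved


def judge(events, approved):
    """Step S130: the site is judged malicious if any run shows an unapproved
    behavior. Findings are grouped per (browser, security level) run, so it is
    visible which configuration exposed the behavior."""
    findings = defaultdict(list)
    for ev in events:
        if not is_approved(ev, approved):
            findings[(ev.browser, ev.security_level)].append(ev)
    return bool(findings), dict(findings)


if __name__ == "__main__":
    malicious, findings = judge(parse_log(SAMPLE_LOG), APPROVED)
    print("malicious:", malicious)
    for run, evs in findings.items():
        for ev in evs:
            print(run, ev.kind, ev.target)
```

In the constructed log, the unapproved download appears only in the low-security Firefox run, which is why the description visits the same site at several security levels.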

As may be seen from the above description, this embodiment actively manipulates a plurality of browsers to traverse each webpage of a website Wl, and therefore, the detection is very comprehensive and the accuracy of the detection is very high.

Other Variants

It should be understood by those skilled in the art that the method described in the above embodiments may further comprise the steps of: checking whether the monitored behavior contains a behavior of downloading a content from the website Wl; performing a virus scan on the content downloaded from the website Wl if the check result indicates that the monitored behavior contains a behavior of downloading a content from the website Wl; and judging that the website Wl is a malicious website if the scan result indicates that the content downloaded from the website Wl contains a virus.

It should be understood by those skilled in the art that the plurality of browsers described in the above embodiments may be browsers developed by various manufacturers or be reprogrammed and obtained by imitating browsers developed by various manufacturers.

It should be understood by those skilled in the art that although a plurality of browsers are manipulated to visit the website Wl in the above embodiments, the present invention is not limited to this. In some other embodiments of the present invention, it is also possible to manipulate only one browser to visit the website Wl.

Meanwhile, it should be understood by those skilled in the art that the browser may be set to work in a virtual environment (such as using sandbox technology), so that even if an unapproved behavior occurs in the browser, the security of the system will not be compromised, and thus the security of the system can be enhanced.

It should be understood by those skilled in the art that although a plurality of browsers are manipulated to visit the website Wl to be detected so as to traverse each webpage of the website Wl in step S100 of the above embodiments, the present invention is not limited to this. In some other embodiments of the present invention, a plurality of browsers can also be manipulated to only visit part of the webpages in the website Wl to be detected, such as the part of webpages in the website Wl that the user frequently visits. In most cases, malicious programs are often placed by hackers on the part of webpages in the website that the user frequently visits, and if no unapproved behavior is detected when a browser visits the part of webpages in the website that the user frequently visits, then the website is usually not a malicious website.

Apparently, if a plurality of browsers are manipulated to visit only part of the webpages in the website to be detected, then it will greatly accelerate the detection speed.

Now referring to Fig. 2, it shows a schematic diagram of an apparatus for detecting a malicious website according to an embodiment of the present invention. The apparatus shown in Fig. 2 may be realized using software, hardware (such as integrated circuit, Field Programmable Gate Array (FPGA), etc.) or a combination of hardware and software.

As shown in Fig. 2, the apparatus 200 for detecting a malicious website may comprise a manipulation module 210, a monitoring module 220, a detection module 230 and a determination module 240. The manipulation module 210 may be used for manipulating at least one browser to visit a specified website ZH. The monitoring module 220 may be used for monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website ZH. The detection module 230 may be used for detecting whether the monitored behavior contains an unapproved behavior. The determination module 240 may be used for judging that the specified website ZH is a malicious website if the detection result is yes.

In addition, the manipulation module 210 may be further used for manipulating each browser L of the at least one browser to visit the specified website ZH multiple times, wherein a different security level is set for the browser L each time it visits the specified website ZH.

In addition, the manipulation module 210 may be further used for manipulating the at least one browser to traverse each webpage of the specified website ZH.

In addition, the apparatus 200 may further comprise a checking module 250, a scanning module 260, and a judgment module 270. The checking module 250 may be used for checking whether the monitored behavior contains a behavior of downloading a content from the specified website ZH. The scanning module 260 may be used for performing a virus scan on the content downloaded from the specified website ZH if the check result is yes. The judgment module 270 may be used for judging that the specified website ZH is a malicious website if the scan result indicates that the content downloaded from the specified website ZH contains a virus.

In addition, the unapproved behavior can comprise at least one of the following: downloading a content from the specified website ZH without approval; installing software without approval; redirecting from the specified website ZH to other malicious websites without approval; and uploading a content to the specified website ZH without approval. In addition, the at least one browser may work in a virtual environment.

Now referring to Fig. 3, it shows a schematic diagram of a device for detecting a malicious website according to an embodiment of the present invention. As shown in Fig. 3, the device 300 for detecting a malicious website can comprise a memory 310 for storing an executable instruction and a processor 320.

The processor 320 may be used for performing the following operations according to the executable instruction stored in the memory 310: manipulating at least one browser to visit a specified website ZH; monitoring a behavior of the at least one browser during the process in which the at least one browser visits the specified website ZH; detecting whether the monitored behavior contains an unapproved behavior; and judging that the specified website ZH is a malicious website if the detection result is yes.

In addition, for the operation of manipulating the at least one browser to visit the specified website ZH, the processor 320 may be further used for performing the following operations according to the executable instruction stored in the memory 310: manipulating each browser L of the at least one browser to visit the specified website ZH multiple times, wherein a different security level is set for the browser L each time it visits the specified website ZH.

In addition, for the operation of manipulating the at least one browser to visit the specified website ZH, the processor 320 may be used for further performing the following operations according to the executable instruction stored in the memory 310: manipulating each browser L of the at least one browser to traverse each webpage of the specified website ZH.

In addition, the processor 320 may be further used for performing the following operations according to the executable instruction stored in the memory 310: checking whether the monitored behavior contains a behavior of downloading a content from the specified website ZH; performing a virus scan on the content downloaded from the specified website ZH if the check result is yes; and judging that the specified website ZH is a malicious website if the scan result indicates that the content downloaded from the specified website ZH contains a virus.

In addition, the unapproved behavior can comprise at least one of the following: downloading a content from the specified website ZH without approval; installing software without approval; redirecting from the specified website ZH to other malicious websites without approval; and uploading a content to the specified website ZH without approval. In addition, the at least one browser may work in a virtual environment.

The embodiments of the present invention also provide a machine readable medium, which stores thereon an executable instruction that enables a machine to execute operations executed by the processor 320 when the executable instruction is executed.

It should be understood by those skilled in the art that various variations and modifications may be made to each of the embodiments disclosed above without departing from the essence of the invention, and all these variations and modifications should be within the protection scope of the present invention. Therefore, the protection scope of the present invention is to be defined by the attached claims.




 