Research And Implementation Of Detection System Of Website Defacements

With the development of the Internet and the rapid growth of netizens, anincreasingly growing number of businesses of governments, schools, and enterprisesdepend on the website. At the same time, due to the complexity and diversity of allkinds of web application system, especially a lack of necessary security maintenance,website defacements occur frequently, which not only ruins the image of theconstruction organization of the web system, but also results in economic loss, evenwith serious political influence. Therefore, in order to reduce the spread of damage, howto monitor the website defacements in real time becomes an important research task inthe field of Internet security.At present, the research of web server-oriented website defacements detectionbecomes relatively mature, which has brought about quite a few practical systems. Theserver-oriented detection system, only suitable for stand-alone deployment, not only hascomplex deployment, high cost in application, but also reduces the site performance.Thus, it cannot realize in numerous websites with various types and scatteredmanagement. However, the traditional client-oriented polling schema limits to staticwebsites, and it fails to monitor dynamic websites. Therefore, this paper put forward atechnical solution for dynamic website defacements detection, and realized a prototypesystem of real-time monitor. With a domain inputted, the system can have a secure scanon the website, which is suitable for large-scale detection.In this paper, the research mainly includes the following:To start with, this paper brought forward a method of detecting malicious scriptsdefacing web pages. The method, different from that is characterized by matching textstrings or that is relevant to Hook loophole function sequence, but rather a runningmechanism of in-depth JavaScript byte code study, can quickly identify malicious codesmisplaced and encrypted through code instrumentation for script interpreter, and withthe aid of CPU simulator.What is more, through the study of updating cycle of the web page, this paperproposed that the website has the feature of local changes, and introduced this feature tothe analysis of web page structure change. Combining with the similarity of web pagesto calculate, this paper also proposed an algorithm which can isolate the dynamic areaand the static area from a website in a shorter training period with the thought of dynamic transmission to identify two areas.Finally, this paper put forward a recognition method for static web pages and staticareas defacement, and a recognition algorithm for the dynamic region of web pages.The algorithm improved the traditional comparison method ofMD5value, combiningwith domain knowledge, using statistical theory, and can not only scan the wholewebsite in a shorter time, but also approximately locate the defacement area with higheraccuracy than other algorithms.Experiments show that the online monitoring system implemented in this paper hasa high detection rate of the malicious web pages, and can find web pages localdefacement in time. The system gets few numbers of times of false alarm under thestability of the style of websites.