Method and device for detecting file tampering hijacking and storage medium

Document No.: 1116100 Published: 2020-09-29

Reading note: this technology, "Method and device for detecting file tampering hijacking and storage medium", was designed by 韩志辉, 吕志泉, 梅瑞, 严寒冰, 丁丽, 李佳, 沈元, 张帅, 李志辉, 张腾, 陈阳 and 王适 on 2019-03-19. Main content: The invention provides a method, a device and a storage medium for detecting file tampering and hijacking, comprising: acquiring a downloaded source file; inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time; querying the domain name information of the website from which the source file was downloaded; acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar; and determining whether the digital signature information is homologous with (has the same origin as) the registration information of the website domain name. If so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked. Whether the downloaded file has been tampered with or the website hijacked is thus determined by identifying whether the downloaded file and the website information are homologous. This solves the problem that traditional methods cannot detect this class of threat when a website is hijacked and a legitimately signed file is placed on it.

1. A method for detecting file tampering and hijacking, characterized by comprising the following steps:

acquiring a downloaded source file;

inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time;

querying the domain name information of the website from which the source file was downloaded;

acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

determining whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

2. The method according to claim 1, wherein querying the domain name information of the website from which the source file was downloaded specifically comprises: querying via the whois domain name query protocol.

3. The method according to claim 1, wherein determining whether the digital signature information is homologous with the registration information of the website domain name specifically comprises: generating a homology library by collecting and crawling the correspondence between the registration information of each website domain name and the digital signature information, and determining whether the digital signature information is homologous with the registration information of the website domain name.

4. A device for detecting file tampering and hijacking, comprising: a memory and a processor;

the memory being used to store a computer program that runs on the processor;

the processor, when running the computer program, implementing the following steps:

acquiring a downloaded source file;

inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time;

querying the domain name information of the website from which the source file was downloaded;

acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

determining whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

5. The device according to claim 4, wherein querying the domain name information of the website from which the source file was downloaded specifically comprises: querying via the whois domain name query protocol.

6. The device according to claim 4, wherein determining whether the digital signature information is homologous with the registration information of the website domain name specifically comprises: generating a homology library by collecting and crawling the correspondence between the registration information of each website domain name and the digital signature information, and determining whether the digital signature information is homologous with the registration information of the website domain name.

7. A device for detecting file tampering and hijacking, comprising:

a file acquisition module, configured to acquire a downloaded source file;

an attribute acquisition module, configured to inspect the file attribute information and obtain digital signature information, the digital signature information including signer information and signature time;

a query module, configured to query the domain name information of the website from which the source file was downloaded;

a registration information acquisition module, configured to acquire registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

a homology judgment module, configured to determine whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

8. A non-transitory computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for detecting file tampering and hijacking according to any one of claims 1 to 3.

Technical Field

The invention relates to the technical field of network security, in particular to a method and a device for detecting file tampering hijacking and a storage medium.

Background

Traditionally, file hijacking and tampering are detected through URL tracking and monitoring. However, this conventional approach detects such events with a relative delay and depends on matching against a feature library. Take the use of a hash to verify file integrity: if the website is hijacked or compromised and the hash of the original file is modified, the hash check has no ability to identify the source. Moreover, hijacking is often selective by region and intermittent in time, which makes it difficult to monitor.

Disclosure of Invention

To solve the above problems, the present invention provides a method, a device and a storage medium for detecting file tampering and hijacking, which determine whether a file has been tampered with or a website hijacked by determining the homology between a downloaded file and the website it was downloaded from. This solves the detection lag of the prior art.

The invention first provides a method for detecting file tampering and hijacking, comprising the following steps:

acquiring a downloaded source file;

inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time;

querying the domain name information of the website from which the source file was downloaded;

acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

determining whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

In the method, querying the domain name information of the website from which the source file was downloaded specifically comprises: querying via the whois domain name query protocol.

In the method, determining whether the digital signature information is homologous with the registration information of the website domain name specifically comprises: generating a homology library by collecting and crawling the correspondence between the registration information of each website domain name and the digital signature information, and determining whether the digital signature information is homologous with the registration information of the website domain name.

The present application further provides a device for detecting file tampering and hijacking, comprising: a memory and a processor;

the memory being used to store a computer program that runs on the processor;

the processor, when running the computer program, implementing the following steps:

acquiring a downloaded source file;

inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time;

querying the domain name information of the website from which the source file was downloaded;

acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

determining whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

In the device, querying the domain name information of the website from which the source file was downloaded specifically comprises: querying via the whois domain name query protocol.

In the device, determining whether the digital signature information is homologous with the registration information of the website domain name specifically comprises: generating a homology library by collecting and crawling the correspondence between the registration information of each website domain name and the digital signature information, and determining whether the digital signature information is homologous with the registration information of the website domain name.

A device for detecting file tampering and hijacking, comprising:

a file acquisition module, configured to acquire a downloaded source file;

an attribute acquisition module, configured to inspect the file attribute information and obtain digital signature information, the digital signature information including signer information and signature time;

a query module, configured to query the domain name information of the website from which the source file was downloaded;

a registration information acquisition module, configured to acquire registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

a homology judgment module, configured to determine whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

A non-transitory computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements any of the above-described methods for detecting file tampering and hijacking.

The advantage of the method is that it compares the website owner with the owner of the downloaded file the website provides; if an inconsistency is found, tampering or hijacking may have occurred. Traditional methods have difficulty detecting this threat when a website is hijacked and a legitimately signed file is placed on it; confirming both the transmission source and the transmitted file effectively solves this problem.


Drawings

To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly described below. The drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of an embodiment of a file tampering hijacking detection method according to the present invention;

FIG. 2 is a schematic structural diagram of a file tampering hijacking detection apparatus according to the present invention;

FIG. 3 is a schematic structural diagram of another file tampering hijacking detection apparatus according to the present invention.

Detailed Description

In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the present invention more comprehensible, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings.

The invention first provides a method for detecting file tampering and hijacking which, as shown in FIG. 1, comprises the following steps:

S101: acquiring a downloaded source file;

S102: inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time; for example, the signer information may display the name of the signer;

S103: querying the domain name information of the website from which the source file was downloaded;

S104: acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

S105: determining whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

In the method, querying the domain name information of the website from which the source file was downloaded specifically comprises: querying via the whois domain name query protocol.

In the method, determining whether the digital signature information is homologous with the registration information of the website domain name specifically comprises: generating a homology library by collecting and crawling the correspondence between the registration information of each website domain name and the digital signature information, and determining whether the digital signature information is homologous with the registration information of the website domain name.

For example: a source file is downloaded from website A, and information such as the domain name owner and the domain name registrar of website A is obtained through the whois domain name query protocol or by information collection and crawling. This information is then compared with the signature information in the attributes of the downloaded source file; if the two are inconsistent, it is determined that website A has been hijacked or the downloaded source file has been tampered with.
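The comparison in S103 to S105 can be sketched as follows. This is an added example, not code from the patent: the signer name is assumed to have been read from the file's digital signature beforehand, and the sample WHOIS text, the homology library contents, the name normalization and the handling of a redacted registrant field are all assumptions made for illustration.

```python
import re
import socket
from dataclasses import dataclass

# Constructed WHOIS reply for a placeholder domain (not real registration data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SOFT.TEST
Registrar: Example Registrar, Inc.
Registrant Organization: Example Soft Co., Ltd.
Creation Date: 2010-01-01T00:00:00Z
"""

# Hypothetical homology library: normalized domain owner -> signer names
# previously observed for that owner (collected or crawled ahead of time).
HOMOLOGY_LIBRARY = {"example soft": {"example soft", "example soft labs"}}

LEGAL_FORMS = re.compile(r"\b(co|ltd|inc|llc|corp|corporation|limited|company|gmbh)\b")


def whois_query(domain, server, timeout=10):
    """S103: WHOIS (RFC 3912) sends the name plus CRLF to TCP port 43
    and reads until the server closes. `server` is chosen by the caller."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("idna") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """S104: pull owner and registrar out of 'Key: value' lines.
    Field names differ between registries; these are common ones."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    owner = (fields.get("registrant organization")
             or fields.get("registrant name") or fields.get("registrant"))
    return {"owner": owner, "registrar": fields.get("registrar")}


def normalize(name):
    """Compare by entity: lower-case, drop punctuation and legal-form words."""
    cleaned = re.sub(r"[^\w\s]", " ", name.lower())
    return " ".join(LEGAL_FORMS.sub(" ", cleaned).split())


@dataclass
class Verdict:
    homologous: bool
    reason: str


def check_homology(signer, whois_text, library=HOMOLOGY_LIBRARY):
    """S105: decide whether the file's signer and the domain owner match."""
    owner = parse_whois(whois_text)["owner"]
    if not signer:
        return Verdict(False, "file has no signer information")
    if not owner or re.search(r"redacted|privacy", owner, re.I):
        return Verdict(False, "domain owner unavailable in WHOIS")
    s, o = normalize(signer), normalize(owner)
    if s == o:
        return Verdict(True, "signer matches domain owner")
    if s in library.get(o, set()):
        return Verdict(True, "signer listed for this owner in homology library")
    return Verdict(False, f"signer {signer!r} is not associated with owner {owner!r}")


if __name__ == "__main__":
    for signer in ("EXAMPLE SOFT CO. LTD", "Example Soft Labs Inc.", "Other Vendor LLC"):
        print(signer, "->", check_homology(signer, SAMPLE_WHOIS))
```

A non-homologous verdict carries a reason string so that a missing or redacted registrant can be told apart from a genuine signer/owner mismatch when triaging alerts.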

The present application further provides a device for detecting file tampering and hijacking which, as shown in FIG. 2, comprises: a memory 201 and a processor 202;

the memory being used to store a computer program that runs on the processor;

the processor, when running the computer program, implementing the following steps:

acquiring a downloaded source file;

inspecting the file attribute information to obtain digital signature information, the digital signature information including signer information and signature time;

querying the domain name information of the website from which the source file was downloaded;

acquiring registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

determining whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

In the device, querying the domain name information of the website from which the source file was downloaded specifically comprises: querying via the whois domain name query protocol.

In the device, determining whether the digital signature information is homologous with the registration information of the website domain name specifically comprises: generating a homology library by collecting and crawling the correspondence between the registration information of each website domain name and the digital signature information, and determining whether the digital signature information is homologous with the registration information of the website domain name.

A device for detecting file tampering and hijacking which, as shown in FIG. 3, comprises:

a file acquisition module 301, configured to acquire a downloaded source file;

an attribute acquisition module 302, configured to inspect the file attribute information and obtain digital signature information, the digital signature information including signer information and signature time;

a query module 303, configured to query the domain name information of the website from which the source file was downloaded;

a registration information acquisition module 304, configured to acquire registration information of the website domain name, the registration information including the domain name owner and the domain name registrar;

a homology judgment module 305, configured to determine whether the digital signature information is homologous with the registration information of the website domain name; if so, the downloaded source file has not been tampered with; otherwise, the downloaded source file is determined to have been tampered with or the download address to have been hijacked.

A non-transitory computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements any of the above-described methods for detecting file tampering and hijacking.

The advantages of the method are as follows. Traditionally, file hijacking and tampering are found through URL tracking and monitoring, a detection method that lags relatively far behind. By adopting dynamic comparison, hijacking and tampering can be detected effectively in real time. The traditional method relies on matching against a feature library, for example using a hash to check the integrity of a file; but if the hash of the original file has been tampered with, the check cannot identify whether the file is homologous. A consistency comparison between the owner information of the source file and the owner information of the website can still detect this effectively.

Based on a consistency comparison of the website owner with the owner of the downloaded file the website provides, an inconsistency indicates that tampering or hijacking may have occurred. Traditional methods have difficulty detecting this threat when a website is hijacked and a legitimately signed file is placed on it. By comparing the domain name information with the information of the downloaded file to identify whether they are homologous, this dynamic identification effectively recognizes that the website has been hijacked or the file information has been modified.


From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus a necessary general-purpose hardware platform. The embodiments in this specification are described in a progressive manner; for the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is substantially similar to the method embodiment, its description is brief; for relevant points, refer to the corresponding description of the method embodiment.

While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.
