CN102663000A - Establishment method for malicious website database, method and device for identifying malicious website - Google Patents
Establishment method for malicious website database, method and device for identifying malicious website Download PDFInfo
- Publication number
- CN102663000A CN102663000A CN2012100694437A CN201210069443A CN102663000A CN 102663000 A CN102663000 A CN 102663000A CN 2012100694437 A CN2012100694437 A CN 2012100694437A CN 201210069443 A CN201210069443 A CN 201210069443A CN 102663000 A CN102663000 A CN 102663000A
- Authority
- CN
- China
- Prior art keywords
- url
- website
- network address
- detected
- weights
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an establishment method for a malicious website database, and a method and a device for identifying a malicious website. The establishment method comprises the following steps: S1, constructing a site information association database; S2, constructing an backlink association database; S3, acquiring known malicious websites and adding the websites to a queue to be detected, repeating step S4 until the queue to be detected is empty, and using all the data appeared in the queue to be detected to construct a malicious website database; and S4, querying the backlink association database, determining all the backlink urls of the current url, adding the backlink urls, of which the weight exceeds a preset threshold to the queue to be detected, or analyzing site attribute information of the current url, querying the site information association database, and determining website domain names which have the same site attribute information with the current url, and adding the website domain names of which the weight exceeds a preset threshold to the queue to be detected. Compared with the prior art, the establishment method for a malicious website database, the method and the device for identifying a malicious website provided by the invention improve detection timeliness and accuracy, and reduce failure alert.
Description
[technical field]
The present invention relates to the computer security technique field, the recognition methods and the device of particularly a kind of method for building up of malice network address database, malice network address.
[background technology]
Along with the continuous development of computing machine and network technology, the internet is important to People more and more, has been deep into the various aspects of people's work and life.But the thing followed, also more and more to the malicious act of internet, various safety problems have greatly perplexed the network user.Be used to the website One's name is legion of malicious acts such as swindling at present on the internet, the website of these illegal profits is threatening user security because of the disguise of its profit channel.Yet these illegal websites are of short duration life cycle; Usually once discovery, usually can be banned or be cancelled, in order to ensure effect; The illegal website operator holds a large amount of similar station crowds usually and is used for replacing at any time; Close association is arranged between the crowd of these stations, and refinement and formed a huge black industrial chain gradually often is called as " the underground industrial chain in internet ".
Existing malice network address detection means has: static nature detects and the simulation browser detects.Static Detection is to utilize the malicious code characteristic of collecting in advance, through whether comprising those condition codes in inspection webpage HTML (Hypertext Markup Language, the HTML) code judges, if comprise, then is judged as the malice network address.The discrimination of this detection method is lower usually, is prone to got around by various script encryptions and coded system.It is to utilize the browser environment that builds in advance that the simulation browser detects, and analog subscriber visit network address is if during illegal behavioural characteristic, then be identified as the malice network address with it.The detection efficiency of this mode is lower, and after running into the malice network address, browser environment also possibly need to recover again, and the fully real browser environment of difficult structure, causes easily failing to report.For the network address storehouse that the illegal website operator replaces at any time, just can judge after needing to carry out one by one, can't find the malice network address in advance, ageing relatively poor.
[summary of the invention]
In view of this, the invention provides a kind of method for building up of malice network address database, the recognition methods and the device of malice network address, so that improve promptness and the accuracy that detects, minimizing is failed to report.
Concrete technical scheme is following:
A kind of method for building up of malice network address database, this method may further comprise the steps:
S1, in advance each website domain name and corresponding website attribute information are carried out related, structure the website associating information database;
S2, make up the anti-chain linked database in advance, preserve the linking relationship between each url;
S3, obtain the url of known malicious network address; Add in the formation to be detected; From formation to be detected, take out url and current url difference execution in step S4 one by one to taking out; Until formation to be detected is empty, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database;
S4, the said anti-chain linked database of inquiry are confirmed all anti-chain url of current url, with and the url of known malicious network address between the correlation degree anti-chain url that satisfies preset requirement add in the formation to be detected; Perhaps
Resolve the website attribute information of current url; Inquire about said site information linked database; Confirm to have the website domain name of same site attribute information with current url, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
According to one preferred embodiment of the present invention, said website attribute information comprises following listed at least a: the website name, the website everyone, everyone contact information of website, company information, IP address information, ICP information.
According to one preferred embodiment of the present invention; In said step S3, also comprise: for the url of said malice network address gives initial weight; For setting the anti-chain factor between each url that has the anti-chain relation; Type to website attribute information total between the domain name of website is set factor of influence, and the span of the said anti-chain factor and factor of influence is interval (0,1);
The calculating of correlation degree comprises between the url of anti-chain url and known malicious network address: the weights of current url multiply by the anti-chain factor, obtain the weights of anti-chain url;
The calculating of correlation degree comprises between the url of website domain name and known malicious network address: the weights of current url multiply by the corresponding factor of influence of type of website domain name and the common website attribute information of current url, obtain the weights of website domain name;
Said correlation degree satisfies preset requirement: the weights of said anti-chain url or website domain name surpass predetermined threshold value.
According to one preferred embodiment of the present invention, said malice network address database also comprises: all add url or corresponding website attribute information and the weights of website domain name in the formation to be detected to.
A kind of recognition methods of malice network address, this method comprises:
Obtain url to be detected, whether comprise said url to be detected in the inquiry malice network address database, if confirm that then said url to be detected is the malice network address;
Wherein said malice network address database is to adopt the method for building up of said malice network address database to set up.
A kind of recognition methods of malice network address, this method may further comprise the steps:
S201, obtain url to be detected, resolve the website attribute information of this url;
S202, the website attribute information that utilizes parsing to obtain are searched the malice network address that has same alike result information with said url to be detected in the malice network address database, said malice network address database is to adopt the method for the foundation of said malice network address database to set up;
The weights of the malice network address that S203, utilization find calculate the weights of url to be detected;
S204, judge that whether the weights of said url to be detected surpass predetermined threshold value, if then said url to be detected is identified as malice url.
According to one preferred embodiment of the present invention, said step S203 is specially:
The weights of the malice network address that step S202 is found carry out joint account, obtain the weights of said url to be detected.
According to one preferred embodiment of the present invention, said joint account is to get maximal value, perhaps averages, perhaps summation.
A kind of apparatus for establishing of malice network address database, this device comprises:
The site information relating module, be used in advance each website domain name and corresponding website attribute information being carried out related, structure the website associating information database;
The anti-chain relating module is used for making up the anti-chain linked database in advance, preserves the linking relationship between each url;
Database is set up module; Be used to obtain the url of known malicious network address; Add in the formation to be detected; The current url that from formation to be detected, takes out url one by one and will take out offers anti-chain detection module or site information detection module, is empty until formation to be detected, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database;
The anti-chain detection module; Be used to inquire about said anti-chain linked database; Confirm that said database sets up all anti-chain url of the current url that module provides, with and the url of known malicious network address between the correlation degree anti-chain url that satisfies preset requirement add in the formation to be detected;
The site information detection module; Be used to resolve the website attribute information of current url; Inquire about said site information linked database; Confirm that the current url that sets up module and provide with said database has the website domain name of same site attribute information, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
According to one preferred embodiment of the present invention, said website attribute information comprises following listed at least a: the website name, the website everyone, everyone contact information of website, company information, IP address information, ICP information.
According to one preferred embodiment of the present invention, this device also comprises:
Factor setting module is used to and sets the anti-chain factor between each url that has the anti-chain relation, and, set factor of influence to the type of website attribute information total between the domain name of website, the span of the said anti-chain factor and factor of influence is interval (0,1);
Said database is set up the url that module also is used to said malice network address and is given initial weight;
Said anti-chain detection module multiply by the anti-chain factor respectively with the weights of current url, obtains the weights of each anti-chain url, is embodied correlation degree between the url of anti-chain url and known malicious network address by the weights of anti-chain url;
Said site information detection module multiply by the weights of current url respectively the corresponding factor of influence of type of website domain name and the common website attribute information of current url; Obtain the weights of website domain name, embody correlation degree between the url of website domain name and known malicious network address by the weights of website domain name.
According to one preferred embodiment of the present invention, said malice network address database also comprises: all add url or corresponding website attribute information and the weights of website domain name in the formation to be detected to.
A kind of recognition device of malice network address, this device comprises: the inquiry judging module, be used to obtain url to be detected, whether comprise said url to be detected in the inquiry malice network address database, if confirm that then said url to be detected is the malice network address;
Wherein said malice network address database is to adopt the apparatus for establishing of said malice network address database to set up.
A kind of recognition device of malice network address, this device comprises:
Parsing module is used to obtain url to be detected, resolves the website attribute information of this url;
Enquiry module; Be used to utilize and resolve the website attribute information that obtains; In the malice network address database, search the malice network address that has same alike result information with said url to be detected, said malice network address database is to adopt the apparatus for establishing of said malice network address database to set up;
Merge module, be used to utilize the weights of the malice network address that finds to calculate the weights of url to be detected;
Judge module is used to judge whether the weights of said url to be detected surpass predetermined threshold value, if then said url to be detected is identified as malice url.
According to one preferred embodiment of the present invention, said merging module concrete configuration is:
The weights of the malice network address that finds in the said enquiry module are carried out joint account, obtain the weights of said url to be detected.
According to one preferred embodiment of the present invention, said joint account is to get maximal value, perhaps averages, perhaps summation.
Can find out by above technical scheme; The recognition methods of the method for building up of malice network address database provided by the invention, malice network address and device; Consider entirely to descend the relevance between the industrial chain, utilize on the internet between each website the associated data of website attribute information and linking relationship that known malicious network address url is expanded, based on the correlation degree of url that expands and malice network address url; Make up the malice network address database; The recognition methods that is realized based on this malice network address database has the higher detection accuracy rate not based on the malicious code characteristic, and need not to simulate browser environment and carry out and also can judge the network address that does not come into operation as yet; Improved the promptness and the accuracy that detect, minimizing is failed to report.
[description of drawings]
The method for building up process flow diagram of the malice network address database that Fig. 1 provides for the embodiment of the invention one;
The recognition methods process flow diagram of the malice network address that Fig. 2 provides for the embodiment of the invention two;
The apparatus for establishing synoptic diagram of the malice network address database that Fig. 3 provides for the embodiment of the invention three;
The recognition device synoptic diagram of the malice network address that Fig. 4 provides for the embodiment of the invention four.
[embodiment]
In order to make the object of the invention, technical scheme and advantage clearer, describe the present invention below in conjunction with accompanying drawing and specific embodiment.
Embodiment one,
Fig. 1 is the method for building up process flow diagram of the malice network address database that provides of present embodiment, and as shown in Figure 1, this method comprises:
Step S101, in advance each website domain name and corresponding website attribute information are carried out related, structure the website associating information database.
A website generally includes many webpages, and each webpage all has corresponding network address, and network address adopts url (uniform resource locator, URL) to represent usually, is generally the form of access protocal+domain name.For example, the Baidu website comprises many webpages, and the url of Baidu's homepage is " http://www.baidu.com ", and domain name is " baidu.com ".Because the website domain name has uniqueness, thereby can utilize the website domain name to represent a website.
For a domain name, utilize instruments such as whois, can inquire the log-on message of the corresponding website of this domain name.Usually log-on message comprises domain name, website everyone, the host name of everyone contact information (comprising organization, head of the unit, unit one belongs to's industry, mailing address, postcode, Email, telephone number, fax number and authentication information) of website, name server and IP address or the like of website name, application.
In underground industrial chain; Same illegal website operator holds a plurality of malicious websites usually and forms similar station crowd; These malicious websites have identical website attribute information usually, such as, possibly have identical website everyone or identical information such as name server.Utilize the incidence relation between these website attribute informations, find illegal website operator's station crowd.
Utilize the website attribute information of the website that exists on the internet in advance, structure the website associating information database is in order to inquire about the incidence relation between each website.
Particularly, when structure the website associating information database, earlier to the website that exists on the internet through the whois instrument, collect those website log-on messages, comprise the website name, the website everyone, everyone contact information of website, company information, IP address information etc.Through methods such as spiders, obtain ICP (Internet Content Provider, the Web content service provider) information of website again; Comprise company information, the website number of putting on record, website name; Information such as website homepage network address; These information and website domain name are carried out related, form the incidence relation between website domain name and the website attribute information, structure the website associating information database.
Said site information linked database can but be not limited to adopt the mode of table index to store; The incidence relation that comprises website domain name and corresponding website attribute information; Wherein the website attribute information comprises the website name, the website everyone, everyone contact information of website; Company information, IP address information etc.
Step S102, make up the anti-chain linked database in advance, preserve the linking relationship between each url.
It is related to comprise in the webpage that a plurality of derivation links and other webpages take place, and correspondingly, a webpage also might with the mode that imports link association take place in a plurality of webpages.
Anti-chain promptly imports link, is meant in other webpages through one section source literal or path a url to be incorporated into the link in their webpage.Every network address that in webpage, comprises the importing link of this url all is the anti-chain url of this url.
Utilize the linking relationship between the corresponding url of these webpages, make up the anti-chain linked database.Adopt existing web crawlers methods such as (web crawler) to climb and get web page contents, preserve the linking relationship between each url, make up and obtain the anti-chain linked database, so that the follow-up anti-chain of searching url.
Step S103, be that different incidence relation is set different factors of influence.
Association takes place in two websites, is meant that these two websites have identical website attribute information.It is different that related website attribute information type takes place each web-site that is meant different incidence relations between any two.Because it is different that the type of related website attribute information takes place between the website, the correlation degree between the website is also not too identical.For example, adopt the website of identical email address registration can confirm as same registrant basically, identical ip addresses then representes to share between the website host ip.
According to the type of website attribute information, for different incidence relations is set different factors of influence.Preset all types of factors of influence are that the type according to website attribute information total between the domain name of website is provided with.For example, set the email factor, be fixed value 0.9, set the IP factor, be fixed value 0.8, set the anti-chain factor, be fixed value 0.8 for the website of anti-chain relation for the website of adopting identical ip addresses for the website of adopting identical email address registration.Type to website attribute information total between the domain name of website is set factor of influence, between each url that has the anti-chain relation anti-chain factor being set.
All types of factors of influence comprise the factor of influence of each website attribute information types such as the anti-chain factor, the email factor, the IP factor, the registered user name factor, company incorporated's factor, the ICP factor.Those dissimilar factor of influence α can but be not limited to set 0<α<1 wherein according to existing empirical data.
Step S104, obtain the url of known malicious network address, add in the formation to be detected, from formation to be detected, take out url one by one and the current url that takes out execution in step S105 respectively.
The known malicious network address can be the network address of confirming through the modes such as malicious websites monitoring technology that existing antivirus software or every day upgrade.Those malice network address as input, for the known malicious network address is given initial weight, and are added in the formation to be detected.At this moment, the initial weight that comprises each malice network address and each malice network address in the formation to be detected.
Take out one by one to the network address in the formation to be detected (url) and to detect, to the current url execution in step S 105 that takes out.
Step S105, the said anti-chain linked database of inquiry are confirmed all anti-chain url of current url, with and the url of known malicious network address between the correlation degree anti-chain url that satisfies preset requirement add in the formation to be detected.
The calculating of correlation degree comprises between the url of anti-chain url and known malicious network address: the weights and the anti-chain factor of current url are multiplied each other, obtain the weights of each anti-chain url.
In this step, anti-chain url that retrieves and current url are the anti-chain relations, thereby the factor of influence of employing is the anti-chain factor.
For detected malice network address, the weights of employing are the initial weight of malice network address, are 1.Utilize the initial weight of malice network address and the weights that the anti-chain factor obtains each anti-chain url.If the anti-chain factor of setting is 0.8, then the weights of each anti-chain url are 0.8*1=0.8.
Said correlation degree satisfies preset requirement: the weights of said anti-chain url surpass predetermined threshold value.The anti-chain url that weights is surpassed predetermined threshold value adds in the formation to be detected.Said predetermined threshold value can be set according to practical experience, such as, it is 0.7 that predetermined threshold value is set, and then weights is surpassed 0.7 anti-chain url and corresponding weights and adds in the formation to be detected.
The website attribute information of step S106, the current url of parsing; Inquire about said site information linked database; Confirm to have the website domain name of same site attribute information with current url, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
The calculating of correlation degree comprises between the url of website domain name and known malicious network address: the weights of current url multiply by the corresponding factor of influence of type of website domain name and the common website attribute information of current url, obtain the weights of website domain name.
Said correlation degree satisfies preset requirement: the weights of said website domain name surpass predetermined threshold value.
Particularly, earlier according to the definite corresponding factor of influence of type of website attribute information total between each website domain name and the current url.The factor of influence that the weights of current url are corresponding with each multiplies each other, and obtains the weights of each website domain name, and the website domain name that weights is surpassed predetermined threshold value is added in the formation to be detected.
Extract the corresponding website domain name of current url, utilize the inquiry of whois instrument, obtain the corresponding website attribute information of current url; Comprise the website name, the website everyone, everyone email of website; Exabyte ICP number etc., utilizes these website attribute informations in the site information linked database, to mate; Inquire website domain name, and write down those website domain names and the related website attribute information type of current url generation, in order to confirm each factor of influence with same alike result.
Each factor of influence is meant that each website domain name with current url the related corresponding factor of influence of website attribute information type takes place.For example, website domain name A has identical email address with current url, and then the weights of this website domain name A are the weights of current url and the product of the email factor.If website domain name B has identical IP address with current url, then the weights of this website domain name B are the weights of current url and the product of the IP factor.And the like, calculate the weights of each website domain name.
If it is a plurality of that the website domain name with current url related factor of influence takes place; For example; When having identical email address, can select the maximal value of these two factors of influence to be used as the factor of influence of website domain name and current url when then confirming factor of influence with identical registered user name.Perhaps, also can be the different different weights of website attribute information distribution, but summation is 1, if exist a plurality of website attribute informations identical, then that each website attribute information is corresponding coefficient carries out weighting, confirms factor of influence.
The website domain name that weights is surpassed predetermined threshold value is added in the formation to be detected.Identical among said predetermined threshold value and the step S105.
What deserves to be mentioned is that the sequencing of said step S105 and step S106 can be changed, also can only adopt a kind of mode wherein to detect.
Step S107, from formation to be detected, take out next url or website domain name; Repeating step S105 and step S106; Until said formation to be detected is empty, utilizes all to appear at url or website domain name and corresponding website attribute information structure malice network address database in the formation to be detected.
Because the website domain name is the special case of url, in the url storehouse, what the website domain name was pointed to is the homepage of this website.Thereby the website domain name can change into website homepage url, and the unified url that adopts representes in the malice network address database.
Because factor of influence 0<α<1 that is provided with; After through continuous the repetition; The weights of the url that calculates can be more and more littler, be in the convergence process, when the weights of all url all less than predetermined threshold value; When promptly no longer newly-increased formation to be detected and formation to be detected are empty, the closure of collecting the suspected site that obtains a collection of association.
All appear at url or corresponding website attribute information and the weights of website domain name, those url or website domain name in the formation to be detected to utilize these, are saved in the database, make up the malice network address database, form a underground industry data database.In the malice network address database can but be not limited to adopt the mode of table index to store, comprise the url information of collecting, email address information, domain name (domain) information, ICP information, IP address information or the like.
Giving an example, if the known malicious network address that obtains has url1, then give initial weight with those malice network address, is 1 for example, adds in the formation to be detected.Take out a url, analyze as current url like url1.
Utilize url1 in the anti-chain linked database, to find out all anti-chain urls corresponding, for example possibly comprise url2, url3 with this malice network address url1.Utilize the weights (being initial weight) of this malice network address url1 to multiply each other with the anti-chain factor of setting, as the weights of anti-chain url2 and url3, the anti-chain factor of for example setting is 0.8, and then the weights of url2 and url3 are 0.8*1=0.8.The anti-chain url that weights is surpassed predetermined threshold value adds in the formation to be detected, if predetermined threshold value is 0.7, then url2 and url3 is added in the formation to be detected.
Extracting from url1 and to obtain corresponding domain name, be www.xxx123.com for example, utilizes instrument inquiry such as whois to obtain the website attribute information of this url1 correspondence; Comprise the website name, the website everyone, everyone emai of website; Exabyte, IP address, ICP number etc.; Utilize these website attribute informations in the site information linked database, to mate, inquire website domain name, the domain name 1 and the domain name 2 that identical ip addresses is arranged of identical email address for example arranged with same alike result.Calculate the weights of domain name 1 and domain name 2; If the email factor of setting is 0.9; The IP factor is 0.8, and then the weights of domain name 1 are the product of the initial weight and the email factor: 0.9*1=0.9, and the weights of domain name 2 are the product of the initial weight and the IP factor: 0.8*1=0.8.Because the weights of domain name 1 and domain name 2 also surpass predetermined threshold value 0.7, then also domain name 1 and domain name 2 are added in the formation to be detected.
Take out next url or website domain name, suppose to take out url2, carry out duplicate detection.
Utilize url2 in the anti-chain linked database, to find out all anti-chain urls corresponding, for example possibly comprise url4, url5 with url2.Utilize the weights of this url2 and the anti-chain factor 0.8 of setting to multiply each other, as the weights of anti-chain url4 and url5, then the weights of url4 and url5 are 0.8*0.8=0.64.Because the weights of url4 and url5 then do not add in the formation to be detected all less than predetermined threshold value 0.7.
Obtain corresponding domain name from the url2 extraction; Utilize the inquiry of instrument such as whois to obtain the corresponding website attribute information of this url2; Utilize these website attribute informations in the site information linked database, to mate; Inquire website domain name, the domain name 3 and the domain name that identical company incorporated is arranged 4 of identical email address for example arranged with same alike result.The weights that calculate domain name 3 are 0.8*0.9=0.72, if company incorporated's factor of setting is 0.8, then the weights of domain name 4 are 0.8*0.8=0.64.Because domain name 3 surpasses predetermined threshold value 0.7, then also domain name 3 is added in the formation to be detected, and domain name 4 is not then added less than predetermined threshold value 0.7.
The rest may be inferred, and repeating step S105 and S106 are empty up to formation to be detected, obtain information and corresponding weights about url1, url2, url3, domain name 1, domain name 2 and domain name 3 etc., make up the malice network address database.
The malice network address database that utilization builds, can to the unknown whether the url of malice detect.A kind of mode can directly be obtained url to be detected, whether comprises this url to be detected in the inquiry malice network address database, if confirm that then said url to be detected is the malice network address.And, can utilize the record that comprises relevant information for the url that can't in the malice network address database, directly find, discern.Recognition methods through two pairs of malice network address provided by the invention of embodiment describes below.
Embodiment two,
Fig. 2 is the recognition methods process flow diagram of the malice network address that provides of present embodiment, and as shown in Figure 2, this method comprises:
Step S201, obtain url to be detected, resolve the website attribute information of this url to be detected.
For url to be detected, extract corresponding domain name, utilize instrument inquiry such as whois to obtain the website attribute information of this url to be detected, comprise the website name, the website everyone, everyone email of website, exabyte, IP address, information such as ICP number.
Step S202, the website attribute information that utilizes parsing to obtain are searched the malice network address that has same alike result information with said url to be detected in the malice network address database, said malice network address database is to adopt like embodiment one described method to set up.
In the malice network address database that embodiment one builds, utilize the website attribute information of url to be detected, extract the malice url that comprises those website attribute informations, obtain a collection of malice url that is associated with this url to be detected.
The weights of the malice network address that step S203, utilization find calculate the weights of url to be detected.
The weights of the malice network address that step S202 is found carry out joint account, obtain the weights of said url to be detected.Said joint account can be to get maximal value, perhaps averages, perhaps mode such as summation.Preferably, choose the weights of maximal value in the weights with the malice url correspondence that finds as said url to be detected.
For repeating to occur malice url repeatedly, the power of when carrying out joint account, can also transferring is handled, and increases a preset accent weight factor.When url when all being judged as suspicious url from different data sources, represent that this url is that the suspicion degree of malice network address is high more.
Step S204, judge that whether the weights of said url to be detected surpass predetermined threshold value, if then said url to be detected is identified as malice url.
Said predetermined threshold value can with step S105 among the embodiment one and step S106 in identical, also can establish a fixed value in addition.
Thereby for unknown url, good malice network address database judges whether to be the malice network address can to utilize foundation.
More than be the detailed description that method provided by the present invention is carried out, face the apparatus for establishing of malice network address database provided by the invention and the recognition device of malice network address down and be described in detail.
Embodiment three
Fig. 3 is the apparatus for establishing synoptic diagram of the malice network address database that provides of present embodiment.As shown in Figure 3, this device comprises:
Site information relating module 301, be used in advance each website domain name and corresponding website attribute information being carried out related, structure the website associating information database.
Site information relating module 301 utilizes the website attribute information of the website that exists on the internet in advance, and structure the website associating information database is in order to inquire about the incidence relation between each website.
Particularly, when structure the website associating information database, earlier to the website that exists on the internet through the whois instrument, collect those website log-on messages, comprise the website name, the website everyone, everyone contact information of website, company information, IP address information etc.Through methods such as spiders, obtain ICP (Internet Content Provider, the Web content service provider) information of website again; Comprise company information, the website number of putting on record, website name; Information such as website homepage network address; These information and website domain name are carried out related, form the incidence relation between website domain name and the website attribute information, structure the website associating information database.
Said site information linked database can but be not limited to adopt the mode of table index to store; The incidence relation that comprises website domain name and corresponding website attribute information; Wherein the website attribute information comprises the website name, the website everyone, everyone contact information of website; Company information, IP address information etc.
It is related to comprise in the webpage that a plurality of derivation links and other webpages take place, and correspondingly, a webpage also might with the mode that imports link association take place in a plurality of webpages.
Anti-chain promptly imports link, is meant in other webpages through one section source literal or path a url to be incorporated into the link in their webpage.Every network address that in webpage, comprises the importing link of this url all is the anti-chain url of this url.
The span of the said anti-chain factor and factor of influence is interval (0,1).
All types of factors of influence comprise the factor of influence of each website attribute information types such as the anti-chain factor, the email factor, the IP factor, the registered user name factor, company incorporated's factor, the ICP factor.Those dissimilar factor of influence α can but be not limited to set 0<α<1 wherein according to existing empirical data.
Database is set up module 304; Be used to obtain the url of known malicious network address; Add in the formation to be detected; The current url that from formation to be detected, takes out url one by one and will take out offers anti-chain detection module 305 or site information detection module 306, is empty until formation to be detected, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database.
The known malicious network address can be the network address of confirming through the modes such as malicious websites monitoring technology that existing antivirus software or every day upgrade.Those malice network address as input, for the known malicious network address is given initial weight, and are added in the formation to be detected.At this moment, the initial weight that comprises each malice network address and each malice network address in the formation to be detected.
Take out one by one to the network address in the formation to be detected (url), utilize anti-chain detection module 305 or site information detection module 306 to detect.
For detected malice network address, the weights of employing are the initial weight of malice network address, are 1.Utilize the initial weight of malice network address and the weights that the anti-chain factor obtains each anti-chain url.If the anti-chain factor of setting is 0.8, then the weights of each anti-chain url are 0.8*1=0.8.
Site information detection module 306; Be used to resolve the website attribute information of current url; Inquire about said site information linked database; Confirm that the current url that sets up module 304 and provide with database has the website domain name of same site attribute information, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
Site information detection module 306 is earlier according to the definite corresponding factor of influence of type of website attribute information total between each website domain name and the current url.The weights of current url multiply by the corresponding factor of influence of type of website domain name and the common website attribute information of current url respectively, obtain the weights of website domain name, embody correlation degree between the url of website domain name and known malicious network address by the weights of website domain name.The website domain name that weights is surpassed predetermined threshold value is added in the formation to be detected.
Extract the corresponding website domain name of current url, utilize the inquiry of whois instrument, obtain the corresponding website attribute information of current url; Comprise the website name, the website everyone, everyone email of website; Exabyte ICP number etc., utilizes these website attribute informations in the site information linked database, to mate; Inquire website domain name, and write down those website domain names and the related website attribute information type of current url generation, in order to confirm each factor of influence with same alike result.
Each factor of influence is meant that each website domain name with current url the related corresponding factor of influence of website attribute information type takes place.For example, website domain name A has identical email address with current url, and then the weights of this website domain name A are the weights of current url and the product of the email factor.If website domain name B has identical IP address with current url, then the weights of this website domain name B are the weights of current url and the product of the IP factor.And the like, calculate the weights of each website domain name.
If it is a plurality of that the website domain name with current url related factor of influence takes place; For example; When having identical email address, can select the maximal value of these two factors of influence to be used as the factor of influence of website domain name and current url when then confirming factor of influence with identical registered user name.Perhaps, also can be the different different weights of website attribute information distribution, but summation is 1, if exist a plurality of website attribute informations identical, then that each website attribute information is corresponding coefficient carries out weighting, confirms factor of influence.The website domain name that weights is surpassed predetermined threshold value is added in the formation to be detected.
Then; Database is set up module 304 and from formation to be detected, is taken out url one by one and the current url that takes out is triggered anti-chain detection module 305 or site information detection module 306; Until formation to be detected is empty, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database.
Because the website domain name is the special case of url, in the url storehouse, what the website domain name was pointed to is the homepage of this website.Thereby the website domain name can change into website homepage url, and the unified url that adopts representes in the malice network address database.
Because factor of influence 0<α<1 that is provided with; After through continuous the repetition; The weights of the url that calculates can be more and more littler, be in the convergence process, when the weights of all url all less than predetermined threshold value; When promptly no longer newly-increased formation to be detected and formation to be detected are empty, the closure of collecting the suspected site that obtains a collection of association.
All appear at url or corresponding website attribute information and the weights of website domain name, those url or website domain name in the formation to be detected to utilize these, are saved in the database, make up the malice network address database, form a underground industry data database.In the malice network address database can but be not limited to adopt the mode of table index to store, comprise the url information of collecting, email address information, domain name (domain) information, ICP information, IP address information or the like.
The malice network address database that utilization builds, can to the unknown whether the url of malice detect.A kind of recognition device can comprise: the inquiry judging module, directly obtain url to be detected, and whether comprise this url to be detected in the inquiry malice network address database, if confirm that then said url to be detected is the malice network address.And, can utilize the record that comprises relevant information for the url that can't in the malice network address database, directly find, discern.Recognition device through four pairs of malice network address provided by the invention of embodiment describes below.
Fig. 4 is the recognition device synoptic diagram of the malice network address that provides of present embodiment.As shown in Figure 4, this device comprises:
Parsing module 401 is used to obtain url to be detected, resolves the website attribute information of this url.
For url to be detected, parsing module 401 extracts corresponding domain name, utilizes instrument inquiry such as whois to obtain the website attribute information of this url to be detected, comprises the website name, the website everyone, everyone email of website, exabyte, IP address, information such as ICP number.
The weights of the malice network address that enquiry module 402 is found carry out joint account, obtain the weights of said url to be detected.Said joint account can be to get maximal value, perhaps averages, perhaps mode such as summation.Preferably, choose the weights of maximal value in the weights with the malice url correspondence that finds as said url to be detected.
For repeating to occur malice url repeatedly, the power of when carrying out joint account, can also transferring is handled, and increases a preset accent weight factor.When url when all being judged as suspicious url from different data sources, represent that this url is that the suspicion degree of malice network address is high more.
For unknown url, good malice network address database judges whether to be the malice network address can to utilize foundation.
The recognition methods of the method for building up of malice network address database provided by the invention, malice network address and device; Consider entirely to descend the relevance between the industrial chain; Utilize on the internet associated data of website attribute information between each website, make up the malice network address database, need not to carry out and also can judge unknown network address; Improved the promptness and the accuracy that detect, minimizing is failed to report.
The above is merely preferred embodiment of the present invention, and is in order to restriction the present invention, not all within spirit of the present invention and principle, any modification of being made, is equal to replacement, improvement etc., all should be included within the scope that the present invention protects.
Claims (16)
1. the method for building up of a malice network address database is characterized in that, this method comprises:
S1, in advance each website domain name and corresponding website attribute information are carried out related, structure the website associating information database;
S2, make up the anti-chain linked database in advance, preserve the linking relationship between each url;
S3, obtain the url of known malicious network address; Add in the formation to be detected; From formation to be detected, take out url and current url difference execution in step S4 one by one to taking out; Until formation to be detected is empty, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database;
S4, the said anti-chain linked database of inquiry are confirmed all anti-chain url of current url, with and the url of known malicious network address between the correlation degree anti-chain url that satisfies preset requirement add in the formation to be detected; Perhaps,
Resolve the website attribute information of current url; Inquire about said site information linked database; Confirm to have the website domain name of same site attribute information with current url, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
2. method according to claim 1 is characterized in that, said website attribute information comprises following listed at least a: the website name, the website everyone, everyone contact information of website, company information, IP address information, ICP information.
3. method according to claim 1; It is characterized in that; In said step S3, also comprise: for the url of said malice network address gives initial weight, be to exist between each url of anti-chain relation to set the anti-chain factor, set factor of influence to the type of website attribute information total between the domain name of website; The span of the said anti-chain factor and factor of influence is interval (0,1);
The calculating of correlation degree comprises between the url of anti-chain url and known malicious network address: the weights of current url multiply by the anti-chain factor, obtain the weights of anti-chain url;
The calculating of correlation degree comprises between the url of website domain name and known malicious network address: the weights of current url multiply by the corresponding factor of influence of type of website domain name and the common website attribute information of current url, obtain the weights of website domain name;
Said correlation degree satisfies preset requirement: the weights of said anti-chain url or website domain name surpass predetermined threshold value.
4. method according to claim 3 is characterized in that, said malice network address database also comprises: all add url or corresponding website attribute information and the weights of website domain name in the formation to be detected to.
5. the recognition methods of a malice network address is characterized in that, this method comprises:
Obtain url to be detected, whether comprise said url to be detected in the inquiry malice network address database, if confirm that then said url to be detected is the malice network address;
Wherein said malice network address database is to adopt like the described method of the arbitrary claim of claim 1 to 4 to set up.
6. the recognition methods of a malice network address is characterized in that, this method comprises:
S201, obtain url to be detected, resolve the website attribute information of this url;
S202, the website attribute information that utilizes parsing to obtain are searched the malice network address that has same alike result information with said url to be detected in the malice network address database, said malice network address database is to adopt method as claimed in claim 4 to set up;
The weights of the malice network address that S203, utilization find calculate the weights of url to be detected;
S204, judge that whether the weights of said url to be detected surpass predetermined threshold value, if then said url to be detected is identified as malice url.
7. method according to claim 6 is characterized in that, said step S203 is specially:
The weights of the malice network address that step S202 is found carry out joint account, obtain the weights of said url to be detected.
8. method according to claim 7 is characterized in that, said joint account is to get maximal value, perhaps averages, perhaps summation.
9. the apparatus for establishing of a malice network address database is characterized in that, this device comprises:
The site information relating module, be used in advance each website domain name and corresponding website attribute information being carried out related, structure the website associating information database;
The anti-chain relating module is used for making up the anti-chain linked database in advance, preserves the linking relationship between each url;
Database is set up module; Be used to obtain the url of known malicious network address; Add in the formation to be detected; The current url that from formation to be detected, takes out url one by one and will take out offers anti-chain detection module or site information detection module, is empty until formation to be detected, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database;
The anti-chain detection module; Be used to inquire about said anti-chain linked database; Confirm that said database sets up all anti-chain url of the current url that module provides, with and the url of known malicious network address between the correlation degree anti-chain url that satisfies preset requirement add in the formation to be detected;
The site information detection module; Be used to resolve the website attribute information of current url; Inquire about said site information linked database; Confirm that the current url that sets up module and provide with said database has the website domain name of same site attribute information, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
10. device according to claim 9 is characterized in that, said website attribute information comprises following listed at least a: the website name, the website everyone, everyone contact information of website, company information, IP address information, ICP information.
11. device according to claim 9 is characterized in that, this device also comprises:
Factor setting module is used to and sets the anti-chain factor between each url that has the anti-chain relation, and, set factor of influence to the type of website attribute information total between the domain name of website, the span of the said anti-chain factor and factor of influence is interval (0,1);
Said database is set up the url that module also is used to said malice network address and is given initial weight;
Said anti-chain detection module multiply by the anti-chain factor respectively with the weights of current url, obtains the weights of each anti-chain url, is embodied correlation degree between the url of anti-chain url and known malicious network address by the weights of anti-chain url;
Said site information detection module multiply by the weights of current url respectively the corresponding factor of influence of type of website domain name and the common website attribute information of current url; Obtain the weights of website domain name, embody correlation degree between the url of website domain name and known malicious network address by the weights of website domain name.
12. device according to claim 11 is characterized in that, said malice network address database also comprises: all add url or corresponding website attribute information and the weights of website domain name in the formation to be detected to.
13. the recognition device of a malice network address is characterized in that, this device comprises: the inquiry judging module; Be used to obtain url to be detected; Whether comprise said url to be detected in the inquiry malice network address database, if confirm that then said url to be detected is the malice network address;
Wherein said malice network address database is to adopt like the described device of the arbitrary claim of claim 9 to 12 to set up.
14. the recognition device of a malice network address is characterized in that, this device comprises:
Parsing module is used to obtain url to be detected, resolves the website attribute information of this url;
Enquiry module is used to utilize and resolves the website attribute information that obtains, and in the malice network address database, searches the malice network address that has same alike result information with said url to be detected, and said malice network address database is to adopt device as claimed in claim 12 to set up;
Merge module, be used to utilize the weights of the malice network address that finds to calculate the weights of url to be detected;
Judge module is used to judge whether the weights of said url to be detected surpass predetermined threshold value, if then said url to be detected is identified as malice url.
15. device according to claim 14 is characterized in that, said merging module concrete configuration is:
The weights of the malice network address that finds in the said enquiry module are carried out joint account, obtain the weights of said url to be detected.
16. device according to claim 15 is characterized in that, said joint account is to get maximal value, perhaps averages, perhaps summation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210069443.7A CN102663000B (en) | 2012-03-15 | 2012-03-15 | The maliciously recognition methods of the method for building up of network address database, maliciously network address and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210069443.7A CN102663000B (en) | 2012-03-15 | 2012-03-15 | The maliciously recognition methods of the method for building up of network address database, maliciously network address and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102663000A true CN102663000A (en) | 2012-09-12 |
CN102663000B CN102663000B (en) | 2016-08-03 |
Family
ID=46772491
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210069443.7A Active CN102663000B (en) | 2012-03-15 | 2012-03-15 | The maliciously recognition methods of the method for building up of network address database, maliciously network address and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102663000B (en) |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102945349A (en) * | 2012-10-19 | 2013-02-27 | 北京奇虎科技有限公司 | Method and device for processing unknown files |
CN103036896A (en) * | 2012-12-20 | 2013-04-10 | 北京奇虎科技有限公司 | Method and system for testing malicious links |
CN103778113A (en) * | 2012-10-17 | 2014-05-07 | 腾讯科技(深圳)有限公司 | Terminal and server and webpage processing method of terminal and server |
WO2014094653A1 (en) * | 2012-12-20 | 2014-06-26 | 北京奇虎科技有限公司 | Device, method and system for detecting malicious links |
CN104615695A (en) * | 2015-01-23 | 2015-05-13 | 腾讯科技(深圳)有限公司 | Malicious website detecting method and system |
CN104980446A (en) * | 2015-06-30 | 2015-10-14 | 百度在线网络技术(北京)有限公司 | Detection method and system for malicious behavior |
CN105335480A (en) * | 2015-10-13 | 2016-02-17 | 国家电网公司 | Internet website liability subject identifying method |
CN105956472A (en) * | 2016-05-12 | 2016-09-21 | 宝利九章(北京)数据技术有限公司 | Method and system for identifying whether webpage includes malicious content or not |
CN106992967A (en) * | 2017-02-28 | 2017-07-28 | 北京瑞星信息技术股份有限公司 | Malicious websites recognition methods and system |
CN107463583A (en) * | 2016-06-06 | 2017-12-12 | 广州泰尔智信科技有限公司 | Application developer region determines method and apparatus |
CN107517193A (en) * | 2016-06-17 | 2017-12-26 | 百度在线网络技术(北京)有限公司 | Malicious websites recognition methods and device |
CN108062413A (en) * | 2017-12-30 | 2018-05-22 | 平安科技(深圳)有限公司 | Web data processing method, device, computer equipment and storage medium |
CN109063106A (en) * | 2018-07-27 | 2018-12-21 | 北京字节跳动网络技术有限公司 | Network address modification method, device, computer equipment and storage medium |
CN109391583A (en) * | 2017-08-03 | 2019-02-26 | 武汉安天信息技术有限责任公司 | A kind of attacker's source tracing method and system based on malicious application |
WO2019109529A1 (en) * | 2017-12-08 | 2019-06-13 | 平安科技(深圳)有限公司 | Webpage identification method, device, computer apparatus, and computer storage medium |
CN110012030A (en) * | 2019-04-23 | 2019-07-12 | 北京微步在线科技有限公司 | A kind of method and device of association detection hacker |
CN110837619A (en) * | 2019-11-05 | 2020-02-25 | 北京锐安科技有限公司 | Website auditing method, device, equipment and storage medium |
CN110851680A (en) * | 2015-05-15 | 2020-02-28 | 阿里巴巴集团控股有限公司 | Web crawler identification method and device |
CN110865818A (en) * | 2018-08-28 | 2020-03-06 | 优视科技有限公司 | Application associated domain name detection method and device and electronic equipment |
CN112351441A (en) * | 2019-08-06 | 2021-02-09 | 中国移动通信集团广东有限公司 | Data processing method and device and electronic equipment |
CN112954083A (en) * | 2019-12-11 | 2021-06-11 | 中盈优创资讯科技有限公司 | Method and device for managing registered IP address |
CN113360895A (en) * | 2021-06-02 | 2021-09-07 | 北京百度网讯科技有限公司 | Station group detection method and device and electronic equipment |
CN113742627A (en) * | 2021-09-08 | 2021-12-03 | 北京百度网讯科技有限公司 | Bad website identification method, device, electronic equipment and medium |
CN114172725A (en) * | 2021-12-07 | 2022-03-11 | 百度在线网络技术(北京)有限公司 | Illegal website processing method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5732264A (en) * | 1994-11-08 | 1998-03-24 | Matsushita Electric Industrial Co., Ltd. | Information management system and method for managing, processing storing and displaying attribute information of object information |
CN101547197A (en) * | 2009-04-30 | 2009-09-30 | 珠海金山软件股份有限公司 | A URL washing device and a washing method |
CN102045360A (en) * | 2010-12-27 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Method and device for processing baleful website library |
CN102045358A (en) * | 2010-12-29 | 2011-05-04 | 深圳市永达电子股份有限公司 | Intrusion detection method based on integral correlation analysis and hierarchical clustering |
CN102096683A (en) * | 2009-12-11 | 2011-06-15 | 奇智软件(北京)有限公司 | Method for realizing nameplate at browser address bar |
-
2012
- 2012-03-15 CN CN201210069443.7A patent/CN102663000B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5732264A (en) * | 1994-11-08 | 1998-03-24 | Matsushita Electric Industrial Co., Ltd. | Information management system and method for managing, processing storing and displaying attribute information of object information |
CN101547197A (en) * | 2009-04-30 | 2009-09-30 | 珠海金山软件股份有限公司 | A URL washing device and a washing method |
CN102096683A (en) * | 2009-12-11 | 2011-06-15 | 奇智软件(北京)有限公司 | Method for realizing nameplate at browser address bar |
CN102045360A (en) * | 2010-12-27 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Method and device for processing baleful website library |
CN102045358A (en) * | 2010-12-29 | 2011-05-04 | 深圳市永达电子股份有限公司 | Intrusion detection method based on integral correlation analysis and hierarchical clustering |
Cited By (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103778113A (en) * | 2012-10-17 | 2014-05-07 | 腾讯科技(深圳)有限公司 | Terminal and server and webpage processing method of terminal and server |
CN103778113B (en) * | 2012-10-17 | 2017-04-19 | 腾讯科技(深圳)有限公司 | Terminal and server and webpage processing method of terminal and server |
CN102945349B (en) * | 2012-10-19 | 2016-06-22 | 北京奇虎科技有限公司 | unknown file processing method and device |
CN102945349A (en) * | 2012-10-19 | 2013-02-27 | 北京奇虎科技有限公司 | Method and device for processing unknown files |
CN103036896A (en) * | 2012-12-20 | 2013-04-10 | 北京奇虎科技有限公司 | Method and system for testing malicious links |
WO2014094653A1 (en) * | 2012-12-20 | 2014-06-26 | 北京奇虎科技有限公司 | Device, method and system for detecting malicious links |
CN103036896B (en) * | 2012-12-20 | 2015-07-01 | 北京奇虎科技有限公司 | Method and system for testing malicious links |
CN104615695A (en) * | 2015-01-23 | 2015-05-13 | 腾讯科技(深圳)有限公司 | Malicious website detecting method and system |
CN104615695B (en) * | 2015-01-23 | 2018-10-09 | 腾讯科技(深圳)有限公司 | A kind of detection method and system of malice network address |
CN110851680B (en) * | 2015-05-15 | 2023-06-30 | 阿里巴巴集团控股有限公司 | Web crawler identification method and device |
CN110851680A (en) * | 2015-05-15 | 2020-02-28 | 阿里巴巴集团控股有限公司 | Web crawler identification method and device |
WO2017000439A1 (en) * | 2015-06-30 | 2017-01-05 | 百度在线网络技术(北京)有限公司 | Detection method, system and device for malicious behaviour, and computer storage medium |
CN104980446A (en) * | 2015-06-30 | 2015-10-14 | 百度在线网络技术(北京)有限公司 | Detection method and system for malicious behavior |
CN105335480A (en) * | 2015-10-13 | 2016-02-17 | 国家电网公司 | Internet website liability subject identifying method |
CN105956472A (en) * | 2016-05-12 | 2016-09-21 | 宝利九章(北京)数据技术有限公司 | Method and system for identifying whether webpage includes malicious content or not |
CN107463583A (en) * | 2016-06-06 | 2017-12-12 | 广州泰尔智信科技有限公司 | Application developer region determines method and apparatus |
CN107517193A (en) * | 2016-06-17 | 2017-12-26 | 百度在线网络技术(北京)有限公司 | Malicious websites recognition methods and device |
CN106992967A (en) * | 2017-02-28 | 2017-07-28 | 北京瑞星信息技术股份有限公司 | Malicious websites recognition methods and system |
CN109391583A (en) * | 2017-08-03 | 2019-02-26 | 武汉安天信息技术有限责任公司 | A kind of attacker's source tracing method and system based on malicious application |
CN109391583B (en) * | 2017-08-03 | 2021-06-25 | 武汉安天信息技术有限责任公司 | Attacker tracing method and system based on malicious application |
WO2019109529A1 (en) * | 2017-12-08 | 2019-06-13 | 平安科技(深圳)有限公司 | Webpage identification method, device, computer apparatus, and computer storage medium |
CN108062413A (en) * | 2017-12-30 | 2018-05-22 | 平安科技(深圳)有限公司 | Web data processing method, device, computer equipment and storage medium |
CN109063106A (en) * | 2018-07-27 | 2018-12-21 | 北京字节跳动网络技术有限公司 | Network address modification method, device, computer equipment and storage medium |
CN109063106B (en) * | 2018-07-27 | 2022-03-04 | 北京字节跳动网络技术有限公司 | Website correction method and device, computer equipment and storage medium |
CN110865818B (en) * | 2018-08-28 | 2023-07-28 | 阿里巴巴(中国)有限公司 | Detection method and device for application associated domain name and electronic equipment |
CN110865818A (en) * | 2018-08-28 | 2020-03-06 | 优视科技有限公司 | Application associated domain name detection method and device and electronic equipment |
CN110012030A (en) * | 2019-04-23 | 2019-07-12 | 北京微步在线科技有限公司 | A kind of method and device of association detection hacker |
CN112351441B (en) * | 2019-08-06 | 2023-08-15 | 中国移动通信集团广东有限公司 | Data processing method and device and electronic equipment |
CN112351441A (en) * | 2019-08-06 | 2021-02-09 | 中国移动通信集团广东有限公司 | Data processing method and device and electronic equipment |
CN110837619A (en) * | 2019-11-05 | 2020-02-25 | 北京锐安科技有限公司 | Website auditing method, device, equipment and storage medium |
CN112954083A (en) * | 2019-12-11 | 2021-06-11 | 中盈优创资讯科技有限公司 | Method and device for managing registered IP address |
CN112954083B (en) * | 2019-12-11 | 2022-03-08 | 中盈优创资讯科技有限公司 | Method and device for managing registered IP address |
CN113360895A (en) * | 2021-06-02 | 2021-09-07 | 北京百度网讯科技有限公司 | Station group detection method and device and electronic equipment |
CN113360895B (en) * | 2021-06-02 | 2023-07-25 | 北京百度网讯科技有限公司 | Station group detection method and device and electronic equipment |
CN113742627A (en) * | 2021-09-08 | 2021-12-03 | 北京百度网讯科技有限公司 | Bad website identification method, device, electronic equipment and medium |
CN114172725A (en) * | 2021-12-07 | 2022-03-11 | 百度在线网络技术(北京)有限公司 | Illegal website processing method and device, electronic equipment and storage medium |
CN114172725B (en) * | 2021-12-07 | 2023-11-14 | 百度在线网络技术(北京)有限公司 | Illegal website processing method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN102663000B (en) | 2016-08-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102663000B (en) | The maliciously recognition methods of the method for building up of network address database, maliciously network address and device | |
Maggi et al. | Two years of short urls internet measurement: security threats and countermeasures | |
CN102739653B (en) | Detection method and device aiming at webpage address | |
CN102663319B (en) | Prompting method and device for download link security | |
CN101964025A (en) | XSS (Cross Site Scripting) detection method and device | |
CN102833258A (en) | Website access method and system | |
CN101895516A (en) | Method and device for positioning cross-site scripting attack source | |
CN107437026B (en) | Malicious webpage advertisement detection method based on advertisement network topology | |
CN104683328A (en) | Method and system for scanning cross-site vulnerability | |
CN103281320A (en) | Website icon matching-based detection method for brand counterfeit websites | |
CN104767747A (en) | Click jacking safety detection method and device | |
US11763032B2 (en) | Method and system for preserving privacy in an HTTP communication between a client and a server | |
CN103279710A (en) | Method and system for detecting malicious codes of Internet information system | |
CN101916285A (en) | Method and device for analyzing internet web page contents | |
CN105337993A (en) | Dynamic and static combination-based mail security detection device and method | |
CN112350992A (en) | Safety protection method, device, equipment and storage medium based on web white list | |
CN105049301A (en) | Method and device for providing comprehensive evaluation services of websites | |
CN105760379A (en) | Webshell page detection method and device based on intra-domain page association | |
CN105138907A (en) | Method and system for actively detecting attacked website | |
CN103701769A (en) | Method and system for detecting hazardous network source | |
CN103220277B (en) | The monitoring method of cross-site scripting attack, Apparatus and system | |
CN111541672A (en) | Method and system for detecting security of HTTP (hyper text transport protocol) request | |
CN104268289A (en) | Link URL (Uniform Resource Locator) failure detection method and device | |
Khade et al. | Detection of phishing websites using data mining techniques | |
CN104717226A (en) | Method and device for detecting website address |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |