CN102663000A - Establishment method for malicious website database, method and device for identifying malicious website - Google Patents

Publication number: CN102663000A
Authority: CN (China)
Prior art keywords: url, website, network address, detected, weights
Legal status: Granted, Active
Application number: CN2012100694437A
Other languages: Chinese (zh)
Other versions: CN102663000B (en)
Inventor: 梁知音
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by: Beijing Baidu Netcom Science and Technology Co Ltd
Priority to: CN201210069443.7A
Publication of: CN102663000A
Application granted; publication of: CN102663000B

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an establishment method for a malicious website database, and a method and a device for identifying a malicious website. The establishment method comprises the following steps: S1, constructing a site information association database; S2, constructing a backlink association database; S3, acquiring known malicious websites and adding them to a queue to be detected, repeating step S4 until the queue to be detected is empty, and using all the data that appeared in the queue to be detected to construct a malicious website database; and S4, querying the backlink association database, determining all the backlink urls of the current url, and adding the backlink urls whose weight exceeds a preset threshold to the queue to be detected, or analyzing the site attribute information of the current url, querying the site information association database, determining the website domain names which have the same site attribute information as the current url, and adding the website domain names whose weight exceeds a preset threshold to the queue to be detected. Compared with the prior art, the establishment method for a malicious website database and the method and device for identifying a malicious website provided by the invention improve the timeliness and accuracy of detection and reduce missed detections.

Description

Method for establishing a malicious website database, and method and device for identifying malicious websites
[Technical field]
The present invention relates to the field of computer security technology, and in particular to a method for establishing a malicious website database and a method and device for identifying malicious websites.
[Background]
With the continuous development of computer and network technology, the internet has become increasingly important to people and has reached into every aspect of work and life. Along with this, malicious activity on the internet has also increased, and various security problems greatly trouble network users. A very large number of websites on the internet are currently used for malicious activity such as fraud, and these illegally profiting websites threaten user security because their profit channels are concealed. However, these illegal websites have a short life cycle: once discovered, they are usually banned or taken down. To stay effective, an illegal website operator usually holds a large group of similar sites (a site group) to swap in at any time. These site groups are closely associated with one another, and they have gradually become specialized and formed a huge black-market industrial chain, often called the "internet underground industrial chain".
Existing means of detecting malicious websites are static feature detection and simulated-browser detection. Static detection uses malicious code signatures collected in advance and checks whether the HTML (Hypertext Markup Language) code of a web page contains those signatures; if it does, the page is judged to be a malicious website. The recognition rate of this method is usually low, and it is easily bypassed by various script encryption and encoding schemes. Simulated-browser detection uses a browser environment built in advance to simulate a user visiting the web address; if illegal behavior features appear, the address is identified as a malicious website. This approach is inefficient: after a malicious website is encountered the browser environment may need to be restored, and it is difficult to build a fully realistic browser environment, which easily leads to missed detections. For the pool of web addresses that an illegal website operator swaps in at any time, a verdict is possible only after each one has been executed individually, so malicious websites cannot be found in advance and timeliness is poor.
[Summary of the invention]
In view of this, the invention provides a method for establishing a malicious website database and a method and device for identifying malicious websites, so as to improve the timeliness and accuracy of detection and reduce missed detections.
The specific technical solution is as follows:
A method for establishing a malicious website database, comprising the following steps:
S1, associating in advance each website domain name with its corresponding site attribute information to construct a site information association database;
S2, constructing in advance a backlink association database that stores the link relationships between urls;
S3, acquiring the urls of known malicious websites and adding them to a queue to be detected; taking urls out of the queue to be detected one by one and executing step S4 on each current url taken out, until the queue to be detected is empty; and constructing the malicious website database from all urls or website domain names added to the queue to be detected;
S4, querying the backlink association database to determine all backlink urls of the current url, and adding to the queue to be detected the backlink urls whose degree of association with the urls of the known malicious websites satisfies a preset requirement; or
parsing the site attribute information of the current url, querying the site information association database to determine the website domain names that have the same site attribute information as the current url, and adding to the queue to be detected the website domain names whose degree of association with the urls of the known malicious websites satisfies a preset requirement.
According to a preferred embodiment of the invention, the site attribute information comprises at least one of the following: website name, website owner, contact information of the website owner, company information, IP address information, ICP information.
According to a preferred embodiment of the invention, step S3 further comprises: assigning an initial weight to the urls of the malicious websites; setting a backlink factor between urls that have a backlink relationship; and setting an influence factor for each type of site attribute information shared between website domain names, the backlink factor and the influence factors taking values in the interval (0,1);
calculating the degree of association between a backlink url and the urls of the known malicious websites comprises: multiplying the weight of the current url by the backlink factor to obtain the weight of the backlink url;
calculating the degree of association between a website domain name and the urls of the known malicious websites comprises: multiplying the weight of the current url by the influence factor corresponding to the type of site attribute information shared by the website domain name and the current url, to obtain the weight of the website domain name;
the degree of association satisfies the preset requirement when the weight of the backlink url or website domain name exceeds a preset threshold.
According to a preferred embodiment of the invention, the malicious website database further comprises: the site attribute information and weights corresponding to all urls or website domain names added to the queue to be detected.
A method for identifying a malicious website, comprising:
acquiring a url to be detected and querying whether the malicious website database contains the url to be detected; if so, determining that the url to be detected is a malicious website;
wherein the malicious website database is established by the above method for establishing a malicious website database.
A method for identifying a malicious website, comprising the following steps:
S201, acquiring a url to be detected and parsing the site attribute information of this url;
S202, using the parsed site attribute information to look up, in the malicious website database, the malicious websites that have the same attribute information as the url to be detected, the malicious website database being established by the above method for establishing a malicious website database;
S203, using the weights of the malicious websites found to calculate the weight of the url to be detected;
S204, judging whether the weight of the url to be detected exceeds a preset threshold, and if so, identifying the url to be detected as a malicious url.
According to a preferred embodiment of the invention, step S203 is specifically:
merging the weights of the malicious websites found in step S202 to obtain the weight of the url to be detected.
According to a preferred embodiment of the invention, the merging takes the maximum, or the average, or the sum.
A device for establishing a malicious website database, comprising:
a site information association module, configured to associate in advance each website domain name with its corresponding site attribute information to construct a site information association database;
a backlink association module, configured to construct in advance a backlink association database that stores the link relationships between urls;
a database establishment module, configured to acquire the urls of known malicious websites, add them to a queue to be detected, take urls out of the queue to be detected one by one and provide each current url taken out to the backlink detection module or the site information detection module until the queue to be detected is empty, and construct the malicious website database from all urls or website domain names added to the queue to be detected;
a backlink detection module, configured to query the backlink association database, determine all backlink urls of the current url provided by the database establishment module, and add to the queue to be detected the backlink urls whose degree of association with the urls of the known malicious websites satisfies a preset requirement;
a site information detection module, configured to parse the site attribute information of the current url, query the site information association database, determine the website domain names that have the same site attribute information as the current url provided by the database establishment module, and add to the queue to be detected the website domain names whose degree of association with the urls of the known malicious websites satisfies a preset requirement.
According to a preferred embodiment of the invention, the site attribute information comprises at least one of the following: website name, website owner, contact information of the website owner, company information, IP address information, ICP information.
According to a preferred embodiment of the invention, the device further comprises:
a factor setting module, configured to set a backlink factor between urls that have a backlink relationship and to set an influence factor for each type of site attribute information shared between website domain names, the backlink factor and the influence factors taking values in the interval (0,1);
the database establishment module is further configured to assign an initial weight to the urls of the malicious websites;
the backlink detection module multiplies the weight of the current url by the backlink factor to obtain the weight of each backlink url, the weight of a backlink url expressing the degree of association between that backlink url and the urls of the known malicious websites;
the site information detection module multiplies the weight of the current url by the influence factor corresponding to the type of site attribute information shared by the website domain name and the current url to obtain the weight of the website domain name, the weight of a website domain name expressing the degree of association between that website domain name and the urls of the known malicious websites.
According to a preferred embodiment of the invention, the malicious website database further comprises: the site attribute information and weights corresponding to all urls or website domain names added to the queue to be detected.
A device for identifying a malicious website, comprising: a query and judgment module, configured to acquire a url to be detected and query whether the malicious website database contains the url to be detected; if so, it determines that the url to be detected is a malicious website;
wherein the malicious website database is established by the above device for establishing a malicious website database.
A device for identifying a malicious website, comprising:
a parsing module, configured to acquire a url to be detected and parse the site attribute information of this url;
a query module, configured to use the parsed site attribute information to look up, in the malicious website database, the malicious websites that have the same attribute information as the url to be detected, the malicious website database being established by the above device for establishing a malicious website database;
a merging module, configured to use the weights of the malicious websites found to calculate the weight of the url to be detected;
a judgment module, configured to judge whether the weight of the url to be detected exceeds a preset threshold, and if so, to identify the url to be detected as a malicious url.
According to a preferred embodiment of the invention, the merging module is specifically configured to:
merge the weights of the malicious websites found by the query module to obtain the weight of the url to be detected.
According to a preferred embodiment of the invention, the merging takes the maximum, or the average, or the sum.
As can be seen from the above technical solution, the method for establishing a malicious website database and the method and device for identifying malicious websites provided by the invention take into account the associations within the underground industrial chain. They use the association data of site attribute information and link relationships between websites on the internet to expand the urls of known malicious websites, and construct the malicious website database based on the degree of association between the expanded urls and the urls of the malicious websites. The identification method implemented on the basis of this malicious website database does not rely on malicious code signatures and has higher detection accuracy, and it can judge web addresses that have not yet been put into use without simulating execution in a browser environment, which improves the timeliness and accuracy of detection and reduces missed detections.
[Description of the drawings]
Fig. 1 is a flowchart of the method for establishing a malicious website database provided by Embodiment 1 of the invention;
Fig. 2 is a flowchart of the method for identifying a malicious website provided by Embodiment 2 of the invention;
Fig. 3 is a schematic diagram of the device for establishing a malicious website database provided by Embodiment 3 of the invention;
Fig. 4 is a schematic diagram of the device for identifying a malicious website provided by Embodiment 4 of the invention.
[Embodiments]
To make the objects, technical solutions and advantages of the invention clearer, the invention is described below with reference to the drawings and specific embodiments.
Embodiment 1
Fig. 1 is a flowchart of the method for establishing a malicious website database provided by this embodiment. As shown in Fig. 1, the method comprises:
Step S101, associating in advance each website domain name with its corresponding site attribute information to construct a site information association database.
A website generally comprises many web pages, each of which has a corresponding web address. A web address is usually expressed as a url (uniform resource locator), generally in the form access protocol + domain name. For example, the Baidu website comprises many web pages; the url of the Baidu home page is "http://www.baidu.com" and the domain name is "baidu.com". Because a website domain name is unique, a website domain name can be used to represent a website.
For a domain name, tools such as whois can be used to query the registration information of the website corresponding to that domain name. The registration information usually includes the website name, the registered domain name, the website owner, the contact information of the website owner (including organization, person in charge of the organization, industry of the organization, mailing address, postal code, email, telephone number, fax number and authentication information), the host names and IP addresses of the name servers, and so on.
In the underground industrial chain, the same illegal website operator usually holds multiple malicious websites that form a group of similar sites. These malicious websites usually have identical site attribute information; for example, they may have the same website owner or the same name server. The associations between these items of site attribute information are used to find an illegal website operator's site group.
The site attribute information of websites existing on the internet is used in advance to construct the site information association database, which is used to query the associations between websites.
Specifically, when constructing the site information association database, the registration information of websites existing on the internet is first collected with the whois tool, including the website name, website owner, contact information of the website owner, company information, IP address information and so on. Then, by methods such as web spiders, the ICP (Internet Content Provider) information of each website is obtained, including company information, website filing number, website name, website home page address and so on. This information is associated with the website domain name to form the association between website domain name and site attribute information, and the site information association database is constructed.
The site information association database may be, but is not limited to being, stored as an indexed table. It contains the association between each website domain name and its corresponding site attribute information, where the site attribute information includes the website name, website owner, contact information of the website owner, company information, IP address information and so on.
Step S102, constructing in advance a backlink association database that stores the link relationships between urls.
A web page may contain multiple outbound links that associate it with other web pages; correspondingly, a web page may also be associated with multiple web pages through inbound links.
A backlink, i.e. an inbound link, is a link by which another web page brings a url into that page through a piece of source text or a path. Every web address whose page contains an inbound link to this url is a backlink url of this url.
The link relationships between the urls of these web pages are used to construct the backlink association database. Existing methods such as a web crawler are used to fetch web page content and store the link relationships between urls, yielding the backlink association database so that backlink urls can be looked up later.
Step S103, setting different influence factors for different association relationships.
Two websites are associated when they have identical site attribute information. Different association relationships means that the type of site attribute information through which two websites are associated differs. Because the type of site attribute information through which websites are associated differs, the degree of association between the websites also differs. For example, websites registered with the same email address can basically be taken to have the same registrant, whereas an identical IP address indicates that the websites share a host IP.
Different influence factors are set for different association relationships according to the type of site attribute information. The preset influence factor of each type is set according to the type of site attribute information shared between website domain names. For example, an email factor with fixed value 0.9 is set for websites registered with the same email address, an IP factor with fixed value 0.8 is set for websites using the same IP address, and a backlink factor with fixed value 0.8 is set for websites in a backlink relationship. An influence factor is set for each type of site attribute information shared between website domain names, and a backlink factor is set between urls that have a backlink relationship.
The influence factors of the various types include the backlink factor, the email factor, the IP factor, the registered user name factor, the registered company factor, the ICP factor and the influence factors of the other site attribute information types. These influence factors α of different types may be, but are not limited to being, set according to existing empirical data, where 0<α<1.
Step S104, acquiring the urls of known malicious websites, adding them to the queue to be detected, taking urls out of the queue to be detected one by one, and executing step S105 on each current url taken out.
The known malicious websites may be web addresses identified by existing antivirus software, by daily-updated malicious website monitoring technology, or by similar means. These malicious web addresses serve as input: each known malicious web address is assigned an initial weight and added to the queue to be detected. At this point, the queue to be detected contains each malicious web address and its initial weight.
The web addresses (urls) in the queue to be detected are taken out one by one for detection, and step S105 is executed on the current url taken out.
Step S105, querying the backlink association database to determine all backlink urls of the current url, and adding to the queue to be detected the backlink urls whose degree of association with the urls of the known malicious websites satisfies a preset requirement.
Calculating the degree of association between a backlink url and the urls of the known malicious websites comprises: multiplying the weight of the current url by the backlink factor to obtain the weight of each backlink url.
In this step, the backlink urls retrieved are in a backlink relationship with the current url, so the influence factor used is the backlink factor.
For a detected malicious web address, the weight used is the initial weight of the malicious web address, which is 1. The initial weight of the malicious web address and the backlink factor give the weight of each backlink url. If the backlink factor is set to 0.8, the weight of each backlink url is 0.8*1=0.8.
The degree of association satisfies the preset requirement when the weight of the backlink url exceeds a preset threshold. Backlink urls whose weight exceeds the preset threshold are added to the queue to be detected. The preset threshold can be set according to practical experience; for example, if the preset threshold is set to 0.7, backlink urls whose weight exceeds 0.7 are added to the queue to be detected together with their weights.
Step S106, parsing the site attribute information of the current url, querying the site information association database to determine the website domain names that have the same site attribute information as the current url, and adding to the queue to be detected the website domain names whose degree of association with the urls of the known malicious websites satisfies a preset requirement.
Calculating the degree of association between a website domain name and the urls of the known malicious websites comprises: multiplying the weight of the current url by the influence factor corresponding to the type of site attribute information shared by the website domain name and the current url, to obtain the weight of the website domain name.
The degree of association satisfies the preset requirement when the weight of the website domain name exceeds a preset threshold.
Specifically, the influence factor corresponding to the type of site attribute information shared between each website domain name and the current url is determined first. The weight of the current url is multiplied by each corresponding influence factor to obtain the weight of each website domain name, and the website domain names whose weight exceeds the preset threshold are added to the queue to be detected.
The website domain name corresponding to the current url is extracted, and the whois tool is used to obtain the site attribute information corresponding to the current url, including the website name, website owner, email of the website owner, company name, ICP number and so on. This site attribute information is matched against the site information association database to find the website domain names with the same attributes, and the type of site attribute information through which each of those website domain names is associated with the current url is recorded in order to determine each influence factor.
Each influence factor is the influence factor corresponding to the type of site attribute information through which a website domain name is associated with the current url. For example, if website domain name A has the same email address as the current url, the weight of website domain name A is the product of the weight of the current url and the email factor. If website domain name B has the same IP address as the current url, the weight of website domain name B is the product of the weight of the current url and the IP factor. The weight of each website domain name is calculated in the same way.
If a website domain name is associated with the current url through more than one influence factor, for example when it has both the same email address and the same registered user name, the maximum of the two influence factors may be chosen as the influence factor between the website domain name and the current url. Alternatively, different coefficients that sum to 1 may be assigned to the different types of site attribute information; if several items of site attribute information are identical, the coefficients corresponding to those items are used for weighting to determine the influence factor.
Website domain names whose weight exceeds the preset threshold are added to the queue to be detected. The preset threshold is the same as in step S105.
It is worth noting that the order of step S105 and step S106 may be exchanged, or only one of the two may be used for detection.
Step S107, from formation to be detected, take out next url or website domain name; Repeating step S105 and step S106; Until said formation to be detected is empty, utilizes all to appear at url or website domain name and corresponding website attribute information structure malice network address database in the formation to be detected.
Because the website domain name is the special case of url, in the url storehouse, what the website domain name was pointed to is the homepage of this website.Thereby the website domain name can change into website homepage url, and the unified url that adopts representes in the malice network address database.
Because factor of influence 0<α<1 that is provided with; After through continuous the repetition; The weights of the url that calculates can be more and more littler, be in the convergence process, when the weights of all url all less than predetermined threshold value; When promptly no longer newly-increased formation to be detected and formation to be detected are empty, the closure of collecting the suspected site that obtains a collection of association.
All appear at url or corresponding website attribute information and the weights of website domain name, those url or website domain name in the formation to be detected to utilize these, are saved in the database, make up the malice network address database, form a underground industry data database.In the malice network address database can but be not limited to adopt the mode of table index to store, comprise the url information of collecting, email address information, domain name (domain) information, ICP information, IP address information or the like.
For example, suppose the known malicious URL obtained is url1. It is given an initial weight, for example 1, and added to the queue to be detected. A URL is then taken out of the queue, here url1, and analysed as the current URL.
url1 is looked up in the anti-chain association database to find all anti-chain URLs corresponding to this malicious URL, which may include, for example, url2 and url3. The weight of url1 (its initial weight) is multiplied by the set anti-chain factor to give the weights of the anti-chain URLs url2 and url3; if the anti-chain factor is set to 0.8, the weights of url2 and url3 are 0.8*1=0.8. Anti-chain URLs whose weights exceed the predetermined threshold are added to the queue to be detected; if the predetermined threshold is 0.7, url2 and url3 are both added.
The corresponding domain name is extracted from url1, for example www.xxx123.com, and a tool such as whois is used to query the website attribute information corresponding to url1, including the website name, the website owner, the owner's email, the company name, the IP address, the ICP number, and so on. These attributes are matched in the site information association database to find website domain names with the same attributes, for example domain name 1, which has the same email address, and domain name 2, which has the same IP address. The weights of domain name 1 and domain name 2 are then calculated: if the email factor is set to 0.9 and the IP factor to 0.8, the weight of domain name 1 is the product of the initial weight and the email factor, 0.9*1=0.9, and the weight of domain name 2 is the product of the initial weight and the IP factor, 0.8*1=0.8. Because the weights of domain name 1 and domain name 2 also exceed the predetermined threshold 0.7, both are added to the queue to be detected as well.
The next URL or website domain name is taken out, say url2, and the detection is repeated.
url2 is looked up in the anti-chain association database to find all anti-chain URLs corresponding to url2, which may include, for example, url4 and url5. The weight of url2 is multiplied by the set anti-chain factor 0.8 to give the weights of the anti-chain URLs url4 and url5, which are 0.8*0.8=0.64. Because the weights of url4 and url5 are both below the predetermined threshold 0.7, they are not added to the queue to be detected.
The corresponding domain name is extracted from url2, and a tool such as whois is used to query the website attribute information corresponding to url2. These attributes are matched in the site information association database to find website domain names with the same attributes, for example domain name 3, which has the same email address, and domain name 4, which has the same registered company. The weight of domain name 3 is 0.8*0.9=0.72; if the registered-company factor is set to 0.8, the weight of domain name 4 is 0.8*0.8=0.64. Because domain name 3 exceeds the predetermined threshold 0.7, it is also added to the queue to be detected, whereas domain name 4, being below the predetermined threshold 0.7, is not.
And so on: steps S105 and S106 are repeated until the queue to be detected is empty, yielding the information and corresponding weights for url1, url2, url3, domain name 1, domain name 2, domain name 3, etc., from which the malicious URL database is built.
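The worked example above, reproduced as a runnable sketch. This is an added illustration, not code from the patent: the two dictionaries are constructed stand-ins for the anti-chain and site information association databases, every `.example` host and attribute value is invented, and the factors and threshold are the ones the example uses.

```python
from collections import deque
from urllib.parse import urlsplit

# Factors and threshold taken from the worked example in the text.
ANTI_CHAIN_FACTOR = 0.8
INFLUENCE = {"email": 0.9, "ip": 0.8, "company": 0.8}
THRESHOLD = 0.7
INITIAL_WEIGHT = 1.0

# Constructed anti-chain association database: URL -> URLs whose pages link to it.
ANTI_CHAIN_DB = {
    "http://www.xxx123.com/": ["http://url2.example/", "http://url3.example/"],
    "http://url2.example/": ["http://url4.example/", "http://url5.example/"],
}

# Constructed site information association database (stands in for whois/ICP data).
SITE_INFO_DB = {
    "www.xxx123.com":  {"email": "a@mail.example", "ip": "192.0.2.10"},
    "domain1.example": {"email": "a@mail.example", "ip": "192.0.2.21"},
    "domain2.example": {"email": "b@mail.example", "ip": "192.0.2.10"},
    "url2.example":    {"email": "c@mail.example", "company": "Co C"},
    "domain3.example": {"email": "c@mail.example", "company": "Co D"},
    "domain4.example": {"email": "d@mail.example", "company": "Co C"},
}


def homepage(domain):
    """A website domain name is stored as the URL of its homepage."""
    return f"http://{domain}/"


def related_domains(url):
    """Return [(domain, factor)] for domains sharing an attribute value with url's domain."""
    own = urlsplit(url).hostname
    attrs = SITE_INFO_DB.get(own, {})
    found = []
    for domain, other in SITE_INFO_DB.items():
        if domain == own:
            continue
        shared = [INFLUENCE[k] for k, v in attrs.items()
                  if k in INFLUENCE and other.get(k) == v]
        if shared:
            # Several shared attributes: use the largest influence factor.
            found.append((domain, max(shared)))
    return found


def build_malicious_db(seed_urls):
    """Propagate weights outward from the seeds until the queue is empty."""
    db, queue = {}, deque()
    for url in seed_urls:
        db[url] = {"weight": INITIAL_WEIGHT, "source": "seed"}
        queue.append(url)
    while queue:
        current = queue.popleft()
        weight = db[current]["weight"]
        # Anti-chain detection, then site information detection.
        candidates = [(u, weight * ANTI_CHAIN_FACTOR, "anti-chain")
                      for u in ANTI_CHAIN_DB.get(current, [])]
        candidates += [(homepage(d), weight * f, "site-info")
                       for d, f in related_domains(current)]
        for url, w, source in candidates:
            w = round(w, 6)                      # avoid float noise such as 0.7200000001
            if w <= THRESHOLD:                   # must exceed the threshold to be queued
                continue
            if url in db and db[url]["weight"] >= w:
                continue                         # already recorded with an equal or higher weight
            attrs = SITE_INFO_DB.get(urlsplit(url).hostname, {})
            db[url] = {"weight": w, "source": source, "attrs": attrs}
            queue.append(url)
    return db


if __name__ == "__main__":
    for url, rec in build_malicious_db(["http://www.xxx123.com/"]).items():
        print(f"{rec['weight']:.2f}  {rec['source']:<10}  {url}")
```

Because every factor is below 1 and an entry is only re-queued when its weight strictly increases, the loop terminates; the mutual email match between domain name 1 and the seed's own domain is what the "already recorded" check absorbs.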
With the malicious URL database built, a URL that is not yet known to be malicious or not can be checked. One way is to obtain the URL to be detected directly and query whether the malicious URL database contains it; if so, the URL to be detected is determined to be a malicious URL. A URL that cannot be found directly in the malicious URL database can still be identified by using records that contain related information. The malicious URL identification method provided by the invention is described below through embodiment two.
Embodiment two
Fig. 2 is a flowchart of the malicious URL identification method provided by this embodiment. As shown in Fig. 2, the method comprises:
Step S201: obtain the URL to be detected and parse the website attribute information of this URL.
For the URL to be detected, the corresponding domain name is extracted, and a tool such as whois is used to query the website attribute information of the URL to be detected, including the website name, the website owner, the owner's email, the company name, the IP address, the ICP number, and so on.
Step S202: using the website attribute information obtained by parsing, search the malicious URL database for malicious URLs that have the same attribute information as the URL to be detected, the malicious URL database being established by the method described in embodiment one.
In the malicious URL database built in embodiment one, the website attribute information of the URL to be detected is used to extract the malicious URLs whose records contain that website attribute information, giving a batch of malicious URLs associated with the URL to be detected.
Step S203: calculate the weight of the URL to be detected from the weights of the malicious URLs found.
The weights of the malicious URLs found in step S202 are merged to obtain the weight of the URL to be detected. The merge calculation may take the maximum, the average, the sum, or the like. Preferably, the maximum of the weights of the malicious URLs found is chosen as the weight of the URL to be detected.
For a malicious URL that appears repeatedly, a weight adjustment may also be applied during the merge calculation by adding a preset weight-adjustment factor. When a URL is judged suspicious from several different data sources, the suspicion that it is a malicious URL is correspondingly higher.
Step S204: judge whether the weight of the URL to be detected exceeds the predetermined threshold; if so, identify the URL to be detected as a malicious URL.
The predetermined threshold may be the same as the one used in step S105 and step S106 of embodiment one, or a separate fixed value may be set.
Thus, for an unknown URL, the established malicious URL database can be used to judge whether it is a malicious URL.
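Steps S201 to S204, together with the direct lookup mentioned before embodiment two, as an added sketch that is not code from the patent. The database excerpt, the attribute lookup that stands in for a whois query, and all `.example` hosts are constructed for illustration; the weight adjustment for repeated appearances is left out because the text does not define it.

```python
from statistics import mean
from urllib.parse import urlsplit

# Constructed excerpt of a malicious URL database: URL -> stored weight and attributes.
MALICIOUS_DB = {
    "http://www.xxx123.com/": {
        "weight": 1.0, "attrs": {"email": "a@mail.example", "ip": "192.0.2.10"}},
    "http://url2.example/": {
        "weight": 0.8, "attrs": {"email": "c@mail.example", "company": "Co C"}},
    "http://domain1.example/": {
        "weight": 0.9, "attrs": {"email": "a@mail.example", "ip": "192.0.2.21"}},
    "http://domain3.example/": {
        "weight": 0.72, "attrs": {"email": "c@mail.example", "company": "Co D"}},
}

# Constructed stand-in for the whois/ICP query of step S201: hostname -> attributes.
ATTRIBUTE_LOOKUP = {
    "new-shop.example": {"email": "c@mail.example", "ip": "198.51.100.7"},
    "clean.example": {"email": "z@mail.example", "ip": "203.0.113.5"},
}

# The three merge calculations named in step S203.
MERGE = {"max": max, "mean": mean, "sum": sum}


def identify(url, threshold=0.7, merge="max"):
    """Classify url against MALICIOUS_DB; returns verdict, merged weight and matches."""
    # Direct lookup: a URL already in the database is malicious.
    if url in MALICIOUS_DB:
        return {"malicious": True,
                "weight": MALICIOUS_DB[url]["weight"],
                "matches": [url]}

    # S201: parse the website attribute information of the URL to be detected.
    attrs = ATTRIBUTE_LOOKUP.get(urlsplit(url).hostname, {})

    # S202: malicious URLs whose records share at least one attribute value.
    matches = sorted(
        known for known, rec in MALICIOUS_DB.items()
        if any(rec["attrs"].get(k) == v for k, v in attrs.items())
    )

    # S203: merge the weights of the matches (maximum is the preferred mode).
    if matches:
        weights = [MALICIOUS_DB[m]["weight"] for m in matches]
        weight = round(MERGE[merge](weights), 6)
    else:
        weight = 0.0

    # S204: malicious if the merged weight exceeds the threshold.
    return {"malicious": weight > threshold, "weight": weight, "matches": matches}


if __name__ == "__main__":
    for u in ("http://new-shop.example/cart", "http://clean.example/",
              "http://www.xxx123.com/"):
        print(u, identify(u))
    # A separate, higher threshold makes the merge mode matter:
    print(identify("http://new-shop.example/cart", threshold=0.78, merge="mean"))
```

Every weight stored by the build step already exceeds the build threshold, so reusing that threshold here flags any URL with at least one match regardless of merge mode; the separate fixed value the text allows is what lets the verdict depend on how strong the matches are.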
The above is a detailed description of the method provided by the invention. The device for establishing the malicious URL database and the device for identifying malicious URLs provided by the invention are described in detail below.
Embodiment three
Fig. 3 is a schematic diagram of the device for establishing the malicious URL database provided by this embodiment. As shown in Fig. 3, the device comprises:
Site information association module 301, configured to associate each website domain name with its corresponding website attribute information in advance and build the site information association database.
Site information association module 301 uses, in advance, the website attribute information of websites existing on the Internet to build the site information association database, which is used to query the association relations between websites.
Specifically, when building the site information association database, the whois tool is first used on websites existing on the Internet to collect their registration information, including the website name, the website owner, the owner's contact information, company information, IP address information, etc. Then, by methods such as web spiders, the ICP (Internet Content Provider) information of each website is obtained, including company information, the website's filing number, the website name, the homepage URL, and so on. This information is associated with the website domain name to form the association relation between website domain names and website attribute information, and the site information association database is built.
The site information association database may be, but is not limited to being, stored as indexed tables, and contains the association relations between website domain names and their corresponding website attribute information, where the website attribute information includes the website name, the website owner, the owner's contact information, company information, IP address information, etc.
Anti-chain association module 302, configured to build the anti-chain association database in advance, which stores the link relations between URLs.
A web page may contain multiple outbound links that associate it with other web pages; correspondingly, a web page may also be associated with multiple web pages through inbound links.
An anti-chain is an inbound link (backlink): a link by which another web page, through a piece of source text or a path, brings a URL into its own page. Every URL whose page contains an inbound link to a given URL is an anti-chain URL of that URL.
Anti-chain association module 302 uses the link relations between the URLs corresponding to these web pages to build the anti-chain association database. Web page content is crawled using existing methods such as web crawlers, and the link relations between URLs are stored to build the anti-chain association database, so that anti-chain URLs can be looked up later.
Factor setting module 303, configured to set the anti-chain factor between URLs that have an anti-chain relation, and to set influence factors according to the type of website attribute information shared between website domain names.
The anti-chain factor and the influence factors take values in the interval (0,1).
Factor setting module 303 sets different influence factors for different association relations according to the type of website attribute information. The preset influence factors of each type are set according to the type of website attribute information shared between website domain names. For example, an email factor with the fixed value 0.9 is set for websites registered with the same email address, an IP factor with the fixed value 0.8 is set for websites using the same IP address, and an anti-chain factor with the fixed value 0.8 is set for websites in an anti-chain relation. A corresponding influence factor is thus set for each type of website attribute information shared between website domain names, and the anti-chain factor is set between URLs that have an anti-chain relation.
The influence factors of the various types include the anti-chain factor, the email factor, the IP factor, the registered-user-name factor, the registered-company factor, the ICP factor, and so on, one for each type of website attribute information. These influence factors α of different types may be, but are not limited to being, set according to existing empirical data, where 0<α<1.
Database establishing module 304, configured to obtain the URLs of known malicious URLs and add them to the queue to be detected, to take URLs out of the queue to be detected one by one and provide each current URL taken out to anti-chain detection module 305 or site information detection module 306 until the queue to be detected is empty, and to build the malicious URL database from all URLs or website domain names added to the queue to be detected.
The known malicious URLs may be URLs confirmed by means such as existing antivirus software or malicious-website monitoring techniques that are updated daily. These malicious URLs are taken as input, each known malicious URL is given an initial weight, and they are added to the queue to be detected. At this point, the queue to be detected contains each malicious URL and its initial weight.
The URLs in the queue to be detected are taken out one by one and checked by anti-chain detection module 305 or site information detection module 306.
Anti-chain detection module 305, configured to query the anti-chain association database, determine all anti-chain URLs of the current URL provided by database establishing module 304, and add to the queue to be detected those anti-chain URLs whose degree of association with the known malicious URLs satisfies a preset requirement.
Anti-chain detection module 305 multiplies the weight of the current URL by the anti-chain factor to obtain the weight of each anti-chain URL; the weight of an anti-chain URL expresses its degree of association with the known malicious URLs. Anti-chain URLs whose weights exceed the predetermined threshold are added to the queue to be detected.
For a malicious URL that has already been detected, the weight used is the initial weight of the malicious URL, which is 1. The weight of each anti-chain URL is obtained from the initial weight of the malicious URL and the anti-chain factor. If the anti-chain factor is set to 0.8, the weight of each anti-chain URL is 0.8*1=0.8.
Anti-chain detection module 305 adds the anti-chain URLs whose weights exceed the predetermined threshold to the queue to be detected. The predetermined threshold can be set according to practical experience; for example, if the predetermined threshold is set to 0.7, anti-chain URLs whose weights exceed 0.7 are added to the queue to be detected together with their weights.
Site information detection module 306, configured to parse the website attribute information of the current URL, query the site information association database, determine the website domain names that have the same website attribute information as the current URL provided by database establishing module 304, and add to the queue to be detected those website domain names whose degree of association with the known malicious URLs satisfies a preset requirement.
Site information detection module 306 first determines the corresponding influence factor according to the type of website attribute information shared between each website domain name and the current URL. The weight of the current URL is multiplied by the influence factor corresponding to the type of website attribute information shared by the website domain name and the current URL, giving the weight of the website domain name; the weight of a website domain name expresses its degree of association with the known malicious URLs. Website domain names whose weights exceed the predetermined threshold are added to the queue to be detected.
The website domain name corresponding to the current URL is extracted, and the whois tool is used to query the website attribute information corresponding to the current URL, including the website name, the website owner, the owner's email, the company name, the ICP number, and so on. These attributes are matched in the site information association database to find website domain names with the same attributes, and the type of website attribute information through which each of those website domain names is associated with the current URL is recorded, in order to determine each influence factor.
Each influence factor is the influence factor corresponding to the type of website attribute information through which a website domain name is associated with the current URL. For example, if website domain name A has the same email address as the current URL, the weight of website domain name A is the product of the weight of the current URL and the email factor. If website domain name B has the same IP address as the current URL, the weight of website domain name B is the product of the weight of the current URL and the IP factor. The weights of the other website domain names are calculated in the same way.
If a website domain name is associated with the current URL through more than one influence factor, for example when it has both the same email address and the same registered user name, the maximum of the two influence factors may be chosen as the influence factor between the website domain name and the current URL. Alternatively, different weights that sum to 1 may be assigned to the different types of website attribute information; if several items of website attribute information are identical, the coefficients corresponding to those items are weighted to determine the influence factor. Website domain names whose weights exceed the predetermined threshold are added to the queue to be detected.
Then, database establishing module 304 takes URLs out of the queue to be detected one by one and triggers anti-chain detection module 305 or site information detection module 306 on each current URL taken out, until the queue to be detected is empty, and builds the malicious URL database from all URLs or website domain names added to the queue to be detected.
A website domain name is a special case of a URL: in the URL library, a website domain name points to the homepage of that website. A website domain name can therefore be converted into the homepage URL of the website, so that everything in the malicious URL database is uniformly represented as a URL.
Because the influence factors are set so that 0<α<1, the computed URL weights become smaller and smaller with each repetition, so the process converges. When the weights of all newly computed URLs are below the predetermined threshold, nothing more is added to the queue to be detected, the queue becomes empty, and the collection has produced the closure of a batch of associated suspicious sites.
All URLs or website domain names that appeared in the queue to be detected, with their corresponding website attribute information and weights, are saved into a database to build the malicious URL database, forming a database of underground-industry data. The malicious URL database may be, but is not limited to being, stored as indexed tables, and contains the collected URL information, email address information, domain information, ICP information, IP address information, and so on.
With the malicious URL database built, a URL that is not yet known to be malicious or not can be checked. One identification device may comprise a query-and-judge module that obtains the URL to be detected directly and queries whether the malicious URL database contains it; if so, the URL to be detected is determined to be a malicious URL. A URL that cannot be found directly in the malicious URL database can still be identified by using records that contain related information. The malicious URL identification device provided by the invention is described below through embodiment four.
Fig. 4 is a schematic diagram of the malicious URL identification device provided by this embodiment. As shown in Fig. 4, the device comprises:
Parsing module 401, configured to obtain the URL to be detected and parse the website attribute information of this URL.
For the URL to be detected, parsing module 401 extracts the corresponding domain name and uses a tool such as whois to query the website attribute information of the URL to be detected, including the website name, the website owner, the owner's email, the company name, the IP address, the ICP number, and so on.
Query module 402, configured to use the website attribute information obtained by parsing to search the malicious URL database for malicious URLs that have the same attribute information as the URL to be detected, the malicious URL database being established by the device described in embodiment three.
Query module 402 uses the website attribute information of the URL to be detected to extract the malicious URLs whose records contain that website attribute information, obtaining a batch of malicious URLs associated with the URL to be detected.
Merging module 403, configured to calculate the weight of the URL to be detected from the weights of the malicious URLs found by query module 402.
The weights of the malicious URLs found by query module 402 are merged to obtain the weight of the URL to be detected. The merge calculation may take the maximum, the average, the sum, or the like. Preferably, the maximum of the weights of the malicious URLs found is chosen as the weight of the URL to be detected.
For a malicious URL that appears repeatedly, a weight adjustment may also be applied during the merge calculation by adding a preset weight-adjustment factor. When a URL is judged suspicious from several different data sources, the suspicion that it is a malicious URL is correspondingly higher.
Judging module 404, configured to judge whether the weight of the URL to be detected exceeds the predetermined threshold and, if so, to identify the URL to be detected as a malicious URL.
For an unknown URL, the established malicious URL database can be used to judge whether it is a malicious URL.
The method for establishing a malicious URL database and the method and device for identifying malicious URLs provided by the invention take into account the relevance within the whole underground industry chain and use the association data of website attribute information between websites on the Internet to build the malicious URL database, so that an unknown URL can be judged without being executed; this improves the timeliness and accuracy of detection and reduces missed detections.
The above are merely preferred embodiments of the invention and are not intended to limit the invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (16)

1. A method for establishing a malicious URL database, characterized in that the method comprises:
S1, associating each website domain name with its corresponding website attribute information in advance, and building a site information association database;
S2, building an anti-chain association database in advance, which stores the link relations between URLs;
S3, obtaining the URLs of known malicious URLs and adding them to a queue to be detected; taking URLs out of the queue to be detected one by one and executing step S4 on each current URL taken out, until the queue to be detected is empty; and building the malicious URL database from all URLs or website domain names added to the queue to be detected;
S4, querying the anti-chain association database to determine all anti-chain URLs of the current URL, and adding to the queue to be detected those anti-chain URLs whose degree of association with the known malicious URLs satisfies a preset requirement; or,
parsing the website attribute information of the current URL, querying the site information association database to determine the website domain names that have the same website attribute information as the current URL, and adding to the queue to be detected those website domain names whose degree of association with the known malicious URLs satisfies a preset requirement.
2. The method according to claim 1, characterized in that the website attribute information comprises at least one of the following: website name, website owner, the owner's contact information, company information, IP address information, ICP information.
3. The method according to claim 1, characterized in that step S3 further comprises: giving the URLs of the malicious URLs an initial weight, setting an anti-chain factor between URLs that have an anti-chain relation, and setting influence factors according to the type of website attribute information shared between website domain names, the anti-chain factor and the influence factors taking values in the interval (0,1);
the calculation of the degree of association between an anti-chain URL and the known malicious URLs comprises: multiplying the weight of the current URL by the anti-chain factor to obtain the weight of the anti-chain URL;
the calculation of the degree of association between a website domain name and the known malicious URLs comprises: multiplying the weight of the current URL by the influence factor corresponding to the type of website attribute information shared by the website domain name and the current URL, to obtain the weight of the website domain name;
the degree of association satisfying the preset requirement means: the weight of the anti-chain URL or website domain name exceeds a predetermined threshold.
4. The method according to claim 3, characterized in that the malicious URL database further comprises: the website attribute information and weights corresponding to all URLs or website domain names added to the queue to be detected.
5. A method for identifying a malicious URL, characterized in that the method comprises:
obtaining a URL to be detected and querying whether the malicious URL database contains the URL to be detected; if so, determining that the URL to be detected is a malicious URL;
wherein the malicious URL database is established by the method according to any one of claims 1 to 4.
6. A method for identifying a malicious URL, characterized in that the method comprises:
S201, obtaining a URL to be detected and parsing the website attribute information of this URL;
S202, using the website attribute information obtained by parsing to search the malicious URL database for malicious URLs that have the same attribute information as the URL to be detected, the malicious URL database being established by the method according to claim 4;
S203, calculating the weight of the URL to be detected from the weights of the malicious URLs found;
S204, judging whether the weight of the URL to be detected exceeds a predetermined threshold and, if so, identifying the URL to be detected as a malicious URL.
7. The method according to claim 6, characterized in that step S203 is specifically:
merging the weights of the malicious URLs found in step S202 to obtain the weight of the URL to be detected.
8. The method according to claim 7, characterized in that the merge calculation takes the maximum, the average, or the sum.
9. the apparatus for establishing of a malice network address database is characterized in that, this device comprises:
The site information relating module, be used in advance each website domain name and corresponding website attribute information being carried out related, structure the website associating information database;
The anti-chain relating module is used for making up the anti-chain linked database in advance, preserves the linking relationship between each url;
Database is set up module; Be used to obtain the url of known malicious network address; Add in the formation to be detected; The current url that from formation to be detected, takes out url one by one and will take out offers anti-chain detection module or site information detection module, is empty until formation to be detected, and url or the website domain name of utilizing all to add in the formation to be detected make up the malice network address database;
The anti-chain detection module; Be used to inquire about said anti-chain linked database; Confirm that said database sets up all anti-chain url of the current url that module provides, with and the url of known malicious network address between the correlation degree anti-chain url that satisfies preset requirement add in the formation to be detected;
The site information detection module; Be used to resolve the website attribute information of current url; Inquire about said site information linked database; Confirm that the current url that sets up module and provide with said database has the website domain name of same site attribute information, with and the url of known malicious network address between the correlation degree website domain name that satisfies preset requirement add in the formation to be detected.
10. device according to claim 9 is characterized in that, said website attribute information comprises following listed at least a: the website name, the website everyone, everyone contact information of website, company information, IP address information, ICP information.
11. device according to claim 9 is characterized in that, this device also comprises:
Factor setting module is used to and sets the anti-chain factor between each url that has the anti-chain relation, and, set factor of influence to the type of website attribute information total between the domain name of website, the span of the said anti-chain factor and factor of influence is interval (0,1);
the database establishment module is further configured to assign an initial weight to the url of the malicious website;
the backlink (anti-chain) detection module multiplies the weight of the current url by the backlink factor to obtain the weight of each backlink url, the weight of a backlink url reflecting the degree of association between that backlink url and the url of a known malicious website;
the site information detection module multiplies the weight of the current url by the influence factor corresponding to the type of website attribute information that the website domain name has in common with the current url, to obtain the weight of the website domain name, the weight of the website domain name reflecting the degree of association between that website domain name and the url of a known malicious website.
12. The device according to claim 11, characterized in that the malicious website database further comprises: the website attribute information and the weights corresponding to all urls or website domain names added to the queue to be detected.
13. A device for identifying a malicious website, characterized in that the device comprises: a query and judgment module, configured to obtain a url to be detected and to query whether the malicious website database contains the url to be detected, and if so, to determine that the url to be detected is a malicious website;
wherein the malicious website database is established using the device according to any one of claims 9 to 12.
14. A device for identifying a malicious website, characterized in that the device comprises:
a parsing module, configured to obtain a url to be detected and to parse the website attribute information of this url;
a query module, configured to use the parsed website attribute information to search the malicious website database for malicious websites that have the same attribute information as the url to be detected, the malicious website database being established using the device according to claim 12;
a merging module, configured to calculate the weight of the url to be detected from the weights of the malicious websites found;
a judgment module, configured to judge whether the weight of the url to be detected exceeds a preset threshold, and if so, to identify the url to be detected as a malicious url.
15. The device according to claim 14, characterized in that the merging module is specifically configured to:
merge the weights of the malicious websites found by the query module to obtain the weight of the url to be detected.
16. The device according to claim 15, characterized in that the merge calculation takes the maximum value, or the average, or the sum.
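A worked sketch of the scheme in claims 11 to 16, added here as an illustration and not taken from the patent: weights are derived one hop from a single known malicious url, then a candidate is scored by merging the weights of stored entries that share an attribute with it. The numeric factors, the attribute types `ip` and `registrant`, the function names and all sample data are assumptions constructed for the example.

```python
from statistics import mean

# Assumed numbers: the claims name these quantities but give no values.
INITIAL_WEIGHT = 1.0
BACKLINK_FACTOR = 0.8
INFLUENCE = {"ip": 0.9, "registrant": 0.7}      # one factor per attribute type
MERGE = {"max": max, "mean": mean, "sum": sum}  # the three options of claim 16


def build_database(seed, backlinks, domains):
    """Claims 11-12: derive weights from one known malicious url.

    seed:      (url, attrs) of the known malicious url
    backlinks: {url: attrs} for urls that link to the seed
    domains:   {domain: (shared_attr_type, attrs)} for domains sharing
               an attribute of that type with the seed
    """
    seed_url, seed_attrs = seed
    db = {seed_url: (INITIAL_WEIGHT, seed_attrs)}
    for url, attrs in backlinks.items():
        db[url] = (INITIAL_WEIGHT * BACKLINK_FACTOR, attrs)
    for domain, (shared_type, attrs) in domains.items():
        db[domain] = (INITIAL_WEIGHT * INFLUENCE[shared_type], attrs)
    return db


def identify(attrs, db, threshold, merge="max"):
    """Claims 14-16: match on attributes, merge weights, compare to threshold."""
    matched = [weight for weight, known in db.values()
               if any(known.get(k) == v for k, v in attrs.items())]
    if not matched:          # nothing shared with any stored entry
        return 0.0, False
    score = MERGE[merge](matched)
    return score, score > threshold


# Constructed sample data: documentation-range IPs and .example names.
DB = build_database(
    ("http://bad.example/login", {"ip": "192.0.2.10", "registrant": "r-1"}),
    backlinks={"http://lure.example/a": {"ip": "192.0.2.200", "registrant": "r-5"}},
    domains={
        "mirror1.example": ("ip", {"ip": "192.0.2.10", "registrant": "r-2"}),
        "mirror2.example": ("registrant", {"ip": "192.0.2.77", "registrant": "r-1"}),
    },
)

if __name__ == "__main__":
    for merge in MERGE:
        print(merge, identify({"ip": "192.0.2.77", "registrant": "r-1"}, DB, 0.75, merge))
```

With `sum`, the score grows with the number of matching entries, so the threshold has to be chosen together with the merge function.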
CN201210069443.7A 2012-03-15 2012-03-15 Establishment method for malicious website database, method and device for identifying malicious website Active CN102663000B (en)


Publications (2)

Publication Number Publication Date
CN102663000A true CN102663000A (en) 2012-09-12
CN102663000B CN102663000B (en) 2016-08-03

Family

ID=46772491


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant