CN103096321B - A kind of method and apparatus for detection of malicious server - Google Patents


Info

Publication number
CN103096321B
Authority
CN
China
Prior art keywords
malicious server
network connecting
connecting request
server
degree
Legal status
Expired - Fee Related
Application number
CN201110341370.8A
Other languages
Chinese (zh)
Other versions
CN103096321A (en)
Inventor
郭代飞
隋爱芬
郭涛
Current Assignee
Siemens AG
Original Assignee
Siemens AG

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

According to embodiments of the present invention, a method and an apparatus for detecting a malicious server are provided. The apparatus comprises: an acquisition module for obtaining a network connection request sent by a mobile terminal to a network server; a detection module for detecting, according to prestored information related to known malicious servers and the obtained network connection request, whether the network server is a possible malicious server; a checking module for checking, when the detection result is affirmative, whether the network server contains a mobile phone virus; and a determination module for determining, when the check result is affirmative, that the network server is a malicious server. With the method and apparatus, malicious servers can be detected correctly.

Description

A kind of method and apparatus for detection of malicious server
Technical field
The present invention relates to network security detection technology, and in particular to a method and an apparatus for detecting a malicious server.
Background technology
With the widespread use of intelligent mobile terminals, viruses targeting such terminals have appeared. A virus that targets mobile terminals is usually called a mobile phone virus.
Most mobile phone viruses spread to mobile terminals via a network such as the Internet or a mobile network and then infect the terminal. First, a malicious attacker hides the mobile phone virus in a file on a network server; a network server containing a mobile phone virus is commonly referred to as a malicious server. Then the mobile phone virus, the malicious server or the attacker sends deceptive information to the mobile terminal, luring its user into connecting to the malicious server and downloading the file containing the mobile phone virus. Finally, when the user opens or executes the downloaded file on the mobile terminal, the mobile phone virus contained in that file infects the mobile terminal.
To prevent mobile phone viruses from infecting mobile terminals through the network, a good approach is to identify the malicious servers that contain mobile phone viruses and, when a mobile terminal connects to a malicious server to download a file, to warn the user of the mobile terminal that the network server being connected to is a malicious server and that connecting to it carries the risk of infection by a mobile phone virus. Many schemes for detecting malicious servers have been proposed so far.
The first scheme detects malicious servers based on the network address. Specifically, the network addresses of known malicious servers are stored in advance. Then, when a mobile terminal connects to a network server to download a file, it is detected whether the stored network addresses include the network address of the network server being connected to. If the detection result is affirmative, the network server the mobile terminal is connecting to is a malicious server, and the mobile terminal is prevented from connecting to it.
The second scheme detects malicious servers based on keywords. Specifically, keywords are first extracted from network connection requests previously sent by mobile terminals to known malicious servers, and are stored. Then, when a mobile terminal connects to a network server to download a file, it is detected whether the network connection request sent by the mobile terminal to the network server contains any of the stored keywords. If the detection result is affirmative, the network server the mobile terminal is connecting to is a malicious server, and the mobile terminal is prevented from connecting to it.
In these two schemes, whether a network server is a malicious server is detected solely according to the network address or keywords. Consequently, once a network server has been detected as a malicious server, it is always detected as a malicious server thereafter, even after the mobile phone virus on it has been removed. A network server that is no longer malicious is thus still wrongly detected as a malicious server.
Summary of the invention
In view of the above problems of the prior art, embodiments of the present invention provide a method and an apparatus for detecting a malicious server that can detect malicious servers correctly.
According to an embodiment of the present invention, a method for detecting a malicious server comprises the steps of: obtaining a network connection request sent by a mobile terminal to a network server; detecting, according to prestored information related to known malicious servers and the obtained network connection request, whether the network server is a possible malicious server; if the detection result is affirmative, checking whether the network server contains a mobile phone virus; and, if the check result is affirmative, determining that the network server is a malicious server.
The detecting step may comprise: calculating, according to the information related to known malicious servers, a correlation degree value of the network connection request with respect to malicious servers; and, if the correlation degree value of the network connection request is greater than a specified threshold, judging that the network server is a possible malicious server.
The calculating step may comprise performing at least two of the following degree-of-correlation sub-value calculations: calculating a first degree-of-correlation sub-value of the network connection request according to the degree of similarity between the domain name of the server contained in the network connection request and the domain names of known malicious servers; calculating a second degree-of-correlation sub-value according to the degree of similarity between the network address of the network server contained in the request and the network addresses of known malicious servers; calculating a third degree-of-correlation sub-value according to whether the port numbers of known malicious servers include the port number of the server contained in the request; calculating a fourth degree-of-correlation sub-value according to the degree of similarity between the user agents used to connect to known malicious servers and the user agent contained in the request; and calculating a fifth degree-of-correlation sub-value according to whether the request contains keywords related to known malicious servers; and then calculating the correlation degree value of the network connection request from the sub-values obtained by the at least two calculations performed.
The checking step may comprise: downloading files from the network server; performing a virus scan on the downloaded files; and, if the virus scan finds that a downloaded file contains a mobile phone virus, judging that the network server contains a mobile phone virus.
The downloading step may further comprise: downloading all files on the network server, or all executable files on it.
According to an embodiment of the present invention, an apparatus for detecting a malicious server comprises: an acquisition module for obtaining a network connection request sent by a mobile terminal to a network server; a detection module for detecting, according to prestored information related to known malicious servers and the obtained network connection request, whether the network server is a possible malicious server; a checking module for checking, when the detection result is affirmative, whether the network server contains a mobile phone virus; and a determination module for determining, when the check result is affirmative, that the network server is a malicious server.
The detection module may comprise: a computing module for calculating, according to the information related to known malicious servers, the correlation degree value of the network connection request with respect to malicious servers; and a determination module for judging that the network server is a possible malicious server if the correlation degree value of the network connection request is greater than a specified threshold.
The detection module may further comprise a storage module for storing the information related to known malicious servers, in which case the computing module may further be configured to calculate the correlation degree value of the network connection request with respect to malicious servers according to the stored information related to known malicious servers.
The computing module may comprise at least two of a first computing module, a second computing module, a third computing module, a fourth computing module and a fifth computing module, together with a sixth computing module. The first computing module calculates the first degree-of-correlation sub-value of the network connection request according to the degree of similarity between the domain name of the network server contained in the request and the domain names of known malicious servers; the second computing module calculates the second degree-of-correlation sub-value according to the degree of similarity between the network address of the network server contained in the request and the network addresses of known malicious servers; the third computing module calculates the third degree-of-correlation sub-value according to whether the port numbers of known malicious servers include the port number of the network server contained in the request; the fourth computing module calculates the fourth degree-of-correlation sub-value according to the degree of similarity between the user agents used to connect to known malicious servers and the user agent contained in the request; the fifth computing module calculates the fifth degree-of-correlation sub-value according to whether the request contains keywords related to known malicious servers; and the sixth computing module calculates the correlation degree value of the network connection request from the sub-values calculated by the at least two of the first to fifth computing modules.
The checking module may comprise: a download module for downloading files from the network server; a scan module for performing a virus scan on the downloaded files; and a confirmation module for confirming that the network server contains a mobile phone virus when the virus scan finds that a downloaded file contains a mobile phone virus.
The download module is specifically configured to download all files on the network server, or all executable files on it.
According to an embodiment of the present invention, equipment for detecting a malicious server comprises: a memory for storing executable instructions; and a processor for performing the following steps according to the stored executable instructions: obtaining a network connection request sent by a mobile terminal to a network server; detecting, according to prestored information related to known malicious servers and the obtained network connection request, whether the network server is a possible malicious server; if the detection result is affirmative, checking whether the network server contains a mobile phone virus; and, if the check result is affirmative, determining that the network server is a malicious server.
According to an embodiment of the present invention, a machine-readable medium stores program code which, when executed, causes a machine to perform the following steps: obtaining a network connection request sent by a mobile terminal to a network server; detecting, according to prestored information related to known malicious servers and the obtained network connection request, whether the network server is a possible malicious server; if the detection result is affirmative, checking whether the network server contains a mobile phone virus; and, if the check result is affirmative, determining that the network server is a malicious server.
As can be seen from the above description, in embodiments of the present invention it is first determined whether the network server the mobile terminal is about to connect to is a possible malicious server, and only when it is does a check of whether that network server contains a mobile phone virus finally determine whether it is a malicious server. Compared with prior-art schemes that detect malicious servers solely according to the network address or keywords, the scheme disclosed in embodiments of the present invention can therefore detect malicious servers correctly.
Accompanying drawing explanation
Other features, characteristics, advantages and benefits of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:
Fig. 1 shows a flow chart of the method for detecting a malicious server according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of the apparatus for detecting a malicious server according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the detection module according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the checking module according to an embodiment of the invention; and
Fig. 5 shows a schematic diagram of the equipment for detecting a malicious server according to an embodiment of the invention.
Embodiment
According to the scheme disclosed in embodiments of the present invention, a network connection request sent by a mobile terminal to a network server is obtained; whether the network server the mobile terminal connects to is a possible malicious server is preliminarily detected according to the obtained network connection request; if the detection result is affirmative, it is checked whether the network server the mobile terminal connects to contains a mobile phone virus; and, if the check result is affirmative, the network server the mobile terminal connects to is determined to be a malicious server.
Each embodiment of the present invention will now be described in detail with reference to the accompanying drawings.
Referring now to Fig. 1, a flow chart of the method for detecting a malicious server according to an embodiment of the invention is shown. Those skilled in the art should understand that the method disclosed in this embodiment can be performed on a mobile terminal or on any other terminal, or by any network physical entity (such as a gateway, a router or a security monitoring device) in a network such as the Internet or a mobile network.
As shown in Fig. 1, in step S100, when a mobile terminal T wants to connect to a network server S in the network and sends a network connection request (such as a session request) to network server S, the network connection request Q sent by mobile terminal T to network server S is obtained.
In step S120, the correlation degree value of network connection request Q with respect to malicious servers is calculated using the prestored domain names of known malicious servers, network addresses of known malicious servers, port numbers of known malicious servers, user agents (UserAgent) related to known malicious servers and keywords related to known malicious servers. Here, the domain names, network addresses and port numbers of known malicious servers, the user agents related to known malicious servers and the keywords related to known malicious servers are collectively referred to as the information related to known malicious servers.
Specifically, the first degree-of-correlation sub-value of the extracted URI with respect to malicious servers is calculated according to the degree of similarity between the domain name of network server S contained in network connection request Q and the prestored domain names of known malicious servers. If the domain name of network server S contained in request Q is identical to a prestored domain name of a known malicious server, the first degree-of-correlation sub-value takes its maximum; if it is not identical but similar, the first sub-value takes a larger value less than the maximum, where "similar" may mean, for example, that the ratio of the number of characters identical between the domain name of network server S and the domain name of the known malicious server to the total number of characters of the domain name of network server S is greater than a specified ratio; and if it is dissimilar, the first sub-value takes a smaller value less than the larger value, where "dissimilar" may mean, for example, that the same ratio is less than the specified ratio. In addition, those skilled in the art should understand that some network connection requests identify the network server by its domain name while others identify it by its network address; therefore, if network connection request Q contains the network address of network server S instead of its domain name, the first degree-of-correlation sub-value takes its minimum value, or zero.
The second degree-of-correlation sub-value of network connection request Q with respect to malicious servers is calculated according to the degree of similarity between the network address of network server S contained in request Q and the prestored network addresses of known malicious servers. If the network address of network server S contained in request Q is identical to a prestored network address of a known malicious server, the second sub-value takes its maximum; if it is not identical but lies in the same or a similar subnet, the second sub-value takes a larger value less than the maximum; and if it is neither identical nor in the same or a similar subnet, the second sub-value takes a smaller value less than the larger value. In addition, those skilled in the art will appreciate that if request Q contains the domain name of network server S instead of its network address, the second degree-of-correlation sub-value takes its minimum value, or zero.
The third degree-of-correlation sub-value of network connection request Q with respect to malicious servers is calculated according to whether the prestored port numbers of known malicious servers include the port number of network server S contained in request Q. If they include it, the third sub-value takes the larger value; otherwise it takes the smaller value.
The fourth degree-of-correlation sub-value of network connection request Q with respect to malicious servers is calculated according to the degree of similarity between the user agent used to connect to network server S, as contained in request Q, and the prestored user agents used to connect to known malicious servers. If the prestored user agents used to connect to known malicious servers include a user agent identical to the one contained in request Q, the fourth sub-value takes its maximum; if they include no identical user agent but include a similar one, the fourth sub-value takes a larger value less than the maximum, where "similar" may mean, for example, that the ratio of the number of characters identical between the user agent used to connect to network server S and the user agent used to connect to a known malicious server to the total number of characters of the user agent used to connect to network server S is greater than a specified ratio; and if they include neither an identical nor a similar user agent, the fourth sub-value takes a smaller value less than the larger value.
The fifth degree-of-correlation sub-value of network connection request Q with respect to malicious servers is calculated according to whether request Q contains the prestored keywords related to known malicious servers. If request Q contains a keyword identical to a prestored keyword related to a known malicious server, the fifth sub-value takes its maximum; if it contains no identical keyword but contains a similar one, the fifth sub-value takes the larger value, where "similar" may mean, for example, that the ratio of the number of characters identical between the keyword contained in request Q and the keyword related to a known malicious server to the total number of characters of the keyword contained in request Q is greater than a specified ratio; and if request Q contains neither an identical nor a similar keyword, the fifth sub-value takes the smaller value.
Then the correlation degree value of network connection request Q with respect to malicious servers is calculated from the first, second, third, fourth and fifth degree-of-correlation sub-values. The five sub-values may simply be added and their sum taken as the correlation degree value of request Q; or each sub-value may first be multiplied by a specified weight coefficient and the weighted values then summed to give the correlation degree value of request Q.
In step S130, it is judged whether the calculated correlation degree value of network connection request Q is greater than a specified threshold Y. If it is, network server S is a possible malicious server; otherwise network server S is not a malicious server.
If the judgment of step S130 is negative, that is, the calculated correlation degree value of request Q is less than or equal to threshold Y, the flow ends.
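The five sub-values of step S120 and the threshold comparison of step S130, carried out in code. This is an example added by the editor, not code from the patent: the four levels (maximum, larger, smaller, minimum), the specified ratio, the weight coefficients and the threshold Y are constructed values; the entries about known malicious servers and the three requests are constructed from documentation-range addresses and `.example` names; and "number of identical characters" is interpreted as the characters covered by `difflib`'s matching blocks, one reasonable reading of the description. The same ratio function serves the request-to-request similarity of the alternative embodiment described later.

```python
"""Stage-1 scoring (steps S120 and S130) as an added example, not the patent's code.
Levels, ratio, weights, threshold and all sample data are constructed by the editor."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from ipaddress import ip_address, ip_network

MAXIMUM, LARGER, SMALLER, MINIMUM = 1.0, 0.6, 0.2, 0.0   # the four sub-value levels
SPECIFIED_RATIO = 0.7       # "specified ratio" for domain / user agent / keyword similarity
THRESHOLD_Y = 2.0           # "specified threshold Y" of step S130
WEIGHTS = {"domain": 1.0, "address": 1.0, "port": 0.5, "user_agent": 1.0, "keyword": 1.0}


@dataclass(frozen=True)
class KnownMalicious:
    """Prestored information related to known malicious servers."""
    domains: frozenset
    addresses: frozenset
    subnets: tuple            # ip_network objects treated as "same or similar subnet"
    ports: frozenset
    user_agents: frozenset
    keywords: frozenset


@dataclass(frozen=True)
class Request:
    """The parts of network connection request Q that the scoring uses."""
    host: str                 # domain name or network address of server S
    port: int
    path: str
    user_agent: str


def identical_char_ratio(a: str, b: str) -> float:
    """Characters of `a` matched in order inside `b`, over the length of `a`."""
    if not a:
        return 0.0
    matched = sum(blk.size for blk in SequenceMatcher(None, a, b).get_matching_blocks())
    return matched / len(a)


def string_subvalue(candidate: str, known: frozenset) -> float:
    """Identical -> maximum; similar (ratio above cut-off) -> larger; else smaller."""
    if candidate in known:
        return MAXIMUM
    if any(identical_char_ratio(candidate, k) > SPECIFIED_RATIO for k in known):
        return LARGER
    return SMALLER


def is_address(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def subvalues(q: Request, known: KnownMalicious) -> dict:
    """The five degree-of-correlation sub-values of request Q."""
    if is_address(q.host):
        domain = MINIMUM                          # Q names S by address: no domain sub-value
        addr = ip_address(q.host)
        if str(addr) in known.addresses:
            address = MAXIMUM
        elif any(addr in net for net in known.subnets):
            address = LARGER
        else:
            address = SMALLER
    else:
        domain = string_subvalue(q.host.lower(), known.domains)
        address = MINIMUM                         # Q names S by domain: no address sub-value
    port = LARGER if q.port in known.ports else SMALLER
    user_agent = string_subvalue(q.user_agent, known.user_agents)
    tokens = re.findall(r"[a-z0-9]+", q.path.lower())   # the "keywords contained in Q"
    if any(t in known.keywords for t in tokens):
        keyword = MAXIMUM
    elif any(identical_char_ratio(t, k) > SPECIFIED_RATIO
             for t in tokens for k in known.keywords):
        keyword = LARGER
    else:
        keyword = SMALLER
    return {"domain": domain, "address": address, "port": port,
            "user_agent": user_agent, "keyword": keyword}


def correlation_degree(q: Request, known: KnownMalicious, weights=WEIGHTS) -> float:
    """Weighted sum of the sub-values; unit weights give the plain sum."""
    return sum(weights[name] * value for name, value in subvalues(q, known).items())


def is_possible_malicious(q: Request, known: KnownMalicious) -> bool:
    """Step S130: server S is a possible malicious server above threshold Y."""
    return correlation_degree(q, known) > THRESHOLD_Y


# Constructed sample data (RFC 5737 address range, .example names).
KNOWN = KnownMalicious(
    domains=frozenset({"free-ringtones-update.example"}),
    addresses=frozenset({"203.0.113.10"}),
    subnets=(ip_network("203.0.113.0/24"),),
    ports=frozenset({8080}),
    user_agents=frozenset({"MIDlet-Loader/1.0"}),
    keywords=frozenset({"cracked", "ringtone"}),
)
Q_EXACT = Request("free-ringtones-update.example", 8080, "/dl/ringtone_cracked.jar", "MIDlet-Loader/1.0")
Q_NEAR = Request("203.0.113.77", 8080, "/app/ringtones.apk", "MIDlet-Loader/1.1")
Q_BENIGN = Request("www.example.org", 443, "/index.html", "Mozilla/5.0 (Linux; Android 4.0)")

if __name__ == "__main__":
    for q in (Q_EXACT, Q_NEAR, Q_BENIGN):
        print(q.host, round(correlation_degree(q, KNOWN), 2), is_possible_malicious(q, KNOWN))
```

`Q_NEAR` is the case the address-list scheme of the Background misses: its address is not on the list, but the same subnet, the same port and a near-identical user agent and file name add up above Y. The two `MINIMUM` branches keep a single request from collecting both the domain and the address sub-value, as the description requires.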
In step S140, if the judgment of step S130 is affirmative, that is, the calculated correlation degree value of request Q is greater than threshold Y, all files of network server S are downloaded.
In step S150, a virus scan is performed on the downloaded files to check whether network server S contains a mobile phone virus.
In step S160, if the check result of step S150 shows that network server S does not contain a mobile phone virus, network server S is determined not to be a malicious server, and the flow ends.
In step S170, if the check result of step S150 shows that network server S contains a mobile phone virus, network server S is determined to be a malicious server, and the flow ends.
After network server S has been determined to be a malicious server, mobile terminal T may be prevented from connecting to network server S, or the user of mobile terminal T may be informed that network server S is a malicious server and that connecting to it carries the risk of infection by a mobile phone virus, or other measures may be taken.
As can be seen from the above description, in this embodiment it is first determined whether the network server the mobile terminal is about to connect to is a possible malicious server, and only when it is does a check of whether that network server contains a mobile phone virus finally determine whether it is a malicious server. Compared with prior-art schemes that detect malicious servers solely according to the network address or keywords, the scheme of this embodiment can therefore detect malicious servers correctly. Moreover, when deciding whether a server is malicious, the method provided by this embodiment does not simply compare server addresses or keywords but performs a similarity calculation, so that potential malicious servers can be found. In order to find malicious servers more accurately, and to avoid a non-malicious server being misjudged merely because it has some similarity to previously recorded information, the method further includes the downloading and checking steps, which ensures that malicious servers are detected comprehensively, accurately and efficiently and thereby improves network security. Furthermore, the method can take many factors into account when assessing similarity to known malicious servers, and so can detect malicious servers more accurately and efficiently. The technical schemes provided in the following embodiments also have the beneficial effects described above, which will not be repeated.
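Steps S140 to S170, and the decision they feed, as an added example written by the editor, not the patent's code. The "server" is an in-memory dict standing in for the files downloaded from network server S; executables are recognised by their leading magic bytes so that the executable-only download described later can be shown beside the all-files download; and the scanner matches one constructed marker string that stands in for a virus signature database, not a real signature. The cleaned-server case is the one the Background's prior-art schemes get wrong: its address may still be on a list, but stage 2 clears it.

```python
"""Stage 2 (steps S140 to S170) as an added example, not the patent's code.
The server dicts and the single SIGNATURES marker are constructed by the editor."""
from typing import Dict

# Leading magic bytes of executable formats a mobile terminal would run:
# ZIP containers (JAR/APK), Android DEX bytecode, ELF, and Windows PE.
EXECUTABLE_MAGIC = (b"PK\x03\x04", b"dex\n", b"\x7fELF", b"MZ")

# Constructed stand-in for a signature database: name -> byte pattern.
SIGNATURES = {"EDITOR-TEST-MARKER": b"EDITOR_CONSTRUCTED_MOBILE_VIRUS_MARKER"}


def is_executable(content: bytes) -> bool:
    """Classify a downloaded file as executable by its magic bytes."""
    return any(content.startswith(magic) for magic in EXECUTABLE_MAGIC)


def download(server: Dict[str, bytes], executables_only: bool = False) -> Dict[str, bytes]:
    """Step S140: all files of server S, or only its executable files."""
    return {path: content for path, content in server.items()
            if not executables_only or is_executable(content)}


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Step S150: map each file path that matches to the signature it matched."""
    hits = {}
    for path, content in files.items():
        for name, pattern in SIGNATURES.items():
            if pattern in content:
                hits[path] = name
                break
    return hits


def determine(possible_malicious: bool, server: Dict[str, bytes],
              executables_only: bool = False) -> str:
    """Steps S130 to S170 joined: 'not checked' when stage 1 was negative (the
    flow ends there), else 'malicious' (S170) or 'clean' (S160) from the scan."""
    if not possible_malicious:
        return "not checked"
    hits = scan(download(server, executables_only))
    return "malicious" if hits else "clean"


# Constructed servers. Both could sit on a stage-1 address list; only the first
# still carries the marker, once in an executable and once in a plain file.
INFECTED_SERVER = {
    "/index.html": b"<html>free ringtones</html>",
    "/dl/ringtone.jar": b"PK\x03\x04" + b"\x00" * 16 + SIGNATURES["EDITOR-TEST-MARKER"],
    "/dl/mirror.bin": b"\x00\x01" + SIGNATURES["EDITOR-TEST-MARKER"],
    "/dl/readme.txt": b"install the jar",
}
CLEANED_SERVER = {
    "/index.html": b"<html>free ringtones</html>",
    "/dl/ringtone.jar": b"PK\x03\x04" + b"\x00" * 32,
}

if __name__ == "__main__":
    print(determine(True, INFECTED_SERVER), determine(True, CLEANED_SERVER),
          determine(False, INFECTED_SERVER))
```

With `executables_only=True` the non-executable `/dl/mirror.bin` is never downloaded, so the scan reports one hit instead of two; the verdict for this server is the same either way, which is the trade-off the executable-only variant relies on.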
Those skilled in the art are to be understood that, although in the above embodiments, the information relevant with known malicious server comprises the domain name of known malicious server, the network address of known malicious server, the port numbers of known malicious server, the user agent relevant with known malicious server and the keyword relevant with known malicious server, but the present invention is not limited thereto.In some other embodiment of the present invention, the information relevant with known malicious server also can only comprise the domain name of known malicious server, the network address of known malicious server, known malicious server port numbers, connect known malicious server one or more in used user agent and the keyword relevant with known malicious server.
Those skilled in the art will understand that, although in the above embodiments the information relevant to known malicious servers consists of the domain names of known malicious servers, the network addresses of known malicious servers, the port numbers of known malicious servers, the user agents used to connect to known malicious servers and the keywords associated with known malicious servers, the present invention is not limited to this. In some other embodiments of the invention, the information relevant to known malicious servers is not those domain names, network addresses, port numbers, user agents and keywords, but rather the network connection requests that mobile terminals previously sent to malicious servers.
When the information relevant to known malicious servers is the network connection requests that mobile terminals previously sent to malicious servers, the correlation degree value of the network connection request Q sent by mobile terminal T to network server S is calculated from the similarity between Q and those previously sent requests. For example, when the ratio of the number of characters that Q has in common with a previously sent request to the total number of characters in Q is greater than a specified ratio, Q is given a larger correlation degree value; when that ratio is less than the specified ratio, Q is given a smaller correlation degree value.
Those skilled in the art will understand that, although in the above embodiments all files on network server S are downloaded and virus-scanned to check whether S contains mobile phone viruses, the present invention is not limited to this. In some other embodiments of the invention, only the executable files on network server S are downloaded and virus-scanned, because mobile phone viruses are generally hidden in executable files.
Those skilled in the art will understand that, although in the above embodiments whether network server S contains mobile phone viruses is checked by downloading all files, or all executable files, from S and virus-scanning them, the present invention is not limited to this. In some other embodiments of the invention, whether network server S contains mobile phone viruses can be checked in a way that does not require downloading files from S for virus scanning.
Those skilled in the art will understand that, although in the above embodiments the first, second, third, fourth and fifth degree-of-correlation subvalues of the network connection request are all calculated and used to compute its correlation degree value relevant to malicious servers, the present invention is not limited to this. In some other embodiments of the invention, only one, two, three or four of the five subvalues are calculated, and the correlation degree value of the network connection request is computed from those one, two, three or four subvalues.
Referring now to Fig. 2, which illustrates a device for detecting a malicious server according to one embodiment of the invention. Those skilled in the art will appreciate that the device 20 for detecting a malicious server can be located either in the mobile terminal or in any network physical entity of the network. In addition, device 20 can be implemented in software, in hardware, or in a combination of software and hardware.
As shown in Fig. 2, device 20 can comprise an acquisition module 210, a detection module 220, a checking module 230 and a determination module 240.
The acquisition module 210 obtains the network connection request N that mobile terminal T1 sends to network server S1. The detection module 220 detects, according to the prestored information relevant to known malicious servers and the obtained request N, whether network server S1 is a possible malicious server. The information relevant to known malicious servers can be one, several or all of: the domain names of known malicious servers, the network addresses of known malicious servers, the port numbers of known malicious servers, the user agents used to connect to known malicious servers, and the keywords associated with known malicious servers. When the detection result of detection module 220 is affirmative, the checking module 230 checks whether network server S1 contains mobile phone viruses. When the check result of checking module 230 is affirmative, the determination module 240 determines that network server S1 is a malicious server.
In addition, as shown in Fig. 3, detection module 220 can comprise: a computing module 222 for calculating, according to said information relevant to known malicious servers, the correlation degree value of the obtained request N relevant to malicious servers; and a determination module 224 for judging that network server S1 is a possible malicious server when the correlation degree value of request N is greater than a specified threshold.
In addition, detection module 220 can also comprise a storage module 226 for prestoring said information relevant to known malicious servers. Computing module 222 is then further used to calculate the correlation degree value of the obtained request N relevant to malicious servers according to the information stored by storage module 226.
In addition, computing module 222 can comprise at least one, two, three, four or five of a first computing module 2221, a second computing module 2222, a third computing module 2223, a fourth computing module 2224 and a fifth computing module 2225, together with a sixth computing module 2226. The first computing module 2221 calculates the first degree-of-correlation subvalue of request N according to the similarity between the domain name of network server S1 contained in request N and the domain names of known malicious servers. The second computing module 2222 calculates the second subvalue according to the similarity between the network address of network server S1 contained in request N and the network addresses of known malicious servers. The third computing module 2223 calculates the third subvalue according to whether the port number of server S1 contained in request N is among the port numbers of known malicious servers. The fourth computing module 2224 calculates the fourth subvalue according to the similarity between the user agent used in request N to connect to network server S1 and the user agents used to connect to known malicious servers. The fifth computing module 2225 calculates the fifth subvalue according to whether request N contains keywords associated with known malicious servers. The sixth computing module 2226 calculates the correlation degree value of request N from the subvalues calculated by said at least one, two, three, four or five computing modules.
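The scoring performed by detection module 220, together with the alternative embodiment above that compares a whole request with previously seen malicious requests by character overlap, as an added Python example (not the patent's own code). Because the patent does not fix them, it assumes that each subvalue is a ratio in [0, 1], that the character-overlap ratio is also used for domain-name and user-agent similarity, that address similarity is the share of leading address bytes shared, that the correlation degree value is the mean of the subvalues used, and that the threshold is 0.5; all sample data is constructed.

```python
"""Added illustration of the scoring of detection module 220 and of the
whole-request alternative; not the patent's code. Assumptions: subvalues are
ratios in [0, 1], correlation degree = mean of subvalues used, threshold 0.5."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

@dataclass
class KnownMaliciousInfo:
    """Prestored information relevant to known malicious servers (storage module 226)."""
    domains: set = field(default_factory=set)
    addresses: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    past_requests: set = field(default_factory=set)  # alternative embodiment

@dataclass
class ConnectionRequest:  # network connection request N from acquisition module 210
    url: str
    server_address: str
    user_agent: str

def char_overlap_ratio(q, p):
    """Characters of Q also found in P (with multiplicity) / characters in Q:
    the request-similarity measure the patent describes."""
    if not q:
        return 0.0
    return sum((Counter(q) & Counter(p)).values()) / len(q)

def best_overlap(q, candidates):
    return max((char_overlap_ratio(q, c) for c in candidates), default=0.0)

def domain_subvalue(req, info):      # first computing module 2221
    # Assumption: reuse the character overlap ratio for domain-name similarity.
    return best_overlap(urlsplit(req.url).hostname or "", info.domains)

def address_subvalue(req, info):     # second computing module 2222
    # Assumption: share of leading address bytes shared with the closest known address.
    a = ip_address(req.server_address).packed
    best = 0.0
    for known in info.addresses:
        b = ip_address(known).packed
        if len(a) == len(b):
            shared = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(a))
            best = max(best, shared / len(a))
    return best

def port_subvalue(req, info):        # third computing module 2223
    parts = urlsplit(req.url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return 1.0 if port in info.ports else 0.0

def user_agent_subvalue(req, info):  # fourth computing module 2224
    return best_overlap(req.user_agent, info.user_agents)  # same assumption as domains

def keyword_subvalue(req, info):     # fifth computing module 2225
    return 1.0 if any(k.lower() in req.url.lower() for k in info.keywords) else 0.0

SUBVALUE_MODULES = {"domain": domain_subvalue, "address": address_subvalue,
                    "port": port_subvalue, "user_agent": user_agent_subvalue,
                    "keyword": keyword_subvalue}

def correlation_degree(req, info, use=None):  # sixth computing module 2226
    """Mean of the selected subvalues; any one to five of them may be used."""
    names = tuple(use) if use else tuple(SUBVALUE_MODULES)
    return sum(SUBVALUE_MODULES[n](req, info) for n in names) / len(names)

def is_possible_malicious_server(req, info, threshold=0.5, use=None):  # module 224
    return correlation_degree(req, info, use) > threshold

def request_similarity(request_line, info):
    """Alternative embodiment: best overlap ratio against stored past requests."""
    return best_overlap(request_line, info.past_requests)

# Constructed sample data (documentation address ranges, not real indicators).
SAMPLE_INFO = KnownMaliciousInfo(
    domains={"bad-example.test"}, addresses={"203.0.113.10"}, ports={8080},
    user_agents={"EvilDownloader/1.0"}, keywords={"silent_install"},
    past_requests={"GET /get?silent_install=1&id=42 HTTP/1.1"})
SUSPICIOUS = ConnectionRequest("http://bad-example.test:8080/get?silent_install=1",
                               "203.0.113.25", "EvilDownloader/1.0")
BENIGN = ConnectionRequest("https://updates.example.org/app.apk",
                           "198.51.100.7", "Mozilla/5.0 (Linux; Android 4.0)")
```

The character-overlap measure is coarse: the benign request line `GET /index.html HTTP/1.1` still reaches an overlap of 20/24 against the stored malicious request, so the specified ratio must be set high and the virus-scan check of module 230 remains necessary before a server is declared malicious.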
In addition, as shown in Fig. 4, checking module 230 can comprise: a download module 232 for downloading files on network server S1; a scan module 234 for virus-scanning the downloaded files; and a confirmation module 236 for confirming that network server S1 contains mobile phone viruses when said virus scan finds that a downloaded file contains mobile phone viruses.
In addition, download module 232 can further be used to download all files, or all executable files, on network server S1.
Referring now to Fig. 5, which illustrates equipment for detecting a malicious server according to one embodiment of the invention. Those skilled in the art will appreciate that the device 30 for detecting a malicious server can be either a mobile terminal or any network physical entity on the network side of the mobile network.
As shown in Fig. 5, the device 30 for detecting a malicious server can comprise a memory 310 for storing executable instructions and a processor 320.
The processor 320 executes the instructions stored in memory 310 to perform the following steps: obtaining the network connection request M sent by a mobile terminal to network server SS; detecting, according to the prestored information relevant to known malicious servers and request M, whether network server SS is a possible malicious server; if the detection result is affirmative, checking whether network server SS contains mobile phone viruses; and, if the check result is affirmative, determining that network server SS is a malicious server.
In addition, the detecting step can comprise: calculating, according to said information relevant to known malicious servers, the correlation degree value of request M relevant to malicious servers; and, if said correlation degree value of request M is greater than a specified threshold, judging that network server SS is a possible malicious server.
In addition, the calculating step can comprise performing at least one, two, three, four or five of the following degree-of-correlation subvalue calculations: calculating the first degree-of-correlation subvalue of request M according to the similarity between the domain name of the server contained in M and the domain names of known malicious servers; calculating the second subvalue according to the similarity between the network address of the server contained in M and the network addresses of known malicious servers; calculating the third subvalue according to whether the port number of the server contained in M is among the port numbers of known malicious servers; calculating the fourth subvalue according to the similarity between the user agent used in M to connect to network server SS and the user agents used to connect to known malicious servers; calculating the fifth subvalue according to whether M contains said keywords associated with known malicious servers; and calculating the correlation degree value of M from the subvalues obtained by performing said at least one, two, three, four or five subvalue calculations.
In addition, the checking step can comprise: downloading files on network server SS; virus-scanning the downloaded files; and, if said virus scan finds that a downloaded file contains mobile phone viruses, judging that network server SS contains mobile phone viruses.
In addition, the downloading step may further comprise downloading all files, or all executable files, on network server SS.
Embodiments of the invention also provide a machine-readable medium storing program code which, when executed, causes a machine to perform the following steps: obtaining the network connection request Y sent by a mobile terminal to network server Z; detecting, according to the information relevant to known malicious servers and the obtained request Y, whether network server Z is a possible malicious server; if the detection result is affirmative, checking whether network server Z contains mobile phone viruses; and, if the check result is affirmative, determining that network server Z is a malicious server.
In addition, the detecting step can comprise: calculating, according to said information relevant to known malicious servers, the correlation degree value of request Y relevant to malicious servers; and, if said correlation degree value of request Y is greater than a specified threshold, judging that network server Z is a possible malicious server.
In addition, the calculating step can comprise performing at least one, two, three, four or five of the following degree-of-correlation subvalue calculations: calculating the first degree-of-correlation subvalue of request Y according to the similarity between the domain name of the server contained in Y and the domain names of known malicious servers; calculating the second subvalue according to the similarity between the network address of the server contained in Y and the network addresses of known malicious servers; calculating the third subvalue according to whether the port number of the server contained in Y is among the port numbers of known malicious servers; calculating the fourth subvalue according to the similarity between the user agent used in Y to connect to network server Z and the user agents used to connect to known malicious servers; calculating the fifth subvalue according to whether Y contains keywords associated with known malicious servers; and calculating the correlation degree value of Y from the subvalues obtained by performing said at least one, two, three, four or five subvalue calculations.
In addition, the checking step can comprise: downloading files on network server Z; virus-scanning the downloaded files; and, if said virus scan finds that a downloaded file contains mobile phone viruses, judging that network server Z contains mobile phone viruses.
In addition, the downloading step may further comprise downloading all files, or all executable files, on network server Z.
The invention has been shown and described in detail above with reference to the drawings and embodiments, but it is not restricted to the disclosed embodiments; other solutions that those skilled in the art derive from them also fall within the scope of protection of the invention. The scope of protection of the invention should therefore be defined by the appended claims.

Claims (6)

1. A method for detecting a malicious server, comprising the steps of:
obtaining a network connection request sent by a mobile terminal to a network server;
detecting, according to prestored information relevant to known malicious servers and the obtained network connection request, whether said network server is a possible malicious server, wherein said detecting step comprises:
performing at least two of the following degree-of-correlation subvalue calculations: calculating a first degree-of-correlation subvalue of said network connection request according to the similarity between the domain name of the server contained in the network connection request and the domain names of known malicious servers; calculating a second degree-of-correlation subvalue of said network connection request according to the similarity between the network address of the server contained in said network connection request and the network addresses of known malicious servers; calculating a third degree-of-correlation subvalue of said network connection request according to whether the port number of the server contained in said network connection request is among the port numbers of known malicious servers; calculating a fourth degree-of-correlation subvalue of said network connection request according to the similarity between the user agent contained in said network connection request and the user agents used to connect to known malicious servers; and calculating a fifth degree-of-correlation subvalue of said network connection request according to whether said network connection request contains keywords associated with known malicious servers;
calculating, from the degree-of-correlation subvalues obtained by performing said at least two subvalue calculations, the correlation degree value of said network connection request relevant to malicious servers; and
if said correlation degree value of said network connection request is greater than a specified threshold, judging that said network server is a possible malicious server;
if the detection result is affirmative, checking whether said network server contains mobile phone viruses; and
if the check result is affirmative, determining that said network server is a malicious server.
2. The method of claim 1, wherein said checking step comprises:
downloading files on said network server;
virus-scanning the downloaded files; and
if said virus scan finds that a downloaded file contains mobile phone viruses, judging that said network server contains mobile phone viruses.
3. The method of claim 2, wherein said downloading step further comprises:
downloading all files, or all executable files, on said network server.
4. A device for detecting a malicious server, comprising:
an acquisition module (210) for obtaining a network connection request sent by a mobile terminal to a network server;
a detection module (220) for detecting, according to prestored information relevant to known malicious servers and the obtained network connection request, whether said network server is a possible malicious server, wherein said detection module (220) comprises at least two computing modules among a first computing module (2221), a second computing module (2222), a third computing module (2223), a fourth computing module (2224) and a fifth computing module (2225), together with a sixth computing module (2226) and a determination module (224), wherein:
said first computing module (2221) is for calculating a first degree-of-correlation subvalue of said network connection request according to the similarity between the domain name of the server contained in said network connection request and the domain names of known malicious servers;
said second computing module (2222) is for calculating a second degree-of-correlation subvalue of said network connection request according to the similarity between the network address of the server contained in said network connection request and the network addresses of known malicious servers;
said third computing module (2223) is for calculating a third degree-of-correlation subvalue of said network connection request according to whether the port number of the server contained in said network connection request is among the port numbers of known malicious servers;
said fourth computing module (2224) is for calculating a fourth degree-of-correlation subvalue of said network connection request according to the similarity between the user agent contained in said network connection request and the user agents used to connect to known malicious servers;
said fifth computing module (2225) is for calculating a fifth degree-of-correlation subvalue of said network connection request according to whether said network connection request contains keywords associated with known malicious servers;
said sixth computing module (2226) is for calculating the correlation degree value of said network connection request relevant to malicious servers from the degree-of-correlation subvalues calculated by said at least two computing modules among the first to fifth computing modules; and
said determination module (224) is for judging that said network server is a possible malicious server if said correlation degree value is greater than a specified threshold;
a checking module (230) for checking, when the detection result is affirmative, whether said network server contains mobile phone viruses; and
a determination module (240) for determining, when the check result is affirmative, that said network server is a malicious server.
5. The device of claim 4, wherein said checking module (230) comprises:
a download module (232) for downloading files on said network server;
a scan module (234) for virus-scanning the downloaded files; and
a confirmation module (236) for confirming that said network server contains mobile phone viruses when said virus scan finds that a downloaded file contains mobile phone viruses.
6. The device of claim 5, wherein
said download module (232) is specifically for downloading all files, or all executable files, on said network server.
CN201110341370.8A 2011-11-02 2011-11-02 A kind of method and apparatus for detection of malicious server Expired - Fee Related CN103096321B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110341370.8A CN103096321B (en) 2011-11-02 2011-11-02 A kind of method and apparatus for detection of malicious server

Publications (2)

Publication Number Publication Date
CN103096321A CN103096321A (en) 2013-05-08
CN103096321B true CN103096321B (en) 2015-11-25

Family

ID=48208336

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20151125

Termination date: 20171102