Summary of the invention
The object of the invention is to provide a detection method, apparatus and system for detecting a hacker's server which can accurately identify whether a response packet was sent by a hacker's server, thereby safeguarding the online transactions of the user terminal.
According to one aspect of the invention, a detection method for detecting a hacker's server is provided, comprising:
Obtaining response packets and assembling them into a data stream;
Extracting the feature fields from the data stream, the feature fields in the data stream comprising: title, form name, and form action;
Judging whether the title of the extracted feature fields of the data stream is stored in a database;
When the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to that title in the data stream is inconsistent with the form name stored in the database for that title, judging that the response packet corresponding to the data stream is a response packet sent by a hacker's server, the feature fields stored in the database being the feature fields of the web pages of non-hacker's servers;
When the title of the extracted feature fields of the data stream is not stored in the database, reminding the user terminal that the feature fields of the data stream are not stored in the database, and prompting the user terminal as to whether the feature fields of the data stream should be stored in the database;
If the packet is judged to be a response packet sent by a hacker's server, interrupting the connection with the hacker's server.
According to a further aspect of the invention, a detection apparatus for detecting a hacker's server is provided, comprising:
An assembly module, configured to assemble the received response packets into a data stream;
An extraction module, configured to extract the feature fields of the data stream, the feature fields in the data stream comprising: title, form name, and form action;
A judgement module, configured to judge whether the title of the extracted feature fields of the data stream is stored in a database and, when the title is stored in the database and the form name corresponding to that title in the data stream is inconsistent with the form name stored in the database for that title, to judge that the response packet corresponding to the data stream is a response packet sent by a hacker's server, the feature fields stored in the database being the feature fields of the web pages of non-hacker's servers;
A management module, configured to interrupt the connection between the user terminal and the hacker's server when the response packet is judged to have been sent by a hacker's server;
The judgement module being further configured, when the title is not stored in the database, to notify the management module to remind the user terminal that the feature fields of the data stream are not stored in the database and to prompt the user terminal as to whether the feature fields of the data stream should be stored in the database.
According to a further aspect of the invention, a detection system is provided. The detection system is connected through a network to a non-hacker's server or a hacker's server, and is connected to a user terminal, and comprises:
A receiving apparatus, configured to receive the packets that the non-hacker's server or the hacker's server sends to the user terminal;
A detection apparatus, configured to detect whether the response packets among the packets received by the receiving apparatus are response packets sent by the hacker's server;
The detection apparatus comprising:
An acquisition module, configured to obtain the response packets from the received packets;
A filtering module, configured to filter out the response packets having an identical five-tuple and to judge whether to stop obtaining response packets, the five-tuple being source IP, destination IP, source port, destination port and protocol type;
An assembly module, configured to receive the response packets sent by the filtering module and, when it is judged that obtaining response packets should stop, to assemble them into a data stream;
A database, configured to store the feature fields of the web pages of the non-hacker's server, the feature fields comprising title, form name and form action;
An extraction module, configured to extract the feature fields of the data stream;
A judgement module, configured to judge whether the response packet corresponding to the data stream is a response packet sent by the hacker's server according to whether the feature fields of the data stream are consistent with the feature fields stored in the database;
The judgement module being further configured, when it judges that the title is stored in the database, to judge whether the form name corresponding to that title in the data stream is consistent with the form name stored in the database for that title, and, when it judges that the form names are inconsistent, to judge that the response packet corresponding to the data stream is a response packet sent by the hacker's server;
A management module, configured to interrupt the connection between the user terminal and the hacker's server when the response packet is judged to have been sent by the hacker's server.
The detection method, apparatus and system of the embodiments of the invention reassemble the obtained packets into a data stream, extract the feature fields of the data stream, and compare the extracted feature fields with the stored feature fields. In this way they can accurately identify whether a response packet comes from the phishing website of a hacker's server, thereby safeguarding the online transactions of the user terminal.
Embodiment
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is the application architecture diagram of the detection system 2 of the embodiment of the invention. In the present embodiment, the user terminal 1 is connected to the network 3 through the detection system 2, and communicates through the network 3 with the non-hacker's server 4 or the hacker's server 5. In the present embodiment, the non-hacker's server 4 is the official server of a bank or financial website, and the hacker's server 5 is a hacker's phishing website. When the non-hacker's server 4 receives a packet from the user terminal 1 requesting a web page, it returns to the user terminal 1 a response packet corresponding to that request packet; if at the same time the hacker's server 5 also accepts the user terminal 1's request packet for the web page, it likewise returns to the user terminal 1 another response packet corresponding to that request packet. In other embodiments, the non-hacker's server 4 may also be the official server of another website. The detection system 2 is used to detect whether the response packets among the packets sent to the user terminal 1 are response packets sent by the hacker's server 5; in the present embodiment, it determines whether a response packet among the packets sent to the user terminal 1 was sent by the non-hacker's server 4 or by the hacker's server 5. In the present embodiment, the response packet is an HTTP/1.1 200 OK packet, where 1.1 denotes the HTTP protocol version and 200 OK indicates that the request of the user terminal 1 was accepted and the requested web document was found.
Fig. 2 is the structure diagram of the detection system 2 of the embodiment of the invention. In the present embodiment, the detection system 2 (an anti-phishing system) comprises a receiving apparatus 21 and a detection apparatus 22. The receiving apparatus 21 is used to receive the packets that the non-hacker's server 4 or the hacker's server 5 sends to the user terminal 1.
The detection apparatus 22 is used to detect whether the response packets among the packets received by the receiving apparatus 21 are response packets sent by the hacker's server 5; in the present embodiment, it determines whether a response packet among the packets received by the receiving apparatus 21 was sent by the non-hacker's server 4 or by the hacker's server 5. The detection apparatus 22 comprises an acquisition module 220, a filtering module 221, an assembly module 222, an extraction module 223, a judgement module 224, a database 225, an output module 226 and a management module 227.
The database 225 is used to store the feature fields of the web pages of the non-hacker's server 4.
The acquisition module 220 is used to obtain the response packets from the packets received by the receiving apparatus 21 and to send the obtained response packets to the filtering module 221. In the present embodiment, the response packets are HTTP/1.1 200 OK packets.
The management module 227 is used to control the type of packets that the acquisition module 220 obtains.
The filtering module 221 is used to filter the response packets obtained by the acquisition module 220 and to judge whether to stop obtaining response packets. In the present embodiment, the filtering module 221 filters out, from the response packets obtained by the acquisition module 220, those having an identical five-tuple, and sends the filtered-out response packets with the identical five-tuple to the assembly module 222. In the present embodiment, the five-tuple is source IP, destination IP, source port, destination port and protocol type. In the present embodiment, the filtering module 221 judges whether to stop obtaining response packets by judging whether the filtered-out response packets with the identical five-tuple contain the character string </html> or </HTML>. If it judges that the filtered-out response packets contain the string </html> or </HTML>, it judges that obtaining response packets should stop, notifies the management module 227 to control the acquisition module 220 to stop obtaining the packets received by the receiving apparatus 21, and notifies the management module 227 to send an execute-assembly control command.
The assembly module 222 is used, upon receiving the execute-assembly control command sent by the management module 227, to assemble the filtered-out response packets with the identical five-tuple sent by the filtering module 221 into an HTML data stream, and, after the data stream has been assembled, to notify the management module 227 to send an execute-extraction control command. In the present embodiment, the HTML data stream is the data stream of a web page.
The extraction module 223 is used, upon receiving the execute-extraction control command sent by the management module 227, to extract the feature fields from the HTML data stream assembled by the assembly module 222. In the present embodiment, the feature fields comprise title, form name and form action. In HTML, the field between the <title> and </title> tags is the title of the web page, and the fields represented by the ellipses in <form ... action=...> are the form name and the form action of the page respectively; each title corresponds to one form name and one form action. In the present embodiment, after the extraction module 223 has extracted the feature fields, it notifies the management module 227 to send an execute-judgement control command.
The judgement module 224 is used, upon receiving the execute-judgement control command sent by the management module 227, to judge whether the feature fields corresponding to the data stream sent by the extraction module 223 are consistent with the feature fields of the web pages of the non-hacker's server 4 stored in the database 225.
In the present embodiment, the judgement module 224 first judges whether the title among the feature fields corresponding to the data stream sent by the extraction module 223 is stored in the database 225. If it judges that the title is not stored in the database 225, it notifies the management module 227 to remind the user terminal 1 that the feature fields corresponding to this data stream are not stored in the database 225 and to prompt the user terminal 1 as to whether the feature fields corresponding to this data stream should be stored in the database 225, and sends the data stream to the output module 226. If it judges that the title is stored in the database 225, it judges whether the form name corresponding to the title in the data stream is consistent with the form name corresponding to that title stored in the database 225.
If the judgement module 224 judges that the form names are inconsistent, it notifies the management module 227 to remind the user that the server corresponding to this data stream is the hacker's server 5, and to interrupt the connection between the user terminal 1 and the hacker's server 5. If the judgement module 224 judges that the form names are consistent, it judges whether the form action corresponding to the title in the data stream is consistent with the form action corresponding to that title stored in the database 225.
If the judgement module 224 judges that the form actions are inconsistent, it notifies the management module 227 to remind the user that the server corresponding to this data stream is the hacker's server 5, and to interrupt the connection between the user terminal 1 and the hacker's server 5. If it judges that the form actions are consistent, the server corresponding to this data stream is the non-hacker's server 4, and it notifies the management module 227 to send an execute-forwarding control command.
The output module 226 is used, upon receiving the execute-forwarding control command sent by the management module 227, to forward the data stream sent by the judgement module 224 to the user terminal 1.
The detection system and detection apparatus provided by the embodiments of the invention reassemble the obtained packets into an HTML data stream, extract the feature fields of the data stream, and compare the extracted feature fields with the stored feature fields, and can thereby accurately identify whether a response packet comes from a hacker's server, safeguarding the online transactions of the user terminal.
Fig. 3 is the overview flow chart of the detection method of the embodiment of the invention.
In the present embodiment, in step S200, the packets sent by a server are received. In the present embodiment, the server may be a non-hacker's server or a hacker's server.
In step S202, the response packets among the received packets are obtained and reassembled into an HTML data stream.
In step S204, the feature fields are extracted from the assembled HTML data stream. In the present embodiment, the feature fields comprise title, form name and form action. In HTML, the field between the <title> and </title> tags is the title of the web page, and the fields represented by the ellipses in <form ... action=...> are the form name and the form action of the page respectively; each title corresponds to one form name and one form action.
In step S206, it is judged whether the feature fields in the assembled data stream are consistent with the feature fields stored in the database. In the present embodiment, the feature fields comprise title, form name and form action.
If they are judged consistent, that is, the server corresponding to this data stream is a non-hacker's server, step S210 is entered and the data stream is forwarded to the user terminal;
If they are judged inconsistent, that is, the server corresponding to this data stream is a hacker's server, step S208 is entered: the user terminal is reminded that the server corresponding to this data stream is a hacker's server, and the connection between the user terminal and the hacker's server is interrupted.
Fig. 4 is the particular flow sheet of the detection method of the embodiment of the invention.
In the present embodiment, steps S300 to S304 are identical to steps S200 to S204 of Fig. 3 and are not repeated here.
In step S306, it is judged whether the title of the extracted feature fields of the data stream is stored in the database.
If it is judged that the title of the extracted feature fields of the data stream is not stored in the database, step S308 is entered: the user terminal is reminded that the feature fields of this data stream are not stored in the database, and the user terminal is prompted as to whether the feature fields of this data stream should be stored in the database. After step S308 is executed, step S318 is entered and the data stream is forwarded to the user terminal.
If it is judged that the title of the extracted feature fields of the data stream is stored in the database, step S310 is entered, and the form name and form action corresponding to this title are obtained from the database.
In step S312, it is judged whether the form name of the extracted feature fields of the data stream is consistent with the obtained form name. If they are judged inconsistent, step S316 is entered: the user terminal is reminded that the server corresponding to this data stream is a hacker's server, and the connection between the user terminal and the hacker's server is interrupted. If they are judged consistent, step S314 is entered.
In step S314, it is judged whether the form action of the extracted feature fields of the data stream is consistent with the obtained form action. If they are judged inconsistent, step S316 is entered: the user terminal is reminded that the server corresponding to this data stream is a hacker's server, and the connection between the user terminal and the hacker's server is interrupted. If they are judged consistent, that is, the server corresponding to this data stream is a non-hacker's server, step S318 is entered.
In step S318, the data stream is sent to the user terminal.
Fig. 5 is the particular flow sheet of step S302 of Fig. 4 of the embodiment of the invention.
In the present embodiment, in step S400, the response packets among the received packets are obtained. In the present embodiment, the response packets are HTTP/1.1 200 OK packets.
In step S402, the response packets having an identical five-tuple are filtered out. In the present embodiment, the five-tuple is source IP, destination IP, source port, destination port and protocol type.
In step S404, it is judged whether to stop obtaining response packets. In the present embodiment, it is judged whether the filtered-out response packets with the identical five-tuple contain the character string </html> or </HTML>.
If it is judged that the filtered-out response packets contain the string </html> or </HTML>, that is, obtaining response packets should stop, step S414 is entered: obtaining response packets is stopped, and the response packets obtained so far are assembled into an HTML data stream.
If it is judged that the filtered-out response packets do not contain the string </html> or </HTML>, that is, response packets still need to be obtained, the method returns to step S400.
The detection method provided by the embodiments of the invention reassembles the obtained packets into an HTML data stream, extracts the feature fields of the data stream, and compares the extracted feature fields with the stored feature fields, and can thereby accurately identify whether a response packet comes from a hacker's server, safeguarding the online transactions of the user terminal.
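The following Python example is added here to illustrate the method of Fig. 4 (steps S306 to S318) and Fig. 5 (steps S400 to S414) together; it is not code from the patent. Response segments are grouped by five-tuple until the string </html> is seen, the title, form name and form action are extracted from the assembled HTML, and each stream is judged against a database of legitimate feature fields. The database contents, IP addresses, ports, page titles and URLs are all constructed sample values.

```python
import re
from collections import defaultdict

# Constructed database of feature fields of legitimate (non-hacker's server) pages:
# title -> (form name, form action). Hypothetical values, not taken from the patent.
FEATURE_DB = {
    "Example Bank - Login": ("loginForm", "https://www.example-bank.test/login"),
}

def reassemble_streams(packets):
    """Steps S400-S414: buffer response packets per five-tuple until </html> is seen."""
    buffers, streams = defaultdict(list), {}
    for pkt in packets:
        # Five-tuple: source IP, destination IP, source port, destination port, protocol.
        key = (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"], pkt["proto"])
        buffers[key].append(pkt["payload"])
        joined = b"".join(buffers[key])
        if re.search(rb"</html>", joined, re.IGNORECASE):   # </html> or </HTML>: stop acquiring
            streams[key] = joined.decode("utf-8", errors="replace")
            del buffers[key]
    return streams          # flows without a closing tag stay buffered and are not judged

def extract_features(html):
    """Step S204: title, form name and form action of the assembled HTML stream."""
    title = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    form = re.search(r"<form\b([^>]*)>", html, re.IGNORECASE)
    attrs = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*["\']([^"\']*)', form.group(1))} if form else {}
    return (title.group(1).strip() if title else None, attrs.get("name"), attrs.get("action"))

def judge(features, db=FEATURE_DB):
    """Steps S306-S318: compare the extracted feature fields with the database."""
    title, name, action = features
    if title not in db:
        return "unknown"                  # S308: prompt the user whether to store the fields
    db_name, db_action = db[title]
    if name != db_name:
        return "phishing:form_name"       # S312 -> S316: hacker's server, interrupt connection
    if action != db_action:
        return "phishing:form_action"     # S314 -> S316: hacker's server, interrupt connection
    return "legitimate"                   # S318: non-hacker's server, forward to the user

def detect(packets, db=FEATURE_DB):
    """Whole pipeline: one verdict per completed five-tuple flow."""
    return {k: judge(extract_features(h), db) for k, h in reassemble_streams(packets).items()}

# Constructed sample HTTP/1.1 200 OK responses (not captured traffic), split into two segments each.
def _page(title, action):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><title>" + title
            + b'</title></head><body><form name="loginForm" action="' + action
            + b'" method="post"></form></body></html>')

def _segments(payload, src_ip, client_port):
    hdr = {"src_ip": src_ip, "dst_ip": "192.0.2.10", "src_port": 80, "dst_port": client_port, "proto": "TCP"}
    half = len(payload) // 2
    return [dict(hdr, payload=payload[:half]), dict(hdr, payload=payload[half:])]

_legit = _segments(_page(b"Example Bank - Login", b"https://www.example-bank.test/login"), "198.51.100.5", 50001)
_phish = _segments(_page(b"Example Bank - Login", b"https://example-bank.login-verify.test/login"), "203.0.113.9", 50002)
_other = _segments(_page(b"Some Other Site", b"https://other.test/search"), "198.51.100.7", 50003)
SAMPLE_PACKETS = [_legit[0], _phish[0], _other[0], _legit[1], _phish[1], _other[1]]  # interleaved flows

if __name__ == "__main__":
    for key, verdict in detect(SAMPLE_PACKETS).items():
        print(key[0], "->", verdict)
```

The third sample flow shows the S308 path: its title is absent from the database, so it is neither blocked nor confirmed, and a deployment would prompt the user before storing its fields.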
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of each of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention may still be modified or equivalently replaced, and that such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the invention.