CN101325495B - Method, apparatus and system for detecting hacker server - Google Patents

Method, apparatus and system for detecting hacker server

Info

Publication number
CN101325495B
Authority
CN
China
Prior art keywords
data bag
reply data
data flow
hacker
title
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008100685041A
Other languages
Chinese (zh)
Other versions
CN101325495A (en)
Inventor
黄敏
欧阳万斌
朱洪亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2008100685041A
Publication of CN101325495A
Application granted
Publication of CN101325495B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses a detection method applied to detecting a hacker server, comprising: acquiring response packets and assembling them into a data stream; extracting the feature fields of the data stream; judging whether the response packets corresponding to the data stream were sent by the hacker server by judging whether the feature fields in the data stream are identical to the stored feature fields; and, if they are judged to be response packets sent by the hacker server, interrupting the connection to the hacker server. The embodiment of the invention also provides a device and a system, which can accurately recognize whether a response packet comes from a phishing website of the hacker server, thereby guaranteeing the security of the user terminal's network transactions.

Description

Detection method, apparatus and system applied to detecting a hacker server
Technical field
The embodiment of the invention relates to the field of mobile communication technology, and in particular to a detection method, device and system applied to detecting a hacker server.
Background art
With the rapid development of the Internet, networks have reached into every aspect of people's daily lives and have made life more convenient. In particular, the appearance of online banking has made online shopping and banking operations such as online transactions faster. At the same time, sensitive information such as a user's online-banking account numbers and passwords, and those of other financial institutions, has become the main target of network hackers. When an ordinary user carries out an online transaction or bank transfer through online banking, the user normally first enters his or her account number and password on the bank's or financial institution's website and then performs the transaction. Generally, the user's account number and password are submitted to the server by means of a form. A form is a way for a client user to submit data to the server in a standard format; in Hypertext Markup Language (HTML), a form is expressed by a <form ... action=...> tag, and the action attribute of the form sets the URL (Uniform Resource Locator) of the target page to which the form data will be sent. Network hackers usually forge the official website of a bank or financial institution and modify the action attribute of the form (phishing), so that the user cannot tell whether the bank or financial website currently being operated is the real one, and thereby steal the user's account number and password.
To counter the phishing behaviour of network hackers, users are usually warned against phishing by e-mail and asked to report phishing websites when they find them. The URLs of phishing websites are collected in this way to build a blacklist database of phishing websites. When a user requests a URL, the requested URL is compared with the URLs in the existing blacklist database of phishing websites; if it is present, the site is judged to be a phishing website, otherwise it is regarded as a safe website.
In the course of implementing the embodiments of the invention, the inventors found at least the following problems in the prior art: because the blacklist database is built mainly from user reports, its timeliness and completeness are both poor; at the same time, because the lifetime of a phishing website is generally very short and hundreds of new phishing websites appear every day, the accuracy of judging whether a site is a phishing website cannot be guaranteed.
Summary of the invention
The object of the invention is to provide a detection method, apparatus and system applied to detecting a hacker server, which can accurately recognize whether a response packet comes from a hacker server, thereby guaranteeing the security of the user terminal's online transactions.
According to one aspect of the invention, a detection method applied to detecting a hacker server is provided, comprising:
obtaining response packets and assembling them into a data stream;
extracting the feature fields in said data stream, the feature fields in said data stream comprising: title, form name, form target page;
judging whether the title of the extracted feature fields of the data stream is stored in a database;
when the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to said title in said data stream is inconsistent with the form name corresponding to said title stored in said database, judging that the response packets corresponding to said data stream are response packets sent by a hacker server, the feature fields stored in said database being the feature fields of web pages of non-hacker servers;
when the title of the extracted feature fields of the data stream is not stored in the database, reminding said user terminal that the feature fields of said data stream are not stored in said database, and asking said user terminal whether to store the feature fields of said data stream in said database;
if the response packets are judged to be response packets sent by the hacker server, interrupting the connection with said hacker server.
According to another aspect of the invention, a detection device applied to detecting a hacker server is provided, comprising:
an assembly module, for assembling the received response packets into a data stream;
an extraction module, for extracting the feature fields of said data stream, the feature fields in said data stream comprising: title, form name, form target page;
a judgement module, for judging whether the title of the extracted feature fields of the data stream is stored in a database, and, when the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to said title in said data stream is inconsistent with the form name corresponding to said title stored in said database, judging that the response packets corresponding to said data stream are response packets sent by a hacker server, the feature fields stored in said database being the feature fields of web pages of non-hacker servers;
a management module, for interrupting the connection between the user terminal and said hacker server when the response packets are judged to be response packets sent by the hacker server;
said judgement module also being used, when said title is not stored in said database, to notify the management module to remind said user terminal that the feature fields of said data stream are not stored in said database and to ask said user terminal whether to store the feature fields of said data stream in said database.
According to a further aspect of the invention, a detection system is provided, said detection system being connected through a network with a non-hacker server or a hacker server, and being connected with a user terminal, said detection system comprising:
a receiving device, for receiving the packets that the non-hacker server or the hacker server sends to said user terminal;
a detection device, for detecting whether the response packets among the packets received by said receiving device are response packets sent by said hacker server;
said detection device comprising:
an acquisition module, for obtaining said response packets from the received packets;
a filtering module, for filtering out said response packets having the same five-tuple and judging whether to stop obtaining said response packets, said five-tuple being source IP, destination IP, source port, destination port and protocol type;
an assembly module, for receiving said response packets sent by said filtering module and assembling them into a data stream when it is judged that obtaining said response packets should stop;
a database, for storing the feature fields of the web pages of non-hacker servers, said feature fields comprising title, form name and form target page;
an extraction module, for extracting the feature fields of said data stream;
a judgement module, for judging, according to whether the feature fields of said data stream are consistent with the feature fields stored in said database, whether the response packets corresponding to said data stream are response packets sent by said hacker server;
said judgement module also being used, when it judges that said title is stored in said database, to judge whether the form name corresponding to said title in said data stream is consistent with the form name corresponding to said title stored in said database, and, when it judges that said form names are inconsistent, to judge that the response packets corresponding to said data stream are response packets sent by said hacker server;
a management module, for interrupting the connection between said user terminal and said hacker server when the response packets are judged to be response packets sent by said hacker server.
In the detection method, apparatus and system of the embodiments of the invention, the obtained packets are reassembled into a data stream, the feature fields of the data stream are extracted, and the extracted feature fields are compared with the stored feature fields; this makes it possible to accurately recognize whether a response packet comes from a phishing website of a hacker server, thereby guaranteeing the security of the user terminal's online transactions.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the application architecture diagram of the detection system of the embodiment of the invention;
Fig. 2 is the structure diagram of the detection system of the embodiment of the invention;
Fig. 3 is the overall flow chart of the detection method of the embodiment of the invention;
Fig. 4 is the detailed flow chart of the detection method of the embodiment of the invention;
Fig. 5 is the detailed flow chart of step S302 of Fig. 4 of the embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
Fig. 1 is the application architecture diagram of the detection system 2 of the embodiment of the invention. In this embodiment, the user terminal 1 is connected to the network 3 through the detection system 2, and communicates through the network 3 with a non-hacker server 4 or a hacker server 5. In this embodiment, the non-hacker server 4 is the official server of a bank's or financial institution's website, and the hacker server 5 is a hacker's phishing website. When the non-hacker server 4 receives the user terminal 1's request packet for a web page, it returns to the user terminal 1 a response packet corresponding to that request packet; if the hacker server 5 also accepts the user terminal 1's request packet for the web page, it too returns to the user terminal 1 a response packet corresponding to that request packet. In other embodiments, the non-hacker server 4 may also be the official server of another website. The detection system 2 is used to detect whether the response packets among the packets sent to the user terminal 1 are response packets sent by the hacker server 5. In this embodiment, the detection system 2 detects whether the response packets among the packets sent to the user terminal 1 are response packets sent by the non-hacker server 4 or response packets sent by the hacker server 5. In this embodiment, the response packets are HTTP/1.1 200 OK packets, where 1.1 indicates the version number of the HTTP protocol and 200 OK indicates that the user terminal 1's request was accepted and the requested web document was found.
Fig. 2 is the structure diagram of the detection system 2 of the embodiment of the invention. In this embodiment, the anti-phishing system 2 comprises a receiving device 21 and a detection device 22. The receiving device 21 is used to receive the packets that the non-hacker server 4 or the hacker server 5 sends to the user terminal 1.
The detection device 22 is used to detect whether the response packets among the packets received by the receiving device 21 are response packets sent by the hacker server 5. In this embodiment, the detection device 22 detects whether the response packets among the packets received by the receiving device 21 are response packets sent by the non-hacker server 4 or response packets sent by the hacker server 5. The detection device 22 comprises an acquisition module 220, a filtering module 221, an assembly module 222, an extraction module 223, a judgement module 224, a database 225, an output module 226 and a management module 227.
The database 225 is used to store the feature fields of the web pages of the non-hacker server 4.
The acquisition module 220 is used to obtain the response packets from the packets received by the receiving device 21 and to send the obtained response packets to the filtering module 221. In this embodiment, the response packets are HTTP/1.1 200 OK packets.
The management module 227 is used to control the type of packets that the acquisition module 220 obtains.
The filtering module 221 is used to filter the response packets obtained by the acquisition module 220 and to judge whether to stop obtaining response packets. In this embodiment, the filtering module 221 filters out, from the response packets obtained by the acquisition module 220, the response packets that have the same five-tuple, and sends the filtered response packets having the same five-tuple to the assembly module 222. In this embodiment, the five-tuple is source IP, destination IP, source port, destination port and protocol type. In this embodiment, the filtering module 221 judges whether to stop obtaining response packets by judging whether the filtered response packets having the same five-tuple contain the character string </html> or </HTML>; if it judges that the filtered response packets contain the character string </html> or </HTML>, i.e. judges that obtaining response packets should stop, it notifies the management module 227 to control the acquisition module 220 to stop obtaining the packets received by the receiving device 21, and notifies the management module 227 to send an assembly-execution control command.
The assembly module 222 is used, on receiving the assembly-execution control command sent by the management module 227, to assemble the filtered response packets having the same five-tuple sent by the filtering module 221 into an HTML data stream, and, after the data stream has been assembled, to notify the management module 227 to send an extraction-execution control command. In this embodiment, the HTML data stream is the data stream of a web page.
The extraction module 223 is used, on receiving the extraction-execution control command sent by the management module 227, to extract the feature fields from the HTML data stream assembled by the assembly module 222. In this embodiment, the feature fields comprise title, form name and form target page. In this embodiment, in the HTML language, the field between the tags <title> and </title> is the title of the web page, and the fields represented by the ellipses in <form ... action=...> are the form name and the form target page respectively; each title corresponds to one form name and one form target page. In this embodiment, after the extraction module 223 has extracted the feature fields, it notifies the management module 227 to send a judgement-execution control command.
The judgement module 224 is used, on receiving the judgement-execution control command sent by the management module 227, to judge whether the feature fields corresponding to the data stream sent by the extraction module 223 are consistent with the feature fields of the web pages of the non-hacker server 4 stored in the database 225.
In this embodiment, the judgement module 224 first judges whether the title in the feature fields corresponding to the data stream sent by the extraction module 223 is stored in the database 225. If it judges that the title is not stored in the database 225, it notifies the management module 227 to remind the user terminal 1 that the feature fields corresponding to this data stream are not stored in the database 225, to ask the user terminal 1 whether to store the feature fields corresponding to this data stream in the database 225, and to send this data stream to the output module 226. If it judges that the title is stored in the database 225, it then judges whether the form name corresponding to the title of the data stream is consistent with the form name corresponding to that title stored in the database 225.
If the judgement module 224 judges that the form names are inconsistent, it notifies the management module 227 to remind the user that the server corresponding to this data stream is the hacker server 5 and to interrupt the connection between the user terminal 1 and the hacker server 5; if the judgement module 224 judges that the form names are consistent, it then judges whether the form target page corresponding to the title of the data stream is consistent with the form target page corresponding to that title stored in the database 225.
If the judgement module 224 judges that the form target pages are inconsistent, it notifies the management module 227 to remind the user that the server corresponding to this data stream is the hacker server 5 and to interrupt the connection between the user terminal 1 and the hacker server 5; if it judges that the form target pages are consistent, it notifies the management module 227 to send a forwarding-execution control command, that is, the server corresponding to this data stream is the non-hacker server 4.
The output module 226 is used, on receiving the forwarding-execution control command sent by the management module 227, to forward the data stream sent by the judgement module 224 to the user terminal 1.
In the detection system and detection device provided by the embodiment of the invention, the obtained packets are reassembled into an HTML data stream, the feature fields of the data stream are extracted, and the extracted feature fields are compared with the stored feature fields; this makes it possible to accurately recognize whether a response packet comes from a hacker server, thereby guaranteeing the security of the user terminal's online transactions.
Fig. 3 is the overall flow chart of the detection method of the embodiment of the invention.
In this embodiment, in step S200, the packets sent by a server are received. In this embodiment, the server may be a non-hacker server or a hacker server.
In step S202, the response packets among the received packets are obtained and reassembled into an HTML data stream.
In step S204, the feature fields are extracted from the assembled HTML data stream. In this embodiment, the feature fields comprise title, form name and form target page. In this embodiment, in the HTML language, the field between the tags <title> and </title> is the title of the web page, and the fields represented by the ellipses in <form ... action=...> are the form name and the form target page respectively; each title corresponds to one form name and one form target page.
In step S206, it is judged whether the feature fields in the assembled data stream are consistent with the feature fields stored in the database. In this embodiment, the feature fields comprise title, form name and form target page.
If they are judged consistent, i.e. the server corresponding to this data stream is a non-hacker server, the flow enters step S210 and the data stream is forwarded to the user terminal;
if they are judged inconsistent, i.e. the server corresponding to this data stream is a hacker server, the flow enters step S208, the user terminal is reminded that the server corresponding to this data stream is a hacker server, and the connection between the user terminal and the hacker server is interrupted.
Fig. 4 is the detailed flow chart of the detection method of the embodiment of the invention.
In this embodiment, steps S300 to S304 are identical to steps S200 to S204 of Fig. 3 and are not repeated here.
In step S306, it is judged whether the title of the extracted feature fields of the data stream is stored in the database.
If it is judged that the title of the extracted feature fields of the data stream is not stored in the database, the flow enters step S308: the user terminal is reminded that the feature fields of this data stream are not stored in the database and is asked whether to store the feature fields of this data stream in the database. After step S308 has been executed, the flow enters step S318 and the data stream is forwarded to the user terminal.
If it is judged that the title of the extracted feature fields of the data stream is stored in the database, the flow enters step S310 and the form name and form target page corresponding to this title are obtained from the database.
In step S312, it is judged whether the form name of the extracted feature fields of the data stream is consistent with the obtained form name. If they are judged inconsistent, the flow enters step S316: the user terminal is reminded that the server corresponding to this data stream is a hacker server, and the connection between the user terminal and the hacker server is interrupted; if they are judged consistent, the flow enters step S314.
In step S314, it is judged whether the form target page of the extracted feature fields of the data stream is consistent with the obtained form target page. If they are judged inconsistent, the flow enters step S316: the user terminal is reminded that the server corresponding to this data stream is a hacker server, and the connection between the user terminal and the hacker server is interrupted; if they are judged consistent, i.e. the server corresponding to this data stream is a non-hacker server, the flow enters step S318.
In step S318, the data stream is sent to the user terminal.
Fig. 5 is the detailed flow chart of step S302 of Fig. 4 of the embodiment of the invention.
In this embodiment, in step S400, the response packets among the received packets are obtained. In this embodiment, the response packets are HTTP/1.1 200 OK packets.
In step S402, the response packets having the same five-tuple are filtered out. In this embodiment, the five-tuple is source IP, destination IP, source port, destination port and protocol type.
In step S404, it is judged whether to stop obtaining response packets. In this embodiment, it is judged whether the filtered response packets having the same five-tuple contain the character string </html> or </HTML>.
If it is judged that the filtered response packets contain the character string </html> or </HTML>, i.e. that obtaining response packets should stop, the flow enters step S414: obtaining response packets is stopped, and the obtained response packets are assembled into an HTML data stream.
If it is judged that the filtered response packets do not contain the character string </html> or </HTML>, i.e. that response packets still need to be obtained, the flow returns to step S400.
In the detection method provided by the embodiment of the invention, the obtained packets are reassembled into an HTML data stream, the feature fields of the data stream are extracted, and the extracted feature fields are compared with the stored feature fields; this makes it possible to accurately recognize whether a response packet comes from a hacker server, thereby guaranteeing the security of the user terminal's online transactions.
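The flow of Figs. 3 to 5 as an added Python example that is not part of the patent: HTTP/1.1 200 OK packets are grouped by five-tuple and reassembled until </html> appears, the title and the form's name and action are extracted, and the title, form-name and form-target-page checks are applied in the patent's order. The reference table, the addresses and the HTML are constructed sample values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Five-tuple as the patent defines it: source IP, destination IP, source port, destination port, protocol.
FiveTuple = Tuple[str, str, int, int, str]
# Feature fields of a page: title, form name, form target page (the form's action URL).
Features = Tuple[Optional[str], Optional[str], Optional[str]]

# Constructed stand-in for the database of non-hacker pages: title -> (form name, form target page).
LEGIT_DB: Dict[str, Tuple[str, str]] = {
    "Example Bank - Online Banking": ("loginForm", "https://www.example-bank.test/login"),
}

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
FORM_RE = re.compile(r"<form\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def reassemble(packets: List[Tuple[FiveTuple, bytes]]) -> Dict[FiveTuple, str]:
    """Steps S400-S414: collect 200 OK packets per five-tuple until </html> is seen.

    A stream is opened only by a packet carrying the HTTP/1.1 200 OK status line;
    later segments with the same five-tuple are appended, and the stream is closed
    (assembled into an HTML data stream) once the buffer contains </html> or </HTML>.
    Streams that never reach that marker stay pending and get no verdict.
    """
    pending: Dict[FiveTuple, bytearray] = {}
    complete: Dict[FiveTuple, str] = {}
    for five_tuple, payload in packets:
        if five_tuple in complete:
            continue                                  # already assembled
        buf = pending.get(five_tuple)
        if buf is None:
            if not payload.startswith(b"HTTP/1.1 200 OK"):
                continue                              # not a 200 OK response: ignored
            buf = pending[five_tuple] = bytearray()
        buf += payload
        if b"</html>" in buf or b"</HTML>" in buf:    # stop condition of step S404
            complete[five_tuple] = buf.decode("utf-8", errors="replace")
            del pending[five_tuple]
    return complete


def extract_features(html: str) -> Features:
    """Step S204: text between <title> and </title>, plus name and action of the first <form>."""
    m = TITLE_RE.search(html)
    title = m.group(1).strip() if m else None
    f = FORM_RE.search(html)
    attrs = {k.lower(): v for k, v in ATTR_RE.findall(f.group(1))} if f else {}
    return title, attrs.get("name"), attrs.get("action")


def judge(features: Features, db: Dict[str, Tuple[str, str]]) -> str:
    """Steps S306-S318 in the patent's order: title known? form name? form target page?"""
    title, name, action = features
    if title not in db:
        return "UNKNOWN"      # S308: remind the user terminal, offer to store the fields
    ref_name, ref_action = db[title]
    if name != ref_name:
        return "HACKER"       # S312 -> S316: form name differs from the genuine page
    if action != ref_action:
        return "HACKER"       # S314 -> S316: form target page differs
    return "LEGIT"            # S318: forward the stream to the user terminal


def detect(packets: List[Tuple[FiveTuple, bytes]], db=LEGIT_DB) -> Dict[FiveTuple, str]:
    """Run the whole pipeline and return one verdict per completed stream."""
    return {ft: judge(extract_features(html), db) for ft, html in reassemble(packets).items()}


# Constructed sample traffic towards user terminal 192.0.2.5 (documentation addresses).
CLIENT = "192.0.2.5"
GENUINE = ("203.0.113.10", CLIENT, 443, 51000, "TCP")   # non-hacker server
PHISH = ("198.51.100.7", CLIENT, 80, 51001, "TCP")      # hacker server that copied the title
REDIRECT = ("203.0.113.10", CLIENT, 443, 51002, "TCP")  # not a 200 OK, never assembled
HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><head><title>Example Bank - Online Banking</title></head>")
SAMPLE_PACKETS = [
    (GENUINE, HEAD),
    (PHISH, HEAD),
    (REDIRECT, b"HTTP/1.1 302 Found\r\nLocation: /\r\n\r\n"),
    (GENUINE, b'<body><form name="loginForm" action="https://www.example-bank.test/login">'
              b'</form></body></html>'),
    (PHISH, b'<body><form name="loginForm" action="http://example-bank-secure.test/post">'
            b'</form></body></html>'),
]

if __name__ == "__main__":
    for five_tuple, verdict in detect(SAMPLE_PACKETS).items():
        print(five_tuple[0], verdict)
```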
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods of the above embodiments can be accomplished by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can comprise the flow of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the invention can still be modified or equivalently replaced, and that such modifications or equivalent replacements do not make the modified technical solutions depart from the spirit and scope of the technical solutions of the invention.

Claims (10)

1. A detection method applied to detecting a hacker server, characterized in that it comprises:
obtaining response packets and assembling them into a data stream;
extracting the feature fields in said data stream, the feature fields in said data stream comprising: title, form name, form target page;
judging whether the title of the extracted feature fields of the data stream is stored in a database;
when the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to said title in said data stream is inconsistent with the form name corresponding to said title stored in said database, judging that the response packets corresponding to said data stream are response packets sent by a hacker server, the feature fields stored in said database being the feature fields of web pages of non-hacker servers;
when the title of the extracted feature fields of the data stream is not stored in the database, reminding said user terminal that the feature fields of said data stream are not stored in said database, and asking said user terminal whether to store the feature fields of said data stream in said database;
if the response packets are judged to be response packets sent by the hacker server, interrupting the connection with said hacker server.
2. The detection method according to claim 1, characterized in that the step of obtaining response packets and assembling them into a data stream comprises:
obtaining said response packets from the received packets, said response packets being HTTP/1.1 200 OK packets and said data stream being an HTML data stream;
filtering out said response packets having the same five-tuple, said five-tuple being source IP, destination IP, source port, destination port and protocol type;
judging whether to stop obtaining said response packets;
when it is judged that obtaining said response packets should stop, assembling said response packets into said data stream.
3. The detection method according to claim 2, characterized in that the step of judging whether to stop obtaining said response packets comprises:
judging whether to stop obtaining said response packets by judging whether the filtered response packets having the same five-tuple contain the character string </html> or </HTML>;
if it is judged that the filtered response packets contain the character string </html> or </HTML>, judging that obtaining said response packets should stop.
4. The detection method according to claim 1, characterized in that it further comprises:
when the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to said title in said data stream is consistent with the form name corresponding to said title stored in said database, judging whether the form target page corresponding to said title in said data stream is consistent with the form target page corresponding to said title stored in said database;
if it is judged that said form target pages are inconsistent, judging that the response packets corresponding to said data stream are response packets sent by a hacker server;
if it is judged that said form target pages are consistent, judging that the response packets corresponding to said data stream are response packets sent by a non-hacker server.
5. A detection device applied to detecting a hacker server, characterized in that it comprises:
an assembly module, for assembling the received response packets into a data stream;
an extraction module, for extracting the feature fields of said data stream, the feature fields in said data stream comprising: title, form name, form target page;
a judgement module, for judging whether the title of the extracted feature fields of the data stream is stored in a database, and, when the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to said title in said data stream is inconsistent with the form name corresponding to said title stored in said database, judging that the response packets corresponding to said data stream are response packets sent by a hacker server, the feature fields stored in said database being the feature fields of web pages of non-hacker servers;
a management module, for interrupting the connection between the user terminal and said hacker server when the response packets are judged to be response packets sent by the hacker server;
said judgement module also being used, when said title is not stored in said database, to notify the management module to remind said user terminal that the feature fields of said data stream are not stored in said database and to ask said user terminal whether to store the feature fields of said data stream in said database.
6. The detection device according to claim 5, characterized in that said detection device further comprises:
an acquisition module, for obtaining said response packets from the received packets, said response packets being HTTP/1.1 200 OK packets and said data stream being an HTML data stream;
a filtering module, for filtering out said response packets having the same five-tuple and judging whether to stop obtaining said response packets, and, when it is judged that obtaining said response packets should stop, sending said response packets to said assembly module, said five-tuple being source IP, destination IP, source port, destination port and protocol type;
a database, for storing the feature fields of the web pages of non-hacker servers, said feature fields comprising: title, form name, form target page.
7. The detection device according to claim 6, characterized in that said filtering module judges whether to stop obtaining said response packets by judging whether the filtered response packets having the same five-tuple contain the character string </html> or </HTML>; and said management module is also used, when said filtering module judges that obtaining said response packets should stop, to control said acquisition module to stop obtaining said response packets.
8. The detection device according to claim 5, characterized in that said judgement module is also used, when the title of the extracted feature fields of the data stream is stored in the database, if the form name corresponding to said title in said data stream is consistent with the form name corresponding to said title stored in said database, to judge whether the form target page corresponding to said title in said data stream is consistent with the form target page corresponding to said title stored in said database, and, when it judges that said form target pages are inconsistent, to judge that the response packets corresponding to said data stream are response packets sent by a hacker server, and, when it judges that said form target pages are consistent, to judge that the response packets corresponding to said data stream are response packets sent by a non-hacker server.
9. a detection system is characterized in that, said detection system is connected with non-hacker's server or hacker's server through network, and is connected with user terminal, and said detection system comprises:
Receiving system is used to receive the packet that non-hacker's server or hacker's server are sent to said user terminal;
Checkout gear, whether the reply data bag that is used for detecting the packet that said receiving system receives is the reply data bag that said hacker's server sends;
Said checkout gear comprises:
Acquisition module is used for obtaining the said reply data bag of the packet that is received;
Filtering module is used to filter out the said reply data bag with identical five-tuple, and judges whether to stop to obtain said reply data bag, and said five-tuple is source IP, purpose IP, source port, destination interface, protocol type;
Knockdown block is used for receiving the said reply data bag that said filtering module sends, and being assembled into data flow when need stop to obtain said reply data bag when judging;
Database is used to store the feature field of the webpage of non-hacker's server, and said feature field comprises title, list name, list page object;
Extraction module is used for extracting the feature field of said data flow;
Judge module is used for judging according to the feature field of storing in the feature field of said data flow and the said database is whether consistent whether the corresponding reply data bag of said data flow is the reply data bag that said hacker's server sends;
Said judge module also is used for when judging that said title is stored in said database; Judge whether the corresponding list name of the corresponding list name of said title in the said data flow and the said title of said database storage is consistent; And when judging that said list name is inconsistent, judge that the corresponding reply data bag of said data flow is the reply data bag that said hacker's server sends;
Administration module is used for when being judged as the reply data bag that said hacker's server sends, and interrupts being connected of said user terminal and said hacker's server.
10. detection system according to claim 9; It is characterized in that; Said judge module also is used to work as the corresponding list name of the corresponding list name of the said title of the data flow extracted and the said title of said database storage when consistent; Judge whether the corresponding list page object of the corresponding list page object of said title in the said data flow and the said title of said database storage is consistent; And when judging that said list page object is inconsistent; Judge the reply data bag that the corresponding reply data bag of said data flow sends for hacker's server, and when judging that said list page object is consistent, judge that the corresponding reply data bag of said data flow is the reply data bag that non-hacker's server sends.
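The pipeline that claims 5 to 10 describe (assemble 200 OK reply packets of one five-tuple into an HTML flow until </html>, extract title, form name and form page object, compare against a database of legitimate pages keyed by title), as an added Python example that is not part of the patent and not code from the patentee. It assumes the "form page object" is the form's action target, and the database entry and packet contents are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed stand-in for the claims' database of legitimate-page feature fields, keyed
# by title; "form page object" is taken here as the form's action target (an assumption).
KNOWN_PAGES = {"Example Bank - Sign In": {"form_name": "loginForm", "form_target": "/auth/login"}}

def assemble_streams(packets):
    """Claims 6-7: group 200 OK reply packets by five-tuple, drop the HTTP header, close on </html>."""
    streams, complete = defaultdict(bytes), {}
    for five_tuple, payload in packets:
        if five_tuple in complete:
            continue  # stop collecting once the page is closed
        if payload.startswith(b"HTTP/1.1 200 OK"):
            payload = payload.partition(b"\r\n\r\n")[2]  # keep only the HTML body
        streams[five_tuple] += payload
        if re.search(rb"</html>", streams[five_tuple], re.IGNORECASE):
            complete[five_tuple] = streams[five_tuple].decode("utf-8", "replace")
    return complete

def extract_features(html):
    """Claim 5: the three feature fields of the HTML flow."""
    title = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    form = re.search(r"<form\b([^>]*)>", html, re.IGNORECASE)
    attrs = form.group(1) if form else ""
    name = re.search(r'\bname\s*=\s*"([^"]*)"', attrs, re.IGNORECASE)
    target = re.search(r'\baction\s*=\s*"([^"]*)"', attrs, re.IGNORECASE)
    return {"title": title.group(1).strip() if title else None,
            "form_name": name.group(1) if name else None,
            "form_target": target.group(1) if target else None}

def judge(features, db=KNOWN_PAGES):
    """Claims 4, 5, 8: unknown title -> prompt user; form name or form page object differs -> hacker."""
    known = db.get(features["title"])
    if known is None:
        return "unknown"
    if features["form_name"] != known["form_name"]:
        return "hacker"
    return "hacker" if features["form_target"] != known["form_target"] else "legitimate"

# Constructed sample traffic (RFC 5737 addresses): one connection's two reply packets
# carrying a look-alike sign-in page whose form posts to a different host.
FLOW = ("203.0.113.5", "192.0.2.10", 80, 51234, "tcp")
SAMPLE_PACKETS = [
    (FLOW, b"HTTP/1.1 200 OK\r\n\r\n<html><head><title>Example Bank - Sign In</title></head>"),
    (FLOW, b'<body><form name="loginForm" action="http://198.51.100.7/login"></form></body></html>'),
]

def detect(packets=SAMPLE_PACKETS, db=KNOWN_PAGES):
    """Verdict per completed flow; on 'hacker' the management module would cut the connection."""
    return {ft: judge(extract_features(html), db) for ft, html in assemble_streams(packets).items()}
```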
CN2008100685041A 2008-07-10 2008-07-10 Method, apparatus and system for detecting hacker server Expired - Fee Related CN101325495B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008100685041A CN101325495B (en) 2008-07-10 2008-07-10 Method, apparatus and system for detecting hacker server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008100685041A CN101325495B (en) 2008-07-10 2008-07-10 Method, apparatus and system for detecting hacker server

Publications (2)

Publication Number Publication Date
CN101325495A CN101325495A (en) 2008-12-17
CN101325495B true CN101325495B (en) 2012-02-01

Family

ID=40188845

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100685041A Expired - Fee Related CN101325495B (en) 2008-07-10 2008-07-10 Method, apparatus and system for detecting hacker server

Country Status (1)

Country Link
CN (1) CN101325495B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101534306B (en) * 2009-04-14 2012-01-11 深圳市腾讯计算机系统有限公司 Detecting method and a device for fishing website
CN102340428B (en) * 2011-09-29 2014-01-15 哈尔滨安天科技股份有限公司 URL (Uniform Resource Locator) detection and interception method and system based on network packet loss
CN103457924B (en) * 2012-06-05 2016-08-03 珠海市君天电子科技有限公司 Detect the method and system of coming into force property type fishing website point-to-point, instantaneous
CN103455758A (en) * 2013-08-22 2013-12-18 北京奇虎科技有限公司 Method and device for identifying malicious website
CN103685289B (en) * 2013-12-19 2017-02-08 北京奇虎科技有限公司 Method and device for detecting phishing website

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1585346A (en) * 2004-05-28 2005-02-23 南京邮电学院 Method for realizing chaff network data flow heavy orientation
CN1859398A (en) * 2006-01-05 2006-11-08 珠海金山软件股份有限公司 System and method for reverse network fishing
CN101009704A (en) * 2006-01-13 2007-08-01 飞塔信息科技(北京)有限公司 Computer system and method for processing advanced network content
CN101141244A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Network encrypted data virus detection and elimination system, proxy server and method
CN101147138A (en) * 2005-02-18 2008-03-19 Duaxes株式会社 Communication control device and communication control system
CN101167063A (en) * 2005-03-28 2008-04-23 Duaxes株式会社 Communication control device and communication control system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1585346A (en) * 2004-05-28 2005-02-23 南京邮电学院 Method for realizing chaff network data flow heavy orientation
CN101147138A (en) * 2005-02-18 2008-03-19 Duaxes株式会社 Communication control device and communication control system
CN101176080A (en) * 2005-02-18 2008-05-07 Duaxes株式会社 Communication control device and communication control system
CN101167063A (en) * 2005-03-28 2008-04-23 Duaxes株式会社 Communication control device and communication control system
CN1859398A (en) * 2006-01-05 2006-11-08 珠海金山软件股份有限公司 System and method for reverse network fishing
CN101009704A (en) * 2006-01-13 2007-08-01 飞塔信息科技(北京)有限公司 Computer system and method for processing advanced network content
CN101141244A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Network encrypted data virus detection and elimination system, proxy server and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JP特開2008-139993A 2008.06.19

Also Published As

Publication number Publication date
CN101325495A (en) 2008-12-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090424

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20090424

Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731

Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.

Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129

Applicant before: Huawei Technologies Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120201

Termination date: 20190710