Summary of the invention
The invention provides a method and a device for identifying hijacked web addresses. They can effectively identify a hijacked web address and give users and other computer services an effective means of judging whether a web address has been hijacked.
The invention provides the following scheme:
A method for identifying a hijacked web address comprises:
initiating a request to access a target web address by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, and taking the final visited address obtained as the first web address;
initiating a request to access the target web address by simulating a jump from a link, and taking the final visited address obtained as the second web address;
comparing the first web address with the second web address to obtain a comparison result;
identifying, according to the comparison result, whether the target web address is a hijacked web address.
Wherein initiating the request to access the target web address by simulating a jump from a link comprises:
initiating the request to access the target web address by simulating a jump from a link in the search results provided by a search engine.
Wherein comparing the first web address with the second web address to obtain a comparison result comprises:
comparing the domains in which the first web address and the second web address are located to obtain a comparison result.
Wherein identifying, according to the comparison result, whether the target web address is a hijacked web address comprises:
if the comparison result is that the domains of the first web address and the second web address differ, the target web address is a hijacked web address.
Wherein identifying, according to the comparison result, whether the target web address is a hijacked web address comprises:
if the comparison result is that the domains of the first web address and the second web address differ, judging whether the second web address appears in a database of known malicious web addresses, and if so, the target web address is a hijacked web address.
A device for identifying a hijacked web address comprises:
a first web address acquiring unit, used to initiate a request to access a target web address by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, and to take the final visited address obtained as the first web address;
a second web address acquiring unit, used to initiate a request to access the target web address by simulating a jump from a link, and to take the final visited address obtained as the second web address;
a comparing unit, used to compare the first web address with the second web address to obtain a comparison result;
a recognition unit, used to identify, according to the comparison result, whether the target web address is a hijacked web address.
Wherein the second web address acquiring unit comprises:
a search engine simulation subunit, used to initiate the request to access the target web address by simulating a jump from a link in the search results provided by a search engine.
Wherein the comparing unit comprises:
a domain comparison subunit, used to compare the domains in which the first web address and the second web address are located to obtain a comparison result.
Wherein the recognition unit comprises:
a first recognition subunit, used so that, if the comparison result is that the domains of the first web address and the second web address differ, the target web address is a hijacked web address.
Wherein the recognition unit comprises:
a second recognition subunit, used so that, if the comparison result is that the domains of the first web address and the second web address differ, it is judged whether the second web address appears in a database of known malicious web addresses, and if so, the target web address is a hijacked web address.
According to the specific embodiments provided by the invention, the invention discloses the following technical effects:
With the invention, a request to access the target web address can be initiated by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, a request to access the same target web address can be initiated by simulating a jump from a link, and the final visited addresses obtained can be compared. The difference between the final visited addresses obtained when the target web address is accessed in the two ways is thereby found, the hijacking of the web address is exposed, and it can be effectively identified whether the target web address is a hijacked web address.
Embodiment
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention fall within the scope of protection of the invention.
First, it should be noted that whenever an Internet user visits a web address, whether by typing a Uniform Resource Locator (URL) directly into the browser address bar or by jumping from a link, the browser on the local computer in fact sends an HTTP (HyperText Transfer Protocol) request to a server over the Internet. This HTTP request usually contains one or several request headers, required or optional, also called header fields, which carry information about the type of request being made to the server.
For example, the request header Accept-Charset indicates the character sets that the browser on the local computer can accept. The request header User-Agent contains the operating system and version used by the client, the CPU type, the browser and its version, the browser rendering engine, the browser language, browser plug-ins and so on, so that the server, by examining the content of User-Agent, can generate and send different pages according to the software and hardware environment of different users when responding to their requests. The request header Referer contains a URL and tells the server that this request arrived by a jump from that URL, that is, the user reached the currently requested page from the page that the URL represents. In today's environment of close commercial cooperation between websites and frequent use of search engines, the Referer request header is used in most page-jump requests; it makes it convenient for servers to compile statistics on visit data, among other things, and is therefore widely used.
In network security, the contest between hackers on one side and security service providers and computer users on the other has never stopped. When carrying out an attack, a hacker usually adopts some strategy to disguise and cover up the malicious behaviour so that it is not exposed. As for web address hijacking, one characteristic of this technique shows up in the following situation that users encounter while using the Internet: when the user types the target web address directly into the browser address bar, the normal target web address opens; but when the user opens the target web address through a search engine's search results or by jumping from a link on another web page, the final visited address that opens is an address set up by the hacker rather than the real target web address. The content presented to the user often differs considerably from the target page, and may not be the information the user needs at all.
In practice, when an ordinary Internet user needs to open a new web address, in most cases the user does not type it directly into the address bar, because the complete address of the target page that most users want to browse is very long and hard to remember, and typing it in full wastes a lot of the user's time. So, when users want to open a web address, they often use a search engine's search results or jump from a link on another web page. In addition, much of what Internet users open while browsing has no definite purpose: when users find something interesting on the page they are currently viewing, they usually open it by following a link on that page.
People who really care about a particular website, such as its owner or administrator, know its specific address. When they need to visit it, in most cases they do not go through search engine results or a link on another web page but type the target web address directly into the browser address bar. The final visited address obtained this way is the target web address, which has not been hijacked. Because of this behaviour, these particular visitors find it difficult to discover that the web address is being hijacked.
It can be seen that, when visiting a web address, ordinary users mostly arrive by jumping from a link, whereas special groups such as website owners and administrators, who usually have no need to follow links, typically type the target web address directly into the browser address bar. As a result, in most cases this group of users cannot discover that the web address has been hijacked. It is exactly this browsing behaviour that gives hackers who carry out web address hijacking their opportunity: hijacking with the characteristics described above effectively conceals itself.
The inventor found, in the course of realizing the invention, why typing the target web address directly into the browser address bar and opening the same address through a search engine's search results or a link on another web page yield different final visited addresses. Technically, the hacker carrying out the hijacking intercepts the HTTP request sent when the user's browser opens the web address, analyzes the characteristics of that request, and takes different actions depending on the result of the analysis, so that the user ends up at a different final visited address and obtains a different web page. This is described in detail below.
When a user initiates an access request to a web address, the browser in fact sends an HTTP request to a Web server. The hacker carrying out the hijacking can intercept and analyze this request and handle it differently according to its characteristics. If the target web address in the request came from the user typing it directly into the browser address bar, the HTTP request is let through and the target Web server returns the normal page content; the final visited address the user obtains is then the normal target web address, and the content shown in the user's browser is the normal page content returned by the target Web server. If, however, the HTTP request for the target web address was sent by the user's browser through a search engine's search results or a jump from a link on another web page, it is hijacked and redirected to a preset web address; the final visited address the user obtains is then the address preset by the hacker, and the content displayed is the content returned by that preset address.
Specifically, what the hacker analyzes in the intercepted HTTP request sent to the target Web server is the information contained in its HTTP headers, in particular the Referer request header. From it the hacker obtains the URL that the Referer header contains, that is, the page from which the user is visiting the currently requested page, and can thus judge whether the current HTTP request was sent by a jump from a link on a particular web page.
Having analyzed the intercepted HTTP request sent to the target Web server, the hacker decides, according to the result, either to let the request through, so that the target Web server returns the page, or to jump to the preset web address, so that the preset address returns a page to the user. As a result, requests to visit the same web address initiated in different ways can obtain different final visited addresses, and the content accessed often differs as well.
Based on the above analysis, an embodiment of the invention provides a method for identifying a hijacked web address. Referring to Fig. 1, the method comprises the following steps:
S101: Initiate a request to access the target web address by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, and take the final visited address obtained as the first web address.
In the embodiment of the invention, an HTTP request is first constructed to simulate a request to access the target web address initiated by entering a URL in the browser address bar. The constructed HTTP request has the characteristics of such a request. An HTTP access request for the target web address initiated by entering a URL in the browser address bar does not include the Referer request header, that is, no Referer header is present in this kind of HTTP request. In addition, the headers of the constructed HTTP request usually include the User-Agent request header, in which user browser information is constructed, for example:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
This example User-Agent request header gives information such as the user's browser type and version and the user's operating system version.
A request constructed this way can be recognized as an HTTP access request for the target web address initiated by entering a URL in the browser address bar. By constructing an HTTP request with the above characteristics, an HTTP request to access the target web address by entering a URL in the browser address bar is simulated; the constructed request is sent to the target Web server, and the final visited address obtained is taken as the first web address.
Because the constructed HTTP request has the characteristics of an HTTP access request for the target web address initiated by entering a URL in the browser address bar, a hacker carrying out hijacking who intercepts and analyzes it will, according to the hacker's behaviour pattern, recognize it as such a request and let it through, and the requested target Web server then returns the content. Therefore, in this step of the embodiment, the first web address obtained is the real target web address requested, not the address set up by the hacker.
S102: Initiate a request to access the target web address by simulating a jump from a link, and take the final visited address obtained as the second web address.
Besides obtaining the first web address, it is also necessary to construct an HTTP request that simulates a request to access the target web address initiated by jumping from a link. The constructed HTTP request has the characteristics of such a request. An HTTP request for the target web address initiated by jumping from a link includes the Referer request header, which contains a URL and indicates that the request arrived by a jump from that URL, that is, the request to access the target web address started from the URL contained in the Referer header. The Referer request header therefore marks an HTTP request as one initiated by jumping from a link.
By constructing an HTTP request with the above Referer request header, an HTTP request to access the target web address by jumping from a link is simulated; the constructed request is sent to the target Web server, and the final visited address obtained is taken as the second web address.
Because the constructed HTTP request has the characteristics of an HTTP request for the target web address initiated by jumping from a link, a hacker carrying out hijacking who intercepts and analyzes it will, according to the hacker's behaviour pattern, recognize it as such a request and jump to the preset web address, and the preset address then returns the content. Therefore, in the embodiment of the invention, if the target web address has been hijacked, the second web address obtained through this constructed HTTP request is the address set up by the hacker, not the real target web address requested.
S103: Compare the first web address with the second web address to obtain a comparison result.
In a concrete implementation, there are several ways to compare the first web address with the second web address and obtain a comparison result. For example, one implementation compares whether the whole first web address and the whole second web address are identical, obtaining an exact comparison result.
Alternatively, another manner of comparison can be used to obtain the comparison result: comparing the domains in which the first web address and the second web address are located.
A domain, also called a domain name, is one of the addressing schemes for computers on the Internet and corresponds to an IP (Internet Protocol) address. Every computer on the Internet has an IP address, represented by a unique sequence of digits, so that other computers can reach it. To make addresses easier to remember, domain names were invented, which identify computers on the Internet by combinations of letters, digits and symbols. A domain is a computer's unique identifier on the Internet; through the domain, the numeric address of a computer on the Internet can be located, which makes access to the computer and communication between computers possible. For example, visiting a website means in fact accessing the computer on the Internet where the website is located, that is, the Web server: a request is sent to the Web server, and the Web server responds to the request and returns content to the user. A Web server can be accessed by its IP address, but more often its domain name is used, such as www.abc.com.
When a user visits a target web address, the main process is generally as follows: the client sends an HTTP request to the target Web server, the target Web server receives and responds to the request, and the target Web server transmits the requested web page file to the client. In this process, the web address requested by the user generally takes the following form:
www.abc.com/d/e/f.html
The domain name part identifies the location of the target Web server on the network, and the part that follows, /d/e/f.html in this example, identifies where the requested file is stored on the target Web server. This is the general form of a target web address visited by a user, and also the general form of the final visited address obtained after the user receives the page returned by the Web server.
Many websites today use dynamic web page technology, so that the Web server can return different content according to different users, different settings, different user habits and so on, to meet the different needs of different application environments. After different users submit access requests in different application environments, the final visited addresses returned by the Web server may differ. In addition, some Web servers detect the application environment of the party submitting the access request and return different pages and final visited addresses depending on the result. A website may, for example, determine the geographic region of the user from the IP address that submitted the access request and then return the web address and page content of the page designed for that region. Therefore, for a web address that has not been hijacked, the first web address and the second web address obtained by the method of the embodiment are not necessarily identical, but their domain name parts are the same. For example, the first web address may be www.abc.com/a.html and the second web address www.abc.com/b.html, but this difference is not caused by a hacker hijacking the web address. Therefore, if hijacking is judged by directly comparing whether the first web address and the second web address are identical, misjudgments may occur.
On the other hand, when a hacker carries out web address hijacking, the final visited address that the hacker prepares to replace the one the target Web server should have returned for the user's request usually has the following characteristic: the first web address and the second web address obtained by the method of the embodiment not only differ, they usually differ already in the domain name part. This is because, after hijacking a web address, the final visited address and page content with which the hacker replaces those that the target Web server should return can usually only be served from a domain name held by the hacker.
In view of these characteristics, the embodiment of the invention provides the method of comparing the domains of the first web address and the second web address, that is, comparing whether the domain of the first web address is the same as the domain of the second web address, to obtain the comparison result. If the comparison result is that the two domains are the same, the target web address can be treated as a normal web address; if the two domains differ, this indicates that the target web address may have been hijacked. In this way, web addresses whose first and second web addresses differ because of dynamic web page technology, dynamic Web server responses and similar reasons, but which have not in fact been hijacked by a hacker, can be effectively recognized.
In addition, in practical applications, to further confirm whether the target web address has been hijacked, after finding that the two domains differ it can further be judged whether the second web address appears in a malicious web address database (for example, a blacklist generated and maintained by a network security product). If it is in the blacklist, the target web address is determined to have been hijacked. That is, if a target web address has been hijacked by a hacker, the second web address is provided by the hacker and is therefore itself a malicious web address, which may already have been collected into the blacklist by other means. So, if the domain of the second web address not only differs from that of the first web address but the second web address also appears in the blacklist, it is certain that the corresponding target web address has indeed been hijacked by a hacker.
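One way to implement steps S101 to S103 and the optional blacklist check, as an added example that is not code from the patent. It assumes Python's standard urllib, treats the host name as the "domain" and the blacklist as a set of host names, and uses hypothetical names (check_hijack, domain_of, make_stub_fetch) and constructed sample URLs.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
import urllib.request

# User-Agent value taken from the example given in the text.
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
# Constructed sample: the page a link-based visit claims to come from.
SAMPLE_REFERER = "http://search.example/results?q=abc"


def fetch_final_url(url, headers, timeout=10):
    """GET url with the given headers and return the URL reached after
    HTTP-level redirects (script or meta-refresh jumps are not followed)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()


def with_scheme(url):
    """The text writes addresses as www.abc.com/d/e/f.html; add a scheme."""
    return url if "://" in url else "http://" + url


def domain_of(url):
    """Host part of a URL, lower-cased, without port or trailing dot.
    Assumption: host names stand in for the 'domain' of the text."""
    host = urlsplit(with_scheme(url)).hostname or ""
    return host.rstrip(".").lower()


@dataclass
class Verdict:
    first_url: str        # final address without Referer (S101)
    second_url: str       # final address with Referer (S102)
    domains_differ: bool  # comparison result (S103)
    on_blocklist: bool    # second domain found in the malicious-host set
    hijacked: bool


def check_hijack(target, referer, fetch=fetch_final_url, blocklist=None):
    """Run both simulated visits and compare the final domains.
    blocklist: optional set of known malicious host names (assumption);
    when given, a differing domain must also be listed to count."""
    target = with_scheme(target)
    base = {"User-Agent": USER_AGENT}
    # S101: address-bar style request, no Referer header at all.
    first = fetch(target, dict(base))
    # S102: link-jump style request, same headers plus Referer.
    second = fetch(target, {**base, "Referer": referer})
    # S103: compare domains, not whole URLs, so that dynamic pages on the
    # same site (a.html vs b.html) are not misjudged.
    differ = domain_of(first) != domain_of(second)
    listed = blocklist is not None and domain_of(second) in blocklist
    hijacked = differ if blocklist is None else (differ and listed)
    return Verdict(first, second, differ, listed, hijacked)


def make_stub_fetch(direct_url, linked_url):
    """Constructed stand-in for the network so the check runs offline:
    records each call and answers by whether a Referer was sent."""
    def fetch(url, headers):
        fetch.calls.append((url, headers))
        return linked_url if "Referer" in headers else direct_url
    fetch.calls = []
    return fetch


if __name__ == "__main__":
    # Constructed cases: a normal dynamic site and a hijacked one.
    normal = make_stub_fetch("http://www.abc.com/a.html",
                             "http://www.abc.com/b.html")
    hijack = make_stub_fetch("http://www.abc.com/a.html",
                             "http://landing.example/x")
    for stub in (normal, hijack):
        print(check_hijack("www.abc.com/d/e/f.html", SAMPLE_REFERER,
                           fetch=stub, blocklist={"landing.example"}))
```

Against a live site, call check_hijack with the default fetch; a differing domain is a lead to investigate, and the blacklist step is what the text uses to confirm it.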
In short, with the embodiment of the invention, a request to access the target web address can be initiated by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, a request to access the same target web address can be initiated by simulating a jump from a link, and the final visited addresses obtained can be compared. The difference between the final visited addresses obtained when the target web address is accessed in the two ways is thereby found, the hijacking of the web address is exposed, and it can be effectively identified whether the target web address is a hijacked web address.
Corresponding to the method for identifying a hijacked web address provided by the embodiment of the invention, the embodiment of the invention also provides a device for identifying a hijacked web address. Referring to Fig. 2, the device may comprise:
a first web address acquiring unit 201, used to initiate a request to access a target web address by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, and to take the final visited address obtained as the first web address;
a second web address acquiring unit 202, used to initiate a request to access the target web address by simulating a jump from a link, and to take the final visited address obtained as the second web address;
a comparing unit 203, used to compare the first web address with the second web address to obtain a comparison result;
a recognition unit 204, used to identify, according to the comparison result, whether the target web address is a hijacked web address.
In a concrete implementation, the second web address acquiring unit 202 may comprise:
a search engine simulation subunit, used to initiate the request to access the target web address by simulating a jump from a link in the search results provided by a search engine.
The comparing unit 203 may comprise:
a domain comparison subunit, used to compare the domains in which the first web address and the second web address are located to obtain a comparison result.
Accordingly, the recognition unit 204 may comprise:
a first recognition subunit, used so that, if the comparison result is that the domains of the first web address and the second web address differ, the target web address is a hijacked web address.
Alternatively, the recognition unit 204 may comprise:
a second recognition subunit, used so that, if the comparison result is that the domains of the first web address and the second web address differ, it is judged whether the second web address appears in a database of known malicious web addresses, and if so, the target web address is a hijacked web address.
With the device provided by the embodiment of the invention, a request to access the target web address can be initiated by simulating the input of a Uniform Resource Locator (URL) in the browser address bar, a request to access the same target web address can be initiated by simulating a jump from a link, and the final visited addresses obtained can be compared. The difference between the final visited addresses obtained when the target web address is accessed in the two ways is thereby found, the hijacking of the web address is exposed, and it can be effectively identified whether the target web address is a hijacked web address.
From the description of the above embodiments, those skilled in the art can clearly understand that the invention can be realized by software together with a necessary general-purpose hardware platform. On this understanding, the technical scheme of the invention in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and comprises a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to carry out the methods described in the embodiments of the invention or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar among the embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the device or system embodiments are basically similar to the method embodiments, they are described relatively briefly, and for the relevant parts reference may be made to the description of the method embodiments. The device and system embodiments described above are only schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The method and device for identifying a hijacked web address provided by the invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementation and the scope of application. In summary, the content of this description should not be construed as limiting the invention.