CN102594934A - Method and device for identifying hijacked website - Google Patents

Publication number
CN102594934A
CN102594934A CN201110456055XA CN201110456055A CN102594934A CN 102594934 A CN102594934 A CN 102594934A CN 201110456055X A CN201110456055X A CN 201110456055XA CN 201110456055 A CN201110456055 A CN 201110456055A CN 102594934 A CN102594934 A CN 102594934A
Authority
CN
China
Prior art keywords
network address
request
target
hostage
comparative result
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201110456055XA
Other languages
Chinese (zh)
Other versions
CN102594934B (en)
Inventor
李纪峰
赵武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Original Assignee
Qizhi Software Beijing Co Ltd
Application filed by Qizhi Software Beijing Co Ltd
Priority to CN201110456055.XA (CN102594934B)
Publication of CN102594934A
Priority to US14/368,992 (US20140380477A1)
Priority to PCT/CN2012/087640 (WO2013097742A1)
Application granted
Publication of CN102594934B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and a device for identifying a hijacked website. The method comprises the following steps of: initiating a request for accessing a target website by simulating a mode of inputting a uniform resource locator (URL) into an address bar of a browser, and determining the obtained final access website as a first website; initiating a request for accessing the target website by simulating a mode of skipping according to a link, and determining the obtained final access website as a second website; comparing the first website with the second website to obtain a comparison result; and identifying whether the target website is the hijacked website according to the comparison result. According to the method and the device, the hijacked website can be identified effectively, so that an effective measure for judging whether the website is hijacked is supplied to a user and other computer services.

Description

A method and device for identifying a hijacked web address
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for identifying a hijacked web address.
Background technology
Today, as e-government and e-commerce become increasingly widespread, websites have become the window through which government agencies, enterprises and public institutions present their image. Organizations of all kinds have set up websites one after another, which give them an effective means of publishing information, providing services and conducting business, and have brought great convenience. If a website's address is hijacked, however, not only is normal business disrupted, but the prestige of the government or the image of the company may suffer incalculable damage. Worse still, some criminals use hacking techniques such as web address hijacking to carry out incitement, fraud and other criminal activities, causing losses to organizations and the public. If such an attack targets a government website, then once the address is hijacked the public cannot obtain correct information when browsing its pages, which seriously harms the government's image; people with ulterior motives may also exploit the public's trust in government websites by hijacking the address and spreading rumors, causing unnecessary fear and suspicion among the public and thereby great losses to the country and the people.
With the rapid development of the Internet, intrusions and web address hijacking incidents occur frequently. Whether to show off technical skill, promote products or make illegal profit, various hacking techniques are abused on the Internet and seriously interfere with users' normal use of it. One web address hijacking technique causes an Internet user who clicks a link to open not the real target web address but another, carefully prepared address. Such addresses may contain tedious advertising that wastes the user's browsing time, may contain illegal information and promote wrongdoing, or may even contain viruses or Trojans that maliciously damage the user's computer, and so on. For example, the official website of a lottery in a certain region was hijacked, and what users got after clicking was a so-called "National Lottery Forecast Research Center" website that induced them to register and spend money for the purpose of illegal profit.
Therefore, the technical problem that those skilled in the art urgently need to solve is how to provide a method that effectively identifies whether a web address has been hijacked, so as to give users and other computer services an effective means of judging whether a web address has been hijacked.
Summary of the invention
The invention provides a method and device for identifying a hijacked web address, which can effectively identify hijacked web addresses and give users and other computer services an effective means of judging whether a web address has been hijacked.
The invention provides the following scheme:
A method for identifying a hijacked web address, comprising:
initiating a request to access a target web address by simulating the entry of a Uniform Resource Locator (URL) in the browser address bar, and determining the final accessed web address obtained as a first web address;
initiating a request to access the target web address by simulating a jump from a link, and determining the final accessed web address obtained as a second web address;
comparing the first web address with the second web address to obtain a comparison result;
identifying, according to the comparison result, whether the target web address is a hijacked web address.
Wherein initiating the request to access the target web address by simulating a jump from a link comprises:
initiating the request to access the target web address by simulating a jump from a link in the search results provided by a search engine.
Wherein comparing the first web address with the second web address to obtain a comparison result comprises:
comparing the domains in which the first web address and the second web address are located to obtain a comparison result.
Wherein identifying, according to the comparison result, whether the target web address is a hijacked web address comprises:
if the comparison result is that the first web address and the second web address are located in different domains, the target web address is a hijacked web address.
Wherein identifying, according to the comparison result, whether the target web address is a hijacked web address comprises:
if the comparison result is that the first web address and the second web address are located in different domains, judging whether the second web address appears in a database of known malicious web addresses, and if so, the target web address is a hijacked web address.
A device for identifying a hijacked web address, comprising:
a first web address acquiring unit, configured to initiate a request to access a target web address by simulating the entry of a Uniform Resource Locator (URL) in the browser address bar, and to determine the final accessed web address obtained as a first web address;
a second web address acquiring unit, configured to initiate a request to access the target web address by simulating a jump from a link, and to determine the final accessed web address obtained as a second web address;
a comparing unit, configured to compare the first web address with the second web address to obtain a comparison result;
a recognition unit, configured to identify, according to the comparison result, whether the target web address is a hijacked web address.
Wherein the second web address acquiring unit comprises:
a search engine simulation subunit, configured to initiate the request to access the target web address by simulating a jump from a link in the search results provided by a search engine.
Wherein the comparing unit comprises:
a domain comparison subunit, configured to compare the domains in which the first web address and the second web address are located to obtain a comparison result.
Wherein the recognition unit comprises:
a first recognition subunit, configured so that if the comparison result is that the first web address and the second web address are located in different domains, the target web address is a hijacked web address.
Wherein the recognition unit comprises:
a second recognition subunit, configured so that if the comparison result is that the first web address and the second web address are located in different domains, it judges whether the second web address appears in a database of known malicious web addresses, and if so, the target web address is a hijacked web address.
According to the specific embodiments provided by the invention, the invention discloses the following technical effects:
With the present invention, a request to access the target web address can be initiated by simulating the entry of a Uniform Resource Locator (URL) in the browser address bar, a request to access the target web address can also be initiated by simulating a jump from a link, and the final accessed web addresses obtained can be compared. Any difference between the final accessed web addresses obtained by the two ways of accessing the target web address is thereby found and the hijacking is exposed, so that whether the target web address is a hijacked web address can be effectively identified.
Description of drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the device provided by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the present invention.
It should first be noted that when an Internet user accesses a web address, whether by entering a Uniform Resource Locator (URL) directly in the browser's address bar or by jumping from a link, the browser on the local computer in fact sends an HTTP (HyperText Transfer Protocol) request to a server over the Internet. This HTTP request usually contains one or more required or optional request headers, also called header fields, which carry information about the type of request being made to the server.
For example, the request header Accept-Charset indicates the character sets that the browser on the local computer can accept. The request header User-Agent contains the operating system and version used by the client, the CPU type, the browser and version, the browser rendering engine, the browser language, browser plug-ins and so on, so that the server, by examining the content of User-Agent, can generate and send different pages according to the hardware and software environment of different users when responding to their requests. The request header Referer contains a Uniform Resource Locator (URL) and tells the server that this request arrived by a jump from the URL it contains, that is, the user came to the currently requested page from the page represented by that URL. In the current environment of close commercial cooperation between websites and frequent use of search engines, most page jump requests carry the Referer request header; it makes it convenient for servers to compile statistics on visit data and is therefore widely used.
In network security, the contest between hackers on one side and security service providers and computer users on the other has never stopped, and when carrying out an attack a hacker usually adopts some strategy to disguise and conceal the malicious behavior so that it is not exposed. One characteristic of a certain web address hijacking technique shows up in the following situation encountered by users: when the user enters the target web address directly in the browser's address bar, the normal target web address opens; but when the user opens the target web address from a search engine's results or by jumping from a link on another web page, the final accessed web address that opens is one set up by the hacker rather than the real target web address. The content presented to the user also usually differs considerably from the target web page, and may not be the information the user needs at all.
In practice, when ordinary Internet users need to open a new web address, in most cases they do not enter the address directly in the address bar, because the complete address of the target web page is usually long and hard to remember, and typing it out in full wastes a lot of time. So when users want to open a web address they often go through a search engine's results or jump from a link on another web page. In addition, much of the address opening that Internet users do while browsing has no definite purpose: when users find content of interest on the page they are currently viewing, they usually open the corresponding web address by jumping from a link on the current page.
People who really care about a particular website, such as its owner or administrator, behave differently. Because they know the specific address, in most cases they do not reach the website through search engine results or by jumping from a link on another web page, but enter the target web address directly in the browser's address bar. The final accessed web address they obtain is then the target web address that has not been hijacked, and because of this behavior such special visitors find it hard to notice the hijacking.
It can be seen that when accessing a web address, ordinary users mostly jump from a link, while special groups such as website owners and administrators usually have no need to jump from a link and instead enter the target web address directly in the browser address bar. As a result, this group of users in most cases cannot discover that the web address has been hijacked. It is precisely this browsing behavior that gives the hackers who carry out web address hijacking their opportunity, and hijacking with the above characteristics effectively conceals itself.
In the course of realizing the present invention, the inventors found the technical reason why entering the target web address directly in the browser's address bar and opening the same web address from a search engine's results or by jumping from a link on another web page yield different final accessed addresses. While the user is accessing the web address, the hacker carrying out the hijacking intercepts the HTTP request sent when the browser opens the web address, analyzes the characteristics of the HTTP request, and then takes different measures depending on the analysis result, so that the user opens a different final accessed web address and obtains a different web page. This is described in detail below.
When a user initiates an access request for a web address, the browser actually sends an HTTP request to a Web server. The hacker carrying out the hijacking can intercept and analyze this request and handle it differently according to its characteristics. If the requested target web address comes from the user's direct entry in the browser's address bar, the HTTP request is let through and the target Web server of the request returns the normal web page content. The final accessed web address the user obtains is then the normal target web address, and the content displayed in the user's browser is the normal web page content returned by the target Web server. If the HTTP request sent by the user's browser reaches the target web address from a search engine's results or by jumping from a link on another web page, it is hijacked and then redirected to a preset web address. The final accessed web address the user obtains is then the web address preset by the hacker, and the content displayed is the content returned by that preset web address.
Specifically, what the hacker analyzes in the intercepted HTTP request sent to the target Web server is the information contained in its HTTP headers. In particular, the hacker analyzes the Referer request header to obtain the URL it contains, that is, to learn from which URL's page the user came to the currently requested page. In this way the hacker can judge whether the current HTTP request was sent by jumping from a link on a particular web page.
By analyzing the intercepted HTTP request sent to the target Web server, the hacker decides, according to the analysis result, either to let the HTTP request through so that its target Web server returns the web page, or to redirect it to the preset web address so that the preset web address returns a web page to the user. This is why requests for the same web address initiated in different ways can yield different final accessed web addresses, and often different content as well.
Based on the above analysis, an embodiment of the invention provides a method for identifying a hijacked web address. Referring to Fig. 1, the method comprises the following steps:
S101: initiate a request to access the target web address by simulating the entry of a Uniform Resource Locator (URL) in the browser address bar, and determine the final accessed web address obtained as the first web address;
In this embodiment of the invention, an HTTP request is first constructed to simulate a request for the target web address initiated by entering a URL in the browser address bar. The constructed HTTP request has the characteristics of an HTTP access request for the target web address initiated by entering a URL in the browser address bar. In such a request, the Referer request header is not included among the request headers; that is, this kind of HTTP request has no Referer request header. In addition, the request headers of the constructed HTTP request usually include a User-Agent request header in which user browser information is constructed, for example:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
This example User-Agent request header gives information such as the user's browser type and version and the user's operating system version.
The constructed HTTP request can be identified as an HTTP access request for the target web address initiated by entering a URL in the browser address bar. By constructing an HTTP request with the above characteristics, an HTTP request for the target web address initiated by entering a URL in the browser address bar is simulated; the constructed HTTP request is sent to the target Web server, and the final accessed web address obtained is determined as the first web address.
Because the constructed HTTP request has the characteristics of an HTTP access request for the target web address initiated by entering a URL in the browser address bar, if a hacker carrying out web address hijacking intercepts and analyzes it, then according to the hacker's behavioral characteristics it will be identified as an HTTP request for the target web address initiated by entering a URL in the browser address bar and will be let through, and the requested target Web server will return the content. Therefore, in this step of the embodiment, the first web address obtained is the real target web address requested, not a web address set up by the hacker.
S102: initiate a request to access the target web address by simulating a jump from a link, and determine the final accessed web address obtained as the second web address;
Besides obtaining the first web address, an HTTP request must also be constructed to simulate a request for the target web address initiated by jumping from a link. The constructed HTTP request has the characteristics of an HTTP request for the target web address initiated by jumping from a link. Such an HTTP request includes a Referer request header containing a URL, which indicates that the request arrived by a jump from the URL contained in the Referer request header; that is, the request for the target web address set out from that URL. This Referer request header allows the request to be identified as an HTTP request for the target web address initiated by jumping from a link.
By constructing an HTTP request with the above Referer request header characteristic, an HTTP request for the target web address initiated by jumping from a link is simulated; the constructed HTTP request is sent to the target Web server, and the final accessed web address obtained is determined as the second web address.
Because the constructed HTTP request has the characteristics of an HTTP request for the target web address initiated by jumping from a link, if a hacker carrying out web address hijacking intercepts and analyzes it, then according to the hacker's behavioral characteristics it will be identified as an HTTP request for the target web address initiated by jumping from a link and will be redirected to the preset web address, which returns the content. Therefore, in this embodiment, if the target web address has been hijacked, the second web address obtained through the constructed HTTP request is the web address set up by the hacker, not the real target web address requested.
S103: compare the first web address with the second web address to obtain a comparison result;
In a concrete implementation, the first web address and the second web address can be compared in several ways. For example, one implementation compares whether the whole first web address and the whole second web address are identical, obtaining an exact comparison result.
Alternatively, another comparison can be used: comparing the domains in which the first web address and the second web address are located.
A domain, also called a domain name, is one of the computer address allocation schemes on the Internet and corresponds to an IP (Internet Protocol) address. Every computer on the Internet has an IP address represented by a unique sequence of numbers so that other computers can access it. To make addresses easier to remember, domain names were invented: a combination of letters, digits and symbols that identifies a computer on the Internet. The domain is the computer's unique identifier on the Internet, and through it the numeric address of the computer can be located, enabling access to the computer and communication between computers. Visiting a website, for example, actually means accessing the computer on the Internet where the website resides, namely the Web server: a request is sent to the Web server, which responds to it and returns content to the user. A Web server can be accessed by its IP address, but more often its domain name is used, for example www.abc.com.
When a user accesses a target web address, the main process is generally as follows: the client sends an HTTP request to the target Web server, the target Web server receives and responds to the request, and the target Web server transmits the requested web page file to the client. In this process, the web address requested by the user generally takes the following form:
www.abc.com/d/e/f.html
The domain name part identifies the location of the target Web server on the network, and the part that follows, /d/e/f.html in this example, identifies where the requested file is stored on the target Web server. This is the general form of a target web address accessed by a user, and also the general form of the final accessed web address obtained after the user receives the page returned by the Web server.
Many websites today use dynamic web page technology, so that a Web server can return different content according to different users, different settings, different user habits and so on, to meet the needs of different application environments. After different users in different application environments submit access requests, the final accessed web addresses returned by the Web server may differ. Some Web servers also detect the application environment of whoever submits the access request and return different pages and final accessed web addresses according to the result. For example, a website may determine the user's geographic region from the IP address submitting the access request and then return the web address and page content designed for that region. Therefore, for a web address that has not been hijacked, the first web address and the second web address obtained with the method of this embodiment are not necessarily identical, but their domain name parts are. For example, the first web address may be www.abc.com/a.html and the second www.abc.com/b.html, and this difference is not caused by a hacker hijacking the web address. If whether a web address has been hijacked were judged by directly comparing whether the first and second web addresses are identical, misjudgments could therefore occur.
On the other hand, when a hacker carries out web address hijacking, the final accessed web address the hacker has prepared to replace the one that the target Web server should have returned usually has the following characteristic: the first and second web addresses obtained with the method of this embodiment not only differ, they usually differ starting from the domain name part. This is because, after hijacking a web address, the final accessed web address and page content that the hacker substitutes for those the target Web server should have returned can usually only be served from a domain name the hacker holds.
To above-mentioned these characteristics, the embodiment of the invention provides the method in the territory at the place of comparing first network address and second network address, and promptly relatively whether first network address is identical with the territory at the place of second network address, obtains comparative result; Wherein, identical if comparative result is the territory at two network address place, then can the target network address be waited to see as normal network address, and if the territory differences at two network address places prove that then the target network address possibly be held as a hostage.Thereby can effective recognition because of adopting dynamic web page technique, reasons such as Web server dynamic response technology, first network address and second network address that obtain are different, and have not in fact been implemented the network address of network address abduction behavior by the hacker.
In addition; In practical application; Confirm for further whether the target network address is held as a hostage, can also after the territory difference that identifies two network address places, judge further whether second network address appears in the malice network address database (for example network security produces the blacklist of generation and maintenance etc.); If in blacklist, then definite this target network address has been held as a hostage.That is to say, if a target network address is kidnapped by the hacker, be that the hacker provides owing to second network address then; Therefore, itself has been a malice network address, and this network address possibly be collected into blacklist through other modes; Like this; If second network address is not only different with the territory at second network address place, but also appears in the blacklist, can be sure of that then the target network address of correspondence has been kidnapped by the hacker really.
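The domain comparison and blacklist check described in the paragraphs above, as an added example that is not code from the patent. The function names, verdict strings, the blacklist keyed by domain and the small suffix set are assumptions; treating hosts under one registrable domain (www.abc.com and m.abc.com) as the same domain is this example's reading of "domain" and generalizes the patent's single example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: only the multi-label
# suffixes the samples need. A deployment would load the full list.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk"}
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

NORMAL = "normal"
POSSIBLY_HIJACKED = "possibly hijacked"
HIJACKED = "hijacked"
UNDETERMINED = "undetermined"


def host_of(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    url = url.strip()
    if not _SCHEME.match(url):
        url = "http://" + url      # the patent's examples omit the scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:             # malformed authority, e.g. bad brackets
        return ""
    return host.rstrip(".").lower()


def domain_of(url):
    """Reduce a URL to the domain it belongs to (its registrable domain)."""
    host = host_of(url)
    labels = host.split(".")
    if len(labels) <= 2 or all(label.isdigit() for label in labels):
        return host                # short name, IPv6 or IPv4 literal
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify(first_url, second_url, blacklist):
    """Compare the domains of the two final accessed web addresses.

    first_url  - final address after simulated address-bar entry
    second_url - final address after a simulated jump via a link
    blacklist  - known-malicious hosts or domains (assumed format)
    """
    d1, d2 = domain_of(first_url), domain_of(second_url)
    if not d1 or not d2:
        return UNDETERMINED        # one request yielded no usable address
    if d1 == d2:
        return NORMAL              # e.g. /a.html vs /b.html on one site
    known_bad = {entry.lower() for entry in blacklist}
    if d2 in known_bad or host_of(second_url) in known_bad:
        return HIJACKED            # domains differ and second is blacklisted
    return POSSIBLY_HIJACKED       # domains differ, no blacklist confirmation


# Constructed sample pairs (first address, second address).
SAMPLES = [
    ("www.abc.com/a.html", "www.abc.com/b.html"),
    ("http://www.abc.com/", "http://m.abc.com/index"),
    ("http://shop.example.com.cn/", "http://shop.other-example.com.cn/"),
    ("http://www.abc.com/", "http://promo.bad-example.test/landing"),
]
SAMPLE_BLACKLIST = {"bad-example.test"}


def run_samples():
    """Return the verdict for every constructed sample pair."""
    return [classify(a, b, SAMPLE_BLACKLIST) for a, b in SAMPLES]


if __name__ == "__main__":
    for (a, b), verdict in zip(SAMPLES, run_samples()):
        print(f"{a} | {b} -> {verdict}")
```

The third sample shows why a naive "last two labels" comparison is not enough: both hosts end in com.cn, yet they belong to different domains.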
In short, with the embodiment of the invention, a request to access the target web address can be initiated by simulating the entry of a uniform resource locator (URL) in the browser address bar, a request to access the target web address can be initiated by simulating a jump via a link, and the final accessed web addresses obtained can be compared. The difference between the final accessed web addresses obtained when the target web address is accessed in these two ways is thereby found, the hijacking is exposed, and it can be effectively identified whether the target web address is a hijacked web address.
Corresponding to the method for identifying a hijacked web address provided by the embodiment of the invention, the embodiment of the invention also provides a device for identifying a hijacked web address. Referring to Fig. 2, the device may comprise:
A first web address acquiring unit 201, configured to initiate a request to access the target web address by simulating the entry of a uniform resource locator (URL) in the browser address bar, and to determine the final accessed web address obtained as the first web address;
A second web address acquiring unit 202, configured to initiate a request to access the target web address by simulating a jump via a link, and to determine the final accessed web address obtained as the second web address;
A comparing unit 203, configured to compare the first web address and the second web address to obtain a comparison result;
A recognition unit 204, configured to identify, according to the comparison result, whether the target web address is a hijacked web address.
In a specific implementation, the second web address acquiring unit 202 may comprise:
A search engine simulation subunit, configured to initiate the request to access the target web address by simulating a jump via a link in the search results provided by a search engine.
The comparing unit 203 may comprise:
A domain comparison subunit, configured to compare the domains of the first web address and the second web address to obtain a comparison result.
Accordingly, the recognition unit 204 may comprise:
A first recognition subunit, configured to determine that the target web address is a hijacked web address if the comparison result is that the domains of the first web address and the second web address differ.
Alternatively, the recognition unit 204 may comprise:
A second recognition subunit, configured to determine, if the comparison result is that the domains of the first web address and the second web address differ, whether the second web address appears in a database of known malicious web addresses, and if so, to determine that the target web address is a hijacked web address.
With the device provided by the embodiment of the invention, a request to access the target web address can be initiated by simulating the entry of a uniform resource locator (URL) in the browser address bar, a request to access the target web address can be initiated by simulating a jump via a link, and the final accessed web addresses obtained can be compared. The difference between the final accessed web addresses obtained when the target web address is accessed in these two ways is thereby found, the hijacking is exposed, and it can be effectively identified whether the target web address is a hijacked web address.
From the description of the above embodiments, those skilled in the art can clearly understand that the invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; for parts that are the same or similar between embodiments, refer from one to the other, and each embodiment emphasizes its differences from the others. In particular, because the device or system embodiments are substantially similar to the method embodiment, they are described relatively briefly; for the relevant parts, see the description of the method embodiment. The device and system embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the embodiment's solution. Those of ordinary skill in the art can understand and implement this without creative effort.
The method and device for identifying a hijacked web address provided by the invention have been described in detail above. Specific examples are used herein to explain the principle and embodiments of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the invention, make changes to the specific embodiments and the scope of application. In summary, the content of this description should not be construed as limiting the invention.

Claims (10)

1. A method for identifying a hijacked web address, characterized by comprising:
initiating a request to access a target web address by simulating the entry of a uniform resource locator (URL) in a browser address bar, and determining the final accessed web address obtained as a first web address;
initiating a request to access said target web address by simulating a jump via a link, and determining the final accessed web address obtained as a second web address;
comparing said first web address and second web address to obtain a comparison result;
identifying, according to said comparison result, whether said target web address is a hijacked web address.
2. The method according to claim 1, characterized in that said initiating a request to access said target web address by simulating a jump via a link comprises:
initiating the request to access said target web address by simulating a jump via a link in the search results provided by a search engine.
3. The method according to claim 1, characterized in that said comparing said first web address and second web address to obtain a comparison result comprises:
comparing the domains of said first web address and second web address to obtain a comparison result.
4. The method according to claim 3, characterized in that said identifying, according to said comparison result, whether said target web address is a hijacked web address comprises:
if said comparison result is that the domains of said first web address and second web address differ, said target web address is a hijacked web address.
5. The method according to claim 3, characterized in that said identifying, according to said comparison result, whether said target web address is a hijacked web address comprises:
if said comparison result is that the domains of said first web address and second web address differ, determining whether said second web address appears in a database of known malicious web addresses, and if so, said target web address is a hijacked web address.
6. A device for identifying a hijacked web address, characterized by comprising:
a first web address acquiring unit, configured to initiate a request to access a target web address by simulating the entry of a uniform resource locator (URL) in a browser address bar, and to determine the final accessed web address obtained as a first web address;
a second web address acquiring unit, configured to initiate a request to access said target web address by simulating a jump via a link, and to determine the final accessed web address obtained as a second web address;
a comparing unit, configured to compare said first web address and second web address to obtain a comparison result;
a recognition unit, configured to identify, according to said comparison result, whether said target web address is a hijacked web address.
7. The device according to claim 6, characterized in that said second web address acquiring unit comprises:
a search engine simulation subunit, configured to initiate the request to access said target web address by simulating a jump via a link in the search results provided by a search engine.
8. The device according to claim 6, characterized in that said comparing unit comprises:
a domain comparison subunit, configured to compare the domains of said first web address and second web address to obtain a comparison result.
9. The device according to claim 8, characterized in that said recognition unit comprises:
a first recognition subunit, configured to determine that said target web address is a hijacked web address if said comparison result is that the domains of said first web address and second web address differ.
10. The device according to claim 8, characterized in that said recognition unit comprises:
a second recognition subunit, configured to determine, if said comparison result is that the domains of said first web address and second web address differ, whether said second web address appears in a database of known malicious web addresses, and if so, to determine that said target web address is a hijacked web address.
CN201110456055.XA 2011-12-30 2011-12-30 Method and device for identifying hijacked website Active CN102594934B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201110456055.XA CN102594934B (en) 2011-12-30 2011-12-30 Method and device for identifying hijacked website
US14/368,992 US20140380477A1 (en) 2011-12-30 2012-12-27 Methods and devices for identifying tampered webpage and inentifying hijacked web address
PCT/CN2012/087640 WO2013097742A1 (en) 2011-12-30 2012-12-27 Methods and devices for identifying tampered webpage and identifying hijacked website

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110456055.XA CN102594934B (en) 2011-12-30 2011-12-30 Method and device for identifying hijacked website

Publications (2)

Publication Number Publication Date
CN102594934A true CN102594934A (en) 2012-07-18
CN102594934B CN102594934B (en) 2015-03-25

Family

ID=46483127

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110456055.XA Active CN102594934B (en) 2011-12-30 2011-12-30 Method and device for identifying hijacked website

Country Status (1)

Country Link
CN (1) CN102594934B (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013097742A1 (en) * 2011-12-30 2013-07-04 北京奇虎科技有限公司 Methods and devices for identifying tampered webpage and identifying hijacked website
CN103218561A (en) * 2013-03-18 2013-07-24 珠海市君天电子科技有限公司 Tamper-proof method and device for protecting browser
CN103699840A (en) * 2013-12-12 2014-04-02 北京奇虎科技有限公司 Method and device for detecting page jacking
CN104052630A (en) * 2013-03-14 2014-09-17 北京百度网讯科技有限公司 Method and system for executing verification on website
CN104125121A (en) * 2014-08-15 2014-10-29 携程计算机技术(上海)有限公司 Network hijacking behavior detecting system and method
CN104216930A (en) * 2013-07-30 2014-12-17 腾讯科技(深圳)有限公司 Method and device for detecting skipping type phishing webpage
CN104348803A (en) * 2013-07-31 2015-02-11 深圳市腾讯计算机系统有限公司 Link hijacking detecting method and device, user equipment, analysis server and link hijacking detecting system
CN104486140A (en) * 2014-11-28 2015-04-01 华北电力大学 Device and method for detecting hijacking of web page
CN105100061A (en) * 2015-06-19 2015-11-25 小米科技有限责任公司 Method and device for detecting hijacking of website
CN105141709A (en) * 2015-07-24 2015-12-09 北京奇虎科技有限公司 Method and device for determining page jump in application program
CN105245518A (en) * 2015-09-30 2016-01-13 小米科技有限责任公司 Website hijacking detection method and device
CN105243085A (en) * 2015-09-08 2016-01-13 北京网康科技有限公司 Website search keyword blocking method and apparatus
CN105243134A (en) * 2015-09-30 2016-01-13 北京奇虎科技有限公司 Method and equipment for processing hijacked browser
CN105354490A (en) * 2015-09-30 2016-02-24 北京奇虎科技有限公司 Method and device for processing hijacked browser
CN103685584B (en) * 2012-09-07 2016-12-21 中国科学院计算机网络信息中心 A kind of anti-Domain Hijacking method and system based on tunneling technique
CN106304087A (en) * 2016-08-20 2017-01-04 北京云艾科技有限公司 A kind of anti-wifi kidnaps method and apparatus
CN106960152A (en) * 2017-04-27 2017-07-18 成都奇鲁科技有限公司 A kind of page protection method and page protection device
CN108173814A (en) * 2017-12-08 2018-06-15 深信服科技股份有限公司 Detection method for phishing site, terminal device and storage medium
CN108920589A (en) * 2018-06-26 2018-11-30 百度在线网络技术(北京)有限公司 Browsing kidnaps recognition methods, device, server and storage medium
CN109800378A (en) * 2019-01-23 2019-05-24 北京字节跳动网络技术有限公司 Content processing method, device and electronic equipment based on custom browser
CN110851747A (en) * 2018-08-01 2020-02-28 北京国双科技有限公司 Information matching method and device
CN112311724A (en) * 2019-07-26 2021-02-02 贵州白山云科技股份有限公司 Method, device, medium and equipment for positioning HTTP hijacking
CN112424778A (en) * 2018-07-26 2021-02-26 电子技巧股份有限公司 Information processing device, information processing method, and information processing program
CN112714132A (en) * 2020-12-31 2021-04-27 北京奇艺世纪科技有限公司 Webpage hijacking detection method, device and system and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601528A (en) * 2003-09-25 2005-03-30 微软公司 Systems and methods for client-based web crawling
CN101626368A (en) * 2008-07-11 2010-01-13 中联绿盟信息技术(北京)有限公司 Device, method and system for preventing web page from being distorted
US20100287013A1 (en) * 2009-05-05 2010-11-11 Paul A. Lipari System, method and computer readable medium for determining user attention area from user interface events

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013097742A1 (en) * 2011-12-30 2013-07-04 北京奇虎科技有限公司 Methods and devices for identifying tampered webpage and identifying hijacked website
CN103685584B (en) * 2012-09-07 2016-12-21 中国科学院计算机网络信息中心 A kind of anti-Domain Hijacking method and system based on tunneling technique
CN104052630B (en) * 2013-03-14 2019-10-11 北京百度网讯科技有限公司 The method and system of verifying is executed to website
CN104052630A (en) * 2013-03-14 2014-09-17 北京百度网讯科技有限公司 Method and system for executing verification on website
CN103218561B (en) * 2013-03-18 2016-04-06 珠海市君天电子科技有限公司 Tamper-proof method and device for protecting browser
CN103218561A (en) * 2013-03-18 2013-07-24 珠海市君天电子科技有限公司 Tamper-proof method and device for protecting browser
WO2015014271A1 (en) * 2013-07-30 2015-02-05 Tencent Technology (Shenzhen) Company Limited Method and device for detecting jump activities of phishing webpages
CN104216930B (en) * 2013-07-30 2018-04-27 腾讯科技(深圳)有限公司 A kind of detection method and device of jump class fishing webpage
CN104216930A (en) * 2013-07-30 2014-12-17 腾讯科技(深圳)有限公司 Method and device for detecting skipping type phishing webpage
CN104348803B (en) * 2013-07-31 2018-12-11 深圳市腾讯计算机系统有限公司 Link kidnaps detection method, device, user equipment, Analysis server and system
CN104348803A (en) * 2013-07-31 2015-02-11 深圳市腾讯计算机系统有限公司 Link hijacking detecting method and device, user equipment, analysis server and link hijacking detecting system
CN103699840A (en) * 2013-12-12 2014-04-02 北京奇虎科技有限公司 Method and device for detecting page jacking
CN104125121A (en) * 2014-08-15 2014-10-29 携程计算机技术(上海)有限公司 Network hijacking behavior detecting system and method
CN104486140A (en) * 2014-11-28 2015-04-01 华北电力大学 Device and method for detecting hijacking of web page
CN104486140B (en) * 2014-11-28 2017-12-19 华北电力大学 It is a kind of to detect device and its detection method that webpage is held as a hostage
CN105100061A (en) * 2015-06-19 2015-11-25 小米科技有限责任公司 Method and device for detecting hijacking of website
US10313392B2 (en) 2015-06-19 2019-06-04 Xiaomi Inc. Method and device for detecting web address hijacking
WO2016201889A1 (en) * 2015-06-19 2016-12-22 小米科技有限责任公司 Website hijack detection method and device
CN105141709A (en) * 2015-07-24 2015-12-09 北京奇虎科技有限公司 Method and device for determining page jump in application program
CN105141709B (en) * 2015-07-24 2019-02-05 北京奇虎科技有限公司 Determine the method and device of page jump in application program
CN105243085A (en) * 2015-09-08 2016-01-13 北京网康科技有限公司 Website search keyword blocking method and apparatus
CN105245518A (en) * 2015-09-30 2016-01-13 小米科技有限责任公司 Website hijacking detection method and device
CN105354490B (en) * 2015-09-30 2020-07-28 北京奇虎科技有限公司 Method and equipment for processing hijacked browser
CN105245518B (en) * 2015-09-30 2018-07-24 小米科技有限责任公司 The detection method and device that network address is kidnapped
CN105354490A (en) * 2015-09-30 2016-02-24 北京奇虎科技有限公司 Method and device for processing hijacked browser
CN105243134A (en) * 2015-09-30 2016-01-13 北京奇虎科技有限公司 Method and equipment for processing hijacked browser
CN106304087A (en) * 2016-08-20 2017-01-04 北京云艾科技有限公司 A kind of anti-wifi kidnaps method and apparatus
CN106304087B (en) * 2016-08-20 2020-01-17 北京海云好物科技有限公司 Anti-wifi hijacking method and device
CN106960152A (en) * 2017-04-27 2017-07-18 成都奇鲁科技有限公司 A kind of page protection method and page protection device
CN108173814A (en) * 2017-12-08 2018-06-15 深信服科技股份有限公司 Detection method for phishing site, terminal device and storage medium
CN108173814B (en) * 2017-12-08 2021-02-05 深信服科技股份有限公司 Phishing website detection method, terminal device and storage medium
CN108920589A (en) * 2018-06-26 2018-11-30 百度在线网络技术(北京)有限公司 Browsing kidnaps recognition methods, device, server and storage medium
CN112424778A (en) * 2018-07-26 2021-02-26 电子技巧股份有限公司 Information processing device, information processing method, and information processing program
CN110851747A (en) * 2018-08-01 2020-02-28 北京国双科技有限公司 Information matching method and device
CN110851747B (en) * 2018-08-01 2022-08-02 北京国双科技有限公司 Information matching method and device
CN109800378A (en) * 2019-01-23 2019-05-24 北京字节跳动网络技术有限公司 Content processing method, device and electronic equipment based on custom browser
CN112311724A (en) * 2019-07-26 2021-02-02 贵州白山云科技股份有限公司 Method, device, medium and equipment for positioning HTTP hijacking
CN112714132A (en) * 2020-12-31 2021-04-27 北京奇艺世纪科技有限公司 Webpage hijacking detection method, device and system and electronic equipment

Also Published As

Publication number Publication date
CN102594934B (en) 2015-03-25

Similar Documents

Publication Publication Date Title
CN102594934B (en) Method and device for identifying hijacked website
US20180096070A1 (en) Method And Apparatus For Remotely Monitoring A Social Website
CN102436564A (en) Method and device for identifying falsified webpage
US20140380477A1 (en) Methods and devices for identifying tampered webpage and inentifying hijacked web address
US7533084B2 (en) Monitoring user specific information on websites
AU2008200613B2 (en) Tracking web server
US8286248B1 (en) System and method of web application discovery via capture and analysis of HTTP requests for external resources
Zheng et al. Web analytics overview
CN104717185B (en) Displaying response method, device, server and the system of short uniform resource locator
US20130254649A1 (en) Establishing user consent to cookie storage on user terminal equipment
US20070220145A1 (en) Computer product, access-restricting method, and proxy server
KR20060121923A (en) Techniques for analyzing the performance of websites
CN102868773B (en) Method, device and system for detecting domain name system (DNS) black hole hijack
JP2006520940A (en) Invalid click detection method and apparatus in internet search engine
CN102833212A (en) Webpage visitor identity identification method and system
TW200908641A (en) Contextually aware client application
KR20090048998A (en) System and method for alarming bad public opinion using keyword and recording medium
CN101887463B (en) Virtual domain-based HTTP reduction display method
Puglisi et al. On Web user tracking: How third-party http requests track users' browsing patterns for personalised advertising
Pouryousef et al. Extortion or expansion? an investigation into the costs and consequences of icann’s gtld experiments
Guo et al. A web crawler detection algorithm based on web page member list
CN103118024B (en) Prevent the system and method that webpage is followed the tracks of
JP5231328B2 (en) Advertisement information providing device
Wang et al. Identification of MEEK-Based TOR Hidden Service Access Using the Key Packet Sequence
Vlajic et al. The Double Life of Your Browser: Implications on Privacy and Forensics

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150909

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20150909

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150909

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee after: Beijing Qihu Technology Co., Ltd.

Patentee after: Qizhi Software (Beijing) Co., Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Patentee before: Qizhi Software (Beijing) Co., Ltd.

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161208

Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: Beijing Qihu Technology Co., Ltd.

Patentee before: Qizhi Software (Beijing) Co., Ltd.

CP03 Change of name, title or address

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP03 Change of name, title or address