CN102594934B - Method and device for identifying hijacked website - Google Patents
Method and device for identifying hijacked website Download PDFInfo
- Publication number
- CN102594934B CN102594934B CN201110456055.XA CN201110456055A CN102594934B CN 102594934 B CN102594934 B CN 102594934B CN 201110456055 A CN201110456055 A CN 201110456055A CN 102594934 B CN102594934 B CN 102594934B
- Authority
- CN
- China
- Prior art keywords
- network address
- request
- access
- hostage
- comparative result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 230000000052 comparative effect Effects 0.000 claims description 37
- 238000004088 simulation Methods 0.000 claims description 22
- 230000000977 initiatory effect Effects 0.000 abstract description 3
- 230000006399 behavior Effects 0.000 description 22
- 238000005516 engineering process Methods 0.000 description 5
- 230000003542 behavioural effect Effects 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 230000004044 response Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 239000002699 waste material Substances 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000006698 induction Effects 0.000 description 1
- 230000009545 invasion Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a method and a device for identifying a hijacked website. The method comprises the following steps of: initiating a request for accessing a target website by simulating a mode of inputting a uniform resource locator (URL) into an address bar of a browser, and determining the obtained final access website as a first website; initiating a request for accessing the target website by simulating a mode of skipping according to a link, and determining the obtained final access website as a second website; comparing the first website with the second website to obtain a comparison result; and identifying whether the target website is the hijacked website according to the comparison result. According to the method and the device, the hijacked website can be identified effectively, so that an effective measure for judging whether the website is hijacked is supplied to a user and other computer services.
Description
Technical field
The present invention relates to field of computer technology, particularly relate to a kind of identification and to be held as a hostage the method for network address and device.
Background technology
In today that E-Government, ecommerce are popularized day by day, the window that website has become government bodies, enterprises and institutions show image, the foundation in succession of various institutional settings website, for its release news, service be provided, the work such as to commence business provides effective means, also brings huge facility.If but the network address of website is held as a hostage, not only carrying out of regular traffic can be affected, even can bring to government's prestige, corporate image the negative effect that cannot estimate.What is more, and some lawless person also utilizes criminal activities such as kidnapping hacker's means such as network address carry out instigating, swindle, brings loss to institutional settings and the masses.If this hacker's behavior for be government website, once network address is held as a hostage, during masses' browsing page, can not get correct information, can cause serious harm to government image; The people that other is had ulterior motives may utilize the people to the trust of government website, kidnaps network address, spread rumors, the fear causing the common people unnecessary and suspecting, thus causes huge loss to the country and people.
Along with developing rapidly of the Internet, the event that invasion, network address are kidnapped also frequently occurs.For showing off technology, publicity product, the objects such as illegal profit, various hacking technique is misused in the Internet, has seriously harmed the normal use of user to the Internet.Wherein, a kind of hacking technique kidnapping network address, makes Internet user when clickthrough, and what open is not real target network address, and is through other network address well-designed, these network address or contain boring advertisement, waste user's browsing time; Or contain illegal information, publicity malfeasance; What even have contains virus, wooden horse, carries out malicious sabotage etc. to the computer of user.As somewhere, lottery ticket official website is kidnapped, user click after obtain be one so-called " website of national lottery forecasting research " center ", induction user registration, consumption, to reach the object of unlawful profit-making.
Therefore, the technical problem solved in the urgent need to those skilled in the art is just how to provide a kind of method whether effective identification network address has been held as a hostage, for user and other Computer Service provide a kind of effective means whether network address is held as a hostage that judge.
Summary of the invention
The invention provides a kind of identification to be held as a hostage the method for network address and device, effectively can identify network address of being held as a hostage, for user and other Computer Service provide a kind of effective means whether network address is held as a hostage that judge.
The invention provides following scheme:
Identification is held as a hostage the method for network address, comprising:
In browser address bar, inputted the mode of uniform resource position mark URL by simulation, initiate the request of access destination network address, and the final access network address obtained is defined as the first network address;
Carried out the mode of redirect by simulation by link, initiate the request of the described target network address of access, and the final access network address obtained is defined as the second network address;
More described first network address and the second network address, obtain a comparative result;
According to described comparative result identification, whether target network address is network address of being held as a hostage.
Wherein, described mode of being carried out redirect by simulation by link, initiate the request of the described target network address of access, comprising:
The mode of redirect is carried out in link in the Search Results provided by search engine by simulation, initiates the request of the described target network address of access.
Wherein, described first network address and the second network address, obtain a comparative result, comprising:
The territory at the place of more described first network address and the second network address, obtains a comparative result.
Wherein, described according to described comparative result identification target network address whether for network address of being held as a hostage comprises:
If described comparative result is that described first network address is different from the territory at the place of the second network address, then described target network address is network address of being held as a hostage.
Wherein, described according to described comparative result identification target network address whether for network address of being held as a hostage comprises:
If described comparative result is that described first network address is different from the territory at the place of the second network address, then judge whether described second network address appears in known malice network address database, if so, then described target network address is network address of being held as a hostage.
Identification is held as a hostage the device of network address, comprising:
First network address acquiring unit, for being inputted the mode of uniform resource position mark URL in browser address bar by simulation, is initiated the request of access destination network address, and the final access network address obtained is defined as the first network address;
Second network address acquiring unit, for being carried out the mode of redirect by link by simulation, is initiated the request of the described target network address of access, and the final access network address obtained is defined as the second network address;
Comparing unit, for more described first network address and the second network address, obtains a comparative result;
Whether recognition unit is network address of being held as a hostage for target network address according to described comparative result identification.
Wherein, described second network address acquiring unit comprises:
Search engine analog submodule unit, for being carried out the mode of redirect by the link of simulating in the Search Results that provided by search engine, initiates the request of the described target network address of access.
Wherein, described comparing unit comprises:
Subelement is compared in territory, for the territory at the place of more described first network address and the second network address, obtains a comparative result.
Wherein, described recognition unit comprises:
First recognin unit, if be that described first network address is different from the territory at the place of the second network address for described comparative result, then described target network address is network address of being held as a hostage.
Wherein, described recognition unit comprises:
Second recognin unit, if be that described first network address is different from the territory at the place of the second network address for described comparative result, then judge whether described second network address appears in known malice network address database, if so, then described target network address is network address of being held as a hostage.
According to specific embodiment provided by the invention, the invention discloses following technique effect:
Pass through the present invention, the mode of uniform resource position mark URL can be inputted in browser address bar by simulation, initiate the request of access destination network address, and carried out the mode of redirect by link by simulation, initiate the request of the described target network address of access, and compare the final access network address obtained, thus when finding by two kinds of mode access destination network address, the difference of the final access network address obtained, and disclose the behavior of kidnapping network address, effectively can identify whether target network address is network address of being held as a hostage.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the flow chart of the method that the embodiment of the present invention provides;
Fig. 2 is the schematic diagram of the device that the embodiment of the present invention provides.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, the every other embodiment that those of ordinary skill in the art obtain, all belongs to the scope of protection of the invention.
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, the every other embodiment that those of ordinary skill in the art obtain, all belongs to the scope of protection of the invention.
First it should be noted that, when an internet user access network address, no matter be by the mode inputting uniform resource position mark URL direct in the address field of browser, or the mode of redirect is carried out by link, in fact be all the browser using local computer, a HTTP (HTML (Hypertext Markup Language) is have sent to server by the Internet, HyperText Transfer Protocol) request, this HTTP request typically includes one or several, necessary or non-essential request header, or be called header field, the request type information to server request is contained in request header.
As request header Accept-Charset, it illustrates the acceptable character set information of browser of local computer; Such as request header User-Agent again, it contains operating system and version, cpu type, browser and the version, browser renders engine, browser language, browser plug-in etc. of client's use, so that server is by judging the particular content of request header User-Agent, the computer software and hardware environment used according to different users when response user request, generates and sends the different pages; Such as request header Referer again, it contains a uniform resource position mark URL, to server table, it understands that this request is the URL redirect by wherein comprising, the i.e. page that represents from this URL of user, the page of access current request, current website business associate closely and search engine use frequently under environment, request header Referer is used in the request of most of page jump, serve convenient service device and the effects such as statistics are carried out to visit data, thus be widely used.
At the secure context of network; game between hacker and security service provider, computer user never stopped, and hacker, when implementing hacker's behavior, can take certain strategy usually; the malfeasance of oneself is pretended and covers up, to reach not by the object disclosed.For network address is kidnapped, wherein a kind of feature of hacking technique, the following situation run into can be used in the process of the Internet to reflect by user: user is when directly input target network address is browsed in the address field of browser, what open is normal target network address, and the Search Results by search engine or the link by other webpages carry out redirect when opening target network address, the final access network address opened but is through the network address that hacker is arranged, instead of real target network address.The content of presenting to user also usually has sizable gap with target web, is not the information required for user even completely.
Reality is in actual applications, ordinary internet users is when needing to open a new network address, in most cases, be not conducted interviews by the mode of input network address direct in address field, because the complete network address of the target web that most of user will browse is very long, be not easy to memory, knock complete network address and can waste user's a lot of time.So, when user wants to open certain network address, often adopt the Search Results by search engine, or redirect is carried out in the link of other webpage; In addition; Internet user is when surfing the web; much open the purpose that the behavior of network address is not clear and definite, namely when user finds interested content in the current webpage browsed, usually can open interested web page address by the link redirect of current web page.
And for the people of real concern particular web site, the owner of such as website, manager, when needs enter certain particular web site, owing to knowing specific network address, majority of case can't via search engine search results, or the mode that the link of other webpages jumps to particular web site is browsed, but the direct target network address that directly inputs in the address field at browser is browsed, now, the final access network address obtained is the target network address of not being held as a hostage, and based on such behavioral characteristic, for the behavior of kidnapping network address, this kind of special viewer is but difficult to find.
As can be seen here, when a needs access network address, domestic consumer use mode great majority belong to by link carry out redirect, and for the owner of website, the special populations such as manager, owing to usually there are not the needs using link redirect, the mode directly directly inputting target network address in browser address bar is usually used to conduct interviews, result in this kind of user crowd and can not find that network address is held as a hostage in most cases, and the behavioral characteristic of these browsing pages just, give enforcement network address and kidnap the hacker of behavior with opportunity, the network address implementing to have These characteristics is made to kidnap the hacker of behavior, the behavior of oneself being kidnapped to network address has been carried out effectively covering up.
The present inventor is realizing finding in process of the present invention, why can occur in direct input target network address in the address field of browser to browse, carry out the carrying out that redirect opens same network address browse with by the Search Results of search engine or by linking of other webpages, the final reference address obtained has difference, say from technology angle, owing to accessing in the process of network address user, implement the hacker that network address kidnaps behavior, the HTTP request sent when using browser to open network address to user implements abduction, and analyze the feature of HTTP request, then take different means according to different analysis results, to such an extent as to user opens different final access network address, thus obtain different webpages.Below this is introduced in detail.
When user initiates the access request to a network address, be actually and have sent a HTTP request by browser to Web server, the hacker implementing network address abduction behavior can kidnap and analyze this request, and carry out different process according to the feature of HTTP request: if in the browse request sent, the target network address asked comes from the direct input of user in the address field of browser, then this HTTP request is let pass, normal web page contents is returned by the destination Web server of HTTP request, thus, the final access network address that user obtains is normal target network address, the content be presented on user browser is also the normal web page contents returned by destination Web server, and the HTTP request that redirect visits target network address is carried out in the Search Results by search engine sent for user browser or the link by other webpages, then kidnapped, then a network address be pre-arranged is jumped to, thus, the final access network address that user obtains is the network address that hacker pre-sets, and the content presented also is the content that network address that this hacker pre-sets returns.
Concrete, carry out of hacker to the HTTP request to destination Web server transmission of kidnapping of implementing network address abduction behavior is analyzed, in fact, what implement that network address kidnaps that the hacker of behavior analyzes is the information that the HTTP head of HTTP request sent to destination Web server comprises.Particularly analyze Referer request header, thus obtain the URL that Referer request header comprises, namely analyze the page obtaining the page access current request that user from which URL represents, the hacker implementing network address abduction behavior so just can judge whether current HTTP request is the HTTP request sent by the link redirect of specific webpage.
Implement network address and kidnap the hacker of behavior by analyzing the carrying out of the HTTP request to destination Web server transmission of kidnapping, according to analysis result, determine it is this HTTP request of letting pass, webpage is returned by the destination Web server of this HTTP request, still jump to the network address pre-set, return webpage by the network address pre-set to user.Which results in the request being initiated the same network address of access by different modes, the final access network address obtained can be different, and the content had access to is also often different.
Based on above analysis, embodiments provide a kind of identification and to be held as a hostage the method for network address, see Fig. 1, the method includes the steps of:
S101: the mode being inputted uniform resource position mark URL by simulation in browser address bar, is initiated the request of access destination network address, and the final access network address obtained is defined as the first network address;
In embodiments of the present invention, first by structure HTTP request, simulate the mode to input URL in browser address bar, initiate the request of access destination network address.The HTTP request of this structure, possesses the mode to input URL in browser address bar, initiates the feature of the HTTP access request of access destination network address.To input the mode of URL in browser address bar, the HTTP access request of the access destination network address of initiation, in its request header, Referer request header is not involved, namely in this type of HTTP request, does not have Referer request header; In addition, in the request header of the HTTP request of structure, typically includes User-Agent request header, in User-Agent request header, construct user browser information, such as:
User-Agent:Mozilla/5.0(compatible;MSIE 9.0;Windows NT 6.1;Trident/5.0)
In the example of this User-Agent request header, give user browser type, version, the information such as operating system of user version.
The HTTP request of this structure can be identified as the mode to input URL in browser address bar, initiates the HTTP request head of the HTTP access request of access destination network address.By constructing the HTTP request that comprises above feature, simulate one to input the mode of URL in browser address bar, initiate the HTTP request of access destination network address, and send the HTTP request of this structure to destination Web server, the final access network address obtained is defined as the first network address.
HTTP request due to this structure possesses the mode to input URL in browser address bar, initiate the feature of the HTTP access request of access destination network address, if the hacker so implementing network address abduction behavior kidnaps and analyzes the HTTP request of this structure, according to the behavioural characteristic of hacker, meeting is identified as the mode to input URL in browser address bar this HTTP access request, initiate the HTTP request of access destination network address, and let pass, then by the destination Web server returned content of asking.Therefore in this step of the embodiment of the present invention, the first network address obtained is the real goal network address of request, instead of implements the network address that network address kidnaps hacker's setting of behavior.
S102: the mode of being carried out redirect by simulation by link, is initiated the request of the described target network address of access, and the final access network address obtained is defined as the second network address;
Except obtaining the first network address, also needing by constructing a HTTP request, simulating the mode of being carried out redirect by link, initiate the request of access destination network address.The HTTP request of this structure, possesses the mode of being carried out redirect by link, initiates the feature of the HTTP request of access destination network address.The mode of redirect is carried out by link, initiate the HTTP request of the described target network address of access, in its HTTP request, contain Referer request header, a URL information is contained in this Referer request header, describe this HTTP request be URL redirect by comprising in Referer request header and come, namely this HTTP request is that URL by comprising in this Referer request header sets out, the HTTP request of access destination network address.This Referer request header can be identified as the mode of being carried out redirect by link, initiates the request header of the HTTP request of access destination network address.
By constructing the HTTP request that comprises above Referer request header feature, simulate one is carried out redirect mode by link, initiate the HTTP request of access destination network address, and the HTTP request of this structure is sent to destination Web server, the final access network address obtained is defined as the second network address.
HTTP request due to this structure possesses the mode of being carried out redirect by link, initiate the feature of the HTTP request of access destination network address, if the hacker so implementing network address abduction behavior kidnaps and analyzes the HTTP request of this structure, according to the behavioural characteristic of hacker, this HTTP access request can be identified as the mode of being carried out redirect by link, initiate the HTTP request of access destination network address, then jump to the network address pre-set, and have the network address returned content pre-set.Therefore in embodiments of the present invention, if target network address is held as a hostage, the second network address obtained by the HTTP request of this structure is be implemented the network address that network address kidnaps hacker's setting of behavior, instead of the real goal network address of request.
S103: more described first network address and the second network address, obtain a comparative result;
During specific implementation, compare the first network address and the second network address obtains comparative result, multiple concrete implementation can be had.Such as, wherein a kind of implementation can be whether more whole first network address is identical with whole second network address, obtains an accurate comparative result.
In addition, another kind of manner of comparison can also be adopted to obtain comparative result: the territory of comparing the place of the first network address and the second network address.
Territory, also known as domain name, be the one on the Internet in computer address allocative decision, corresponding with IP (Internet protocol) address, the IP address that each computer on the Internet has unique Serial No. to represent, so that other computers can be accessed.For the ease of memory, people have invented again domain name, the computer on the Internet is identified with the combination of letter, numeral, symbol, territory is computer unique identifier on the internet, by territory, the numeric address of the computer on the Internet can be navigated to realize the access of computer and the communication of intercomputer.Such as, for certain website of access, be actually access websites and be positioned at computer on the Internet, i.e. Web server, sends request to Web server, returns to user content by web server response request.When accessing certain Web server, its IP address can be used, but use is more the domain name of Web server, such as uses www.abc.com.
When user accesses a certain target network address, main process generally, sends a HTTP request by client to destination Web server, and destination Web server receives and responds this HTTP request, and destination Web server transmits requested web page files to client.In this process, the network address that user asks generally represents with following form:
www.abc.com/d/e/f.html
Domain name part wherein identifies the position of destination Web server on network, and part below as in this example /d/e/f.html, then identify the memory location of user's demand file on destination Web server.This is the general type that user accesses a certain target network address, is also after user obtains the page that Web server returns, the general type of the final access network address simultaneously obtained.
The website of current era, much have employed dynamic web page technique, makes Web server can according to different user, and different settings, different user habits etc., returns to the content that user is different, to meet the different demands of different application environment.Different user, under different applied environments, submit access request to after, the final access network address that the Web server obtained returns may be not quite similar.In addition, the applied environment of some Web server meeting test access request submitters, returns the different pages according to testing result and finally accesses network address.Such as certain website, according to the IP address submitting access request to, can judge the geographic location area at user place, then returns to network address and the web page contents of the different pages that user designs for different regions.Therefore, for a network address of not being held as a hostage, the first network address utilizing the method described in the embodiment of the present invention to obtain and the second network address are not likely identical yet, but both domain name part are identical.Such as, the first network address may be www.abc.com/a.html, and the second network address may be www.abc.com/b.html, but this difference is not because network address is caused by hacker's abduction.Therefore, if whether directly compare the first network address identical with the second network address, judge whether network address is held as a hostage, situation about judging by accident may be occurred.
On the other hand, when hacker implements network address abduction behavior, that hacker prepares, be used for that alternative user asks, the final access network address that should be returned by destination Web server has following features usually: the first network address utilizing the method for the embodiment of the present invention to obtain is not only different from the second network address, and normally both are just different from domain name part.This is because hacker after certain network address of abduction, is used for that alternative user asks, and the final access network address that should be returned by destination Web server, and content of pages, the domain name usually can only held by hacker oneself generates.
For these features above-mentioned, embodiments provide the method in the territory at the place of comparing the first network address and the second network address, namely compare the first network address whether identical with the territory at the place of the second network address, obtain comparative result; Wherein, if to be the territory at two network address places identical for comparative result, then target network address can be waited to see as normal network address, and if the territory at two network address places is different, then prove that target network address may be held as a hostage.Thus effectively can identify that the first network address obtained and the second network address are different because adopting dynamic web page technique, the reasons such as Web server dynamic response technology, and in fact do not implemented the network address of network address abduction behavior by hacker.
In addition, in actual applications, in order to confirm whether target network address is held as a hostage further, can also after the territory difference identifying two network address places, judge whether the second network address appears in malice network address database (such as network security generates and the blacklist etc. safeguarded) further, if there is in blacklist, then determine that this target network address has been held as a hostage.That is, if a target network address is kidnapped by hacker, then because the second network address is that hacker provides, therefore, itself be a malice network address, and this network address may be collected into blacklist by other means, like this, if the second network address is not only different from the territory at the second network address place, but also appears in blacklist, then can be sure of that corresponding target network address has been kidnapped by hacker really.
In a word, pass through the embodiment of the present invention, the mode of uniform resource position mark URL can be inputted in browser address bar by simulation, initiate the request of access destination network address, and carried out the mode of redirect by link by simulation, initiate the request of the described target network address of access, and compare the final access network address obtained, thus when finding by two kinds of mode access destination network address, the difference of the final access network address obtained, and disclose the behavior of kidnapping network address, effectively can identify whether target network address is network address of being held as a hostage.
The be held as a hostage method of network address of the identification provided with the embodiment of the present invention additionally provides a kind of identification relative to, the embodiment of the present invention and to be held as a hostage the device of network address, and see Fig. 2, this device can comprise:
First network address acquiring unit 201, for being inputted the mode of uniform resource position mark URL in browser address bar by simulation, is initiated the request of access destination network address, and the final access network address obtained is defined as the first network address;
Second network address acquiring unit 202, for being carried out the mode of redirect by link by simulation, is initiated the request of the described target network address of access, and the final access network address obtained is defined as the second network address;
Comparing unit 203, for more described first network address and the second network address, obtains a comparative result;
Whether recognition unit 204 is network address of being held as a hostage for target network address according to described comparative result identification.
During specific implementation, the second network address acquiring unit 202 can comprise:
Search engine analog submodule unit, for being carried out the mode of redirect by the link of simulating in the Search Results that provided by search engine, initiates the request of the described target network address of access.
Wherein, comparing unit 203 can comprise:
Subelement is compared in territory, for the territory at the place of more described first network address and the second network address, obtains a comparative result.
Accordingly, recognition unit 204 can comprise:
First recognin unit, if be that described first network address is different from the territory at the place of the second network address for described comparative result, then described target network address is network address of being held as a hostage.
Or recognition unit 204 also can comprise:
Second recognin unit, if be that described first network address is different from the territory at the place of the second network address for described comparative result, then judge whether described second network address appears in known malice network address database, if so, then described target network address is network address of being held as a hostage.
The device that embodiment provides by the present invention, the mode of uniform resource position mark URL can be inputted in browser address bar by simulation, initiate the request of access destination network address, and carried out the mode of redirect by link by simulation, initiate the request of the described target network address of access, and compare the final access network address obtained, thus when finding by two kinds of mode access destination network address, the difference of the final access network address obtained, and disclose the behavior of kidnapping network address, effectively can identify whether target network address is network address of being held as a hostage.
As seen through the above description of the embodiments, those skilled in the art can be well understood to the mode that the present invention can add required general hardware platform by software and realizes.Based on such understanding, technical scheme of the present invention can embody with the form of software product the part that prior art contributes in essence in other words, this computer software product can be stored in storage medium, as ROM/RAM, magnetic disc, CD etc., comprising some instructions in order to make a computer equipment (can be personal computer, server, or the network equipment etc.) perform the method described in some part of each embodiment of the present invention or embodiment.
Each embodiment in this specification all adopts the mode of going forward one by one to describe, between each embodiment identical similar part mutually see, what each embodiment stressed is the difference with other embodiments.Especially, for device or system embodiment, because it is substantially similar to embodiment of the method, so describe fairly simple, relevant part illustrates see the part of embodiment of the method.Apparatus and system embodiment described above is only schematic, the wherein said unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of the present embodiment scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
Above a kind of identification provided by the present invention is held as a hostage the method for network address and device, be described in detail, apply specific case herein to set forth principle of the present invention and execution mode, the explanation of above embodiment just understands method of the present invention and core concept thereof for helping; Meanwhile, for one of ordinary skill in the art, according to thought of the present invention, all will change in specific embodiments and applications.In sum, this description should not be construed as limitation of the present invention.
Claims (10)
1. identification is held as a hostage a method for network address, it is characterized in that, comprising:
In browser address bar, inputted the mode of uniform resource position mark URL by simulation, initiate the request of access destination network address, and the final access network address obtained is defined as the first network address;
Carried out the mode of redirect by simulation by link, initiate the request of the described target network address of access, and the final access network address obtained is defined as the second network address;
More described first network address and the second network address, obtain a comparative result;
According to described comparative result identification, whether target network address is network address of being held as a hostage;
Wherein, described request comprises HTTP request.
2. method according to claim 1, is characterized in that, described mode of being carried out redirect by simulation by link, initiates the request of the described target network address of access, comprising:
The mode of redirect is carried out in link in the Search Results provided by search engine by simulation, initiates the request of the described target network address of access.
3. method according to claim 1, is characterized in that, described first network address and the second network address, obtain a comparative result, comprising:
The territory at the place of more described first network address and the second network address, obtains a comparative result.
4. method according to claim 3, is characterized in that, described according to described comparative result identification target network address whether for network address of being held as a hostage comprises:
If described comparative result is that described first network address is different from the territory at the place of the second network address, then described target network address is network address of being held as a hostage.
5. method according to claim 3, is characterized in that, described according to described comparative result identification target network address whether for network address of being held as a hostage comprises:
If described comparative result is that described first network address is different from the territory at the place of the second network address, then judge whether described second network address appears in known malice network address database, if so, then described target network address is network address of being held as a hostage.
6. identification is held as a hostage a device for network address, it is characterized in that, comprising:
First network address acquiring unit, for being inputted the mode of uniform resource position mark URL in browser address bar by simulation, is initiated the request of access destination network address, and the final access network address obtained is defined as the first network address;
Second network address acquiring unit, for being carried out the mode of redirect by link by simulation, is initiated the request of the described target network address of access, and the final access network address obtained is defined as the second network address;
Comparing unit, for more described first network address and the second network address, obtains a comparative result;
Whether recognition unit, be network address of being held as a hostage for target network address according to described comparative result identification, wherein, described request comprises HTTP request.
7. device according to claim 6, is characterized in that, described second network address acquiring unit comprises:
Search engine analog submodule unit, for being carried out the mode of redirect by the link of simulating in the Search Results that provided by search engine, initiates the request of the described target network address of access.
8. device according to claim 6, is characterized in that, described comparing unit comprises:
Subelement is compared in territory, for the territory at the place of more described first network address and the second network address, obtains a comparative result.
9. device according to claim 8, is characterized in that, described recognition unit comprises:
First recognin unit, if be that described first network address is different from the territory at the place of the second network address for described comparative result, then described target network address is network address of being held as a hostage.
10. device according to claim 8, is characterized in that, described recognition unit comprises:
Second recognin unit, if be that described first network address is different from the territory at the place of the second network address for described comparative result, then judge whether described second network address appears in known malice network address database, if so, then described target network address is network address of being held as a hostage.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110456055.XA CN102594934B (en) | 2011-12-30 | 2011-12-30 | Method and device for identifying hijacked website |
| US14/368,992 US20140380477A1 (en) | 2011-12-30 | 2012-12-27 | Methods and devices for identifying tampered webpage and inentifying hijacked web address |
| PCT/CN2012/087640 WO2013097742A1 (en) | 2011-12-30 | 2012-12-27 | Methods and devices for identifying tampered webpage and identifying hijacked website |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110456055.XA CN102594934B (en) | 2011-12-30 | 2011-12-30 | Method and device for identifying hijacked website |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102594934A CN102594934A (en) | 2012-07-18 |
| CN102594934B true CN102594934B (en) | 2015-03-25 |
Family
ID=46483127
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110456055.XA Active CN102594934B (en) | 2011-12-30 | 2011-12-30 | Method and device for identifying hijacked website |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102594934B (en) |
Families Citing this family (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140380477A1 (en) * | 2011-12-30 | 2014-12-25 | Beijing Qihoo Technology Company Limited | Methods and devices for identifying tampered webpage and inentifying hijacked web address |
| CN103685584B (en) * | 2012-09-07 | 2016-12-21 | 中国科学院计算机网络信息中心 | A kind of anti-Domain Hijacking method and system based on tunneling technique |
| CN104052630B (en) * | 2013-03-14 | 2019-10-11 | 北京百度网讯科技有限公司 | The method and system of verifying is executed to website |
| CN103218561B (en) * | 2013-03-18 | 2016-04-06 | 珠海市君天电子科技有限公司 | Tamper-proof method and device for protecting browser |
| CN104216930B (en) * | 2013-07-30 | 2018-04-27 | 腾讯科技(深圳)有限公司 | A kind of detection method and device of jump class fishing webpage |
| CN104348803B (en) * | 2013-07-31 | 2018-12-11 | 深圳市腾讯计算机系统有限公司 | Link kidnaps detection method, device, user equipment, Analysis server and system |
| CN103699840B (en) * | 2013-12-12 | 2017-07-11 | 北京奇虎科技有限公司 | Detection method and device that webpage is kidnapped |
| CN104125121A (en) * | 2014-08-15 | 2014-10-29 | 携程计算机技术(上海)有限公司 | Network hijacking behavior detecting system and method |
| CN104486140B (en) * | 2014-11-28 | 2017-12-19 | 华北电力大学 | It is a kind of to detect device and its detection method that webpage is held as a hostage |
| CN105100061B (en) * | 2015-06-19 | 2018-09-04 | 小米科技有限责任公司 | Network address kidnaps the method and device of detection |
| CN105141709B (en) * | 2015-07-24 | 2019-02-05 | 北京奇虎科技有限公司 | Determine the method and device of page jump in application program |
| CN105243085A (en) * | 2015-09-08 | 2016-01-13 | 北京网康科技有限公司 | Website search keyword blocking method and apparatus |
| CN105245518B (en) * | 2015-09-30 | 2018-07-24 | 小米科技有限责任公司 | The detection method and device that network address is kidnapped |
| CN105354490B (en) * | 2015-09-30 | 2020-07-28 | 北京奇虎科技有限公司 | Method and equipment for processing hijacked browser |
| CN105243134B (en) * | 2015-09-30 | 2019-07-16 | 北京奇虎科技有限公司 | A kind of method and apparatus handling browser of being held as a hostage |
| CN106304087B (en) * | 2016-08-20 | 2020-01-17 | 北京海云好物科技有限公司 | Anti-wifi hijacking method and device |
| CN106960152A (en) * | 2017-04-27 | 2017-07-18 | 成都奇鲁科技有限公司 | A kind of page protection method and page protection device |
| CN108173814B (en) * | 2017-12-08 | 2021-02-05 | 深信服科技股份有限公司 | Phishing website detection method, terminal device and storage medium |
| CN108920589B (en) * | 2018-06-26 | 2021-08-10 | 百度在线网络技术(北京)有限公司 | Browsing hijacking identification method, device, server and storage medium |
| JP6716051B2 (en) * | 2018-07-26 | 2020-07-01 | デジタルア−ツ株式会社 | Information processing apparatus, information processing method, and information processing program |
| CN110851747B (en) * | 2018-08-01 | 2022-08-02 | 北京国双科技有限公司 | Information matching method and device |
| CN109800378A (en) * | 2019-01-23 | 2019-05-24 | 北京字节跳动网络技术有限公司 | Content processing method, device and electronic equipment based on custom browser |
| CN112311724B (en) * | 2019-07-26 | 2023-06-20 | 贵州白山云科技股份有限公司 | Method, device, medium and equipment for positioning HTTP hijacking |
| CN112714132A (en) * | 2020-12-31 | 2021-04-27 | 北京奇艺世纪科技有限公司 | Webpage hijacking detection method, device and system and electronic equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1601528A (en) * | 2003-09-25 | 2005-03-30 | 微软公司 | Systems and methods for client-based web crawling |
| CN101626368A (en) * | 2008-07-11 | 2010-01-13 | 中联绿盟信息技术(北京)有限公司 | Device, method and system for preventing web page from being distorted |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9442621B2 (en) * | 2009-05-05 | 2016-09-13 | Suboti, Llc | System, method and computer readable medium for determining user attention area from user interface events |
-
2011
- 2011-12-30 CN CN201110456055.XA patent/CN102594934B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1601528A (en) * | 2003-09-25 | 2005-03-30 | 微软公司 | Systems and methods for client-based web crawling |
| CN101626368A (en) * | 2008-07-11 | 2010-01-13 | 中联绿盟信息技术(北京)有限公司 | Device, method and system for preventing web page from being distorted |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102594934A (en) | 2012-07-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102594934B (en) | Method and device for identifying hijacked website | |
| Urban et al. | Measuring the impact of the GDPR on data sharing in ad networks | |
| US20140380477A1 (en) | Methods and devices for identifying tampered webpage and inentifying hijacked web address | |
| CN102436564A (en) | Method and device for identifying falsified webpage | |
| US7533084B2 (en) | Monitoring user specific information on websites | |
| US8131799B2 (en) | User-transparent system for uniquely identifying network-distributed devices without explicitly provided device or user identifying information | |
| US20180096070A1 (en) | Method And Apparatus For Remotely Monitoring A Social Website | |
| Zheng et al. | Web analytics overview | |
| US9323859B2 (en) | Dynamic client side name suggestion service | |
| KR20060121923A (en) | Techniques for analyzing the performance of websites | |
| US20070220145A1 (en) | Computer product, access-restricting method, and proxy server | |
| US8407766B1 (en) | Method and apparatus for monitoring sensitive data on a computer network | |
| TW200908641A (en) | Contextually aware client application | |
| CN110929183A (en) | Data processing method, device and machine readable medium | |
| Pouryousef et al. | Extortion or expansion? an investigation into the costs and consequences of icann’s gtld experiments | |
| Fletcher et al. | Practical web traffic analysis: standards, privacy, techniques, and results | |
| CN113553601B (en) | Webpage content encryption method and equipment | |
| CN110825976B (en) | Website page detection method and device, electronic equipment and medium | |
| US20110072038A1 (en) | Web site with content based on referring link information | |
| Mohsen et al. | Quantifying information exposure by web browsers | |
| KR20090116429A (en) | Advertising system and method using contents of personal homepage | |
| Horsman | A forensic examination of online search facility URL record structures | |
| Amarasekara et al. | Improving the robustness of the cross-domain tracking process | |
| KR19990018591U (en) | Internet harmful site access restriction device | |
| KR102520329B1 (en) | System for providing blockchain based abusing detection service |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| ASS | Succession or assignment of patent right |
Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD. Effective date: 20150909 Owner name: BEIJING QIHU TECHNOLOGY CO., LTD. Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD. Effective date: 20150909 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20150909 Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park) Patentee after: Beijing Qihu Technology Co., Ltd. Patentee after: Qizhi Software (Beijing) Co., Ltd. Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C Patentee before: Qizhi Software (Beijing) Co., Ltd. |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20161208 Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3 Patentee after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park) Patentee before: Beijing Qihu Technology Co., Ltd. Patentee before: Qizhi Software (Beijing) Co., Ltd. |
|
| CP03 | Change of name, title or address |
Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing Patentee after: Qianxin Technology Group Co., Ltd. Address before: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3 Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD. |
|
| CP03 | Change of name, title or address |