Summary of the invention
The invention provides a method and a device for identifying a hijacked web address, which can effectively identify hijacked web addresses and give users and other computer services an effective means of judging whether a web address has been hijacked.
The invention provides the following scheme:
A method for identifying a hijacked web address, comprising:
initiating a request to access a target web address by simulating the entry of a uniform resource locator (URL) in the browser address bar, and determining the final accessed web address obtained as a first web address;
initiating a request to access said target web address by simulating navigation through a link, and determining the final accessed web address obtained as a second web address;
comparing said first web address with said second web address to obtain a comparison result;
identifying, according to said comparison result, whether the target web address is a hijacked web address.
Wherein said initiating a request to access said target web address by simulating navigation through a link comprises:
initiating the request to access said target web address by simulating navigation through a link in the search results provided by a search engine.
Wherein said comparing said first web address with said second web address to obtain a comparison result comprises:
comparing the domains in which said first web address and said second web address are located to obtain a comparison result.
Wherein said identifying, according to said comparison result, whether the target web address is a hijacked web address comprises:
if said comparison result is that the domain of said first web address differs from the domain of said second web address, said target web address is a hijacked web address.
Wherein said identifying, according to said comparison result, whether the target web address is a hijacked web address comprises:
if said comparison result is that the domain of said first web address differs from the domain of said second web address, judging whether said second web address appears in a database of known malicious web addresses and, if so, said target web address is a hijacked web address.
A device for identifying a hijacked web address, comprising:
a first web address acquiring unit, for initiating a request to access a target web address by simulating the entry of a uniform resource locator (URL) in the browser address bar, and determining the final accessed web address obtained as a first web address;
a second web address acquiring unit, for initiating a request to access said target web address by simulating navigation through a link, and determining the final accessed web address obtained as a second web address;
a comparing unit, for comparing said first web address with said second web address to obtain a comparison result;
an identification unit, for identifying, according to said comparison result, whether the target web address is a hijacked web address.
Wherein said second web address acquiring unit comprises:
a search engine simulation subunit, for initiating the request to access said target web address by simulating navigation through a link in the search results provided by a search engine.
Wherein said comparing unit comprises:
a domain comparison subunit, for comparing the domains in which said first web address and said second web address are located to obtain a comparison result.
Wherein said identification unit comprises:
a first identification subunit, for determining that said target web address is a hijacked web address if said comparison result is that the domain of said first web address differs from the domain of said second web address.
Wherein said identification unit comprises:
a second identification subunit, for judging, if said comparison result is that the domain of said first web address differs from the domain of said second web address, whether said second web address appears in a database of known malicious web addresses and, if so, determining that said target web address is a hijacked web address.
According to the specific embodiments provided by the invention, the invention discloses the following technical effects:
With the present invention, a request to access the target web address can be initiated by simulating the entry of a uniform resource locator (URL) in the browser address bar, a second request to access said target web address can be initiated by simulating navigation through a link, and the final accessed web addresses obtained can be compared. This reveals any difference between the final accessed web addresses obtained when the target web address is accessed in the two ways, exposes the hijacking behaviour, and makes it possible to effectively identify whether the target web address is a hijacked web address.
Embodiment
The technical schemes in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the invention.
It should first be noted that when an Internet user accesses a web address, whether by entering the uniform resource locator (URL) directly in the browser's address bar or by navigating through a link, what actually happens is that the browser on the local computer sends an HTTP (HyperText Transfer Protocol) request to a server over the Internet. This HTTP request usually includes one or more request headers, some mandatory and some optional, also called header fields, and the request headers carry information about the type of request being made to the server.
For example, the request header Accept-Charset states the character sets that the local computer's browser can accept. The request header User-Agent contains the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on used by the client, so that the server can examine the content of User-Agent and, when responding to a user's request, generate and send different pages according to the hardware and software environment each user is using. The request header Referer contains a URL and tells the server that the request was reached by navigating from that URL, that is, the user came from the page that URL represents to the page currently requested. In today's environment, where websites are closely associated through their business and search engines are used frequently, the Referer request header is used in the requests of most page navigations; it helps the server compile statistics on visit data, among other purposes, and is therefore widely used.
In network security, the contest between hackers on one side and security service providers and computer users on the other has never stopped, and a hacker usually adopts some strategy to disguise and cover up the malicious behaviour so that it is not exposed. Take web address hijacking: one feature of this hacking technique shows up in the following situation that users encounter on the Internet. When the user types the target web address directly in the browser's address bar, the normal target web address opens; when the user opens the target web address by navigating from a search engine's results or from a link on another web page, the final accessed web address that opens is one arranged by the hacker rather than the real target web address. The content presented to the user usually also differs considerably from the target web page and may not be the information the user needs at all.
In practice, when ordinary Internet users need to open a new web address, in most cases they do not enter it directly in the address bar, because the complete web address of most pages a user wants to browse is long and hard to remember, and typing it in full wastes a lot of time. So when users want to open a web address, they often go through a search engine's results or follow a link on another web page. In addition, much of what Internet users open while browsing is opened without a definite purpose: when users find content of interest on the page they are viewing, they usually open it by following a link on that page.
By contrast, people who really care about a particular website, such as its owner or administrator, know its address. When they need to visit it, in most cases they do not go through search engine results or links on other pages but type the target web address directly in the browser's address bar. The final accessed web address they obtain is then the target web address, not a hijacked one, and because of this behaviour these particular visitors find it hard to notice that the web address is being hijacked.
It can be seen that when a web address needs to be accessed, most ordinary users navigate through a link, whereas particular groups such as website owners and administrators usually have no need to follow a link and type the target web address directly in the browser address bar. As a result, this group of users in most cases cannot discover that the web address has been hijacked. It is exactly these browsing habits that give the hacker carrying out the hijacking an opportunity: a hijack with the features described above is effectively concealed.
In the course of realising the present invention, the inventors found the technical reason why browsing a web address typed directly in the browser's address bar and browsing the same web address opened from a search engine's results or from a link on another page can yield different final accessed addresses. While the user is accessing the web address, the hacker carrying out the hijacking intercepts the HTTP request that the browser sends when opening the address, analyses the features of that HTTP request, and then takes different measures according to the result of the analysis, so that the user ends up at different final accessed web addresses and obtains different web pages. This is described in detail below.
When a user initiates an access request to a web address, the browser actually sends an HTTP request to a Web server. The hacker carrying out the hijacking can intercept and analyse this request and handle it differently according to its features. If the target web address in the request comes from the user typing it directly in the browser's address bar, the HTTP request is let through and the target Web server returns the normal page content; the final accessed web address the user obtains is then the normal target web address, and the content shown in the user's browser is the normal page content returned by the target Web server. If the HTTP request was sent by the user's browser after navigating from a search engine's results or from a link on another web page, it is hijacked and redirected to a web address prepared in advance; the final accessed web address the user obtains is then the address preset by the hacker, and the content presented is the content returned by that preset address.
Specifically, when the hacker carrying out the hijacking analyses the intercepted HTTP request addressed to the target Web server, what is analysed is the information contained in the HTTP headers of that request. In particular, the hacker analyses the Referer request header to obtain the URL it contains, that is, to learn from which URL's page the user reached the page currently requested. The hacker can thereby judge whether the current HTTP request was sent by following a link on a particular web page.
By analysing the intercepted HTTP request addressed to the target Web server, the hacker decides, according to the result, whether to let the HTTP request through, so that the target Web server returns the page, or to redirect to the preset web address, so that the preset address returns a page to the user. This is why requests for the same web address initiated in different ways can end at different final accessed web addresses, and why the content reached often differs as well.
Based on the above analysis, an embodiment of the present invention provides a method for identifying a hijacked web address. Referring to Fig. 1, the method comprises the following steps:
S101: initiate a request to access the target web address by simulating the entry of a uniform resource locator (URL) in the browser address bar, and determine the final accessed web address obtained as the first web address;
In the embodiment of the present invention, an HTTP request is first constructed to simulate a request to access the target web address made by entering the URL in the browser address bar. The constructed HTTP request has the features of an HTTP access request initiated in that way. An HTTP access request initiated by entering a URL in the browser address bar does not include a Referer request header, that is, this kind of HTTP request has no Referer header. In addition, the request headers of the constructed HTTP request usually include a User-Agent request header, in which the user's browser information is constructed, for example:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
This example User-Agent request header gives the user's browser type and version, the user's operating system version and similar information.
The headers of the constructed HTTP request can be recognised as those of an HTTP access request for the target web address initiated by entering the URL in the browser address bar. By constructing an HTTP request with the above features, a request to access the target web address made by entering the URL in the browser address bar is simulated; the constructed HTTP request is sent to the target Web server, and the final accessed web address obtained is determined as the first web address.
Because the constructed HTTP request has the features of an HTTP access request initiated by entering the URL in the browser address bar, if a hacker carrying out hijacking intercepts and analyses it, then, according to the hacker's behaviour pattern, the request will be identified as one initiated from the address bar and let through, and the content is returned by the requested target Web server. Therefore, in this step of the embodiment of the present invention, the first web address obtained is the real target web address requested, not a web address set by the hacker carrying out the hijacking.
S102: initiate a request to access said target web address by simulating navigation through a link, and determine the final accessed web address obtained as the second web address;
Besides obtaining the first web address, a second HTTP request must be constructed to simulate a request to access the target web address made by navigating through a link. The constructed HTTP request has the features of an HTTP request initiated in that way. An HTTP request for said target web address initiated by navigating through a link contains a Referer request header. The Referer request header carries a URL, which states that the HTTP request was reached by navigating from that URL, that is, the HTTP request to access the target web address started from the URL contained in the Referer request header. This Referer request header can be recognised as the request header of an HTTP request for the target web address initiated by navigating through a link.
By constructing an HTTP request with the above Referer request header feature, an HTTP request to access the target web address made by navigating through a link is simulated; the constructed HTTP request is sent to the target Web server, and the final accessed web address obtained is determined as the second web address.
Because the constructed HTTP request has the features of an HTTP request initiated by navigating through a link, if a hacker carrying out hijacking intercepts and analyses it, then, according to the hacker's behaviour pattern, the request will be identified as one initiated by navigating through a link and redirected to the preset web address, and the content is returned by the preset web address. Therefore, in the embodiment of the present invention, if the target web address has been hijacked, the second web address obtained with this constructed HTTP request is the web address set by the hacker carrying out the hijacking, not the real target web address requested.
S103: compare said first web address with said second web address to obtain a comparison result;
In a specific implementation, the first web address and the second web address can be compared in several ways. For example, one implementation compares whether the entire first web address is identical to the entire second web address, which gives an exact comparison result.
Alternatively, another way of comparing can be used to obtain the comparison result: comparing the domains in which the first web address and the second web address are located.
A domain, also called a domain name, is one of the schemes for allocating computer addresses on the Internet and corresponds to an IP (Internet Protocol) address. Each computer on the Internet has a unique IP address, expressed as a sequence of numbers, so that other computers can reach it. To make addresses easier to remember, domain names were invented, which identify computers on the Internet with combinations of letters, digits and symbols. A domain is a computer's unique identifier on the Internet; through the domain, the numeric address of a computer on the Internet can be located, which allows the computer to be accessed and computers to communicate with each other. For example, accessing a website actually means accessing the computer on the Internet where the website is located, that is, the Web server: a request is sent to the Web server, and the Web server responds to the request and returns content to the user. A Web server can be accessed by its IP address, but more often its domain name is used, for example www.abc.com.
When a user accesses a target web address, the main process is generally as follows: the client sends an HTTP request to the target Web server, the target Web server receives and responds to the HTTP request, and the target Web server transfers the requested web page file to the client. In this process, the web address the user requests generally has the following form:
www.abc.com/d/e/f.html
The domain name part identifies the location of the target Web server on the network, and the part after it, /d/e/f.html in this example, identifies where the requested file is stored on the target Web server. This is the general form in which a user accesses a target web address, and also the general form of the final accessed web address obtained once the user has received the page returned by the Web server.
Many websites today use dynamic web page technology, so that the Web server can return different content according to the user, the settings, the user's habits and so on, to meet the different needs of different application environments. When different users in different application environments submit an access request, the final accessed web addresses returned by the Web server may differ. In addition, some Web servers detect the application environment of whoever submits the access request and return different pages and final accessed web addresses according to the result. For example, a website may judge the geographical region of the user from the IP address that submitted the access request and then return the web address and content of a page designed for that region. Therefore, even for a web address that has not been hijacked, the first web address and the second web address obtained with the method of the embodiment of the present invention may not be identical, although their domain name parts are the same. For example, the first web address may be www.abc.com/a.html and the second web address may be www.abc.com/b.html, but this difference is not caused by a hacker hijacking the web address. So if whether a web address is hijacked is judged by directly comparing whether the first web address and the second web address are identical, misjudgements may occur.
On the other hand, when a hacker carries out web address hijacking, the final accessed web address that the hacker prepares to replace the one the user requested, which should have been returned by the target Web server, usually has the following feature: the first web address obtained with the method of the embodiment of the present invention not only differs from the second web address, but the two usually differ already in the domain name part. This is because, after hijacking a web address, the hacker can usually generate the replacement final accessed web address and page content only under a domain name that the hacker holds.
In view of these features, the embodiment of the present invention provides the method of comparing the domains in which the first web address and the second web address are located, that is, comparing whether the domain of the first web address is the same as the domain of the second web address to obtain the comparison result. If the comparison result is that the two web addresses are in the same domain, the target web address can be regarded as a normal web address; if the two web addresses are in different domains, this shows that the target web address may have been hijacked. This makes it possible to effectively recognise web addresses whose first and second web addresses differ only because of dynamic web page technology, dynamic Web server responses and similar reasons, and which have not in fact been hijacked by a hacker.
In addition, in practical applications, to further confirm whether the target web address has been hijacked, after finding that the two web addresses are in different domains it is also possible to judge whether the second web address appears in a database of malicious web addresses (for example, a blacklist generated and maintained for network security); if it appears in the blacklist, the target web address is determined to have been hijacked. That is, if a target web address has been hijacked by a hacker, the second web address is supplied by the hacker and is therefore itself a malicious web address, and it may already have been collected into the blacklist by other means. So if the second web address not only lies in a different domain from the first web address but also appears in the blacklist, it is certain that the corresponding target web address has indeed been hijacked by a hacker.
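Steps S101 to S103 and the optional blacklist check, written out in Python as an added example that is not part of the patent text. It assumes the hijack shows up as HTTP-level redirects, compares full host names, and, so that it runs offline, uses a constructed in-memory fetcher with the hypothetical hosts ads.example.net and search.example; http_fetch is the live equivalent.

```python
import http.client
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# User-Agent value taken from the example header in the text above.
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
REDIRECT_CODES = {301, 302, 303, 307, 308}
SEARCH_REFERER = "https://search.example/results?q=abc"  # hypothetical referring page


def build_headers(referer=None):
    """S101 request: no Referer header. S102 request: Referer present."""
    headers = {"User-Agent": USER_AGENT}
    if referer is not None:
        headers["Referer"] = referer
    return headers


def http_fetch(url, headers):
    """Live fetcher: one GET, redirects not followed -> (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def final_url(url, headers, fetch, max_hops=10):
    """Follow redirects hop by hop and return the final accessed web address."""
    for _ in range(max_hops):
        status, location = fetch(url, headers)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
        else:
            return url
    raise RuntimeError("redirect limit exceeded at " + url)


def host_of(url):
    """Domain part of a web address, normalised for comparison."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


@dataclass
class Verdict:
    first: str            # final address, address-bar style request
    second: str           # final address, link-navigation style request
    domains_differ: bool
    hijacked: bool


def check_hijack(target, referer, fetch=http_fetch, blacklist=None):
    """blacklist=None: a domain mismatch alone flags the target.
    blacklist given: the second address must also be listed (by URL or host)."""
    first = final_url(target, build_headers(), fetch)           # S101
    second = final_url(target, build_headers(referer), fetch)   # S102
    differ = host_of(first) != host_of(second)                  # S103
    if blacklist is None:
        hijacked = differ
    else:
        listed = second in blacklist or host_of(second) in blacklist
        hijacked = differ and listed
    return Verdict(first, second, differ, hijacked)


def make_simulated_fetch(hijacked):
    """Constructed stand-in for the network; models the behaviour in the text."""
    def fetch(url, headers):
        parts = urlsplit(url)
        if parts.hostname == "www.abc.com":
            if hijacked and "Referer" in headers:
                return 302, "http://ads.example.net/landing"  # other domain
            if parts.path in ("", "/"):
                return 302, "/d/e/f.html"  # benign same-domain redirect
        return 200, None
    return fetch


if __name__ == "__main__":
    for state in (False, True):
        print(check_hijack("http://www.abc.com/", SEARCH_REFERER,
                           make_simulated_fetch(state)))
```
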
In short, with the embodiment of the present invention, a request to access the target web address can be initiated by simulating the entry of a uniform resource locator (URL) in the browser address bar, a second request to access said target web address can be initiated by simulating navigation through a link, and the final accessed web addresses obtained can be compared. This reveals any difference between the final accessed web addresses obtained when the target web address is accessed in the two ways, exposes the hijacking behaviour, and makes it possible to effectively identify whether the target web address is a hijacked web address.
Corresponding to the method for identifying a hijacked web address provided by the embodiment of the present invention, the embodiment of the present invention also provides a device for identifying a hijacked web address. Referring to Fig. 2, the device may comprise:
a first web address acquiring unit 201, for initiating a request to access a target web address by simulating the entry of a uniform resource locator (URL) in the browser address bar, and determining the final accessed web address obtained as a first web address;
a second web address acquiring unit 202, for initiating a request to access said target web address by simulating navigation through a link, and determining the final accessed web address obtained as a second web address;
a comparing unit 203, for comparing said first web address with said second web address to obtain a comparison result;
an identification unit 204, for identifying, according to said comparison result, whether the target web address is a hijacked web address.
In a specific implementation, the second web address acquiring unit 202 may comprise:
a search engine simulation subunit, for initiating the request to access said target web address by simulating navigation through a link in the search results provided by a search engine.
Wherein the comparing unit 203 may comprise:
a domain comparison subunit, for comparing the domains in which said first web address and said second web address are located to obtain a comparison result.
Accordingly, the identification unit 204 may comprise:
a first identification subunit, for determining that said target web address is a hijacked web address if said comparison result is that the domain of said first web address differs from the domain of said second web address.
Alternatively, the identification unit 204 may comprise:
a second identification subunit, for judging, if said comparison result is that the domain of said first web address differs from the domain of said second web address, whether said second web address appears in a database of known malicious web addresses and, if so, determining that said target web address is a hijacked web address.
With the device provided by the embodiment of the present invention, a request to access the target web address can be initiated by simulating the entry of a uniform resource locator (URL) in the browser address bar, a second request to access said target web address can be initiated by simulating navigation through a link, and the final accessed web addresses obtained can be compared. This reveals any difference between the final accessed web addresses obtained when the target web address is accessed in the two ways, exposes the hijacking behaviour, and makes it possible to effectively identify whether the target web address is a hijacked web address.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical scheme of the present invention in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention or in certain parts of an embodiment.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the device or system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments. The device and system embodiments described above are only schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The method and device for identifying a hijacked web address provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application in accordance with the idea of the present invention. In summary, the content of this description should not be construed as limiting the present invention.