CN102611691A - Method, system and gateway device for detecting phishing websites - Google Patents
Method, system and gateway device for detecting phishing websites Download PDFInfo
- Publication number
- CN102611691A CN102611691A CN2012100086234A CN201210008623A CN102611691A CN 102611691 A CN102611691 A CN 102611691A CN 2012100086234 A CN2012100086234 A CN 2012100086234A CN 201210008623 A CN201210008623 A CN 201210008623A CN 102611691 A CN102611691 A CN 102611691A
- Authority
- CN
- China
- Prior art keywords
- similar
- domain name
- website
- character
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses a method for detecting phishing websites, which comprises the following steps: setting a website required to be protected; replacing corresponding characters in a domain name of the website with similar characters, wherein, a new similar domain name is formed through each replacement; carrying out matching on a domain name for accessing and a similar domain name by the gateway device so as to obtain a first similar value N of the two; comparing the first similar value N with a first preset value N1, if N is greater than N1, carrying out further direction, otherwise, ending the detection; respectively calculating the global features of an accessed page and the page of the website required to be protected, obtaining a second similar value N' through a similarity algorithm, comparing the second similar value N' with a second preset value N2, when N' is greater than N2, making an alarm; otherwise, ending the detection. The invention also discloses a system and a gateway device for detecting phishing websites. The method, system and gateway device for detecting phishing websites disclosed by the invention are accurate in detection, strong in pertinence, and good in protective effect.
Description
Technical field
The present invention relates to the cyber-defence technology, more particularly, relate to a kind of method, system and gateway device that is used to detect fishing website.
Background technology
Fishing website typically refers to disguise oneself as website of bank or e-commerce website, to steal the illegal website of private informations such as Bank Account Number that the user submits to, password.Some disabled users produce the fishing website that some are mixed the spurious with the genuine through puppet, and lure the victim to operate according to its intention, thereby obtain user's private information, thereby reach the purpose of obtaining user benefit.Be accompanied by the popular of shopping at network in recent years, it is more and more frequent that the phishing incident also becomes in the networking, brought great loss to the masses.Simultaneously, development of internet technology also makes fishing website that new variation has taken place, and often has bigger fascination, has brought great challenge to traditional detection method.
Traditional anti-phishing web technology mainly adopts " blacklist technology ", and the blacklist technology is through in fishing site record to an address list that all are had been found that, whether the website visited of judges is fishing website in view of the above.The blacklist technology realizes simple, but its problem is to accomplish the very difficulty that upgrades in time to blacklist; New fishing website life cycle is very short, and can so the hysteresis quality of blacklist technology is also more and more obvious, be difficult to obtain the protection effect of expection at section emerge in multitude sometime.Therefore, need the testing that a kind of new method can more efficiently completion fishing website.
Summary of the invention
The technical problem that the present invention will solve is, to defective of the prior art, a kind of method, system and gateway device that accurate, with strong points and good being used to of protection effect detects fishing website that detect is provided.
The technical solution adopted for the present invention to solve the technical problems is: a kind of method that is used to detect fishing website is provided, may further comprise the steps:
The website that S1, setting need protection, and store the domain name of the website that needs protection and the global characteristics of the page;
S2, according to the character similitude that is stored in the rule base regulation in the gateway device, utilize corresponding character in the domain name of the said website that needs protection of similar character replacement; Replacement each time all forms a new similar domain name, and deposits said similar domain name in database;
S3, gateway device obtain user access request and are transmitted to web page server, are provided with the domain name that is used to visit in the said user access request; Said gateway device matees said domain name that is used to visit and said similar domain name through the similitude matching algorithm, draw both first similar value N; The said first similar value N and the first preset value N1 are compared, if N>N1 then further detects, otherwise direct detection of end;
S4, calculate by the global characteristics of the page of the global characteristics of accession page and the website that needs protection respectively; Draw the second similar value N ' through the similitude algorithm; The said second similar value N ' and the second preset value N2 are compared, work as N '>N2, send warning to client; Otherwise direct detection of end.
In the method that is used for detecting fishing website of the present invention, said step S2 also according to the font similitude or the Semantic Similarity of character, produces similar character, and all said similar characters are deposited in the said rule base; Said character similitude comprises said font similitude and Semantic Similarity.
In the method that is used for detecting fishing website of the present invention; Among the said step S3 the said domain name that is used for visiting is mated with all corresponding said similar domain names of database respectively; The a plurality of first similar value N that draw are compared with the first preset value N1 respectively; As long as any one first similar value N greater than the first preset value N1, then further detects.
In the method that is used for detecting fishing website of the present invention; Among the said step S3 the said domain name that is used for visiting is mated with all said similar domain names of database respectively; Draw a plurality of first similar value N and ask for maximum; If said maximum greater than said first preset value, then further detects.
In the method that is used for detecting fishing website of the present invention, the global characteristics of the said page comprises the text feature of webpage, picture feature and global image characteristic.
The present invention also provides a kind of gateway device, comprising:
Memory cell is used to store the domain name of the website that needs protection and the global characteristics of webpage, is used for storage rule storehouse and database; Said page global characteristics comprises text feature, picture feature and the global image characteristic of webpage;
The domain name processing unit is used for the character similitude according to said rule base regulation, utilizes corresponding character in the domain name of the said website that needs protection of similar character replacement; Replacement each time all forms a new similar domain name, and deposits said similar domain name in database;
Retransmission unit is used to obtain the user access request of client, and is transmitted to web page server, is provided with the domain name that is used to visit in the said user access request;
Detecting unit is used for the said domain name that is used to visit mated through the similitude matching algorithm with said similar domain name and draws the first similar value N, as the first similar value N during, further detects greater than the first preset value N1, otherwise direct detection of end; Said detecting unit also is used in said first similar value during greater than said first preset value; Calculate respectively by the global characteristics of the global characteristics of accession page with the page of the website that needs protection; Draw the second similar value N ' through the similitude algorithm, and compare the size of the second similar value N ' and the second preset value N2;
Alarm unit is used for sending warning as the second similar value N ' during greater than second preset value to client.
In gateway device of the present invention; Said gateway device also comprises the character processing unit; Said character processing unit is used for font similitude or the Semantic Similarity according to character, produces similar character, and all said similar characters are deposited in the said rule base; Said character similitude comprises said font similitude and Semantic Similarity.
In gateway device of the present invention; Said detecting unit also is used for the said domain name that is used to visit is mated with all said similar domain names of database respectively; The a plurality of first similar value N that draw are compared with the first preset value N1 respectively; As long as any one first similar value N greater than the first preset value N1, then further detects.
In gateway device of the present invention; Said detecting unit also is used for the said domain name that is used to visit is mated with all said similar domain names of database respectively; Draw a plurality of first similar value N and ask for maximum; If said maximum greater than said first preset value, then further detects.
The present invention also provides a kind of system that is used to detect fishing website that comprises above-mentioned gateway device, and the said system that is used to detect fishing website also comprises client and web page server;
Said client is used to send user access request; Said client comprises the unit is set that the said unit that is provided with is used to be provided with the website that needs protection, and deposits the domain name of the said website that needs protection and the global characteristics of the page in memory cell;
Said web page server is used to handle said user access request.
Method, system and the gateway device that is used to detect fishing website of the present invention has following beneficial effect: method, system and the gateway device that is used to detect fishing website of the present invention generates the corresponding similar domain name of domain name of the said website that needs protection according to the character similitude; The similitude of more similar domain name and the domain name that is used to visit; If it is closely similar; Then relatively by the global characteristics of access websites with the website that needs protection; Both are also closely similar, are that the risk of fishing website is very high by access websites then, send warning to client.Method of the present invention, system and gateway device are provided with similar domain name to the website that needs protection automatically when detecting fishing website, with strong points and needn't collect all blacklists blindly, and be with strong points; And similar domain name is set according to the character similitude, and also obtaining through such modification of fishing website domain name often also can further be detected the global characteristics of webpage simultaneously after the domain name similitude detects, and testing result is more accurate, and protection effect is good.
Description of drawings
To combine accompanying drawing and embodiment that the present invention is described further below, in the accompanying drawing:
Fig. 1 is a kind of according to an embodiment of the invention flow chart that is used to detect the method for fishing website;
Fig. 2 is the theory diagram of gateway device according to an embodiment of the invention;
Fig. 3 is a kind of according to an embodiment of the invention theory diagram that is used to detect the system of fishing website.
Embodiment
In order to make the object of the invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with accompanying drawing and embodiment.Should be appreciated that specific embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
Fig. 1 is a kind of according to an embodiment of the invention flow chart that is used to detect the method for fishing website.With reference to figure 1, can know that this method may further comprise the steps:
Among the step S1, the website that needs protection is set, and stores the domain name of the website that needs protection and the global characteristics of the page; Be to accomplish as this step 1 in client 1; Because the website that needs protection generally all is website of bank or some e-commerce websites; And the website that often also to be fishing website often go forges, these websites, so this method detects at fishing website and has more specific aim in the protection; And these websites are with respect to collecting known fishing website, and quantity is few, collect easily and can not produce hysteresis.Simultaneously the domain name of the website that needs protection and the global characteristics of the page are stored in this step, to be used for follow-up detection fishing website.
Among the step S2,, utilize corresponding character in the domain name of the website that similar character replacement needs protection according to the character similitude that is stored in the rule bases regulation in the gateway device 2; Replacement each time all forms a new similar domain name, and should similar domain name deposit database in; Rule base is pre-configured in the present embodiment, before this method is implemented, has defined its corresponding similar character of corresponding character similitude and each character in advance.Also there is embodiment direct similar character of definition or increase the rule etc. of character similitude in testing process in the present invention in addition, and this embodiment produces similar character according to font similitude or Semantic Similarity, and all similar characters are deposited in the rule base; It is understandable that wherein the character similitude comprises font similitude and Semantic Similarity.Character similitude of the present invention all can obtain through following method: according to the similar summary character of the font similitude rule of summing up letter or number; English alphabet " l " such as small letter is similar with Arabic numerals " 1 ", and the English alphabet of capitalization " O " is similar with Arabic numerals " 0 " etc.; The similitude of the semanteme of with good grounds statement is summed up character similitude rule again, such as, the mother tongue justice of can prescribed level writing is identical, does not belong to similar character, and perhaps the similar similar character etc. that belongs to of dot matrix that shows of character is listed here no longer one by one.
Domain name with the website that needs protection of storing among the step S1 in this step is a foundation; Utilize similar character that corresponding characters in the domain name of the website that needs protection is replaced; Its corresponding one or more characters of each replacement similar character replacement capable of using; Also can utilize a plurality of similar characters to replace its corresponding characters respectively; Each replacement produces a new similar domain name, and this domain name is deposited in the database, with the similar domain name of guaranteeing to generate all possible similar domain name and not generating repetition.And the similar domain name that generates also should be the heuristic coupling of supporting such as regular expression.
Among the step S3, gateway device 2 obtains user access request and is transmitted to web page server 3, is provided with the domain name that is used to visit in the user access request; Domain name that gateway device 2 will be used to visit and similar domain name are mated through the similitude matching algorithm, draw both first similar value N; The first similar value N and the first preset value N1 are compared, if N>N1 then further detects, otherwise direct detection of end; In the present embodiment; Gateway device 2 obtains the domain name that is used to visit from client 1; The domain name that will be used to visit is mated through the similitude matching algorithm with similar domain name; The first similar value N that obtains is quantity and the shared ratio thereof that can reflect kinds of characters in two domain names in fact; Wherein the first preset value N1 is provided with in advance, also can regulate its concrete numerical value according to actual needs simultaneously; The size that directly compares N and N1 is if N, explains then that the domain name that is used for visiting is closely similar with the similar domain name that is stored in database greater than N1; The website of being visited very likely is a fishing website, but the accuracy in order to detect, can be in the present embodiment to its further detection; If N is not more than N1; Then the explanation domain name that is used to visit is that the possibility of domain name of fishing website is very little, can get rid of it and be possible of fishing website, and direct detection of end is just passable; Should be understood that if the domain name that is used to visit is the domain name of the website that needs protection, its first similar value N is not more than the first preset value N1 certainly, belongs to the category of non-fishing website, directly detection of end.
Because the quantity of similar domain name is more; The calculating of first similar value reaches and the comparison of first preset value possibly comprise numerous embodiments; Wherein a kind of execution mode is that the domain name that is used for visiting is mated with all corresponding similar domain names of database respectively; Any one first similar value N a plurality of first similar value N that draw compared with the first preset value N1 respectively, as long as greater than the first preset value N1, can further detect; Another kind of execution mode is that the domain name that is used for visiting is mated with all corresponding similar domain names of database respectively, draws a plurality of first similar value N and asks for maximum, if maximum greater than the first preset value N1, then further detects.It is understandable that step S3 has more than and is limited to above two kinds of execution modes.
Among the step S4; Calculate respectively by the global characteristics of the global characteristics of accession page, draw the second similar value N ', the said second similar value N ' and the second preset value N2 are compared through the similitude algorithm with the page of the website that needs protection; Work as N '>N2, send warning to client 1; Otherwise direct detection of end.Step S4 promptly is the further detection of carrying out during greater than the first preset value N1 as the first similar value N that calculates among the step S3.The global characteristics of the page comprises text feature, picture feature and the global image characteristic of webpage.Wherein text feature mainly comprises content, font size, font name and the information such as position in webpage of corresponding text, and picture feature mainly comprises src attribute (the scr attribute is meant that the red look of picture is worth frequently), picture area, picture color and the position in webpage thereof of corresponding picture; The global image characteristic of webpage is meant the information through pixel in the final display result of webpage, as has the number of different colours pixel, the coordinate information of some character pixel etc.Local feature in comprehensive above-mentioned each classification of the global characteristics of webpage, in addition corresponding weights is formed.
After obtaining its global characteristics, calculate the similarity of global characteristics of the webpage of itself and claimed website, calculate the second similar value N ', wherein the second preset value N2 is provided with in advance, also can regulate its concrete numerical value according to actual needs simultaneously; The size that directly compares N ' and N2 is if N ', explains then that the website of being visited and its both page of the website that needs protection are closely similar greater than N2; The quilt similar domain name with at least one of its domain name of website of visiting that it should be noted that this moment is very approaching, very possibly be exactly fishing website; And the website that fishing website disguises oneself as and needs protection; Be bound to design the page similar,, need to remind the user so this moment, the website visited was that the possibility of fishing website is very high with the website that needs protection; Gateway device 2 will send to client 1 and report to the police; Such as on webpage, informing the user, this website of being visited very likely is a fishing website, and the suggestion user carefully discerns; If N ' is not more than N2, the website of then being visited possibly be irrelevant website fully, can think safely, and it is that the risk of fishing website is less, and directly detection of end gets final product.Also can compare the local feature (being a part of characteristic of global characteristics) of webpage among the step S4 in fact, but can reduce its accuracy, avoid the possibility of taking a part for the whole.
The present invention is provided with similar domain name to the website that needs protection automatically when detecting fishing website, with strong points and needn't collect all blacklists blindly, and is with strong points; And similar domain name is set according to the character similitude, and also obtaining through such modification of fishing website domain name often also can further be detected the global characteristics of webpage simultaneously after the domain name similitude detects, and testing result is more accurate, and protection effect is good.
Fig. 2 is the theory diagram of gateway device according to an embodiment of the invention.Gateway device 2 comprises memory cell 201, domain name processing unit 205, retransmission unit 203, detecting unit 202 and alarm unit 204.
Memory cell 201 is used to store the domain name of the website that needs protection and the global characteristics of webpage, also is used for storage rule storehouse and database; Page global characteristics comprises text feature, picture feature and the global image characteristic of webpage; Wherein text feature mainly comprises content, font size, font name and the information such as position in webpage of corresponding text, and picture feature mainly comprises src attribute (the scr attribute is meant that the red look of picture is worth frequently), picture area, picture color and the position in webpage thereof of corresponding picture; The global image characteristic of webpage is meant the information through pixel in the final display result of webpage, as has the number of different colours pixel, the coordinate information of some character pixel etc.Local feature in comprehensive above-mentioned each classification of the global characteristics of webpage, in addition corresponding weights is formed.
Domain name processing unit 205 is used for the character similitude according to the rule base regulation, utilizes corresponding character in the similar character replacement protection domain name; Replacement each time all forms a new similar domain name, and deposits similar domain name in database;
Retransmission unit 203 is used to obtain the user access request of client 1, and is transmitted to web page server 3, is provided with the domain name that is used to visit in the user access request;
Detecting unit 202 is used for the domain name that visit mated through the similitude matching algorithm with similar domain name and draws the first similar value N, as the first similar value N during, further detects greater than the first preset value N1, otherwise direct detection of end; Detecting unit 202 also is used in said first similar value during greater than said first preset value; Calculate respectively by the global characteristics of the global characteristics of accession page with the page of the website that needs protection; Draw the second similar value N ' through the similitude algorithm, and compare the size of the second similar value N ' and the second preset value N2;
Alarm unit 204 is used for sending warning as the second similar value N ' during greater than second preset value to client 1.
The gateway device 2 of the foregoing description; The domain name that is used to visit through coupling and what generate automatically possibly be the similar domain name of the domain name of fishing website; Whether the website that Preliminary detection is visited is fishing website; Through relatively itself and the similarity of the global characteristics of the page of the website that needs protection, further judge; How to have guaranteed its accuracy from detection, and just to the specific website that needs protection, rather than collect blacklist blindly, have more specific aim.
Gateway device 2 also comprises character processing unit 206, and character processing unit 206 is used for font similitude or the Semantic Similarity according to character, produces similar character, and all corresponding similar characters are deposited in the rule base; The character similitude comprises said font similitude and Semantic Similarity.Except the preset rule base of gateway device 2, can also more increase its flexibility through the direct rule of the similar character of definition or increase character similitude etc. before detecting.
Detecting unit 202 also is used for the domain name that visit is mated with all corresponding similar domain names of database respectively in one embodiment of the present of invention; The a plurality of first similar value N that draw are compared with the first preset value N1 respectively; As long as any one first similar value N greater than the first preset value N1, then further detects.Detecting unit 202 also is used for the domain name that visit is mated with all similar domain names of database respectively in the another embodiment of the present invention; Draw a plurality of first similar value N and ask for maximum; If maximum greater than first preset value, then further detects.It is understandable that this detection has more than and is limited to above two kinds of execution modes.
Concrete workflow about gateway device 2 can repeat no more referring to the description of Fig. 1 here.
Fig. 3 is a kind of according to an embodiment of the invention theory diagram that is used to detect the system of fishing website.This system comprises client 1, web page server 3 and gateway device 2.
Client 1 is sent user access request to web page server 3; Client 1 comprises unit 101 is set, and unit 101 is set in client 1 website that needs protection is set, and deposit the global characteristics of the corresponding domain name and the page in memory cell 201 automatically;
Gateway device 2 obtains the user access request of client 1, and is transmitted to web page server 3.The gateway device 2 of an embodiment comprises memory cell 201, domain name processing unit 205, retransmission unit 203, detecting unit 202 and alarm unit 204.Memory cell 201 is used to store the domain name of the website that needs protection and the global characteristics of webpage, also is used for storage rule storehouse and database; Page global characteristics comprises text feature, picture feature and the global image characteristic of webpage; Local feature in comprehensive above-mentioned each classification of the global characteristics of webpage, in addition corresponding weights is formed.Domain name processing unit 205 is used for the character similitude according to rule base regulation, utilizes corresponding character in the domain name of the website that similar character replacement needs protection; Replacement each time all forms a new similar domain name, and deposits similar domain name in database; Retransmission unit 203 is used to obtain the user access request of client 1, and is transmitted to web page server 3, is provided with the domain name that is used to visit in the user access request; Detecting unit 202 is used for the domain name that visit mated through the similitude matching algorithm with similar domain name and draws the first similar value N, as the first similar value N during, further detects greater than the first preset value N1, otherwise direct detection of end; Detecting unit 202 also is used in said first similar value during greater than said first preset value; Calculate respectively by the global characteristics of the global characteristics of accession page with the page of the website that needs protection; Draw the second similar value N ' through the similitude algorithm, and compare the size of the second similar value N ' and the second preset value N2; Alarm unit 204 is used for sending warning as the second similar value N ' during greater than second preset value to client 1.
Gateway device 2 also comprises character processing unit 206, and character processing unit 206 is used for font similitude or the Semantic Similarity according to character, produces similar character, and all corresponding similar characters are deposited in the rule base; The character similitude comprises said font similitude and Semantic Similarity.Except the preset rule base of gateway device 2, can also more increase its flexibility through the direct rule of the similar character of definition or increase character similitude etc. before detecting.
Detecting unit 202 also is used for the domain name that visit is mated with all corresponding similar domain names of database respectively in one embodiment of the present of invention; The a plurality of first similar value N that draw are compared with the first preset value N1 respectively; As long as any one first similar value N greater than the first preset value N1, then further detects.Detecting unit 202 also is used for the domain name that visit is mated with all similar domain names of database respectively in the another embodiment of the present invention; Draw a plurality of first similar value N and ask for maximum; If maximum greater than first preset value, then further detects.It is understandable that this detection has more than and is limited to above two kinds of execution modes.
The domain name that the present invention is used to visit through coupling and what generate automatically possibly be the similar domain name of the domain name of fishing website; Whether the website that Preliminary detection is visited is fishing website; Through relatively itself and the similarity of the global characteristics of the page of the website that needs protection, further judge; How to have guaranteed its accuracy from detection, and just to the specific website that needs protection, rather than collect blacklist blindly, have more specific aim.Except the preset rule base of gateway device 2, can also more increase its flexibility through the direct rule of the similar character of definition or increase character similitude etc. before detecting.The present invention is through to being detected by the domain name of the website visited and the global characteristics of the page, and whether in time detect is fishing website, the user is reminded import private information further such as payment cipher the user before, has guaranteed user's property safety.
Detailed content about system can repeat no more referring to the description of Fig. 1-2 here.
Though the present invention describes through specific embodiment, it will be appreciated by those skilled in the art that, without departing from the present invention, can also carry out various conversion and be equal to alternative the present invention.In addition, to particular condition or material, can make various modifications to the present invention, and not depart from the scope of the present invention.Therefore, the present invention is not limited to disclosed specific embodiment, and should comprise the whole execution modes that fall in the claim scope of the present invention.
Claims (10)
1. a method that is used to detect fishing website is characterized in that, may further comprise the steps:
The website that S1, setting need protection, and store the domain name of the website that needs protection and the global characteristics of the page;
S2, according to the character similitude that is stored in the rule base regulation in the gateway device, utilize corresponding character in the domain name of the said website that needs protection of similar character replacement; Replacement each time all forms a new similar domain name, and deposits said similar domain name in database;
S3, said gateway device obtain user access request and are transmitted to web page server, are provided with the domain name that is used to visit in the said user access request; Said gateway device matees said domain name that is used to visit and said similar domain name through the similitude matching algorithm, draw both first similar value N; The said first similar value N and the first preset value N1 are compared, if N N1, then further detect, otherwise direct detection of end;
S4, calculate by the global characteristics of the page of the global characteristics of accession page and the website that needs protection respectively; Draw the second similar value N ' through the similitude algorithm; The said second similar value N ' and the second preset value N2 are compared, work as N ' N2, send warning to client; Otherwise direct detection of end.
2. the method that is used to detect fishing website according to claim 1 is characterized in that, said step S2 also according to the font similitude or the Semantic Similarity of character, produces similar character, and all said similar characters are deposited in the said rule base; Said character similitude comprises said font similitude and Semantic Similarity.
3. the method that is used to detect fishing website according to claim 1; It is characterized in that; Among the said step S3 the said domain name that is used for visiting is mated with all corresponding said similar domain names of database respectively; The a plurality of first similar value N that draw are compared with the first preset value N1 respectively, as long as any one first similar value N greater than the first preset value N1, then further detects.
4. the method that is used to detect fishing website according to claim 1; It is characterized in that; Among the said step S3 the said domain name that is used for visiting is mated with all said similar domain names of database respectively; Draw a plurality of first similar value N and ask for maximum, if said maximum greater than said first preset value, then further detects.
5. according to any described method that is used to detect fishing website of claim 1~4, it is characterized in that the global characteristics of the said page comprises the text feature of webpage, picture feature and global image characteristic.
6. a gateway device is characterized in that, comprising:
Memory cell is used to store domain name and the global characteristics of webpage of the website that needs protection of the website that needs protection, and is used for storage rule storehouse and database; Said page global characteristics comprises text feature, picture feature and the global image characteristic of webpage;
The domain name processing unit is used for the character similitude according to said rule base regulation, utilizes corresponding character in the domain name of the said website that needs protection of similar character replacement; Replacement each time all forms a new similar domain name, and deposits said similar domain name in database;
Retransmission unit is used to obtain the user access request of client, and is transmitted to web page server, is provided with the domain name that is used to visit in the said user access request;
Detecting unit is used for the said domain name that is used to visit mated through the similitude matching algorithm with said similar domain name and draws the first similar value N, as the first similar value N during, further detects greater than the first preset value N1, otherwise direct detection of end; Said detecting unit also is used in said first similar value during greater than said first preset value; Calculate respectively by the global characteristics of the global characteristics of accession page with the page of the website that needs protection; Draw the second similar value N ' through the similitude algorithm, and compare the size of the second similar value N ' and the second preset value N2;
Alarm unit is used for sending warning as the second similar value N ' during greater than second preset value to client.
7. gateway device according to claim 6; It is characterized in that said gateway device also comprises the character processing unit, said character processing unit is used for font similitude or the Semantic Similarity according to character; Produce similar character, and all said similar characters are deposited in the said rule base; Said character similitude comprises said font similitude and Semantic Similarity.
8. gateway device according to claim 7; It is characterized in that; Said detecting unit also is used for the said domain name that is used to visit is mated with all said similar domain names of database respectively; The a plurality of first similar value N that draw are compared with the first preset value N1 respectively, as long as any one first similar value N greater than the first preset value N1, then further detects.
9. gateway device according to claim 7; It is characterized in that; Said detecting unit also is used for the said domain name that is used to visit is mated with all said similar domain names of database respectively; Draw a plurality of first similar value N and ask for maximum, if said maximum greater than said first preset value, then further detects.
10. a system that is used to detect fishing website that comprises any described gateway device of claim 6-9 is characterized in that, the said system that is used to detect fishing website also comprises client and web page server;
Said client is used to send user access request; Said client comprises the unit is set that the said unit that is provided with is used to be provided with the website that needs protection, and deposits the domain name of the said website that needs protection and the global characteristics of the page in memory cell;
Said web page server is used to handle said user access request.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210008623.4A CN102611691B (en) | 2012-01-12 | 2012-01-12 | Method, system and gateway device for detecting phishing websites |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210008623.4A CN102611691B (en) | 2012-01-12 | 2012-01-12 | Method, system and gateway device for detecting phishing websites |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102611691A true CN102611691A (en) | 2012-07-25 |
| CN102611691B CN102611691B (en) | 2015-06-03 |
Family
ID=46528847
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210008623.4A Active CN102611691B (en) | 2012-01-12 | 2012-01-12 | Method, system and gateway device for detecting phishing websites |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102611691B (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049483A (en) * | 2012-11-30 | 2013-04-17 | 北京奇虎科技有限公司 | System for recognizing web page dangerousness |
| CN103209177A (en) * | 2013-03-13 | 2013-07-17 | 深信服网络科技(深圳)有限公司 | Detection method and device for network phishing attacks |
| CN105471807A (en) * | 2014-05-28 | 2016-04-06 | 腾讯科技(深圳)有限公司 | Network access security detecting method and network access security detecting system based on barcode information |
| CN106850500A (en) * | 2015-12-03 | 2017-06-13 | 中国移动通信集团公司 | Fishing website processing method and processing device |
| CN108270754A (en) * | 2017-01-03 | 2018-07-10 | 中国移动通信有限公司研究院 | A kind of detection method and device of fishing website |
| CN111224923A (en) * | 2018-11-26 | 2020-06-02 | 阿里巴巴集团控股有限公司 | Detection method, device and system for counterfeit websites |
| CN113507485A (en) * | 2021-08-12 | 2021-10-15 | 河北民族师范学院 | Cloud security access system and method |
| CN113630399A (en) * | 2021-07-28 | 2021-11-09 | 上海纽盾网安科技有限公司 | Anti-phishing method, device and system based on gateway |
| CN113923193A (en) * | 2021-10-27 | 2022-01-11 | 北京知道创宇信息技术股份有限公司 | Network domain name association method, device, storage medium and electronic equipment |
| CN114710468A (en) * | 2022-03-31 | 2022-07-05 | 绿盟科技集团股份有限公司 | Domain name generation and identification method, device, equipment and medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1728655A (en) * | 2004-11-25 | 2006-02-01 | 刘文印 | Method and system for detecting and discriminating counterfeit web page |
| CN1952947A (en) * | 2005-10-17 | 2007-04-25 | 左其其 | A system and method for web site against clone |
-
2012
- 2012-01-12 CN CN201210008623.4A patent/CN102611691B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1728655A (en) * | 2004-11-25 | 2006-02-01 | 刘文印 | Method and system for detecting and discriminating counterfeit web page |
| CN1952947A (en) * | 2005-10-17 | 2007-04-25 | 左其其 | A system and method for web site against clone |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049483B (en) * | 2012-11-30 | 2016-04-20 | 北京奇虎科技有限公司 | The recognition system of webpage danger |
| CN103049483A (en) * | 2012-11-30 | 2013-04-17 | 北京奇虎科技有限公司 | System for recognizing web page dangerousness |
| CN103209177A (en) * | 2013-03-13 | 2013-07-17 | 深信服网络科技(深圳)有限公司 | Detection method and device for network phishing attacks |
| CN103209177B (en) * | 2013-03-13 | 2016-08-03 | 深信服网络科技(深圳)有限公司 | The detection method of phishing attacks and device |
| CN105471807A (en) * | 2014-05-28 | 2016-04-06 | 腾讯科技(深圳)有限公司 | Network access security detecting method and network access security detecting system based on barcode information |
| CN105471807B (en) * | 2014-05-28 | 2019-05-24 | 腾讯科技(深圳)有限公司 | Network-access security detection method and system based on bar code information |
| CN106850500A (en) * | 2015-12-03 | 2017-06-13 | 中国移动通信集团公司 | Fishing website processing method and processing device |
| CN108270754B (en) * | 2017-01-03 | 2021-08-06 | 中国移动通信有限公司研究院 | Detection method and device for phishing website |
| CN108270754A (en) * | 2017-01-03 | 2018-07-10 | 中国移动通信有限公司研究院 | A kind of detection method and device of fishing website |
| CN111224923A (en) * | 2018-11-26 | 2020-06-02 | 阿里巴巴集团控股有限公司 | Detection method, device and system for counterfeit websites |
| CN111224923B (en) * | 2018-11-26 | 2022-07-22 | 阿里巴巴集团控股有限公司 | Detection method, device and system for counterfeit websites |
| CN113630399A (en) * | 2021-07-28 | 2021-11-09 | 上海纽盾网安科技有限公司 | Anti-phishing method, device and system based on gateway |
| CN113507485A (en) * | 2021-08-12 | 2021-10-15 | 河北民族师范学院 | Cloud security access system and method |
| CN113507485B (en) * | 2021-08-12 | 2022-07-29 | 河北民族师范学院 | Cloud security access system and method |
| CN113923193A (en) * | 2021-10-27 | 2022-01-11 | 北京知道创宇信息技术股份有限公司 | Network domain name association method, device, storage medium and electronic equipment |
| CN113923193B (en) * | 2021-10-27 | 2023-11-28 | 北京知道创宇信息技术股份有限公司 | Network domain name association method and device, storage medium and electronic equipment |
| CN114710468A (en) * | 2022-03-31 | 2022-07-05 | 绿盟科技集团股份有限公司 | Domain name generation and identification method, device, equipment and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102611691B (en) | 2015-06-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102611691A (en) | Method, system and gateway device for detecting phishing websites | |
| US10142351B1 (en) | Retrieving contact information based on image recognition searches | |
| CN106789939B (en) | A kind of detection method for phishing site and device | |
| US9317777B2 (en) | Analyzing font similarity for presentation | |
| CN105786807B (en) | Exhibition information pushing method, equipment and system | |
| US9471714B2 (en) | Method for increasing the security level of a user device that is searching and browsing web pages on the internet | |
| CN104184832B (en) | Data submission method and device in network application | |
| CN107943949B (en) | Method and server for determining web crawler | |
| JP2015521413A5 (en) | ||
| KR20150067758A (en) | Improving user engagement in a social network using indications of acknowledgement | |
| CN104065632A (en) | Shared-content processing method, server, client and system | |
| CN106790085B (en) | Vulnerability scanning method, device and system | |
| CN106658568A (en) | Method and device for providing information of available wireless access point | |
| CN108134760A (en) | Website monitoring data acquisition methods and device | |
| CN101739412A (en) | Web page safety evaluating device and web page safety evaluating method for intelligent card | |
| CN108173814A (en) | Detection method for phishing site, terminal device and storage medium | |
| CN109190412A (en) | The detection method and device of webpage tamper | |
| CN105490913B (en) | Instant message processing method and device | |
| CN104125130B (en) | A kind of safety prompt function method, device and communication system | |
| US9332031B1 (en) | Categorizing accounts based on associated images | |
| CN109101577A (en) | A kind of data circulation method, apparatus and system | |
| US10652276B1 (en) | System and method for distinguishing authentic and malicious electronic messages | |
| WO2016180229A1 (en) | Terminal data processing method and device | |
| CN105550317B (en) | Method and device for displaying news through news list | |
| US10158659B1 (en) | Phony profiles detector |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20200624 Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer Patentee after: SANGFOR TECHNOLOGIES Inc. Address before: 518000 Nanshan Science and Technology Pioneering service center, No. 1 Qilin Road, Guangdong, Shenzhen 418, 419, Patentee before: Shenxin network technology (Shenzhen) Co.,Ltd. |