CN102891861B - Client-based phishing website detection method and device - Google Patents
Client-based phishing website detection method and device Download PDFInfo
- Publication number
- CN102891861B CN102891861B CN201210422629.6A CN201210422629A CN102891861B CN 102891861 B CN102891861 B CN 102891861B CN 201210422629 A CN201210422629 A CN 201210422629A CN 102891861 B CN102891861 B CN 102891861B
- Authority
- CN
- China
- Prior art keywords
- network address
- client
- website
- user
- feature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The invention relates to a phishing website detection method based on a client, which comprises the following steps: sending the website logged in by the user to a server to inquire the security of the website, and if the website is an unknown website, sending the website back to the client for detection; step two: extracting website characteristics of the user login website from the client side, comparing the website characteristics with a characteristic library of the user side, judging whether the website is a phishing website, if the website is the phishing website, sending the phishing website to the server side, and if the website is not the phishing website, allowing access; step three: and accumulating the number of people accessing the website at the server, and when the accumulated number of people exceeds a threshold value, judging the website as a false report of the client by the server and allowing the access. Compared with the prior art, the phishing website detection method based on the client side disclosed by the invention has the advantages that the server side is used for quickly checking the black, then the client side is used for quickly judging unknown websites, and finally the server side is used for preventing misjudgment. The phishing website can be detected quickly and accurately.
Description
Technical field
The present invention relates to information filtering field, the communications field, be specifically related to a kind of client-based detection method for phishing site andDevice.
Background technology
Along with popularizing of internet, increasing user starts to exchange and business transaction by internet, ecommerce,The Internet service such as e-bank, online game is development thereupon also. When user's access websites, need to input the letter such as account and passwordBreath, it is that user enters the unique identification that these websites operate, if there is people to usurp user's account and password, pretends to be useFamily enters website, may cause infringement to user's interests.
In the use of internet, some lawless person, by the mode of fishing website, inveigles user to input account and password, rightUser's account and password are usurped. Fishing website refers to that lawless person utilizes various means, the URL ground of counterfeit true websiteLocation and content of pages, or it is dangerous to utilize leak in true Website server program to insert in some webpage of websiteHTML code, gains user bank or the private data such as credit card account, password by cheating with this. Seriously affect on-line financeThe development of service, ecommerce, endangers public interest, affects the confidence of public's applying Internet.
At present, in existing fishing website recognition technology, many by building name of station, the IP of large-scale detection model to fishing network addressThe information such as address detect judgement. But due to the complex structure of this detection model, operational data amount is large, therefore need to beService end detects judgement. It is slow that its problem of bringing is exactly the speed detecting, and affected user's experience.
Summary of the invention
The object of the invention is to overcome shortcoming of the prior art with not enough, a kind of base that can fast detecting fishing website is providedIn the detection method for phishing site of client.
The present invention adopts following technical scheme to realize: a kind of client-based detection method for phishing site, comprises as followsStep:
Step 1: the network address of user's login is sent to service end and inquires about the security of this network address, if unknown network address is beamed backClient detects;
Step 2: extract in client that this user logins the web site features of network address and the feature database of user side is compared, judge itWhether be fishing network address, if fishing network address is sent to service end, if not, allow access;
Step 3: access the number of this network address in service end accumulative total, in the time that accumulated number exceedes a threshold value, this service end can judgeThis network address is client wrong report, allows access.
With respect to prior art, client-based detection method for phishing site of the present invention is first black by the fast quick checking of service end,Then by client, unknown website is judged fast, finally prevent the operation of erroneous judgement by service end. Can be to anglingFishnet station is detected rapidly and accurately.
Further, the present invention also provides a kind of client-based fishing website that can fast detecting fishing website to detect dressPut.
A kind of client-based fishing website checkout gear, comprises
Enquiry module, it is arranged on service end, and first client is sent to this enquiry module by the network address of user's login and inquires about this netThe security of location, if unknown website is beamed back client and is detected;
Judge module, it is arranged on client, comprises a feature database, and it is by web site features and the feature database of the network address of user's loginCompare, judge that whether it is fishing network address, if fishing network address is sent to service end, if not, allows access;
Anti-erroneous judgement module, it is arranged on service end, and its accumulative total is accessed the number of the network address of this user's login, when accumulated number exceedesWhen one threshold value, this anti-erroneous judgement module judges that this network address is the judge module wrong report of client, allows access.
With respect to prior art, client-based fishing website checkout gear of the present invention is first by the enquiry module of service endFast quick checking is black, then by the judge module of client, unknown website is judged fast, finally by the anti-erroneous judgement of service endModule prevents the operation of erroneous judgement. Can detect rapidly and accurately fishing website.
In order to understand more clearly the present invention, set forth the specific embodiment of the present invention below with reference to brief description of the drawings.
Brief description of the drawings
Fig. 1 is the flow chart that the present invention is based on the detection method for phishing site of client.
Fig. 2 is the module diagram that the present invention is based on the fishing website checkout gear of client.
Detailed description of the invention
Refer to Fig. 1, it is the detection method for phishing site flow chart that the present invention is based on client. This client-based fishingWebsite detection method comprises the steps:
Step S11: user's Website login.
Step S12: the network address of user's login is sent to service end and inquires about the security of this network address.
Wherein, this service end is provided with a black and white network address storehouse, has collected current found all black network address in this black and white network address storehouseWith white network address, the black network address network address of going fishing, white network address is legal normal network address. The network address of user login be sent to service end withAll network address in black and white network address storehouse are compared, if mate with a black network address, are judged as fishing website, and prompting forbids that client visitsAsk this network address; If mate with a white network address, be judged as normal network address, allow user to access this network address. If this user's loginNone mates the network address in network address and black and white network address storehouse, is unknown network address, sends a unknown and judges to client, in clientCarrying out step S13 further judges.
Step S13: extract that this user logins the web site features of network address and the feature database of client is compared, judge that whether it beFishing network address.
Particularly, because website is by HTML(HTML) write, according to the feature of html language, netThe feature of standing is made up of multiple characteristic elements, wherein, characteristic element comprise network address (URL), title (Title), keyword (Keywork),(Description) and content of text (Body) are described. The feature database of this client has been included some feature units, each spyLevying unit is by network address (URL), title (Title), keyword (Keywork), description (Description) and textThe particular content that holds (Body) forms. Login a certain feature of the network address feature of network address and the feature database of client when extracting userWhen units match, tentatively judge that the network address of this user's login is fishing website, enter step S14. Login net if extract userThe network address feature of location is not all mated with all feature units of the feature database of client, is judged as legal normal network address, allowsThis website of client access. The feature unit of this feature database is exclusive list rule of thumb.
Step S14: in the time that client is judged as fishing network address, again this network address is sent to service end inquiry, judges whether to blockCut this network address.
This service end has a number of visiting people counting unit, and in the time having client to send judgement request, this counting unit is tired outAdd counting, in the time that the number of visiting people accumulation exceedes a threshold value, this service end can judge that this network address is client wrong report, is white network address,Do not tackle this network address. In the time that the number of access is less than this threshold value, this service end judges that this network address is fishing network address, tackles.In the present embodiment, this threshold value setting is 50 people,, in the time that the number of visiting people of this unknown network address is less than 50 people, it is blockedCut, in the time that the number of visiting people of this unknown network address is greater than 50 people, allow this website of client-access.
The determining step again of service end is set, and is the erroneous judgement in order to prevent client. Allow the number of asking generally all due to fishing websiteSeldom, so in the time that the number of visiting people exceedes the threshold value of setting, can judge that this unknown website is not fishing website.
In this client-based detection method for phishing site, first black by the fast quick checking of service end, then by client pairUnknown website judges fast, finally prevents the operation of erroneous judgement by service end. Can carry out quick standard to fishing websiteReally detect.
Refer to Fig. 2, it is client-based fishing website checkout gear schematic diagram of the present invention. This client-based anglingFishnet station checkout gear comprises enquiry module 21, judge module 22 and anti-erroneous judgement module 23. Wherein, this enquiry module 21 and anti-Erroneous judgement module 23 is arranged on service end, and this judge module 22 is arranged on client. When user logins a network address, client firstThe enquiry module 21 that the network address of user's login is sent to service end is inquired about the security of this network address, if this network address is unknown netLocation, is done and is further judged that whether it is fishing network address by the judge module 22 of client, if judgement is fishing network address, againThe anti-erroneous judgement module 23 that judgement information is sent to service end, judges whether to tackle this network address.
Further, this enquiry module 21 comprises black and white network address storehouse 212, this black and white network address storehouse 212 is interior collected current foundAll black network address and white network address, the black network address network address of going fishing, white network address is legal normal network address. The network address of user's login sendsTo service end, its enquiry module 21 is compared the network address of user's login and all network address in black and white network address storehouse 212, if with oneBlack network address coupling, is judged as fishing website, and this network address of client access is forbidden in prompting; If mate with a white network address, be judged asNormal network address, allows user to access this network address. If none mates the network address of this user's login and the network address in black and white network address storehouse 212,Be unknown network address, send a unknown and judge to client, further judge in client.
The judge module 22 of this client comprises a feature database 222. Because website is by HTML(HTML) compileWrite, according to the feature of html language, web site features is made up of multiple characteristic elements, and wherein, characteristic element comprises network address(URL), title (Title), keyword (Keywork), description (Description) and content of text (Body). This visitorThe feature database 222 of family end has been included some feature units, each feature unit be by network address (URL), title (Title),The particular content of keyword (Keywork), description (Description) and content of text (Body) forms. When extracting userWhen a certain feature unit of the login network address feature of network address and the feature database 222 of client mates, tentatively judge this user's loginNetwork address be fishing website. All feature units that user logins the network address feature of network address and the feature database of client if extract are not allCoupling, is judged as legal normal network address, allows this website of client access. The feature unit of this feature database is rule of thumb poorEnumerate to the greatest extent.
The anti-erroneous judgement module 23 of this service end comprises a number of visiting people counting unit 232, in the time having client to send judgement request,This number of visiting people counting unit 232 is carried out accumulated counts, in the time that the number of visiting people accumulation exceedes a threshold value, and the anti-erroneous judgement of this service endModule 23 judges that this network address is client wrong report, is white network address, does not tackle this network address. In the time that the number of access is less than this threshold value,This anti-erroneous judgement module 23 judges that this network address is fishing network address, tackles. In the present embodiment, this threshold value setting is 50 people,In the time that the number of visiting people of this unknown network address is less than 50 people, it is tackled, when the number of visiting people of this unknown network address is greater than 50When people, allow this website of client-access.
With respect to prior art, first quick by the enquiry module of service end at this client-based fishing website checkout gearLook into blackly, then by the judge module of client, unknown website is judged fast, finally by the anti-erroneous judgement module of service endPrevent the operation of erroneous judgement. Can detect rapidly and accurately fishing website.
The present invention is not limited to above-mentioned embodiment, if various changes of the present invention or distortion are not departed to spirit of the present inventionAnd scope, if within these changes and distortion belong to claim of the present invention and equivalent technologies scope, the present invention is also intended toComprise these changes and distortion.
Claims (9)
1. a client-based detection method for phishing site, comprises the steps:
Step 1: the network address of user's login is sent to service end and inquires about the security of this network address, if unknown network address is beamed back visitorFamily end detects;
Step 2: extract in client that this user logins the web site features of network address and the feature database of client is compared, judge that it isNo is fishing website, if fishing website is sent to service end, if not, allows access;
Step 3: access the number of this network address in service end accumulative total, in the time that accumulated number exceedes a threshold value, this service end can judge thisNetwork address is client wrong report, allows access.
2. client-based detection method for phishing site according to claim 1, is characterized in that: this step 1 is specially useThe network address of family login is sent to service end, compares with all network address in the black and white network address storehouse of service end; If with a black network addressCoupling, is judged as fishing website, and this network address of client access is forbidden in prompting; If mate with a white network address, be judged as normalNetwork address, allows user to access this network address; If the network address of this user login and the network address in black and white network address storehouse none mate, for notKnow network address, beam back client and detect.
3. client-based detection method for phishing site according to claim 2, is characterized in that: the feature database of this clientSome feature units are included, if extraction user logins a certain feature unit of the web site features of network address and the feature database of clientWhen coupling, judge that the network address of this user's login is fishing website, if extraction user logins web site features and the client of network addressAll feature units of feature database all do not mate, be judged as legal normal network address, allow this website of client access.
4. client-based detection method for phishing site according to claim 3, is characterized in that: each feature unit isBe made up of any one or more particular contents, described particular content comprises network address, title, keyword, description and textContent.
5. a client-based fishing website checkout gear, is characterized in that: comprise
---enquiry module, it is arranged on service end, and first client is sent to this enquiry module inquiry by the network address of user's login shouldThe security of network address, if unknown website is beamed back client and is detected;
---judge module, it is arranged on client, comprises a feature database, and it is by web site features and the feature of the network address of user's loginComparing in storehouse, judges whether it is fishing website, if fishing website is sent to service end, if not, allows to visitAsk;
---anti-erroneous judgement module, it is arranged on service end, and its accumulative total is accessed the number of the network address of this user's login, when accumulated number surpassesWhile crossing a threshold value, this anti-erroneous judgement module judges that this network address is the judge module wrong report of client, allows access.
6. client-based fishing website checkout gear according to claim 5, is characterized in that: this enquiry module comprises oneBlack and white network address storehouse, all network address in this black and white network address storehouse of network address of user's login are compared; If mate with a black network address,Be judged as fishing website, this network address of client access is forbidden in prompting; If mate with a white network address, be judged as normal network address, permitThis network address is accessed at family allowable; If none mates the network address of this user's login and the network address in black and white network address storehouse, is unknown network address,Beaming back client detects.
7. client-based fishing website checkout gear according to claim 6, is characterized in that: if this feature database has been includedDry feature unit, when a certain feature unit that user logins the network address feature of network address and the feature database of client if extract mates,The network address that judges this user's login is fishing website, logins the network address feature of network address and the feature database of client if extract userAll feature units all do not mate, be judged as legal normal network address, allow this website of client access.
8. client-based fishing website checkout gear according to claim 7, is characterized in that: each feature unit isBe made up of any one or more particular contents, described particular content comprises network address, title, keyword, description and textContent.
9. according to the client-based fishing website checkout gear described in any claim in claim 5~8, its feature existsIn: this anti-erroneous judgement module comprises a number of visiting people counting unit, in the time having client to send judgement request, this number of visiting peopleCounting unit is carried out accumulated counts.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210422629.6A CN102891861B (en) | 2012-10-29 | 2012-10-29 | Client-based phishing website detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210422629.6A CN102891861B (en) | 2012-10-29 | 2012-10-29 | Client-based phishing website detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102891861A CN102891861A (en) | 2013-01-23 |
| CN102891861B true CN102891861B (en) | 2016-05-11 |
Family
ID=47535228
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210422629.6A Active CN102891861B (en) | 2012-10-29 | 2012-10-29 | Client-based phishing website detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102891861B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103368958A (en) | 2013-07-05 | 2013-10-23 | 腾讯科技(深圳)有限公司 | Method, device and system for detecting webpage |
| CN104077396B (en) * | 2014-07-01 | 2017-05-17 | 清华大学深圳研究生院 | Method and device for detecting phishing website |
| CN104580203A (en) * | 2014-12-31 | 2015-04-29 | 北京奇虎科技有限公司 | Website malicious program detection method and device |
| KR102482114B1 (en) * | 2015-12-31 | 2022-12-29 | 삼성전자주식회사 | Method of performing secured communication, system on chip performing the same and mobile system including the same |
| CN106230848A (en) * | 2016-08-11 | 2016-12-14 | 国家计算机网络与信息安全管理中心 | A kind of method of Behavior-based control feature detection fishing website |
| CN106506547B (en) * | 2016-12-23 | 2020-07-10 | 北京奇虎科技有限公司 | Processing method, WAF, router and system for denial of service attack |
| CN110929129B (en) * | 2018-08-31 | 2023-12-26 | 阿里巴巴集团控股有限公司 | Information detection method, equipment and machine-readable storage medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102083100A (en) * | 2010-12-31 | 2011-06-01 | 百度在线网络技术(北京)有限公司 | Method and device for detecting states of multiple resource links based on sites |
| CN102727183A (en) * | 2012-06-14 | 2012-10-17 | 深圳市元征科技股份有限公司 | Device for detecting cell vigor |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012084010A1 (en) * | 2010-12-20 | 2012-06-28 | Telefonaktiebolaget L M Ericsson (Publ) | Method of and device for service monitoring and service monitoring management |
| CN102710646B (en) * | 2012-06-06 | 2016-08-03 | 珠海市君天电子科技有限公司 | Method and system for collecting phishing websites |
-
2012
- 2012-10-29 CN CN201210422629.6A patent/CN102891861B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102083100A (en) * | 2010-12-31 | 2011-06-01 | 百度在线网络技术(北京)有限公司 | Method and device for detecting states of multiple resource links based on sites |
| CN102727183A (en) * | 2012-06-14 | 2012-10-17 | 深圳市元征科技股份有限公司 | Device for detecting cell vigor |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102891861A (en) | 2013-01-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102891861B (en) | Client-based phishing website detection method and device | |
| CN105930727B (en) | Reptile recognition methods based on Web | |
| US10721245B2 (en) | Method and device for automatically verifying security event | |
| CN106295349A (en) | Risk Identification Method, identification device and the anti-Ore-controlling Role that account is stolen | |
| US20130054433A1 (en) | Multi-Factor Identity Fingerprinting with User Behavior | |
| CN102724186B (en) | Phishing website detection system and detection method | |
| US9210189B2 (en) | Method, system and client terminal for detection of phishing websites | |
| CN103139138B (en) | A kind of application layer denial of service means of defence based on client detection and system | |
| CN104580230B (en) | Verification method and device are attacked in website | |
| CN102647408A (en) | Method for judging phishing website based on content analysis | |
| CN102467633A (en) | Method and system for safely browsing webpage | |
| CN104077396A (en) | Method and device for detecting phishing website | |
| CN102769632A (en) | Method and system for grading detection and prompt of fishing website | |
| CN102622553A (en) | Method and device for detecting webpage safety | |
| CN103443800A (en) | Network rating | |
| CN102413074A (en) | Method for detecting login of instant messenger terminal in another place | |
| CN103209177A (en) | Detection method and device for network phishing attacks | |
| CN105376217B (en) | A kind of malice jumps and the automatic judging method of malice nested class objectionable website | |
| KR20180074774A (en) | How to identify malicious websites, devices and computer storage media | |
| CN104852916A (en) | Social engineering-based webpage verification code recognition method and system | |
| CN107800686A (en) | A kind of fishing website recognition methods and device | |
| CN104158789A (en) | Method and device for detecting security of payment type website | |
| CN108270754B (en) | Detection method and device for phishing website | |
| CN106060038A (en) | Client program behavior analysis-based phishing website detection method | |
| CN103475673A (en) | Phishing website recognizing method and device and client side |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: KINGSOFT CORPORATION LIMITED BEIKE INTERNET (BEIJI Effective date: 20130503 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20130503 Address after: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8 Applicant after: ZHUHAI JUNTIAN ELECTRONIC TECHNOLOGY Co.,Ltd. Applicant after: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. Applicant after: SHELL INTERNET (BEIJING) SECURITY TECHNOLOGY Co.,Ltd. Applicant after: BEIJING KINGSOFT NETWORK TECHNOLOGY Co.,Ltd. Address before: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8 Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd. |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8 Patentee after: ZHUHAI JUNTIAN ELECTRONIC TECHNOLOGY Co.,Ltd. Patentee after: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. Patentee after: Beijing Cheetah Mobile Technology Co.,Ltd. Patentee after: Beijing Cheetah Network Technology Co.,Ltd. Address before: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8 Patentee before: Zhuhai Juntian Electronic Technology Co.,Ltd. Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. Patentee before: SHELL INTERNET (BEIJING) SECURITY TECHNOLOGY Co.,Ltd. Patentee before: BEIJING KINGSOFT NETWORK TECHNOLOGY Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20191203 Address after: 519031 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Patentee after: Zhuhai Leopard Technology Co.,Ltd. Address before: Jingshan Hill Road, Lane 519015 Lianshan Jida Guangdong province Zhuhai City No. 8 Co-patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. Patentee before: Zhuhai Juntian Electronic Technology Co.,Ltd. Co-patentee before: Beijing Cheetah Mobile Technology Co.,Ltd. Co-patentee before: Beijing Cheetah Network Technology Co.,Ltd. |