CN103036896B - Method and system for testing malicious links - Google Patents


Info

Publication number: CN103036896B
Authority: CN (China)
Prior art keywords: malicious, link, host name, malice, embedded
Legal status: Active
Application number: CN201210560165.5A
Other languages: Chinese (zh)
Other versions: CN103036896A
Inventors: 李晓波, 刘起
Current assignees: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Related publications: CN103036896A (application publication), WO2014094653A1 (PCT/CN2013/090104), CN103036896B (granted patent)

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a system for detecting malicious links. The method comprises: performing malicious behavior detection on suspicious links; performing malicious behavior detection on the other embedded links of links found to be malicious; assessing a malice value for each malicious link and for the malicious website host name associated with each malicious link; updating the malice values of the related malicious links or malicious website host names; filtering out a dangerous malicious website host name set and a dangerous malicious link set; notifying the client device of the dangerous malicious website host name set and the dangerous malicious link set; obtaining new suspicious links; and performing malicious behavior detection on the new suspicious links. The other embedded links of a malicious link or suspicious link comprise the other links that are executed automatically when the malicious link or suspicious link is visited.

Description

Method and system for detecting malicious links
Technical field
The present invention relates to the technical field of network security, and specifically to a method and system for detecting malicious links.
Background technology
With the development of the Internet, the attack patterns of the various computer malicious programs keep emerging in endless variety. For example, the means of trojan-planting attacks (rendered "extension horse" or "hang horse" in the machine translation) are varied: the attacker uses SQL (Structured Query Language) injection, scanning for sensitive website files, server vulnerabilities, 0day flaws in the website's software and other methods to obtain the webmaster's account, then logs into the website's back end and obtains a webshell (a web intrusion script attack tool) through database backup/restore or an upload vulnerability. The webshell is used to modify the content of the website's pages, adding malicious redirect code to them. The server or the website's FTP (File Transfer Protocol) access can also be obtained directly through weak passwords, and the website's pages then modified directly. When a page into which malicious code has been added is visited, the redirected-to address will be accessed automatically, or a trojan horse program downloaded.
In the whole defense system for trojan-planting detection, the collection of malicious URLs (Uniform Resource Locators) is a very important link: how to collect malicious URLs faster and more comprehensively determines whether antivirus software can detect and remove trojan-planting websites in time and effectively.
One existing scheme for detecting trojan-planting websites is that an anti-trojan-planting spider takes the high-risk websites collected after vulnerability scanning as seeds to crawl, obtains new URLs by link analysis of the newly found pages, downloads the new URLs, and submits the downloaded content to a trojan-planting recognition system. For such a seed-based crawling detection system, because the seed pages are only high-risk websites and not necessarily websites on which trojans have actually been planted, trojan-planting websites cannot be detected quickly, and the coverage is also not comprehensive enough.
Another existing scheme is that the detection system discovers high-risk websites through detection by client software, feeds the data back to the spider system after discovery, and the spider system downloads them and submits them to the subsequent analysis system. For such a client-detection-based detection system, because the malicious attack code embedded after a hacker attack may stop at any time, the client often cannot detect the malicious behavior, so the attacked address cannot be passed back to the server-end detection system, and the detection approach is rather passive. This scheme therefore also cannot quickly find as many trojan-planting websites as possible for detection, nor detect as many of them as possible.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a system for detecting malicious links, and a corresponding method for detecting malicious links, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a system for detecting malicious links is provided, comprising a server-side device and a client device;
the server-side device comprises a network security management device, and the client device comprises a detection device; the malicious links comprise the link addresses of malicious network resources on the Internet, wherein
the detection device comprises: a second behavior detector, configured to detect suspicious behavior of network resources and to pass the detected suspicious links to the server-side device for further detection; a second getter, configured to obtain the dangerous malicious website host name set and the dangerous malicious link set that the server-side device determines based on the suspicious links provided by the second behavior detector, where the dangerous malicious website host name set is the set of malicious website host names, filtered out by the server side, whose malice value is higher than a first preset threshold, and the dangerous malicious link set is the set of malicious links under the remaining malicious website host names (those outside the dangerous malicious website host name set), filtered out by the server side, whose malice value is higher than a second preset threshold; and a second link detector, configured to detect new suspicious links according to the dangerous malicious website host name set and the dangerous malicious link set obtained by the second getter, and to pass the new suspicious links to the server-side device for detection and for updating the relevant malice values, where the other embedded links of the new suspicious link hit the dangerous malicious website host name set or the dangerous malicious link set;
the network security management device comprises: a first behavior detector, configured to at least perform malicious behavior detection on the suspicious links detected by the client device, to detect whether they are malicious links, and to perform malicious behavior detection on the other embedded links of the links detected as malicious, detecting the other embedded malicious links of those malicious links; a first behavior evaluator, configured to assess a malice value for each malicious link, and for the malicious website host name associated with each malicious link, at least according to the embedded relations between the malicious links detected by the first behavior detector, and to update the malice values of the related malicious links or malicious website host names according to the new malicious links detected by the first behavior detector; a first filter, configured to filter out, according to the result of the first behavior evaluator, the dangerous malicious website host name set whose malice values are higher than a first preset threshold and, under the remaining malicious website host names, the dangerous malicious link set whose malice values are higher than a second preset threshold, and to notify the client device of the dangerous malicious website host name set and the dangerous malicious link set; and a first getter, configured to obtain the new suspicious links that the client device detects based on the dangerous malicious website host name set and the dangerous malicious link set, and to pass the new suspicious links to the first behavior detector for detection, where the other embedded links of the new suspicious link hit the dangerous malicious website host name set or the dangerous malicious link set.
Optionally, the malicious link whose malice value is to be assessed is the target malicious link, the other embedded malicious links of the target malicious link are the embedded malicious links of the target malicious link, and the malicious external-link count of each embedded malicious link is the total number of malicious links that have this embedded malicious link as an embedded link. The first behavior evaluator comprises: a first identification module, configured to identify, according to the embedded relations between the malicious links, all embedded malicious links of the target malicious link and the malicious external-link count of each embedded malicious link; and a first evaluation module, configured to assess the malice value of the target malicious link according to the latest malice value of each embedded malicious link of the target malicious link identified by the first identification module and the malicious external-link count of each embedded malicious link.
Optionally, the malicious website host name whose malice value is to be assessed is the target malicious website host name; the malicious website host names to which the other malicious links embedded by each malicious link under the target malicious website host name belong are the associated malicious website host names that have an association relation with the target malicious website host name; and the malicious external-link count of each associated malicious website host name is the sum of the malicious external-link counts of all malicious links under that associated host name. The first behavior evaluator comprises: a second identification module, configured to identify, according to the embedded relations between the malicious links, the associated malicious website host names of the target malicious website host name and the malicious external-link count of each associated malicious website host name; and a second evaluation module, configured to assess the malice value of the target malicious website host name according to the latest malice value of each associated malicious website host name of the target malicious website host name and the malicious external-link count of each associated malicious website host name.
Optionally, the first evaluation module is further configured to obtain the malice value of each target malicious link in multiple rounds of iteration, setting an initial malice value for each target malicious link in the first round; the second evaluation module is further configured to obtain the malice value of each target malicious website host name in multiple rounds of iteration, setting an initial malice value for each target malicious website host name in the first round.
Optionally, the other embedded links of a malicious link or suspicious link comprise: the other links that are executed automatically when the malicious link or suspicious link is visited.
Optionally, the other embedded links of a new suspicious link hitting the dangerous malicious website host name set or the dangerous malicious link set comprises: the website host name of the other embedded links of the new suspicious link being at least one website host name in the dangerous malicious website host name set; or the other embedded links of the new suspicious link being at least one link in the dangerous malicious link set.
Optionally, the first behavior detector is specifically a trojan-planting behavior detector, the malicious behavior detection is specifically trojan-planting malicious behavior detection, the malicious links are specifically malicious trojan-planting links, and the other embedded malicious links of a malicious link are specifically the other embedded malicious trojan-planting links of the malicious trojan-planting link.
According to another aspect of the invention, a method for detecting malicious links is provided, where the malicious links comprise the link addresses of various malicious network resources on the Internet, the method comprising: at least performing malicious behavior detection on the suspicious links detected by the client device, to detect whether they are malicious links, and performing malicious behavior detection on the other embedded links of the links detected as malicious, to detect the other embedded malicious links of the malicious links; assessing a malice value for each malicious link, and for the malicious website host name associated with each malicious link, at least according to the embedded relations between the malicious links, and updating the malice values of the related malicious links or malicious website host names according to the newly detected malicious links; filtering out the dangerous malicious website host name set whose malice values are higher than a first preset threshold and, under the remaining malicious website host names, the dangerous malicious link set whose malice values are higher than a second preset threshold, and notifying the client device of the dangerous malicious website host name set and the dangerous malicious link set; obtaining the new suspicious links that the client device detects based on the dangerous malicious website host name set and the dangerous malicious link set, and performing malicious behavior detection on the new suspicious links, where the other embedded links of the new suspicious links hit the dangerous malicious website host name set or the dangerous malicious link set; wherein the other embedded links of a malicious link or suspicious link comprise the other links that are executed automatically when the malicious link or suspicious link is visited.
With the system and method for detecting malicious links of the present invention, more suspicious links and malicious links can be detected quickly, which solves the technical problem that the prior art cannot quickly detect as many malicious links as possible, and achieves the beneficial effect of quickly detecting a large number of malicious links.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become obvious to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, identical reference symbols denote identical parts. In the drawings:
Fig. 1 shows a schematic diagram of a system for detecting malicious links according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of the embedded relations between malicious links according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the association relations between malicious website host names according to an embodiment of the invention;
Fig. 4 shows a flow chart of a method for detecting malicious links according to an embodiment of the invention; and
Fig. 5 shows a flow chart of a detection method for detecting malicious links according to an embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Embodiments of the present invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and so on.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules can include routines, programs, target programs, components, logic, data structures and so on, which perform specific tasks or implement specific abstract data types. The computer system/server can be implemented in a distributed cloud computing environment, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules can be located on local or remote computing system storage media including memory devices.
Referring to Fig. 1, which shows a schematic diagram of a system for detecting malicious links according to an embodiment of the invention: the system comprises a server-side device 100 and a client device 200. The server-side device at least comprises a network security management device 110 for detecting malicious links; specifically, the network security management device 110 comprises a first behavior detector 112, a first behavior evaluator 114, a first getter 116 and a first filter 118. The client device at least comprises a detection device 210 for detecting malicious links; specifically, the detection device 210 comprises a second behavior detector 212, a second getter 214 and a second link detector 216.
First, the second behavior detector 212 in the client-side detection device 210 detects suspicious behavior of network resources; network resources on the Internet include but are not limited to web pages, video and audio. The client side maintains a suspicious behavior feature database in advance. The suspicious behaviors recorded in this database (features of suspicious program behavior) include but are not limited to: calling certain specific system functions while a certain web page is being accessed, executing or loading certain particular code, allocating suspicious memory, storing a file in a suspicious location, or creating a memory overflow. These suspicious behaviors may be summarized by the client-side detection device 210 from the encrypted feature values of past historical data, or may be encrypted feature values or program behaviors obtained from the server side. The specific content of the suspicious behaviors can be updated continuously and their kinds enriched continually; the server end can use methods such as decision trees, Bayesian algorithms and neural network computation, or simple threshold analysis, for machine learning. All the various suspicious behaviors known to the client side by various means, and the various means of detecting them, are applicable in embodiments of the present invention; the invention is not limited in this respect.
When the client side accesses the network resource at some link address, the second behavior detector 212 monitors and detects the current access process and behavior according to the known suspicious behavior feature database. Because the client side holds the user's various private documents, and its operating and analysis capability is also limited, the second behavior detector 212, after detecting suspicious behavior, generally intercepts it after obtaining the user's consent and does not continue the current operation, so that the harm does not actually occur. For example, if it is detected that a certain suspicious system function is being called by a web link currently being visited, the client will generally not allow the call to continue, and consequently cannot know which programs would have been executed or which files downloaded after the suspicious function completed. The client therefore cannot accurately judge whether the web link is really a malicious link; it can only determine it to be a suspicious link, which it then reports to the network security management device 110 at the server end for further detection and confirmation. The server end and the client form a feedback loop, and multiple server clusters are kept in parallel to process the tasks.
After the first behavior detector 112 of the network security management device 110 receives the suspicious link information from the client side, it performs malicious behavior detection on these suspicious links to detect whether they are malicious links. Specifically, because the server end has stronger operating and analysis capability, it has more advanced and authoritative detection means for further confirming the suspicious links. For example, without affecting the security of the server end's overall network environment, the whole process of accessing or downloading the suspicious link can be completed in a running environment such as a virtual machine, letting the program finish executing, such as completing the call of the suspicious system function, loading the suspicious code, allocating the suspicious memory space, and so on. In this way it can detect, over the whole process of accessing or downloading the link, which code was actually downloaded, which files were downloaded and what the suspicious system function call did; it can even go on to execute the various downloaded code and run the various downloaded files. Combining these detections with the more powerful feature database on the network side, it can determine more accurately whether the link is a real malicious link. As another example, the server end's malice feature database, black and white lists and so on, which are updated more timely and comprehensively than the client's, can also be used to further judge and confirm the links reported by the client. It should be noted that the server end has more powerful and more timely detection means and resources than the client side, so all existing and future server-end techniques for confirming whether a suspicious link is a malicious link are applicable to the present invention; the invention is not limited in this respect.
After the suspicious links reported by the client side are further detected by the first behavior detector 112 on the server side, they may all turn out to be real malicious links, but it may also be found that some of them are not. The main purpose of the first behavior detector 112 is therefore to detect the real malicious links among the suspicious links reported by the client side, for the subsequent operations.
After the first behavior detector 112 has detected malicious links, it further performs malicious behavior detection on the other embedded links of these malicious links, detecting their other embedded malicious links. The other embedded links of a malicious link may be the other links that are automatically executed in the course of accessing and executing the malicious link, in other words the other links that are automatically redirected to and accessed. Specifically, the first behavior detector 112 monitors the network port; after a certain malicious link is accessed, the data provided by the network port reveals which other links were opened (or accessed) automatically while that malicious link was being accessed, and those other links are the embedded links of the malicious link. The first behavior detector 112 then also accesses and executes these embedded links once, to judge which of them are malicious links. Through the above operations, the first behavior detector 112 can detect a number of malicious links and the embedded relations between them.
For example, the first behavior detector 112 first detects that a certain link A is a malicious link,
A link: hxxp://www.cqcmc.cn/xxx/xxx/?list_5.html,
and at the same time detects, from the access records of the monitored network port, that when this malicious link A is accessed, a link B is automatically accessed (in other words, the content at link B is automatically downloaded),
B link: hxxp://vma.jkub.com:xx/3/maay.htm,
from which it can be determined that link B is an embedded link of link A. The first behavior detector 112 then detects, again by the various detection means described above, whether link B is a malicious link; if so, link B is determined to be an embedded malicious link of malicious link A. By analogy, in this way the first behavior detector 112 can detect a number of malicious links and their embedded malicious links, and thus learns the embedded relations between the malicious links.
In one embodiment, after the first behavior detector 112 has detected the malicious links and the embedded relations between them, the first behavior evaluator 114 assesses a malice value for each malicious link according to the embedded relations between the malicious links provided by the first behavior detector 112. Specifically, for convenience, the malicious link whose malice value is to be assessed is called the target malicious link, the other embedded malicious links of the target malicious link are called the embedded malicious links of that target malicious link, and the malicious external-link count of each embedded malicious link is the total number of malicious links that have this embedded malicious link as an embedded link.
Fig. 2 shows a schematic diagram of the link relations used to assess the malice value of a malicious link. Suppose malicious link A in the figure is the target malicious link whose malice value is to be assessed. From the first behavior detector 112 it is known that malicious link A has 3 embedded malicious links, namely links B, C and D, which the first behavior detector 112 has confirmed to be malicious links. It can also be seen from the figure that link E is in fact also an embedded link of malicious link A, but because link E is not a malicious link, it is not taken into account when assessing the malice value of target malicious link A;
In addition, suppose that accessing link A automatically redirects to and executes link F, but link F belongs to the same website as link A, for example the two links have the same domain name. Then, when assessing the malice value of target malicious link A, link F is not considered regardless of whether it is a malicious link; that is, only the embedded relations between different websites are considered when assessing the malice value of a malicious link, not the embedded relations between links within the same website. The other embedded malicious links of a target malicious link are thus defined as malicious links not on the same website; in other words, the embedded malicious links of a target malicious link are the malicious links it embeds that are on a different website. Although the other malicious links of the same website embedded by a target malicious link are not used to calculate the malice value of that target malicious link, whether such an embedded malicious link in turn embeds malicious links of other websites can still be analyzed further; that is, the other malicious links of the same website embedded by the target malicious website can be analyzed as new malicious links in their own right, and their malice values assessed. It should be noted that it is not entirely excluded that, in certain special application scenarios, the other embedded malicious links of a target malicious link need not be restricted to embedded malicious links of different websites, i.e. embedded malicious links of the same website also take part in calculating the malice value of the target malicious link; in that case all the various malicious links embedded by the target malicious link, whether on a different website or possibly on the same website, are the embedded malicious links of that target malicious link. Both of the above schemes therefore fall within the protection scope of the present invention, and different schemes can be adopted according to the differences of the practical application scenario.
The malice value of each target malicious link is assessed mainly by the first behavior evaluator 114. Specifically, the first behavior evaluator 114 may comprise a first identification module and a first evaluation module.
First, according to the embedding relations between the malicious links provided by the first behavior detector 112, the first identification module identifies all embedded malicious links of the target malicious link and the malicious out-link count of each embedded malicious link, that is, the number of malicious links of which it is an embedded malicious link. Taking Fig. 2 as the example again, from the information provided by the first behavior detector 112 the first identification module identifies all embedded malicious links of target malicious link A as malicious links B, C and D. It then counts the malicious out-link count of each embedded malicious link. As can be seen from Fig. 2, malicious link B is an embedded malicious link not only of malicious link A but also of malicious links G, H and I, so the malicious out-link count of B, an embedded malicious link of A, is 4. Likewise, the malicious out-link count of embedded malicious link C is 3 (its malicious out-links are A, J and K), and the malicious out-link count of embedded malicious link D is 1 (its only malicious out-link is A).
The first identification module then notifies the first evaluation module of the counted information, and the first evaluation module assesses the malice value of the target malicious link from the latest malice value of each of its embedded malicious links and the malicious out-link count of each embedded malicious link. In one embodiment, the first evaluation module may comprise: a first ratio submodule, which obtains, for each embedded malicious link of the target malicious link, the ratio of its latest malice value to its malicious out-link count; a first accumulation submodule, which sums these ratios over all embedded malicious links of the target malicious link to obtain a first accumulated value; and a first weighting submodule, which multiplies the first accumulated value by a first weight and adds a second weight to obtain the malice value of the target malicious link. Fig. 2 is again used for the detailed description.
In one embodiment, the malice value of target malicious link A may be assessed with the following formula:
PR(A) = a + b * (PR(B)/links(B) + PR(C)/links(C) + PR(D)/links(D) + ...)
Here PR() denotes the malice value (which may also be called the rank value) of the corresponding malicious link and links() denotes its malicious out-link count; b corresponds to the first weight described above (the multiplier) and a to the second weight (the additive term). Initially, the malice values of all malicious links may be assigned an initial value. It should be noted that this initial value and the weights a and b may be set to different numerical values according to the requirements of the actual application scenario or according to experience; the embodiments of the present invention do not restrict them. In most cases a and b may be constrained so that their sum equals 1, and in some cases a and b need not even be given values of practical significance. Suppose that in one embodiment a is set to 0.15, b to 0.85 and the initial malice value of every malicious link to 1.
As known from the description of the first identification module above, in the embodiment corresponding to Fig. 2, links(B) = 4, links(C) = 3 and links(D) = 1. In the first round of calculating the malice value of each malicious link, the malice values of the related malicious links all take the initial value, i.e. PR(B) = 1, PR(C) = 1 and PR(D) = 1, and therefore
PR(A) = 0.15 + 0.85 * (1/4 + 1/3 + 1/1) = 1.4958
Thus in the first round of calculating each target malicious link, the malice value of malicious link A is 1.4958. In the same way, the first-round malice values of the other malicious links, such as B, C, D and G, can be evaluated.
The first evaluation module may obtain the malice value of each target malicious link by multi-round iteration: in the first round each target malicious link is given the initial malice value, and in each subsequent round the malice values of the related malicious links brought into the calculation are the results computed in the previous round. After many rounds of iteration, provided the amount of malicious-link data and the embedding relations between the malicious links do not change, the malice value of each target malicious link tends towards a constant, that is, a value comparatively close to the actual malice value. Whenever the first behavior detector 112 detects new malicious links, the first behavior evaluator may promptly or periodically recalculate, i.e. update, the malice values of the related malicious links. The higher the malice value, the more likely the malicious link is a trojan-planting source (挂马, the planting of a web trojan on a site), one that may have infected many other links or websites.
In the above embodiment, the first behavior evaluator 114 assesses a malice value for each malicious link according to the embedding relations between the malicious links detected by the first behavior detector 112. In another embodiment of the present invention, the first behavior evaluator 114 may also, according to the embedding relations between the malicious links, assess a malice value for the malicious website host name associated with each malicious link, and update the malice values of the related malicious links or malicious website host names according to the new malicious links detected by the first behavior detector 112.
Specifically, the first behavior evaluator 114 may comprise a second identification module and a second evaluation module. The malicious website host name whose malice value is to be assessed is called the target malicious website host name; the malicious website host names to which the other malicious links embedded by each malicious link under the target malicious website host name belong are the associated malicious website host names that have an association relation with the target malicious website host name. How to determine the other embedded malicious links of a malicious link is described in the previous embodiment and is not repeated here. Fig. 3 is a schematic diagram of the association relations between malicious website host names according to an embodiment of the invention. The first behavior evaluator 114 learns that the first behavior detector 112 has detected 4 malicious links under a certain website host name aaa, for example www.aaa.com/a, www.aaa.com/b, www.aaa.com/c and www.aaa.com/d, where www.aaa.com/a has an embedded malicious link www.bbb.com/h, www.aaa.com/c has an embedded malicious link www.ccc.com/g, and www.aaa.com/b and www.aaa.com/d have no embedded malicious links. Further analysis of the URLs shows that the malicious website host name of embedded link www.bbb.com/h is bbb and that of embedded malicious link www.ccc.com/g is ccc, so the associated malicious website host names of target malicious website host name aaa are "bbb" and "ccc" respectively.
The malicious out-link count of an associated malicious website host name is specifically the sum of the malicious out-link counts of all malicious links under that associated malicious website host name. For example, suppose website host "bbb" has 3 malicious links under it, namely www.bbb.com/h, www.bbb.com/i and www.bbb.com/k, where www.bbb.com/h is an embedded malicious link of malicious link G (www.aaa.com/a) and of malicious link H, so the malicious out-link count of www.bbb.com/h is 2; likewise the malicious out-link count of www.bbb.com/i is 3 and that of www.bbb.com/k is 0. The malicious out-link count of website host name "bbb" is therefore 2 + 3 + 0 = 5. The malicious out-link count of associated malicious website host name ccc, which is associated with malicious website host name aaa, can be counted in the same way; suppose it is 2.
In the above manner, the second identification module can identify, according to the embedding relations between the malicious links, the associated malicious website host names of each target malicious website host name and the malicious out-link count of each associated malicious website host name. The second evaluation module then assesses the malice value of the target malicious website host name from the latest malice value of each of its associated malicious website host names and the malicious out-link count of each associated malicious website host name.
For example, in one embodiment the second evaluation module may comprise: a second ratio submodule, which obtains, for each associated malicious website host name of the target malicious website host name, the ratio of its latest malice value to its malicious out-link count; a second accumulation submodule, which sums these ratios over all associated malicious website host names of the target malicious website host name to obtain a second accumulated value; and a second weighting submodule, which multiplies the second accumulated value by a third weight and adds a fourth weight to obtain the malice value of the target malicious website host name. The assessment of malicious website host name aaa in Fig. 3 is described in detail below.
The following formula may be adopted when assessing the malice value of a malicious website host name a:
PR(a) = A + B * (PR(b)/links(b) + PR(c)/links(c) + PR(d)/links(d) + ...)
Here PR() denotes the malice value (which may also be called the rank value) of the corresponding malicious website host name and links() denotes its malicious out-link count; B corresponds to the third weight described above (the multiplier) and A to the fourth weight (the additive term). Initially, the malice values of all malicious website host names may be assigned an initial value. It should be noted that this initial value and the weights A and B may be set to different numerical values according to the requirements of the actual application scenario or according to experience; the embodiments of the present invention do not restrict them. In most cases A and B may be constrained so that their sum equals 1, and in some cases A and B need not even be given values of practical significance. Suppose that in one embodiment A is set to 0.15, B to 0.85 and the initial malice value of every malicious website host name to 1.
As known from the description of the second identification module above, in the embodiment corresponding to Fig. 3, malicious website host name aaa has two associated malicious website host names, bbb and ccc, with links(bbb) = 5 and links(ccc) = 2. In the first round of calculating the malice value of each malicious website host name, the malice values of the associated malicious website host names all take the initial value, i.e. PR(bbb) = 1 and PR(ccc) = 1, and therefore
PR(aaa) = 0.15 + 0.85 * (1/5 + 1/2) = 0.745
Thus in the first round of calculating each target malicious website host name, the malice value of malicious website host name aaa is 0.745. In the same way, the first-round malice values of the other malicious website host names, such as bbb and ccc, can be evaluated. In general, any website host name with malicious links under it may be called a malicious website host name, and its malice value can then be assessed. Provided the amount of malicious-link data and the embedding relations between the malicious links do not change, the malice value of each target malicious website host name tends towards a constant after many rounds of iterative calculation, that is, a value comparatively close to the actual malice value. Whenever the first behavior detector 112 detects new malicious links, the first behavior evaluator may promptly or periodically recalculate, i.e. update, the malice values of the related malicious website host names. The higher the malice value, the more likely the malicious website host name is a trojan-planting website that may have infected many other websites or links.
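The link-level formula for PR(A) and the host-name-level formula for PR(a) are the same weighted-sum iteration run over two graphs built from the embedding relations. The following Python is an added example, not code from the patent or from its assignee: it builds the link graph from (embedder, embedded) observations with the same-site exclusion described earlier, lifts it to host names, and iterates the formula with a = 0.15, b = 0.85 and initial value 1. The sample observations reproduce Fig. 3 (hosts aaa, bbb and ccc with links(bbb) = 5 and links(ccc) = 2); the additional embedders on the .example hosts, the same-site pair www.aaa.com/b -> www.aaa.com/d, and the host_name() heuristic are constructed assumptions that do not come from the patent.

```python
"""Added example (not the patent's own code): the malice-value ("rank value")
iteration PR(t) = a + b * sum(PR(x)/links(x)) over the embedding graph, run at
the link level and at the website-host-name level."""
from collections import defaultdict
from urllib.parse import urlsplit


def host_name(url: str) -> str:
    """Host-name label as the patent uses it: "www.bbb.com/h" -> "bbb",
    "www.aaa.com.cn/XXX" -> "aaa". Assumption: drop a leading "www." and keep
    the first remaining label. A production system should use a public-suffix
    list instead, because this heuristic mislabels e.g. "aaa.evil.example"."""
    netloc = urlsplit(url if "://" in url else "//" + url).netloc.lower()
    if netloc.startswith("www."):
        netloc = netloc[4:]
    return netloc.split(".")[0]


def build_link_graph(observations, known_links=(), exclude_same_site=True):
    """observations: (embedder, embedded) pairs of confirmed-malicious links as
    the first behavior detector reports them. Returns (nodes, embedded_of,
    links): embedded_of[t] is the set of embedded malicious links of t, and
    links[x] is the malicious out-link count of x, i.e. how many malicious
    links embed x. Same-site pairs are ignored unless exclude_same_site=False."""
    nodes = set(known_links)
    embedded_of = defaultdict(set)
    links = defaultdict(int)
    for embedder, embedded in observations:
        nodes.update((embedder, embedded))
        if exclude_same_site and host_name(embedder) == host_name(embedded):
            continue
        if embedded not in embedded_of[embedder]:
            embedded_of[embedder].add(embedded)
            links[embedded] += 1
    return nodes, embedded_of, links


def build_host_graph(nodes, embedded_of, links):
    """Lift the link graph to host names: host X is associated with host Y when
    a link under X embeds a link under Y, and links(Y) is the sum of the
    malicious out-link counts of all malicious links under Y."""
    hosts = {host_name(n) for n in nodes}
    assoc = defaultdict(set)
    host_links = defaultdict(int)
    for link in nodes:
        host_links[host_name(link)] += links.get(link, 0)
    for embedder, embedded in embedded_of.items():
        for x in embedded:
            assoc[host_name(embedder)].add(host_name(x))
    return hosts, assoc, host_links


def malice_values(nodes, neighbors, links, a=0.15, b=0.85, init=1.0,
                  rounds=1, tol=None):
    """Run PR(t) = a + b * sum(PR(x)/links(x)) over the neighbours x of every
    node t for `rounds` rounds, stopping early once the largest change is
    below `tol`. All nodes start at `init`; each round reads the previous
    round's values, as the patent describes."""
    pr = {n: init for n in nodes}
    for _ in range(rounds):
        new = {n: a + b * sum(pr[x] / links[x] for x in neighbors.get(n, ())
                              if links[x])
               for n in nodes}
        delta = max(abs(new[n] - pr[n]) for n in nodes)
        pr = new
        if tol is not None and delta < tol:
            break
    return pr


# Constructed sample: Fig. 3 of the patent plus filler so the counts match the
# text. Each pair is (embedder, embedded malicious link).
OBSERVATIONS = [
    ("www.aaa.com/a", "www.bbb.com/h"),       # Fig. 3
    ("www.aaa.com/c", "www.ccc.com/g"),       # Fig. 3
    ("www.aaa.com/b", "www.aaa.com/d"),       # constructed same-site embed (ignored by default)
    ("www.hhh.example/x", "www.bbb.com/h"),   # constructed "link H": links(h) = 2
    ("www.p1.example/", "www.bbb.com/i"),
    ("www.p2.example/", "www.bbb.com/i"),
    ("www.p3.example/", "www.bbb.com/i"),     # constructed: links(i) = 3
    ("www.q1.example/", "www.ccc.com/g"),     # constructed: links(ccc) = 2
]
KNOWN_LINKS = ["www.bbb.com/k"]               # malicious but embedded nowhere: links(k) = 0


def first_round(exclude_same_site=True):
    """First-round (link-level, host-level) malice values for the sample."""
    nodes, emb, links = build_link_graph(OBSERVATIONS, KNOWN_LINKS, exclude_same_site)
    hosts, assoc, hlinks = build_host_graph(nodes, emb, links)
    return malice_values(nodes, emb, links), malice_values(hosts, assoc, hlinks)


if __name__ == "__main__":
    link_pr, host_pr = first_round()
    print("PR(www.aaa.com/a) =", round(link_pr["www.aaa.com/a"], 4))
    print("PR(aaa) =", round(host_pr["aaa"], 4))
```

One first round gives PR(aaa) = 0.745 as in the text, and at the link level PR(www.aaa.com/a) = 0.575, since its only embedded malicious link www.bbb.com/h has links(h) = 2. Passing exclude_same_site=False shows the alternative scheme: www.aaa.com/b then picks up the same-site link and its first-round value rises from a = 0.15 to 1.0. Note that the sum is not normalised by node count, so the values are not probabilities; the first filter's thresholds should therefore be chosen against the converged distribution (run with a larger rounds value and a tol) rather than on an absolute scale.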
It should be noted that the first behavior evaluator 114 may assess malice values only for malicious links, only for malicious website host names, or for both malicious links and malicious website host names; all of these schemes fall within the protection scope of the present invention. After the first behavior evaluator 114 has evaluated the malice value of each malicious link and/or each malicious website host name, the first filter 118 screens out the relevant sets according to the results evaluated by the first behavior evaluator 114.
In one embodiment, if the first behavior evaluator 114 has evaluated both the malice value of each malicious link and the malice value of each malicious website host name, the first filter 118 screens out the dangerous malicious website host name set, consisting of the malicious website host names whose malice value exceeds a first preset threshold, and the dangerous malicious link set, consisting of the malicious links under the remaining malicious website host names whose malice value exceeds a second preset threshold. For example, suppose the first behavior evaluator has evaluated the malice values of 1000 malicious website host names, 700 of which exceed the first preset threshold; the first filter 118 then takes these 700 website host names as the dangerous malicious website host name set, selects from all malicious links under the remaining 300 malicious website host names those whose malice value exceeds the second preset threshold, and these malicious links form the dangerous malicious link set.
In yet another embodiment, if the first behavior evaluator 114 has evaluated only the malice value of each malicious link and not the malice value of each malicious website host name, the first filter 118 may screen out the malicious links whose malice value exceeds a fourth preset threshold, and these malicious links form the dangerous malicious link set.
Likewise, in yet another embodiment, if the first behavior evaluator 114 has evaluated only the malice value of each malicious website host name and not the malice value of each malicious link, the first filter 118 may screen out the malicious website host names whose malice value exceeds a third preset threshold, and these malicious website host names form the dangerous malicious website host name set.
It should be noted that the concrete numerical values of the first, second, third and fourth preset thresholds may be set with regard to experience, actual demand and other factors; the four values may be identical or different, and the embodiments of the present invention do not limit them. It can be seen that the various sets screened out by the first filter 118 essentially derive from the analysis and processing of the suspicious links reported by the client-side second behavior detector 212.
After the first filter 118 has screened out the corresponding sets, it notifies the second getter 214 of client device 200 of the dangerous malicious website host name set and/or the dangerous malicious link set. The second getter 214 in turn passes the obtained dangerous malicious website host name set and/or dangerous malicious link set to the second link detector 216, which detects new suspicious links according to the dangerous malicious website host name set and/or the dangerous malicious link set. Specifically, the second link detector 216 determines, by monitoring the network port, what the other embedded links (embedded links for short) of a subsequently accessed new link actually are, and compares these embedded links against the dangerous malicious website host name set and/or the dangerous malicious link set; if a hit is detected, the new link is determined to be a new suspicious link.
For example, the second link detector 216 on the client side detects that a new link A has embedded links B, C and D, so it compares embedded links B, C and D with the link information in the dangerous malicious link set issued by the server side; if it finds that one of them is recorded in the dangerous malicious link set, the second link detector 216 determines link A to be a new suspicious link. As another example, the second link detector 216 detects a new link E whose embedded link is www.aaa.com.cn/XXX; it compares the host name "aaa" of www.aaa.com.cn/XXX against the dangerous malicious website host name set issued by the server side, and if that set contains the website host name "aaa", the embedded link of new link E hits the dangerous website host name set and new link E is determined to be a new suspicious link. In other words, the website host name of one of the other embedded links of the new suspicious link is at least one website host name in the dangerous malicious website host name set, or one of the other embedded links of the new suspicious link is at least one link in the dangerous malicious link set.
It can be seen that even if client device 200 cannot detect by other means that links A and E exhibit the various suspicious behaviors described above, these two links can still be determined to be suspicious links by means of the dangerous malicious link set and/or dangerous malicious website host name set provided by the server side. As mentioned above, the malicious links in the dangerous malicious link set and the malicious website host names in the dangerous malicious website host name set all have high malice values, i.e. they are likely to be real infection sources (such as real trojan-planting source links or trojan-planting source website host names) rather than merely infected parties. Since one infection source usually infects many websites, once the infection source has been identified from one website, more infected websites can be detected through that source. In this way the number of websites on which client device 200 detects suspicious links is expanded and the efficiency of detecting suspicious links is improved, so a large amount of malicious link or malicious website information can be collected very quickly, providing better assurance for network security.
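The client-side comparison described above, as an added example that is not the patent's or its assignee's code: a new link is reported as suspicious when one of its embedded links is in the dangerous malicious link set, or when the host name of an embedded link is in the dangerous malicious website host name set. The dangerous sets, the new links and their embedded links are constructed sample data; canonical() and host_name() are assumed helpers, and the host-name heuristic follows the patent's own labels (www.aaa.com.cn/XXX -> aaa) rather than a public-suffix list.

```python
"""Added example (not the patent's code): the check the second link detector
performs on a new link's embedded links against the two dangerous sets."""
from urllib.parse import urlsplit


def host_name(url: str) -> str:
    """"www.aaa.com.cn/XXX" -> "aaa", as the patent labels hosts. Assumption:
    drop a leading "www." and keep the first label; a real client should use a
    public-suffix list so that "aaa.evil.example" does not also match "aaa"."""
    netloc = urlsplit(url if "://" in url else "//" + url).netloc.lower()
    if netloc.startswith("www."):
        netloc = netloc[4:]
    return netloc.split(".")[0]


def canonical(url: str) -> str:
    """Canonical form for set membership: lower-case host, no scheme, no
    fragment, path defaulting to "/", query kept (it may select the payload)."""
    p = urlsplit(url if "://" in url else "//" + url)
    return p.netloc.lower() + (p.path or "/") + ("?" + p.query if p.query else "")


def detect_new_suspicious(new_url, embedded_links, dangerous_links, dangerous_hosts):
    """Return the list of (embedded link, reason) hits for new_url. A non-empty
    list means new_url is a new suspicious link to report to the server side.
    Link-level hits are checked first because they are the more specific match."""
    link_set = {canonical(u) for u in dangerous_links}
    hits = []
    for e in embedded_links:
        if canonical(e) in link_set:
            hits.append((e, "dangerous malicious link set"))
        elif host_name(e) in dangerous_hosts:
            hits.append((e, "dangerous malicious website host name set"))
    return hits


# Constructed sets standing in for what the first filter 118 would issue.
DANGEROUS_LINKS = {"www.bbb.com/h", "http://www.ccc.com/g?v=1"}
DANGEROUS_HOSTS = {"aaa"}

# Constructed observations: three new links and the embedded links seen on the
# network port while they were accessed.
OBSERVED = {
    "www.newsite.example/index.html": ["HTTP://WWW.BBB.COM/h#frag",
                                       "www.cdn.example/jquery.js"],
    "www.blog.example/post": ["www.aaa.com.cn/XXX"],
    "www.clean.example/": ["www.cdn.example/jquery.js"],
}


def report():
    """Map every observed new link to its hits; links with hits get reported."""
    return {u: detect_new_suspicious(u, emb, DANGEROUS_LINKS, DANGEROUS_HOSTS)
            for u, emb in OBSERVED.items()}


if __name__ == "__main__":
    for url, hits in report().items():
        print(url, "-> suspicious:" if hits else "-> clean", hits)
```

Canonicalising before the lookup matters: a page can reference the same malicious resource as HTTP://WWW.BBB.COM/h#frag, and a raw string comparison against the issued set would miss it. A host-level hit alone is weaker evidence than a link-level hit, since it only says the embedded resource lives on a host with a high malice value; the server-side behavior detection in the next step is what confirms the link.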
After the second link detector 216 has detected new suspicious links based on the dangerous malicious website host name set and/or dangerous malicious link set, they are sent to the first getter 116 of server-side device 100, and the first getter 116 passes the obtained new suspicious link information to the first behavior detector 112 for malicious behavior detection. If the first behavior detector 112 confirms a malicious link, it informs the first behavior evaluator 114; if the first behavior evaluator 114 finds that the original database used to calculate malicious links or malicious website host names does not yet contain this malicious link, so that adding it changes the embedding relations between the existing malicious links, the first behavior evaluator 114 recalculates the malice values of the related malicious links and/or malicious website host names. The malice values of the related malicious website host names or malicious links are thus continually revised as the amount of data increases, bringing them closer to the real situation, so that the malice value reflects more accurately whether a malicious link or malicious website host name is an infection source or an infected party. An infected party here is a website that is itself not problematic but has been infected by a malicious attack from an infection source, such as a normal website on which a trojan has been planted; the infection source is the website that actually plants the trojan.
The scheme provided by the preceding embodiments may be used to detect multiple kinds of malicious links or malicious websites, for example trojan-planting detection; in that case the first behavior detector is specifically a trojan-planting behavior detector, the malicious behavior detection is specifically detection of trojan-planting malicious behavior, the malicious links are specifically malicious trojan-planting links, and the other embedded malicious links of a malicious link are specifically the other embedded malicious trojan-planting links of a malicious trojan-planting link. Of course, other virus detection similar to trojan-planting detection is also possible: as long as a virus has the propagation characteristic that one infection source usually infects a batch of normal websites, the various technical schemes of the present invention can basically be adopted.
Fig. 4 illustrates a method for detecting malicious links according to an embodiment of the invention; malicious links comprise the link addresses of various malicious network resources on the Internet. The method may be implemented at the server side.
The method starts at step S410, in which at least malicious behavior detection is carried out on the suspicious links detected by the client device to determine whether they are malicious links, and malicious behavior detection is carried out on the other embedded links of those detected as malicious links to detect the other embedded malicious links of the malicious links; the method then proceeds to step S420.
In step S420, at least according to the embedding relations between the malicious links, a malice value is assessed for each malicious link and/or for the malicious website host name associated with each malicious link, and the malice values of the related malicious links or malicious website host names are updated according to the newly detected malicious links; the method then proceeds to step S430.
In step S430, the dangerous malicious website host name set (malicious website host names whose malice value exceeds a first preset threshold) and the dangerous malicious link set (malicious links under the remaining malicious website host names whose malice value exceeds a second preset threshold) are screened out; or only the dangerous malicious website host name set whose malice value exceeds a third preset threshold is screened out; or only the dangerous malicious link set whose malice value exceeds a fourth preset threshold is screened out. The client device is then notified of the dangerous malicious website host name set and/or the dangerous malicious link set. This step finds the malicious links or malicious link host names that are relatively likely to be infection sources, so that the client can go on to detect other infected links or websites according to these most probable virus infection sources. The method then proceeds to step S440.
In step S440, the new suspicious links detected by the client device based on the dangerous malicious website host name set and/or dangerous malicious link set are obtained and malicious behavior detection is carried out on them; the other embedded links of a new suspicious link hit the dangerous malicious website host name set or the dangerous malicious link set. Through this step the server side obtains more suspicious links and, after detection, more malicious link information.
Step S410 above may be performed by the first behavior detector 112 of the preceding embodiments, step S420 by the first behavior evaluator 114, step S430 by the first filter 118, and step S440 jointly by the first getter 116 and the first behavior detector 112. For the specific implementation of each step, refer to the description of the related components above; it is not repeated here.
The method for detecting malicious links above is described mainly from the server-side perspective; it is described below from the client perspective. Fig. 5 illustrates a detection method for detecting malicious links according to an embodiment of the invention.
The method starts at step S510, in which the malicious behavior of network resources is first detected and the detected suspicious links are passed to the server-side device for further detection; the method then proceeds to step S520, in which the dangerous malicious website host name set and/or dangerous malicious link set are obtained from the server-side device. In one embodiment, the dangerous malicious website host name set is the set of malicious website host names screened out by the server-side device whose malice value exceeds a first preset threshold, and the dangerous malicious link set is the set of malicious links, under the remaining malicious website host names outside the dangerous malicious website host name set screened out by the server side, whose malice value exceeds a second preset threshold. In another embodiment, the dangerous malicious website host name set is the set of malicious website host names screened out by the server-side device whose malice value exceeds a third preset threshold. In yet another embodiment, the dangerous malicious link set is the set of malicious links screened out by the server-side device whose malice value exceeds a fourth preset threshold. The first, second, third and fourth preset thresholds may be set according to actual needs or experience and may be the same or different; the embodiments of the present invention are not limited in this respect.
The method then proceeds to step S530, in which new suspicious links are detected according to the dangerous malicious website host name set and/or dangerous malicious link set, the other embedded links of a new suspicious link hitting the dangerous malicious website host name set or the dangerous malicious link set, and the new suspicious links are passed to the server-side device for detection and for updating the related malice values, such as the malice values of the related malicious links or of the related malicious website host names. Because the links or website host names in the dangerous malicious website host name set or dangerous malicious link set all have high malice values, they are likely to be real virus infection sources, such as real trojan-planting source links or websites, and such real infection sources generally infect not just one or two websites but many, i.e. they become embedded links of many originally normal websites. Therefore, through the embedding relations between these virus infection sources and other websites and links, more infected websites or malicious links can be detected, which improves the efficiency of detecting suspicious links and increases their number.
Step S510 above may be performed by the second behavior detector 212 of the preceding embodiments, step S520 by the second getter 214, and step S530 by the second link detector 216. For the specific implementation of each step, refer to the description of the related components above; it is not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and the description above of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It is understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the description above of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the system for detecting malicious links according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example a computer program or computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A system for detecting malicious links, comprising a server-side device and a client device;
the server-side device comprises a network security management device, and the client device comprises a detection device; the malicious links comprise link addresses of malicious network resources on the Internet, wherein
the detection device comprises:
a second behaviour detector, configured to detect suspicious behaviour of network resources and to transfer the suspicious links it detects to the server-side device for further detection;
a second acquirer, configured to obtain the dangerous malicious website host name set and the dangerous malicious link set that the server-side device determines based on the suspicious links provided by the second behaviour detector, wherein the dangerous malicious website host name set is the set of malicious website host names, filtered out by the server-side device, whose malice value is higher than a first preset threshold, and the dangerous malicious link set is the set of malicious links, filtered out by the server side from under the remaining malicious website host names outside the dangerous malicious website host name set, whose malice value is higher than a second preset threshold;
a second link detector, configured to detect new suspicious links according to the dangerous malicious website host name set and the dangerous malicious link set obtained by the second acquirer, and to transfer the new suspicious links to the server-side device for detection and for updating of the relevant malice values, wherein other embedded links of the new suspicious links hit the dangerous malicious website host name set or the dangerous malicious link set;
the network security management device comprises:
a first behaviour detector, configured to perform malicious behaviour detection at least on the suspicious links detected by the client device so as to detect whether they are malicious links, and to perform malicious behaviour detection on the other embedded links of the links detected as malicious, so as to detect the other embedded malicious links of those malicious links;
a first behaviour evaluator, configured to assess a malice value for each malicious link, and a malice value for the malicious website host name related to each malicious link, at least according to the embedding relations between the malicious links detected by the first behaviour detector, and to update the malice values of the related malicious links or malicious website host names according to the new malicious links detected by the first behaviour detector;
a first filter, configured to filter out, according to the results assessed by the first behaviour evaluator, a dangerous malicious website host name set whose malice values are higher than a first preset threshold and, from under the remaining malicious website host names, a dangerous malicious link set whose malice values are higher than a second preset threshold, and to notify the client device of the dangerous malicious website host name set and the dangerous malicious link set;
a first acquirer, configured to obtain the new suspicious links detected by the client device based on the dangerous malicious website host name set and the dangerous malicious link set, and to transfer the new suspicious links to the first behaviour detector for detection, wherein other embedded links of the new suspicious links hit the dangerous malicious website host name set or the dangerous malicious link set.
2. The system according to claim 1, wherein each malicious link is a malicious link whose malice value is to be assessed; the malicious link whose malice value is to be assessed is a target malicious link; the other embedded malicious links of the target malicious link are the embedded malicious links of the target malicious link; the malicious out-link count of each embedded malicious link is specifically the total number of malicious links that have this embedded malicious link as an embedded link; and the first behaviour evaluator comprises:
a first identification module, configured to identify, according to the embedding relations between the malicious links, all embedded malicious links of the target malicious link and the malicious out-link count of each embedded malicious link;
a first evaluation module, configured to assess the malice value of the target malicious link according to the latest malice value of each embedded malicious link of the target malicious link identified by the first identification module, and the malicious out-link count of each embedded malicious link.
3. The system according to claim 1 or 2, wherein each malicious link is a malicious link whose malice value is to be assessed; the malicious website host name whose malice value is to be assessed is a target malicious website host name; the malicious website host names to which the other malicious links embedded by each malicious link under the target malicious website host name belong are associated malicious website host names having an association relation with the target malicious website host name; the malicious out-link count of each associated malicious website host name is specifically the sum of the malicious out-link counts of all malicious links under that associated malicious website host name; and the first behaviour evaluator comprises:
a second identification module, configured to identify, according to the embedding relations between the malicious links, the associated malicious website host names of the target malicious website host name and the malicious out-link count of each associated malicious website host name;
a second evaluation module, configured to assess the malice value of the target malicious website host name according to the latest malice value of each associated malicious website host name of the target malicious website host name, and the malicious out-link count of each associated malicious website host name.
4. The system according to claim 3, wherein
the first evaluation module is further configured to obtain the malice value of each target malicious link by multi-round iteration, setting an initial malice value for each target malicious link in the first round;
the second evaluation module is further configured to obtain the malice value of each target malicious website host name by multi-round iteration, setting an initial malice value for each target malicious website host name in the first round.
5. The system according to claim 4, wherein the other embedded links of the malicious link or the suspicious link comprise: other links that are executed automatically when the malicious link or the suspicious link is accessed.
6. The system according to claim 5, wherein the other embedded links of the new suspicious link hitting the dangerous malicious website host name set or the dangerous malicious link set comprises:
the website host name of an other embedded link of the new suspicious link being at least one website host name in the dangerous malicious website host name set;
or,
an other embedded link of the new suspicious link being at least one link in the dangerous malicious link set.
7. The system according to claim 6, wherein the first behaviour detector is specifically a Trojan-linking (web-page Trojan) behaviour detector, the malicious behaviour detection is specifically Trojan-linking malicious behaviour detection, the malicious link is specifically a malicious Trojan-linking link, and the other embedded malicious links of the malicious link are specifically other malicious Trojan-linking links embedded by the malicious Trojan-linking link.
8. A method for detecting malicious links, the malicious links comprising link addresses of various malicious network resources on the Internet, the method comprising:
performing malicious behaviour detection at least on the suspicious links detected by a client device so as to detect whether they are malicious links, and performing malicious behaviour detection on the other embedded links of the links detected as malicious, so as to detect the other embedded malicious links of those malicious links;
assessing a malice value for each malicious link, and a malice value for the malicious website host name related to each malicious link, at least according to the embedding relations between the malicious links, and updating the malice values of the related malicious links or malicious website host names according to the new malicious links detected;
filtering out a dangerous malicious website host name set whose malice values are higher than a first preset threshold and, from under the remaining malicious website host names, a dangerous malicious link set whose malice values are higher than a second preset threshold, and notifying the client device of the dangerous malicious website host name set and the dangerous malicious link set;
obtaining the new suspicious links detected by the client device based on the dangerous malicious website host name set and the dangerous malicious link set, and performing malicious behaviour detection on the new suspicious links, wherein other embedded links of the new suspicious links hit the dangerous malicious website host name set or the dangerous malicious link set;
wherein the other embedded links of the malicious link or the suspicious link comprise: other links that are executed automatically when the malicious link or the suspicious link is accessed.
9. The method according to claim 8, wherein each malicious link is a malicious link whose malice value is to be assessed; the malicious link whose malice value is to be assessed is a target malicious link; the other embedded malicious links of the target malicious link are the embedded malicious links of the target malicious link; the malicious out-link count of each embedded malicious link is specifically the total number of malicious links that have this embedded malicious link as an embedded link; and assessing a malice value for each malicious link according to the embedding relations between the malicious links comprises:
identifying, according to the embedding relations between the malicious links, all embedded malicious links of the target malicious link and the malicious out-link count of each embedded malicious link;
assessing the malice value of the target malicious link according to the latest malice value of each embedded malicious link of the target malicious link, and the malicious out-link count of each embedded malicious link.
10. The method according to claim 8 or 9, wherein each malicious link is a malicious link whose malice value is to be assessed; the malicious website host name whose malice value is to be assessed is a target malicious website host name; the malicious website host names to which the other malicious links embedded by each malicious link under the target malicious website host name belong are associated malicious website host names having an association relation with the target malicious website host name; the malicious out-link count of each associated malicious website host name is specifically the sum of the malicious out-link counts of all malicious links under that associated malicious website host name; and assessing a malice value for the malicious website host name related to each malicious link according to the embedding relations between the malicious links comprises:
identifying, according to the embedding relations between the malicious links, the associated malicious website host names of the target malicious website host name and the malicious out-link count of each associated malicious website host name;
assessing the malice value of the target malicious website host name according to the latest malice value of each associated malicious website host name of the target malicious website host name, and the malicious out-link count of each associated malicious website host name.
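As an added worked example (not code from the patent, its assignee, or any product), the following Python models the server-side scoring of claims 1 to 4 (mirrored by method claims 8 to 10) and the client-side hit check of claim 6. The link graph, the host names, the initial values, the thresholds and the update rule are constructed assumptions; the claims fix only which inputs each malice value depends on (the latest malice values and malicious out-link counts of the embedded links, or of the associated host names), not the formula.

```python
"""Added example, not code from the patent.  Toy model of the malice-value
pipeline: link scoring (claim 2), host scoring (claim 3), multi-round
iteration (claim 4), threshold filtering (claim 1) and the client hit check
(claim 6).  Graph, values, thresholds and update rule are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: detected malicious link -> other links that are loaded
# automatically when it is visited (claim 5).
EMBEDS = {
    "http://evil-a.example/landing": ["http://kit.example/exploit.js", "http://evil-a.example/ad"],
    "http://evil-a.example/ad": ["http://kit.example/exploit.js"],
    "http://evil-b.example/page": ["http://kit.example/exploit.js", "http://evil-b.example/frame"],
    "http://evil-b.example/frame": [],
    "http://kit.example/exploit.js": [],
}


def host_of(url):
    return urlsplit(url).hostname


def outlink_counts(embeds):
    """Claim 2: the malicious out-link count of an embedded link is the number
    of malicious links that embed it (its in-degree in the embedding graph)."""
    counts = defaultdict(int)
    for embedded in embeds.values():
        for link in embedded:
            counts[link] += 1
    return counts


def iterate(init, neighbours, weight, damping=0.5, rounds=20, eps=1e-9):
    """Claim 4: multi-round iteration from per-node initial values.  Assumed
    update rule: value = init + damping * sum(latest neighbour value * weight),
    clamped at 1.0.  Terms are non-negative and bounded, so values rise
    monotonically and converge; the round cap is only a safety net."""
    values = dict(init)
    for _ in range(rounds):
        new = {}
        for node in values:
            spread = sum(values[n] * weight[n]
                         for n in neighbours.get(node, ()) if n in values)
            new[node] = min(1.0, init[node] + damping * spread)
        converged = all(abs(new[k] - values[k]) < eps for k in values)
        values = new
        if converged:
            break
    return values


def score_links(embeds, init_value=0.5):
    """Claim 2: a target link's value follows from the latest value and the
    out-link count of each link it embeds.  Weight = count / total (assumed).
    A link that embeds nothing keeps its initial value."""
    counts = outlink_counts(embeds)
    total = sum(counts.values()) or 1
    weight = {link: counts[link] / total for link in embeds}
    init = {link: init_value for link in embeds}
    return iterate(init, embeds, weight)


def score_hosts(embeds, link_values):
    """Claim 3: a host's associated hosts are the hosts of the links embedded
    by the links under it (self excluded, an assumption); an associated host's
    out-link count is the sum of its links' counts.  Initial host value =
    highest link value under that host (assumption)."""
    counts = outlink_counts(embeds)
    links_by_host = defaultdict(list)
    for link in embeds:
        links_by_host[host_of(link)].append(link)
    assoc, host_count, init = {}, {}, {}
    for h, links in links_by_host.items():
        assoc[h] = sorted({host_of(e) for l in links for e in embeds[l]} - {h})
        host_count[h] = sum(counts[l] for l in links)
        init[h] = max(link_values[l] for l in links)
    total = sum(host_count.values()) or 1
    weight = {h: c / total for h, c in host_count.items()}
    return iterate(init, assoc, weight)


def filter_dangerous(link_values, host_values, host_threshold=0.8, link_threshold=0.45):
    """Claims 1 and 8: dangerous hosts exceed the first threshold; dangerous
    links are links under the remaining hosts that exceed the second one."""
    hosts = {h for h, v in host_values.items() if v > host_threshold}
    links = {l for l, v in link_values.items()
             if host_of(l) not in hosts and v > link_threshold}
    return hosts, links


def client_check(embedded_links, dangerous_hosts, dangerous_links):
    """Claim 6: a new link is suspicious when a link it embeds is in the
    dangerous link set or lies under a dangerous host.  Returns the hit kind
    and the embedded link (what the client reports to the server), or None."""
    for link in embedded_links:
        if link in dangerous_links:
            return ("link", link)
        if host_of(link) in dangerous_hosts:
            return ("host", link)
    return None


if __name__ == "__main__":
    link_values = score_links(EMBEDS)
    host_values = score_hosts(EMBEDS, link_values)
    hosts, links = filter_dangerous(link_values, host_values)
    print("dangerous hosts:", sorted(hosts), "dangerous links:", sorted(links))
    # Constructed page seen by the client: it embeds the shared exploit script.
    print(client_check(["http://cdn.example/jquery.js", "http://kit.example/exploit.js"], hosts, links))
```

One consequence of claim 2 is visible in the run: the shared component that embeds nothing (the exploit script) keeps its initial value however many pages embed it, while its out-link count raises the values of the pages that embed it and, through claim 3, of their hosts. That is why the two landing hosts cross the host threshold and the script host does not, so the script is caught only by the second-tier link threshold under the remaining hosts.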
CN201210560165.5A 2012-12-20 2012-12-20 Method and system for testing malicious links Active CN103036896B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210560165.5A CN103036896B (en) 2012-12-20 2012-12-20 Method and system for testing malicious links
PCT/CN2013/090104 WO2014094653A1 (en) 2012-12-20 2013-12-20 Device, method and system for detecting malicious links

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210560165.5A CN103036896B (en) 2012-12-20 2012-12-20 Method and system for testing malicious links

Publications (2)

Publication Number Publication Date
CN103036896A CN103036896A (en) 2013-04-10
CN103036896B true CN103036896B (en) 2015-07-01

Family

ID=48023379

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210560165.5A Active CN103036896B (en) 2012-12-20 2012-12-20 Method and system for testing malicious links

Country Status (1)

Country Link
CN (1) CN103036896B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014094653A1 (en) * 2012-12-20 2014-06-26 北京奇虎科技有限公司 Device, method and system for detecting malicious links
CN103685307B (en) * 2013-12-25 2017-08-11 北京奇虎科技有限公司 The method and system of feature based storehouse detection fishing fraud webpage, client, server
CN106789958A (en) * 2016-12-01 2017-05-31 张振中 A kind of method and system for detecting link
CN106992975B (en) * 2017-03-21 2021-01-12 腾讯科技(深圳)有限公司 Malicious website identification method and device
CN108306864B (en) * 2018-01-12 2021-02-26 深圳壹账通智能科技有限公司 Network data detection method and device, computer equipment and storage medium
CN109145585B (en) * 2018-08-23 2020-09-22 北京神州绿盟信息安全科技股份有限公司 Method and device for detecting weak password of website
CN114726559A (en) * 2020-12-22 2022-07-08 深信服科技股份有限公司 URL detection method, system, equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101971591A (en) * 2006-12-01 2011-02-09 网圣公司 System and method of analyzing web addresses
CN102171657A (en) * 2008-06-30 2011-08-31 赛门铁克公司 Simplified communication of a reputation score for an entity
CN102622435A (en) * 2012-02-29 2012-08-01 百度在线网络技术(北京)有限公司 Method and device for detecting black chain
CN102663000A (en) * 2012-03-15 2012-09-12 北京百度网讯科技有限公司 Establishment method for malicious website database, method and device for identifying malicious website

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MY154409A (en) * 2008-07-21 2015-06-15 Secure Corp M Sdn Bhd F Website content regulation

Also Published As

Publication number Publication date
CN103036896A (en) 2013-04-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220330

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.