CN103327029A - Malicious URL (Uniform Resource Locator) detection method and malicious URL detection device - Google Patents
- Publication number
- CN103327029A CN2013102866199A CN201310286619A
- Authority
- CN
- China
- Prior art keywords
- score value
- network address
- detected
- given negative
- domain name
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The embodiment of the invention discloses a malicious URL (Uniform Resource Locator) detection method and a malicious URL detection device, which are used in the technical field of information processing. The malicious URL detection device divides the to-be-detected URL into multiple components, assigns a corresponding detection score to each component, and determines the total score of the to-be-detected URL according to the detection score of each component. If the total score is in a preset first score range for malicious URLs, the malicious URL detection device determines that the to-be-detected URL is a malicious URL. In this way, the malicious URL detection device can detect whether the to-be-detected URL is malicious by operating directly on the URL itself, rather than on the content corresponding to the URL. This saves the time needed to obtain the content corresponding to the to-be-detected URL, improves detection efficiency, and avoids detection failures caused by failing to obtain that content.
Description
Technical field
The present invention relates to the technical field of information processing, and in particular to a method and a device for detecting malicious URLs.
Background
When a client accesses a web server, the network address of the server, such as a uniform resource locator (URL), is generally entered in the client, and the client connects to the server through that address. If a malicious URL is entered in the client, user information may be threatened, so malicious URLs need to be detected.
In the prior art, to detect a malicious URL the detection device must first connect to the server through the URL and obtain the content the server provides at that URL, i.e. the page content. It then determines, by matching the page content or a page screenshot, whether the content corresponding to the URL is malicious; if so, the URL is a malicious URL. The prior art therefore always has to obtain the content corresponding to the URL first, which makes malicious URL detection inefficient. Moreover, in practice the server behind a malicious URL may block the addresses of detection devices that belong to security software systems, so that the detection device cannot obtain the content corresponding to the URL and detection fails.
Summary of the invention
The embodiments of the invention provide a method and a device for detecting malicious URLs that improve the efficiency of malicious URL detection.
An embodiment of the invention provides a method for detecting malicious URLs, comprising:
dividing the URL to be detected into a plurality of parts;
assigning a corresponding detection score to each of the plurality of parts;
determining the overall score of the URL to be detected according to the detection score of each part;
if the overall score is in a preset first score range for malicious URLs, determining that the URL to be detected is a malicious URL.
An embodiment of the invention provides a device for detecting malicious URLs, comprising:
a division unit, used to divide the URL to be detected into a plurality of parts;
a score assignment unit, used to assign a corresponding detection score to each of the parts produced by the division unit;
an overall score determination unit, used to determine the overall score of the URL to be detected according to the detection scores assigned to each part by the score assignment unit;
a malicious URL determination unit, used to determine that the URL to be detected is a malicious URL if the overall score determined by the overall score determination unit is in a preset first score range for malicious URLs.
As can be seen, the malicious URL detection device can divide the URL to be detected into a plurality of parts, assign a corresponding detection score to each part, and determine the overall score of the URL according to the detection score of each part; if the overall score is in the preset first score range for malicious URLs, it determines that the URL to be detected is a malicious URL. Whether a URL is malicious can thus be detected by operating directly on the URL itself, without operating on the content corresponding to the URL. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a malicious URL detection method provided by an embodiment of the invention;
Fig. 2 is a structural diagram of a malicious URL detection device provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a terminal to which a malicious URL detection method provided by an embodiment of the invention is applied.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
An embodiment of the invention provides a method for detecting malicious URLs, performed mainly by a malicious URL detection device. The flow chart is shown in Fig. 1 and comprises:
A domain name is the name of a computer or group of computers on a network, made up of a string of names separated by dots. It is used to identify the electronic location of the computer during data transmission, and sometimes also refers to a geographical location. A domain name can have multiple levels, each separated by "."; in short, the number of dots gives the level of the domain name, and the rightmost word is the top-level domain.
A port is an outlet through which a computer communicates with the outside world; a path generally refers to the location of a file on a web server; the file name denotes the specific file to be accessed on the server; data parameters are mainly the information that begins with a question mark (?) and is separated by ampersands (&); an anchor is a character string or a sequence of anchor links that refers to a fragment within the content corresponding to the URL to be detected.
For example, for the URL:
http://video.google.co.uk:80/videoplay/index.html?docid=10086&hl=en#00h02m30s, the domain name is google.co.uk, the port is 80, the path is /videoplay, the file name is index.html, the data parameter name is docid, the data parameter value is 10086, and the anchor is #00h02m30s.
Further, in a specific embodiment, when the overall score is judged not to be in the preset first score range for malicious URLs, the malicious URL detection device may go on to judge whether the overall score is in a preset second score range for suspicious URLs. If it is, the device can determine that the URL to be detected is a suspicious URL, i.e. one that may be malicious, so that the suspicious URL can be handled accordingly. For example, if the overall score is higher than a preset first threshold and lower than a preset second threshold, the URL is a suspicious URL.
As can be seen, in this embodiment the malicious URL detection device can divide the URL to be detected into a plurality of parts, assign a corresponding detection score to each part, and determine the overall score of the URL according to the detection score of each part; if the overall score is in the preset first score range for malicious URLs, it determines that the URL to be detected is a malicious URL. Whether a URL is malicious can thus be detected by operating directly on the URL itself, without operating on the content corresponding to the URL. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.
In a specific embodiment, when performing step 102 above, the malicious URL detection device needs to assign detection scores to the different parts according to different strategies, as follows:
(1) The part is the domain name
If the number of levels of the domain name exceeds a preset number of levels (such as 4), the domain name is given a negative score, and the more levels there are, the lower the score. The levels are separated by "."; in short, the number of dots gives the level of the domain name.
If the spelling of the domain name does not conform to spelling logic, the domain name is given a negative score. In general, spellings such as ABC, ab12 and 12ab conform to spelling logic: either only letters are used, or letters and digits are not interleaved. A spelling in which letters and digits are interleaved, such as a1b2, does not conform to spelling logic. Alternatively, the malicious URL detection device can determine whether the domain name conforms to spelling logic by comparing it with preset features that do not conform to spelling logic.
If the similarity between the domain name and a preset domain name is higher than a preset similarity, the domain name is given a negative score. Specifically, a number of easily counterfeited domain names can be preset, and similarity is the percentage of characters that match when the domain name is matched against a preset domain name.
If the domain name is a free domain name from outside China, the domain name may also be given a negative score.
(2) The part is the path
If the path contains special characters, the path is given a negative score. Special characters are characters other than letters, digits and a limited set of punctuation marks (%, ?, /, =, #, ., -, _).
The path is split on symbols; if the spelling of two or more of the resulting segments does not conform to spelling logic, the path is given a negative score.
The path is split on symbols; if a cumulative total of two or more of the resulting segments are shorter than a preset length (such as 2), the path is given a negative score. Here a symbol is any character other than a digit or a letter, such as / and ?.
(3) The part is the file name. If the file name contains special characters, the file name is given a negative score. If the spelling of the file name does not conform to spelling logic, the file name is given a negative score.
(4) The part is the port. If the port does not match a preset port, the port is given a negative score. The preset well-known ports are generally 80, 8080, 8081 and so on.
(5) The part is the data parameters. If a data parameter is not in k-v form, i.e. the form of a data parameter name and a data parameter value, the data parameter is given a negative score. If the data parameter value contains a slash "/", the data parameter is given a negative score.
(6) The part is the anchor. If the anchor contains "/", the anchor is given a negative score.
It should be noted that, while assigning detection scores to the parts as described above, it may be necessary to judge whether the spelling of some part conforms to spelling logic. In a specific implementation, the features of the part can be compared with features that conform to spelling logic: if they match, the part conforms to spelling logic; otherwise it does not. Alternatively, any part in which letters and digits are interleaved can be treated directly as not conforming to spelling logic.
In addition, when the malicious URL detection device gives a score for a feature of a part, the size of the score can depend on the importance of that feature: for an important feature such as spelling logic, the negative score given when the part does not conform is lower. Further, after giving separate scores for the several features of a part, the malicious URL detection device can select the lowest of them as the detection score of that part.
For example, for the non-malicious URL http://zh.wikipedia.org:80/wiki/TCP/UDP port list/index.html?uid=1212#head, the domain name is zh.wikipedia.org, and the number of domain levels is less than 4; the port is 80, a well-known server port; the path is wiki/TCP/UDP port list, and each segment is a commonly used name with a certain meaning; the file name is index.html, the default home page; the data parameter is uid=1212, which conforms to the form of a data parameter name and a data parameter value; and head in the anchor means that, after the page corresponding to this URL is opened, it scrolls automatically to the position of the anchor named head.
For the malicious URL:
http://qz0ne.qq.com.8866.org:6799/s3u/a/q.asp?2121&1312#^^^^^, the domain name is qz0ne.qq.com.8866.org; the number of domain levels is greater than 4, the free top-level domain 8866.org is used, and the similarity to the preset domain name qzone.qq.com is high, so the detection score of the domain name in this URL is low. The port is 6799, which is not a commonly used server port. The path is s3u/a, where s3u carries no meaning and does not conform to user naming. The file name is a.asp. The data parameters are 2121&1312, which do not conform to the form of a data parameter name and a data parameter value. The anchor contains special characters.
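The scoring procedure described above, as an added Python example that is not part of the patent text: it applies rules (1) to (6), takes the lowest feature score per part, sums the parts and classifies the patent's malicious example URL. The penalty values, both thresholds, the similarity limit, the spoofed-domain and free-suffix lists, counting domain levels as labels, and treating special characters in the anchor as a hit are assumptions, since the patent gives no numbers.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Values stated in the patent text.
MAX_LEVELS = 4                    # preset number of domain levels
MIN_SEGMENT_LEN = 2               # preset path-segment length
KNOWN_PORTS = {80, 8080, 8081}    # preset well-known ports
# Assumed values; the two domains are those named in the patent's example.
SPOOFED_DOMAINS = ["qzone.qq.com"]
FREE_SUFFIXES = (".8866.org",)
SIMILARITY_LIMIT = 0.8
PENALTY = {"level": -2, "spelling": -5, "similar": -5, "free": -3,
           "special": -3, "short": -2, "port": -2, "query": -3, "anchor": -2}
FIRST_THRESHOLD, SECOND_THRESHOLD = -10, -3
SPECIAL = re.compile(r"[^A-Za-z0-9%?/=#.\-_]")  # outside the permitted set


def bad_spelling(token):
    """True if letters and digits interleave (a1b2); ABC, ab12, 12ab pass."""
    kinds = [c.isdigit() for c in token if c.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:])) > 1


def looks_like(host, target):
    """True if a run of host labels resembles target but host is not under it."""
    if host == target or host.endswith("." + target):
        return False
    labels, n = host.split("."), target.count(".") + 1
    windows = (".".join(labels[i:i + n]) for i in range(len(labels) - n + 1))
    return any(SequenceMatcher(None, w, target).ratio() > SIMILARITY_LIMIT
               for w in windows)


def worst(*features):
    """A part takes the lowest score among the features that fired (else 0)."""
    return min([PENALTY[name] * hit for name, hit in features if hit] + [0])


def score_parts(url):
    """Split the URL into its parts and return {part: detection score}."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    labels = host.split(".")
    directory, _, filename = u.path.rpartition("/")
    if "." not in filename:               # last segment is not a file name
        directory, filename = u.path, ""
    segments = [s for s in re.split(r"[^A-Za-z0-9]+", directory) if s]
    try:
        port_ok = u.port is None or u.port in KNOWN_PORTS
    except ValueError:                    # non-numeric or out-of-range port
        port_ok = False
    params = u.query.split("&") if u.query else []
    return {
        # Assumption: levels are counted as labels (five in the example).
        "domain": worst(
            ("level", max(0, len(labels) - MAX_LEVELS)),
            ("spelling", any(map(bad_spelling, labels))),
            ("similar", any(looks_like(host, d) for d in SPOOFED_DOMAINS)),
            ("free", host.endswith(FREE_SUFFIXES))),
        "port": worst(("port", not port_ok)),
        "path": worst(
            ("special", bool(SPECIAL.search(directory))),
            ("spelling", sum(map(bad_spelling, segments)) >= 2),
            ("short", sum(len(s) < MIN_SEGMENT_LEN for s in segments) >= 2)),
        "filename": worst(("special", bool(SPECIAL.search(filename))),
                          ("spelling", bad_spelling(filename.rpartition(".")[0]))),
        # name=value is required and the value must not contain a slash.
        "query": worst(("query", any(not re.fullmatch(r"[^=]+=[^/]*", p)
                                     for p in params))),
        # Assumption: special characters also count; rule (6) names only "/".
        "anchor": worst(("anchor", bool(SPECIAL.search(u.fragment))
                         or "/" in u.fragment)),
    }


def classify(url):
    """Return (verdict, total, parts); the total is the plain sum of parts."""
    parts = score_parts(url)
    total = sum(parts.values())
    if total < FIRST_THRESHOLD:
        return "malicious", total, parts
    if total < SECOND_THRESHOLD:
        return "suspicious", total, parts
    return "benign", total, parts


# First URL: the patent's malicious example. The others are constructed.
SAMPLES = [
    "http://qz0ne.qq.com.8866.org:6799/s3u/a/q.asp?2121&1312#^^^^^",
    "http://zh.wikipedia.org:80/wiki/TCP/UDP_port_list/index.html?uid=1212#head",
    "http://example.com:6799/docs/index.html?2121",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample)[:2], sample)
```

With these assumed weights the domain part dominates the malicious example, and a URL that only trips the port and data-parameter rules lands in the suspicious band.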
The present invention also provides a malicious URL detection device, whose units can carry out malicious URL detection according to the method described above. Its structure is shown in Fig. 2 and comprises:
A division unit 10, used to divide the URL to be detected into a plurality of parts.
A score assignment unit 11, used to assign a corresponding detection score to each of the parts produced by the division unit 10.
An overall score determination unit 12, used to determine the overall score of the URL to be detected according to the detection scores assigned to each part by the score assignment unit 11. Specifically, the overall score determination unit 12 can add the detection scores of the parts to obtain the overall score, or add the weighted values of the detection scores of the parts to obtain the overall score, and so on.
A malicious URL determination unit 13, used to determine that the URL to be detected is a malicious URL if the overall score determined by the overall score determination unit 12 is in the preset first score range for malicious URLs; for example, when the overall score is lower than a preset first threshold, the URL is determined to be a malicious URL.
Further, the device of this embodiment can also include a suspicious URL determination unit 14, used to determine that the URL to be detected is a suspicious URL if the overall score determined by the overall score determination unit 12 is in the preset second score range for suspicious URLs; for example, when the overall score is higher than the preset first threshold and lower than the preset second threshold, the URL is determined to be a malicious URL.
It should be noted that the score assignment unit 11 can assign detection scores to the different parts according to different strategies, specifically:
When the division unit 10 obtains a domain name from the URL to be detected, the score assignment unit 11 is used to give the domain name a negative score if the number of levels of the domain name exceeds the preset number of levels; or if the similarity between the domain name and a preset domain name is higher than the preset similarity; or if the spelling of the domain name does not conform to spelling logic; and so on. When the division unit 10 obtains a file name from the URL to be detected, the score assignment unit 11 is specifically used to give the file name a negative score if the file name contains special characters, or if the spelling of the file name does not conform to spelling logic. When the division unit 10 obtains a path from the URL to be detected, the score assignment unit 11 is specifically used to give the path a negative score if the path contains special characters; or to split the path on symbols and give the path a negative score if the spelling of two or more segments does not conform to spelling logic; or to split the path on symbols and give the path a negative score if two or more segments are shorter than the preset length.
When the division unit 10 obtains data parameters from the URL to be detected, the score assignment unit 11 is specifically used to give a data parameter a negative score if it is not in the form of a data parameter name and a data parameter value, or if the data parameter value contains a slash. When the division unit 10 obtains a port from the URL to be detected, the score assignment unit 11 is specifically used to give the port a negative score if it does not match a preset port. When the division unit 10 obtains an anchor from the URL to be detected, the score assignment unit 11 is specifically used to give the anchor a negative score if the anchor contains a slash.
As can be seen, in the malicious URL detection device of this embodiment, the division unit 10 can divide the URL to be detected into a plurality of parts, the score assignment unit 11 assigns a corresponding detection score to each part, and the overall score determination unit 12 determines the overall score of the URL according to the detection score of each part; if the overall score is in the preset first score range for malicious URLs, the malicious URL determination unit 13 determines that the URL to be detected is a malicious URL. Whether a URL is malicious can thus be detected by operating directly on the URL itself, without operating on the content corresponding to the URL. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.
The following description mainly takes as an example the application of the rogue program detection method of the embodiment of the invention in a terminal. The terminal can include a smartphone, a tablet computer, an e-book reader, a Moving Picture Experts Group Audio Layer III (MP3) player, a Moving Picture Experts Group Audio Layer IV (MP4) player, a laptop computer, a desktop computer, and so on.
Please refer to Fig. 3, which shows the structure of the terminal involved in the embodiment of the invention. Specifically:
The terminal can include components such as a radio frequency (RF) circuit 20, a memory 21 including one or more computer-readable storage media, an input unit 22, a display unit 23, a sensor 24, an audio circuit 25, a wireless fidelity (WiFi) module 26, a processor 27 including one or more processing cores, and a power supply 28. Those skilled in the art will understand that the terminal structure shown in Fig. 3 does not limit the terminal, which can include more or fewer components than shown, combine some components, or arrange the components differently. Wherein:
The input unit 22 can be used to receive entered digit or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, in a specific embodiment, the input unit 22 can include a touch-sensitive surface 221 and other input devices 222. The touch-sensitive surface 221, also called a touch display screen or trackpad, can collect the user's touch operations on or near it (such as operations performed by the user on or near the touch-sensitive surface 221 with a finger, a stylus or any other suitable object or accessory) and drive the corresponding connection device according to a preset program. Optionally, the touch-sensitive surface 221 can include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and sends the signal to the touch controller. The touch controller receives the touch information from the touch detection device, converts it into contact coordinates and sends them to the processor 27, and can receive and execute commands sent by the processor 27. In addition, the touch-sensitive surface 221 can be implemented in several types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch-sensitive surface 221, the input unit 22 can also include other input devices 222. Specifically, the other input devices 222 can include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and a power key), a trackball, a mouse, a joystick, and so on.
The terminal can also include at least one sensor 24, such as an optical sensor, a motion sensor and other sensors. Specifically, the optical sensor can include an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display panel 231 according to the ambient light, and the proximity sensor can turn off the display panel 231 and/or the backlight when the terminal is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity. It can be used in applications that recognise the attitude of the phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors that the terminal can also be fitted with, such as a gyroscope, barometer, hygrometer, thermometer and infrared sensor, are not described here.
WiFi is a short-range wireless transmission technology. Through the WiFi module 26 the terminal can help the user send and receive e-mail, browse web pages, access streaming media and so on; it provides the user with wireless broadband Internet access. Although Fig. 3 shows the WiFi module 26, it is understood that the module is not an essential part of the terminal and can be omitted as required without changing the essence of the invention.
The terminal also includes a power supply 28 (such as a battery) that powers the components. Preferably, the power supply is logically connected to the processor 27 through a power management system, so that functions such as charging, discharging and power-consumption management are handled through the power management system. The power supply 28 can also include any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, and a power status indicator.
Although not shown, the terminal can also include a camera, a Bluetooth module and so on, which are not described here. Specifically, in this embodiment, the processor 27 in the terminal can run one or more application programs stored in the memory 21 according to the following instructions, thereby implementing various functions:
Network address to be detected is divided into a plurality of parts; For each part in a plurality of parts that are divided into distributes corresponding detection score value; Determine the overall score value of described network address to be detected according to the detection score value of described each part; If described; Overall score value determines that then described network address to be detected is the malice network address in the first mark scope of the malice network address that presets, such as when overall score value is lower than the first threshold that presets, then be defined as the malice network address.
Further, if the overall score falls within a preset second score range for suspicious network addresses, processor 27 may determine that the network address to be detected is a suspicious network address; for example, when the overall score is higher than a preset first threshold and lower than a preset second threshold, it is determined to be a malicious network address.
In a specific implementation, when determining the overall score, processor 27 may add the detection scores of the parts to obtain the overall score; or add the weighted values of the detection scores of the parts to obtain the overall score, and so on. When assigning detection scores, processor 27 may assign them to different parts according to different policies, specifically:
When a domain name is separated out of the network address to be detected: if the number of levels of the domain name exceeds a preset number of levels, a negative score is given to the domain name; or, if the similarity between the domain name and a preset domain name is higher than a preset similarity; or, if the spelling of the domain name does not conform to spelling logic, a negative score is given to the domain name, and so on. When a filename is separated out of the network address to be detected: if the filename contains a special character, a negative score is given to the filename; or, if the spelling of the filename does not conform to spelling logic, a negative score is given to the filename. When a path is separated out of the network address to be detected: if the path contains a special character, a negative score is given to the path; or, the path is split at symbols and, if the spelling of a plurality of the resulting segments does not conform to spelling logic, a negative score is given to the path; or, the path is split at symbols and, if the length of a plurality of the resulting segments is less than a preset length, a negative score is given to the path.
When a data parameter is separated out of the network address to be detected: if the data parameter is not in the form of a data parameter name and a data parameter value, a negative score is given to the data parameter; or, if the data parameter value contains a slash, a negative score is given to the data parameter. When a port is separated out of the network address to be detected: if the port does not match a preset port, a negative score is given to the port. When an anchor is separated out of the network address to be detected: if the anchor contains a slash, a negative score is given to the anchor.
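The per-part scoring and threshold classification described above can be sketched as follows. This is an added example, not code from the patent: the function names, every constant (levels, ports, weights, score ranges, the preset domain), the special-character set, the reading of "a plurality" as two or more, and the consonant-run stand-in for the "spelling logic" check are assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Every constant here is an assumed value for illustration; the text names
# the checks but gives no numbers.
MAX_LEVELS = 4                          # preset number of domain levels
PRESET_DOMAINS = ["example-bank.com"]   # constructed protected domain
SIMILARITY = 0.8                        # preset similarity
PRESET_PORTS = {None, 80, 443}          # None: no explicit port in the URL
MIN_SEGMENT_LEN = 2                     # preset path segment length
SPECIAL = re.compile(r"[^A-Za-z0-9._~/-]")
WEIGHTS = {"domain": 2, "port": 1, "path": 1, "filename": 1, "params": 1, "anchor": 1}
MALICIOUS_MAX, SUSPICIOUS_MAX = -3, -1  # assumed upper bounds of the two score ranges

def odd_spelling(token):
    """Assumed stand-in for the spelling-logic check: 5+ consonants in a row."""
    return re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", token.lower()) is not None

def part_scores(url):
    """Split the URL into parts and give each failing part a negative score."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    directory, _, filename = u.path.rpartition("/")
    segments = [seg for seg in re.split(r"[/._-]", directory) if seg]
    s = dict.fromkeys(WEIGHTS, 0)
    lookalike = any(host != d and SequenceMatcher(None, host, d).ratio() >= SIMILARITY
                    for d in PRESET_DOMAINS)
    if host.count(".") + 1 > MAX_LEVELS or lookalike or odd_spelling(host):
        s["domain"] = -1
    try:
        if u.port not in PRESET_PORTS:
            s["port"] = -1
    except ValueError:                  # non-numeric or out-of-range port
        s["port"] = -1
    if (SPECIAL.search(directory)
            or sum(map(odd_spelling, segments)) >= 2
            or sum(len(seg) < MIN_SEGMENT_LEN for seg in segments) >= 2):
        s["path"] = -1
    if SPECIAL.search(filename) or odd_spelling(filename):
        s["filename"] = -1
    pairs = [p.partition("=") for p in u.query.split("&") if p]
    if any(not name or sep != "=" or "/" in value for name, sep, value in pairs):
        s["params"] = -1
    if "/" in u.fragment:
        s["anchor"] = -1
    return s

def classify(url, weighted=True):
    """Sum the part scores (plain or weighted) and map the total to a verdict."""
    scores = part_scores(url)
    total = sum(v * (WEIGHTS[k] if weighted else 1) for k, v in scores.items())
    if total <= MALICIOUS_MAX:
        return total, "malicious"
    if total <= SUSPICIOUS_MAX:
        return total, "suspicious"
    return total, "benign"
```

Calling `classify(url, weighted=False)` gives the plain-sum variant; `part_scores(url)` shows which parts contributed to a verdict.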
A person of ordinary skill in the art will appreciate that all or some of the steps in the methods of the above embodiments may be completed by a program instructing related hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include: read-only memory (ROM), random-access memory (RAM), a magnetic disk, an optical disc, etc.
The method and device for detecting a malicious network address provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. Meanwhile, a person of ordinary skill in the art may, according to the idea of the present invention, make changes to the specific implementations and the scope of application. In summary, this description should not be construed as limiting the present invention.
Claims (14)
1. A method for detecting a malicious network address, characterized by comprising:
dividing a network address to be detected into a plurality of parts;
assigning a corresponding detection score to each of the plurality of parts;
determining an overall score of the network address to be detected according to the detection score of each part;
if the overall score is within a preset first score range for malicious network addresses, determining that the network address to be detected is a malicious network address.
2. The method of claim 1, characterized in that the parts comprise a domain name, and assigning a corresponding detection score to each of the plurality of parts specifically comprises:
if the number of levels of the domain name exceeds a preset number of levels, giving the domain name a negative score; or,
if the similarity between the domain name and a preset domain name is higher than a preset similarity; or,
if the spelling of the domain name does not conform to spelling logic, giving the domain name a negative score.
3. The method of claim 1, characterized in that the parts comprise a filename, and assigning a corresponding detection score to each of the plurality of parts specifically comprises:
if the filename contains a special character, giving the filename a negative score; or,
if the spelling of the filename does not conform to spelling logic, giving the filename a negative score.
4. The method of claim 1, characterized in that the parts comprise a path, and assigning a corresponding detection score to each of the plurality of parts specifically comprises:
if the path contains a special character, giving the path a negative score; or,
splitting the path at symbols and, if the spelling of a plurality of the resulting segments does not conform to spelling logic, giving the path a negative score; or,
splitting the path at symbols and, if the length of a plurality of the resulting segments is less than a preset length, giving the path a negative score.
5. The method of claim 1, characterized in that, if the parts comprise a data parameter, assigning a corresponding detection score to each of the plurality of parts specifically comprises: if the data parameter is not in the form of a data parameter name and a data parameter value, giving the data parameter a negative score; or, if the data parameter value contains a slash, giving the data parameter a negative score;
if the parts comprise a port, assigning a corresponding detection score to each of the plurality of parts specifically comprises: if the port does not match a preset port, giving the port a negative score;
if the parts comprise an anchor, assigning a corresponding detection score to each of the plurality of parts specifically comprises: if the anchor contains a slash, giving the anchor a negative score.
6. The method of any one of claims 1 to 5, characterized in that determining the overall score of the network address to be detected according to the detection score of each part specifically comprises:
adding the detection scores of the parts to obtain the overall score; or,
adding the weighted values of the detection scores of the parts to obtain the overall score.
7. The method of any one of claims 1 to 5, characterized in that the method further comprises:
if the overall score is within a preset second score range for suspicious network addresses, determining that the network address to be detected is a suspicious network address.
8. A device for detecting a malicious network address, characterized by comprising:
a division unit, configured to divide a network address to be detected into a plurality of parts;
a score assignment unit, configured to assign a corresponding detection score to each of the plurality of parts obtained by the division unit;
an overall score determining unit, configured to determine an overall score of the network address to be detected according to the detection score of each part assigned by the score assignment unit;
a malicious network address determining unit, configured to determine that the network address to be detected is a malicious network address if the overall score determined by the overall score determining unit is within a preset first score range for malicious network addresses.
9. The device of claim 8, characterized in that
the division unit is specifically configured to separate a domain name out of the network address to be detected;
the score assignment unit is specifically configured to: if the number of levels of the domain name exceeds a preset number of levels, give the domain name a negative score; or, if the similarity between the domain name and a preset domain name is higher than a preset similarity; or, if the spelling of the domain name does not conform to spelling logic, give the domain name a negative score.
10. The device of claim 8, characterized in that
the division unit is specifically configured to separate a filename out of the network address to be detected;
the score assignment unit is specifically configured to: if the filename contains a special character, give the filename a negative score; or, if the spelling of the filename does not conform to spelling logic, give the filename a negative score.
11. The device of claim 8, characterized in that
the division unit is specifically configured to separate a path out of the network address to be detected;
the score assignment unit is specifically configured to: if the path contains a special character, give the path a negative score; or, split the path at symbols and, if the spelling of a plurality of the resulting segments does not conform to spelling logic, give the path a negative score; or, split the path at symbols and, if the length of a plurality of the resulting segments is less than a preset length, give the path a negative score.
12. The device of claim 8, characterized in that
the division unit is specifically configured to separate a data parameter out of the network address to be detected, and the score assignment unit is specifically configured to: if the data parameter is not in the form of a data parameter name and a data parameter value, give the data parameter a negative score; or, if the data parameter value contains a slash, give the data parameter a negative score; or,
the division unit is specifically configured to separate a port out of the network address to be detected, and the score assignment unit is specifically configured to: if the port does not match a preset port, give the port a negative score; or,
the division unit is specifically configured to separate an anchor out of the network address to be detected, and the score assignment unit is specifically configured to: if the anchor contains a slash, give the anchor a negative score.
13. The device of any one of claims 8 to 12, characterized in that
the overall score determining unit is specifically configured to add the detection scores of the parts to obtain the overall score; or, add the weighted values of the detection scores of the parts to obtain the overall score.
14. The device of any one of claims 8 to 12, characterized by further comprising:
a suspicious network address determining unit, configured to determine that the network address to be detected is a suspicious network address if the overall score is within a preset second score range for suspicious network addresses.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310286619.9A CN103327029B (en) | 2013-07-09 | 2013-07-09 | A kind of detection method of malice network address and equipment |
PCT/CN2014/081861 WO2015003627A1 (en) | 2013-07-09 | 2014-07-09 | Method and device for detecting malicious uniform resource locator (url) |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310286619.9A CN103327029B (en) | 2013-07-09 | 2013-07-09 | A kind of detection method of malice network address and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103327029A (en) | 2013-09-25 |
CN103327029B (en) | 2015-09-09 |
Family
ID=49195559
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310286619.9A Active CN103327029B (en) | 2013-07-09 | 2013-07-09 | A kind of detection method of malice network address and equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103327029B (en) |
WO (1) | WO2015003627A1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7590707B2 (en) * | 2006-08-07 | 2009-09-15 | Webroot Software, Inc. | Method and system for identifying network addresses associated with suspect network destinations |
CN103077349B (en) * | 2013-01-05 | 2016-04-13 | 北京奇虎科技有限公司 | A kind of method of browser side prompting access secure information and device |
CN103327029B (en) * | 2013-07-09 | 2015-09-09 | 腾讯科技(深圳)有限公司 | A kind of detection method of malice network address and equipment |
- 2013
  - 2013-07-09 CN CN201310286619.9A patent/CN103327029B/en active Active
- 2014
  - 2014-07-09 WO PCT/CN2014/081861 patent/WO2015003627A1/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102096683A (en) * | 2009-12-11 | 2011-06-15 | 奇智软件(北京)有限公司 | Method for realizing nameplate at browser address bar |
CN102045360A (en) * | 2010-12-27 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Method and device for processing baleful website library |
CN102622435A (en) * | 2012-02-29 | 2012-08-01 | 百度在线网络技术(北京)有限公司 | Method and device for detecting black chain |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015003627A1 (en) * | 2013-07-09 | 2015-01-15 | 腾讯科技(深圳)有限公司 | Method and device for detecting malicious uniform resource locator (url) |
WO2015101337A1 (en) * | 2014-01-03 | 2015-07-09 | Tencent Technology (Shenzhen) Company Limited | Malicious website address prompt method and router |
US10375102B2 (en) | 2014-01-03 | 2019-08-06 | Tencent Technology (Shenzhen) Company Limitted | Malicious web site address prompt method and router |
CN104333558A (en) * | 2014-11-17 | 2015-02-04 | 广州华多网络科技有限公司 | Website detection method and device |
CN104333558B (en) * | 2014-11-17 | 2018-02-23 | 广州华多网络科技有限公司 | A kind of network address detection method and network address detection means |
CN105791236A (en) * | 2014-12-23 | 2016-07-20 | 北京网御星云信息技术有限公司 | Trojan communication channel detection method and system |
CN105791236B (en) * | 2014-12-23 | 2019-03-12 | 北京网御星云信息技术有限公司 | A kind of wooden horse communication channel detection method and system |
CN107547552A (en) * | 2017-09-07 | 2018-01-05 | 杭州安恒信息技术有限公司 | A kind of website credit assessment and device based on web site features identification and relationship topology |
CN107547552B (en) * | 2017-09-07 | 2020-02-21 | 杭州安恒信息技术股份有限公司 | Website reputation degree evaluation method and device based on website feature identification and relationship topology |
CN114650158A (en) * | 2020-12-21 | 2022-06-21 | 深信服科技股份有限公司 | HTTP detection method, system, equipment and computer storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2015003627A1 (en) | 2015-01-15 |
CN103327029B (en) | 2015-09-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |