CN103327029A - Malicious URL (Uniform Resource Locator) detection method and malicious URL detection device - Google Patents

Publication number: CN103327029A
Authority: CN (China)
Prior art keywords: score value, network address, detected, given negative, domain name
Legal status: Granted (Active)
Application number: CN2013102866199A
Other languages: Chinese (zh)
Other versions: CN103327029B (en)
Inventors: 申飞龙, 张辉, 刘健
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201310286619.9A (CN103327029B)
Publication of CN103327029A
Priority to PCT/CN2014/081861 (WO2015003627A1)
Application granted
Publication of CN103327029B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Embodiments of the invention disclose a malicious URL (Uniform Resource Locator) detection method and a malicious URL detection device, for use in the technical field of information processing. The malicious URL detection device divides the URL to be detected into multiple components, assigns a corresponding detection score to each component, and determines the total score of the URL from the detection scores of the components. If the total score is within a preset first score range for malicious URLs, the device determines that the URL to be detected is a malicious URL. In this way the device decides whether a URL is malicious by operating on the URL itself, rather than on the content the URL points to. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.

Description

Method and device for detecting malicious URLs
Technical field
The present invention relates to the technical field of information processing, and in particular to a method and a device for detecting malicious URLs.
Background
When a client accesses a web server, the server's network address, such as a uniform resource locator (Uniform Resource Locator, URL), is generally entered in the client, and the client connects to the server through this address. If a malicious URL is entered in the client, the user's information may be threatened, so malicious URLs need to be detected.
In the prior art, to detect a malicious URL the detection device first connects to the server through the URL and obtains the content the server provides, that is, the page content. It then decides whether the content corresponding to the URL is malicious by matching the page content or a screenshot of the page; if so, the URL is a malicious URL. The prior art therefore always has to obtain the content corresponding to the URL first, which makes malicious URL detection inefficient. Moreover, in practice the server behind a malicious URL may block the addresses of detection devices that belong to security software systems, so the detection device cannot obtain the content corresponding to the URL and detection fails.
Summary of the invention
Embodiments of the invention provide a method and a device for detecting malicious URLs that improve the efficiency of malicious URL detection.
An embodiment of the invention provides a method for detecting malicious URLs, comprising:
dividing the URL to be detected into a plurality of parts;
assigning a corresponding detection score to each of the parts;
determining the overall score of the URL to be detected from the detection scores of the parts;
if the overall score is within a preset first score range for malicious URLs, determining that the URL to be detected is a malicious URL.
An embodiment of the invention provides a device for detecting malicious URLs, comprising:
a division unit, for dividing the URL to be detected into a plurality of parts;
a score assignment unit, for assigning a corresponding detection score to each of the parts produced by the division unit;
an overall score determining unit, for determining the overall score of the URL to be detected from the detection scores assigned to the parts by the score assignment unit;
a malicious URL determining unit, for determining that the URL to be detected is a malicious URL if the overall score determined by the overall score determining unit is within the preset first score range for malicious URLs.
As can be seen, the malicious URL detection device divides the URL to be detected into a plurality of parts, assigns a corresponding detection score to each part, and determines the overall score of the URL from the detection scores of the parts; if the overall score is within the preset first score range for malicious URLs, it determines that the URL is a malicious URL. The device can thus detect a malicious URL directly by operating on the URL to be detected, without operating on the content corresponding to that URL. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for detecting malicious URLs provided by an embodiment of the invention;
Fig. 2 is a structural diagram of a device for detecting malicious URLs provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a terminal to which the method for detecting malicious URLs provided by an embodiment of the invention is applied.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The embodiment of the invention provides a kind of detection method of malice network address, mainly is the performed method of checkout equipment of malice network address, and flow chart comprises as shown in Figure 1:
Step 101, network address to be detected is divided into a plurality of parts, generally speaking, network address particularly URL can be comprised of domain name (Domain Name), port (port), path (parh), filename (filename), data parameters (query) and anchor point (anchor) etc., wherein:
Domain name is used for identifying the electronic bearing of computer by a string title with total a certain the computer of a network that the name of separating forms or calculating unit when transfer of data, sometimes also refer to the geographical position.Domain name can have a plurality of ranks, and each rank of domain name is separated by ". ", and in brief, it is exactly that what points are arranged for what domain name, is TLD at rightmost word wherein.
Port is a computer and extraneous outlet of communicating by letter; The path typically refers to a position on a file or the webserver; Concrete file on the server that filename is used for representing to access; Data parameters mainly be with question mark (?) beginning, with (﹠amp; ) information that separates; Anchor point is a character string or an order anchor chain, refers to the Partial Fragment in content corresponding to this network address to be detected.
For example, for network address:
Http:// video.google.co.uk:80/videoplay/index.html docid=10086﹠amp; Hl=en#00h02m30s, domain name is google.co.uk, and port is 80, and the path is/videoplay, and file is called index.html, and the data parameters name is docid, and the value of data parameters is 10086, and anchor point is #00h02m30s.
Step 102: assign a corresponding detection score to each of the parts. When assigning the detection score of a part, the features of malicious URLs preset in the detection device can be compared with the features of that part; if they are similar or match, the part is assigned a negative detection score. For example, the preset features of malicious URL domain names are compared with the features of the domain name obtained in step 101, and a detection score is assigned to the "domain name" part accordingly.
Step 103: determine the overall score of the URL to be detected from the detection scores of the parts. Specifically, the detection scores of the parts are added to obtain the overall score. Alternatively, the importance of each part within the whole malicious URL is taken into account: the detection score of each part is weighted to obtain a weighted value, and the weighted values are added to obtain the overall score. A weighted value is obtained by multiplying the detection score by a weight coefficient, and more important parts use a larger weight coefficient.
Step 104: judge whether the overall score obtained in step 103 is within the preset score range for malicious URLs. If it is, perform step 105, that is, determine that the URL to be detected is a malicious URL; if it is not, the URL to be detected is not a malicious URL. The preset score range for malicious URLs can be set in the detection device by the user according to actual needs; for example, when the overall score is lower than a preset first threshold, the URL is a malicious URL.
Further, in a specific embodiment, when the overall score is judged not to be within the preset first score range for malicious URLs, the detection device can go on to judge whether the overall score is within a preset second score range for suspicious URLs. If it is, the device can determine that the URL to be detected is a suspicious URL, that is, one that may be malicious, so that suspicious URLs can be handled accordingly. For example, when the overall score is higher than the preset first threshold and lower than a preset second threshold, the URL is a suspicious URL.
As can be seen, in this embodiment the malicious URL detection device divides the URL to be detected into a plurality of parts, assigns a corresponding detection score to each part, and determines the overall score of the URL from the detection scores of the parts; if the overall score is within the preset first score range for malicious URLs, it determines that the URL is a malicious URL. The device can thus detect a malicious URL directly by operating on the URL to be detected, without operating on the content corresponding to that URL. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.
In a specific embodiment, when performing step 102 the malicious URL detection device assigns detection scores to the different parts according to different strategies, as follows:
(1) The part is the domain name
If the number of levels of the domain name exceeds a preset number (for example 4), the domain name is given a negative score, and the more levels there are, the lower the score. The levels are separated by "."; put simply, the number of dots gives the number of levels.
If the spelling of the domain name does not conform to the spelling logic, the domain name is given a negative score. In general, domain names that conform to the spelling logic look like ABC, ab12 and 12ab: they contain only letters, or letters and digits that are not interleaved. A name in which letters and digits are interleaved, such as a1b2, does not conform to the spelling logic. Alternatively, the detection device can decide whether the domain name conforms to the spelling logic by comparing it with preset features that do not conform to the spelling logic.
If the similarity between the domain name and a preset domain name is higher than a preset similarity, the domain name is given a negative score. Specifically, a number of domain names that are easily counterfeited can be preset, and the similarity is the percentage of characters that match after the domain name is matched against the preset domain name.
If the domain name is a free overseas domain name, it can also be given a negative score.
(2) The part is the path
If the path contains special characters, the path is given a negative score. Special characters are characters other than letters, digits and a limited set of punctuation (%, ?, /, =, #, ., -, _).
The path is segmented on symbols; if the spelling of two or more segments does not conform to the spelling logic, the path is given a negative score.
The path is segmented on symbols; if, in total, two or more segments are shorter than a preset length (for example 2), the path is given a negative score. Here a symbol is any character other than a digit or a letter, such as / or ?.
(3) The part is the file name. If the file name contains special characters, the file name is given a negative score. If the spelling of the file name does not conform to the spelling logic, the file name is given a negative score.
(4) The part is the port. If the port does not match a preset port, the port is given a negative score. The preset well-known ports are generally 80, 8080, 8081 and so on.
(5) The part is the data parameters. If the data parameters are not in k-v form, that is, the form of a data parameter name and a data parameter value, the data parameters are given a negative score. If a data parameter value contains "/", that is, a slash, the data parameters are given a negative score.
(6) The part is the anchor. If the anchor contains "/", the anchor is given a negative score.
Note that while assigning detection scores to the parts it may be necessary to judge whether the spelling of some part conforms to the spelling logic. In a specific implementation, the features of the part can be compared with features that conform to the spelling logic; if they match, the part conforms to the spelling logic, otherwise it does not. Alternatively, a part in which letters and digits are interleaved can be treated directly as not conforming to the spelling logic.
In addition, when the detection device gives a score for a feature of a part, the score can depend on the importance of that feature: for a more important feature, such as the spelling logic, the negative score given when the part does not conform is lower. Further, after giving different scores for the several features of a part, the detection device can select the lowest of them as the detection score of that part.
For example, for the non-malicious URL
http://zh.wikipedia.org:80/wiki/TCP/UDP port list/index.html?uid=1212#head
the domain name is zh.wikipedia.org, and the number of domain levels is less than 4; the port is 80, a well-known server port; the path is wiki/TCP/UDP port list, in which each segment is a commonly used name with some meaning; the file name is index.html, the default home page of a site; the data parameter is uid=1212, which conforms to the form of a data parameter name and a data parameter value; and head in the anchor means that after the page corresponding to this URL is opened, it scrolls automatically to the position of the anchor named head.
For the malicious URL
http://qz0ne.qq.com.8866.org:6799/s3u/a/q.asp?2121&1312#^^^^^
the domain name is qz0ne.qq.com.8866.org, which has more than 4 levels, uses the free top-level domain 8866.org, and is highly similar to the preset domain name qzone.qq.com, so the detection score of the domain name in this URL is low; the port is 6799, which is not a port commonly used by servers; the path is s3u/a, where s3u has no meaning and does not follow the way users name things; the file name is a.asp; the data parameters are 2121&1312, which do not conform to the form of a data parameter name and a data parameter value; and the anchor contains special characters.
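The scoring procedure of steps 101 to 104 with rules (1) to (6), as an added Python example that is not code from the patent. The score magnitudes, weights, thresholds and similarity limit are assumptions (the text only calls them "preset"), and difflib's ratio over the host's leading labels stands in for the "percentage of matching characters".

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Presets that appear in the page's text and examples.
MAX_LEVELS, MIN_SEGMENT_LEN = 4, 2
KNOWN_PORTS = {80, 8080, 8081}
PROTECTED_DOMAINS, FREE_SUFFIXES = ["qzone.qq.com"], ["8866.org"]
# Assumed presets: the page gives no numbers for these.
SIMILARITY_LIMIT = 0.8
WEIGHTS = {"domain": 2.0}   # every other component weighs 1.0
MALICIOUS_BELOW, SUSPICIOUS_BELOW = -10.0, -3.0  # first and second thresholds
ALLOWED = re.compile(r"[A-Za-z0-9%?/=#.\-_]*")  # letters, digits, limited punctuation
# Samples: the page's malicious URL and a shortened, constructed benign one.
SAMPLE_MALICIOUS = "http://qz0ne.qq.com.8866.org:6799/s3u/a/q.asp?2121&1312#^^^^^"
SAMPLE_BENIGN = "http://zh.wikipedia.org:80/wiki/TCP/index.html?uid=1212#head"


def bad_spelling(token):
    """True for interleaved letters and digits (a1b2); ABC, ab12, 12ab pass."""
    return len(re.findall(r"[A-Za-z]+|[0-9]+", token)) > 2


def has_special(text):
    return ALLOWED.fullmatch(text) is None


def tokens(text):
    # Symbol segmentation: split on anything that is not a letter or digit.
    return [t for t in re.split(r"[^A-Za-z0-9]+", text) if t]


def worst(*rules):
    """Lowest score among the triggered (condition, score) rules, else 0."""
    return min([score for hit, score in rules if hit], default=0.0)


def lookalike(host):
    """True when the host's leading labels nearly match a protected domain."""
    for good in PROTECTED_DOMAINS:
        head = ".".join(host.split(".")[: good.count(".") + 1])
        near = SequenceMatcher(None, head, good).ratio() >= SIMILARITY_LIMIT
        if near and host != good and not host.endswith("." + good):
            return True
    return False


def score_domain(host):
    labels = host.split(".")
    return worst(
        (len(labels) > MAX_LEVELS, -2.0 * (len(labels) - MAX_LEVELS)),
        (any(map(bad_spelling, labels)), -4.0),
        (lookalike(host), -5.0),
        (any(host.endswith("." + s) for s in FREE_SUFFIXES), -3.0),
    )


def score_path(directory):
    segs = tokens(directory)
    return worst(
        (has_special(directory), -2.0),
        (sum(map(bad_spelling, segs)) >= 2, -3.0),
        (sum(len(s) < MIN_SEGMENT_LEN for s in segs) >= 2, -2.0),
    )


def score_query(query):
    pairs = query.split("&") if query else []
    return worst(
        (any(re.fullmatch(r"[^=]+=.*", p) is None for p in pairs), -3.0),
        (any("/" in p.partition("=")[2] for p in pairs), -3.0),
    )


def score_url(url):
    """Return (overall score, per-component detection scores)."""
    parts = urlsplit(url)
    directory, _, filename = parts.path.rpartition("/")
    detection = {
        "domain": score_domain(parts.hostname or ""),
        "port": worst((parts.port not in KNOWN_PORTS | {None}, -2.0)),
        "path": score_path(directory),
        "filename": worst((has_special(filename), -2.0),
                          (any(map(bad_spelling, tokens(filename))), -3.0)),
        "query": score_query(parts.query),
        # Rule (6), plus the special-character remark in the page's example.
        "anchor": worst(("/" in parts.fragment, -3.0),
                        (has_special(parts.fragment), -2.0)),
    }
    total = sum(WEIGHTS.get(name, 1.0) * s for name, s in detection.items())
    return total, detection


def classify(url):
    total = score_url(url)[0]
    if total < MALICIOUS_BELOW:
        return "malicious"
    return "suspicious" if total < SUSPICIOUS_BELOW else "clean"
```

Under the written rules the path s3u/a of the malicious sample scores 0, because only one segment is misspelled and only one is short; the verdict is carried by the domain, port, data parameters and anchor.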
The present invention also provides a device for detecting malicious URLs, whose units can detect malicious URLs according to the method described above. Its structure is shown in Fig. 2 and comprises:
Division unit 10, for dividing the URL to be detected into a plurality of parts.
Score assignment unit 11, for assigning a corresponding detection score to each of the parts produced by the division unit 10.
Overall score determining unit 12, for determining the overall score of the URL to be detected from the detection scores assigned to the parts by the score assignment unit 11. Specifically, the overall score determining unit 12 can add the detection scores of the parts to obtain the overall score, or add the weighted values of the detection scores of the parts to obtain the overall score, and so on.
Malicious URL determining unit 13, for determining that the URL to be detected is a malicious URL if the overall score determined by the overall score determining unit 12 is within the preset first score range for malicious URLs; for example, when the overall score is lower than the preset first threshold, the URL is determined to be a malicious URL.
Further, the device of this embodiment can also comprise a suspicious URL determining unit 14, for determining that the URL to be detected is a suspicious URL if the overall score determined by the overall score determining unit 12 is within the preset second score range for suspicious URLs; for example, when the overall score is higher than the preset first threshold and lower than the preset second threshold, the URL is determined to be a malicious URL.
Note that the score assignment unit 11 can assign detection scores to the different parts according to different strategies. Specifically:
When the division unit 10 separates out a domain name from the URL to be detected, the score assignment unit 11 is used to give the domain name a negative score if the number of levels of the domain name exceeds the preset number; or if the similarity between the domain name and a preset domain name is higher than the preset similarity; or if the spelling of the domain name does not conform to the spelling logic; and so on. When the division unit 10 separates out a file name from the URL to be detected, the score assignment unit 11 is specifically used to give the file name a negative score if the file name contains special characters, or if the spelling of the file name does not conform to the spelling logic. When the division unit 10 separates out a path from the URL to be detected, the score assignment unit 11 is specifically used to give the path a negative score if the path contains special characters; or to segment the path on symbols and give the path a negative score if the spelling of two or more segments does not conform to the spelling logic; or to segment the path on symbols and give the path a negative score if two or more segments are shorter than the preset length.
When the division unit 10 separates out data parameters from the URL to be detected, the score assignment unit 11 is specifically used to give the data parameters a negative score if they are not in the form of a data parameter name and a data parameter value, or if a data parameter value contains a slash. When the division unit 10 separates out a port from the URL to be detected, the score assignment unit 11 is specifically used to give the port a negative score if the port does not match a preset port. When the division unit 10 separates out an anchor from the URL to be detected, the score assignment unit 11 is specifically used to give the anchor a negative score if the anchor contains a slash.
As can be seen, in the malicious URL detection device of this embodiment the division unit 10 divides the URL to be detected into a plurality of parts, the score assignment unit 11 assigns a corresponding detection score to each part, and the overall score determining unit 12 determines the overall score of the URL from the detection scores of the parts; if the overall score is within the preset first score range for malicious URLs, the malicious URL determining unit 13 determines that the URL to be detected is a malicious URL. The device can thus detect a malicious URL directly by operating on the URL to be detected, without operating on the content corresponding to that URL. This saves the time needed to obtain that content, improves detection efficiency, and avoids detection failures caused by failing to obtain the content of the URL to be detected.
Below mainly be applied to illustrate in the terminal with the detection method of the rogue program of the embodiment of the invention, this terminal can comprise smart mobile phone, panel computer, E-book reader, dynamic image expert compression standard audio frequency aspect 3(Moving Picture Experts Group Audio Layer III, MP3) player, dynamic image expert compression standard audio frequency aspect 4(Moving Picture Experts Group Audio Layer IV, MP4) player, pocket computer on knee and desktop computer etc.
Please refer to Fig. 3, it shows the structural representation of the related terminal of the embodiment of the invention, specifically:
Terminal can comprise radio frequency (Radio Frequency, RF) parts such as circuit 20, the memory 21 that includes one or more computer-readable recording mediums, input unit 22, display unit 23, transducer 24, voicefrequency circuit 25, Wireless Fidelity (wireless fidelity, WiFi) module 26, the processor 27 that includes processing core more than or and power supply 28.It will be understood by those skilled in the art that the terminal structure shown in Fig. 3 does not consist of the restriction to terminal, can comprise the parts more more or less than diagram, perhaps make up some parts, perhaps different arrangements of components.Wherein:
RF circuit 20 can be used for receiving and sending messages or communication process in, the reception of signal and transmission especially, after the downlink information of base station received, are transferred to one or an above processor 27 and are processed; In addition, will be referred to up data and send to the base station.Usually, RF circuit 20 includes but not limited to antenna, at least one amplifier, tuner, one or more oscillator, subscriber identity module (SIM) card, transceiver, coupler, low noise amplifier (Low Noise Amplifier, LNA), duplexer etc.In addition, RF circuit 20 can also be by radio communication and network and other devices communicatings.Described radio communication can be used arbitrary communication standard or agreement, include but not limited to global system for mobile communications (Global System of Mobile communication, GSM), general packet radio service (General Packet Radio Service, GPRS), code division multiple access (Code Division Multiple Access, CDMA), Wideband Code Division Multiple Access (WCDMA) (Wideband Code Division Multiple Access, WCDMA), Long Term Evolution (Long Term Evolution, LTE), Email, Short Message Service (Short Messaging Service, SMS) etc.
Memory 21 can be used for storing software program and module, and processor 27 is stored in software program and the module of memory 21 by operation, and various functions are used and data are processed thereby carry out.Memory 21 can mainly comprise storage program district and storage data field, wherein, but the required application program (such as sound-playing function, image player function etc.) of storage program district storage operating system, at least one function etc.; The data (such as voice data, phone directory etc.) that the use according to terminal creates etc. can be stored in the storage data field.In addition, memory 21 can comprise high-speed random access memory, can also comprise nonvolatile memory, for example at least one disk memory, flush memory device or other volatile solid-state parts.Correspondingly, memory 21 can also comprise Memory Controller, so that the access of processor 27 and 22 pairs of memories 21 of input unit to be provided.
Input unit 22 can be used for receiving numeral or the character information of input, and generation is inputted with the user arranges and function control is relevant keyboard, mouse, action bars, optics or trace ball signal.Particularly, in a specific embodiment, input unit 22 can comprise touch-sensitive surperficial 221 and other input equipments 222.Touch-sensitive surperficial 221, be also referred to as touch display screen or Trackpad, can collect the user thereon or near touch operation (use such as the user any suitable objects such as finger, stylus or annex on touch-sensitive surperficial 221 or near the operation touch-sensitive surperficial 221), and drive corresponding jockey according to predefined formula.Optionally, touch-sensitive surperficial 221 can comprise touch detecting apparatus and two parts of touch controller.Wherein, touch detecting apparatus detects user's touch orientation, and detects the signal that touch operation is brought, and sends signal to touch controller; Touch controller receives touch information from touch detecting apparatus, and converts it to contact coordinate, gives processor 27 again, and the order that energy receiving processor 27 is sent is also carried out.In addition, can adopt the polytypes such as resistance-type, condenser type, infrared ray and surface acoustic wave to realize touch-sensitive surperficial 221.Except touch-sensitive surperficial 221, input unit 22 can also comprise other input equipments 222.Particularly, other input equipments 222 can include but not limited to one or more in physical keyboard, function key (such as volume control button, switch key etc.), trace ball, mouse, the action bars etc.
The display unit 23 can be used to display information entered by the user or information provided to the user, as well as the various graphical user interfaces of the terminal; these graphical user interfaces can be composed of graphics, text, icons, video, and any combination thereof. The display unit 23 may comprise a display panel 231, which can optionally be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED) display, or the like. Further, the touch-sensitive surface 221 may cover the display panel 231; when the touch-sensitive surface 221 detects a touch operation on or near it, it passes the operation to the processor 27 to determine the type of the touch event, and the processor 27 then provides the corresponding visual output on the display panel 231 according to the type of the touch event. Although in Fig. 3 the touch-sensitive surface 221 and the display panel 231 implement the input and output functions as two independent components, in some embodiments the touch-sensitive surface 221 and the display panel 231 can be integrated to implement the input and output functions.
The terminal may also comprise at least one sensor 24, such as an optical sensor, a motion sensor, or other sensors. Specifically, the optical sensor may comprise an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display panel 231 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 231 and/or the backlight when the terminal is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes), can detect the magnitude and direction of gravity when stationary, and can be used in applications that recognize the attitude of the phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). The terminal can also be equipped with other sensors such as a gyroscope, barometer, hygrometer, thermometer, and infrared sensor, which are not described further here.
The audio circuit 25, loudspeaker 251, and microphone 252 can provide an audio interface between the user and the terminal. The audio circuit 25 can convert received audio data into an electrical signal and transmit it to the loudspeaker 251, which converts it into a sound signal for output; in the other direction, the microphone 252 converts the collected sound signal into an electrical signal, which the audio circuit 25 receives and converts into audio data. The audio data is then output to the processor 27 for processing and sent through the RF circuit 20 to, for example, another terminal, or output to the memory 21 for further processing. The audio circuit 25 may also comprise an earphone jack to provide communication between a peripheral earphone and the terminal.
WiFi is a short-range wireless transmission technology. Through the WiFi module 26 the terminal can help the user send and receive e-mail, browse web pages, access streaming media, and so on; it provides the user with wireless broadband Internet access. Although Fig. 3 shows the WiFi module 26, it is understood that it is not an essential component of the terminal and can be omitted as required without changing the essence of the invention.
The processor 27 is the control centre of the terminal. It connects the various parts of the whole mobile phone through various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing the software programs and/or modules stored in the memory 21 and calling the data stored in the memory 21, thereby monitoring the mobile phone as a whole. Optionally, the processor 27 may comprise one or more processing cores; preferably, the processor 27 can integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs, and so on, and the modem processor mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 27.
The terminal also comprises a power supply 28 (such as a battery) that powers all of the components. Preferably, the power supply is logically connected to the processor 27 through a power management system, so that functions such as charging management, discharging management, and power consumption management are implemented through the power management system. The power supply 28 may also comprise any of the following components: one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, and a power status indicator.
Although not shown, the terminal may also comprise a camera, a Bluetooth module, and so on, which are not described further here. Specifically, in the present embodiment, the processor 27 in the terminal can run one or more application programs stored in the memory 21 according to the following instructions, thereby implementing various functions:
The URL to be detected is divided into a plurality of parts; a corresponding detection score is assigned to each of the parts; the overall score of the URL to be detected is determined from the detection scores of the parts; and if the overall score falls within the preset first score range for malicious URLs, the URL to be detected is determined to be a malicious URL. For example, when the overall score is lower than a preset first threshold, the URL is determined to be malicious.
Further, if the overall score falls within the preset second score range for suspicious URLs, the processor 27 can determine that the URL to be detected is a suspicious URL. For example, when the overall score is higher than the preset first threshold and lower than a preset second threshold, the URL is determined to be suspicious.
In a specific implementation, when determining the overall score, the processor 27 can obtain it by adding the detection scores of the parts, or by adding the weighted values of the detection scores of the parts, and so on. When assigning detection scores, the processor 27 can apply a different strategy to each kind of part. Specifically:
When a domain name is extracted from the URL to be detected: if the number of levels in the domain name exceeds a preset number of levels, a negative score is assigned to the domain name; or, if the similarity between the domain name and a preset domain name is higher than a preset similarity; or, if the spelling of the domain name does not conform to spelling logic, a negative score is assigned to the domain name, and so on. When a file name is extracted from the URL to be detected: if the file name contains a special character, a negative score is assigned to the file name; or, if the spelling of the file name does not conform to spelling logic, a negative score is assigned to the file name. When a path is extracted from the URL to be detected: if the path contains a special character, a negative score is assigned to the path; or, the path is split on its separator symbols and, if the spelling of a plurality of the resulting segments does not conform to spelling logic, a negative score is assigned to the path; or, the path is split on its separator symbols and, if the length of a plurality of the resulting segments is less than a preset length, a negative score is assigned to the path.
When a data parameter is extracted from the URL to be detected: if the data parameter is not in the form of a parameter name and a parameter value, a negative score is assigned to the data parameter; or, if the data parameter value contains a slash, a negative score is assigned to the data parameter. When a port is extracted from the URL to be detected: if the port does not match a preset port, a negative score is assigned to the port. When an anchor is extracted from the URL to be detected: if the anchor contains a slash, a negative score is assigned to the anchor.
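The following added example (not code from the patent) implements the split, per-part scoring, summation and two-threshold decision described above. The penalty size, both thresholds, the preset domain and port lists, the consonant-run stand-in for "spelling logic" and the `difflib` similarity measure are all assumptions, since the text leaves these presets open.

```python
import difflib
import re
from urllib.parse import unquote, urlsplit

# Assumed presets: the patent text leaves every one of these values open.
MAX_DOMAIN_LEVELS = 4
PRESET_DOMAINS = ["bank.example"]    # constructed list of protected domains
SIMILARITY_LIMIT = 0.8
PRESET_PORTS = {None, 80, 443}       # None: no explicit port in the URL
MIN_SEGMENT_LEN = 3
PENALTY = -10                        # negative score per triggered rule
FIRST_THRESHOLD = -30                # overall score below this: malicious
SECOND_THRESHOLD = -10               # between the thresholds: suspicious
SPECIAL = re.compile(r"[^A-Za-z0-9._~/-]")
SAMPLES = [                          # constructed URLs on reserved names
    "https://www.shop.example/docs/index.html",
    "http://bamk.example:8080/login/index.php",
    "http://a.b.bank.example.qzxkvbn.test:8081/a/b/x%20y.php?u=/x&id#/top",
]

def bad_spelling(token):
    """Assumed stand-in for 'spelling logic': a run of 5+ consonants."""
    return re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", token.lower()) is not None

def score_domain(host):
    labels = host.split(".")
    score = PENALTY if len(labels) > MAX_DOMAIN_LEVELS else 0
    for known in PRESET_DOMAINS:
        if host == known or host.endswith("." + known):
            continue                 # the preset domain itself is no look-alike
        if difflib.SequenceMatcher(None, host, known).ratio() > SIMILARITY_LIMIT:
            score += PENALTY
            break
    if any(bad_spelling(label) for label in labels):
        score += PENALTY
    return score

def score_path(directory):
    score = PENALTY if SPECIAL.search(directory) else 0
    segments = [s for s in re.split(r"[/._-]", directory) if s]
    if sum(bad_spelling(s) for s in segments) >= 2:
        score += PENALTY             # several segments with odd spelling
    if sum(len(s) < MIN_SEGMENT_LEN for s in segments) >= 2:
        score += PENALTY             # several very short segments
    return score

def score_filename(name):
    score = PENALTY if SPECIAL.search(name) else 0
    return score + (PENALTY if bad_spelling(name.rsplit(".", 1)[0]) else 0)

def score_params(query):
    pairs = [p for p in query.split("&") if p]
    score = PENALTY if any("=" not in p or p.startswith("=") for p in pairs) else 0
    if any("/" in unquote(p.partition("=")[2]) for p in pairs):
        score += PENALTY             # slash inside a parameter value
    return score

def part_scores(url):
    parts = urlsplit(url)
    directory, _, filename = parts.path.rpartition("/")
    try:
        port = parts.port
    except ValueError:
        port = -1                    # malformed port never matches a preset
    return {
        "domain": score_domain(parts.hostname or ""),
        "path": score_path(directory),
        "filename": score_filename(filename),
        "params": score_params(parts.query),
        "port": 0 if port in PRESET_PORTS else PENALTY,
        "anchor": PENALTY if "/" in parts.fragment else 0,
    }

def classify(url, weights=None):
    total = sum((weights or {}).get(k, 1) * v for k, v in part_scores(url).items())
    if total < FIRST_THRESHOLD:
        return "malicious", total
    if total < SECOND_THRESHOLD:
        return "suspicious", total
    return "clean", total
```

Passing `weights` to `classify()` switches from the plain sum to the weighted sum, so the same URL can move from suspicious to malicious when one part is weighted more heavily.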
One of ordinary skill in the art will appreciate that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium can include read-only memory (ROM), random-access memory (RAM), a magnetic disk, an optical disc, and so on.
The method and device for detecting malicious URLs provided by the embodiments of the invention have been described in detail above. Specific examples have been used herein to set out the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, one of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementation and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (14)

1. A method for detecting a malicious URL, characterized in that it comprises:
Dividing a URL to be detected into a plurality of parts;
Assigning a corresponding detection score to each of the plurality of parts;
Determining an overall score of the URL to be detected according to the detection scores of the parts;
If the overall score falls within a preset first score range for malicious URLs, determining that the URL to be detected is a malicious URL.
2. The method of claim 1, characterized in that the parts comprise a domain name, and assigning a corresponding detection score to each of the plurality of parts specifically comprises:
If the number of levels in the domain name exceeds a preset number of levels, assigning a negative score to the domain name; or,
If the similarity between the domain name and a preset domain name is higher than a preset similarity; or,
If the spelling of the domain name does not conform to spelling logic, assigning a negative score to the domain name.
3. The method of claim 1, characterized in that the parts comprise a file name, and assigning a corresponding detection score to each of the plurality of parts specifically comprises:
If the file name contains a special character, assigning a negative score to the file name; or,
If the spelling of the file name does not conform to spelling logic, assigning a negative score to the file name.
4. The method of claim 1, characterized in that the parts comprise a path, and assigning a corresponding detection score to each of the plurality of parts specifically comprises:
If the path contains a special character, assigning a negative score to the path; or,
Splitting the path on its separator symbols and, if the spelling of a plurality of the resulting segments does not conform to spelling logic, assigning a negative score to the path; or,
Splitting the path on its separator symbols and, if the length of a plurality of the resulting segments is less than a preset length, assigning a negative score to the path.
5. The method of claim 1, characterized in that, if the parts comprise a data parameter, assigning a corresponding detection score to each of the plurality of parts specifically comprises: if the data parameter is not in the form of a parameter name and a parameter value, assigning a negative score to the data parameter; or, if the data parameter value contains a slash, assigning a negative score to the data parameter;
If the parts comprise a port, assigning a corresponding detection score to each of the plurality of parts specifically comprises: if the port does not match a preset port, assigning a negative score to the port;
If the parts comprise an anchor, assigning a corresponding detection score to each of the plurality of parts specifically comprises: if the anchor contains a slash, assigning a negative score to the anchor.
6. The method of any one of claims 1 to 5, characterized in that determining the overall score of the URL to be detected according to the detection scores of the parts specifically comprises:
Adding the detection scores of the parts to obtain the overall score; or,
Adding the weighted values of the detection scores of the parts to obtain the overall score.
7. The method of any one of claims 1 to 5, characterized in that the method further comprises:
If the overall score falls within a preset second score range for suspicious URLs, determining that the URL to be detected is a suspicious URL.
8. A device for detecting a malicious URL, characterized in that it comprises:
A division unit, configured to divide a URL to be detected into a plurality of parts;
A score assignment unit, configured to assign a corresponding detection score to each of the plurality of parts produced by the division unit;
An overall score determining unit, configured to determine an overall score of the URL to be detected according to the detection scores of the parts assigned by the score assignment unit;
A malicious URL determining unit, configured to determine that the URL to be detected is a malicious URL if the overall score determined by the overall score determining unit falls within a preset first score range for malicious URLs.
9. The device of claim 8, characterized in that,
The division unit is specifically configured to extract a domain name from the URL to be detected;
The score assignment unit is specifically configured to assign a negative score to the domain name if the number of levels in the domain name exceeds a preset number of levels; or, if the similarity between the domain name and a preset domain name is higher than a preset similarity; or, to assign a negative score to the domain name if the spelling of the domain name does not conform to spelling logic.
10. The device of claim 8, characterized in that,
The division unit is specifically configured to extract a file name from the URL to be detected;
The score assignment unit is specifically configured to assign a negative score to the file name if the file name contains a special character; or, to assign a negative score to the file name if the spelling of the file name does not conform to spelling logic.
11. The device of claim 8, characterized in that,
The division unit is specifically configured to extract a path from the URL to be detected;
The score assignment unit is specifically configured to assign a negative score to the path if the path contains a special character; or, to split the path on its separator symbols and assign a negative score to the path if the spelling of a plurality of the resulting segments does not conform to spelling logic; or, to split the path on its separator symbols and assign a negative score to the path if the length of a plurality of the resulting segments is less than a preset length.
12. The device of claim 8, characterized in that,
The division unit is specifically configured to extract a data parameter from the URL to be detected, and the score assignment unit is specifically configured to assign a negative score to the data parameter if the data parameter is not in the form of a parameter name and a parameter value; or, to assign a negative score to the data parameter if the data parameter value contains a slash; or,
The division unit is specifically configured to extract a port from the URL to be detected, and the score assignment unit is specifically configured to assign a negative score to the port if the port does not match a preset port; or,
The division unit is specifically configured to extract an anchor from the URL to be detected, and the score assignment unit is specifically configured to assign a negative score to the anchor if the anchor contains a slash.
13. The device of any one of claims 8 to 12, characterized in that,
The overall score determining unit is specifically configured to add the detection scores of the parts to obtain the overall score; or, to add the weighted values of the detection scores of the parts to obtain the overall score.
14. The device of any one of claims 8 to 12, characterized in that it further comprises:
A suspicious URL determining unit, configured to determine that the URL to be detected is a suspicious URL if the overall score falls within a preset second score range for suspicious URLs.
CN201310286619.9A 2013-07-09 2013-07-09 A kind of detection method of malice network address and equipment Active CN103327029B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310286619.9A CN103327029B (en) 2013-07-09 2013-07-09 A kind of detection method of malice network address and equipment
PCT/CN2014/081861 WO2015003627A1 (en) 2013-07-09 2014-07-09 Method and device for detecting malicious uniform resource locator (url)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310286619.9A CN103327029B (en) 2013-07-09 2013-07-09 A kind of detection method of malice network address and equipment

Publications (2)

Publication Number Publication Date
CN103327029A true CN103327029A (en) 2013-09-25
CN103327029B CN103327029B (en) 2015-09-09

Family

ID=49195559

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310286619.9A Active CN103327029B (en) 2013-07-09 2013-07-09 A kind of detection method of malice network address and equipment

Country Status (2)

Country Link
CN (1) CN103327029B (en)
WO (1) WO2015003627A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045360A (en) * 2010-12-27 2011-05-04 成都市华为赛门铁克科技有限公司 Method and device for processing baleful website library
CN102096683A (en) * 2009-12-11 2011-06-15 奇智软件(北京)有限公司 Method for realizing nameplate at browser address bar
CN102622435A (en) * 2012-02-29 2012-08-01 百度在线网络技术(北京)有限公司 Method and device for detecting black chain

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7590707B2 (en) * 2006-08-07 2009-09-15 Webroot Software, Inc. Method and system for identifying network addresses associated with suspect network destinations
CN103077349B (en) * 2013-01-05 2016-04-13 北京奇虎科技有限公司 A kind of method of browser side prompting access secure information and device
CN103327029B (en) * 2013-07-09 2015-09-09 腾讯科技(深圳)有限公司 A kind of detection method of malice network address and equipment

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015003627A1 (en) * 2013-07-09 2015-01-15 腾讯科技(深圳)有限公司 Method and device for detecting malicious uniform resource locator (url)
WO2015101337A1 (en) * 2014-01-03 2015-07-09 Tencent Technology (Shenzhen) Company Limited Malicious website address prompt method and router
US10375102B2 (en) 2014-01-03 2019-08-06 Tencent Technology (Shenzhen) Company Limitted Malicious web site address prompt method and router
CN104333558A (en) * 2014-11-17 2015-02-04 广州华多网络科技有限公司 Website detection method and device
CN104333558B (en) * 2014-11-17 2018-02-23 广州华多网络科技有限公司 A kind of network address detection method and network address detection means
CN105791236A (en) * 2014-12-23 2016-07-20 北京网御星云信息技术有限公司 Trojan communication channel detection method and system
CN105791236B (en) * 2014-12-23 2019-03-12 北京网御星云信息技术有限公司 A kind of wooden horse communication channel detection method and system
CN107547552A (en) * 2017-09-07 2018-01-05 杭州安恒信息技术有限公司 A kind of website credit assessment and device based on web site features identification and relationship topology
CN107547552B (en) * 2017-09-07 2020-02-21 杭州安恒信息技术股份有限公司 Website reputation degree evaluation method and device based on website feature identification and relationship topology
CN114650158A (en) * 2020-12-21 2022-06-21 深信服科技股份有限公司 HTTP detection method, system, equipment and computer storage medium

Also Published As

Publication number Publication date
WO2015003627A1 (en) 2015-01-15
CN103327029B (en) 2015-09-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant