CN103368957B - Method and system for processing web page access behavior, client, and server - Google Patents


Publication number
CN103368957B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310279888.2A
Other languages
Chinese (zh)
Other versions
CN103368957A (en)
Inventor
肖鹏
郑劲松
刘起
符云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201310279888.2A
Publication of CN103368957A
Application granted
Publication of CN103368957B

Abstract

The invention discloses a method and system for processing web page access behavior, together with a client and a server. The method includes: after an access request for the i-th level page is detected, obtaining the refer chain that contains the page ID of the i-th level page, where the refer chain contains the page IDs and URLs of the pages from the initial page to the i-th level page; sending all URLs contained in the refer chain to a server, so that the server queries whether those URLs belong to the blacklist and/or whitelist database it maintains and then matches the query result against preset rules to obtain a matching result; and receiving the matching result returned by the server and processing the access behavior of the i-th level page according to it. Compared with the prior art, the refer chain supplies more URLs and wider coverage, so detection efficiency is higher and the security of web browsing on the client is protected more effectively.

Description

Method and system for processing web page access behavior, client, and server
Technical field
The present invention relates to the technical field of computer networks, and in particular to a method and system for processing web page access behavior, a client, and a server.
Background
Malicious websites, such as phishing, fraudulent, or counterfeit websites, mainly work by imitating the URL or page content of a genuine site and posing as, for example, a banking or e-commerce site, or by exploiting vulnerabilities in a genuine site's server programs to insert dangerous web code into some of that site's pages, in order to trick users out of private data such as bank or credit card account numbers and passwords. Malicious web pages contain many sensitive features. For example, a financial-fraud page may imitate an official website in its text and images, or false ticketing, false prize-winning, fake online banking, or fake shopping information may be inserted into a genuine page. Most of these features appear in the page as text strings.
At present, malicious web pages are identified mainly through manual review: text features of some malicious websites are collected, and a browser plug-in judges page content against these text features to filter out attack sites that have already been reported. However, malicious websites now survive for shorter and shorter periods, new malicious pages appear constantly, and the volume of pages to review is too large. The features of malicious websites also change ever faster, so extracting information by traditional manual review is inefficient.
The main existing means of protecting against malicious websites is for the client, when the user visits a website, to send the website's URL to a blacklist and whitelist database on the server side for lookup. The blacklist database is a database of URLs of websites that have been reviewed and confirmed as malicious; the whitelist database holds the URLs of websites that have been reviewed and confirmed as safe. After the lookup, the server returns to the client the result of whether the website is malicious.
This existing approach can only check a single URL. Because the URLs of malicious websites change continually, the server-side blacklist and whitelist databases are updated far more slowly than malicious websites change. Detection based on a single URL therefore cannot detect malicious websites effectively, and so cannot protect the client's web browsing in a real-time, fast, and effective way.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a system for processing web page access behavior, a client, a server, and a corresponding method for processing web page access behavior that overcome the above problems or at least partially solve them.
According to one aspect of the invention, a method for processing web page access behavior is provided, for checking the i-th level page opened through the i-th level link of an initial page, where i ≥ 2. The method includes:
After an access request for the i-th level page is detected, obtaining the refer chain that contains the page ID of the i-th level page, the refer chain containing the page IDs and URLs of the pages from the initial page to the i-th level page;
Sending all URLs contained in the refer chain to a server, so that the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database maintained by the server, and then matches the query result against preset rules to obtain a matching result;
Receiving the matching result returned by the server, and processing the access behavior of the i-th level page according to the matching result.
According to another aspect of the invention, a client is provided, for checking the i-th level page opened through the i-th level link of an initial page, where i ≥ 2. The client includes:
A monitoring module, adapted to obtain, after an access request for the i-th level page is detected, the refer chain that contains the page ID of the i-th level page, the refer chain containing the page IDs and URLs of the pages from the initial page to the i-th level page;
A query interface, adapted to send all URLs contained in the refer chain to a server, so that the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database maintained by the server and then matches the query result against preset rules to obtain a matching result; and to receive the matching result returned by the server;
A protection module, adapted to process the access behavior of the i-th level page according to the matching result.
According to another aspect of the invention, a server is provided, for checking the i-th level page opened through the i-th level link of an initial page, where i ≥ 2. The server includes:
A blacklist and/or whitelist database, adapted to store the URLs that belong to the blacklist and/or whitelist;
A query interface, adapted to receive all URLs contained in the refer chain sent by the client, query whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database, match the query result against preset rules to obtain a matching result, and return the matching result to the client.
According to another aspect of the invention, a system for processing web page access behavior is provided, including the client and the server described above.
According to the method and system for processing web page access behavior, the client, and the server provided by the present invention, whenever the client detects an access request for a new page reached through the successive levels of links from the initial page, it obtains the refer chain corresponding to the new page and reports all URLs in the refer chain to the server; the server derives a matching result from these URLs, and the client processes the access behavior of the new page according to that result. Compared with the prior art, which checks only the URL of the new page, the refer chain supplies more URLs and wider coverage, so detection efficiency is higher and the security of web browsing on the client is protected more effectively.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features, and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method for processing web page access behavior according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method for creating a refer chain according to an embodiment of the invention;
Fig. 3 shows a structural block diagram of a client according to an embodiment of the invention;
Fig. 4 shows a structural block diagram of a server according to an embodiment of the invention;
Fig. 5 shows a structural block diagram of a system for processing web page access behavior according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed fully to those skilled in the art.
To address the technical problem that the prior art's single-URL detection cannot detect malicious websites effectively, and therefore cannot protect the client's web browsing in a real-time, fast, and effective way, the invention provides a scheme that uses refer chains to process web page access behavior. For the page the current user is visiting, its refer information is the URL of the parent page of the current page, that is, the URL of the previous-level page that linked to the current page. The invention obtains a refer chain from the URLs of the several levels of pages that link to the current page, and uses the refer chain to process web page access behavior.
Fig. 1 shows a flow chart of a method 100 for processing web page access behavior according to an embodiment of the invention. In this embodiment the current page is called the i-th level page, i ≥ 2, and the i-th level page is the page opened through the i-th level link of the initial page. Typically, after the user opens the browser, the browser accesses its default initial page, or the user triggers an access request for an initial page by typing in the address bar; the user then clicks a link on the initial page, or follows a link in some other way, to reach the 2nd level page from the initial page; clicks a link on the 2nd level page, or follows a link in some other way, to reach the 3rd level page from the 2nd level page; and so on, until the (i-1)-th level page links to the i-th level page. For example, after opening the browser the user types www.so.com in the address bar; this page is the initial page (its URL is denoted A below). The user then types "telephone recharge" in the search box and clicks the search button, and the browser jumps to http://www.so.com/s?ie=utf-8&src=360sou_home&q=%E8%AF%9D%E8%B4%B9%E5%85%85%E5%80%BC; this page is the 2nd level page (its URL is denoted B below). The 2nd level page offers many links; the user clicks one of them and the browser jumps to the corresponding page, http://chongzhi.360.cn/mobile/, which is the 3rd level page (its URL is denoted C below). The user clicks the "network game point card" link on the 3rd level page, and the browser jumps to http://chongzhi.360.cn/GameCard/index, which is the 4th level page (its URL is denoted D below).
As shown in Fig. 1, method 100 starts at step S101, in which the client's browser detects an access request for the i-th level page. The access request is triggered by the user clicking a link on the (i-1)-th level page or following a link in some other way. In the example above, the user clicks the "network game point card" link on the 3rd level page, and the browser detects the access request for the 4th level page, http://chongzhi.360.cn/GameCard/index.
After detecting the access request for the i-th level page, the browser loads the i-th level page and, while loading it, obtains the refer chain that contains the page ID of the i-th level page; this is step S102. The refer chain contains the page IDs and URLs of the pages from the initial page to the i-th level page. The page ID of each page is a unique ID that the browser generates for the page while loading it, and it serves as the index value of that page's URL in the refer chain. Using the page ID of the i-th level page, the browser looks up the refer chain that contains the URL of the i-th level page and has the i-th level page as its last-level page. For example, the refer chain is A(ID1)->B(ID2)->C(ID3)->D(ID4), where A, B, C, and D are the URLs of the pages at each level and ID1, ID2, ID3, and ID4 are their page IDs. When the browser loads page D, it finds this refer chain from page D's page ID, ID4.
In the example above, the following refer chain is obtained while the 4th level page is loading:
A(ID1)->B(ID2)->C(ID3)->D(ID4)
After step S102, method 100 proceeds to step S103, in which the client sends all URLs contained in the refer chain to the server. The client may report only the URLs of the pages at each level and need not report their page IDs. For the refer chain A(ID1)->B(ID2)->C(ID3)->D(ID4), the client sends A->B->C->D to the server. Optionally, in accordance with the cloud query protocol agreed with the server, the method may encrypt all URLs in the refer chain into ciphertext before sending them to the server. The URLs may be encrypted with a reversible encryption method or with an irreversible one; for example, a feature value may be computed for each URL in the refer chain and used as the ciphertext. Optionally, the feature value may be a hash computed with MD5 (Message Digest Algorithm, version 5), an SHA1 (Secure Hash Algorithm) code, a CRC (Cyclic Redundancy Check) code, or any other feature code that can uniquely identify the original information. Note that before the ciphertext of the URLs is uploaded to the cloud security server, URL strings that carry a user password must first be filtered out; such URLs are not uploaded, so as to keep user information safe.
After step S103, method 100 proceeds to step S104, in which the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database maintained by the server, and obtains a query result. If the client encrypted the URLs with a reversible encryption method, the server first decrypts the received ciphertext to recover all URLs in the refer chain; correspondingly, the blacklist and/or whitelist database stores URLs, and once the server has the URLs it queries the database to determine whether each URL belongs to the blacklist or to the whitelist. If the client encrypted the URLs with an irreversible encryption method, the blacklist and/or whitelist database correspondingly stores the feature values of the URLs; once the server has the feature values of all URLs in the refer chain, it queries the database to determine whether each URL belongs to the blacklist or to the whitelist.
After step S104, method 100 proceeds to step S105, in which the server matches the query result against preset rules to obtain a matching result. The preset rules are set according to actual requirements and specify the situations in which a risk prompt is needed. Two preset rules are described below as examples:
Rule one: a malicious page, dangerous page, or unknown page is reached through a search engine
If the query result shows that the URL of the i-th level page belongs to the blacklist database, that is, the i-th level page is a malicious or dangerous page, or that the URL of the i-th level page does not belong to the whitelist database, that is, the i-th level page is an unknown page; and it is determined that some page among the initial page to the (i-1)-th level page is a search page, that is, the i-th level page was reached through a search engine; then the query result matches rule one and the matching result is risk prompt information.
Optionally, the server also stores a search page URL list. In this step, the server determines whether the URL of any page among the initial page to the (i-1)-th level page belongs to the search page URL list; if so, that page is judged to be a search page. Note that other methods may also be used to identify a search page; the invention is not limited to this one.
Rule two: a payment page is reached through a malicious page, dangerous page, or unknown page
If the query result shows that the URL of any page among the initial page to the (i-1)-th level page belongs to the blacklist database, that is, the page is a malicious or dangerous page, or that the URL of any page among the initial page to the (i-1)-th level page does not belong to the whitelist database, that is, the page is an unknown page; and it is determined that the i-th level page is a payment page; then the query result matches rule two and the matching result is risk prompt information.
Optionally, the server also stores a payment page URL list. In this step, the server determines whether the URL of the i-th level page belongs to the payment page URL list; if so, the i-th level page is judged to be a payment page. Note that other methods may also be used to identify a payment page; the invention is not limited to this one.
Rules one and two above are only two specific examples. The invention is not limited to these two rules; according to actual requirements, the server may preset multiple rules for matching against query results.
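The server-side query and rule matching of steps S103 to S105, as an added example that is not code from the patent. The URLs and list contents are constructed, the names `feature`, `client_report`, `Server` and `chain_of` are hypothetical, and SHA-1 is picked from the feature values the text lists.

```python
import hashlib


def feature(url):
    """Feature value for the irreversible path: SHA-1 hex digest of the URL."""
    return hashlib.sha1(url.encode("utf-8")).hexdigest()


def client_report(refer_chain):
    """S103: report only the URLs (here as feature values), not the page IDs."""
    return [feature(url) for _page_id, url in refer_chain]


class Server:
    def __init__(self, blacklist, whitelist, search_pages, payment_pages):
        # The databases hold feature values, so raw URLs never reach the server.
        self.black = {feature(u) for u in blacklist}
        self.white = {feature(u) for u in whitelist}
        self.search = {feature(u) for u in search_pages}
        self.payment = {feature(u) for u in payment_pages}

    def query(self, features):
        """S104: classify every URL in the chain as black, white or unknown."""
        result = []
        for f in features:
            if f in self.black:
                result.append("black")
            elif f in self.white:
                result.append("white")
            else:
                result.append("unknown")
        return result

    def match(self, features):
        """S105: return the names of the preset rules the chain matches."""
        if len(features) < 2:
            raise ValueError("a refer chain needs at least two levels (i >= 2)")
        status = self.query(features)
        earlier, current = features[:-1], features[-1]
        matched = []
        # Rule one: page i is black or unknown and was reached via a search page.
        if status[-1] != "white" and any(f in self.search for f in earlier):
            matched.append("rule_one")
        # Rule two: an earlier page is black or unknown and page i is a payment page.
        if current in self.payment and any(s != "white" for s in status[:-1]):
            matched.append("rule_two")
        return matched  # a non-empty list means "risk prompt information"


# Constructed sample data (not from the patent).
HOME = "http://search.example/"
SEARCH = "http://search.example/s?q=phone+recharge"
SHOP = "http://shop.example/recharge"
PAY = "http://pay.example/checkout"
FAKE = "http://recharge-cheap.example/"   # on neither list: unknown
BAD = "http://known-bad.example/"         # blacklisted

SERVER = Server(
    blacklist=[BAD],
    whitelist=[HOME, SEARCH, SHOP, PAY],
    search_pages=[SEARCH],
    payment_pages=[PAY],
)


def chain_of(*urls):
    """Build a refer chain [(page_id, url), ...] with page IDs ID1, ID2, ..."""
    return [(f"ID{n}", u) for n, u in enumerate(urls, 1)]


if __name__ == "__main__":
    for urls in [(HOME, SEARCH, SHOP), (HOME, SEARCH, FAKE),
                 (HOME, SEARCH, FAKE, PAY)]:
        print(" -> ".join(urls), SERVER.match(client_report(chain_of(*urls))))
```

The last constructed chain ends on a whitelisted payment page, which a lookup of that single URL would pass; rule two flags it because of the unknown page earlier in the chain.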
After step S105, method 100 proceeds to step S106, in which the client receives the matching result returned by the server.
Method 100 then proceeds to step S107, in which the client's browser processes the access behavior of the i-th level page according to the matching result. If the matching result received is risk prompt information, the browser warns the user of the risk. Optionally, the browser can offer the user the choice of blocking the current page or continuing to access it; if the user chooses to block the current page, the browser blocks access to it. Warning the user of the risk may specifically mean marking the problematic page in the user interface, or showing a floating-window prompt when the mouse moves over the page; if it is determined that access to the page is to be blocked, the problematic page can be directly masked or covered.
According to the method for processing web page access behavior provided by this embodiment of the invention, whenever an access request for a new page reached through the successive levels of links from the initial page is detected, the refer chain corresponding to the new page is obtained and all URLs in the refer chain are reported to the server; the server derives a matching result from these URLs, and the client processes the access behavior of the new page according to that result. Compared with the prior art, which checks only the URL of the new page, the refer chain supplies more URLs and wider coverage, so detection efficiency is higher and the security of web browsing on the client is protected more effectively.
Further, on the basis of the above embodiment, a process for creating the refer chain takes place before step S102. Existing browsers provide an interface for obtaining the refer information of a URL, namely the get_refer interface. However, the refer information obtained through the get_refer interface contains only the URL of the page most recently visited before the current page, that is, the URL of the previous-level page that linked to the current page. In addition, a relatively long time passes between a page being opened and the get_refer interface becoming usable; if detection waits until the get_refer interface can be used, it takes too long. To obtain in real time a refer chain made up of the URLs of the pages at every level, the invention provides a method for creating refer chains. Specifically: whenever a new page is opened through any level of link from the initial page, the process responsible for maintaining refer chains obtains the page ID and URL of the new page and the page ID or URL of the new page's previous-level page, looks up the corresponding refer chain by the page ID or URL of the previous-level page, and creates the corresponding node of that refer chain.
Fig. 2 shows a flow chart of a method 200 for creating a refer chain according to an embodiment of the invention. As shown in Fig. 2, method 200 starts at the level-1 node creation step S201. In step S201, after an access request for the initial page is detected, the page ID of the initial page is generated, the URL of the initial page is obtained, the level-1 node of the refer chain is created, and the page ID and URL of the initial page are written to the refer chain as the information of the level-1 node. The default page accessed by the browser, or a page whose access the user triggers by typing in the address bar, is treated as an initial page, and a new refer chain is created for it. Specifically, after the browser detects the access request for the initial page, it loads the initial page. While loading it, the browser generates a unique ID as the page ID of the initial page and obtains the URL of the initial page. The URL of the initial page can be obtained through a specified response event interface, for example by implementing the specified response event interface of a standard plug-in mechanism.
In the IE (Internet Explorer) browser, the Browser Helper Object (BHO) plug-in mechanism can be used to obtain the URL that IE is currently loading by responding to the "BeforeNavigate2" event. In the Firefox browser, the specified response event interface provided by the Firefox extension mechanism is used to obtain the URL that Firefox is currently loading. In the Google Chrome browser, the Netscape Plugin Application Programming Interface (NPAPI) plug-in mechanism is used to obtain the URL that Chrome is currently loading. After the page ID (for example ID1) and URL (for example A) of the initial page are obtained, ID1 and A are used as the information of the level-1 node and the refer chain A(ID1) is created, where ID1 is the index information.
Note that in practice the computing environments people use, such as operating system and browser type, vary, so the entity that executes each of the foregoing steps can also be implemented in several ways. It may, for example, be a browser with identification and marking functions, where the browser may be Internet Explorer (IE), the browser that ships with the Windows operating system, or another third-party browser. A third-party browser generally means non-IE browser software running on the Windows operating system; such browsers usually offer a rich set of distinctive user-facing features and personalized extensions that give users many convenient applications. For example, the same plug-in mechanism can run on many types of browser, such as IE, Firefox, Google Chrome, Safari, Opera, QQ browser, roaming browser, Sogou browser, or Cheetah browser.
After the level-1 node creation step S201, method 200 enters a loop that creates the i-th level node. Starting from i = 2, method 200 proceeds to step S202, in which, after an access request for the i-th level page is detected, the page ID of the i-th level page is generated and the URL of the i-th level page and the page ID or URL of the (i-1)-th level page are obtained; the i-th level page is a page-level jump page of the (i-1)-th level page. Here, a "page-level jump" means going from the (i-1)-th level page to the i-th level page by way of a link, whether the user clicks a link on the (i-1)-th level page or some other user behavior triggers it. After the browser detects the access request for the i-th level page reached by a page-level jump, it loads the i-th level page. While loading it, the browser generates a unique ID as the page ID of the i-th level page and obtains its URL. The URL of the i-th level page can be obtained through a specified response event interface, for example by implementing the specified response event interface of a standard plug-in mechanism; for details see the earlier description of how the URL of the initial page is obtained.
To find the corresponding refer chain and continue creating nodes on it, step S202 must also obtain the page ID or URL of the (i-1)-th level page. The invention provides two different ways of obtaining the information of the (i-1)-th level page, for the different ways a browser can open a new page. One (mode one below) applies when the i-th level page is opened in a new window or new tab; the other (mode two below) applies when the i-th level page is opened in the current window or current tab.
Mode one:
First, after the access request for the i-th level page is detected, the interface object pointer of the i-th level page is obtained, and through that pointer the page ID of the (i-1)-th level page, which was obtained while the (i-1)-th level page was loading, is written to the interface object of the i-th level page. Then, while the i-th level page is loading, the page ID of the (i-1)-th level page is obtained by reading the information provided by the interface object of the i-th level page.
Mode one applies when the i-th level page is opened in a new window or new tab. Taking IE as an example, analysis of how IE opens a new window or new tab identified the handler function that IE's internal module calls to create the new window or tab. That function is hooked, and its return value is used to obtain the interface object pointer, such as an IWEBBROWSER2 pointer, of the new window or tab (the window or tab that will load the i-th level page). Because the browser has not yet started loading the i-th level page at this point, the current page ID recorded by the browser is still the page ID of the (i-1)-th level page obtained while that page was loading; the browser can therefore write the page ID of the (i-1)-th level page to the IWEBBROWSER2 object through the interface object pointer. Once the i-th level page starts loading, the page ID of the (i-1)-th level page can be obtained by reading the information provided by the i-th level page's IWEBBROWSER2 object.
Mode two:
After the access request for the i-th level page is detected and before the i-th level page is loaded, the URL of the (i-1)-th level page is obtained through the get_locationURL interface provided by the browser.
Mode two applies when the i-th level page is opened in the current window or current tab. In this case no new window or tab is opened, so the page ID of the (i-1)-th level page cannot be obtained in a way similar to mode one. Instead, after the access request for the i-th level page is detected but before the "BeforeNavigate2" event of the i-th level page, the get_locationURL interface still returns the URL of the (i-1)-th level page, so the get_locationURL interface can be used to obtain the URL of the (i-1)-th level page.
However, after the URL of the (i-1)-th level page has been obtained through the get_locationURL interface, it must also be determined whether the opening of the i-th level page was triggered by input in the browser's address bar; this can be judged from click and input actions on the address bar. If so, the URL of the (i-1)-th level page obtained through get_locationURL is cleared, the i-th level page is treated as an initial page, and step S201 is executed. If not, step S203 is executed.
Modes one and two address different situations. If the i-th level page is opened in a new window or new tab, step S202 obtains the page ID of the (i-1)-th level page by mode one; if it is opened in the current window or tab, step S202 obtains the URL of the (i-1)-th level page by mode two. If step S202 obtained the page ID of the (i-1)-th level page, the corresponding refer chain is subsequently looked up by that page ID; if it obtained the URL, the corresponding refer chain is looked up by that URL.
After step S202, method 200 proceeds to step S203, in which the refer chain containing the page ID or URL of the (i-1)-th level page is queried and the i-th level node of that refer chain is created, with the page ID and URL of the i-th level page as the information of the i-th level node.
Specifically, if step S202 obtained the page ID of the (i-1)-th level page by mode one, the refer chain containing the page ID of the (i-1)-th level page is queried directly. For example, if the page ID of the 2nd-level page obtained through step S202 is ID2 and its URL is B, and the page ID of the 1st-level page (that is, the initial page) is ID1, then in this step the refer chain containing ID1 is queried, the index information of the last-level node of that refer chain being ID1, i.e. A(ID1); the 2nd-level node of the refer chain is created with ID2 and B as the information of the 2nd-level node, giving the refer chain A(ID1)->B(ID2).
If step S202 obtained the URL of the (i-1)-th level page by mode two, the refer chain containing the URL of the (i-1)-th level page must be queried. Because several refer chains containing the same URL may be maintained at the same time, this step may find multiple refer chains that contain the URL of the (i-1)-th level page. However, because mode two applies where the i-th level page is still opened in the current window or current tab, page jumps are well ordered in time, so the most recently updated refer chain can be selected as the refer chain in which the i-th level node is to be created.
Alternatively, in mode one of step S202, only the URL of the (i-1)-th level page may be written to the interface object of the i-th level page, and the URL of the (i-1)-th level page is then obtained by reading the information provided by the interface object of the i-th level page. Then, in step S203, the refer chain containing the URL of the (i-1)-th level page is queried, and if multiple refer chains are found, the most recently updated one is selected as the refer chain in which the i-th level node is to be created. However, because mode one applies where the i-th level page is opened in a new window or new tab, the time ordering of page jumps is poor, so looking up the refer chain by page ID is more accurate than looking it up by URL.
Steps S202 and S203 are executed in a loop, thereby creating the complete refer chain. For the example above, the refer chain created is: A(ID1)->B(ID2)->C(ID3)->D(ID4).
When creating the refer chain, one special case must also be considered: when some pages are accessed, the page may automatically jump several times, for example through 3xx redirects; such jumps are referred to herein as inter-page jumps. In the IE browser, when a single page is accessed, the BHO mechanism provides three events: BeforeNavigate2, NavigateComplete2 and DocumentComplete2. Normally the URLs corresponding to the three events are identical, but if several 302 redirects occur, the following sequence appears: (BeforeNavigate2)url0->(302)url1->(302)url2->(NavigateComplete2)url2->(DocumentComplete2)url2. Continuing the example above, when page C is accessed, page C may automatically jump several times, to C1 and then to C2. Therefore, if inter-page jumps occur, the method above may not capture the URLs of all the jump pages.
In view of this special case, the embodiment of the present invention also includes, after step S203, a step of creating at least one i-th level child node, namely step S204. This step is executed when inter-page jumps occur on the i-th level page, and the at least one i-th level child node corresponds to at least one inter-page jump page of the i-th level page. In step S204, the function called during redirect processing is captured, and the URL of at least one inter-page jump page of the i-th level page is obtained from the input parameters of that function; the refer chain containing the page ID of the i-th level page is then queried, at least one i-th level child node of that refer chain is created, and the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page are used as the information of the at least one i-th level child node. Specifically, when a 3xx or similar redirect occurs, the browser performs redirect processing, during which it calls the "Urlmon!CINet::OnRedirect" function. The input parameters of this function record the URL of the inter-page jump page, so by capturing this function the URL of at least one inter-page jump page of the i-th level page can be obtained. The URL of the inter-page jump page obtained in this way is used as the information of the i-th level child node, and the index ID of the inter-page jump page is the same as the page ID of the i-th level page. For the example above, the refer chain created is: A(ID1)->B(ID2)->C(ID3)->C1(ID3)->C2(ID3)->D(ID4).
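The chain-building steps S201 to S204 described above can be modelled as follows. This is an added Python example, not code from the patent or from any browser plug-in; the class and method names are hypothetical, the browser events are replaced by direct method calls, and navigation is assumed to be linear (each page leads to at most one next page).

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class Node:
    url: str
    page_id: int  # index value; redirect child nodes reuse the page's ID


@dataclass
class ReferChain:
    nodes: list = field(default_factory=list)
    updated: int = 0  # logical time of the last update

    def render(self):
        return "->".join(f"{n.url}(ID{n.page_id})" for n in self.nodes)


class ReferChainTracker:
    def __init__(self):
        self.chains = []
        self._ids = itertools.count(1)    # page ID generator
        self._clock = itertools.count(1)  # orders chain updates

    def _latest(self, match):
        """Most recently updated chain holding a node that satisfies match."""
        hits = [c for c in self.chains if any(match(n) for n in c.nodes)]
        return max(hits, key=lambda c: c.updated, default=None)

    def _append(self, chain, url, page_id):
        chain.nodes.append(Node(url, page_id))
        chain.updated = next(self._clock)
        return page_id

    def open_initial(self, url):
        """S201: start a new chain; the initial page is its level-1 node."""
        chain = ReferChain()
        self.chains.append(chain)
        return self._append(chain, url, next(self._ids))

    def open_in_new_tab(self, prev_page_id, url):
        """Mode one: the previous page is identified by its page ID."""
        chain = self._latest(lambda n: n.page_id == prev_page_id)
        if chain is None:  # assumption: an unknown parent starts a new chain
            return self.open_initial(url)
        return self._append(chain, url, next(self._ids))

    def navigate_same_tab(self, prev_url, url, typed_in_address_bar=False):
        """Mode two: the previous page is identified by its URL."""
        if typed_in_address_bar:
            prev_url = None  # cleared: the page is treated as an initial page
        chain = None
        if prev_url is not None:
            chain = self._latest(lambda n: n.url == prev_url)
        if chain is None:
            return self.open_initial(url)
        return self._append(chain, url, next(self._ids))

    def record_redirects(self, page_id, redirect_urls):
        """S204: child nodes for inter-page jumps share the page's ID."""
        chain = self._latest(lambda n: n.page_id == page_id)
        if chain is None:
            raise KeyError(f"no refer chain contains page ID {page_id}")
        for url in redirect_urls:
            self._append(chain, url, page_id)

    def chain_for(self, page_id):
        return self._latest(lambda n: n.page_id == page_id)

    def urls_for(self, page_id):
        """All URLs of the chain, i.e. what the client reports to the server."""
        chain = self.chain_for(page_id)
        return [n.url for n in chain.nodes] if chain else []


def demo():
    # Single letters stand in for URLs, as in the page's own notation.
    t = ReferChainTracker()
    id1 = t.open_initial("A")
    id2 = t.open_in_new_tab(id1, "B")
    id3 = t.navigate_same_tab("B", "C")
    t.record_redirects(id3, ["C1", "C2"])
    id4 = t.open_in_new_tab(id3, "D")
    return t.chain_for(id4).render()


if __name__ == "__main__":
    print(demo())
```

Only the URLs returned by `urls_for` would leave the client; the page IDs stay local as lookup keys.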
With the method for processing web page access behavior provided by the embodiments of the present invention, whenever an access request for a new page reached through the links at each level from the initial page is detected, the refer chain corresponding to the new page is obtained and all URLs contained in the refer chain are reported to the server; the server derives a matching result from these URLs, and the client processes the access behavior for the new page according to that matching result. Compared with the prior art, which performs detection using only the URL of the new page, the refer chain provides more URLs and wider coverage, so detection efficiency is higher and the security of web browsing on the client can be protected more effectively. Further, the embodiments of the present invention also provide a method for creating the refer chain, by which the refer chain composed of the URLs of the pages at each level can be obtained in real time. The client can therefore send all URLs contained in the refer chain to the server promptly, the server can obtain very comprehensive URL information in time, and on the basis of that URL information the server can return the matching result to the client promptly, thereby protecting the security of web browsing on the client in real time.
Fig. 3 shows a structural block diagram of a client according to one embodiment of the present invention. The client is used to detect the i-th level page opened through the i-th level link of an initial page, i >= 2. As shown in Fig. 3, the client includes: monitoring module 31, query interface 32 and protection module 33; optionally, the client may also include encryption module 34.
Monitoring module 31 is adapted to obtain, after detecting the access request for the i-th level page, the refer chain containing the page ID of the i-th level page. The access request for the i-th level page is triggered by the user clicking a link in the (i-1)-th level page or by another linking method. After monitoring module 31 detects the access request for the i-th level page, the browser loads the i-th level page, and during loading monitoring module 31 obtains the refer chain containing the page ID of the i-th level page. The refer chain contains the page IDs and URLs of the initial page through the i-th level page, where the page ID of each level's page is a unique ID that the browser generates for the page when loading it and that serves as the index value of the page's URL in the refer chain. Using the page ID of the i-th level page, the browser queries the refer chain that contains the URL of the i-th level page and in which the i-th level page is the last-level page.
Query interface 32 is adapted to send all URLs contained in the refer chain to the server, so that the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database stored by the server and then matches the query result against preset rules to obtain a matching result; and to receive the matching result returned by the server. Optionally, in accordance with the cloud query protocol agreed with the server, encryption module 34 encrypts all URLs contained in the refer chain into ciphertext (for a description of the encryption method, see the method embodiment) and passes it to query interface 32, which sends the ciphertext to the server. Query interface 32 may report to the server only the ciphertext of the URLs of the pages at each level contained in the refer chain; the page IDs of the pages at each level need not be reported.
Protection module 33 is adapted to process the access behavior for the i-th level page according to the matching result. If the matching result is risk prompt information, protection module 33 prompts the user about the risk. Optionally, protection module 33 may offer the user the options of intercepting the current page or continuing to access the current page; if the user chooses to intercept the current page, protection module 33 intercepts the access behavior for the current page.
Further, the client may also include refer chain creation module 35. Refer chain creation module 35 includes: first node creating unit 36 and second node creating unit 37.
First node creating unit 36 is adapted to generate the page ID of the initial page after the access request for the initial page is detected, obtain the URL of the initial page, create the 1st-level node of the refer chain, and write the page ID and URL of the initial page into the refer chain as the information of the 1st-level node. Further, first node creating unit 36 includes: page ID generating unit 361 of the initial page, URL obtaining unit 362 of the initial page, and first node creating subunit 363. Page ID generating unit 361 of the initial page is adapted to generate the page ID of the initial page after the access request for the initial page is detected. URL obtaining unit 362 of the initial page is adapted to obtain, while the initial page is loading, the URL of the initial page currently being loaded through a specified response event interface, for example a specified response event interface that implements a standard plug-in mechanism. In the IE browser, the Browser Helper Object (BHO) plug-in mechanism is used, and the URL currently being loaded by IE can be obtained by responding to the "BeforeNavigate2" event. In the Firefox browser, the specified response event interface provided by the Firefox extension mechanism is used to obtain the URL currently being loaded by Firefox. In the Google Chrome browser, the NPAPI plug-in mechanism is used to obtain the URL currently being loaded by Chrome. First node creating subunit 363 is adapted to create the 1st-level node of the refer chain and write the page ID and URL of the initial page into the refer chain as the information of the 1st-level node.
Second node creating unit 37 is adapted, for i >= 2, to generate the page ID of the i-th level page after the access request for the i-th level page is detected, and to obtain the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page; and to query the refer chain containing the page ID or URL of the (i-1)-th level page and create the i-th level node of that refer chain, with the page ID and URL of the i-th level page as the information of the i-th level node. Second node creating unit 37 is adapted to create the nodes at each level of the refer chain. Further, second node creating unit 37 includes: page ID generating unit 371 of the i-th level page, URL obtaining unit 372 of the i-th level page, page ID or URL obtaining unit 373 of the (i-1)-th level page, and second node creating subunit 374. Page ID generating unit 371 of the i-th level page is adapted to generate the page ID of the i-th level page after the access request for the i-th level page is detected. URL obtaining unit 372 of the i-th level page is adapted to obtain, while the i-th level page is loading, the URL of the i-th level page currently being loaded through the specified response event interface; for the specific way of obtaining this URL, see the description of obtaining the URL of the initial page. Page ID or URL obtaining unit 373 of the (i-1)-th level page is adapted to obtain the page ID or URL of the (i-1)-th level page after the access request for the i-th level page is detected. Second node creating subunit 374 is adapted to query the refer chain containing the page ID or URL of the (i-1)-th level page and create the i-th level node of that refer chain, with the page ID and URL of the i-th level page as the information of the i-th level node.
Optionally, second node creating unit 37 of the client also includes: capturing unit 375 and writing unit 376. Capturing unit 375 is adapted to obtain the interface object pointer of the i-th level page after the access request for the i-th level page is detected. Writing unit 376 is adapted to write, through the interface object pointer, the page ID of the (i-1)-th level page obtained while the (i-1)-th level page was loading into the interface object of the i-th level page. This embodiment applies where the i-th level page is opened in a new window or new tab. Taking the IE browser as an example, capturing unit 375 is further adapted to capture, after the access request for the i-th level page is detected, the function that the browser calls to create the new window or new tab, and to obtain the interface object pointer of the i-th level page, such as an IWEBBROWSER2 pointer, from the return value of that function. Because the browser has not yet started loading the i-th level page at this point, the page ID of the current page recorded by the browser is still the page ID of the (i-1)-th level page obtained while the (i-1)-th level page was loading; writing unit 376 can therefore write the page ID of the (i-1)-th level page into the IWEBBROWSER2 object through the interface object pointer. Page ID or URL obtaining unit 373 of the (i-1)-th level page is specifically adapted to obtain the page ID of the (i-1)-th level page, while the i-th level page is loading, by reading the information provided by the interface object of the i-th level page. Alternatively, writing unit 376 is adapted to write, through the interface object pointer, the URL of the (i-1)-th level page obtained while the (i-1)-th level page was loading into the interface object of the i-th level page.
Optionally, page ID or URL obtaining unit 373 of the (i-1)-th level page is further adapted to obtain the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser, after the access request for the i-th level page is detected and before the i-th level page is loaded. Second node creating unit 37 also includes: judging unit 377 and clearing unit 378. Judging unit 377 is adapted to determine whether the opening of the i-th level page was triggered by input in the browser address bar; specifically, this can be determined from click and input actions on the browser address bar. Clearing unit 378 is adapted, when the result of judging unit 377 is yes, to clear the URL of the (i-1)-th level page obtained by page ID or URL obtaining unit 373 of the (i-1)-th level page and to trigger first node creating unit 36 to treat the i-th level page as an initial page. When the result of judging unit 377 is no, judging unit 377 triggers second node creating subunit 374 to create the i-th level node of the refer chain.
If page ID or URL obtaining unit 373 of the (i-1)-th level page obtains the page ID of the (i-1)-th level page, second node creating subunit 374 directly queries the refer chain containing the page ID of the (i-1)-th level page and creates the i-th level node of that refer chain, with the page ID and URL of the i-th level page as the information of the i-th level node. If page ID or URL obtaining unit 373 of the (i-1)-th level page obtains the URL of the (i-1)-th level page, second node creating subunit 374 queries the refer chain containing the URL of the (i-1)-th level page, selects the most recently updated refer chain if multiple refer chains are found, and creates the i-th level node of that refer chain, with the page ID and URL of the i-th level page as the information of the i-th level node.
To cover the case in which a page automatically jumps several times while the refer chain is being created, refer chain creation module 35 also includes: second child node creating unit 38, adapted to capture the function called during redirect processing and obtain the URL of at least one inter-page jump page of the i-th level page from the input parameters of that function; and to query the refer chain containing the page ID of the i-th level page and create at least one i-th level child node of that refer chain, with the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.
Fig. 4 shows a structural block diagram of a server according to one embodiment of the present invention. The server is used to detect the i-th level page opened through the i-th level link of an initial page, i >= 2. As shown in Fig. 4, the server includes: blacklist and/or whitelist database 41 and query interface 42.
Blacklist and/or whitelist database 41 is adapted to store the URLs belonging to the blacklist and/or whitelist. The server collects in advance web pages that have been identified as safe and web pages that have been identified as dangerous or malicious, stores the URLs of the safe web pages in the whitelist database, and stores the URLs of the dangerous or malicious web pages in the blacklist database. Optionally, what is stored in blacklist and/or whitelist database 41 may instead be feature values of the URLs.
Preferably, in the embodiments of the present invention, blacklist and/or whitelist database 41 may include, but is not limited to, a phishing URL library, a fraudulent advertisement URL library, or any other type of malicious URL library.
Query interface 42 is adapted to receive all URLs contained in the refer chain sent by the client, query whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database, match the query result against preset rules to obtain a matching result, and return the matching result to the client. If all URLs contained in the refer chain were encrypted on the client side with a reversible encryption method, query interface 42 includes a module that decrypts the received ciphertext, and all URLs contained in the refer chain are obtained after decryption by that module.
The preset rules are set according to actual requirements and specify the situations in which a risk prompt is needed. Two preset rules are described below as examples:
Rule one: a malicious page, dangerous page or unknown page is reached through a search engine
For rule one, query interface 42 is further adapted as follows: if the query result shows that the URL of the i-th level page belongs to the blacklist database, i.e. the i-th level page is a malicious or dangerous page, or that the URL of the i-th level page does not belong to the whitelist database, i.e. the i-th level page is an unknown page; and it is determined that any page from the initial page to the (i-1)-th level page is a search page, i.e. the i-th level page was reached through a search engine, then the query result matches rule one and the matching result is risk prompt information.
Rule two: a payment page is reached through a malicious page, dangerous page or unknown page
For rule two, query interface 42 is further adapted as follows: if the query result shows that the URL of any page from the initial page to the (i-1)-th level page belongs to the blacklist database, i.e. that page is a malicious or dangerous page, or that the URL of any page from the initial page to the (i-1)-th level page does not belong to the whitelist database, i.e. that page is an unknown page; and it is determined that the i-th level page is a payment page, then the query result matches rule two and the matching result is risk prompt information.
Rule one and rule two above are only two specific examples, and the present invention is not limited to these two rules; according to actual requirements, the server may preset multiple rules for matching the query result.
Further, the server may also include: search page URL database 43, adapted to store a search page URL list; and payment page URL database 44, adapted to store a payment page URL list. Query interface 42 determines that any page from the initial page to the (i-1)-th level page is a search page by determining that the URL of that page belongs to the preset search page URL list; and determines that the i-th level page is a payment page by determining that the URL of the i-th level page belongs to the preset payment page URL list.
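Rule one and rule two, evaluated on the server over the URLs of a refer chain, can be sketched as follows. This is an added Python example, not the patent's implementation; the list contents are constructed placeholder hostnames, and matching by hostname is an assumption (the page only says the databases hold URLs or URL feature values).

```python
from urllib.parse import urlsplit

# Constructed sample data; the hostnames are placeholders, not real indicators.
BLACKLIST = {"evil.example"}
WHITELIST = {"search.example", "shop.example", "pay.example"}
SEARCH_PAGES = {"search.example"}   # stands in for search page URL database 43
PAYMENT_PAGES = {"pay.example"}     # stands in for payment page URL database 44


def host(url):
    """Lookup key for a URL (assumption: the lists are keyed by hostname)."""
    return (urlsplit(url).hostname or "").lower()


def is_suspect(url):
    """Malicious or dangerous (blacklisted), or unknown (not whitelisted)."""
    h = host(url)
    return h in BLACKLIST or h not in WHITELIST


def match_rules(chain_urls):
    """Return the names of the preset rules that the refer chain matches.

    chain_urls lists the URLs from the initial page to the i-th level page,
    in order; the last element is the page being opened.
    """
    if len(chain_urls) < 2:  # both rules relate page i to pages 1..i-1
        return []
    *earlier, current = chain_urls
    matched = []
    # Rule one: a suspect page is reached through a search page.
    if is_suspect(current) and any(host(u) in SEARCH_PAGES for u in earlier):
        matched.append("rule_1")
    # Rule two: a payment page is reached through a suspect page.
    if host(current) in PAYMENT_PAGES and any(is_suspect(u) for u in earlier):
        matched.append("rule_2")
    return matched


def verdict(chain_urls):
    """Matching result returned to the client."""
    return "risk_prompt" if match_rules(chain_urls) else "no_match"


if __name__ == "__main__":
    chain = [
        "https://shop.example/",
        "http://unknown.example/promo",   # not on the whitelist
        "https://pay.example/checkout",   # whitelisted payment page
    ]
    # Checking only the last URL finds nothing; the chain matches rule two.
    print(is_suspect(chain[-1]), match_rules(chain), verdict(chain))
```

The search page itself has to be on the whitelist in this model; otherwise every chain that passes through it and ends on a payment page would match rule two.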
Fig. 5 shows a structural block diagram of a system for processing web page access behavior according to one embodiment of the present invention. As shown in Fig. 5, the system includes client 30 and server 40; for the specific structure and functions of client 30 and server 40, see the description of the embodiments above, which is not repeated here.
With the client, server and system for processing web page access behavior provided by the embodiments of the present invention, after the client detects an access request for a new page reached through the links at each level from the initial page, it obtains the refer chain corresponding to the new page and reports all URLs contained in the refer chain to the server; the server derives a matching result from these URLs, and the client processes the access behavior for the new page according to that matching result. Compared with the prior art, which performs detection using only the URL of the new page, the refer chain provides more URLs and wider coverage, so detection efficiency is higher and the security of web browsing on the client can be protected more effectively. Further, the client of the embodiments of the present invention also has the function of creating the refer chain, by which the refer chain composed of the URLs of the pages at each level can be obtained in real time. The client can therefore send all URLs contained in the refer chain to the server promptly, the server can obtain very comprehensive URL information in time, and on the basis of that URL information the server can return the matching result to the client promptly, thereby protecting the security of web browsing on the client in real time.
According to the method provided by the embodiments of the present invention, after the step of obtaining the page ID and URL of the (i-1)-th level page through the get_locationURL interface provided by the browser, the method further includes:
Determining whether the opening of the i-th level page was triggered by input in the browser address bar;
If the result is yes, clearing the URL of the (i-1)-th level page obtained through the get_locationURL interface provided by the browser, and treating the i-th level page as an initial page;
If the result is no, executing the step of creating the i-th level node of the refer chain.
The method provided by the embodiments of the present invention further includes, after the step of creating the i-th level node, a step of creating at least one i-th level child node, the at least one i-th level child node corresponding to at least one inter-page jump page of the i-th level page: capturing the function called during redirect processing, and obtaining the URL of at least one inter-page jump page of the i-th level page from the input parameters of the function called during redirect processing; and querying the refer chain containing the page ID of the i-th level page, creating at least one i-th level child node of that refer chain, and using the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.
The client provided by the embodiments of the present invention is used to detect the i-th level page opened through the i-th level link of an initial page, i >= 2; the client includes:
A monitoring module, adapted to obtain, after the access request for the i-th level page is detected, the refer chain containing the page ID of the i-th level page, the refer chain containing the page IDs and URLs of the initial page through the i-th level page;
A query interface, adapted to send all URLs contained in the refer chain to a server, so that the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database stored by the server and then matches the query result against preset rules to obtain a matching result; and to receive the matching result returned by the server;
A protection module, adapted to process the access behavior for the i-th level page according to the matching result.
In the client according to the embodiments of the present invention, if the matching result received by the query interface is risk prompt information, the protection module is further adapted to prompt the user about the risk according to the risk prompt information, and to intercept the access behavior for the i-th level page according to the user's choice.
The client according to the embodiments of the present invention also includes: an encryption module, adapted to encrypt all URLs contained in the refer chain into ciphertext and pass it to the query interface, which sends the ciphertext to the server.
The client according to the embodiments of the present invention also includes: a refer chain creation module;
The refer chain creation module includes:
A first node creating unit, adapted to generate the page ID of the initial page after the access request for the initial page is detected, obtain the URL of the initial page, create the 1st-level node of the refer chain, and write the page ID and URL of the initial page into the refer chain as the information of the 1st-level node;
A second node creating unit, adapted, for i >= 2, to generate the page ID of the i-th level page after the access request for the i-th level page is detected, and to obtain the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page; and to query the refer chain containing the page ID or URL of the (i-1)-th level page and create the i-th level node of that refer chain, with the page ID and URL of the i-th level page as the information of the i-th level node;
The second node creating unit is adapted to create the nodes at each level of the refer chain.
In the client according to the embodiments of the present invention,
The first node creating unit includes:
A page ID generating unit of the initial page, adapted to generate the page ID of the initial page after the access request for the initial page is detected;
A URL obtaining unit of the initial page, adapted to obtain, while the initial page is loading, the URL of the initial page currently being loaded through a specified response event interface;
A first node creating subunit, adapted to create the 1st-level node of the refer chain and write the page ID and URL of the initial page into the refer chain as the information of the 1st-level node;
The second node creating unit includes:
A page ID generating unit of the i-th level page, adapted to generate the page ID of the i-th level page after the access request for the i-th level page is detected;
A URL obtaining unit of the i-th level page, adapted to obtain, while the i-th level page is loading, the URL of the i-th level page currently being loaded through the specified response event interface;
A page ID or URL obtaining unit of the (i-1)-th level page, adapted to obtain the page ID or URL of the (i-1)-th level page after the access request for the i-th level page is detected;
A second node creating subunit, adapted to query the refer chain containing the page ID or URL of the (i-1)-th level page and create the i-th level node of that refer chain, with the page ID and URL of the i-th level page as the information of the i-th level node.
In the client according to the embodiments of the present invention, the second node creating unit also includes: a capturing unit, adapted to obtain the interface object pointer of the i-th level page after the access request for the i-th level page is detected; and a writing unit, adapted to write, through the interface object pointer, the page ID of the (i-1)-th level page obtained while the (i-1)-th level page was loading into the interface object of the i-th level page;
The page ID or URL obtaining unit of the (i-1)-th level page is specifically adapted to obtain the page ID of the (i-1)-th level page, while the i-th level page is loading, by reading the information provided by the interface object of the i-th level page.
In the client according to the embodiments of the present invention, the capturing unit is further adapted to capture, after the access request for the i-th level page is detected, the function that the browser calls to create a new window or new tab, and to obtain the interface object pointer of the i-th level page from the return value of that function.
In the client according to the embodiments of the present invention, the page ID or URL obtaining unit of the (i-1)-th level page is further adapted to obtain the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser, after the access request for the i-th level page is detected and before the i-th level page is loaded.
In the client according to the embodiments of the present invention, the second node creating unit also includes:
A judging unit, adapted to determine whether the opening of the i-th level page was triggered by input in the browser address bar;
A clearing unit, adapted, when the result of the judging unit is yes, to clear the URL of the (i-1)-th level page obtained by the page ID or URL obtaining unit of the (i-1)-th level page and to trigger the first node creating unit to treat the i-th level page as an initial page;
When the result of the judging unit is no, the judging unit triggers the second node creating subunit to create the i-th level node of the refer chain.
In the client according to the embodiments of the present invention, the refer chain creation module also includes: a second child node creating unit, adapted to capture the function called during redirect processing and obtain the URL of at least one inter-page jump page of the i-th level page from the input parameters of the function called during redirect processing; and to query the refer chain containing the page ID of the i-th level page and create at least one i-th level child node of that refer chain, with the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.
The server according to the embodiments of the present invention is used to detect the i-th level page opened through the i-th level link of an initial page, i >= 2; the server includes:
A blacklist and/or whitelist database, adapted to store the URLs belonging to the blacklist and/or whitelist;
A query interface, adapted to receive all URLs contained in the refer chain sent by the client, query whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database, match the query result against preset rules to obtain a matching result, and return the matching result to the client.
Server described according to embodiments of the present invention, the query interface are further adapted for:
If Query Result shows that the URL of the i-stage page belongs to black list database or is not belonging to white list database, and And judge that initial page is searched page to arbitrary page in the i-th -1 grade page, then obtain matching result and believe for indicating risk Breath;
Or, if Query Result shows that initial page belongs to blacklist number to the URL of arbitrary page in the i-th -1 grade page According to storehouse or white list database is not belonging to, and judges that the i-stage page for paying the page, then obtains matching result and carries for risk Show information.
Described server, also includes according to embodiments of the present invention:
Searched page url database, is suitable to preserve searched page url list;
Page url database is paid, is suitable to preserve payment page url list;
The query interface belongs to default by judging the initial page to the URL of arbitrary page in the i-th -1 grade page Searched page url list, determine the initial page to arbitrary page in the i-th -1 grade page be searched page;And, pass through Judge that the URL of the i-stage page belongs to default payment page url list, determine that the i-stage page is the payment page.
The system processed by web page access behavior according to embodiments of the present invention, including above-mentioned client and above-mentioned Server.
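The two preset rules of the query interface can be written out as below. This is an added example, not the patent's implementation: the function and class names, the "no_match" result, matching list entries by host name on a label boundary, and treating an unparseable URL as untrusted are assumptions, and the URLs are constructed samples.

```python
"""Server-side matching of a refer chain against the two preset rules."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

RISK_PROMPT = "risk_prompt"  # the "risk prompt information" result
NO_MATCH = "no_match"        # assumption: neither rule fired


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, or '' if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    return (host or "").lower().rstrip(".")


def listed(host: str, entries: Iterable[str]) -> bool:
    """Exact host or sub-domain match on a label boundary, so that
    'search.example.evil.test' never matches the entry 'search.example'."""
    return any(host == e or host.endswith("." + e) for e in entries)


@dataclass
class UrlDatabases:
    blacklist: Optional[FrozenSet[str]] = None  # None = list not deployed
    whitelist: Optional[FrozenSet[str]] = None
    search_pages: FrozenSet[str] = field(default_factory=frozenset)
    payment_pages: FrozenSet[str] = field(default_factory=frozenset)

    def untrusted(self, url: str) -> bool:
        """Belongs to the blacklist, or does not belong to the whitelist."""
        host = host_of(url)
        if not host:
            return True  # assumption: unparseable URLs are not trusted
        if self.blacklist is not None and listed(host, self.blacklist):
            return True
        if self.whitelist is not None and not listed(host, self.whitelist):
            return True
        return False

    def is_search(self, url: str) -> bool:
        return listed(host_of(url), self.search_pages)

    def is_payment(self, url: str) -> bool:
        return listed(host_of(url), self.payment_pages)


def match_chain(chain_urls: List[str], db: UrlDatabases) -> Tuple[str, str]:
    """chain_urls runs from the initial page to the i-th level page (i >= 2)."""
    if len(chain_urls) < 2:
        raise ValueError("a refer chain needs an initial page and a target")
    *earlier, target = chain_urls
    # Rule 1: untrusted target reached from a search page.
    if db.untrusted(target) and any(db.is_search(u) for u in earlier):
        return RISK_PROMPT, "search_to_untrusted"
    # Rule 2: payment page reached through an untrusted page.
    if db.is_payment(target) and any(db.untrusted(u) for u in earlier):
        return RISK_PROMPT, "untrusted_to_payment"
    return NO_MATCH, ""


SAMPLE_DB = UrlDatabases(  # constructed sample data
    blacklist=frozenset({"phish.example"}),
    whitelist=frozenset({"search.example", "shop.example", "pay.example"}),
    search_pages=frozenset({"search.example"}),
    payment_pages=frozenset({"pay.example"}),
)

if __name__ == "__main__":
    print(match_chain(["https://search.example/?q=bank",
                       "http://phish.example/login"], SAMPLE_DB))
    print(match_chain(["https://shop.example/", "http://hop.example/r",
                       "https://pay.example/checkout"], SAMPLE_DB))
```

The second sample chain shows why the whole chain is sent: the payment URL itself is whitelisted, and only the intermediate hop triggers the prompt.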
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It should be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components of the client, the server and the system for processing web page access behavior according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.

Claims (26)

1. A method for processing web page access behavior, used to detect an i-th level page opened through the i-th level link of an initial page, wherein the access request for the i-th level page is triggered by clicking a link in the (i-1)-th level page or by another linking mode, i ≥ 2; the method comprising:
a step of creating a refer chain, wherein, when the i-th level page is opened through the i-th level link of the initial page, the process responsible for maintaining refer chains obtains the page ID and URL of the i-th level page and the page ID or URL of the (i-1)-th level page, queries the corresponding refer chain according to the page ID or URL of the (i-1)-th level page, and creates the corresponding node of that refer chain;
after the access request for the i-th level page is detected, obtaining the refer chain containing the page ID of the i-th level page, the refer chain containing the page IDs and URLs of the pages from the initial page to the i-th level page;
sending all URLs contained in the refer chain to a server, so that the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database stored by the server, and then matches the query result against preset rules to obtain a matching result;
receiving the matching result returned by the server, and processing the access behavior for the i-th level page according to the matching result.
2. The method according to claim 1, wherein matching the query result against preset rules to obtain a matching result further comprises:
if the query result shows that the URL of the i-th level page belongs to the blacklist database or does not belong to the whitelist database, and any page from the initial page to the (i-1)-th level page is judged to be a search page, obtaining risk prompt information as the matching result;
or, if the query result shows that the URL of any page from the initial page to the (i-1)-th level page belongs to the blacklist database or does not belong to the whitelist database, and the i-th level page is judged to be a payment page, obtaining risk prompt information as the matching result.
3. The method according to claim 2, wherein judging that any page from the initial page to the (i-1)-th level page is a search page is specifically: judging whether the URL of any page from the initial page to the (i-1)-th level page belongs to a preset search page URL list, and if so, judging that any page from the initial page to the (i-1)-th level page is a search page;
and judging that the i-th level page is a payment page is specifically: judging whether the URL of the i-th level page belongs to a preset payment page URL list, and if so, judging that the i-th level page is a payment page.
4. The method according to claim 2 or 3, wherein, if the matching result is risk prompt information, processing the access behavior for the i-th level page according to the matching result specifically comprises: prompting the user of the risk according to the risk prompt information, and intercepting the access behavior for the i-th level page according to the user's selection.
5. The method according to claim 1, wherein sending all URLs contained in the refer chain to the server is specifically: encrypting all URLs contained in the refer chain into ciphertext and sending the ciphertext to the server.
6. The method according to claim 1, 2, 3 or 5, wherein the step of creating the refer chain further comprises:
a 1st level node creation step: after the access request for the initial page is detected, generating the page ID of the initial page, obtaining the URL of the initial page, creating the 1st level node of the refer chain, and writing the page ID and URL of the initial page into the refer chain as the information of the 1st level node;
an i-th level node creation step, i ≥ 2: after the access request for the i-th level page is detected, generating the page ID of the i-th level page, and obtaining the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page; and querying the refer chain containing the page ID or URL of the (i-1)-th level page, creating the i-th level node of that refer chain, and using the page ID and URL of the i-th level page as the information of the i-th level node;
the nodes at each level of the refer chain being created by the i-th level node creation step.
7. The method according to claim 6, wherein obtaining the URL of the initial page after the access request for the initial page is detected is specifically: while the initial page is being loaded, obtaining the URL of the currently loading initial page through a specified response event interface;
and obtaining the URL of the i-th level page after the access request for the i-th level page is detected is specifically: while the i-th level page is being loaded, obtaining the URL of the currently loading i-th level page through a specified response event interface.
8. The method according to claim 7, wherein obtaining the page ID of the (i-1)-th level page further comprises:
after the access request for the i-th level page is detected, obtaining the interface object pointer of the i-th level page, and, according to the interface object pointer, writing into the interface object of the i-th level page the page ID of the (i-1)-th level page acquired while the (i-1)-th level page was being loaded;
while the i-th level page is being loaded, obtaining the page ID of the (i-1)-th level page by reading the information provided by the interface object of the i-th level page.
9. The method according to claim 8, wherein the step of obtaining the interface object pointer of the i-th level page comprises: capturing the function that the browser calls to create a new window or new tab, and using the return value of that function to obtain the interface object pointer of the i-th level page.
10. The method according to claim 7, wherein obtaining the URL of the (i-1)-th level page further comprises:
after the access request for the i-th level page is detected and before the i-th level page is loaded, obtaining the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser.
11. The method according to claim 10, further comprising, after the step of obtaining the page ID and URL of the (i-1)-th level page through the get_locationURL interface provided by the browser:
judging whether the opening of the i-th level page was triggered by input in the browser address bar;
if the judgment result is yes, emptying the URL of the (i-1)-th level page obtained through the get_locationURL interface provided by the browser, and processing the i-th level page as an initial page;
if the judgment result is no, executing the step of creating the i-th level node of the refer chain.
12. The method according to claim 6, further comprising, after the i-th level node creation step: at least one i-th level child node creation step, the at least one i-th level child node corresponding to at least one inter-page jump page of the i-th level page: capturing the function called during redirect handling, and obtaining, from the input parameters of that function, the URL of the at least one inter-page jump page of the i-th level page; and querying the refer chain containing the page ID of the i-th level page, creating at least one i-th level child node of that refer chain, and using the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.
13. A client, used to detect an i-th level page opened through the i-th level link of an initial page, wherein the access request for the i-th level page is triggered by clicking a link in the (i-1)-th level page or by another linking mode, i ≥ 2; the client including:
a refer chain creation module, adapted so that, when the i-th level page is opened through the i-th level link of the initial page, the process responsible for maintaining refer chains obtains the page ID and URL of the i-th level page and the page ID or URL of the (i-1)-th level page, queries the corresponding refer chain according to the page ID or URL of the (i-1)-th level page, and creates the corresponding node of that refer chain;
a monitoring module, adapted to obtain, after the access request for the i-th level page is detected, the refer chain containing the page ID of the i-th level page, the refer chain containing the page IDs and URLs of the pages from the initial page to the i-th level page;
a query interface, adapted to send all URLs contained in the refer chain to a server, so that the server queries whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database stored by the server, and then matches the query result against preset rules to obtain a matching result; and to receive the matching result returned by the server;
a protection module, adapted to process the access behavior for the i-th level page according to the matching result.
14. The client according to claim 13, wherein, if the matching result received by the query interface is risk prompt information, the protection module is further adapted to: prompt the user of the risk according to the risk prompt information, and intercept the access behavior for the i-th level page according to the user's selection.
15. The client according to claim 13, further including: an encrypting module, adapted to encrypt all URLs contained in the refer chain into ciphertext and send the ciphertext to the query interface, the query interface sending the ciphertext to the server.
16. The client according to claim 13, 14 or 15, wherein the refer chain creation module further includes:
a first node creating unit, adapted to, after the access request for the initial page is detected, generate the page ID of the initial page, obtain the URL of the initial page, create the 1st level node of the refer chain, and write the page ID and URL of the initial page into the refer chain as the information of the 1st level node;
a second node creating unit, i ≥ 2, adapted to, after the access request for the i-th level page is detected, generate the page ID of the i-th level page, and obtain the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page; and to query the refer chain containing the page ID or URL of the (i-1)-th level page, create the i-th level node of that refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node;
the second node creating unit being adapted to create the nodes at each level of the refer chain.
17. The client according to claim 16, wherein
the first node creating unit includes:
a page ID generating unit for the initial page, adapted to generate the page ID of the initial page after the access request for the initial page is detected;
a URL acquiring unit for the initial page, adapted to obtain, while the initial page is being loaded, the URL of the currently loading initial page through a specified response event interface;
a first node creating subunit, adapted to create the 1st level node of the refer chain and write the page ID and URL of the initial page into the refer chain as the information of the 1st level node;
the second node creating unit includes:
a page ID generating unit for the i-th level page, adapted to generate the page ID of the i-th level page after the access request for the i-th level page is detected;
a URL acquiring unit for the i-th level page, adapted to obtain, while the i-th level page is being loaded, the URL of the currently loading i-th level page through a specified response event interface;
a page ID or URL acquiring unit for the (i-1)-th level page, adapted to obtain the page ID or URL of the (i-1)-th level page after the access request for the i-th level page is detected;
a second node creating subunit, adapted to query the refer chain containing the page ID or URL of the (i-1)-th level page, create the i-th level node of that refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node.
18. The client according to claim 17, wherein the second node creating unit further includes: a capturing unit, adapted to obtain the interface object pointer of the i-th level page after the access request for the i-th level page is detected; and a writing unit, adapted to write, according to the interface object pointer, into the interface object of the i-th level page the page ID of the (i-1)-th level page acquired while the (i-1)-th level page was being loaded;
the page ID or URL acquiring unit for the (i-1)-th level page is specifically adapted to: while the i-th level page is being loaded, obtain the page ID of the (i-1)-th level page by reading the information provided by the interface object of the i-th level page.
19. The client according to claim 18, wherein the capturing unit is further adapted to: after the access request for the i-th level page is detected, capture the function that the browser calls to create a new window or new tab, and use the return value of that function to obtain the interface object pointer of the i-th level page.
20. The client according to claim 17, wherein the page ID or URL acquiring unit for the (i-1)-th level page is further adapted to: after the access request for the i-th level page is detected and before the i-th level page is loaded, obtain the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser.
21. The client according to claim 20, wherein the second node creating unit further includes:
a judging unit, adapted to judge whether the opening of the i-th level page was triggered by input in the browser address bar;
an emptying unit, adapted to, when the judging unit's result is yes, empty the URL of the (i-1)-th level page acquired by the page ID or URL acquiring unit for the (i-1)-th level page, and trigger the first node creating unit to process the i-th level page as an initial page;
when the judging unit's result is no, the judging unit triggers the second node creating subunit to create the i-th level node of the refer chain.
22. The client according to claim 16, wherein the refer chain creation module further includes: a second child node creating unit, adapted to capture the function called during redirect handling, and obtain, from the input parameters of that function, the URL of at least one inter-page jump page of the i-th level page; and to query the refer chain containing the page ID of the i-th level page, create at least one i-th level child node of that refer chain, and use the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.
23. A server, used to detect an i-th level page opened through the i-th level link of an initial page, wherein the access request for the i-th level page is triggered by clicking a link in the (i-1)-th level page or by another linking mode, i ≥ 2; the server including:
a blacklist and/or whitelist database, adapted to store URLs belonging to the blacklist and/or whitelist;
a query interface, adapted to receive all URLs contained in the refer chain sent by a client, query whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database, then match the query result against preset rules to obtain a matching result, and return the matching result to the client;
wherein the refer chain is created in the following manner: whenever the i-th level page is opened through the i-th level link of the initial page, the process responsible for maintaining refer chains obtains the page ID and URL of the i-th level page and the page ID or URL of the (i-1)-th level page, queries the corresponding refer chain according to the page ID or URL of the (i-1)-th level page, and creates the corresponding node of that refer chain.
24. The server according to claim 23, wherein the query interface is further adapted to:
if the query result shows that the URL of the i-th level page belongs to the blacklist database or does not belong to the whitelist database, and any page from the initial page to the (i-1)-th level page is judged to be a search page, obtain risk prompt information as the matching result;
or, if the query result shows that the URL of any page from the initial page to the (i-1)-th level page belongs to the blacklist database or does not belong to the whitelist database, and the i-th level page is judged to be a payment page, obtain risk prompt information as the matching result.
25. The server according to claim 24, further including:
a search page URL database, adapted to store a search page URL list;
a payment page URL database, adapted to store a payment page URL list;
the query interface determines that any page from the initial page to the (i-1)-th level page is a search page by judging that the URL of that page belongs to the preset search page URL list; and determines that the i-th level page is a payment page by judging that the URL of the i-th level page belongs to the preset payment page URL list.
26. A system for processing web page access behavior, including the client according to any one of claims 13-22 and the server according to any one of claims 23-25.
CN201310279888.2A 2013-07-04 2013-07-04 Method and system that web page access behavior is processed, client, server Active CN103368957B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310279888.2A CN103368957B (en) 2013-07-04 2013-07-04 Method and system that web page access behavior is processed, client, server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310279888.2A CN103368957B (en) 2013-07-04 2013-07-04 Method and system that web page access behavior is processed, client, server

Publications (2)

Publication Number Publication Date
CN103368957A CN103368957A (en) 2013-10-23
CN103368957B true CN103368957B (en) 2017-03-15

Family

ID=49369494

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310279888.2A Active CN103368957B (en) 2013-07-04 2013-07-04 Method and system that web page access behavior is processed, client, server

Country Status (1)

Country Link
CN (1) CN103368957B (en)

Also Published As

Publication number Publication date
CN103368957A (en) 2013-10-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220324

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right