CN103379111A - Intelligent anti-phishing defensive system - Google Patents

Publication number
CN103379111A
Authority
CN
China
Prior art keywords
phishing
website
user
intelligent
module
Prior art date
Legal status
Pending
Application number
CN2012101297567A
Other languages
Chinese (zh)
Inventor
黄华军
Current Assignee
Central South University of Forestry and Technology
Original Assignee
Central South University of Forestry and Technology
Priority date
Filing date
Publication date
Application filed by Central South University of Forestry and Technology
Priority to CN2012101297567A
Publication of CN103379111A


Abstract

The invention relates to an intelligent anti-phishing defensive system composed of a user behavior identification module, a lightweight intelligent phishing-website detection engine module and an intelligent phishing-processing module. The user behavior identification module is a Bayes-based user behavior identification algorithm. The lightweight intelligent detection engine module performs rapid detection through four layers (URL, interactivity, webpage noise and website Logo identification) and comprises an online phishing-URL detection algorithm that fuses multi-layer features, DOM-tree-based identification and filtering of forms submitted to the web server, a phishing-website detection learning algorithm based on webpage noise, and a phishing-website detection algorithm based on website Logo identification. Following the browser BHO object specification, the user is first alerted to a detected phishing website through the URL address bar, the status bar or other warning marks; if the user ignores the alert, a module obfuscates the information the user enters in order to protect it. The system thereby provides network users with intelligent and timely anti-phishing defensive service.

Description

An intelligent anti-phishing defense system
Technical field:
The present invention relates to an intelligent anti-phishing defense system, specifically one that protects network users.
Background art:
Phishing is an attack technique based on social engineering. Through spam, instant messaging, SMS or fraudulent web promotion, the attacker sends deceptive messages that claim to come from a bank or another well-known institution, with the aim of luring the user to log in to a fake site that looks entirely genuine and to hand over sensitive information (such as user name, password, account ID, ATM PIN code or credit card details).
Phishing defense is the set of countermeasures against phishing and can be divided into server-side defense, client-side defense and third-party defense. Server-side defense means that the website's server proves the authenticity of the site's identity to the user through additional techniques such as digital watermarking, digital fingerprinting, dynamic security skins or double verification protocols. Client-side defense means installing a plug-in in the user's browser that, once a phishing page is detected, warns the user or protects the sensitive information the user enters. Third-party defense includes phishing spam filtering, third-party authentication mechanisms, the URL blacklist filtering mechanisms of browser providers, the defense mechanisms of security software vendors, and public protection mechanisms. Server-side defense aims to protect the authenticity of the site's identity; it raises the phisher's cost of counterfeiting and curbs phishing websites at the source, so it is active defense. The latter two target phishing websites that have already appeared; the defensive technique lags behind the phishers' counterfeiting technique, so they are passive defense. Although phishing defense has made considerable progress, active defense has the drawback that the end user must still make the final judgment about the site's authenticity, and passive defense has the drawback that it offers no protection unless the plug-in is installed.
Summary of the invention:
In view of the above problems, the purpose of the invention is to provide an intelligent anti-phishing defense system, composed of a user behavior identification module, a lightweight intelligent phishing-website detection engine and an intelligent phishing-processing module, that provides network users with intelligent and timely anti-phishing defense service.
To achieve the above purpose, the invention adopts the following technical scheme:
1. User behavior identification module;
2. Lightweight intelligent phishing-website detection engine;
3. Intelligent phishing-processing module;
Because it adopts the above technical scheme, the invention has the following advantages:
1. A Bayes-based user behavior recognition algorithm;
2. A phishing-website detection learning algorithm based on webpage noise;
3. A phishing-website detection learning algorithm based on website Logo identification.
Embodiment:
(1) Research on user behavior understanding, learning and recognition
User behavior understanding comprises formal understanding and learning of user behavior, construction of a prior probability density distribution database of user browsing behavior, and Bayes-based user behavior recognition. Through online questionnaires, manual questionnaires, randomly sent test e-mails and similar means, the users' normal and suspicious browsing behavior types are collected, covering browsing a website by entering its URL address, entering information, clicking links, downloading, and following links from e-mail, QQ or shopping websites. User browsing behavior is described formally with rules of the form "if URL Input Address then normal browsing behavior", the prior probability density distribution of user browsing behavior is established, and a user behavior recognition algorithm is built with Bayes; the detection engine is activated when the user may be visiting a phishing website.
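The following added example (not part of the patent text) shows one way the Bayes-based recognition step could decide when to activate the detection engine. The survey counts, the channel and action names, the naive independence assumption and the 0.5 threshold are all assumptions made for illustration.

```python
from collections import Counter

# Constructed survey observations: (entry channel, action, label). Counts are invented.
SURVEY = (
    [("typed_url", "browse", "normal")] * 40
    + [("typed_url", "input_info", "normal")] * 25
    + [("shop_link", "browse", "normal")] * 15
    + [("email_link", "browse", "normal")] * 8
    + [("qq_link", "click_link", "normal")] * 6
    + [("email_link", "input_info", "suspicious")] * 12
    + [("qq_link", "input_info", "suspicious")] * 9
    + [("shop_link", "input_info", "suspicious")] * 4
    + [("email_link", "download", "suspicious")] * 3
    + [("typed_url", "input_info", "suspicious")] * 1
)
CHANNELS = ("typed_url", "email_link", "qq_link", "shop_link")
ACTIONS = ("browse", "input_info", "click_link", "download")
LABELS = ("normal", "suspicious")


def train(observations):
    """Estimate P(label), P(channel|label), P(action|label) with Laplace smoothing."""
    label_n = Counter(lbl for _, _, lbl in observations)
    chan_n = Counter((c, lbl) for c, _, lbl in observations)
    act_n = Counter((a, lbl) for _, a, lbl in observations)
    model = {}
    for lbl in LABELS:
        n = label_n[lbl]
        model[lbl] = {
            "prior": n / len(observations),
            "channel": {c: (chan_n[(c, lbl)] + 1) / (n + len(CHANNELS)) for c in CHANNELS},
            "action": {a: (act_n[(a, lbl)] + 1) / (n + len(ACTIONS)) for a in ACTIONS},
        }
    return model


def posterior_suspicious(model, channel, action):
    """Bayes rule: P(suspicious | channel, action), features treated as independent."""
    joint = {
        lbl: m["prior"] * m["channel"][channel] * m["action"][action]
        for lbl, m in model.items()
    }
    return joint["suspicious"] / sum(joint.values())


def should_activate_engine(model, channel, action, threshold=0.5):
    """Wake the detection engine only when the visit looks suspicious."""
    return posterior_suspicious(model, channel, action) >= threshold


MODEL = train(SURVEY)

if __name__ == "__main__":
    for visit in [("typed_url", "browse"), ("email_link", "input_info")]:
        print(visit, round(posterior_suspicious(MODEL, *visit), 3))
```
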
(2) Research on the lightweight intelligent phishing-website detection engine
The literature and the monthly statistics published by PhishTank and APAC show that the number of phishing attacks rises and falls, but the targets are concentrated, mainly on payment and transaction, financial, instant messaging and broadcast media websites. According to the APAC bulletin of December 2011, phishing websites involving Taobao, Tencent, Industrial and Commercial Bank of China and Bank of China accounted for 94.39% of all reports. A knowledge base of well-known websites is modeled to serve as the empirical knowledge of the detection engine. The knowledge base contains information that describes identity: domain name, IP address, URL, brand name, copyright information, Logo description factors, WHOIS data and so on. The detailed technical route for the lightweight intelligent phishing-website detection engine is as follows:
Online fast URL filtering mechanism. A whitelist fast-filtering mechanism is adopted: for entries on the whitelist added by the user, the detection engine skips detection entirely. The research group plans to adopt a blacklist mechanism synchronized with PhishTank, APWG and the Google Safe Browsing API to filter phishing URLs quickly and stop the user's access.
For URLs that cannot be decided in this way, an online phishing-URL detection algorithm that fuses multi-layer features is adopted. The algorithm is intended to use four layers of features (structure, vocabulary, domain name and server) to build an SVM-based learning and classification model for fast classification of phishing-website URLs.
Fast interactivity filtering mechanism for phishing websites. Because the purpose of a phishing website is to obtain the user's input, analyzing whether the page contains a server input form (such as form tags, input tags or a login form) can effectively determine whether it is a phishing website. A website with no server input form can be judged directly not to be a phishing website; only a website that has an input form needs further detection based on content and visual similarity. For interactivity detection, DOM-tree-based identification and filtering of forms submitted to the web server is adopted: the markup-language source is parsed to build the page's DOM tree, and the form, input and login submission controls in the DOM tree are identified to achieve fast phishing-page classification.
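As an added illustration (not code from the patent), the sketch below chains the whitelist, the blacklist and the form-based interactivity filter described above, leaving out the SVM URL classifier. The host names, the sample pages and the set of input types treated as "typed input" are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lists; the blacklist would be synced from the feeds named above.
WHITELIST = {"intranet.example"}
BLACKLIST = {"login-verify.example"}
TYPED = {"text", "password", "email", "tel", "number"}  # controls that take typed input


class FormFinder(HTMLParser):
    """Records every <form> and the typed-input controls found in the markup."""

    def __init__(self):
        super().__init__()
        self.orphans = {"action": None, "inputs": []}  # inputs outside any <form>
        self.forms = [self.orphans]
        self._open = None                              # form currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag in ("input", "textarea"):
            kind = (attrs.get("type") or "text").lower() if tag == "input" else "text"
            if kind in TYPED:
                (self._open or self.orphans)["inputs"].append(kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def has_submission_form(html):
    """True if the page offers any control that collects typed user input."""
    finder = FormFinder()
    finder.feed(html)
    finder.close()
    return any(form["inputs"] for form in finder.forms)


def quick_filter(url, html):
    """Return 'allow', 'block', 'not-phishing' or 'needs-content-check'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in WHITELIST:
        return "allow"                # user-added whitelist: detection skipped
    if host in BLACKLIST:
        return "block"                # known phishing URL: visit stopped
    if not has_submission_form(html):
        return "not-phishing"         # nothing on the page can harvest input
    return "needs-content-check"      # hand over to the noise and Logo layers


# Constructed sample pages.
LOGIN_PAGE = ('<form action="/post.php" method="post"><input name="user">'
              '<input type="password" name="pw"><input type="submit"></form>')
NEWS_PAGE = ('<h1>News</h1><form action="/s"><input type="hidden" name="t">'
             '<input type="submit" value="Go"></form>')
```

A static parse sees only the markup as delivered, so controls that a script injects after load are not counted and the "not-phishing" verdict applies to the served HTML only.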
Phishing-website detection learning algorithm based on webpage noise. Webpage noise refers to the content carried by the page template, such as navigation bars, organization marks, contact information and advertisement bars. Webpage noise mostly contains the website's identity information, and phishing websites copy this information from the target website in order to deceive the user better. Using the webpage noise in place of the whole page content makes website identification possible while reducing the effect of the rest of the page on the performance and efficiency of the detection algorithm. The research group plans to analyze webpage noise with Web information processing techniques such as n-gram, term-frequency vectors, TF-IDF and Shingle, determine the feature patterns of the noise, and build an SVM machine learning and classification model. A suspect site that uses a well-known website's template but is inconsistent with the information in the knowledge base is judged to be a phishing website.
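The added example below (not from the patent) illustrates the noise-based decision rule: a page whose template noise matches a well-known site while its identity does not match the knowledge base is flagged. It swaps the SVM model for a plain Shingle/Jaccard threshold and assumes the noise text has already been extracted; the knowledge-base entry, host names and the 0.6 threshold are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed knowledge base entry: identity data for one well-known site.
KNOWLEDGE_BASE = {
    "ExampleBank": {
        "domains": {"examplebank.example"},
        "noise": "ExampleBank Personal Banking Corporate Banking Contact us "
                 "Hotline 000-0000 Copyright ExampleBank All rights reserved",
    },
}
# Constructed noise text of a suspect page that copies the template above.
COPIED_NOISE = KNOWLEDGE_BASE["ExampleBank"]["noise"] + " Login"


def shingles(text, w=3):
    """Set of w-word shingles over the lower-cased token stream."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(tokens[i:i + w]) for i in range(len(tokens) - w + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a or b else 0.0


def registered_on(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url, noise_text, threshold=0.6):
    """Return (verdict, brand, similarity) for a suspect page's template noise."""
    host = (urlsplit(url).hostname or "").lower()
    page = shingles(noise_text)
    best_brand, best_sim = None, 0.0
    for brand, entry in KNOWLEDGE_BASE.items():
        sim = jaccard(page, shingles(entry["noise"]))
        if sim > best_sim:
            best_brand, best_sim = brand, sim
    if best_brand is None or best_sim < threshold:
        return ("unknown-template", None, best_sim)
    if registered_on(host, KNOWLEDGE_BASE[best_brand]["domains"]):
        return ("legitimate", best_brand, best_sim)
    return ("phishing", best_brand, best_sim)   # brand template, foreign identity
```
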
Phishing-website classification algorithm based on website Logo identification. The website Logo is a salient point in the page and also a region of interest for the user. Network users often identify a website by its Logo, and phishing websites exploit this to deceive users. The research group plans to use SIFT to analyze the Logo characteristics of well-known websites, determine the feature factors that describe a website Logo, and model the Logos of the well-known target sites that phishing websites frequently counterfeit. A suspect site that uses a well-known website's Logo but is inconsistent with the information in the knowledge base is judged to be a phishing website.
(3) Research on the intelligent phishing-processing mechanism
The browser BHO interface provides the relevant interface specifications, giving the intelligent phishing-processing module an interface for handling phishing websites. The browser BHO's specifications, interfaces, methods, events and common classes are analyzed first, in order to determine and capture the user's mouse clicks, keyboard input, and address bar and status bar event methods; the input information is obfuscated with the SHA-1 algorithm, and the intelligent phishing-processing mechanism is implemented by programming.

Claims (4)

1. An intelligent anti-phishing defense system, characterized in that it is composed of a user behavior identification module, a lightweight intelligent phishing-website detection engine and an intelligent phishing-processing module, and provides network users with intelligent and timely anti-phishing defense service.
2. The intelligent anti-phishing defense system according to claim 1, characterized in that the user behavior identification module is a Bayes-based user behavior recognition algorithm.
3. The intelligent anti-phishing defense system according to claim 1, characterized in that the lightweight intelligent phishing-website detection engine module performs fast detection through four layers: URL, interactivity, webpage noise and website Logo identification; it comprises an online phishing-URL detection algorithm that fuses multi-layer features, DOM-tree-based identification and filtering of forms submitted to the web server, a phishing-website detection learning algorithm based on webpage noise, and a phishing-website detection algorithm based on website Logo identification.
4. The intelligent anti-phishing defense system according to claim 1, characterized in that, following the browser BHO object specification, a detected phishing website is first handled by a mechanism that alerts the user through the URL address bar, the status bar or other warning marks; when the user ignores the warning mechanism, a module obfuscates the information entered by the user in order to protect it.
CN2012101297567A 2012-04-21 2012-04-21 Intelligent anti-phishing defensive system Pending CN103379111A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012101297567A CN103379111A (en) 2012-04-21 2012-04-21 Intelligent anti-phishing defensive system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012101297567A CN103379111A (en) 2012-04-21 2012-04-21 Intelligent anti-phishing defensive system

Publications (1)

Publication Number Publication Date
CN103379111A true CN103379111A (en) 2013-10-30

Family

ID=49463674

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012101297567A Pending CN103379111A (en) 2012-04-21 2012-04-21 Intelligent anti-phishing defensive system

Country Status (1)

Country Link
CN (1) CN103379111A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104715369A (en) * 2015-04-02 2015-06-17 江苏金智教育信息技术有限公司 Anti-phishing third party transaction method, device and system
CN104901847A (en) * 2015-05-27 2015-09-09 国家计算机网络与信息安全管理中心 Social network zombie account detection method and device
CN104899508A (en) * 2015-06-17 2015-09-09 中国互联网络信息中心 Multistage phishing website detecting method and system
CN105956633A (en) * 2016-06-22 2016-09-21 北京小米移动软件有限公司 Search engine category identification method and apparatus
CN108965245A (en) * 2018-05-31 2018-12-07 国家计算机网络与信息安全管理中心 Detection method for phishing site and system based on the more disaggregated models of adaptive isomery
US10313352B2 (en) 2016-10-26 2019-06-04 International Business Machines Corporation Phishing detection with machine learning
CN110784462A (en) * 2019-10-23 2020-02-11 北京邮电大学 Three-layer phishing website detection system based on hybrid method
CN112567710A (en) * 2018-08-09 2021-03-26 微软技术许可有限责任公司 System and method for polluting phishing activity responses

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102316099A (en) * 2011-07-28 2012-01-11 中国科学院计算机网络信息中心 Network fishing detection method and apparatus thereof

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102316099A (en) * 2011-07-28 2012-01-11 中国科学院计算机网络信息中心 Network fishing detection method and apparatus thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
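李立: "基于贝叶斯网络的主机入侵检测系统研究与设计" [Research and design of a host intrusion detection system based on Bayesian networks], 《万方学位论文》 [Wanfang dissertations] *
黄华军等: "网络钓鱼防御技术研究" [Research on phishing defense techniques], 《信息网络安全》 [Information Network Security] *
黄华军等: "网络钓鱼防御技术研究" [Research on phishing defense techniques], 《信息网络安全》 [Information Network Security], 10 April 2012 (2012-04-10), pages 3 *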

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104715369A (en) * 2015-04-02 2015-06-17 江苏金智教育信息技术有限公司 Anti-phishing third party transaction method, device and system
CN104715369B (en) * 2015-04-02 2017-11-03 江苏金智教育信息股份有限公司 A kind of methods, devices and systems of the third party transaction of anti-fishing
CN104901847A (en) * 2015-05-27 2015-09-09 国家计算机网络与信息安全管理中心 Social network zombie account detection method and device
CN104901847B (en) * 2015-05-27 2018-10-30 国家计算机网络与信息安全管理中心 A kind of social networks corpse account detection method and device
CN104899508A (en) * 2015-06-17 2015-09-09 中国互联网络信息中心 Multistage phishing website detecting method and system
CN104899508B (en) * 2015-06-17 2018-12-07 中国互联网络信息中心 A kind of multistage detection method for phishing site and system
CN105956633A (en) * 2016-06-22 2016-09-21 北京小米移动软件有限公司 Search engine category identification method and apparatus
US10313352B2 (en) 2016-10-26 2019-06-04 International Business Machines Corporation Phishing detection with machine learning
CN108965245A (en) * 2018-05-31 2018-12-07 国家计算机网络与信息安全管理中心 Detection method for phishing site and system based on the more disaggregated models of adaptive isomery
CN112567710A (en) * 2018-08-09 2021-03-26 微软技术许可有限责任公司 System and method for polluting phishing activity responses
CN110784462A (en) * 2019-10-23 2020-02-11 北京邮电大学 Three-layer phishing website detection system based on hybrid method
CN110784462B (en) * 2019-10-23 2020-11-03 北京邮电大学 Three-layer phishing website detection system based on hybrid method

Similar Documents

Publication Publication Date Title
US20200042696A1 (en) Dynamic page similarity measurement
CN103379111A (en) Intelligent anti-phishing defensive system
RU2607229C2 (en) Systems and methods of dynamic indicators aggregation to detect network fraud
Fette et al. Learning to detect phishing emails
CN103179095B (en) A kind of method and client terminal device detecting fishing website
CN105119909B (en) A kind of counterfeit website detection method and system based on page visual similarity
CN104982011A (en) Document classification using multiscale text fingerprints
Wardman et al. High-performance content-based phishing attack detection
Mishra et al. SMS phishing and mitigation approaches
Zeydan et al. Survey of anti-phishing tools with detection capabilities
CN110474889A (en) One kind being based on the recognition methods of web graph target fishing website and device
Rajalingam et al. Prevention of phishing attacks based on discriminative key point features of webpages
Wang et al. Verilogo: Proactive phishing detection via logo recognition
US20220030029A1 (en) Phishing Protection Methods and Systems
Zeydan et al. Current state of anti-phishing approaches and revealing competencies
Nivedha et al. Improving phishing URL detection using fuzzy association mining
Alnajjar et al. TrustQR: A new technique for the detection of phishing attacks on QR code
CN105653941A (en) Heuristic detection method and system for phishing website
CN108173814A (en) Detection method for phishing site, terminal device and storage medium
CN106060038B (en) Detection method for phishing site based on client-side program behavioural analysis
Rathee et al. Detection of E-mail phishing attacks–using machine learning and deep learning
Singh et al. Investigating the effect of feature selection and dimensionality reduction on phishing website classification problem
KR20070067651A (en) Method on prevention of phishing through analysis of the internet site pattern
Abiodun et al. Linkcalculator–an efficient link-based phishing detection tool
Parekh et al. Spam URL detection and image spam filtering using machine learning

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20131030