CN103685312A - Method and system for detecting phishing pages, client side and server - Google Patents

Method and system for detecting phishing pages, client side and server Download PDF

Info

Publication number
CN103685312A
CN103685312A CN201310739785.XA CN201310739785A CN103685312A CN 103685312 A CN103685312 A CN 103685312A CN 201310739785 A CN201310739785 A CN 201310739785A CN 103685312 A CN103685312 A CN 103685312A
Authority
CN
China
Prior art keywords
page
pages
grades
fishing
url
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310739785.XA
Other languages
Chinese (zh)
Inventor
郭峰
符云
杨东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201310739785.XA priority Critical patent/CN103685312A/en
Publication of CN103685312A publication Critical patent/CN103685312A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and system for detecting phishing pages, a client side and a server. The method comprises the following steps: detecting an access request of a user on a payment page; after the access request of the user on the payment page is detected, inquiring the URL (Uniform Resource Locator) of first several levels of pages linked to the payment page; reporting the URL of the first several levels of pages to the server to cause the server to inquire a blacklist and/or a white list and a gray list stored by the server according to the URL of the first several levels of pages to obtain a query result; if the query result shows that the first several levels of pages contain the phishing pages or unknown suspicious pages, popping up a hint window. Under the condition that a phishing website is not determined, the scheme can also judge the phishing behaviors aiming at the network behavior characteristics. The scheme effectively makes prompts in real time when the user accesses the payment page, realizes the real-time interception for the phishing website, and protects the web browsing safety of the user.

Description

A kind of method and system, client, server that detects the fishing page
Technical field
The present invention relates to Internet technical field, be specifically related to a kind of detection and by fishing page access, pay method and system, client, the server of the page, and the method and the device that based on local rules repository, detect the fishing page.
Background technology
So-called " fishing website " is a kind of network fraud behavior, refer to that lawless person utilizes various means, URL address and the content of pages of counterfeit true website, or utilize the leak in true Website server program to insert dangerous HTML code in some webpage of website, with this, gain user bank or the private data such as credit card account, password by cheating." fishing website " mainly concentrated both ways: a kind of is to imitate the personation prize drawing websites such as CCTV, the network defraud event of gaining netizen's wealth by cheating as counterfeit " very 6+1 " the program prize-winning information how occurring, principal character is that to get the winning number in a bond be bait, and deception netizen fills in the information such as identity information, bank account; Another kind is to imitate the on-line payment webpages such as Taobao, bank, gains netizen's bank card information or Alipay account by cheating.
Prior art is when user accesses certain page in order to take precautions against the Main Means of fishing website, the black and white lists database that client is sent to server end by the URL of the page is inquired about, so-called blacklist database is the URL name single database of having examined the fishing website of confirmation, and so-called white list database is the URL that has examined the security website of confirmation.Server end is after inquiry, and the result feedback whether website is belonged to fishing website is to client.But because the URL of current fishing website constantly changes; the renewal speed of the black and white lists database of server end is fast far away from the pace of change of fishing website; therefore the technological means that above-mentioned prior art provides can not effectively detect malicious websites, thereby can not protect real-time, quickly and efficiently the web page browsing safety of client.
Summary of the invention
In view of the above problems, the present invention has been proposed to provide a kind of detection that overcomes the problems referred to above or address the above problem at least in part to pay method and system, client, the server of the page by fishing page access, and the method and the device that based on local rules repository, detect the fishing page.
According to an aspect of the present invention, provide a kind of detection by fishing page access, to pay the method for the page, having comprised:
Detect user to paying the access request of the page;
Described user detected to after paying the access request of the page, query link is to the URL of the front some grades of pages of the described payment page;
The URL of the described front some grades of pages is reported to server, for described server according to the URL of the described front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The described Query Result that reception server returns, if described Query Result shows to comprise the fishing page or the unknown suspicious page in the described front some grades of pages, ejects prompt window.
According to an aspect of the present invention, provide a kind of client, having comprised:
Detection module, the access request for detection of user to the payment page;
The first enquiry module, for described user being detected at described detection module to after paying the access request of the page, query link is to the URL of the front some grades of pages of the described payment page;
The first sending module, for the URL of the described front some grades of pages is reported to server, for described server according to the URL of the described front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The first receiver module, the described Query Result returning for reception server;
Display module, for show that at described Query Result the described front some grades of pages comprise the fishing page or the unknown suspicious page in the situation that, ejects prompt window.
According to an aspect of the present invention, provide a kind of server, having comprised:
The second receiver module, is detecting user to after paying the access request of the page, the URL that is linked to the front some grades of pages that pay the page reporting after inquiry for receiving client;
The second enquiry module, for according to the URL of the described front some grades of pages, inquires about blacklist and/or white list and gray list that described server is preserved, obtains the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The second sending module, for return to described Query Result to client, after comprising the Query Result of the fishing page or the unknown suspicious page, ejects prompt window for described client in obtaining the described front some grades of pages.
According to an aspect of the present invention, provide a kind of detection by fishing page access, to pay the system of the page, having comprised: above-mentioned client and server.
According to a further aspect in the invention, provide a kind of method that detects the fishing page based on local rules repository, described local rules repository comprises first kind rule and Equations of The Second Kind rule, and described method comprises:
In the situation that user's triggering behavior meets described first kind rule, detect user by the behavior of the browser access page;
Judge whether user in the given time meets described Equations of The Second Kind rule by the behavior of the browser access page, or it is regular judge whether user meets described Equations of The Second Kind by the behavior in the link page process of browser access predetermined number; If meet, eject fishing page prompts window.
According to a further aspect in the invention, provide a kind of device that detects the fishing page based on local rules repository, having comprised:
Local rules repository, comprises first kind rule and Equations of The Second Kind rule;
Whether first detection module, meet described first kind rule for detection of user's triggering behavior;
The second detection module, for meeting described first kind rule in the situation that described first detection module detects user's triggering behavior, detect user by the behavior of the browser access page, judge whether user in the given time meets described Equations of The Second Kind rule by the behavior of the browser access page, or it is regular judge whether user meets described Equations of The Second Kind by the behavior in the link page process of browser access predetermined number;
Reminding module, the in the situation that of meeting described Equations of The Second Kind rule, ejects fishing page prompts window for judging described behavior at described the second detection module.
Such scheme provided by the invention is not being determined be fishing website in the situation that; also can judge fishing behavior for network behavior feature; when user accesses the payment page, effectively make in real time prompting, realized the real-time blocking to fishing website, the fail safe of protection user network page browsing.
Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to better understand technological means of the present invention, and can be implemented according to the content of specification, and for above and other objects of the present invention, feature and advantage can be become apparent, below especially exemplified by the specific embodiment of the present invention.
Accompanying drawing explanation
By reading below detailed description of the preferred embodiment, various other advantage and benefits will become cheer and bright for those of ordinary skills.Accompanying drawing is only for the object of preferred implementation is shown, and do not think limitation of the present invention.And in whole accompanying drawing, by identical reference symbol, represent identical parts.In the accompanying drawings:
Fig. 1 shows and detects according to an embodiment of the invention the flow chart that pays the method for the page by fishing page access;
Fig. 2 shows and detects in accordance with another embodiment of the present invention the flow chart that pays the method for the page by fishing page access;
Fig. 3 shows the flow chart that detects according to an embodiment of the invention the method for the fishing page based on local rules repository;
Fig. 4 shows and detects according to an embodiment of the invention the structured flowchart that pays the system of the page by fishing page access;
Fig. 5 shows the structured flowchart that detects according to an embodiment of the invention the device of the fishing page based on local rules repository.
Embodiment
Exemplary embodiment of the present disclosure is described below with reference to accompanying drawings in more detail.Although shown exemplary embodiment of the present disclosure in accompanying drawing, yet should be appreciated that and can realize the disclosure and the embodiment that should do not set forth limits here with various forms.On the contrary, it is in order more thoroughly to understand the disclosure that these embodiment are provided, and can by the scope of the present disclosure complete convey to those skilled in the art.
Fig. 1 shows and detects according to an embodiment of the invention the flow chart that pays the method for the page by fishing page access, and as shown in Figure 1, the method comprises the steps:
Step S110, detects user to paying the access request of the page.
Net purchase is exactly that user retrieves merchandise news by the Internet, and send shopping request by electronic purchase order, then in the website of on-line payment, fill out the number of private account number or bank card, manufacturer delivers by the mode of mail-order, or the shopping mode of delivering goods to the customers by express company.In this shopping mode, user must access the website of on-line payment.For emerging fishing website, user first accesses this fishing website, then pays the bill in the website that is linked to on-line payment.The present invention is directed to the behavioral characteristic of net purchase, when user accesses the payment page, the access history of on-line payment is recalled.The first step of the method that therefore, the embodiment of the present invention provides is exactly to detect user to paying the access request of the page.
Step S120, is detecting user to after paying the access request of the page, and query link is to the URL that pays the front some grades of pages of the page.
Access while paying the page user being detected, the access history of on-line payment is recalled, specifically refer to that query link arrives the URL of the front some grades of pages of this payment page.The scene that general fishing website occurs is, user is by accidentally clicking the link of fishing website in the process of browser browsing page, or user is by clicking the link that other account sends in MSN chat process, and then pay the page by these links and accesses.If the current payment page, by fishing page link, will comprise the URL of the page of going fishing in the URL of the front some grades of pages that the embodiment of the present invention inquires so.
Step S130, the URL of the front some grades of pages is reported to server, for server, according to the URL of the front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the front some grades of pages.
The URL that pays the front some grades of pages of the page is reported to server.Server has the database of preserving blacklist and/or white list and gray list, and wherein that blacklist record is the URL that has examined the fishing website of confirmation, and that white list records is the URL that has examined the security website of confirmation.Except black and white lists, server is also preserved gray list, and this gray list is used for judging whether the page belongs to the unknown suspicious page.
Step S140, the Query Result that reception server returns, if Query Result shows to comprise the fishing page or the unknown suspicious page in the front some grades of pages, ejects prompt window.
The method providing according to the above embodiment of the present invention, is detecting user to after paying the access request of the page, and query link arrives the URL of the front some grades of pages that pay the page, and the URL of the front some grades of pages is reported to server; The blacklist that server lookup is preserved and/or white list, gray list, obtain in the front some grades of pages whether comprise the fishing page or the unknown suspicious page, if comprise, ejects prompt window.The gray list that this method provides by server can judge in the link page that user accessed before access pays the page whether comprise the unknown suspicious page, the network behavior that is linked to the payment page by the suspicious page of the unknown can judge it is fishing behavior substantially, can eject thus prompt window for pointing out user careful payment.This method, not determining be fishing website in the situation that, also can be judged fishing behavior for network behavior feature, user, accesses while paying the page and effectively make in real time prompting, has realized the real-time blocking to fishing website, the fail safe of protection user network page browsing.
Fig. 2 shows and detects in accordance with another embodiment of the present invention the flow chart that pays the method for the page by fishing page access, and as shown in Figure 2, the method comprises the steps:
Step S210, client detects user to paying the access request of the page.
It can be that characteristic information based on the page judges to paying the access request of the page that client detects user, for paying the page, it generally comprises account, password, identifying code and corresponding list input domain, if client detects these characteristic informations, just can judge and user be detected to paying the access request of the page.
Step S220, is detecting user to after paying the access request of the page, and client query is linked to the URL of the front some grades of pages that pay the page.
Client can be linked to based on refer information inquiry the URL of the front some grades of pages that pay the page.Particularly, the refer information recording of the current payment page has the URL of the previous stage page, and the refer information of the previous stage page records again the URL of the front two-stage page.User, by links and accesses at different levels, pay in the process of the pages, URL that just can the real time record pages at different levels, and pass through the linking relationship of the refer information recording pages at different levels of the pages at different levels.
For instance, establish the links and accesses page A that user sends over by clicking other account in MSN chat process, its URL is url1; In the process of user to access pages A, click the links and accesses page B on page A, its URL is url2, and now client learns that by the refer information of query page B the URL of the previous stage page of page B is url1, sets up the linking relationship of url1 → url2 thus; The links and accesses that user continues to click on page B pays page C, and its URL is url3, and now client learns that by the refer information of query page C the URL of the previous stage page of page C is url2, sets up the linking relationship of url1 → url2 → url3 thus.In client, know that page C is for after paying the page, the URL that just can obtain paying the front two-stage page of the page by this linking relationship is respectively url1 and url2.
Alternatively, above-mentioned linking relationship can reach 7 grades at the most, but is not limited only to this.Owing to being generally linked to the payment page by fishing website, can not surpass 7 grades, so maintain the linking relationship of 7 grades of records, just can meet the demand that detects fishing website.
Step S230, client reports server by the URL of the front some grades of pages.
Step S240, server, according to the URL of the front some grades of pages, is inquired about the blacklist of preserving, and whether any of the URL of the front some grades of pages of judgement belongs to blacklist, if so, obtains the Query Result that the front some grades of pages comprise the page of going fishing, execution step S270; Otherwise execution step S250.
After the URL of server some grades of pages before receiving, the blacklist that preferably first inquiry is preserved, that blacklist records is the URL that has examined the fishing website of confirmation, if any in the URL of the front some grades of pages belongs to this blacklist, show to there is fishing website in user's access history, the payment page that is linked by fishing website so and come is exactly highly dangerous, and server need to return to this Query Result client to point out.If do not belong to the URL of blacklist in the URL of the front some grades of pages, continue inquiry white list and gray list.
Step S250, server is according to the URL of the front some grades of pages, and the white list that inquiry is preserved, judges whether the URL of the front some grades of pages belongs to white list entirely, if so, obtains the Query Result that the front some grades of pages are secure page table, execution step S270; Otherwise execution step S260.
After not belonging to the URL of blacklist in the URL of server some grades of pages before judging, the white list that inquiry is preserved, that white list records is the URL that has examined the security website of confirmation, if the URL of the front some grades of pages belongs to white list entirely, show to be security website in user's access history; If the URL of the front some grades of pages does not belong to white list entirely, continue inquiry gray list.
The execution sequence of above-mentioned steps S240 and step S250 can be changed.
Step S260, server is according to the URL of the front some grades of pages, the page info recording in the gray list that inquiry is preserved, before judgement, whether arbitrary page info of the some grades of pages meets unknown suspicious condition, if, obtain the Query Result that comprises the unknown suspicious page in the front some grades of pages, otherwise obtain the Query Result that the front some grades of pages are secure page table, then perform step S270.
The gray list that server is preserved can be used for judging whether the page belongs to the unknown suspicious page.Particularly, in gray list, record page info and unknown suspicious condition.Wherein page info comprises: record information, visit capacity information or website log-on message.Server inquires about according to the URL of the front some grades of pages the above-mentioned page info that each page is corresponding, and then judges whether these page infos meet following unknown suspicious condition:
A) page info does not comprise record information; Record information refers to the information of putting on record through official, for example ICP record information.Comprising record information proves that this website obtains the approval of official, otherwise shows that this website is incredible website, and the page that meets this condition just belongs to the unknown suspicious page.And/or,
B) the visit capacity information that page info comprises shows that visit capacity is lower than setting threshold; The general fishing website that does not belong to high in the clouds blacklist is all emerging, and the visit capacity of this fishing website is all very low, therefore can be using visit capacity as its whether unknown suspicious condition of assessment.And/or,
C) the website log-on message that page info comprises shows that website hour of log-on is less than setting duration.For emerging fishing website, its website hour of log-on is also very short, also can be using website hour of log-on as its whether unknown suspicious condition of assessment.
Step S270, the Query Result that client server returns.
Step S280, if Query Result shows to comprise the fishing page or the unknown suspicious page in the front some grades of pages, ejects prompt window; If Query Result shows the front some grades of pages and is the Query Result of secure page table, allows user to access the payment page.
Alternatively, before ejecting prompt window, can also obtain the URL of the fishing page or the unknown suspicious page and the Business Information relevant with the fishing page or the unknown suspicious page, in the prompt window ejecting, show URL and the Business Information of the fishing page or the unknown suspicious page.For example, from buying the corresponding URL of the problematic angle prompting user of commodity, be the unknown suspicious page, suggestion user cancels payment.Further, according to Business Information, add the prompting of " the * * seller of vending articles has problem ", show problematic seller simultaneously, and provide relevant qualitative description.
Alternatively, the blacklist that the embodiment of the present invention is not limited only to provide based on server and/or white list and gray list judge the fishing page or the unknown suspicious page, also can judge based on the preset blacklist in this locality and/or white list and gray list.Relevant judgment mode is identical.
The method providing according to the above embodiment of the present invention, is detecting user to after paying the access request of the page, and query link arrives the URL of the front some grades of pages that pay the page, and the URL of the front some grades of pages is reported to server; The blacklist that server lookup is preserved and/or white list, gray list, obtain in the front some grades of pages whether comprise the fishing page or the unknown suspicious page, if comprise, ejects prompt window.The gray list that this method provides by server can judge in the link page that user accessed before access pays the page whether comprise the unknown suspicious page, the network behavior that is linked to the payment page by the suspicious page of the unknown can judge it is fishing behavior substantially, can eject thus prompt window for pointing out user careful payment.This method, not determining be fishing website in the situation that, also can be judged fishing behavior for network behavior feature, user, accesses while paying the page and effectively make in real time prompting, has realized the real-time blocking to fishing website, the fail safe of protection user network page browsing.
Above-described embodiment one and embodiment bis-provide a kind of when user accesses the payment page, recall user's access history, determine and in the access history page, whether have the fishing page or the unknown suspicious page, and then determine whether the method that will point out user's payment behavior.It is fast and can not effectively detect fishing website and cause user's payment behavior to have the technical problem of high risk that the method has solved the pace of change due to fishing website that exists in prior art.Except said method, the present invention also provides a kind of method that detects the fishing page based on local rules repository, and this method also can solve the technical problem existing in prior art.
Fig. 3 shows the flow chart that detects according to an embodiment of the invention the method for the fishing page based on local rules repository, and as shown in Figure 3, the method comprises the steps:
Step S310, whether the triggering behavior that detects user meets first kind rule, if so, performs step S320; Otherwise this method finishes.
Local rules repository that feature that the embodiment of the present invention occurs according to fishing behavior is pre-configured.In local rules repository, comprise first kind rule and Equations of The Second Kind rule.Wherein, first kind rule is for judging whether user's triggering behavior meets special scenes, if meet special scenes, just the object using this user's access to netwoks behavior as subsequent detection, is also that first kind rule should be concerned for determining which user's access to netwoks behavior.
In the embodiment of the present invention, first kind rule comprises the one or more combination in following rule: enter net purchase and/or payment mode; The access classified information page.Under net purchase and/or payment mode, the possibility that fishing behavior occurs is very large, therefore when user's triggering behavior shows to enter net purchase and/or payment mode, and further detection that should triggering following.In addition, user accesses a kind of that the classified information page also should be as special scenes, the classified information page is to provide the page of information issuing service, it provides various service for life information such as comprising second-hand article trading, housing, recruitment and job hunting, friend-making activity, and for example 58 same cities, the net of going to market all belong to classified information website.The classified information page is also the ground occurred frequently of fishing behavior, further detection that therefore also should triggering following when user accesses the classified information page.
Step S320, detects user by the behavior of the browser access page.
In the situation that user's triggering behavior detected, meet first kind rule, continue to detect user by the behavior of the browser access page.Generally, when user enters after net purchase and/or payment mode or the access classified information page, can search required commodity or information by the adopting consecutive click chemical reaction link page, browser meeting recording user is clicked the relevant information of each link page.
Step S330, judges whether user in the given time meets Equations of The Second Kind rule by the behavior of the browser access page, or, judge whether user meets Equations of The Second Kind rule by the behavior in the link page process of browser access predetermined number; If meet, perform step S340; Otherwise this method finishes.
The embodiment of the present invention provides two kinds of modes of definite subsequent detection scope: a kind of mode is to determine by the scheduled time, and for example the scheduled time is 30 minutes, detects the accession page behavior of user in 30 minutes and whether meets Equations of The Second Kind rule; Another kind of mode is that for example predetermined number is 20 by the number of the link page, and detection user accesses 20 behaviors in link page process and whether meets Equations of The Second Kind rule.
Equations of The Second Kind rule comprises the one or more combinations in following rule:
A) URL of the page of access comprises predetermined keyword, but the domain name of this page corresponding domain name that is not predetermined keyword.Browser obtains the URL of accession page, and whether inquiry wherein comprises predetermined keyword, as tao, 58 etc., as comprise, continue to obtain the domain name of this page, whether inquire about its domain name is domain name corresponding to predetermined keyword, if not, judge that it meets this Equations of The Second Kind rule a).For instance, the URL that browser obtains the page is: http://item.taobao.com-oio0.tk/auction/item.asp sp_id=248, wherein comprise predetermined keyword taobao, but the domain name of this page is not the domain name of Taobao official website, substantially can judge that this page is as the fishing page.
B) domain name of the page of access is high-risk domain name or domain name overseas.Browser obtains the domain name of accession page, judges that whether this domain name is high-risk domain name or domain name overseas, if so, judges that it meets this Equations of The Second Kind rule b).
C) Whois information or the NS(Name Server of the page of access) record meets default feature.Whios packets of information is containing IP information and the owner information of domain name, and NS record is name server record, is used for specifying this domain name by which dns server to be resolved.According to Whois information or NS record, whether meet the high-risk property that default feature also can be judged the page, can eject prompt window according to this rule.
D) page that the page of access is opened for the link of sending according to the high-risk account in instant messaging application program.By analyzing known to actual conditions, a lot of fishing pages transmit by instant messaging application program, if the page that the page of access is opened for the link of sending according to the high-risk account in instant messaging application program, the high-risk property of this page is also very high, can eject prompt window according to this rule.
E) page that the page of access is opened for the link providing according to downloaded dangerous file, dangerous file is definite by local content identification facility.In actual access to netwoks process, having a lot of fishing pages is not to transmit by the form of link yet, but transmits by the form of file, for example mht file, doc file or html file.Take mht file as example, and it is called again polymerization html document, Web archives or single page file.Single document webpage can all be saved in all elements of website (comprising text and figure) in Single document.This encapsulation makes whole website to be issued as to single embedded MIME, or sends using whole website as an Email or annex.For this class file, client provides local content identification facility, can identify the safe class of download file by this local content identification facility.
The concrete grammar of local content identification facility identification download file can be: after monitoring file and having downloaded, obtain and scan download file, obtain the file feature information that download file is corresponding; The local characteristic information storehouse that inquiry is default, judges according to preset rules whether file feature information corresponding to download file mates with canned data item in local characteristic information storehouse; According to matching result, determine the safe class of download file.Wherein, the file feature information that download file is corresponding comprises: the URL address that download file is corresponding, and in local characteristic information storehouse, canned data item comprises: the URL item of information of a plurality of safe classes; And/or the file feature information that download file is corresponding comprises: the plaintext character string comprising in download file, in local characteristic information storehouse, canned data item comprises: the plaintext string assemble of a plurality of safe classes.And/or, the file feature information that download file is corresponding comprises: the file page surface element that download file is corresponding, file page surface element further comprises: picture, text feature and web page interlinkage, in local characteristic information storehouse, canned data item comprises: the page elements template of a plurality of safe classes.
In above-mentioned local characteristic information storehouse, the safe class of canned data item obtains by machine learning algorithm, is specially: obtain in advance the sample of each safe class, extract the file feature information of each sample; By default machine learning algorithm, the file feature information of each sample is learnt; According to learning outcome, obtain the item of information of each safe class required in local characteristic information storehouse.
If determine that by local content identification facility download file is the file of hazard class, the page that the link providing according to this danger file is so opened is also high-risk, thereby also can eject prompt window according to this rule.
Step S340, ejects fishing page prompts window.
Alternatively, before ejecting fishing page prompts window, can also obtain the URL of the suspicious page and the Business Information relevant with the suspicious page, in the prompt window ejecting, show URL and the Business Information of the suspicious page.For example, from buying the corresponding URL of the problematic angle prompting user of commodity, be the suspicious page, suggestion user cancels payment.Further, according to Business Information, add the prompting of " the * * seller of vending articles has problem ", show problematic seller simultaneously, and provide relevant qualitative description.
The method providing according to the above embodiment of the present invention, two rule-likes that provide by local rules repository detect the fishing page, wherein first kind rule is for determining whether user's triggering behavior meets special scenes, Equations of The Second Kind rule is for further determining whether user's access behavior has high-risk property, thus as the foundation that ejects prompt window.This method is also not determine be fishing website in the situation that, judging fishing behavior, and then effectively prompting is in real time provided for network behavior feature, realizing the real-time blocking to fishing website, the fail safe of protection user network page browsing.
In the situation that above protection interception was all lost efficacy, if user is still deceived by fishing, wooden horse, the present invention also provides the mode of user's loss being carried out to certain reparation, this fishing, wooden horse information are supplemented in interception rule simultaneously, basis, net purchase enhancing and user are commented on to protection rule and expand, upgrade blacklist and white list in cloud server.
When user's loss is compensated, fishing website, wooden horse information are added to net purchase risk site databases, and the end of uploading onto the server.The information of the net purchase behavior that user is carried out is stored and shows, wherein shows protection user's net purchase number of times and the amount for which loss settled of current enjoyment; Show nearest net purchase and payment record, Claims Resolution can be applied in the record completing for payment; By calendar button, represent calendar, mark the date of all net purchases of user, facilitate user to check and select and compensate.
Fig. 4 shows and detects according to an embodiment of the invention the structured flowchart that pays the system of the page by fishing page access.As shown in Figure 4, this system comprises client 410 and server 420.
Wherein, client 410 comprises: detection module 411, the first enquiry module 412, the first sending module 413, the first receiver module 414 and display module 415; Server 420 comprises: the second receiver module 421, the second enquiry module 422 and the second sending module 423.
Detection module 411 is the access request to the payment page for detection of user.It can be that characteristic information based on the page judges to paying the access request of the page that detection module 411 detects users, for paying the page, it generally comprises account, password, identifying code and corresponding list input domain, if detection module 411 detects these characteristic informations, just can judge and user be detected to paying the access request of the page.
The first enquiry module 412 is for user being detected to after paying the access request of the page at detection module 411, query link is to the URL that pays the front some grades of pages of the page.The first enquiry module 412 can be linked to based on refer information inquiry the URL of the front some grades of pages that pay the page.Particularly, the refer information recording of the current payment page has the URL of the previous stage page, and the refer information of the previous stage page records again the URL of the front two-stage page.User, by links and accesses at different levels, pay in the process of the pages, URL that just can the real time record pages at different levels, and pass through the linking relationship of the refer information recording pages at different levels of the pages at different levels.Alternatively, linking relationship can reach 7 grades at the most, but is not limited only to this.Owing to being generally linked to the payment page by fishing website, can not surpass 7 grades, so maintain the linking relationship of 7 grades of records, just can meet the demand that detects fishing website.
The first sending module 413 is for reporting server 420 by the URL of the front some grades of pages, for server 420 according to the URL of the front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the front some grades of pages.
The Query Result that the first receiver module 414 returns for reception server 420.
The in the situation that display module 415 comprising the fishing page or the unknown suspicious page for some grades of pages before Query Result shows, eject prompt window.Display module 415 is further used for: obtain the URL of the fishing page or the unknown suspicious page and the Business Information relevant with the fishing page or the unknown suspicious page, eject prompt window and also show therein URL and the Business Information of the fishing page or the unknown suspicious page.
The second receiver module 421 is detecting user to after paying the access request of the page, the URL that is linked to the front some grades of pages that pay the page reporting after inquiry for receiving client 410.
The second enquiry module 422 is for according to the URL of the front some grades of pages, and blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the front some grades of pages.
Further, the second enquiry module 422 specifically for: if any inquiring in the URL of the front some grades of pages belongs to the blacklist that server 420 is preserved, know the Query Result that comprises the page of going fishing in the front some grades of pages.
Further, the second enquiry module 422 specifically for: if inquire, any in the URL of the front some grades of pages do not belong to the blacklist that server 420 preserves and/or the URL that inquires the front some grades of pages does not belong to white list entirely, the page info recording in the gray list that querying server 420 is preserved, before judgement, whether arbitrary page info of the some grades of pages meets unknown suspicious condition, if meet, know the Query Result that comprises the unknown suspicious page in the front some grades of pages.The page info recording in the gray list that server 420 is preserved comprises: record information, visit capacity information or website log-on message.
Further, the second enquiry module 422 specifically for: before judgement, whether arbitrary page info of the some grades of pages meets following unknown suspicious condition: page info does not comprise record information; And/or the visit capacity information that page info comprises shows that visit capacity is lower than setting threshold; And/or the website log-on message that page info comprises shows that website hour of log-on is less than setting duration.
The second sending module 423, for returning to Query Result to client 410, after comprising the Query Result of the fishing page or the unknown suspicious page, ejects prompt window for client 410 before obtaining in the some grades of pages.
The system providing according to the above embodiment of the present invention and corresponding client, server, in client, user detected to after paying the access request of the page, query link arrives the URL of the front some grades of pages that pay the page, and the URL of the front some grades of pages is reported to server; The blacklist that server lookup is preserved and/or white list, gray list, obtain in the front some grades of pages whether comprise the fishing page or the unknown suspicious page, if comprise, ejects prompt window.The gray list that native system provides by server can judge in the link page that user accessed before access pays the page whether comprise the unknown suspicious page, the network behavior that is linked to the payment page by the suspicious page of the unknown can judge it is fishing behavior substantially, can eject thus prompt window for pointing out user careful payment.Native system, not determining be fishing website in the situation that, also can be judged fishing behavior for network behavior feature, user, accesses while paying the page and effectively make in real time prompting, has realized the real-time blocking to fishing website, the fail safe of protection user network page browsing.
Fig. 5 shows the structured flowchart that detects according to an embodiment of the invention the device of the fishing page based on local rules repository.As shown in Figure 5, this device comprises: local rules repository 510, first detection module 520, the second detection module 530 and reminding module 540.
Local rules repository 510 comprises first kind rule and Equations of The Second Kind rule.Wherein, first kind rule is for judging whether user's triggering behavior meets special scenes, if meet special scenes, just the object using this user's access to netwoks behavior as subsequent detection, is also that first kind rule should be concerned for determining which user's access to netwoks behavior.In the embodiment of the present invention, first kind rule comprises the one or more combination in following rule: enter net purchase and/or payment mode; The access classified information page.Equations of The Second Kind rule comprises the one or more combinations in following rule: the URL of the page of access comprises predetermined keyword, but the domain name of this page corresponding domain name that is not predetermined keyword; The domain name of the page of access is high-risk domain name or domain name overseas; The Whois information of the page of access or NS record meet default feature; The page that the page of access is opened for the link of sending according to the high-risk account in instant messaging application program; The page that the page of access is opened for the link providing according to downloaded dangerous file, dangerous file is definite by local content identification facility.The relevant method by local content identification facility hazard recognition file can be referring to the description of embodiment of the method.
Whether first detection module 520 meets first kind rule for detection of user's triggering behavior.
The second detection module 530 is for meeting first kind rule in the situation that first detection module 520 detects user's triggering behavior, detect user by the behavior of the browser access page, judge whether user in the given time meets Equations of The Second Kind rule by the behavior of the browser access page, or judge whether user meets Equations of The Second Kind rule by the behavior in the link page process of browser access predetermined number.
The in the situation that reminding module 540 meeting Equations of The Second Kind rule for judging behavior at the second detection module 530, eject fishing page prompts window.Alternatively, before ejecting fishing page prompts window, can also obtain the URL of the suspicious page and the Business Information relevant with the suspicious page, in the prompt window ejecting, show URL and the Business Information of the suspicious page.For example, from buying the corresponding URL of the problematic angle prompting user of commodity, be the suspicious page, suggestion user cancels payment.Further, according to Business Information, add the prompting of " the * * seller of vending articles has problem ", show problematic seller simultaneously, and provide relevant qualitative description.
The device providing according to the above embodiment of the present invention, two rule-likes that provide by local rules repository detect the fishing page, wherein first kind rule is for determining whether user's triggering behavior meets special scenes, Equations of The Second Kind rule is for further determining whether user's access behavior has high-risk property, thus as the foundation that ejects prompt window.This device is also not determine be fishing website in the situation that, judging fishing behavior, and then effectively prompting is in real time provided for network behavior feature, realizing the real-time blocking to fishing website, the fail safe of protection user network page browsing.
The algorithm providing at this is intrinsic not relevant to any certain computer, virtual system or miscellaneous equipment with demonstration.Various general-purpose systems also can with based on using together with this teaching.According to description above, it is apparent constructing the desired structure of this type systematic.In addition, the present invention is not also for any certain programmed language.It should be understood that and can utilize various programming languages to realize content of the present invention described here, and the description of above language-specific being done is in order to disclose preferred forms of the present invention.
In the specification that provided herein, a large amount of details have been described.Yet, can understand, embodiments of the invention can not put into practice in the situation that there is no these details.In some instances, be not shown specifically known method, structure and technology, so that not fuzzy understanding of this description.
Similarly, be to be understood that, in order to simplify the disclosure and to help to understand one or more in each inventive aspect, in the above in the description of exemplary embodiment of the present invention, each feature of the present invention is grouped together into single embodiment, figure or sometimes in its description.Yet, the method for the disclosure should be construed to the following intention of reflection: the present invention for required protection requires than the more feature of feature of clearly recording in each claim.Or rather, as reflected in claims below, inventive aspect is to be less than all features of disclosed single embodiment above.Therefore, claims of following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.
Those skilled in the art are appreciated that and can the module in the equipment in embodiment are adaptively changed and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and can put them into a plurality of submodules or subelement or sub-component in addition.At least some in such feature and/or process or unit are mutually repelling, and can adopt any combination to combine all processes or the unit of disclosed all features in this specification (comprising claim, summary and the accompanying drawing followed) and disclosed any method like this or equipment.Unless clearly statement in addition, in this specification (comprising claim, summary and the accompanying drawing followed) disclosed each feature can be by providing identical, be equal to or the alternative features of similar object replaces.
In addition, those skilled in the art can understand, although embodiment more described herein comprise some feature rather than further feature included in other embodiment, the combination of the feature of different embodiment means within scope of the present invention and forms different embodiment.For example, in the following claims, the one of any of embodiment required for protection can be used with compound mode arbitrarily.
All parts embodiment of the present invention can realize with hardware, or realizes with the software module moved on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that can use in practice microprocessor or digital signal processor (DSP) to realize according to the detection of the embodiment of the present invention pays the system of the page and the some or all functions of the some or all parts in the device based on the local rules repository detection fishing page by fishing page access.The present invention for example can also be embodied as, for carrying out part or all equipment or device program (, computer program and computer program) of method as described herein.Realizing program of the present invention and can be stored on computer-readable medium like this, or can there is the form of one or more signal.Such signal can be downloaded and obtain from internet website, or provides on carrier signal, or provides with any other form.
It should be noted above-described embodiment the present invention will be described rather than limit the invention, and those skilled in the art can design alternative embodiment in the situation that do not depart from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and is not listed as element or step in the claims.Being positioned at word " " before element or " one " does not get rid of and has a plurality of such elements.The present invention can be by means of including the hardware of some different elements and realizing by means of the computer of suitably programming.In having enumerated the unit claim of some devices, several in these devices can be to carry out imbody by same hardware branch.The use of word first, second and C grade does not represent any order.Can be title by these word explanations.
The invention discloses: A1, a kind of detection pay the method for the page by fishing page access, comprising:
Detect user to paying the access request of the page;
Described user detected to after paying the access request of the page, query link is to the URL of the front some grades of pages of the described payment page;
The URL of the described front some grades of pages is reported to server, for described server according to the URL of the described front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The described Query Result that reception server returns, if described Query Result shows to comprise the fishing page or the unknown suspicious page in the described front some grades of pages, ejects prompt window.
A2, according to the method described in A1, if server lookup belongs to any in the URL of the described front some grades of pages blacklist that described server is preserved, know the Query Result that comprises the page of going fishing in the described front some grades of pages.
A3, according to the method described in A1, if server lookup does not belong to the blacklist that described server preserves and/or the URL that inquires the described front some grades of pages does not belong to white list entirely to any in the URL of the described front some grades of pages, inquire about the page info recording in the gray list of described server preservation, whether the arbitrary page info that judges the described front some grades of pages meets unknown suspicious condition, if meet, know the Query Result that comprises the unknown suspicious page in the described front some grades of pages.
A4, according to the method described in A3, described page info comprises: record information, visit capacity information or website log-on message.
A5, according to the method described in A4, the suspicious Conditional Include of described the unknown:
Described page info does not comprise record information;
And/or the visit capacity information that described page info comprises shows that visit capacity is lower than setting threshold;
And/or the website log-on message that described page info comprises shows that website hour of log-on is less than setting duration.
A6, according to the method described in A1-A4 any one, if described Query Result shows to comprise in the described front some grades of pages fishing page or the unknown suspicious page, eject prompt window and further comprise:
Obtain the URL of the described fishing page or the unknown suspicious page and the Business Information relevant with the described fishing page or the unknown suspicious page, eject prompt window and also show therein URL and the described Business Information of the described fishing page or the unknown suspicious page.
The invention also discloses: B7, a kind of client, comprising:
Detection module, the access request for detection of user to the payment page;
The first enquiry module, for described user being detected at described detection module to after paying the access request of the page, query link is to the URL of the front some grades of pages of the described payment page;
The first sending module, for the URL of the described front some grades of pages is reported to server, for described server according to the URL of the described front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The first receiver module, the described Query Result returning for reception server;
Display module, for show that at described Query Result the described front some grades of pages comprise the fishing page or the unknown suspicious page in the situation that, ejects prompt window.
B8, according to the client described in B7, described display module is further used for: obtain the URL of the described fishing page or the unknown suspicious page and the Business Information relevant with the described fishing page or the unknown suspicious page, eject prompt window and also show therein URL and the described Business Information of the described fishing page or the unknown suspicious page.
The invention also discloses: C9, a kind of server, comprising:
The second receiver module, is detecting user to after paying the access request of the page, the URL that is linked to the front some grades of pages that pay the page reporting after inquiry for receiving client;
The second enquiry module, for according to the URL of the described front some grades of pages, inquires about blacklist and/or white list and gray list that described server is preserved, obtains the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The second sending module, for return to described Query Result to client, after comprising the Query Result of the fishing page or the unknown suspicious page, ejects prompt window for described client in obtaining the described front some grades of pages.
C10, according to the server described in C9, described the second enquiry module specifically for: if any inquiring in the URL of the described front some grades of pages belongs to the blacklist that described server is preserved, know the Query Result that comprises the page of going fishing in the described front some grades of pages.
C11, according to the server described in C9, described the second enquiry module specifically for: if inquire, any in the URL of the described front some grades of pages do not belong to the blacklist that described server preserves and/or the URL that inquires the described front some grades of pages does not belong to white list entirely, inquire about the page info recording in the gray list of described server preservation, whether the arbitrary page info that judges the described front some grades of pages meets unknown suspicious condition, if meet, know the Query Result that comprises the unknown suspicious page in the described front some grades of pages.
C12, according to the server described in C11, the page info recording in the gray list that described server is preserved comprises: record information, visit capacity information or website log-on message.
C13, according to the server described in C12, described the second enquiry module specifically for: whether the arbitrary page info that judges the described front some grades of pages meets following unknown suspicious condition:
Described page info does not comprise record information;
And/or the visit capacity information that described page info comprises shows that visit capacity is lower than setting threshold;
And/or the website log-on message that described page info comprises shows that website hour of log-on is less than setting duration.
The invention also discloses: D14, a kind of detection pay the system of the page by fishing page access, comprising: the server described in the client described in B7 or B8 and C9-C13 any one.
The invention also discloses: E15, a kind of method that detects the fishing page based on local rules repository, described local rules repository comprises first kind rule and Equations of The Second Kind rule, and described method comprises:
In the situation that user's triggering behavior meets described first kind rule, detect user by the behavior of the browser access page;
Judge whether user in the given time meets described Equations of The Second Kind rule by the behavior of the browser access page, or it is regular judge whether user meets described Equations of The Second Kind by the behavior in the link page process of browser access predetermined number; If meet, eject fishing page prompts window.
E16, according to the method described in E15, described first kind rule comprises the one or more combination in following rule:
Enter net purchase and/or payment mode;
The access classified information page.
E17, according to the method described in E15 or E16, described Equations of The Second Kind rule comprises the one or more combinations in following rule:
The URL of the described page of access comprises predetermined keyword, but the domain name of this page corresponding domain name that is not predetermined keyword;
The domain name of the described page of access is high-risk domain name or domain name overseas;
The Whois information of the described page of access or NS record meet default feature;
The page that the described page of access is opened for the link of sending according to the high-risk account in instant messaging application program.
E18, according to the method described in E15 or E16, described Equations of The Second Kind rule comprises:
The page that the described page of access is opened for the link providing according to downloaded dangerous file, described dangerous file is definite by local content identification facility.
E19, according to the method described in E18, described dangerous file is mht file, doc file or html file.
The invention also discloses: F20, a kind of device that detects the fishing page based on local rules repository, comprising:
Local rules repository, comprises first kind rule and Equations of The Second Kind rule;
Whether first detection module, meet described first kind rule for detection of user's triggering behavior;
The second detection module, for meeting described first kind rule in the situation that described first detection module detects user's triggering behavior, detect user by the behavior of the browser access page, judge whether user in the given time meets described Equations of The Second Kind rule by the behavior of the browser access page, or it is regular judge whether user meets described Equations of The Second Kind by the behavior in the link page process of browser access predetermined number;
Reminding module, the in the situation that of meeting described Equations of The Second Kind rule, ejects fishing page prompts window for judging described behavior at described the second detection module.
F21, according to the device described in F20, described first kind rule comprises the one or more combination in following rule:
Enter net purchase and/or payment mode;
The access classified information page.
F22, according to the device described in F20 or F21, described Equations of The Second Kind rule comprises the one or more combinations in following rule:
The URL of the described page of access comprises predetermined keyword, but the domain name of this page corresponding domain name that is not predetermined keyword;
The domain name of the described page of access is high-risk domain name or domain name overseas;
The Whois information of the described page of access or NS record meet default feature;
The page that the described page of access is opened for the link of sending according to the high-risk account in instant messaging application program.
F23, according to the device described in F20 or F21, described Equations of The Second Kind rule comprises:
The page that the described page of access is opened for the link providing according to downloaded dangerous file, described dangerous file is definite by local content identification facility.

Claims (10)

1. detection pays a method for the page by fishing page access, comprising:
Detect user to paying the access request of the page;
Described user detected to after paying the access request of the page, query link is to the URL of the front some grades of pages of the described payment page;
The URL of the described front some grades of pages is reported to server, for described server according to the URL of the described front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The described Query Result that reception server returns, if described Query Result shows to comprise the fishing page or the unknown suspicious page in the described front some grades of pages, ejects prompt window.
2. method according to claim 1, if server lookup belongs to any in the URL of the described front some grades of pages blacklist that described server is preserved, knows the Query Result that comprises the page of going fishing in the described front some grades of pages.
3. method according to claim 1, if server lookup does not belong to the blacklist that described server preserves and/or the URL that inquires the described front some grades of pages does not belong to white list entirely to any in the URL of the described front some grades of pages, inquire about the page info recording in the gray list of described server preservation, whether the arbitrary page info that judges the described front some grades of pages meets unknown suspicious condition, if meet, know the Query Result that comprises the unknown suspicious page in the described front some grades of pages.
4. according to the method described in claim 1-3 any one, if described Query Result shows to comprise the fishing page or the unknown suspicious page in the described front some grades of pages, eject prompt window and further comprise:
Obtain the URL of the described fishing page or the unknown suspicious page and the Business Information relevant with the described fishing page or the unknown suspicious page, eject prompt window and also show therein URL and the described Business Information of the described fishing page or the unknown suspicious page.
5. a client, comprising:
Detection module, the access request for detection of user to the payment page;
The first enquiry module, for described user being detected at described detection module to after paying the access request of the page, query link is to the URL of the front some grades of pages of the described payment page;
The first sending module, for the URL of the described front some grades of pages is reported to server, for described server according to the URL of the described front some grades of pages, blacklist and/or white list and gray list that querying server is preserved, obtain the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The first receiver module, the described Query Result returning for reception server;
Display module, for show that at described Query Result the described front some grades of pages comprise the fishing page or the unknown suspicious page in the situation that, ejects prompt window.
6. a server, comprising:
The second receiver module, is detecting user to after paying the access request of the page, the URL that is linked to the front some grades of pages that pay the page reporting after inquiry for receiving client;
The second enquiry module, for according to the URL of the described front some grades of pages, inquires about blacklist and/or white list and gray list that described server is preserved, obtains the Query Result that whether comprises the fishing page or the unknown suspicious page in the described front some grades of pages;
The second sending module, for return to described Query Result to client, after comprising the Query Result of the fishing page or the unknown suspicious page, ejects prompt window for described client in obtaining the described front some grades of pages.
7. detection pays a system for the page by fishing page access, comprising: client claimed in claim 5 and server claimed in claim 6.
8. based on local rules repository, detect a method for the fishing page, described local rules repository comprises first kind rule and Equations of The Second Kind rule, and described method comprises:
In the situation that user's triggering behavior meets described first kind rule, detect user by the behavior of the browser access page;
Judge whether user in the given time meets described Equations of The Second Kind rule by the behavior of the browser access page, or it is regular judge whether user meets described Equations of The Second Kind by the behavior in the link page process of browser access predetermined number; If meet, eject fishing page prompts window.
9. method according to claim 8, described first kind rule comprises the one or more combination in following rule:
Enter net purchase and/or payment mode;
The access classified information page.
10. based on local rules repository, detect a device for the fishing page, comprising:
Local rules repository, comprises first kind rule and Equations of The Second Kind rule;
Whether first detection module, meet described first kind rule for detection of user's triggering behavior;
The second detection module, for meeting described first kind rule in the situation that described first detection module detects user's triggering behavior, detect user by the behavior of the browser access page, judge whether user in the given time meets described Equations of The Second Kind rule by the behavior of the browser access page, or it is regular judge whether user meets described Equations of The Second Kind by the behavior in the link page process of browser access predetermined number;
Reminding module, the in the situation that of meeting described Equations of The Second Kind rule, ejects fishing page prompts window for judging described behavior at described the second detection module.
CN201310739785.XA 2013-12-26 2013-12-26 Method and system for detecting phishing pages, client side and server Pending CN103685312A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310739785.XA CN103685312A (en) 2013-12-26 2013-12-26 Method and system for detecting phishing pages, client side and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310739785.XA CN103685312A (en) 2013-12-26 2013-12-26 Method and system for detecting phishing pages, client side and server

Publications (1)

Publication Number Publication Date
CN103685312A true CN103685312A (en) 2014-03-26

Family

ID=50321626

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310739785.XA Pending CN103685312A (en) 2013-12-26 2013-12-26 Method and system for detecting phishing pages, client side and server

Country Status (1)

Country Link
CN (1) CN103685312A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202318A (en) * 2014-08-22 2014-12-10 北京奇虎科技有限公司 Method, client and system for keeping away a phishing behavior
CN105306419A (en) * 2014-06-25 2016-02-03 腾讯科技(深圳)有限公司 Page information interaction method, device and system
CN106027644A (en) * 2016-05-18 2016-10-12 广州市忆科计算机系统有限公司 Service checking method and system
CN106506547A (en) * 2016-12-23 2017-03-15 北京奇虎科技有限公司 Processing method, WAF, router and system for Denial of Service attack
CN108337259A (en) * 2018-02-01 2018-07-27 南京邮电大学 A kind of suspicious web page identification method based on HTTP request Host information
CN108647959A (en) * 2018-03-30 2018-10-12 平安科技(深圳)有限公司 Indicating risk method and device when on-line payment
CN108933823A (en) * 2018-06-28 2018-12-04 北京京东尚科信息技术有限公司 User's touching reaches method and apparatus
CN108965251A (en) * 2018-06-08 2018-12-07 广州大学 A kind of safe mobile phone guard system that cloud combines
CN109862025A (en) * 2019-02-28 2019-06-07 北京安护环宇科技有限公司 Access control method, apparatus and system based on black and white lists
CN110020239A (en) * 2017-09-20 2019-07-16 腾讯科技(深圳)有限公司 Malice resource transfers web page identification method and device
CN110278271A (en) * 2019-06-24 2019-09-24 厦门美图之家科技有限公司 Network request control method, device and terminal device
CN111159701A (en) * 2019-12-25 2020-05-15 五八同城信息技术有限公司 Third-party page loading method and device, electronic equipment and storage medium
CN112769731A (en) * 2019-10-21 2021-05-07 腾讯科技(深圳)有限公司 Process control method, device, server and storage medium

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105306419A (en) * 2014-06-25 2016-02-03 腾讯科技(深圳)有限公司 Page information interaction method, device and system
CN105306419B (en) * 2014-06-25 2019-12-13 腾讯科技(深圳)有限公司 Page information interaction method, device and system
CN104202318A (en) * 2014-08-22 2014-12-10 北京奇虎科技有限公司 Method, client and system for keeping away a phishing behavior
CN106027644A (en) * 2016-05-18 2016-10-12 广州市忆科计算机系统有限公司 Service checking method and system
CN106027644B (en) * 2016-05-18 2020-01-07 广州市忆科计算机系统有限公司 Service verification method and system
CN106506547A (en) * 2016-12-23 2017-03-15 北京奇虎科技有限公司 Processing method, WAF, router and system for Denial of Service attack
CN110020239A (en) * 2017-09-20 2019-07-16 腾讯科技(深圳)有限公司 Malice resource transfers web page identification method and device
CN108337259A (en) * 2018-02-01 2018-07-27 南京邮电大学 A kind of suspicious web page identification method based on HTTP request Host information
CN108647959A (en) * 2018-03-30 2018-10-12 平安科技(深圳)有限公司 Indicating risk method and device when on-line payment
CN108647959B (en) * 2018-03-30 2024-04-09 平安科技(深圳)有限公司 Risk prompt method and device during online payment
CN108965251B (en) * 2018-06-08 2019-07-26 广州大学 A kind of safe mobile phone guard system that cloud combines
CN108965251A (en) * 2018-06-08 2018-12-07 广州大学 A kind of safe mobile phone guard system that cloud combines
CN108933823A (en) * 2018-06-28 2018-12-04 北京京东尚科信息技术有限公司 User's touching reaches method and apparatus
CN109862025A (en) * 2019-02-28 2019-06-07 北京安护环宇科技有限公司 Access control method, apparatus and system based on black and white lists
CN109862025B (en) * 2019-02-28 2021-10-01 北京安护环宇科技有限公司 Access control method, device and system based on black and white lists
CN110278271A (en) * 2019-06-24 2019-09-24 厦门美图之家科技有限公司 Network request control method, device and terminal device
CN112769731A (en) * 2019-10-21 2021-05-07 腾讯科技(深圳)有限公司 Process control method, device, server and storage medium
CN112769731B (en) * 2019-10-21 2022-11-04 腾讯科技(深圳)有限公司 Process control method, device, server and storage medium
CN111159701A (en) * 2019-12-25 2020-05-15 五八同城信息技术有限公司 Third-party page loading method and device, electronic equipment and storage medium
CN111159701B (en) * 2019-12-25 2023-09-29 五八同城信息技术有限公司 Third-party page loading method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN103685312A (en) Method and system for detecting phishing pages, client side and server
EP3818675B1 (en) System and method for polluting phishing campaign responses
US11570211B1 (en) Detection of phishing attacks using similarity analysis
US20200195688A1 (en) Systems And Methods For Takedown Of Counterfeit Websites
CN104040557B (en) Online swindle detection dynamic grading aggregation system and method
CN103368957B (en) Method and system that web page access behavior is processed, client, server
US20170155666A1 (en) Attracting and analyzing spam postings
US20090144308A1 (en) Phishing redirect for consumer education: fraud detection
US20220070216A1 (en) Phishing detection system and method of use
CN103152354B (en) To method, system and client device that dangerous website is pointed out
CN102882886B (en) A kind of network terminal and method presenting the relevant information of access websites
CN102957693B (en) Fishing website determination methods and device
CN104079475A (en) Message processing method and system
CN104185158A (en) Malicious short message processing method and client based on false base station
CN103685307A (en) Method, system, client and server for detecting phishing fraud webpage based on feature library
CN105635126A (en) Malicious URL access protection method, client side, security server and system
WO2007044619A2 (en) Anti-phishing system and methods
CN103647779A (en) Method and device for detecting fishing fraud information through two-dimensional code
CN103763686A (en) Processing method and device for short messages
CN104158828B (en) The method and system of suspicious fishing webpage are identified based on cloud content rule base
CN103701804A (en) Network shopping environment safety detecting method and device
Koide et al. Detecting phishing sites using chatgpt
CN104143008A (en) Method and device for detecting phishing webpage based on picture matching
CN102739653A (en) Detection method and device aiming at webpage address
CN103986731A (en) Method and device for detecting phishing web pages through picture matching

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20140326