CN103927480A - Method, device and system for identifying malicious web page - Google Patents
Method, device and system for identifying malicious web page Download PDFInfo
- Publication number
- CN103927480A CN103927480A CN201310012256.XA CN201310012256A CN103927480A CN 103927480 A CN103927480 A CN 103927480A CN 201310012256 A CN201310012256 A CN 201310012256A CN 103927480 A CN103927480 A CN 103927480A
- Authority
- CN
- China
- Prior art keywords
- webpage
- checked
- domain name
- information
- record
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
Abstract
An embodiment of the invention discloses a method, a device and a system for identifying a malicious web page. The method includes the steps: extracting a domain name of a web page to be detected, and querying filing information through the domain name; acquiring text information of the web page to be detected, and extracting characteristic information of the web page to be detected from the text information; determining that the web page to be detected is a malicious web page if similarity of the filing information and the characteristic information is lower than a preset threshold value. By the aid of the scheme, whether the web page to be detected is the malicious web page or not is determined by comparing the filing information and the characteristic information of the web page to be detected through the similarity of the filing information and the characteristic information, the web page to be detected is detected without being based on the fact that whether the web page has black chains or not, the filing information is advanced filing information before the web page is altered, and the filing information has quite high reliability, so that the identifying success rate of the malicious web page is increased.
Description
Technical field
The present invention relates to communication technical field, particularly a kind of recognition methods of malicious web pages, device and system.
Background technology
Along with constantly popularizing of internet, user becomes very general by Network Capture various information.Meanwhile, on internet, all kinds of swindle fishing websites also emerge in an endless stream, and internet security situation allows of no optimist.
Malicious websites on current internet mainly can be divided into two classes: a class is the website of " initiatively doing evil ", that is: hacker initiatively creates the malice website with user cheating, another kind of is the website of " passive doing evil ", is subject to that the page that assault causes webpage is tampered and the normal website of becoming malice website that is:.Search engine is experienced for improving user, for the website of last class " initiatively do evil ", can directly it be removed from Search Results, and for the website of a rear class " passive doing evil ", generally can only add certain careful access of signal language warning user.
Conventionally, fail-safe software can effectively identify malicious websites by the method such as similarity of collecting malice keyword, comparison malicious websites and targeted website, belongs to maliciously website of above-mentioned which class but be difficult to further distinguish this website.
The scheme that whether comparatively common detection webpage is tampered is at present whether to contain black chain by the detection page to realize.Black chain claims again dark chain, refers to that hacker improves weight or the PR(Page Rank of targeted website at search engine, webpage rank) and implant the hyperlink of pointing to targeted website in normal website.Normal hyperlink is visible for user, and black chain conventionally for user be hide (such as arrange hyperlink be positioned at screen can indication range outside or hyperlink color be set equal background colour), thereby make it be difficult for being realized.If find a large amount of black chains in a page, conventionally illustrate that it is by assault with distorted.
The scheme that whether contains black chain with the detection page is determined the scheme whether webpage is tampered, for implanting the class page as the black chain of object and distort and can effectively identify improving search engine rank, but for directly to inveigle user to distort and cannot accomplish effective judgement as the malice page of object.This is because hacker, attacking normal website and adding after swindle content, might not implant black chain, so the mode by detecting black chain the None-identified page whether be tampered, therefore malicious web pages recognition success rate is low.
Summary of the invention
The embodiment of the present invention provides a kind of recognition methods, device and system of malicious web pages, for improving malicious web pages recognition success rate.
A recognition methods for malicious web pages, comprising:
Extract the domain name of webpage to be checked, inquire about record information by domain name;
Obtain the text message of described webpage to be checked, from described text message, extract the characteristic information of described webpage to be checked;
If the similarity of described record information and described characteristic information lower than default threshold value, determines that described webpage to be checked is malicious web pages.
A recognition device for malicious web pages, comprising:
Domain name extraction unit, for extracting the domain name of webpage to be checked;
The query unit of putting on record, for the inquiry of the domain name record information extracting by domain name extraction unit;
Webpage acquiring unit, for obtaining the text message of described webpage to be checked;
Feature extraction unit, extracts the characteristic information of described webpage to be checked for the text message obtaining from described webpage acquiring unit;
Decision unit, if for described in put the similarity of the characteristic information that record information and the described feature extraction unit of query unit inquiry extract on record lower than default threshold value, definite described webpage to be checked is malicious web pages.
A kind of network system, comprising: put on record server and recognition device;
The described server stores of putting on record has the record information of webpage;
Described recognition device, for extracting the domain name of webpage to be checked, by domain name at the described server lookup record information of putting on record; Obtain the text message of described webpage to be checked, from described text message, extract the characteristic information of described webpage to be checked; If the similarity of described record information and described characteristic information lower than default threshold value, determines that described webpage to be checked is malicious web pages.
As can be seen from the above technical solutions, the embodiment of the present invention has the following advantages: the record information and the characteristic information that adopt contrast webpage to be checked, determine by both similarities whether webpage to be checked is the scheme of malicious web pages, whether do not exist black chain to detect based on webpage, record information is the information of putting on record in advance before webpage is not modified, there is high reliability, therefore improved malicious web pages recognition success rate.
Brief description of the drawings
In order to be illustrated more clearly in the technical scheme in the embodiment of the present invention, below the accompanying drawing of required use during embodiment is described is briefly introduced, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
Fig. 1 is embodiment of the present invention method flow schematic diagram;
Fig. 2 is the html source code sectional drawing schematic diagram of an example of the embodiment of the present invention;
Fig. 3 is embodiment of the present invention other method schematic flow sheet;
Fig. 4 is the structural representation of embodiment of the present invention system architecture;
Fig. 5 is embodiment of the present invention apparatus structure schematic diagram;
Fig. 6 is embodiment of the present invention system architecture schematic diagram.
Embodiment
In order to make the object, technical solutions and advantages of the present invention clearer, below in conjunction with accompanying drawing, the present invention is described in further detail, and obviously, described embodiment is only a part of embodiment of the present invention, instead of whole embodiment.Based on the embodiment in the present invention, those of ordinary skill in the art, not making all other embodiment that obtain under creative work prerequisite, belong to the scope of protection of the invention.
The embodiment of the present invention provides a kind of recognition methods of malicious web pages, as shown in Figure 1, comprising:
101: extract the domain name of webpage to be checked, by above-mentioned inquiry of the domain name record information;
Record information is the information of putting on record in advance before webpage is not modified.Can be specifically the putting on record of carrying out of the operator of the domain name that above-mentioned webpage is corresponding, there is legitimacy; This record information is putting on record of carrying out of operator, so therefore the information that this record information is operator to be approved have high reliability.
Alternatively, the domain name of said extracted webpage to be checked, comprises by above-mentioned inquiry of the domain name record information: getting behind the address of webpage to be checked, extracting domain name, by above-mentioned inquiry of the domain name record information from address above mentioned.The address of above-mentioned webpage to be checked can be generally the URL(Universal Resource Locator of webpage to be checked, and URL(uniform resource locator), also referred to as web page address).
Alternatively, above-mentionedly comprise by above-mentioned inquiry of the domain name record information: from Ministry of Industry and Information's filing database, extract the record information corresponding with above-mentioned domain name.
Must obtain industry and the ICP(Internet Content Provider of (being called for short Ministry of Industry and Information) of information-based portion owing to being engaged in the website of Internet Information Service within Chinese territory, Web content service provider) put on record, the information such as title, the scope of business, sponsor's title that therefore can obtain website by the record information of query web, this is conventionally consistent with the information of showing on Website page.
Such as for qq.com, by Ministry of Industry and Information website:
http://www.miibeian.gov.cn/publish/query/indexFirst.action
The record information inquiring is as shown in table 1 below:
Table 1
102: obtain the text message of above-mentioned webpage to be checked, from above-mentioned text message, extract the characteristic information of above-mentioned webpage to be checked;
Alternatively, the above-mentioned text message that obtains above-mentioned webpage to be checked, the characteristic information that extracts above-mentioned webpage to be checked from above-mentioned text message comprises: the address that obtains above-mentioned webpage to be checked, then obtain the web page text of address above mentioned, and from above-mentioned web page text, extract the characteristic information of above-mentioned webpage to be checked.
Alternatively, above-mentioned characteristic information comprises: system label information.
The text message of above-mentioned webpage and web page text information can be all HTML(Hypertext Markup Language, HTML (Hypertext Markup Language)) sound code file, equally taking qq.com as example, directly access qq.com, by checking its webpage html source code, refer to Fig. 2 sectional drawing.Can find its system label information (system label information refers to title label and the description content corresponding to meta label of Fig. 2 sectional drawing), description content corresponding to system label information is very consistent with ICP record information, all contains keyword " Tengxun ".
103: if the similarity of above-mentioned record information and above-mentioned characteristic information lower than default threshold value, determines that above-mentioned webpage to be checked is malicious web pages.
Adopt record information and the characteristic information of contrast webpage to be checked, determine by both similarities whether webpage to be checked is the scheme of malicious web pages, whether do not exist black chain to detect based on webpage, record information is the information of putting on record in advance before webpage is not modified, there is high reliability, therefore improved malicious web pages recognition success rate.
Whether above-mentioned steps 103, by the characteristic information of the description to content of pages in the webpage to be checked extracting, is then mated to detect webpage with its record information and is maliciously tampered: if both content consistencies are high, think that webpage is normal; If both correlativitys are very low, think that webpage is tampered.
The similarity of above-mentioned record information and above-mentioned characteristic information comprises lower than default threshold value: by any one similarity of determining above-mentioned record information and above-mentioned characteristic information in longest common subsequence, minimum editing distance, Hamming distance, proper vector cosine value lower than default threshold value.
Following examples provided one of above embodiment more specifically implementation as an example, above embodiment is described in more detail, refer to Fig. 3.
301: the URL to be detected that receives input;
Two steps 302 after step 301 and 303 can be carried out simultaneously.
302: download the webpage html text that above-mentioned URL is corresponding, and extract wherein important label substance, such as title and meta label, combination producing is for the descriptive text A of this webpage;
303: extract the domain name in URL, inquire about the ICP record information of this domain name, obtain the wherein important content of putting on record, such as web site name, sponsor's character and title, scope of business etc., combination producing is for the descriptive text B of this webpage;
304: judge whether above-mentioned domain name puts on record, if this domain name (website) is not put on record, cannot judge that whether it is tampered, and directly returns to the unknown; Otherwise enter 305;
305: judged whether characteristic information, if this URL cannot access or web page contents in lack title, the label substance that the systems such as meta are required, directly returns to the unknown; Otherwise enter 306;
306: do similarity calculating for text A and B, judge that whether the similarity of above-mentioned A and B is lower than default threshold value.If similarity, lower than default threshold value, is exported the result that webpage is tampered; Otherwise think that webpage is normal.
The algorithm of weighing text similarity has a lot, for example longest common subsequence, and minimum editing distance, Hamming distance, proper vector cosine value etc., the embodiment of the present invention is not restricted similarity algorithm, and only does an explanation with longest common subsequence algorithm.Suppose that (length is 4 to the text A obtaining by html page feature extraction for " Tengxun's homepage ", taking Chinese character as unit), the text B obtaining by inquiry ICP information is " www.qq.com " (length is 3), and its longest common subsequence is " Tengxun ", and length is 2; The similarity of text A and B can be defined as (longest common subsequence length)/(average length of A and B), i.e. 2/[(4+3)/2]=0.57; Be 0.05 if threshold value is set, similarity, higher than threshold value, thinks that webpage is not tampered.
The embodiment of the present invention also provides the embodiment of system architecture to be described as follows, and refers to Fig. 4.
URL load module: this module is used for the URL of the webpage to be checked that receives input, then the URL of reception is mail to following domain name extraction module and webpage download module and carries out subsequent treatment;
Domain name extraction module: this module extracts domain name from above-mentioned URL, then mails to the ICP enquiry module of putting on record;
The ICP enquiry module of putting on record: this module is obtained the record information of this domain name, and sends to comparison module;
Webpage download module: this module is downloaded the webpage html text that above-mentioned URL is corresponding, then mails to characteristic extracting module and carries out subsequent treatment;
Characteristic extracting module: this module is carried out feature extraction to html text, and send to comparison module; The characteristic information that this module is extracted includes but not limited to title and the interior content of text of meta label in webpage;
Comparison module: this module is collected after the result of domain name extraction module and characteristic extracting module, and the characteristic information of record information and html text is compared, and determines that whether both similarities are lower than predetermined threshold value; And comparative result is informed to result output module;
Result output module: whether this module is exported webpage to be checked according to comparative result is the result of malicious web pages.Particularly: if quilt similarity is lower than predetermined threshold value, can confirm that webpage is tampered, export the conclusion that this webpage to be checked is malicious web pages; Otherwise what to export this webpage to be checked be normal webpage gives opinion.
The embodiment of the present invention provides a kind of recognition device of malicious web pages, as shown in Figure 5, comprising:
Domain name extraction unit 501, for extracting the domain name of webpage to be checked;
The query unit 502 of putting on record, for the inquiry of the domain name record information extracting by above-mentioned domain name extraction unit 501;
Webpage acquiring unit 503, for obtaining the text message of above-mentioned webpage to be checked;
Feature extraction unit 504, extracts the characteristic information of above-mentioned webpage to be checked for the text message obtaining from above-mentioned webpage acquiring unit 503;
Decision unit 505, if the similarity of the characteristic information that the record information of inquiring about for the above-mentioned query unit 502 of putting on record and above-mentioned feature extraction unit 504 are extracted lower than default threshold value, determines that above-mentioned webpage to be checked is malicious web pages.
Adopt record information and the characteristic information of contrast webpage to be checked, determine by both similarities whether webpage to be checked is the scheme of malicious web pages, whether do not exist black chain to detect based on webpage, record information is the information of putting on record in advance before webpage is not modified, there is high reliability, therefore improved malicious web pages recognition success rate.
Alternatively, above-mentioned domain name extraction unit 501, specifically for getting behind the address of webpage to be checked, extracts domain name from address above mentioned.
Alternatively, above-mentioned webpage acquiring unit 503, specifically for obtaining the address of above-mentioned webpage to be checked, then obtains the web page text of address above mentioned;
Above-mentioned feature extraction unit 504, specifically for extracting the characteristic information of above-mentioned webpage to be checked the web page text obtaining from above-mentioned webpage acquiring unit 503.
Alternatively, above-mentioned feature extraction unit 504, comprises for characteristic information extraction: specifically for extraction system label information.
Alternatively, above-mentioned decision unit 505, lower than default threshold value, determine that above-mentioned webpage to be checked is malicious web pages specifically for any one similarity of determining above-mentioned record information and above-mentioned characteristic information by longest common subsequence, minimum editing distance, Hamming distance, proper vector cosine value.
Alternatively, the above-mentioned query unit 502 of putting on record, specifically for extracting record information corresponding to domain name extracting with above-mentioned domain name extraction unit 501 from Ministry of Industry and Information's filing database.
The embodiment of the present invention also provides a kind of network system, as shown in Figure 6, comprising: put on record server 601 and recognition device 602;
The above-mentioned server 601 of putting on record stores the record information of webpage;
Above-mentioned recognition device 602, for extracting the domain name of webpage to be checked, inquires about record information by above-mentioned domain name at the above-mentioned server 601 of putting on record; Obtain the text message of above-mentioned webpage to be checked, from above-mentioned text message, extract the characteristic information of above-mentioned webpage to be checked; If the similarity of above-mentioned record information and above-mentioned characteristic information lower than default threshold value, determines that above-mentioned webpage to be checked is malicious web pages.
Adopt record information and the characteristic information of contrast webpage to be checked, determine by both similarities whether webpage to be checked is the scheme of malicious web pages, whether do not exist black chain to detect based on webpage, record information is the information of putting on record in advance before webpage is not modified, there is high reliability, therefore improved malicious web pages recognition success rate.
Alternatively, above-mentioned recognition device 602, for extracting the domain name of webpage to be checked, comprises by above-mentioned inquiry of the domain name record information: specifically for getting behind the address of webpage to be checked, extract domain name, by above-mentioned inquiry of the domain name record information from address above mentioned.
Alternatively, above-mentioned recognition device 602, for obtaining the text message of above-mentioned webpage to be checked, the characteristic information that extracts above-mentioned webpage to be checked from above-mentioned text message comprises: specifically for obtaining the address of above-mentioned webpage to be checked, then obtain the web page text of address above mentioned, and from above-mentioned web page text, extract the characteristic information of above-mentioned webpage to be checked.
Alternatively, above-mentioned recognition device 602, comprises for characteristic information extraction: specifically for extraction system label information.
Alternatively, above-mentioned recognition device 602, comprises lower than default threshold value for the similarity of determining record information and above-mentioned characteristic information: specifically for any one similarity of determining above-mentioned record information and above-mentioned characteristic information by longest common subsequence, minimum editing distance, Hamming distance, proper vector cosine value lower than default threshold value.
It should be noted that in said apparatus embodiment, included unit is just divided according to function logic, but is not limited to above-mentioned division, as long as can realize corresponding function; In addition, the concrete title of each functional unit also, just for the ease of mutual differentiation, is not limited to protection scope of the present invention.
In addition, one of ordinary skill in the art will appreciate that all or part of step realizing in above-mentioned each embodiment of the method is can carry out the hardware that instruction is relevant by program to complete, corresponding program can be stored in a kind of computer-readable recording medium, the above-mentioned storage medium of mentioning can be ROM (read-only memory), disk or CD etc.
These are only preferably embodiment of the present invention; but protection scope of the present invention is not limited to this; any be familiar with those skilled in the art the embodiment of the present invention disclose technical scope in, the variation that can expect easily or replacement, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claim.
Claims (17)
1. a recognition methods for malicious web pages, is characterized in that, comprising:
Extract the domain name of webpage to be checked, inquire about record information by domain name;
Obtain the text message of described webpage to be checked, from described text message, extract the characteristic information of described webpage to be checked;
If the similarity of described record information and described characteristic information lower than default threshold value, determines that described webpage to be checked is malicious web pages.
2. method according to claim 1, is characterized in that the domain name of described extraction webpage to be checked is inquired about record information by domain name and comprised:
Getting behind the address of webpage to be checked, from described address extraction domain name, inquiring about record information by domain name.
3. method according to claim 1, is characterized in that, described in obtain the text message of described webpage to be checked, the characteristic information that extracts described webpage to be checked from described text message comprises:
Obtain the address of described webpage to be checked, then obtain the web page text of described address, and from described web page text, extract the characteristic information of described webpage to be checked.
4. according to method described in claims 1 to 3 any one, it is characterized in that, described characteristic information comprises: system label information.
5. according to method described in claims 1 to 3 any one, it is characterized in that, the similarity of described record information and described characteristic information comprises lower than default threshold value:
By any one similarity of determining described record information and described characteristic information in longest common subsequence, minimum editing distance, Hamming distance, proper vector cosine value lower than default threshold value.
6. according to method described in claims 1 to 3 any one, it is characterized in that, describedly inquire about record information by domain name and comprise:
From Ministry of Industry and Information's filing database, extract the record information corresponding with domain name.
7. a recognition device for malicious web pages, is characterized in that, comprising:
Domain name extraction unit, for extracting the domain name of webpage to be checked;
The query unit of putting on record, for the inquiry of the domain name record information extracting by domain name extraction unit;
Webpage acquiring unit, for obtaining the text message of described webpage to be checked;
Feature extraction unit, extracts the characteristic information of described webpage to be checked for the text message obtaining from described webpage acquiring unit;
Decision unit, if for described in put the similarity of the characteristic information that record information and the described feature extraction unit of query unit inquiry extract on record lower than default threshold value, definite described webpage to be checked is malicious web pages.
8. install according to claim 7, it is characterized in that,
Domain name extraction unit, specifically for getting behind the address of webpage to be checked, from described address extraction domain name.
9. install according to claim 7, it is characterized in that,
Described webpage acquiring unit, specifically for obtaining the address of described webpage to be checked, then obtains the web page text of described address;
Described feature extraction unit, specifically for extracting the characteristic information of described webpage to be checked the web page text obtaining from described webpage acquiring unit.
10. described in claim 7 to 9 any one, install, it is characterized in that,
Described feature extraction unit, comprises for characteristic information extraction: specifically for extraction system label information.
11. install described in claim 7 to 9 any one, it is characterized in that,
Described decision unit, lower than default threshold value, determine that described webpage to be checked is malicious web pages specifically for any one similarity of determining described record information and described characteristic information by longest common subsequence, minimum editing distance, Hamming distance, proper vector cosine value.
12. install described in claim 7 to 9 any one, it is characterized in that,
The described query unit of putting on record, for extracting record information corresponding to domain name extracting with domain name extraction unit from Ministry of Industry and Information's filing database.
13. 1 kinds of network systems, is characterized in that, comprising: put on record server and recognition device;
The described server stores of putting on record has the record information of webpage;
Described recognition device, for extracting the domain name of webpage to be checked, by domain name at the described server lookup record information of putting on record; Obtain the text message of described webpage to be checked, from described text message, extract the characteristic information of described webpage to be checked; If the similarity of described record information and described characteristic information lower than default threshold value, determines that described webpage to be checked is malicious web pages.
14. according to system described in claim 13, it is characterized in that,
Described recognition device, for extracting the domain name of webpage to be checked, inquires about record information by domain name and comprises: specifically for getting behind the address of webpage to be checked, from described address extraction domain name, inquire about record information by domain name.
15. according to system described in claim 13, it is characterized in that,
Described recognition device, for obtaining the text message of described webpage to be checked, the characteristic information that extracts described webpage to be checked from described text message comprises: specifically for obtaining the address of described webpage to be checked, then obtain the web page text of described address, and from described web page text, extract the characteristic information of described webpage to be checked.
16. according to claim 13 to system described in 15 any one, it is characterized in that,
Described recognition device, comprises for characteristic information extraction: specifically for extraction system label information.
17. according to claim 13 to system described in 15 any one, it is characterized in that,
Described recognition device, comprises lower than default threshold value for the similarity of determining record information and described characteristic information: specifically for any one similarity of determining described record information and described characteristic information by longest common subsequence, minimum editing distance, Hamming distance, proper vector cosine value lower than default threshold value.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310012256.XA CN103927480A (en) | 2013-01-14 | 2013-01-14 | Method, device and system for identifying malicious web page |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310012256.XA CN103927480A (en) | 2013-01-14 | 2013-01-14 | Method, device and system for identifying malicious web page |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103927480A true CN103927480A (en) | 2014-07-16 |
Family
ID=51145698
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310012256.XA Pending CN103927480A (en) | 2013-01-14 | 2013-01-14 | Method, device and system for identifying malicious web page |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103927480A (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104301300A (en) * | 2014-08-04 | 2015-01-21 | 北京奇虎科技有限公司 | Method, client and system for detecting network phishing fraud risk |
| CN104978423A (en) * | 2015-06-30 | 2015-10-14 | 北京奇虎科技有限公司 | Website type detection method and apparatus |
| WO2016201994A1 (en) * | 2015-06-15 | 2016-12-22 | 中兴通讯股份有限公司 | Method and device for determining domain name credibility |
| CN106685936A (en) * | 2016-12-14 | 2017-05-17 | 深圳市深信服电子科技有限公司 | Webpage defacement detection method and apparatus |
| CN108173877A (en) * | 2018-02-02 | 2018-06-15 | 克洛斯比尔有限公司 | For preventing the method and apparatus of fishing website |
| CN108197473A (en) * | 2017-12-25 | 2018-06-22 | 中国科学院信息工程研究所 | A kind of jamproof environment sensitive type Malware behavioral similarity evaluating method and device |
| CN108363599A (en) * | 2018-01-12 | 2018-08-03 | 深圳壹账通智能科技有限公司 | User interface shows recognition methods and terminal device |
| CN108681705A (en) * | 2018-05-15 | 2018-10-19 | 国网重庆市电力公司电力科学研究院 | A kind of measuring equipment consistency checking method and system based on figure identification |
| CN109495471A (en) * | 2018-11-15 | 2019-03-19 | 东信和平科技股份有限公司 | A kind of pair of WEB attack result determination method, device, equipment and readable storage medium storing program for executing |
| CN109522494A (en) * | 2018-11-08 | 2019-03-26 | 杭州安恒信息技术股份有限公司 | A kind of dark chain detection method, device, equipment and computer readable storage medium |
| CN110191124A (en) * | 2019-05-29 | 2019-08-30 | 哈尔滨安天科技集团股份有限公司 | Website discrimination method, device and storage equipment based on web front-end exploitation data |
| CN110971571A (en) * | 2018-09-29 | 2020-04-07 | 北京国双科技有限公司 | Website domain name verification method and related device |
| CN111563276A (en) * | 2019-01-25 | 2020-08-21 | 深信服科技股份有限公司 | Webpage tampering detection method, detection system and related equipment |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1728655A (en) * | 2004-11-25 | 2006-02-01 | 刘文印 | Method and system for detecting and identifying counterfeit web page |
| US20060080735A1 (en) * | 2004-09-30 | 2006-04-13 | Usa Revco, Llc | Methods and systems for phishing detection and notification |
| CN102592067A (en) * | 2011-01-17 | 2012-07-18 | 腾讯科技(深圳)有限公司 | Webpage recognition method, device and system |
| CN102622435A (en) * | 2012-02-29 | 2012-08-01 | 百度在线网络技术(北京)有限公司 | Method and device for detecting black chain |
| CN102622553A (en) * | 2012-04-24 | 2012-08-01 | 腾讯科技(深圳)有限公司 | Method and device for detecting webpage safety |
| CN102737183A (en) * | 2012-06-12 | 2012-10-17 | 腾讯科技(深圳)有限公司 | Method and device for webpage safety access |
-
2013
- 2013-01-14 CN CN201310012256.XA patent/CN103927480A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060080735A1 (en) * | 2004-09-30 | 2006-04-13 | Usa Revco, Llc | Methods and systems for phishing detection and notification |
| CN1728655A (en) * | 2004-11-25 | 2006-02-01 | 刘文印 | Method and system for detecting and identifying counterfeit web page |
| CN102592067A (en) * | 2011-01-17 | 2012-07-18 | 腾讯科技(深圳)有限公司 | Webpage recognition method, device and system |
| CN102622435A (en) * | 2012-02-29 | 2012-08-01 | 百度在线网络技术(北京)有限公司 | Method and device for detecting black chain |
| CN102622553A (en) * | 2012-04-24 | 2012-08-01 | 腾讯科技(深圳)有限公司 | Method and device for detecting webpage safety |
| CN102737183A (en) * | 2012-06-12 | 2012-10-17 | 腾讯科技(深圳)有限公司 | Method and device for webpage safety access |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104301300A (en) * | 2014-08-04 | 2015-01-21 | 北京奇虎科技有限公司 | Method, client and system for detecting network phishing fraud risk |
| WO2016201994A1 (en) * | 2015-06-15 | 2016-12-22 | 中兴通讯股份有限公司 | Method and device for determining domain name credibility |
| CN106330811A (en) * | 2015-06-15 | 2017-01-11 | 中兴通讯股份有限公司 | Domain name credibility determination method and device |
| CN104978423A (en) * | 2015-06-30 | 2015-10-14 | 北京奇虎科技有限公司 | Website type detection method and apparatus |
| CN106685936A (en) * | 2016-12-14 | 2017-05-17 | 深圳市深信服电子科技有限公司 | Webpage defacement detection method and apparatus |
| CN108197473A (en) * | 2017-12-25 | 2018-06-22 | 中国科学院信息工程研究所 | A kind of jamproof environment sensitive type Malware behavioral similarity evaluating method and device |
| CN108363599B (en) * | 2018-01-12 | 2019-07-19 | 深圳壹账通智能科技有限公司 | User interface shows recognition methods and terminal device |
| CN108363599A (en) * | 2018-01-12 | 2018-08-03 | 深圳壹账通智能科技有限公司 | User interface shows recognition methods and terminal device |
| WO2019136961A1 (en) * | 2018-01-12 | 2019-07-18 | 深圳壹账通智能科技有限公司 | User interface display identification method, terminal device, storage medium and apparatus |
| CN108173877A (en) * | 2018-02-02 | 2018-06-15 | 克洛斯比尔有限公司 | For preventing the method and apparatus of fishing website |
| CN108681705A (en) * | 2018-05-15 | 2018-10-19 | 国网重庆市电力公司电力科学研究院 | A kind of measuring equipment consistency checking method and system based on figure identification |
| CN110971571A (en) * | 2018-09-29 | 2020-04-07 | 北京国双科技有限公司 | Website domain name verification method and related device |
| CN109522494A (en) * | 2018-11-08 | 2019-03-26 | 杭州安恒信息技术股份有限公司 | A kind of dark chain detection method, device, equipment and computer readable storage medium |
| CN109522494B (en) * | 2018-11-08 | 2020-09-15 | 杭州安恒信息技术股份有限公司 | Dark chain detection method, device, equipment and computer readable storage medium |
| CN109495471A (en) * | 2018-11-15 | 2019-03-19 | 东信和平科技股份有限公司 | A kind of pair of WEB attack result determination method, device, equipment and readable storage medium storing program for executing |
| CN109495471B (en) * | 2018-11-15 | 2021-07-02 | 东信和平科技股份有限公司 | Method, device and equipment for judging WEB attack result and readable storage medium |
| CN111563276A (en) * | 2019-01-25 | 2020-08-21 | 深信服科技股份有限公司 | Webpage tampering detection method, detection system and related equipment |
| CN111563276B (en) * | 2019-01-25 | 2024-04-09 | 深信服科技股份有限公司 | Webpage tampering detection method, detection system and related equipment |
| CN110191124A (en) * | 2019-05-29 | 2019-08-30 | 哈尔滨安天科技集团股份有限公司 | Website discrimination method, device and storage equipment based on web front-end exploitation data |
| CN110191124B (en) * | 2019-05-29 | 2022-02-22 | 安天科技集团股份有限公司 | Web front-end development data-based website identification method and device and storage equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103927480A (en) | Method, device and system for identifying malicious web page | |
| US9614862B2 (en) | System and method for webpage analysis | |
| CN104125209B (en) | Malice website prompt method and router | |
| US9544316B2 (en) | Method, device and system for detecting security of download link | |
| CN103559235B (en) | A kind of online social networks malicious web pages detection recognition methods | |
| CN103023712B (en) | Method and system for monitoring malicious property of webpage | |
| CN102957664B (en) | A kind of method and device identifying fishing website | |
| CN107786537B (en) | Isolated page implantation attack detection method based on Internet cross search | |
| CN101964025A (en) | XSS (Cross Site Scripting) detection method and device | |
| CN107888606B (en) | Domain name credit assessment method and system | |
| CN108023868B (en) | Malicious resource address detection method and device | |
| CN102868773B (en) | Method, device and system for detecting domain name system (DNS) black hole hijack | |
| CN105760379B (en) | Method and device for detecting webshell page based on intra-domain page association relation | |
| KR20090108000A (en) | Method and apparatus for detecting computer fraud | |
| CN103281320A (en) | Website icon matching-based detection method for brand counterfeit websites | |
| CN110430188B (en) | Rapid URL filtering method and device | |
| CN112989348B (en) | Attack detection method, model training method, device, server and storage medium | |
| CN102622553A (en) | Method and device for detecting webpage safety | |
| CN105376217B (en) | A kind of malice jumps and the automatic judging method of malice nested class objectionable website | |
| CN108566399A (en) | Fishing website recognition methods and system | |
| CN104158828B (en) | The method and system of suspicious fishing webpage are identified based on cloud content rule base | |
| CN102917049A (en) | Method for showing information of visited website, browser and system | |
| CN103647767A (en) | Website information display method and apparatus | |
| CN108494728B (en) | Method, device, equipment and medium for creating blacklist library for preventing traffic hijacking | |
| CN110135153A (en) | The credible detection method and device of software |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| EXSB | Decision made by sipo to initiate substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20140716 |