CN105530251A - Method and device for identifying phishing website - Google Patents

Method and device for identifying phishing website

Publication number
CN105530251A
Authority
CN
China
Prior art keywords
domain name
storehouse
access request
phishing
fishing website
Prior art date
Legal status
Pending
Application number
CN201510927333.3A
Other languages
Chinese (zh)
Inventor
王振兴
Current Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Original Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority to CN201510927333.3A
Publication of CN105530251A


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1483: Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a method and device for identifying a phishing website. The method comprises: collecting the domain name of at least one non-phishing website and generating a normal domain name sample base from the collected domain names; enumerating the domain names in the normal domain name sample base according to a preset rule so as to generate a phishing domain name base; receiving a web access request sent by a client, wherein the web access request comprises an access domain name; and matching the access domain name in the web access request against the phishing domain name base and, if the match succeeds, sending warning information to the client. The invention also discloses a device for identifying a phishing website. With the invention, the effectiveness of phishing website identification is improved.

Description

Method and device for identifying a phishing website
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for identifying phishing websites.
Background
A phishing website is typically an illegitimate site that disguises itself as a bank or e-commerce website in order to steal private information that users submit, such as bank account numbers and passwords. Attackers use various means to forge sites that are hard to tell from the genuine ones and induce victims to act as the attacker intends, thereby obtaining users' private information and profiting at their expense. Phishing incidents are becoming more and more frequent on the network and cause heavy losses to users.
Existing phishing website identification mainly uses two techniques: (1) phishing page feature identification and (2) multi-factor comprehensive evaluation. Phishing page feature identification collects data from phishing pages and analyzes the characteristic keywords in the page data to build a page feature library, which is then used to detect and identify phishing websites. Multi-factor comprehensive evaluation builds on phishing page feature identification by adding IP address and domain name information feature libraries; that is, it evaluates a phishing website's IP address, domain name information features and page features, obtains a risk value for each item, and from these derives a total risk value for the website. Both techniques identify phishing websites by feature-based detection, but the features of a phishing website are relatively short-lived. As a result, the page feature library often has not been updated before the phishing website has already changed its features or ceased to exist. Existing techniques therefore have poor real-time performance, produce missed detections, and cannot identify phishing websites promptly and accurately.
The above content is provided only to aid understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a method and device for identifying phishing websites, aiming to solve the technical problem that the prior art cannot identify phishing websites promptly and accurately.
To achieve the above purpose, the invention provides a method for identifying a phishing website, the method comprising: collecting the domain name of at least one non-phishing website, and generating a normal domain name sample base from the collected domain names;
enumerating the domain names in the normal domain name sample base according to a preset rule to generate a phishing domain name base;
receiving a web access request sent by a client, the web access request comprising an access domain name;
matching the access domain name in the web access request against the phishing domain name base and, if the match succeeds, sending warning information to the client.
Optionally, the step of enumerating the domain names in the normal domain name sample base according to a preset rule to generate the phishing domain name base comprises:
adding characters to the domain names in the normal domain name sample base according to a character enumeration dictionary, and/or modifying characters of the domain names in the normal domain name sample base according to a similar-character dictionary, to generate the phishing domain name base.
Optionally, the method further comprises:
collecting the domain name of at least one phishing website and obtaining the DNS server corresponding to each collected phishing domain name, the DNS servers so obtained being malicious DNS servers;
periodically obtaining the domain names registered by the malicious DNS servers within a preset time, and adding those domain names to the phishing domain name base.
Optionally, the method further comprises: adding the identifier corresponding to the malicious DNS server to a malicious DNS server record table;
after the step of matching the access domain name in the web access request against the phishing domain name base, the method further comprises:
if the match fails, obtaining the DNS server corresponding to the access domain name in the web access request;
matching the DNS server corresponding to the access domain name in the web access request against the malicious DNS server record table; if the match succeeds, sending warning information to the client; if the match fails, ending the identification.
Optionally, the method further comprises: generating a page feature library of phishing websites from the phishing domain name base;
before the step of matching the access domain name in the web access request against the phishing domain name base (sending warning information to the client if the match succeeds, and ending the identification if the match fails), the method further comprises:
obtaining the response page returned by the web server according to the web access request;
matching the page features of the response page against the page feature library of phishing websites; if the match succeeds, sending warning information to the client; if the match fails, performing the step of matching the access domain name in the web access request against the phishing domain name base.
Optionally, after or at the same time as sending the warning information to the client, the method further comprises:
sending the access domain name in the web access request to a cloud server, so that the cloud server saves the access domain name in a cloud knowledge base and distributes the access domain name to a firewall cluster.
In addition, to achieve the above purpose, the present invention also provides a device for identifying a phishing website, the device comprising:
a first collection module, configured to collect the domain name of at least one non-phishing website and generate a normal domain name sample base from the collected domain names;
a first generation module, configured to enumerate the domain names in the normal domain name sample base according to a preset rule to generate a phishing domain name base;
a receiving module, configured to receive a web access request sent by a client, the web access request comprising an access domain name;
a first identification module, configured to match the access domain name in the web access request against the phishing domain name base and, if the match succeeds, send warning information to the client.
Optionally, the first generation module is further configured to add characters to the domain names in the normal domain name sample base according to a character enumeration dictionary, and/or modify characters of the domain names in the normal domain name sample base according to a similar-character dictionary, to generate the phishing domain name base.
Optionally, the device further comprises:
a second collection module, configured to collect the domain name of at least one phishing website and obtain the DNS server corresponding to each collected phishing domain name, the DNS servers so obtained being malicious DNS servers;
a first adding module, configured to periodically obtain the domain names registered by the malicious DNS servers within a preset time and add those domain names to the phishing domain name base.
Optionally, the device further comprises: a second adding module, configured to add the identifier corresponding to the malicious DNS server to a malicious DNS server record table;
the first identification module is further configured to, when matching the access domain name in the web access request against the phishing domain name base fails, obtain the DNS server corresponding to the access domain name in the web access request, and to match that DNS server against the malicious DNS server record table; if the match succeeds, warning information is sent to the client; if the match fails, the identification ends.
Optionally, the device further comprises a second generation module, an obtaining module and a second identification module:
the second generation module is configured to generate a page feature library of phishing websites from the phishing domain name base;
the obtaining module is configured to obtain the response page returned by the web server according to the web access request;
the second identification module is configured to match the page features of the response page against the page feature library of phishing websites and, if the match succeeds, send warning information to the client;
the first identification module is further configured to, when matching the page features of the response page against the page feature library of phishing websites fails, match the access domain name in the web access request against the phishing domain name base.
Optionally, the first identification module is further configured to, after or at the same time as sending the warning information to the client, send the access domain name in the web access request to a cloud server, so that the cloud server saves the access domain name in a cloud knowledge base and distributes the access domain name to a firewall cluster.
The method and device of the present invention for identifying a phishing website collect the domain name of at least one non-phishing website and generate a normal domain name sample base from the collected domain names; enumerate the domain names in the normal domain name sample base according to a preset rule to generate a phishing domain name base; receive a web access request sent by a client, the web access request comprising an access domain name; and match the access domain name in the web access request against the phishing domain name base, sending warning information to the client if the match succeeds. The phishing domain name base can thus be generated dynamically and in good time, and the access domain name in a web access request is then identified against it, which improves the effectiveness of phishing website identification.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the first embodiment of the method of the present invention for identifying a phishing website;
Fig. 2 is a schematic flowchart of the second embodiment of the method of the present invention for identifying a phishing website;
Fig. 3 is a schematic flowchart of the third embodiment of the method of the present invention for identifying a phishing website;
Fig. 4 is a schematic flowchart of the fourth embodiment of the method of the present invention for identifying a phishing website;
Fig. 5 is a schematic structural diagram of the first embodiment of the device of the present invention for identifying a phishing website;
Fig. 6 is a schematic structural diagram of the second embodiment of the device of the present invention for identifying a phishing website;
Fig. 7 is a schematic structural diagram of the third embodiment of the device of the present invention for identifying a phishing website;
Fig. 8 is a schematic structural diagram of the fourth embodiment of the device of the present invention for identifying a phishing website.
The realization of the purpose, the functional characteristics and the advantages of the present invention are further described in conjunction with the embodiments and with reference to the accompanying drawings.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are intended only to explain the present invention and not to limit it.
Referring to Fig. 1, which is a schematic flowchart of the first embodiment of the method of the present invention for identifying a phishing website, the method comprises:
S10: collect the domain name of at least one non-phishing website, and generate a normal domain name sample base from the collected domain names.
The at least one non-phishing website is a commonly used website, including but not limited to carrier websites, e-commerce websites, bank websites, security websites, social media websites and popular program websites, for example Baidu and Google. In this step, the domain names of as many non-phishing websites as possible may be collected and used to generate the normal domain name sample base; that is, the normal domain name sample base contains the domain names of multiple non-phishing websites, such as baidu.com and 10086.com.
S20: enumerate the domain names in the normal domain name sample base according to a preset rule to generate a phishing domain name base.
In this step, the domain names in the normal domain name sample base may be enumerated according to the preset rule within a preset time period: each domain name in the sample base is taken as a starting point and modified to obtain phishing domain names, and the phishing domain name base is then generated from the phishing domain names obtained. Specifically, after a phishing domain name is obtained by enumeration, a URL request is sent to that phishing domain name and a URL response is received, and the received URL response is used to determine whether the phishing domain name exists. If the phishing domain name is live, the phishing domain name base is generated from the live phishing domain names (the phishing domain name base contains multiple phishing domain names); otherwise the phishing domain name is discarded.
Optionally, when a domain name in the normal domain name sample base is modified, multiple phishing domain names can be obtained from that single domain name. For example, if a domain name in the normal domain name sample base is 10086.com, the phishing domain names obtained from it include 10086ab.com, 10086cd.com and 10086-ab.com.
The preset time period can be set as required. If the preset time period is one day, for example, then at a certain time, or at the same time, each day the domain names in the normal domain name sample base are enumerated according to the preset rule to generate the phishing domain name base.
In one embodiment, the step of enumerating the domain names in the normal domain name sample base according to a preset rule to generate the phishing domain name base comprises: adding characters to the domain names in the normal domain name sample base according to a character enumeration dictionary, and/or modifying characters of the domain names in the normal domain name sample base according to a similar-character dictionary, to generate the phishing domain name base.
The character enumeration dictionary comprises multiple character enumeration sub-dictionaries, each corresponding to one type of non-phishing website; the types of non-phishing website include carrier websites, e-commerce websites, bank websites, security websites, social media websites and so on. The character enumeration dictionary contains characters and the position at which each character is added, and the characters include letters, digits and/or special characters (such as "-").
The character enumeration dictionary is generated in advance. The phishing sites corresponding to each type of non-phishing website are collected and analyzed to obtain the character enumeration sub-dictionary for that type. For example, after the phishing sites corresponding to carrier websites are collected and analyzed, it is found that they usually add the characters ab to the original domain name, generally in front of it; the character enumeration sub-dictionary for carrier websites then contains the characters ab with the addition position "before the original domain name".
Optionally, the step of adding characters to the domain names in the normal domain name sample base according to the character enumeration dictionary to generate the phishing domain name base comprises: analyzing each domain name in the normal domain name sample base to determine the type of non-phishing website to which it belongs; looking up, in the character enumeration dictionary, the character enumeration sub-dictionary corresponding to that type; and adding characters to the corresponding domain name in the normal domain name sample base according to the sub-dictionary found. For example, suppose the domain name 10086.com in the normal domain name sample base is determined to belong to a carrier website, and the character enumeration sub-dictionary for carrier websites is a first character enumeration sub-dictionary that contains the characters ab with the addition position "before the original domain name" and the characters abc with the addition position "after the original domain name". Characters are then added to the domain name 10086.com, and the generated domain names are ab10086.com and 10086abc.com.
The similar-character dictionary comprises multiple similar-character sub-dictionaries, each corresponding to one type of non-phishing website; the types of non-phishing website include carrier websites, e-commerce websites, bank websites, security websites, social media websites and so on. A similar-character sub-dictionary contains similar-character substitution rules, such as replacing the digit 1 with the letter I, replacing the digit 0 with the letter o, replacing the letter I with the digit 1, replacing the letter o with the digit 0, and so on. Optionally, the similar-character sub-dictionary also contains the positions at which similar characters are substituted, such as substituting the character at the first position in the domain name and substituting the character at the second position.
The similar-character dictionary is generated in advance. The phishing sites corresponding to each type of non-phishing website are collected and analyzed to obtain the similar-character sub-dictionary for that type. For example, after the phishing sites corresponding to carrier websites are collected and analyzed, it is found that they usually change the digit 0 in the original domain name to the letter o, and modify only the character at the second position of the original domain name. The similar-character sub-dictionary for carrier websites then contains the substitution rule "replace the digit 0 with the letter o" and the substitution position "the character at the second position in the domain name".
Optionally, the step of modifying characters of the domain names in the normal domain name sample base according to the similar-character dictionary to generate the phishing domain name base comprises: analyzing each domain name in the normal domain name sample base to determine the type of non-phishing website to which it belongs; looking up, in the similar-character dictionary, the similar-character sub-dictionary corresponding to that type; and modifying characters of the corresponding domain name in the normal domain name sample base according to the sub-dictionary found. For example, suppose the domain name 10086.com in the normal domain name sample base is determined to belong to a carrier website, and the similar-character sub-dictionary for carrier websites is a first similar-character sub-dictionary whose substitution rule is "replace the digit 0 with the letter o" and whose substitution position is the character at the second position in the domain name. The characters of the domain name 10086.com are then modified, and the generated domain name is 1o086.com.
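The enumeration in step S20 can be sketched as follows, for building a blocklist to match against. This is an added example, not code from the patent: the function and class names, the `portal` site type with its rules, and the `CONSTRUCTED_LIVE` set that stands in for the URL request/response liveness check are all assumptions; the `carrier` rules are the ones worked through in the text above.

```python
"""Build a phishing domain name base from a normal domain name sample base (S20)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class AddRule:
    chars: str      # characters to add
    position: str   # "before" or "after" the original name


@dataclass(frozen=True)
class SubstRule:
    src: str                          # character in the legitimate name
    dst: str                          # visually similar replacement
    positions: Tuple[int, ...] = ()   # 1-based positions; empty means any position


# Sub-dictionaries keyed by site type. The "carrier" entries are the worked
# examples from the text; the "portal" type and its entries are constructed.
CHAR_ENUM_DICT: Dict[str, Tuple[AddRule, ...]] = {
    "carrier": (AddRule("ab", "before"), AddRule("abc", "after")),
    "portal": (AddRule("123", "after"),),
}
SIMILAR_DICT: Dict[str, Tuple[SubstRule, ...]] = {
    "carrier": (SubstRule("0", "o", (2,)),),
    "portal": (SubstRule("i", "1"), SubstRule("o", "0")),
}

# Normal domain name sample base: domain -> site type (assigned by hand here).
NORMAL_SAMPLE_BASE = {"10086.com": "carrier", "baidu.com": "portal"}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'name.suffix' at the first dot; assumes registrable domains only."""
    name, _, suffix = domain.lower().rstrip(".").partition(".")
    if not name or not suffix:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return name, suffix


def add_characters(name: str, rules: Iterable[AddRule]) -> Set[str]:
    """Apply each character enumeration rule once to the name."""
    out = set()
    for rule in rules:
        if rule.position not in ("before", "after"):
            raise ValueError(f"unknown position: {rule.position!r}")
        out.add(rule.chars + name if rule.position == "before" else name + rule.chars)
    return out


def substitute_similar(name: str, rules: Iterable[SubstRule]) -> Set[str]:
    """Replace one character per candidate, honouring each rule's positions."""
    out = set()
    for rule in rules:
        positions = rule.positions or range(1, len(name) + 1)
        for pos in positions:
            if 1 <= pos <= len(name) and name[pos - 1] == rule.src:
                out.add(name[:pos - 1] + rule.dst + name[pos:])
    return out


def enumerate_candidates(domain: str, site_type: str) -> Set[str]:
    """All candidate lookalike domains for one sample-base entry."""
    name, suffix = split_domain(domain)
    names = add_characters(name, CHAR_ENUM_DICT.get(site_type, ()))
    names |= substitute_similar(name, SIMILAR_DICT.get(site_type, ()))
    names.discard(name)  # never list the legitimate domain itself
    return {f"{n}.{suffix}" for n in names}


def build_phishing_base(sample_base: Dict[str, str],
                        is_live: Callable[[str], bool]) -> Set[str]:
    """Keep only candidates that the liveness check reports as existing."""
    base: Set[str] = set()
    for domain, site_type in sample_base.items():
        base.update(c for c in enumerate_candidates(domain, site_type) if is_live(c))
    return base


# Constructed liveness data standing in for the URL request/response probe.
CONSTRUCTED_LIVE = {"ab10086.com", "1o086.com", "baidu123.com"}

if __name__ == "__main__":
    print(sorted(build_phishing_base(NORMAL_SAMPLE_BASE, CONSTRUCTED_LIVE.__contains__)))
```

Candidates that the liveness check does not confirm (here 10086abc.com and ba1du.com) are discarded, which keeps the base limited to names that actually resolve to a site at enumeration time.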
S30: receive a web access request sent by a client, the web access request comprising an access domain name.
In this step, the web access request sent by the client is received and parsed to obtain the access domain name.
S40: match the access domain name in the web access request against the phishing domain name base; if the match succeeds, perform step S50; if the match fails, perform step S60.
Each phishing domain name in the phishing domain name base is traversed in turn. If the base contains a phishing domain name identical to the access domain name, the match between the access domain name in the web access request and the phishing domain name base is considered successful; otherwise it is considered failed. When the match succeeds, it is considered that if the client proceeds with the access via this access domain name, it is likely to be subjected to a phishing attack. When the match fails, the access domain name is considered not to be a phishing domain name, and the client proceeds with the access via the access domain name.
S50: send warning information to the client.
The warning information may be text information or voice information.
S60: end the identification.
Further, after or at the same time as sending the warning information to the client, the method further comprises: sending the access domain name in the web access request to a cloud server, so that the cloud server distributes the access domain name to a firewall cluster.
That is, after or at the same time as the warning information is sent to the client, the access domain name in the web access request is reported to the cloud server, notifying the cloud server that the access domain name is a phishing website domain name. The cloud server receives the reported access domain name and distributes it to each firewall in the firewall cluster connected to the cloud server, updating the phishing domain name base in each firewall.
With the above embodiment, the domain name of at least one non-phishing website is collected and a normal domain name sample base is generated from the collected domain names; the domain names in the normal domain name sample base are enumerated according to a preset rule to generate a phishing domain name base; a web access request sent by a client is received, the web access request comprising an access domain name; and the access domain name in the web access request is matched against the phishing domain name base, with warning information sent to the client if the match succeeds and the identification ended if the match fails. The phishing domain name base can thus be generated dynamically and in good time, and the access domain name in a web access request is then identified against it, which improves the effectiveness of phishing website identification.
Referring to Fig. 2, which is a schematic flowchart of the second embodiment of the method of the present invention for identifying a phishing website.
Based on the first embodiment of the above method for identifying a phishing website, the method further comprises:
S70: collect the domain name of at least one phishing website and obtain the DNS server corresponding to each collected phishing domain name, the DNS servers so obtained being malicious DNS servers.
The at least one phishing website is a website commonly used by phishing attackers, including but not limited to websites that attackers obtain by making lookalike modifications to carrier websites, e-commerce websites, bank websites, security websites, social media websites and popular program websites, for example baidu123.com and 10086ab.com. In this step, the domain names of as many phishing websites as possible may be collected, and the DNS server corresponding to each collected phishing domain name is obtained. Typically, a domain name can be resolved by only one DNS server, while one DNS server can resolve multiple domain names.
S80: periodically obtain the domain names registered by the malicious DNS server within a preset time, and add those domain names to the phishing domain name base.
Typically, a malicious DNS server registers some lookalike domain names every day based on certain non-phishing websites (commonly used legitimate websites), and these lookalike domain names are phishing domain names.
The preset time can be set as required, for example one day.
In one embodiment, the step of periodically obtaining the domain names registered by the malicious DNS server within a preset time and adding those domain names to the phishing domain name base comprises:
periodically obtaining the domain names registered by the malicious DNS server within the preset time, sending a URL request to each obtained domain name and receiving a URL response, and determining from the received URL response whether the domain name is live; if the domain name is live, it is added to the phishing domain name base; otherwise it is discarded.
Step S70 is performed after step S20 or step S30. Updating the phishing domain name base with steps S70 and S80 allows as many phishing domain names as possible to be collected more accurately and closer to real time, so that the access domain names in subsequently received web access requests can be identified, improving the identification effect.
Referring to Fig. 3, which is a schematic flowchart of the third embodiment of the method of the present invention for identifying a phishing website.
Based on the second embodiment of the above method for identifying a phishing website, the method further comprises: S90: add the identifier corresponding to the malicious DNS server to a malicious DNS server record table;
After step S40, the method further comprises:
S100: if the match fails, obtain the DNS server corresponding to the access domain name in the web access request.
When the matching result of step S40 is a failure, the access domain name in the web access request needs to be identified further, and the DNS server corresponding to the access domain name in the web access request is obtained.
S110: match the DNS server corresponding to the access domain name in the web access request against the malicious DNS server record table; if the match succeeds, send warning information to the client; if the match fails, end the identification.
The identifier corresponding to the malicious DNS server may be the domain name of the malicious DNS server.
In step S110, each malicious DNS server in the malicious DNS server record table is traversed in turn. If the record table contains a DNS server identical to the DNS server corresponding to the access domain name in the web access request, the match between that DNS server and the malicious DNS server record table is considered successful; otherwise it is considered failed. When the match succeeds, it is considered that if the client proceeds with the access via this access domain name, it is likely to be subjected to a phishing attack. When the match fails, the identification ends.
Referring to Fig. 4, Fig. 4 is a schematic flowchart of the fourth embodiment of the method for identifying a phishing website according to the present invention.
Based on the third embodiment of the method described above, the method further comprises: S120, generating a page feature library of phishing websites from the phishing domain name library.
Before step S40, the method further comprises:
S130: obtain the response page that the web server returns for the web access request.
S140: match the page feature of the response page against the page feature library of phishing websites. If the match succeeds, send a warning message to the client; if the match fails, perform step S40.
Specifically, in step S120, an access request is sent to the web server for each phishing domain name in the phishing domain name library, and the response page returned by the web server is received. The received response page is analyzed to obtain its page feature, and the page features of all response pages are then collected to generate the page feature library of phishing websites. Typically, one or more phishing domain names in the phishing domain name library may correspond to one page feature.
In step S140, the response page is analyzed to obtain its page feature, and the page feature library of phishing websites is then traversed in turn. If the library contains a page feature identical to the page feature of the response page, the match between the page feature of the response page and the page feature library is considered successful; otherwise the match is considered failed. When the match succeeds, it is considered that the client would probably be subjected to a phishing attack if it carried out the access through this access domain name. When the match fails, step S40 is performed for further identification.
Further, in step S140, after or while the warning message is sent to the client, the access domain name in the web access request is also sent to a cloud server, so that the cloud server saves the access domain name to a cloud knowledge base and issues it to a firewall cluster.
That is, after or while the warning message is sent to the client, the access domain name in the web access request is reported to the cloud server, notifying the cloud server that this access domain name is a phishing website domain name. The cloud server receives the reported access domain name, saves it to the cloud knowledge base, and at the same time issues it to each firewall in the firewall cluster connected to the cloud server, so that the phishing domain name library in each firewall is updated.
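The check order of the fourth embodiment (S140 page feature, then S40 domain library, then S100/S110 DNS server record table), as an added Python example that is not part of the patent. The patent does not define a page feature, so the title-plus-form-target hash, the injected fetch and resolve_ns callbacks, and all sample names and HTML are assumptions constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
ACTION_RE = re.compile(r"<form[^>]*\baction\s*=\s*[\"']([^\"']*)[\"']", re.I)


def page_feature(html: str) -> Optional[str]:
    """Assumed page feature: hash of the normalised title and form targets."""
    m = TITLE_RE.search(html)
    title = " ".join(m.group(1).split()).lower() if m else ""
    actions = sorted(a.strip().lower() for a in ACTION_RE.findall(html))
    if not title and not actions:
        return None  # an empty feature would match every blank page
    return hashlib.sha256("\n".join([title, *actions]).encode("utf-8")).hexdigest()


def build_page_feature_library(domains: Iterable[str], fetch) -> Set[str]:
    """S120: fetch each library domain; a set keeps one entry per shared feature."""
    features = (page_feature(fetch(d)) for d in domains)
    return {f for f in features if f}


def norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


@dataclass
class Detector:
    phishing_domains: Set[str]                   # phishing domain name library
    malicious_dns: Set[str]                      # malicious DNS server record table
    page_features: Set[str]                      # page feature library
    resolve_ns: Callable[[str], Iterable[str]]   # domain -> its DNS servers
    reported: List[str] = field(default_factory=list)

    def identify(self, access_domain: str, response_html: str) -> Optional[str]:
        """Return the stage that raised the warning, or None if none matched."""
        domain = norm(access_domain)
        feature = page_feature(response_html)
        if feature is not None and feature in self.page_features:   # S140
            return self.alert(domain, "page-feature")
        if domain in self.phishing_domains:                         # S40
            return self.alert(domain, "domain-library")
        servers = {norm(s) for s in self.resolve_ns(domain)}        # S100
        if servers & self.malicious_dns:                            # S110
            return self.alert(domain, "dns-server")
        return None                                                 # end identification

    def alert(self, domain: str, stage: str) -> str:
        # Stands in for the warning to the client and the report to the cloud server.
        self.reported.append(domain)
        return stage


# Constructed sample data (not from the patent, apart from the two 10086 names).
KIT_HTML = "<html><title> Account  Recharge </title><form action='/collect.php'></form></html>"
BENIGN_HTML = "<html><title>Weather</title><p>Sunny</p></html>"
NS_TABLE = {
    "pay-portal.example": ["NS1.bad-dns.example."],
    "weather.example": ["ns.registrar.example"],
}


def demo_detector() -> Detector:
    domains = {"ab10086.com", "1o086.com"}
    # Both library domains serve the same page, so they share one feature.
    features = build_page_feature_library(domains, lambda d: KIT_HTML)
    return Detector(domains, {"ns1.bad-dns.example"}, features,
                    lambda d: NS_TABLE.get(d, []))
```

Because the page feature is checked first, a domain that is in neither the domain library nor the DNS table is still flagged when it serves a page already seen on a library domain.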
Referring to Fig. 5, Fig. 5 is a schematic structural diagram of the first embodiment of the device for identifying a phishing website according to the present invention. The device comprises:
A first collection module 10, configured to collect the domain name of at least one non-phishing website and to generate a normal domain name sample library from the collected domain names;
A first generation module 20, configured to enumerate the domain names in the normal domain name sample library according to a preset rule and generate a phishing domain name library;
A receiving module 30, configured to receive a web access request sent by a client, the web access request containing an access domain name;
A first identification module 40, configured to match the access domain name in the web access request against the phishing domain name library; if the match succeeds, a warning message is sent to the client, and if the match fails, the identification ends.
The at least one non-phishing website is a commonly used website, including but not limited to carrier websites, e-commerce websites, bank websites, security websites, social media websites and popular program websites, for example Baidu and Google. The first collection module 10 can collect the domain names of as many non-phishing websites as possible and generate the normal domain name sample library from them; that is, the normal domain name sample library contains the domain names of multiple non-phishing websites, such as baidu.com and 10086.com.
The first generation module 20 may enumerate the domain names in the normal domain name sample library according to the preset rule within a preset time period: taking the domain names in the sample library as a basis, it modifies them to obtain phishing domain names, and then generates the phishing domain name library from the phishing domain names obtained. Specifically, after the domain names in the sample library have been enumerated according to the preset rule and a phishing domain name has been obtained, a URL request is sent for that phishing domain name and a URL response is received, and whether the phishing domain name exists is determined from the received URL response. If the phishing domain name is live, the phishing domain name library is generated from the live phishing domain names (the library contains multiple phishing domain names); otherwise the phishing domain name is discarded.
Optionally, when the first generation module 20 modifies the domain names in the normal domain name sample library, multiple phishing domain names can be obtained from a single domain name in the sample library. For example, if one domain name in the normal domain name sample library is 10086.com, the phishing domain names obtained from it include 10086ab.com, 10086cd.com, 10086-ab.com and so on.
The preset time period can be set as required. For example, if the preset time period is every day, then at a certain moment, or at the same moment, each day the domain names in the normal domain name sample library are enumerated according to the preset rule to generate the phishing domain name library.
In one embodiment, the first generation module 20 is further configured to add characters to the domain names in the normal domain name sample library according to a character enumeration dictionary, and/or to modify characters of the domain names in the normal domain name sample library according to a similar dictionary, in order to generate the phishing domain name library.
The character enumeration dictionary comprises multiple character enumeration sub-dictionaries, where one character enumeration sub-dictionary corresponds to one type of non-phishing website; the types of non-phishing website include carrier websites, e-commerce websites, bank websites, security websites, social media websites and so on. A character enumeration sub-dictionary contains characters and the position at which those characters are added; the characters include letters, digits and/or special characters (such as "-").
The character enumeration dictionary is generated in advance: the phishing web pages corresponding to each type of non-phishing website are collected and analyzed to obtain the character enumeration sub-dictionary for that type. For example, after the phishing web pages corresponding to carrier websites have been collected and analyzed, it is learned that they usually add the characters ab to the original domain name, generally before it; the character enumeration sub-dictionary corresponding to carrier websites then contains the characters ab with the addition position being before the original domain name.
Optionally, the first generation module 20 analyzes each domain name in the normal domain name sample library and determines the type of non-phishing website to which it belongs, looks up in the character enumeration dictionary the character enumeration sub-dictionary corresponding to that type, and then adds characters to the corresponding domain name in the sample library according to the sub-dictionary found. For example, suppose it is determined that the domain name 10086.com in the normal domain name sample library belongs to a carrier website, and that the character enumeration sub-dictionary corresponding to carrier websites is a first character enumeration sub-dictionary containing the characters ab with the addition position before the original domain name and the characters abc with the addition position after the original domain name. Characters are then added to the domain name 10086.com, and the generated domain names are ab10086.com and 10086abc.com.
The similar dictionary comprises multiple similar sub-dictionaries, where one similar sub-dictionary corresponds to one type of non-phishing website; the types of non-phishing website include carrier websites, e-commerce websites, bank websites, security websites, social media websites and so on. A similar sub-dictionary contains similar-character substitution rules, such as replacing the digit 1 with the letter I, replacing the digit 0 with the letter o, replacing the letter I with the digit 1, replacing the letter o with the digit 0, and so on. Optionally, the similar sub-dictionary also contains the positions at which similar characters are replaced, for example applying the similar replacement to the character at the first position of the domain name and to the character at the second position.
The similar dictionary is generated in advance: the phishing web pages corresponding to each type of non-phishing website are collected and analyzed to obtain the similar sub-dictionary for that type. For example, after the phishing web pages corresponding to carrier websites have been collected and analyzed, it is learned that they usually change the digit 0 in the original domain name to the letter o, and modify only the character at the second position of the original domain name. The similar sub-dictionary corresponding to carrier websites then contains the substitution rule of replacing the digit 0 with the letter o, with the replacement position being the character at the second position of the domain name.
Optionally, the first generation module 20 analyzes each domain name in the normal domain name sample library and determines the type of non-phishing website to which it belongs, looks up in the similar dictionary the similar sub-dictionary corresponding to that type, and then modifies characters of the corresponding domain name in the sample library according to the similar sub-dictionary found. For example, suppose it is determined that the domain name 10086.com in the normal domain name sample library belongs to a carrier website, and that the similar sub-dictionary corresponding to carrier websites is a first similar sub-dictionary whose substitution rule replaces the digit 0 with the letter o and whose replacement position is the character at the second position of the domain name. The characters of the domain name 10086.com are then modified, and the generated domain name is 1o086.com.
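The enumeration with a character enumeration sub-dictionary and a similar sub-dictionary described above, followed by the liveness filter and the lookup against the resulting library, as an added Python example that is not part of the patent. The "carrier" key, the rule classes, the function names and the injected is_alive callback are assumptions; only the 10086.com inputs and outputs come from the text, and the parent-domain check in the lookup goes beyond the identical match the text describes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class AddRule:
    chars: str       # characters to add
    position: str    # "before" or "after" the original name


@dataclass(frozen=True)
class SimilarRule:
    src: str         # character expected in the original name
    dst: str         # look-alike replacement
    position: int    # 1-based position in the name that the rule applies to


# Constructed dictionaries: one sub-dictionary per website type, filled with
# the carrier rules that the text uses as its example.
CHAR_ENUM_DICT = {"carrier": [AddRule("ab", "before"), AddRule("abc", "after")]}
SIMILAR_DICT = {"carrier": [SimilarRule("0", "o", 2)]}
# Normal domain name sample library: domain -> website type (constructed).
NORMAL_SAMPLES = {"10086.com": "carrier"}


def enumerate_candidates(domain: str, site_type: str) -> Set[str]:
    """Apply both sub-dictionaries of site_type to one sample domain."""
    # Assumption: samples are stored as name.suffix, e.g. 10086.com.
    name, _, suffix = domain.lower().rstrip(".").partition(".")
    out = set()
    for rule in CHAR_ENUM_DICT.get(site_type, []):
        new = rule.chars + name if rule.position == "before" else name + rule.chars
        out.add(f"{new}.{suffix}")
    for rule in SIMILAR_DICT.get(site_type, []):
        i = rule.position - 1
        # Only rewrite when the expected character really sits at that position.
        if 0 <= i < len(name) and name[i] == rule.src:
            out.add(f"{name[:i]}{rule.dst}{name[i + 1:]}.{suffix}")
    return out


def build_phishing_library(samples: Dict[str, str],
                           is_alive: Callable[[str], bool]) -> Dict[str, str]:
    """Keep only candidates that answer a URL request; map each to its original."""
    library = {}
    for domain, site_type in samples.items():
        for cand in sorted(enumerate_candidates(domain, site_type)):
            if is_alive(cand):          # dead candidates are discarded
                library[cand] = domain
    return library


def match_access_domain(host: str, library: Dict[str, str]) -> Optional[str]:
    """Return the library entry that the request's host falls under, or None."""
    host = host.strip().lower().split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    # Assumption beyond the text's identical match: parent domains are checked
    # too, so www.<entry> is caught. The bare suffix is never checked.
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in library:
            return cand
    return None
```

In a deployment is_alive would wrap the URL request and response check that the text describes; here it is injected so the example runs offline.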
The receiving module 30 receives the web access request sent by the client and parses it to obtain the access domain name.
The first identification module 40 traverses each phishing domain name in the phishing domain name library in turn. If the library contains a phishing domain name identical to the access domain name, the match between the access domain name in the web access request and the phishing domain name library is considered successful; otherwise the match is considered failed. When the match succeeds, the first identification module 40 considers that the client would probably be subjected to a phishing attack if it carried out the access through this access domain name. When the match fails, the access domain name is considered not to be a phishing domain name, and the client carries out the access through this access domain name.
Further, the first identification module 40 is also configured to send, after or while the warning message is sent to the client, the access domain name in the web access request to a cloud server, so that the cloud server saves the access domain name to a cloud knowledge base and issues it to a firewall cluster.
That is, after or while the first identification module 40 sends the warning message to the client, it reports the access domain name in the web access request to the cloud server, notifying the cloud server that this access domain name is a phishing website domain name. The cloud server receives the reported access domain name, saves it to the cloud knowledge base, and at the same time issues it to each firewall in the firewall cluster connected to the cloud server, so that the phishing domain name library in each firewall is updated.
Referring to Fig. 6, Fig. 6 is a schematic structural diagram of the second embodiment of the device for identifying a phishing website according to the present invention.
Based on the first embodiment of the device described above, the device further comprises:
A second collection module 50, configured to collect the domain name of at least one phishing website and to obtain the DNS server corresponding to each collected phishing domain name, the obtained DNS server being a malicious DNS server;
A first adding module 60, configured to periodically obtain the domain names registered by the malicious DNS server within a preset time and to add the obtained domain names to the phishing domain name library.
The at least one phishing website is a website commonly used by phishing attackers, including but not limited to websites that attackers obtain by making similar-looking modifications to carrier websites, e-commerce websites, bank websites, security websites, social media websites and popular program websites, for example baidu123.com and 10086ab.com. The second collection module 50 can collect the domain names of as many phishing websites as possible and obtain the DNS server corresponding to each collected phishing domain name. Typically, a domain name can be resolved by only one DNS server, while one DNS server can resolve multiple domain names.
Typically, the malicious DNS server registers some similar domain names every day based on non-phishing websites (commonly used legitimate websites); these similar domain names are phishing domain names.
The preset time can be set as required, for example one day.
In one embodiment, the first adding module 60 periodically obtains the domain names registered by the malicious DNS server within the preset time, sends a URL request for each obtained domain name and receives the URL response, and determines from the received URL response whether the domain name is live. If the domain name is live, it is added to the phishing domain name library; otherwise it is discarded.
Referring to Fig. 7, Fig. 7 is a schematic structural diagram of the third embodiment of the device for identifying a phishing website according to the present invention.
Based on the second embodiment of the device described above, the device further comprises: a second adding module 70, configured to add the identifier corresponding to the malicious DNS server to a malicious DNS server record table;
The first identification module 40 is further configured to obtain, when the match between the access domain name in the web access request and the phishing domain name library fails, the DNS server corresponding to the access domain name in the web access request, and to match that DNS server against the malicious DNS server record table; if the match succeeds, a warning message is sent to the client, and if the match fails, the identification ends.
The identifier corresponding to the malicious DNS server may be the domain name of the malicious DNS server.
When the match between the access domain name in the web access request and the phishing domain name library fails, the first identification module 40 needs to identify the access domain name further, and obtains the DNS server corresponding to the access domain name in the web access request. The first identification module 40 then traverses each malicious DNS server in the malicious DNS server record table in turn. If the record table contains a DNS server identical to the DNS server corresponding to the access domain name in the web access request, the match is considered successful; otherwise the match is considered failed. When the match succeeds, the first identification module 40 considers that the client would probably be subjected to a phishing attack if it carried out the access through this access domain name. When the match fails, the identification ends.
Referring to Fig. 8, Fig. 8 is a schematic structural diagram of the fourth embodiment of the device for identifying a phishing website according to the present invention.
Based on the third embodiment of the device described above, the device further comprises: a second generation module 80, an obtaining module 90 and a second identification module 100,
The second generation module 80 is configured to generate a page feature library of phishing websites from the phishing domain name library;
The obtaining module 90 is configured to obtain the response page that the web server returns for the web access request;
The second identification module 100 is configured to match the page feature of the response page against the page feature library of phishing websites and, if the match succeeds, to send a warning message to the client;
The first identification module 40 is further configured to match the access domain name in the web access request against the phishing domain name library when the match between the page feature of the response page and the page feature library of phishing websites fails.
The second generation module 80 sends an access request to the web server for each phishing domain name in the phishing domain name library and receives the response page returned by the web server. It analyzes the received response page to obtain its page feature, and then collects the page features of all response pages to generate the page feature library of phishing websites. Typically, one or more phishing domain names in the phishing domain name library may correspond to one page feature.
The second identification module 100 analyzes the response page obtained by the obtaining module 90 to obtain its page feature, and then traverses the page feature library of phishing websites in turn. If the library contains a page feature identical to the page feature of the response page, the match between the page feature of the response page and the page feature library is considered successful; otherwise the match is considered failed. When the match succeeds, it is considered that the client would probably be subjected to a phishing attack if it carried out the access through this access domain name. When the match fails, further identification by the first identification module 40 is needed.
After or while the second identification module 100 sends the warning message to the client, it also sends the access domain name in the web access request to a cloud server, so that the cloud server saves the access domain name to a cloud knowledge base and issues it to a firewall cluster.
That is, after or while the second identification module 100 sends the warning message to the client, it reports the access domain name in the web access request to the cloud server, notifying the cloud server that this access domain name is a phishing website domain name. The cloud server receives the reported access domain name, saves it to the cloud knowledge base, and at the same time issues it to each firewall in the firewall cluster connected to the cloud server, so that the phishing domain name library in each firewall is updated.
The above are only preferred embodiments of the present invention and do not thereby limit the patent scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the present invention.

Claims (12)

1. A method for identifying a phishing website, characterized in that the method comprises:
Collecting the domain name of at least one non-phishing website, and generating a normal domain name sample library from the collected domain names;
Enumerating the domain names in the normal domain name sample library according to a preset rule, and generating a phishing domain name library;
Receiving a web access request sent by a client, the web access request containing an access domain name;
Matching the access domain name in the web access request against the phishing domain name library;
If the match succeeds, sending a warning message to the client.
2. The method for identifying a phishing website according to claim 1, characterized in that the step of enumerating the domain names in the normal domain name sample library according to a preset rule and generating a phishing domain name library comprises:
Adding characters to the domain names in the normal domain name sample library according to a character enumeration dictionary, and/or modifying characters of the domain names in the normal domain name sample library according to a similar dictionary, to generate the phishing domain name library.
3. The method for identifying a phishing website according to claim 1 or 2, characterized in that the method further comprises:
Collecting the domain name of at least one phishing website, and obtaining the DNS server corresponding to each collected phishing domain name, the obtained DNS server being a malicious DNS server;
Periodically obtaining the domain names registered by the malicious DNS server within a preset time, and adding the obtained domain names to the phishing domain name library.
4. The method for identifying a phishing website according to claim 3, characterized in that the method further comprises: adding the identifier corresponding to the malicious DNS server to a malicious DNS server record table;
After the step of matching the access domain name in the web access request against the phishing domain name library, the method further comprises:
If the match fails, obtaining the DNS server corresponding to the access domain name in the web access request;
Matching the DNS server corresponding to the access domain name in the web access request against the malicious DNS server record table; if the match succeeds, sending a warning message to the client, and if the match fails, ending the identification.
5. The method for identifying a phishing website according to claim 4, characterized in that the method further comprises: generating a page feature library of phishing websites from the phishing domain name library;
Before the step of matching the access domain name in the web access request against the phishing domain name library, sending a warning message to the client if the match succeeds, and ending the identification if the match fails, the method further comprises:
Obtaining the response page that the web server returns for the web access request;
Matching the page feature of the response page against the page feature library of phishing websites; if the match succeeds, sending a warning message to the client, and if the match fails, performing the step of matching the access domain name in the web access request against the phishing domain name library.
6. The method for identifying a phishing website according to any one of claims 1 to 5, characterized in that, after or while the warning message is sent to the client, the method further comprises:
Sending the access domain name in the web access request to a cloud server, so that the cloud server saves the access domain name in the web access request to a cloud knowledge base and issues the access domain name in the web access request to a firewall cluster.
7. A device for identifying a phishing website, characterized in that the device comprises:
A first collection module, configured to collect the domain name of at least one non-phishing website and to generate a normal domain name sample library from the collected domain names;
A first generation module, configured to enumerate the domain names in the normal domain name sample library according to a preset rule and generate a phishing domain name library;
A receiving module, configured to receive a web access request sent by a client, the web access request containing an access domain name;
A first identification module, configured to match the access domain name in the web access request against the phishing domain name library and, if the match succeeds, to send a warning message to the client.
8. The device for identifying a phishing website according to claim 7, characterized in that the first generation module is further configured to add characters to the domain names in the normal domain name sample library according to a character enumeration dictionary, and/or to modify characters of the domain names in the normal domain name sample library according to a similar dictionary, to generate the phishing domain name library.
9. The device for identifying a phishing website according to claim 7 or 8, characterized in that the device further comprises:
A second collection module, configured to collect the domain name of at least one phishing website and to obtain the DNS server corresponding to each collected phishing domain name, the obtained DNS server being a malicious DNS server;
A first adding module, configured to periodically obtain the domain names registered by the malicious DNS server within a preset time and to add the obtained domain names to the phishing domain name library.
10. The device for identifying a phishing website according to claim 9, characterized in that the device further comprises: a second adding module, configured to add the identifier corresponding to the malicious DNS server to a malicious DNS server record table;
The first identification module is further configured to obtain, when the match between the access domain name in the web access request and the phishing domain name library fails, the DNS server corresponding to the access domain name in the web access request, and to match that DNS server against the malicious DNS server record table; if the match succeeds, a warning message is sent to the client, and if the match fails, the identification ends.
11. The device for identifying a phishing website according to claim 10, characterized in that the device further comprises: a second generation module, an obtaining module and a second identification module,
The second generation module is configured to generate a page feature library of phishing websites from the phishing domain name library;
The obtaining module is configured to obtain the response page that the web server returns for the web access request;
The second identification module is configured to match the page feature of the response page against the page feature library of phishing websites and, if the match succeeds, to send a warning message to the client;
The first identification module is further configured to match the access domain name in the web access request against the phishing domain name library when the match between the page feature of the response page and the page feature library of phishing websites fails.
12. The device for identifying a phishing website according to any one of claims 7 to 11, characterized in that the first identification module is further configured to send, after or while the warning message is sent to the client, the access domain name in the web access request to a cloud server, so that the cloud server saves the access domain name in the web access request to a cloud knowledge base and issues the access domain name in the web access request to a firewall cluster.
CN201510927333.3A 2015-12-14 2015-12-14 Method and device for identifying phishing website Pending CN105530251A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510927333.3A CN105530251A (en) 2015-12-14 2015-12-14 Method and device for identifying phishing website

Publications (1)

Publication Number Publication Date
CN105530251A true CN105530251A (en) 2016-04-27

Family

ID=55772233

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510927333.3A Pending CN105530251A (en) 2015-12-14 2015-12-14 Method and device for identifying phishing website

Country Status (1)

Country Link
CN (1) CN105530251A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082792A (en) * 2010-12-31 2011-06-01 成都市华为赛门铁克科技有限公司 Phishing webpage detection method and device
CN103152354A (en) * 2013-03-19 2013-06-12 北京奇虎科技有限公司 Method and system for promoting dangerous website and client device
CN103152355A (en) * 2013-03-19 2013-06-12 北京奇虎科技有限公司 Method and system for promoting dangerous website and client device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张天红: "网络钓鱼预警系统设计与分析", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106101117A (en) * 2016-06-28 2016-11-09 中国联合网络通信集团有限公司 A kind of fishing website blocking-up method, device and system
CN106101117B (en) * 2016-06-28 2019-06-07 中国联合网络通信集团有限公司 A kind of fishing website blocking-up method, device and system
CN106790102A (en) * 2016-12-26 2017-05-31 中南林业科技大学 A kind of QR based on URL features yards of phishing recognition methods and system
CN110650108A (en) * 2018-06-26 2020-01-03 深信服科技股份有限公司 Fishing page identification method based on icon and related equipment
CN110740117A (en) * 2018-10-31 2020-01-31 哈尔滨安天科技集团股份有限公司 Counterfeit domain name detection method and device, electronic equipment and storage medium
CN113890866A (en) * 2021-09-26 2022-01-04 恒安嘉新(北京)科技股份公司 Illegal application software identification method, device, medium and electronic equipment
CN113890866B (en) * 2021-09-26 2024-03-12 恒安嘉新(北京)科技股份公司 Illegal application software identification method, device, medium and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160427
