CN106549931A - Method and system for tracing attackers based on URL secret marks - Google Patents


Info

Publication number: CN106549931A
Authority: CN (China)
Prior art keywords: url, attacker, secret mark, identity information, secret
Application number: CN201610679210.7A
Other languages: Chinese (zh)
Other versions: CN106549931B (en)
Inventor: 李柏松
Original Assignee: 北京安天电子设备有限公司
Application filed by: 北京安天电子设备有限公司
Priority to CN201610679210.7A
Publication of CN106549931A
Application granted
Publication of CN106549931B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The invention discloses a method and system for tracing attackers based on URL secret marks, comprising: obtaining the identity information of a visitor and forming a secret mark based on the identity information; adding the secret mark to the accessed URL; capturing screen information disclosed by the attacker; extracting the URL from the screen information and obtaining the attacker's identity information based on the secret mark in the URL; wherein the identity information includes but is not limited to: IP, operating system type and version, browser version, screen resolution, or time. In the technical solution of the present invention, the website is developed so that a secret mark is added to the URL of each jump page, which hides the secret mark in the URL shown in any screen information the attacker publishes. Obtaining and parsing the secret mark reveals the attacker's identity information, which in turn assists in locating the attacker or associating attack organizations.

Description

Method and system for tracing attackers based on URL secret marks

Technical field

The present invention relates to the technical field of network security, and in particular to a method and system for tracing attackers based on URL secret marks.

Background

For political or commercial motives, some attackers, after intruding into government or enterprise websites, repeatedly tamper with the website's pages, for example by leaving reactionary slogans or information slandering the intruded website. To prove the intrusion, to show off to others, or to achieve their political or commercial aims, attackers often record screen information of the tampered page (including the URL pointing to that page in the browser address bar) by taking screenshots or photographs, and share these screenshots and photos through social networks.

Although the intruded government body or enterprise can afterwards obtain the screen information shown in these screenshots and photos, it cannot determine from it who the attacker is, nor whether different intrusion events belong to the same attack organization.

Summary of the invention

To address the above technical problem, the technical solution of the present invention makes the relevant arrangements during development of the website concerned: when an access request arrives, the visitor's identity information is obtained, a secret mark is formed based on that identity information, and the secret mark is added to the URL. Once an attacker records screen information by screenshot, photograph or similar means and publishes it freely, the attacker's identity information can be obtained from the secret mark in the screen information, which makes it easier to later locate the attack source or associate attack organizations.

The present invention is implemented by the following method: a method for tracing attackers based on URL secret marks, including:

Obtaining the identity information of a visitor, and forming a secret mark based on the identity information;

Adding the secret mark to the accessed URL;

Capturing screen information disclosed by the attacker;

Extracting the URL from the screen information, and obtaining the attacker's identity information based on the secret mark in the URL.

Further, obtaining the identity information of the visitor and forming a secret mark based on the identity information is specifically:

If the website server receives an access request from a visitor, the visitor's identity information is obtained and encoded to form the secret mark.

Further, adding the secret mark to the accessed URL is specifically:

If the visitor accesses the home page, the secret mark is added to the accessed URL by forcing a page refresh; or,

If the visitor accesses a subpage, the secret mark is added to the URL of the accessed lower-level page when the upper-level page is dynamically generated.

Further, capturing the screen information disclosed by the attacker includes: determining whether the web page has been tampered with; if so, capturing the screen information disclosed by the attacker; otherwise, continuing to provide normal web service to visitors.

The above method further includes: tracing the attacker or associating attack organizations based on the attacker's identity information.

The present invention can be implemented by the following system: a system for tracing attackers based on URL secret marks, including:

A secret mark generation module, for obtaining the identity information of a visitor and forming a secret mark based on the identity information;

A secret mark adding module, for adding the secret mark to the accessed URL;

An information capture module, for capturing screen information disclosed by the attacker;

An identification module, for extracting the URL from the screen information and obtaining the attacker's identity information based on the secret mark in the URL.

Further, the secret mark generation module is specifically used for:

If the website server receives an access request from a visitor, obtaining the visitor's identity information and encoding it to form the secret mark.

Further, the secret mark adding module is specifically used for:

If the visitor accesses the home page, adding the secret mark to the accessed URL by forcing a page refresh; or,

If the visitor accesses a subpage, adding the secret mark to the URL of the accessed lower-level page when the upper-level page is dynamically generated.

Further, the information capture module is specifically used for: determining whether the web page has been tampered with; if so, capturing the screen information disclosed by the attacker; otherwise, continuing to provide normal web service to visitors.

The above system further includes: an attack tracing module, for tracing the attacker or associating attack organizations based on the attacker's identity information.

In summary, the present invention provides a method and system for tracing attackers based on URL secret marks. The invention adds a secret mark to the URL returned by the server, and the secret mark does not affect access to the real page, so a secret mark carrying the attacker's identity information is recorded without the attacker's knowledge. If a screenshot or photo of the tampered web page published by the attacker is found on the network, the secret mark in the URL shown in the screenshot or photo is obtained and decoded to obtain the attacker's identity information.

The beneficial effects are: the technical solution of the present invention can obtain the secret mark from a web page screenshot or photo published by the attacker, so that the attacker's identity information derived by parsing the secret mark assists in tracing the attacker and associating attack organizations. This can serve as supporting material for prosecuting the attacker, or as an evidentiary lead for law enforcement agencies.

Description of the drawings

To explain the technical solution of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

Fig. 1 is a flow chart of method embodiment 1 of tracing attackers based on URL secret marks provided by the present invention;

Fig. 2 is a flow chart of method embodiment 2 of tracing attackers based on URL secret marks provided by the present invention;

Fig. 3 is a structure diagram of system embodiment 1 of tracing attackers based on URL secret marks provided by the present invention.

Detailed description of the embodiments

The present invention provides embodiments of a method and system for tracing attackers based on URL secret marks. To help those skilled in the art better understand the technical solutions in the embodiments, and to make the above objects, features and advantages of the invention clearer, the technical solution is described in further detail below with reference to the drawings:

The present invention first provides method embodiment 1 of tracing attackers based on URL secret marks, as shown in Fig. 1, including:

S101: obtain the identity information of the visitor and form a secret mark based on the identity information. The identity information includes but is not limited to: IP, operating system type and version, browser version, screen resolution, or time; it may also include a terminal identifier, ID, system identifier, etc. Although in the prior art the visitor's identity information can be recorded on the server side, the attacker cannot be located from that identity information;

S102: add the secret mark to the accessed URL. When web page content is returned, the parameter carrying the secret mark is simply ignored;

S103: capture screen information disclosed by the attacker. The forms in which the attacker discloses screen information include but are not limited to screenshots, photographs and various other means;

S104: extract the URL from the screen information, and obtain the attacker's identity information based on the secret mark in the URL.

Preferably, obtaining the identity information of the visitor and forming a secret mark based on the identity information is specifically:

If the website server receives an access request from a visitor, the visitor's identity information is obtained and encoded to form the secret mark. Here, the obtained identity information is arranged, and a preset encoding method is selected to encode the arranged identity information into the secret mark.

For example, the visitor's identity information includes: IP: 11.22.33.44; operating system type and version: Windows XP SP3; browser version: IE8; screen resolution: 1024 x 768. The arranged identity information is then: 11.22.33.44/ Windows XP SP3/ IE8/1024 x 768. The encoding method can be chosen as needed, and each has its own advantages. Taking BASE64 as an example, the secret mark formed by encoding the arranged identity information is:

MTEuMjIuMzMuNDR8V2luZG93cyBYUCBTUDN8IElFOHwxMDI0IHggNzY4Cg==. The secret mark is then added to the accessed URL, so that it appears in the URL shown in the attacker's screen information. For example: http://www.baidu.com/?a=MTEuMjIuMzMuNDR8V2luZG93cyBYUCBTUDN8IElFOHwxMDI0IHggNzY4Cg==

If the attacker's screen information contains the above secret mark, the secret mark is decoded using the preset encoding to obtain the attacker's identity information.
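The encode, embed and decode steps of this example, written out as an added Python sketch (not code from the patent). It decodes the sample mark above, which turns out to use `|` separators and a trailing newline, tolerates the stray spaces and lost `=` padding that appear when a URL is retyped from a screenshot, and goes slightly beyond the page by appending a truncated HMAC so that a forged or mistyped mark can be detected; the `t` parameter, the key and the `example.test` URL are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

MARK_PARAM = "a"  # parameter name used in the page's sample URL
TAG_PARAM = "t"   # hypothetical parameter for the added integrity tag
FIELDS = ("ip", "os", "browser", "resolution")
SEP = "|"         # separator found when the page's sample mark is decoded

# The page's sample URL, typed the way it might be copied from a screenshot
# (stray spaces included).
PAGE_SAMPLE_URL = ("http:// www.baidu.com/?a=MTEuMjIuMzMuNDR8V2luZG93cyBYUCBT"
                   "UDN8IElFOHwxMDI0IHggNzY4Cg= =")


def make_mark(identity):
    """Arrange the identity fields and Base64-encode them (the page's example encoding)."""
    arranged = SEP.join(identity[name] for name in FIELDS)
    return base64.b64encode(arranged.encode("utf-8")).decode("ascii")


def make_tag(mark, key):
    """Truncated HMAC over the mark (an addition; the patent has no integrity check)."""
    return hmac.new(key, mark.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def add_mark(url, identity, key):
    """Return the URL with the mark and its tag appended to the query string."""
    parts = urlsplit(url)
    mark = make_mark(identity)
    extra = urlencode({MARK_PARAM: mark, TAG_PARAM: make_tag(mark, key)})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def recover_identity(url, key=None):
    """Decode the mark from a URL transcribed from a screenshot or photo.

    Returns (identity, verified). verified is None when no key is supplied or
    the URL carries no tag, as with the page's untagged sample URL.
    """
    # A valid URL has no raw spaces, so any present come from transcription.
    params = parse_qs(urlsplit(url.replace(" ", "")).query)
    if MARK_PARAM not in params:
        return None, None
    # parse_qs turns a raw '+' into a space; undo that, then repair the padding.
    mark = params[MARK_PARAM][0].replace(" ", "+").rstrip("=")
    mark += "=" * (-len(mark) % 4)
    try:
        arranged = base64.b64decode(mark).decode("utf-8", errors="replace")
    except ValueError:  # mark too damaged to be Base64 at all
        return None, None
    values = [value.strip() for value in arranged.strip().split(SEP)]
    identity = dict(zip(FIELDS, values))
    verified = None
    if key is not None and TAG_PARAM in params:
        verified = hmac.compare_digest(params[TAG_PARAM][0], make_tag(mark, key))
    return identity, verified


if __name__ == "__main__":
    print(recover_identity(PAGE_SAMPLE_URL))
    demo_key = b"constructed-demo-key"  # constructed value, not from the page
    visitor = {"ip": "11.22.33.44", "os": "Windows XP SP3",
               "browser": "IE8", "resolution": "1024 x 768"}
    marked = add_mark("http://example.test/news/list?id=7", visitor, demo_key)
    print(marked)
    print(recover_identity(marked, demo_key))
```

Base64 is an encoding, not encryption, so anyone who notices the parameter can read or alter it; the tag only lets the site operator tell a mark it issued from one that was changed.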

Preferably, adding the secret mark to the accessed URL is specifically:

If the visitor accesses the home page, the secret mark is added to the accessed URL by forcing a page refresh; or,

If the visitor accesses a subpage, the secret mark is added to the URL of the accessed lower-level page when the upper-level page is dynamically generated. This way of adding the secret mark to the accessed URL does not attract the attacker's attention.

Preferably, capturing the screen information disclosed by the attacker includes: determining whether the web page has been tampered with; if so, capturing the screen information disclosed by the attacker; otherwise, continuing to provide normal web service to visitors.

The above method embodiment further includes: tracing the attacker or associating attack organizations based on the attacker's identity information.

The present invention also provides method embodiment 2 of tracing attackers based on URL secret marks, as shown in Fig. 2, including:

S201: obtain the identity information of the visitor and form a secret mark based on the identity information;

S202: add the secret mark to the accessed URL;

S203: capture screen information disclosed by the attacker;

S204: extract the URL from the screen information, and obtain the attacker's identity information based on the secret mark in the URL;

S205: trace the attacker or associate attack organizations based on the attacker's identity information.

Preferably, the web page information tampered with by the attacker is repaired, thereby restoring the website's normal access service.

Preferably, obtaining the identity information of the visitor and forming a secret mark based on the identity information is specifically:

If the website server receives an access request from a visitor, the visitor's identity information is obtained and encoded to form the secret mark.

Preferably, adding the secret mark to the accessed URL is specifically:

If the visitor accesses the home page, the secret mark is added to the accessed URL by forcing a page refresh; or,

If the visitor accesses a subpage, the secret mark is added to the URL of the accessed lower-level page when the upper-level page is dynamically generated.

The present invention next provides system embodiment 1 of tracing attackers based on URL secret marks, as shown in Fig. 3, including:

A secret mark generation module 301, for obtaining the identity information of a visitor and forming a secret mark based on the identity information;

A secret mark adding module 302, for adding the secret mark to the accessed URL;

An information capture module 303, for capturing screen information disclosed by the attacker;

An identification module 304, for extracting the URL from the screen information and obtaining the attacker's identity information based on the secret mark in the URL.

Preferably, the secret mark generation module is specifically used for:

If the website server receives an access request from a visitor, obtaining the visitor's identity information and encoding it to form the secret mark.

Preferably, the secret mark adding module is specifically used for:

If the visitor accesses the home page, adding the secret mark to the accessed URL by forcing a page refresh; or,

If the visitor accesses a subpage, adding the secret mark to the URL of the accessed lower-level page when the upper-level page is dynamically generated.

Preferably, the information capture module is specifically used for: determining whether the web page has been tampered with; if so, capturing the screen information disclosed by the attacker; otherwise, continuing to provide normal web service to visitors.

The above system embodiment further includes: an attack tracing module, for tracing the attacker or associating attack organizations based on the attacker's identity information.

The embodiments in this specification are described progressively; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. The system embodiment in particular, being substantially similar to the method embodiment, is described more briefly; for relevant details, see the description of the method embodiment.

As described above, the foregoing embodiments provide a method and system for tracing attackers based on URL secret marks: during website page development, secret marks are added to the URLs of the different jump pages; screen information recorded by the attacker is obtained through open channels such as social networks; the secret mark in the URL portion of the screen information is parsed to obtain the attacker's identity information; and the attacker is traced, or attack organizations are associated, based on that identity information.

The above embodiments illustrate, and do not limit, the technical solution of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall fall within the scope of the claims of the present invention.

Claims (10)

1. A method for tracing attackers based on URL secret marks, characterized by including:
Obtaining the identity information of a visitor, and forming a secret mark based on the identity information;
Adding the secret mark to the accessed URL;
Capturing screen information disclosed by the attacker;
Extracting the URL from the screen information, and obtaining the attacker's identity information based on the secret mark in the URL.
2. The method of claim 1, characterized in that obtaining the identity information of the visitor and forming a secret mark based on the identity information is specifically:
If the website server receives an access request from a visitor, the visitor's identity information is obtained and encoded to form the secret mark.
3. The method of claim 1 or 2, characterized in that adding the secret mark to the accessed URL is specifically:
If the visitor accesses the home page, the secret mark is added to the accessed URL by forcing a page refresh; or,
If the visitor accesses a subpage, the secret mark is added to the URL of the accessed lower-level page when the upper-level page is dynamically generated.
4. The method of claim 3, characterized in that capturing the screen information disclosed by the attacker includes: determining whether the web page has been tampered with; if so, capturing the screen information disclosed by the attacker; otherwise, continuing to provide normal web service to visitors.
5. The method of claim 1, 2 or 4, characterized by further including: tracing the attacker or associating attack organizations based on the attacker's identity information.
6. A system for tracing attackers based on URL secret marks, characterized by including:
A secret mark generation module, for obtaining the identity information of a visitor and forming a secret mark based on the identity information;
A secret mark adding module, for adding the secret mark to the accessed URL;
An information capture module, for capturing screen information disclosed by the attacker;
An identification module, for extracting the URL from the screen information and obtaining the attacker's identity information based on the secret mark in the URL.
7. The system of claim 6, characterized in that the secret mark generation module is specifically used for:
If the website server receives an access request from a visitor, obtaining the visitor's identity information and encoding it to form the secret mark.
8. The system of claim 6 or 7, characterized in that the secret mark adding module is specifically used for:
If the visitor accesses the home page, adding the secret mark to the accessed URL by forcing a page refresh; or,
If the visitor accesses a subpage, adding the secret mark to the URL of the accessed lower-level page when the upper-level page is dynamically generated.
9. The system of claim 8, characterized in that the information capture module is specifically used for: determining whether the web page has been tampered with; if so, capturing the screen information disclosed by the attacker; otherwise, continuing to provide normal web service to visitors.
10. The system of claim 6, 7 or 9, characterized by further including: an attack tracing module, for tracing the attacker or associating attack organizations based on the attacker's identity information.
CN201610679210.7A 2016-08-17 2016-08-17 Method and system for tracing attackers based on URL secret marks CN106549931B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610679210.7A CN106549931B (en) 2016-08-17 2016-08-17 Method and system for tracing attackers based on URL secret marks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610679210.7A CN106549931B (en) 2016-08-17 2016-08-17 Method and system for tracing attackers based on URL secret marks

Publications (2)

Publication Number Publication Date
CN106549931A (en) 2017-03-29
CN106549931B CN106549931B (en) 2019-09-27

Family

ID=58367884

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610679210.7A CN106549931B (en) 2016-08-17 2016-08-17 Method and system for tracing attackers based on URL secret marks

Country Status (1)

Country Link
CN (1) CN106549931B (en)


Also Published As

Publication number Publication date
CN106549931B (en) 2019-09-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100080 Beijing city Haidian District minzhuang Road No. 3, Tsinghua Science Park Building 1 Yuquan Huigu a

Applicant after: Beijing ahtech network Safe Technology Ltd

Address before: 100080 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16

Applicant before: Beijing Antiy Electronic Installation Co., Ltd.

GR01 Patent grant