CN106936791B - Method and device for intercepting malicious website access - Google Patents
- Publication number
- CN106936791B (application number CN201511025734.6A)
- Authority
- CN
- China
- Prior art keywords
- data packet
- information
- domain name
- packet
- payload
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method and a device for intercepting malicious website access. The method comprises the following steps: parsing an IP data packet, where the IP data packet includes an IP data packet at a virtual network card; when the IP data packet is determined to contain domain name information, comparing the domain name information with the information in a malicious website set; and intercepting the IP data packet when the comparison result is that the domain name information matches information in the malicious website set. With the scheme of the invention, the harm caused by malicious network access behaviour can be comprehensively and effectively prevented, the security of the intelligent electronic device is improved, and the scheme has the characteristics of good applicability, ease of popularization and the like.
Description
Technical Field
The invention relates to the technical field of internet, in particular to a method and a device for intercepting malicious website access.
Background
With the rapid development of internet technology, especially mobile internet technology, users can use their intelligent electronic devices, especially smartphones, to access the network anytime and anywhere. Because access by an intelligent electronic device (for example by an application installed on it) to a malicious website often leads to leakage of the user's personal information and even to loss of personal property, users pay increasing attention to network access security.
Existing methods for preventing an intelligent electronic device from accessing malicious websites mainly include the following three:
Method I avoids access by the intelligent electronic device to malicious websites on the basis of Root privileges; in the Root state, hooks are set with Netfilter so that the response messages of DNS requests enter a local predetermined queue, and when the MD5 value of the domain name in a response message in that queue matches an MD5 value in the local malicious website library, a locally run web server listening on port 80 presents a warning page to the user, prompting that the website currently being visited is malicious.
Method II avoids access by the intelligent electronic device to malicious websites on the basis of logs; that is, when an application needs to access a website and the corresponding web page is opened with a browser application, a record of the jump is obtained from the log generated by the operating system (such as Android), the website to be accessed is extracted from that record, and when it is detected to be malicious, the user is prompted by a pop-up or similar that the website currently being accessed is malicious.
Method III avoids access by the intelligent electronic device to malicious websites through the browser; that is, while opening a web page, the browser extracts the website to be accessed, checks it against a local or cloud malicious website library, and, when the website is detected to be malicious, prompts the user by a pop-up or similar that the website currently being accessed is malicious.
The inventor finds that the application range of the first method is limited because Root privileges must be obtained; the second method is not suitable for scenarios in which no browser application is used to open the web page, such as a fraudulent red-packet message in WeChat, which, once tapped, displays the malicious website's page inside WeChat itself; in addition, the logs generated by the operating system vary with the operating system version and the type of intelligent electronic device, so accurately extracting the website to be accessed is difficult; the third method is likewise not applicable to scenarios in which no browser application is used to open the web page.
Disclosure of Invention
The invention aims to provide a method and a device for intercepting malicious website access.
According to an aspect of the present invention, there is provided a method for intercepting malicious website access, wherein the method comprises the following steps: analyzing an IP data packet, wherein the IP data packet comprises an IP data packet at a virtual network card; comparing the domain name information with information in a malicious website set under the condition that the IP data packet is determined to contain the domain name information; and intercepting the IP data packet under the condition that the comparison result is that the domain name information is matched with the information in the malicious website set.
According to another aspect of the present invention, there is also provided an apparatus for intercepting malicious website access, wherein the apparatus includes: the analysis module is used for analyzing an IP data packet, wherein the IP data packet comprises an IP data packet at the virtual network card; the domain name information comparison module is used for comparing the domain name information with information in a malicious website set under the condition that the IP data packet is determined to contain the domain name information; and the interception processing module is used for intercepting the IP data packet under the condition that the comparison result is that the domain name information is matched with the information in the malicious website set.
Compared with the prior art, the invention has the following advantages: by using a virtual network card (such as a VPN-based virtual network card) in the intelligent electronic device (such as a smartphone or tablet computer), all IP data packets sent outward by every application in the device, and all IP data packets sent from outside to every application in the device, pass through the virtual network card; therefore every IP data packet containing domain name information can be obtained accurately by parsing the IP data packets read from the virtual network card, the domain name information in each packet can be judged, and the packet can be intercepted when its domain name information is judged to belong to the malicious website set. In this way the method and device can effectively prevent malicious website access without obtaining Root privileges. The technical scheme of the invention thus comprehensively and effectively prevents the harm caused by malicious network access behaviour, improves the security of the intelligent electronic device, and has the characteristics of good applicability, ease of popularization and the like.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
fig. 1 is a flowchart of a method for intercepting malicious website access according to a first embodiment of the present invention;
fig. 2 is a flowchart of a method for intercepting malicious website access according to a second embodiment of the present invention;
fig. 3 is a flowchart of processing UDP packets according to a second embodiment of the present invention;
fig. 4 is a flowchart of processing a TCP packet according to a second embodiment of the present invention;
fig. 5 is a schematic diagram of an apparatus for intercepting malicious website access according to a third embodiment of the present invention;
fig. 6 is a schematic structural diagram of a first determining module according to a third embodiment of the present invention;
fig. 7 is another schematic structural diagram of a first determining module according to a third embodiment of the present invention;
fig. 8 is a schematic structural diagram of a third determining module according to a third embodiment of the present invention;
fig. 9 is a schematic structural diagram of a first transmission processing module according to a third embodiment of the present invention;
fig. 10 is a schematic structural diagram of an interception processing module according to a third embodiment of the present invention;
fig. 11 is a schematic structural diagram of a second transmission processing module according to a third embodiment of the present invention;
fig. 12 is a schematic view of an application scenario of the apparatus for intercepting malicious website access according to the third embodiment of the present invention.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel, concurrently, or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The intelligent electronic device comprises user equipment and network equipment. The user equipment includes, but is not limited to, computers, smartphones, PDAs and the like; the network equipment includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a cloud based on cloud computing and consisting of a large number of computers or network servers, where cloud computing is a form of distributed computing: a super virtual computer made up of a collection of loosely coupled computers. The intelligent electronic device can access the network and exchange information with other intelligent electronic devices in the network. The networks the intelligent electronic device can access include, but are not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a VPN network, and the like.
It should be noted that the user device, the network, and the like are only examples, and other existing or future intelligent electronic devices or networks may also be included in the scope of the present application, and are included by reference herein.
The embodiments of the methods discussed in the following description, some of which are illustrated by flow diagrams, may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine or computer readable medium such as a storage medium. The processor(s) may perform the necessary tasks.
Specific structural and functional details disclosed herein are merely representative and are presented for purposes of describing example embodiments of the present application, however, the present application may be embodied in many alternate forms and should not be construed as limited to only the embodiments set forth herein.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element may be termed a second element, and, similarly, a second element may be termed a first element, without departing from the scope of example embodiments. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. In contrast, when an element is referred to as being "directly connected" or "directly coupled" to another element, there are no intervening elements present. Other words used to describe the relationship between elements (e.g., "between" as opposed to "directly between", "adjacent" as opposed to "directly adjacent", etc.) should be interpreted in a similar manner.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be noted that, in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two figures shown in succession may, in fact, be executed substantially concurrently, or the figures may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
The technical solution of the present application is further described in detail below with reference to the accompanying drawings.
Embodiment one is a method for intercepting malicious website access.
Fig. 1 is a flowchart of a method for intercepting malicious website access according to this embodiment. As shown in fig. 1, the method of this embodiment mainly includes step S100, step S110, and step S120. The method described in this embodiment is usually executed in an intelligent electronic device, preferably an intelligent mobile device (i.e., a user mobile device) such as a smartphone or a tablet computer.
The respective steps in fig. 1 are described in detail below.
S100, an IP (Internet Protocol) packet is analyzed.
Specifically, the IP data packet in this embodiment includes an IP data packet at a virtual network card, and more specifically an IP data packet at a virtual network card based on a VPN (Virtual Private Network).
In this embodiment, the IP data packet may be read from the VPN-based virtual network card in the intelligent electronic device, and then the read IP data packet may be analyzed.
The intelligent electronic device in this embodiment is generally an intelligent electronic device based on an Android operating system (Android), and if other operating systems also support a VPN function, the intelligent electronic device in this embodiment may also be an intelligent electronic device based on other operating systems.
In the implementation process of this embodiment, if the VPN function provided by the operating system of the intelligent electronic device is not in an open state, an operation of opening the VPN function provided by the operating system of the intelligent electronic device should be performed first, and in the process of opening the VPN function, a corresponding IP address should be set for the virtual network card, for example, the IP address of the virtual network card is set to 192.168.1.8. In the case that the information interaction between the virtual network card and the destination device (such as a remote server) is implemented in a proxy server transfer manner, the embodiment should also set a proxy server in the intelligent electronic device, for example, set an IP address of the proxy server and a port of the proxy server. Of course, the information interaction between the virtual network card and the destination device may also be implemented by other means besides the proxy server, for example, by setting a corresponding protocol stack between the virtual network card and the destination device, the information interaction between the virtual network card and the destination device is implemented.
After the VPN function provided by an operating system of the intelligent electronic equipment is successfully started, the virtual network card is arranged in the intelligent electronic equipment, all IP data packets sent to the outside by each application in the intelligent electronic equipment are transmitted to the virtual network card, and all IP data packets sent to each application in the intelligent electronic equipment from the outside are also transmitted to the virtual network card; that is to say, all the applications in the intelligent electronic device need to interact with the external IP data packets through the virtual network card, and therefore, the IP data packets read from the virtual network card may be the IP data packets from the applications in the intelligent electronic device, or the IP data packets transmitted to the applications in the intelligent electronic device.
It should be noted that, after the VPN function provided by the operating system of the intelligent electronic device is successfully started, when each application in the intelligent electronic device sends an IP packet to the outside, the IP address of the virtual network card is used as the source IP address of the IP packet sent to the destination device (e.g., a remote server) (e.g., 192.168.1.8 is used as the source IP address of the IP packet), and the IP address of the physical network card in the intelligent electronic device is no longer used as the source IP address of the IP packet.
The parsing of the IP packet is mainly used to obtain information of a receiver of the IP packet (i.e., a destination IP address and a destination port), information of a sender of the IP packet (i.e., a source IP address and a source port), and payload type information of the IP packet (e.g., content in an upper layer protocol field).
The sender information and receiver information of the IP data packet together indicate the transmission direction of the packet, i.e., whether it is an IP data packet from an application in the intelligent electronic device or an IP data packet sent to such an application (that is, an IP data packet from an external destination device).
The payload type information of the IP data packet indicates whether the payload of the IP data packet is a TCP (Transmission Control Protocol) data packet or a UDP (User Datagram Protocol) data packet.
The embodiment does not limit the specific implementation manner of parsing the read IP packet.
S110, comparing the domain name information with information in the malicious website set under the condition that the IP data packet is determined to contain the domain name information.
Specifically, the embodiment may determine whether the IP packet includes the domain name information according to the IP packet analysis result information. In this embodiment, by determining analysis result information (such as information of a receiver of the IP data packet, information of a sender of the IP data packet, and information of a payload type of the IP data packet) obtained by analyzing the IP data packet, it can be determined whether the IP data packet includes domain name information.
As an example, in this embodiment, by determining a source IP address or a destination IP address in analysis result information of an IP data packet, a transmission direction of the IP data packet may be determined, for example, whether the source IP address in the analysis result information of the IP data packet is an IP address of a virtual network card in an intelligent electronic device is determined, and if the source IP address is the IP address of the virtual network card, it may be determined that the IP data packet is from an application in the intelligent electronic device; if the destination IP address in the analysis result information of the IP data packet is the IP address of the proxy server in the intelligent electronic device, it may be determined that the IP data packet is an IP data packet sent to an application in the intelligent electronic device.
As an example, in this embodiment, by determining the payload type information of the IP data packet in the analysis result information of the IP data packet, it can be determined whether the payload of the IP data packet is a TCP data packet or a UDP data packet.
As an example, in this embodiment, by determining whether a source port in the analysis result information of the IP packet is a port for DNS (Domain Name System) response, and combining the above determination process for the payload type information, it can be determined whether a UDP packet in the IP packet is a UDP packet based on DNS response.
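The UDP packets singled out here, DNS responses arriving from port 53, carry domain names in the DNS message format rather than as plain text, so the comparison with the malicious website set needs a small parser first. The following Python is an added example, not code from the patent: it decodes the question name and every CNAME target from a DNS response, following RFC 1035 compression pointers, and checks each name and its parent domains against a constructed blocklist. The function names, the sample response and the blocklist entry `cdn.example.test` are assumptions of this example.

```python
import struct

def read_name(msg: bytes, offset: int, depth: int = 0) -> tuple[str, int]:
    """Decode a DNS name at `offset`, following compression pointers. Returns (name, next_offset)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:                            # root label terminates the name
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                  # two-byte pointer to an earlier name
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                  # pointers may only refer backwards
                raise ValueError("forward compression pointer")
            suffix, _ = read_name(msg, pointer, depth + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        if length > 63 or offset + 1 + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def domain_names_in_response(msg: bytes) -> set[str]:
    """Collect the question name and every CNAME target of a DNS response (question and answer sections)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    names, off = set(), 12
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
        names.add(name.lower())
    for _ in range(ancount):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                             # CNAME: the target is a name the client will go on to use
            target, _ = read_name(msg, off)
            names.add(target.lower())
        off += rdlen
    return names

def is_blocked(name: str, malicious: set[str]) -> bool:
    """Match the name itself or any parent domain against the malicious website set."""
    parts = name.lower().split(".")
    return any(".".join(parts[i:]) in malicious for i in range(len(parts)))

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def build_sample_response() -> bytes:
    """Constructed response: www.example.test CNAME cdn.example.test, then an A record for the target."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, 1 question, 2 answers
    question = encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    target = encode_name("cdn.example.test")
    ans1 = struct.pack("!H", 0xC000 | 12) + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    target_off = len(header) + len(question) + 2 + 10        # offset of the CNAME target inside ans1
    ans2 = struct.pack("!H", 0xC000 | target_off) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + ans1 + ans2

MALICIOUS_SET = {"cdn.example.test"}   # constructed blocklist entry for the example

if __name__ == "__main__":
    for name in sorted(domain_names_in_response(build_sample_response())):
        print(name, "blocked" if is_blocked(name, MALICIOUS_SET) else "allowed")
```

The CNAME target is collected deliberately: a response whose question name is clean but whose chain ends at a listed domain still leads the application to that domain, so a check that only looks at the question name would let it through.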
As an example, in this embodiment, by determining a destination port of an IP data packet and combining the above determination process on the transmission direction and the payload type information of the IP data packet, it can be determined whether a TCP data packet in the IP data packet is a TCP data packet for a network access request.
The first specific example in which this embodiment determines that the IP data packet does not contain domain name information is as follows: when the source IP address in the analysis result of the IP data packet is the IP address of the virtual network card and the payload type information indicates that the payload is a UDP data packet, the packet is a UDP data packet sent from an application in the intelligent electronic device, and it is therefore determined not to contain domain name information.
The second specific example in which this embodiment determines that the IP data packet does not contain domain name information is as follows: when the destination IP address in the analysis result is the IP address of the virtual network card, the payload type information indicates that the payload is a UDP data packet, and the source port of the packet is not a port used for DNS responses, the packet is a UDP data packet sent to an application in the intelligent electronic device that does not carry a DNS response, and it is therefore determined not to contain domain name information.
The third specific example in which this embodiment determines that the IP data packet does not contain domain name information is as follows: when the source IP address in the analysis result is the IP address of the virtual network card, the payload type information indicates that the payload is a TCP data packet, and the destination port of the packet is not a port used for network access requests (HTTP/HTTPS requests; e.g., port 80 or port 8080), the packet is not a network access request, and it is therefore determined not to contain domain name information.
The fourth specific example in which this embodiment determines that the IP data packet does not contain domain name information is as follows: when the destination IP address in the analysis result is the IP address of the proxy server and the payload type information indicates that the payload is a TCP data packet, the packet is determined not to contain domain name information.
The first specific example in which this embodiment determines that the IP data packet contains domain name information is as follows: when the destination IP address in the analysis result is the IP address of the virtual network card, the payload type information indicates that the payload is a UDP data packet, and the source port of the packet is a port used for DNS responses (for example, port 53), the packet is a UDP data packet sent to an application in the intelligent electronic device that carries a DNS response, and it is therefore determined to contain domain name information.
The second specific example in which this embodiment determines that the IP data packet contains domain name information is as follows: when the source IP address in the analysis result is the IP address of the virtual network card, the payload type information indicates that the payload is a TCP data packet, and the destination port of the packet is a port used for network access requests (HTTP/HTTPS requests; e.g., port 80 or port 8080), the packet is a network access request, and it is therefore determined to contain domain name information. It should be noted that in this embodiment the check on whether the destination port is a network access request port is performed when the original destination IP address corresponding to the TCP payload is determined not to be the predetermined IP address; when the original destination IP address corresponding to the TCP payload is determined to be the predetermined IP address, the determination of whether the IP data packet contains domain name information is not performed.
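Step S100 and the six determinations above can be written out as one small classifier. The following Python is an added example, not code from the patent: the virtual network card address 192.168.1.8 and the ports 53, 80 and 8080 are taken from the description, while the proxy address 192.168.1.9, the function names and the sample packets are constructed assumptions of this example (the sample packets leave header checksums at zero because nothing here verifies them).

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VNIC_IP = "192.168.1.8"    # virtual network card address used in the description
PROXY_IP = "192.168.1.9"   # assumed address of the local proxy server (not given on the page)
DNS_PORT = 53              # source port of a DNS response
WEB_PORTS = {80, 8080}     # ports the description names for HTTP/HTTPS requests
TCP, UDP = 6, 17           # IPv4 protocol numbers

@dataclass
class ParsedPacket:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    payload: bytes

def parse_ipv4(packet: bytes) -> ParsedPacket:
    """Step S100: read addresses, protocol and, for TCP/UDP, the ports and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    protocol = packet[9]
    src_ip, dst_ip = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    l4 = packet[ihl:total_len]
    if protocol not in (TCP, UDP):
        return ParsedPacket(src_ip, dst_ip, protocol, 0, 0, l4)
    hdr_len = 8 if protocol == UDP else 20
    if len(l4) < hdr_len:
        raise ValueError("truncated transport header")
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    if protocol == TCP:
        hdr_len = (l4[12] >> 4) * 4          # TCP data offset, in 32-bit words
    return ParsedPacket(src_ip, dst_ip, protocol, src_port, dst_port, l4[hdr_len:])

def direction(p: ParsedPacket) -> str:
    """Packets from an app carry the virtual NIC address as source; packets to an app are addressed to it or to the proxy."""
    if p.src_ip == VNIC_IP:
        return "outbound"
    return "inbound" if p.dst_ip in (VNIC_IP, PROXY_IP) else "unknown"

def contains_domain_name(p: ParsedPacket) -> bool:
    """Step S110 pre-check: the six determinations of the description, in order."""
    outbound = p.src_ip == VNIC_IP
    if p.protocol == UDP:
        if outbound:                         # example 1: UDP from an app (e.g. the DNS query itself)
            return False
        if p.dst_ip == VNIC_IP:              # examples 2 and 5: UDP to an app is a DNS response iff source port 53
            return p.src_port == DNS_PORT
    elif p.protocol == TCP:
        if outbound:                         # examples 3 and 6: TCP from an app is a web request iff destination port 80/8080
            return p.dst_port in WEB_PORTS
        if p.dst_ip == PROXY_IP:             # example 4: TCP addressed to the proxy
            return False
    return False

def build_packet(src, dst, protocol, src_port, dst_port, payload=b"") -> bytes:
    """Constructed sample packet (IPv4 + UDP or TCP); checksums are left zero since nothing here verifies them."""
    l4 = struct.pack("!HH", src_port, dst_port)
    if protocol == UDP:
        l4 += struct.pack("!HH", 8 + len(payload), 0)
    else:   # seq, ack, data offset 5 (20-byte header), PSH|ACK, window, checksum, urgent
        l4 += struct.pack("!IIBBHHH", 0, 0, 0x50, 0x18, 65535, 0, 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, protocol, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + l4

def classify(packet: bytes) -> dict:
    p = parse_ipv4(packet)
    return {"direction": direction(p),
            "payload": {TCP: "TCP", UDP: "UDP"}.get(p.protocol, "other"),
            "domain_name": contains_domain_name(p)}

# Constructed traffic as the virtual network card would see it
SAMPLES = {
    "dns_query":    build_packet(VNIC_IP, "8.8.8.8", UDP, 40001, 53, b"\x12\x34"),
    "dns_response": build_packet("8.8.8.8", VNIC_IP, UDP, 53, 40001, b"\x12\x34"),
    "udp_other":    build_packet("8.8.8.8", VNIC_IP, UDP, 1234, 40002),
    "http_request": build_packet(VNIC_IP, "93.184.216.34", TCP, 50000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh_session":  build_packet(VNIC_IP, "93.184.216.34", TCP, 50001, 22),
    "proxy_reply":  build_packet("93.184.216.34", PROXY_IP, TCP, 80, 50000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {classify(pkt)}")
```

Note that port 443 is not among the ports the description names, so under these rules a TLS request to 443 is classified as carrying no domain name; a deployment that wants HTTPS covered would have to extend `WEB_PORTS` and read the name from the TLS ClientHello rather than from an HTTP Host header.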
In this embodiment, when the proxy server is set in the intelligent electronic device, the determination of whether an IP data packet whose payload is a TCP data packet contains domain name information may be performed at the proxy server (the determination for an IP data packet whose payload is a UDP data packet need not be performed at the proxy server); for example, the determination is performed on the TCP session that the proxy server establishes for the IP data packet.
In this embodiment, by setting the proxy server and combining the socket connection technology, the technical scheme for intercepting malicious website access of the present invention can be implemented more easily. Of course, this embodiment may also be implemented by setting a protocol stack, that is, data transfer between the virtual network card and the destination device is implemented by the protocol stack, so that the present invention may implement, at the protocol stack, the operation of determining whether domain name information is included, the operation of transmitting an IP data packet, the operation of intercepting an IP data packet, and the like.
In the case that the proxy server is set in the intelligent electronic device, a specific implementation process of determining whether the IP packet includes the domain name information in this embodiment may be: judging whether a source IP address of an IP data packet read from a virtual network card is the IP address of the virtual network card in the intelligent electronic equipment or not, if the source IP address of the IP data packet is the IP address of the virtual network card, determining that the IP data packet is from the application in the intelligent electronic equipment, and if the destination IP address of the IP data packet is the IP address of a proxy server, determining that the IP data packet is the IP data packet sent to the application in the intelligent electronic equipment; meanwhile, the type information of the payload of the IP data packet is judged so as to determine whether the payload of the IP data packet is a TCP data packet or a UDP data packet; combining the above determination processes, if it is determined that the IP data packet is from an application in the intelligent electronic device, and the payload of the IP data packet is a TCP data packet, the payload of the TCP data packet may be transmitted to the proxy server through a socket connection (for distinguishing from other socket connections, the socket connection is referred to as a first socket connection in the following description) based on a virtual network card and the proxy server, which is established for the sender and the receiver of the IP data packet. Specifically, in this embodiment, under the condition that the first socket connection is not established yet for the sender and the receiver of the IP data packet, the first socket connection should be established first, and then the payload of the TCP data packet is transmitted by using the first socket connection. 
The first socket connection may be established as follows: the source port, the destination IP address and the destination port of the IP packet are stored locally, for example as a record in a table (see Table 1 below); the IP address and port of the proxy server are then used as the destination IP address and destination port of the IP data packet, and a first socket connection request is sent using the current source IP address, source port, destination IP address and destination port; once the proxy server responds to the connection request by agreeing to connect, the first socket connection is established. At the proxy server, after the payload of the TCP packet has been received, the original destination port corresponding to that payload (i.e. the destination port of the IP packet when it was read from the virtual network card) may be obtained by looking it up in the stored information (see Table 1 below). It is then determined whether the original destination port is a port used for network access requests (e.g. HTTP/HTTPS requests), such as port 80 or port 8080. If it is not, the IP packet is not an IP packet for a network access request, that is, it does not include domain name information; if it is, the IP packet is an IP packet for a network access request, i.e. it includes domain name information.
As an example, in this embodiment, when it is determined that the IP packet does not include domain name information, transmission processing is performed on the IP packet, for example, when the IP packet is an IP packet from an application in the intelligent electronic device, the IP packet is sent to the destination device, and when the IP packet is an IP packet sent to an application in the intelligent electronic device, the IP packet is sent to the application by writing the IP packet into the virtual network card.
For the first specific example described above, in this embodiment, when it is determined that the IP packet does not include domain name information, the transmission processing operation performed on the IP packet may be: the payload of the UDP packet is transmitted using a socket connection between the virtual network card and the destination device that is established for the sender and the receiver of the IP packet (to distinguish it from other socket connections, this socket connection is referred to as the third socket connection below). It should be noted that when no third socket connection has yet been established for the sender and the receiver of the IP data packet, the third socket connection is established first (for example, a socket connection request is sent, and the third socket connection is established once the other party responds by agreeing to the request), and the payload of the UDP data packet is then transmitted using the newly established third socket connection; when a third socket connection has already been established for the sender and the receiver of the IP data packet, the payload of the UDP data packet may be transmitted directly over it. The payload of the UDP packet sent to the destination device is usually processed by the protocol stack corresponding to the physical network card, for example encapsulated into an IP packet, and the encapsulated IP packet is sent to the destination device.
For the second specific example described above, in the present embodiment, when it is determined that the IP packet does not include domain name information, the transmission processing operation performed on the IP packet may be: the IP data packet is written directly into the virtual network card, so that it is transmitted to the corresponding application through the virtual network card.
For the third specific example described above, in the present embodiment, when it is determined that the IP packet does not include domain name information, the transmission processing operation performed on the IP packet may be: at the proxy server, the payload of the TCP packet is transmitted over a socket connection between the proxy server and the destination device (to distinguish it from other socket connections, this socket connection is referred to as the second socket connection below). It should be noted that when no second socket connection has yet been established for the IP data packet, the second socket connection is established first (for example, a socket connection request is sent, and the second socket connection is established once the peer responds by agreeing to the request), and the payload of the TCP data packet is then transmitted using the newly established second socket connection; when a second socket connection has already been established for the IP data packet, the payload of the TCP data packet may be transmitted directly over it. The payload of the TCP data packet sent to the destination device is usually processed by the protocol stack corresponding to the physical network card, for example encapsulated into an IP data packet, and the encapsulated IP data packet is sent to the destination device.
For the fourth specific example described above, in the present embodiment, when it is determined that the IP packet does not include domain name information, the transmission processing operation performed on the IP packet may be: the source IP address, the source port and the destination IP address of the IP data packet are modified to the IP address of the destination device, the port of the destination device and the IP address of the virtual network card, respectively; the modified IP data packet is then written into the virtual network card and transmitted to the corresponding application through it.
The destination IP address and the destination port of the IP packet finally sent to the destination device (such as a remote server) in this embodiment are the same as the destination IP address and the destination port of the IP packet when the IP packet is read out from the virtual network card, and the source IP address and the source port are the IP address of the proxy server and the port of the proxy server.
Table 1 (Local-Remote table)

| Local port information | Remote server information |
|---|---|
| LocalPort_1 | RemoteIp_1, RemotePort_1 |
| LocalPort_2 | RemoteIp_2, RemotePort_2 |
| … | … |
| LocalPort_N | RemoteIp_N, RemotePort_N |
In table 1, the local port information is the source port (port of the application) of the IP packet, and the remote server information is the destination IP address (i.e. original destination IP address) and the destination port (i.e. original destination port) of the IP packet.
It should be particularly noted that the first, second, and third socket connections in this embodiment are mainly used for IP packet interaction between an application in an intelligent electronic device and an external destination device (e.g., a remote server, etc.), and the first, second, and third socket connections are usually deleted when the application no longer needs to perform IP packet interaction with the external destination device (e.g., the remote server, etc.) or due to an interception operation in this embodiment.
As an example, in the present embodiment, when it is determined that the IP data packet includes domain name information, a domain name information extraction operation should be performed, and when information stored in a malicious website set (such as a malicious website library) locally set in the intelligent electronic device is an MD5 value of the malicious domain name information, the present embodiment may convert the extracted domain name information into an MD5 value, and then compare the converted MD5 value with each MD5 value in the malicious website set to determine whether an MD5 value matching the converted MD5 value exists in the malicious website set.
As an example, the malicious website set in this embodiment may be updated at any time according to a requirement, for example, when a malicious website library in the cloud server changes, the malicious website library in the intelligent electronic device is updated.
S120, intercepting the IP data packet when the comparison result is that the domain name information matches the information in the malicious website set.
Specifically, the intercepting process performed on the IP data packet in this embodiment may be: for an IP data packet of which the payload sent to the application in the intelligent electronic device is a UDP data packet based on a DNS response, the IP data packet is marked, so that corresponding operation can be executed according to the mark subsequently.
In this embodiment, the intercepting process performed on an IP data packet whose domain name information matches the information in the malicious website set may also be: for an IP data packet from an application in the intelligent electronic device whose payload is a TCP data packet, the connection between the application and the destination device (such as a remote server) it is trying to access is disconnected, so that IP data packet interaction between the application and the destination device hosting the malicious website is avoided.
As an example, for an IP packet sent to an application in the intelligent electronic device whose payload is a UDP packet based on a DNS response, the marking process described above may specifically be: the DNS query result in the payload of the UDP data packet is modified into a preset IP address representing a malicious website; the modified payload of the UDP data packet undergoes operations such as IP encapsulation to form a new IP data packet (the destination IP address of the new IP data packet is the IP address of the virtual network card, the destination port is the port corresponding to the application, the source IP address is the IP address of the destination device, and the source port is the port (such as port 53) used by the destination device for DNS responses); the new IP data packet is then written into the virtual network card, so that it can be transmitted to the corresponding application through the virtual network card.
As an example, after receiving from the virtual network card an IP packet containing the modified DNS query result information, an application in the intelligent electronic device extracts the modified DNS query result information from the payload of the UDP packet in the IP packet and performs a network access request using the predetermined IP address in that result. That is, it forms an IP packet whose payload is a TCP packet, where the destination IP address is the predetermined IP address, the destination port is a port (e.g., port 80 or port 8080) for a network access request (e.g., an HTTP/HTTPS request), the source IP address is the IP address of the virtual network card, and the source port is the port corresponding to the application. After this IP data packet is read from the virtual network card, its destination IP address and destination port are modified to the IP address and port of the proxy server, a first socket connection is established for the modified IP data packet, and the payload of its TCP data packet is transmitted to the proxy server through the first socket connection. At the proxy server, when it is determined that the original destination IP address corresponding to the payload of the TCP data packet is the predetermined IP address, further transmission of the payload is prohibited (i.e., an interception process is performed for the IP data packet): for example, the payload of the TCP data packet is discarded; if no second socket connection has been established for the payload, only the first socket connection corresponding to it is disconnected, and if a second socket connection has already been established for the payload, both the first and the second socket connection corresponding to it should be disconnected. In addition, the embodiment may also return HTML data containing an alert page to the application.
As an example, in this embodiment, when the comparison result is that the domain name information is not matched with the information in the malicious website set, the transmission processing may be performed on the IP data packet.
Specifically, in this embodiment, when it is determined that the IP packet does not include domain name information, transmission processing should be performed on the IP packet: for example, when the IP packet is from an application in the intelligent electronic device, the IP packet continues to be sent to the destination device, and when the IP packet is one sent to an application in the intelligent electronic device, it continues to be sent to the corresponding application.
As an example, when a proxy server is provided, the present embodiment transmits the payload of a TCP packet among the IP packets from an application through a second socket connection established for the sender and the receiver of the IP packet. It should be noted that when no second socket connection has yet been established for the sender and the receiver of the IP data packet, the second socket connection is established first and the payload of the TCP data packet is then transmitted (for example, a socket connection request is sent, and the second socket connection is established once the other party responds by agreeing to the request). The payload transmitted through the second socket connection undergoes processing such as IP packet encapsulation at the protocol stack corresponding to the physical network card (the encapsulation uses the record stored in Table 1), and the encapsulated IP packet is transmitted to the external destination device. In this embodiment, the destination IP address and destination port of the encapsulated IP packet sent to the external destination device are the IP address and port of the destination device, and its source IP address and source port are the IP address and port of the proxy server.
Embodiment two: a method for intercepting malicious website access. The flow of the method is shown in figs. 2-4.
In fig. 2, S200, starting the VPN service supported by the Android operating system in the intelligent electronic device, setting the relevant parameters of the virtual network card, and setting the IP address of the virtual network card to VirtualIP; a proxy server is also set in the intelligent electronic device, with its IP address and port set to ProxyIP and ProxyPort respectively. Go to S210.
The proxy server in the embodiment is mainly used for monitoring the socket connection request, and when the socket connection request is monitored, the proxy server responds to the socket connection request by agreeing to the socket connection or rejecting the socket connection; the proxy server is further configured to establish a TCPsession (TCP session) for the socket connection after the socket connection is agreed, so that the TCPsession performs operations such as domain name information judgment for an IP packet whose payload is a TCP type.
S210, the IP data packets sent by each application in the intelligent electronic device to the remote server are first transmitted to the virtual network card, and the IP data packets sent by the remote server to each application in the intelligent electronic device are also first transmitted to the virtual network card. The embodiment can continuously read IP data packets from the virtual network card. Go to S220.
S220, the IP data packet is analyzed to obtain a source IP address, a source port, a destination IP address, a destination port, payload type information and the like of the IP data packet.
S230, determining the payload type information obtained by the above analysis to determine whether the payload in the IP data packet is a TCP data packet or a UDP data packet, if the payload is a TCP data packet, going to S240, and if the payload is a UDP data packet, going to S231.
S231, judging the source IP address and the destination IP address of the IP data packet obtained by the analysis to determine the transmission direction of the IP data packet: if the source IP address of the IP data packet is the IP address of the virtual network card, the IP data packet is determined to be from the application, and go to S232; if the destination IP address is the IP address of the virtual network card, the IP packet is determined to be one sent to the application, and go to S233.
S232, the payload of the UDP data packet is transmitted by using a socket connection based on the virtual network card and the target equipment, so that the payload of the UDP data packet can be subjected to operations such as IP encapsulation and the like by a protocol stack corresponding to the physical network card, and the IP data packet formed after encapsulation is sent to the target equipment (such as a remote server).
S233, performing an operation of determining whether the UDP packet is a UDP packet based on the DNS response and determining a DNS query result, please refer to the following description of fig. 3.
S240, judging the source IP address and the destination IP address of the IP data packet obtained by the analysis to determine the transmission direction of the IP data packet: if the source IP address of the IP data packet is the IP address of the virtual network card, the IP data packet is determined to be from the application, and go to S241; if the destination IP address is the IP address of the proxy server, the IP packet is determined to be one transmitted to the application, and go to S243.
S241, transmitting the payload of the TCP data packet using the socket connection between the virtual network card and the proxy server, so that the payload of the TCP data packet is transmitted to the proxy server. That is, the present embodiment modifies the destination IP address and the destination port of the IP packet to the IP address of the proxy server and the port of the proxy server, so as to transmit the IP packet to the proxy server. Go to S242.
S242, whether the domain name information is included and the matching operation between the domain name information and the information in the malicious website collection are performed, please refer to the following description of fig. 4.
S243, modify the destination IP address of the IP data packet into the IP address of the virtual network card, modify the source IP address into the IP address of the external destination device (such as a remote server), modify the source port into the port of the external destination device, and then write the IP data packet with the modified receiver information and sender information into the virtual network card.
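Steps S220 to S243 (and the rewriting described for the fourth specific example above), as an added Python example that is not code from the patent: it parses an IPv4/TCP packet as read from the virtual network card, decides its direction the way S231/S240 state it, records the app's original receiver in Table 1 and rewrites the sender/receiver information, recomputing the checksums the patent leaves to the protocol stack. The virtual card address is the patent's example value 192.168.1.8; the proxy address and port, the packet bytes and the Table 1 records are constructed assumptions.

```python
import struct
from typing import Dict, Tuple

# Constructed addresses: 192.168.1.8 is the example virtual network card address the patent
# gives; the proxy IP and port are assumptions (the patent only names them ProxyIP/ProxyPort).
VIRTUAL_IP = "192.168.1.8"
PROXY_IP, PROXY_PORT = "127.0.0.1", 8888
PROTO_TCP = 6

# Table 1 (Local-Remote table): app source port -> (original destination IP, original port)
LocalRemoteTable = Dict[int, Tuple[str, int]]

def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum of data (zero-padded to an even length); 0 when a checksummed span verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _aton(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def _ntoa(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)

def parse_packet(pkt: bytes) -> dict:
    """S220: sender and receiver information plus the payload type (IPv4 protocol field)."""
    ihl = (pkt[0] & 0x0F) * 4
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": pkt[9], "src_ip": _ntoa(pkt[12:16]), "dst_ip": _ntoa(pkt[16:20]),
            "src_port": src_port, "dst_port": dst_port}

def direction(info: dict) -> str:
    """S231/S240 as the patent states them: a packet whose source is the virtual card comes from
    an app; a UDP packet addressed to the virtual card, or a TCP packet addressed to the proxy,
    is on its way to an app."""
    if info["src_ip"] == VIRTUAL_IP:
        return "from_app"
    to_app_ip = PROXY_IP if info["proto"] == PROTO_TCP else VIRTUAL_IP
    return "to_app" if info["dst_ip"] == to_app_ip else "unknown"

def rewrite(pkt: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Replace the sender/receiver information of a TCP/IPv4 packet and recompute the IPv4 and
    TCP checksums (work the patent leaves to the protocol stack)."""
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    out[12:16], out[16:20] = _aton(src_ip), _aton(dst_ip)
    out[ihl:ihl + 4] = struct.pack("!HH", src_port, dst_port)
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", _ones_complement_sum(bytes(out[:ihl])))
    seg = out[ihl:]
    seg[16:18] = b"\x00\x00"
    pseudo = bytes(out[12:20]) + struct.pack("!BBH", 0, PROTO_TCP, len(seg))
    seg[16:18] = struct.pack("!H", _ones_complement_sum(pseudo + bytes(seg)))
    out[ihl:] = seg
    return bytes(out)

def checksums_ok(pkt: bytes) -> bool:
    """True when both the IPv4 header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, PROTO_TCP, len(pkt) - ihl)
    return _ones_complement_sum(pkt[:ihl]) == 0 and _ones_complement_sum(pseudo + pkt[ihl:]) == 0

def redirect_to_proxy(pkt: bytes, table: LocalRemoteTable) -> bytes:
    """S241: record the app's original receiver in Table 1, then address the packet to the proxy."""
    info = parse_packet(pkt)
    table[info["src_port"]] = (info["dst_ip"], info["dst_port"])
    return rewrite(pkt, info["src_ip"], info["src_port"], PROXY_IP, PROXY_PORT)

def restore_from_proxy(pkt: bytes, table: LocalRemoteTable) -> bytes:
    """S243: a packet coming back from the proxy is rewritten so that, to the app, it appears to
    come from the original remote server; the app port is the Table 1 key."""
    info = parse_packet(pkt)
    remote_ip, remote_port = table[info["dst_port"]]
    return rewrite(pkt, remote_ip, remote_port, VIRTUAL_IP, info["dst_port"])

def build_tcp_packet(src_ip: str, src_port: int, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Constructed TCP/IPv4 packet (PSH|ACK, no options) standing in for one read from the card."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, PROTO_TCP, 0,
                         _aton(src_ip), _aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return rewrite(ip_hdr + tcp_hdr + payload, src_ip, src_port, dst_ip, dst_port)

if __name__ == "__main__":
    table: LocalRemoteTable = {}
    outbound = build_tcp_packet(VIRTUAL_IP, 40001, "203.0.113.5", 80, b"GET / HTTP/1.1\r\n\r\n")
    print(direction(parse_packet(outbound)), parse_packet(redirect_to_proxy(outbound, table)), table)
    inbound = build_tcp_packet(PROXY_IP, PROXY_PORT, PROXY_IP, 40001, b"HTTP/1.1 200 OK\r\n\r\n")
    print(direction(parse_packet(inbound)), parse_packet(restore_from_proxy(inbound, table)))
```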
In fig. 3, S300 starts processing for the UDP packet.
S310, obtaining a source port corresponding to the UDP data packet.
S320, determining whether the source port of the UDP packet is a port (e.g., port 53) for DNS replies; if so, go to S330, and if not, go to S360.
S330, obtaining a DNS query result, that is, domain name information, in the UDP packet, and converting the obtained domain name information into an MD5 value when information stored in a malicious website set (e.g., a malicious website library) locally set in the intelligent electronic device is the MD5 value of the malicious domain name information.
S340, judging whether the domain name information matches the information in the malicious website set, for example by comparing the converted MD5 value with each MD5 value in the malicious website set to determine whether a matching MD5 value exists there; if so, going to S350, and if not, going to S360.
S350, modifying the query result in the payload into a preset IP address (such as redirect IP) representing the malicious website.
S360, forming an IP data packet for the payload.
S370, writing the formed IP data packet into a virtual network card, so that the IP data packet can be transmitted to a corresponding application via the virtual network card.
In fig. 4, S400, at the proxy server, the TCP packet is processed.
S410, acquiring a destination IP address corresponding to the UDP data packet, for example by looking it up in Table 1.
S420, judging whether the destination IP address is a preset IP address (such as redirect IP), if so, going to S480, and if not, going to S430.
S430, acquiring a destination port corresponding to the TCP data packet.
S440, judging whether the TCP data packet is a TCP data packet based on the HTTP/HTTPS network access request according to the destination port, if the TCP data packet is the TCP data packet based on the HTTP/HTTPS network access request, going to S450, and if the TCP data packet is not the TCP data packet based on the HTTP/HTTPS network access request, going to S470.
S450, extracting the domain name information from the payload, and calculating the MD5 value of the domain name information.
S460, judging whether an MD5 value matching the calculated MD5 value exists in the malicious website library; if so, going to S480, and if not, going to S470.
S470, transmitting the payload of the TCP data packet over the socket connection between the proxy server and the destination device.
S480, disconnecting the socket connection between the virtual network card and the proxy server, and sending an alarm page to the application to prompt the user that the current network access has a security problem.
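The DNS-reply rewrite of fig. 3 (S320 to S350) and the proxy-side decision of fig. 4 (S410 to S480) as one added Python example, not the patent's own code: the redirect IP, the malicious website set, the DNS reply and HTTP request bytes and the Table 1 records are constructed, and reading the domain name from the HTTP Host header in S450 is an assumption the patent does not spell out.

```python
import hashlib
import socket
import struct
from typing import Dict, Optional, Set, Tuple

# Constructed values (not from the patent): the "redirect IP" of S350/S420 and the web ports
# named in S440. Table 1 maps an app's source port to (original destination IP, original port).
REDIRECT_IP = "10.0.0.1"
WEB_PORTS = {80, 8080}
LocalRemoteTable = Dict[int, Tuple[str, int]]

def domain_md5(domain: str) -> str:
    """The form in which the patent's malicious website set stores a domain name."""
    return hashlib.md5(domain.lower().rstrip(".").encode()).hexdigest()

def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a DNS name (following compression pointers); returns (name, offset past the field)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                 # pointer: 2-byte field, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def _walk(msg: bytes) -> Tuple[str, list]:
    """Return the first question name and (type, RDATA offset, RDATA length) of every answer."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, "", []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname, off = qname or name, off + 4      # skip QTYPE, QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((rtype, off + 10, rdlen))
        off += 10 + rdlen
    return qname, answers

def rewrite_dns_response(udp_src_port: int, payload: bytes, malicious_md5s: Set[str]) -> bytes:
    """Fig. 3, S320-S350: in a DNS reply (source port 53) for a name whose MD5 is in the set,
    overwrite every A-record address with REDIRECT_IP; anything else passes through untouched."""
    if udp_src_port != 53 or not struct.unpack("!H", payload[2:4])[0] & 0x8000:
        return payload                            # not a DNS response
    qname, answers = _walk(payload)
    if domain_md5(qname) not in malicious_md5s:   # S340
        return payload
    out = bytearray(payload)
    for rtype, off, rdlen in answers:
        if rtype == 1 and rdlen == 4:             # S350: the A record is the "DNS query result"
            out[off:off + 4] = socket.inet_aton(REDIRECT_IP)
    return bytes(out)

def first_a_record(payload: bytes) -> Optional[str]:
    """The address an app would take from a DNS reply (None if it carries no A record)."""
    for rtype, off, rdlen in _walk(payload)[1]:
        if rtype == 1 and rdlen == 4:
            return socket.inet_ntoa(payload[off:off + 4])
    return None

def extract_http_host(payload: bytes) -> Optional[str]:
    """S450 (assumption: plain HTTP): the domain name information is the Host header."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace").split(":")[0]
    return None

def classify_tcp_payload(src_port: int, payload: bytes, table: LocalRemoteTable,
                         malicious_md5s: Set[str]) -> str:
    """Fig. 4, S410-S480, at the proxy: "intercept" (S480) or "forward" (S470)."""
    dest_ip, dest_port = table[src_port]          # S410/S430: Table 1 record stored in S241
    if dest_ip == REDIRECT_IP:                    # S420: the app followed a rewritten DNS answer
        return "intercept"
    if dest_port not in WEB_PORTS:                # S440: not a web request, no domain name in it
        return "forward"
    host = extract_http_host(payload)             # S450
    if host is not None and domain_md5(host) in malicious_md5s:   # S460
        return "intercept"
    return "forward"

def build_dns_response(domain: str, ip: str) -> bytes:
    """Constructed DNS reply with one question and one A record (demo input only)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer

if __name__ == "__main__":
    bad = {domain_md5("evil.example")}            # constructed malicious website set
    reply = build_dns_response("evil.example", "203.0.113.5")
    print(first_a_record(rewrite_dns_response(53, reply, bad)))       # 10.0.0.1
    table = {40001: ("203.0.113.5", 80), 40002: (REDIRECT_IP, 80)}
    print(classify_tcp_payload(40001, b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n", table, bad))
```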
Embodiment three: a device for intercepting malicious website access.
The structure of the implementation apparatus for intercepting malicious website access according to this embodiment is shown in fig. 5 to 12.
The apparatus in fig. 5 mainly comprises: a parsing module 510, a domain name information comparison module 540 and an interception processing module 550. Optionally, the apparatus may further include any one or more of the reading module 500, the first judging module 520, the first transmission processing module 530, the second transmission processing module 560, and the third judging module 570.
The parsing module 510 is mainly used for parsing the IP data packet. The parsing module 510 in this embodiment may be independently arranged from the virtual network card packet processing module in fig. 12, and of course, may also be arranged in the virtual network card packet processing module in fig. 12.
Specifically, the IP packet parsed by the parsing module 510 is an IP packet at a virtual network card, and more specifically, an IP packet at a virtual network card based on a VPN (Virtual Private Network).
As an example, the parsing module 510 parses the IP packet read by the reading module 500.
The reading module 500 is mainly used for reading an IP data packet from a virtual network card based on a virtual private network VPN in an intelligent electronic device. The reading module 500 in this embodiment may be disposed in the virtual network card packet processing module in fig. 12.
As an example, in an implementation process of this embodiment, if the VPN function provided by the operating system of the intelligent electronic device is not in an open state, the VPN service control module may first perform an operation of opening the VPN function provided by the operating system of the intelligent electronic device, and in the process of opening the VPN function, the VPN service control module should set a corresponding IP address for the virtual network card, for example, the VPN service control module sets the IP address of the virtual network card to 192.168.1.8. Under the condition that information interaction between the virtual network card and the target device is realized by adopting a proxy server transfer mode, the VPN service control module is also required to set a proxy server in the intelligent electronic device, for example, the VPN service control module sets an IP address of the proxy server and a port of the proxy server. Of course, the information interaction between the virtual network card and the destination device may also be implemented by other means besides the proxy server, for example, by setting a corresponding protocol stack between the virtual network card and the destination device, the information interaction between the virtual network card and the destination device is implemented.
After a VPN function provided by an operating system of the intelligent electronic equipment is successfully started by a VPN service control module, the virtual network card is arranged in the intelligent electronic equipment, all IP data packets sent to the outside by each application in the intelligent electronic equipment are transmitted to the virtual network card, and all IP data packets sent to each application in the intelligent electronic equipment from the outside are also transmitted to the virtual network card; that is to say, all the applications in the intelligent electronic device need to interact with the external IP data packets through the virtual network card, and therefore, the IP data packets read by the reading module 500 from the virtual network card may be the IP data packets from the applications in the intelligent electronic device, or the IP data packets transmitted to the applications in the intelligent electronic device.
The parsing module 510 parses the IP packet, and is mainly used to obtain information about a receiver of the IP packet (i.e., a destination IP address and a destination port), information about a sender of the IP packet (i.e., a source IP address and a source port), and information about a payload type of the IP packet (e.g., content in an upper layer protocol field). The embodiment does not limit the specific implementation manner of the parsing module 510 parsing the IP data packet read by the reading module 500.
The first determining module 520 is mainly configured to determine whether the IP data packet includes domain name information according to the IP data packet parsing result information of the parsing module 510.
The first determining sub-module 521 (shown in fig. 6) in the first determining module 520 is mainly configured to determine, according to the IP data packet payload type information and the IP data packet sender information in the IP data packet parsing result information, that the IP data packet does not include domain name information when the IP data packet comes from an application in the intelligent electronic device and its payload is a UDP data packet. The first determining sub-module 521 in this embodiment may be disposed in the virtual network interface card packet processing module in fig. 12.
The second determining sub-module 522 (shown in fig. 7) in the first determining module 520 is mainly configured to determine that the IP data packet includes domain name information when the IP data packet is an IP data packet sent to an application in the intelligent electronic device and the payload of the IP data packet is a UDP data packet based on a domain name system DNS response according to the IP data packet payload type information and the IP data packet sender information in the IP data packet parsing result information. The second determining sub-module 522 in this embodiment may be disposed in the virtual network card packet processing module in fig. 12. Of course, the part of the second determination sub-module 522 that determines whether the payload of the IP packet is a UDP packet of the DNS response may be disposed in the UDP processing module, and the part that determines the other content may be disposed in the virtual network interface card packet processing module.
The first transmission sub-module 523 (as shown in fig. 8) in the first determining module 520 is mainly configured to transmit the payload of the TCP data packet by using a socket connection based on a virtual network card and a proxy server, which is established for a sender and a receiver of the IP data packet, when it is determined that the IP data packet is from an application in the intelligent electronic device according to the IP data packet payload type information and the IP data packet sender information in the IP data packet parsing result information, and the payload of the IP data packet is a TCP data packet. The first transmission submodule 523 in this embodiment may be disposed in the virtual network card packet processing module in fig. 12. As another possibility, a part of the first transmission sub-module 523 that performs the determination operation may be disposed in the virtual network card packet processing module in fig. 12, and a part that performs the establishment of the socket connection based on the virtual network card and the proxy server and the transmission of the payload may be disposed in the TCP processing module.
The third determining sub-module 524 (shown in fig. 8) in the first determining module 520 is mainly configured to determine whether the IP data packet includes domain name information for the payload transmitted to the proxy server; the third determining submodule 524 mainly includes an obtaining submodule and a fourth determining submodule; the obtaining submodule is mainly used for obtaining an original destination port corresponding to a payload of the TCP data packet according to a source port of the IP data packet; the fourth judging submodule is mainly used for determining that the IP data packet does not contain domain name information when the original destination port is judged not to be the port for the network access request, and determining that the IP data packet contains the domain name information when the original destination port is judged to be the port for the network access request. The third determining sub-module 524 in this embodiment may be disposed in the TCP processing module in fig. 12.
The operation performed by the first determining module 520 and its sub-modules is described in the above S120, and detailed description thereof is not repeated here.
The first transmission processing module 530 is mainly configured to perform transmission processing on the IP data packet when the first determining module 520 determines that the IP data packet does not include domain name information.
The transmission submodule 531 (shown in fig. 9) in the first transmission processing module 530 is mainly used for transmitting the payload of the UDP data packet by using a socket connection based on a virtual network card and a destination device, which is established for the sender and the receiver of the IP data packet. The transmission submodule 531 in this embodiment may be disposed in the UDP processing module in fig. 12.
Specifically, the first transmission processing module 530 performs transmission processing on the IP data packet when the first determining module 520 determines that the IP data packet does not include domain name information. For example, when the IP data packet comes from an application in the intelligent electronic device, the first transmission processing module 530 (e.g., the transmission sub-module) sends the IP data packet to the destination device; when the IP data packet is sent to an application in the intelligent electronic device, the first transmission processing module 530 writes the IP data packet into the virtual network card so that it is delivered to the application.
In a specific example, the first transmission processing module 530 transmits the payload of the TCP packet transmitted to the proxy server through a socket connection (i.e., a second socket connection) based on the proxy server and the destination device. It should be noted that, in the case that the second socket connection is not established yet for the IP data packet, the first transmission processing module 530 should establish the second socket connection first and then transmit the payload of the TCP data packet (for example, the first transmission processing module 530 sends a socket connection request, and after an agreed response is made by the other party to the connection request, the second socket connection is successfully established), and then, the first transmission processing module 530 transmits the payload of the TCP data packet by using the currently established second socket connection; and the first transmission processing module 530 may directly transmit the payload of the TCP packet by using the second socket connection when the second socket connection has been successfully established for the IP packet. The content of the first transmission processing module 530 performing this part of the operation may be provided in the TCP processing module in fig. 12.
For another specific example, in the case that the first determining module 520 determines that the IP data packet does not include domain name information, the first transmission processing module 530 may perform, for the IP data packet, the transmission processing operation of: the first transmission processing module 530 modifies the source IP address, the source port, and the destination IP address of the IP data packet into the IP address of the destination device, the port of the destination device, and the IP address of the virtual network card, and writes the modified IP data packet into the virtual network card, so that the modified IP data packet is transmitted to the corresponding application via the virtual network card. The content of the first transport processing module 530 for performing this operation may be provided in the virtual network card packet processing module in fig. 12.
The domain name information comparing module 540 is mainly used for comparing the domain name information with information in the malicious website set when the first determining module 520 determines that the IP data packet contains domain name information. The domain name information comparing module 540 in this embodiment may be disposed in the detecting module in fig. 12.
Specifically, when the first determining module 520 determines that the IP data packet includes domain name information, the domain name information comparing module 540 extracts that domain name information. When the malicious website set (such as a malicious website library) stored locally by the domain name information comparing module 540 holds MD5 values of the malicious domain names, the module converts the extracted domain name information into an MD5 value and then compares the converted MD5 value with each MD5 value in the malicious website set to determine whether a matching MD5 value exists in the set.
As an example, the malicious website set in the domain name information comparison module 540 may be updated at any time according to a requirement, for example, when the malicious website library in the cloud server changes, the malicious website library in the domain name information comparison module 540 is updated.
The interception processing module 550 is mainly configured to intercept the IP data packet when the result of the comparison operation performed by the domain name information comparison module 540 is that the domain name information matches with information in the malicious website set. The interception processing module 550 in this embodiment may be disposed in the blocking module in fig. 12.
Specifically, the interception processing performed by the interception processing module 550 on the IP data packet may be as follows: for an IP packet sent to the application in the intelligent electronic device whose payload is a UDP packet carrying a DNS response, the interception processing module 550 marks the IP packet, so that a corresponding operation can subsequently be performed according to the marking. This part of the operations performed by the interception processing module 550 may also be arranged in the UDP processing module and the virtual network card packet processing module in fig. 12.
The query result modification sub-module 551 (shown in fig. 10) in the interception processing module 550 is mainly used to modify the DNS query result in the UDP packet to a predetermined IP address representing a malicious website. The query result modification sub-module 551 in this embodiment may be disposed in the UDP processing module in fig. 12.
The virtual network card writing sub-module 552 (as shown in fig. 10) in the interception processing module 550 is mainly used for writing the IP data packet with the modified DNS query result into the virtual network card, so that the IP data packet with the modified DNS query result is transmitted to the corresponding application through the virtual network card. The virtual network card writing sub-module 552 in this embodiment may be disposed in the virtual network card packet processing module in fig. 12.
As an example, for an IP data packet sent to an application in the intelligent electronic device whose payload is a UDP data packet carrying a DNS response, the marking processing performed by the interception processing module 550 on the IP data packet may specifically be as follows: the query result modification submodule 551 modifies the DNS query result in the UDP packet payload to a predetermined IP address representing a malicious website; the virtual network card writing submodule 552 performs operations such as IP encapsulation on the modified UDP packet payload to form a new IP packet (the destination IP address of the new IP packet is the IP address of the virtual network card, the destination port is the port corresponding to the application, the source IP address is the IP address of the destination device, and the source port is the port (such as port 53) used by the destination device for the DNS response); and then the virtual network card writing submodule 552 writes the new IP packet into the virtual network card, so that the IP packet is transmitted to the corresponding application via the virtual network card.
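The marking step just described, as an added Python example rather than code from the patent: a constructed IPv4/UDP DNS response is parsed, the queried name is MD5-hashed and looked up in a constructed malicious website set, and every A answer is pointed at a sinkhole address with the UDP checksum recomputed, so the application that issued the query receives the "predetermined IP address". The sinkhole value, the set contents and the sample packet are assumptions made for this example.

```python
import hashlib
import ipaddress
import struct

# Sinkhole address written into a blocked DNS answer (example value; the page
# only calls it a "predetermined IP address representing a malicious website").
SINKHOLE_IP = "10.255.255.254"

# Constructed malicious website set: as on the page, MD5 values of the names.
MALICIOUS_MD5 = {hashlib.md5(d.encode()).hexdigest()
                 for d in ("bad.example", "evil.invalid")}


def domain_is_malicious(name):
    """Normalise the queried name, hash it and look the MD5 value up in the set."""
    return hashlib.md5(name.rstrip(".").lower().encode()).hexdigest() in MALICIOUS_MD5


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum (odd-length input is zero padded)."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(ip_addrs, udp):
    """UDP checksum over the IPv4 pseudo-header and datagram; 0 if already valid."""
    pseudo = bytes(ip_addrs) + b"\x00\x11" + struct.pack("!H", len(udp))
    return inet_checksum(pseudo + bytes(udp))


def read_name(msg, off):
    """Decode the DNS name at off (following compression pointers); returns (name, end)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(bytes(msg[off + 1:off + 1 + ln]).decode("ascii"))
            off += 1 + ln


def parse_dns_response(ip_pkt):
    """For an IPv4/UDP packet from port 53 carrying a DNS response with one question,
    return (qname, ip_header_len, [(offset_in_udp, ip) per A answer]); else None."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    if ip_pkt[9] != 17:                             # IP protocol 17 = UDP
        return None
    udp = ip_pkt[ihl:]
    if struct.unpack("!H", udp[:2])[0] != 53:       # DNS responses come from 53
        return None
    dns = udp[8:]
    flags, qd, an = struct.unpack("!HHH", dns[2:8])
    if not flags & 0x8000 or qd != 1:               # QR bit marks a response
        return None
    qname, off = read_name(dns, 12)
    off += 4                                        # skip QTYPE and QCLASS
    a_records = []
    for _ in range(an):
        _, off = read_name(dns, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            a_records.append((8 + off, str(ipaddress.IPv4Address(bytes(dns[off:off + 4])))))
        off += rdlen
    return qname, ihl, a_records


def rewrite_dns_response(ip_pkt):
    """The marking step: if the queried name is in the malicious set, point every A
    answer at SINKHOLE_IP and recompute the UDP checksum. The IP header is untouched,
    so its checksum stays valid. Returns (packet, matched name or None)."""
    parsed = parse_dns_response(ip_pkt)
    if parsed is None or not domain_is_malicious(parsed[0]):
        return ip_pkt, None
    qname, ihl, a_records = parsed
    udp = bytearray(ip_pkt[ihl:])
    for off, _ in a_records:
        udp[off:off + 4] = ipaddress.IPv4Address(SINKHOLE_IP).packed
    udp[6:8] = b"\x00\x00"                          # zero before recomputing
    udp[6:8] = struct.pack("!H", udp_checksum(ip_pkt[12:20], udp) or 0xFFFF)
    return ip_pkt[:ihl] + bytes(udp), qname


def build_dns_response(qname, answer_ip, src="198.51.100.53", dst="10.0.0.2"):
    """Constructed sample: IPv4 + UDP (53 -> 40000) + DNS response with one A record."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1)
    dns += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # answer: pointer to qname
    dns += ipaddress.IPv4Address(answer_ip).packed
    udp = bytearray(struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns)
    udp[6:8] = struct.pack("!H", udp_checksum(addrs, udp) or 0xFFFF)
    ip = bytearray(struct.pack("!BBHHHBBH8s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, addrs))
    ip[10:12] = struct.pack("!H", inet_checksum(ip))
    return bytes(ip + udp)
```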
The interception processing performed by the interception processing module 550 on an IP packet whose domain name information matches the information in the malicious website set may also be as follows: for an IP data packet from an application in the intelligent electronic device whose payload is a TCP data packet, the connection between the application and the destination device (such as a remote server) the application is trying to access is disconnected, so that no IP data packets are exchanged between the application and a destination device hosting a malicious website. This part of the operations performed by the interception processing module 550 may be provided in the blocking module in fig. 12.
As an example, after receiving an IP packet that was transmitted by the virtual network card and contains modified DNS query result information, an application in the intelligent electronic device extracts the modified DNS query result from the payload of the UDP packet in the IP packet and performs a network access request using the predetermined IP address in that result; that is, it forms an IP packet whose payload is a TCP packet, where the destination IP address is the predetermined IP address, the destination port is a port (e.g., port 80 or port 8080) for a network access request (e.g., an HTTP/HTTPS request), the source IP address is the IP address of the virtual network card, and the source port is the port corresponding to the application. After the reading module 500 reads this IP data packet from the virtual network card, the parsing module 510 parses it, and the first transmission sub-module 523 modifies the destination IP address and destination port of the IP data packet into the IP address and port of the proxy server, cooperates with the proxy server to establish a first socket connection for the modified IP data packet, and then transmits the payload of the TCP data packet to the proxy server through the first socket connection. If the original destination IP address corresponding to that payload is determined to be the predetermined IP address, the third determining module 570 notifies the blocking module (e.g., the interception processing module 550) to prohibit further transmission of the payload of the TCP data packet, i.e., to perform the interception processing for the IP data packet; for example, the blocking module (e.g., the interception processing module 550) discards the payload of the TCP data packet. If the second socket connection has not been established for the payload of the TCP data packet, the blocking module (for example, the interception processing module 550) may disconnect only the first socket connection corresponding to that payload; if the proxy server has already established the second socket connection for the TCP packet payload, the blocking module (for example, the interception processing module 550) should disconnect both the first socket connection and the second socket connection corresponding to the TCP packet payload. In addition, the blocking module (e.g., the interception processing module 550) may also return HTML data containing an alert page to the application (e.g., via the first socket connection).
The second transmission processing module 560 is mainly used for performing transmission processing on the IP data packet when the comparison result of the domain name information comparison module 540 is that the domain name information is not matched with the information in the malicious website set. The second transmission processing module 560 in this embodiment may be disposed in the TCP processing module and the UDP processing module in fig. 12.
The second transmission submodule 561 (shown in fig. 11) in the second transmission processing module 560 is mainly used for transmitting the payload of the TCP data packet by using a socket connection based on a proxy server and a destination device, which is established for the sender and the receiver of the IP data packet. This part of the operations performed by the second transmission processing module 560 may be provided in the TCP processing module in fig. 12.
Specifically, for the payload of the TCP packet in an IP packet from the application, the second transmission sub-module 561 transmits the payload through the second socket connection established for the sender and the receiver of the IP packet. It should be noted that if the second socket connection has not yet been established for the sender and the receiver of the IP data packet, the second transmission submodule 561 should establish it first and then transmit the payload of the TCP data packet (for example, after a socket connection request is sent and the other party makes the agreed response to the request, the second socket connection is successfully established); in this embodiment, once the second socket connection has been established for the sender and the receiver of the IP data packet, the second transmission submodule 561 may directly transmit the payload of the TCP data packet using it. The payload transmitted through the second socket connection undergoes processing such as IP packet encapsulation at the protocol stack corresponding to the physical network card (during encapsulation, the stored record, i.e. the record in table 1, is used), and the encapsulated IP packet is transmitted to the external destination device. In this embodiment, the destination IP address and destination port of the encapsulated IP packet sent to the external destination device are the IP address and port of the destination device, and the source IP address and source port are the IP address and port of the proxy server.
The third determining module 570 is mainly configured to intercept an IP data packet when it is determined that a destination IP address corresponding to a payload of the TCP data packet transmitted to the proxy server based on the socket connection between the virtual network card and the proxy server is a predetermined IP address. The operations executed by the third determining module 570 refer to the relevant parts in the description of the interception processing module 550 in this embodiment.
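The proxy-side decision for the TCP path (looking up the original destination by the application's source port, treating only network access request ports as carrying domain name information, tearing down the first and, if established, the second socket connection when the original destination is the predetermined IP address or the domain name matches the malicious website set), as an added Python example and not the patent's own code. The flow table, the use of the HTTP Host header as the extracted domain name, the sinkhole value and the alert page are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass

SINKHOLE_IP = "10.255.255.254"     # the predetermined IP address (example value)
WEB_PORTS = {80, 8080}             # ports the page names for network access requests
ALERT_HTML = b"<html><body>Access to a malicious website was blocked.</body></html>"
# Constructed malicious website set, stored as MD5 values like the page's library.
MALICIOUS_MD5 = {hashlib.md5(b"bad.example").hexdigest()}


@dataclass
class Flow:
    """Record kept when the first transmission step redirected a TCP flow to the
    proxy (the role of the page's table 1): the original destination, keyed by the
    application's source port, plus whether the proxy-to-destination ("second")
    socket connection has been established yet."""
    orig_dst_ip: str
    orig_dst_port: int
    second_socket_up: bool = False


def http_host(payload):
    """Domain name information of an HTTP request: the Host header value (this
    example's assumption; the page only says the domain name is extracted)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


def _intercept(flow):
    # Disconnect the first socket; the second one only if it was ever opened.
    closed = ["first", "second"] if flow.second_socket_up else ["first"]
    return {"action": "intercept", "close": closed, "reply": ALERT_HTML}


def handle_proxy_payload(table, src_port, payload):
    """Decide what the proxy does with a TCP payload received over the first socket
    (virtual network card -> proxy). Returns a dict describing the action."""
    flow = table.get(src_port)
    if flow is None:
        return {"action": "drop", "reason": "no record for source port"}
    if flow.orig_dst_ip == SINKHOLE_IP:
        # The app followed a rewritten DNS answer: the third determining module
        # hands the packet to the blocking module.
        return _intercept(flow)
    if flow.orig_dst_port not in WEB_PORTS:
        # Not a network access request: treated as carrying no domain name
        # information and relayed without inspection.
        return {"action": "forward", "reason": "no domain name information"}
    host = http_host(payload)
    if host is not None and hashlib.md5(host.encode()).hexdigest() in MALICIOUS_MD5:
        return _intercept(flow)
    # Clean request: establish the second socket on first use, then relay.
    flow.second_socket_up = True
    return {"action": "forward", "dst": (flow.orig_dst_ip, flow.orig_dst_port)}
```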
It is noted that parts of the present invention may be applied as a computer program product, such as computer program instructions, which, when executed by an intelligent electronic device (e.g. a smart mobile phone or a tablet computer, etc.), may invoke or provide the method and/or solution according to the present invention through the operation of the intelligent electronic device. The program instructions that invoke the methods of the present invention may be stored on a fixed or removable recording medium and/or transmitted via a data stream over a broadcast or other signal-bearing medium and/or stored in a working memory of an intelligent electronic device operating in accordance with the program instructions. An embodiment according to the invention herein comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or solution according to embodiments of the invention as described above.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Claims (20)
1. A method for intercepting malicious website access comprises the following steps:
parsing IP data packets, the IP data packets including IP data packets at a virtual network card, wherein
reading an IP data packet from a virtual network card based on a Virtual Private Network (VPN) in the intelligent electronic equipment;
comparing the domain name information with information in a malicious website set under the condition that the IP data packet is determined to contain the domain name information, wherein the domain name information is compared with the information in the malicious website set
judging whether the IP data packet contains domain name information according to IP data packet analysis result information, wherein the IP data packet analysis result information comprises IP data packet receiver information, IP data packet sender information and payload type information of the IP data packet, and the method comprises the following steps:
determining that the IP data packet comes from application in the intelligent electronic equipment and the payload of the IP data packet is a User Datagram Protocol (UDP) data packet according to IP data packet payload type information in IP data packet analysis result information and IP data packet sender information, and determining that the IP data packet does not contain domain name information;
carrying out transmission processing on the IP data packet under the condition that the IP data packet does not contain domain name information;
and intercepting the IP data packet under the condition that the comparison result is that the domain name information is matched with the information in the malicious website set.
2. The method according to claim 1, wherein the performing transmission processing on the IP packet, in a case where it is determined that the IP packet does not include domain name information, includes:
and transmitting the payload of the UDP data packet by utilizing a socket connection which is established aiming at the sender and the receiver of the IP data packet and is based on a virtual network card and a destination device.
3. The method according to claim 1, wherein the determining whether the IP packet includes domain name information according to the IP packet parsing result information includes:
and determining that the IP data packet contains domain name information when the IP data packet is determined to be the IP data packet sent to the application in the intelligent electronic equipment according to the IP data packet payload type information in the IP data packet analysis result information and the IP data packet sender information and the payload of the IP data packet is a UDP data packet based on domain name system DNS response.
4. The method according to claim 3, wherein, in the case that the comparison result is that the domain name information matches with information in the malicious website set, the intercepting the IP packet comprises:
modifying the DNS query result in the UDP data packet into a preset IP address representing a malicious website;
and writing the IP data packet with the modified DNS query result into the virtual network card, so that the IP data packet with the modified DNS query result is transmitted to the corresponding application through the virtual network card.
5. The method of claim 4, wherein the method further comprises:
and when determining that the target IP address corresponding to the payload of the TCP data packet transmitted to the proxy server based on the socket connection of the virtual network card and the proxy server is the preset IP address, intercepting the IP data packet.
6. The method according to claim 1, wherein the determining whether the IP packet includes domain name information according to the IP packet parsing result information includes:
when the IP data packet comes from the application of the intelligent electronic equipment and the payload of the IP data packet is determined to be a Transmission Control Protocol (TCP) data packet according to the IP data packet payload type information and the IP data packet sender information in the IP data packet analysis result information, the payload of the TCP data packet is transmitted by using a socket connection which is established for the IP data packet sender and receiver and is based on a virtual network card and a proxy server;
and judging whether the IP data packet contains domain name information or not according to the payload transmitted to the proxy server.
7. The method of claim 6, wherein the determining whether domain name information is included in the IP data packet for the payload transmitted to the proxy server comprises:
acquiring an original destination port corresponding to a payload of the TCP data packet according to the source port of the IP data packet;
when the original destination port is judged not to be the port for the network access request, determining that the IP data packet does not contain domain name information;
and when the original destination port is judged to be the port for the network access request, determining that the IP data packet contains domain name information.
8. The method of claim 6, wherein the method further comprises:
and under the condition that the comparison result is that the domain name information is not matched with the information in the malicious website set, carrying out transmission processing on the IP data packet.
9. The method according to claim 8, wherein, in the case that the comparison result is that the domain name information is not matched with information in the malicious website set, performing transmission processing on the IP data packet includes:
and transmitting the payload of the TCP data packet by utilizing a socket connection which is established for the sender and the receiver of the IP data packet and is based on a proxy server and a destination device.
10. The method according to any one of claims 2 or 5 to 9, wherein the intercepting process for the IP data packet comprises:
and disconnecting the socket connection based on the virtual network card and the destination equipment, the socket connection based on the virtual network card and the proxy server and/or the socket connection based on the proxy server and the destination equipment.
11. An implementation apparatus for intercepting malicious website access, wherein the apparatus comprises:
the analysis module is used for analyzing the IP data packet, the IP data packet comprises an IP data packet at the virtual network card, and the analysis module comprises:
the reading module is used for reading an IP data packet from a virtual network card based on a virtual private network VPN in the intelligent electronic equipment;
a domain name information comparison module, configured to compare, when it is determined that the IP data packet includes domain name information, the domain name information with information in a malicious website set, where the comparison module includes:
the first judging module is used for judging whether the IP data packet contains domain name information according to IP data packet analysis result information, wherein the IP data packet analysis result information comprises IP data packet receiver information, IP data packet sender information and payload type information of the IP data packet, and the first judging module comprises the following steps:
the first judgment submodule is used for determining that the IP data packet comes from application in the intelligent electronic equipment and the payload of the IP data packet is a User Datagram Protocol (UDP) data packet according to the IP data packet payload type information and the IP data packet sender information in the IP data packet analysis result information, and determining that the IP data packet does not contain domain name information;
the first transmission processing module is used for performing transmission processing on the IP data packet under the condition that the IP data packet does not contain domain name information;
and the interception processing module is used for intercepting the IP data packet under the condition that the comparison result is that the domain name information is matched with the information in the malicious website set.
12. The apparatus of claim 11, wherein the first transmission processing module comprises:
and the transmission sub-module is used for transmitting the payload of the UDP data packet by utilizing the socket connection which is established aiming at the sender and the receiver of the IP data packet and is based on the virtual network card and the destination equipment.
13. The apparatus of claim 11, wherein the first determining means comprises:
and the second judgment sub-module is used for determining that the IP data packet comprises domain name information when the IP data packet is determined to be the IP data packet sent to the application in the intelligent electronic equipment according to the IP data packet payload type information in the IP data packet analysis result information and the IP data packet sender information and the payload of the IP data packet is a UDP data packet based on domain name system DNS response.
14. The apparatus of claim 13, wherein the intercept processing module comprises:
a query result modification submodule, configured to modify a DNS query result in the UDP packet to a predetermined IP address representing a malicious website;
and the virtual network card writing sub-module is used for writing the IP data packet with the modified DNS query result into the virtual network card so that the IP data packet with the modified DNS query result is transmitted to the corresponding application through the virtual network card.
15. The apparatus of claim 14, wherein the apparatus further comprises:
and the third judging module is used for informing the interception processing module to carry out interception processing on the IP data packet when the target IP address corresponding to the payload of the TCP data packet transmitted to the proxy server based on the socket connection of the virtual network card and the proxy server is determined to be the preset IP address.
16. The apparatus of claim 11, wherein the first determining means comprises:
the first transmission submodule is used for transmitting the payload of the TCP data packet by using socket connection which is established aiming at the sender and the receiver of the IP data packet and is based on a virtual network card and a proxy server when the IP data packet comes from the application of the intelligent electronic equipment and the payload of the IP data packet is determined according to the IP data packet payload type information and the IP data packet sender information in the IP data packet analysis result information;
and the third judging submodule is used for judging whether the IP data packet contains domain name information or not according to the payload transmitted to the proxy server.
17. The apparatus of claim 16, wherein the third determination submodule comprises:
the obtaining submodule is used for obtaining an original destination port corresponding to a payload of the TCP data packet according to the source port of the IP data packet;
and the fourth judging submodule is used for determining that the IP data packet does not contain domain name information when the original destination port is judged not to be the port for the network access request, and determining that the IP data packet contains the domain name information when the original destination port is judged to be the port for the network access request.
18. The apparatus of claim 16, wherein the apparatus further comprises:
and the second transmission processing module is used for carrying out transmission processing on the IP data packet under the condition that the comparison result is that the domain name information is not matched with the information in the malicious website set.
19. The apparatus of claim 18, wherein the second transmission processing module comprises:
and the second transmission sub-module is used for transmitting the payload of the TCP data packet by using the socket connection which is established for the sender and the receiver of the IP data packet and is based on the proxy server and the destination device.
20. The apparatus according to any one of claims 12 or 15 to 19, wherein the interception processing module is specifically configured to:
and disconnecting the socket connection based on the virtual network card and the destination equipment, the socket connection based on the virtual network card and the proxy server and/or the socket connection based on the proxy server and the destination equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511025734.6A CN106936791B (en) | 2015-12-31 | 2015-12-31 | Method and device for intercepting malicious website access |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106936791A CN106936791A (en) | 2017-07-07 |
CN106936791B true CN106936791B (en) | 2021-02-19 |
Family
ID=59441779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511025734.6A Active CN106936791B (en) | 2015-12-31 | 2015-12-31 | Method and device for intercepting malicious website access |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106936791B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107968783B (en) * | 2017-11-30 | 2021-10-08 | 腾讯科技(深圳)有限公司 | Traffic management method, device, terminal and computer readable storage medium |
CN109951575B (en) * | 2017-12-20 | 2022-06-10 | 新智数字科技有限公司 | Method and system for intercepting specified domain name |
CN110300045A (en) * | 2018-03-23 | 2019-10-01 | 腾讯科技(深圳)有限公司 | Network accelerating method, device, equipment and the readable medium of application program |
US10862854B2 (en) * | 2019-05-07 | 2020-12-08 | Bitdefender IPR Management Ltd. | Systems and methods for using DNS messages to selectively collect computer forensic data |
CN110430189A (en) * | 2019-08-02 | 2019-11-08 | 北京天融信网络安全技术有限公司 | A kind of domain name system access control method and device |
CN110430188B (en) * | 2019-08-02 | 2022-04-19 | 武汉思普崚技术有限公司 | Rapid URL filtering method and device |
CN111131163A (en) * | 2019-11-26 | 2020-05-08 | 视联动力信息技术股份有限公司 | Data processing method and device based on video network |
CN112261660B (en) * | 2020-10-16 | 2024-06-04 | 深圳安软信创技术有限公司 | Android mobile phone end application proxy access security control method |
CN113343219B (en) * | 2021-05-31 | 2023-03-07 | 烟台中科网络技术研究所 | Automatic and efficient high-risk mobile application program detection method |
US11503056B1 (en) * | 2021-08-09 | 2022-11-15 | Oversec, Uab | Providing a notification system in a virtual private network |
CN113873057B (en) * | 2021-09-28 | 2024-03-15 | 奇安信科技集团股份有限公司 | Data processing method and device |
CN113923008B (en) * | 2021-09-30 | 2024-04-26 | 北京指掌易科技有限公司 | Malicious website interception method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102833258A (en) * | 2012-08-31 | 2012-12-19 | 北京奇虎科技有限公司 | Website access method and system |
CN103581363A (en) * | 2013-11-29 | 2014-02-12 | 杜跃进 | Method and device for controlling baleful domain name and illegal access |
CN103634315A (en) * | 2013-11-29 | 2014-03-12 | 杜跃进 | Front end control method and system of domain name server (DNS) |
CN104125209A (en) * | 2014-01-03 | 2014-10-29 | 腾讯科技(深圳)有限公司 | Malicious website prompt method and router |
WO2015195093A1 (en) * | 2014-06-17 | 2015-12-23 | Hewlett-Packard Development Company, L. P. | Dns based infection scores |
Timeline: 2015-12-31, CN application CN201511025734.6A filed (granted as CN106936791B, status: Active)
Non-Patent Citations (1)
Title |
---|
Design and implementation of an Android-based general-purpose VPN data processing platform; 贝小玲; China Master's Theses Full-text Database, Information Science and Technology Series; 2015-12-15 (No. 12); pp. 2-40 * |
Also Published As
Publication number | Publication date |
---|---|
CN106936791A (en) | 2017-07-07 |
Similar Documents
Publication | Title |
---|---|
CN106936791B (en) | Method and device for intercepting malicious website access |
CN110445770B (en) | Network attack source positioning and protecting method, electronic equipment and computer storage medium |
KR102580898B1 (en) | System and method for selectively collecting computer forensics data using DNS messages |
CN107294982B (en) | Webpage backdoor detection method and device and computer readable storage medium |
WO2017004947A1 (en) | Method and apparatus for preventing domain name hijacking |
CN109194680B (en) | Network attack identification method, device and equipment |
CN108809890B (en) | Vulnerability detection method, test server and client |
CN110519265B (en) | Method and device for defending attack |
WO2014172956A1 (en) | Login method, apparatus, and system |
EP3376740B1 (en) | Method and apparatus for acquiring IP address |
CN105635073B (en) | Access control method and device and network access equipment |
US10489720B2 (en) | System and method for vendor agnostic automatic supplementary intelligence propagation |
CN108063833B (en) | HTTP DNS analysis message processing method and device |
CN113810381B (en) | Crawler detection method, web application cloud firewall device and storage medium |
WO2018201745A1 (en) | Risk warning method and device for wireless access point |
US10855704B1 (en) | Neutralizing malicious locators |
CN111147519A (en) | Data detection method, device, electronic equipment and medium |
CN107592299B (en) | Proxy internet access identification method, computer device and computer readable storage medium |
CN113923008B (en) | Malicious website interception method, device, equipment and storage medium |
CN113873057A (en) | Data processing method and device |
WO2019047693A1 (en) | Method and device for carrying out WiFi network security monitoring |
CN116723020A (en) | Network service simulation method and device, electronic equipment and storage medium |
CN113098727A (en) | Data packet detection processing method and device |
CN113709136B (en) | Access request verification method and device |
CN112653609B (en) | VPN identification application method, device, terminal and storage medium |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |