CN109413045A - A kind of access control system and method - Google Patents
- Publication number: CN109413045A (application CN201811124052.4A)
- Authority: CN (China)
- Prior art keywords: domain name, blacklist, network address, checked, frequency distribution
- Legal status: Pending
Classifications
- H: ELECTRICITY
- H04: ELECTRIC COMMUNICATION TECHNIQUE
- H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00: Network architectures or network communication protocols for network security
  - H04L63/14: for detecting or protecting against malicious traffic
    - H04L63/1441: Countermeasures against malicious traffic
      - H04L63/1483: service impersonation, e.g. phishing, pharming or web spoofing
    - H04L63/1408: by monitoring network traffic
      - H04L63/1425: Traffic logging, e.g. anomaly detection
  - H04L63/02: for separating internal from external traffic, e.g. firewalls
    - H04L63/0227: Filtering policies
      - H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
Abstract
The invention discloses an access control system and method, relating to the field of communications. The terminal judges, according to a blacklist issued by a domain name analysis platform, whether the domain name of the URL that the user has entered and is about to access is a malicious domain name. If it is determined to be a malicious domain name, the terminal raises a pop-up alert. If this cannot be determined, the URL is reported to the domain name analysis platform, which performs further word-frequency feature analysis on it and then updates and issues the blacklist based on the analysis results. Through this mutual feedback between the terminal and the domain name analysis platform, the blacklist is continuously updated and improved, so that malicious websites can be alerted on and defended against promptly and accurately.
Description
Technical field
The present invention relates to the field of communications, and in particular to a terminal access control system and method based on statistical analysis of the word-frequency distribution of website domain names.
Background
At present, with the diversification of terminal functions and their ever-increasing convenience, users can visit websites anytime and anywhere using a variety of terminals such as mobile phones, tablet computers and laptops. Malicious websites have always been one of the main channels for spreading Trojans and viruses and for disseminating pornography, gambling and drug-related content. Malicious websites exploit security vulnerabilities in the operating system or in software to embed malicious viruses, worms, Trojans and the like in web pages. When a user visits such a page, the embedded malicious program can forcibly modify the configuration of the user's operating system and application software without the user's knowledge, turning the machine into a zombie system.
At present, terminal security protection relies mainly on setting up a firewall, for example by installing antivirus software or a secure browser on the terminal. After data is received from a website, it is parsed and evaluated to determine whether it poses a security risk; if so, defensive techniques are started to detect and remove it so that the terminal is not affected. Alternatively, to improve identification efficiency and increase the detection rate of malicious websites, the IP address corresponding to the domain name of an identified malicious website is used to batch-check all websites hosted at that IP address for malicious websites.
However, when the prior art uses antivirus software or a secure browser for protection, the terminal must install software and can only be protected through that software, which is inconvenient for the user to install and use. Moreover, this method analyzes and alerts only after the virus has already been downloaded to the terminal, so it cannot defend in advance. Batch identification of malicious websites by the IP address corresponding to the domain name of an identified malicious website gives inaccurate interception results: websites that pose no threat at all may be intercepted, and no protection is possible for IP addresses corresponding to the domain names of malicious websites that have not yet been identified.
Summary of the invention
The present embodiments provide an access control system and method for alerting on and defending against malicious websites promptly and accurately.
To achieve the above objective, in a first aspect, an embodiment of the present invention provides a terminal. The terminal includes an acquisition module, an analysis module, a reporting module and an access module.
The acquisition module is configured to collect the URL information entered by the user; the URL information includes the URL domain name.
The analysis module is configured to judge whether the URL domain name is in the blacklist, where the blacklist includes malicious domain name information.
The reporting module is configured to, if the URL domain name is not in the blacklist, mark the URL as a URL to be checked and report it to the domain name analysis platform.
The access module is configured to access the URL domain name if the URL domain name is not in the blacklist.
In a second aspect, an embodiment of the present invention provides a domain name analysis platform. The domain name analysis platform includes a receiving module, a domain name crawling module, a word-frequency feature analysis module, an analysis module and a sending module.
The receiving module is configured to receive the URL to be checked reported by the terminal.
The domain name crawling module is configured to crawl the domain name of the URL to be checked, obtain the domain names at all levels of the URL to be checked, and mark them as domain names to be checked.
The word-frequency feature analysis module is configured to perform word-frequency feature analysis on the domain name to be checked and obtain its word-frequency distribution feature.
The analysis module is configured to judge whether the word-frequency distribution feature of the domain name to be checked is in the malicious-domain word-frequency distribution feature library and, if it is, to write the domain name to be checked into the blacklist.
The sending module is configured to send the blacklist to the terminal.
In a first possible implementation of the second aspect, with reference to the first aspect, the domain name analysis platform further includes a malicious website information management module, configured to obtain malicious website information.
The domain name crawling module is further configured to crawl the domain names of the malicious websites in the malicious website information, obtain the domain names at all levels of the malicious websites, and write them into the malicious website domain name library.
The word-frequency feature analysis module is further configured to analyze the domain names at all levels of the malicious websites, obtain their word-frequency distribution features, and write those features into the malicious-domain word-frequency distribution feature library.
The domain name analysis platform further includes a blacklist management module, configured to synchronize the malicious domain names in the malicious website domain name library.
Corresponding to the first aspect, an embodiment of the present invention further provides an access control method applied to a terminal. The method includes:
The terminal collects the URL information entered by the user; the URL information includes the URL domain name;
Judging whether the URL domain name is in the blacklist, where the blacklist includes malicious domain name information;
If the URL domain name is not in the blacklist, accessing the URL domain name, marking the URL as a URL to be checked and reporting it to the domain name analysis platform.
Corresponding to the second aspect, an embodiment of the present invention further provides an access control method applied to a domain name analysis platform. The method includes:
Receiving the URL to be checked reported by the terminal;
Crawling the domain name of the URL to be checked, obtaining the domain names at all levels of the URL to be checked, and marking them as domain names to be checked;
Performing word-frequency feature analysis on the domain name to be checked to obtain its word-frequency distribution feature;
Judging whether the word-frequency distribution feature of the domain name to be checked is in the malicious-domain word-frequency distribution feature library and, if it is, writing the domain name to be checked into the blacklist;
Sending the blacklist to the terminal.
Corresponding to the first possible implementation of the second aspect, the method further includes:
Obtaining malicious website information;
Crawling the domain names of the malicious websites in the malicious website information, obtaining the domain names at all levels of the malicious websites, and writing them into the malicious website domain name library;
Analyzing the domain names at all levels of the malicious websites, obtaining their word-frequency distribution features, and writing those features into the malicious-domain word-frequency distribution feature library;
Synchronizing the malicious domain names in the malicious website domain name library into the blacklist.
The present invention judges the URL domain name entered by the user against the blacklist. If the URL domain name is in the blacklist, a pop-up alert is raised so that the user can choose to abandon the access. If the URL domain name is not in the blacklist, normal access proceeds, and the URL is marked as a URL to be checked and reported to the domain name analysis platform. The domain name analysis platform performs domain name crawling and word-frequency feature analysis on malicious websites and URLs to be checked, generates a blacklist containing malicious domain names, and issues it to the terminal. Through this mutual feedback between the terminal and the domain name analysis platform, the blacklist is continuously updated and improved, so that malicious websites can be alerted on and defended against promptly and accurately.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are evidently only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of the access control system of an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the terminal of an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the domain name analysis platform of an embodiment of the present invention;
Fig. 4 is a terminal-side flow chart of the access control method of an embodiment of the present invention;
Fig. 5 is a network-side flow chart of the access control method of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 shows the structure of the access control system of the invention. The access control system consists of a terminal 10 and a domain name analysis platform 20.
An embodiment of the present invention provides a terminal; Fig. 2 shows a schematic structural diagram of the terminal. The terminal 10 adds an acquisition module 110, an analysis module 130 and a reporting module 140 to the original modules 300; the original modules 300 include an access module 310. Fig. 2 is only a schematic and does not limit the terminal's other modules or the structural relationship between the modules.
The acquisition module 110 is configured to collect the URL information entered by the user; the URL information includes the URL domain name.
The URL domain name may include top-level, second-level, third-level and fourth-level domain names, and may also include domain names at other levels, depending on the naming rules of the URL domain name the user enters. The acquisition module 110 can collect the domain names at all levels of the URL.
Specifically, the acquisition module may access the browser through an internal interface of the mobile phone and obtain the URL information that the user enters in the browser's search bar; the information may also be collected in other ways. The embodiments of the present invention do not limit the method of collecting URL information.
The analysis module 130 is configured to judge whether the URL domain name is in the blacklist, where the blacklist includes malicious domain name information.
The malicious domain name information may include malicious top-level, second-level, third-level and fourth-level domain names, and may also include domain names at other levels. The embodiments of the present invention do not limit this.
The malicious domain name information may be held in the blacklist as a table or in another form; the embodiments of the present invention do not limit this. Table 1 below shows only one possible form; the table may take other forms, and the embodiments of the present invention do not limit the form of the table.
Table 1
Malicious domain name | Level |
virus.cn | Second level |
a1aa.com.cn | Third level |
Specifically, the analysis module 130 may make the judgement according to an interception rule set by the user. For example, if the interception rule is set to match domain names at the second level or above, and the URL domain name virus.cn entered by the user is in the blacklist, the domain name is considered a malicious domain name. The blacklist is stored in a blacklist library, which the analysis module 130 can query and call at any time.
The malicious domain name information may be stored in the blacklist library as a table or in another form; the embodiments of the present invention do not limit this.
Further, the terminal 10 also includes a blacklist management module, configured to receive the blacklist sent by the domain name analysis platform, and to modify the blacklist.
Specifically, the blacklist management module 120 may update the local blacklist library with the blacklist received from the domain name analysis platform 20. The blacklist may be sent periodically or triggered by an event; for example, when the website corresponding to a malicious domain name returns to normal after a period of time, the domain name analysis platform 20 is triggered to update the blacklist and send it to the terminal 10. The embodiments of the present invention do not limit the mechanism for sending the blacklist. The blacklist management module 120 may also update the blacklist library through user-defined modifications; the embodiments of the present invention do not limit the way the blacklist is updated.
The reporting module 140 is configured to, if the URL domain name is not in the blacklist, mark the URL as a URL to be checked and report it to the domain name analysis platform.
The access module 310 is configured to access the URL domain name if the URL domain name is not in the blacklist.
Further, the terminal 10 also includes an alarm module 150, configured to raise a pop-up alert if the URL domain name is determined to be in the blacklist.
Specifically, the pop-up may offer options so that the user can choose whether to continue accessing the URL or abandon it.
Further, the terminal 10 also includes a log module 160, configured to generate logs. The logs include, but are not limited to: the judgement result for the URL domain name, the record of how the user handled the pop-up alert, the record of reporting the URL to be checked, and the record of blacklist updates.
The terminal of the present invention judges the URL domain name entered by the user against the blacklist. If the URL domain name is in the blacklist, a pop-up alert is raised so that the user can choose to abandon the access. If the URL domain name is not in the blacklist, normal access proceeds, and the URL is marked as a URL to be checked and reported to the domain name analysis platform, so that the platform can perform domain name crawling and word-frequency feature analysis on the URL to be checked, generate a blacklist containing malicious domain names and issue it to the terminal. Through this mutual feedback between the terminal and the domain name analysis platform, the blacklist is continuously updated and improved, so that malicious websites can be alerted on and defended against promptly and accurately.
An embodiment of the present invention further provides a domain name analysis platform; Fig. 3 shows the domain name analysis platform 20 of the invention. The domain name analysis platform 20 includes a receiving module 210, a domain name crawling module 230, a word-frequency feature analysis module 240, an analysis module 260 and a sending module 270. Fig. 3 is only a schematic and does not limit the platform's other modules or the structural relationship between the modules.
The receiving module 210 is configured to receive the URL to be checked reported by the terminal.
The domain name crawling module 230 is configured to crawl the domain name of the URL to be checked, obtain the domain names at all levels of the URL to be checked, and mark them as domain names to be checked.
Specifically, the domain name crawling module 230 may integrate web crawler software, use it to crawl the domain names at all levels of the URL to be checked, and submit the crawled domain names to the word-frequency feature analysis module 240 as domain names to be checked. The domain names at all levels may include top-level, second-level, third-level and fourth-level domain names, and may also include domain names at other levels, depending on how the domain name of the URL to be checked is set up. The domain name crawling module 230 may also crawl domain names by other methods; the embodiments of the present invention do not limit the crawling method.
The word-frequency feature analysis module 240 is configured to perform word-frequency feature analysis on the domain name to be checked and obtain its word-frequency distribution feature.
The analysis module 260 is configured to judge whether the word-frequency distribution feature of the domain name to be checked is in the malicious-domain word-frequency distribution feature library and, if it is, to write the domain name to be checked into the blacklist.
For example, if the domain name to be checked is virus.net, the word-frequency feature analysis module 240 performs word-frequency feature analysis on it and obtains the word-frequency distribution feature virus. The analysis module 260 searches the malicious-domain word-frequency distribution feature library to determine whether that feature is in the library; if it is found, the domain name to be checked can be determined to be a malicious domain name, and the analysis module 260 writes it into the blacklist.
The sending module 270 is configured to send the blacklist to the terminal.
The blacklist may be sent periodically or triggered by an event; for example, when the website corresponding to a malicious domain name returns to normal after a period of time, the domain name analysis platform 20 is triggered to update the blacklist and send it to the terminal 10 through the sending module 270. The embodiments of the present invention do not limit the mechanism for sending the blacklist.
Further, the domain name analysis platform 20 also includes a malicious website information management module 220, configured to obtain malicious website information.
Specifically, the malicious website information may be obtained by accessing a third-party security threat intelligence platform.
The domain name crawling module 230 is further configured to crawl the domain names of the malicious websites in the malicious website information, obtain the domain names at all levels of the malicious websites, and write them into the malicious website domain name library.
Specifically, the domain name crawling module 230 may integrate web crawler software, use it to crawl the domain names at all levels of the malicious URL, and submit the crawled domain names to the word-frequency feature analysis module 240 as domain names to be checked. The domain names at all levels may include top-level, second-level, third-level and fourth-level domain names, and may also include domain names at other levels, depending on how the domain name of the malicious URL is set up. The domain name crawling module 230 may also crawl domain names by other methods; the embodiments of the present invention do not limit the crawling method.
The domain name analysis platform 20 may also include a storage unit, and the malicious website domain name library may be stored in the storage unit of the domain name analysis platform 20.
The word-frequency feature analysis module 240 is further configured to analyze the domain names at all levels of the malicious websites, obtain their word-frequency distribution features, and write those features into the malicious-domain word-frequency distribution feature library.
Further, the domain name analysis platform 20 also includes a word-frequency distribution feature library management module 250, configured to make user-defined modifications to the word-frequency distribution feature library and to obtain word-frequency distribution features from third-party platforms. The malicious-domain word-frequency distribution feature library may be stored in the word-frequency distribution feature library management module 250 or in another separate storage module of the domain name analysis platform 20; the embodiments of the present invention do not limit where the library is stored.
The domain name analysis platform 20 also includes a blacklist management module 290, configured to synchronize the malicious domain names in the malicious website domain name library.
Specifically, the synchronization may be periodic or may follow another synchronization mechanism; the embodiments of the present invention do not limit the synchronization mechanism.
The blacklist management module 290 is further configured to modify the blacklist, and to obtain blacklist information from third-party platforms and update the blacklist with it. The blacklist information obtained from a third-party platform may include malicious top-level, second-level, third-level and fourth-level domain names, and may also include domain names at other levels, depending on the specific blacklist information of the third-party platform.
Further, the domain name analysis platform 20 also includes a log module 280, configured to generate logs. The logs include, but are not limited to: domain name crawling records, word-frequency feature distribution records, blacklist update records and blacklist sending records.
The domain name analysis platform of the present invention performs domain name crawling and word-frequency feature analysis on malicious websites and URLs to be checked, generates a blacklist containing malicious domain names, and issues it to the terminal, so that the terminal can use the continuously updated blacklist to detect whether a URL entered by the user is malicious. Through this mutual feedback between the terminal and the domain name analysis platform, the blacklist is continuously updated and improved, so that malicious websites can be alerted on and defended against promptly and accurately.
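The platform-side flow described above (crawl the levels of a reported host, derive its word features, look them up in the malicious-domain feature library, write hits to the blacklist) can be sketched as follows; this is an added example, not code from the patent. The text does not define how the word-frequency distribution feature is computed, so the tokenization, the `min_count` threshold, the `SUFFIXES` set and all function and class names are assumptions, and the `.test` and `example.org` hosts are constructed inputs.

```python
import re
from collections import Counter

# Constructed stand-in for the Public Suffix List (assumption): these names are
# never blacklisted on their own and their labels are not treated as words.
SUFFIXES = {"cn", "com", "net", "org", "test", "com.cn"}
STOP_WORDS = {"www"} | {s for s in SUFFIXES if "." not in s}


def domain_levels(host):
    """Domain names at all levels, numbered by label count as in Table 1:
    'www.virus.cn' -> [(2, 'virus.cn'), (3, 'www.virus.cn')]; bare suffixes are skipped."""
    labels = host.lower().rstrip(".").split(".")
    names = [".".join(labels[-n:]) for n in range(1, len(labels) + 1)]
    return [(n, name) for n, name in enumerate(names, 1) if name not in SUFFIXES]


def words(name):
    """Alphabetic words of three or more letters found in a domain name."""
    return {w for w in re.findall(r"[a-z]{3,}", name.lower()) if w not in STOP_WORDS}


class AnalysisPlatform:
    def __init__(self, min_count=2):
        self.min_count = min_count      # occurrences needed before a word is a feature
        self.malicious_domains = {}     # malicious website domain name library
        self.word_counts = Counter()    # word frequencies over that library
        self.blacklist = {}             # malicious domain -> level

    def ingest_malicious(self, hosts):
        """Known-malicious sites feed the domain library, the counts and the blacklist."""
        for host in hosts:
            for level, name in domain_levels(host):
                if name not in self.malicious_domains:
                    self.malicious_domains[name] = level
                    self.word_counts.update(words(name))
        self.blacklist.update(self.malicious_domains)   # blacklist synchronization

    def feature_library(self):
        """Words frequent enough in the malicious library to count as features."""
        return {w for w, c in self.word_counts.items() if c >= self.min_count}

    def analyze(self, host):
        """Check every level of a reported host; blacklist the levels that match."""
        features = self.feature_library()
        hits = []
        for level, name in domain_levels(host):
            matched = words(name) & features
            if matched:
                self.blacklist[name] = level
                hits.append((name, level, sorted(matched)))
        return hits

    def publish(self):
        """Blacklist snapshot as it would be sent to terminals."""
        return dict(self.blacklist)


if __name__ == "__main__":
    platform = AnalysisPlatform()
    # virus.cn and a1aa.com.cn come from Table 1; the .test host is constructed.
    platform.ingest_malicious(["virus.cn", "a1aa.com.cn", "virus-download.test"])
    for reported in ("virus.net", "www.example.org", "antivirus-vendor.test"):
        print(reported, platform.analyze(reported))
```

Under these assumptions any domain that contains a listed word as a whole token is blacklisted, including benign ones, so an operator would review matches or keep an allowlist before publishing the blacklist.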
An embodiment of the present invention provides an access control method, shown in Fig. 4. The method is applied to a terminal and specifically includes:
S101: The terminal collects the URL information entered by the user; the URL information includes the URL domain name.
Specifically, the terminal may access the browser through an internal interface of the mobile phone and obtain the URL information that the user enters in the browser's search bar; the information may also be collected in other ways. The embodiments of the present invention do not limit the method of collecting URL information.
S102: Judge whether the URL domain name is in the blacklist, where the blacklist includes malicious domain name information.
The blacklist is stored in a blacklist library, which can be queried and called at any time.
The malicious domain name information may include malicious top-level, second-level, third-level and fourth-level domain names, and may also include domain names at other levels. The embodiments of the present invention do not limit this.
The malicious domain name information may be held in the blacklist as a table or in another form; the embodiments of the present invention do not limit this.
Further, the method also includes:
Receiving the blacklist sent by the domain name analysis platform; and
Modifying the blacklist.
Specifically, the local blacklist library may be updated with the blacklist received from the domain name analysis platform. The blacklist may be sent periodically or triggered by an event; for example, when the website corresponding to a malicious domain name returns to normal after a period of time, the domain name analysis platform is triggered to update the blacklist and send it to the terminal. The embodiments of the present invention do not limit the mechanism for sending the blacklist. The terminal may also update the blacklist library through user-defined modifications; the embodiments of the present invention do not limit the way the blacklist is updated.
The malicious domain name information may be stored in the blacklist library as a table or in another form; the embodiments of the present invention do not limit this.
S103: If the URL domain name is not in the blacklist, access the URL domain name, mark the URL as a URL to be checked and report it to the domain name analysis platform.
Further, the method also includes:
S104: If the URL domain name is determined to be in the blacklist, raise a pop-up alert.
Specifically, the pop-up may offer options so that the user can choose whether to continue accessing the URL or abandon it.
Further, the method also includes:
Generating logs. The logs include, but are not limited to: the judgement result for the URL domain name, the record of how the user handled the pop-up alert, the record of reporting the URL to be checked, and the record of blacklist updates.
The terminal of the present invention judges the URL domain name entered by the user against the blacklist. If the URL domain name is in the blacklist, a pop-up alert is raised so that the user can choose to abandon the access. If the URL domain name is not in the blacklist, normal access proceeds, and the URL is marked as a URL to be checked and reported to the domain name analysis platform, so that the platform can perform domain name crawling and word-frequency feature analysis on the URL to be checked, generate a blacklist containing malicious domain names and issue it to the terminal to update the terminal's blacklist. Through this mutual feedback between the terminal and the domain name analysis platform, the blacklist is continuously updated and improved, so that malicious websites can be alerted on and defended against promptly and accurately.
The embodiment of the present invention provides an access control method. Fig. 5 shows the access control method of the invention; the method is applied to the domain name analysis platform and specifically includes:
S201. Receive the network address to be checked reported by the terminal, and obtain malicious website information.
S202. Crawl the domain names of the network address to be checked and of the malicious website's network address; obtain the domain names at each level of the network address to be checked and mark them as domain names to be checked; write the domain names at each level of the malicious website's network address into the malicious website domain name library as malicious domain names.
Specifically, the domain name crawling module 230 of the domain name analysis platform 20 can integrate web crawler software. The web crawler software crawls the domain names at each level of the network address to be checked, and the crawled domain names are submitted to the word frequency feature analysis module 240 as domain names to be checked. The domain names at each level may include the top-level, second-level, third-level and fourth-level domain names, and may also include domain names of other levels, depending on how the domain names of the network address to be checked and of the malicious network address are set. Domain name crawling can also be carried out by other methods; the embodiment of the present invention does not limit the crawling method.
The malicious website domain name library can be stored in a storage unit of the domain name analysis platform 20.
S203. Perform word frequency feature analysis on the domain name to be checked and on the malicious domain name; obtain the word frequency distribution feature of the domain name to be checked; write the word frequency distribution feature of the malicious domain name into the malicious domain name word frequency distribution feature library.
Further, the method also includes making user-defined modifications to the word frequency distribution feature library and obtaining word frequency distribution features from a third-party platform. The malicious domain name word frequency distribution feature library can be stored in the word frequency distribution feature library management module 250, or in another separate storage module of the domain name analysis platform 20; the embodiment of the present invention does not limit where the malicious domain name word frequency distribution feature library is stored.
Further, the method also includes synchronizing the malicious domain names in the malicious website domain name library into the blacklist.
Specifically, the synchronization can be periodic or can follow another synchronization mechanism; the embodiment of the present invention does not limit the synchronization mechanism.
S204. Judge whether the word frequency distribution feature of the domain name to be checked is in the malicious domain name word frequency distribution feature library; if it is determined to be in the library, write the domain name to be checked into the blacklist.
For example, suppose the domain name to be checked is virus.net. The word frequency feature analysis module 240 of the domain name analysis platform 20 performs word frequency feature analysis on it and obtains the word frequency distribution feature virus. The analysis module 260 then searches the malicious domain name word frequency distribution feature library for this feature; if the feature is found there, the domain name to be checked can be determined to be a malicious domain name, and the analysis module 260 writes it into the blacklist.
S205. Send the blacklist to the terminal.
The blacklist may be sent periodically or in response to an event; for example, when the website corresponding to a malicious domain name returns to normal after a period of time, the domain name analysis platform 20 can be triggered to update the blacklist and then send it to the terminal 10. The embodiment of the present invention does not limit the mechanism by which the blacklist is sent.
Further, the method also includes modifying the blacklist, and obtaining blacklist information from a third-party platform to update the blacklist. The blacklist information obtained from the third-party platform may include malicious top-level domain names, malicious top-level domains, malicious second-level domain names, malicious third-level domain names and malicious fourth-level domain names, and may also include domain names of other levels, depending on the specific blacklist information of the third-party platform.
Further, the method also includes generating a log. The log includes, but is not limited to: domain name crawling records, word frequency feature distribution records, blacklist update records and blacklist sending records.
The domain name analysis platform of the present invention performs domain name crawling and word frequency feature analysis on malicious websites and on network addresses to be checked, generates a blacklist containing malicious domain names, and sends it down to the terminal, so that the terminal can use the continuously updated blacklist to detect whether a network address input by the user is a malicious network address. Through the mutual feedback between the terminal and the domain name analysis platform, the blacklist can be continuously updated and improved, so that malicious websites can be alerted on and defended against promptly and accurately.
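The terminal-side steps (S103, S104) and the platform-side steps (S201 to S205) described above can be sketched together as follows. This is an added illustration, not code from the patent: the patent does not define how a word frequency distribution feature is computed, so the example assumes the alphabetic tokens of the labels left of the top-level label (which gives `virus` for `virus.net`, as in the patent's own example). The class and function names, the skipping of the bare top-level label, the parent-domain matching on the terminal and the `.example` URLs are likewise assumptions or constructed sample input.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

def domain_levels(url):
    """Domain names at each level of the URL's host, shortest first."""
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "//" + url                      # let urlsplit see a bare host
    host = (urlsplit(url).hostname or "").lower()
    labels = [part for part in host.split(".") if part]
    # Assumption: the bare top-level label is skipped, because listing it
    # would match every site under that top-level domain.
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]

def word_frequency(domain):
    """Assumed feature: counts of alphabetic tokens left of the top-level label."""
    labels = domain.lower().split(".")[:-1]
    return Counter(t for label in labels for t in re.findall(r"[a-z]+", label))

class AnalysisPlatform:
    def __init__(self):
        self.malicious_domains = set()   # malicious website domain name library
        self.feature_library = set()     # malicious word frequency feature library
        self.blacklist = set()
        self.log = []

    def ingest_malicious(self, url):
        """S201-S203 for a known-malicious site, then sync into the blacklist."""
        for domain in domain_levels(url):
            self.malicious_domains.add(domain)
            self.feature_library.update(word_frequency(domain))
        self.blacklist |= self.malicious_domains
        self.log.append(("library_update", url))

    def report(self, url):
        """S201-S204 for a reported URL; returns the domains newly blacklisted."""
        added = []
        for domain in domain_levels(url):
            hits = sorted(set(word_frequency(domain)) & self.feature_library)
            self.log.append(("feature_check", domain, hits))
            if hits and domain not in self.blacklist:
                self.blacklist.add(domain)
                added.append(domain)
        return added

class Terminal:
    def __init__(self, platform):
        self.platform, self.blacklist, self.log = platform, set(), []

    def receive_blacklist(self):
        """S205, modelled as a pull; the patent leaves the sending mechanism open."""
        self.blacklist = set(self.platform.blacklist)
        self.log.append(("blacklist_update", len(self.blacklist)))

    def visit(self, url):
        """S103/S104: 'alert' if any level is blacklisted, else access and report."""
        listed = [d for d in domain_levels(url) if d in self.blacklist]
        if listed:
            self.log.append(("alert", url, listed))
            return "alert"
        self.platform.report(url)
        self.log.append(("access_and_report", url))
        return "access"

def demo():
    platform = AnalysisPlatform()
    platform.ingest_malicious("http://virus.net/")        # the patent's example
    terminal = Terminal(platform)
    terminal.receive_blacklist()
    suspect = "https://login.virus-update.example/a"      # constructed sample
    results = [terminal.visit("http://virus.net/index"),  # already blacklisted
               terminal.visit(suspect)]                   # unknown: access, report
    terminal.receive_blacklist()                          # platform's update arrives
    results.append(terminal.visit(suspect))               # now raises the alert
    results.append(terminal.visit("https://docs.project.example/"))  # no match
    return results
```

Because the match is on a shared token, a reported name such as `virus-removal-guide.example` (constructed) is blacklisted as well, which is the kind of false positive that the user-defined modification of the feature library and blacklist described above would have to handle.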
Claims (15)
1. A terminal, characterized in that the terminal comprises:
an acquisition module, configured to acquire the website information input by a user, the website information including a network address domain name;
an analysis module, configured to judge whether the network address domain name is in a blacklist, wherein the blacklist includes malicious domain name information;
a reporting module, configured to, if the network address domain name is not in the blacklist, mark the network address as a network address to be checked and report it to a domain name analysis platform;
an access module, configured to access the network address domain name if the network address domain name is not in the blacklist.
2. The terminal according to claim 1, characterized in that the terminal further comprises:
an alarm module, configured to raise a pop-up alarm if it is determined that the network address domain name is in the blacklist.
3. The terminal according to claim 1, characterized in that the terminal further comprises:
a blacklist management module, configured to receive the blacklist sent by the domain name analysis platform, and to modify the blacklist.
4. A domain name analysis platform, characterized in that the domain name analysis platform comprises:
a receiving module, configured to receive the network address to be checked reported by a terminal;
a domain name crawling module, configured to crawl the domain name of the network address to be checked, obtain the domain names at each level of the network address to be checked, and mark the domain names at each level of the network address to be checked as domain names to be checked;
a word frequency feature analysis module, configured to perform word frequency feature analysis on the domain name to be checked and obtain the word frequency distribution feature of the domain name to be checked;
an analysis module, configured to judge whether the word frequency distribution feature of the domain name to be checked is in a malicious domain name word frequency distribution feature library, and, if it is determined that the word frequency distribution feature of the domain name to be checked is in the malicious domain name word frequency distribution feature library, to write the domain name to be checked into a blacklist;
a sending module, configured to send the blacklist to the terminal.
5. The domain name analysis platform according to claim 4, characterized in that the domain name analysis platform further comprises:
a malicious website information management module, configured to obtain malicious website information;
the domain name crawling module is further configured to crawl the domain names of the malicious websites in the malicious website information, obtain the domain names at each level of the malicious websites, and write the domain names at each level of the malicious websites into a malicious website domain name library;
the word frequency feature analysis module is further configured to analyze the domain names at each level of the malicious websites, obtain the word frequency distribution features of the domain names at each level of the malicious websites, and write the word frequency distribution features into the malicious domain name word frequency distribution feature library;
the domain name analysis platform further comprises a blacklist management module, configured to synchronize the malicious domain names in the malicious website domain name library.
6. The domain name analysis platform according to claim 5, characterized in that obtaining the malicious website information comprises:
obtaining the malicious website information by accessing a third-party security threat intelligence platform.
7. The domain name analysis platform according to claim 5, characterized in that the domain name analysis platform further comprises:
a word frequency distribution feature library management module, configured to make user-defined modifications to the word frequency distribution feature library and to obtain word frequency distribution features from a third-party platform.
8. An access control method, characterized in that the method comprises:
a terminal acquiring the website information input by a user, the website information including a network address domain name;
judging whether the network address domain name is in a blacklist, wherein the blacklist includes malicious domain name information;
if the network address domain name is not in the blacklist, accessing the network address domain name, marking the network address as a network address to be checked, and reporting it to a domain name analysis platform.
9. The access control method according to claim 8, characterized in that the method further comprises:
if it is determined that the network address domain name is in the blacklist, raising a pop-up alarm.
10. The access control method according to claim 8, characterized in that the method further comprises:
receiving the blacklist sent by the domain name analysis platform; and
modifying the blacklist.
11. An access control method applied to a domain name analysis platform, characterized in that the method comprises:
receiving the network address to be checked reported by a terminal;
crawling the domain name of the network address to be checked, obtaining the domain names at each level of the network address to be checked, and marking the domain names at each level of the network address to be checked as domain names to be checked;
performing word frequency feature analysis on the domain name to be checked to obtain the word frequency distribution feature of the domain name to be checked;
judging whether the word frequency distribution feature of the domain name to be checked is in a malicious domain name word frequency distribution feature library, and, if it is determined that the word frequency distribution feature of the domain name to be checked is in the malicious domain name word frequency distribution feature library, writing the domain name to be checked into a blacklist;
sending the blacklist to the terminal.
12. The access control method according to claim 11, characterized in that the method further comprises:
obtaining malicious website information;
crawling the domain names of the malicious websites in the malicious website information, obtaining the domain names at each level of the malicious websites, and writing the domain names at each level of the malicious websites into a malicious website domain name library;
analyzing the domain names at each level of the malicious websites, obtaining the word frequency distribution features of the domain names at each level of the malicious websites, and writing the word frequency distribution features into the malicious domain name word frequency distribution feature library;
synchronizing the malicious domain names in the malicious website domain name library into the blacklist.
13. The access control method according to claim 12, characterized in that obtaining the malicious website information comprises:
obtaining the malicious website information by accessing a third-party security threat intelligence platform.
14. The access control method according to any one of claims 11-13, characterized in that the method further comprises making user-defined modifications to the word frequency distribution feature library, and obtaining word frequency distribution features from a third-party platform.
15. An access control system, characterized in that the access control system comprises the terminal according to any one of claims 1-3 and the domain name analysis platform according to any one of claims 4-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811124052.4A CN109413045A (en) | 2018-09-26 | 2018-09-26 | A kind of access control system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109413045A true CN109413045A (en) | 2019-03-01 |
Family
ID=65465280
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811124052.4A Pending CN109413045A (en) | 2018-09-26 | 2018-09-26 | A kind of access control system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109413045A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190301 |