CN110213211B

CN110213211B - Method, device, terminal and storage medium for identifying secure download link

Info

Publication number: CN110213211B
Application number: CN201810496352.9A
Authority: CN
Inventors: 全永春; 弓弢; 刘涛; 程虎
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2018-05-22
Filing date: 2018-05-22
Publication date: 2021-08-20
Anticipated expiration: 2038-05-22
Also published as: CN110213211A

Abstract

The application discloses a method, a device, a terminal and a storage medium for identifying a secure download link, wherein in the method, when a terminal detects that a user triggers a browser to display a webpage, a link element in the webpage is positioned, and the link element is an element of a download address linked in the webpage; extracting a key attribute of the link element in the webpage, wherein the key attribute is used for identifying a download address of the link element link; detecting whether the key attribute of the link element belongs to a safety key attribute for identifying a safety download address or not so as to identify the safety link element of which the key attribute belongs to the safety key attribute; prompt information indicating the identified secure link element is presented in the web page. The scheme can reduce the risk that a user clicks a link element pointing to an unsafe download address in the software download webpage.

Description

Method, device, terminal and storage medium for identifying secure download link

Technical Field

The present application relates to the field of network technologies, and in particular, to a method, an apparatus, a terminal, and a storage medium for identifying a secure download link.

Background

In the process of downloading software through a browser, some unreliable software such as malicious software or bundled software is often induced to be downloaded. For example, a plurality of link elements are presented in a website page presented by a browser, each link element points to a download address (also referred to as a link address of downloaded software), and some unsafe download addresses may exist in the plurality of download addresses, and these unsafe download addresses generally point to unreliable software such as malicious software and promotion software, and if a user clicks the unsafe download addresses, the unreliable software is downloaded.

However, the user cannot recognize the unsafe download address in the website page, so that the user can easily click the unsafe download address, and thus the user can easily download unreliable software such as malicious software. In particular, in the case where an unsafe download address in a website page is maliciously labeled as "local download", etc., it is easier to induce users to download such unreliable software. Therefore, how to reduce the risk of downloading unreliable software in the process of downloading the software by a user through a browser is a technical problem which needs to be solved urgently by a person skilled in the art.

Disclosure of Invention

In view of this, the present application provides a method, an apparatus, a terminal and a storage medium for identifying a secure download link, so as to reduce a risk that a user clicks a link element pointing to an insecure download address in a software download webpage, and reduce a risk that the user downloads unreliable software.

To achieve the above object, in one aspect, the present application provides a method for identifying a secure download link, including:

when detecting that a user triggers the browser to display a webpage, positioning a link element in the webpage, wherein the link element is an element of a webpage linked with a download address;

extracting key attributes of the link elements in the webpage, wherein the key attributes are used for identifying download addresses of the links of the link elements;

detecting whether the key attribute of the link element belongs to a safety key attribute for identifying a safety download address;

obtaining at least one link element of the webpage, wherein the key attribute belongs to the safety key attribute;

prompt information is presented in the web page to prompt the at least one link element to be identified as a secure download link.

In one possible implementation, the displaying, in the web page, prompt information for prompting that the at least one link element is identified as a secure download link includes:

injecting a drawing script into the code of the webpage through a browser plug-in injected into the browser;

and drawing a prompt identifier for prompting that the at least one link element is identified as the safe download link in the webpage through the drawing script.

In another possible implementation manner, before the detecting, by the browser plug-in injected into the browser, that the browser presents the web page, the method further includes:

running a security monitoring application;

and injecting a browser plug-in into the browser through the security monitoring application.

In another aspect, the present application further provides an apparatus for identifying a secure download link, including:

the link positioning unit is used for positioning link elements in the webpage when detecting that a user triggers the browser to display the webpage, wherein the link elements are elements linked with a download address in the webpage;

the attribute extraction unit is used for extracting key attributes of the link elements in the webpage, and the key attributes are used for identifying download addresses of the links of the link elements;

the attribute detection unit is used for detecting whether the key attribute of the link element belongs to the safety key attribute for identifying the safety download address;

the safety identification unit is used for obtaining at least one link element of the webpage, wherein the key attribute of the link element belongs to the safety key attribute;

and the link marking unit is used for displaying prompt information for prompting that the at least one link element is identified as the safe download link in the webpage.

In another aspect, the present application further provides a terminal, including:

a processor and a memory;

wherein the processor is configured to execute a program stored in the memory;

the memory is to store a program to at least:

In another aspect, the present application further provides a storage medium, where computer-executable instructions are stored, and when the computer-executable instructions are loaded and executed by a processor, the method for identifying a secure download link according to any one of the embodiments of the present application is implemented.

It can be seen that, in the embodiment of the present application, when the terminal detects that the browser displays the web page, the key attribute of the link element in the web page is obtained, and whether the key attribute of the link element belongs to the security attribute that identifies the secure download address is detected, so as to analyze the link element linked to the secure download address in the web page, so as to timely mark the link element pointing to the secure download address in the web page, so that the user can timely know the link element pointing to the secure download address in the web page, thereby reducing the situation that the user clicks the link element with download risk in the web page due to misleading, further reducing the probability that the user downloads the unreliable software and other risk content through the web page, and improving the security of downloading the content through the web page.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on the provided drawings without creative efforts.

FIG. 1 is a schematic diagram illustrating a composition architecture of a scenario to which a method for identifying a secure download link is applied in an embodiment of the present application;

fig. 2 is a schematic diagram illustrating a component architecture of a terminal in an embodiment of the present application;

FIG. 3 is a flow chart illustrating a method of identifying a secure download link in an embodiment of the present application;

FIG. 4 is a schematic diagram illustrating elements in a download webpage for downloading software in a terminal according to an embodiment of the application;

FIG. 5 shows an example of a link element linked with a secure download address in a webpage according to an embodiment of the present application;

FIG. 6 is a schematic diagram illustrating a component architecture of another scenario in which a method for identifying a secure download link is applied in the embodiment of the present application;

FIG. 7 is a flow chart of an interaction diagram of a method for identifying a secure download link in an embodiment of the present application;

FIG. 8 shows a schematic of an interface of a downloader;

FIG. 9 shows an example of a terminal indicating a secure link element in a web page in an embodiment of the present application;

fig. 10 is a schematic diagram illustrating an interface of the terminal feeding back a link identification error to the application server in the embodiment of the present application;

FIG. 11 is a schematic diagram illustrating an exemplary configuration of an apparatus for identifying a secure download link in an embodiment of the present application;

fig. 12 is a schematic diagram illustrating another structure of an apparatus for identifying a secure download link in the embodiment of the present application.

Detailed Description

The scheme of the embodiment of the application can be used for a scene that a terminal downloads contents such as software and the like through the browser, so that after a page displayed by the browser, a safe downloading address contained in the webpage is identified and marked, and the risk that a user downloads unreliable software such as malicious software or binding software is reduced.

For ease of understanding, a description will be given of a scenario in which the scheme of the present application is applied. For example, referring to fig. 1, a schematic diagram of a composition structure of a scene to which the scheme of the present application is applicable is shown.

As can be seen from fig. 1, the scenario includes: a terminal 11 and at least one web server 12. The terminal 11 and the site server 12 communicate with each other via a network 13.

The terminal 11 is installed with a browser, and the terminal 11 can monitor the download address in the web page displayed by the browser of the terminal and identify the secure download address in the web page.

In one implementation, the terminal 11 has a browser installed therein and a security monitoring application for identifying a download address, for example, the security monitoring application may be an application such as a computer administrator. The terminal monitors the browser through the safety monitoring application and acquires the related information of the webpage displayed in the browser.

As can be seen from fig. 1, the terminal 11 may establish a communication connection with the website server 12 through a browser, and present a webpage returned from the website server 12 in the browser of the terminal 11.

The web server may be another server capable of returning a web page to the browser of the terminal, and fig. 1 illustrates only the web server as an example.

In the embodiment of the present application, the secure download address (also referred to as a secure download address or a secure download link) means that the file pointed by the download address matches the file described by the webpage containing the download address. For example, for a download address of the downloaded software, the software pointed by the secure download address does not include unreliable software such as pushed software, bundled software, and malicious software, where the software pointed by the secure download address may be software linked to the secure download address, or software that is downloaded by a downloader pointed by the secure download address. The downloader is an auxiliary downloading program, and a link address for linking the downloader is set in a plurality of webpages for providing software downloading so as to start the downloader to complete downloading of corresponding software.

Accordingly, an unsecure download address (also referred to as an unsecure download address) means that the file pointed by the download address is not the same as the file described by the web page. For example, still taking the unsafe download address of the downloaded software as an example, if the webpage is described as a download address for downloading the software a, but actually the download address points to another piece of software B; or the software pointed by the download address comprises some recommended software or other software bound with the software A besides the software A, and the download address is an unsafe download address; or, the downloader pointed by the download address is used for downloading another piece of software C or other bundled software besides the download software a, and the download address is an unsafe download address.

In this embodiment, a web page displayed by the browser may also be referred to as a web page, or the like.

It is understood that, in the embodiment of the present application, the terminal 11 may be a computer device such as a mobile phone, a tablet computer, and a desktop computer. For example, referring to fig. 2, a schematic diagram of a terminal according to an embodiment of the present application is shown; as shown in fig. 2, the terminal 200 may include: a processor 201 and a memory 202.

In the embodiment of the present application, the processor 201 may be a Central Processing Unit (CPU), an application-specific integrated circuit (ASIC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic devices.

The processor may call a program stored in the memory 202, and in particular, the processor may perform the following operations performed by the terminal side in the embodiments of fig. 3-10.

The memory 202 is used for storing one or more programs, which may include program codes including computer operation instructions, and in the embodiment of the present application, the memory stores at least the programs for implementing the following functions:

when detecting that a user triggers a browser to display a webpage, positioning a link element in the webpage, wherein the link element is an element of the webpage linked with a download address;

In one possible implementation, the memory 202 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as an image playing function, etc.), and the like; the storage data area may store data created according to the use of the computer, such as user data and audio data, etc.

Further, the memory 202 may include high speed random access memory and may also include non-volatile memory.

The terminal may further include: a communication interface 203, an input unit 204, and a display 205 and a communication bus 206. The processor 201, the memory 202, the communication interface 203, the input unit 204, and the display 205 all communicate with each other through the communication bus 206.

The display 204 includes a display panel, such as a touch display panel; the input unit may be a touch sensing unit, a keyboard, or the like.

Of course, the terminal structure shown in fig. 2 does not constitute a limitation of the terminal in the embodiment of the present application, and in practical applications, the terminal may include more or less components than those shown in fig. 2, or some components may be combined.

With the above generality, a method for identifying a secure download link according to the embodiment of the present application is introduced from the terminal side. For example, referring to fig. 3, a flow diagram of a method for identifying a secure download link according to the present application is shown, where the method may include:

s301, when detecting that a user triggers the browser to display a webpage through the browser plug-in injected into the browser, positioning a link element in the webpage through the browser plug-in.

For example, after a user requests to access the web server through the browser of the terminal, the web server may return the requested web page to the browser, and since the browser plug-in is injected into the browser, the terminal may detect that the web page is displayed in the browser in time through the browser plug-in, so as to analyze whether the download link in the web page currently displayed by the browser is safe in time.

The browser plug-in is a section of code injected into the browser by the terminal, and can be run when the browser runs. The running state of the browser, the related data of the webpage running by the browser and the like can be obtained through the browser plug-in.

Optionally, the security monitoring application may be run in the terminal, and a browser plug-in may be injected into the browser through the security monitoring application. Therefore, after the browser runs, the terminal can monitor the condition that the browser displays the webpage through the browser plug-in. The terminal only needs to inject the browser plug-in into the browser once through the safety monitoring application, and if the browser plug-in is injected into the browser, the browser plug-in does not need to be injected into the browser repeatedly in the follow-up process. For example, a security monitoring application is run on a terminal, a security link indicating function is configured in the security monitoring application, and if the security monitoring application detects that a user opens the security link indicating function, whether a browser plug-in is injected into the browser can be detected; and if the browser plug-in is not injected into the browser, injecting the browser plug-in into the browser through the safety monitoring application.

The web page of the present application refers to a web page for downloading software or other content, and the web page may include an element linked with a download address, where the download address may be a link address for downloading object content such as software and files.

In the embodiment of the present application, an element linked to a download address in a web page is referred to as a link element. The link element may be an icon or an image for linking the download address, or may be a link address for directly pointing to the download file.

In particular, considering that the terminal may include elements linking other types of network addresses in addition to the link elements pointing to the download address, in this case, the terminal may obtain, through the browser plug-in, the characteristics of each element linked to a network address in the web page to locate, from among the elements of the web page, each link element belonging to the link pointing to the download address.

Optionally, in consideration that a link element linked to a download address in a download page of object content such as downloaded software generally has a relatively fixed position in a web page, the terminal may first determine, through a browser plug-in, at least one element associated with a network address (also referred to as a link address) in the web page, and locate the link element from the at least one element according to the position of the at least one element in the web page.

For example, referring to FIG. 4, a diagram of link elements in a web page is shown. As can be seen from fig. 4, fig. 4 shows a download web page for downloading software a, which includes, in addition to a plurality of link elements 401 for downloading the software a, other elements 402 linking non-downloaded software, where the elements 402 are typically linked with network addresses for recommending information related to software. As can be seen in fig. 4, the link element is located at a position above the center of the downloaded web page. Meanwhile, the link elements linked with the download address all have obvious display characteristics, such as the characteristics marked as local download, high-speed download and the like, so that the link elements can be positioned from a plurality of elements linked with the network address in the download webpage according to the position or the display characteristics of the elements linked with the network address in the download webpage. S302, extracting key attributes of the link elements in the webpage through the browser plug-in.

Wherein the key attribute is used to identify the download address linked to the link element.

For example, the key attribute of the link element may be a class attribute (also referred to as a class tag) of the link element, or an ID attribute (also referred to as an ID tag) or the like, and both the class attribute and the ID attribute of the link element may identify the download address linked by the link element. If the link element does not have a class attribute or an ID attribute, etc., a style attribute, etc., that can identify the download address linked by the link element may also be used as a key attribute.

Optionally, the source code of the web page may be acquired through a browser plug-in, and the attribute set of the link element is extracted from the source code of the web page through the browser plug-in, and then one or more key attributes of the link element that are specified in advance are extracted from the attribute set.

It can be understood that detecting whether the web page is presented in the browser through the browser plug-in, locating the link element in the web page, and acquiring the key attribute of the link element is merely an implementation manner, and this embodiment is only for convenience of understanding, and the example of monitoring the web page and acquiring the data of the link element in the web page by the browser plug-in is taken as an example for description. However, in practical applications, there may be other ways to monitor whether the browser presents the web page and obtain the data related to the link elements in the web page, which is not limited in this application.

S303, detecting whether the key attribute of the link element belongs to the safety key attribute for identifying the safe download address.

For example, in one implementation, the key attribute for identifying the secure download address may be predetermined, and for convenience of distinction, the key attribute for identifying the secure download address is referred to as a security key attribute. Correspondingly, the key attribute of each link element in the webpage can be matched with each predetermined safety key attribute in sequence. If the key attribute of the matched link element belongs to the safety key attribute, the link element is the link element for linking the safe download address; otherwise, the link element link download address is not considered to belong to the safe download address.

The predetermined security key attribute for identifying the secure download address can be stored in the terminal or the cloud server. If the safety list records a plurality of safety key attributes, the safety list can be stored in the cloud server, the safety list is updated by the cloud server at regular time, and correspondingly, the terminal can inquire the safety list in the cloud server to judge whether the key attributes of the link elements belong to the safety key attributes in the safety list. Of course, the terminal may also download the security list at regular time, so that the terminal may directly query whether the key attribute of the link element belongs to the security key attribute in the security list stored by the terminal.

It can be understood that, in the embodiment of the present application, for example, the key attribute of the link element is extracted to analyze whether the download address linked by the link element belongs to the secure download address, and since the key attribute of the link element is easy to extract and has strong identification, the timeliness and convenience of information extraction can be improved by using the method of the present embodiment. However, in practical applications, other information of the download address linked by the link element may also be acquired, and the information of the download address linked by the link element may also be acquired and matched with the information of the pre-stored secure download address to analyze whether the download address linked by the link element belongs to the secure download address. For example, a download address of the link element link is obtained, and the download address of the link element link is matched with a predetermined secure download address to analyze whether the download address of the link element link belongs to the secure download address.

S304, at least one link element of the key attribute belonging to the safety key attribute in the webpage is obtained.

In step S303, at least one link element of the web page whose key attribute belongs to the security key attribute, that is, the link element of the web page whose link is linked to the security download address, may be determined, that is, the link element of the web page whose link is linked to the security download address is identified.

S305, displaying prompt information for prompting that the at least one link element is identified as the safe download link in the webpage.

In order to facilitate the user to identify the secure download address in the web page, it is necessary to mark a link element linking the secure download address in the web page, that is, prompt information for prompting that the at least one link element is identified as the secure download link is displayed in the web page, so that the user can identify the link element linking the secure download address in the web page before clicking the link element. The specific implementation manner of the link element for marking the link secure download address in the web page may be various, for example, a prompt box may be displayed on the upper layer of the web page through a browser plug-in.

Optionally, the terminal may inject a drawing script into the code of the webpage through the browser plug-in, for example, the drawing script may be at least one JS code. Correspondingly, the terminal of at least one link element with the security attribute in the webpage can draw a prompt identifier for prompting that the at least one link element is identified as a secure download link in the webpage through the drawing script. Specifically, after determining that the key attribute belongs to the link element of the safety key attribute, the terminal acquires the position area of the link element with the safety key attribute in the webpage through the browser plug-in; and then running the drawing script injected into the webpage through the browser plug-in so as to mark the link element in the specified position range of the position area corresponding to the link element in the webpage through the drawing script.

The method for indicating the link element in the web page may also be of various manners, for example, an indication frame or a prompt banner may be added above the link element, and a prompt statement of the secure download link is displayed in the indication frame or the prompt banner, for example, "the link element points to the secure download address", and the like; as another example, the color presented by the link element may also be adjusted, e.g., the color deepens, or a particular color is presented, etc. Of course, there may be other possibilities for marking the link element corresponding to the secure download address, as long as the user can recognize that the marked link element is the link element linking the secure download address.

For ease of understanding, the following is presented with an example of marking a link element linked with a secure download address in a web page, as seen in fig. 5. As can be seen from fig. 5, a prompt box 503 pointing to the link element 502 is displayed above the position area of the link element 502 in the web page 501, and the prompt box 503 is drawn by the terminal above the link element in the web page after determining that the link element 502 is linked with the secure download address. As can be seen from fig. 5, the prompt "identified as the secure download address" is displayed in the prompt box, so that the user can determine the link element linking the secure download address before clicking the link element in the web page, which is beneficial to reducing the link to the insecure download address, thereby reducing the risk of downloading the unreliable software.

Therefore, in the embodiment of the application, when the terminal detects that the browser displays the webpage, the key attribute of the link element in the webpage is obtained, whether the key attribute of the link element belongs to the security attribute for identifying the secure download address is detected, the link element linked with the secure download address in the webpage is analyzed, and therefore, the link element pointing to the secure download address can be timely marked in the webpage after the browser displays the webpage, so that a user can timely know the link element pointing to the secure download address in the webpage, the situation that the user clicks the link element with download risk in the webpage due to misleading is reduced, the probability that the user downloads the unreliable software and other risk information through the webpage is reduced, and the security of downloading contents through the webpage is improved.

It can be understood that, because the amount of information of the predetermined secure download address or the key attribute of the secure download address is large, if the key attribute of each link element in the web page or the information of other download addresses is matched with the predetermined key attribute of the secure download address, etc., a large amount of data processing may be required. Therefore, in order to reduce the data processing amount, a prejudgment can be performed according to the webpage address of the webpage to judge whether the webpage belongs to a risk webpage with a download risk, and only when the webpage belongs to the webpage with the download risk, the link element linked with the secure download address in the webpage is identified. Wherein, the risk web page with the download risk is the risk web page with the link having the unsafe download address.

In view of the fact that information of a webpage with a download risk can be stored in a terminal or a cloud server, in order to assist the terminal in identifying link elements of a link secure download address in the webpage, the secure identification system can include the cloud server in addition to the terminal. For example, referring to fig. 6, a schematic diagram of an application scenario to which the method for identifying a secure download link of the present application is applied is shown.

As can be seen from fig. 6, a secure identification system 60 is included in the application scenario, where the secure identification system 60 includes a terminal 61 and at least one cloud server 62. The application scene also comprises the following steps: a web server 63.

The terminal 61 and the cloud server 62 may be connected through a network, and the terminal 61 may establish a communication connection with the web server 63 through the network.

A browser is installed in the terminal 61 to display a web page fed back to the terminal by the web server 63 through the browser.

A security list is maintained in the cloud server 62, in which security critical attributes identifying secure download addresses are recorded. If so, the cloud server can receive the security key attribute which is uploaded by any terminal and identifies the security downloading address and store the security key attribute in a security list; or the cloud server determines the security key attribute for identifying the secure download address through big data statistics; or the cloud server stores the security key attributes configured by the user and the like.

Meanwhile, the cloud server can update the security key attributes in the security list according to the latest security key attributes and the like provided by network data or the terminal. Of course, using a safety list is only one form of storage for storing the safety-critical attributes, and using other forms of storage for storing the safety-critical attributes is equally applicable to the present application.

Optionally, the cloud server 62 stores a risk address set, where the risk address set includes web addresses of multiple risk webpages with download risks, for example, the web addresses of the risk webpages are stored in a risk website list.

Further, the cloud server 62 may further store a risk domain name set, where a plurality of top-level domain names with risks are stored in the risk domain name set.

The terminal 62 may obtain one or more of the security list, the risk address set, and the risk domain name set from the cloud server, and store the obtained security list, risk address set, and risk domain name set locally in the terminal, so that the terminal marks a secure link element in a web page based on the security lists or sets; or, in the process of identifying the safe link elements in the web page, the terminal queries a safety list, a risk address set or a risk domain name set in the cloud server to finally identify the safe link elements in the web page.

For convenience of understanding, referring to fig. 6, a security monitoring application is run on the terminal, and the terminal interacts with the cloud server through the security monitoring application, so as to identify a secure link element in the web page. For example, referring to fig. 7, which shows a schematic flowchart interaction of a method for identifying a secure download link according to an embodiment of the present application, the method of the present embodiment may include:

and S701, the terminal runs a safety monitoring application.

S702, when the safety monitoring application detects that the user starts the safety link indicating function, the safety monitoring application injects a browser plug-in into the browser so as to run the browser plug-in the browser.

The safety link indicating function is an option which is arranged in the safety monitoring application and used for triggering the safety monitoring application to identify a safe link element in a webpage displayed in the browser and mark the safe link element.

For example, the security monitoring application may be a computer steward, a function option may be set in the computer steward, and after the user clicks and opens the function option, the computer steward injects a browser plug-in into the browser to monitor the condition that the browser displays a page and acquire data in the page for analysis.

It will be appreciated that if the security monitoring application has injected a browser plug-in into the browser plug-in before the current time, then there is no need to repeat the injection.

In the embodiment of the present application, there may be a plurality of injection techniques for injecting the browser plug-in into the browser, which is not limited in this application.

It will be appreciated that in the case of a terminal having multiple browsers, the security monitoring application may also choose which browser or browsers to open the secure link indication function. However, the processing procedure of the security monitoring application for the web page displayed in each browser is the same, and the embodiment of the present application is described later by taking a case where a web page is displayed in one browser as an example.

It should be noted that the above steps S701 and S702 are only for facilitating understanding of the injection process of the browser plug-in injected into the browser, but the steps S701 and S702 are not operations that need to be executed each time the security monitoring application is executed and the browser is executed.

And S703, when the browser of the terminal receives the page data returned by the website server, the browser of the terminal displays the webpage according to the page data.

For example, after a user requests access to a web server through a browser of a terminal, the web server may return page data requested by the browser. For example, when a user wishes to download a piece of software, the user may input a corresponding network address in an address bar of the browser, or click a corresponding page link in a page displayed by the browser, so as to display a webpage containing the download address of the piece of software in the browser.

S704, when the security monitoring application detects that the browser shows a webpage, the webpage characteristics of the webpage are obtained through the browser plug-in.

S705, when detecting that the page characteristics of the webpage accord with the page characteristics with the link elements, the security monitoring application acquires the page address of the webpage through the browser plug-in.

Wherein the linking element links elements of the download address. The download address is a link address pointing to a file to be downloaded, and the file to be downloaded may be a software package, a document, or the like, which is not limited herein.

The page features of the web page may be the composition of elements in the page and the arrangement features of the elements, and may also include features such as attributes of the elements in the page. Whether the webpage is in a download page (i.e. a page with link elements) for downloading software, files and other objects can be reflected by the page characteristics of the webpage. If the page characteristics of the downloaded page according to the object such as the downloaded software and the like are met, the link elements in the webpage need to be positioned, and the safety of the download addresses linked by the link elements is identified; otherwise, the processing procedure can be directly ended without identifying the elements in the webpage.

For example, a web page containing a download address generally has special indication information such as "local download", "official download", etc., and if the special indication information is displayed in the web page, the web page can be indicated as a web page containing a link element. For another example, the source code of the web page may be analyzed to determine whether the page shows a link element based on the source code, e.g., if the source code includes a download address, then the target web page is declared to include a link element. Of course, there may be other ways to detect whether the web page is a web page with a link element, and the application is not limited thereto.

As can be seen from the above steps S703 to S705, the security monitoring application of the terminal actually needs to obtain the web page address of the web page and perform subsequent identification of the link element when detecting that the user presents the web page with the link element through the browser plug-in, so as to finally identify the link element of the link secure download address in the web page.

It is understood that the steps S704 and S705 of obtaining the page characteristics of the web page and detecting whether the page characteristics of the web page conform to the page characteristics having the link elements are merely a preferred embodiment, and the purpose thereof is only to determine whether the web page belongs to a downloaded web page for downloading software or other contents, and in the case of confirming the data of the downloaded web page requested by the browser and presenting the downloaded web page, the operation of determining whether the web page characteristics of the web page conform to the page characteristics having the link elements may not be performed.

The web page address of the web page may be a Uniform Resource Locator (URL) corresponding to the web page.

S706, the safety monitoring application detects whether the webpage address of the webpage belongs to a preset webpage address with a downloading risk in the terminal, and if so, the step S708 is executed; if not, step S707 is executed.

The webpage address with downloading risk preset by the terminal can be configured on the terminal side in advance; the webpage address configuration method may also be that the webpage address configuration method acquires information from the cloud server, for example, the terminal queries a risk address set stored in the cloud server according to a fixed period, so as to configure or update the webpage address of the risk webpage stored in the terminal, where the risk webpage has a download risk, by using the webpage address having the download risk in the risk address set. For the sake of easy distinction, the web page where the download risk exists is referred to as a risk web page.

It can be understood that the risk web page with a risk may cause the user to download an unreliable file, such as an unreliable software, e.g., a malicious software, a bundled software, etc., in this embodiment, the risk web page with a download risk in the cloud server or the terminal may be a web page that is analyzed in advance and meets a specific condition.

For example, in one possible scenario, the risk web pages with download risk can be divided into two categories, one category is that the link address pointed by the link element in the web page cannot be reliably linked to the file; the other type is that the downloader pointed by the link element in the webpage has malicious downloading behaviors.

Wherein, for the condition that the link address pointed by the link element in the web page can not be reliably linked to the file, the web page can satisfy the following one or more characteristics:

1. in the link addresses linked to the link elements of the web page, there are risk link addresses that do not belong to the file or downloader described in the web page, and the link elements associated with the risk link addresses are identified in the web page as inducing identifiers for inducing user clicks, such as "local download", "telecom download", "high speed download", and the like. For example, the link element M is described in the web page as a "local download" address for downloading the software S (or a downloader for downloading the software S), but the link element M is actually linked to a download address (or a downloader) for downloading other software.

2. There is link stealing behavior in web pages. That is, the link element in the web page originally links to the correct download address, but is randomly or regularly switched to the link address of another promotion file (e.g., promotion software) or switched to the link address of the download address for downloading the promotion file by the web server.

3. There are multiple binding behaviors in the web page. That is, the parent-child relationship between the downloader pointed to by the link element of the web page and the file (e.g., software installation package) described by the web page exceeds one level. For example, a link element of a web page points to downloader a, which activates downloader B, which activates downloader C, and downloader C can download the software described in the web page.

Wherein, for the condition that the downloader pointed by the link element in the webpage has malicious downloading behavior, the downloader linked to by the link element of the webpage satisfies one or more of the following conditions:

1. and malicious popularization behaviors exist in the downloader. For example, a virus, a trojan horse exists in the software popularized by the downloader or the popularized software cannot be uninstalled.

2. The downloader has silent install behavior. For example, when the downloader populates the software, the interface has no surface; alternatively, the software installation of the downloader cannot be suspended by "ending the process" or the like.

3. The downloader has rogue promotion behavior, that is, promotion software (or other files) promoted by the downloader cannot be selected to cancel the downloading of the software. For example, the interface of the downloader does not present a checkbox cancellation corresponding to the promotion software, or there are situations that the checkbox color is faded, or the checkbox is not displayed by default, and the like.

To facilitate understanding of the malicious downloading behavior of the downloader, refer to fig. 8, which shows a schematic diagram of an interface of the downloader.

As can be seen from fig. 8, in addition to the information of the software to be installed, the interface of the downloader also shows the information of the name of the software downloaded by the downloader, the size of the software, and the like, on the left side of the interface of the downloader. Meanwhile, a list of some promotion software is displayed on the right side of the interface of the downloader, and a checkable or checkable box 802 is displayed on each promotion software icon 801, so that a user can download some promotion software selectively while downloading the software through the downloader.

However, if the promotion software is not displayed in the interface of the downloader, the promotion software is directly downloaded after the downloader is started; or, although promotion software is displayed in the interface of the downloader, the candidate box corresponding to the promotion selection is not provided, so that the user cannot cancel the downloading of the promotion software, and the downloader belongs to a downloader with malicious downloading behaviors.

It should be understood that the above is described by taking the preset webpage address with the download risk as an example, but it should be understood that the preset webpage address with the download risk may be the entire domain name of the risk webpage, or may be other forms of information that characterize the webpage address of the risk webpage, and is not limited herein.

S707, when the security monitoring application detects that the web page address of the web page does not belong to the web page address with the download risk, detecting whether the top-level domain name in the web page address of the web page belongs to the top-level domain name with the risk, if so, executing the step S708; if not, the process is ended.

It can be understood that, because the number of the pre-analyzed web page addresses with the download risk is relatively limited, whether the target web page has the download risk or not is analyzed only according to the preset web page addresses with the download risk, which may cause some web pages with the download risk to be missed.

Considering the top-level domain name in the web page address of the web page, the country and region of the website to which the web page belongs can be reflected, and the top-level domain names applied by some websites providing malicious files (such as malicious software) are generally relatively special domain names, so some top-level domain names with risks can be pre-configured according to the commonality of the top-level domain names in the websites with risks of downloading. For example, the top-level domain name with risk may be configured at the terminal, or the terminal may previously acquire the top-level domain name with risk from the server and store the top-level domain name with risk in the terminal.

Correspondingly, in order to further reliably identify the webpage with the download risk, the top-level domain name in the webpage address of the webpage needs to be extracted, and whether the top-level domain name belongs to the preset top-level domain name with the risk needs to be detected. And if the top-level domain name in the webpage address of the target webpage belongs to the top-level domain name with the risk, determining the target webpage as the webpage with the risk of downloading.

It should be noted that, in steps S706 and S707, before identifying the secure link element in the web page, it is determined in advance whether the web page belongs to the web page with the download risk, so as to identify the link element linked with the secure download address in the web page subsequently for the web page with the download risk. However, it is understood that in practical applications, only one of the steps S706 and S707 may be executed, or neither step may be executed, and the subsequent step S708 may be directly executed.

S708, the safety monitoring application positions the link elements in the webpage through the browser plug-in and extracts key attributes of the link elements in the webpage.

And S709, the security monitoring application compares the key attribute of each link element with the security key attribute of the identification security download address recorded in the security list of the cloud server in sequence to determine at least one link element of which the key attribute is the security key attribute in the webpage.

In this embodiment, the security list is stored in the cloud server as an example, but the embodiment is also applicable to the case where the security list is stored in the terminal.

The above steps S708 and S709 can refer to the related description of the previous embodiments, and are not described herein again.

S710, the safety monitoring application determines at least one link element with the safety key attribute as a safety link element, and indicates the identified safety link element to the browser plug-in.

And S711, the security monitoring application determines the position area of each security link element in the webpage through the browser plug-in.

Wherein the secure link element is the identified link element linking the secure download address. After the safety monitoring application determines the safety link element, the browser plug-in is required to be informed of information such as the identification of the identified safety link element, so that the browser plug-in can locate the position of the safety link element in the webpage, and prompt marks can be drawn at corresponding positions subsequently.

S712, the safety monitoring application injects at least one section of drawing script into the code of the webpage.

And S712, aiming at each safe link element, the safety monitoring application positions the position area of the safe link element in the webpage through the drawing script, and draws a marking frame pointing to the safe link element above the position area of the safe link element in the webpage.

And prompt information for prompting that the safe link element is linked with the safe download address can be displayed in the mark frame.

In this embodiment, the description is given by taking an example of drawing a mark frame above a link element linking a secure download address in a web page, but in practical application, a mark frame may be drawn on the left side, the right side, or the lower side of the link element; the indication may also be performed by changing the display effect of the link element, which is not limited herein.

It can be understood that, in any embodiment of the present application, if the terminal detects that the key attribute of each link element of the web page does not belong to the security key attribute for identifying the secure download address, it is determined that no link element linking the secure download address exists in the web page. In this case, the terminal may further display a risk prompt in the web page, where the risk prompt is used to indicate that no link element linking the secure download address exists in the web page. For example, the terminal injects a drawing script into the code of the webpage, and draws a prompt bar of the risk prompt in the webpage through the drawing script. Of course, displaying the risk hint in the web page in other ways is equally applicable.

Optionally, before the terminal marks the secure link element in the web page, the terminal may further output an inquiry box in the web page through a browser plug-in or a drawing script, where the inquiry box is used to prompt whether an insecure download address exists in the web page and whether the secure link element needs to be marked. Correspondingly, after the terminal detects that the user clicks the link element which agrees to be marked in the query box through the browser plug-in, the safe link element is marked in the webpage through the drawing script.

To facilitate understanding of the solution of the present application, the following description is made in conjunction with a specific application scenario. For example, referring to FIG. 9, an example of a link element in a web page that a terminal identifies and marks is shown for linking to a secure download address. In this example, the security monitoring application is taken as the computer administrator, and the class attribute of the extracted link element is taken as the key attribute of the link element.

Fig. 9 shows a schematic view of a change of the browser interface of the terminal, and a first image from left to right in fig. 9 presents a download page 901 for downloading the software M in the browser of the terminal. As can be seen from the first image, the download page 901 displayed by the terminal includes a plurality of link elements 902, each link element is used for linking a download address of the downloaded software M, and the download address may be an address of a downloader for downloading the software M, or a download network address corresponding to the software M.

Correspondingly, when the computer manager of the terminal detects that the browser shows the download page, the computer manager obtains the webpage address of the download page through the browser plug-in and matches the webpage address with the webpage address stored in the terminal and having the download risk. If the webpage address of the download page is determined to belong to the webpage address with the download risk, the computer administrator extracts the class attribute of each of the plurality of link elements in the download page through injecting the extracted class attribute into the browser plug-in, and compares the class attribute of each link element with the class attribute of the identification safe download address stored in the cloud server. If the computer administrator detects that the class attribute of at least one link element in the webpage does not belong to the class attribute for identifying the safe download address, the class attribute for identifying the safe download address in the calls attributes of the link elements is determined, and meanwhile, a drawing script is injected into the code of the webpage to draw an inquiry box in the webpage, for example, see a second image from left to right in fig. 9. An inquiry box 903 is displayed on a download page 901, which is shown in the second image by the browser of the terminal. The query box displays "there are more misleading links to the current website! The concierge may mark you a safe link "prompt and have two choices in the query box, one for" temporarily not needed "and the other for" view immediately ".

If the computer administrator detects that the user clicks the 'view immediately' option through the browser plug-in, the class attribute which is determined by the computer administrator and used for identifying the safe download address is returned to the browser plug-in, so that the computer administrator can locate the safe link element corresponding to the class attribute for identifying the safe download address from the download page through the browser plug-in. Meanwhile, the computer manager can generate at least one drawing script according to the number and the positions of the located link elements, and inject the at least one drawing script into the codes of the webpage through the browser plug-in, wherein each drawing script is responsible for marking one safe link element. Correspondingly, the computer administrator draws a mark frame above each determined safety link element through the drawing script, for example, see the third image from left to right in fig. 9.

In fig. 9, the third image is a schematic diagram of a link element marked as secure in the download page 901, and as can be seen from the third image, the link element 902 "download by way 1" is determined as the secure link element in the download page 901. Correspondingly, the link element 902 of the "download by way 1" is marked by a thick line in the download page by the computer administrator, the characters are displayed in italics, meanwhile, a prompt box 904 is drawn above the link element 902 of the "download by way 1", and a "safe download address identified by the computer administrator" is displayed in the prompt box, so that the user can select the safe download address to download the software M from the download page according to the prompt of the computer administrator.

Optionally, in any embodiment of the present application, in order to facilitate a user to more intuitively see the link element marked as the corresponding secure download address, the security monitoring application may further control and adjust a display area of the download page through the browser plug-in, and display the marked link element in a central area of the browser window. As can be seen by comparing the second image and the third image in fig. 9, the location area in the download page at the center of the window of the browser is found to be changed, and the link element 904 indicated in the third image is in the center area of the window.

It can be understood that, considering that the predetermined key attribute for identifying the secure download address, some web page addresses with download risk, and the like may have errors, for example, the key attribute corresponding to the insecure download address is identified as the secure key attribute, or the key attribute of some secure download addresses is identified as the insecure key attribute, and the like. In order to correct errors in time, in this embodiment of the application, the user may further send error reporting information to the designated server through the terminal, where the error reporting information may include a download address identified with an error, and may further include a specific reason why the download address is identified with an error.

Wherein the designated server may be a server of the security monitoring application. The security monitoring application can receive an error reporting request of a user and display an error reporting page.

For example, a station length feedback option may be set in the security monitoring application, and after the user clicks the station length feedback option, an error reporting request may be triggered to be sent to the security monitoring application, so that the security monitoring application shows an error reporting page. For example, referring to fig. 10, which shows an example of an error reporting page in the terminal of the present application, a first diagram in fig. 10 is a schematic diagram of the error reporting page, the error reporting page is a "station leader feedback" page in the security monitoring application, and a website address filling column 1001, a problem description column 1002, and a contact information filling column 1003 are in the "station leader feedback" page.

In the website address filling column 1001, a website address which is considered to have an identification error may be filled; accordingly, a specific error cause and the like of the website address identified as an error can be specifically described in the problem description field 1002. The filling column of the contact information can be filled in the mailbox and the contact telephone of the user reporting the error.

When the safety monitoring application detects that the sending option in the station length feedback page is clicked, error reporting information is generated based on the content input by the user in the station length feedback page, and the error reporting information is reported to a server of the safety monitoring application.

Correspondingly, after receiving the error reporting information, the security monitoring application server may return an indication that the feedback is successful to the security monitoring application in the terminal. The security monitoring application will output the indication returned by the server. As shown in the second diagram of fig. 10, a prompt bar 1004 for successful feedback is displayed on the error reporting page.

On the other hand, the application also provides a device for identifying the secure download link. For example, referring to fig. 11, a schematic block diagram of an embodiment of an apparatus for identifying a secure download link according to the present application, which may be applied to the aforementioned terminal, is shown, and the apparatus may include:

the link positioning unit 1101 is configured to, when it is detected that the browser is triggered by a user to display a webpage, position a link element in the webpage, where the link element is an element linked with a download address in the webpage;

an attribute extracting unit 1102, configured to extract a key attribute of the link element in the web page, where the key attribute is used to identify a download address of the link element link;

an attribute detection unit 1103 configured to detect whether a key attribute of the link element belongs to a security key attribute that identifies a secure download address;

a security identification unit 1104, configured to obtain at least one link element in the web page, where a key attribute belongs to the security key attribute;

a link marking unit 1105, configured to display prompt information in the web page for prompting that the at least one link element is identified as a secure download link.

In one possible implementation manner, the link indicating unit may include:

the script injection subunit is used for injecting a drawing script into the code of the webpage through a browser plug-in injected into the browser;

and the link marking subunit is used for drawing a prompt identifier for prompting that the at least one link element is identified as the safe download link in the webpage through the drawing script.

In a possible implementation manner, the link positioning unit is specifically configured to, when it is detected that a user triggers a browser to display a web page through a browser plug-in injected into the browser, position a link element in the web page through the browser plug-in;

correspondingly, the attribute extraction unit specifically extracts the key attribute of the link element in the webpage through the browser plug-in.

Optionally, as shown in fig. 12, a schematic diagram of another possible component structure of an apparatus for identifying a secure download link according to the present application is shown, where the apparatus includes, in addition to the aforementioned link positioning unit 1101, the attribute extracting unit 1102, the attribute detecting unit 1103, the secure identifying unit 1104, and the link marking unit 1105:

an application running unit 1106, configured to run a security monitoring application before the link positioning unit detects that the browser displays a web page;

a plug-in injection unit 1107, configured to inject a browser plug-in into the browser through the security monitoring application.

As an alternative, in any of the above embodiments of the apparatus for identifying a secure download link, the link locating unit may include:

the address acquisition subunit is used for acquiring a webpage address of a webpage when detecting that a user triggers the browser to display the webpage;

the address detection subunit is used for detecting whether the webpage address of the webpage belongs to a webpage address with a downloading risk;

and the link positioning subunit is used for positioning the link elements in the webpage when the webpage address of the webpage belongs to the webpage address with the downloading risk.

Further, the apparatus may further include:

and the domain name detection unit is used for detecting whether a top-level domain name in the webpage address of the webpage belongs to a top-level domain name with a risk when the address detection unit detects that the webpage address of the webpage does not belong to a webpage address with a download risk, and triggering the link positioning subunit to execute the operation of positioning the link element in the webpage when the top-level domain name in the webpage address of the webpage belongs to the top-level domain name with the risk.

In one possible implementation manner, the link positioning unit includes:

the element positioning subunit is used for positioning at least one element linked with a network address in the webpage when detecting that a user triggers the browser to display the webpage;

and the element screening subunit is used for positioning the link element from the at least one element according to the position of the at least one element in the webpage.

In one possible implementation manner, the link positioning unit includes:

the characteristic acquiring subunit is used for acquiring the page characteristics of the webpage when detecting that a user triggers the browser to display the webpage;

the characteristic detection subunit is used for detecting whether the page characteristics of the webpage accord with the page characteristics with the link elements;

and the positioning triggering subunit is used for positioning the link elements in the webpage when the page characteristics of the webpage accord with the page characteristics with the link elements.

Optionally, the apparatus may further include:

and the risk prompt unit is used for displaying a risk prompt in the webpage when detecting that the key attributes of all the link elements in the webpage do not belong to the key attribute for identifying the safe download address, wherein the risk prompt is used for indicating that the safe download address does not exist in the webpage.

Optionally, the attribute detecting unit includes:

and the attribute query subunit is used for querying whether the key attribute of the link element belongs to a safety key attribute which is recorded in a safety list and used for identifying a safety download address, wherein the safety list is stored in a terminal where the browser is located or a cloud server.

In another aspect, the present application further provides a storage medium having a computer program stored therein, where the computer program is loaded by a processor and executed to implement the method for identifying a secure download link as described in any of the above embodiments.

It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

The foregoing is only a preferred embodiment of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims

1. A method of identifying a secure download link, comprising:

when detecting that a user triggers a browser to display a webpage, acquiring a webpage address of the webpage;

detecting whether the webpage address of the webpage belongs to a webpage address with a downloading risk;

when the webpage address of the webpage belongs to a webpage address with a downloading risk, locating a link element in the webpage, wherein the link element is an element of the webpage linked with the downloading address;

when the webpage address of the webpage does not belong to the webpage address with the downloading risk, detecting whether a top-level domain name in the webpage address of the webpage belongs to the top-level domain name with the downloading risk;

when the top-level domain name in the webpage address of the webpage belongs to the top-level domain name with risk, executing the operation of positioning the link element in the webpage;

2. The method for identifying a secure download link according to claim 1, wherein the displaying prompt information in the web page for prompting the at least one link element to be identified as a secure download link comprises:

3. The method for identifying a secure download link as in claim 1, wherein said locating a link element in said web page comprises:

when detecting that a user triggers a browser to display a webpage through a browser plug-in injected into the browser, positioning a link element in the webpage through the browser plug-in;

the extracting key attributes of the link elements in the webpage comprises the following steps:

and extracting key attributes of the link elements in the webpage through the browser plug-in.

4. The method for identifying a secure download link according to claim 2 or 3, further comprising, before the detecting that the user triggers the browser to render the web page:

running a security monitoring application;

5. The method for identifying a secure download link according to claim 1, wherein the acquiring the web page address of the web page when detecting that the user triggers the browser to present the web page comprises:

when the safety monitoring application detects that the browser shows a webpage, acquiring page characteristics of the webpage through a browser plug-in;

and when detecting that the page characteristics of the webpage accord with the page characteristics with the link elements, the safety monitoring application acquires the webpage address of the webpage through a browser plug-in.

6. The method for identifying a secure download link according to claim 5, wherein the detecting whether the web page address of the web page belongs to a web page address at which a download risk exists, and when the web page address of the web page belongs to a web page address at which a download risk exists, the locating the link element in the web page comprises:

the safety monitoring application detects whether the webpage address of the webpage belongs to a webpage address with a downloading risk preset in a terminal;

and when the webpage address of the webpage belongs to a webpage address with a downloading risk, the safety monitoring application positions a link element in the webpage through a browser plug-in.

7. The method for identifying a secure download link as in claim 1, wherein said locating a link element in said web page comprises:

locating at least one element of the web page linked to a network address;

and positioning a link element from the at least one element according to the position of the at least one element in the webpage.

8. The method for identifying a secure download link as in claim 1, further comprising, prior to said locating a link element in said web page:

acquiring page characteristics of the webpage;

detecting whether the page features of the webpage accord with the page features with the link elements;

and when the page characteristics of the webpage accord with the page characteristics with the link elements, executing the operation of positioning the link elements in the webpage.

9. The method for identifying a secure download link as in claim 1, further comprising:

and when detecting that the key attributes of all the link elements in the webpage do not belong to the key attribute for identifying the safe download address, displaying a risk prompt in the webpage, wherein the risk prompt is used for indicating that the safe download address does not exist in the webpage.

10. The method for identifying a secure download link according to claim 1, wherein said detecting whether a key attribute of the link element belongs to a security key attribute identifying a secure download address comprises:

and inquiring whether the key attribute of the link element belongs to a safety key attribute which is recorded in a safety list and used for identifying a safety downloading address, wherein the safety list is stored in a terminal where the browser is located or a cloud server.

11. An apparatus for identifying a secure download link, comprising:

the link positioning unit is used for acquiring a webpage address of a webpage when detecting that a user triggers a browser to display the webpage; detecting whether the webpage address of the webpage belongs to a webpage address with a downloading risk; when the webpage address of the webpage belongs to a webpage address with a downloading risk, locating a link element in the webpage, wherein the link element is an element of the webpage linked with the downloading address; when the webpage address of the webpage does not belong to the webpage address with the downloading risk, detecting whether a top-level domain name in the webpage address of the webpage belongs to the top-level domain name with the downloading risk; when the top-level domain name in the webpage address of the webpage belongs to the top-level domain name with risk, executing the operation of positioning the link element in the webpage;

12. The apparatus for identifying a secure download link of claim 11, wherein the link indicating unit comprises:

a script injection subunit, configured to inject a drawing script into the code of the web page through a browser plug-in injected into the browser;

13. The apparatus for identifying a secure download link according to claim 11, wherein the link positioning unit is specifically configured to, when detecting that the browser is triggered to display the web page by the user through a browser plug-in injected into the browser, position the link element in the web page through the browser plug-in;

the attribute extraction unit is specifically configured to extract key attributes of the link elements in the web page through the browser plug-in.

14. A terminal, comprising:

a processor and a memory;

wherein the processor is configured to execute a program stored in the memory;

the memory is to store a program to at least:

extracting key attributes of the link elements in the webpage, wherein the key attributes are used for identifying download addresses of the links of the link elements; detecting whether the key attribute of the link element belongs to a safety key attribute for identifying a safety download address;

15. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out a method of identifying a secure download link according to any one of the preceding claims 1 to 10.