CN111970262B - Method and device for detecting third-party service enabling state of website and electronic device - Google Patents


Publication number
CN111970262B
Authority
CN
China
Prior art keywords
domain name
website
address
party service
weight value
Legal status
Active
Application number
CN202010787288.7A
Other languages
Chinese (zh)
Other versions
CN111970262A (en
Inventor
薛磊
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The application relates to a method, a device, an electronic device and a storage medium for detecting the third-party service enabling state of a website. The method comprises: obtaining a first domain name address of the website to be tested; resolving the first domain name address at a plurality of nodes using the same operator line to obtain a first domain name resolution record; determining a first weight value according to the number of IP addresses in the first domain name resolution record; selecting a first IP address from the first domain name resolution record and accessing the first IP address; in the case that the first IP address is redirected to a second domain name address, determining a second weight value according to the degree of association between the webpage content information corresponding to the second domain name address and the third-party service; and determining the probability value that the website to be tested has enabled the third-party service at least according to the first weight value and the second weight value. The method and the device solve the problem in the related art of low accuracy in detecting the third-party service enabling state of a website, and achieve the technical effect of improving detection accuracy.

Description

Method and device for detecting third-party service enabling state of website and electronic device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a third-party service enablement status of a website, an electronic apparatus, and a storage medium.
Background
A Content Delivery Network (CDN) is intended to deliver the content of a website to the network edge closest to the user by adding a new layer of network architecture to the existing Internet, so that the user can obtain the required content nearby, Internet congestion is relieved, and the response speed of the user accessing the website is increased. It addresses, at the technical level, the slow response that users experience because of small network bandwidth, large numbers of user visits, uneven distribution of network points and the like.
Web Application Firewall (WAF) systems represent an emerging class of information security technology that addresses Web application security issues which traditional devices, such as firewalls, cannot handle. The cloud WAF is a cloud mode of the Web application protection system, and the mode enables a user to implement security protection on a website without installing software programs or deploying hardware equipment in the network of the user.
With the continuous emergence of new threats and network attacks, mainly APT, malicious mining, ransomware and the like, the number of threats keeps rising and network threats evolve rapidly; meanwhile, the means and channels of network attacks are diversifying, which places higher demands on the analysis and processing capabilities of network security personnel. Therefore, how to ensure the security of website assets has become an important issue in the technical field of network security.
CDN acceleration and cloud WAF are third-party services that a website may enable, and knowing whether they are enabled plays an important role in understanding the performance and security of the website assets.
At present, the related art usually builds a CDN vendor library to identify whether a website uses CDN acceleration, and cannot identify whether the website uses cloud WAF protection. Moreover, a CDN vendor library often misses small vendors, so a website that uses CDN acceleration provided by a small vendor is identified incorrectly, which results in false positives and false negatives.
At present, no effective solution has been proposed for the problem in the related art of low accuracy in detecting the third-party service enabling state of a website.
Disclosure of Invention
The embodiment of the application provides a method and a device for detecting the third-party service enabling state of a website, an electronic device and a storage medium, so as to at least solve the problem that the accuracy rate of detecting the third-party service enabling state of the website in the related technology is low.
In a first aspect, an embodiment of the present application provides a method for detecting a third-party service enablement state of a website, including: acquiring a first domain name address of a website to be tested; resolving the first domain name address at a plurality of nodes using the same operator line to obtain a first domain name resolution record; determining a first weight value according to the number of IP addresses in the first domain name resolution record; selecting a first IP address from the first domain name resolution record, and accessing the first IP address; in the case that the first IP address is redirected to a second domain name address, determining a second weight value according to the degree of association between the webpage content information corresponding to the second domain name address and a third-party service, wherein the third-party service comprises at least one of the following: CDN acceleration service and cloud WAF protection service; determining a probability value that the website to be tested has enabled the third-party service according to at least the first weight value and the second weight value; and determining that the website to be tested has enabled the third-party service in the case that the probability value is higher than a preset threshold value.
In some embodiments, after obtaining the first domain name address of the website to be tested, the method further includes: sending an access request to the first domain name address and receiving a response message in response to the access request; extracting response header information of the response message, and judging whether the response header information carries mark information that meets a preset rule; and in the case that the response header information carries mark information that meets the preset rule, determining that the website to be tested has enabled the CDN acceleration service.
In some embodiments, after obtaining the first domain name address of the website to be tested, the method further includes: performing domain name resolution on the first domain name address to obtain a second domain name resolution record; judging whether a CNAME resolution record exists in the second domain name resolution record; in the case that a CNAME resolution record exists in the second domain name resolution record, extracting a third domain name address pointed to by the first domain name address from the CNAME resolution record; matching the third domain name address in a preset domain name feature library, wherein the preset domain name feature library comprises domain name feature information of the domain name addresses associated with the third-party service; and determining that the website to be tested has enabled the third-party service in the case that the third domain name address is matched in the preset domain name feature library.
In some embodiments, determining, according to at least the first weight value and the second weight value, a probability value that the website to be tested has enabled the third-party service comprises: performing domain name resolution on the first domain name address to obtain a second domain name resolution record; judging whether a CNAME resolution record exists in the second domain name resolution record; in the case that a CNAME resolution record exists in the second domain name resolution record, extracting a third domain name address pointed to by the first domain name address from the CNAME resolution record; determining a third weight value according to the domain name level to which the position of a preset keyword in the third domain name address belongs, wherein the preset keyword is a keyword associated with a third-party service; and determining the probability value that the website to be tested has enabled the third-party service according to the first weight value, the second weight value and the third weight value.
In some embodiments, determining, according to the first weight value, the second weight value, and the third weight value, a probability value that the third-party service is enabled by the website to be tested comprises: determining an average weight value of the first weight value, the second weight value and the third weight value, and dividing the average weight value by one hundred to obtain a probability value that the third-party service is started by the website to be tested.
In some embodiments, determining the second weight value according to the degree of association between the web content information corresponding to the second domain name address and the third-party service includes: and determining the second weighted value according to the number of preset keywords in the webpage content information corresponding to the second domain name address, wherein the preset keywords are keywords associated with third-party services.
In some embodiments, determining the second weight value according to the degree of association between the web content information corresponding to the second domain name address and the third-party service includes: judging whether the webpage content information corresponding to the second domain name address is consistent with preset webpage content information or not, wherein the preset webpage content information is webpage content information associated with the third-party service; and determining that the second weight value is the weight value corresponding to the preset webpage content information under the condition that the webpage content information corresponding to the second domain name address is judged to be consistent with the preset webpage content information.
In a second aspect, an embodiment of the present application provides an apparatus for detecting a third-party service enablement status of a website, including: the acquisition module is used for acquiring a first domain name address of a website to be detected; the resolution module is used for resolving the first domain name address at a plurality of nodes by using the same operator line to obtain a first domain name resolution record; the first determining module is used for determining a first weight value according to the number of the IP addresses in the first domain name resolution record; the access module is used for selecting a first IP address from the first domain name resolution record and accessing the first IP address; a second determining module, configured to determine a second weighted value according to a degree of association between web content information corresponding to a second domain name address and a third-party service when the first IP address is redirected to the second domain name address, where the third-party service includes at least one of: CDN acceleration service and cloud WAF protection service; a third determining module, configured to determine, according to at least the first weight value and the second weight value, a probability value that the third-party service is enabled by the website to be tested; and the output module is used for determining that the third-party service is started by the website to be tested under the condition that the probability value is higher than a preset threshold value.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the method for detecting the third-party service enablement status of the website according to the first aspect.
In a fourth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting the third-party service enablement status of the website according to the first aspect.
Compared with the related art, the method, the device, the electronic device and the storage medium for detecting the third-party service enabling state of the website provided by the embodiment of the application solve the problem that the accuracy rate of detecting the third-party service enabling state of the website in the related art is low, and achieve the technical effect of improving the accuracy rate of detecting the third-party service enabling state of the website.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more concise and understandable description of the application, and features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a method for detecting a third party service enablement status of a website according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for detecting a third party service enablement status of a website in accordance with a preferred embodiment of the present application;
FIG. 3 is a block diagram of an apparatus for detecting a third-party service enablement status of a website according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that such a development effort might be complex and tedious, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, without departing from the scope of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of describing the invention (including a single reference) are to be construed in a non-limiting sense as indicating either the singular or the plural. The use of the terms "including," "comprising," "having," and any variations thereof herein, is meant to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
Fig. 1 is a flowchart of a method for detecting a third-party service enablement state of a website according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
Step S101, a first domain name address of a website to be tested is obtained.
Step S102, the same operator line is used for resolving the first domain name address at a plurality of nodes to obtain a first domain name resolution record.
In this embodiment, the first domain name address may be subjected to nationwide IP resolution across multiple nodes and multiple operator lines, and the first weight value may be determined by obtaining the first domain name resolution record and summarizing it.
Step S103, determining a first weight value according to the number of IP addresses in the first domain name resolution record.
In this embodiment, the first weight value may be determined from the number N of IP addresses that the same operator line resolves at different nodes in the first domain name resolution record, as follows: if N is less than or equal to 2, the first weight value is 0; if N is greater than or equal to 5, the first weight value = (N-5) × 10 + 60; if N is greater than 2 and less than 5, the first weight value = ((N-2) × 20)/100.
In the case that the first domain name resolution record contains IP addresses resolved by a plurality of operator lines at different nodes, the number of IP addresses resolved at different nodes by the operator line with the largest first weight value is used as the basis for determining the first weight value.
Step S104, selecting a first IP address from the first domain name resolution record, and accessing the first IP address.
In this embodiment, for example, the first domain name address is xxx.com and the first IP address is 192.168.x.x; http://192.168.x.x is accessed to obtain the response data returned by the website, and the returned response data may be analyzed to obtain the second weight value.
Step S105, determining a second weight value according to the association degree between the web content information corresponding to the second domain name address and a third party service when the first IP address is redirected to the second domain name address, where the third party service includes at least one of the following: CDN acceleration service and WAF protection service.
In some embodiments, determining the second weight value according to the degree of association between the web page content information corresponding to the second domain name address and the third-party service includes: and determining a second weighted value according to the number of preset keywords in the webpage content information corresponding to the second domain name address, wherein the preset keywords are keywords associated with the third-party service.
In some embodiments, determining the second weight value according to the degree of association between the web page content information corresponding to the second domain name address and the third-party service includes: judging whether the webpage content information corresponding to the second domain name address is consistent with preset webpage content information or not, wherein the preset webpage content information is webpage content information associated with third-party services; and under the condition that the webpage content information corresponding to the second domain name address is consistent with the preset webpage content information, determining the second weight value as the weight value corresponding to the preset webpage content information.
In this embodiment, if the first IP address is redirected to the second domain name address, and the web content information corresponding to the second domain name address includes a preset keyword, such as CDN, WAF, or the like, the second weight value is 20; alternatively, the second weight value is 20 × S, where S is the number of preset keywords found.
The preset web content information may be web content information associated with a third party service, such as a fixed page of a vendor providing CDN acceleration or cloud WAF protection. If the web page content information corresponding to the second domain name address is a fixed page of a vendor providing CDN acceleration or cloud WAF protection, for example, a cloud WAF fixed page or a CDN fixed page, the second weight value is 100.
Step S106, determining the probability value that the website to be tested has enabled the third-party service at least according to the first weight value and the second weight value.
In this embodiment, the probability value may be taken directly as the sum of the first weight value and the second weight value divided by 200; for example, the probability value = (80 + 20)/200 = 0.5.
Step S107, determining that the website to be tested has enabled the third-party service in the case that the probability value is higher than a preset threshold value.
In this embodiment, the preset threshold may be 0.8, that is, when the probability value is higher than 0.8, it is determined that the website to be tested enables the third-party service. The preset threshold may also be other values, such as 0.6, 0.9.
In the related art, a CDN vendor library is usually built to identify whether a website uses CDN acceleration, and whether the website uses cloud WAF protection cannot be identified. Moreover, a CDN vendor library often misses small vendors, so a website that uses CDN acceleration provided by a small vendor is identified incorrectly, which results in false positives and false negatives.
Through the steps S101 to S107, the first domain name address is subjected to IP resolution, the first weight value is determined according to the first domain name resolution record, the second weight value is determined according to the association degree between the webpage content information corresponding to the second domain name address redirected by the first IP address and the third-party service by accessing the first IP address selected in the first domain name resolution record, the probability value is determined according to the first weight value and the second weight value, and the third-party service is enabled by the website to be tested when the probability value is higher than the preset threshold value. According to the method and the device, whether the website starts the third-party service is judged according to various conditions, the problem that the accuracy rate of detecting the starting state of the third-party service of the website in the related technology is low is solved, and the technical effect of improving the accuracy rate of detecting the starting state of the third-party service of the website is achieved.
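The scoring in steps S103 to S107 can be followed on concrete numbers. The Python below is an added example, not code from the patent; the function names, the sample resolution records, the page texts, the counting of distinct IP addresses, the digest-based page comparison and the zero weight when no redirect occurs are all assumptions made for illustration.

```python
import hashlib
import re

PRESET_KEYWORDS = ("cdn", "waf")   # the page's example preset keywords
THRESHOLD = 0.8                    # the page's example preset threshold


def first_weight(n):
    """S103: weight from N, the number of IPs one operator line resolved."""
    if n <= 2:
        return 0
    if n >= 5:
        return (n - 5) * 10 + 60
    return ((n - 2) * 20) / 100    # 2 < N < 5, formula exactly as the page gives it


def best_first_weight(records):
    """records: {operator: {node: [ip, ...]}}. The operator line with the
    largest weight is used. Counting distinct IPs is an assumption."""
    weights = []
    for nodes in records.values():
        distinct = {ip for ips in nodes.values() for ip in ips}
        weights.append(first_weight(len(distinct)))
    return max(weights, default=0)


def fingerprint(page_text):
    """Case- and whitespace-insensitive digest for page comparison (assumed)."""
    normalised = " ".join(page_text.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def second_weight(redirect_domain, page_text, fixed_pages):
    """S105: weight from the page behind the redirect target."""
    if redirect_domain is None:
        return 0                   # assumption: no redirect contributes nothing
    if fingerprint(page_text) in fixed_pages:
        return 100                 # a vendor's fixed CDN / cloud WAF page
    s = sum(1 for kw in PRESET_KEYWORDS
            if re.search(r"\b" + re.escape(kw) + r"\b", page_text, re.I))
    return 20 * s                  # 20 x S for S preset keywords found


def assess(records, redirect_domain, page_text, fixed_pages):
    """S106-S107: combine both weights and apply the threshold."""
    w1 = best_first_weight(records)
    w2 = second_weight(redirect_domain, page_text, fixed_pages)
    probability = (w1 + w2) / 200
    return {"w1": w1, "w2": w2, "probability": probability,
            "enabled": probability > THRESHOLD}


# --- Constructed sample data (documentation address ranges only) ---
FIXED_PAGE = "Site protected by Example Cloud WAF. Request blocked."
FIXED_PAGES = {fingerprint(FIXED_PAGE)}

RECORDS_7 = {   # operator-a resolves 7 distinct IPs, operator-b only 1
    "operator-a": {
        "node-1": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
        "node-2": ["192.0.2.3", "192.0.2.4", "192.0.2.5"],
        "node-3": ["192.0.2.6", "192.0.2.7"],
    },
    "operator-b": {"node-1": ["198.51.100.1"], "node-2": ["198.51.100.1"]},
}
RECORDS_9 = {   # one operator line resolving 9 distinct IPs
    "operator-a": {
        "node-1": ["192.0.2.%d" % i for i in range(1, 6)],
        "node-2": ["192.0.2.%d" % i for i in range(5, 10)],
    },
}

if __name__ == "__main__":
    print(assess(RECORDS_7, "edge.example.net",
                 "Accelerated by Example CDN edge node", FIXED_PAGES))
    print(assess(RECORDS_9, "waf.example.net", FIXED_PAGE, FIXED_PAGES))
```

With the formulas as stated, three or four resolved addresses contribute only 0.2 or 0.4, while five or more contribute at least 60 with no upper bound, so a site resolving to many addresses can reach the threshold on the first weight alone.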
FIG. 2 is a flow chart of a method for detecting a third party service enablement status of a website according to a preferred embodiment of the present application, as shown in FIG. 2, which in some embodiments includes the steps of:
Step S201, performing domain name resolution on the first domain name address to obtain a second domain name resolution record.
In this embodiment, taking http://www.xxx.com as the website to be tested as an example, the Domain Information Groper (dig) tool or the nslookup tool is used to perform domain name resolution on the first domain name address xxx.com and obtain the second domain name resolution record. In other embodiments, the first domain name address may also be resolved by other domain name resolution tools, such as DNSLA.
Step S202, determine whether there is a CNAME resolution record in the second domain name resolution record.
In this embodiment, the second domain name resolution record includes, but is not limited to, at least one of: an A record, a CNAME record, an MX record and an NS record. The CNAME resolution record is a record in which the first domain name address points to a corresponding domain name address. After the CDN acceleration service is enabled, there is a record in which the first domain name address points to the corresponding acceleration domain name address, so whether the website to be tested has enabled CDN acceleration can be judged by checking whether a CNAME resolution record exists in the domain name resolution record; similarly, after the cloud WAF protection service is enabled, there is a record in which the first domain name address points to the corresponding protection domain name address, so whether the website to be tested has enabled cloud WAF protection can be judged by checking whether a CNAME resolution record exists in the domain name resolution record.
In step S203, when the second domain name resolution record includes the CNAME resolution record, a third domain name address pointed to by the first domain name address is extracted from the CNAME resolution record.
In this embodiment, the third domain name address is the domain name address that the first domain name address points to in the CNAME resolution record. The third domain name address can be an acceleration domain name address, a protection domain name address, or another sub-domain name address.
Step S204, a third domain name address is matched in a preset domain name feature library, wherein the preset domain name feature library comprises domain name feature information of the domain name address associated with the third-party service.
In this embodiment, the preset domain name feature library includes domain name feature information of the domain name addresses associated with the third-party service, together with the information of the vendor that provides the third-party service for each domain name address. If the third domain name address is matched in the preset domain name feature library, it is determined from the information stored for the third domain name address that the website to be tested has enabled the third-party service, and the information of the vendor providing the third-party service is given.
Step S205, determining that the website to be tested starts a third party service under the condition that a third domain name address is matched in the preset domain name feature library.
Step S206, when the third domain name address is not matched in the preset domain name feature library, sending an access request to the first domain name address, and receiving a response message responding to the access request.
Step S207, extracting response header information of the response message, and determining whether the response header information carries mark information meeting a preset rule.
In this embodiment, the response header information of the response message may be matched against a preset mark information library, which contains mark information indicating that a website has enabled CDN acceleration. For example, when mark information exists in the response header information returned by the first domain name address: if the response header returned by the first domain name address is via: BJ-H-NX-116, the CDN acceleration mark via exists and its mark value is BJ-H-NX-116; the acceleration mark and the mark value may then be matched in the preset mark information library to give the information on the vendor, corresponding to that mark and mark value, that provides the CDN acceleration service.
When the response header information returned by the first domain name address contains only an acceleration mark, such as via and cache, and no mark value, it can only be determined that the website to be tested has enabled the CDN acceleration service; the information on the vendor providing the CDN acceleration service cannot be given.
Step S208, determining that the website to be tested has enabled the CDN acceleration service when the response header information carries mark information that meets the preset rule.
Through steps S201 to S208, whether the website to be tested has enabled the third-party service is determined by combining multiple pieces of evidence: the third domain name address in the second domain name resolution record is matched against the preset domain name feature library to determine whether the website has enabled the third-party service, and the response header information returned for the access request to the first domain name address is checked for mark information meeting the preset rule to determine whether the website has enabled the CDN service. The method and the device can judge both whether the website to be tested has enabled CDN acceleration and whether it has enabled cloud WAF protection, and the detection accuracy is high.
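The decision flow of steps S203 to S208 can be sketched as follows. This is an added example, not code from the patent: the feature library, the mark library, the vendor names, the value pattern written for the sample value BJ-H-NX-116, and the fallback to the header check when no CNAME record exists are all assumptions, and the DNS records and headers are constructed inputs passed in rather than fetched.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed feature library (S204): CNAME target suffix -> (service, vendor).
# Suffixes and vendor names are placeholders, not real providers.
DOMAIN_FEATURES = {
    "cdn.example.net": ("CDN", "ExampleCDN"),
    "waf.example.org": ("cloud WAF", "ExampleWAF"),
}

# Constructed mark library (S207): acceleration mark (header name) ->
# [(mark value pattern, vendor)]. The pattern for the page's sample value
# BJ-H-NX-116 and the vendor it maps to are assumptions of this example.
HEADER_MARKS = {
    "via": [(re.compile(r"[A-Z]{2}-H-NX-\d+"), "ExampleCDN")],
    "cache": [],
}


@dataclass
class Verdict:
    enabled: bool
    service: Optional[str] = None
    vendor: Optional[str] = None
    evidence: str = ""


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def match_cname(target: str) -> Optional[Tuple[str, str]]:
    """Match on label boundaries, so notcdn.example.net does not hit cdn.example.net."""
    name = normalize(target)
    for suffix, info in DOMAIN_FEATURES.items():
        if name == suffix or name.endswith("." + suffix):
            return info
    return None


def check_headers(headers: Dict[str, str]) -> Verdict:
    """S207/S208: look for an acceleration mark, then for a known mark value."""
    mark_seen = None
    for raw_name, raw_value in headers.items():
        mark = raw_name.strip().lower()  # header names are case-insensitive
        if mark not in HEADER_MARKS:
            continue
        mark_seen = mark_seen or mark
        value = raw_value.strip()
        for pattern, vendor in HEADER_MARKS[mark]:
            if pattern.fullmatch(value):
                return Verdict(True, "CDN", vendor, f"{mark}: {value}")
    if mark_seen:
        # Mark with no value: CDN enabled, vendor unknown. Treating an
        # unrecognised value the same way is an assumption of this example.
        return Verdict(True, "CDN", None, f"{mark_seen} present, no known mark value")
    return Verdict(False)


def detect(records: List[Tuple[str, str]],
           fetch_headers: Callable[[], Dict[str, str]]) -> Verdict:
    """records: (type, value) pairs of the second domain name resolution record.
    fetch_headers is called only when no CNAME target matches (S206)."""
    for rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        hit = match_cname(value)  # S203 and S204
        if hit:
            return Verdict(True, hit[0], hit[1], "CNAME -> " + normalize(value))  # S205
    return check_headers(fetch_headers())  # S206 to S208


# Constructed sample input.
SAMPLE_RECORDS = [("CNAME", "www.site.example.com.cdn.example.net."), ("A", "192.0.2.10")]

if __name__ == "__main__":
    print(detect(SAMPLE_RECORDS, lambda: {}))
    print(detect([("A", "192.0.2.10")], lambda: {"Via": "BJ-H-NX-116"}))
    print(detect([("A", "192.0.2.10")], lambda: {"Via": ""}))
```

A Via header is added by any HTTP proxy, not only by a CDN, so a mark-only hit is weaker evidence than a CNAME match and is reported here without a vendor.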
The present embodiment further provides a device for detecting a third-party service enabled state of a website. The device is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated. Although the device described in the embodiments below is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of a device for detecting a third-party service enablement status of a website according to an embodiment of the application, and as shown in fig. 3, the device includes: the acquiring module 30 is configured to acquire a first domain name address of a website to be detected; the resolution module 31 is configured to use the same operator line to resolve the first domain name address at multiple nodes to obtain a first domain name resolution record; a first determining module 32, configured to determine a first weight value according to the number of IP addresses in the first domain name resolution record; the access module 33 is configured to select a first IP address from the first domain name resolution record and access the first IP address; a second determining module 34, configured to determine a second weight value according to a degree of association between the web content information corresponding to the second domain name address and a third-party service when the first IP address is redirected to the second domain name address, where the third-party service includes at least one of the following: CDN acceleration service and WAF protection service; a third determining module 35, configured to determine, according to at least the first weight value and the second weight value, a probability value that the third-party service is enabled by the website to be tested; and the output module 36 is configured to determine that the website to be tested enables the third-party service when the probability value is higher than a preset threshold value.
In one embodiment, the apparatus further includes a fourth determining module, configured to: send an access request to the first domain name address and receive a response message responding to the access request; extract the response header information of the response message and judge whether the response header information carries mark information meeting a preset rule; and, when the response header information carries mark information meeting the preset rule, determine that the website to be tested has enabled the CDN acceleration service.
In one embodiment, the apparatus further includes a fifth determining module, configured to: perform domain name resolution on the first domain name address to obtain a second domain name resolution record; judge whether a CNAME resolution record exists in the second domain name resolution record; when the second domain name resolution record has the CNAME resolution record, extract a third domain name address pointed to by the first domain name address from the CNAME resolution record; match the third domain name address in a preset domain name feature library, wherein the preset domain name feature library comprises domain name feature information of the domain name address associated with the third-party service; and, when the third domain name address is matched in the preset domain name feature library, determine that the website to be tested has enabled the third-party service.
In one embodiment, the third determining module 35 is further configured to: perform domain name resolution on the first domain name address to obtain a second domain name resolution record; judge whether a CNAME resolution record exists in the second domain name resolution record; when the second domain name resolution record has the CNAME resolution record, extract a third domain name address pointed to by the first domain name address from the CNAME resolution record; determine a third weight value according to the domain name level to which the position of a preset keyword in the third domain name address belongs, wherein the preset keyword is a keyword associated with the third-party service; and determine the probability value that the website to be tested has enabled the third-party service according to the first weight value, the second weight value and the third weight value.
In one embodiment, the third determining module 35 is further configured to determine an average weight value of the first weight value, the second weight value and the third weight value, and divide the average weight value by one hundred to obtain a probability value that the website to be tested enables the third party service.
In one embodiment, the second determining module 34 is further configured to determine the second weight value according to the number of preset keywords in the web page content information corresponding to the second domain name address, where the preset keywords are keywords associated with the third party service.
In one embodiment, the second determining module 34 is further configured to determine whether the web content information corresponding to the second domain name address is consistent with preset web content information, where the preset web content information is web content information associated with a third-party service; and under the condition that the webpage content information corresponding to the second domain name address is consistent with the preset webpage content information, determining the second weight value as the weight value corresponding to the preset webpage content information.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 404 and a processor 402, wherein the memory 404 stores a computer program, and the processor 402 is configured to execute the computer program to perform the steps of any of the above method embodiments.
Specifically, the processor 402 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
The memory 404 may include mass storage for data or instructions. By way of example, and not limitation, the memory 404 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, magnetic tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. The memory 404 may include removable or non-removable (or fixed) media, where appropriate. The memory 404 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 404 is a non-volatile memory. In particular embodiments, the memory 404 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or flash memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended Data Output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.
Memory 404 may be used to store or cache various data files for processing and/or communication use, as well as possibly computer program instructions for execution by processor 402.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement the method for detecting the third-party service enablement status of any one of the websites in the above embodiments.
Optionally, the electronic apparatus may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
Optionally, in this embodiment, the processor 402 may be configured to execute the following steps by a computer program:
S1, acquiring a first domain name address of a website to be detected.
S2, resolving the first domain name address at a plurality of nodes by using the same operator line to obtain a first domain name resolution record.
S3, determining a first weight value according to the number of the IP addresses in the first domain name resolution record.
S4, selecting a first IP address from the first domain name resolution record and accessing the first IP address.
S5, under the condition that the first IP address is redirected to the second domain name address, determining a second weight value according to the association degree of the webpage content information corresponding to the second domain name address and a third-party service, wherein the third-party service comprises at least one of the following: CDN acceleration service and WAF protection service.
S6, determining the probability value of the third-party service starting of the website to be tested at least according to the first weight value and the second weight value.
S7, determining that the third-party service is started by the website to be tested under the condition that the probability value is higher than a preset threshold value.
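The scoring in steps S3 to S7, with the third weight value from the CNAME target added, can be sketched as follows. This is an added example, not code from the patent: only the rule "average weight divided by one hundred, compared with a preset threshold" comes from the text, while the keywords, the weight tables, the threshold of 0.6 and the sample inputs are assumptions constructed for illustration.

```python
from typing import Dict, List, Optional

# Assumed preset keywords associated with the third-party service.
KEYWORDS = ("cdn", "waf", "cache")
THRESHOLD = 0.6  # assumed preset threshold


def first_weight(node_answers: Dict[str, List[str]]) -> int:
    """S3: weight from the number of distinct IPs returned across all nodes."""
    distinct = {ip for ips in node_answers.values() for ip in ips}
    if len(distinct) <= 1:
        return 0
    return 50 if len(distinct) <= 3 else 100  # assumed table


def second_weight(page_text: Optional[str]) -> int:
    """S5: weight from the number of preset keywords in the page the first IP
    redirected to. None means the first IP was not redirected."""
    if not page_text:
        return 0
    text = page_text.lower()
    hits = sum(text.count(k) for k in KEYWORDS)
    return min(100, 25 * hits)  # assumed table: 25 per hit, capped at 100


def keyword_level(cname_target: str) -> Optional[int]:
    """Domain level (1 = top-level label, 2 = second-level, ...) of the label
    closest to the root that contains a keyword. Levels are counted by label
    position, so a multi-label suffix such as com.cn shifts them by one."""
    labels = cname_target.strip().rstrip(".").lower().split(".")
    for level, label in enumerate(reversed(labels), start=1):
        if level >= 2 and any(k in label for k in KEYWORDS):
            return level
    return None


def third_weight(cname_target: Optional[str]) -> int:
    """Weight from the domain level holding the keyword in the CNAME target."""
    if not cname_target:
        return 0
    level = keyword_level(cname_target)
    if level is None:
        return 0
    return {2: 100, 3: 80}.get(level, 60)  # assumed table


def probability(weights: List[int]) -> float:
    """Average weight value divided by one hundred."""
    return sum(weights) / len(weights) / 100


def assess(node_answers: Dict[str, List[str]],
           page_text: Optional[str],
           cname_target: Optional[str]) -> dict:
    weights = [first_weight(node_answers),
               second_weight(page_text),
               third_weight(cname_target)]
    p = probability(weights)
    return {"weights": weights, "probability": p, "enabled": p > THRESHOLD}  # S7


# Constructed sample inputs: answers from three nodes on one operator line,
# the page reached after the redirect, and the CNAME target.
SAMPLE_NODES = {
    "node-a": ["192.0.2.1", "192.0.2.2"],
    "node-b": ["198.51.100.7"],
    "node-c": ["203.0.113.9", "192.0.2.1"],
}
SAMPLE_PAGE = "ExampleCDN cache node - CDN acceleration service"
SAMPLE_CNAME = "www.site.example.com.cdn.example.net."

if __name__ == "__main__":
    print(assess(SAMPLE_NODES, SAMPLE_PAGE, SAMPLE_CNAME))
    print(assess({"node-a": ["192.0.2.1"], "node-b": ["192.0.2.1"]}, None, None))
```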
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the method for detecting the third-party service enabling state of the website in the above embodiments, an embodiment of the present application may provide a storage medium for its implementation. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements the method for detecting a third-party service enablement status of a website of any of the above embodiments.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples merely illustrate several embodiments of the present application. Their description is relatively specific and detailed, but it is not to be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A method for detecting a third-party service enabling state of a website is characterized by comprising the following steps:
acquiring a first domain name address of a website to be detected;
sending an access request to the first domain name address and receiving a response message in response to the access request;
extracting response header information of the response message, and judging whether the response header information carries mark information meeting a preset rule;
under the condition that the response header information carries mark information which accords with the preset rule, determining that the to-be-tested website starts CDN acceleration service;
resolving the first domain name address at a plurality of nodes by using the same operator line to obtain a first domain name resolution record;
determining a first weight value according to the number of the IP addresses in the first domain name resolution record;
selecting a first IP address from the first domain name resolution record, and accessing the first IP address;
under the condition that the first IP address is redirected to a second domain name address, determining a second weight value according to the association degree of webpage content information corresponding to the second domain name address and a third-party service, wherein the third-party service comprises at least one of the following: the CDN acceleration service and a cloud WAF protection service;
determining a probability value of the to-be-tested website for enabling the third-party service according to at least the first weight value and the second weight value;
and determining that the third-party service is started by the website to be tested under the condition that the probability value is higher than a preset threshold value.
2. The method for detecting the third party service enablement status of a website according to claim 1, wherein after obtaining the first domain name address of the website to be tested, the method further comprises:
performing domain name resolution on the first domain name address to obtain a second domain name resolution record;
judging whether a CNAME resolution record exists in the second domain name resolution record;
under the condition that the second domain name resolution record has the CNAME resolution record, extracting a third domain name address pointed by the first domain name address from the CNAME resolution record;
matching the third domain name address in a preset domain name feature library, wherein the preset domain name feature library comprises domain name feature information of the domain name address associated with the third-party service;
and determining that the third-party service is started by the website to be tested under the condition that the third domain name address is matched in the preset domain name feature library.
3. The method of claim 2, wherein performing domain name resolution on the first domain name address to obtain a second domain name resolution record comprises:
and performing domain name resolution on the first domain name address to obtain a second domain name resolution record, wherein the second domain name resolution record comprises an A resolution record, the CNAME resolution record, an MX resolution record and an NS resolution record.
4. The method of claim 1, wherein determining the probability value of the third-party service enablement by the website to be tested according to at least the first weight value and the second weight value comprises:
performing domain name resolution on the first domain name address to obtain a second domain name resolution record;
judging whether a CNAME resolution record exists in the second domain name resolution record;
under the condition that the second domain name resolution record has the CNAME resolution record, extracting a third domain name address pointed by the first domain name address from the CNAME resolution record;
determining a third weight value according to a domain name level to which a position of a preset keyword in the third domain name address belongs, wherein the preset keyword is a keyword associated with the third-party service;
determining the probability value that the third-party service is started by the website to be tested according to the first weight value, the second weight value and the third weight value.
5. The method of claim 4, wherein determining the probability value that the third-party service is enabled by the website to be tested according to the first weight value, the second weight value and the third weight value comprises:
determining an average weight value of the first weight value, the second weight value and the third weight value, and dividing the average weight value by one hundred to obtain the probability value that the third-party service is enabled by the website to be tested.
6. The method of claim 1, wherein determining the second weight value according to the degree of association between the web page content information corresponding to the second domain name address and the third-party service comprises:
and determining the second weight value according to the number of preset keywords in the webpage content information corresponding to the second domain name address, wherein the preset keywords are keywords associated with the third-party service.
7. The method of claim 1, wherein determining the second weight value according to the degree of association between the web page content information corresponding to the second domain name address and the third-party service comprises:
judging whether the webpage content information corresponding to the second domain name address is consistent with preset webpage content information or not, wherein the preset webpage content information is webpage content information associated with the third-party service;
and determining that the second weight value is the weight value corresponding to the preset webpage content information under the condition that the webpage content information corresponding to the second domain name address is judged to be consistent with the preset webpage content information.
8. An apparatus for detecting a third-party service enablement status of a website, comprising:
the acquisition module is used for acquiring a first domain name address of a website to be detected;
the response module is used for sending an access request to the first domain name address and receiving a response message responding to the access request;
the judging module is used for extracting the response header information of the response message and judging whether the response header information carries mark information meeting a preset rule;
the starting module is used for determining that the CDN acceleration service is started by the website to be tested under the condition that the response header information carries the mark information which accords with the preset rule;
the resolution module is used for resolving the first domain name address at a plurality of nodes by using the same operator line to obtain a first domain name resolution record;
the first determining module is used for determining a first weight value according to the number of the IP addresses in the first domain name resolution record;
the access module is used for selecting a first IP address from the first domain name resolution record and accessing the first IP address;
a second determining module, configured to determine a second weight value according to a degree of association between web content information corresponding to a second domain name address and a third-party service when the first IP address is redirected to the second domain name address, where the third-party service includes at least one of: the CDN acceleration service and a cloud WAF protection service;
the third determining module is used for determining a probability value that the third party service is started by the website to be tested according to at least the first weight value and the second weight value;
and the output module is used for determining that the third-party service is started by the website to be tested under the condition that the probability value is higher than a preset threshold value.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for detecting the third-party service enablement status of the website according to any one of claims 1 to 7.
10. A storage medium having stored thereon a computer program, wherein the computer program is configured to execute the method for detecting a third party service enablement status of a website of any of claims 1 to 7 when executed.
CN202010787288.7A 2020-08-07 2020-08-07 Method and device for detecting third-party service enabling state of website and electronic device Active CN111970262B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010787288.7A CN111970262B (en) 2020-08-07 2020-08-07 Method and device for detecting third-party service enabling state of website and electronic device


Publications (2)

Publication Number Publication Date
CN111970262A CN111970262A (en) 2020-11-20
CN111970262B true CN111970262B (en) 2023-02-28

Family

ID=73365172




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant