CN116032508A - Automatic whitelist phishing attack detection method based on process control - Google Patents

Automatic whitelist phishing attack detection method based on process control

Info

Publication number: CN116032508A
Application number: CN202111255230.9A
Authority: CN (China)
Prior art keywords: phishing, web page, hyperlinks, legal, module
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 林薇
Current assignee: Nanjing Liancheng Technology Development Co ltd
Original assignee: Nanjing Liancheng Technology Development Co ltd
Priority date: 2021-10-27
Filing date: 2021-10-27
Publication date: 2023-04-28
Application filed by Nanjing Liancheng Technology Development Co ltd
Priority to CN202111255230.9A
Publication of CN116032508A

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting phishing attacks with an automatic whitelist based on process control. The anti-reconnaissance technique used in the process control comprises a matching module, a user confirmation module and a whitelist database updating module. The matching module comprises a URL matching sub-module and a DNS matching sub-module. The user confirmation module determines whether a web page is a phishing page by extracting its hyperlinks and applying a phishing detection algorithm; the detection algorithm comprises Algorithm 1, which checks whether the hyperlinks are legitimate or of phishing type: in the latter case the system warns the user, and in the former case the system updates the whitelist database. The whitelist database updating module writes the legitimate hyperlinks of a web page accessed for the first time into the whitelist database, where a legitimate hyperlink comprises an IP address and a DNS domain name. The invention can improve the detection rate of phishing attacks and thereby reduce cybercrime, avoiding property loss, disclosure of confidential information and the like.

Description

Automatic whitelist phishing attack detection method based on process control
Technical Field
The invention relates to the technical fields of network security, SOC (security operations center), phishing, trusted centralized management and control, data acquisition, operating systems, file systems and data encryption, and in particular to a method for detecting phishing attacks with an automatic whitelist based on process control.
Background
The use of cyberspace keeps growing because it plays an important role in today's business activities, providing many online services that simplify people's daily lives. These services let people obtain information anywhere; online banking and online shopping, for example, have become very popular and many people have grown accustomed to them. Internet information sharing is ubiquitous and inevitably brings various forms of attack, the most prominent of which is phishing.
Phishing can be defined concisely as fraudulent and malicious activity, often used by attackers to reconnoitre a target network. In the process control model (Fig. 2), reconnaissance is the first step of an attack. If anti-phishing technology is in place, the attacker can be kept outside the target network and cannot get through the gate, so no damage or loss is caused to the enterprise network and its normal operation is ensured. It is therefore important to study anti-phishing techniques.
Existing anti-phishing techniques suffer from low detection rates. Blacklists are the most common phishing detection method: a blacklist contains known phishing websites, but maintaining it requires considerable resources to report and verify suspicious websites, and a global blacklist is hard to keep current as new phishing websites keep appearing. A whitelist, on the other hand, contains legitimate websites; like the blacklist, a global whitelist is hard to maintain, because the number of real legitimate sites is huge and still growing, so a whitelist database containing all of them cannot be built.
Disclosure of Invention
To solve these technical problems, the invention provides a method for detecting phishing attacks with an automatic whitelist based on process control. It uses an automatic-whitelist detection algorithm to improve the detection rate of phishing attacks, thereby reducing cybercrime and avoiding property loss, disclosure of confidential information and the like.
A method for detecting phishing attacks with an automatic whitelist based on process control is characterized in that the anti-reconnaissance technique used in the process control comprises a matching module, a user confirmation module and a whitelist database updating module; the matching module comprises a URL matching sub-module and a DNS matching sub-module; the user confirmation module determines whether a web page is a phishing page by extracting its hyperlinks and applying a phishing detection algorithm, which comprises Algorithm 1 for checking whether the hyperlinks are legitimate or of phishing type: in the latter case the system warns the user, and in the former case the system updates the whitelist database; the whitelist database updating module writes the legitimate hyperlinks of a web page accessed for the first time into the whitelist database, where a legitimate hyperlink comprises an IP address and a DNS domain name; the method further comprises the following steps:
(1) If the user accesses the web page for the first time, the user confirmation module applies Algorithm 1 to determine whether the page is a phishing page; if it is, the system warns the user, and if the page is legitimate, the system updates the whitelist database;
(2) If the user is not accessing the web page for the first time, the URL is matched; if the DNS also matches, the website is legitimate, otherwise it is a phishing website and a warning is sent to the user;
Algorithm 1 determines the whitelist by comprehensively analysing the actual links and the visual links, computing the similarity to known trusted websites, and making the final decision on the information extracted from the hyperlinks; this information can also be obtained from a website supplied by the user. The reason for extracting hyperlinks is that a phishing website copies its page content from the target (original or legitimate) web page and may therefore contain many fake or imitated hyperlinks pointing to the legitimate target page; some URLs in a phishing database redirect to their corresponding legitimate websites, whereas a genuine web page never points to a phishing page. The phishing detection algorithm decides the status of any URL on three criteria: null links in the source code, web pages containing no hyperlinks, and external links in the source code.
Further, regarding null links in the source code: a link that does not point to any web page or document is called a null link or null pointer and is usually written as < a href="#" >; each time it is clicked it returns to the same page. Attackers use null pointers for their own purposes.
Further, regarding web pages containing no hyperlinks: at least one hyperlink can easily be extracted from a legitimate website, so a page is treated as a phishing website if the total number of extracted links is zero, and likewise if hyperlink extraction fails.
Further, regarding external links in the source code: Algorithm 1 judges these from the extracted hyperlinks. On a legitimate site most hyperlinks point to the same domain, whereas on a phishing website most hyperlinks point to the respective target or external domain. Algorithm 1 counts the total number of links extracted from the page source and the number of links pointing to external domains, selects an appropriate threshold for their ratio, and determines the nature of the hyperlinks by the following equation:
ratio = [equation image, not reproduced in the text]
where N_Di = total number of links pointing to the page's own domain, and ΣL = total number of links extracted from the web page source of the suspicious web page.
The invention has the technical effects that:
The invention provides a method for detecting phishing attacks with an automatic whitelist based on process control, characterized in that the anti-reconnaissance technique used in the process control comprises a matching module, a user confirmation module and a whitelist database updating module. The matching module comprises a URL matching sub-module and a DNS matching sub-module. The user confirmation module determines whether a web page is a phishing page by extracting its hyperlinks and applying a phishing detection algorithm, which comprises Algorithm 1 for checking whether the hyperlinks are legitimate or of phishing type: in the latter case the system warns the user, and in the former case the system updates the whitelist database. The whitelist database updating module writes the legitimate hyperlinks of a web page accessed for the first time into the whitelist database, where a legitimate hyperlink comprises an IP address and a DNS domain name. The invention can improve the detection rate of phishing attacks and thereby reduce cybercrime, avoiding property loss, disclosure of confidential information and the like.
Drawings
FIG. 1 is a schematic illustration of the phishing attack lifecycle for the method of detecting phishing attacks with an automatic whitelist based on process control;
FIG. 2 is a process control schematic diagram for the method of detecting phishing attacks with an automatic whitelist based on process control;
FIG. 3 is a schematic diagram of the method of detecting phishing attacks with an automatic whitelist based on process control;
FIG. 4 is a schematic of Algorithm 1 of the method of detecting phishing attacks with an automatic whitelist.
Detailed Description
The invention is described in further detail below with reference to the attached drawings and examples:
FIG. 1 is a schematic diagram of the phishing attack lifecycle for the method of detecting phishing attacks with an automatic whitelist based on process control. The disguised web page typically contains a Trojan horse program or the like. A phishing attack involves the following steps:
1. The attacker copies content from the website of a well-known company or bank and creates a phishing website, keeping it visually similar to the corresponding legitimate website so as to attract more users.
2. The attacker composes messages, such as e-mails, containing links to the phishing website and sends them to a large number of users or to selected target users.
3. When a user opens the e-mail and visits the disguised website, the Trojan program or the like embedded in it is activated. The present method and system detect the website before the user reaches it: if the website is legitimate the user is allowed to proceed, otherwise an alert is raised for the phishing website.
4. The attacker delivers the Trojan program to the target network through the disguised website, or, put differently, the attacker delivers the weapon to the target network through the disguised website, and then installs it, escalates privileges, and ….
FIG. 2 is a process control schematic diagram for the method of detecting phishing attacks with an automatic whitelist based on process control. The process control comprises three stages:
First stage: the network stage of the process control model (comprising reconnaissance and delivery), in which the enterprise network operates normally without any intrusion. At this stage an attacker reconnoitres the target network, for example with a phishing attack; the present application provides an anti-reconnaissance technique that detects the phishing attack.
Second stage: the endpoint stage of the process control model (comprising installation and privilege escalation). The system is compromised from the beginning of this stage: the attacker is inside the enterprise network but does not yet have complete control of it.
Third stage: the domain stage or exfiltration stage of the process control model (comprising lateral movement, actions on objectives and exfiltration). The attacker has escalated privileges and fully controls the machine, and can delete and manipulate logs to erase the traces of the attack.
Specifically, in the reconnaissance stage the attacker actively or passively collects information that can be used to support targeting. Such information may include details of the victim organisation, its critical infrastructure or its staff. The attacker may use it in other stages of the attack lifecycle, for example to plan and perform delivery, to determine the scope and priority of targets after intrusion, or to drive and direct further reconnaissance.
FIG. 3 is a schematic diagram of the method of detecting phishing attacks with an automatic whitelist based on process control. The method is characterized in that it comprises a matching module, a user confirmation module and a whitelist database updating module; the matching module comprises a URL matching sub-module and a DNS matching sub-module; the user confirmation module determines whether a web page is a phishing page by extracting its hyperlinks and applying a phishing detection algorithm, which comprises Algorithm 1 for checking whether the hyperlinks are legitimate or of phishing type: in the latter case the system warns the user, and in the former case the system updates the whitelist database; the whitelist database updating module writes the legitimate hyperlinks of a web page accessed for the first time into the whitelist database, where a legitimate hyperlink comprises an IP address and a DNS domain name; the method further comprises the following steps:
(1) If the user accesses the web page for the first time, the user confirmation module applies Algorithm 1 to determine whether the page is a phishing page; if it is, the system warns the user, and if the page is legitimate, the system updates the whitelist database;
(2) If the user is not accessing the web page for the first time, the URL is matched; if the DNS also matches, the website is legitimate, otherwise it is a phishing website and a warning is issued to the user.
FIG. 4 is a schematic of Algorithm 1 of the method of detecting phishing attacks with an automatic whitelist. Algorithm 1 determines the whitelist by comprehensively analysing the actual links and the visual links, computing the similarity to known trusted websites, and making the final decision on the information extracted from the hyperlinks; this information can also be obtained from a website supplied by the user. The reason for extracting hyperlinks is that a phishing website copies its page content from the target (original or legitimate) web page and may therefore contain many fake or imitated hyperlinks pointing to the legitimate target page; some URLs in a phishing database redirect to their corresponding legitimate websites, whereas a genuine web page never points to a phishing page. The phishing detection algorithm decides the status of any URL on three criteria: null links in the source code, web pages containing no hyperlinks, and external links in the source code.
Further, regarding null links in the source code: a link that does not point to any web page or document is called a null link or null pointer and is usually written as < a href="#" >; each time it is clicked it returns to the same page. Attackers use null pointers for their own purposes.
Further, regarding web pages containing no hyperlinks: at least one hyperlink can easily be extracted from a legitimate website, so a page is treated as a phishing website if the total number of extracted links is zero, and likewise if hyperlink extraction fails. An attacker creates null pointers in a fake web page for two reasons:
1. The first reason is to create live-looking hyperlinks where nothing exists. A real website contains many web pages, but a fake website contains very few. To masquerade as a legitimate page, the attacker therefore creates a fake web page and places null values in its hyperlinks; when the user hovers the mouse over an empty link, it appears to be active.
2. The second reason is to exploit web browser vulnerabilities using JavaScript on null links. The attacker builds the hyperlink so that, when the user hovers the mouse over it, it displays something other than the actual hyperlink. In the example, the link looks like www.example1.org, but the real destination is http://example2.org. Because href="#" keeps the link active and pointing to the same location, the onClick property can be triggered.
Further, regarding external links in the source code: Algorithm 1 judges these from the extracted hyperlinks. On a legitimate site most hyperlinks point to the same domain, whereas on a phishing website most hyperlinks point to the respective target or external domain. Algorithm 1 counts the total number of links extracted from the page source and the number of links pointing to external domains, selects an appropriate threshold for their ratio, and determines the nature of the hyperlinks by the following equation:
ratio = [equation image, not reproduced in the text]
where N_Di = total number of links pointing to the page's own domain, and ΣL = total number of links extracted from the web page source of the suspicious web page.
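The following is an added worked example, written for this page and not code from the patent or its applicant. It implements the two-step whitelist procedure (steps (1) and (2) above) together with the three criteria of Algorithm 1: null links, pages without hyperlinks, and the own-domain link ratio N_Di / ΣL. The HTML parsing, the ratio threshold, the "own domain" normalisation, the DNS lookup table and all sample pages are constructed assumptions; the patent itself does not fix the threshold value.

```python
"""Added example, not the patent's own code: a minimal implementation of the
whitelist procedure (steps (1) and (2)) and of Algorithm 1's three criteria.
HTML parsing, the own-domain ratio threshold, the domain normalisation and
the DNS lookup table are assumptions chosen for illustration."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed threshold: the patent leaves the ratio threshold to the implementer.
OWN_DOMAIN_RATIO_THRESHOLD = 0.5


class _AnchorExtractor(HTMLParser):
    """Collects the href of every <a> element (the hyperlink extraction step)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href":
                    self.hrefs.append((value or "").strip())


def extract_hrefs(html):
    parser = _AnchorExtractor()
    parser.feed(html)
    return parser.hrefs


def registered_domain(host):
    """Crude 'own domain' normalisation (last two labels); an assumption,
    a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def algorithm1(page_url, html):
    """Return ('legal' | 'phishing', reason) from the three criteria:
    null links, no hyperlinks, and the own-domain link ratio."""
    hrefs = extract_hrefs(html)
    if not hrefs:                           # page with no hyperlinks
        return "phishing", "no hyperlinks extracted"
    null_links = [h for h in hrefs if h in ("", "#")]
    if null_links:                          # null links in the source
        return "phishing", f"{len(null_links)} null link(s) (href=\"#\")"
    own = registered_domain(urlparse(page_url).hostname or "")
    n_di = 0                                # N_Di: links to the page's own domain
    for h in hrefs:
        host = urlparse(h).hostname
        if host is None or registered_domain(host) == own:  # relative = own domain
            n_di += 1
    ratio = n_di / len(hrefs)               # N_Di / sum(L)
    if ratio < OWN_DOMAIN_RATIO_THRESHOLD:  # external links dominate
        return "phishing", f"own-domain ratio {ratio:.2f} below threshold"
    return "legal", f"own-domain ratio {ratio:.2f}"


@dataclass
class WhitelistEntry:
    domain: str
    ip: str


class AutoWhitelistDetector:
    """Step (1): a first visit runs Algorithm 1 and records legal pages with
    their DNS name and IP.  Step (2): later visits are matched on URL and
    then on DNS; a whitelisted URL whose DNS record changed raises a warning."""

    def __init__(self, resolve):
        self.resolve = resolve              # host -> IP, injected to run offline
        self.whitelist = {}                 # URL -> WhitelistEntry

    def check(self, url, html):
        host = urlparse(url).hostname or ""
        entry = self.whitelist.get(url)
        if entry is None:                   # step (1): first access
            verdict, reason = algorithm1(url, html)
            if verdict == "legal":
                self.whitelist[url] = WhitelistEntry(host, self.resolve(host))
            return verdict, reason
        if entry.domain == host and entry.ip == self.resolve(host):  # step (2)
            return "legal", "URL and DNS match whitelist"
        return "phishing", "URL in whitelist but DNS no longer matches"


# Constructed sample data (not real sites) for a stand-alone run.
DNS_TABLE = {"www.bank-example.com": "198.51.100.10",
             "login-bank-example.test": "203.0.113.7"}
LEGIT_HTML = """<html><body><a href="/accounts">Accounts</a>
<a href="https://www.bank-example.com/help">Help</a>
<a href="https://partner.example.org/offers">Partner</a></body></html>"""
PHISH_HTML = """<html><body><a href="#" onclick="go()">Login</a>
<a href="https://www.bank-example.com/privacy">Privacy</a></body></html>"""

if __name__ == "__main__":
    detector = AutoWhitelistDetector(lambda h: DNS_TABLE.get(h, "0.0.0.0"))
    print(detector.check("https://www.bank-example.com/login", LEGIT_HTML))
    print(detector.check("https://www.bank-example.com/login", LEGIT_HTML))
    print(detector.check("https://login-bank-example.test/login", PHISH_HTML))
```

Two points a practitioner would tune before deploying this: many legitimate pages use href="#" for menus and tab controls, so treating any null link as decisive (as the criteria above do when read literally) produces false positives, and a production implementation would weigh the null-link count against the other two criteria rather than stop at the first one; and the "own domain" comparison should use the public suffix list rather than the last two labels, otherwise hosts under shared suffixes such as co.uk are all counted as one domain. The DNS match in step (2) is what catches a whitelisted URL whose name has been re-pointed at a different IP, which a URL-only match would miss.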
The foregoing description covers only the preferred embodiments of the present invention and is not intended to limit its scope; all changes and modifications that come within the meaning and range of equivalency of the invention are to be embraced within its scope.

Claims (4)

1. A method for detecting phishing attacks with an automatic whitelist based on process control, characterized in that the anti-reconnaissance technique used in the process control comprises a matching module, a user confirmation module and a whitelist database updating module; the matching module comprises a URL matching sub-module and a DNS matching sub-module; the user confirmation module determines whether a web page is a phishing page by extracting its hyperlinks and applying a phishing detection algorithm, which comprises Algorithm 1 for checking whether the hyperlinks are legitimate or of phishing type: in the latter case the system warns the user, and in the former case the system updates the whitelist database; the whitelist database updating module writes the legitimate hyperlinks of a web page accessed for the first time into the whitelist database, where a legitimate hyperlink comprises an IP address and a DNS domain name; the method further comprises the following steps:
(1) If the user accesses the web page for the first time, the user confirmation module applies Algorithm 1 to determine whether the page is a phishing page; if it is, the system warns the user, and if the page is legitimate, the system updates the whitelist database;
(2) If the user is not accessing the web page for the first time, the URL is matched; if the DNS also matches, the website is legitimate, otherwise it is a phishing website and a warning is sent to the user;
Algorithm 1 determines the whitelist by comprehensively analysing the actual links and the visual links, computing the similarity to known trusted websites, and making the final decision on the information extracted from the hyperlinks; this information can also be obtained from a website supplied by the user. The reason for extracting hyperlinks is that a phishing website copies its page content from the target (original or legitimate) web page and may therefore contain many fake or imitated hyperlinks pointing to the legitimate target page; some URLs in a phishing database redirect to their corresponding legitimate websites, whereas a genuine web page never points to a phishing page. The phishing detection algorithm decides the status of any URL on three criteria: null links in the source code, web pages containing no hyperlinks, and external links in the source code.
2. The method for detecting phishing attacks with an automatic whitelist based on process control according to claim 1, characterized in that, regarding null links in the source code, a link that does not point to any web page or document is called a null link or null pointer and is usually written as < a href="#" >; each time it is clicked it returns to the same page, and attackers use null pointers for their own purposes.
3. The method for detecting phishing attacks with an automatic whitelist based on process control according to claim 1, characterized in that, regarding web pages containing no hyperlinks, at least one hyperlink can easily be extracted from a legitimate website, so the website is treated as a phishing website if the total number of extracted links is zero, and likewise if hyperlink extraction fails.
4. The method for detecting phishing attacks with an automatic whitelist based on process control according to claim 1, characterized in that, regarding external links in the source code, Algorithm 1 judges these from the extracted hyperlinks: on a legitimate site most hyperlinks point to the same domain, whereas on a phishing website most hyperlinks point to the respective target or external domain; Algorithm 1 counts the total number of links extracted from the page source and the number of links pointing to external domains, selects an appropriate threshold for their ratio, and determines the nature of the hyperlinks by the following equation:
ratio = [equation image, not reproduced in the text]
where N_Di = total number of links pointing to the page's own domain, and ΣL = total number of links extracted from the web page source of the suspicious web page.

Priority Applications (1)

Application number: CN202111255230.9A (CN116032508A); priority date 2021-10-27; filing date 2021-10-27; title: Automatic whitelist phishing attack detection method based on process control

Applications Claiming Priority (1)

Application number: CN202111255230.9A (CN116032508A); priority date 2021-10-27; filing date 2021-10-27; title: Automatic whitelist phishing attack detection method based on process control

Publications (1)

Publication number: CN116032508A; publication date 2023-04-28

Family

ID=86076370

Family Applications (1)

Application number: CN202111255230.9A (CN116032508A, pending); priority date 2021-10-27; filing date 2021-10-27; title: Automatic whitelist phishing attack detection method based on process control

Country Status (1)

Country: CN; publication: CN116032508A

Legal Events

Code: PB01; title: Publication
Code: SE01; title: Entry into force of request for substantive examination