JP2021051483A - Camouflage site detecting device, camouflage site detecting program, and camouflage site detecting method - Google Patents

Abstract

To provide a camouflage site detecting device which can prevent an access to a camouflage site similar to a normal domain before the camouflage site becomes known.SOLUTION: A camouflage site detecting device for detecting a camouflage site of a first site already registered in a prescribed normal domain name list comprises camouflage site determining means, detection result generating means, and detection result transmitting means. The camouflage site determining means determines whether an entered second site is a risk site which is the camouflage site of the first site or a safe site about a determination object which is an URL of the second site or a character string extracted from a part of the URL on the basis of at least prescribed risk site detection rules. The detection result generating means generates a determination result message when the camouflage site determining means determines that the second site is the risk site. The detection result transmitting means transmits the determination result message to other devices.SELECTED DRAWING: Figure 1

Description

The present invention relates to a fake site detection device, a fake site detection program, and a fake site detection method, and can be applied to, for example, a fake site detection device that detects a fake site (dangerous site) that resembles a legitimate site.

Conventionally, a credit card number is connected to a fake homepage from a fake e-mail, or a URL (Uniform Password) is described in a social networking service (SNS) to connect to a dangerous site. , There are phishing scams that steal important personal information such as account information (user ID, password, etc.).

As a countermeasure against phishing fraud, there is virus detection software that prevents access to the above-mentioned dangerous sites (for example, Non-Patent Document 1).

For example, conventional virus detection software including Non-Patent Document 1 utilizes a database in which information on websites having a high risk of being involved in the transfer of malicious programs or online fraud in the past is accumulated. In Web threat countermeasures, the information of the URL to be accessed is encrypted and sent to the server of a company that provides virus detection software services (Trend Micro in Non-Patent Document 1) to check the safety of the website. To do. If the safety of the website cannot be confirmed, the display of the page is blocked.

Here, as one of the methods of guiding to a phishing site, for example, a host name that resembles the host name of a legitimate secure domain or contains a phrase reminiscent of a legitimate domain is used to make a spoofed site (dangerous site). There is a conventional one to induce.

OfficeScan, "About WEB threat protection function" [Search on September 4, 2019], [Online], INTERNET, <URL: https://esupport.trendmicro.com/support/vb/solution/ja-jp/1313955. aspx>

However, conventional virus detection software including the above-mentioned Non-Patent Document 1 cannot detect a fake site that does not exist in the fake site definition unless the definition of the fake site in the database is updated. Since the definition of a fake site is created from past cases, even if a new fake site is created, it may not be detected immediately. In addition, since the definition of the spoofed site is created for general purposes, the access frequency is high for a specific user, and it may not be possible to deal with the spoofed site targeted to that user.

In other words, if a user specifies a legitimate domain and a new spoofed site that resembles this legitimate domain is created, there is no way to detect it as a dangerous site without accessing it before it becomes known as a spoofed site.

Therefore, a fake site detection device, a fake site detection program, and a fake site detection method that can prevent access to the fake site are desired before the fake site that resembles a legitimate domain becomes known.

The first invention is a spoofed site detection device that detects a spoofed site of the first site registered in a predetermined regular domain name list, and (1) the input second. Regarding the judgment target which is the URL of the site or a character string extracted from a part of the URL, the second site is a dangerous site which is a camouflaged site of the first site, at least based on a predetermined dangerous site detection rule. Alternatively, a fake site search means for determining whether the site is a safe site, (2) a detection result generation means for generating a message of a determination result when the fake site search means determines that the site is a dangerous site, and (3). It is characterized by including a detection result transmitting means for transmitting the determination result message to another device.

The second fake site detection program of the present invention uses a computer mounted on a fake site detection device for detecting a fake site of the first site registered in a predetermined regular domain name list. (1) Regarding the determination target which is the URL of the input second site or a character string extracted from a part of the URL, the second site is the first, based on at least a predetermined danger site detection rule. A fake site search means for determining whether a site is a fake site or a safe site, and (2) a detection that generates a message of a determination result when the fake site search means determines that the site is a dangerous site. It is characterized in that it functions as a result generating means and (3) a detection result transmitting means for transmitting the message of the determination result to another device.

A third aspect of the present invention is a fake site detection method used for a fake site detection device that detects a fake site of the first site registered in a predetermined regular domain name list. 1) The camouflaged site search means is determined by the second site based on at least a predetermined dangerous site detection rule for the determination target which is the URL of the input second site or a character string extracted from a part of the URL. , It is determined whether it is a dangerous site or a safe site which is a fake site of the first site, and (2) a determination result when the detection result generation means is determined to be a dangerous site by the fake site search means. (3) The detection result transmitting means transmits the message of the determination result to another device.

According to the present invention, it is possible to prevent access to a fake site before the fake site that resembles a legitimate domain becomes known.

It is a block diagram which shows the internal structure of the camouflage site detection device which concerns on 1st Embodiment. It is a block diagram which shows the whole structure of the camouflage site detection system which concerns on 1st Embodiment. It is explanatory drawing which shows an example of the camouflage site detection rule which concerns on 1st Embodiment. It is explanatory drawing which shows an example of the regular similar domain name list which concerns on 1st Embodiment. It is explanatory drawing which shows an example of the danger domain name list which concerns on 1st Embodiment. It is explanatory drawing which shows an example of the regular domain name list which concerns on 1st Embodiment. It is a flowchart which shows the camouflage site detection process of the camouflage site detection device which concerns on 1st Embodiment. It is explanatory drawing which shows an example of the camouflage domain determination result screen to be displayed on the terminal when it is determined that it is a camouflage site which concerns on 1st Embodiment. It is a block diagram which shows the internal structure of the camouflage site detection device which concerns on 2nd Embodiment. It is a block diagram which shows the detailed structure of the domain registration part and the periphery which concerns on 2nd Embodiment. It is a flowchart which shows the feature process (mainly the process of the domain registration registration part) of the camouflage site detection system which concerns on 2nd Embodiment. It is explanatory drawing which shows an example of the regular domain registration screen which concerns on 2nd Embodiment. It is explanatory drawing which shows an example of the registration confirmation screen which concerns on 2nd Embodiment.

(A) First Embodiment Hereinafter, the first embodiment of the fake site detection device, the fake site detection program, and the fake site detection method according to the present invention will be described in detail with reference to the drawings.

(A-1) Configuration of First Embodiment (A-1-1) Overall Configuration FIG. 2 is a block diagram showing an overall configuration of a camouflaged site detection system according to the first embodiment.

In FIG. 2, the camouflaged site detection system 1 includes a plurality of terminals 2 (2-1 to 2-N), a local network 4, a security device 3, a camouflaged site detection device 10, and the Internet 30.

In the camouflaged site detection system 1, the terminal 2 and the security device 3 are connected to the local network 4, and the security device 3 is connected to the Internet 30.

The terminal 2 is an information processing terminal capable of accessing the Internet 30 via the security device 3. In addition, the terminal 2 is provided with browsing software for displaying URL information on the Internet 30 on the screen, and displays, for example, a web page (website) created by HTML (HyperText Markup Language) or the like. can do.

The security device 3 is a device having a security function such as a virus detection function and a firewall function. Further, when the security device 3 of this embodiment attempts to browse a website on the Internet 30 from the terminal 2, it sends a URL to the camouflaged site detection device 10 to ensure the safety of the website to be browsed. To confirm.

The camouflage site detection device 10 determines whether or not the website to be browsed by the terminal 2 is a camouflage site (dangerous site), and then controls to access the corresponding site on the Internet 30 if it is safe. On the other hand, if the website determines that the website is a dangerous site, the camouflaged site detection device 10 notifies the terminal 2 of the result (determination result including the ground message for determining the dangerous site).

(A-1-2) Detailed Configuration of the Fake Site Detection Device 10 FIG. 1 is a block diagram showing an internal configuration of the fake site detection device according to the first embodiment. The camouflaged site detection device according to the first embodiment may be configured as hardware such as a dedicated IC chip equipped with each component shown in FIG. 1, or may include a CPU and a program executed by the CPU. It may be configured as software as the center, but functionally, it can be represented by FIG.

In FIG. 1, the camouflaged site detection device 10 includes a target URL input unit 11, a target domain extraction unit 12, a camouflaged site search unit 13, a detection result generation unit 14, a detection result output unit 15, and a storage unit 16.

The target URL input unit 11 receives a fake site determination request by inputting a URL character string from the security device 3. The target URL input unit 11 notifies the target domain extraction unit 12 of the URL character string.

The target domain extraction unit 12 extracts the domain name or FQDN (Fully Qualified Domain Name) to be determined from the URL input to the camouflaged site detection device 10. The target domain extraction unit 12 notifies the camouflaged site search unit 13 of the extracted domain name. As a modification, the camouflaged site detection device 10 may omit this configuration and notify the camouflaged site search unit 13 of the character string (URL) received from the security device 3 as it is.

The spoofed site search unit 13 uses the spoofed site detection rule 17, the legitimate similar domain name list 18, the dangerous domain name list 19, and the legitimate domain name list 20 for the target domain name, and is it a safe site or a dangerous site? Is to be determined.

The detection result generation unit 14 generates a message of a determination result when it is determined to be a dangerous site (danger domain).

The detection result output unit 15 transmits the generated determination result to the terminal 2 via the security device 3.

The storage unit 16 stores various information (spoofed site detection rule 17, regular similar domain name list 18, dangerous domain name list 19, regular domain name list 20, etc.).

The spoofed site detection rule 17 describes a list of character strings that are candidates for spoofed sites using the character strings of the regular domain name in the corresponding characters or regular expressions.

FIG. 3 is an explanatory diagram showing an example of a camouflaged site detection rule according to the first embodiment. In FIG. 3, the camouflaged site detection rule 17 has similar characters 171 and related words 172, and common related words 173.

The similar character 171 in FIG. 3A is a rule for finding a site to be disguised by using characters having a similar shape. The similar character 171 is related to "ID" that identifies each data, "regular" that indicates a regular domain name, "similar" that indicates a character similar to the regular domain name, and data in the regular similar domain name list 18 described later. It is composed of "association" indicating.

The similar character 171 is replaced with a character having a similar shape such as O (o) and 0 (zero), I (eye), l (el) and 1 (ichi), and it is determined whether or not the target URL matches. It is a rule used at the time. Similar characters 171 indicate characters with similar shapes in square brackets [] for "similar" items.

Further, "related" represents an ID in the regular similar domain name list 18 of FIG. 4A, and is used to determine that the site is a safe site even if it matches a similar character (similar character rule).

The related word 172 in FIG. 3B is a rule used when checking whether a word related to the legitimate domain is included in the detection target URL. The related word 172 refers to the "ID" that identifies each data, the "regular" that indicates the canonical domain name, the "association" that indicates the related term of the canonical domain name, and the association with the data in the canonical similar domain name list 18 described later. It consists of the "associations" shown.

In the related word 172, words constituting the name of the site and words and phrases related to the organization of the site, etc., expressed in alphanumeric characters and romaji are registered in advance. For example, in the case of the regular domain "oki.com", the Roman character notation "oki-denki-kougyo" of the name "Oki Electric Industry" and the English notation "oki electric industry" to "denki", "kougyo", "electric", " "Industry" is registered in advance (in FIG. 3B, an example in which "denki" is registered is shown).

Further, "association" represents an ID in the regular similar domain name list 18 of FIG. 4A, and even if a related word is included, it is used to determine that the site is a safe site in the case of the domain.

FIG. 3C shows common related words 173, related words that are commonly handled by all sites, and words and phrases that are easily used in camouflaged sites are registered in advance. For example, as shown in FIG. 3C, words such as "login" and "sign" that are easily used when pretending to be a login page are registered in advance.

FIG. 4 is an explanatory diagram showing an example of a list of canonical similar domain names according to the first embodiment. In FIG. 4, the normal-similar domain name list 18 is composed of an “ID” that identifies each data and a “normal-similar domain” that indicates a normal-similar domain name.

In addition, in the regular similar domain name list 18 of FIG. 4, an example (for example, the data of “oki.com”) in which data of the same domain as the regular domain name list 20 described later is registered in duplicate is shown. However, the data registered in the regular domain name list 20 does not necessarily have to be registered in the regular similar domain name list 18.

The legitimate similar domain name list 18 is determined to be a dangerous domain by using the spoofed site detection rule 17, but is a list of domain names considered to be safe domains. For example, a country-specific site of the same organization is registered. Has been done.

FIG. 5 is an explanatory diagram showing an example of a dangerous domain name list according to the first embodiment. In FIG. 5, the danger domain name list 19 is composed of an “ID” that identifies each data and a “danger domain” that indicates the danger domain name.

The dangerous domain name list 19 is a list of dangerous domains similar to the legitimate domain, and is registered when it is clearly known to be dangerous.

FIG. 6 is an explanatory diagram showing an example of a regular domain name list according to the first embodiment. In FIG. 6, the legitimate domain name list 20 shows an “ID” that identifies each data, a “legitimate domain” that indicates a legitimate domain name, a “spoofed site detection rule” that indicates a correspondence with a spoofed site detection rule 17, and a “spoofed site detection rule”. It is composed of "regularly similar domains" showing the correspondence with the canonical similar domain name list 18.

The legitimate domain name list 20 is a list of secure domains to be processed for spoofing site detection. The fake site detection process of the fake site search unit 13 aims to find a similar domain of the domain (regular domain) in the legitimate domain name list 20. The content to be registered in the regular domain name list 20 is not limited to this, and for example, the official name of the regular domain, the related name, and the like may be included.

(A-2) Operation of the Embodiment Next, the operation of the camouflaged site detection device 10 according to the first embodiment having the above configuration will be described.

FIG. 7 is a flowchart showing a camouflaged site detection process of the camouflaged site detecting device according to the first embodiment. When the URL is input from the security device 3 to the camouflaged site detection device 10, the following processing is started.

When the target URL input unit 11 receives the fake site determination request including the URL, the target domain extraction unit 12 extracts the domain name or the FQDN (which may be both the domain name and the FQDN) of the determination target from the URL (S101). For example, when the URL is "https://www.example.com/index.html", "www.sample.com" is the FQDN and "example.com" is the domain name.

The camouflaged site search unit 13 searches whether the domain name or the FQDN exists in the dangerous domain name list 19 (S102). If the domain name or FQDN exists in the dangerous domain name list 19, the camouflaged site search unit 13 proceeds to the process of step S106 described later, and if it does not exist, performs the process of the next step S104 (S103). ).

The camouflaged site search unit 13 searches whether the domain name or FQDN exists in the safe domain list (regular similar domain name list 18 or legitimate domain name list 20) (S104). If the domain name or FQDN exists in the legitimate similar domain name list 18 or the legitimate domain name list 20, the camouflaged site search unit 13 proceeds to the process of step S108 described later, and if it does not exist, the next step. The process of S105 is performed.

The camouflaged site search unit 13 confirms whether or not the domain name, FQDN, or URL matches the camouflaged site detection rule 17 (S105). If the domain name, FQDN, or URL matches the fake site detection rule 17, the fake site search unit 13 proceeds to the process of the next step S106, and if there is no match, the fake site search unit 13 proceeds to step S108, which will be described later. Move to processing.

Here, the camouflage site search unit 13 may end the process if it matches one of the plurality of rules (similar character 171, related word 172, and common related word 173), or sets the camouflage score in the determination result. It may be provided, all rules may be applied, and the camouflage score may be calculated based on whether or not a plurality of rules are matched. It should be noted that the rule of the related word 172 is likely to match even on an unrelated site with only one word, so if a plurality of words are applicable, they may be matched.

When the camouflaged site search unit 13 determines that the URL notified by the security device 3 is a dangerous site in the above process, the camouflaged site search unit 13 determines that the determination result to be sent to the security device 3 is a "dangerous site" (S106). ..

The detection result generation unit 14 generates a determination result to be returned to the terminal 2 when the processing of the camouflaged site search unit 13 determines that the site is dangerous (S107). The determination result is generated including a rationale sentence so that the user can understand why the site is determined to be a dangerous site.

For example, oki. com is 0k1 (Zero Kaichi) where the legitimate domain is. It is assumed that com is specified (assuming that a camouflage site determination request including a character example of "0k1.com" is received). 0k1.com corresponds to the data of ID1 of the spoofed site detection rule 17 (similar character 171), and the corresponding data does not exist in the regular similar domain name list 18. The legitimate domain (safety site) of "0k1.com" is ID1 (oki.com) of the legitimate domain name list 20. The detection result generation unit 14 generates the contents of these processes (grounds for determining a dangerous site, information on a safety site, etc.) so as to be included in the ground text.

Further, the detection result generation unit 14 prepares a screen display URL, a link URL, and a basis sentence for each of the dangerous site and the safe site so that the user can easily understand them. The screen display URL of the dangerous site is a URL specified by the user. The screen display URL of the legitimate site is the URL of the legitimate site that tried to disguise the camouflaged site that was the basis of the determination in the camouflaged site detection. The link URL is for accessing the URL by clicking the link portion on the screen display.

In addition, the rationale text displays the judgment criteria for detecting a fake site. The rationale is the content such as which characters are judged to be similar, and the characters often used in the fake site of the legitimate site are included. When a score is also used as the judgment result, the camouflaged score is calculated and displayed.

For example, the judgment result when it is judged as a dangerous site and the legitimate site corresponding to the dangerous site are expressed as follows.

Dangerous sites are {URL = "https: // <emphasis> 0 // emphasize> k <emphasis> 1 // emphasize> .com", link = "https: // 0k1.com", rationale 1 = "< Emphasis> Zero </ Emphasis>, Kay, <Emphasis> Ichi </ Emphasis> ”, Evidence 2 =“ ”, Evidence 3 =“ 90 ”}.

The official site is {URL = "https: // <emphasis> o </ emphasis> k <emphasis> i </ emphasis> .com", link = "https: // oki.com", rationale 1 = "< Emphasis> Oh </ Emphasis>, Kay, <Emphasis> Ai </ Emphasis> ”, Grounds 2 =“ Oki Electric Industry ”}.

<Emphasis> and </ Emphasis> of the above URL indicate that the characters solidified from <Emphasis> to </ Emphasis> are highlighted on the terminal 2, and which character of the URL of the camouflaged site is determined is identified. Make it easy. For example, when specifying in HTML, the tag color is changed, emphasized characters are used, and the font size is changed.

Add to the rationale that the URL specified by the user could not be accessed because it was determined to be a dangerous site. If the user determines that there is no problem, a confirmation button may be added so that the page on the Internet 30 can be accessed without passing through the camouflaged site detection device 10.

On the other hand, when the camouflaged site search unit 13 determines that the URL is a safe site in the above process, the camouflaged site search unit 13 determines that the determination result to be sent to the security device 3 is a "safe site" (S108).

When the detection result output unit 15 determines that the site is dangerous, the detection result output unit 15 sends the determination result and the result display contents to the user to the security device 3 (S109). On the other hand, when the detection result output unit 15 determines that the site is a safe site, the detection result output unit 15 downloads the page of the corresponding URL of the Internet 30 and sends the page information of the corresponding URL to the terminal 2 via the security device 3. On the terminal 2, the page content of the corresponding URL is displayed.

Further, in the case of a camouflaged site, the determination result of the camouflaged site is displayed on the terminal 2 so that the access cannot be displayed on the corresponding page (access is disabled).

FIG. 8 is an explanatory diagram showing an example of a camouflaged domain determination result screen displayed on the terminal when it is determined to be a camouflaged site according to the first embodiment.

As shown in FIG. 8, on the camouflage domain determination result screen 50, the URL initially specified by the user is determined to be a camouflage site, and the "danger" and "correct" lines indicate the difference in URL, the basis, and the camouflage score, respectively. indicate.

The URL is different by highlighting similar characters "0 (zero)" and "O", "1 (ichi)" and "I (eye)", and presenting the reading on basis 1. It becomes easier for the user to notice that. In addition, by presenting the legitimate site name to "correct", it becomes easier for the user to notice whether the desired site is "positive". Further, by presenting the camouflage score, it becomes easier for the user to judge the correctness of the URL.

When the user determines that the initially specified URL is incorrect and the correct URL is the desired URL, the user can access and display the corresponding page by clicking the "correct" URL. Further, if the user determines that the initially specified URL is correct, the user may be able to access the corresponding page by clicking the "dangerous" URL. In this case, when the terminal 2 re-accesses from the camouflaged domain determination result screen 50, the corresponding URL on the Internet can be accessed without passing through the camouflaged site detection device 10. At this time, the accessed URL (domain, FQDN) may be registered in the regular similar domain name list 18.

(A-3) Effect of First Embodiment According to the first embodiment, the following effects are exhibited.

The camouflaged site detection device 10 creates in advance a legitimate domain name, FQDN or URL that is frequently accessed, and a detection rule for a domain similar to this legitimate domain, and when the user (terminal 2) accesses the device, the impersonation site detection device 10 becomes a legitimate domain. It was judged whether it was a fake site that was imitated, and if it was a fake site, it could not be accessed immediately. The judgment of the fake site is not related to the content of the site because it is judged by the domain name or URL. Therefore, when a fake site is newly created, it is possible to detect it without accessing it before it becomes known as a fake site.

In addition, when the terminal display of the judgment result of the fake domain, the content of the grounds for judging the fake site is also displayed. The effect is that it is possible to immediately know which character of the URL specified by the user is different from the legitimate site, and it is possible to immediately know whether the specified URL is incorrect or the desired URL.

(B) Second Embodiment Hereinafter, a second embodiment of the camouflaged site detection device, the camouflaged site detection program, and the camouflaged site detection method according to the present invention will be described in detail with reference to the drawings.

(B-1) Configuration of Second Embodiment The configuration of the camouflaged site detection system 1 of the second embodiment can be basically shown with reference to FIG. 2 as in the first embodiment. However, the fake site detection system 1 of the second embodiment is different in that the fake site detection device 10A (FIG. 9) is applied instead of the fake site detection device 10 of the first embodiment.

FIG. 9 is a block diagram showing an internal configuration of the camouflaged site detection device according to the second embodiment. The camouflaged site detection device according to the second embodiment may be configured as hardware such as a dedicated IC chip equipped with each component shown in FIG. 9, or may include a CPU and a program executed by the CPU. It may be configured as software as the center, but functionally, it can be represented by FIG.

In FIG. 9, the camouflaged site detection device 10A includes a target URL input unit 11, a target domain extraction unit 12, a camouflaged site search unit 13, a detection result generation unit 14, a detection result output unit 15, a storage unit 16, and a domain registration unit 40. Has.

In the camouflaged site detection device 10A of the second embodiment, the domain registration unit 40 is newly added in addition to the configuration of the camouflaged site detection device 10 of the first embodiment. The details of the configuration of the domain registration unit 40 will be described below.

FIG. 10 is a block diagram showing a detailed configuration of the domain registration unit and its surroundings according to the second embodiment.

The domain registration unit 40 has a registration screen generation unit 41, a fake site detection rule generation unit 42, a fake site detection rule registration unit 43, and a similar domain extraction rule 44.

The registration screen generation unit 41 generates a registration screen (regular domain registration screen of FIG. 12, which will be described later, registration confirmation screen of FIG. 13) to be displayed on the terminal 2. Details will be described later, but on the regular domain registration screen, you can enter a regular domain, and you can also specify keywords, related domains, dangerous domains, and so on. Then, the registration confirmation screen is a screen for confirming the result generated by the camouflaged site detection rule generation unit 42 based on the content specified on the regular domain registration screen.

The camouflage site detection rule generation unit 42 applies a similar pattern rule of a regular domain (similar domain extraction rule 44) to generate a similar pattern.

The fake site detection rule registration unit 43 registers the fake site detection rule (all or part of the above-mentioned similar pattern) generated by the fake site detection rule generation unit 42 in the fake site detection rule 17. In addition, the fake site detection rule registration unit 43 sets the regular domain name, the regular similar domain name (related domain), and the dangerous domain name specified on the regular domain registration screen as the regular domain name list 20, the regular similar domain name list 18, and so on, respectively. It has a function of registering in the danger domain name list 19.

Similar domain extraction rule 44 describes a rule for determining a dangerous domain without being limited to a specific domain. For example, a conversion formula for characters or character strings having similar shapes such as 0 (zero) and O (o) is described.

(B-2) Operation of the Second Embodiment Next, the operation of the camouflaged site detection system 1 of the second embodiment having the above configuration will be described with reference to the drawings. Since this embodiment has a feature regarding the domain registration process of the fake site detection device 10A constituting the fake site detection system 1, the fake site detection device 10 of the fake site detection device 10A will be described below.

FIG. 11 is a flowchart showing the feature processing (mainly the processing of the domain registration / registration unit) of the camouflaged site detection system 1 according to the second embodiment.

The terminal 2 transmits a registration start request requesting registration of the legitimate domain and information related to the legitimate domain to the camouflaged site detection device 10A by user operation (S201).

Upon receiving the registration start request, the camouflaged site detection device 10A (registration screen generation unit 41) returns information on the regular domain registration screen (for example, screen information in HTML format) to the terminal 2 (S202).

The terminal 2 displays the regular domain registration screen according to the screen information received from the registration screen generation unit 41 (S203).

FIG. 12 is an explanatory diagram showing an example of the regular domain registration screen according to the second embodiment. The regular domain registration screen 100 has a regular domain name input field 101, a site name input field 102, a keyword input field 103, a related domain input field 104, an automatic button 105 (105-1, 105-2), and a similar domain detection rule generation. It has a button 106.

The regular domain name input field 101 is an input field for describing the regular domain name, FQDN, or URL to be detected.

The site name input field 102 is a field for inputting a site name which is a name of a regular domain. The site name may be automatically extracted from the homepage of the legitimate domain. For example, it is possible by extracting the characters between <title> and </ title> of the HTML tag on the top page of the legitimate domain.

The keyword input field 103 is a field for describing related words (keywords) related to the legitimate site. For example, the keyword is a product name or the like handled on the site.

The related domain input field 104 is a field for describing a related domain (regular similar domain) of the regular domain.

The automatic button 105 (105-1, 105-2) automatically extracts each word and phrase instead of the user directly inputting a keyword or a related domain. For example, when the automatic button 105 is pressed by the user, words and phrases that frequently appear on the legitimate site and words and phrases that use emphasized characters are extracted.

The similar domain detection rule generation button 106 requests the domain registration unit 40 to generate a similar pattern including at least information on a character string of a regular domain after inputting to each of the above input fields.

Further, in addition to the above items, the regular domain registration screen 100 may be provided with, for example, a field for inputting a dangerous domain.

When the user presses the similar domain detection rule generation button 106, the terminal 2 transmits a similar pattern generation request to the camouflaged site detection device 10A (domain registration unit 40) (S204).

The domain registration unit 40 (impersonation site detection rule generation unit 42) of the camouflage site detection device 10A generates a similar pattern for the character string of the legitimate domain in the similarity pattern generation request by using the similar domain extraction rule 44 (S205). ..

To generate a similar pattern, a conversion pattern of a regular domain name is generated by using a correspondence table of characters having similar character shapes, words that are prone to typos, and the like in the similar domain extraction rule 44. The similar domain extraction rule 44 is not limited to the above, and various various rules may be retained.

The camouflaged site detection rule generation unit 42 acquires a related word (keyword) of the legitimate domain (S206). The acquisition of the related word of the regular domain may be performed by using the related word information (keyword specified by the user on the regular domain registration screen 100) in the similar pattern generation request received from the terminal 2. On the other hand, it may be acquired automatically (for example, it may be acquired by various methods such as reading the name, dividing the reading into words, translating it into English, etc.). Further, the related word may be obtained from the above-mentioned related word 172.

Then, the camouflaged site detection rule generation unit 42 and the similar domain extraction rule 44 are updated so that URLs including related words can be extracted. Either a URL containing only related words or a URL containing a regular domain name and related words may be configured.

The spoofed site detection rule generation unit 42 acquires a legitimately similar domain related to the legitimate domain (S207). The acquisition of the regular similar domain may be performed by using the information of the regular similar domain (related domain specified by the user on the regular domain registration screen 100) as long as the similarity pattern generation request received from the terminal 2 includes the information of the regular similar domain. On the other hand, it may be acquired automatically (for example, the URL may be collected from the page of the related company of the homepage and the domain name may be acquired).

The spoofing site detection rule generation unit 42 applies the similarity domain extraction rule 44 to the canonical similarity domain to generate one or more canonical similarity domains (hereinafter, referred to as “regular similarity domain candidates”) (S208). The spoofing site detection rule generation unit 42 registers the matched canonical similar domain in the canonical similar domain name list 18 when the canonical similar domain matches (matches) with any of the canonical similar domain candidates, and when it does not match, the canonical similar domain is registered in the canonical similar domain name list 18. Does not register in the regular similar domain name list 18. An example of registering a matched regular similar domain will be described below.

First, the camouflaged site detection rule generation unit 42 searches the dangerous domain name list 19 using the legitimately similar domain as a key. When the legitimately similar domain hits the dangerous domain name list 19, the spoofed site detection rule generation unit 42 does not register the legitimately similar domain in the legitimately similar domain name list 18 because it is a dangerous domain.

Next, the camouflaged site detection rule generation unit 42 searches the legitimate domain name list 20 using the legitimate similar domain as a key. When a legitimate similar domain hits the legitimate domain name list 20, the spoofed site detection rule generator 42 is already registered as a legitimate domain (because it is less necessary to register as a legitimate domain). Do not register in the similar domain name list 18.

Then, the spoofed site detection rule generation unit 42 searches the regular-similar domain name list 18 using the regular-similar domain as a key, and if the regular-similar domain to be registered does not hit, adds it to the regular-similar domain name list 18. register.

The camouflage site detection rule generation unit 42 transmits the generation result of the similar domain generated in each of the above processes to the terminal 2 (S209).

The terminal 2 displays a registration confirmation screen, which is a result of generating a similar domain, according to the information received from the camouflaged site detection rule generation unit 42 (S210).

FIG. 13 is an explanatory diagram showing an example of the registration confirmation screen according to the second embodiment. The registration screen 200 has a regular domain name display column 201, a site name display column 202, a rule confirmation column 203, a related name confirmation column 204, a related domain confirmation column 205, and a registration button 206.

The regular domain name display field 201 is a display field for displaying a regular domain name (may be FQDN or URL).

The site name display field 202 is a display field for displaying the site name.

The rule confirmation column 203 is a column for confirming the contents of the spoofed site detection rule (similar domain extraction rule 44 applied to the legitimate domain name), and the rule to be officially registered can be selected from a plurality of rules. For example, the rule confirmation column 203 includes a rule display column 203A for displaying a rule, a rule explanation column 203B for explaining the displayed rule, and a check box 203C for selecting a rule to be registered.

The related name confirmation column 204 is a column for confirming the related words (keywords) of the regular domain name, and the related words to be officially registered can be selected from a plurality of related words. For example, the related name confirmation column 204 includes a related word display column 204A for displaying the related word, a related word explanation column 204B for explaining the displayed related word, and a check box 204C for selecting the related word to be registered.

The related domain confirmation column 205 is a column for confirming the related domain (regular similar domain name) of the regular domain name, and the related domain to be officially registered can be selected from a plurality of related domains. For example, the related domain confirmation field 205 includes a related domain display field 205A for displaying the related domain and a check box 205C for selecting the related domain to be registered.

The registration button 206 confirms the registration contents based on the checked contents, and makes a registration request to the domain registration unit 40.

When the registration button 206 is pressed by the user, the terminal 2 transmits a registration request to the camouflaged site detection device 10A (domain registration unit 40) (S211).

When the fake site detection rule registration unit 43 receives the registration request from the terminal 2, the fake site detection rule registration unit 43 receives the registration request from the terminal 2, and based on the registration request, the fake site detection rule, the checked fake site detection rule, the regular similar domain name, and the dangerous domain name (regular domain registration screen 100). Register (confirm registration) in the regular domain name list 20, the spoofed site detection rule 17, the regular similar domain name list 18, and the dangerous domain name list 19, respectively (the dangerous domain name entered when it can be entered in) (S212). ). At this time, the camouflaged site detection rule registration unit 43 also registers the related rules and the corresponding ID of the list so that the relationship with the legitimate domain and the relationship between the lists can be understood.

(B-3) Effect of Second Embodiment According to the present invention, the following effects are exhibited in addition to the effect of the first embodiment.

In the camouflaged site detection device 10A of the second embodiment, a similar domain extraction rule is applied to the legitimate domain so that the camouflaged site detection rule 17 is automatically generated. Then, since the similar domain conversion rule is presented to the terminal so that the user can select each rule, the effect that the user can easily create the desired spoofed site detection rule can be obtained.

(C) Other Embodiments The present invention is not limited to the first and second embodiments described above, and modified embodiments as illustrated below can also be mentioned.

(C-1) In each of the above embodiments, the case where the camouflaged site detection devices 10 and 10A are connected to the security device and applied has been described, but the placement position is not limited, for example, by arranging in the terminal 2. Absent.

(C-2) In each of the above embodiments, the determination is made based on the similarity of the domain name, but the determination may include a URL other than the domain name.

(C-3) In the second embodiment described above, an example in which a user creates a fake site detection rule or the like of a legitimate domain using a terminal 2 is shown, but a fake site detection device 10A having an input and display function is used. You may create a camouflaged site detection rule etc. by operating it directly.

(C-4) In the second embodiment, the camouflaged domain determination result screen 50 described above may further include a link function for transitioning to the regular domain registration screen 100.

1 ... Fake site detection system, 2 ... Terminal, 3 ... Security device, 4 ... Local network, 10, 10A ... Fake site detection device, 11 ... Target URL input unit, 12 ... Target domain extraction unit, 13 ... Fake site search unit , 14 ... detection result generation unit, 15 ... detection result output unit, 16 ... storage unit, 17 ... camouflaged site detection rule, 18 ... regular similar domain name list, 19 ... dangerous domain name list, 20 ... regular domain name list, 30 ... Internet, 40 ... Domain registration unit, 41 ... Registration screen generation unit, 42 ... Fake site detection rule generation unit, 43 ... Fake site detection rule registration unit, 44 ... Similar domain extraction rule, 50 ... Fake domain judgment result screen, 100 … Regular domain registration screen, 101… Regular domain name input field, 102… Site name input field, 103… Keyword input field, 104… Related domain input field, 105… Automatic button, 106… Similar domain detection rule generation button, 171… Similar characters, 172 ... Related words, 173 ... Common related words, 200 ... Registration screen, 201 ... Regular domain name display field, 202 ... Site name display field, 203 ... Rule confirmation field, 203A ... Rule display field, 203B ... Rule explanation Column, 203C ... Check box, 204 ... Related name confirmation column, 204A ... Related word display column, 204B ... Related word explanation column, 204C ... Check box, 205 ... Related domain confirmation column, 205A ... Related domain display column, 205C ... Check Box, 206 ... Registration button.

Claims (11)

A spoofed site detection device that detects a spoofed site of the first site registered in a predetermined legitimate domain name list.
Regarding the judgment target which is the URL of the input second site or a character string extracted from a part of the URL, the second site is disguised as the first site based on at least a predetermined danger site detection rule. A fake site search method that determines whether a site is a dangerous site or a safe site,
A detection result generation means for generating a judgment result message when the site is determined to be a dangerous site by the camouflaged site search means, and a detection result generation means.
A camouflaged site detection device including a detection result transmission means for transmitting the determination result message to another device. When the determination target is listed in the canonical domain name list or a predetermined canonical similar domain name list related to the first site, the camouflaged site search means sets the second site as a safe site. The camouflaged site detection device according to claim 1, wherein the determination is made. The camouflaged site according to claim 2, wherein the camouflaged site search means determines the second site as a dangerous site when the determination target is listed in a predetermined dangerous domain name list. Detection device. The camouflaged site detection device according to claim 3, wherein the detection result generation means generates the determination result message including information on a dangerous site and a legitimate site corresponding to the dangerous site. 3. The detection result generation means is characterized in that the determination result message includes the determination result of the second site and the grounds for determining a dangerous site in the camouflaged site search means. Or the camouflaged site detection device according to 4. The dangerous site detection rule is a rule for finding a site to be spoofed using characters similar to the shape of a legitimate domain. A similar character rule, a site to be spoofed using a related word of a legitimate site is found. A claim comprising all or part of a related word rule which is a rule for finding a site to be disguised by using a related word which frequently appears in a spoofed site, and a common related word rule which is a rule for finding a site to be disguised. The camouflaged site detection device according to any one of 3 to 5. The input first site is registered in the canonical domain name list, and a predetermined similar pattern generation rule is applied to the URL of the first site or a part of the character string thereof, and one or two or more. The camouflaged site according to any one of claims 3 to 6, further comprising a domain registration unit that generates a similar pattern and registers all or a part of the generated similar pattern in the camouflaged site detection rule. Detection device. The spoofed site detection device according to claim 7, wherein the domain registration unit registers all or a part of the input domain related to the first site in the regular similar domain name list. The camouflaged site detection device according to claim 8, wherein the input dangerous site of the first site is registered in the dangerous domain name list. For the first site registered in the predetermined legitimate domain name list, the computer mounted on the spoofed site detection device that detects the spoofed site of the first site is used.
Regarding the judgment target which is the URL of the input second site or a character string extracted from a part of the URL, the second site is disguised as the first site based on at least a predetermined danger site detection rule. A fake site search method that determines whether a site is a dangerous site or a safe site,
A detection result generation means for generating a judgment result message when the site is determined to be a dangerous site by the camouflaged site search means, and a detection result generation means.
A camouflaged site detection program characterized in that it functions as a detection result transmission means for transmitting the determination result message to another device. It is a fake site detection method used for a fake site detection device that detects a fake site of the first site registered in a predetermined regular domain name list.
The camouflaged site search means determines that the URL of the input second site or a character string extracted from a part of the URL is determined by the second site based on at least a predetermined danger site detection rule. Determine if it is a dangerous site or a safe site that is a camouflaged site of the first site,
The detection result generating means generates a message of the determination result when it is determined to be a dangerous site by the camouflaged site search means.
The detection result transmitting means is a camouflaged site detection method characterized in that a message of the determination result is transmitted to another device.

Images