WO2015007231A1 - Method and device for identification of malicious url - Google Patents
Method and device for identification of malicious URL
- Publication number: WO2015007231A1 (application PCT/CN2014/082468)
- Authority: WO (WIPO (PCT))
- Prior art keywords: url, address, malicious, blacklist, matching
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/30—Managing network names, e.g. use of aliases or nicknames
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Definitions
- The present invention relates to the field of computer security, and more particularly to a method and apparatus for identifying a malicious URL.
- Background of the invention
- A URL (Uniform Resource Locator), also called a web address, is the address of a standard resource on the Internet.
- Through a URL, a user can access the corresponding web content on the network.
- A malicious URL is the URL of a fraudulent, phishing or trojan-embedded web page.
- A user who accesses a malicious URL may suffer adverse effects such as economic loss, disclosure of personal privacy information, or infection of the user's computer with a Trojan virus.
- Identification of a malicious URL is mainly based on the content of the web page.
- That is, the content of the web page is analyzed to determine whether the URL of the web page is a malicious URL.
- However, a hacker can make the web page display essentially no text content through complex encoding, page encryption, multiple JS redirects, or exploiting a vulnerability in a large website to upload a fake QQ Space phishing page.
- Such malicious URLs are difficult to detect, which reduces the identification rate of malicious URLs.
- An embodiment of the present invention provides a method for identifying a malicious URL, comprising the steps of:
- matching a URL included in the content of a communication message with a preset URL blacklist, and generating a risk prompt if the URL matches successfully; otherwise, matching the IP address of the sending end device of the communication message with a preset IP address blacklist, and generating a risk prompt if the IP address matches successfully.
- An embodiment of the present invention further provides an apparatus for identifying a malicious URL, comprising:
- a URL matching unit configured to match a URL included in the content of a communication message with a preset URL blacklist;
- an IP address matching unit configured to match the IP address of the sending end device of the communication message with a preset IP address blacklist when the URL matching fails; and
- a risk prompting unit configured to generate a risk prompt when the URL matching succeeds or the IP address matching succeeds.
- With the embodiment of the present invention it is possible to identify whether a URL propagated by a communication message is a malicious URL, and to give the user a risk prompt when the identification result is YES.
- Because the embodiment of the present invention can prompt the user before the user accesses the malicious URL, the web page content of the malicious URL does not need to be analyzed. Therefore, even if the hacker uses technical means to make the web page display essentially no text content, the malicious URL can still be identified. That is, with the embodiment of the present invention, the identification effect for malicious URLs can be effectively improved.
- FIG. 1 is a flowchart of a method for identifying a malicious URL according to an embodiment of the present invention;
- FIG. 2 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention;
- FIG. 3 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention;
- FIG. 4 is a schematic structural diagram of an apparatus for identifying a malicious URL according to an embodiment of the present invention;
- FIG. 5 is a schematic structural diagram of an apparatus for identifying a malicious URL according to another embodiment of the present invention;
- FIG. 7 is a schematic structural diagram of an apparatus for identifying a malicious URL according to another embodiment of the present invention.
- An embodiment of the present invention provides a method for identifying a malicious URL, as shown in FIG. 1.
- Step S11: the URL included in the content of the communication message is matched with the preset URL blacklist. If the URL matches successfully, a risk prompt is generated; otherwise, the process proceeds to step S12.
- After generating a malicious URL, a hacker usually needs to insert it into communication messages sent through messaging software such as instant messaging software or a mail system in order to spread it widely. For example, after generating a malicious URL used for QQ hacking, www.xxx.yyy.com/zzl, the hacker uses instant messaging software such as QQ to send a large number of instant messages including the malicious URL to users of that software. Once a user who receives such a message opens the malicious URL www.xxx.yyy.com/zzl, the user's QQ password is likely to be leaked, with adverse effects such as economic loss or disclosure of personal privacy information. Malicious URLs can also be spread widely by mass mailing: a hacker can send a batch of e-mails including the malicious URL to mail users, thereby threatening the security of their computers.
- A batch of malicious domain names is typically spread over a period of time, and they keep spreading until security software recognizes them. For example, a malicious URL under a malicious domain name, www.xxx.yyy.com/zzl, may be sent to user group A, user group B and user group C at different times within that period. That is, after the users of user group A have been threatened by the malicious URL, other user groups may still be threatened by the same malicious URL for some time afterwards.
- The idea of the embodiment of the present invention is to identify the URL after it is obtained from the communication message received by the user, so that a malicious URL triggers an alarm while it is still in its propagation phase.
- Specifically, the URL included in the content of the communication message is first matched with the preset URL blacklist.
- In the embodiment of the present invention, identification of a malicious URL is based on a preset URL blacklist and a preset IP address blacklist; that is, whether a URL is malicious is determined by URL matching and IP address matching.
- The URL blacklist and the IP address blacklist may be updated and upgraded in a timely manner so that newly generated malicious URLs can be identified.
- The URL blacklist and the IP address blacklist may be stored on the client device.
- In that case the URL blacklist and the IP address blacklist may be upgraded in the same way as the virus database of antivirus software is upgraded,
- that is, a remote server is used to complete the update.
- Alternatively, the URL blacklist and the IP address blacklist are stored on a cloud server, and a cloud URL identification server identifies the URL included in the content of the communication message in a manner similar to the cloud scanning of antivirus software.
- During identification, the URL included in the content of the communication message may first be matched with the URL blacklist. If the URL exists in the URL blacklist, the match succeeds, meaning the URL is a malicious URL. At this point a risk prompt message can be generated to warn the user who received the communication message that the URL in it is risky.
- For example, the content of the user's communication messages can be monitored on the user's client device,
- and each URL found is matched with the URL blacklist stored on the client device. For example, when the URL included in the content of a QQ message, "www.xxx.yyy.com/zzl", matches the URL blacklist successfully, the URL is a malicious URL.
- A risk prompt can then be generated for the user. For example, a prompt box can be popped up to remind the user that the URL is risky, so that the user does not suffer a loss from accessing it.
- Step S12: the IP address of the sending end device of the communication message is matched with the preset IP address blacklist. If the IP address matches successfully, a risk prompt is generated.
- Failure of the URL matching only indicates that the URL is not in the URL blacklist; it does not indicate that the URL is not a malicious URL.
- This is because a device with one IP address can generate many URLs, and not all of its malicious URLs may be included in the URL blacklist. That is, if the IP address of the sending end device of the communication message is included in the IP address blacklist, the URL it sent is very likely to be a malicious URL even if that URL is not included in the URL blacklist. Therefore, IP address matching can further improve the identification rate of malicious URLs.
- For example, suppose the URL www.xxx.yyy.com/zzl has not yet been added to the URL blacklist,
- so the URL www.xxx.yyy.com/zzl is not identified as a malicious URL by URL matching.
- The IP address corresponding to the URL www.xxx.yyy.com/zzl can be obtained: aaa.bbb.ccc.ddd.
- IP address matching in the embodiment of the present invention can then identify whether the sending end device of the communication message is a terminal device that sends malicious URLs.
- If the IP address matches successfully, the sending end device is a device that sends malicious URLs, and a URL included in a communication message sent by that device may itself be a malicious URL. By matching IP addresses, malicious URLs that do not exist in the URL blacklist can be identified.
- A risk prompt can then be generated for the user. For example, a prompt box can be popped up to alert the user that the URL is risky, so that the user is not compromised by accessing it.
- Because malicious URLs are characteristically propagated through group communication messages, identifying the URL included in the communication message lets the user receive a risk reminder before accessing the malicious URL, thereby avoiding the risk.
- The method for identifying a malicious URL shown in FIG. 1 may further include a domain name matching step. Specifically, after the URL matching fails, the method may further include: matching the domain name of the URL with a preset suspicious domain name database; and if the domain name matches successfully, performing the IP address matching.
- Malicious URLs also have the characteristic that a large number of them are usually generated under the same domain name.
- For example, the domain name www.xxx.yyy.com may include many malicious URLs such as www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 and www.xxx.yyy.com/zz4. If URL matching fails for the URL www.xxx.yyy.com/zzl but the domain name www.xxx.yyy.com already exists in the suspicious domain name database, then all URLs under that domain name may be malicious URLs.
- FIG. 2 is a flowchart of the method for identifying a malicious URL in another embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
- Step S22 (performed when the URL matching of step S21 fails): the domain name of the URL is matched with the preset suspicious domain name database. If the domain name matches successfully, step S23 is performed.
- Step S21 and step S23 are similar to step S11 and step S12 shown in FIG. 1, respectively, and their details are not described again here.
- The method for identifying a malicious URL may further include automatic upgrade steps for the URL blacklist, the suspicious domain name database and the IP address blacklist, so as to improve the recognition rate of malicious URLs.
- FIG. 3 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention. The method includes an upgrade procedure for the URL blacklist, the suspicious domain name database and the IP address blacklist, as follows.
- After a URL is successfully matched against the URL blacklist, the domain name of that malicious URL may be added to the preset suspicious domain name database, so that the database is updated in time and other malicious URLs under the same domain name can also be identified in time.
- For example, when www.xxx.yyy.com/zzl is identified as a malicious URL, the domain name www.xxx.yyy.com is added to the suspicious domain name database.
- When other URLs under the domain name www.xxx.yyy.com, such as www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 or www.xxx.yyy.com/zz4, are later checked,
- these URLs can be recognized by domain name matching even if they are not in the URL blacklist.
- Likewise, the IP address of the sending end device of the communication message may be added to the preset IP address blacklist, so that the IP address blacklist is updated in time, and thereby
- other malicious URLs sent from the IP address of that sending end device can also be identified in time.
- For example, the IP address corresponding to the malicious URL www.xxx.yyy.com/zzl can be obtained: aaa.bbb.ccc.ddd.
- After the IP address aaa.bbb.ccc.ddd is added to the IP address blacklist,
- all communication messages that include the malicious URLs www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 and www.xxx.yyy.com/zz4
- and are sent through the terminal device with the IP address aaa.bbb.ccc.ddd can be identified.
- The method for identifying a malicious URL may further include adding the URL to the URL blacklist after the IP address matches successfully, so that the URL blacklist is also updated in time.
- The URL matching, IP address matching and domain name matching in the embodiments of the present invention can be implemented on the receiving end device of the communication message.
- In that case the URL blacklist, IP address blacklist and suspicious domain name database on the user's terminal can be upgraded through a remote server.
- The URL matching, IP address matching and domain name matching in the embodiments of the present invention may also be implemented by the server that forwards the communication message. That is, while forwarding the communication message, the server performs URL matching on the URL included in the content of the message; after the URL matching fails, it matches the domain name of the URL with the preset suspicious domain name database; and after the domain name matches successfully, it matches the IP address of the sending end device of the message with the IP address blacklist. In this case the URL blacklist, the IP address blacklist and the suspicious domain name database can all be stored on the cloud server.
- In the embodiment of the present invention, a URL blacklist, a suspicious domain name database and an IP address blacklist are preset.
- A URL carried in a communication message can be matched against the preset URL blacklist, suspicious domain name database and IP address blacklist to identify whether the URL propagated through the communication message is a malicious URL, and the user is given a risk prompt when it is. Because the user can be prompted as soon as the communication message including the malicious URL is obtained, the web page content of the malicious URL does not need to be analyzed.
- Therefore, even if the hacker uses technical means to make the web page display essentially no text content, the embodiment of the present invention can still identify the malicious URL. That is, with the embodiment of the present invention, the identification effect for malicious URLs can be effectively improved.
- Further, by updating the URL blacklist, the IP address blacklist and the suspicious domain name database, the embodiment of the present invention can effectively identify malicious URLs included in other communication messages sent under the same domain name or from the same IP address, so the identification effect for malicious URLs is further improved.
- FIG. 4 is a schematic structural diagram of an apparatus for identifying a malicious URL according to an embodiment of the present invention.
- The apparatus includes a URL matching unit 01, an IP address matching unit 02 and a risk prompting unit 03.
- The URL matching unit 01 is configured to match the URL included in the content of the communication message with the preset URL blacklist.
- The IP address matching unit 02 is configured to match the IP address of the sending end device of the communication message with the preset IP address blacklist when the URL matching fails.
- The risk prompting unit 03 is configured to generate a risk prompt when the URL matching succeeds or the IP address matching succeeds.
- After generating a malicious URL, a hacker usually needs to insert it into communication messages sent through messaging software such as instant messaging software or a mail system in order to spread it widely. For example, after generating a malicious URL used for QQ hacking, www.xxx.yyy.com/zzl, the hacker uses instant messaging software such as QQ to send a large number of instant messages including the malicious URL to users of that software. Once a user who receives such a message opens the malicious URL www.xxx.yyy.com/zzl, the user's QQ password is likely to be leaked, with adverse effects such as economic loss or disclosure of personal privacy information. Malicious URLs can also be spread by mass mailing: a hacker can send a batch of messages including the malicious URL to mail users, thereby threatening the security of their computers.
- A batch of malicious domain names is typically spread over a period of time, and they keep spreading until security software recognizes them. For example, a malicious URL under a malicious domain name, www.xxx.yyy.com/zzl, may be sent to user group A, user group B and user group C at different times within that period. That is, after the users of user group A have been threatened by the malicious URL, other user groups may still be threatened by the same malicious URL for some time afterwards.
- The idea of the embodiment of the present invention is to identify the URL after it is obtained from the communication message received by the user, so that a malicious URL triggers an alarm while it is still in its propagation phase.
- Specifically, the URL included in the content of the communication message is first matched with the preset URL blacklist by the URL matching unit 01.
- In the embodiment of the present invention, identification of a malicious URL is based on a preset URL blacklist and a preset IP address blacklist; that is, whether a URL is malicious is determined by URL matching and IP address matching.
- The URL blacklist and the IP address blacklist may be updated and upgraded in a timely manner so that newly generated malicious URLs can be identified.
- The URL blacklist and the IP address blacklist may be stored on the client device.
- In that case the URL blacklist and the IP address blacklist may be upgraded in the same way as the virus database of antivirus software is upgraded,
- that is, a remote server is used to complete the update.
- Alternatively, the URL blacklist and the IP address blacklist are stored on a cloud server, and a cloud URL identification server identifies the URL included in the content of the communication message in a manner similar to the cloud scanning of antivirus software.
- The URL matching unit 01 first matches the URL included in the content of the communication message with the URL blacklist. If the URL exists in the URL blacklist, the match succeeds, meaning that the URL is a malicious URL. At this point the risk prompting unit 03 can generate a risk prompt message to warn the user who received the communication message that the URL in it is risky.
- For example, the apparatus for identifying a malicious URL in the embodiment of the present invention can monitor the content of the user's communication messages, such as the content of QQ messages, on the user's client device,
- and match each URL with the URL blacklist stored on the client device. For example, when the URL included in the content of a QQ message, "www.xxx.yyy.com/zzl", matches the URL blacklist successfully, the URL is a malicious URL.
- The risk prompting unit 03 can then generate a risk prompt for the user. For example, a prompt box can be popped up to remind the user
- that the URL is risky, so that the user does not suffer a loss from accessing it.
- Failure of the URL matching by the URL matching unit 01 only indicates that the URL is not in the URL blacklist; it does not indicate that the URL is not a malicious URL. This is because a device with one IP address can generate many URLs, and not all of its malicious URLs may be included in the URL blacklist. That is, if the IP address of the sending end device of the communication message is included in the IP address blacklist, the URL it sent is very likely to be a malicious URL even if that URL is not included in the URL blacklist. Therefore, IP address matching by the IP address matching unit 02 can further improve the recognition rate of malicious URLs.
- For example, suppose the URL www.xxx.yyy.com/zzl has not yet been added to the URL blacklist; then the URL www.xxx.yyy.com/zzl is not identified as a malicious URL by the URL matching unit 01.
- The IP address corresponding to the URL www.xxx.yyy.com/zzl can be obtained: aaa.bbb.ccc.ddd.
- IP address matching by the IP address matching unit 02 in the embodiment of the present invention can then identify whether the sending end device of the communication message is a terminal device that sends malicious URLs.
- If the IP address matches successfully, the sending end device is a device that sends malicious URLs, and a URL included in a communication message sent by that device is likely to be a malicious URL.
- The risk prompting unit 03 can then generate a risk prompt for the user. For example, a prompt box may be popped up to alert the user that the URL is risky, so that the user does not suffer a loss from accessing it.
- Because malicious URLs are characteristically propagated through group communication messages, matching and identifying the URL included in the communication message lets the user receive a risk reminder before accessing the malicious URL, thereby avoiding the loss the user would suffer from accessing it.
- Because the apparatus for identifying a malicious URL provided by the embodiment of the present invention can identify whether a URL is malicious without analyzing the content of the web page, a hacker cannot prevent the malicious URL from being detected by technical means such as complex encoding, page encryption, multiple JS redirects, or exploiting vulnerabilities of large websites to upload fake QQ Space phishing pages. Therefore, the apparatus for identifying a malicious URL provided by the embodiment of the present invention can effectively improve the identification effect for malicious URLs.
- FIG. 5 is a schematic structural diagram of the apparatus for identifying a malicious URL in another embodiment of the present invention.
- The apparatus may further include a domain name matching unit 04. Specifically, after the URL matching fails, the domain name matching unit 04 matches the domain name of the URL with the preset suspicious domain name database, and if the domain name matches successfully,
- the IP address matching unit 02 performs the IP address matching.
- Malicious URLs also have the characteristic that a large number of them are usually generated under the same domain name.
- For example, the domain name www.xxx.yyy.com may include many malicious URLs such as www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 and www.xxx.yyy.com/zz4. If URL matching fails for the URL www.xxx.yyy.com/zzl but the domain name www.xxx.yyy.com already exists in the suspicious domain name database, then all the URLs under that domain name may be malicious URLs.
- In this embodiment, the URL matching unit 01 matches the URL included in the content of the communication message with the preset URL blacklist;
- the domain name matching unit 04 matches the domain name of the URL with the preset suspicious domain name database when the URL matching fails;
- the IP address matching unit 02 matches the IP address of the sending end device of the communication message with the preset IP address blacklist when the domain name matches successfully; and
- the risk prompting unit 03 generates a risk prompt when the URL matching succeeds or the IP address matching succeeds.
- The URL matching unit 01 and the IP address matching unit 02 in this embodiment function similarly to the URL matching unit 01 and the IP address matching unit 02 shown in FIG. 1, and are not described again.
- FIG. 6 is a schematic structural diagram of an apparatus for identifying a malicious URL according to another embodiment of the present invention.
- The apparatus may further include a URL blacklist updating unit 011, a suspicious domain name database updating unit 041 and an IP address blacklist updating unit 021, which implement automatic upgrading of the URL blacklist, the suspicious domain name database and the IP address blacklist so as to increase the recognition rate of malicious URLs.
- The suspicious domain name database updating unit 041 can add the domain name of a malicious URL to the preset suspicious domain name database, so that the database is updated in time and other malicious URLs under that domain name can also be identified in time.
- For example, the domain name www.xxx.yyy.com includes many malicious URLs such as www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 and www.xxx.yyy.com/zz4. If the URL www.xxx.yyy.com/zzl is matched successfully by URL matching, the URL is a malicious URL. So that the other malicious URLs under the domain name www.xxx.yyy.com to which www.xxx.yyy.com/zzl belongs are not missed, the suspicious domain name database is updated: the suspicious domain name database updating
- unit 041 adds the domain name www.xxx.yyy.com to the suspicious domain name database. In this way, when other URLs under the domain name www.xxx.yyy.com, such as www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 or www.xxx.yyy.com/zz4, are later checked, they can be recognized by domain name matching even if they are not included in the URL blacklist.
- The IP address blacklist updating unit 021 can add the IP address of the sending end device of the communication message to the preset IP address blacklist, so that the IP address blacklist is updated in time and other malicious URLs sent from the IP address of that sending end device can also be identified in time.
- For example, the IP address corresponding to the malicious URL www.xxx.yyy.com/zzl can be obtained: aaa.bbb.ccc.ddd.
- After the IP address blacklist updating unit 021 adds the IP address aaa.bbb.ccc.ddd to the IP address blacklist, all malicious URLs in communication messages sent by the device corresponding to that IP address can be identified.
- For example, the communication messages that include the malicious URLs www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 and www.xxx.yyy.com/zz4
- and are sent through the terminal device with the IP address aaa.bbb.ccc.ddd can be identified.
- The apparatus for identifying a malicious URL may further include a URL blacklist updating unit 011 configured to add the URL to the URL blacklist after the IP address matching unit 02 performs the IP address matching successfully.
- The URL matching unit, the IP address matching unit and the domain name matching unit in the embodiment of the present invention may be provided on the receiving end device of the communication message,
- for example on the user's computer or mobile phone.
- The URL blacklist, IP address blacklist and suspicious domain name database stored on these user terminal devices can also be upgraded through a remote server to improve the user's defense against new malicious URLs.
- The URL matching unit, the IP address matching unit and the domain name matching unit in the embodiment of the present invention may also be provided in the server that forwards the communication message.
- In that case the server may perform URL matching on the URL included in the content of the communication message while forwarding the message; after the URL matching fails, the domain name of the URL is matched with the preset suspicious domain name database; and after the domain name matches successfully, the IP address of the sending end device of the message is matched with the IP address blacklist. In this case the URL blacklist, the IP address blacklist and the suspicious domain name database can all be stored on the cloud server.
- In the embodiment of the present invention, a URL blacklist, a suspicious domain name database and an IP address blacklist are preset.
- A URL carried in a communication message can be matched against the preset URL blacklist, suspicious domain name database and IP address blacklist to identify whether the URL propagated through the communication message is a malicious URL, and the user is given a risk prompt when it is. Because the user can be prompted as soon as the communication message including the malicious URL is obtained, the web page content of the malicious URL does not need to be analyzed.
- Therefore, even if the hacker uses technical means to make the web page display essentially no text content, the embodiment of the present invention can still identify the malicious URL. That is, with the embodiment of the present invention, the identification effect for malicious URLs can be effectively improved.
- Further, by updating the URL blacklist, the IP address blacklist and the suspicious domain name database, the embodiment of the present invention can effectively identify malicious URLs included in other communication messages sent under the same domain name or from the same IP address, so the identification effect for malicious URLs is further improved.
- FIG. 7 is a schematic structural diagram of an apparatus for authenticating a malicious URL according to another embodiment of the present invention.
- the authentication device includes at least: a memory 71 and a processor 72 in communication with the memory 71, wherein the memory 71 includes URL matching instructions, IP address matching instructions, and risk alert instructions executable by the processor 72.
- the memory 71 can be a non-volatile computer readable storage medium, and the URL matching instructions, IP address matching instructions, and risk alert instructions can be machine readable instructions stored in the memory 71.
- Processor 72 can execute machine readable instructions stored in memory 71.
- the URL matching command is used to match the URL included in the content of the communication message with the preset URL blacklist.
- the IP address matching command is configured to match the IP address of the sending end device of the communication message with the preset IP address blacklist when the URL matching fails.
- the risk alert command is used to generate a risk alert when the URL match is successful or the IP address matches successfully.
- the memory 71 also stores a domain name matching command, configured to match the domain name of the URL against a preset suspicious domain name database after the URL matching fails. If the domain name matches successfully, the IP address matching command performs the IP address matching.
- the suspicious domain name database update instruction is also stored in the memory 71 for adding the domain name of the URL to the suspicious domain name library after the URL matching is successful.
- the memory 71 also stores an IP address blacklist update command for adding the IP address of the sender device of the communication message to the IP address blacklist after the URL is successfully matched.
- the memory 71 also stores a URL blacklist update command for adding the URL to the URL blacklist when the IP address matches successfully.
- the URL matching instruction, the IP address matching instruction, and the domain name matching instruction are set in the receiving end device of the communication message.
- the URL matching instruction, the IP address matching instruction, and the domain name matching instruction are set to a server that forwards the communication message.
Abstract
A method and device for identification of a malicious URL. The method comprises: a URL that is comprised in the content of a communication message is matched with URLs in a predetermined URL blacklist; if the URL match is successful, a risk warning is generated, otherwise, an IP address of a transmitting-end device of the communication message is matched with IP addresses in a predetermined IP address blacklist; and if the IP address match is successful, then a risk warning is generated.
Description
Method and device for identifying malicious URLs
Technical field
The present invention relates to the field of computer security, and more particularly to a method and apparatus for identifying malicious URLs.
Background of the invention
A URL (Uniform Resource Locator), also called a web page address or simply a web address, is the address of a standard resource on the Internet. Through a URL, a user can access the corresponding web page content on the network. A malicious URL is the address of a fraudulent, counterfeit, phishing, or Trojan-hosting web page. When a user inadvertently visits such a page, the user may suffer adverse effects such as financial loss, leakage of personal private information, or infection of the current computer with a Trojan virus.
Current security software can identify malicious URLs and warn the user once a malicious URL is recognized, thereby protecting the user's information and property.
In the prior art, the identification of malicious URLs is mainly based on web page content. For example, the text content of a web page can be examined to determine whether the page's address is a malicious URL. In this approach, keywords characteristic of malicious content must be collected in advance and then matched against the text content of the web page at the URL under examination, and URLs that satisfy the configured matching rules are identified as malicious. However, with this approach a hacker can use techniques such as complex encoding, page encryption, multiple JavaScript redirects, or exploiting vulnerabilities in large websites to upload phishing pages that imitate QQ Zone, so that the web page displays essentially no text content. Malicious URLs then become hard to detect, which reduces the effectiveness of malicious URL identification.
Summary of the invention
Embodiments of the present invention provide a method and apparatus for identifying malicious URLs, so as to improve the effectiveness of malicious URL identification.
A method for identifying a malicious URL, comprising the steps of:
matching a URL included in the content of a communication message against a preset URL blacklist; if the URL match succeeds, generating a risk alert, otherwise:
matching the IP address of the sending device of the communication message against a preset IP address blacklist; if the IP address match succeeds, generating a risk alert.
An apparatus for identifying a malicious URL, comprising:
a URL matching unit, configured to match a URL included in the content of a communication message against a preset URL blacklist;
an IP address matching unit, configured to match the IP address of the sending device of the communication message against a preset IP address blacklist when the URL match fails; and a risk alert unit, configured to generate a risk alert when the URL match or the IP address match succeeds.
With the embodiments of the present invention, it is possible to identify whether a URL propagated by a communication message is malicious and to present a risk alert to the user when it is. Because the embodiments can alert the user before the user visits the malicious URL, the web page content at the malicious URL need not be examined. Therefore, even if a hacker uses technical means to make the web page display essentially no text content, the malicious URL can still be identified with the embodiments of the present invention. That is, the embodiments of the present invention effectively improve the identification of malicious URLs.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for identifying a malicious URL according to an embodiment of the present invention; FIG. 2 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention; FIG. 3 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention; FIG. 4 is a schematic structural diagram of an apparatus for identifying a malicious URL according to an embodiment of the present invention; FIG. 5 is a schematic structural diagram of an apparatus for identifying a malicious URL according to another embodiment of the present invention; FIG. 6 is a schematic structural diagram of an apparatus for identifying a malicious URL according to another embodiment of the present invention; FIG. 7 is a schematic structural diagram of an apparatus for identifying a malicious URL according to another embodiment of the present invention.
Mode for carrying out the invention
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the scope of protection of the present invention.
To solve the problem of poor malicious URL identification in the prior art, an embodiment of the present invention provides a method for identifying a malicious URL which, as shown in FIG. 1, includes the following steps:
S11. Match the URL included in the content of a communication message against a preset URL blacklist; if the URL match succeeds, generate a risk alert, otherwise proceed to step S12.
After generating a malicious URL, a hacker usually needs to place it into communication messages sent through messaging software such as instant messaging programs or e-mail systems in order to spread it widely. For example, after generating a malicious URL for stealing QQ accounts, www.xxx.yyy.com/zz1, the hacker will use instant messaging software such as QQ to mass-send a communication message containing that URL to a large number of the software's users. Once a recipient opens the malicious URL www.xxx.yyy.com/zz1 in the message, the QQ password is likely to be leaked, which in turn may cause adverse effects such as financial loss or leakage of personal private information. Malicious URLs can also be spread widely through mass e-mail; for example, a hacker can send e-mail containing the malicious URL to many mail users, threatening the security of their computers.
The malicious propagation of malicious URLs generally has the following characteristics:
First, a batch of malicious domain names is propagated over a period of time, and until security software recognizes them, these domain names are spread maliciously again and again. For example, a malicious URL under such a domain name, www.xxx.yyy.com/zz1, is mass-sent over a period of time to different user groups A, B, C, and so on. In other words, after the users of group A have been exposed to the malicious URL, other user groups may be exposed to the same URL for some time afterwards.
Second, when a URL sent from a given IP address is malicious, most URLs included in communication messages sent from that IP address over a period of time are also malicious. Because the hardware a hacker owns is generally limited, the IP addresses of that hardware are relatively fixed, and so the IP addresses from which malicious URLs originate are relatively fixed as well. To spread malicious URLs widely, many malicious URLs may be generated from a single IP address; in other words, other URLs produced by an IP address that has produced one malicious URL are likely to be malicious too.
Based on these characteristics, the idea of the embodiments of the present invention is to examine the URL contained in a communication message received by the user as soon as it is obtained, so that a malicious URL triggers an alert while it is still in its propagation phase. To this end, in the embodiments of the present invention, the URL included in the content of the communication message is first matched against a preset URL blacklist.
In the embodiments of the present invention, the identification of malicious URLs is based on a preset URL blacklist and a preset IP address blacklist; that is, URL matching and IP address matching are used to determine whether a URL is malicious.
In practice, the URL blacklist and IP address blacklist of the embodiments can be refined through timely updates and upgrades so that newly generated malicious URLs can be identified. For example, when the URL identification process runs on a client device, the URL blacklist and IP address blacklist can be stored on the client device and updated through a remote server, in the same way that antivirus software updates its virus signature database. Alternatively, the URL blacklist and IP address blacklist can be stored on a cloud server, and a cloud URL identification server examines the URL included in the content of the communication message in a manner similar to the cloud scanning of antivirus software.
Specifically, the URL included in the content of the communication message is first matched against the URL blacklist. If the URL is present in the URL blacklist, the match succeeds, which means the URL is malicious. At this point, a risk alert message can be generated to warn the user who received the communication message that the URL in the message is risky.
In practice, the content of the user's communication messages, such as QQ messages, can be monitored on the user's client device. When the content of a QQ message received by the user includes a URL, that URL is matched against the URL blacklist stored on the client device. For example, if the URL "www.xxx.yyy.com/zz1" in the QQ message content matches an entry in the URL blacklist, the URL is malicious. After a successful URL match, a risk alert can be generated for the user, for instance by popping up a dialog that warns the user that the URL is risky, so that the user does not suffer a loss from visiting it.
S12. If the URL match fails, match the IP address of the sending device of the communication message against a preset IP address blacklist; if the IP address match succeeds, generate a risk alert.
Although a failed URL match shows that the URL is not in the URL blacklist, it does not show that the URL is benign. A device at a single IP address can generate many URLs, and the malicious ones among them may not yet be in the URL blacklist. In other words, if the IP address of the sending device of the communication message is in the IP address blacklist, the URL it sends is very likely malicious even though that URL is not yet in the URL blacklist. IP address matching therefore further raises the detection rate of malicious URL identification.
For example, because the URL www.xxx.yyy.com/zz1 has not yet been added to the URL blacklist, it is not identified as malicious by URL matching. However, according to the characteristics of the IP protocol, the IP address corresponding to www.xxx.yyy.com/zz1, aaa.bbb.ccc.ddd, can be obtained. Through the IP address matching of the embodiments of the present invention, it can be determined whether the sending device of the communication message is a terminal used to send malicious URLs: if the IP address aaa.bbb.ccc.ddd is in the IP address blacklist, the sending device is a sender of malicious URLs, and any URL included in a communication message it sends is very likely malicious. IP address matching thus identifies malicious URLs that are not present in the URL blacklist.
Likewise, after a successful IP address match, a risk alert can be generated for the user, for example by popping up a dialog that warns the user that the URL is risky, so that the user does not suffer a loss from visiting it.
In the embodiments of the present invention, the fact that malicious URLs are spread through mass communication messages is exploited: by examining the URLs included in communication messages, the user receives a risk alert before visiting the malicious URL, avoiding the loss that visiting it could cause. Because the identification method provided by the embodiments determines whether a URL is malicious without examining web page content, a hacker cannot evade detection of the malicious URL through techniques such as complex encoding, page encryption, multiple JavaScript redirects, or exploiting vulnerabilities in large websites to upload phishing pages imitating QQ Zone. The method provided by the embodiments therefore effectively improves the identification of malicious URLs.
In another embodiment of the present invention, the method of FIG. 1 may further include a domain name matching step. Specifically, after the URL match fails, the method may further include: matching the domain name of the URL against a preset suspicious domain name database; and, if the domain name match succeeds, performing the IP address matching.
Malicious URLs have a further characteristic: many malicious URLs are usually derived from the same domain name. For example, the domain name www.xxx.yyy.com may have many malicious URLs under it, such as www.xxx.yyy.com/zz1, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3, and www.xxx.yyy.com/zz4. If the URL match for www.xxx.yyy.com/zz1 fails but the domain name www.xxx.yyy.com already exists in the suspicious domain name database, then every URL under that domain name may be malicious. The URL www.xxx.yyy.com/zz1 therefore needs to be examined further: after the domain name match succeeds, IP address matching is performed to determine whether www.xxx.yyy.com/zz1 is malicious.
Building on the method of FIG. 1, FIG. 2 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
S21. Match the URL included in the content of a communication message against a preset URL blacklist; if the URL match succeeds, generate a risk alert, otherwise perform step S22.
S22. Match the domain name of the URL against a preset suspicious domain name database; if the domain name match succeeds, perform step S23.
S23. Match the IP address of the sending device of the communication message against a preset IP address blacklist; if the IP address match succeeds, generate a risk alert.
In this embodiment, the specific implementation of steps S21 and S23 is similar to that of steps S11 and S12 of FIG. 1 and is not repeated here.
In the embodiments of the present invention, the method may further include steps for automatically updating the URL blacklist, the suspicious domain name database, and the IP address blacklist, so as to raise the detection rate of malicious URLs. FIG. 3 is a flowchart of a method for identifying a malicious URL according to another embodiment of the present invention; this method includes update steps for the URL blacklist, the suspicious domain name database, and the IP address blacklist, as follows.
Once a malicious URL has been identified, it can be inferred that other URLs under the same domain name may also be malicious. Therefore, in the embodiments of the present invention, the domain name of the malicious URL may be added to the preset suspicious domain name database, so that the database is updated promptly and other malicious URLs under that domain name can be identified in time.
Assume again that the domain name www.xxx.yyy.com has many malicious URLs under it, such as www.xxx.yyy.com/zz1, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3, and www.xxx.yyy.com/zz4. If www.xxx.yyy.com/zz1 is successfully matched by URL matching, it is malicious. While the user is alerted about this malicious URL, and in order to guard against the other URLs under the domain name www.xxx.yyy.com to which www.xxx.yyy.com/zz1 belongs, the embodiments of the present invention can add the domain name www.xxx.yyy.com to the suspicious domain name database. In this way, when other URLs under www.xxx.yyy.com, such as www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3, or www.xxx.yyy.com/zz4, are examined, they can be recognized by domain name matching even though they are not in the URL blacklist.
Similarly, once a malicious URL has been identified, the sending device of the communication message carrying it can be determined to be a source of malicious URLs, so other URLs sent from that device's IP address can also be identified as malicious. Accordingly, in the embodiments of the present invention, the IP address of the sending device may be added to the preset IP address blacklist, so that the blacklist is updated promptly and other malicious URLs sent from that IP address can be identified in time.
For example, once the malicious URL www.xxx.yyy.com/zz1 has been identified, the IP address corresponding to it, aaa.bbb.ccc.ddd, can be obtained according to the characteristics of the IP protocol. By adding the IP address aaa.bbb.ccc.ddd to the IP address blacklist, all malicious URLs included in communication messages sent by the sending device with that IP address can be identified.
Suppose, for instance, that the communication messages containing the malicious URLs www.xxx.yyy.com/zz1, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3, and www.xxx.yyy.com/zz4 are all sent from a terminal device with IP address aaa.bbb.ccc.ddd. After www.xxx.yyy.com/zz1 has been identified as malicious and aaa.bbb.ccc.ddd has been added to the IP address blacklist, an examination of www.xxx.yyy.com/zz4 can recognize it as malicious because its corresponding IP address, aaa.bbb.ccc.ddd, is already in the IP address blacklist.
Furthermore, even when the URL match fails during identification, the URL is quite likely to be identified as malicious by the subsequent IP address match. Therefore, in the embodiments of the present invention, the method may further include adding the URL to the URL blacklist after the IP address match succeeds, so that the URL blacklist is updated promptly.
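The three-stage check of FIG. 3 (S21 URL blacklist, S22 suspicious domain name database, S23 sender IP blacklist) together with the list updates that follow a hit, as an added example in Python that is not the patent's own code. It assumes exact matching on a normalized URL, optional http(s) schemes as in the patent's URL examples, and that the sender IP address is supplied by the messaging layer; the URLs are the page's placeholders and the IP addresses are constructed documentation addresses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added example (not the patent's own code): the three-stage check of FIG. 3
# (S21 URL blacklist, S22 suspicious-domain database, S23 sender-IP blacklist)
# together with the feedback updates that follow a hit.

# Minimal URL extractor for message text. The scheme is optional because the
# patent's examples (www.xxx.yyy.com/zz1) carry none; this is an assumption.
_URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.IGNORECASE
)


def extract_urls(text: str) -> list[str]:
    """Return every URL-looking token in a message body, in order."""
    return [m.group(0) for m in _URL_RE.finditer(text)]


def normalize_url(url: str) -> str:
    """Lower-case, drop an optional http(s):// scheme and a trailing slash,
    so that blacklist lookups are exact matches on a canonical form."""
    url = url.strip().lower()
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            url = url[len(scheme):]
            break
    return url.rstrip("/")


def domain_of(url: str) -> str:
    """Host part of a URL without port, used for the suspicious-domain match."""
    return normalize_url(url).split("/", 1)[0].split(":", 1)[0]


@dataclass
class MaliciousUrlIdentifier:
    """Holds the three lists and applies S21 -> S22 -> S23 with updates."""

    url_blacklist: set[str] = field(default_factory=set)
    suspicious_domains: set[str] = field(default_factory=set)
    ip_blacklist: set[str] = field(default_factory=set)

    def identify(self, url: str, sender_ip: str) -> tuple[bool, str]:
        """Return (is_malicious, reason) for one URL seen in a message from sender_ip."""
        u = normalize_url(url)
        domain = domain_of(u)
        # S21: URL blacklist. A hit also feeds the other two lists, as FIG. 3 does.
        if u in self.url_blacklist:
            self.suspicious_domains.add(domain)
            self.ip_blacklist.add(sender_ip)
            return True, "url_blacklist"
        # S22: only URLs under an already-suspicious domain go on to the IP check.
        if domain not in self.suspicious_domains:
            return False, "domain_not_suspicious"
        # S23: sender IP blacklist. A hit promotes this URL into the URL blacklist.
        if sender_ip in self.ip_blacklist:
            self.url_blacklist.add(u)
            return True, "ip_blacklist"
        return False, "no_match"

    def scan_message(self, text: str, sender_ip: str) -> list[tuple[str, bool, str]]:
        """Check every URL in a message; each entry is (url, is_malicious, reason)."""
        return [(url, *self.identify(url, sender_ip)) for url in extract_urls(text)]


def demo() -> list[tuple[str, bool, str]]:
    """Constructed message stream showing how one blacklist hit propagates.

    Sender IPs are RFC 5737 documentation addresses standing in for the
    patent's placeholder aaa.bbb.ccc.ddd."""
    ident = MaliciousUrlIdentifier(url_blacklist={"www.xxx.yyy.com/zz1"})
    messages = [
        ("Check out www.xxx.yyy.com/zz1 now!", "192.0.2.10"),   # S21 hit
        ("new one: http://www.xxx.yyy.com/zz4", "192.0.2.10"),  # S22 + S23 hit
        ("forwarded: www.xxx.yyy.com/zz4", "198.51.100.7"),     # now an S21 hit
        ("docs at www.example.org/guide", "198.51.100.7"),      # not suspicious
    ]
    results: list[tuple[str, bool, str]] = []
    for text, ip in messages:
        results.extend(ident.scan_message(text, ip))
    return results


if __name__ == "__main__":
    for url, malicious, reason in demo():
        print(f"{'ALERT' if malicious else 'ok   '} {url} ({reason})")
```

The third message shows the effect of the update steps: a URL first caught only through the sender's IP address is afterwards caught by the URL blacklist even when it arrives from a different IP address.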
在实际应用中, 本发明实施例中的 URL匹配、 IP地址匹配和域名 匹配均可以在通讯消息的接收端设备上实施。 也就是说, 可以在用户终 名单、 IP地址黑名单和可疑域名库均可以通过远程的服务器来升级。 In practical applications, URL matching, IP address matching, and domain name matching in the embodiments of the present invention can be implemented on the receiving end device of the communication message. In other words, the user's final list, IP address blacklist, and suspicious domain name library can be upgraded through a remote server.
此外, 本发明实施例中的 URL匹配、 IP地址匹配和域名匹配均可 以由转发通讯消息的服务器来实施。 即, 在服务器转发通讯消息的过程 中, 服务器对通讯消息的内容所包含的 URL进行 URL 匹配, 在 URL 匹配失败后, 将 URL 的域名与预设的可疑域名库进行域名匹配, 并在 域名匹配成功后, 将通讯消息的发送端设备的 IP地址与 IP地址黑名单 进行 IP地址匹配。 此时, URL黑名单、 IP地址黑名单和可疑域名库均 可以存储于云端的服务器中。 In addition, URL matching, IP address matching, and domain name matching in the embodiments of the present invention may be implemented by a server that forwards a communication message. That is, in the process of forwarding the communication message by the server, the server performs URL matching on the URL included in the content of the communication message, and after the URL matching fails, the domain name of the URL is matched with the default suspicious domain name database, and the domain name is matched. After the success, the IP address of the sending device of the communication message is matched with the IP address blacklist. At this point, the URL blacklist, IP address blacklist, and suspicious domain name repository can all be stored in the cloud server.
In summary, in the embodiments of the present invention, a URL blacklist, a suspicious domain name database and an IP address blacklist are set up in advance according to the propagation characteristics of malicious URLs. By obtaining the URL included in the content of a communication message, the domain name of that URL and the IP address of the sending end device of the message, each of these items can be matched against the preset URL blacklist, suspicious domain name database and IP address blacklist respectively, so as to identify whether a URL propagated through a communication message is malicious, and to present a risk prompt to the user when it is. Because the embodiments can prompt the user as soon as the user receives a communication message that includes a malicious URL, the web page content behind the malicious URL does not need to be examined. Therefore, even if a hacker uses technical means to make the web page display essentially no text content, the embodiments can still identify the malicious URL. That is, the embodiments of the present invention can effectively improve the identification of malicious URLs.
In addition, in the embodiments of the present invention, by updating the URL blacklist, the IP address blacklist and the suspicious domain name database in a timely manner, malicious URLs included in other communication messages sent through the same domain name or from the same IP address can be effectively identified, which further improves the identification of malicious URLs.
FIG. 4 is a schematic structural diagram of a malicious URL identification apparatus according to an embodiment of the present invention. As shown in FIG. 4, the apparatus includes a URL matching unit 01, an IP address matching unit 02 and a risk prompting unit 03. The URL matching unit 01 is configured to match the URL included in the content of a communication message against a preset URL blacklist. The IP address matching unit 02 is configured to match the IP address of the sending end device of the communication message against a preset IP address blacklist when the URL match fails. The risk prompting unit 03 is configured to generate a risk prompt when the URL match succeeds or the IP address match succeeds.
After generating a malicious URL, a hacker usually needs to place it in communication messages sent through messaging software, such as instant messaging software or a mail system, in order to spread it widely. For example, after generating a malicious URL www.xxx.yyy.com/zzl for stealing QQ accounts, the hacker uses instant messaging software such as QQ to mass-send a communication message containing that URL to a large number of users of the software. Once a user who receives the message opens the malicious URL www.xxx.yyy.com/zzl, the user's QQ password is very likely to be leaked, which in turn may cause adverse consequences such as financial loss and disclosure of personal private information. Malicious URLs can also be spread widely through mass e-mail: for example, a hacker can mass-send e-mail containing the malicious URL to mail users, threatening the security of their computers.
Malicious propagation of malicious URLs generally has the following characteristics:
First, a batch of malicious domain names is propagated over a period of time, and until security software recognises these domain names they are propagated repeatedly. For example, a malicious URL under a malicious domain name, www.xxx.yyy.com/zzl, is mass-sent over a period of time to different user groups A, B, C and so on. In other words, after the users of group A have been threatened by the malicious URL, other user groups may be threatened by the same malicious URL for some time afterwards.
Second, when a URL sent from an IP address is malicious, most of the URLs included in communication messages sent from that IP address over a period of time are also malicious. Since a hacker generally owns a limited number of hardware devices, the IP addresses of those devices are relatively fixed, and so the IP addresses from which malicious URLs are generated are also relatively fixed. To spread malicious URLs widely, many malicious URLs may be generated from a single IP address. In other words, other URLs generated from an IP address that has already generated one malicious URL are probably also malicious.
Based on the above characteristics, the idea of the embodiments of the present invention is to obtain the URL in a communication message received by the user and to evaluate that URL, so that an alarm is raised while the malicious URL is still in its propagation phase. To this end, in an embodiment of the present invention, the URL matching unit 01 first matches the URL included in the content of the communication message against the preset URL blacklist.
In an embodiment of the present invention, the identification of malicious URLs is based on a preset URL blacklist and a preset IP address blacklist; that is, whether a URL is malicious is determined by URL matching and IP address matching.
In practical applications, the URL blacklist and the IP address blacklist in the embodiments of the present invention can be improved through timely updates and upgrades in order to identify newly generated malicious URLs. For example, when the URL evaluation is performed on a client device, the URL blacklist and the IP address blacklist may be stored on the client device and updated through a remote server, in a manner similar to the way an antivirus product upgrades its virus signature database. Alternatively, the URL blacklist and the IP address blacklist may be stored on a cloud server, and a cloud URL identification server evaluates the URL included in the content of the communication message in a manner similar to the cloud scanning of antivirus software.
Specifically, the URL matching unit 01 first matches the URL included in the content of the communication message against the URL blacklist. If the URL is present in the URL blacklist, the match succeeds, meaning that the URL is malicious. At this point the risk prompting unit 03 can generate a risk prompt to warn the user who received the communication message that the URL in the message is risky.
In practical applications, the malicious URL identification apparatus of the embodiments of the present invention may monitor the content of the user's communication messages, such as the content of QQ messages, on the user's client device. When the content of a QQ message received by the user includes a URL, that URL is matched against the URL blacklist stored on the client device. For example, if the URL www.xxx.yyy.com/zzl included in the QQ message content is matched successfully against the URL blacklist, the URL is malicious. After the URL match succeeds, the risk prompting unit 03 can generate a risk prompt for the user, for example by popping up a dialog box warning that the URL is risky, so that the user does not suffer a loss by visiting it.
Although a failed URL match by the URL matching unit 01 shows that the URL is not in the URL blacklist, it does not show that the URL is not malicious. This is because a device at one IP address can generate many URLs, and the malicious ones among them may not yet be included in the URL blacklist. In other words, if the IP address of the sending end device of the communication message is in the IP address blacklist, the URL it sends is very likely to be malicious even if that URL is not yet in the URL blacklist. Therefore, IP address matching by the IP address matching unit 02 can further raise the detection rate of malicious URLs.
For example, because the URL www.xxx.yyy.com/zzl has not yet been added to the URL blacklist, it is not identified as malicious by the URL matching unit 01. However, based on the characteristics of the IP protocol, the IP address corresponding to the URL www.xxx.yyy.com/zzl, aaa.bbb.ccc.ddd, can be obtained. Through the IP address matching performed by the IP address matching unit 02 of the embodiment, it can be determined whether the sending end device of the communication message is a terminal device used for sending malicious URLs: if the IP address aaa.bbb.ccc.ddd is present in the IP address blacklist, the sending end device is a sender of malicious URLs, and any URL included in a communication message sent by that device is very likely to be malicious. Thus the IP address matching of the IP address matching unit 02 can identify malicious URLs that are not present in the URL blacklist.
Likewise, after the IP address match succeeds, the risk prompting unit 03 can generate a risk prompt for the user, for example by popping up a dialog box warning that the URL is risky, so that the user does not suffer a loss by visiting it.
In the embodiments of the present invention, the fact that malicious URLs are propagated through mass-sent communication messages is exploited by matching and evaluating the URLs included in the messages, so that the user receives a risk warning before visiting the malicious URL, which avoids the losses that visiting it could cause. Since the malicious URL identification apparatus provided by the embodiments can determine whether a URL is malicious without examining the web page content, a hacker cannot evade detection of the malicious URL by techniques such as complex encoding, encrypting the page, multiple JavaScript redirects, or uploading a phishing page that imitates QQ Zone by exploiting a vulnerability in a large website. The malicious URL identification apparatus provided by the embodiments of the present invention can therefore effectively improve the identification of malicious URLs.
Based on the malicious URL identification apparatus shown in FIG. 4, FIG. 5 is a schematic structural diagram of a malicious URL identification apparatus according to another embodiment of the present invention. As shown in FIG. 5, the apparatus may further include a domain name matching unit 04. Specifically, after the URL match fails, the domain name matching unit 04 matches the domain name of the URL against a preset suspicious domain name database, and if the domain name match succeeds, the IP address matching unit 02 then performs the IP address match.
Malicious URLs have a further characteristic: many malicious URLs are usually derived from the same domain name. For example, the domain name www.xxx.yyy.com may have numerous malicious URLs under it, such as www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3, www.xxx.yyy.com/zz4 and so on. If the URL match for www.xxx.yyy.com/zzl fails but the domain name www.xxx.yyy.com already exists in the suspicious domain name database, then every URL under that domain name may be malicious. The URL www.xxx.yyy.com/zzl therefore needs to be evaluated further: after the domain name matching unit 04 matches successfully, the IP address matching unit 02 needs to perform IP address matching to determine whether www.xxx.yyy.com/zzl is a malicious URL.
The functions of the units included in the malicious URL identification apparatus provided by the embodiment shown in FIG. 5 are as follows.
The URL matching unit 01 matches the URL included in the content of the communication message against the preset URL blacklist.
When the URL match fails, the domain name matching unit 04 matches the domain name of the URL against the preset suspicious domain name database.
When the domain name match succeeds, the IP address matching unit 02 matches the IP address of the sending end device of the communication message against the preset IP address blacklist.
The risk prompting unit 03 generates a risk prompt when the URL match succeeds or the IP address match succeeds.
The URL matching unit 01 and the IP address matching unit 02 in this embodiment are similar in function to the URL matching unit 01 and the IP address matching unit 02 shown in FIG. 1, and are not described again here.
FIG. 6 is a schematic structural diagram of a malicious URL identification apparatus according to another embodiment of the present invention. As shown in FIG. 6, the malicious URL identification apparatus may further include a URL blacklist updating unit 011, a suspicious domain name database updating unit 041 and an IP address blacklist updating unit 021, so that the URL blacklist, the suspicious domain name database and the IP address blacklist are upgraded automatically, which raises the detection rate of malicious URLs.
When a malicious URL has been identified, it can be inferred that other URLs under the domain name of that malicious URL may also be malicious. To this end, in an embodiment of the present invention, the suspicious domain name database updating unit 041 may add the domain name of the malicious URL to the preset suspicious domain name database, so that the suspicious domain name database is updated in a timely manner and the other malicious URLs under that domain name can also be identified promptly.
Still assume that the domain name www.xxx.yyy.com has numerous malicious URLs under it, such as www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3, www.xxx.yyy.com/zz4 and so on. If the URL www.xxx.yyy.com/zzl is matched successfully against the URL blacklist, the URL is malicious. While a risk prompt is presented to the user for this malicious URL, and in order to guard against the other URLs under the domain name www.xxx.yyy.com to which www.xxx.yyy.com/zzl belongs, the suspicious domain name database updating unit 041 in the implementation of the present invention may add the domain name www.xxx.yyy.com to the suspicious domain name database. In this way, when other URLs under the domain name www.xxx.yyy.com, such as www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 or www.xxx.yyy.com/zz4, are later evaluated, they can be identified by domain name matching even if they are not included in the URL blacklist.
Similarly, once the URL matching unit 01 has identified a malicious URL, the sending end device of the communication message that carried the malicious URL can be determined to be a source of malicious URLs, so other URLs sent from the IP address of that sending end device can also be identified as malicious. Therefore, further, in an embodiment of the present invention, the IP address blacklist updating unit 021 may add the IP address of the sending end device of the communication message to the preset IP address blacklist, so that the IP address blacklist is updated in a timely manner and other malicious URLs sent from that IP address can also be identified promptly.
For example, after the malicious URL www.xxx.yyy.com/zzl has been identified, the IP address corresponding to that malicious URL, aaa.bbb.ccc.ddd, can be obtained based on the characteristics of the IP protocol. By having the IP address blacklist updating unit 021 add the IP address aaa.bbb.ccc.ddd to the IP address blacklist, all malicious URLs included in communication messages sent by the sending end device at that IP address can be identified.
For example, assume that the communication messages containing the malicious URLs www.xxx.yyy.com/zzl, www.xxx.yyy.com/zz2, www.xxx.yyy.com/zz3 and www.xxx.yyy.com/zz4 are all sent from a terminal device whose IP address is aaa.bbb.ccc.ddd. After the malicious URL www.xxx.yyy.com/zzl has been identified and the IP address aaa.bbb.ccc.ddd has been added to the IP address blacklist, if the URL www.xxx.yyy.com/zz4 is then evaluated, it can be identified as malicious because the IP address aaa.bbb.ccc.ddd corresponding to www.xxx.yyy.com/zz4 already exists in the IP address blacklist.
In an embodiment of the present invention, the malicious URL identification apparatus may further include a URL blacklist updating unit 011, configured to add the URL to the URL blacklist after the IP address matching unit 02 has matched the IP address successfully. When a URL is evaluated, even if the URL match fails, the URL is very likely to be identified as malicious by the subsequent IP address match, so the URL blacklist updating unit 011 can update the URL blacklist in a timely manner.
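The three-stage check of the apparatus in FIG. 4 and FIG. 5 (exact URL blacklist, then suspicious domain name database, then sender IP address blacklist) together with the three feedback updates of FIG. 6, written out in Python as an added example. This code is not part of the patent or of any product; the list contents, the sender addresses (taken from the TEST-NET documentation ranges), the message text and every function and class name are constructed for illustration. The sender IP address is passed in by the caller, since the page does not say how it is obtained on each platform. The require_domain_match flag switches between the FIG. 4 flow (IP match directly after a failed URL match) and the FIG. 5 flow (IP match only after the domain name match succeeds). One step the page does not mention is added: URLs are canonicalised before the exact lookup, because otherwise trivially different spellings of the same URL (upper-case host, explicit default port, fragment) miss the blacklist.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def canonicalize_url(url: str) -> str:
    """Normalise a URL before an exact blacklist lookup.

    Adds a scheme when missing, lower-cases scheme and host, drops a trailing
    dot on the host, drops a default port, defaults an empty path to '/' and
    strips the fragment.  Without this, 'WWW.xxx.yyy.com/zzl' and
    'http://www.xxx.yyy.com/zzl' would be two different blacklist entries.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")          # hostname is already lower-case
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def domain_of(url: str) -> str:
    """Domain name part of a URL (what the domain name matching unit compares)."""
    return urlsplit(canonicalize_url(url)).hostname or ""


class MaliciousUrlChecker:
    """URL -> domain -> sender-IP matching with the page's feedback updates.

    check() returns (is_risky, reason) where reason is 'url', 'ip' or None.
    """

    def __init__(self, url_blacklist=(), suspicious_domains=(), ip_blacklist=(),
                 require_domain_match=True):
        self.url_blacklist = {canonicalize_url(u) for u in url_blacklist}
        self.suspicious_domains = {d.lower().rstrip(".") for d in suspicious_domains}
        self.ip_blacklist = set(ip_blacklist)
        self.require_domain_match = require_domain_match   # True = FIG. 5 flow

    def check(self, url: str, sender_ip: str):
        cu = canonicalize_url(url)
        domain = domain_of(cu)
        if cu in self.url_blacklist:
            # URL match succeeded: warn, and learn the domain and the sender (FIG. 6 units 041, 021)
            self.suspicious_domains.add(domain)
            self.ip_blacklist.add(sender_ip)
            return True, "url"
        if self.require_domain_match and domain not in self.suspicious_domains:
            return False, None                               # domain gate (unit 04) stops here
        if sender_ip in self.ip_blacklist:
            # IP match succeeded: warn, and learn the URL itself (unit 011)
            self.url_blacklist.add(cu)
            return True, "ip"
        return False, None


# Crude URL extractor for message text; good enough for the constructed sample below.
URL_RE = re.compile(r"""(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s<>"']*)?""",
                    re.IGNORECASE)


def scan_message(checker: MaliciousUrlChecker, text: str, sender_ip: str):
    """What a forwarding server would do: pull URLs out of a message and check each."""
    hits = []
    for m in URL_RE.finditer(text):
        candidate = m.group(0).rstrip(".,;:!?)")             # drop sentence punctuation
        risky, reason = checker.check(candidate, sender_ip)
        if risky:
            hits.append((candidate, reason))
    return hits


def walkthrough():
    """Replays the page's zzl / zz4 scenario on constructed data; returns each verdict."""
    checker = MaliciousUrlChecker(url_blacklist=["www.xxx.yyy.com/zzl"])
    steps = {}
    # 1. Blacklisted URL from sender 203.0.113.7: URL match; domain and sender are learned.
    steps["known_url"] = checker.check("WWW.xxx.yyy.com/zzl#frag", "203.0.113.7")
    # 2. Sibling URL not yet blacklisted, same sender: caught via domain + IP; URL learned.
    steps["sibling_same_sender"] = checker.check("http://www.xxx.yyy.com/zz4", "203.0.113.7")
    # 3. The learned sibling from a new sender (explicit default port): now an exact URL match.
    steps["sibling_new_sender"] = checker.check("http://www.xxx.yyy.com:80/zz4", "198.51.100.9")
    # 4. Unrelated domain from the bad sender: the FIG. 5 flow stops at the domain gate...
    steps["other_domain_gated"] = checker.check("www.other.example/login", "203.0.113.7")
    # ...while the FIG. 4 flow (no domain gate) flags it on the sender IP alone.
    loose = MaliciousUrlChecker(ip_blacklist=["203.0.113.7"], require_domain_match=False)
    steps["other_domain_ungated"] = loose.check("www.other.example/login", "203.0.113.7")
    # 5. Server-side scan of a constructed message from the bad sender.
    steps["scan"] = scan_message(
        checker, "Free QQ coins: www.xxx.yyy.com/zz2, details at www.other.example/login.",
        "203.0.113.7")
    return steps, checker


if __name__ == "__main__":
    for name, verdict in walkthrough()[0].items():
        print(f"{name}: {verdict}")
```

Note what the feedback rules imply in practice: one wrong entry in the URL blacklist immediately taints a whole domain and a sender address, and a sender address behind a NAT gateway or a shared messaging server can cover many innocent users. A deployment would normally require review before a domain or IP learned this way is used to generate prompts, and would expire learned entries rather than keep them forever.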
In practical applications, the URL matching unit, the IP address matching unit and the domain name matching unit of the embodiments of the present invention may all be provided on the receiving end device of the communication message, for example on the user's computer or mobile phone. The URL blacklist, IP address blacklist and suspicious domain name database stored on these user terminal devices may also be upgraded through a remote server, to improve the user's defence against newly created malicious URLs.
In addition, the URL matching unit, the IP address matching unit and the domain name matching unit of the embodiments of the present invention may also be provided in a server that forwards communication messages. While forwarding a communication message, the server may perform URL matching on the URL included in the content of the message; after the URL match fails, match the domain name of the URL against the preset suspicious domain name database; and after the domain name match succeeds, match the IP address of the sending end device of the message against the IP address blacklist. In this case the URL blacklist, the IP address blacklist and the suspicious domain name database may all be stored on a cloud server.
In summary, in the embodiments of the present invention, a URL blacklist, a suspicious domain name database and an IP address blacklist are set up in advance according to the propagation characteristics of malicious URLs. By obtaining the URL included in the content of a communication message, the domain name of that URL and the IP address of the sending end device of the message, each of these items can be matched against the preset URL blacklist, suspicious domain name database and IP address blacklist respectively, so as to identify whether a URL propagated through a communication message is malicious, and to present a risk prompt to the user when it is. Because the embodiments can prompt the user as soon as the user receives a communication message that includes a malicious URL, the web page content behind the malicious URL does not need to be examined. Therefore, even if a hacker uses technical means to make the web page display essentially no text content, the embodiments can still identify the malicious URL. That is, the embodiments of the present invention can effectively improve the identification of malicious URLs.
In addition, in the embodiments of the present invention, by updating the URL blacklist, the IP address blacklist and the suspicious domain name database in a timely manner, malicious URLs included in other communication messages sent through the same domain name or from the same IP address can be effectively identified, which further improves the identification of malicious URLs.
FIG. 7 is a schematic structural diagram of a malicious URL identification apparatus according to another embodiment of the present invention. The identification apparatus includes at least a memory 71 and a processor 72 in communication with the memory 71, where the memory 71 contains a URL matching instruction, an IP address matching instruction and a risk prompting instruction that are executable by the processor 72. The memory 71 may be a non-volatile computer-readable storage medium, and the URL matching instruction, the IP address matching instruction and the risk prompting instruction may be machine-readable instructions stored in the memory 71. The processor 72 can execute the machine-readable instructions stored in the memory 71.
The URL matching instruction is used to match the URL included in the content of a communication message against a preset URL blacklist. The IP address matching instruction is used to match the IP address of the sending end device of the communication message against a preset IP address blacklist when the URL match fails. The risk prompting instruction is used to generate a risk prompt when the URL match succeeds or the IP address match succeeds.
The memory 71 further stores a domain name matching instruction, used to match the domain name of the URL against a preset suspicious domain name database after the URL match fails. If the domain name match succeeds, the IP address matching instruction performs the IP address match.
The memory 71 further stores a suspicious domain name database updating instruction, used to add the domain name of the URL to the suspicious domain name database after the URL match succeeds.
The memory 71 further stores an IP address blacklist updating instruction, used to add the IP address of the sending end device of the communication message to the IP address blacklist after the URL match succeeds.
The memory 71 further stores a URL blacklist updating instruction, used to add the URL to the URL blacklist when the IP address match succeeds.
The URL matching instruction, the IP address matching instruction and the domain name matching instruction may be provided on the receiving end device of the communication message.
Alternatively, the URL matching instruction, the IP address matching instruction and the domain name matching instruction may be provided on the server that forwards the communication message.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above description of the disclosed embodiments enables those skilled in the art to make or use the invention. Various modifications to these embodiments are obvious to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein.
Claims
1. A malicious URL identification method, characterised by comprising the steps of:
matching a URL included in the content of a communication message against a preset URL blacklist; if the URL match succeeds, generating a risk prompt; otherwise:
matching the IP address of the sending end device of the communication message against a preset IP address blacklist; and if the IP address match succeeds, generating a risk prompt.
2. The identification method according to claim 1, characterised in that, after the URL match fails, the method further comprises: matching the domain name of the URL against a preset suspicious domain name database; and if the domain name match succeeds, performing the IP address match.
3. The identification method according to claim 1, characterised in that, after the URL match succeeds, the method further comprises:
adding the domain name of the URL to the suspicious domain name database.
4. The identification method according to claim 1, characterised in that, after the URL match succeeds, the method further comprises:
adding the IP address of the sending end device of the communication message to the IP address blacklist.
5. The identification method according to claim 1, characterised in that, after the IP address match succeeds, the method further comprises:
将所述 URL加入所述 URL黑名单。 Add the URL to the URL blacklist.
6、 根据权利要求 2所述的鉴定方法, 其特征在于, 6. The identification method according to claim 2, characterized in that,
所述 URL匹配、 所述 IP地址匹配和所述域名匹配由所述通讯消息 的接收端设备实施。 The URL matching, the IP address matching and the domain name matching are implemented by the receiving end device of the communication message.
7、 根据权利要求 2所述的鉴定方法, 其特征在于, 7. The identification method according to claim 2, characterized in that,
所述 URL匹配、 所述 IP地址匹配和所述域名匹配由转发所述通讯 消息的服务器来实施。 The URL matching, the IP address matching and the domain name matching are implemented by the server that forwards the communication message.
8、 一种恶意 URL鉴定装置, 其特征在于, 包括:
URL 匹配单元, 用于将通讯消息的内容所包括的 URL 与预设的 URL黑名单进行 URL匹配; 8. A malicious URL identification device, characterized by including: URL matching unit, used to URL match the URL included in the content of the communication message with the preset URL blacklist;
IP地址匹配单元, 用于当所述 URL匹配失败时, 将所述通讯消息 的发送端设备的 IP地址与预设的 IP地址黑名单进行 IP地址匹配; 风险提示单元, 用于在 URL匹配成功或 IP地址匹配成功时生成风 险提示。 The IP address matching unit is used to match the IP address of the sending device of the communication message with the preset IP address blacklist when the URL matching fails; the risk warning unit is used to perform IP address matching when the URL matching is successful. Or a risk prompt will be generated when the IP address is successfully matched.
9、 根据权利要求 8所述的鉴定装置, 其特征在于, 还包括: 域名匹配单元, 用于当所述 URL匹配失败后, 将所述 URL的域名 与预设的可疑域名库进行域名匹配; 9. The identification device according to claim 8, further comprising: a domain name matching unit, configured to match the domain name of the URL with a preset suspicious domain name database when the URL matching fails;
若所述域名匹配成功, 则所述 IP地址匹配单元进行所述 IP地址匹 配。 If the domain name is matched successfully, the IP address matching unit performs the IP address matching.
10、 根据权利要求 8所述的鉴定装置, 其特征在于, 还包括: 可疑域名库更新单元, 用于在所述 URL匹配成功后将所述 URL的 域名加入所述可疑域名库。 10. The identification device according to claim 8, further comprising: a suspicious domain name database update unit, configured to add the domain name of the URL to the suspicious domain name database after the URL is successfully matched.
11、 根据权利要求 8所述的鉴定装置, 其特征在于, 还包括: 11. The identification device according to claim 8, further comprising:
IP地址黑名单更新单元, 用于在所述 URL匹配成功后将所述通讯 消息的发送端设备的 IP地址加入所述 IP地址黑名单。 The IP address blacklist update unit is configured to add the IP address of the sending device of the communication message to the IP address blacklist after the URL is successfully matched.
12、 根据权利要求 8所述的鉴定装置, 其特征在于, 还包括: 12. The identification device according to claim 8, further comprising:
URL黑名单更新单元, 用于在所述 IP地址匹配成功时将所述 URL 加入所述 URL黑名单。 A URL blacklist update unit, configured to add the URL to the URL blacklist when the IP address is successfully matched.
13、 根据权利要求 9所述的鉴定装置, 其特征在于, 13. The identification device according to claim 9, characterized in that,
所述 URL匹配单元、 所述 IP地址匹配单元和所述域名匹配单元设 置于所述通讯消息的接收端设备。 The URL matching unit, the IP address matching unit and the domain name matching unit are provided at the receiving end device of the communication message.
14、 根据权利要求 9所述的鉴定装置, 其特征在于, 14. The identification device according to claim 9, characterized in that,
所述 URL匹配单元、 所述 IP地址匹配单元和所述域名匹配单元设 置于转发所述通讯消息的服务器。
The URL matching unit, the IP address matching unit and the domain name matching unit are configured on a server that forwards the communication message.
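The cascade of claims 1 to 5 (URL blacklist first, then the suspicious-domain gate of claim 2, then the sender-IP blacklist, with each hit feeding the other two lists) as an added Python example; this is not the patent's or the applicant's code, and the class and function names, the URL canonicalisation rule and the sample blacklist entries are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def canonical_url(url: str) -> str:
    """Lower-case scheme and host, drop trailing punctuation and slash, so
    trivial variants of a blacklisted URL still hit the same entry (assumed rule)."""
    p = urlsplit(url.strip().rstrip(".,;:!)"))
    path = p.path.rstrip("/") or "/"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{path}{query}"

def domain_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

@dataclass
class MaliciousUrlIdentifier:
    url_blacklist: set
    ip_blacklist: set
    suspicious_domains: set = field(default_factory=set)

    def __post_init__(self):
        self.url_blacklist = {canonical_url(u) for u in self.url_blacklist}

    def check_url(self, url: str, sender_ip: str):
        """Cascade of claims 1-2; returns (risk, reason) and applies the
        feedback updates of claims 3-5 to the three lists."""
        url = canonical_url(url)
        if url in self.url_blacklist:
            self.suspicious_domains.add(domain_of(url))  # claim 3
            self.ip_blacklist.add(sender_ip)             # claim 4
            return True, "url-blacklist"
        # claim 2: the IP blacklist is consulted only for an already-suspicious domain
        if domain_of(url) in self.suspicious_domains and sender_ip in self.ip_blacklist:
            self.url_blacklist.add(url)                  # claim 5
            return True, "ip-blacklist"
        return False, "clean"

    def check_message(self, text: str, sender_ip: str):
        """Check every URL in a message body; a non-empty result is the risk prompt."""
        hits = []
        for raw in URL_RE.findall(text):
            risk, reason = self.check_url(raw, sender_ip)
            if risk:
                hits.append((canonical_url(raw), reason))
        return hits
# Constructed sample (not from the patent): one seeded bad URL and one seeded bad IP.
SAMPLE = MaliciousUrlIdentifier({"http://Bad.Example/login/"}, {"198.51.100.7"})
```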
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310306434XA CN103338211A (en) | 2013-07-19 | 2013-07-19 | Malicious URL (unified resource locator) authenticating method and device |
CN201310306434.X | 2013-07-19 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015007231A1 true WO2015007231A1 (en) | 2015-01-22 |
Family
ID=49246308
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/082468 WO2015007231A1 (en) | 2013-07-19 | 2014-07-18 | Method and device for identification of malicious url |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103338211A (en) |
WO (1) | WO2015007231A1 (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103338211A (en) * | 2013-07-19 | 2013-10-02 | 腾讯科技(深圳)有限公司 | Malicious URL (unified resource locator) authenticating method and device |
CN103530562A (en) * | 2013-10-23 | 2014-01-22 | 腾讯科技(深圳)有限公司 | Method and device for identifying malicious websites |
CN104679798B (en) * | 2013-12-03 | 2018-04-27 | 腾讯科技(深圳)有限公司 | Page detection method and device |
CN104811418B (en) * | 2014-01-23 | 2019-04-12 | 腾讯科技(深圳)有限公司 | The method and device of viral diagnosis |
CN104301205B (en) * | 2014-09-25 | 2018-06-19 | 广州华多网络科技有限公司 | Interactive bootstrap technique and device |
US9264399B1 (en) * | 2015-08-18 | 2016-02-16 | Farsight Security, Inc. | Lock-free updates to a domain name blacklist |
CN105429980B (en) * | 2015-11-17 | 2018-10-30 | 中国联合网络通信集团有限公司 | network security processing method and device |
CN106899711A (en) * | 2017-05-09 | 2017-06-27 | 南京赢纳信息科技有限公司 | A kind of dynamic territory analyzing module and its black and white lists implementation method based on Linux |
CN107181758A (en) * | 2017-06-30 | 2017-09-19 | 微梦创科网络科技(中国)有限公司 | Recognize the method and system of hacker's behavior |
CN109802919B (en) * | 2017-11-16 | 2021-06-29 | 中移(杭州)信息技术有限公司 | Web page access intercepting method and device |
CN109104429B (en) * | 2018-09-05 | 2021-09-28 | 广东石油化工学院 | Detection method for phishing information |
CN109729098A (en) * | 2019-03-01 | 2019-05-07 | 国网新疆电力有限公司信息通信公司 | Automatically the method for malice port scan is blocked in dns server |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1588879A (en) * | 2004-08-12 | 2005-03-02 | 复旦大学 | Internet content filtering system and method |
CN102118326A (en) * | 2011-01-27 | 2011-07-06 | 郭少方 | Method for processing E-mail |
CN102638448A (en) * | 2012-02-27 | 2012-08-15 | 珠海市君天电子科技有限公司 | Method for judging phishing websites based on non-content analysis |
CN102724187A (en) * | 2012-06-06 | 2012-10-10 | 奇智软件(北京)有限公司 | Method and device for safety detection of universal resource locators |
CN103338211A (en) * | 2013-07-19 | 2013-10-02 | 腾讯科技(深圳)有限公司 | Malicious URL (unified resource locator) authenticating method and device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7854007B2 (en) * | 2005-05-05 | 2010-12-14 | Ironport Systems, Inc. | Identifying threats in electronic messages |
CN102158568A (en) * | 2011-04-20 | 2011-08-17 | 北京蓝汛通信技术有限责任公司 | Method and device for banning IP (Internet Protocol) addresses and content distribution network server |
2013
- 2013-07-19 CN CN201310306434XA patent/CN103338211A/en active Pending
2014
- 2014-07-18 WO PCT/CN2014/082468 patent/WO2015007231A1/en active Application Filing
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10212175B2 (en) | 2015-11-30 | 2019-02-19 | International Business Machines Corporation | Attracting and analyzing spam postings |
WO2021051533A1 (en) * | 2019-09-19 | 2021-03-25 | 平安科技(深圳)有限公司 | Address information-based blacklist identification method, apparatus, device, and storage medium |
US11363060B2 (en) * | 2019-10-24 | 2022-06-14 | Microsoft Technology Licensing, Llc | Email security in a multi-tenant email service |
WO2022035981A1 (en) * | 2020-08-12 | 2022-02-17 | NortonLifeLock Inc. | Systems and methods for protecting against misleading clicks on websites |
US11595420B2 (en) | 2020-08-12 | 2023-02-28 | Gen Digital Inc. | Systems and methods for protecting against misleading clicks on websites |
US11777908B1 (en) | 2021-06-24 | 2023-10-03 | Gen Digital Inc. | Protecting against a tracking parameter in a web link |
US12107838B1 (en) | 2021-06-24 | 2024-10-01 | Gen Digital Inc. | Protecting against a tracking parameter in a web link |
Also Published As
Publication number | Publication date |
---|---|
CN103338211A (en) | 2013-10-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015007231A1 (en) | | Method and device for identification of malicious url |
USRE49634E1 (en) | | System and method for determining the risk of vulnerabilities on a mobile communications device |
CN105207774B (en) | | The cryptographic key negotiation method and device of verification information |
CA2689847C (en) | | Network transaction verification and authentication |
US9003519B2 (en) | | Verifying transactions using out-of-band devices |
US11354438B1 (en) | | Phone number alias generation |
WO2019062666A1 (en) | | System, method, and apparatus for securely accessing internal network |
US11770385B2 (en) | | Systems and methods for malicious client detection through property analysis |
US10348701B2 (en) | | Protecting clients from open redirect security vulnerabilities in web applications |
CN108234439B (en) | | Attack protection for network real-time communication providers |
US11558365B1 (en) | | Multi-second factor authentication |
WO2016188335A1 (en) | | Access control method, apparatus and system for user data |
US9577948B2 (en) | | Method and apparatus for connecting to server using trusted IP address of domain |
WO2012094040A1 (en) | | Limiting virulence of malicious messages using a proxy server |
US11729192B2 (en) | | Malware detection using document object model inspection |
CN112565156B (en) | | Information registration method, device and system |
Hyun et al. | | Design and Analysis of Push Notification-Based Malware on Android |
US20160366172A1 (en) | | Prevention of cross site request forgery attacks |
US9143510B2 (en) | | Secure identification of intranet network |
US8800033B2 (en) | | Rotation of web site content to prevent E-mail spam/phishing attacks |
CN115603974A (en) | | Network security protection method, device, equipment and medium |
CN114079573B (en) | | Router access method and router |
JP2021117596A (en) | | Information processing system, information processing method, and information processing program |
KR102148189B1 (en) | | Apparatus and method for protecting malicious site |
Armin | | Mobile threats and the underground marketplace |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14826152; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 02/05/2016) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 14826152; Country of ref document: EP; Kind code of ref document: A1 |