WO2015058640A1 - Secure access method, system and apparatus - Google Patents


Info

Publication number
WO2015058640A1
Authority
WO
WIPO (PCT)
Prior art keywords
webpage
users
information
interception
user
Application number
PCT/CN2014/088614
Other languages
French (fr)
Chinese (zh)
Inventor
刘健
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • the present invention relates to the field of Internet security technologies, and in particular, to a secure access method, system, and apparatus.
  • Cloud-based security systems reduce the load on the client device, but also pose a huge challenge to the authentication capabilities of the server.
  • When the server authentication logic is modified, it immediately affects all users of the system, without requiring the user to perform any client device software upgrade. For example, in a cloud-based URL security authentication service, when the cloud determines that a website http://www.example.com/ is a malicious website, the client device intercepts all users' access to the website.
  • the invention provides a security access method, which can timely detect and correct false alarms occurring in the security protection process and improve the accuracy of the security service.
  • the invention also provides a security access system and device, which can timely detect and correct false alarms occurring in the security protection process, and improve the accuracy of the security service.
  • a secure access method comprising:
  • the computing device receives the user's access request to the webpage, queries the security status of the webpage, and returns the webpage interception information when the query result is unsafe;
  • the computing device receives the user's operation for intercepting the information on the webpage, performs statistics on the operation, determines whether the statistical result satisfies a preset false alarm condition, and if so, prompts to change the security state of the page.
  • a secure access system that includes:
  • the security client device is configured to report the user's access request to the webpage, and report the user's operation for intercepting the webpage;
  • a security server configured to receive a user's access request for a webpage, query the security status of the webpage, and feed back webpage interception information when the query result is unsafe; and further configured to receive the user's operation on the webpage interception information, compile statistics on the operation, determine whether the statistical result satisfies a preset false alarm condition, and if so, prompt to change the security state of the page.
  • a secure server for secure access including:
  • one or more processors;
  • a secure client device for secure access including:
  • one or more processors;
  • a computer readable storage medium storing one or more programs executed by a computer system, the one or more programs comprising instructions to perform the steps of:
  • the security access method, system and device provided by the present invention can compile statistics on and evaluate the user's operations on the webpage interception information, determine a webpage that may be a false positive, and give a prompt, thereby promptly detecting and correcting false positives that occur in the security protection process and improving the accuracy of the security service.
  • FIG. 1 is a flowchart of implementing a secure access method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of an interface display of a webpage interception page according to an embodiment of the present invention
  • FIG. 3 is a flowchart of implementing a secure access method according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a security server for implementing secure access according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a secure client device for implementing secure access according to an embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of a security server for implementing secure access according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a secure client device for implementing secure access according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of the method, including:
  • Step 201: The computing device receives the user's access request for the webpage, queries the security state of the webpage, and returns the webpage interception information when the query result is insecure;
  • Step 202: The computing device receives the user's operation for intercepting the information on the webpage, performs statistics on the operation, determines whether the statistical result reaches a preset requirement, and if so, prompts to change the security state of the page.
  • the computing device is, for example, a secure server.
  • the security state of the webpage may be directly changed by the security server, that is, the security state of the webpage is changed from "unsafe" to "safe"; alternatively, the prompt may be confirmed manually, and the security status of the webpage changed after confirmation.
  • the user's access request to the webpage or the user's operation of intercepting the webpage may be reported by the secure client device.
  • the webpage interception information may be fed back by redirecting the user's access request to the webpage interception page.
  • the method for performing statistics on the operation and determining whether the statistical result meets the preset requirement may be:
  • After the security client software is installed on the client device and the real-time protection function is enabled, the security client device first intercepts each Uniform Resource Locator (URL) accessed by the user in the browser. The URL is sent to the security server for query. If the query result is secure, the security server allows the user to browse the webpage content normally; otherwise, the security server redirects the user's webpage access request to the webpage interception page, prompting the user to visit cautiously.
  • FIG. 2 is a schematic diagram of an interface display of a webpage interception page according to an embodiment of the present invention.
  • the webpage blocking page provides some common options for the user to further operate, such as closing the current webpage, ignoring the warning to continue accessing the current webpage, and not blocking the current webpage next time.
  • Step 301: The user browses the webpage, and the security client device intercepts the user's access request for the webpage and sends the access request to the security server.
  • Step 302: The security server queries whether the webpage is a secure webpage; if yes, it proceeds to step 308 to allow the user to browse normally; if not, it proceeds to step 303.
  • Step 303: The security server redirects the user's access request to the webpage interception page.
  • Step 304: The security client device intercepts the user's operation on the webpage interception page (such as clicking the "close webpage" button, clicking the "continue to visit webpage" button, etc.) and reports the operation to the security server.
  • Step 305: The security server calculates in real time, for each webpage within a preset time period, the interception amount, the number of clicks on the "continue to visit webpage" button, the number of clicks on the "no longer intercept webpage" button, the number of clicks on the "appeal" button or link, and the like.
  • Step 306: The security server determines whether the statistical result meets the preset false alarm condition. If the false alarm condition is met, the process proceeds to step 307 and false alarm processing is performed: the relevant person in charge may be notified by email or short message to confirm and process it in time, or the security status of the webpage may be changed directly by the security server. If the false alarm condition is not met, step 305 is re-executed.
  • the false positive conditions can be set according to the statistics. Common ones include but are not limited to:
  • Total interception amount on the day: how many users encountered the interception page for a particular webpage on that day;
  • No-more-interception amount on the day: how many users chose to no longer intercept, on the interception page shown for a particular webpage on that day (for example, by clicking the "No longer block webpage" button on the interception page);
  • Cumulative amount of appeals on the day: how many users chose to appeal on the interception page shown for a particular webpage on that day (for example, by clicking the "Appeal" button or link on the interception page);
  • Appeal rate on the day: for a particular webpage, the cumulative amount of appeals on that day divided by the cumulative interception amount of that day.
  • a false alarm is flagged when the accumulated interception amount in the past hour is greater than the threshold value 1000, or when the continued access rate in the past hour is greater than the threshold value of 50%.
  • the larger the threshold setting, the higher the accuracy of the false alarm prevention method, but the coverage rate is reduced, and some web pages that are false positives may be missed; conversely, the smaller the threshold setting, the lower the accuracy of the false alarm prevention method, but the coverage rate is increased, and more manpower is needed for manual review; in actual applications, the threshold can be adjusted according to the actual situation.
  • the embodiment of the invention further provides a security access system, comprising: a security client device and a security server.
  • the security client device is used to report the user's access request to the webpage and report the user's operation for intercepting the webpage.
  • a security server configured to receive a user's access request for a webpage, query the security status of the webpage, and feed back webpage interception information when the query result is unsafe; and further configured to receive the user's operation on the webpage interception information, compile statistics on the operation, determine whether the statistical result satisfies a preset false alarm condition, and if so, prompt to change the security state of the page.
  • After the security server prompts to change the security state of the page, it can directly change the security status of the page, or the prompt can be confirmed and processed manually.
  • the manner in which the security server feeds back the webpage interception information may be: redirecting the user's access request to the webpage interception page.
  • the way the security server counts the operation and determines whether the statistical result meets the pre-set false alarm condition is:
  • FIG. 4 is a schematic structural diagram of the security server 400, including: a security control module 401, a statistics module 402, and a false positive audit module 403.
  • the security control module 401 is configured to receive a user access request for a webpage, query a security status of the webpage, and feed back the webpage interception information when the query result is unsafe.
  • the statistics module 402 is configured to receive an operation of the user for intercepting information on the webpage, and perform statistics on the operation.
  • the false positive review module 403 is configured to determine whether the statistical result satisfies a preset false alarm condition, and if yes, prompt to change the security state of the page.
  • the security status can be directly changed from "unsafe" to "secure", or the prompt can be confirmed and processed manually.
  • the manner in which the security control module 401 feeds back the webpage interception information may be: redirecting the user's access request to the webpage interception page.
  • the statistics module 402 can count, for each webpage, the number of users who receive the webpage interception information within a preset time period; the false positive audit module 403 determines whether the number of users reaches a preset threshold, and if so, prompts to change the security status of the page;
  • the statistics module 402 may count, for each webpage, the number of users who continue to access the webpage within a preset time period; the false positive audit module 403 determines whether the number of users reaches a preset threshold, and if so, prompts to change the security status of the page;
  • the statistics module 402 may count, for each webpage, the number of users who receive the webpage interception information within a preset time period and the number of users who continue to access the webpage; the false positive audit module 403 determines whether the ratio of the number of users who continue to access the webpage to the number of users receiving the webpage interception information reaches a preset threshold, and if so, prompts to change the security status of the page;
  • the statistics module 402 may count, for each webpage, the number of users who request that the webpage no longer be intercepted within a preset time period; the false positive audit module 403 determines whether the number of users reaches a preset threshold, and if so, prompts to change the security status of the page;
  • the statistics module 402 may count, for each webpage, the number of users who receive the webpage interception information within a preset time period and the number of users who request that the webpage no longer be intercepted; the false positive audit module 403 determines whether the ratio of the number of users who request that the webpage no longer be intercepted to the number of users receiving the webpage interception information reaches a preset threshold, and if so, prompts to change the security status of the page;
  • the statistics module 402 may count, for each webpage, the number of users who appeal the webpage interception information within a preset time period; the false positive audit module 403 determines whether the number of users reaches a preset threshold, and if so, prompts to change the security status of the page;
  • the statistics module 402 may count, for each webpage, the number of users who receive the webpage interception information within a preset time period and the number of users who appeal the webpage interception information; the false positive audit module 403 determines whether the ratio of the number of users who appeal the webpage interception information to the number of users receiving the webpage interception information reaches a preset threshold, and if so, prompts to change the security status of the page.
  • FIG. 5 is a schematic structural diagram of the secure client device 500, including: a reporting module 501 and a receiving module 502.
  • the reporting module 501 is configured to report the user's access request to the webpage, and is also used to report the user's operation for intercepting the webpage.
  • the receiving module 502 is configured to receive webpage interception information.
  • FIG. 6 is a schematic structural diagram of the security server 600, including one or more processors 601, a memory 602, and one or more stored in the memory 602.
  • the application 603 includes, for example, instructions for performing the steps in the method embodiment shown in FIG. 1. For details, refer to the description in the method embodiment, and details are not described herein again.
  • FIG. 7 is a schematic structural diagram of the secure client device 700, including one or more processors 701, a memory 702, and one or more storage devices.
  • the application 703 includes, for example, an instruction to: report a user's access request to the webpage, and also report the user's operation of intercepting the webpage; and receive the webpage interception information.
  • the client device mentioned in the foregoing embodiment may be a fixed terminal or a mobile terminal, such as a desktop computer, a mobile phone, a tablet computer, or the like, which is not specifically limited in the present invention.
  • the memory 602 mentioned in FIG. 6 and the memory 702 mentioned in FIG. 7 include, but are not limited to, various non-volatile memories, for example, a USB flash drive, a mobile hard disk, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other solid-state memory technology, CD-ROM, digital versatile disc (DVD), HD-DVD, Blu-ray or other optical storage device, magnetic tape, disk storage or other magnetic storage device, or any other medium that can be used to store the required information and that can be accessed by a computer.
  • the security access method, system, and device provided by the embodiment of the present invention can compile statistics on and evaluate the user's operations on the webpage interception information, determine a webpage that may be a false alarm, and give a prompt; the server or a human reviewer then changes the security status of the webpage according to the prompt, thereby promptly detecting and correcting false alarms that occur in the security protection process and improving the accuracy of the security service.
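Steps 305 and 306 with the example thresholds given above (more than 1000 interceptions, or a continued-access rate above 50%, in the past hour), as an added Python example that is not code from the patent. The class, field and operation names, the sample URLs and the rule that an operation counts only for a user who was shown the block page are assumptions of this sketch.

```python
from collections import defaultdict
from dataclasses import dataclass

# Operation labels are assumptions of this sketch; the page names only the buttons.
INTERCEPTED = "intercepted"      # block page shown to the user (step 303)
CONTINUE = "continue"            # "continue to visit webpage"
NO_MORE_BLOCK = "no_more_block"  # "no longer intercept webpage"
APPEAL = "appeal"                # "appeal" button or link


@dataclass(frozen=True)
class Report:
    """One operation reported by the security client (step 304)."""
    ts: float   # seconds
    url: str
    user: str
    op: str


class FalseAlarmAuditor:
    """Per-URL sliding-window statistics (step 305) and threshold check (step 306)."""

    def __init__(self, window_s=3600, intercept_threshold=1000,
                 continue_rate_threshold=0.5):
        self.window_s = window_s
        self.intercept_threshold = intercept_threshold
        self.continue_rate_threshold = continue_rate_threshold
        self._reports = defaultdict(list)   # url -> [Report, ...]

    def record(self, report):
        self._reports[report.url].append(report)

    def stats(self, url, now):
        # Drop reports older than the window, then count distinct users per
        # operation: the page counts users, not clicks.
        kept = [r for r in self._reports[url] if r.ts > now - self.window_s]
        self._reports[url] = kept
        users = defaultdict(set)
        for r in kept:
            if r.ts <= now:
                users[r.op].add(r.user)
        shown = users[INTERCEPTED]
        # Choice of this sketch: an operation counts only for a user who was
        # shown the block page in the same window, so every rate stays in [0, 1].
        counts = {op: len(users[op] & shown)
                  for op in (CONTINUE, NO_MORE_BLOCK, APPEAL)}
        n = len(shown)
        return {
            "intercepted": n,
            "continued": counts[CONTINUE],
            "no_more_block": counts[NO_MORE_BLOCK],
            "appealed": counts[APPEAL],
            "continue_rate": counts[CONTINUE] / n if n else 0.0,
            "appeal_rate": counts[APPEAL] / n if n else 0.0,
        }

    def audit(self, url, now):
        """Return the false alarm conditions met; non-empty means 'prompt' (step 307)."""
        s = self.stats(url, now)
        reasons = []
        if s["intercepted"] > self.intercept_threshold:
            reasons.append("interception_amount")
        if s["continue_rate"] > self.continue_rate_threshold:
            reasons.append("continue_rate")
        return reasons


NOW = 100_000.0  # constructed clock value


def build_sample():
    """Constructed reports for four made-up URLs."""
    a = FalseAlarmAuditor()

    def feed(url, shown, continued, ts):
        for i in range(shown):
            a.record(Report(ts, url, f"u{i}", INTERCEPTED))
        for i in range(continued):
            a.record(Report(ts + 5, url, f"u{i}", CONTINUE))

    feed("http://a.example/", 4, 3, NOW - 600)       # 75 % continue
    feed("http://b.example/", 1001, 10, NOW - 600)   # many interceptions
    feed("http://c.example/", 10, 2, NOW - 600)      # neither condition
    feed("http://d.example/", 5, 5, NOW - 7200)      # outside the past hour
    # "continue" reports from users never shown the block page are not counted
    for i in range(20):
        a.record(Report(NOW - 60, "http://c.example/", f"ghost{i}", CONTINUE))
    return a


def demo():
    a = build_sample()
    return {u: a.audit(u, NOW) for u in sorted(a._reports)}


if __name__ == "__main__":
    for url, reasons in demo().items():
        print(url, reasons or "no prompt")
```

A non-empty result is only the prompt of step 307: the page leaves it to the security server to change the status directly or to a person to confirm it first.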

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Provided in the present invention are a secure access method, system and apparatus. The method comprises: a computing device receiving an access request of a user for a webpage, querying the security status of the webpage, and feeding back webpage blocking information if the query result shows that the webpage is unsafe; and the computing device receiving operations of the user on the webpage blocking information, compiling statistics on the operations, judging whether the statistical result satisfies a preset false alarm condition, and giving a prompt to change the security status of the webpage if it does.

Description

Secure access method, system and apparatus
This application claims priority to Chinese Patent Application No. 201310506492.7, filed with the Chinese Patent Office on October 24, 2013 and entitled "Secure access method, system and apparatus", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of Internet security technologies, and in particular to a secure access method, system and apparatus.
Background
The rapid development of Internet technology has brought more and more convenience to people's lives. Through the Internet, people can easily share and download all kinds of material, obtain important information, pay bills online, and so on. At the same time, the security situation of the Internet is not encouraging: Trojans and viruses of all kinds disguise themselves as normal files and spread unchecked, and phishing websites that imitate legitimate websites to steal users' account passwords are becoming ever more rampant.
In recent years, with the continuous development of cloud technology, major security vendors have launched security software based on cloud technology. With a cloud architecture, the security software client installed on the user-side client device only needs to submit a query request to a server in the cloud when judging whether a user operation is safe; the server carries out the complex authentication logic and returns the verdict to the client device, so the client device consumes very few resources. By contrast, traditional security software based on a local signature database must perform a large number of matching operations on the user side to determine whether a user operation is safe, which consumes a large amount of hardware resources, can easily make the user's computer appear to freeze, and affects the user's normal use.
Security systems based on cloud technology (cloud security systems for short) reduce the load on the client device, but also pose a huge challenge to the authentication capability of the server. When the server-side authentication logic is modified, the change immediately affects all users of the system, without requiring the user to perform any client device software upgrade. For example, in a cloud-based URL security authentication service, once the cloud determines that a URL such as http://www.example.com/ is malicious, the client device intercepts all users' access to that URL.
However, when a program is used to determine automatically whether a URL is safe, there are many false positives. A false positive means that a normal webpage address is judged malicious and intercepted.
Summary of the invention
The present invention provides a secure access method that can promptly detect and correct false positives occurring in the security protection process and improve the accuracy of the security service.
The present invention also provides a secure access system and apparatus that can promptly detect and correct false positives occurring in the security protection process and improve the accuracy of the security service.
The technical solution of the present invention is implemented as follows:
A secure access method, the method comprising:
a computing device receives a user's access request for a webpage, queries the security status of the webpage, and feeds back webpage interception information when the query result is unsafe;
the computing device receives the user's operation on the webpage interception information, compiles statistics on the operation, determines whether the statistical result satisfies a preset false alarm condition, and if so, prompts to change the security status of the page.
A secure access system, comprising:
a security client device, configured to report the user's access request for a webpage, and to report the user's operation on the webpage interception information;
a security server, configured to receive the user's access request for a webpage, query the security status of the webpage, and feed back webpage interception information when the query result is unsafe; and further configured to receive the user's operation on the webpage interception information, compile statistics on the operation, determine whether the statistical result satisfies a preset false alarm condition, and if so, prompt to change the security status of the page.
A security server for implementing secure access, comprising:
a memory;
one or more processors;
one or more programs stored in the memory and executed by the one or more processors, the one or more programs comprising instructions for:
receiving a user's access request for a webpage, querying the security status of the webpage, and feeding back webpage interception information when the query result is unsafe;
receiving the user's operation on the webpage interception information, and compiling statistics on the operation;
determining whether the statistical result satisfies a preset false alarm condition, and if so, prompting to change the security status of the page.
A security client device for implementing secure access, comprising:
a memory;
one or more processors;
one or more programs stored in the memory and executed by the one or more processors, the one or more programs comprising instructions for:
reporting the user's access request for a webpage, and reporting the user's operation on the webpage interception information;
receiving webpage interception information.
A computer-readable storage medium storing one or more programs executed by a computer system, the one or more programs comprising instructions for performing the following steps:
receiving a user's access request for a webpage, querying the security status of the webpage, and feeding back webpage interception information when the query result is unsafe;
receiving the user's operation on the webpage interception information, compiling statistics on the operation, determining whether the statistical result satisfies a preset false alarm condition, and if so, prompting to change the security status of the page.
It can be seen that the secure access method, system and apparatus proposed by the present invention can compile statistics on and evaluate users' operations on the webpage interception information, determine webpages that may be false positives and give a prompt, thereby promptly detecting and correcting false positives occurring in the security protection process and improving the accuracy of the security service.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below.
FIG. 1 is a flowchart of a secure access method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the interface of a webpage interception page according to an embodiment of the present invention;
FIG. 3 is a flowchart of a secure access method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a security server for implementing secure access according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a security client device for implementing secure access according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a security server for implementing secure access according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a security client device for implementing secure access according to an embodiment of the present invention.
实施本发明的方式Mode for carrying out the invention
为使本发明的技术方案和优点更加清楚,下面将结合附图对本发明实施方式作进一步地详细描述。In order to make the technical solutions and advantages of the present invention more clear, the embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.
An embodiment of the present invention provides a secure access method. FIG. 1 is a flowchart of the method, which includes:
Step 201: A computing device receives a user's access request for a webpage and queries the security state of the webpage; when the query result is unsafe, it returns webpage interception information;
Step 202: The computing device receives the user's operation on the webpage interception information, compiles statistics on the operations, and determines whether the statistical result meets a preset requirement; if so, it prompts a change of the security state of the page.
In the above steps, the computing device is, for example, a security server. After the prompt in step 202 to change the security state of the webpage, the security server may change the security state of the webpage directly, that is, change it from "unsafe" to "safe"; alternatively, the prompt may be confirmed manually, and the security state of the webpage is changed after confirmation.
In the above method, the user's access request for the webpage or the user's operation on the webpage interception information may be reported by a security client device.
In step 201 above, the webpage interception information may be returned by redirecting the user's access request to a webpage interception page.
In step 202 above, the operations may be counted and the statistical result checked against the preset requirement in any of the following ways:
For each webpage, count the number of users who received the webpage interception information within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who continued to access the webpage within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who received the webpage interception information and the number of users who continued to access the webpage within a preset time period, and determine whether the ratio of the number of users who continued to access the webpage to the number of users who received the webpage interception information reaches a preset threshold;
or, for each webpage, count the number of users who requested that the webpage no longer be intercepted within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who received the webpage interception information and the number of users who requested that the webpage no longer be intercepted within a preset time period, and determine whether the ratio of the number of users who requested that the webpage no longer be intercepted to the number of users who received the webpage interception information reaches a preset threshold;
or, for each webpage, count the number of users who appealed against the webpage interception information within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who received the webpage interception information and the number of users who appealed against the webpage interception information within a preset time period, and determine whether the ratio of the number of users who appealed against the webpage interception information to the number of users who received the webpage interception information reaches a preset threshold.
A specific embodiment is described in detail below.
After a user installs security client software on the client device and enables real-time protection, the security client device first intercepts every Uniform Resource Locator (URL) that the user visits in the browser and sends it to the security server for a lookup. If the query result is safe, the security server allows the user to browse the webpage content normally; otherwise, the security server redirects the user's webpage access request to the webpage interception page, prompting the user to proceed with caution.
FIG. 2 is a schematic diagram of the interface of a webpage interception page according to an embodiment of the present invention. As shown in FIG. 2, the webpage interception page offers some common options for the user's next action, such as closing the current webpage, ignoring the warning and continuing to the current webpage, or no longer intercepting the current webpage in future. For a malicious website, when the interception page appears, the vast majority of users choose to close the current webpage to avoid the losses that visiting a malicious webpage could cause; for a website that users trust, users are very likely to ignore the warning and continue to the current webpage even when they meet the interception page. In other words, for a website that really is malicious, the number of users who choose to continue to the current webpage when the interception page appears should stay at a low level. If, after a webpage has been identified as malicious by the cloud security system, a large number of users still insist on visiting it, the webpage has probably been misjudged as malicious, and the cloud security system administrator needs to handle the case promptly and set the state of the webpage to safe, so as to minimize the negative impact of the false positive on users.
The specific process is shown in FIG. 3 and includes the following steps:
Step 301: The user browses a webpage; the security client device intercepts the user's access request for the webpage and sends the access request to the security server.
Step 302: The security server queries whether the webpage is a safe webpage. If it is, the process proceeds to step 308 and the user is allowed to browse normally; if it is not, the process continues with step 303.
Step 303: The security server redirects the user's access request to the webpage interception page.
Step 304: The security client device intercepts the user's operation on the webpage interception page (such as clicking the "Close webpage" button or the "Continue to visit webpage" button) and reports the operation to the security server.
Step 305: The security server compiles, in real time and for each webpage, statistics within a preset time period: the number of interceptions, the number of clicks on the "Continue to visit webpage" button, the number of clicks on the "No longer block webpage" button, the number of clicks on the "Appeal" button or link, and so on.
Step 306: The security server determines whether the statistical result satisfies a preset false-positive condition. If the condition is satisfied, the process proceeds to step 307 for false-positive handling: the person responsible may be notified by email or SMS to confirm and handle the case promptly, or the security server may change the security state of the webpage directly. If the condition is not satisfied, step 305 is executed again.
The false-positive conditions can be set freely on the basis of the statistics. Common ones include, but are not limited to:
a). Cumulative interceptions for the day: for a specific webpage, how many users encountered an interception of that webpage that day;
b). Cumulative continued visits for the day: for the interception page shown for a specific webpage that day, how many users chose to continue to that webpage (for example, by clicking the "Continue to visit webpage" button on the interception page);
c). Continued-access rate for the day: for a specific webpage, its cumulative continued visits for the day divided by its cumulative interceptions for the day;
d). Cumulative "no longer block" count for the day: for the interception page shown for a specific webpage that day, how many users chose not to have it intercepted again (for example, by clicking the "No longer block webpage" button on the interception page);
e). "No longer block" rate for the day: for a specific webpage, its cumulative "no longer block" count for the day divided by its cumulative interceptions for the day;
f). Cumulative appeals for the day: for the interception page shown for a specific webpage that day, how many users chose to appeal (for example, by clicking the "Appeal" button or link on the interception page);
g). Appeal rate for the day: for a specific webpage, its cumulative appeals for the day divided by its cumulative interceptions for the day.
If the false-positive prevention method needs to be more sensitive, a shorter time range can be set, for example computing the above indicators over the past hour or the past ten minutes instead of over the whole day.
For example, a false positive may be considered to have occurred when the cumulative interception count in the past hour is greater than a threshold of 1000, or when the continued-access rate in the past hour is greater than a threshold of 50%.
The larger the threshold, the higher the accuracy of the false-positive prevention method, but coverage falls and some webpages that really are false positives may be missed; conversely, the smaller the threshold, the lower the accuracy, but coverage rises and more manpower is needed for manual review. In practice the threshold can be adjusted to suit the actual situation.
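The counting and threshold check of steps 305 and 306, written out as an added Python example (it is not code from the patent). It counts distinct users per URL in a sliding window and assumes reports arrive in time order; the class, function and action names, the "no longer block" and appeal rate thresholds, the minimum-sample guard and the `example.test` URLs are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Operations the security client reports for a URL (steps 303-304).
INTERCEPTED, CONTINUE, NO_BLOCK, APPEAL = "intercepted", "continue", "no_block", "appeal"
ACTIONS = (INTERCEPTED, CONTINUE, NO_BLOCK, APPEAL)


@dataclass
class Thresholds:
    window_seconds: int = 3600       # "past hour" window from the page's example
    max_intercepted: int = 1000      # page's example: more than 1000 interceptions
    max_continue_rate: float = 0.5   # page's example: continued-access rate above 50%
    max_no_block_rate: float = 0.5   # assumed value; the page gives none
    max_appeal_rate: float = 0.5     # assumed value; the page gives none
    min_intercepted: int = 20        # assumed guard: no rate decision on tiny samples


class FalsePositiveMonitor:
    """Per-URL sliding-window statistics and false-positive check (steps 305-306)."""

    def __init__(self, thresholds=None):
        self.t = thresholds or Thresholds()
        self.events = defaultdict(deque)   # url -> deque of (ts, user_id, action)

    def report(self, url, user_id, action, ts):
        """Record one reported operation; reports are assumed to arrive in time order."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        self.events[url].append((ts, user_id, action))

    def stats(self, url, now):
        """Distinct-user counts and rates for the window ending at `now`."""
        queue = self.events[url]
        cutoff = now - self.t.window_seconds
        while queue and queue[0][0] <= cutoff:   # evict reports older than the window
            queue.popleft()
        users = {action: set() for action in ACTIONS}
        for _, user_id, action in queue:
            users[action].add(user_id)           # a user counts once per action
        shown = users[INTERCEPTED]
        result = {"intercepted": len(shown)}
        for action in (CONTINUE, NO_BLOCK, APPEAL):
            result[action] = len(users[action])
            # Rate: users who chose the action among those shown the interception page.
            result[action + "_rate"] = (
                len(users[action] & shown) / len(shown) if shown else 0.0
            )
        return result

    def evaluate(self, url, now):
        """Return the false-positive conditions the URL satisfies (empty list: none)."""
        s, t = self.stats(url, now), self.t
        reasons = []
        if s["intercepted"] > t.max_intercepted:
            reasons.append("intercepted")
        if s["intercepted"] >= t.min_intercepted:
            limits = ((CONTINUE, t.max_continue_rate),
                      (NO_BLOCK, t.max_no_block_rate),
                      (APPEAL, t.max_appeal_rate))
            reasons += [a + "_rate" for a, limit in limits if s[a + "_rate"] > limit]
        return reasons


def demo():
    """Run the check over constructed reports for placeholder URLs (not real data)."""
    mon, now = FalsePositiveMonitor(), 10_000
    # (url, users intercepted, users who continued, seconds before `now`)
    cases = [("http://a.example.test/", 40, 30, 600),    # most users continue
             ("http://b.example.test/", 40, 2, 600),     # almost nobody continues
             ("http://c.example.test/", 3, 3, 600),      # too few users to judge
             ("http://d.example.test/", 40, 40, 4000)]   # outside the one-hour window
    for url, shown, continued, age in cases:
        for i in range(shown):
            mon.report(url, f"user{i}", INTERCEPTED, now - age)
        for i in range(continued):
            mon.report(url, f"user{i}", CONTINUE, now - age + 1)
    return {url: mon.evaluate(url, now) for url, *_ in cases}


if __name__ == "__main__":
    for url, reasons in demo().items():
        print(url, "->", reasons or "no false-positive condition met")
```

A non-empty result corresponds to entering step 307; whether that triggers a notification for manual confirmation or a direct state change is the deployment choice the description leaves open.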
An embodiment of the present invention further provides a secure access system, comprising a security client device and a security server.
The security client device is configured to report the user's access request for a webpage and to report the user's operation on the webpage interception information.
The security server is configured to receive the user's access request for a webpage, query the security state of the webpage, and return webpage interception information when the query result is unsafe; it is further configured to receive the user's operation on the webpage interception information, compile statistics on the operations, and determine whether the statistical result satisfies a preset false-positive condition and, if so, prompt a change of the security state of the page.
After the security server prompts a change of the security state of the page, it may change the security state of the page directly, or the prompt may be confirmed and handled manually.
In the above system, the security server may return the webpage interception information by redirecting the user's access request to a webpage interception page.
The security server counts the operations and determines whether the statistical result satisfies the preset false-positive condition in one of the following ways:
For each webpage, count the number of users who received the webpage interception information within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who continued to access the webpage within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who received the webpage interception information and the number of users who continued to access the webpage within a preset time period, and determine whether the ratio of the number of users who continued to access the webpage to the number of users who received the webpage interception information reaches a preset threshold;
or, for each webpage, count the number of users who requested that the webpage no longer be intercepted within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who received the webpage interception information and the number of users who requested that the webpage no longer be intercepted within a preset time period, and determine whether the ratio of the number of users who requested that the webpage no longer be intercepted to the number of users who received the webpage interception information reaches a preset threshold;
or, for each webpage, count the number of users who appealed against the webpage interception information within a preset time period, and determine whether that number reaches a preset threshold;
or, for each webpage, count the number of users who received the webpage interception information and the number of users who appealed against the webpage interception information within a preset time period, and determine whether the ratio of the number of users who appealed against the webpage interception information to the number of users who received the webpage interception information reaches a preset threshold.
An embodiment of the present invention further provides a security server for implementing secure access. FIG. 4 is a schematic structural diagram of the security server 400, which includes a security control module 401, a statistics module 402, and a false-positive review module 403.
The security control module 401 is configured to receive the user's access request for a webpage, query the security state of the webpage, and return webpage interception information when the query result is unsafe.
The statistics module 402 is configured to receive the user's operation on the webpage interception information and compile statistics on the operations.
The false-positive review module 403 is configured to determine whether the statistical result satisfies a preset false-positive condition and, if so, prompt a change of the security state of the page.
After the false-positive review module 403 prompts a change of the security state of the page, it may directly change the security state of the service from "unsafe" to "safe", or the prompt may be confirmed and handled manually.
In the above security server, the security control module 401 may return the webpage interception information by redirecting the user's access request to a webpage interception page.
In the above security server,
the statistics module 402 may, for each webpage, count the number of users who received the webpage interception information within a preset time period; the false-positive review module 403 determines whether that number reaches a preset threshold and, if so, prompts a change of the security state of the page;
or, the statistics module 402 may, for each webpage, count the number of users who continued to access the webpage within a preset time period; the false-positive review module 403 determines whether that number reaches a preset threshold and, if so, prompts a change of the security state of the page;
or, the statistics module 402 may, for each webpage, count the number of users who received the webpage interception information and the number of users who continued to access the webpage within a preset time period; the false-positive review module 403 determines whether the ratio of the number of users who continued to access the webpage to the number of users who received the webpage interception information reaches a preset threshold and, if so, prompts a change of the security state of the page;
or, the statistics module 402 may, for each webpage, count the number of users who requested that the webpage no longer be intercepted within a preset time period; the false-positive review module determines whether that number reaches a preset threshold and, if so, prompts a change of the security state of the page;
or, the statistics module 402 may, for each webpage, count the number of users who received the webpage interception information and the number of users who requested that the webpage no longer be intercepted within a preset time period; the false-positive review module determines whether the ratio of the number of users who requested that the webpage no longer be intercepted to the number of users who received the webpage interception information reaches a preset threshold and, if so, prompts a change of the security state of the page;
or, the statistics module 402 may, for each webpage, count the number of users who appealed against the webpage interception information within a preset time period; the false-positive review module determines whether that number reaches a preset threshold and, if so, prompts a change of the security state of the page;
or, the statistics module 402 may, for each webpage, count the number of users who received the webpage interception information and the number of users who appealed against the webpage interception information within a preset time period; the false-positive review module determines whether the ratio of the number of users who appealed against the webpage interception information to the number of users who received the webpage interception information reaches a preset threshold and, if so, prompts a change of the security state of the page.
An embodiment of the present invention further provides a security client device for implementing secure access. FIG. 5 is a schematic structural diagram of the security client device 500, which includes a reporting module 501 and a receiving module 502.
The reporting module 501 is configured to report the user's access request for a webpage and to report the user's operation on the webpage interception information.
The receiving module 502 is configured to receive the webpage interception information.
In addition, an embodiment of the present invention provides a security server for implementing secure access. FIG. 6 is a schematic structural diagram of the security server 600, which includes one or more processors 601, a memory 602, and one or more applications 603 stored in the memory 602 for execution by the one or more processors 601. The application 603 includes, for example, instructions for performing the steps of the method embodiment shown in FIG. 1; for the detailed process, see the description of the method embodiment, which is not repeated here.
An embodiment of the present invention further provides a security client device for implementing secure access. FIG. 7 is a schematic structural diagram of the security client device 700, which includes one or more processors 701, a memory 702, and one or more applications 703 stored in the memory 702 for execution by the one or more processors 701. The application 703 includes, for example, instructions for performing the following operations: reporting the user's access request for a webpage and reporting the user's operation on the webpage interception information; and receiving the webpage interception information.
The client device mentioned in the above embodiments may be a fixed terminal or a mobile terminal, for example a desktop computer, a mobile phone, a tablet computer, and so on; the present invention places no specific limitation on this.
A person of ordinary skill in the art will understand that the memory 602 mentioned in FIG. 6 and the memory 702 mentioned in FIG. 7 include, but are not limited to, various non-volatile memories, for example a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other solid-state memory technology, CD-ROM, digital versatile disc (DVD), HD-DVD, Blu-ray or other optical storage devices, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the required information and can be accessed by a computer.
In summary, the secure access method, system and apparatus provided by the embodiments of the present invention compile and evaluate statistics on users' operations on webpage interception information, identify webpages that may have been falsely reported, and issue a prompt; the server or a person then changes the security state of the webpage according to the prompt. False positives arising in the course of security protection are thereby discovered and corrected promptly, and the accuracy of the security service is improved.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (12)

  1. A secure access method, characterized in that the method comprises:
    a computing device receiving a user's access request for a webpage, querying the security state of the webpage, and returning webpage interception information when the query result is unsafe;
    the computing device receiving the user's operation on the webpage interception information, compiling statistics on the operations, determining whether the statistical result satisfies a preset false-positive condition and, if so, prompting a change of the security state of the page.
  2. The method according to claim 1, characterized in that the user's access request for the webpage or the user's operation on the webpage interception information is reported by a security client device.
  3. The method according to claim 1, characterized in that the webpage interception information is returned by redirecting the user's access request to a webpage interception page.
  4. The method according to claim 1, 2 or 3, characterized in that the operations are counted and the statistical result is checked against the preset false-positive condition by:
    for each webpage, counting the number of users who received the webpage interception information within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who continued to access the webpage within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who continued to access the webpage within a preset time period, and determining whether the ratio of the number of users who continued to access the webpage to the number of users who received the webpage interception information reaches a preset threshold;
    or, for each webpage, counting the number of users who requested that the webpage no longer be intercepted within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who requested that the webpage no longer be intercepted within a preset time period, and determining whether the ratio of the number of users who requested that the webpage no longer be intercepted to the number of users who received the webpage interception information reaches a preset threshold;
    or, for each webpage, counting the number of users who appealed against the webpage interception information within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who appealed against the webpage interception information within a preset time period, and determining whether the ratio of the number of users who appealed against the webpage interception information to the number of users who received the webpage interception information reaches a preset threshold.
  5. A secure access system, characterized in that the system comprises:
    a security client device, configured to report a user's access request for a webpage and to report the user's operation on webpage interception information;
    a security server, configured to receive the user's access request for the webpage, query the security state of the webpage, and return webpage interception information when the query result is unsafe; and further configured to receive the user's operation on the webpage interception information, compile statistics on the operations, determine whether the statistical result satisfies a preset false-positive condition and, if so, prompt a change of the security state of the page.
  6. The system according to claim 5, characterized in that the security server returns the webpage interception information by redirecting the user's access request to a webpage interception page.
  7. The system according to claim 5 or 6, characterized in that the security server counts the operations and determines whether the statistical result satisfies the preset false-positive condition by:
    for each webpage, counting the number of users who received the webpage interception information within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who continued to access the webpage within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who continued to access the webpage within a preset time period, and determining whether the ratio of the number of users who continued to access the webpage to the number of users who received the webpage interception information reaches a preset threshold;
    or, for each webpage, counting the number of users who requested that the webpage no longer be intercepted within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who requested that the webpage no longer be intercepted within a preset time period, and determining whether the ratio of the number of users who requested that the webpage no longer be intercepted to the number of users who received the webpage interception information reaches a preset threshold;
    or, for each webpage, counting the number of users who appealed against the webpage interception information within a preset time period, and determining whether that number reaches a preset threshold;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who appealed against the webpage interception information within a preset time period, and determining whether the ratio of the number of users who appealed against the webpage interception information to the number of users who received the webpage interception information reaches a preset threshold.
  8. A security server for implementing secure access, wherein the security server comprises: a memory;
    one or more processors;
    one or more programs stored in the memory and executed by the one or more processors, the one or more programs including instructions for:
    receiving a user's access request for a webpage, querying the security status of the webpage, and feeding back webpage interception information when the query result is "unsafe";
    receiving the user's operation on the webpage interception information, and performing statistics on the operations;
    determining whether the statistical result satisfies a preset false alarm condition and, if it does, prompting a change to the security status of the webpage.
  9. The security server according to claim 8, wherein the webpage interception information is fed back by redirecting the user's access request to a webpage interception page.
  10. The security server according to claim 8 or 9, wherein the one or more programs include instructions for:
    for each webpage, counting the number of users who received the webpage interception information within a preset time period; determining whether that number reaches a preset threshold and, if it does, prompting a change to the security status of the webpage;
    or, for each webpage, counting the number of users who continued to access the webpage within a preset time period; determining whether that number reaches a preset threshold and, if it does, prompting a change to the security status of the webpage;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who continued to access the webpage within a preset time period; determining whether the ratio of the number of users who continued to access the webpage to the number of users who received the webpage interception information reaches a preset threshold and, if it does, prompting a change to the security status of the webpage;
    or, for each webpage, counting the number of users who requested that the webpage no longer be intercepted within a preset time period; determining whether that number reaches a preset threshold and, if it does, prompting a change to the security status of the webpage;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who requested that the webpage no longer be intercepted within a preset time period; determining whether the ratio of the number of users who requested that the webpage no longer be intercepted to the number of users who received the webpage interception information reaches a preset threshold and, if it does, prompting a change to the security status of the webpage;
    or, for each webpage, counting the number of users who filed an appeal against the webpage interception information within a preset time period; determining whether that number reaches a preset threshold and, if it does, prompting a change to the security status of the webpage;
    or, for each webpage, counting the number of users who received the webpage interception information and the number of users who filed an appeal against the webpage interception information within a preset time period; determining whether the ratio of the number of users who filed an appeal to the number of users who received the webpage interception information reaches a preset threshold and, if it does, prompting a change to the security status of the webpage.
  11. A security client device for implementing secure access, wherein the security client device comprises:
    a memory;
    one or more processors;
    one or more programs stored in the memory and executed by the one or more processors, the one or more programs including instructions for:
    reporting a user's access request for a webpage, and reporting the user's operation on webpage interception information;
    receiving the webpage interception information.
  12. A computer-readable storage medium storing one or more programs executed by a computer system, the one or more programs including instructions for performing the following steps:
    receiving a user's access request for a webpage, querying the security status of the webpage, and feeding back webpage interception information when the query result is "unsafe";
    receiving the user's operation on the webpage interception information, performing statistics on the operations, determining whether the statistical result satisfies a preset false alarm condition and, if it does, prompting a change to the security status of the webpage.
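The statistical checks of claims 7 and 10, as an added example (not code from the patent): a sliding-window monitor that counts distinct users per operation for each webpage and returns which count or ratio conditions are met. The operation names, thresholds, the `min_blocked` floor on ratio checks and the sample events are assumptions made for the example.

```python
from collections import defaultdict

# Operation names are assumptions; the claims describe the operations without naming them.
BLOCKED, CONTINUE, UNBLOCK, APPEAL = "blocked", "continue", "unblock", "appeal"

class FalsePositiveMonitor:
    def __init__(self, window_s, count_limits, ratio_limits, min_blocked=1):
        self.window_s = window_s          # the "preset time period", in seconds
        self.count_limits = count_limits  # op -> distinct-user threshold
        self.ratio_limits = ratio_limits  # op -> threshold on op users / blocked users
        self.min_blocked = min_blocked    # assumption: skip ratios on tiny samples
        self.events = defaultdict(list)   # url -> [(ts, user, op)]

    def record(self, url, user, op, ts):
        self.events[url].append((ts, user, op))

    def distinct_users(self, url, now):
        """Distinct users per operation inside the window ending at `now`."""
        users = defaultdict(set)
        for ts, user, op in self.events[url]:
            if now - self.window_s < ts <= now:
                users[op].add(user)
        return {op: len(ids) for op, ids in users.items()}

    def review_reasons(self, url, now):
        """Which claimed conditions are met; non-empty means prompt a status review."""
        counts = self.distinct_users(url, now)
        blocked = counts.get(BLOCKED, 0)
        reasons = [f"{op}_count" for op, limit in self.count_limits.items()
                   if counts.get(op, 0) >= limit]
        if blocked >= max(self.min_blocked, 1):
            reasons += [f"{op}_ratio" for op, limit in self.ratio_limits.items()
                        if counts.get(op, 0) / blocked >= limit]
        return reasons

def sample_monitor():
    """Constructed sample events, not data from the patent."""
    m = FalsePositiveMonitor(3600, {BLOCKED: 50, UNBLOCK: 3, APPEAL: 3},
                             {CONTINUE: 0.5, UNBLOCK: 0.3, APPEAL: 0.3}, min_blocked=5)
    for i in range(10):
        m.record("http://shop.example/", f"u{i}", BLOCKED, 2000 + i)
        m.record("http://bad.example/", f"u{i}", BLOCKED, 2000 + i)
    for i in range(6):                    # 6 of 10 blocked users click through
        m.record("http://shop.example/", f"u{i}", CONTINUE, 2100 + i)
    for k in range(5):                    # one user appealing 5 times counts once
        m.record("http://bad.example/", "u0", APPEAL, 2200 + k)
    m.record("http://bad.example/", "u1", CONTINUE, 2300)
    return m
```

Counting distinct users rather than raw events keeps one user's repeated appeals from moving a threshold, and a non-empty result only prompts a review of the security status, as the claims state.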
PCT/CN2014/088614 2013-10-24 2014-10-15 Secure access method, system and apparatus WO2015058640A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310506492.7 2013-10-24
CN201310506492.7A CN103546470A (en) 2013-10-24 2013-10-24 Safe access method, system and device

Publications (1)

Publication Number Publication Date
WO2015058640A1 (en) 2015-04-30

Family

ID=49969518

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/088614 WO2015058640A1 (en) 2013-10-24 2014-10-15 Secure access method, system and apparatus

Country Status (2)

Country Link
CN (1) CN103546470A (en)
WO (1) WO2015058640A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760121A (en) * 2022-03-31 2022-07-15 腾讯科技(深圳)有限公司 Method for controlling access frequency and access frequency control system

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103546470A (en) * 2013-10-24 2014-01-29 腾讯科技(武汉)有限公司 Safe access method, system and device
CN105791253B (en) * 2014-12-26 2020-04-21 腾讯科技(深圳)有限公司 Method and device for acquiring authentication information of website
CN104967616A (en) * 2015-06-05 2015-10-07 北京安普诺信息技术有限公司 WebShell file detection method in Web server
CN105468993A (en) * 2015-11-25 2016-04-06 北京金山安全软件有限公司 Information processing method and device
CN105592105B (en) * 2016-02-26 2018-12-25 北京奇虎科技有限公司 Guarantee the asynchronous system Network Access Method and device of safety
CN106357603A (en) * 2016-08-18 2017-01-25 乐视控股(北京)有限公司 Web page security detection processing method and device
CN108282446B (en) * 2017-01-06 2021-01-29 阿里巴巴集团控股有限公司 Method and apparatus for identifying scanner
CN107766551A (en) * 2017-10-31 2018-03-06 广东小天才科技有限公司 A kind of network address examination & verification management-control method and terminal device based on big data analysis

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231745A (en) * 2011-07-08 2011-11-02 盛大计算机(上海)有限公司 Safety system and method for network application
CN102402620A (en) * 2011-12-26 2012-04-04 余姚市供电局 Method and system for defending malicious webpage
CN102724190A (en) * 2012-06-11 2012-10-10 腾讯科技(深圳)有限公司 Method and device for blocking and prompting malicious URL (uniform resource locator)
CN102957694A (en) * 2012-10-25 2013-03-06 北京奇虎科技有限公司 Method and device for judging phishing websites
CN103546470A (en) * 2013-10-24 2014-01-29 腾讯科技(武汉)有限公司 Safe access method, system and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007117613A2 (en) * 2006-04-06 2007-10-18 Ferguson Kenneth H Media content programming control method and apparatus
US7873656B1 (en) * 2007-09-25 2011-01-18 Trend Micro Incorporated Apparatus and methods to reduce proxy overhead in a gateway
CN101478540B (en) * 2008-12-31 2012-04-25 成都市华为赛门铁克科技有限公司 Method and apparatus for defending and challenge collapsar attack
CN102541891A (en) * 2010-12-14 2012-07-04 深圳市金蝶中间件有限公司 Browser error reporting method and browser error reporting device based on interceptor
CN103116723A (en) * 2013-02-06 2013-05-22 北京奇虎科技有限公司 Method, device and system of web site interception process

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760121A (en) * 2022-03-31 2022-07-15 腾讯科技(深圳)有限公司 Method for controlling access frequency and access frequency control system
CN114760121B (en) * 2022-03-31 2023-08-01 腾讯科技(深圳)有限公司 Access frequency control method and access frequency control system

Also Published As

Publication number Publication date
CN103546470A (en) 2014-01-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14856168

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06.09.16)

122 Ep: pct application non-entry in european phase

Ref document number: 14856168

Country of ref document: EP

Kind code of ref document: A1