WO2015188604A1 - Procede et dispositif de detection de page web de filoutage - Google Patents

Procede et dispositif de detection de page web de filoutage Download PDF

Info

Publication number
WO2015188604A1
WO2015188604A1 PCT/CN2014/094147 CN2014094147W WO2015188604A1 WO 2015188604 A1 WO2015188604 A1 WO 2015188604A1 CN 2014094147 W CN2014094147 W CN 2014094147W WO 2015188604 A1 WO2015188604 A1 WO 2015188604A1
Authority
WO
WIPO (PCT)
Prior art keywords
webpage
detected
information
summary information
phishing
Prior art date
Application number
PCT/CN2014/094147
Other languages
English (en)
Chinese (zh)
Inventor
梅银明
邹荣新
刘军
Original Assignee
百度国际科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 百度国际科技(深圳)有限公司 filed Critical 百度国际科技(深圳)有限公司
Publication of WO2015188604A1 publication Critical patent/WO2015188604A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Definitions

  • the present invention relates to the field of Internet technologies, and in particular, to a method and an apparatus for detecting a phishing webpage.
  • the related technologies can be prevented in two ways: one is network protection products, such as online shopping bodyguards, account protection products, etc. These network protection products provide users with a secure portal, so that users can The security portal is logged in, but the problem with this approach is that the phishing website cannot be detected at all, and only a specific web page can be protected.
  • the other is to collect the phishing webpage to form a phishing webpage library.
  • the phishing webpage library is used to determine whether the webpage visited by the user is a phishing webpage, but the problem in this way is that the timeliness of the phishing webpage is very Short, usually a few hours, some even less than an hour, in many cases the phishing page has not expired.
  • the object of the present invention is to solve at least one of the above technical problems to some extent.
  • a first object of the present invention is to provide a method for detecting a phishing web page.
  • the method can avoid the problem that the domain name of the phishing webpage has timeliness, improve the accuracy of the detection, and can fundamentally detect the phishing website, thereby improving the feasibility and usability.
  • a second object of the present invention is to provide a device for detecting a phishing web page.
  • a third object of the present invention is to provide a detecting device.
  • a fourth object of the present invention is to provide a non-volatile computer storage medium.
  • a method for detecting a phishing webpage includes: extracting a webpage template feature of a webpage to be detected, and acquiring first summary information of the webpage template feature; determining the first Whether the summary information belongs to the second summary information in the preset database, the second summary information is summary information acquired according to the webpage template feature of the target webpage; and determining that the first summary information belongs to the preset database And determining, by the second information, whether the domain name of the to-be-detected webpage and the domain name of the target webpage are consistent; and determining the webpage to be detected when determining that the domain name of the to-be-detected webpage and the domain name of the target webpage are inconsistent It is a phishing page that spoofs the target webpage.
  • the method for detecting a phishing webpage may extract a webpage template feature of the webpage to be detected and obtain the first digest information thereof, and further determine the to-be-determined information when the first digest information belongs to the second digest information in the preset database. Check whether the domain name of the webpage and the domain name of the target webpage are consistent. When the domain name is inconsistent, it is determined that the webpage to be detected is a phishing webpage of the counterfeit target webpage, which avoids the problem that the domain name of the phishing webpage has timeliness characteristics, improves the accuracy of detection, and can Fundamentally detecting phishing sites increases the viability and usability.
  • the phishing webpage detecting apparatus of the second aspect of the present invention includes: an obtaining module, configured to extract a webpage template feature of the webpage to be detected, and obtain first summary information of the webpage template feature; a determining module, configured to determine whether the first summary information belongs to second summary information in a preset database, the second summary information is summary information acquired according to a webpage template feature of the target webpage; and the second determining module uses When the first determining module determines that the first summary information belongs to the second summary information in the preset database, further determining whether the domain name of the to-be-detected webpage and the domain name of the target webpage are consistent; and determining third The module is configured to determine that the to-be-detected webpage is a phishing webpage that spoofs the target webpage when the second determining module determines that the domain name of the to-be-detected webpage is inconsistent with the domain name of the target webpage.
  • the acquiring module may extract the webpage template feature of the webpage to be detected and obtain the first digest information thereof, and the second determining module determines, in the first determining module, that the first digest information belongs to the preset database.
  • the second summary information further determines whether the domain name of the to-be-detected webpage and the domain name of the target webpage are consistent.
  • the third determining module determines that the webpage to be detected is a phishing webpage of the phishing target webpage, and avoids the aging of the domain name of the phishing webpage.
  • the problem of sexual characteristics improves the accuracy of detection and can fundamentally detect phishing websites, thereby improving the feasibility and usability.
  • a detecting apparatus includes: one or more processors; a memory; one or more modules, the one or more modules being stored in the memory, when When one or more processors are executed, the method for detecting a phishing webpage according to the first aspect of the present invention is executed.
  • a nonvolatile computer storage medium of a fourth aspect of the present invention the computer storage medium storing one or more modules, when the one or more modules are executed by a detecting device,
  • the detecting device is configured to execute the method for detecting a phishing webpage according to the embodiment of the first aspect of the present invention.
  • FIG. 1 is a flow chart of a method for detecting a phishing webpage according to an embodiment of the present invention
  • FIG. 2 is a flow chart of a method for detecting a phishing webpage according to another embodiment of the present invention.
  • FIG. 3 is a flowchart of a method for detecting a phishing webpage according to still another embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for detecting a phishing webpage according to still another embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a device for detecting a phishing webpage according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a device for detecting a phishing webpage according to another embodiment of the present invention.
  • the invention provides a method for detecting a phishing webpage, comprising: extracting a webpage template feature of a webpage to be detected, and acquiring first summary information of the webpage template feature; determining whether the first summary information belongs to the second summary information in the preset database.
  • the second summary information is the summary information obtained according to the webpage template feature of the target webpage; when determining that the first summary information belongs to the second summary information in the preset database, further determining whether the domain name of the to-be-detected webpage and the domain name of the target webpage are Consistent; and inconsistent in determining the domain name of the web page to be detected and the domain name of the landing page
  • the webpage to be detected is a phishing webpage that spoofs the target webpage.
  • FIG. 1 is a flow chart of a method of detecting a phishing webpage according to an embodiment of the present invention.
  • the method for detecting the phishing webpage includes:
  • the web page to be detected may be a user login page. It should be understood that the current number of web pages is very large, and it is unrealistic and unnecessary to protect each webpage. The ultimate purpose of the phishing website is to steal useful information of the user (such as account number, password, etc.), so that it is only necessary to detect The user login page can effectively protect the user information, which greatly reduces the scope of protection, and turns a non-convergence problem into a convergence problem, which improves the feasibility.
  • the webpage template feature may include a webpage title, description information of the webpage, copyright information of the webpage, content information of the ⁇ h1> ⁇ h2> ⁇ h3> ⁇ h4> tag of the webpage, and webpage information ⁇ p> At least one of content information of a tag, style sheet information of a web page, form information of a web page, navigation information of a web page, tag frame information of a web page, display icon information of a web page, and the like.
  • the first summary information may be information of an HTML (Hyper Text Markup Language) file.
  • HTML Hyper Text Markup Language
  • the URL of the phishing webpage Uniform Resource Locator
  • the page template of the phishing webpage is basically similar to the template of the phishing webpage, it is determined whether the webpage to be detected is phishing.
  • the HTML file information corresponding to the webpage to be detected needs to be obtained, so that the automatically generated phishing webpage identification and the phishing website that randomly updates the domain name can be effectively dealt with.
  • the webpage template feature may be extracted from the webpage to be detected (ie, the user login page), and then the information of the HTML file in the webpage may be obtained from the webpage template feature.
  • S102 Determine whether the first summary information belongs to the second summary information in the preset database, where the second summary information is the summary information obtained according to the webpage template feature of the target webpage.
  • the second summary information may be information of the HTML file.
  • the first summary information may be sent to the cloud according to the local preset database; and/or the first summary information may be sent to the cloud, so that the cloud determines whether the first summary information is determined according to the cloud database.
  • the second summary information in the preset database can store the second summary information corresponding to some relatively hot web pages, and the local preset database can be scanned by the local engine first, if the local engine pre-localizes according to the first summary information. If the corresponding second summary information is not detected in the database, the first summary information may be sent to the cloud, and the cloud determines, according to the cloud database, whether the first summary information belongs to the second summary information in the preset database. As a result, the availability of both the local engine and the cloud engine is combined.
  • the method for detecting the phishing webpage may further include: establishing Preset the database.
  • the target webpage may be obtained first, and whether the visit amount of the target webpage exceeds the preset visit amount, and/or the number of counterfeit times of the target webpage exceeds the preset counterfeit number. Then, when it is determined that the amount of access to the target webpage exceeds the preset amount of access, and/or the number of counterfeit times of the target webpage exceeds the preset number of counterfeit times, the webpage template feature of the target webpage is extracted, and the second webpage template feature of the target webpage is obtained. Summary information to create a default database.
  • the unknown information when it is determined that the first summary information does not belong to the second summary information in the preset database, the unknown information may be returned, and whether the to-be-detected webpage is a detection of the phishing webpage is ended.
  • the webpage template feature of the webpage may be extracted by manually analyzing whether the webpage to be detected is a phishing webpage, and if not, the second digest information of the webpage template feature is obtained and saved in a preset database. As a result, the default database can be expanded and improved.
  • the to-be-detected webpage is Secure web page, not a phishing page.
  • the method for detecting a phishing webpage may extract a webpage template feature of the webpage to be detected and obtain the first digest information thereof, and further determine the to-be-determined information when the first digest information belongs to the second digest information in the preset database. Check whether the domain name of the webpage and the domain name of the target webpage are consistent. When the domain name is inconsistent, it is determined that the webpage to be detected is a phishing webpage of the counterfeit target webpage, which avoids the problem that the domain name of the phishing webpage has timeliness characteristics, improves the accuracy of detection, and can Fundamentally detecting phishing sites increases the viability and usability.
  • FIG. 2 is a flow chart of a method of detecting a phishing webpage according to another embodiment of the present invention.
  • the warning information may be sent to the user and the target webpage may be provided.
  • the method for detecting the phishing webpage may include:
  • S202 Determine whether the first summary information belongs to the second summary information in the preset database, where the second summary information is the summary information obtained according to the webpage template feature of the target webpage.
  • the user may send a warning message to prompt the webpage that the user is opening or viewing as a phishing webpage, and present the correct URL of the phishing target webpage to the user. So that users can go to the landing page to log in.
  • the method for detecting a phishing webpage after determining that the webpage to be detected is a phishing webpage of a counterfeit target webpage, may send a warning message to the user and provide a target webpage, so that the user can log in to the target webpage, thereby improving the user experience.
  • FIG. 3 is a flow chart of a method for detecting a phishing webpage according to still another embodiment of the present invention.
  • the method for detecting the phishing webpage may include:
  • the webpage of the webpage to be detected may be obtained first, and then the webpage of the webpage to be detected may be determined to be in the whitelisted webpage list.
  • S303 Determine whether the first summary information belongs to the second summary information in the preset database, where the second summary information is the summary information obtained according to the webpage template feature of the target webpage.
  • the webpage to be detected when determining that the webpage of the webpage to be detected is in the whitelist webpage list, it may be determined that the webpage to be detected accessed by the user is a normal webpage, and whether the webpage to be detected is a detection of the phishing webpage may be omitted, and the subsequent detection process is omitted. Thereby, the detection efficiency is improved and the detection accuracy is improved.
  • the method for detecting a phishing webpage may determine whether the webpage of the webpage to be detected is in the whitelisted webpage list before extracting the webpage template feature of the webpage to be detected, and if so, whether the webpage to be detected is a phishing webpage
  • the detection eliminates the subsequent detection process, improves the detection efficiency, and improves the detection accuracy.
  • FIG. 4 is a flow chart of a method of detecting a phishing webpage according to still another embodiment of the present invention.
  • the method for detecting the phishing webpage may include:
  • S404 Determine whether the first summary information belongs to the second summary information in the preset database, where the second summary information is the summary information obtained according to the webpage template feature of the target webpage.
  • the to-be-detected webpage when it is determined that the to-be-detected webpage does not include the login label information, it may be determined that the to-be-detected webpage accessed by the user does not include the login page, that is, the user does not need to input information about the privacy information (such as account number, password, etc.) to access the webpage.
  • the webpage such that the phishing webpage is greatly reduced to the user, can end the detection of the webpage to be detected as a phishing webpage, and the subsequent detection process is omitted. Thereby, the detection efficiency is improved.
  • step S401 determining whether the web address of the web page to be detected is in the whitelist web address list
  • step S402 may also be performed prior to step S401. That is to say, it may be determined whether the login tag information is included in the to-be-detected webpage; if yes, it is determined whether the URL of the to-be-detected webpage is in the whitelisted URL list.
  • the method for detecting a phishing webpage may determine whether the webpage of the webpage to be detected includes the login label information before extracting the webpage template feature of the webpage to be detected, and if not, whether the webpage to be detected is a phishing webpage.
  • the detection eliminates the subsequent detection process and further improves the detection efficiency.
  • an embodiment of the present invention further provides a device for detecting a phishing webpage, including: An obtaining module, configured to extract a webpage template feature of the webpage to be detected, and obtain first summary information of the webpage template feature; the first determining module is configured to determine whether the first summary information belongs to the second summary information in the preset database, The second summary information is the summary information obtained according to the webpage template feature of the target webpage. The second determining module is configured to further determine the to-be-detected when the first determining module determines that the first summary information belongs to the second summary information in the preset database.
  • the third determining module is configured to determine that the domain name of the webpage to be detected and the domain name of the target webpage are inconsistent, and determine that the webpage to be detected is a phishing webpage of the counterfeit target webpage.
  • FIG. 5 is a schematic structural diagram of a device for detecting a phishing webpage according to an embodiment of the present invention.
  • the detecting device of the phishing webpage includes: an obtaining module 10, a first determining module 20, a second determining module 30, and a third determining module 40.
  • the obtaining module 10 may be configured to extract a webpage template feature of the webpage to be detected, and obtain first summary information of the webpage template feature.
  • the web page to be detected may be a user login page. It should be understood that the current number of web pages is very large, and it is unrealistic and unnecessary to protect each webpage. The ultimate purpose of the phishing website is to steal useful information of the user (such as account number, password, etc.), so that it is only necessary to detect The user login page can effectively protect the user information, which greatly reduces the scope of protection, and turns a non-convergence problem into a convergence problem, which improves the feasibility.
  • the webpage template feature may include a webpage title, description information of the webpage, copyright information of the webpage, content information of the ⁇ h1> ⁇ h2> ⁇ h3> ⁇ h4> tag of the webpage, and webpage information ⁇ p> At least one of content information of a tag, style sheet information of a web page, form information of a web page, navigation information of a web page, tag frame information of a web page, display icon information of a web page, and the like.
  • the first summary information may be information of an HTML file. It should be understood that, since the URL of the phishing webpage is time-sensitive, and the page template of the phishing webpage is substantially similar to the template of the phishing webpage, it is necessary to obtain the corresponding webpage to be detected when determining whether the webpage to be detected is a phishing webpage. HTML file information, which can effectively deal with automatically generated phishing webpages and phishing websites that randomly update domain names.
  • the obtaining module 10 may first extract the webpage template feature from the webpage to be detected (ie, the user login page), and then obtain the information of the HTML file in the webpage from the webpage template feature.
  • the first determining module 20 is configured to determine whether the first summary information belongs to the second summary information in the preset database, and the second summary information is the summary information obtained according to the webpage template feature of the target webpage.
  • the second summary information may be information of the HTML file.
  • the first determining module 20 may determine, according to the locally preset database, whether the first summary information belongs to the second summary information; and/or, the first summary information may be sent to the cloud, so that the cloud determines according to the cloud database. Whether the first summary information belongs to the second summary information in the preset database. . That is, local presets
  • the database may store the second summary information corresponding to the relatively hot webpage, and the first determining module 20 may first scan the local preset database by using the local engine, if the local engine is in the local preset database according to the first summary information.
  • the first summary information may be sent to the cloud, and the cloud determines, according to the cloud database, whether the first summary information belongs to the second summary information in the preset database. As a result, the availability of both the local engine and the cloud engine is combined.
  • the unknown information when it is determined that the first summary information does not belong to the second summary information in the preset database, the unknown information may be returned, and whether the to-be-detected webpage is a detection of the phishing webpage is ended.
  • the webpage template feature of the webpage may be extracted by manually analyzing whether the webpage to be detected is a phishing webpage, and if not, the second digest information of the webpage template feature is obtained and saved in a preset database. As a result, the default database can be expanded and improved.
  • the second determining module 30 is configured to further determine, when the first determining module 20 determines that the first summary information belongs to the second summary information in the preset database, whether the domain name of the to-be-detected webpage and the domain name of the target webpage are consistent.
  • the third determining module 40 is configured to determine, by the second determining module, that the domain name of the to-be-detected webpage and the domain name of the target webpage are inconsistent, and determine that the webpage to be detected is a phishing webpage of the counterfeit target webpage.
  • the to-be-detected webpage is Secure web page, not a phishing page.
  • the acquiring module may extract the webpage template feature of the webpage to be detected and obtain the first digest information thereof, and the second determining module determines, in the first determining module, that the first digest information belongs to the preset database.
  • the second summary information further determines whether the domain name of the to-be-detected webpage and the domain name of the target webpage are consistent.
  • the third determining module determines that the webpage to be detected is a phishing webpage of the phishing target webpage, and avoids the aging of the domain name of the phishing webpage.
  • the problem of sexual characteristics improves the accuracy of detection and can fundamentally detect phishing websites, thereby improving the feasibility and usability.
  • FIG. 6 is a schematic structural diagram of a device for detecting a phishing webpage according to another embodiment of the present invention.
  • the detecting device of the phishing webpage may include: an obtaining module 10, a first determining module 20, a second determining module 30, a third determining module 40, and a sending module 50.
  • the sending module 50 is configured to send the warning information to the user and provide the target webpage after the third determining module 40 determines that the webpage to be detected is the phishing webpage of the phishing target webpage. More specifically, after the third determining module 40 determines that the webpage to be detected is a phishing webpage of the counterfeit target webpage, the sending module 50 may send a warning message to the user to prompt the webpage that the user is opening or viewing as a phishing webpage, and will be counterfeited. The correct URL of the landing page is presented to the user so that the user can log in to the landing page. This improves the user experience.
  • the detecting device of the phishing webpage may further A fourth determination module 60 and an exit module 70 are included.
  • the fourth determining module 60 is configured to determine whether the web address of the web page to be detected is in the whitelist web address list before the obtaining module 10 extracts the webpage template feature of the webpage to be detected.
  • the exiting module 70 is configured to, when the fourth determining module 60 determines that the webpage of the webpage to be detected is in the whitelisted webpage list, end whether the webpage to be detected is a phishing webpage.
  • the fourth determining module 60 may first obtain the web address of the web page to be detected, and then determine whether the web address of the web page to be detected is in the white list web address list.
  • the exiting module 70 may determine that the webpage to be detected accessed by the user is a normal webpage, and may end whether the webpage to be detected is a detection of the phishing webpage, and the omitting is omitted. After the detection process. Thereby, the detection efficiency is improved and the detection accuracy is improved.
  • the detecting device of the phishing webpage may further include a fifth determining module 80, where the fifth determining module 80 is configured to extract, at the acquiring module 10, the webpage to be detected. Before the webpage template feature, it is determined whether the login tag information is included in the webpage to be detected.
  • the exiting module 70 is further configured to: when the fifth determining module 80 determines that the webpage to be detected does not include the login label information, end whether the webpage to be detected is a phishing webpage.
  • the exiting module 70 may determine that the webpage to be detected accessed by the user does not include the login page, that is, the user does not need to input relevant privacy information (such as an account number, a password, etc.). Information) can access the webpage, so that the phishing webpage will greatly reduce the harm to the user. At this time, it can end whether the webpage to be detected is the detection of the phishing webpage, and the subsequent detection process is omitted. Thereby, the detection efficiency is improved.
  • the detecting device of the phishing webpage may further include an establishing module 90, and the establishing module 90 may be configured to establish a preset database.
  • the establishing module 90 may include an obtaining unit 91, a determining unit 92, and an establishing unit 93.
  • the obtaining unit 91 can be used to acquire a target webpage.
  • the determining unit 92 can be configured to determine whether the amount of access of the target webpage exceeds a preset amount of access, and/or whether the number of spoofing of the target webpage exceeds a preset number of counterfeit times.
  • the establishing unit 93 can be configured to: when the determining unit 92 determines that the amount of access to the target webpage exceeds the preset amount of access, and/or, if the number of counterfeit times of the target webpage exceeds the preset number of counterfeit, extract the webpage template feature of the target webpage, and obtain the target webpage.
  • the second summary information of the web page template feature to establish a preset database. Therefore, it is convenient to determine whether the first summary information belongs to the second summary information in the preset database according to the preset database, thereby improving the usability.
  • an embodiment of the present invention further provides a detecting apparatus, including: one or more processors; a memory; one or more modules, one or more modules stored in the memory when being one or more
  • a detecting apparatus including: one or more processors; a memory; one or more modules, one or more modules stored in the memory when being one or more
  • the processor executes, the method for detecting the phishing webpage according to any of the above embodiments of the present invention is executed. I will not repeat them here.
  • embodiments of the present invention also provide a non-volatile computer storage medium storing one or more modules when the one or more modules are executed by a detecting device And the detecting device performs the method for detecting the phishing webpage according to any one of the foregoing embodiments of the present invention. I will not repeat them here.
  • first and second are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated.
  • features defining “first” or “second” may include at least one of the features, either explicitly or implicitly.
  • the meaning of "a plurality" is at least two, such as two, three, etc., unless specifically defined otherwise.
  • a "computer-readable medium” can be any apparatus that can contain, store, communicate, propagate, or transport a program for use in an instruction execution system, apparatus, or device, or in conjunction with the instruction execution system, apparatus, or device.
  • computer readable media include the following: electrical connections (electronic devices) having one or more wires, portable computer disk cartridges (magnetic devices), random access memory (RAM), Read only memory (ROM), erasable editable read only memory (EPROM or flash memory), fiber optic devices, and portable compact disk read only memory (CDROM).
  • the computer readable medium may even be a paper or other suitable medium on which the program can be printed, as it may be optically scanned, for example by paper or other medium, followed by editing, interpretation or, if appropriate, other suitable The method is processed to obtain the program electronically and then stored in computer memory.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it can be implemented by any one of the following techniques known in the art or a combination thereof: having logic for implementing data signals A discrete logic circuit of a functional logic gate circuit, an application specific integrated circuit with a suitable combination of logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and the like.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium.
  • the above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

La présente invention concerne un procédé de détection de page Web de filoutage, comprenant les étapes suivantes: l'extraction des caractéristiques de modèle de page Web d'une page Web à vérifier et l'acquisition d'un premier résumé des caractéristiques de modèle de la page Web; la détermination de l'appartenance du premier résumé à un second résumé dans une base de données préétablie, le second résumé étant un résumé acquis en fonction des caractéristiques de modèle de page Web d'une page Web cible; lorsqu'il est déterminé que le premier résumé appartient au second résumé dans la base de données préétablie, la détermination également de la cohérence du nom de domaine de la page Web à vérifier avec le nom de domaine de la page Web cible; et lorsqu'il est déterminé que le nom de domaine de la page Web à vérifier est incompatible avec le nom de domaine de la page Web cible, la détermination que la page Web à vérifier est une page Web de filoutage contrefaisant la page Web cible. Selon un mode de réalisation de la présente invention, le procédé évite le problème qu'un nom de domaine d'une page Web de filoutage présente la caractéristique d'une durée limitée, permettant d'améliorer la précision de détection, et permet la détection d'une page Web de filoutage à un niveau élémentaire, améliorant ainsi la faisabilité et l'applicabilité. L'invention concerne également un dispositif de détection de pages Web de filoutage.
PCT/CN2014/094147 2014-06-13 2014-12-17 Procede et dispositif de detection de page web de filoutage WO2015188604A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410265323.3 2014-06-13
CN201410265323.3A CN104050257A (zh) 2014-06-13 2014-06-13 钓鱼网页的检测方法和装置

Publications (1)

Publication Number Publication Date
WO2015188604A1 true WO2015188604A1 (fr) 2015-12-17

Family

ID=51503089

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/094147 WO2015188604A1 (fr) 2014-06-13 2014-12-17 Procede et dispositif de detection de page web de filoutage

Country Status (2)

Country Link
CN (1) CN104050257A (fr)
WO (1) WO2015188604A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110740117A (zh) * 2018-10-31 2020-01-31 哈尔滨安天科技集团股份有限公司 仿冒域名检测方法、装置、电子设备及存储介质

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050257A (zh) * 2014-06-13 2014-09-17 百度国际科技(深圳)有限公司 钓鱼网页的检测方法和装置
CN105187415A (zh) * 2015-08-24 2015-12-23 成都秋雷科技有限责任公司 钓鱼网页检测方法
CN107370719B (zh) * 2016-05-13 2021-02-05 阿里巴巴集团控股有限公司 异常登录识别方法、装置及系统
CN111224923B (zh) * 2018-11-26 2022-07-22 阿里巴巴集团控股有限公司 一种仿冒网站的检测方法、装置及系统
CN114285627B (zh) * 2021-12-21 2023-12-22 安天科技集团股份有限公司 流量检测方法及装置、电子设备和计算机可读存储介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102737183A (zh) * 2012-06-12 2012-10-17 腾讯科技(深圳)有限公司 网页安全访问的方法及装置
CN103179095A (zh) * 2011-12-22 2013-06-26 阿里巴巴集团控股有限公司 一种检测钓鱼网站的方法及客户端装置
CN103685307A (zh) * 2013-12-25 2014-03-26 北京奇虎科技有限公司 基于特征库检测钓鱼欺诈网页的方法及系统、客户端、服务器
CN103685308A (zh) * 2013-12-25 2014-03-26 北京奇虎科技有限公司 一种钓鱼网页的检测方法及系统、客户端、服务器
CN104050257A (zh) * 2014-06-13 2014-09-17 百度国际科技(深圳)有限公司 钓鱼网页的检测方法和装置

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8640231B2 (en) * 2006-02-23 2014-01-28 Microsoft Corporation Client side attack resistant phishing detection
CN102082792A (zh) * 2010-12-31 2011-06-01 成都市华为赛门铁克科技有限公司 钓鱼网页检测方法及设备
CN103268442B (zh) * 2013-05-14 2015-12-23 北京奇虎科技有限公司 一种实现安全访问视频网站的方法和装置
CN103425736B (zh) * 2013-06-24 2016-02-17 腾讯科技(深圳)有限公司 一种网页信息识别方法、装置及系统

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103179095A (zh) * 2011-12-22 2013-06-26 阿里巴巴集团控股有限公司 一种检测钓鱼网站的方法及客户端装置
CN102737183A (zh) * 2012-06-12 2012-10-17 腾讯科技(深圳)有限公司 网页安全访问的方法及装置
CN103685307A (zh) * 2013-12-25 2014-03-26 北京奇虎科技有限公司 基于特征库检测钓鱼欺诈网页的方法及系统、客户端、服务器
CN103685308A (zh) * 2013-12-25 2014-03-26 北京奇虎科技有限公司 一种钓鱼网页的检测方法及系统、客户端、服务器
CN104050257A (zh) * 2014-06-13 2014-09-17 百度国际科技(深圳)有限公司 钓鱼网页的检测方法和装置

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110740117A (zh) * 2018-10-31 2020-01-31 哈尔滨安天科技集团股份有限公司 仿冒域名检测方法、装置、电子设备及存储介质
CN110740117B (zh) * 2018-10-31 2022-03-04 安天科技集团股份有限公司 仿冒域名检测方法、装置、电子设备及存储介质

Also Published As

Publication number Publication date
CN104050257A (zh) 2014-09-17

Similar Documents

Publication Publication Date Title
US11727114B2 (en) Systems and methods for remote detection of software through browser webinjects
US9223977B2 (en) Detection of DOM-based cross-site scripting vulnerabilities
WO2015188604A1 (fr) Procede et dispositif de detection de page web de filoutage
US8943588B1 (en) Detecting unauthorized websites
US9251282B2 (en) Systems and methods for determining compliance of references in a website
JP5497173B2 (ja) Xss検出方法および装置
KR101001132B1 (ko) 웹 어플리케이션의 취약성 판단 방법 및 시스템
US9747441B2 (en) Preventing phishing attacks
US20180084003A1 (en) Method and system for injecting javascript into a web page
CN112703496B (zh) 关于恶意浏览器插件对应用用户的基于内容策略的通知
US10645117B2 (en) Systems and methods to detect and notify victims of phishing activities
CN106548075B (zh) 漏洞检测方法和装置
CN102664872B (zh) 用于检测和防止对计算机网络中服务器攻击的方法
CN113190838A (zh) 一种基于表达式的web攻击行为检测方法及系统
CN107103243B (zh) 漏洞的检测方法及装置
US11005877B2 (en) Persistent cross-site scripting vulnerability detection
CN104375935A (zh) Sql注入攻击的测试方法和装置
US10581878B2 (en) Detection of cross-site attacks using runtime analysis
US9398041B2 (en) Identifying stored vulnerabilities in a web service
CN103390129A (zh) 检测统一资源定位符安全性的方法和装置
US9396170B2 (en) Hyperlink data presentation
JP6258189B2 (ja) 特定装置、特定方法および特定プログラム
KR20150024044A (ko) 피싱 탐지 시스템 및 방법
JP5421950B2 (ja) ページ変化判定装置
CN118101251A (zh) 访问控制方法及装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14894592

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC ( EPO FORM 1205A DATED 22/05/2017 )

122 Ep: pct application non-entry in european phase

Ref document number: 14894592

Country of ref document: EP

Kind code of ref document: A1