WO2015003627A1 - Method and device for detecting malicious uniform resource locator (url) - Google Patents


Info

Publication number: WO2015003627A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2014/081861
Other languages: French (fr), Chinese (zh)
Prior art keywords: score, url, detected, domain name, preset
Inventors: 申飞龙, 张辉, 刘健
Original assignee: 腾讯科技(深圳)有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer

Definitions

  • the present invention relates to the field of information processing technologies, and in particular, to a method and a device for detecting a malicious website.
  • when a user accesses a web server by using a client, the client generally inputs the server's web address, such as a Uniform Resource Locator (URL), and connects to the server through that address.
  • Embodiments of the present invention provide a method and device for detecting a malicious website, which improves the detection efficiency of a malicious website.
  • the embodiment of the invention provides a method for detecting a malicious website, which includes: dividing the to-be-detected web address into multiple components, the components including any combination of a domain name, a port, a path, a file name, a data parameter and an anchor point; assigning a corresponding detection score to each of the components; determining an overall score of the to-be-detected web address according to the detection scores of the components; and, if the overall score is within a first score range of a preset malicious web address, determining that the to-be-detected web address is a malicious web address.
  • the embodiment of the invention provides a detection device for a malicious website, which includes:
  • a dividing unit configured to divide the to-be-detected web address into multiple components, where the plurality of component parts include any combination of a domain name, a port, a path, a file name, a data parameter, and an anchor point;
  • a score distribution unit configured to assign a corresponding detection score to each component of the plurality of components divided by the dividing unit;
  • a total score determining unit configured to determine an overall score of the to-be-detected web address according to a detection score of each component part allocated by the score distribution unit;
  • the malicious website determining unit is configured to determine that the to-be-detected website is a malicious website if the overall score determined by the overall score determining unit is within a first score range of the preset malicious website.
  • the detecting device of the malicious website divides the to-be-detected URL into multiple components, assigns a corresponding detection score to each of the components, and determines the overall score of the to-be-detected URL according to the detection scores of the respective components; if the overall score is within the first score range of the preset malicious URL, it is determined that the to-be-detected URL is a malicious URL.
  • in this way, whether a web address is malicious can be detected directly by operating on the web address itself, without operating on the content the web address points to; this saves the time needed to obtain the content corresponding to the to-be-detected website, improves detection efficiency, and also avoids detection failures caused by failing to obtain the content of the to-be-detected URL.
  • FIG. 1 is a schematic diagram of a network environment in an embodiment of the present invention.
  • FIG. 2 is a flowchart of a method for detecting a malicious web address according to an embodiment of the present invention.
  • FIG. 3A and FIG. 3B are schematic diagrams of dividing a website to be detected in an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a device for detecting a malicious website according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a terminal to which a method for detecting a malicious website according to an embodiment of the present invention is applied.
  • FIG. 1 is a schematic diagram of a network environment applied by a malicious website detection method according to an embodiment of the present invention.
  • the user can access the network 110 through the terminal 120, thereby accessing the web server 130 by inputting a web address on the terminal 120.
  • the terminal 120 may include a smartphone, a tablet, an e-book reader, a Moving Picture Experts Group Audio Layer III (MP3) player, a Moving Picture Experts Group Audio Layer IV (MP4) player, a laptop computer, a desktop computer, and the like.
  • the terminal 120 can be connected to the network 110 through a wired or wireless link.
  • the wireless link may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
  • the detecting device 140 of the malicious website provided by the embodiment of the present invention is included in the terminal 120.
  • the detection device 140 includes computer readable instructions stored in the terminal 120.
  • the detecting device 140 of the malicious website divides the web address into multiple components, and the plurality of components may include any combination of a domain name, a port, a path, a file name, a data parameter, and an anchor point.
  • the detecting device 140 of the malicious website assigns a corresponding detection score to each component of the plurality of components, and determines the overall score of the to-be-detected URL according to the detection score of each component; if the overall score is within the first score range of the preset malicious URL, it is determined that the URL to be detected is a malicious web address.
  • FIG. 2 is a flowchart of a method for detecting a malicious website according to an embodiment of the present invention. The method can be performed by the detecting device 140 of the malicious web address shown in FIG. As shown in Figure 2, the method includes the following steps.
  • Step 201 The website to be detected is divided into multiple components, and the plurality of component parts may be any combination of a domain name, a port, a path, a file name, a data parameter, and an anchor point.
  • a URL can be distinguished into components such as a domain name (domain name), a port (port), a path (path), a file name (filename), a data parameter (query), and an anchor point (anchor).
  • the multiple components may include any combination of a domain name, a port, a path, a file name, a data parameter, and an anchor point.
  • the plurality of components can include a domain name, a port, a path, and a file name.
  • a domain name is the name of a computer or group of computers in a network, consisting of a series of dot-separated names that identify the electronic location of the computer during data transmission and sometimes its geographic location. A domain name can have multiple levels, each level being separated by "."; in short, the number of dots gives the number of levels, and the rightmost word is the top-level domain.
  • a port is an outlet for communication between a computer and the outside world; a path usually refers to a file or a location on a network server; a file name indicates a specific file on the accessed server; the data parameter is the information that starts with a question mark (?) and is separated by ampersands (&); an anchor is a string or command (an anchor link) that refers to a fragment of the content corresponding to the URL to be detected.
  • a URL can be divided into more components. In practical applications, values may also be further assigned to these components as a basis for determining whether the URL is a malicious web address.
  • Step 202 Assign a corresponding detection score to each component of the plurality of components.
  • the features of the malicious web address preset in the detection device may be compared with the features of the corresponding components, and if there is a match, a negative detection score is assigned to that component.
  • for example, the feature of the domain name of the preset malicious website is compared with the feature of the domain name obtained in step 201, so that a detection score is assigned to the "domain name" component.
  • Step 203 Determine an overall score of the to-be-detected web address according to the detection scores of the respective components.
  • the detection scores of the respective components may be added to obtain the overall score; or the importance of each component in the entire malicious website may be considered, the detection score of each component weighted to obtain a weighted value, and the weighted values added to obtain the overall score. When the weighted value is obtained, the detection score is multiplied by a weighting coefficient, and the weighting coefficient used for more important components is relatively large.
  • Step 204 Determine whether the overall score obtained in step 203 is within the score range of the preset malicious web address. If yes, execute step 205, that is, determine that the to-be-detected web address is a malicious web address; if not, the to-be-detected web address is not a malicious URL.
  • the score range of the preset malicious web address may be preset by the user in the detecting device according to actual needs; for example, when the overall score is lower than a preset first threshold, the web address is a malicious website.
  • the method may further include steps 206-207, as shown in FIG.
  • Step 206 When it is determined that the overall score is not within the first score range of the preset malicious website, the detecting device of the malicious website may continue to determine whether the total score is within the second score range of the preset suspicious website.
  • Step 207 If the overall score is within the second score range, determine that the to-be-detected web address is a suspicious web address, that is, a possibly malicious web address.
  • the detecting device of the malicious website divides the to-be-detected web address into multiple components, assigns a corresponding detection score to each of the components, and determines the overall score of the to-be-detected URL according to the detection scores of the respective components. If the overall score is within the first score range of the preset malicious URL, it is determined that the to-be-detected URL is a malicious URL.
  • the detection scores need to be allocated according to different policies for different components, as follows:
  • (1) the component is a domain name. If the number of levels of the domain name exceeds a preset number of levels, the domain name is given a negative score, and the more levels there are, the lower the score; each level is separated by ".", so, in short, the number of dots gives the number of levels.
  • if the spelling of the domain name does not conform to the spelling logic, the domain name is given a negative score. The spelling logic is satisfied by ABC, ab12 and 12ab, that is, letters only, or letters and digits that are not interleaved; if letters and digits are interleaved, as in a1b2, the spelling logic is not satisfied. Alternatively, the detection device of the malicious URL may determine whether the domain name conforms to the spelling logic by comparing the domain name with preset features that do not conform to the spelling logic.
  • if the similarity between the domain name and a preset domain name is higher than a preset similarity, the domain name is given a negative score; domain names that are easily spoofed may be preset, and the similarity refers to that between the domain name and the preset domain name.
  • if the domain name is a free domain name outside China, the domain name may also be given a negative score.
  • the component is the file name. If the file name contains special characters, the file name is given a negative score. If the spelling of the file name does not match the spelling logic, a negative value is given for the file name.
  • the component is a port. If the port does not match the preset port, the port is given a negative score.
  • the commonly used common ports are 80, 8080, and 8081.
  • the component is a data parameter. If the data parameter is not in key-value form, i.e., a data parameter name and a data parameter value, the data parameter is given a negative score; if the data parameter value contains a "/", that is, a slash, the data parameter is given a negative score.
  • the component is an anchor. If the anchor contains " /", the anchor is given a negative score.
  • the features of the components may be compared with preset features that conform to the spelling logic; if they match, the component conforms to the spelling logic, otherwise it does not. Alternatively, components in which letters and digits are interleaved can be directly determined not to conform to the spelling logic.
  • when the detection device of the malicious website gives a score according to the features of each component, the score can be given according to the importance of the feature: for a more important feature such as the spelling logic, the negative score given when the spelling logic is not met is lower. Further, after obtaining different scores according to the multiple features of a component, the detecting device of the malicious website may select the lowest score as the detection score of that component.
  • FIG. 3A is a schematic diagram of dividing a to-be-detected web address according to an embodiment of the present invention.
  • the URL after division is shown at 320 in FIG. 3A.
  • the domain name is zh.wikipedia.org (see 321 in Figure 3A), the domain name level is less than 4, the domain name is assigned a score of "0"; the port is 80 (see 322 in Figure 3A), which is a common port of the server.
  • the path is a wiki/TCP/UDP port list (see 323 in Figure 3A).
  • the data parameter is assigned a score of "0"; "head" in the anchor point (see 326 in FIG. 3A) indicates that after opening the page corresponding to the URL, the page automatically scrolls to the position whose anchor name is head, and the anchor is assigned a score of "0".
  • the calculation method of the overall score is as follows: The scores of the respective parts are added.
  • the preset malicious URL score threshold is -10. Since the overall score of the to-be-detected web address 310 is greater than the threshold, it is determined that the to-be-detected web address 310 is a non-malicious web address.
  • FIG. 3B is another schematic diagram of dividing a to-be-detected web address according to an embodiment of the present invention. As shown in Figure 3B, for the URL 330 to be detected:
  • the domain name is assigned a score of "-10"; the port is 6799 (see 342 in FIG. 3B), which is not a common server port, and the port is assigned a score of "-5"; the path is s3u/a (see 343 in FIG. 3B), and s3u has no meaning and does not match ordinary user naming, so the path is assigned a score of "-5"; the file name is q.asp (see 344 in FIG. 3B); the data parameter is 2121&1312 (see 345 in FIG. 3B), which does not conform to the data parameter name and data parameter value form, so the data parameter is assigned a score of "-3"; the anchor point contains the special character shown at 346 in FIG. 3B, and the anchor is assigned a score of "-5".
  • the calculation method of the overall score is as follows: weighting the scores of the respective parts to obtain weighted values, and adding the weighted values to obtain the overall score. Assume that the weighting coefficients of each part are as follows: The domain name has a weight of 3, the port has a weight of 2, and the remaining other parts have a weight of 1.
  • the preset malicious URL score threshold is -10. Since the overall score of the to-be-detected web address 330 is less than the score threshold, it is determined that the to-be-detected web address 330 is a malicious web address.
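As an added worked example (not code from the patent or its assignee), the following Python implements steps 201 to 207 and the per-component scoring policies described above, and reproduces the FIG. 3A/3B style computation: it divides a URL into the six components, scores each with the rules on the page, keeps the lowest feature score per component, forms the weighted sum with the FIG. 3B weights (domain 3, port 2, others 1) and compares it with the -10 threshold. The exact special-character set, the minimum path-part length, the suspicious-range threshold of -5, port 443 in the common-port set, the look-alike penalty with a constructed preset domain list, the approximation of the registrable domain as the last two labels, the score magnitudes the page does not state, and the FIG. 3B domain name a1b2c3.example are all assumptions; the page leaves them open, and the "free domain outside China" rule is not implemented.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Values quoted on the page (port policy, FIG. 3A/3B weights and threshold)
COMMON_PORTS = {80, 8080, 8081, 443}   # page lists 80, 8080, 8081; 443 is an assumption added for https
MAX_DOMAIN_LEVELS = 3                  # zh.wikipedia.org ("level less than 4") scores 0
WEIGHTS = {"domain": 3, "port": 2, "path": 1, "filename": 1, "query": 1, "anchor": 1}
MALICIOUS_THRESHOLD = -10              # first score range: overall score below -10 is malicious
# Assumptions the page leaves open
SUSPICIOUS_THRESHOLD = -5              # second threshold for the "suspicious" range (steps 206-207)
SPECIAL_CHARS = set("<>\"'|;%`{}\\")
MIN_PART_LEN = 2                       # preset length for path parts divided at digits
PRESET_DOMAINS = {"wikipedia.org"}     # constructed list of easily spoofed domains
SPELLING_RE = re.compile(r"^(?:[a-z]+[0-9]*|[0-9]+[a-z]*)$", re.I)  # ABC, ab12, 12ab pass; a1b2 fails


def spells_ok(token: str) -> bool:
    return bool(SPELLING_RE.match(token))


def split_url(url: str) -> dict:
    """Step 201: divide the URL into domain, port, path, file name, data parameters and anchor."""
    p = urlsplit(url)
    segments = [s for s in p.path.split("/") if s]
    # A last segment with an extension (q.asp) is the file name; the rest is the path
    filename = segments.pop() if segments and "." in segments[-1] else ""
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return {"domain": (p.hostname or "").lower(), "port": port, "path": "/".join(segments),
            "filename": filename, "query": p.query, "anchor": p.fragment}


def score_domain(domain: str) -> int:
    labels = [l for l in domain.split(".") if l]
    scores = [0]
    if len(labels) > MAX_DOMAIN_LEVELS:          # more levels than preset: lower score the more levels
        scores.append(-2 * (len(labels) - MAX_DOMAIN_LEVELS))
    if not all(spells_ok(l) for l in labels):    # spelling logic is the most important feature
        scores.append(-10)
    registrable = ".".join(labels[-2:])          # assumption: last two labels approximate the registrable domain
    for preset in PRESET_DOMAINS:
        if registrable != preset and SequenceMatcher(None, registrable, preset).ratio() >= 0.8:
            scores.append(-8)                    # look-alike of a preset (easily spoofed) domain
    return min(scores)                           # lowest feature score becomes the component score


def score_port(port: int) -> int:
    return 0 if port in COMMON_PORTS else -5


def score_path(path: str) -> int:
    scores = [0]
    if any(c in SPECIAL_CHARS for c in path):
        scores.append(-5)
    symbol_parts = [s for s in re.split(r"[^A-Za-z0-9]+", path) if s]   # divided at symbols
    if sum(not spells_ok(s) for s in symbol_parts) >= 2:
        scores.append(-5)
    letter_parts = [s for s in re.split(r"[^A-Za-z]+", path) if s]      # divided at digits (and symbols)
    if sum(len(s) < MIN_PART_LEN for s in letter_parts) >= 2:
        scores.append(-5)                        # s3u/a -> s, u, a: meaningless fragments
    return min(scores)


def score_filename(filename: str) -> int:
    if not filename:
        return 0
    if any(c in SPECIAL_CHARS for c in filename):
        return -5
    stem, _, ext = filename.rpartition(".")
    return 0 if spells_ok(stem) and spells_ok(ext) else -5


def score_query(query: str) -> int:
    if not query:
        return 0
    pairs = query.split("&")
    if any("=" not in pair for pair in pairs):   # not in name=value form (2121&1312)
        return -3
    if any("/" in pair.split("=", 1)[1] for pair in pairs):   # slash inside a value
        return -3
    return 0


def score_anchor(anchor: str) -> int:
    return -5 if "/" in anchor or any(c in SPECIAL_CHARS for c in anchor) else 0


SCORERS = {"domain": score_domain, "port": score_port, "path": score_path,
           "filename": score_filename, "query": score_query, "anchor": score_anchor}


def overall_score(scores: dict) -> int:
    """Step 203, weighted variant: multiply each detection score by its weight and add."""
    return sum(WEIGHTS[k] * v for k, v in scores.items())


def classify(url: str):
    """Steps 202-207: score components, total them, and apply the two score ranges."""
    comps = split_url(url)
    scores = {k: SCORERS[k](comps[k]) for k in SCORERS}
    total = overall_score(scores)
    if total < MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif total < SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, total, scores


if __name__ == "__main__":
    # Constructed inputs modelled on FIG. 3A and FIG. 3B (the page does not give the FIG. 3B domain)
    for u in ("http://zh.wikipedia.org:80/wiki/TCP/UDP_port_list#head",
              "http://a1b2c3.example:6799/s3u/a/q.asp?2121&1312#t/1"):
        print(u, classify(u))
```

With these settings the FIG. 3A style URL scores 0 on every component and is benign, while the FIG. 3B style URL scores domain -10, port -5, path -5, file name 0, data parameter -3 and anchor -5, giving a weighted total of -53, well below the -10 threshold. A URL that differs from the benign one only by an uncommon port lands at -10, which falls in the suspicious band rather than the malicious one; that middle band is where a deployment would typically queue a URL for the slower content-based check the page contrasts with.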
  • FIG. 4 is a schematic structural diagram of a malicious website detecting device according to an embodiment of the present invention. As shown in FIG. 4, the malicious website detecting device 400 includes:
  • the dividing unit 410 is configured to divide the to-be-detected web address into multiple components, and the multiple components may include any combination of a domain name, a port, a path, a file name, a data parameter, and an anchor point.
  • the score distribution unit 411 is configured to allocate a corresponding detection score to each component of the plurality of component parts divided by the division unit 410.
  • the overall score determining unit 412 is configured to determine the overall score of the to-be-detected web address according to the detection scores of the respective components assigned by the score assigning unit 411; specifically, the overall score determining unit 412 may add the detection scores of the respective components to obtain the overall score, or add the weighted values of the detection scores of the respective components to obtain the overall score.
  • the malicious URL determining unit 413 is configured to determine that the to-be-detected web address is a malicious web address when the overall score determined by the overall score determining unit 412 is within the first score range of the preset malicious web address; for example, when the overall score is lower than the preset first threshold, it is determined to be a malicious URL.
  • the device 400 may further include a suspicious URL determining unit 414, configured to determine that the to-be-detected web address is a suspicious web address if the overall score determined by the overall score determining unit 412 is within the second score range of the preset suspicious URL; for example, when the overall score is higher than the preset first threshold and lower than the preset second threshold, the web address is determined to be a suspicious URL.
  • score distribution unit 411 may specifically allocate detection scores to different components according to different strategies, specifically:
  • for a domain name, the score assigning unit 411 is specifically configured to give the domain name a negative score if the number of levels of the domain name exceeds a preset number of levels; or if the similarity between the domain name and a preset domain name is higher than a preset similarity; or if the spelling of the domain name does not conform to the spelling logic.
  • for a file name, the score assigning unit 411 is specifically configured to give the file name a negative score if the file name includes a special character, or if the spelling of the file name does not conform to the spelling logic.
  • for a path, the score assigning unit 411 is specifically configured to give the path a negative score if the path contains a special character; or if, when the path is divided at symbols, the spelling of two or more of the divided parts does not conform to the spelling logic; or if, when the path is divided at digits, the length of two or more of the divided parts is less than a preset length.
  • for a data parameter, the score assigning unit 411 is specifically configured to give the data parameter a negative score if the data parameter is not in the form of a data parameter name and a data parameter value, or if the data parameter value includes a slash.
  • for a port, the score assigning unit 411 is specifically configured to give the port a negative score if the port does not match the preset port.
  • for an anchor point, the score assigning unit 411 is specifically configured to give the anchor point a negative score if the anchor point includes a slash.
  • the dividing unit 410 divides the to-be-detected web address into a plurality of component parts, and the score-allocating unit 411 assigns a corresponding detection score to each component of the plurality of component parts.
  • the overall score determining unit 412 determines the overall score of the to-be-detected web address according to the detected scores of the respective components. If the overall score is within the first score range of the preset malicious web address, the malicious web address determining unit 413 determines that the to-be-detected web address is a malicious web address.
  • FIG. 5 is a schematic diagram of a user terminal according to an embodiment of the present invention.
  • the user terminal 500 includes a processor 510, a memory 520, a communication unit 530, and an input/output unit 540.
  • the computer readable instructions are stored in the memory 520.
  • the processor 510 implements the functions of the dividing unit 410, the score assigning unit 411, the overall score determining unit 412, the malicious URL determining unit 413 and the suspicious URL determining unit 414 of FIG. 4 by running the computer readable instructions stored in the memory 520.
  • the specific functions and operations have been described in detail in the foregoing embodiments with reference to FIG. 2 and FIG. 4, and details are not described herein again.
  • the memory 520 may be a read only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, or the like.
  • Communication unit 530 is for communicating with the network over a wired link or a wireless link.
  • communication unit 530 can include a radio frequency (RF) circuit.
  • the input/output unit 540 is connected to the input/output device through an interface, receives numeric or character information input by the user, and displays information to the user.
  • the terminal 500 may further include other components, such as a camera, a Bluetooth module, and the like, and details are not described herein again.

Abstract

In an embodiment of the present invention, a device for detecting a malicious uniform resource locator (URL) divides a URL to be detected into several parts, allocates a corresponding detection score to each part, and according to the detection score of each part, determines an overall score of the URL to be detected; if the overall score is within a predetermined first score range for a malicious URL, then the URL to be detected is identified as a malicious URL.

Description

A method and device for detecting a malicious URL

TECHNICAL FIELD
The present invention relates to the field of information processing technologies, and in particular to a method and a device for detecting a malicious URL.

BACKGROUND OF THE INVENTION
When a user accesses a web server through a client, the client generally inputs the server's web address, such as a Uniform Resource Locator (URL), and connects to the server through that address. If the client inputs a malicious URL, user information may be threatened, so malicious URLs need to be detected.
In the prior art, when detecting a malicious URL, the detecting device first has to connect to the server through the URL, obtain the content provided by that server (the page content), and determine by matching the page content or a page screenshot whether the content corresponding to the URL is malicious; if so, the URL is a malicious URL. Thus the prior art always has to obtain the content corresponding to the URL first, which makes detection of malicious URLs relatively inefficient. Moreover, in practice the server behind a malicious URL may block the address of a detecting device that runs security software, so that the detecting device cannot obtain the content corresponding to the URL and detection fails.

SUMMARY OF THE INVENTION
Embodiments of the present invention provide a method and device for detecting a malicious URL, which improve the detection efficiency for malicious URLs.
An embodiment of the invention provides a method for detecting a malicious URL, which includes:
dividing the URL to be detected into multiple components, the multiple components including any combination of a domain name, a port, a path, a file name, a data parameter and an anchor point;
assigning a corresponding detection score to each of the multiple components;
determining an overall score of the URL to be detected according to the detection scores of the respective components; and
if the overall score is within a first score range of a preset malicious URL, determining that the URL to be detected is a malicious URL.
An embodiment of the invention provides a device for detecting a malicious URL, which includes:
a dividing unit, configured to divide the URL to be detected into multiple components, the multiple components including any combination of a domain name, a port, a path, a file name, a data parameter and an anchor point;
a score assigning unit, configured to assign a corresponding detection score to each of the multiple components divided by the dividing unit;
an overall score determining unit, configured to determine the overall score of the URL to be detected according to the detection scores of the respective components assigned by the score assigning unit; and
a malicious URL determining unit, configured to determine that the URL to be detected is a malicious URL if the overall score determined by the overall score determining unit is within the first score range of the preset malicious URL.
It can be seen that the detecting device divides the URL to be detected into multiple components, assigns a corresponding detection score to each component, and determines the overall score of the URL to be detected according to the detection scores of the respective components; if the overall score is within the first score range of the preset malicious URL, the URL to be detected is determined to be a malicious URL. In this way, whether a URL is malicious can be detected directly by operating on the URL itself, without operating on the content the URL points to; this saves the time needed to obtain the content corresponding to the URL to be detected, improves detection efficiency, and also avoids detection failures caused by failing to obtain that content.

BRIEF DESCRIPTION OF THE DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将 对实施例或现有技术描述中所需要使用的附图作简单地介绍, 显而易见 地, 下面描述中的附图仅仅是本发明的一些实施例, 对于本领域普通技 术人员来讲, 在不付出创造性劳动性的前提下, 还可以根据这些附图获 得其他的附图。 In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following is a brief description of the drawings used in the embodiments or the prior art description. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings according to the drawings without any inventive labor.
图 1是本发明实施例中一种网络环境示意图。  FIG. 1 is a schematic diagram of a network environment in an embodiment of the present invention.
图 2是本发明实施例提供的一种恶意网址的检测方法的流程图。 图 3A和图 3B是本发明实施例中划分待检测网址的示意图。  FIG. 2 is a flowchart of a method for detecting a malicious web address according to an embodiment of the present invention. FIG. 3A and FIG. 3B are schematic diagrams of dividing a website to be detected in an embodiment of the present invention.
图 4 是本发明实施例提供的一种恶意网址的检测设备的结构示意 图。  FIG. 4 is a schematic structural diagram of a device for detecting a malicious website according to an embodiment of the present invention.
图 5是本发明实施例提供的一种恶意网址的检测方法应用于的终端 的结构示意图。 具体实施方式  FIG. 5 is a schematic structural diagram of a terminal applied to a method for detecting a malicious website according to an embodiment of the present invention. detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

FIG. 1 is a schematic diagram of the network environment in which the malicious URL detection method according to an embodiment of the present invention is applied. As shown in FIG. 1, a user can access a network 110 through a terminal 120 and thereby reach a web server 130 by entering a URL on the terminal 120. The terminal 120 may be a smartphone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, a desktop computer, and so on.

As shown in FIG. 1, the terminal 120 may be connected to the network 110 over a wired or wireless link. The wireless link may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Message Service (SMS), and so on.

The terminal 120 contains a malicious URL detection device 140 according to an embodiment of the present invention. The detection device 140 consists of computer-readable instructions stored in the terminal 120.

When the user accesses a URL (for example, by typing it into a browser), the malicious URL detection device 140 divides the URL into multiple components, which may be any combination of a domain name, a port, a path, a filename, data parameters and an anchor. The detection device 140 assigns a corresponding detection score to each component, determines an overall score for the URL from the component scores, and, if the overall score falls within a preset first score range for malicious URLs, determines that the URL is malicious. The decision is thus made by operating on the URL itself rather than on the content the URL points to, which saves the time needed to fetch that content, improves detection efficiency, and also avoids a detection failing because the content could not be fetched.

FIG. 2 is a flowchart of a method for detecting a malicious URL according to an embodiment of the present invention. The method may be performed by the malicious URL detection device 140 shown in FIG. 1. As shown in FIG. 2, the method comprises the following steps.
Step 201: divide the URL to be detected into multiple components, which may be any combination of a domain name, a port, a path, a filename, data parameters and an anchor.

In general, a web address, and in particular a URL, consists of a domain name, a port, a path, a filename, data parameters (the query) and an anchor.

In an embodiment of the present invention, the components may be any combination of a domain name, a port, a path, a filename, data parameters and an anchor. For example, the components may be the domain name, the port, the path and the filename.

Here:

The domain name is the name of a computer or group of computers on a network, consisting of a series of names separated by dots; it identifies the electronic location of the computer during data transmission and sometimes also its geographical location. A domain name may have several levels, separated by "."; in short, the number of dots gives the number of levels, and the rightmost label is the top-level domain.

The port is the endpoint through which a computer communicates with the outside world. The path usually designates a file or a location on a web server. The filename designates the specific file accessed on the server. The data parameters are the information that starts with a question mark (?) and is separated by ampersands (&). The anchor is a string or a command anchor chain that refers to a fragment of the content the URL points to.

For example, for the URL:

http://video.google.co.uk:80/videoplay/index.html?docid=10086&hl=en#00h02m30s

the domain name is google.co.uk, the port is 80, the path is /videoplay, the filename is index.html, the data parameters are docid with the value 10086 and hl with the value en, and the anchor is #00h02m30s.

In addition to the domain name, port, path, filename, data parameters and anchor listed above, a URL can also be divided into further components. In practice, values can be assigned to these components as well and used as a basis for judging whether the URL is malicious.
Step 202: assign a corresponding detection score to each of the components.

When assigning detection scores, the features of malicious URLs preset in the detection device are compared with the features of the corresponding component; if they are similar or match, the component is given a negative detection score. For example, the features of the domain names of preset malicious URLs are compared with the features of the domain name obtained in step 201, and a detection score is assigned to the "domain name" component accordingly.

Step 203: determine the overall score of the URL from the detection scores of the components.

Specifically, the detection scores of the components may simply be added to obtain the overall score. Alternatively, to account for how important each component is within a malicious URL as a whole, each detection score is first weighted and the weighted values are added to obtain the overall score; a weighted value is obtained by multiplying the detection score by a weighting coefficient, and the more important components are given larger weighting coefficients.

Step 204: judge whether the overall score obtained in step 203 is within the preset score range for malicious URLs. If it is, execute step 205, that is, determine that the URL is malicious; if it is not, the URL is not malicious.

Specifically, the preset score range for malicious URLs may be preset in the detection device by the user according to actual needs; for instance, a URL whose overall score is lower than a preset first threshold is malicious.

Further, in a specific embodiment, the method may also comprise steps 206 and 207, as shown in FIG. 2.

Step 206: when the overall score is judged not to be within the preset first score range for malicious URLs, the detection device may go on to judge whether the overall score is within a preset second score range for suspicious URLs.

Step 207: if the overall score is within the second score range, determine that the URL is suspicious, that is, possibly malicious.

Suspicious URLs can then be handled accordingly. For instance, a URL whose overall score is higher than the preset first threshold and lower than a preset second threshold is suspicious.

As can be seen, in this embodiment the malicious URL detection device divides the URL into multiple components, assigns a detection score to each component, determines the overall score from the component scores, and determines that the URL is malicious if the overall score is within the preset first score range. The decision is made by operating on the URL itself rather than on the content it points to, which saves the time needed to fetch that content, improves detection efficiency, and also avoids a detection failing because the content could not be fetched.
In a specific embodiment, when performing step 202 the detection device assigns detection scores to the different components according to different policies, as follows.

(1) The component is the domain name.

If the number of levels of the domain name exceeds a preset number (for example 4), the domain name is given a negative score, and the more levels there are, the lower the score. The levels are separated by "."; in short, the number of dots gives the number of levels.

If the spelling of the domain name does not follow spelling logic, the domain name is given a negative score. In general, a domain name follows spelling logic when it looks like ABC, ab12 or 12ab, that is, it consists only of letters, or letters and digits are not interleaved; a label such as a1b2, in which letters and digits alternate, does not follow spelling logic. Alternatively, the detection device can decide whether the domain name follows spelling logic by comparing it with preset features that do not follow spelling logic.

If the similarity between the domain name and a preset domain name is higher than a preset similarity, the domain name is given a negative score. Specifically, domain names that are easily spoofed can be preset, and the similarity is the percentage of characters that match when the domain name is matched against the preset domain name.

If the domain name is a free domain name registered outside China, it can also be given a negative score.

(2) The component is the path.

If the path contains special characters, the path is given a negative score; special characters are characters other than letters, digits and a limited set of punctuation marks (%, ?, /, =, #, ., -, _).

The path is split at its symbols; if two or more of the resulting segments do not follow spelling logic, the path is given a negative score.

The path is split at its symbols; if, cumulatively, two or more of the resulting segments are shorter than a preset length (for example 2), the path is given a negative score. Symbols here are characters other than digits and letters, such as "/" and "?".

(3) The component is the filename. If the filename contains special characters, it is given a negative score. If the spelling of the filename does not follow spelling logic, it is given a negative score.

(4) The component is the port. If the port does not match a preset port, it is given a negative score; the commonly used preset ports are typically 80, 8080 and 8081.

(5) The component is the data parameters. If the data parameters are not in key-value form, that is, parameter name and parameter value, they are given a negative score. If a parameter value contains a slash ("/"), the data parameters are given a negative score.

(6) The component is the anchor. If the anchor contains "/", it is given a negative score.

It should be noted that, when assigning detection scores to the components as above, it may be necessary to judge whether the spelling of certain components follows spelling logic. In a specific implementation, the features of the component are compared with features that follow spelling logic: if they match, the spelling is logical, otherwise it is not. Alternatively, a component in which letters and digits are interleaved can be directly deemed not to follow spelling logic.

In addition, when the detection device assigns a score based on a feature of a component, the magnitude of the score can depend on how important that feature is; for a more important feature such as spelling logic, a lower (more negative) score is given when the spelling is illogical. Further, after assigning different scores based on several features of one component, the detection device may select the lowest of those scores as the detection score of that component.
FIG. 3A is a schematic diagram of dividing a URL to be detected in an embodiment of the present invention. As shown in FIG. 3A, the URL to be detected 310 is http://zh.wikipedia.org:80/wiki/TCP/UDP端口列表/index.html?uid=1212#head, and the divided URL is shown at 320 in FIG. 3A. Its domain name is zh.wikipedia.org (321 in FIG. 3A); the number of levels is less than 4, so the domain name is given the score "0". The port is 80 (322), a commonly used server port, so the port is given the score "0". The path is /wiki/TCP/UDP端口列表 (323); each segment is a commonly used name with a definite meaning, so the path is given the score "0". The filename is index.html (324), the default home page of a site, so the filename is given the score "0". The data parameter is uid=1212 (325), which is in parameter-name, parameter-value form, so the data parameters are given the score "0". The anchor head (326) means that, once the page is opened, it scrolls automatically to the position named head, so the anchor is given the score "0".

In this embodiment of the present invention, assume that the overall score is computed by adding the scores of the components. From the component scores above, the overall score of the URL 310 is 0+0+0+0+0+0=0. Assume the preset threshold for malicious URLs is -10. Since the overall score of the URL 310 is greater than this threshold, the URL 310 is determined not to be malicious.

FIG. 3B is another schematic diagram of dividing a URL to be detected in an embodiment of the present invention. As shown in FIG. 3B, the URL to be detected 330 is:

http://qz0ne.qq.com.8866.org:6799/s3u/a/q.asp?2121&1312#^^^^^

and the divided URL is shown at 340 in FIG. 3B. Its domain name is qz0ne.qq.com.8866.org (341 in FIG. 3B); it has more than 4 levels, uses the free domain 8866.org, and is highly similar to the preset domain name qzone.qq.com, so the detection score of the domain name is low. In this embodiment the domain name is given the score "-10". The port is 6799 (342), not a commonly used server port, so the port is given the score "-5". The path is /s3u/a (343); s3u has no meaning and does not look like a name a user would choose, so the path is given the score "-5". The filename is q.asp (344). The data parameters are 2121&1312 (345), which are not in parameter-name, parameter-value form, so the data parameters are given the score "-3". The anchor contains the special characters "^^^^^" (346), so the anchor is given the score "-5".

In this embodiment of the present invention, assume that the overall score is computed by weighting the score of each component and adding the weighted values. Assume the weighting coefficients are as follows: the domain name has weight 3, the port has weight 2, and all other components have weight 1.

From the component scores above, the overall score of the URL 330 is 3*(-10) + 2*(-5) + (-5) + (-3) + (-5) = -53. Assume the preset threshold for malicious URLs is -10. Since the overall score of the URL 330 is lower than this threshold, the URL 330 is determined to be malicious.
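The division of step 201, the per-component policies (1) to (6) and the two worked scores of FIG. 3A and FIG. 3B can be put together in one small scorer. The Python below is an added illustration written for this page; it is not the patent's or Tencent's code. It assumes Python's urllib.parse.urlsplit for the split and difflib's SequenceMatcher ratio as the similarity measure (the page only says "percentage of matching characters"). The preset lists and score magnitudes that the page gives (ports 80/8080/8081, the spoofed name qzone.qq.com, the free domain 8866.org, the scores -10, -5 and -3, the threshold -10) are used as-is; values the page does not give are marked ASSUMED in the code (443 as a common port, -8 for illogical spelling, -6 for a free or over-deep domain, -3 as the suspicious threshold). Two rule details follow the worked example rather than the rule text: the path rules fire on a single bad segment, because the text says "two or more" while FIG. 3B penalises /s3u/a for the one meaningless segment s3u, and the anchor rule penalises any non-alphanumeric character rather than only "/", because FIG. 3B penalises "^^^^^". Two checks the page does not spell out are included because a deployment needs them: a preset domain is never flagged as similar to itself, and letters outside ASCII (the Chinese path in FIG. 3A) count as letters, not as special characters.

```python
"""Component-wise URL scoring after steps 201-207 of the page.
Added illustration, not the patent's code.  Presets marked ASSUMED are not
stated on the page; the others are taken from its figures 3A and 3B."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

COMMON_PORTS = {80, 8080, 8081, 443}          # 443 is ASSUMED
PROTECTED_DOMAINS = ["qzone.qq.com"]          # easily spoofed names (FIG. 3B)
FREE_DOMAIN_SUFFIXES = [".8866.org"]          # free domain providers (FIG. 3B)
MAX_DOMAIN_LEVELS = 4
SIMILARITY_THRESHOLD = 0.8                    # ASSUMED
MIN_SEGMENT_LEN = 2
PATH_BAD_SEGMENTS = 1                         # rule text says 2; FIG. 3B implies 1
PATH_PUNCT = "%?/=#.-_"                       # the page's permitted punctuation
WEIGHTS = {"domain": 3, "port": 2, "path": 1, "filename": 1, "query": 1, "anchor": 1}
MALICIOUS_THRESHOLD = -10                     # total below this -> malicious
SUSPICIOUS_THRESHOLD = -3                     # ASSUMED: [-10, -3) -> suspicious

# "Spelling logic": only letters, or letters then digits, or digits then letters.
# [^\W\d_] is any Unicode letter, so CJK path segments are not penalised.
_LOGICAL = re.compile(r"[^\W\d_]+\d*|\d+[^\W\d_]*")

def spelling_ok(token):
    return bool(_LOGICAL.fullmatch(token))

def has_special(text):
    return any(not (c.isalnum() or c in PATH_PUNCT) for c in text)

def split_url(url):
    """Step 201: domain, port, path, filename, data parameters, anchor."""
    p = urlsplit(url)
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(p.scheme)
    directory, _, last = p.path.rpartition("/")
    filename = last if "." in last else ""     # ASSUMED: a filename has an extension
    return {"domain": p.hostname or "", "port": port,
            "path": directory if filename else p.path,
            "filename": filename, "query": p.query, "anchor": p.fragment}

def score_domain(domain):                      # rule (1): lowest triggered score wins
    labels = domain.split(".")
    scores = [0]
    if len(labels) > MAX_DOMAIN_LEVELS:        # deeper nesting -> lower score (ASSUMED slope)
        scores.append(-(4 + 2 * (len(labels) - MAX_DOMAIN_LEVELS)))
    if not all(spelling_ok(label) for label in labels):
        scores.append(-8)
    for preset in PROTECTED_DOMAINS:
        n = preset.count(".") + 1              # slide a window of the preset's label count
        for i in range(len(labels) - n + 1):
            window = ".".join(labels[i:i + n])
            ratio = SequenceMatcher(None, window, preset).ratio()
            if window != preset and ratio > SIMILARITY_THRESHOLD:
                scores.append(-10)
    if any(domain.endswith(suffix) for suffix in FREE_DOMAIN_SUFFIXES):
        scores.append(-6)
    return min(scores)

def score_port(port):                          # rule (4)
    return 0 if port in COMMON_PORTS else -5

def score_path(path):                          # rule (2)
    segments = re.findall(r"[^\W_]+", path)   # split at every symbol
    scores = [0]
    if has_special(path):
        scores.append(-5)
    if sum(not spelling_ok(s) for s in segments) >= PATH_BAD_SEGMENTS:
        scores.append(-5)
    if sum(len(s) < MIN_SEGMENT_LEN for s in segments) >= PATH_BAD_SEGMENTS:
        scores.append(-5)
    return min(scores)

def score_filename(name):                      # rule (3)
    bad = has_special(name) or not all(spelling_ok(t) for t in re.findall(r"[^\W_]+", name))
    return -5 if bad else 0

def score_query(query):                        # rule (5)
    pairs = query.split("&") if query else []
    if any("=" not in kv for kv in pairs):     # not name=value form
        return -3
    if any("/" in kv.partition("=")[2] for kv in pairs):
        return -3
    return 0

def score_anchor(anchor):                      # rule (6), widened to any special char
    return -5 if any(not (c.isalnum() or c in "-_") for c in anchor) else 0

def score_url(url):
    """Steps 202-207: per-component scores, weighted total, verdict."""
    parts = split_url(url)
    scores = {"domain": score_domain(parts["domain"]), "port": score_port(parts["port"]),
              "path": score_path(parts["path"]), "filename": score_filename(parts["filename"]),
              "query": score_query(parts["query"]), "anchor": score_anchor(parts["anchor"])}
    total = sum(WEIGHTS[k] * v for k, v in scores.items())
    verdict = ("malicious" if total < MALICIOUS_THRESHOLD
               else "suspicious" if total < SUSPICIOUS_THRESHOLD else "benign")
    return total, verdict, scores
```

With these presets, score_url reproduces the page's two totals: 0 ("benign") for the FIG. 3A URL and -53 ("malicious") for the FIG. 3B URL, with the domain name contributing -10 because the similarity rule, the spelling rule, the level rule and the free-domain rule all fire and the lowest value is kept. The similarity rule is the detail worth checking in any implementation: comparing the whole host qz0ne.qq.com.8866.org against qzone.qq.com gives a ratio of about 0.67, below the threshold, so the code compares every window of three labels instead; the window qz0ne.qq.com scores about 0.92 and the spoof is caught.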
FIG. 4 is a schematic structural diagram of a malicious URL detection device according to an embodiment of the present invention. As shown in FIG. 4, the malicious URL detection device 400 comprises:

a dividing unit 410, configured to divide the URL to be detected into multiple components, which may be any combination of a domain name, a port, a path, a filename, data parameters and an anchor;

a score assignment unit 411, configured to assign a corresponding detection score to each of the components produced by the dividing unit 410;

an overall score determination unit 412, configured to determine the overall score of the URL from the detection scores assigned by the score assignment unit 411; specifically, the overall score determination unit 412 may add the detection scores of the components to obtain the overall score, or add the weighted values of the detection scores of the components to obtain the overall score;

a malicious URL determination unit 413, configured to determine that the URL is malicious if the overall score determined by the overall score determination unit 412 is within the preset first score range for malicious URLs, for example when the overall score is lower than a preset first threshold.

Further, in another embodiment of the present invention, the device 400 may also comprise a suspicious URL determination unit 414, configured to determine that the URL is suspicious if the overall score determined by the overall score determination unit 412 is within the preset second score range for suspicious URLs, for example when the overall score is higher than the preset first threshold and lower than a preset second threshold.

It should be noted that the score assignment unit 411 may assign detection scores to the different components according to different policies. Specifically:

When the dividing unit 410 extracts a domain name from the URL, the score assignment unit 411 gives the domain name a negative score if its number of levels exceeds a preset number; or if its similarity to a preset domain name is higher than a preset similarity; or if its spelling does not follow spelling logic. When the dividing unit 410 extracts a filename, the score assignment unit 411 gives the filename a negative score if it contains special characters, or if its spelling does not follow spelling logic. When the dividing unit 410 extracts a path, the score assignment unit 411 gives the path a negative score if it contains special characters; or if, after the path is split at its symbols, two or more segments do not follow spelling logic; or if two or more segments are shorter than a preset length.

When the dividing unit 410 extracts data parameters, the score assignment unit 411 gives them a negative score if they are not in parameter-name, parameter-value form, or if a parameter value contains a slash. When the dividing unit 410 extracts a port, the score assignment unit 411 gives the port a negative score if it does not match a preset port. When the dividing unit 410 extracts an anchor, the score assignment unit 411 gives the anchor a negative score if it contains a slash.

As can be seen, in the malicious URL detection device 400 of this embodiment, the dividing unit 410 divides the URL into multiple components, the score assignment unit 411 assigns a detection score to each component, the overall score determination unit 412 determines the overall score from the component scores, and the malicious URL determination unit 413 determines that the URL is malicious if the overall score is within the preset first score range. The decision is made by operating on the URL itself rather than on the content it points to, which saves the time needed to fetch that content and improves detection efficiency.

The method and device for detecting malicious URLs provided by the embodiments of the present invention can be applied in a user terminal. FIG. 5 is a schematic diagram of a user terminal according to an embodiment of the present invention. As shown in FIG. 5, the user terminal 500 comprises a processor 510, a memory 520, a communication unit 530 and an input/output unit 540.
The memory 520 stores computer-readable instructions. By executing the computer-readable instructions stored in the memory 520, the processor 510 performs the functions of the dividing unit 410, the score assignment unit 411, the overall score determination unit 412, the malicious URL determination unit 413 and the suspicious URL determination unit 414 of FIG. 4. The specific functions and operations have been described in detail in the embodiments above with reference to FIG. 2 and FIG. 4 and are not repeated here.

The memory 520 may be a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.

The communication unit 530 communicates with the network over a wired or wireless link. For example, the communication unit 530 may include a radio frequency (RF) circuit, so that the terminal 500 can connect to the network over a wireless link.

The input/output unit 540 is connected to input/output devices through interfaces, receives numeric or character information entered by the user, and displays information to the user.

In addition, the terminal 500 may also include other components, such as a camera and a Bluetooth module, which are not described further here.

The method and device for detecting malicious URLs provided by the embodiments of the present invention have been described in detail above. The description of the embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art will, in accordance with the idea of the present invention, find changes in both the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims

1. A method for detecting a malicious URL, comprising:
dividing a URL to be detected into a plurality of components, the plurality of components comprising any combination of a domain name, a port, a path, a file name, data parameters and an anchor;
assigning a corresponding detection score to each of the plurality of components;
determining an overall score of the URL to be detected according to the detection scores of the components; and
if the overall score falls within a preset first score range for malicious URLs, determining that the URL to be detected is a malicious URL.
2. The method according to claim 1, wherein the components comprise a domain name, and assigning a corresponding detection score to each of the plurality of components specifically comprises:
if the number of levels of the domain name exceeds a preset number of levels, giving the domain name a negative score; or, if the similarity between the domain name and a preset domain name is higher than a preset similarity, or if the spelling of the domain name does not conform to spelling logic, giving the domain name a negative score.
3. The method according to claim 1, wherein the components comprise a file name, and assigning a corresponding detection score to each of the plurality of components specifically comprises:
if the file name contains special characters, giving the file name a negative score; or, if the spelling of the file name does not conform to spelling logic, giving the file name a negative score.
4. The method according to claim 1, wherein the components comprise a path, and assigning a corresponding detection score to each of the plurality of components specifically comprises:
if the path contains special characters, giving the path a negative score; or, splitting the path at its delimiter symbols and, if two or more of the resulting segments do not conform to spelling logic, giving the path a negative score; or,
splitting the path at its delimiter symbols and, if two or more of the resulting segments are shorter than a preset length, giving the path a negative score.
5. The method according to claim 1, wherein, if the components comprise data parameters, assigning a corresponding detection score to each of the plurality of components specifically comprises: if a data parameter is not in the form of a data parameter name and a data parameter value, giving the data parameter a negative score; or, if the data parameter value contains a slash, giving the data parameter a negative score;
if the components comprise a port, assigning a corresponding detection score to each of the plurality of components specifically comprises: if the port does not match a preset port, giving the port a negative score;
if the components comprise an anchor, assigning a corresponding detection score to each of the plurality of components specifically comprises: if the anchor contains a slash, giving the anchor a negative score.
6. The method according to any one of claims 1 to 5, wherein determining the overall score of the URL to be detected according to the detection scores of the components specifically comprises:
adding the detection scores of the components to obtain the overall score; or, adding the weighted values of the detection scores of the components to obtain the overall score.
7. The method according to any one of claims 1 to 5, further comprising:
if the overall score falls within a preset second score range for suspicious URLs, determining that the URL to be detected is a suspicious URL.
8. A device for detecting a malicious URL, comprising:
a dividing unit, configured to divide a URL to be detected into a plurality of components, the plurality of components comprising any combination of a domain name, a port, a path, a file name, data parameters and an anchor;
a score assignment unit, configured to assign a corresponding detection score to each of the plurality of components divided by the dividing unit;
an overall score determination unit, configured to determine an overall score of the URL to be detected according to the detection scores of the components assigned by the score assignment unit; and
a malicious URL determination unit, configured to determine that the URL to be detected is a malicious URL if the overall score determined by the overall score determination unit falls within a preset first score range for malicious URLs.
9. The device according to claim 8, wherein
the dividing unit is specifically configured to divide a domain name out of the URL to be detected; and the score assignment unit is specifically configured to give the domain name a negative score if the number of levels of the domain name exceeds a preset number of levels; or, if the similarity between the domain name and a preset domain name is higher than a preset similarity, or if the spelling of the domain name does not conform to spelling logic, to give the domain name a negative score.
10. The device according to claim 8, wherein
the dividing unit is specifically configured to divide a file name out of the URL to be detected; and the score assignment unit is specifically configured to give the file name a negative score if the file name contains special characters, or to give the file name a negative score if the spelling of the file name does not conform to spelling logic.
11. The device according to claim 8, wherein
the dividing unit is specifically configured to divide a path out of the URL to be detected; and the score assignment unit is specifically configured to give the path a negative score if the path contains special characters; or, to split the path at its delimiter symbols and give the path a negative score if two or more of the resulting segments do not conform to spelling logic; or, to split the path at its delimiter symbols and give the path a negative score if two or more of the resulting segments are shorter than a preset length.
12. The device according to claim 8, wherein
the dividing unit is specifically configured to divide data parameters out of the URL to be detected, and the score assignment unit is specifically configured to give a data parameter a negative score if the data parameter is not in the form of a data parameter name and a data parameter value, or to give the data parameter a negative score if the data parameter value contains a slash; or,
the dividing unit is specifically configured to divide a port out of the URL to be detected, and the score assignment unit is specifically configured to give the port a negative score if the port does not match a preset port; or,
the dividing unit is specifically configured to divide an anchor out of the URL to be detected, and the score assignment unit is specifically configured to give the anchor a negative score if the anchor contains a slash.
13. The device according to any one of claims 8 to 12, wherein the overall score determination unit is specifically configured to add the detection scores of the components to obtain the overall score, or to add the weighted values of the detection scores of the components to obtain the overall score.
14. The device according to any one of claims 8 to 12, further comprising: a suspicious URL determination unit, configured to determine that the URL to be detected is a suspicious URL if the overall score falls within a preset second score range for suspicious URLs.
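Claims 1 to 14 above describe the procedure only in words. The Python below is an added example written for this page, not code from the patent or from the applicant: it divides a URL into the six claimed components with urllib.parse, applies each claimed check as a negative score, combines the component scores as the weighted sum of claim 6, and maps the total onto the two ranges of claims 1 and 7. The patent fixes none of the values, so the preset level count, the look-alike domain list, the similarity threshold, the preset ports, the minimum segment length, the special-character set, the weights, the score ranges and the vowel/consonant-run test standing in for the claims' undefined "spelling logic" are all assumptions of this example, and the sample URLs are constructed.

```python
"""Component-wise URL scoring following claims 1-14 of WO2015003627A1.
Added illustration, not the patent's code: the claims name the checks but fix no
values, so every preset and the 'spelling logic' test below are assumptions."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

PRESET_MAX_LEVELS = 4                                # claim 2: max domain labels (assumed)
PRESET_SIMILAR_DOMAINS = ("paypal.com", "qq.com", "taobao.com")  # claim 2 targets (assumed)
PRESET_SIMILARITY = 0.8                              # claim 2: ratio above this, not identical
PRESET_PORTS = {None, 80, 443}                       # claim 5: None = no explicit port
PRESET_MIN_SEGMENT_LEN = 3                           # claim 4: a 'short' path segment
SPECIAL_CHARS = set("!$^*|<>{}[]`\\\"'%")             # claims 3 and 4 (assumed set)
WEIGHTS = {"domain": 1.0, "port": 1.0, "path": 0.5, "filename": 1.0,
           "params": 0.5, "anchor": 1.0}             # claim 6: weighted sum (assumed weights)
MALICIOUS_MAX, SUSPICIOUS_MAX = -3.0, -1.0           # claims 1/7: (-inf,-3] and (-3,-1]
VOWELS, CONSONANT_RUN = set("aeiouy"), re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")

def looks_spellable(token: str) -> bool:
    """Assumed stand-in for the claims' undefined 'spelling logic': a token reads as
    generated if it has 4+ letters but no vowel, 5+ consonants in a row, or more
    digits than letters."""
    t = token.lower()
    letters = [c for c in t if c.isalpha()]
    if len(letters) >= 4 and not any(c in VOWELS for c in letters):
        return False
    if CONSONANT_RUN.search(t):
        return False
    return not (letters and sum(c.isdigit() for c in t) > len(letters))

def split_url(url: str) -> dict:
    """Claim 1: divide the URL into domain, port, path, file name, data parameters, anchor."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    try:
        port = parts.port                    # None when the URL has no explicit port
    except ValueError:
        port = -1                            # non-numeric or out-of-range port: never a preset
    path = parts.path or "/"
    head, _, tail = path.rpartition("/")
    filename = tail if "." in tail else ""   # last segment with an extension is the file name
    return {"domain": parts.hostname or "", "port": port, "path": head if filename else path,
            "filename": filename, "params": parts.query, "anchor": parts.fragment}

def score_domain(domain: str) -> int:
    """Claim 2. Each triggered check adds -1; the claims only require 'a negative score'."""
    labels = domain.split(".") if domain else []
    score = -1 if len(labels) > PRESET_MAX_LEVELS else 0
    if any(domain != p and SequenceMatcher(None, domain, p).ratio() > PRESET_SIMILARITY
           for p in PRESET_SIMILAR_DOMAINS):
        score -= 1                           # look-alike such as paypa1.com
    if any(not looks_spellable(lbl) for lbl in labels[:-1]):   # the TLD itself is not judged
        score -= 1
    return score

def score_filename(filename: str) -> int:
    """Claim 3: special characters, or a stem that does not follow spelling logic."""
    if not filename:
        return 0
    score = -1 if SPECIAL_CHARS & set(filename) else 0
    return score - (0 if looks_spellable(filename.rsplit(".", 1)[0]) else 1)

def score_path(path: str) -> int:
    """Claim 4: special characters; two or more unspellable or short segments after splitting."""
    segments = [s for s in path.split("/") if s]
    score = -1 if SPECIAL_CHARS & set(path) else 0
    if sum(not looks_spellable(s) for s in segments) >= 2:
        score -= 1
    if sum(len(s) < PRESET_MIN_SEGMENT_LEN for s in segments) >= 2:
        score -= 1
    return score

def score_params(query: str) -> int:
    """Claim 5: every piece must be name=value, and no value may contain a slash."""
    pieces = [p for p in query.split("&") if p]
    score = -1 if any("=" not in p for p in pieces) else 0
    return score - (1 if any("/" in p.split("=", 1)[1] for p in pieces if "=" in p) else 0)

def overall_score(url: str):
    """Claim 6 (weighted form); port and anchor checks are claim 5. Returns (total, per-part)."""
    c = split_url(url)
    per = {"domain": score_domain(c["domain"]),
           "port": 0 if c["port"] in PRESET_PORTS else -1,
           "path": score_path(c["path"]), "filename": score_filename(c["filename"]),
           "params": score_params(c["params"]), "anchor": -1 if "/" in c["anchor"] else 0}
    return sum(WEIGHTS[k] * v for k, v in per.items()), per

def classify(url: str) -> str:
    """Claims 1 and 7: first range -> malicious, second range -> suspicious, else benign."""
    total, _ = overall_score(url)
    return "malicious" if total <= MALICIOUS_MAX else "suspicious" if total <= SUSPICIOUS_MAX else "benign"

if __name__ == "__main__":   # constructed sample URLs, not taken from the patent
    for u in ("https://www.example.com/docs/index.html?page=2#top", "http://paypa1.com/login.php",
              "http://secure-login.paypa1.com.verify-account.xkqzt.tk:8081/a/b/c/x7q/up.php?next=/admin/&x#/redirect"):
        print(classify(u), *overall_score(u), u)
```

Two points worth noting when adapting this. The claims say only that a component is given "a negative score" when a check fires; this example counts each triggered check once, so a component can accumulate more than one unit, and the weights then decide how much a noisy component such as the path (short segments are common on legitimate CDNs and content-addressed storage) can move the total. Second, every check here is purely lexical, so the second range of claim 7 is the natural place to route a URL for reputation lookups or sandboxing rather than blocking it outright.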
PCT/CN2014/081861 2013-07-09 2014-07-09 Method and device for detecting malicious uniform resource locator (url) WO2015003627A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310286619.9A CN103327029B (en) 2013-07-09 2013-07-09 A kind of detection method of malice network address and equipment
CN201310286619.9 2013-07-09

Publications (1)

Publication Number Publication Date
WO2015003627A1 true WO2015003627A1 (en) 2015-01-15

Family

ID=49195559

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/081861 WO2015003627A1 (en) 2013-07-09 2014-07-09 Method and device for detecting malicious uniform resource locator (url)

Country Status (2)

Country Link
CN (1) CN103327029B (en)
WO (1) WO2015003627A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103327029B (en) * 2013-07-09 2015-09-09 腾讯科技(深圳)有限公司 A kind of detection method of malice network address and equipment
CN104125209B (en) 2014-01-03 2015-09-09 腾讯科技(深圳)有限公司 Malice website prompt method and router
CN104333558B (en) * 2014-11-17 2018-02-23 广州华多网络科技有限公司 A kind of network address detection method and network address detection means
CN105791236B (en) * 2014-12-23 2019-03-12 北京网御星云信息技术有限公司 A kind of wooden horse communication channel detection method and system
CN107547552B (en) * 2017-09-07 2020-02-21 杭州安恒信息技术股份有限公司 Website reputation degree evaluation method and device based on website feature identification and relationship topology
CN114650158A (en) * 2020-12-21 2022-06-21 深信服科技股份有限公司 HTTP detection method, system, equipment and computer storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
US7590707B2 (en) * 2006-08-07 2009-09-15 Webroot Software, Inc. Method and system for identifying network addresses associated with suspect network destinations
CN103077349A (en) * 2013-01-05 2013-05-01 北京奇虎科技有限公司 Method and device for prompting access safety information on browser side
CN103327029A (en) * 2013-07-09 2013-09-25 腾讯科技(深圳)有限公司 Malicious URL (Uniform Resource Locator) detection method and malicious URL detection device

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN102096683A (en) * 2009-12-11 2011-06-15 奇智软件(北京)有限公司 Method for realizing nameplate at browser address bar
CN102045360B (en) * 2010-12-27 2014-04-02 华为数字技术(成都)有限公司 Method and device for processing baleful website library
CN102622435B (en) * 2012-02-29 2017-12-12 百度在线网络技术(北京)有限公司 A kind of method and apparatus for detecting black chain


Also Published As

Publication number Publication date
CN103327029B (en) 2015-09-09
CN103327029A (en) 2013-09-25

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 14822540; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
32PN Ep: public notification in the EP bulletin as the address of the addressee cannot be established. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205N DATED 17/03/2016)
122 Ep: PCT application non-entry in European phase. Ref document number: 14822540; Country of ref document: EP; Kind code of ref document: A1