CN101539936A - Detecting method for sham websites and device thereof - Google Patents

Publication number: CN101539936A
Authority: CN (China)
Prior art keywords: visitor, information, network address, website, extracting
Legal status: Pending
Application number: CN200910083086A
Other languages: Chinese (zh)
Inventors: 敦宏程, 张爽, 毕圣杰, 王婕
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by: Industrial and Commercial Bank of China Ltd ICBC

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

Embodiments of the invention provide a method and a device for detecting sham (phishing) websites. The method comprises the following steps: resource access information of the website is acquired from the website's log records; visitor information is extracted from the resource access information; the extracted visitor information is compared with pre-stored visitor information; and if the two do not match, the extracted visitor information is output, so that sham websites are detected effectively.

Description

A method and a device for detecting fake websites
Technical field
The present invention relates to fake website detection technology in computer network communication, and specifically to a method and a device for detecting fake websites.
Background
With the spread of Internet applications, online transactions of all kinds keep emerging, and fake websites (phishing) have long been a menace to online business. Online banking websites, for example, are one of the targets of fake websites: a fake online banking site often leads to the theft of important information belonging to the bank's customers and, in turn, to financial loss.
A fake website aims to steal network users' information and works by imitating web information such as page content, logos and domain names, which endangers Internet applications.
At present, fake websites are detected mainly through manual detection and reporting and through large-scale Internet searching. Both approaches are inefficient and slow, and cannot effectively counter the threat of fake websites.
Summary of the invention
To overcome the shortcomings of the prior art, embodiments of the invention provide a method and a device for detecting fake websites effectively.
One object of the embodiments is to provide a method for detecting fake websites, comprising the following steps: obtaining the website's resource access information from the website's log records; extracting visitor information from the resource access information; and comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information.
A fake website detection device comprises: a log information acquiring unit for obtaining the website's resource access information from the website's log records; a visitor information extraction unit for extracting visitor information from the resource access information; and a visitor information comparison unit for comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information.
By collecting access logs and extracting and comparing visitor information, the embodiments quickly narrow the range of suspected counterfeit network addresses, so that fake websites can then be found within a small set of visitor information. The invention greatly increases the speed at which fake websites are discovered and reduces the risk of user information being misused and account funds being stolen.
Description of drawings
Fig. 1 is a flowchart of the fake website detection method of Embodiment 1;
Fig. 2 is a structural block diagram of the fake website detection device of Embodiment 1;
Fig. 3 is a structural block diagram of the fake website detection device of Embodiment 2;
Fig. 4 is a structural block diagram of the visitor information comparison unit of an embodiment of the invention;
Fig. 5 is a structural block diagram of the visitor information storage unit of an embodiment of the invention;
Fig. 6 is a flowchart of the fake website detection process of Embodiment 1;
Fig. 7 is a flowchart of the fake website detection process of Embodiment 2;
Fig. 8 is a flowchart of the fake website detection process of Embodiment 3.
Embodiments
Specific embodiments of the invention are described below with reference to the drawings.
Embodiment 1
As shown in Fig. 1, the fake website detection method of this embodiment comprises the following steps: obtaining the website's resource access information from the website's log records (step S101); extracting visitor information from the resource access information (step S102); and comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information (step S103).
As shown in Fig. 2, the fake website detection device of this embodiment comprises: a log information acquiring unit 101 for obtaining the website's resource access information from the website's log records; a visitor information extraction unit 102 for extracting visitor information from the resource access information; and a visitor information comparison unit 103 for comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information. The fake website detection device of this embodiment can be a server, a PC or another kind of computer equipment.
This embodiment is now described in detail with reference to Fig. 6:
Website A is a legitimate transaction website, and the website A server provides its visitors with a web interface that contains the enterprise icon. The website A server also stores a whitelist of legitimate visitors. The whitelist can include the visitor's name, the visitor's network address and/or the visitor's IP address, and so on. Table 1 is an example of such a whitelist.
Table 1
Figure A20091008308600061
When visitor 1 accesses the web page icon of website A, the access log of the website A server records the information about this access. The log information acquiring unit of the website A server obtains website A's resource access information from website A's log records. The content of a log record can include: the date and time of visitor 1's access (e.g. 2009-02-16, 09:53:00), the access method, the name of the accessed website (e.g. website A), the IP address of the accessed website (e.g. 10.1.1.1), the accessed resource (e.g. GET /enterprise icon), visitor 1's IP address (e.g. 111.111.111.111), visitor 1's browser parameters, and visitor 1's network address (e.g. http://www.fangwenzhe1.com).
The visitor information extraction unit of the website A server extracts visitor 1's network address (e.g. http://www.fangwenzhe1.com) from the resource access information. The visitor information comparison unit compares the extracted network address of visitor 1, http://www.fangwenzhe1.com, for consistency with the network addresses pre-stored in Table 1. The result is inconsistent, so the extracted network address of visitor 1, http://www.fangwenzhe1.com, is output. Because visitor 1's network address is not in the whitelist, it is one of the suspected fake websites. The output network address of visitor 1 can serve as the basic information for further judging whether it is a fake website.
By collecting access logs and extracting and comparing visitor information, the embodiment quickly narrows the range of suspected counterfeit network addresses, so that fake websites can then be found within a small set of visitor information. The invention greatly increases the speed at which fake websites are discovered and reduces the risk of user information being misused and account funds being stolen.
Embodiment 2
As shown in Fig. 3, the fake website detection device of this embodiment comprises: a log information acquiring unit 101 for obtaining the website's resource access information from the website's log records; a visitor information extraction unit 102 for extracting visitor information from the resource access information; a visitor information comparison unit 103 for comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information; a visitor information storage unit 104 for storing visitor information; and a fake website judging unit 105 for obtaining the content of the visitor's website according to the extracted visitor network address and, if that content meets the conditions of a fake website, confirming that the visitor's website is a fake website. The fake website detection device of this embodiment can be a server, a PC or another kind of computer equipment.
As shown in Fig. 4, the visitor information comparison unit 103 comprises: a network address comparison module 1031 for comparing the extracted visitor network address for consistency with the pre-stored visitor network addresses; and a network address output module 1032 for outputting an extracted visitor network address that is inconsistent with the pre-stored visitor network addresses.
As shown in Fig. 5, the visitor information storage unit 104 comprises: a legitimate visitor information storage module 1041 for storing the network addresses of legitimate visitors; and an illegitimate visitor information storage module 1042 for storing the network addresses of fake websites that have been confirmed.
This embodiment is now described in detail with reference to Fig. 7:
Website A is a legitimate transaction website, and the website A server provides its visitors with a web interface that contains the enterprise icon. The website A server also stores a whitelist of legitimate visitors and a blacklist of illegitimate visitors that have been confirmed as fake websites. The whitelist can include the visitor's name, the visitor's network address and/or the visitor's IP address, and so on; the whitelist of Table 1 is an example. The blacklist can likewise include the visitor's name, the visitor's network address and/or the visitor's IP address, and so on. Table 2 is an example of such a blacklist.
Table 2
When visitor 1 accesses the web page icon of website A, the access log of the website A server records the information about this access. The log information acquiring unit of the website A server obtains website A's resource access information from website A's log records. The content of a log record can include: the date and time of visitor 1's access (e.g. 2009-02-16, 09:53:00), the access method, the name of the accessed website (e.g. website A), the IP address of the accessed website (e.g. 10.1.1.1), the accessed resource (e.g. GET /enterprise icon), visitor 1's IP address (e.g. 111.111.111.111), visitor 1's browser parameters, and visitor 1's network address (e.g. http://www.fangwenzhe1.com).
The visitor information extraction unit of the website A server extracts visitor 1's network address (e.g. http://www.fangwenzhe1.com) from the resource access information. The visitor information comparison unit compares the extracted network address of visitor 1, http://www.fangwenzhe1.com, for consistency with the network addresses pre-stored in Table 1 and Table 2. The result is inconsistent, so the extracted network address of visitor 1, http://www.fangwenzhe1.com, is output. Because visitor 1's network address is in neither the whitelist nor the blacklist, it is one of the suspected fake websites. The output network address of visitor 1 can serve as the basic information for further judging whether it is a fake website. If the comparison shows that visitor 1's network address http://www.fangwenzhe1.com is consistent with a network address pre-stored in Table 1, the access is legitimate. If the comparison shows that visitor 1's network address http://www.fangwenzhe1.com is consistent with a network address pre-stored in Table 2, the fake website has already been recorded and is still in operation.
The fake website judging unit of the website A server obtains the content of visitor 1's website according to the extracted visitor network address http://www.fangwenzhe1.com and, if that content meets the conditions of a fake website, confirms that visitor 1's website is a fake website. The conditions of a fake website can include: (1) the website content is identical or similar to the content of the counterfeited party's website, and the purpose is to steal user information; (2) the website content is likely to mislead visitors, the domain name used is identical or similar to the domain name used by the counterfeited party, and the purpose is to steal user information; (3) the website content is likely to mislead visitors, the domain name used by the website is the counterfeited party's trade name, logo or other content that corresponds closely to the counterfeited party, and the purpose is to steal user information.
By collecting access logs and extracting and comparing visitor information, the embodiment quickly narrows the range of suspected counterfeit network addresses, and it determines the fake websites by checking the visitor information against the fake website conditions. The invention greatly increases the speed at which fake websites are discovered and reduces the risk of user information being misused and account funds being stolen.
Embodiment 3
This embodiment is now described in detail with reference to Fig. 8:
Website A is a legitimate transaction website, and the website A server provides its visitors with a web interface that contains a user information input box. The website A server also stores a whitelist of legitimate visitors and a blacklist of illegitimate visitors that have been confirmed as fake websites. The whitelist can include the visitor's name, the visitor's network address and/or the visitor's IP address, and so on.
A client visits the payment page of website X. The payment page of website X directs the user to access the user input box resource of the counterfeited website A, which leaves an access log entry on the counterfeited website A.
As shown in Fig. 8, the administrator of the counterfeited website A collects the access log and extracts the content of the key fields in the access log (e.g. the IP address 111.111.111.111 of website X). The log information acquiring unit of the website A server obtains website A's resource access information from website A's log records. The content of a log record can include: the date and time of website X's access (e.g. 2009-02-16, 09:53:00), the access method, the name of the accessed website (e.g. website A), the IP address of the accessed website (e.g. 10.1.1.1), the accessed resource (e.g. GET /enterprise icon), the IP address of website X (e.g. 111.111.111.111), the browser parameters of website X, and the network address of website X (e.g. http://www.fangwenzhe1.com).
The visitor information extraction unit of the website A server extracts the IP address of website X (e.g. 111.111.111.111) from the resource access information. The visitor information comparison unit compares the extracted IP address of website X (e.g. 111.111.111.111) for consistency with the pre-stored IP addresses. The result is inconsistent, so the extracted IP address of website X (e.g. 111.111.111.111) is output. The output IP address of website X (e.g. 111.111.111.111) can serve as the basic information for further judging whether it is a fake website. The fake website judging unit of the website A server fetches the content of website X according to the output IP address of website X (e.g. 111.111.111.111) and, if that content meets the conditions of a fake website, confirms that website X is a fake website. The conditions of a fake website can include: (1) the website content is identical or similar to the content of the counterfeited party's website, and the purpose is to steal user information; (2) the website content is likely to mislead visitors, the domain name used is identical or similar to the domain name used by the counterfeited party, and the purpose is to steal user information; (3) the website content is likely to mislead visitors, the domain name used by the website is the counterfeited party's trade name, logo or other content that corresponds closely to the counterfeited party, and the purpose is to steal user information.
By collecting access logs and extracting and comparing visitor information, the embodiment quickly narrows the range of suspected counterfeit network addresses, and it determines the fake websites by checking the visitor information against the fake website conditions. The invention greatly increases the speed at which fake websites are discovered and reduces the risk of user information being misused and account funds being stolen.
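Steps S101 to S103, together with the blacklist of Embodiment 2 and the IP-address comparison of Embodiment 3, can be implemented as follows. This is an added example, not code from the patent: the "combined" log format, the use of the HTTP Referer field as the visitor's network address, the sample log lines and the whitelist and blacklist entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the web server writes Apache/Nginx "combined" format; the patent
# names no log format. The referrer field stands in for "visitor's network address".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<resource>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log. Only the first line's IP and visitor address come from
# the page's example; every other value is made up for this illustration.
SAMPLE_LOG = '''\
111.111.111.111 - - [16/Feb/2009:09:53:00 +0800] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://www.fangwenzhe1.com/" "Mozilla/4.0"
203.0.113.7 - - [16/Feb/2009:09:53:02 +0800] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://www.website-a.example/index.html" "Mozilla/4.0"
203.0.113.9 - - [16/Feb/2009:09:54:10 +0800] "GET /login/input-frame.html HTTP/1.1" 200 812 "http://WWW.FANGWENZHE1.COM:80/pay" "Mozilla/4.0"
198.51.100.4 - - [16/Feb/2009:09:55:41 +0800] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://known-fake.example/bank" "Mozilla/4.0"
198.51.100.5 - - [16/Feb/2009:09:56:03 +0800] "GET /images/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
this line is truncated and does not parse
'''
WHITELIST = {"www.website-a.example"}  # hypothetical legitimate visitors (Table 1)
BLACKLIST = {"known-fake.example"}     # hypothetical confirmed fake sites (Table 2)


def parse_line(line):
    """Step S101: turn one log line into resource access information."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def visitor_key(record, field):
    """Step S102: extract the visitor information used for the comparison."""
    if field == "ip":
        return record["ip"]
    try:
        # .hostname lower-cases the host and drops port, path and credentials,
        # so trivially different spellings of one site compare equal.
        host = urlsplit(record["referrer"]).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def _bucket():
    return defaultdict(lambda: {"hits": 0, "ips": set(), "resources": set()})


def detect(log_text, whitelist, blacklist, field="host"):
    """Step S103: compare with the pre-stored lists and output what matches neither."""
    suspect, known_fake, skipped = _bucket(), _bucket(), 0
    for line in log_text.splitlines():
        record = parse_line(line)
        key = visitor_key(record, field) if record else None
        if key is None:
            skipped += 1   # unparsable line, or no visitor address recorded
            continue
        if key in whitelist:
            continue       # consistent with Table 1: legitimate access
        # Consistent with Table 2: a recorded fake site that is still operating.
        # Consistent with neither: a suspect to hand to the content check.
        entry = (known_fake if key in blacklist else suspect)[key]
        entry["hits"] += 1
        entry["ips"].add(record["ip"])
        entry["resources"].add(record["resource"])
    return {"suspect": dict(suspect), "known_fake": dict(known_fake),
            "skipped": skipped}


if __name__ == "__main__":
    for name, info in detect(SAMPLE_LOG, WHITELIST, BLACKLIST)["suspect"].items():
        print(name, info["hits"], sorted(info["resources"]))
```

Requests that arrive without a referrer are counted under `skipped` rather than dropped silently, because a high share of such requests means the network-address comparison covers less of the traffic and the IP comparison (`field="ip"`) has to carry more of the detection.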
The above are only preferred embodiments of the invention and do not thereby limit the scope of its claims; any equivalent structural change made using the content of the specification and drawings of the invention likewise falls within the scope of the invention.

Claims (14)

1. A method for detecting fake websites, characterized in that the method comprises the following steps:
obtaining the website's resource access information from the website's log records;
extracting visitor information from the resource access information;
comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information.
2. The method of claim 1, characterized in that the resource access information comprises: the visitor's IP address, the visitor's network address and/or the content of the accessed resource.
3. The method of claim 2, characterized in that the visitor information comprises: the visitor's IP address or the visitor's network address.
4. The method of claim 3, characterized in that comparing the extracted visitor information for consistency with the pre-stored visitor information comprises: comparing the extracted visitor network address for consistency with the pre-stored visitor network addresses.
5. The method of claim 4, characterized in that, if the extracted visitor network address is inconsistent with the pre-stored visitor network addresses, the extracted visitor network address is output; and
the content of the visitor's website is obtained according to the extracted visitor network address and, if that content meets the conditions of a fake website, the visitor's website is confirmed to be a fake website.
6. The method of claim 5, characterized in that the network address confirmed as a fake website is stored as pre-stored visitor information.
7. The method of claim 1, characterized in that the pre-stored visitor information comprises: the network addresses of legitimate visitors and/or the network addresses of confirmed fake websites.
8. A fake website detection device, characterized in that the device comprises:
a log information acquiring unit for obtaining the website's resource access information from the website's log records;
a visitor information extraction unit for extracting visitor information from the resource access information;
a visitor information comparison unit for comparing the extracted visitor information for consistency with pre-stored visitor information and, if they are inconsistent, outputting the extracted visitor information.
9. The device of claim 8, characterized in that the resource access information comprises: the visitor's IP address, the visitor's network address and/or the content of the accessed resource.
10. The device of claim 9, characterized in that the visitor information comprises: the visitor's IP address or the visitor's network address.
11. The device of claim 10, characterized in that the visitor information comparison unit comprises: a network address comparison module for comparing the extracted visitor network address for consistency with the pre-stored visitor network addresses;
a network address output module for outputting an extracted visitor network address that is inconsistent with the pre-stored visitor network addresses.
12. The device of claim 11, characterized in that the device comprises: a fake website judging unit for obtaining the content of the visitor's website according to the extracted visitor network address and, if that content meets the conditions of a fake website, confirming that the visitor's website is a fake website.
13. The device of claim 8 or 12, characterized in that the device comprises: a visitor information storage unit for storing visitor information.
14. The device of claim 13, characterized in that the visitor information storage unit comprises: a legitimate visitor information storage module for storing the network addresses of legitimate visitors;
an illegitimate visitor information storage module for storing the network addresses of confirmed fake websites.
Application number: CN200910083086A
Priority date: 2009-04-30
Filing date: 2009-04-30
Title: Detecting method for sham websites and device thereof
Status: Pending
Publication: CN101539936A (en), published 2009-09-23
Family ID: 41123125
Country: CN


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090923