CN103036896A - Method and system for testing malicious links - Google Patents

Method and system for testing malicious links Download PDF

Info

Publication number
CN103036896A
Authority
CN
China
Prior art keywords
malice
link
host name
embedded
malicious websites
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012105601655A
Other languages
Chinese (zh)
Other versions
CN103036896B (en)
Inventor
李晓波
刘起
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210560165.5A (granted as CN103036896B)
Publication of CN103036896A
Priority to PCT/CN2013/090104 (published as WO2014094653A1)
Application granted
Publication of CN103036896B
Legal status: Active
Anticipated expiration


Abstract

The invention discloses a method and system for detecting malicious links. The method comprises: performing malicious-behavior detection on suspicious links, and performing malicious-behavior detection on the embedded links of each link found to be malicious; assessing a malice value for each malicious link and for the malicious website host name associated with each malicious link, and updating the malice values of the related malicious links or host names as new malicious links are detected; filtering out a set of dangerous malicious website host names and a set of dangerous malicious links; notifying a client device of the dangerous host name set and the dangerous link set; obtaining new suspicious links from the client device; and performing malicious-behavior detection on the new suspicious links. The embedded links of a malicious or suspicious link are the other links that are automatically executed when the malicious or suspicious link is visited.

Description

Method and system for detecting malicious links
Technical field
The present invention relates to the field of network security, and in particular to a method and system for detecting malicious links.
Background
With the development of the Internet, the attack patterns of computer malware emerge in an endless stream. The techniques used in trojan-planting (挂马, drive-by download) attacks are varied. For example, SQL (Structured Query Language) injection, scanning for sensitive website files, server vulnerabilities and 0-day vulnerabilities in website software are used to obtain a webmaster account and log in to the website back end, and a webshell (a web intrusion script tool) is then obtained through a database backup/restore or an upload vulnerability. The webshell is used to modify the content of the website's pages, adding malicious redirection code to them. Alternatively, a server or website FTP (File Transfer Protocol) account is obtained directly through a weak password, and the pages are then modified directly. When a page into which malicious code has been inserted is visited, the redirection target is accessed automatically or a trojan is downloaded. In a complete defense system against trojan-planting attacks, the collection of malicious URLs (Uniform Resource Locators) is a very important link: how completely and how quickly malicious URLs can be collected determines whether antivirus software cleans up trojan-planting websites in time and effectively.

In one existing scheme for detecting trojan-planting websites, an anti-trojan-planting spider takes the high-risk websites collected after vulnerability scans as seeds and starts crawling from them; it performs link analysis on the newly discovered pages to extract new URLs, downloads those URLs, and submits the downloaded content to a trojan-planting recognition system. For such a seed-crawl detection system, the seed pages are merely high-risk websites and not necessarily websites on which trojans have actually been planted, so trojan-planting websites cannot be detected quickly and coverage is also incomplete.

In another existing scheme, the detection system discovers high-risk websites through probing by client software; after the discovered data is fed back to a spider system, the spider system downloads the pages and submits them to a subsequent analysis system. For such a client-probing detection system, because the malicious attack code embedded by the attacker after an intrusion may stop at any time, the malicious behavior often cannot be detected, the attacked web address then cannot be passed back to the server-side detection system, and the detection technique is comparatively passive. This scheme therefore also cannot discover trojan-planting websites quickly or detect as many of them as possible.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a system for detecting malicious links, and a corresponding method, which overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a system for detecting malicious links is provided, comprising a server-side device and a client device.
The server-side device comprises a network security management device, and the client device comprises a detection device. A malicious link is the link address of a malicious network resource on the Internet.
The detection device comprises: a second behavior detector, configured to detect suspicious behavior of network resources and to transfer the detected suspicious links to the server-side device for further detection; a second acquirer, configured to obtain the dangerous malicious website host name set and the dangerous malicious link set that the server-side device determines on the basis of the suspicious links provided by the second behavior detector, where the dangerous malicious website host name set is the set of malicious website host names, filtered out by the server-side device, whose malice value is higher than a first preset threshold, and the dangerous malicious link set is the set of malicious links under the remaining malicious website host names (those outside the dangerous host name set) whose malice value is higher than a second preset threshold; and a second link detector, configured to detect new suspicious links according to the dangerous host name set and dangerous link set obtained by the second acquirer, and to transfer the new suspicious links to the server-side device for detection and for updating the related malice values, where the embedded links of a new suspicious link hit the dangerous host name set or the dangerous link set.
The network security management device comprises: a first behavior detector, configured at least to perform malicious-behavior detection on the suspicious links detected by the client device, to detect whether they are malicious links, and to perform malicious-behavior detection on the embedded links of each detected malicious link, thereby detecting the embedded malicious links of that malicious link; a first behavior evaluator, configured at least to assess a malice value for each malicious link, and for the malicious website host name associated with each malicious link, according to the embedding relationships between the malicious links detected by the first behavior detector, and to update the malice values of the related malicious links or host names according to new malicious links detected by the first behavior detector; a first filter, configured to filter out, according to the assessment results of the first behavior evaluator, the dangerous malicious website host name set whose malice values are higher than the first preset threshold and the dangerous malicious link set of links under the remaining host names whose malice values are higher than the second preset threshold, and to notify the client device of the dangerous host name set and the dangerous link set; and a first acquirer, configured to obtain the new suspicious links detected by the client device on the basis of the dangerous host name set and the dangerous link set, and to transfer them to the first behavior detector for detection, where the embedded links of a new suspicious link hit the dangerous host name set or the dangerous link set.
Optionally, the malicious link whose malice value is to be assessed is called the target malicious link, the embedded malicious links of the target malicious link are called the embedded malicious links of that target, and the malicious out-link count of each embedded malicious link is the total number of malicious links that have that embedded malicious link as an embedded link. The first behavior evaluator comprises: a first identification module, configured to identify, according to the embedding relationships between the malicious links, all embedded malicious links of the target malicious link and the malicious out-link count of each embedded malicious link; and a first evaluation module, configured to assess the malice value of the target malicious link according to the latest malice value of each embedded malicious link of the target identified by the first identification module and the malicious out-link count of each embedded malicious link.
Optionally, the malicious website host name whose malice value is to be assessed is called the target malicious website host name; the malicious website host names to which the embedded malicious links of each malicious link under the target host name belong are the associated malicious website host names that have an association relationship with the target host name; and the malicious out-link count of each associated host name is the sum of the malicious out-link counts of all malicious links under that associated host name. The first evaluator comprises: a second identification module, configured to identify, according to the embedding relationships between the malicious links, the associated host names of the target host name and the malicious out-link count of each associated host name; and a second evaluation module, configured to assess the malice value of the target host name according to the latest malice value of each associated host name and the malicious out-link count of each associated host name.
Optionally, the first evaluation module is further configured to obtain the malice value of each target malicious link by multiple rounds of iteration, setting an initial malice value for each target malicious link in the first round; the second evaluation module is further configured to obtain the malice value of each target host name by multiple rounds of iteration, setting an initial malice value for each target host name in the first round.
Optionally, the embedded links of a malicious or suspicious link comprise the other links that are automatically executed when the malicious or suspicious link is visited.
Optionally, the embedded links of a new suspicious link hitting the dangerous host name set or the dangerous link set comprises: the website host name of at least one embedded link of the new suspicious link is a host name in the dangerous host name set; or at least one embedded link of the new suspicious link is a link in the dangerous link set.
Optionally, the first behavior detector is specifically a trojan-planting behavior detector, the malicious-behavior detection is specifically trojan-planting behavior detection, the malicious link is specifically a malicious trojan-planting link, and the embedded malicious links of a malicious link are specifically the embedded malicious trojan-planting links of a malicious trojan-planting link.
According to another aspect of the present invention, a method for detecting malicious links is provided, a malicious link being the link address of any malicious network resource on the Internet. The method comprises: performing malicious-behavior detection at least on the suspicious links detected by a client device, to detect whether they are malicious links, and performing malicious-behavior detection on the embedded links of each detected malicious link, thereby detecting the embedded malicious links of that malicious link; assessing, at least according to the embedding relationships between the malicious links, a malice value for each malicious link and for the malicious website host name associated with each malicious link, and updating the malice values of the related malicious links or host names according to newly detected malicious links; filtering out the dangerous malicious website host name set whose malice values are higher than a first preset threshold and the dangerous malicious link set of links under the remaining host names whose malice values are higher than a second preset threshold, and notifying the client device of the dangerous host name set and the dangerous link set; and obtaining the new suspicious links detected by the client device on the basis of the dangerous host name set and the dangerous link set, and performing malicious-behavior detection on them, where the embedded links of a new suspicious link hit the dangerous host name set or the dangerous link set. The embedded links of a malicious or suspicious link comprise the other links that are automatically executed when the malicious or suspicious link is visited.
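The filtering step and the client-side hit test of the method above, as an added Python example (this is not code from the patent). The host names, malice values, thresholds and the client's observed links are constructed for illustration, and the function names are the example's own. The server-side filter applies the two thresholds in the order the method states (host names first, then links under the remaining host names only), and the client test reports a visited link as a new suspicious link when any link auto-loaded during the visit has a dangerous host name or is itself a dangerous link.

```python
from urllib.parse import urlsplit

# Constructed malice values as the first behavior evaluator might report them
# (hypothetical host names and paths, not from the patent).
HOST_MALICE = {
    "evil-host.example": 0.92,
    "shared-cdn.example": 0.40,
    "quiet-site.example": 0.10,
}
LINK_MALICE = {
    "hxxp://evil-host.example/a.html": 0.95,
    "hxxp://shared-cdn.example/lib/loader.js": 0.83,
    "hxxp://shared-cdn.example/img/logo.png": 0.05,
    "hxxp://quiet-site.example/index.html": 0.30,
}


def host_of(link):
    """Website host name of a link: lower-cased, port stripped."""
    return (urlsplit(link).hostname or "").lower()


def build_danger_sets(host_malice, link_malice, host_threshold, link_threshold):
    """Server-side filter (first filter 118). Host names whose malice value is
    higher than the first threshold form the dangerous host name set; links under
    the *remaining* host names whose malice value is higher than the second
    threshold form the dangerous link set (links under a dangerous host are
    already covered by the host entry, so they are not listed again)."""
    dangerous_hosts = {h.lower() for h, v in host_malice.items() if v > host_threshold}
    dangerous_links = {
        link for link, v in link_malice.items()
        if host_of(link) not in dangerous_hosts and v > link_threshold
    }
    return dangerous_hosts, dangerous_links


def first_hit(embedded_links, dangerous_hosts, dangerous_links):
    """Client-side hit test (second link detector 216): an embedded link hits if
    its host name is in the dangerous host name set or the link itself is in the
    dangerous link set. Returns the first hitting embedded link, or None."""
    for link in embedded_links:
        if host_of(link) in dangerous_hosts or link in dangerous_links:
            return link
    return None


def new_suspicious_links(observed, dangerous_hosts, dangerous_links):
    """observed: {visited link: [links auto-loaded during the visit]} as recorded
    by the client. Returns {visited link: hitting embedded link} for every visited
    link the client should report to the server as a new suspicious link."""
    report = {}
    for link, embedded in observed.items():
        hit = first_hit(embedded, dangerous_hosts, dangerous_links)
        if hit is not None:
            report[link] = hit
    return report


if __name__ == "__main__":
    hosts, links = build_danger_sets(HOST_MALICE, LINK_MALICE, 0.5, 0.5)
    # Constructed client observations (hypothetical URLs); the upper-case host
    # shows why host names are normalised before comparison.
    observed = {
        "hxxp://news.example/story.html": ["hxxp://cdn.example/ad.js",
                                           "hxxp://EVIL-host.example/drop.exe"],
        "hxxp://blog.example/post.html": ["hxxp://shared-cdn.example/lib/loader.js"],
        "hxxp://shop.example/cart.html": ["hxxp://shared-cdn.example/img/logo.png"],
    }
    for link, hit in new_suspicious_links(observed, hosts, links).items():
        print(f"report {link}  (embedded link hit: {hit})")
```

With both thresholds at 0.5 the dangerous host name set is {evil-host.example} and the dangerous link set contains only the loader script under shared-cdn.example; the logo under the same host and the link under quiet-site.example fall below the second threshold, so only the first two visited links are reported.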
With the system and method for detecting malicious links of the present invention, more suspicious links and malicious links can be detected quickly. This solves the technical problem in the prior art that as many malicious links as possible cannot be detected quickly, and achieves the beneficial effect of quickly detecting a large number of malicious links.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered as limiting the present invention. The same reference symbols denote the same parts throughout the drawings. In the drawings:
Fig. 1 shows a schematic diagram of a system for detecting malicious links according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of the embedding relationships between malicious links according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the association relationships between malicious website host names according to an embodiment of the invention;
Fig. 4 shows a flow chart of a method for detecting malicious links according to an embodiment of the invention; and
Fig. 5 shows a flow chart of a detection method for detecting malicious links according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Embodiments of the invention may be applied to a computer system/server, which can operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
The computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on, which perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment, where tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computer system storage media including memory storage devices.
Referring to Fig. 1, which shows a schematic diagram of a system for detecting malicious links according to an embodiment of the invention, the system comprises a server-side device 100 and a client device 200. The server-side device comprises at least a network security management device 110 for detecting malicious links; specifically, the network security management device 110 comprises a first behavior detector 112, a first behavior evaluator 114, a first acquirer 116 and a first filter 118. The client device comprises at least a detection device 210 for detecting malicious links; specifically, the detection device 210 comprises a second behavior detector 212, a second acquirer 214 and a second link detector 216.
First, the second behavior detector 212 in the client-side detection device 210 detects suspicious behavior of network resources; network resources include, but are not limited to, web pages, video and audio on the Internet. The client side maintains a suspicious-behavior feature database in advance, which records the features of certain suspicious behaviors (features of suspicious program behavior), including but not limited to: calling certain specific system functions while a web page is being accessed, loading certain specific code for execution, allocating suspicious memory, storing files in suspicious locations, or producing a memory overflow. These suspicious behaviors may be summarized by the client-side detection device 210 from the feature values of past historical data, or may be feature values or program behaviors obtained from the server side; the specific content of the suspicious behaviors can be updated continually and their variety enriched continually. The server side can perform machine learning using methods such as decision trees, Bayesian algorithms and neural network computation, or using simple threshold analysis. The various suspicious behaviors that the client side learns of by any means, and the various means of detecting them, are all applicable in embodiments of the present invention, and the present invention is not limited in this respect.
When the client side accesses a network resource at some link address, the second behavior detector 212 monitors and detects the behavior of the current access process according to the known suspicious-behavior feature database. Because the client side holds the user's private documents and the client's computing and analysis capacity is limited, after the second behavior detector 212 detects suspicious behavior it generally intercepts it (usually after obtaining the user's consent) and does not allow the current operation to continue, so that the harm does not actually occur. For example, if the web page link currently being accessed is detected calling a suspicious system function, the client will generally not allow the call to continue; it therefore cannot know which programs would have been executed or which files downloaded after the suspicious function had completed, and so cannot accurately judge whether the link really is a malicious link. It can only classify it as a suspicious link and report it to the network security management device 110 on the server side for further detection and confirmation. The server side and the client side work together in a feedback loop, and multiple server clusters are kept in parallel to process the tasks.
After the first behavior detector 112 of the network security management device 110 receives the suspicious link information from the client side, it performs malicious-behavior detection on these suspicious links to detect whether they are malicious links. Specifically, because the server side has much stronger computing and analysis capacity, it has a variety of more advanced and authoritative detection means with which to further confirm suspicious links. For example, without affecting the security of the server side's overall network environment, the whole process of accessing or downloading a suspicious link can be completed in a running environment such as a virtual machine, letting the program run to completion (for example completing the call to the suspicious system function, loading the suspect code, or allocating the suspicious memory space), so that the detector can observe exactly which code and which files were downloaded and what the suspicious system function call did during the whole access or download; it can even go on to execute the code the program downloaded and run the various downloaded files. Together with the more powerful feature database on the network side, this determines more accurately whether the link really is a malicious link. As another example, the server side's malicious feature database and black/white lists, which are updated more promptly and comprehensively than the client's, can also be used to further confirm the suspicious links reported by the client. It should be noted that the server side has more powerful and more timely detection means and resources than the client side; therefore any existing or future server-side technique for confirming whether a suspicious link is a malicious link is applicable to the present invention, and the present invention is not limited in this respect.
After the suspicious links reported by the client side have been further detected by the server side's first behavior detector 112, all of them may be found to be real malicious links, but some may also be found not to be. The main purpose of the first behavior detector 112 is therefore to pick out the real malicious links from the suspicious links reported by the client side, for use in subsequent operations.
After the first behavior detector 112 detects a malicious link, it further performs malicious-behavior detection on the embedded links of that malicious link, detecting the embedded malicious links of that malicious link. The embedded links of a malicious link may be the other links that are automatically executed, that is, automatically redirected to and accessed, while the malicious link is being accessed and executed. Specifically, the first behavior detector 112 monitors the network port; after a malicious link has been accessed, it learns from the data provided by the network port which other links were automatically opened (or accessed) while the malicious link was being accessed, and those other links are the embedded links of the malicious link. The first behavior detector 112 can then access and execute these embedded links in turn, to judge which of them are malicious links. By the above operations, the first behavior detector 112 detects a number of malicious links and the embedding relationships between them.
For example, the first behavior detector 112 first detects that a certain link A is a malicious link:
Link A: hxxp://www.cqcmc.cn/xxx/xxx/list_5.html
At the same time, by examining the access records from monitoring the network port, it finds that while malicious link A is being accessed, link B is automatically accessed (in other words, the content at link B is automatically downloaded):
Link B: hxxp://vma.jkub.com:xx/3/maay.htm
It can thus be determined that link B is an embedded link of link A, and the first behavior detector 112 then uses the various detection means described above to detect whether link B is a malicious link; if so, link B is determined to be an embedded malicious link of malicious link A. By analogy, in this way the first behavior detector 112 can detect a number of malicious links and their embedded malicious links, and thereby also learns the embedding relationships between the malicious links.
In one embodiment, after the first behavior detector 112 has detected each malicious link and the embedding relationships between them, the first behavior evaluator 114 assesses a malice value for each malicious link according to the embedding relationships between the malicious links provided by the first behavior detector 112. For convenience, the malicious link whose malice value is to be assessed is called the target malicious link, the embedded malicious links of the target malicious link are called the embedded malicious links of that target, and the malicious out-link count of each embedded malicious link is the total number of malicious links that have that embedded malicious link as an embedded link.
Take Fig. 2 as an example; it shows a schematic of the link relationships used when assessing the malice value of a malicious link. Suppose that malicious link A in the figure is the target malicious link whose malice value is to be assessed. According to the first behavior detector 112, malicious link A has three embedded malicious links, namely links B, C and D, all of which are malicious links detected and confirmed by the first behavior detector 112. It can also be seen from the figure that link E is in fact also an embedded link of malicious link A, but because link E is not a malicious link it is not taken into account when assessing the malice value of target malicious link A.
In addition, suppose that accessing link A automatically redirects to and executes link F, but link F and link A belong to the same website, for example the domain names of the two links are identical. Then, when assessing the malice value of target malicious link A, link F is not considered regardless of whether it is malicious. That is, when assessing the malice value of a malicious link, only embedding relationships between different websites are considered, and embedding relationships between links within the same website are not. In other words, the embedded malicious links of a target malicious link are defined as the embedded malicious links that belong to other websites. Although the embedded malicious links of the same website are not used in calculating the malice value of the target malicious link, it is still worth analyzing further whether such an embedded malicious link itself embeds malicious links of other websites; that is, an embedded same-site malicious link of the target can be analyzed as a new target malicious link and its malice value assessed. It should be noted that, in certain special application scenarios, it is not entirely excluded that the embedded malicious links of a target malicious link need not be restricted to other websites, and that embedded malicious links of the same website also take part in calculating the malice value of the target malicious link; in that case the embedded malicious links of the target malicious link include those of other websites and possibly those of the same website. Both of the above schemes may be adopted according to the practical application scenario, and both fall within the protection scope of the present invention.
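How the first behavior detector's access records turn into the embedding relationships and malicious out-link counts described above, as an added Python example that is not part of the patent. The access records (visited link, link auto-loaded during the visit), the host names and the set of links already confirmed malicious are constructed to mirror Fig. 2, and the function names are the example's own. The default path applies the rule just described: non-malicious embedded links are dropped, same-site embedded malicious links are kept out of the target's count and queued as new targets of their own; the alternative where same-site links are counted is available through a flag.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed access records, in the form the first behavior detector 112 would
# derive from monitoring the network port. Host names are placeholders, not the
# patent's. Shape mirrors Fig. 2: B is embedded by A, G, H, I; C by A, J, K;
# D by A only; E is embedded by A but not malicious; F is on A's own site.
RECORDS = [
    ("hxxp://site-a.example/list.html", "hxxp://site-b.example/b.htm"),
    ("hxxp://site-a.example/list.html", "hxxp://site-c.example/c.js"),
    ("hxxp://site-a.example/list.html", "hxxp://site-d.example/d.swf"),
    ("hxxp://site-a.example/list.html", "hxxp://site-e.example/e.png"),   # E: not malicious
    ("hxxp://site-a.example/list.html", "hxxp://site-a.example/f.html"),  # F: same site as A
    ("hxxp://site-g.example/g.html", "hxxp://site-b.example/b.htm"),
    ("hxxp://site-h.example/h.html", "hxxp://site-b.example/b.htm"),
    ("hxxp://site-i.example/i.html", "hxxp://site-b.example/b.htm"),
    ("hxxp://site-j.example/j.html", "hxxp://site-c.example/c.js"),
    ("hxxp://site-k.example/k.html", "hxxp://site-c.example/c.js"),
]
# Links the server-side detector has confirmed malicious (constructed): every
# link above except E.
MALICIOUS = {u for rec in RECORDS for u in rec} - {"hxxp://site-e.example/e.png"}


def host_of(link):
    """Website host name of a link, lower-cased; used for the same-site rule."""
    return (urlsplit(link).hostname or "").lower()


def embedded_malicious(records, malicious, cross_site_only=True):
    """Return (embeds, same_site_queue).
    embeds maps each target malicious link to the set of embedded malicious links
    that count towards its malice value. Embedded links that are not confirmed
    malicious are dropped. With cross_site_only, an embedded malicious link on the
    target's own site is left out of embeds and placed in same_site_queue so it
    can later be analyzed as a target in its own right."""
    embeds = defaultdict(set)
    same_site_queue = set()
    for parent, child in records:
        if parent not in malicious or child not in malicious:
            continue
        if cross_site_only and host_of(child) == host_of(parent):
            same_site_queue.add(child)
        else:
            embeds[parent].add(child)
    return dict(embeds), same_site_queue


def malicious_outlink_counts(embeds):
    """links(X): the number of malicious links that have X as an embedded
    malicious link (what the text calls X's malicious out-link count)."""
    return Counter(x for xs in embeds.values() for x in xs)


if __name__ == "__main__":
    embeds, queue = embedded_malicious(RECORDS, MALICIOUS)
    counts = malicious_outlink_counts(embeds)
    for target, xs in sorted(embeds.items()):
        print(target, "->", ", ".join(f"{x} [links={counts[x]}]" for x in sorted(xs)))
    print("same-site links queued as new targets:", sorted(queue))
```

On the constructed records A's embedded malicious links come out as B, C and D with out-link counts 4, 3 and 1, matching the Fig. 2 walkthrough; E never enters the graph and F is queued rather than counted.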
The malice value of each target malicious link is assessed mainly by the first behavior evaluator 114. Specifically, the first behavior evaluator 114 can comprise a first identification module and a first evaluation module.
First, from the embedding relations between the malicious links provided by the first behavior detector 112, the first identification module identifies all embedded malicious links of the target malicious link and the malicious backlink count of each embedded malicious link (the number of malicious links that embed it). Taking Fig. 2 as an example again, from the information provided by the first behavior detector 112, the first identification module identifies that all embedded malicious links of target malicious link A are malicious links B, C and D. It then counts the malicious backlink count of each embedded malicious link. As can be seen from Fig. 2, malicious link B is not only an embedded malicious link of A but also an embedded malicious link of malicious links G, H and I, so the malicious backlink count of A's embedded malicious link B is 4; likewise, the malicious backlink count of A's embedded malicious link C is 3 (its malicious backlinks are A, J and K), and that of A's embedded malicious link D is 1 (its only malicious backlink is A).
Then the first identification module passes the counted information to the first evaluation module, and the first evaluation module assesses the malice value of the target malicious link from the latest malice value of each embedded malicious link of the target and the malicious backlink count of each embedded malicious link. In one embodiment, the first evaluation module can comprise: a first ratio submodule, configured to obtain, for each embedded malicious link of the target, the ratio of that link's latest malice value to its malicious backlink count; a first accumulation submodule, configured to sum these ratios over all embedded malicious links of the target to obtain a first accumulated value; and a first weighting submodule, configured to multiply the first accumulated value by the first weight and add the second weight, obtaining the malice value of the target malicious link. This is again explained with Fig. 2 as an example.
In one embodiment, the malice value of target malicious link A can be assessed with the following formula:
PR(A) = a + b * (PR(B)/links(B) + PR(C)/links(C) + PR(D)/links(D) + ...)
where PR() denotes the malice value (also called the rank value) of the relevant malicious link, links() denotes the malicious backlink count of the relevant malicious link, a corresponds to the first weight mentioned above, and b corresponds to the second weight. Initially, the malice value of every malicious link can be assigned an initial value. Note that the initial value, the weight a and the weight b can all be set to different values according to the needs of the practical application scenario or experience; the embodiments of the invention impose no restriction on this. In most cases, weights a and b can be constrained to sum to 1, although in some cases a and b may even be set to values without such practical significance. Suppose that in one embodiment a is set to 0.15, b is set to 0.85, and the initial malice value of every malicious link is set to 1.
From the description of the first identification module above, in the embodiment corresponding to Fig. 2, links(B) = 4, links(C) = 3 and links(D) = 1. When the malice value of each malicious link is computed in the first round, the malice values of the relevant malicious links all take the initial value, i.e. PR(B) = 1, PR(C) = 1 and PR(D) = 1, so PR(A) = 0.15 + 0.85 * (1/4 + 1/3 + 1/1) = 1.4958.
Thus, when each target malicious link is computed in the first round, the malice value of malicious link A is 1.4958. In the same way, the first-round malice values of the other malicious links, such as B, C, D and G, can also be assessed.
The first evaluation module can obtain the malice value of each target malicious link through multiple rounds of iteration: in the first round each target malicious link is given the initial malice value, and in each subsequent round the malice values of the relevant malicious links brought into the computation are the results computed in the previous round. After many rounds of iteration, if the amount of malicious-link data and the embedding relations between the malicious links have not been updated, the malice value of each target malicious link tends to a constant, which yields a malice value relatively close to the real one. Once the first behavior detector 112 detects new malicious links, the first behavior evaluator can recompute the malice values of the relevant malicious links promptly or periodically, i.e. update them. A higher malice value indicates that the malicious link is more likely a Trojan-hanging (挂马, i.e. drive-by download injection) link source, which may infect many other links or websites.
In the above embodiment, the first behavior evaluator 114 assesses a malice value for each malicious link according to the embedding relations between the malicious links detected by the first behavior detector 112. In another embodiment of the invention, the first behavior evaluator 114 can also, according to the embedding relations between the malicious links, assess a malice value for the malicious website host name related to each malicious link, and update the malice values of the relevant malicious links or malicious website host names according to the new malicious links detected by the first behavior detector 112.
Specifically, the first behavior evaluator 114 can comprise a second identification module and a second evaluation module. The malicious website host name whose malice value is to be assessed is called the target malicious website host name; the malicious website host names of the other malicious links embedded by each malicious link under the target malicious website host name are the related malicious website host names that have an association relation with the target. How to determine the other malicious links embedded by a given malicious link is described in the previous embodiment and is not repeated here. Refer to Fig. 3, which is a schematic diagram of the association relations between malicious website host names according to an embodiment of the invention. The first behavior evaluator 114 finds that the first behavior detector 112 has detected 4 malicious links under a certain website host name aaa, for example www.aaa.com/a, www.aaa.com/b, www.aaa.com/c and www.aaa.com/d, where www.aaa.com/a has an embedded malicious link www.bbb.com/h, www.aaa.com/c also has an embedded malicious link www.ccc.com/g, and www.aaa.com/b and www.aaa.com/d have no embedded malicious links. Further analysis of the URLs shows that the website host name of the embedded malicious link www.bbb.com/h is bbb and that of the embedded malicious link www.ccc.com/g is ccc; hence the related malicious website host names associated with the target malicious website host name aaa are "bbb" and "ccc".
The malicious backlink count of each related malicious website host name is the sum of the malicious backlink counts of all malicious links under that related host name. For example, suppose the "bbb" website host has 3 malicious links, namely www.bbb.com/h, www.bbb.com/i and www.bbb.com/k. Here www.bbb.com/h is an embedded malicious link of malicious link G (www.aaa.com/a) and of malicious link H, so the malicious backlink count of www.bbb.com/h is 2; likewise the malicious backlink count of www.bbb.com/i is 3 and that of www.bbb.com/k is 0, so the malicious backlink count of the "bbb" website host name is 2 + 3 + 0 = 5. The malicious backlink count of the related malicious website host name ccc associated with malicious website host name aaa can be counted in the same way, for example as 2.
In this way, the second identification module identifies, from the embedding relations between the malicious links, the related malicious website host names of each target malicious website host name and the malicious backlink count of each related host name. The second evaluation module then assesses the malice value of the target malicious website host name from the latest malice value of each related malicious website host name and the malicious backlink count of each related host name.
For example, in one embodiment the second evaluation module can comprise: a second ratio submodule, configured to obtain, for each related malicious website host name of the target, the ratio of that host name's latest malice value to its malicious backlink count; a second accumulation submodule, configured to sum these ratios over all related malicious website host names of the target to obtain a second accumulated value; and a second weighting submodule, configured to multiply the second accumulated value by the third weight and add the fourth weight, obtaining the malice value of the target malicious website host name. The following takes the assessment of malicious website host name aaa in Fig. 3 as an example.
When assessing the malice value of malicious website host name aaa, the following formula can be used:
PR(a) = A + B * (PR(b)/links(b) + PR(c)/links(c) + PR(d)/links(d) + ...)
where PR() denotes the malice value (also called the rank value) of the relevant malicious website host name, links() denotes the malicious backlink count of the relevant malicious website host name, A corresponds to the third weight mentioned above, and B corresponds to the fourth weight. Initially, the malice value of every malicious website host name can be assigned an initial value. Note that the initial value, the weight A and the weight B can all be set to different values according to the needs of the practical application scenario or experience; the embodiments of the invention impose no restriction on this. In most cases, weights A and B can be constrained to sum to 1, although in some cases A and B may even be set to values without such practical significance. Suppose that in one embodiment A is set to 0.15, B is set to 0.85, and the initial malice value of every malicious website host name is set to 1.
From the description of the second identification module above, in the embodiment corresponding to Fig. 3, malicious website host name aaa has two related malicious website host names, bbb and ccc, with links(bbb) = 5 and links(ccc) = 2. When the malice value of each malicious website host name is computed in the first round, the malice values of the related malicious website host names all take the initial value, i.e. PR(bbb) = 1 and PR(ccc) = 1, so
PR(aaa) = 0.15 + 0.85 * (1/5 + 1/2) = 0.745
Thus, when each target malicious website host name is computed in the first round, the malice value of malicious website host name aaa is 0.745; in the same way, the first-round malice values of the other malicious website host names, such as bbb and ccc, can also be assessed. In general, any website host name that has malicious links under it can be called a malicious website host name, and its malice value can then be assessed. If the amount of malicious-link data and the embedding relations between the malicious links are not updated, the malice value of each target malicious website host name tends to a constant after many rounds of iterative computation, yielding a malice value relatively close to the real one. Once the first behavior detector 112 detects new malicious links, the first behavior evaluator can recompute the malice values of the relevant malicious website host names promptly or periodically, i.e. update them. A higher malice value indicates that the malicious website host name is more likely a Trojan-hanging website, which may infect many other websites or links.
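To make both assessment procedures concrete (the link-level computation of Fig. 2 and the host-name-level computation of Fig. 3), here is an added Python example; it is not code from the patent or from any product of the applicant. The Fig. 2 embedding graph is reconstructed from the text, and the extra embedders under the constructed host names hhh, ppp, qqq, rrr and sss are invented so that the backlink counts come out as the text states (links(bbb) = 5, links(ccc) = 2). The host_name() rule (strip a leading www., keep the first label) is a simplifying assumption, not the patent's definition.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed embedding relations reproducing Fig. 2 of the patent:
# each key is a malicious link, its value the other malicious links it embeds.
FIG2_EMBEDS = {
    "A": ["B", "C", "D"],
    "G": ["B"], "H": ["B"], "I": ["B"],   # B is also embedded by G, H, I -> links(B) = 4
    "J": ["C"], "K": ["C"],               # C is also embedded by J, K    -> links(C) = 3
    "B": [], "C": [], "D": [],            # D is embedded only by A       -> links(D) = 1
}

# Constructed embedding relations reproducing Fig. 3. Hosts hhh, ppp, qqq, rrr, sss are
# invented (assumption) so that the backlink counts match the text: links(bbb) = 2 + 3 + 0 = 5,
# links(ccc) = 2.
FIG3_EMBEDS = {
    "www.aaa.com/a": ["www.bbb.com/h"],
    "www.aaa.com/b": [],
    "www.aaa.com/c": ["www.ccc.com/g"],
    "www.aaa.com/d": [],
    "www.hhh.com/h": ["www.bbb.com/h"],   # second embedder of www.bbb.com/h (the text's link H)
    "www.ppp.com/x": ["www.bbb.com/i"],
    "www.qqq.com/y": ["www.bbb.com/i"],
    "www.rrr.com/z": ["www.bbb.com/i"],   # three embedders of www.bbb.com/i
    "www.bbb.com/k": [],                  # nobody embeds www.bbb.com/k
    "www.sss.com/w": ["www.ccc.com/g"],   # second embedder of www.ccc.com/g
}


def all_links(embeds):
    """Every link that appears either as an embedder or as an embedded link."""
    return set(embeds) | {e for embedded in embeds.values() for e in embedded}


def backlink_counts(embeds):
    """links(x): how many malicious links embed x (the patent's malicious backlink count)."""
    counts = defaultdict(int)
    for embedded in embeds.values():
        for e in embedded:
            counts[e] += 1
    return counts


def assess_round(embeds, pr, a=0.15, b=0.85):
    """One round of PR(T) = a + b * sum(PR(X) / links(X)) over the links X embedded by T."""
    links = backlink_counts(embeds)
    return {t: a + b * sum(pr[e] / links[e] for e in embeds.get(t, ()))
            for t in all_links(embeds)}


def assess_links(embeds, rounds=1, a=0.15, b=0.85, initial=1.0, tol=None):
    """Iterate up to `rounds` times from the initial value; stop early once the largest
    change in any malice value drops below `tol` (the 'tends to a constant' condition)."""
    pr = {n: initial for n in all_links(embeds)}
    for _ in range(rounds):
        nxt = assess_round(embeds, pr, a, b)
        delta = max(abs(nxt[n] - pr[n]) for n in pr)
        pr = nxt
        if tol is not None and delta < tol:
            break
    return pr


def host_name(url):
    """Website host name as the text uses it: 'aaa' for www.aaa.com/a or www.aaa.com.cn/XXX.
    Assumption: strip a leading 'www.' and keep the first remaining label."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def host_relations(embeds):
    """Related host names (hosts of cross-site links embedded by the host's own links) and
    the host backlink count (sum of the backlink counts of every link under the host)."""
    links = backlink_counts(embeds)
    related, host_links = defaultdict(set), defaultdict(int)
    for url in all_links(embeds):
        host_links[host_name(url)] += links[url]
    for url, embedded in embeds.items():
        h = host_name(url)
        for e in embedded:
            if host_name(e) != h:          # same-site embedding is not counted
                related[h].add(host_name(e))
    return related, host_links


def assess_hosts(embeds, rounds=1, A=0.15, B=0.85, initial=1.0):
    """PR(h) = A + B * sum(PR(r) / links(r)) over the related host names r of h."""
    related, host_links = host_relations(embeds)
    pr = {h: initial for h in host_links}
    for _ in range(rounds):
        pr = {h: A + B * sum(pr[r] / host_links[r] for r in related[h]) for h in pr}
    return pr


if __name__ == "__main__":
    print("first round PR(A)  :", round(assess_links(FIG2_EMBEDS)["A"], 4))      # 1.4958
    print("first round PR(aaa):", round(assess_hosts(FIG3_EMBEDS)["aaa"], 3))    # 0.745
    print("converged link values:", assess_links(FIG2_EMBEDS, rounds=100, tol=1e-9))
```

Running it with more rounds shows the behaviour the text describes: because each round reuses the previous round's values, the malice values settle to fixed numbers once the embedding graph stops changing, and adding a new malicious link to the dict changes the backlink counts and therefore the values on the next recomputation.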
It should be noted that the first behavior evaluator 114 can assess malice values for malicious links only, for malicious website host names only, or for both malicious links and malicious website host names; all of these schemes fall within the protection scope of the invention. After the first behavior evaluator 114 has assessed the malice value of each malicious link and/or each malicious website host name, the first filter 118 screens out the relevant sets according to the results assessed by the first behavior evaluator 114.
In one embodiment, if the first evaluator 114 has assessed both the malice value of each malicious link and the malice value of each malicious website host name, the first filter 118 screens out the dangerous malicious website host name set, consisting of the host names whose malice value is above a first preset threshold, and the dangerous malicious link set, consisting of the malicious links under the remaining malicious website host names whose malice value is above a second preset threshold. For example, suppose the first evaluator assessed the malice values of 1000 malicious website host names, of which 700 have a malice value above the first preset threshold; the first filter 118 then takes these 700 website host names as the dangerous malicious website host name set, and from all malicious links under the remaining 300 malicious website host names selects those whose malice value is above the second preset threshold, which form the dangerous malicious link set.
In another embodiment, if the first evaluator 114 has assessed only the malice value of each malicious link and not that of each malicious website host name, the first filter 118 can screen out the malicious links whose malice value is above a third preset threshold, and these malicious links form the dangerous malicious link set.
Likewise, in yet another embodiment, if the first evaluator 114 has assessed only the malice value of each malicious website host name and not that of each malicious link, the first filter 118 can screen out the malicious website host names whose malice value is above a fourth preset threshold, and these host names form the dangerous malicious website host name set.
It should be noted that the specific values of the first, second, third and fourth preset thresholds can be set with regard to experience, actual demand indicators and many other factors; the four values may be the same or different, and the embodiments of the invention impose no limits on them. It can be seen that the various sets screened out by the first filter 118 are, in essence, obtained by analyzing and processing the suspicious links reported by the client-side second behavior detector 212.
After the first filter 118 screens out the corresponding sets, it notifies the second acquirer 214 of client device 100 of the dangerous malicious website host name set and/or the dangerous malicious link set. The second acquirer 214 then passes the obtained dangerous malicious website host name set and/or dangerous malicious link set to the second link detector 216, which detects new suspicious links according to these sets. Specifically, the second link detector 216 detects, by monitoring the network port, which other links a subsequent new link embeds (referred to as its embedded links), and compares these embedded links with the contents of the dangerous malicious website host name set and/or the dangerous malicious link set; if a hit is detected, the new link is determined to be a new suspicious link.
For example, the client-side second link detector 216 detects that a new link A has embedded links B, C and D; it then compares the embedded links B, C and D against the link information in the dangerous malicious link set issued by the server end, and if it finds that one of them is also present in the dangerous malicious link set, the second link detector 216 determines link A to be a new suspicious link. As another example, the second link detector 216 detects a new link E whose embedded link is www.aaa.com.cn/XXX; it then compares the host name "aaa" of www.aaa.com.cn/XXX with the information in the dangerous malicious website host name set issued by the server end. If the dangerous website host name set contains the website host name "aaa", the embedded link of new link E hits the dangerous website host name set, so new link E is determined to be a new suspicious link. In other words, the website host name of at least one of the other links embedded by the new suspicious link is a website host name in the dangerous malicious website host name set, or at least one of the other links embedded by the new suspicious link is a link in the dangerous malicious link set.
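The screening rules of the first filter 118 and the client-side hit test of the second link detector 216, as an added Python example that is not code from the patent or from the applicant's products. The malice values, thresholds and URLs are constructed sample data, and host_name() uses a simplified rule (strip a leading www., keep the first label) that is an assumption rather than the patent's definition.

```python
from urllib.parse import urlsplit

# Constructed sample malice values, as the first behavior evaluator might have assessed them.
HOST_SCORES = {"aaa": 0.745, "bbb": 0.9, "ccc": 0.4}
LINK_SCORES = {
    "www.aaa.com/a": 1.49,
    "www.bbb.com/h": 2.0,
    "www.ccc.com/g": 1.2,
    "www.ccc.com/q": 0.3,
}


def host_name(url):
    """'aaa' for www.aaa.com/a or www.aaa.com.cn/XXX (simplifying assumption, see lead-in)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return (host[4:] if host.startswith("www.") else host).split(".")[0]


def screen(link_scores, host_scores, t1, t2):
    """First filter 118 when both link and host malice values were assessed:
    dangerous hosts = hosts with malice value above t1 (first preset threshold);
    dangerous links = links under the *remaining* hosts with malice value above t2
    (second preset threshold)."""
    dangerous_hosts = {h for h, v in host_scores.items() if v > t1}
    dangerous_links = {u for u, v in link_scores.items()
                       if host_name(u) not in dangerous_hosts and v > t2}
    return dangerous_hosts, dangerous_links


def screen_only(scores, threshold):
    """The two single-set embodiments: links above the third preset threshold, or
    host names above the fourth preset threshold."""
    return {k for k, v in scores.items() if v > threshold}


def is_new_suspicious(embedded_links, dangerous_hosts, dangerous_links):
    """Second link detector 216: a new link is suspicious if any link it embeds is itself in
    the dangerous link set, or its host name is in the dangerous host name set."""
    return any(e in dangerous_links or host_name(e) in dangerous_hosts
               for e in embedded_links)


if __name__ == "__main__":
    hosts, links = screen(LINK_SCORES, HOST_SCORES, t1=0.7, t2=1.0)
    print("dangerous hosts:", hosts)          # {'aaa', 'bbb'}
    print("dangerous links:", links)          # {'www.ccc.com/g'}
    # New link E embeds www.aaa.com.cn/XXX: host 'aaa' hits the dangerous host set.
    print("E suspicious:", is_new_suspicious(["www.aaa.com.cn/XXX"], hosts, links))
    print("benign:", is_new_suspicious(["www.zzz.com/index"], hosts, links))
```

Note that www.bbb.com/h is left out of the dangerous link set even though its malice value is the highest: its host bbb is already in the dangerous host set, so the host-level entry covers it, which is exactly why the link set is built only over the remaining hosts.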
This shows that even if client device 200 cannot detect by other means that links A and E exhibit the suspicious behaviors described earlier, these two links can still be determined to be suspicious links through the dangerous malicious link set and/or dangerous malicious website host name set provided by the server end. As mentioned above, the malicious links in the dangerous malicious link set and the malicious website host names in the dangerous malicious website host name set all have high malice values, i.e. they are likely the real sources of infection, such as real Trojan-hanging link sources or Trojan-hanging source website host names, rather than merely infected parties. One infection source usually infects many websites; therefore, by locating the infection source through some of the websites, many other infected websites can then be detected through that source. In this way the number of websites in which client device 200 detects suspicious links is enlarged, the efficiency of detecting suspicious links is improved, and a large amount of information on malicious links or malicious websites can be collected quickly, providing better assurance for network security.
After the second link detector 216 has detected new suspicious links based on the dangerous malicious website host name set and/or the dangerous malicious link set, they are sent to the first acquirer 116 of server end equipment 100, and the first acquirer 116 passes the newly acquired suspicious link information to the first behavior detector 112 for malicious behavior detection. If the first behavior detector 112 confirms a link to be a malicious link, it informs the first behavior evaluator 114. If the first behavior evaluator 114 finds that this malicious link is not yet in the database used to compute the malice values of malicious links or malicious website host names, adding it changes the embedding relations among the existing malicious links, so the first behavior evaluator 114 recomputes the malice values of the relevant malicious links and/or malicious website host names. In this way the malice values of the relevant malicious website host names or malicious links are continually revised as the amount of data grows, bringing them closer to the real situation, so that the malice value reflects more accurately whether a malicious link or malicious website host name is an infection source or an infected party. An infected party here means a website that is itself not at fault but has been infected by a malicious attack from an infection source, such as a normal website on which a Trojan has been hung, as opposed to a real Trojan-hanging source website.
The schemes provided by the embodiments above can be used to detect various kinds of malicious links or malicious websites, such as Trojan-hanging detection; in that case the first behavior detector is specifically a Trojan-hanging behavior detector, malicious behavior detection is specifically Trojan-hanging behavior detection, the malicious links are specifically malicious Trojan-hanging links, and the other malicious links embedded by a malicious link are specifically the other malicious Trojan-hanging links embedded by a malicious Trojan-hanging link. Of course, other viruses similar to Trojan-hanging can also be detected: as long as the virus has the propagation characteristic that one infection source usually infects a batch of normal websites, the various technical schemes of the invention can basically be adopted.
Refer to Fig. 4, which shows a method for detecting malicious links according to an embodiment of the invention, where a malicious link is the link address of a malicious network resource on the Internet. The method can be implemented at the server end.
The method starts at step S410. In step S410, at least the suspicious links detected by the client device are subjected to malicious behavior detection to determine whether they are malicious links, and the detection also performs malicious behavior detection on the other links embedded by a malicious link to detect the other malicious links it embeds; the method then proceeds to step S420.
In step S420, at least according to the embedding relations between the malicious links, a malice value is assessed for each malicious link and/or for the malicious website host name related to each malicious link, and the malice values of the relevant malicious links or malicious website host names are updated according to the newly detected malicious links; the method then proceeds to step S430.
In step S430, the dangerous malicious website host name set, consisting of host names whose malice value is above the first preset threshold, and the dangerous malicious link set, consisting of malicious links under the remaining malicious website host names whose malice value is above the second preset threshold, are screened out; or only the dangerous malicious website host name set whose malice value is above the third preset threshold is screened out; or only the dangerous malicious link set whose malice value is above the fourth preset threshold is screened out. The information of the dangerous malicious website host name set and/or the dangerous malicious link set is then notified to the client device. Through this step, the malicious links or malicious link host names that are relatively likely to be infection sources can be found, so that the client can go on to detect other infected links or websites according to these most probable virus infection sources. The method then proceeds to step S440.
In step S440, the new suspicious links detected by the client device based on the dangerous malicious website host name set and/or the dangerous malicious link set are acquired and subjected to malicious behavior detection, where the other links embedded by a new suspicious link hit the dangerous malicious website host name set or the dangerous malicious link set. Through this step, the server end can acquire more suspicious links and hence, after detection, more malicious link information.
Step S410 above can be performed by the first behavior detector 112 of the preceding embodiments, step S420 by the first behavior evaluator 114, step S430 by the first filter 118, and step S440 jointly by the first acquirer 116 and the first behavior detector 112. The specific implementation of each step can refer to the description of the corresponding components above and is not repeated here.
The malicious link detection method above is described mainly from the server-end perspective; the following describes it from the client perspective. Refer to Fig. 5, which shows a detection method for detecting malicious links according to an embodiment of the invention.
The method starts at step S510. In step S510, malicious behavior of network resources is first detected, and the detected suspicious links are transferred to the server end equipment for further detection; the method then proceeds to step S520, in which the dangerous malicious website host name set and/or the dangerous malicious link set are obtained from the server end equipment. In one embodiment, the dangerous malicious website host name set is the set of malicious website host names screened out by the server end equipment whose malice value is above the first preset threshold, and the dangerous malicious link set is the set of malicious links, under the remaining malicious website host names beyond the screened-out dangerous host name set, whose malice value is above the second preset threshold. In another embodiment, the dangerous malicious website host name set is the set of malicious website host names screened out by the server end equipment whose malice value is above the third preset threshold. In yet another embodiment, the dangerous malicious link set is the set of malicious links screened out by the server end equipment whose malice value is above the fourth preset threshold. The first, second, third and fourth preset thresholds can be set according to actual needs or experience and may be the same or different; the embodiments of the invention are not limited in this respect.
The method then proceeds to step S530: new suspicious links are detected according to the dangerous malicious website host name set and/or the dangerous malicious link set, where the other links embedded by a new suspicious link hit the dangerous malicious website host name set or the dangerous malicious link set, and the new suspicious links are transferred to the server end equipment for detection and for updating the relevant malice values, for example the malice values of the relevant malicious links or of the relevant malicious website host names. Because the links or website host names in the dangerous malicious website host name set or the dangerous malicious link set all have high malice values, i.e. they are likely real virus infection sources such as real Trojan-hanging link sources or websites, and because such a real infection source generally infects not just one or two websites but many, becoming an embedded link of many originally normal websites, the embedding relations between these infection sources and other websites or links can be used to detect more infected websites or malicious links, enlarging both the efficiency and the number of suspicious links detected.
Step S510 above can be performed by the second behavior detector 212 of the preceding embodiments, step S520 by the second acquirer 214, and step S530 by the second link detector 118. The specific implementation of each step can refer to the description of the corresponding components above and is not repeated here.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used in accordance with the teachings herein, and from the description above the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language; it should be understood that various programming languages can be used to implement the content of the invention described here, and the description above of a specific language is given in order to disclose the best mode of the invention. Numerous specific details are set out in the specification provided here. It is understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments above. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described here include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components in the system for detecting malicious links according to the embodiments of the invention. The invention can also be implemented as an equipment or device program (for example, a computer program or computer program product) for carrying out part or all of the methods described here. Such a program implementing the invention can be stored on a computer-readable medium or can take the form of one or more signals; such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the embodiments above describe the invention rather than limit it, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The words "a" or "an" preceding an element do not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words can be interpreted as names.

Claims (10)

1. A system for detecting malicious links, comprising a server-side device and a client device;
the server-side device comprises a network security management device, and the client device comprises a detection device; the malicious links comprise the link addresses of malicious network resources on the Internet, wherein
the detection device comprises:
a second behavior detector, configured to detect suspicious behavior of network resources and to forward the detected suspicious links to the server-side device for further detection;
a second acquirer, configured to obtain the set of high-risk malicious website host names and the set of high-risk malicious links that the server-side device determines on the basis of the suspicious links provided by the second behavior detector, where the set of high-risk malicious website host names is the set of malicious website host names, filtered out by the server-side device, whose malice value exceeds a first preset threshold, and the set of high-risk malicious links is the set of malicious links, under the remaining malicious website host names outside the set of high-risk malicious website host names filtered out by the server-side device, whose malice value exceeds a second preset threshold;
a second link detector, configured to detect new suspicious links according to the set of high-risk malicious website host names and the set of high-risk malicious links obtained by the second acquirer, and to forward the new suspicious links to the server-side device for detection and for updating of the related malice values, where the other links embedded in a new suspicious link hit the set of high-risk malicious website host names or the set of high-risk malicious links;
the network security management device comprises:
a first behavior detector, configured at least to perform malicious-behavior detection on the suspicious links detected by the client device, so as to detect whether each is a malicious link, the detection including malicious-behavior detection of the other links embedded in a malicious link, so as to detect the other malicious links embedded in the malicious link;
a first behavior evaluator, configured at least to evaluate a malice value for each malicious link, and a malice value for the malicious website host name associated with each malicious link, according to the embedding relations between the malicious links detected by the first behavior detector, and to update the malice value of the related malicious links or malicious website host names according to new malicious links detected by the first behavior detector;
a first filter, configured to filter out, according to the results evaluated by the first behavior evaluator, the set of high-risk malicious website host names whose malice value exceeds the first preset threshold and, under the remaining malicious website host names, the set of high-risk malicious links whose malice value exceeds the second preset threshold, and to notify the client device of the set of high-risk malicious website host names and the set of high-risk malicious links;
a first acquirer, configured to obtain the new suspicious links detected by the client device on the basis of the set of high-risk malicious website host names and the set of high-risk malicious links, and to forward the new suspicious links to the first behavior detector for detection, where the other links embedded in a new suspicious link hit the set of high-risk malicious website host names or the set of high-risk malicious links.
2. The system according to claim 1, wherein the malicious link whose malice value is to be evaluated is called the target malicious link, the other malicious links embedded in the target malicious link are called the embedded malicious links of the target malicious link, and the malicious out-link count of each embedded malicious link is the total number of malicious links that have this embedded malicious link as an embedded link; the first behavior evaluator comprises:
a first identification module, configured to identify, according to the embedding relations between the malicious links, all embedded malicious links of the target malicious link and the malicious out-link count of each embedded malicious link;
a first evaluation module, configured to evaluate the malice value of the target malicious link according to the latest malice value of each embedded malicious link of the target malicious link identified by the first identification module, and the malicious out-link count of each embedded malicious link.
3. The system according to claim 1 or 2, wherein the malicious website host name whose malice value is to be evaluated is called the target malicious website host name, the malicious website host names to which the other malicious links embedded in each malicious link under the target malicious website host name belong are the associated malicious website host names having an association relation with the target malicious website host name, and the malicious out-link count of each associated malicious website host name is the sum of the malicious out-link counts of all malicious links under that associated malicious website host name; the first behavior evaluator comprises:
a second identification module, configured to identify, according to the embedding relations between the malicious links, the associated malicious website host names of the target malicious website host name and the malicious out-link count of each associated malicious website host name;
a second evaluation module, configured to evaluate the malice value of the target malicious website host name according to the latest malice value of each associated malicious website host name of the target malicious website host name, and the malicious out-link count of each associated malicious website host name.
4. The system according to claim 2 or 3, wherein
the first evaluation module is further configured to obtain the malice value of each target malicious link in a multi-round iterative manner, setting an initial malice value for each target malicious link when processing the first round;
the second evaluation module is further configured to obtain the malice value of each target malicious website host name in a multi-round iterative manner, setting an initial malice value for each target malicious website host name when processing the first round.
5. The system according to any one of claims 1 to 4, wherein the other links embedded in a malicious link or suspicious link comprise: other links that are executed automatically when the malicious link or suspicious link is accessed.
6. The system according to any one of claims 1 to 5, wherein the other links embedded in the new suspicious link hitting the set of high-risk malicious website host names or the set of high-risk malicious links comprises:
the website host name of at least one of the other links embedded in the new suspicious link is a website host name in the set of high-risk malicious website host names;
or,
at least one of the other links embedded in the new suspicious link is a link in the set of high-risk malicious links.
7. The system according to any one of claims 1 to 6, wherein the first behavior detector is specifically a trojan-embedding (挂马) behavior detector, the malicious-behavior detection is specifically trojan-embedding behavior detection, the malicious links are specifically malicious trojan-embedding links, and the other malicious links embedded in a malicious link are specifically the other malicious trojan-embedding links embedded in the malicious trojan-embedding link.
8. A method for detecting malicious links, the malicious links comprising the link addresses of various malicious network resources on the Internet, the method comprising:
performing at least malicious-behavior detection on the suspicious links detected by a client device, so as to detect whether each is a malicious link, the detection including malicious-behavior detection of the other links embedded in a malicious link, so as to detect the other malicious links embedded in the malicious link;
evaluating, at least according to the embedding relations between the malicious links, a malice value for each malicious link and a malice value for the malicious website host name associated with each malicious link, and updating the malice value of the related malicious links or malicious website host names according to newly detected malicious links;
filtering out the set of high-risk malicious website host names whose malice value exceeds a first preset threshold and, under the remaining malicious website host names, the set of high-risk malicious links whose malice value exceeds a second preset threshold, and notifying the client device of the set of high-risk malicious website host names and the set of high-risk malicious links;
obtaining the new suspicious links detected by the client device on the basis of the set of high-risk malicious website host names and the set of high-risk malicious links, and performing malicious-behavior detection on the new suspicious links, where the other links embedded in a new suspicious link hit the set of high-risk malicious website host names or the set of high-risk malicious links;
wherein the other links embedded in a malicious link or suspicious link comprise: other links that are executed automatically when the malicious link or suspicious link is accessed.
9. The method according to claim 8, wherein the malicious link whose malice value is to be evaluated is called the target malicious link, the other malicious links embedded in the target malicious link are called the embedded malicious links of the target malicious link, and the malicious out-link count of each embedded malicious link is the total number of malicious links that have this embedded malicious link as an embedded link; evaluating a malice value for each malicious link according to the embedding relations between the malicious links comprises:
identifying, according to the embedding relations between the malicious links, all embedded malicious links of the target malicious link and the malicious out-link count of each embedded malicious link;
evaluating the malice value of the target malicious link according to the latest malice value of each embedded malicious link of the target malicious link, and the malicious out-link count of each embedded malicious link.
10. The method according to claim 8 or 9, wherein the malicious website host name whose malice value is to be evaluated is called the target malicious website host name, the malicious website host names to which the other malicious links embedded in each malicious link under the target malicious website host name belong are the associated malicious website host names having an association relation with the target malicious website host name, and the malicious out-link count of each associated malicious website host name is the sum of the malicious out-link counts of all malicious links under that associated malicious website host name; evaluating a malice value for the malicious website host name associated with each malicious link according to the embedding relations between the malicious links comprises:
identifying, according to the embedding relations between the malicious links, the associated malicious website host names of the target malicious website host name and the malicious out-link count of each associated malicious website host name;
evaluating the malice value of the target malicious website host name according to the latest malice value of each associated malicious website host name of the target malicious website host name, and the malicious out-link count of each associated malicious website host name.
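The scoring and screening pipeline of claims 1 to 6 and 8 to 10, as an added Python example that is not part of the patent: the claims state only that a target's malice value depends on the latest malice values and malicious out-link counts of its embedded links, so the PageRank-style update rule, the damping factor, the thresholds and the sample link graph below are this example's own assumptions.

```python
from urllib.parse import urlparse

# Constructed sample (names invented): each malicious link mapped to the other
# links that load automatically when it is opened (the embedded links of claim 5).
# Every embedded link must also appear as a key, i.e. the graph is closed.
EMBEDS = {
    "http://a.example/index.html": ["http://c.example/kit.js", "http://b.example/frame.html"],
    "http://a.example/page2.html": ["http://c.example/kit.js"],
    "http://b.example/frame.html": ["http://c.example/kit.js"],
    "http://c.example/kit.js": [],
}

def host_of(link):
    return urlparse(link).hostname

def malicious_outlink_counts(embeds):
    """Claim 2: the malicious out-link count of an embedded link is the number
    of malicious links that embed it (its in-degree in the embedding graph)."""
    counts = {link: 0 for link in embeds}
    for targets in embeds.values():
        for e in targets:
            counts[e] += 1
    return counts

def iterate_link_scores(embeds, rounds=20, damping=0.85, initial=1.0):
    """Claims 2 and 4: multi-round iteration from an initial value. The update
    rule is this example's assumption (PageRank-like), not the patent's formula:
    score(t) = (1 - damping) + damping * sum(score(e) / outlinks(e))."""
    out = malicious_outlink_counts(embeds)
    score = {link: initial for link in embeds}  # first-round initial value
    for _ in range(rounds):
        score = {t: (1 - damping) + damping * sum(score[e] / out[e] for e in targets)
                 for t, targets in embeds.items()}
    return score

def iterate_host_scores(embeds, rounds=20, damping=0.85, initial=1.0):
    """Claims 3 and 4: the associated hosts of a host are the hosts of the links
    embedded in its links; a host's out-link count is the sum of its links'
    out-link counts. Same assumed update rule as for links."""
    out = malicious_outlink_counts(embeds)
    host_out, assoc = {}, {}
    for link, targets in embeds.items():
        h = host_of(link)
        host_out[h] = host_out.get(h, 0) + out[link]
        assoc.setdefault(h, set()).update(host_of(e) for e in targets)
    score = {h: initial for h in host_out}
    for _ in range(rounds):
        score = {h: (1 - damping) + damping * sum(score[a] / host_out[a] for a in assoc[h])
                 for h in host_out}
    return score

def screen(link_scores, host_scores, t1, t2):
    """Claim 1's first filter: hosts scoring above t1 form the high-risk host set;
    links under the remaining hosts scoring above t2 form the high-risk link set."""
    risky_hosts = {h for h, s in host_scores.items() if s > t1}
    risky_links = {l for l, s in link_scores.items()
                   if host_of(l) not in risky_hosts and s > t2}
    return risky_hosts, risky_links

def client_hit(embedded_links, risky_hosts, risky_links):
    """Claim 6: a new suspicious link hits when the host of any embedded link is in
    the high-risk host set, or the embedded link itself is in the high-risk link set."""
    return any(host_of(e) in risky_hosts or e in risky_links for e in embedded_links)
```

With the sample graph and thresholds t1=0.3, t2=0.18, the landing host a.example lands in the host set while b.example's frame is caught only by the link set, so a client check on a new page that embeds either one hits without contacting the server.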
CN201210560165.5A 2012-12-20 2012-12-20 Method and system for testing malicious links Active CN103036896B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210560165.5A CN103036896B (en) 2012-12-20 2012-12-20 Method and system for testing malicious links
PCT/CN2013/090104 WO2014094653A1 (en) 2012-12-20 2013-12-20 Device, method and system for detecting malicious links

Publications (2)

Publication Number Publication Date
CN103036896A true CN103036896A (en) 2013-04-10
CN103036896B CN103036896B (en) 2015-07-01

Family

ID=48023379

Country Status (1)

Country Link
CN (1) CN103036896B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220330

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right