CN107800686B - Phishing website identification method and device - Google Patents
Phishing website identification method and device Download PDFInfo
- Publication number
- CN107800686B CN107800686B CN201710873546.1A CN201710873546A CN107800686B CN 107800686 B CN107800686 B CN 107800686B CN 201710873546 A CN201710873546 A CN 201710873546A CN 107800686 B CN107800686 B CN 107800686B
- Authority
- CN
- China
- Prior art keywords
- website
- detected
- websites
- phishing
- resources
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention relates to a phishing website identification method and device. The method comprises the following steps: detecting whether resources of other websites are embedded in the website to be detected; if the resources of other websites are not embedded, judging that the website to be detected is a non-phishing website; if resources of other websites are embedded, judging whether the domain names of the other websites intersect with the white list; if the intersection does not exist, judging that the website to be detected is a non-phishing website; if the intersection exists, the website to be detected is judged to be a highly suspected phishing website; and carrying out validity judgment and domain name credit evaluation on the highly suspected phishing websites to determine whether the website to be detected is a phishing website. The invention can make up the defect that the blacklist technology cannot filter newly appeared phishing websites, efficiently identify the phishing websites embedded with brand website elements and resources, and improve the performance of phishing filtering.
Description
Technical Field
The invention belongs to the technical field of information technology and network security, and particularly relates to a phishing website identification method and device.
Background
The term Phishing (Phishing) was generated in 1996 and evolved from the term Fishing (Fishing). In the process of phishing, an attacker uses baits (such as e-mails and mobile phone short messages) to send to a large number of users, and expects a small number of users to 'catch up', so that the aim of 'phishing' (such as stealing privacy information of the users) is fulfilled. The international anti-phishing working group (APWG) gives phishing the definition: phishing is a network attack that uses social engineering and technical means to steal the personal identity data and financial account credentials of consumers. Phishing attacks using social engineering means often send deceptive emails, short messages and the like seemingly from legitimate enterprises or institutions to users, induce the users to reply personal sensitive information or click links therein to access forged websites, and further reveal credential information (such as user names and passwords) or download malicious software. Phishing seriously threatens the property and privacy safety of netizens and becomes one of the biggest potential safety hazards of the current internet.
The blacklist technology is widely applied and is one of the main phishing filtering technologies. For example, the Google Safe API used in Google Chrome, Mozilla Firefox, and Apple Safai is to determine whether a URL is a phishing web page or a malicious web page by verifying whether the URL is in a blacklist based on a continuously updated blacklist provided by Google. Blacklist techniques are simple and easy to use, but have significant disadvantages: there is no way to find phishing websites that are not included in the list, in other words, newly appearing phishing websites cannot be filtered.
Disclosure of Invention
Aiming at the problems, the invention provides a phishing website identification method and device, which can make up the defect that a blacklist technology cannot filter newly-appeared phishing websites, efficiently identify phishing websites embedded with brand website elements and resources, and improve the performance of phishing filtering.
According to the invention, by analyzing phishing reporting data of the phishing website alliance and the China anti-phishing website alliance, the fact that most of phishing websites are more vivid in imitation and often directly use resources (Logo, CSS and the like) of brand websites is discovered; when the user accesses the phishing websites through the browser, a query request for the domain name of the brand website is then initiated. The present invention utilizes the above-described characteristics of phishing websites to identify these phishing websites by analyzing Domain Name System (DNS) resolution data.
The technical scheme adopted by the invention is as follows:
a phishing website identification method comprises the following steps:
detecting whether resources of other websites are embedded in the website to be detected;
if the resources of other websites are not embedded in the website to be detected, judging that the website to be detected is a non-phishing website;
if resources of other websites are embedded in the website to be detected, judging whether the domain names of the other websites intersect with the white list; if the intersection does not exist, judging that the website to be detected is a non-phishing website; if the intersection exists, the website to be detected is judged to be a highly suspected phishing website;
and carrying out validity judgment and domain name credit evaluation on the highly suspected phishing website to determine whether the website to be detected is a phishing website.
Further, before detecting whether the resources of other websites are embedded in the website to be detected, judging whether the domain name of the website to be detected is in a white list, and if the domain name of the website to be detected is in the white list, directly judging that the website to be detected is a non-phishing website.
Further, whether the resources of other websites are embedded in the website to be detected is judged by detecting whether links of the resources of other websites are embedded in the webpage source code of the website to be detected or detecting whether a DNS query request for other domain names is initiated in the process that the browser accesses the website to be detected.
Further, the network behavior of the browser is monitored in real time through the browser plug-in to capture a network resource query request initiated in the process that the browser loads the page of the website to be detected, and the queried domain name is compared with the domain name of the website to be detected, so that whether a DNS query request for other domain names is initiated or not is judged.
Further, whether DNS query requests for other domain names are initiated in the process that the browser accesses the website to be detected is judged by building a local DNS recursive server and analyzing DNS query request logs.
Further, by disabling the computer DNS client cache and setting the DNS client to perform DNS query only by using the built local DNS recursive server, the DNS query request log is ensured to completely record the DNS query request initiated when the browser loads the page.
Further, a non-existing domain name is selected, and the DNS query request record for the domain name is used as a separation identifier between different web page query request records in the DNS query request log.
A phishing website identification apparatus comprising:
the detection unit is used for detecting whether resources of other websites are embedded in the website to be detected;
the first judging unit is used for judging that the website to be detected is a non-phishing website when the resources of other websites are not embedded in the website to be detected;
the white list comparison unit is used for judging whether the domain names of other websites embedded in the website to be detected are intersected with the white list;
the second judging unit is used for judging the website to be detected as a non-phishing website when the domain names of the other websites are not intersected with the white list; when the domain names of the other websites intersect with the white list, the website to be detected is judged to be a highly suspected phishing website;
the evaluation unit is used for carrying out validity judgment and domain name credit evaluation on the highly suspected phishing website;
and the third judging unit is used for judging whether the website to be detected is a phishing website or not according to the result obtained by the evaluating unit.
Further, the detection unit judges whether the resources of other websites are embedded in the website to be detected by detecting whether the links of the resources of other websites are embedded in the webpage source code of the website to be detected; or, the detection unit is a browser plug-in, captures a network resource query request initiated in the process that the browser loads the page of the website to be detected by monitoring the network behavior of the browser in real time, and compares the queried domain name with the domain name of the website to be detected to judge whether to initiate a DNS query request for other domain names, thereby judging whether to embed resources of other websites in the website to be detected.
Further, the detection unit is a local DNS recursive server, and determines whether to initiate DNS query requests for other domain names in a process of the browser accessing the website to be detected by analyzing the DNS query request log, thereby determining whether to embed resources of other websites in the website to be detected.
Compared with the prior art, the invention has the following beneficial effects:
1. the method is convenient to realize in a browser plug-in mode, so that online real-time identification is realized, results can be fed back in time to remind a user, and the user is prevented from being cheated.
2. May be used in conjunction with blacklisting techniques, in addition to each other. Before the method is used for phishing identification, the domain name of the URL to be detected is matched with the blacklist, if the domain name exists in the blacklist, the URL can be determined as phishing, further identification is not needed, and therefore the identification efficiency is effectively improved. On the other hand, if the domain name is not successfully matched with the blacklist and is identified as fishing after the identification is carried out by using the method, the domain name corresponding to the domain name can be added into the blacklist, so that the extension of the blacklist is realized.
3. The expansion is convenient. Aiming at the new brand of fishing, the domain name of the brand resource is added to the white list. The key of the invention is to maintain a white list with integrity and effectiveness, and compared with a black list, the white list formed by legal brand domain names is relatively more stable and is easier to maintain and update.
4. Language independent. All steps of the invention do not relate to the language type of the phishing website, and can identify the global brand counterfeiting. Therefore, the invention is not restricted by the language type of the website, and has wider application range compared with other phishing identification methods.
Drawings
FIG. 1 is a schematic diagram of a phishing website.
Fig. 2 is a screenshot of a source code snippet for the phishing website of fig. 1.
FIG. 3 is a flowchart of a phishing website identification method in an embodiment.
FIG. 4 is a schematic diagram illustrating components of the phishing website identification apparatus in one embodiment.
Detailed Description
The present invention will be described in further detail below with reference to specific examples and the accompanying drawings.
Phishing is essentially a brand counterfeit, and phishers send false information in the modes of mails, instant messaging and the like to induce users to visit a counterfeit website built in advance so as to cheat the privacy and property of the users. The counterfeit website is often highly similar to the real brand website in vision as the most important criminal place, so as to deceive the user into believing true. Today, websites (especially large brand websites) are not simply words and pictures, but contain a large number of elements and resources of unique brand styles, including Logo pictures, Favicon pictures, CSS files, JS files, etc.; phishing websites often directly use these resources of branded websites, i.e. links of these resources are embedded in the webpage source code, in order to be spurious. For example: https:// wvw. PayPal-limited. com-webpps-security. com is a website that phishes PayPal (http:// www.paypal.com), the effect of which is shown in fig. 1.
The landing page is almost the same as that of paypal official website, and the screenshot of the source code fragment of the website is shown in fig. 2. As can be seen from the screenshot, the phishing website uses the Favicon picture, CSS file and JS file of PayPal (note: the resources of PayPal are all placed at www.paypalobjects.com). Thus, when the user accesses https:// wvw. paypal-limited. com-webapps-security. com/through the browser, the browser first initiates a query request for the domain name "com-webapps-security. com", and then initiates a query request for the domain name "paypal objects. com". The method of the invention is to efficiently identify the phishing website by fully mining the characteristic of the phishing website.
The flow of the phishing website identification method of the present invention is shown in fig. 3. For each website input by the user, the following process is executed:
judging whether the domain name corresponding to the URL to be detected is in a white list or not according to an existing white list library, if so, indicating that the URL is not a phishing website, and ending the identification process; otherwise, the second step is executed.
Secondly, initiating a query request for the Domain by using a browser, accessing a server where the Domain is located, loading a page, judging whether to initiate a query request for other Domain names (newNomains) or not in the process, if not, considering the URL non-phishing website, and ending the process; otherwise, the next step of identification is carried out.
Judging whether a domain name exists in a white list in newDomains (namely whether the domain name has intersection with the white list), and if not, considering the URL non-phishing website; otherwise, the URL is regarded as a highly suspected phishing website, and further judgment is carried out.
And fourthly, further carrying out validity judgment and domain name credit evaluation on the highly suspected phishing website, and finally determining whether the website is phishing. And the legality judgment is to judge whether the domain name of the corresponding brand in the white list used by the suspected phishing website is legal or not, and the domain name credit evaluation is to score the domain name and judge whether the domain name of the website is credible or not.
In the last step, for the highly suspected phishing websites, whether the Domain is indexed in the search engine or not can be further analyzed, and if the search engine has the index, the Domain is not phishing; and whether the same person is registered with a domain name (whiteDomain) matched in the white list, and if so, not phishing; and whether the resolved IP of Domain and whiteDomain is in an as (autonomous system) Domain, and if so, not phishing; if the above condition is not satisfied, fishing is determined.
The key point of the invention is to confirm whether the web page source code of the URL to be detected is embedded with elements and resource links of the brand website, namely whether a query request for other domain names (newDomains) is initiated when the browser accesses the URL. The present invention is not limited to a specific implementation manner, and may be implemented in various manners, such as page content analysis, browser query monitoring, recursive DNS resolution analysis, and the like, and embodiments will be given below.
1. By analysing web page source code
The most direct embodiment of using brand website resources in phishing counterfeiting websites is to embed links of the resources in webpage source codes. In the source code of the web page, the invocation of resources such as a Logo picture, a Favicon picture, a CSS file, a JS file and the like is generally realized through two attributes of "href" and "src".
Therefore, the method comprises the steps of grabbing the webpage source code of the URL to be detected, analyzing the source code, and extracting values of two attributes of href and src in code segments for calling resources such as Logo, Favicon, CSS and JS in the source code by using a regular expression, wherein the values are links for calling corresponding resources, and further obtaining the domain name corresponding to the links. And then, comparing the domain name of the link for calling the resource in the source code with the domain name of the URL to be detected, and if the domain name of the URL to be detected is different, considering that the resource of other brand websites is embedded in the URL, namely judging that the possibility of brand counterfeiting exists.
2. Browser plug-in form (capturing DNS query request)
When a webpage is loaded, the browser needs to request a server side for resources such as JS, CSS, Image and the like to download, and a series of actions such as DNS query, request sending, redirection and the like are generated in the process. Referring to Chrome DevTools, a browser plug-in can be developed, the network behavior of the browser is monitored in real time, so that a network resource query request initiated in the process that the browser loads a URL page to be detected is captured, query requests for three categories of JS, CSS and Images are screened out, the queried domain name is compared with the domain name of the URL to be detected, whether the query request of newDomains is initiated or not is judged, and whether phishing is possible or not is judged.
3. And building a local DNS recursive server and analyzing a DNS query request log.
And building a local DNS recursive server, and performing corresponding configuration to enable the local DNS recursive server to record the received DNS query request. In order to ensure that the DNS query request log completely records the DNS query request initiated when the browser loads a page, the cache of the computer DNS client is forbidden, and the DNS client is set to perform DNS query only by using the built local DNS recursive server.
In a DNS query request log, information of only three fields, that is, query time, user IP, and query domain name, is often recorded, and a recording range of a DNS query request initiated when a browser loads one web page cannot be distinguished. For this purpose, the invention selects a non-existent domain name in advance, and uses the DNS query request record of the domain name as the separation mark between different web page query request records in the log. Before and after one URL to be detected is accessed each time, the selected domain name is accessed, so that the DNS query request records initiated in the loading process of the webpage to be detected can be accurately and completely obtained when the DNS query request logs are analyzed.
And matching the DNS query request logs by using a regular expression to obtain DNS query request records initiated by a URL page to be detected, wherein the first row of records are the domain name query request records of the URL, the rest of records are the DNS query records initiated when the page calls resources including but not limited to Logo pictures, Favicon pictures, CSS files, JS files and the like, and further comparing whether the domain names related to the queries are in a white list to judge whether counterfeiting is possible.
Another embodiment of the present invention provides a phishing website identification apparatus, as shown in fig. 4, including:
the detection unit is used for detecting whether resources of other websites are embedded in the website to be detected;
the first judging unit is used for judging that the website to be detected is a non-phishing website when the resources of other websites are not embedded in the website to be detected;
the white list comparison unit is used for judging whether the domain names of other websites embedded in the website to be detected are intersected with the white list;
the second judging unit is used for judging the website to be detected as a non-phishing website when the domain names of the other websites are not intersected with the white list; when the domain names of the other websites intersect with the white list, the website to be detected is judged to be a highly suspected phishing website;
the evaluation unit is used for carrying out validity judgment and domain name credit evaluation on the highly suspected phishing website;
and the third judging unit is used for judging whether the website to be detected is a phishing website or not according to the result obtained by the evaluating unit.
The detection unit is used for judging whether the resources of other websites are embedded in the website to be detected by detecting whether the links of the resources of other websites are embedded in the webpage source code of the website to be detected; or, the detection unit is a browser plug-in, captures a network resource query request initiated in the process that the browser loads the page of the website to be detected by monitoring the network behavior of the browser in real time, and compares the queried domain name with the domain name of the website to be detected to judge whether to initiate a DNS query request for other domain names, thereby judging whether to embed resources of other websites in the website to be detected.
The detection unit may also be a built local DNS recursive server, which determines whether to initiate DNS query requests for other domain names in the process of the browser accessing the website to be detected by analyzing the DNS query request log, thereby determining whether to embed resources of other websites in the website to be detected.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.
Claims (11)
1. A phishing website identification method is characterized by comprising the following steps:
detecting whether resources of other websites are embedded in the website to be detected;
if the resources of other websites are not embedded in the website to be detected, judging that the website to be detected is a non-phishing website;
if resources of other websites are embedded in the website to be detected, judging whether the domain names of the other websites are intersected with a white list formed by legal brand domain names; if the intersection does not exist, judging that the website to be detected is a non-phishing website; if the intersection exists, the website to be detected is judged to be a highly suspected phishing website;
and carrying out validity judgment and domain name credit evaluation on the highly suspected phishing website to determine whether the website to be detected is a phishing website.
2. The method of claim 1, wherein before detecting whether the resources of other websites are embedded in the website to be detected, it is determined whether the domain name of the website to be detected is in a white list, and if so, it is directly determined that the website to be detected is a non-phishing website.
3. The method according to claim 1 or 2, characterized in that whether the resources of other websites are embedded in the website to be detected is determined by detecting whether the links of the resources of other websites are embedded in the webpage source code of the website to be detected or detecting whether a DNS query request for other domain names is initiated during the process of the browser accessing the website to be detected.
4. The method of claim 3, wherein the method for determining whether the resources of other websites are embedded in the website to be detected by detecting the webpage source code comprises the following steps: capturing a webpage source code of a website to be detected, extracting values of two attributes href and src in a code segment for calling resources in the source code by using a regular expression, namely a link for calling the corresponding resource, and further obtaining a domain name corresponding to the link; and then comparing the domain name corresponding to the link for calling the resource in the source code with the domain name of the website to be detected, and if the domain name is different from the domain name of the website to be detected, determining that the resource of other websites is embedded in the website to be detected.
5. The method of claim 3, wherein the network behavior of the browser is monitored in real time through a browser plug-in to capture a network resource query request initiated in the process that the browser loads the page of the website to be detected, and the queried domain name is compared with the domain name of the website to be detected, so as to determine whether to initiate a DNS query request for other domain names.
6. The method according to claim 3, wherein whether to initiate DNS query requests for other domain names in the process of the browser accessing the website to be detected is judged by building a local DNS recursive server and analyzing a DNS query request log.
7. The method of claim 6, wherein the DNS query request initiated when the browser loads the page is guaranteed to be completely recorded in the DNS query request log by disabling the computer DNS client cache and setting the DNS client to perform DNS queries only using the built local DNS recursive server.
8. The method of claim 7, wherein a non-existent domain name is selected, and the DNS query request record for the domain name is used as a separation identifier between different web page query request records in the DNS query request log.
9. A phishing website identification apparatus, comprising:
the detection unit is used for detecting whether resources of other websites are embedded in the website to be detected;
the first judging unit is used for judging that the website to be detected is a non-phishing website when the resources of other websites are not embedded in the website to be detected;
the white list comparison unit is used for judging whether the domain names of other websites embedded in the website to be detected are intersected with a white list formed by legal brand domain names;
the second judging unit is used for judging the website to be detected as a non-phishing website when the domain names of the other websites are not intersected with the white list; when the domain names of the other websites intersect with the white list, the website to be detected is judged to be a highly suspected phishing website;
the evaluation unit is used for carrying out validity judgment and domain name credit evaluation on the highly suspected phishing website;
and the third judging unit is used for judging whether the website to be detected is a phishing website or not according to the result obtained by the evaluating unit.
10. The apparatus according to claim 9, wherein the detecting unit determines whether the resources of other websites are embedded in the website to be detected by detecting whether the links of the resources of other websites are embedded in the webpage source code of the website to be detected; or, the detection unit is a browser plug-in, captures a network resource query request initiated in the process that the browser loads the page of the website to be detected by monitoring the network behavior of the browser in real time, and compares the queried domain name with the domain name of the website to be detected to judge whether to initiate a DNS query request for other domain names, thereby judging whether to embed resources of other websites in the website to be detected.
11. The apparatus according to claim 9, wherein the detecting unit is a local DNS recursive server, which determines whether to initiate DNS query requests for other domain names during the process of the browser accessing the website to be detected by analyzing the DNS query request log, so as to determine whether to embed resources of other websites in the website to be detected.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710873546.1A CN107800686B (en) | 2017-09-25 | 2017-09-25 | Phishing website identification method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710873546.1A CN107800686B (en) | 2017-09-25 | 2017-09-25 | Phishing website identification method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107800686A CN107800686A (en) | 2018-03-13 |
| CN107800686B true CN107800686B (en) | 2020-06-12 |
Family
ID=61532401
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710873546.1A Active CN107800686B (en) | 2017-09-25 | 2017-09-25 | Phishing website identification method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107800686B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108804919A (en) * | 2018-05-03 | 2018-11-13 | 上海交通大学 | The homologous determination method of malicious code based on deep learning |
| CN109670279A (en) * | 2018-11-30 | 2019-04-23 | 成都知道创宇信息技术有限公司 | A kind of method of website flexible configuration webpage insertion permission |
| CN111556036A (en) * | 2020-04-20 | 2020-08-18 | 杭州安恒信息技术股份有限公司 | Detection method, device and equipment for phishing attack |
| CN113163234B (en) * | 2021-04-02 | 2022-10-14 | 中国科学院信息工程研究所 | Pirate video website detection method and system based on third-party service |
| CN113225343B (en) * | 2021-05-10 | 2022-09-20 | 广州掌动智能科技有限公司 | Risk website identification method and system based on identity characteristic information |
| CN113556347B (en) * | 2021-07-22 | 2023-04-07 | 深信服科技股份有限公司 | Detection method, device and equipment for phishing mails and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102082792A (en) * | 2010-12-31 | 2011-06-01 | 成都市华为赛门铁克科技有限公司 | Phishing webpage detection method and device |
| US8079087B1 (en) * | 2005-05-03 | 2011-12-13 | Voltage Security, Inc. | Universal resource locator verification service with cross-branding detection |
| CN102902917A (en) * | 2011-07-29 | 2013-01-30 | 国际商业机器公司 | Method and system for preventing phishing attacks |
| CN103428186A (en) * | 2012-05-24 | 2013-12-04 | ***通信集团公司 | Method and device for detecting phishing website |
| CN103544436A (en) * | 2013-10-12 | 2014-01-29 | 深圳先进技术研究院 | System and method for distinguishing phishing websites |
| CN106357682A (en) * | 2016-10-26 | 2017-01-25 | 华中科技大学 | Phishing website detecting method |
-
2017
- 2017-09-25 CN CN201710873546.1A patent/CN107800686B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8079087B1 (en) * | 2005-05-03 | 2011-12-13 | Voltage Security, Inc. | Universal resource locator verification service with cross-branding detection |
| CN102082792A (en) * | 2010-12-31 | 2011-06-01 | 成都市华为赛门铁克科技有限公司 | Phishing webpage detection method and device |
| CN102902917A (en) * | 2011-07-29 | 2013-01-30 | 国际商业机器公司 | Method and system for preventing phishing attacks |
| CN103428186A (en) * | 2012-05-24 | 2013-12-04 | ***通信集团公司 | Method and device for detecting phishing website |
| CN103544436A (en) * | 2013-10-12 | 2014-01-29 | 深圳先进技术研究院 | System and method for distinguishing phishing websites |
| CN106357682A (en) * | 2016-10-26 | 2017-01-25 | 华中科技大学 | Phishing website detecting method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107800686A (en) | 2018-03-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107800686B (en) | Phishing website identification method and device | |
| US11019094B2 (en) | Methods and systems for malicious message detection and processing | |
| US20210058354A1 (en) | Determining Authenticity of Reported User Action in Cybersecurity Risk Assessment | |
| US10102372B2 (en) | Behavior profiling for malware detection | |
| Wu et al. | Effective defense schemes for phishing attacks on mobile computing platforms | |
| CA2859126C (en) | Online fraud detection dynamic scoring aggregation systems and methods | |
| EP3125147B1 (en) | System and method for identifying a phishing website | |
| US9191411B2 (en) | Protecting against suspect social entities | |
| US9215242B2 (en) | Methods and systems for preventing unauthorized acquisition of user information | |
| Amrutkar et al. | Detecting mobile malicious webpages in real time | |
| CN104954372B (en) | A kind of evidence obtaining of fishing website and verification method and system | |
| US9055097B1 (en) | Social network scanning | |
| Maggi et al. | Two years of short urls internet measurement: security threats and countermeasures | |
| CN103368957B (en) | Method and system that web page access behavior is processed, client, server | |
| US9147067B2 (en) | Security method and apparatus | |
| CN107465702B (en) | Early warning method and device based on wireless network intrusion | |
| US20210006592A1 (en) | Phishing Detection based on Interaction with End User | |
| Kaur et al. | Browser fingerprinting as user tracking technology | |
| Apruzzese et al. | Spacephish: The evasion-space of adversarial attacks against phishing website detectors using machine learning | |
| US11303670B1 (en) | Pre-filtering detection of an injected script on a webpage accessed by a computing device | |
| Roopak et al. | On effectiveness of source code and SSL based features for phishing website detection | |
| Thaker et al. | Detecting phishing websites using data mining | |
| EP3195140A1 (en) | Malicious message detection and processing | |
| Rahman et al. | Classification of spamming attacks to blogging websites and their security techniques | |
| Patil | Request dependency integrity: validating web requests using dependencies in the browser environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |