KR20140017319A - System and method for preventing phishing - Google Patents



Publication number
KR20140017319A
KR20140017319A KR1020120084137A KR20120084137A KR20140017319A KR 20140017319 A KR20140017319 A KR 20140017319A KR 1020120084137 A KR1020120084137 A KR 1020120084137A KR 20120084137 A KR20120084137 A KR 20120084137A KR 20140017319 A KR20140017319 A KR 20140017319A
Authority
KR
South Korea
Prior art keywords
web page
phishing
user
input field
content
Application number
KR1020120084137A
Other languages
Korean (ko)
Inventor
강기수
김재룡
박현우
Original Assignee
라온시큐어(주)
Application filed by 라온시큐어(주) filed Critical 라온시큐어(주)
Priority to KR1020120084137A priority Critical patent/KR20140017319A/en
Publication of KR20140017319A publication Critical patent/KR20140017319A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention relates to a method and apparatus for preventing phishing and, more particularly, to a phishing prevention method that checks input fields, a phishing prevention method that adds a check of the server's country to that method, a phishing prevention method that compares domain similarity, a phishing prevention method that detects content images, and an active phishing prevention system that compares and analyzes web page content. According to an embodiment of the present invention, the phishing prevention method prevents a user from accessing an abnormal or new phishing site that is not registered, and prevents leakage of personal financial information, such as the full set of security card numbers, through phishing.

[Reference numerals] (AA) Start; (BB, EE, HH) No; (DD, FF, GG) Yes; (II, CC) End; (S301) User requests a web page; (S303) Is there an input field?; (S305) Extract input field information; (S307) Security card pattern?; (S309) Input user information; (S311) Extract the transmission data when transmission is requested; (S313) Security card pattern?; (S315) Phishing warning / access blocking / transmission blocking

Description

Phishing prevention method and phishing prevention system {System and method for preventing phishing}

The present invention relates to a phishing prevention method and a phishing prevention system, and more specifically, to a phishing prevention method through input field verification, a phishing prevention method that adds a nationality verification condition to the above method, a phishing prevention method that compares domain similarity, a phishing prevention method through content image detection, and an active phishing prevention system through comparative analysis of web page content.

Phishing means stealing credit card or account information by sending false e-mails, made to look as if they come from the relevant financial institution, to an unspecified number of e-mail users, claiming that there is a problem with their credit card or bank account information and that enhanced security or a security upgrade is required. In other words, phishing is an Internet financial fraud technique that uses a false e-mail to obtain a person's personal information and then extracts and exploits personal credit card and bank account information.

Phishing has mainly been used to extract personal financial information such as user name, social security number, account number and account password from the user under the pretext of security promotion or security enhancement. Recently, however, as the introduction of security cards has strengthened online financial security, more phishing sites are trying to extract security card numbers.

Conventionally, to protect personal financial information from phishing, a blacklist of sites with a history of phishing is registered and the user is told that a site is a phishing site when accessing a site on the list, or, similarly, the risk of a website is displayed and access to sites evaluated as phishing sites is prevented. These methods hold phishing site information and report a site as a phishing site when the site the user accesses matches that information.

However, the above-described conventional phishing protection methods cannot cope with access to an abnormal or new phishing site that is not registered, require the phishing site information to be updated every time, and cannot detect phishing sites with similar domains in advance.

The present invention was devised to solve the above problems of the prior art, and an object thereof is to propose a method for preventing phishing by checking the input fields of an accessed web page.

Based on the above method, a phishing prevention method including the step of confirming country information is proposed.

In addition, as other methods for solving the problems of the prior art described above, the present invention proposes a phishing prevention method that compares the similarity between the domain of the accessed site and the domain of a normal site, and a phishing prevention method that compares the similarity between the image of the web content provided by a normal web page and the image of the web content provided by the accessed web page.

In addition, the present invention proposes an active phishing prevention system that analyzes and extracts the content of the accessed web page in real time, compares it with a previously established content database of normal web pages to prevent phishing, and further guides the user to the normal financial site.

The technical objects to be achieved by the present invention are not limited to those mentioned above, and other technical objects not mentioned here will be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, an anti-phishing method through input field verification according to an embodiment of the present invention includes: (a) confirming whether an input field exists by analyzing the hypertext markup language (HTML) and the Document Object Model (DOM) of the web page that responds to a user's web page request; (b) extracting information of the input field if the input field exists in the web page; (c) checking whether the input field is a security card full number input pattern based on the extracted input field information; and (d) determining the web page to be a phishing site if, as a result of step (c), the input field corresponds to the security card full number input pattern.

Here, the step (d) may further include performing at least one of a phishing warning, a user's access blocking, and a data transmission blocking for the user when the web page is determined to be a phishing site.

Meanwhile, if in step (c) the input field does not correspond to the security card full number input pattern, the method may include: (e) inputting data into the input field according to a user input signal; (f) extracting transmission data when transmission of the data entered in the input field is requested according to a user input signal; (g) checking, based on the extracted transmission data, whether the data input by the user is a security card full number input pattern; and (h) determining the web page to be a phishing site if, as a result of step (g), the data input by the user corresponds to the security card full number input pattern.

Here, the step (h) may further include performing at least one of a phishing warning for the user, an access blocking of the user, and a data transmission blocking when the web page is determined to be a phishing site.

For example, in step (c), it may be determined whether the text maxlength = "4" appears in the hypertext markup language (HTML) source of the web page more than a predetermined reference value.

According to another aspect of the present invention for solving the above problems, in the phishing prevention method through input field verification, if in step (c) the input field corresponds to the security card full number input pattern, the method may further include checking whether the Internet Protocol (IP) address of the web page server requested by the user is an overseas IP, and, if it is an overseas IP, performing at least one of a phishing warning for the user, blocking the user's access, and blocking data transmission.

Likewise, if in step (g) the data entered by the user corresponds to the security card full number input pattern, the method may further include checking whether the Internet Protocol (IP) address of the web page server requested by the user is an overseas IP, and, if it is an overseas IP, performing at least one of a phishing warning for the user, blocking the user's access, and blocking data transmission.

In accordance with an aspect of the present invention, an anti-phishing method through domain comparison according to an embodiment of the present invention includes: (a) calculating, in response to a user's web page request, the similarity between the domain of the accessed web page and the normal financial web page domains stored in a previously established financial company domain database (DB); (b) comparing and analyzing whether the calculated similarity exceeds a predetermined threshold; and (c) performing at least one of a phishing warning, blocking the user's access, and blocking data transmission if the calculated similarity exceeds the threshold.

Here, step (a) may include: (d) confirming whether an input field exists by analyzing the hypertext markup language (HTML) and the Document Object Model (DOM) of the web page that responds to the user's web page request; (e) extracting information on the input field if the input field exists in the web page; and (f) checking whether the input field is a security card full number input pattern based on the extracted input field information.

If, as a result of the check in step (f), the input field corresponds to the security card full number input pattern, step (a) may calculate the similarity between the domain of the accessed web page and the normal financial web page domains stored in the previously established financial company domain database (DB).

If, on the other hand, the check in step (f) shows that the input field does not correspond to the security card full number input pattern, step (a) may further include inputting data into the input field according to a user input signal, extracting transmission data when transmission of the data entered in the input field is requested according to a user input signal, and checking, based on the extracted transmission data, whether the data input by the user is a security card full number input pattern.

Here, when the data input by the user corresponds to the security card full number input pattern, the method may further include calculating the similarity between the domain of the accessed web page and the normal financial web page domains stored in the previously established financial company domain database (DB).

According to an aspect of the present invention, an anti-phishing method through image detection includes: (a) converting the content of the web page that responds to a user's web page request into an image; (b) comparing the content image of the web page with the images stored in a previously constructed content image DB and calculating a similarity; (c) if the calculated similarity exceeds a preset threshold, checking whether the URL (Uniform Resource Locator) of the accessed web page and the URL of the normal web page are the same; and (d) if, as a result of the URL check, the URL of the accessed web page and the URL of the normal web page are not the same, performing at least one of a phishing warning for the user or blocking data transmission.

Here, in step (b), the similarity may be calculated by comparing the images captured by the web browser screens with each other.

An active phishing prevention system through web page content analysis according to another embodiment of the present invention for solving the above problems may include: a web page content extraction unit that collects the content of the web page accessed by the user in real time and extracts web page content data; a DB unit including a content database (hereinafter referred to as 'DB') constructed based on the web page content data and an index DB including an access permission list and an access blocking list constructed based on the URL content of the web page; an index DB verification unit that checks whether the URL of the web page accessed by the user is present in the index DB; a content DB verification unit that compares the web page content data with the data stored in the content DB to calculate a similarity and checks whether the calculated similarity exceeds a predetermined threshold; and a detection notification unit that performs a phishing prevention operation according to the result of the index DB verification unit or the content DB verification unit.

The detection notification unit may block access to the web site when the URL of the web page accessed by the user is included in the access block list as a result of checking the index DB verification unit.

The detection notification unit may perform at least one of a phishing warning, a user's access blocking, and a data transmission blocking to the user when the calculated similarity exceeds the threshold.

In addition, the detection notification unit may guide the user to connect to the site with high similarity when, as a result of the check by the content DB verification unit, the calculated similarity exceeds the threshold.

Here, the web page content extraction unit may collect at least one of a text, an image, a flash, and a URL content of the web page.

The web page content extracting unit may extract text-based data from the web page content data using an optical character recognition (OCR) method.

Here, the DB unit may update and store the information according to the result of the verification of the index DB verification unit and the content DB verification unit.

It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory, and are intended to provide further explanation of the present invention to those skilled in the art.

According to an embodiment of the present invention, the phishing prevention method through input field verification, the phishing prevention method through domain comparison, the phishing prevention method through content image comparison, the phishing prevention system through web page content analysis, and the like can prevent a user from accessing abnormal or new phishing sites that are not registered, and can prevent leakage of personal financial information through phishing, including the full security card number.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
FIG. 1 is a diagram illustrating an example of a phishing web page according to an embodiment of the present invention.
FIG. 2 illustrates another example of a phishing web page according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an example of a phishing prevention method through input field verification according to an embodiment of the present invention.
FIG. 4 illustrates the phishing web page source of FIG. 1.
FIG. 5 illustrates the phishing web page source of FIG. 2.
FIG. 6 is a flowchart illustrating another example of a phishing prevention method through input field verification according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating an example of a process of establishing a financial company domain DB associated with an embodiment of the present invention.
FIG. 8 is a flowchart illustrating an example of a phishing prevention method through domain comparison according to an embodiment of the present invention.
FIG. 9 is a flowchart illustrating another example of a method for preventing phishing through domain comparison according to an embodiment of the present invention.
FIG. 10 is a flowchart illustrating an example of a phishing prevention method through image detection according to an embodiment of the present invention.
FIG. 11 is a diagram illustrating an example of an active phishing prevention system structure through web page content analysis according to an embodiment of the present invention.
FIG. 12 is a flowchart illustrating an example of a process of an active phishing prevention system through web page content analysis according to an embodiment of the present invention.

The present invention is capable of various modifications and may have various embodiments; specific embodiments are illustrated in the drawings and described in detail in the detailed description.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The terms first, second, etc. may be used to describe various components, but the components are not limited by these terms; the terms are used only to distinguish one component from another.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.

FIG. 1 is a diagram illustrating an example of a phishing web page according to an embodiment of the present invention.

The phishing site shown in FIG. 1 imitates an Internet banking service site and may include a personal information input field 101, into which personal information such as a resident registration number, a withdrawal account number, a withdrawal password or a security card serial number is entered, and a security information input field 102, into which the information required for a secure transaction is entered. Here, the security information input field 102 is a field for entering the code information printed on the security card that the financial company provides to the user; the phishing site shown in FIG. 1 takes a form intended to leak the entire information of the security card required for financial transactions.

FIG. 2 is a diagram illustrating another example of a phishing web page according to an embodiment of the present invention.

Similarly, the phishing site shown in FIG. 2 may include a security card serial number input field 201 and an input field 202 for the code information on the security card, so that the user is asked to enter the entire information of the security card.

The present invention proposes a phishing prevention method and a phishing prevention system in order to reduce the damage caused by the phishing site illustrated in FIG. 1 or FIG. 2.

Specifically, the present invention proposes various anti-phishing methods and systems: an anti-phishing method through input field verification, a phishing prevention method that adds a server nationality verification condition to that method, a phishing prevention method through domain similarity comparison, a phishing prevention method through content image detection, and an active anti-phishing system through comparative analysis of web page content.

<First Embodiment - Phishing Prevention Through Input Field Verification>

According to an embodiment of the present invention, the anti-phishing method through input field checking may be performed by a predetermined anti-phishing program activated in a user's terminal, or by an operation server that provides an anti-phishing service to the user terminal.

FIG. 3 is a flowchart illustrating an example of a phishing prevention method through input field verification according to an embodiment of the present invention.

Referring to FIG. 3, the method for preventing phishing by checking input fields according to an embodiment of the present invention proceeds step by step as follows. First, when a user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S301), the HTML (hypertext markup language) and the DOM (Document Object Model) of the web page responding to the request are analyzed to determine whether an input field exists (S303).

As a result of the check, if the input field exists, information of the input field is extracted (S305).

The extracted input field information may include the number of input fields, the maximum length that can be input to each input field, and the like.

On the basis of the extracted input field information, it is checked whether the input field is a security card full number input pattern (S307).

Generally, a security card consists of a security card serial number and 30 to 40 codes, and each code usually consists of a four-digit password. Most normal financial sites require only some of the security card codes for identity verification during online transactions, so a site that requires the full set of security card numbers is likely to be a phishing site.

With reference to FIGS. 4 and 5, the structure of the web page source is briefly described in connection with the check for the security card full number input pattern in step S307 described above.

FIG. 4 illustrates the phishing web page source of FIG. 1, and FIG. 5 illustrates the phishing web page source of FIG. 2.

Referring to FIGS. 4 and 5, since each code on the security card usually consists of a four-digit password, phishing sites generally limit the maximum length that can be entered in each input field to four characters. As shown in the sources, the HTML documents of these web pages share the restriction maxlength = "4".

Here, the Document Object Model (DOM) that web browsers provide for controlling the elements of an HTML document makes it possible to check for the presence of any web content of the web page, such as input fields, images and flashes, and to extract the necessary data.

Focusing on the characteristic described above, if the extracted input field information contains 30 or more input fields with a maximum length of 4, the page may match the pattern that requires input of the entire security card number.

Referring back to FIG. 3, if the check in the previous step (S307) shows that the input field corresponds to the security card full number input pattern, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S315).

On the contrary, if the input field does not correspond to the security card full number input pattern, then when the user inputs data in the input field (S309) and requests transmission, the transmission data may be extracted before it is transmitted to the server (S311).

On the basis of the extracted transmission data, it is checked whether the data input by the user is a security card full number input pattern (S313).

If the extracted transmission data is an array of values of four letters or numbers each, and there are more than 30 such values, the user may have entered the entire security card number.

If the check in the previous step (S313) shows that the data input by the user corresponds to the security card full number input pattern, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S315).
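The S303 to S313 checks of FIG. 3, sketched in Python as an added example (not code from the patent or from the applicant). The function names and the sample forms are constructed for illustration; the cutoff of 30 four-character fields is the figure given in the text, and applying it as "at least 30" to the submitted data as well is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl

CODE_LENGTH = 4        # each security card code is four characters (from the text)
MIN_CODE_FIELDS = 30   # "30 or more input fields having a maximum length of 4"

# Input types that never carry typed security card codes.
NON_TEXT_TYPES = {"hidden", "submit", "button", "image", "reset",
                  "checkbox", "radio", "file"}
FOUR_CHARS = re.compile(r"[0-9A-Za-z]{4}")


def to_int(value):
    """Return value as int, or None when the attribute is missing or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


class InputFieldCollector(HTMLParser):
    """S303/S305: record name and maxlength of every text-like <input>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)  # HTMLParser lowercases attribute names
        if (attr.get("type") or "text").lower() in NON_TEXT_TYPES:
            return
        self.fields.append({"name": attr.get("name"),
                            "maxlength": to_int(attr.get("maxlength"))})


def extract_input_fields(html):
    collector = InputFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def is_full_card_form(fields):
    """S307: many inputs limited to four characters."""
    hits = sum(1 for f in fields if f["maxlength"] == CODE_LENGTH)
    return hits >= MIN_CODE_FIELDS


def is_full_card_submission(body):
    """S313: many submitted values that are exactly four letters or digits."""
    pairs = parse_qsl(body, keep_blank_values=True)
    hits = sum(1 for _, value in pairs if FOUR_CHARS.fullmatch(value))
    return hits >= MIN_CODE_FIELDS


def check_page(html, submitted_body=None):
    """Walk the FIG. 3 flow and return a verdict string."""
    fields = extract_input_fields(html)
    if not fields:
        return "no-input-field"
    if is_full_card_form(fields):
        return "phishing:form-pattern"          # S307 -> S315
    if submitted_body is not None and is_full_card_submission(submitted_body):
        return "phishing:submitted-data"        # S313 -> S315
    return "pass"


# --- Constructed sample data (not taken from FIG. 4 or FIG. 5) ---
def sample_form(n_codes, with_maxlength):
    limit = ' maxlength="4"' if with_maxlength else ""
    codes = "".join(f'<input type="password" name="code{i}"{limit}>'
                    for i in range(n_codes))
    return ('<form method="post"><input type="text" name="serial" maxlength="8">'
            + codes + "</form>")


def sample_submission(n_codes):
    return "serial=12345678&" + "&".join(f"code{i}={1000 + i}"
                                         for i in range(n_codes))


if __name__ == "__main__":
    # Full-card form that declares maxlength="4": caught statically at S307.
    print(check_page(sample_form(35, True)))
    # Same form without maxlength: passes S307, caught on the submitted data.
    print(check_page(sample_form(35, False), sample_submission(35)))
    # Normal site asking for two codes only.
    print(check_page(sample_form(2, True), sample_submission(2)))
```

The second sample shows why the flow needs the S311/S313 branch: a page that simply omits `maxlength` passes the static check, and only the inspection of the outgoing data flags it.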

FIG. 6 is a flowchart illustrating another example of a phishing prevention method through input field verification according to an embodiment of the present invention.

Specifically, the phishing prevention method through input field checking illustrated in FIG. 6 uses country information in addition to the phishing prevention method through input field checking described above with reference to FIG. 3.

In general, the IP of a phishing site is often located overseas in order to evade legal enforcement. This phishing prevention method therefore performs a phishing warning, connection blocking, transmission blocking, etc. only when the IP is an overseas IP.

Referring to FIG. 6, the method for preventing phishing by checking input fields according to an embodiment of the present invention proceeds step by step as follows. First, when a user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S601), the hypertext markup language (HTML) and the Document Object Model (DOM) of the web page responding to the request are analyzed to determine whether an input field exists (S603).

As a result of the check in the previous step (S603), if the input field exists, the information of the input field is extracted (S605).

On the basis of the extracted input field information, it is checked whether the input field is a security card full number input pattern (S607).

If the check in the previous step (S607) shows that the input field corresponds to the security card full number input pattern, it is checked whether the server of the currently accessed web page has an overseas IP (S615). If it is an overseas IP, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S617).

On the contrary, if the check shows that the input field does not correspond to the security card full number input pattern, then when the user inputs data into the input field (S609) and requests transmission, the transmission data may be extracted before it is transmitted to the server (S611).

On the basis of the extracted transmission data, it is checked whether the data input by the user is the security card full number input pattern (S613).

If the check in the above-described step (S613) shows that the data entered by the user corresponds to the security card full number input pattern, it is checked whether the server of the currently accessed web page has an overseas IP (S615). If it is an overseas IP, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S617).

<Second Embodiment - Phishing Prevention Through Domain Comparison>

The anti-phishing method through domain comparison according to an embodiment of the present invention focuses on the fact that most phishing sites use a domain similar to that of a normal site in order to mislead users.

The anti-phishing method through domain comparison according to an embodiment of the present invention scores the similarity between the domain of the currently accessed web page and the normal financial web page domains stored in the financial company domain database (DB) previously established on the server, and, if the score exceeds a predetermined threshold according to a predetermined condition, performs a phishing warning, access blocking, data transmission blocking, etc. for the user.

In the phishing prevention method through domain comparison according to an embodiment of the present invention, the following phishing prevention procedure may be performed by an operation server of a phishing prevention system that performs data communication with a user's terminal.

FIG. 7 is a flowchart illustrating an example of a process of establishing a financial company domain DB associated with an embodiment of the present invention.

Referring to FIG. 7, when the server requests a web page of a trusted financial company, not a phishing site, the server builds the financial company domain DB by storing the domain of that financial company web page in it.

FIG. 8 is a flowchart illustrating an example of a phishing prevention method through domain comparison according to an embodiment of the present invention.

Referring to FIG. 8, the phishing prevention method through domain comparison according to an embodiment of the present invention proceeds step by step as follows. First, when a user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S801), the similarity between the domain of the currently accessed web page and the normal financial web page domains stored in the previously established financial company domain DB is scored (S803).

The similarity may be scored using the Needleman-Wunsch algorithm from the field of bioinformatics, which is described in Needleman, S.B. and Wunsch, C.D. (1970), Journal of Molecular Biology, 48: 443-453.

It is then checked whether the similarity exceeds a predetermined threshold (S805). If the similarity exceeds the threshold, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S807).
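An added example (not part of the patent) of steps S803 to S807: Needleman-Wunsch global alignment scores the requested domain against each entry of a domain DB. The scoring values (+1 match, -1 mismatch, -1 gap), the normalization by the longer string, the 0.8 threshold, the treatment of an exact match as the normal site, and the `.example` domains are all assumptions made for illustration.

```python
def needleman_wunsch(a, b, match=1, mismatch=-1, gap=-1):
    """Global alignment score of strings a and b (two-row dynamic programming)."""
    prev = [j * gap for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [i * gap]
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            cur.append(max(diag, prev[j] + gap, cur[j - 1] + gap))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """Score scaled to 0..1; identical strings give 1.0 (assumed normalization)."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return max(0.0, needleman_wunsch(a, b) / longest)


def normalize(domain):
    """Lowercase, drop a trailing dot and a leading 'www.' label."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def check_domain(domain, known_domains, threshold=0.8):
    """S803-S807: return (verdict, closest known domain, similarity)."""
    d = normalize(domain)
    known = [normalize(k) for k in known_domains]
    if d in known:
        # Assumption: the registered domain itself is the normal site.
        return ("normal", d, 1.0)
    best_score, best_domain = max(
        ((similarity(d, k), k) for k in known), default=(0.0, None))
    if best_score > threshold:
        return ("phishing-suspect", best_domain, best_score)
    return ("unknown", best_domain, best_score)


# Constructed stand-in for the financial company domain DB of FIG. 7.
KNOWN_DOMAINS = ["mybank.example", "securecard.example"]

if __name__ == "__main__":
    for requested in ("www.MyBank.example",   # the registered site
                      "mybonk.example",       # one character substituted
                      "mybannk.example",      # one character inserted
                      "weather.example"):     # unrelated site, same TLD
        verdict, closest, score = check_domain(requested, KNOWN_DOMAINS)
        print(f"{requested:22} {verdict:17} {closest} {score:.3f}")
```

Because the whole host name is aligned, a shared suffix contributes matches to every comparison; the threshold has to be set with that in mind, or the comparison restricted to the registrable label.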

FIG. 9 is a flowchart illustrating another example of a phishing prevention method through domain comparison according to an embodiment of the present invention.

Specifically, the anti-phishing method through domain comparison illustrated in FIG. 9 combines the phishing prevention method through domain comparison described above with reference to FIG. 8 with the anti-phishing method through input field checking described above with reference to FIG. 3.

Referring to FIG. 9, the method for preventing phishing through domain comparison according to an embodiment of the present invention proceeds step by step as follows. First, when a user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S901), the hypertext markup language (HTML) and the DOM (Document Object Model) of the web page responding to the request are analyzed to determine whether an input field exists (S903).

As a result of the checking in the above-described step S903, if the input field exists, the information of the input field is extracted (S905).

On the basis of the extracted input field information, it is checked whether the input field is a security card full number input pattern (S907).

When the input field corresponds to the security card full number input pattern as a result of the checking in the above-described step (S907), the similarity between the domain of the currently accessed web page and the normal financial web page domain stored in the established financial company domain DB is determined. Score (S915).

By checking whether the similarity exceeds a predetermined threshold (S917), if the threshold is exceeded, at least one of a phishing warning, an access blocking, and a data transmission blocking may be performed to the user (S919).

On the contrary, in the above-described step (S907), if the input field does not correspond to the security card full number input pattern, the user inputs data in the input field (S909) and transmits to the server. Before transmission data may be extracted in advance (S911).

On the basis of the extracted transmission data, it is checked whether the data input by the user is a security card full number input pattern (S913).

As a result of the check in the above-described step (S913), if the data entered by the user corresponds to the security card full number input pattern, between the domain of the currently accessed web page and the normal financial web page domain stored in the established financial company domain DB Similarity is scored at (S915).

 By checking whether the similarity exceeds a predetermined threshold (S917), if the threshold is exceeded, at least one of a phishing warning, an access blocking, and a data transmission blocking may be performed to the user (S919).
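The domain scoring of FIG. 8 and the input-field gate of FIG. 9 can be sketched as follows; this is an added example, not code from the patent, and it uses the maxlength="4" count named in the claims as the field check. The domain list, scoring weights, reference value, threshold, the normalisation to [0, 1] and the exemption of listed domains and their subdomains are all assumptions, since the page gives none of them.

```python
from html.parser import HTMLParser

# Constructed stand-in for the financial company domain DB.
KNOWN_DOMAINS = ["examplebank.co.kr", "samplecard.com"]
# Assumed values: the page gives no scores, reference value or threshold.
MATCH, MISMATCH, GAP = 1, -1, -1
FIELD_REFERENCE = 10   # more maxlength="4" inputs than this = card pattern
THRESHOLD = 0.8        # similarity above this triggers S919


class FieldCounter(HTMLParser):
    """Counts <input> elements whose maxlength is 4 (S903-S905)."""

    def __init__(self):
        super().__init__()
        self.short_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("maxlength") or "").strip() == "4":
            self.short_fields += 1


def is_full_card_pattern(html: str) -> bool:
    """S907: does the page ask for more 4-character fields than the reference?"""
    counter = FieldCounter()
    counter.feed(html)
    counter.close()
    return counter.short_fields > FIELD_REFERENCE


def nw_score(a: str, b: str) -> int:
    """Optimal Needleman-Wunsch global alignment score, two-row DP."""
    prev = [j * GAP for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [i * GAP]
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            cur.append(max(diag, prev[j] + GAP, cur[j - 1] + GAP))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Rescale the alignment score to [0, 1]; 1.0 means identical."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    best, worst = longest * MATCH, longest * min(MISMATCH, GAP)
    return (nw_score(a, b) - worst) / (best - worst)


def check_page(host: str, html: str) -> dict:
    """Field check first (FIG. 9), then domain scoring (S915-S919)."""
    host = host.strip().lower().rstrip(".")
    if not is_full_card_pattern(html):
        return {"action": "check_on_submit"}   # FIG. 9 continues at S909
    for known in KNOWN_DOMAINS:
        # Assumption, not on the page: the listed domain and its
        # subdomains are the legitimate site, so they are never scored.
        if host == known or host.endswith("." + known):
            return {"action": "allow", "closest": known, "similarity": 1.0}
    closest = max(KNOWN_DOMAINS, key=lambda d: similarity(host, d))
    score = similarity(host, closest)
    action = "warn_or_block" if score > THRESHOLD else "allow"
    return {"action": action, "closest": closest, "similarity": score}


# Constructed pages: one asks for 35 four-digit codes, one is a plain login.
CARD_PAGE = "<form>" + '<input type="password" maxlength="4">' * 35 + "</form>"
LOGIN_PAGE = '<form><input name="id"><input type="password" maxlength="4"></form>'

if __name__ == "__main__":
    for h in ("examp1ebank.co.kr", "www.examplebank.co.kr", "weather.example.org"):
        print(h, check_page(h, CARD_PAGE))
    print(check_page("examp1ebank.co.kr", LOGIN_PAGE))
```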

<Third Example - Phishing Prevention Through Image Detection>

According to an embodiment of the present invention, the anti-phishing method using image comparison prevents phishing by comparing an image of normal web page content with an image of the content of the accessed web page.

In the phishing prevention method through image detection according to an embodiment of the present invention, the following phishing prevention procedure may be performed by an operation server of a phishing prevention system that performs data communication with a user's terminal.

FIG. 10 is a flowchart illustrating an example of a phishing prevention method through image detection according to an embodiment of the present invention.

Referring to FIG. 10, the method is described step by step. First, when a user enters a URL in an internet web browser or clicks a link included in an e-mail message to request a web page (S1001), the content of the web page returned in response to the request is converted to an image (S1003).

The image data obtained by imaging the content of the web page may be an image of the web screen of the accessed web page.

The content image of the web page returned in response to the user's request and the image stored in the URL: Image DB previously built in the server are compared with each other to determine whether they are similar (S1005).

Here, the URL: Image DB of the server can be constructed as follows.

When the server receives a request for a trusted web page (S1011), the server accesses the requested normal site, images the content provided from the normal site (S1013), and stores the image data in the URL: Image DB in association with the URL information of the accessed normal site.

The content image data of the normal site stored in the URL: Image DB is transmitted to the user when the user requests a specific web page, so that image similarity can be checked through a comparison process between images.

If the check in step S1005 finds that the images are similar, the URL of the normal site and the URL that the user accessed are compared (S1007).

If the comparison in step S1007 finds that the URLs differ, at least one of a phishing warning, access blocking, and data transmission blocking is performed for the user (S1009).

<Fourth Example - Phishing Prevention Through Web Page Content Analysis>

The active phishing prevention system through web page content analysis according to an embodiment of the present invention analyzes and extracts, in real time, the content of the web page accessed by the user and prevents phishing through comparative analysis with the content database of normal web pages that it already holds. Furthermore, it is an active phishing prevention system that induces users to access the normal financial site.

In the active phishing prevention system through web page content analysis according to an embodiment of the present invention, a procedure for preventing phishing is performed by an operation server of a phishing prevention system that performs data communication with a user's terminal.

FIG. 11 is a diagram illustrating an example of an active phishing prevention system structure through web page content analysis according to an embodiment of the present invention.

Referring to FIG. 11, the active phishing protection system 1100 according to an embodiment of the present invention includes a server 1110 and an agent 1120.

The server 1110 may include a content collecting unit 1111, a content extracting unit 1112, a DB unit 1113, a policy generating unit 1114, and an information receiving unit 1115.

The agent 1120 may include a web page content extraction unit 1121, an index DB verification unit 1122, a content DB verification unit 1123, a policy reflection unit 1124, and a detection notification unit 1125.

The operation and function of each of the above components will be described below.

The content collecting unit 1111 collects content of a known normal website, and the content extracting unit 1112 extracts data based on the collected content.

The DB unit 1113 may include an index DB 1113a and a content DB 1113b. The index DB 1113a is constructed as a black list and a white list classified based on the URL content of the web page, and the content DB 1113b is constructed based on data extracted by analyzing the web page content.

The policy generating unit 1114 generates various policies of the system, including the threshold, based on the data of the DB unit 1113, and transmits the generated system policies, such as the threshold, and the data of the DB unit 1113 to the policy reflecting unit 1124.

The policy reflecting unit 1124 reflects the data received from the policy generating unit 1114 to the agent.

The web page content extraction unit 1121 analyzes and extracts all contents of the web page accessed by the user in real time.

The index DB verification unit 1122 checks whether or not the URL of the web page accessed by the user exists in the index DB 1113a of the DB unit 1113 at the agent.

The content DB verification unit 1123 compares the data extracted by the web page content extraction unit 1121 with the data stored in the content DB 1113b of the DB unit 1113 to calculate a similarity, and checks whether the calculated similarity exceeds a predetermined threshold.

The detection notification unit 1125 transmits each verification result of the content DB verification unit 1123 and the index DB verification unit 1122 to the information receiving unit 1115. In addition, when the similarity calculated by the content DB verification unit 1123 exceeds the threshold, a phishing warning, site access blocking, or data transmission blocking is performed for the user, and the user is induced to access a normal financial site having high similarity.

The information receiving unit 1115 receives each verification result of the content DB verification unit 1123 or the index DB verification unit 1122 from the detection notification unit 1125 and reflects the verification result to the DB unit.

The processing of the active phishing prevention system 1100 through web page content analysis according to an embodiment of the present invention which can be configured as described above is as follows.

FIG. 12 is a flowchart illustrating a process of an active phishing prevention system through web page content analysis according to an embodiment of the present invention.

Referring to FIG. 12, the process of the active phishing prevention system through web page content analysis according to an embodiment of the present invention is described step by step. First, a user inputs an address in an internet web browser or clicks a link included in an e-mail message to request a web page and accesses the corresponding web page (S1201), and the system policies, such as the preset threshold, and the data of the DB unit 1113 are sent from the policy generating unit 1114 of the server to the policy reflecting unit 1124 of the agent.

The index DB verification unit 1122 checks whether the URL of the web page accessed by the user exists in the index DB 1113a of the DB unit 1113 (S1203).

If the check in step S1203 finds that the URL of the web page accessed by the user exists in the index DB 1113a, it is checked whether the URL is classified in the white list of the index DB 1113a (S1215). If it is classified in the white list, the analysis ends; if it is classified in the black list of the index DB 1113a (S1207), access is blocked without analyzing the content of the web page (S1209).

Conversely, if the check in step S1203 finds that the URL of the accessed web page does not exist in the index DB 1113a, the web page content extraction unit 1121 collects the content of the accessed web page in real time (S1211) and analyzes the collected content to extract data (S1213).

Here, the web page content extraction unit 1121 may collect in real time all contents of the web page accessed by the user, such as text, images, Flash, and URL information, and may use optical character recognition (OCR) on the collected contents to extract the data as text.

The content DB verification unit 1123 compares the extracted data with the data previously built in the content DB 1113b of the DB unit 1113 to calculate a similarity (S1215), and checks whether the similarity exceeds a predetermined threshold (S1217).

Here, the content DB 1113b of the DB unit 1113 may be constructed by storing data converted to text using OCR from all contents of a normal site, such as text, images, Flash, and URL information.

In this case, the threshold value may be generated by the policy generating unit 1114 based on the data of the DB unit 1113.

If the calculated similarity exceeds the threshold, the detection notification unit 1125 may perform at least one of a phishing warning, access blocking, and data transmission blocking for the user (S1219) and, based on the data of the DB unit 1113, induces the user to access the most similar normal site (S1221).

In addition, the detection notification unit 1125 transmits the check result of the content DB verification unit to the information receiving unit 1115, and the information receiving unit 1115, on receiving the result, classifies the URL into the black list of the index DB 1113a of the DB unit 1113 and stores it (S1223).

Conversely, if the calculated similarity does not exceed the threshold, the detection notification unit 1125 transmits the check result to the information receiving unit 1115, and the information receiving unit 1115, on receiving the result, classifies the URL of the web site to which the user is connected into the white list of the index DB 1113a of the DB unit 1113, stores it (S1225), and ends the analysis.

Through this process, when the user reconnects to a phishing site, access can be blocked without analyzing the content of the web page, and phishing can be prevented actively by inducing the user to access the normal site.
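The FIG. 12 flow, including the index DB update that lets a revisit be decided without content analysis, can be sketched as follows; this is an added example, not code from the patent. It assumes token-set (Jaccard) overlap as the similarity measure, since the page names none, keeps both DBs as in-memory dictionaries, folds the server-side update into one class, and takes already-extracted text in place of the OCR step; the URLs, texts and threshold are constructed.

```python
import re

THRESHOLD = 0.6  # assumed value; on the page the server's policy unit sets it


def tokens(text: str) -> set:
    """Lower-cased word tokens of the extracted page text."""
    return set(re.findall(r"\w+", text.lower()))


def jaccard(a: str, b: str) -> float:
    """Token-set overlap, used here as a stand-in similarity measure."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


class Agent:
    """Index DB lookup, content comparison and index DB update (FIG. 12)."""

    def __init__(self, index_db: dict, content_db: dict):
        self.index_db = dict(index_db)      # URL -> "white" or "black"
        self.content_db = dict(content_db)  # normal-site URL -> extracted text

    def handle(self, url: str, fetch_text) -> dict:
        # S1203: a URL already in the index DB is decided without analysis.
        listed = self.index_db.get(url)
        if listed == "white":
            return {"action": "allow", "analysed": False}
        if listed == "black":
            return {"action": "block", "analysed": False}     # S1209
        # S1211-S1213: only now is the page content collected and extracted.
        text = fetch_text(url)
        # S1215: compare against every normal site held in the content DB.
        best_url, best = None, 0.0
        for normal_url, normal_text in self.content_db.items():
            score = jaccard(text, normal_text)
            if score > best:
                best_url, best = normal_url, score
        if best > THRESHOLD:                                   # S1217
            self.index_db[url] = "black"                       # S1223
            return {"action": "block", "analysed": True,       # S1219
                    "similarity": best, "redirect_to": best_url}  # S1221
        self.index_db[url] = "white"                           # S1225
        return {"action": "allow", "analysed": True, "similarity": best}


# Constructed sample data.
NORMAL_URL = "https://examplebank.co.kr/login"
NORMAL_TEXT = "Example Bank internet banking login certificate security card"
PHISH_URL = "http://examp1ebank.example/login"
OTHER_URL = "http://weather.example/today"
PAGES = {
    PHISH_URL: "Example Bank internet banking login security card number",
    OTHER_URL: "Seoul weather forecast for today",
}


def demo() -> list:
    """Runs four requests; returns the verdicts and the URLs actually fetched."""
    fetched = []

    def fetch_text(url):
        fetched.append(url)
        return PAGES[url]

    agent = Agent({NORMAL_URL: "white"}, {NORMAL_URL: NORMAL_TEXT})
    results = [agent.handle(PHISH_URL, fetch_text),
               agent.handle(PHISH_URL, fetch_text),   # revisit: index DB hit
               agent.handle(NORMAL_URL, fetch_text),
               agent.handle(OTHER_URL, fetch_text)]
    return [results, fetched]


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```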

The foregoing description is merely illustrative of the technical idea of the present invention and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments described in the present invention are not intended to limit the technical spirit of the present invention but to illustrate the present invention. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.

Claims (21)

1. A phishing prevention method by checking an input field, comprising:
(a) analyzing the hypertext markup language (HTML) and the document object model (DOM) of the web page returned in response to a user's web page request, and checking whether an input field exists;
(b) extracting information of the input field when the input field exists in the web page;
(c) checking whether the input field is a security card full number input pattern based on the extracted input field information; and
(d) if, in step (c), the input field corresponds to a security card full number input pattern, determining the web page to be a phishing site.

2. The method of claim 1, wherein step (d) comprises performing at least one of a phishing warning for the user, blocking of the user's access, and blocking of data transmission when the web page is determined to be a phishing site.

3. The method of claim 1, further comprising, if in step (c) the input field does not correspond to the security card full number input pattern:
(e) inputting data according to a user input signal into the input field;
(f) extracting transmission data in response to a transmission request according to a user input signal with respect to the data input in the input field;
(g) checking whether the data input by the user is a security card full number input pattern based on the extracted transmission data; and
(h) if, in step (g), the data input by the user corresponds to the security card full number input pattern, determining the web page to be a phishing site.

4. The method of claim 3, wherein step (h) comprises performing at least one of a phishing warning for the user, blocking of the user's access, and blocking of data transmission when the web page is determined to be a phishing site.

5. The method of claim 1, wherein step (c) comprises checking whether text indicating maxlength="4" exists in the hypertext markup language (HTML) source of the web page above a predetermined reference value.

6. The method of claim 1, further comprising, if in step (c) the input field corresponds to the security card full number input pattern:
checking whether the Internet Protocol (IP) address of the web page server is an overseas IP; and
if the check finds that the IP of the web page server requested by the user is an overseas IP, performing at least one of a phishing warning for the user, blocking of the user's access, and blocking of data transmission.

7. The method of claim 3, further comprising, if in step (g) the data entered by the user corresponds to the security card full number input pattern:
checking whether the Internet Protocol (IP) address of the web page server is an overseas IP; and
if the check finds that the IP of the web page server requested by the user is an overseas IP, performing at least one of a phishing warning for the user, blocking of the user's connection, and blocking of data transmission.

8. A phishing prevention method through domain comparison, comprising:
(a) calculating, according to a user's web page request, a similarity between the domain of the accessed web page and a normal financial web page domain stored in a previously established financial company domain database (DB);
(b) comparing and analyzing whether the calculated similarity exceeds a predetermined threshold; and
(c) if the similarity calculated in the comparative analysis step exceeds the threshold, performing a phishing warning to the user, blocking the user's access, blocking data transmission.

9. The method of claim 8, wherein step (a) comprises:
(d) analyzing the hypertext markup language (HTML) and the document object model (DOM) of the web page returned in response to the user's web page request, and checking whether an input field exists;
(e) extracting information on the input field if the input field exists in the web page; and
(f) checking whether the input field is a security card full number input pattern based on the extracted input field information.

10. The method of claim 9, wherein, if the check in step (f) finds that the input field corresponds to the security card full number input pattern, step (a) comprises calculating a similarity between the domain of the accessed web page and a normal financial web page domain stored in a pre-established financial institution domain database (DB).

11. The method of claim 9, wherein, if the check in step (f) finds that the input field does not correspond to the security card full number input pattern, step (a) comprises:
inputting data according to a user input signal into the input field;
extracting transmission data when a transmission request is made according to a user input signal with respect to the data input in the input field; and
determining whether the data input by the user is a security card full number input pattern based on the extracted transmission data.

12. The method of claim 11, wherein, if the data entered by the user corresponds to the security card full number input pattern, a similarity between the domain of the accessed web page and a normal financial web page domain stored in a previously established financial company domain database (DB) is calculated.

13. A phishing prevention method through image detection, comprising:
(a) imaging the content of the web page returned in response to the web page request of the user;
(b) comparing the content image of the web page according to the user's request with an image stored in a previously constructed content image DB to calculate a similarity;
(c) if the calculated similarity exceeds a predetermined threshold, confirming whether the URL (Uniform Resource Locator) of the accessed web page is the same as the URL of a normal web page; and
(d) if the URL of the accessed web page and the URL of the normal web page are not the same, performing at least one of a phishing warning or data transmission blocking to the user.

14. The method of claim 13, wherein step (b) compares images captured from a web browser screen with each other to calculate the similarity.

15. An active phishing prevention system through web page content comparison analysis, comprising:
a web page content extraction unit for extracting web page content data by collecting content of a web page accessed by a user in real time;
a DB unit including a content database (hereinafter referred to as 'DB') constructed based on the web page content data and an index DB including an access allow list and an access block list constructed based on URL contents of the web page;
an index DB verification unit which verifies whether the URL of the web page accessed by the user exists based on the index DB;
a content DB verification unit for comparing the web page content data with data stored in the content DB to calculate a similarity and checking whether the calculated similarity exceeds a predetermined threshold value; and
a detection notification unit configured to perform an anti-phishing operation according to an execution result of the index DB verification unit or the content DB verification unit.

16. The system of claim 15, wherein the detection notification unit blocks access to the web site when the index DB verification unit confirms that the URL of the web page accessed by the user is included in the access block list.

17. The system of claim 15, wherein the detection notification unit performs at least one of a phishing warning to the user, blocking of the user's access, and blocking of data transmission if the check by the content DB verification unit finds that the calculated similarity exceeds the threshold value.

18. The system of claim 15, wherein the web page content extraction unit collects at least one of a text, an image, a flash, and a URL content of a web page.

19. The system of claim 15, wherein the web page content extraction unit extracts text-based data from the web page content data using optical character recognition (OCR).

20. The system according to any one of claims 15, 16 or 17, wherein the detection notification unit induces access to sites with high similarity when the check by the content DB verification unit finds that the calculated similarity exceeds the threshold.

21. The system of claim 15, wherein the DB unit updates and stores information according to the check results of the index DB verification unit and the content DB verification unit.
KR1020120084137A 2012-07-31 2012-07-31 System and method for preventing phishing KR20140017319A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120084137A KR20140017319A (en) 2012-07-31 2012-07-31 System and method for preventing phishing

Publications (1)

Publication Number Publication Date
KR20140017319A true KR20140017319A (en) 2014-02-11

Family

ID=50265992

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120084137A KR20140017319A (en) 2012-07-31 2012-07-31 System and method for preventing phishing

Country Status (1)

Country Link
KR (1) KR20140017319A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101455005B1 (en) * 2013-08-27 2014-11-03 중소기업은행 Terminal for monitoring phishing sites and method thereof
CN105306419A (en) * 2014-06-25 2016-02-03 腾讯科技(深圳)有限公司 Page information interaction method, device and system
CN105306419B (en) * 2014-06-25 2019-12-13 腾讯科技(深圳)有限公司 Page information interaction method, device and system
WO2016085105A1 (en) * 2014-11-25 2016-06-02 김준모 Advertisement blocking method and device
KR102645870B1 (en) * 2023-07-24 2024-03-12 주식회사 누리랩 Method and apparatus for detecting url associated with phishing site using artificial intelligence algorithm
KR102658869B1 (en) * 2024-01-04 2024-04-18 (주)아톤 Method and system for verifing websites provided to user

Legal Events

Date Code Title Description
A201 Request for examination
N231 Notification of change of applicant
E902 Notification of reason for refusal
E601 Decision to refuse application