KR20140017319A - System and method for preventing phishing - Google Patents
- Publication number
- KR20140017319A (KR1020120084137A)
- Authority
- KR
- South Korea
- Prior art keywords
- web page
- phishing
- user
- input field
- content
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Description
The present invention relates to a phishing prevention method and a phishing prevention system, and more specifically, to a phishing prevention method through input field verification, a phishing prevention method that adds a country verification condition to that method, a phishing prevention method through domain similarity comparison, a phishing prevention method through content image detection, and an active phishing prevention system through comparative analysis of web page content.
Phishing means sending false e-mails, purporting to come from a financial institution, to an unspecified number of e-mail users, claiming that there is a problem with their credit card or bank account information or that enhanced security or a security upgrade is required, in order to steal credit card or account information. In other words, phishing is an Internet financial fraud technique that uses false e-mail to trick a person into giving up personal information and then extracts and exploits personal credit card and bank account information.
Phishing has mainly been used to extract personal financial information such as user name, social security number, account number and account password from the user under the pretext of security promotion and security enhancement. Recently, however, as the introduction of security cards has strengthened online financial security, more phishing sites are trying to extract security card numbers.
Conventionally, to protect personal financial information from phishing, sites with a history of phishing are registered on a blacklist so that the user is told the site is a phishing site when accessing a site on the list, or, similarly, the risk of a website is displayed and access to sites evaluated as phishing sites is blocked. These methods hold phishing site information and report a phishing site when the site the user accesses matches that information.
However, the conventional phishing protection methods described above cannot cope with access to an unusual or new phishing site that is not registered, require the phishing site information to be updated every time, and cannot detect a similar-domain phishing site in advance.
The present invention was devised to solve the above problems of the prior art, and proposes a method for preventing phishing by checking the input fields of the accessed web page.
Based on the above method, a phishing prevention method including the step of confirming country information is proposed.
In addition, as further ways of solving the problems of the prior art described above, the invention proposes a phishing prevention method that compares the similarity between the domain of the accessed site and the domain of a normal site, and a phishing prevention method that compares the similarity between an image of the web content provided by a normal web page and an image of the web content provided by the accessed web page.
It further proposes an active phishing prevention system that analyzes and extracts the content of the accessed web page in real time, compares it with an existing content database of normal web pages to prevent phishing, and additionally guides the user to the normal financial site.
The technical objects to be achieved by the present invention are not limited to those mentioned above, and other technical objects not mentioned will be clearly understood by those skilled in the art from the following description.
According to an aspect of the present invention, an anti-phishing method through input field verification according to an embodiment of the present invention includes (a) analyzing the hypertext markup language (HTML) and the Document Object Model (DOM) of the web page returned in response to a user's web page request to confirm whether an input field exists, (b) extracting information of the input field if the input field exists in the web page, (c) checking whether the input field is a security card full number input pattern based on the extracted input field information, and (d) determining the web page to be a phishing site if, in step (c), the input field corresponds to the security card full number input pattern.
Here, the step (d) may further include performing at least one of a phishing warning, a user's access blocking, and a data transmission blocking for the user when the web page is determined to be a phishing site.
Meanwhile, if in step (c) the input field does not correspond to the security card full number input pattern, the method may include (e) entering data into the input field according to a user input signal, (f) extracting the transmission data when transmission of the data entered in the input field is requested according to a user input signal, (g) checking, based on the extracted transmission data, whether the data entered by the user is a security card full number input pattern, and (h) determining the web page to be a phishing site if, in step (g), the data entered by the user corresponds to the security card full number input pattern.
Here, the step (h) may further include performing at least one of a phishing warning for the user, an access blocking of the user, and a data transmission blocking when the web page is determined to be a phishing site.
For example, in step (c), it may be determined whether the text maxlength = "4" occurs in the hypertext markup language (HTML) source of the web page at least a predetermined reference number of times.
According to another aspect of the present invention for solving the above problems, the phishing prevention method through input field verification may further include, if in step (c) the input field corresponds to the security card full number input pattern, checking whether the Internet Protocol (IP) address of the web page server requested by the user is an overseas IP, and, if the IP of the web page server requested by the user is an overseas IP, performing at least one of a phishing warning for the user, blocking the user's access, and blocking data transmission.
Likewise, if in step (g) the data entered by the user corresponds to the security card full number input pattern, the method may further include checking whether the Internet Protocol (IP) address of the web page server requested by the user is an overseas IP, and, if the check finds that it is an overseas IP, performing at least one of a phishing warning for the user, blocking the user's access, and blocking data transmission.
In accordance with an aspect of the present invention, an anti-phishing method through domain comparison according to an embodiment of the present invention includes (a) calculating, in response to a user's web page request, the similarity between the domain of the accessed web page and the normal financial web page domains stored in a previously established financial company domain database (DB), (b) comparing and analyzing whether the calculated similarity exceeds a predetermined threshold, and (c) performing at least one of a phishing alert, blocking the user's access, and blocking data transmission if the similarity calculated in the comparing and analyzing step exceeds the threshold.
Here, step (a) may include (d) analyzing the hypertext markup language (HTML) and the Document Object Model (DOM) of the web page returned in response to the user's web page request to confirm whether an input field exists; (e) extracting information on the input field if the input field exists in the web page; and (f) checking whether the input field is a security card full number input pattern based on the extracted input field information.
If the check in step (f) finds that the input field corresponds to the security card full number input pattern, step (a) may calculate the similarity between the domain of the accessed web page and the normal financial web page domains stored in the previously established financial company domain database (DB).
If, on the other hand, the check in step (f) finds that the input field does not correspond to the security card full number input pattern, step (a) may further include entering data into the input field according to a user input signal, extracting the transmission data when transmission of the data entered in the input field is requested according to a user input signal, and checking, based on the extracted transmission data, whether the data entered by the user is a security card full number input pattern.
Here, if the data entered by the user corresponds to the security card full number input pattern, the method may further include calculating the similarity between the domain of the accessed web page and the normal financial web page domains stored in the previously established financial company domain database (DB).
According to an aspect of the present invention, an anti-phishing method through image detection may include: (a) imaging the content of the web page returned in response to a user's web page request; (b) comparing the content image of the web page returned for the user's request with the images stored in a previously constructed content image DB and calculating a similarity; (c) if the calculated similarity exceeds a preset threshold, checking whether the URL (Uniform Resource Locator) of the accessed web page and the URL of the normal web page are the same; and (d) if the URL check finds that the URL of the accessed web page and the URL of the normal web page are not the same, performing at least one of a phishing alert for the user or blocking data transmission.
Here, in step (b), the similarity may be calculated by comparing images captured from web browser screens with each other.
To solve the above problems, an active phishing prevention system through web page content analysis according to another embodiment of the present invention may include: a web page content extraction unit that collects, in real time, the content of the web page the user has accessed and extracts web page content data; a DB unit including a content database (hereinafter referred to as 'DB') constructed from the web page content data and an index DB that includes an access permission list and an access blocking list constructed from the URL content of web pages; an index DB verification unit that checks whether the URL of the web page accessed by the user is present in the index DB; a content DB verification unit that compares the web page content data with the data stored in the content DB to calculate a similarity and checks whether the calculated similarity exceeds a predetermined threshold; and a detection notification unit that performs a phishing prevention operation according to the result of the index DB verification unit or the content DB verification unit.
The detection notification unit may block access to the web site when the URL of the web page accessed by the user is included in the access block list as a result of checking the index DB verification unit.
The detection notification unit may perform at least one of a phishing warning, a user's access blocking, and a data transmission blocking to the user when the calculated similarity exceeds the threshold.
In addition, when the check by the content DB verification unit finds that the calculated similarity exceeds the threshold, the detection notification unit may guide the user to connect to the site with high similarity.
Here, the web page content extraction unit may collect at least one of a text, an image, a flash, and a URL content of the web page.
The web page content extracting unit may extract text-based data from the web page content data using an optical character recognition (OCR) method.
Here, the DB unit may update and store the information according to the result of the verification of the index DB verification unit and the content DB verification unit.
It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory, and are intended to provide those skilled in the art with further explanation of the present invention.
According to embodiments of the present invention, the phishing prevention method through input field verification, the phishing prevention method through domain comparison, the phishing prevention method through content image comparison, the phishing prevention system through web page content analysis, and the like make it possible to prevent access to unusual or new phishing sites that are not registered, and to prevent leakage of personal financial information through phishing, including the full security card number.
BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
FIG. 1 is a diagram illustrating an example of a phishing web page according to an embodiment of the present invention.
FIG. 2 illustrates another example of a phishing web page according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an example of a phishing prevention method through input field verification according to an embodiment of the present invention.
FIG. 4 illustrates the phishing web page source of FIG. 1.
FIG. 5 illustrates the phishing web page source of FIG. 2.
FIG. 6 is a flowchart illustrating another example of a phishing prevention method through input field verification according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating an example of a process of establishing a financial company domain DB associated with an embodiment of the present invention.
FIG. 8 is a flowchart illustrating an example of a phishing prevention method through domain comparison according to an embodiment of the present invention.
FIG. 9 is a flowchart illustrating another example of a method for preventing phishing through domain comparison according to an embodiment of the present invention.
FIG. 10 is a flowchart illustrating an example of a phishing prevention method through image detection according to an embodiment of the present invention.
FIG. 11 is a diagram illustrating an example of an active phishing prevention system structure through web page content analysis according to an embodiment of the present invention.
FIG. 12 is a flowchart illustrating an example of a process of an active phishing prevention system through web page content analysis according to an embodiment of the present invention.
The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.
The terms first, second, etc. may be used to describe various components, but the components are not limited by the terms; the terms are used only to distinguish one component from another.
Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.
FIG. 1 is a diagram illustrating an example of a phishing web page according to an embodiment of the present invention.
The phishing site shown in FIG. 1 simulates an Internet banking service site and inputs personal information, such as a resident registration number, a withdrawal account number, a withdrawal password or a security card serial number, into a personal
FIG. 2 is a diagram illustrating another example of a phishing web page according to an embodiment of the present invention.
Similarly, the phishing site shown in FIG. 2 may include a security card serial
The present invention proposes a phishing prevention method and a phishing prevention system in order to reduce the damage caused by the phishing site illustrated in FIG. 1 or FIG. 2.
Specifically, it proposes several phishing prevention methods and systems: a phishing prevention method through input field verification, a phishing prevention method that adds a check of the server's country to that method, a phishing prevention method through domain similarity comparison, a phishing prevention method through content image detection, and an active phishing prevention system through comparative analysis of web page content.
<First Example - Phishing Prevention Through Input Field Verification>
The phishing prevention method through input field verification according to an embodiment of the present invention may be performed by a predetermined anti-phishing program running on the user's terminal, or by an operation server that provides an anti-phishing service to the user's terminal.
FIG. 3 is a flowchart illustrating an example of a phishing prevention method through input field verification according to an embodiment of the present invention.
Referring to FIG. 3, the phishing prevention method through input field verification according to an embodiment of the present invention is described step by step. First, when the user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S301), the HTML (hypertext markup language) and the DOM (Document Object Model) of the web page returned in response to the request are analyzed to determine whether an input field exists (S303).
As a result of the check, if the input field exists, information of the input field is extracted (S305).
The extracted input field information may include the number of input fields, the maximum length that can be input to each input field, and the like.
On the basis of the extracted input field information, it is checked whether the input field is a security card full number input pattern (S307).
Generally, a security card consists of a security card serial number and 30 to 40 codes, each of which is usually a four-digit password. Most normal financial sites require input of only some of the security card codes for identity verification during online card transactions, so a site that requires the full security card number is likely to be a phishing site.
With reference to FIGS. 4 and 5, the structure of the web page source is briefly described in relation to the check for the security card full number input pattern in step S307 described above.
FIG. 4 illustrates the phishing web page source of FIG. 1, and FIG. 5 illustrates the phishing web page source of FIG. 2.
Referring to FIGS. 4 and 5, since each code on the security card usually consists of a four-digit password, phishing sites generally limit the maximum length that can be entered in each input field to four characters. As shown, the HTML source of the web page commonly contains the restriction maxlength = "4".
Here, by using the Document Object Model (DOM), which web browsers support for controlling the elements of an HTML document, it is possible to check for the presence of any web content on the page, such as input fields, images and Flash, and to extract the necessary data.
Focusing on this characteristic, if the extracted input field information shows 30 or more input fields with a maximum length of 4, the page may be regarded as a pattern requiring input of the entire security card number.
Referring back to FIG. 3, if the check in the previous step (S307) finds that the input field corresponds to the security card full number input pattern, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S315).
Conversely, if the input field does not correspond to the security card full number input pattern, then when the user enters data in the input field (S309) and requests transmission, the transmission data may be extracted before it is sent to the server (S311).
On the basis of the extracted transmission data, it is checked whether the data input by the user is a security card full number input pattern (S313).
If the extracted transmission data is a sequence of four-character groups of letters or digits, and there are more than 30 such groups, the user may have entered the entire security card number.
If the check in the previous step (S313) finds that the data input by the user corresponds to the security card full number input pattern, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S315).
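The two checks of FIG. 3 (S307 on the page's input fields, S313 on the data about to be sent) can be sketched as follows. This is an added example, not code from the patent: the function names, the list of skipped input types, the use of the same count of 30 for both checks, and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl

CODE_LEN = 4      # each security card code is a four-digit value
MIN_CODES = 30    # "30 or more input fields having a maximum length of 4"

# Input types that never take typed text; skipping them is an assumption here.
NON_TEXT_TYPES = {"hidden", "submit", "button", "image", "reset",
                  "checkbox", "radio", "file"}


class InputFieldCollector(HTMLParser):
    """Collects name and maxlength of every text-like <input> (S303/S305)."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("type", "text").lower() in NON_TEXT_TYPES:
            return
        raw = attr.get("maxlength", "").strip()
        self.fields.append({
            "name": attr.get("name", ""),
            "maxlength": int(raw) if raw.isdigit() else None,
        })


def extract_input_fields(html):
    collector = InputFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def is_full_card_form(fields):
    """S307: 30 or more input fields limited to four characters."""
    return sum(1 for f in fields if f["maxlength"] == CODE_LEN) >= MIN_CODES


def is_full_card_submission(body):
    """S313: the outgoing form body carries 30 or more four-character values."""
    pairs = parse_qsl(body, keep_blank_values=True)
    hits = sum(1 for _, v in pairs if re.fullmatch(r"[0-9A-Za-z]{4}", v))
    return hits >= MIN_CODES


def verdict(html, outgoing_body=None):
    """Returns 'phishing' or 'pass', following the decision order of FIG. 3."""
    fields = extract_input_fields(html)
    if not fields:
        return "pass"                      # no input field on the page
    if is_full_card_form(fields):
        return "phishing"                  # S307 -> S315
    if outgoing_body is not None and is_full_card_submission(outgoing_body):
        return "phishing"                  # S313 -> S315
    return "pass"


# Constructed sample pages (not taken from the patent's figures).
FULL_CARD_PAGE = "<form method='post'>" + "".join(
    f'<input type="password" name="code{i}" maxlength="4">'
    for i in range(1, 36)) + "</form>"

NORMAL_PAGE = (
    "<form method='post'>"
    '<input type="text" name="account" maxlength="14">'
    '<input type="password" name="code07" maxlength="4">'
    '<input type="password" name="code23" maxlength="4">'
    '<input type="submit" value="OK">'
    "</form>"
)

# Page whose fields carry no maxlength; the S313 check on the data still applies.
UNBOUNDED_PAGE = "<form>" + "".join(
    f'<input name="c{i}">' for i in range(1, 36)) + "</form>"
UNBOUNDED_BODY = "&".join(f"c{i}={1000 + i}" for i in range(1, 36))

if __name__ == "__main__":
    print(verdict(FULL_CARD_PAGE))
    print(verdict(NORMAL_PAGE, "account=12345678901234&code07=1234&code23=5678"))
    print(verdict(UNBOUNDED_PAGE, UNBOUNDED_BODY))
```
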
FIG. 6 is a flowchart illustrating another example of a phishing prevention method through input field verification according to an embodiment of the present invention.
Specifically, the method illustrated in FIG. 6 uses country information in addition to the phishing prevention method through input field verification described above with reference to FIG. 3.
In general, the IP of a phishing site is often located overseas in order to evade the reach of the law. This phishing prevention method therefore performs a phishing warning, connection blocking, transmission blocking, and the like only when the IP is an overseas IP.
Referring to FIG. 6, this phishing prevention method through input field verification according to an embodiment of the present invention is described step by step. First, when the user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S601), the hypertext markup language (HTML) and the Document Object Model (DOM) of the web page returned in response to the request are analyzed to determine whether an input field exists (S603).
As a result of the check in the previous step (S603), if the input field exists, the information of the input field is extracted (S605).
On the basis of the extracted input field information, it is checked whether the input field is a security card full number input pattern (S607).
If the check in the previous step (S607) finds that the input field corresponds to the security card full number input pattern, it is checked whether the server of the currently accessed web page has an overseas IP (S615); if it does, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S617).
Conversely, if the check finds that the input field does not correspond to the security card full number input pattern, then when the user enters data into the input field (S609) and requests transmission, the transmission data may be extracted before it is sent to the server (S611).
On the basis of the extracted transmission data, it is checked whether the data input by the user is the security card full number input pattern (S613).
If the check in the above step (S613) finds that the data entered by the user corresponds to the security card full number input pattern, it is checked whether the server of the currently accessed web page has an overseas IP (S615); if it does, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S617).
<Second Example - Phishing Prevention Through Domain Comparison>
The anti-phishing method through domain comparison according to an embodiment of the present invention focuses on the fact that most phishing sites use a domain similar to that of a normal site to mislead users.
The anti-phishing method through domain comparison according to an embodiment of the present invention scores the similarity between the domain of the currently accessed web page and the normal financial web page domains stored in the financial company domain database (DB) previously established on the server, and, if the score exceeds a predetermined threshold according to a predetermined condition, performs a phishing warning, access blocking, data transmission blocking, or the like for the user.
In the phishing prevention method through domain comparison according to an embodiment of the present invention, the following phishing prevention procedure may be performed by an operation server of a phishing prevention system that performs data communication with a user's terminal.
FIG. 7 is a flowchart illustrating an example of a process of establishing a financial company domain DB associated with an embodiment of the present invention.
Referring to FIG. 7, if a server requests a web page of a trusted financial company that is not a phishing site, the server builds the financial company domain DB by storing the domain of that financial company web page in it.
FIG. 8 is a flowchart illustrating an example of a phishing prevention method through domain comparison according to an embodiment of the present invention.
Referring to FIG. 8, the phishing prevention method through domain comparison according to an embodiment of the present invention is described step by step. First, when the user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S801), the similarity between the domain of the currently accessed web page and the normal financial web page domains stored in the previously established financial company domain DB is scored (S803).
The method of scoring the similarity may utilize the Needleman-Wunsch algorithm of the field of Bioinformatics, and the Needleman-Wunsch algorithm is described in Needleman, S.B. and Wunsch, C.D., (1970), Journal of Molecular Biology, 48: 443-453.
It is then checked whether the similarity exceeds a predetermined threshold (S805). If the similarity exceeds the threshold, at least one of a phishing warning, access blocking, and data transmission blocking may be performed for the user (S807).
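The scoring and threshold steps (S803 to S807) can be sketched with a plain Needleman-Wunsch global alignment. This is an added example, not code from the patent: the scoring values (match +1, mismatch -1, gap -1), the normalisation by the longer domain's length, the 0.8 threshold, the rule that an exact match with a stored domain is the normal site itself, and the sample domains are all assumptions, since the description fixes none of them.

```python
def needleman_wunsch(a, b, match=1, mismatch=-1, gap=-1):
    """Global alignment score of strings a and b (Needleman-Wunsch, 1970)."""
    prev = [j * gap for j in range(len(b) + 1)]      # row for the empty prefix of a
    for i in range(1, len(a) + 1):
        cur = [i * gap]
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            cur.append(max(diag, prev[j] + gap, cur[j - 1] + gap))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """Alignment score scaled to at most 1.0; negative scores are clamped to 0."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return max(needleman_wunsch(a, b), 0) / longest


def normalise(domain):
    """Lower-case the domain and drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def check_domain(domain, known_domains, threshold=0.8):
    """S803-S807: returns (verdict, closest_known_domain, similarity).

    verdict is 'normal' for a domain already in the DB (assumed rule),
    'suspect' when the best similarity exceeds the threshold, else 'unrelated'.
    """
    d = normalise(domain)
    known = [normalise(k) for k in known_domains]
    if not known:
        return ("unrelated", None, 0.0)
    if d in known:
        return ("normal", d, 1.0)
    best = max(known, key=lambda k: similarity(d, k))
    score = similarity(d, best)
    return ("suspect" if score > threshold else "unrelated", best, score)


# Constructed stand-in for the financial company domain DB of FIG. 7.
FINANCIAL_DOMAIN_DB = ["examplebank.co.kr", "samplecard.co.kr"]

if __name__ == "__main__":
    for candidate in ("www.examplebank.co.kr",   # stored domain itself
                      "examp1ebank.co.kr",       # one character substituted
                      "weather.example.org"):    # unrelated site
        print(candidate, check_domain(candidate, FINANCIAL_DOMAIN_DB))
```
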
FIG. 9 is a flowchart illustrating another example of a phishing prevention method through domain comparison according to an embodiment of the present invention.
Specifically, the method illustrated in FIG. 9 combines the phishing prevention method through domain comparison according to the embodiment of the present invention described above with reference to FIG. 8 and the phishing prevention method through input field verification described above with reference to FIG. 3.
Referring to FIG. 9, this phishing prevention method through domain comparison according to an embodiment of the present invention is described step by step. First, when the user requests a web page by entering an address in an Internet web browser or clicking a link included in an e-mail message (S901), the hypertext markup language (HTML) and the DOM (Document Object Model) of the web page returned in response to the request are analyzed to determine whether an input field exists (S903).
As a result of the checking in the above-described step S903, if the input field exists, the information of the input field is extracted (S905).
On the basis of the extracted input field information, it is checked whether the input field is a security card full number input pattern (S907).
If the check in the above step (S907) finds that the input field corresponds to the security card full number input pattern, the similarity between the domain of the currently accessed web page and the normal financial web page domains stored in the established financial company domain DB is scored (S915).
By checking whether the similarity exceeds a predetermined threshold (S917), if the threshold is exceeded, at least one of a phishing warning, an access blocking, and a data transmission blocking may be performed to the user (S919).
Conversely, if in the above step (S907) the input field does not correspond to the security card full number input pattern, then when the user enters data in the input field (S909) and requests transmission, the transmission data may be extracted before it is sent to the server (S911).
On the basis of the extracted transmission data, it is checked whether the data input by the user is a security card full number input pattern (S913).
If the check in the above step (S913) finds that the data entered by the user corresponds to the security card full number input pattern, the similarity between the domain of the currently accessed web page and the normal financial web page domains stored in the established financial company domain DB is scored (S915).
By checking whether the similarity exceeds a predetermined threshold (S917), if the threshold is exceeded, at least one of a phishing warning, an access blocking, and a data transmission blocking may be performed to the user (S919).
<Third Example - Phishing Prevention Through Image Detection>
The phishing prevention method through image comparison according to an embodiment of the present invention prevents phishing by comparing an image of the content of a normal web page with an image of the content of the accessed web page.
In the phishing prevention method through image detection according to an embodiment of the present invention, the following phishing prevention procedure may be performed by an operation server of a phishing prevention system that performs data communication with a user's terminal.
10 is a flowchart illustrating an example of a phishing prevention method through image detection according to an embodiment of the present invention.
Referring to FIG. 10, a step-by-step example of a method for preventing phishing through image detection according to an embodiment of the present invention, a user first enters a URL in an internet web browser or clicks a link included in an e-mail message to display a web page. When the request is made (S1001), the content of the web page in response to the request is imaged (S1003).
Image data obtained by imaging the content of the web page may be an image of a web screen of the accessed web page.
The content image of the web page returned in response to the user's request is compared with the images stored in the URL: Image DB previously built in the server to determine whether they are similar (S1005).
Here, the URL: Image DB of the server can be constructed as follows.
When the server receives a request for a trusted web page (S1011), the server accesses the requested normal site, images the content provided by the normal site (S1013), and stores the image data in the URL: Image DB in association with the URL information of the normal site that was accessed.
In this case, when the user requests a specific web page, the content image data of the normal site stored in the URL: Image DB is transmitted to the user so that a comparison between the images can check whether they are similar.
As a result of checking in the above-described step (S1005), if the images are similar, the URL of the normal site and the URL that the user accesses are compared (S1007).
As a result of the comparison in the above-described step (S1007), if the URLs are different from each other, at least one of a phishing warning, access blocking, and data transmission blocking is performed for the user (S1009).
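The S1003 to S1009 decision and the URL: Image DB construction (S1011 to S1013), as an added Python example that is not code from the patent. The patent does not name an image comparison algorithm; a 64-bit average hash with an assumed Hamming-distance threshold of 6 is used here, the screenshots are constructed pixel grids, and comparing URLs by host name is an assumption.

```python
from urllib.parse import urlsplit

GRID = 8          # 8x8 cells -> 64-bit hash
MAX_HAMMING = 6   # assumed similarity threshold; the page does not give one


def average_hash(pixels):
    """64-bit average hash of a grayscale image given as rows of 0-255 ints.

    Assumes the image is at least GRID pixels wide and high.
    """
    h, w = len(pixels), len(pixels[0])
    cells = []
    for cy in range(GRID):
        ys = range(cy * h // GRID, (cy + 1) * h // GRID)
        for cx in range(GRID):
            xs = range(cx * w // GRID, (cx + 1) * w // GRID)
            total = sum(pixels[y][x] for y in ys for x in xs)
            cells.append(total / (len(ys) * len(xs)))
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def build_image_db(trusted_pages):
    """S1011-S1013: store the content hash of each normal site under its URL."""
    return {url: average_hash(px) for url, px in trusted_pages.items()}


def check_page(url, pixels, image_db):
    """S1005-S1009: a similar image served from a different host is blocked."""
    page_hash = average_hash(pixels)                         # S1003
    host = urlsplit(url).hostname
    for normal_url, normal_hash in image_db.items():
        if hamming(page_hash, normal_hash) <= MAX_HAMMING:   # S1005
            # Assumption: "same URL" is decided on the host name (S1007).
            if host != urlsplit(normal_url).hostname:
                return "block"                               # S1009
    return "allow"


def fake_screenshot(banner=40, body=220, logo=0, logo_x=4):
    """Constructed 32x32 'screenshot': banner rows, body, one 8x8 logo square."""
    px = [[banner if y < 8 else body for _ in range(32)] for y in range(32)]
    for y in range(12, 20):
        for x in range(logo_x, logo_x + 8):
            px[y][x] = logo
    return px


NORMAL_URL = "https://www.examplebank.co.kr/"   # constructed placeholder URL
IMAGE_DB = build_image_db({NORMAL_URL: fake_screenshot()})
```

The hash tolerates small layout and colour changes, so a copy with a shifted logo still matches the stored image; a pixel-exact comparison would miss it.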
<Fourth Example - Phishing Prevention Through Web Page Content Analysis>
The active phishing prevention system through web page content analysis according to an embodiment of the present invention extracts and analyzes, in real time, the content of the web page accessed by the user and prevents phishing through comparative analysis against a content database of normal web pages that it already holds. Furthermore, it is an active phishing prevention system that induces users to access normal financial sites.
In the active phishing prevention system through web page content analysis according to an embodiment of the present invention, a procedure for preventing phishing is performed by an operation server of a phishing prevention system that performs data communication with a user's terminal.
FIG. 11 is a diagram illustrating an example of an active phishing prevention system structure through web page content analysis according to an embodiment of the present invention.
Referring to FIG. 11, the active
The
The
The operation and function of each of the above components will be described below.
The
The
The
The
The web page
The index
The content
The
The
The processing of the active
FIG. 12 is a flowchart illustrating a process of an active phishing prevention system through web page content analysis according to an embodiment of the present invention.
Referring to FIG. 12, the process of the active phishing prevention system through web page content analysis according to an embodiment of the present invention proceeds step by step as follows. First, a user makes a web page request by entering an address in an Internet web browser or clicking a link included in an e-mail message, and accesses the corresponding web page (S1201), and the policy and
The index
If the check in step S1203 finds that the URL of the web page accessed by the user exists in the index DB 1113b, it is checked whether the URL is classified in the whitelist of the index DB 1113b (S1215); if so, the analysis ends. If the URL is classified in the blacklist of the index DB 1113b (S1207), access is blocked without analyzing the content of the web page (S1209).
On the contrary, if the URL of the connected web page does not exist in the index DB 1113b as a result of the checking in the above-described step (S1203), the web page
Here, the web page
The content
Herein, the content DB 1113b of the
In this case, the threshold value may be generated based on the data of the
If the calculated similarity exceeds the threshold, the
In addition, the
On the contrary, if the calculated similarity does not exceed the threshold, the
Through this process of the active phishing prevention system, when the user reconnects to a phishing site, access to the phishing site can be prevented without analyzing the content of the web page, and phishing can furthermore be actively prevented by inducing the user to access the normal site.
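The index DB check followed by the content DB comparison, as an added Python example that is not code from the patent: a host on the block list is refused without content analysis, and a detection records the host so that a return visit skips the analysis. The Jaccard score over three-word shingles, the 0.6 threshold, keying the index DB by host name, and all sample data are assumptions.

```python
import re
from urllib.parse import urlsplit

SIMILARITY_THRESHOLD = 0.6   # assumed value; the page does not state one


def shingles(text, k=3):
    """Set of k-word shingles; stands in for the extracted content data."""
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Share of shingles the two pages have in common."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class ContentAnalysisGate:
    """Index DB check first, content DB comparison only for unknown hosts."""

    def __init__(self, normal_pages, allow_hosts):
        self.content_db = {url: shingles(text) for url, text in normal_pages.items()}
        self.allow = set(allow_hosts)   # index DB: access allow list
        self.block = {}                 # index DB: blocked host -> normal URL
        self.analyses = 0               # pages that needed content analysis

    def check(self, url, page_text):
        """Return (verdict, normal URL to offer the user or None)."""
        host = urlsplit(url).hostname   # assumption: index DB keyed by host
        if host in self.allow:          # allow list: analysis ends
            return ("allow", None)
        if host in self.block:          # S1207/S1209: block, no analysis
            return ("block", self.block[host])
        self.analyses += 1
        page = shingles(page_text)
        score, normal_url = max(
            (jaccard(page, ref), ref_url) for ref_url, ref in self.content_db.items()
        )
        if score > SIMILARITY_THRESHOLD:
            self.block[host] = normal_url   # DB update after a detection
            return ("block", normal_url)    # steer the user to the normal site
        return ("allow", None)


# Constructed sample data; the URL and the page text are placeholders.
NORMAL_URL = "https://www.examplebank.co.kr/"
NORMAL_TEXT = "Example Bank internet banking login enter your user id and password to sign in"
PHISH_TEXT = NORMAL_TEXT + " please"
```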
The foregoing description is merely illustrative of the technical idea of the present invention and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments described in the present invention are not intended to limit the technical spirit of the present invention but to illustrate the present invention. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.
Claims (21)
(a) analyzing a hypertext markup language (HTML) and a document object model (DOM) of a web page in response to the request, and checking whether an input field exists according to a user's web page request;
(b) extracting information of the input field when the input field exists in the web page;
(c) checking whether the input field is a security card full number input pattern based on the extracted input field information; and
(d) in the step (c), if the input field corresponds to a security card full number input pattern, determining the web page as a phishing site.
The step (d)
includes performing at least one of a phishing warning for a user, a user's access blocking, and a data transmission blocking when the web page is determined to be a phishing site.
In the step (c), if the input field does not correspond to the security card full number input pattern,
(e) inputting data according to a user input signal into the input field;
(f) extracting transmission data in response to a transmission request according to a user input signal with respect to the data input in the input field;
(g) checking whether the data input by the user is a security card full number input pattern based on the extracted transmission data; and
(h) in the step (g), if the data input by the user corresponds to the security card full number input pattern, determining the web page as a phishing site, in the phishing prevention method by checking the input field.
The step (h)
includes performing at least one of a phishing warning for a user, a user's access blocking, and a data transmission blocking when the web page is determined to be a phishing site.
The step (c)
includes checking whether the text maxlength="4" exists in the hypertext markup language (HTML) source of the web page above a predetermined reference value.
In the step (c), if the input field corresponds to the security card full number input pattern,
checking whether the Internet Protocol (IP) address of the web page server is an overseas IP; and
as a result of the check, if the IP address of the web page server requested by the user is an overseas IP, performing at least one of a phishing warning for the user, a user's access blocking, and a data transmission blocking, as further steps of the phishing prevention method by checking the input field.
In the step (g)
If the data entered by the user corresponds to the security card full number input pattern,
checking whether the Internet Protocol (IP) address of the web page server is an overseas IP; and
as a result of the above check, if the IP address of the web page server requested by the user is an overseas IP,
performing at least one of a phishing warning for a user, a user's connection blocking, and a data transmission blocking.
(a) calculating a similarity between the domain of the accessed web page and a normal financial web page domain stored in a previously established financial company domain database (DB) according to a user's web page request;
(b) comparing and analyzing whether the calculated similarity exceeds a predetermined threshold; and
(c) if the similarity calculated in the comparative analysis step exceeds the threshold, performing a phishing warning to the user, blocking the user's access, blocking data transmission.
The step (a)
(d) analyzing a hypertext markup language (HTML) and a document object model (DOM) of the web page in response to the request, and checking whether an input field exists according to the user's web page request;
(e) extracting information on the input field if the input field exists in the web page; and
(f) checking whether the input field is a security card full number input pattern based on the extracted input field information.
If the check result of step (f) indicates that the input field corresponds to the security card full number input pattern,
The step (a)
And calculating a similarity between the domain of the accessed web page and a normal financial web page domain stored in a pre-established financial institution domain database (DB).
As a result of checking in the step (f), if the input field does not correspond to the security card full number input pattern,
The step (a)
Inputting data according to a user input signal into the input field;
extracting transmission data when a transmission request is made according to a user input signal with respect to the data input in the input field; and
determining whether the data input by the user is a security card full number input pattern based on the extracted transmission data.
If the data entered by the user corresponds to the security card full number input pattern,
And calculating a similarity between the domain of the accessed web page and a normal financial web page domain stored in a previously established financial company domain database (DB).
(a) imaging the content of the web page in response to the web page request of the user;
(b) comparing the content image of the web page according to the user's request with an image stored in a previously constructed content image DB to calculate a similarity;
(c) if the calculated similarity exceeds a predetermined threshold, confirming whether a URL (Uniform Resource Locator) of the accessed web page is the same as a URL of a normal web page; and
(d) if the URL of the accessed web page and the normal web page are not the same, performing at least one of a phishing warning or data transmission blocking to the user.
The step (b)
A method for preventing phishing through image detection, which compares images captured by a web browser screen with each other to calculate similarity.
A web page content extraction unit for extracting web page content data by collecting content of a web page accessed by a user in real time;
A DB unit including a content database constructed based on the web page content data (hereinafter referred to as 'DB') and an index DB including an access allow list and an access block list constructed based on URL contents of the web page;
An index DB verification unit which verifies whether a URL of the web page accessed by the user exists based on the index DB;
A content DB verification unit for comparing the web page content data with data stored in the content DB to calculate a similarity level and checking whether the calculated similarity level exceeds a predetermined threshold value; and
a detection notification unit configured to perform an anti-phishing operation according to an execution result of the index DB verification unit or the content DB verification unit.
The detection notification unit,
when the index DB verification unit confirms that the URL of the web page accessed by the user is included in the access block list, blocks access to the web site, in the active phishing prevention system through web page content analysis.
The detection notification unit,
when the check by the content DB verification unit finds that the calculated similarity exceeds the threshold value, performs at least one of a phishing warning for the user, the user's access blocking, and data transmission blocking, in the active phishing prevention system through web page content analysis.
The web page content extraction unit,
An active phishing prevention system through web page content analysis, which collects at least one of a text, an image, a flash, and a URL content of a web page.
The web page content extraction unit,
An active phishing prevention system through web page content analysis, extracting text-based data from the web page content data using optical character recognition (OCR).
The detection notification unit,
when the check by the content DB verification unit finds that the calculated similarity exceeds the threshold,
induces the user to access the site with the high similarity, in the active phishing prevention system through web page content analysis.
The DB unit
updates and stores information according to the check results of the index DB verification unit and the content DB verification unit, in the active phishing prevention system through web page content analysis.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120084137A KR20140017319A (en) | 2012-07-31 | 2012-07-31 | System and method for preventing phishing |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140017319A true KR20140017319A (en) | 2014-02-11 |
Family
ID=50265992
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140017319A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101455005B1 (en) * | 2013-08-27 | 2014-11-03 | 중소기업은행 | Terminal for monitoring phishing sites and method thereof |
CN105306419A (en) * | 2014-06-25 | 2016-02-03 | 腾讯科技(深圳)有限公司 | Page information interaction method, device and system |
WO2016085105A1 (en) * | 2014-11-25 | 2016-06-02 | 김준모 | Advertisement blocking method and device |
KR102645870B1 (en) * | 2023-07-24 | 2024-03-12 | 주식회사 누리랩 | Method and apparatus for detecting url associated with phishing site using artificial intelligence algorithm |
KR102658869B1 (en) * | 2024-01-04 | 2024-04-18 | (주)아톤 | Method and system for verifing websites provided to user |
-
2012
- 2012-07-31 KR KR1020120084137A patent/KR20140017319A/en not_active Application Discontinuation
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
N231 | Notification of change of applicant | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |