Summary of the invention
In view of the above problems, the present invention is proposed to provide a network address access method, and a corresponding network address access system, that overcome the problems referred to above or at least partially solve them.
According to one aspect of the present invention, a network address access method is provided, comprising:
a client obtains website information corresponding to the network address it requests to access;
the client extracts a network address ciphertext from the website information;
the client submits the network address ciphertext to a server;
the server matches the network address ciphertext against the ciphertexts stored in a database;
if the network address ciphertext matches a ciphertext labeled as a malicious network address in the database, a malicious website query result is returned to the client, and the client blocks the access to the network address according to that result;
if the network address ciphertext does not match any ciphertext labeled as a malicious network address in the database, a normal website query result is returned to the client, and the client proceeds with the access to the network address according to that result.
Alternatively, the website information is specifically at least one first URL.
Alternatively, the ciphertexts labeled as malicious network addresses in the database comprise one or more of the following: the characteristic value of a malicious URL, the characteristic value of the host name of a malicious URL, and the characteristic value of a subdomain name of a malicious URL.
Alternatively, the at least one first URL comprises any combination of: the URL of the webpage corresponding to the requested network address, the URLs linked in the webpage content corresponding to that network address, and the URL of a downloaded file.
Alternatively, the client obtaining the website information corresponding to the requested network address comprises:
obtaining, through a specified response event interface, the URL of the webpage corresponding to the network address the client requests to access.
Alternatively, the client obtaining the website information corresponding to the requested network address comprises:
obtaining the page object inside the client's browser;
obtaining, by calling a method of the page object, the URLs linked in the webpage content corresponding to the network address the client requests to access.
Alternatively, the client obtaining the website information corresponding to the requested network address comprises:
monitoring the download-related internal functions of the client's browser;
when a download occurs in the browser, obtaining the URL of the downloaded file.
Alternatively, before the client extracts the network address ciphertext from the website information, the method further comprises: the client performs standardization processing on the at least one first URL.
Alternatively, the client performing standardization processing on the at least one first URL comprises:
unifying the letter case in the first URL;
removing redundant path symbols and parameters from the first URL.
Alternatively, the client extracting the network address ciphertext from the website information comprises:
obtaining the host name of the first URL and the first domain name section of the first URL;
calculating the characteristic value of the first URL, the characteristic value of its host name and the characteristic value of its first domain name section respectively;
the characteristic value of the first URL, the characteristic value of its host name and the characteristic value of its first domain name section together form the network address ciphertext.
Alternatively, if the first-level root domain of the host name of the first URL, read from right to left, is an international top-level domain (TLD), the first domain name section of the first URL is the first-level subdomain name of the host name; if that first-level root domain is a country or region TLD and the first-level subdomain name contains an international TLD, the first domain name section of the first URL is the second-level subdomain name of the host name; if the host name of the first URL uses a dynamic DNS (DDNS) domain, the first domain name section of the first URL is the next-level subdomain name extracted from the DDNS domain onwards.
Alternatively, returning the malicious website query result to the client when the network address ciphertext matches a ciphertext labeled as a malicious network address in the database is specifically: if any one of the characteristic value of any first URL among the at least one first URL, the characteristic value of the host name of any first URL, and the characteristic value of the first domain name section of any first URL matches a ciphertext labeled as a malicious network address in the database, the malicious website query result is returned to the client.
Alternatively, the server matching the network address ciphertext against the ciphertexts stored in the database comprises:
matching the characteristic value of each first URL among the at least one first URL against the ciphertexts labeled as malicious network addresses in the database; if the characteristic value of any first URL matches, returning the malicious website query result to the client;
if the characteristic value of no first URL matches, matching the characteristic value of the host name of each first URL against the ciphertexts labeled as malicious network addresses in the database; if the characteristic value of the host name of any first URL matches, returning the malicious website query result to the client;
if the characteristic value of no host name matches, matching the characteristic value of the first domain name section of each first URL against the ciphertexts labeled as malicious network addresses in the database; if the characteristic value of the first domain name section of any first URL matches, returning the malicious website query result to the client; if none matches, returning the normal website query result to the client.
Alternatively, the method further comprises a step of building the database.
The step of building the database comprises:
obtaining at least one second URL, each known to be a malicious network address and all sharing the same first domain name section;
obtaining, among the at least one second URL, the third URL whose host name contains the largest number of subdomain levels, tracing the subdomain names contained in the third URL level by level from right to left, and extracting at least one level of subdomain name;
if the first domain name section of the second URLs belongs to a preset trusted list, labeling the characteristic value of each second URL and the characteristic value of the host name of each second URL as ciphertexts of malicious network addresses and storing them in the database;
if the first domain name section of the second URLs belongs to a preset untrusted list, obtaining, among the at least one second URL, the fourth URL whose host name contains the fewest subdomain levels, and labeling as ciphertexts of malicious network addresses and storing in the database the characteristic value of each second URL, the characteristic value of the host name of each second URL, and the characteristic values of those extracted subdomain names whose level is higher than that of the fourth URL, excluding the host names of the second URLs themselves.
Alternatively, the number of levels of subdomain names traced and extracted is a set threshold.
According to another aspect of the present invention, a network address access system is provided, comprising a client and a server.
The client comprises:
a monitoring module, for obtaining the website information corresponding to the network address requested for access;
an extraction module, for extracting a network address ciphertext from the website information;
a communication module, for submitting the network address ciphertext to the server;
a protection module, for blocking the access to the network address according to a malicious website query result returned by the server;
an access module, for proceeding with the access to the network address according to a normal website query result returned by the server.
The server comprises:
a database, for storing ciphertexts;
a query module, for matching the network address ciphertext against the ciphertexts stored in the database; if the network address ciphertext matches a ciphertext labeled as a malicious network address in the database, returning a malicious website query result to the client; if it does not match any such ciphertext, returning a normal website query result to the client.
Alternatively, the monitoring module is specifically for obtaining at least one first URL corresponding to the requested network address, the at least one first URL comprising any combination of: the URL of the webpage corresponding to the requested network address, the URLs linked in the webpage content corresponding to that network address, and the URL of a downloaded file;
the ciphertexts labeled as malicious network addresses in the database comprise one or more of the following: the characteristic value of a malicious URL, the characteristic value of the host name of a malicious URL, and the characteristic value of a subdomain name of a malicious URL.
Alternatively, the monitoring module comprises:
a first monitoring unit, for obtaining, through a specified response event interface, the URL of the webpage corresponding to the network address the client requests to access.
Alternatively, the monitoring module comprises:
a second monitoring unit, for obtaining the page object inside the client's browser and, by calling a method of the page object, obtaining the URLs linked in the webpage content corresponding to the network address the client requests to access.
Alternatively, the monitoring module comprises:
a third monitoring unit, for monitoring the download-related internal functions of the client's browser and, when a download occurs in the browser, obtaining the URL of the downloaded file.
Alternatively, the client further comprises a processing module, for performing standardization processing on the at least one first URL.
Alternatively, the processing module comprises:
a unifying unit, for unifying the letter case in the first URL;
a removal unit, for removing redundant path symbols and parameters from the first URL.
Alternatively, the extraction module comprises:
an acquiring unit, for obtaining the host name of the first URL and the first domain name section of the first URL;
a computing unit, for calculating the characteristic value of the first URL, the characteristic value of its host name and the characteristic value of its first domain name section respectively;
the characteristic value of the first URL, the characteristic value of its host name and the characteristic value of its first domain name section together form the network address ciphertext.
Alternatively, if the first-level root domain of the host name of the first URL, read from right to left, is an international TLD, the acquiring unit is specifically for obtaining the first-level subdomain name of the host name of the first URL as the first domain name section of the first URL; if that first-level root domain is a country or region TLD and the first-level subdomain name contains an international TLD, the acquiring unit is specifically for obtaining the second-level subdomain name of the host name of the first URL as the first domain name section of the first URL; if the first URL uses a DDNS domain, the acquiring unit is specifically for obtaining the next-level subdomain name extracted from the DDNS domain onwards as the first domain name section of the first URL.
Alternatively, the query module is specifically for matching the network address ciphertext against the ciphertexts stored in the database; if any one of the characteristic value of any first URL among the at least one first URL, the characteristic value of the host name of any first URL, and the characteristic value of the first domain name section of any first URL matches a ciphertext labeled as a malicious network address in the database, a malicious website query result is returned to the client.
Alternatively, the query module is specifically for:
matching the characteristic value of each first URL among the at least one first URL against the ciphertexts labeled as malicious network addresses in the database; if the characteristic value of any first URL matches, returning the malicious website query result to the client;
if the characteristic value of no first URL matches, matching the characteristic value of the host name of each first URL against the ciphertexts labeled as malicious network addresses in the database; if the characteristic value of the host name of any first URL matches, returning the malicious website query result to the client;
if the characteristic value of no host name matches, matching the characteristic value of the first domain name section of each first URL against the ciphertexts labeled as malicious network addresses in the database; if the characteristic value of the first domain name section of any first URL matches, returning the malicious website query result to the client; if none matches, returning the normal website query result to the client.
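The tiered lookup that this query module performs (and that the method aspect above describes step by step) is shown below as an added Python example written for this page; it is not the system's own implementation. The characteristic value is the 32-character MD5 digest the embodiment uses; the malicious table, the reserved `.example` names and the `fingerprint`, `lookup` and `decide_access` names are constructed for the example. The host name and first domain name section are passed in already extracted.

```python
import hashlib


def md5_32(text: str) -> str:
    """32-character hexadecimal MD5 digest: the 'characteristic value' of the embodiment."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def fingerprint(url: str, host: str, domain: str) -> tuple:
    """Network address ciphertext of one first URL:
    (url hash, host-name hash, first-domain-section hash)."""
    return (md5_32(url), md5_32(host), md5_32(domain))


# Constructed server-side database: ciphertexts labeled as malicious, grouped by the
# kind of key message they were computed from. All names are reserved example names.
MALICIOUS_CIPHERTEXTS = {
    "url":    {md5_32("http://bad.example/login.php?id=1")},
    "host":   {md5_32("evil.example.org")},
    "domain": {md5_32("phish.example")},
}

# Match order of the query module: every URL hash first, then every host-name hash,
# then every first-domain-section hash. A hit at any tier is a malicious result.
TIERS = (("url", 0), ("host", 1), ("domain", 2))


def lookup(ciphertexts: list) -> tuple:
    """Server side. ciphertexts: one (url, host, domain) hash triple per first URL
    of the request. Returns ('malicious', tier, index of the matching URL) or
    ('normal', None, None)."""
    for tier, position in TIERS:
        table = MALICIOUS_CIPHERTEXTS[tier]
        for index, triple in enumerate(ciphertexts):
            if triple[position] in table:
                return ("malicious", tier, index)
    return ("normal", None, None)


def decide_access(ciphertexts: list) -> str:
    """Client side: block on a malicious query result, proceed on a normal one."""
    verdict, _, _ = lookup(ciphertexts)
    return "block" if verdict == "malicious" else "proceed"


if __name__ == "__main__":
    # A page access that involves two first URLs: the page itself and one linked URL.
    page = fingerprint("http://www.good.example/index.html", "www.good.example", "good.example")
    link = fingerprint("http://evil.example.org/a", "evil.example.org", "example.org")
    print(lookup([page, link]), decide_access([page, link]))
```

Because the server only ever sees digests, a match at the host or domain tier says which part of the submitted URL was known bad without the server learning the full plaintext URL; the price is that the tiers must be checked in the order the text gives, since a domain-tier hit on its own cannot tell the client which of several submitted URLs triggered it.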
Alternatively, the server further comprises a building module, for building the database;
the building module comprises:
a first acquiring unit, for obtaining at least one second URL, each known to be a malicious network address and all sharing the same first domain name section;
a second acquiring unit, for obtaining, among the at least one second URL, the third URL whose host name contains the largest number of subdomain levels, tracing the subdomain names contained in the third URL level by level from right to left, and extracting at least one level of subdomain name;
a first labeling unit, for labeling, if the first domain name section of the second URLs belongs to a preset trusted list, the characteristic value of each second URL and the characteristic value of the host name of each second URL as ciphertexts of malicious network addresses and storing them in the database;
a second labeling unit, for obtaining, if the first domain name section of the second URLs belongs to a preset untrusted list, the fourth URL among the at least one second URL whose host name contains the fewest subdomain levels, and labeling as ciphertexts of malicious network addresses and storing in the database the characteristic value of each second URL, the characteristic value of the host name of each second URL, and the characteristic values of those extracted subdomain names whose level is higher than that of the fourth URL, excluding the host names of the second URLs themselves.
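The database-building procedure of this building module, which the method aspect above describes in the same terms, is worked through below in an added Python example written for this page; it is not the server's own code. The trusted and untrusted lists, the threshold value and the function names are constructed; the reading that "level higher than that of the fourth URL" means strictly more subdomain levels than the fourth URL's host name, and that a first domain name section on neither list gets only URL and host entries, are assumptions made for the example.

```python
import hashlib
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"g.com"}     # constructed stand-in for the preset trusted list
UNTRUSTED_DOMAINS = {"h.net"}   # constructed stand-in for the preset untrusted list
LEVEL_THRESHOLD = 6             # threshold N for the number of levels traced right to left


def md5_32(text: str) -> str:
    """32-character hexadecimal MD5 digest used as the characteristic value."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def subdomain_levels(host: str, domain: str) -> list:
    """Subdomain names of `host` traced right to left, starting at the first domain
    section `domain`: level 1 is the domain itself, the last level is the full host."""
    labels = host.split(".")
    base = len(domain.split("."))
    return [".".join(labels[-(base + k):]) for k in range(0, len(labels) - base + 1)]


def select_entries(domain: str, urls: list) -> set:
    """Plain strings whose characteristic values are stored as malicious ciphertexts
    for one group of second URLs that share the first domain section `domain`."""
    hosts = [host_of(u) for u in urls]
    entries = set(urls) | set(hosts)           # every second URL and every host name
    if domain in TRUSTED_DOMAINS:
        return entries                          # trusted list: exact URL and host only
    if domain in UNTRUSTED_DOMAINS:
        # third URL: the host with the most levels; fourth URL: the host with the fewest
        deepest = max(hosts, key=lambda h: len(subdomain_levels(h, domain)))
        floor = min(len(subdomain_levels(h, domain)) for h in hosts)
        traced = subdomain_levels(deepest, domain)[:LEVEL_THRESHOLD]
        for level, name in enumerate(traced, start=1):
            # keep subdomain names above the fourth URL's level (assumption: strictly
            # above); host names are already stored, so they are skipped here
            if level > floor and name not in hosts:
                entries.add(name)
        return entries
    return entries  # assumption: a domain on neither list gets only URL and host entries


def build_ciphertexts(domain: str, urls: list) -> set:
    """The database rows: characteristic values of the selected entries."""
    return {md5_32(entry) for entry in select_entries(domain, urls)}


if __name__ == "__main__":
    # Constructed group of second URLs under the untrusted first domain section h.net
    group = ["http://a.b.c.d.e.f.h.net/abc/abc1.php?a=1",
             "http://b.c.d.e.f.h.net/abc/abc.php?a=1",
             "http://d.e.f.h.net/abc/abc.php?a=1"]
    for entry in sorted(select_entries("h.net", group)):
        print(entry, md5_32(entry))
```

For a first domain name section on the trusted list only the exact URLs and their host names are stored, so sibling subdomains of a large trusted provider are not blocked; for one on the untrusted list the intermediate subdomain names between the shallowest known-bad host and the threshold are stored as well, so a later query whose first domain section or host hashes to one of them is caught at the host or domain tier.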
According to the network address access method and system provided by this embodiment, when the client requests access to a network address, a network address ciphertext is extracted from the website information and submitted to the server; the server matches the network address ciphertext against the ciphertexts stored in the database, completing the security query and verification of the network address, and the client decides according to the server's result whether to continue accessing the network address. The method does not rely on a database local to the client: the security query and verification of the network address are performed on the server side. Because the server-side database can be updated promptly with all kinds of malicious network addresses on the Internet, its update cycle is significantly shorter than that of a client-local database; moreover, the server-side database stores a very large amount of malicious network address information with very wide coverage, so malicious websites can be intercepted quickly and effectively.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realized in a variety of forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a network address access method according to an embodiment of the invention. In this embodiment, the network address accessed by the client is taken to be a uniform resource locator (Universal Resource Locator, hereinafter: URL) by way of example. As shown in Fig. 1, the method comprises the following steps:
Step 101: the client obtains the website information corresponding to the network address it requests to access.
The webpage access behavior of the client's browsers of various types is monitored, and the website information requested is called the first URL. The first URL may comprise the following:
i. the URL of the webpage corresponding to the requested network address;
for example, if the client requests the "Sina" homepage, the URL of this webpage is http://www.sina.com.cn/.
ii. the URLs linked in the webpage content corresponding to the requested network address;
the content of the webpage the client requests may contain some linked network addresses, and the URLs of these linked network addresses also fall within the scope of monitoring.
iii. the URL of a downloaded file.
When the client requests to download a file, the URL of that file also falls within the scope of monitoring.
A given webpage access by the client may involve one or more of the above three kinds of URL; that is, the first URL comprises any one or any combination of the above three kinds of URL.
Step 102: the client extracts the network address ciphertext from the website information.
According to the information contained in the first URL, the client extracts the network address ciphertext corresponding to the first URL.
Step 103: the client submits the network address ciphertext to the server.
Step 104: the server matches the network address ciphertext against the ciphertexts stored in the database, which include ciphertexts marked as malicious network addresses; if the network address ciphertext matches a ciphertext labeled as a malicious network address in the database, step 105 is performed; otherwise, step 107 is performed.
This embodiment constructs the database in advance on the server side; the database stores at least the ciphertexts marked as malicious network addresses, all of which are obtained from a large number of URLs known to be malicious network addresses.
Step 105: the server returns a malicious website query result to the client, and step 106 is performed.
That the network address ciphertext submitted by the client matches a ciphertext labeled as a malicious network address in the database shows that the first URL the client is about to access is a malicious network address; in this case, the server returns a malicious website query result to the client.
Step 106: the client blocks the access to the network address according to the malicious website query result, and the procedure ends.
Step 107: the server returns a normal website query result to the client, and step 108 is performed.
That the network address ciphertext submitted by the client does not match any ciphertext labeled as a malicious network address in the database shows that the first URL the client is about to access is a normal network address; in this case, the server returns a normal website query result to the client.
Step 108: the client proceeds with the access to the network address according to the normal website query result, and the procedure ends.
According to the network address access method provided by this embodiment, when the client requests access to a network address, a network address ciphertext is extracted from the website information and submitted to the server; the server matches the network address ciphertext against the ciphertexts stored in the database, completing the security query and verification of the network address, and the client decides according to the server's result whether to continue accessing the network address. The method does not rely on a database local to the client: the security query and verification of the network address are performed on the server side. Because the server-side database can be updated promptly with all kinds of malicious network addresses on the Internet, its update cycle is significantly shorter than that of a client-local database; moreover, the server-side database stores a very large amount of malicious network address information with very wide coverage, so malicious websites can be intercepted quickly and effectively.
Fig. 2 shows a flow chart of a network address access method according to an embodiment of the invention. This embodiment provides a network address access method based on cloud security, which does not rely on a network address database local to the client and performs the security query and verification of the network address on the server side. As shown in Fig. 2, the method comprises the following steps:
Step 201: the client obtains at least one first URL requested for access.
The at least one first URL of this embodiment may comprise any one or any combination of the three kinds of URL described in the previous embodiment.
The methods of obtaining the above three kinds of URL are described in turn below:
Through a specified response event interface, for example the specified response event interface provided by a standard plug-in mechanism, the URL of the webpage corresponding to the network address the client requests is obtained. For example, in the IE (Internet Explorer) browser the Browser Helper Object (BHO) plug-in mechanism can be used, and the URL currently being loaded by IE is obtained by responding to the "BeforeNavigate2" event. In the Firefox browser, the specified response event interface provided by the Firefox extension mechanism is used to obtain the URL currently being loaded by Firefox. In the Google Chrome browser, the Netscape Plugin Application Programming Interface (NPAPI) plug-in mechanism is used to obtain the URL currently being loaded by Chrome.
The linked URLs in the webpage content accessed by the browser, including but not limited to the hyperlink addresses in the page, are obtained from the browser environment. The specific method is to obtain the page object inside the browser and then, by calling a method of the page object, obtain the linked URLs in the webpage content. The page object inside the browser can be obtained through the standard plug-in mechanism provided by the browser.
The URL of the file the browser is downloading is obtained from the browser environment. The specific method is to monitor the download-related internal functions of the browser; when a download is found to occur in the browser, the URL of the downloaded file can be obtained by analysis. Here, a hook (HOOK) mechanism can be used to monitor the browser's download-related internal functions.
Step 202: the client performs standardization processing on the at least one first URL.
The standardization processing may comprise: unifying the letter case in the first URL, covering the protocol, host name, path name, file name, parameters and similar information; and removing redundant path symbols and parameters from the first URL.
For example, a first URL is: HTTp://www.A.com//aBc/abc.Php?A=1.
Unifying its upper- and lower-case letters to lower case gives: http://www.a.com//abc/abc.php?a=1;
removing the redundant path symbol gives: http://www.a.com/abc/abc.php?a=1.
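The standardization of step 202 as an added Python example written for this page (not the client's own code). It applies the two operations the text names, case unification and collapsing of redundant path separators, to the page's example URL; the additional choices of stripping surrounding whitespace, dropping an explicit default port and dropping a fragment are assumptions made for the example and are marked in the code.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Standardize a first URL before its characteristic values are computed.

    Operations from the page:
      - unify letter case (protocol, host name, path, file name and parameters)
      - collapse redundant path symbols ("//" inside the path)
    Assumptions added for this example:
      - surrounding whitespace is stripped
      - an explicit default port (":80" for http, ":443" for https) is dropped
      - a fragment ("#...") is treated as a redundant parameter and dropped
    """
    url = url.strip().lower()
    parts = urlsplit(url)
    netloc = parts.netloc
    host, _, port = netloc.rpartition(":")
    if host and (parts.scheme, port) in (("http", "80"), ("https", "443")):
        netloc = host
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return urlunsplit((parts.scheme, netloc, path, parts.query, ""))


if __name__ == "__main__":
    print(normalize_url("HTTp://www.A.com//aBc/abc.Php?A=1"))
```

Normalizing on the client before hashing matters for this scheme: the server compares digests only, so two spellings of the same address that differ in case or in a doubled slash would otherwise produce different characteristic values and miss a stored malicious entry.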
Step 203: the client extracts the network address ciphertext from the first URL.
For a first URL, the first URL itself (url), the host name of the first URL (host) and the first domain name section of the first URL (domain) are the three key messages. After the first URL is obtained, its host name and its first domain name section are obtained. The host name of the first URL is the host part that remains after the path symbols, protocol header, port number and similar information are removed from the first URL; the first domain name section of the first URL is obtained by tracing the host name of the first URL level by level from right to left. Preferably, when obtaining the first domain name section of the first URL, at most 7 levels are traced from right to left.
If the first-level root domain of the host name of the first URL, read from right to left, is an international TLD, the first domain name section of the first URL is the first-level subdomain name of the host name. An international TLD refers to a common TLD such as "com", "net", "org", "edu" or "gov". For example, if the host name of the first URL is www.a.com, its first-level root domain from right to left is "com", so its first-level subdomain name "a.com" is extracted as the first domain name section of the first URL.
If the first-level root domain of the host name of the first URL, read from right to left, is a country or region TLD and the first-level subdomain name contains an international TLD, the first domain name section of the first URL is the second-level subdomain name of the host name. A country or region TLD refers to a special TLD such as "cn" or "hk". For example, if the host name of the first URL is www.a.com.cn, its first-level root domain from right to left is "cn" and its first-level subdomain name is "com.cn", so its second-level subdomain name "a.com.cn" is extracted as the first domain name section of the first URL.
If the host name of the first URL uses a DDNS domain, the first domain name section of the first URL is the next-level subdomain name extracted from the DDNS domain onwards. A DDNS domain refers to certain second-level or third-level dynamic DNS domains, such as "3322.org", "s.3322.org" or "s.3322.net". For example, if the host name of the first URL is www.a.3322.org, it uses the DDNS domain "3322.org", so starting from the DDNS domain the next-level subdomain name "a.3322.org" is extracted as the first domain name section of the first URL.
In this embodiment the characteristic values of the above three key messages are calculated respectively as the network address ciphertext. The characteristic value may specifically be a hash value; preferably, it is a hash value calculated according to Message Digest Algorithm 5 (hereinafter: md5), or an SHA1 code, or a CRC (Cyclic Redundancy Check) code, or another feature code that can uniquely identify the original content. In the example below, the characteristic value is the 32-character md5 hash value.
For example, a first URL is: http://www.a.com/abc/abc.php?a=1. According to the above method, the host name of the first URL is obtained as www.a.com, and the first domain name section of the first URL is obtained as a.com.
The 32-character md5 hash value of the first URL itself is:
md5(http://www.a.com/abc/abc.php?a=1,32)=e2a6b69ff15c6a8e276f089250ab3f7d
The 32-character md5 hash value of the host name of the first URL is:
md5(www.a.com,32)=30f4a7bbefe70d75616707c80921a7e8
The 32-character md5 hash value of the first domain name section of the first URL is:
md5(a.com,32)=b3655bd7aad56513fcdacbd4254ed6b7
When there is a single first URL, the above 32-character md5 hash values of the first URL, of its host name and of its first domain name section form the network address ciphertext of the first URL. When there are several first URLs, the 32-character md5 hash values of the three key messages of each first URL are calculated respectively and grouped per URL, yielding a network address ciphertext consisting of one or more groups of 32-character md5 hash values.
When the first URL is http://www.a.com/abc/abc.php?a=1 as above, the network address ciphertext obtained for the first URL is as follows:
domain|host|url
a.com|www.a.com|http://www.a.com/abc/abc.php?a=1
b3655bd7aad56513fcdacbd4254ed6b7|30f4a7bbefe70d75616707c80921a7e8|e2a6b69ff15c6a8e276f089250ab3f7d
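The extraction of the three key messages and their characteristic values (steps 203, the three first-domain-section rules above, and the domain|host|url ciphertext just shown) as an added Python example written for this page; it is not the client's own code. The TLD and DDNS lists contain only the examples the page names and are constructed stand-ins for full lists; the treatment of a country TLD whose first-level subdomain does not contain an international TLD (e.g. www.a.cn giving a.cn) is an assumption, and the function names are the example's own.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed lists: only the examples named on the page. A deployment needs full lists.
INTERNATIONAL_TLDS = {"com", "net", "org", "edu", "gov"}
COUNTRY_TLDS = {"cn", "hk"}
DDNS_DOMAINS = {"3322.org", "s.3322.org", "s.3322.net"}
MAX_LEVELS = 7  # at most 7 levels are traced from right to left


def first_domain_section(host: str) -> str:
    """Trace the host name right to left and return the first domain section."""
    labels = host.lower().strip(".").split(".")
    # DDNS rule: the next-level subdomain beyond the longest matching DDNS domain.
    for n in range(min(len(labels) - 1, MAX_LEVELS), 1, -1):
        if ".".join(labels[-n:]) in DDNS_DOMAINS:
            return ".".join(labels[-(n + 1):])
    # Country/region TLD whose first-level subdomain contains an international TLD:
    # the second-level subdomain, e.g. www.a.com.cn -> a.com.cn
    if len(labels) >= 3 and labels[-1] in COUNTRY_TLDS and labels[-2] in INTERNATIONAL_TLDS:
        return ".".join(labels[-3:])
    # International TLD: the first-level subdomain, e.g. www.a.com -> a.com
    # (assumption: a country TLD without an international second label, e.g.
    # www.a.cn, is handled the same way and gives a.cn)
    return ".".join(labels[-2:])


def key_sections(url: str) -> tuple:
    """(domain, host, url): the three key messages in the page's domain|host|url order.
    urlsplit().hostname strips the scheme, port, path and parameters."""
    host = (urlsplit(url).hostname or "").lower()
    return (first_domain_section(host), host, url)


def md5_32(text: str) -> str:
    """32-character hexadecimal md5 hash value used as the characteristic value."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def network_address_ciphertext(url: str) -> tuple:
    """Characteristic values of the three key messages, in domain|host|url order."""
    return tuple(md5_32(section) for section in key_sections(url))


def ciphertext_for_request(urls: list) -> list:
    """One group of three hash values per first URL when an access involves several."""
    return [network_address_ciphertext(u) for u in urls]


if __name__ == "__main__":
    url = "http://www.a.com/abc/abc.php?a=1"
    print("|".join(key_sections(url)))
    print("|".join(network_address_ciphertext(url)))
```

Run on the page's example URL, `key_sections` yields the `a.com|www.a.com|http://www.a.com/abc/abc.php?a=1` row and `network_address_ciphertext` the corresponding row of three 32-character digests in the same order. The DDNS rule is tried first and prefers the longest matching DDNS domain, so a host under `s.3322.org` is not mistakenly cut at `3322.org`.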
Step 204: the client submits the network address ciphertext to the server.
Step 205: the server matches the network address ciphertext against the ciphertexts stored in the database, which include at least the ciphertexts marked as malicious network addresses; if the network address ciphertext matches a ciphertext labeled as a malicious network address in the database, step 206 is performed; otherwise, step 208 is performed.
This embodiment constructs the network address database in advance on the server side; the database stores at least the ciphertexts marked as malicious network addresses. Specifically, the key values in the network address database are stored according to the characteristic values of three kinds of key message, the network address url, host and domain, and the key values of the three kinds of key message can each be labeled as a normal network address or a malicious network address. Specifically, the ciphertexts labeled as malicious network addresses comprise one or more of the following: the characteristic value of a malicious URL, the characteristic value of the host name of a malicious URL, and the characteristic value of a subdomain name of a malicious URL.
The ciphertexts in the network address database are all obtained from a large number of URLs known to be malicious network addresses.
In the present embodiment, building network address database can comprise the following steps:
A () obtains and is known as malice network address and identical at least one the 2nd URL of the first domain name section.
After getting the URL being known as malice network address in a large number, extract the method for host name and the first domain name section according to client, obtain host name and the first domain name section of the URL of these malice network address.In the URL of these malice network address, often there will be the URL that the first domain name section is identical.Such as, for the URL of following malice network address:
http://a.b.c.d.e.f.g.com/abc/abc1.php?a=1
http://b.c.d.e.f.g.com/abc/abc.php?a=1
http://d.e.f.g.com/abc/abc.php?a=1
Their first domain name section is g.com. The three URLs above are referred to here as second URLs.
(b) Among the at least one second URL, obtain the third URL, i.e. the one containing the highest number of subdomain levels; trace the subdomain names contained in the third URL level by level from right to left and extract at least one level of subdomain name.
In the above example, the third URL, the one of the three second URLs with the most subdomain levels, is http://a.b.c.d.e.f.g.com/abc/abc1.php?a=1, which contains 7 levels of subdomain names in total. Tracing its subdomain names level by level from right to left extracts the following 7 levels:
Level 1 subdomain name: g.com
Level 2 subdomain name: f.g.com
Level 3 subdomain name: e.f.g.com
Level 4 subdomain name: d.e.f.g.com
Level 5 subdomain name: c.d.e.f.g.com
Level 6 subdomain name: b.c.d.e.f.g.com
Level 7 subdomain name: a.b.c.d.e.f.g.com
Preferably, the number of subdomain levels traced and extracted in this step is bounded by a preset threshold N. Because normal network addresses also exist among the many subdomains of a domain that hosts malicious network addresses, and this generally occurs within the first 6 levels, N is preferably greater than or equal to 6.
(c) If the first domain name section of the second URLs belongs to a preset trusted list, such as a whitelist, mark the characteristic value of each second URL and the characteristic value of the host name of each second URL as ciphertext of malicious network addresses and store them in the database.
For some normal websites with a large volume of visits, such as sina.com.cn and sohu.com, a trusted list can be preset. If the first domain name section of the second URLs belongs to such a trusted list, only the characteristic value of each second URL and the characteristic value of the host name of each second URL are marked as ciphertext of malicious network addresses and stored in the database; the shared subdomain names are not marked malicious, so the rest of the trusted site is not blocked.
In the above example, if g.com belongs to the preset trusted list, the ciphertext marked as malicious network addresses comprises the characteristic values of the following information:
Each second URL:
http://a.b.c.d.e.f.g.com/abc/abc1.php?a=1
http://b.c.d.e.f.g.com/abc/abc.php?a=1
http://d.e.f.g.com/abc/abc.php?a=1
The host name of each second URL:
a.b.c.d.e.f.g.com
b.c.d.e.f.g.com
d.e.f.g.com
The characteristic values of the above information are stored in the cloud network address database and marked as ciphertext of malicious network addresses. The characteristic values of the other extracted subdomain names, under which no malicious network address is known, may also be stored in the cloud network address database, marked as normal network addresses; these are:
g.com
f.g.com
e.f.g.com
c.d.e.f.g.com
(d) If the first domain name section of the second URLs belongs to a preset untrusted list, such as a blacklist, obtain among the at least one second URL the fourth URL, i.e. the one containing the fewest subdomain levels, and mark as ciphertext of malicious network addresses: the characteristic value of each second URL, the characteristic value of the host name of each second URL, and the characteristic values of those extracted subdomain names whose level is higher than that of the fourth URL and that are not themselves host names of second URLs; store them in the database.
For websites with a very small volume of visits, an untrusted list can be written. If the first domain name section of the second URLs belongs to such an untrusted list, the fourth URL with the fewest subdomain levels is obtained among the at least one second URL, and the characteristic value of each second URL, the characteristic value of the host name of each second URL and the characteristic values of the extracted subdomain names above the level of the fourth URL, other than the host names of the second URLs, are marked as ciphertext of malicious network addresses and stored in the database.
In the above example, if g.com belongs to the preset untrusted list, the fourth URL, the one with the fewest subdomain levels, is http://d.e.f.g.com/abc/abc.php?a=1, which contains 4 levels of subdomain names in total; the ciphertext marked as malicious network addresses then comprises the characteristic values of the following information:
Each second URL:
http://a.b.c.d.e.f.g.com/abc/abc1.php?a=1
http://b.c.d.e.f.g.com/abc/abc.php?a=1
http://d.e.f.g.com/abc/abc.php?a=1
The host name of each second URL:
a.b.c.d.e.f.g.com
b.c.d.e.f.g.com
d.e.f.g.com
The extracted subdomain names whose level is higher than that of the fourth URL are a.b.c.d.e.f.g.com, b.c.d.e.f.g.com and c.d.e.f.g.com; since a.b.c.d.e.f.g.com and b.c.d.e.f.g.com are already host names of second URLs, the extracted subdomain name above the level of the fourth URL that is not a host name of a second URL is:
c.d.e.f.g.com
The characteristic values of the above information are stored in the cloud network address database and marked as ciphertext of malicious network addresses. The remaining extracted subdomain names, at or below the level of the fourth URL and under which no malicious network address is known, may also be stored in the cloud network address database, marked as normal network addresses; these are:
g.com
f.g.com
e.f.g.com
The characteristic values referred to in this step must be of the same type as the characteristic values the client submits, and must be computed over identically normalized plaintext, since matching is an exact comparison of hash values. The characteristic value may specifically be a hash value, preferably a hash value computed with the MD5 algorithm.
The server matches the network address ciphertext submitted by the client against the ciphertext marked as malicious network addresses in the cloud network address database; the specific matching process is as follows:
If any one of the characteristic value of any first URL among the at least one first URL, the characteristic value of the host name of any first URL and the characteristic value of the first domain name section of any first URL matches ciphertext marked as a malicious network address in the cloud network address database, step 206 is performed; otherwise step 208 is performed.
Fig. 3 shows a flow chart of the network address ciphertext matching process in an embodiment of the present invention. The matching process shown in Fig. 3 is a preferred embodiment, but the present invention is not limited to it. As shown in Fig. 3, the process in which the server matches the network address ciphertext submitted by the client against the ciphertext stored in the database may further comprise the following steps:
Step 301: match the characteristic value of any first URL among the at least one first URL against the ciphertext marked as malicious network addresses in the database; if it matches, perform step 206; otherwise perform step 302.
Step 302: match the characteristic value of the host name of any first URL among the at least one first URL against the ciphertext marked as malicious network addresses in the database; if it matches, perform step 206; otherwise perform step 303.
Step 303: match the characteristic value of the first domain name section of any first URL among the at least one first URL against the ciphertext marked as malicious network addresses in the database; if it matches, perform step 206; otherwise perform step 208.
In summary, the matching process covers the following three cases:
(1) Any one of the characteristic values of the three pieces of key information of the at least one first URL matches ciphertext marked as a malicious network address in the cloud network address database: step 206 is performed.
(2) None of the characteristic values of the three pieces of key information of the at least one first URL matches ciphertext marked as a malicious network address in the cloud network address database: step 208 is performed.
(3) One of the characteristic values of the three pieces of key information of the at least one first URL matches ciphertext marked as a normal network address in the cloud network address database, and the other characteristic values do not match any ciphertext marked as a malicious network address: step 208 is performed. A match against a normal entry therefore never overrides a malicious match at another level; the order of steps 301 to 303 ensures that the most specific value, the full URL, is tested first.
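The database construction of steps (a) to (d) and the three-stage matching of steps 301 to 303, carried through in working code as an added example (this is illustrative code, not the patent's own implementation). It takes one group of known-malicious second URLs together with their shared first domain name section and the trusted and untrusted lists as inputs, stores MD5 digests marked "malicious" or "normal", and answers a query from the plaintext (domain, host, URL) triples a client would have hashed. The threshold N is set to 7 so that the page's seven-level example is reproduced in full (the page only requires N to be at least 6); what happens to a first domain on neither list is not specified by the page, and the code's choice there (only URL and host entries) is an assumption.

```python
import hashlib
from urllib.parse import urlsplit


def md5_hex(text: str) -> str:
    """32-character MD5 digest used as the stored characteristic value."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def subdomain_levels(host: str, first_domain: str) -> list:
    """Trace a host right to left from its first domain name section:
    [g.com, f.g.com, ..., full host], i.e. level 1 up to level k."""
    if host != first_domain and not host.endswith("." + first_domain):
        raise ValueError(f"{host} is not under {first_domain}")
    prefix = host[: len(host) - len(first_domain)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    levels = [first_domain]
    for label in reversed(labels):
        levels.append(label + "." + levels[-1])
    return levels


def build_database(malicious_urls, first_domain, trusted, untrusted, max_levels=7):
    """Steps (a)-(d) for one group of second URLs sharing first_domain.
    Returns {md5_hex(plaintext): "malicious" | "normal"}.
    max_levels is the page's threshold N (7 reproduces its worked example)."""
    db = {}
    hosts = [urlsplit(u).hostname for u in malicious_urls]
    # Every second URL and every host name of a second URL is malicious.
    for url, host in zip(malicious_urls, hosts):
        db[md5_hex(url)] = "malicious"
        db[md5_hex(host)] = "malicious"
    # (b) extract the subdomain levels of the deepest host (the third URL).
    deepest = max(hosts, key=lambda h: len(subdomain_levels(h, first_domain)))
    levels = subdomain_levels(deepest, first_domain)[:max_levels]
    if first_domain in trusted:
        # (c) trusted first domain: every level that is not a host is normal.
        for level in levels:
            db.setdefault(md5_hex(level), "normal")
    elif first_domain in untrusted:
        # (d) untrusted first domain: levels deeper than the shallowest
        # malicious host (the fourth URL) are malicious, the rest normal.
        shallowest = min(len(subdomain_levels(h, first_domain)) for h in hosts)
        for depth, level in enumerate(levels, start=1):
            mark = "malicious" if depth > shallowest else "normal"
            db.setdefault(md5_hex(level), mark)
    # Assumption: a first domain on neither list gets only URL/host entries.
    return db


def query(db, triples):
    """Steps 301-303: for the submitted (domain, host, url) plaintext
    triples, hash and test every URL first, then every host, then every
    first domain section. Only "malicious" entries block; a hit on a
    "normal" entry does not end the remaining checks (case (3))."""
    for index in (2, 1, 0):                  # url, host, first domain section
        for triple in triples:
            if db.get(md5_hex(triple[index])) == "malicious":
                return "malicious"
    return "normal"


def labels_for(db, names):
    """Read back the mark stored for each plaintext name (None if absent)."""
    return {name: db.get(md5_hex(name)) for name in names}


# Constructed sample input: the page's three second URLs under g.com.
SECOND_URLS = [
    "http://a.b.c.d.e.f.g.com/abc/abc1.php?a=1",
    "http://b.c.d.e.f.g.com/abc/abc.php?a=1",
    "http://d.e.f.g.com/abc/abc.php?a=1",
]

if __name__ == "__main__":
    db = build_database(SECOND_URLS, "g.com", trusted=set(), untrusted={"g.com"})
    print(labels_for(db, ["g.com", "e.f.g.com", "c.d.e.f.g.com", "d.e.f.g.com"]))
    # A URL never seen before on a subdomain deeper than the fourth URL:
    print(query(db, [("g.com", "c.d.e.f.g.com", "http://c.d.e.f.g.com/new.php")]))
```

The same unseen URL under c.d.e.f.g.com is blocked when g.com is on the untrusted list and allowed when g.com is on the trusted list, which is exactly the asymmetry steps (c) and (d) are designed to produce: on a trusted domain only the exact URLs and hosts are blocked, on an untrusted domain the whole subtree below the shallowest known-malicious host is.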
Step 206: the server returns a malicious network address query result to the client, and step 207 is performed.
A match between the network address ciphertext submitted by the client and ciphertext marked as a malicious network address in the database indicates that the first URL the client is about to access is a malicious network address; in this case the server returns a malicious network address query result to the client.
Step 207: the client blocks the access to the network address according to the malicious network address query result, and the process ends.
The client blocks the access to the network address according to the malicious network address query result and prompts the user.
Step 208: the server returns a normal network address query result to the client, and step 209 is performed.
No match between the network address ciphertext submitted by the client and the ciphertext marked as malicious network addresses in the database indicates that the first URL the client is about to access is a normal network address; in this case the server returns a normal network address query result to the client.
Step 209: the client continues the access to the network address according to the normal network address query result, and the process ends.
According to the network address access method provided by the present embodiment, when the client requests access to a network address, it extracts the network address ciphertext from the website information and submits it to the server; the server matches the network address ciphertext against the ciphertext stored in the database, completing the security query and verification of the network address; and the client decides, according to the server's result, whether to continue the access. The method does not depend on a database local to the client: the security query and verification of the network address are carried out on the server side. Because the server-side database can be updated promptly with all kinds of malicious network addresses on the Internet, its update cycle is much shorter than that of a client-local database, and it stores a very large amount of malicious network address information with very wide coverage, so malicious websites can be intercepted quickly and effectively.
Fig. 4 shows a schematic structural diagram of a network address access system according to an embodiment of the present invention. As shown in Fig. 4, the network address access system comprises a client 1 and a server 2.
Client 1 comprises a monitoring module 10, an extraction module 11, a communication module 12, a protection module 13 and an access module 14. The monitoring module 10 is configured to obtain the website information corresponding to the network address requested for access; the extraction module 11 is configured to extract the network address ciphertext from the website information; the communication module 12 is configured to submit the network address ciphertext to the server 2; the protection module 13 is configured to block the access to the network address according to a malicious network address query result returned by the server 2; and the access module 14 is configured to continue the access to the network address according to a normal network address query result returned by the server 2.
Server 2 comprises a database 20 and a query module 21. The database 20 is configured to store ciphertext; the query module 21 is configured to match the network address ciphertext against the ciphertext stored in the database 20, to return a malicious network address query result to the client 1 if the network address ciphertext matches ciphertext marked as a malicious network address in the database 20, and to return a normal network address query result to the client 1 if it does not.
Further, the monitoring module 10 is specifically configured to obtain at least one first URL corresponding to the network address requested for access, the at least one first URL comprising any combination of the URL of the web page corresponding to the requested network address, the URLs linked in the web page content corresponding to the requested network address and the URL of a download file. The ciphertext marked as malicious network addresses in the database comprises one or more of the following: the characteristic value of a malicious URL, the characteristic value of the host name of a malicious URL and the characteristic value of a subdomain name of a malicious URL.
The monitoring module 10 may comprise a first monitoring unit 10a, configured to obtain, through a specified response event interface, the URL of the web page corresponding to the network address requested by the client 1.
The monitoring module 10 may also comprise a second monitoring unit 10b, configured to obtain the page object inside the browser of the client 1 and, by invoking the methods of the page object, obtain the URLs linked in the web page content corresponding to the network address requested by the client 1.
The monitoring module 10 may further comprise a third monitoring unit 10c, configured to monitor the download-related functions inside the browser of the client 1 and, when a download occurs in the browser, obtain the URL of the download file.
Client 1 may further comprise a processing module 15 configured to standardize the at least one first URL. The processing module 15 may comprise a unifying unit 15a and a removal unit 15b: the unifying unit 15a unifies the letter case in the first URL, and the removal unit 15b removes redundant path symbols and parameters from the first URL.
The extraction module 11 may comprise an acquiring unit 11a and a computing unit 11b. The acquiring unit 11a obtains the host name of the first URL and the first domain name section of the first URL; the computing unit 11b computes the characteristic value of the first URL, the characteristic value of the host name of the first URL and the characteristic value of the first domain name section of the first URL respectively; these three characteristic values constitute the network address ciphertext.
If the rightmost (first-level) root domain name of the host name of the first URL is an international top-level domain, the acquiring unit 11a specifically obtains the first-level subdomain name of the host name as the first domain name section of the first URL.
If the rightmost root domain name of the host name of the first URL is a country or region top-level domain and the first-level subdomain name contains an international top-level domain, the acquiring unit 11a specifically obtains the second-level subdomain name of the host name as the first domain name section of the first URL.
If the first URL uses a dynamic DNS domain name, the acquiring unit 11a specifically starts from the dynamic DNS domain name and takes the next level of subdomain name beyond it as the first domain name section of the first URL.
The query module 21 is specifically configured to match the network address ciphertext against the ciphertext stored in the database 20 and, if any one of the characteristic value of any first URL among the at least one first URL, the characteristic value of the host name of any first URL and the characteristic value of the first domain name section of any first URL matches ciphertext marked as a malicious network address in the database 20, to return a malicious network address query result to the client 1.
As a preferred embodiment, the query module 21 may specifically be configured to:
match the characteristic value of any first URL among the at least one first URL against the ciphertext marked as malicious network addresses in the database and, if the characteristic value of any first URL matches, return a malicious network address query result to the client;
if the characteristic value of no first URL among the at least one first URL matches, match the characteristic value of the host name of any first URL against the ciphertext marked as malicious network addresses in the database and, if the characteristic value of any host name matches, return a malicious network address query result to the client;
if the characteristic value of no host name of the at least one first URL matches, match the characteristic value of the first domain name section of any first URL against the ciphertext marked as malicious network addresses in the database; if the characteristic value of any first domain name section matches, return a malicious network address query result to the client; if none matches, return a normal network address query result to the client.
Server 2 further comprises a construction module 22, which may comprise a first acquiring unit 22a, a second acquiring unit 22b, a first marking unit 22c and a second marking unit 22d. The first acquiring unit 22a obtains at least one second URL known to be a malicious network address, the second URLs sharing the same first domain name section; the second acquiring unit 22b obtains, among the at least one second URL, the third URL with the highest number of subdomain levels, traces the subdomain names of the third URL level by level from right to left and extracts at least one level of subdomain name; the first marking unit 22c, if the first domain name section of the second URLs belongs to a preset trusted list, marks the characteristic value of each second URL and the characteristic value of the host name of each second URL as ciphertext of malicious network addresses and stores them in the database 20; the second marking unit 22d, if the first domain name section of the second URLs belongs to a preset untrusted list, obtains among the at least one second URL the fourth URL with the fewest subdomain levels and marks the characteristic value of each second URL, the characteristic value of the host name of each second URL and the characteristic values of the extracted subdomain names above the level of the fourth URL, other than the host names of the second URLs, as ciphertext of malicious network addresses, storing them in the database 20.
The network address access system provided by the present embodiment operates in the same way as the method described above: the client extracts the network address ciphertext from the website information and submits it to the server, the server completes the security query and verification against its database, and the client continues or blocks the access according to the result. Because no client-local database is relied on and the server-side database is updated promptly, stores a very large amount of malicious network address information and has very wide coverage, malicious websites can be intercepted quickly and effectively.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the above description of a specific language is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the specification provided herein. It will be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the network address access system according to embodiments of the present invention. The present invention may also be implemented as an apparatus or device program (for example a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.