Method, system, client and server for processing webpage access behavior

[0027] Hereinafter, exemplary embodiments of the present disclosure will be described in more detail with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments set forth herein. On the contrary, these embodiments are provided to enable a more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

[0028] Aiming at the technical problem that the existing technology using a single URL for detection cannot effectively detect malicious websites, and therefore cannot quickly and effectively protect the client's web browsing safety in real time, the present invention provides a method of using a refer The plan for processing the access behavior. For the page that the current user is visiting, the refer information is the URL of the parent page of the current page, that is, the URL of the previous page that links to the current page. The present invention obtains the refer chain according to the URLs of several levels of pages linked to the current page, and uses the refer chain to process web page access behaviors.

[0029] figure 1 A flowchart of a method 100 for processing webpage access behaviors according to an embodiment of the present invention is shown. In this embodiment, the current page is called the i-th level page, i≥2, and the i-th level page is the page opened by the i-th level link of the initial page. Usually, after the user opens the browser, the browser visits the default initial page or triggers the access request of the initial page through the user’s input in the address bar. The user clicks on the link on the initial page or other links from the initial page to the second page. Level pages are linked from level 2 pages to level 3 pages by users clicking links on level 2 pages or other linking methods, and so on, and finally from level i-1 pages to level i pages. For example, after the user opens the browser and enters www.so.com in the address bar, this page is the initial page (the URL is represented by A below); then, the user enters "call charge recharge" in the search bar and clicks the search button. The browser will jump to http://www.so.com/s?ie=utf-8&src=360sou_home&q=%E8%AF%9D%E8%B4%B9%E5%85%85%E5%80%BC, This page is a second-level page (the URL is denoted by B below); the second-level page provides many links. When the user clicks one of the links, the browser will jump to the page corresponding to this link http://chongzhi.360. cn/mobile/, this page is the third-level page (C is used below to represent its URL); the user clicks the "online game card" link on the third-level page, and the browser will jump to http://chongzhi.360. cn/GameCard/index, this page is the 4th level page (the URL is represented by D below).

[0030] Such as figure 1 As shown, the method 100 starts at step S101, in which the browser of the client monitors the access request of the i-th level page. The request to access the i-th level page is triggered by the user clicking a link or other link methods on the i-1 level page. In the above example, the user clicks the "Online Game Point Card" link on the third level page, and the browser will monitor the access request of the fourth level page: http://chongzhi.360.cn/GameCard/index.

[0031] After monitoring the access request of the i-th level page, the browser will load the i-th level page, and in the process of loading the i-th level page, obtain the refer chain containing the page ID of the i-th level page, that is, step S102. The refer chain contains the page ID and URL from the initial page to the i-th level page. The page ID of the page at all levels is the unique ID generated for the page by the browser in the process of loading the page. It is used as the URL of the page in the refer chain. The index value of. The browser queries the URL of the i-th level page through the page ID of the i-th level page and the i-th level page is the refer chain of the last level page. For example, the refer chain is A(ID1)-> B(ID2)-> C(ID3)-> D(ID4), where A, B, C, and D are the URLs of the pages at all levels, and ID1, ID2, ID3, and ID4 are the page IDs of the pages at all levels. When the browser loads page D, the above-mentioned refer chain can be found according to the page ID4 of page D.

[0032] In the above example, in the process of loading the 4th level page, the following refer chain will be obtained:

[0033] A(ID1)-> B(ID2)-> C(ID3)-> D(ID4)

[0034] After step S102, the method 100 proceeds to step S103, in which the client sends all URLs included in the refer chain to the server. The client can only report the URLs of the pages at all levels contained in the refer chain to the server, without reporting the page IDs of the pages at all levels. For refer chain: A(ID1)-> B(ID2)-> C(ID3)-> D(ID4), the client will A-> B-> C-> D is sent to the server. Optionally, according to the cloud query protocol with the server, this method can encrypt all URLs included in the refer chain into cipher text and send it to the server. Here, the present invention can use a reversible encryption method to encrypt all URLs, or use an irreversible encryption method to encrypt all URLs. For example, the feature value of each URL contained in the refer chain is calculated as the ciphertext. Optionally, the characteristic value may be a hash value calculated according to MD5 (Message Digest Algorithm, the fifth edition of the message digest algorithm), or SHA1 (Secure Hash Algorithm) code, or CRC (Cyclic Redundancy Check, Cyclic Redundancy Check) codes and other feature codes that can uniquely identify the original information. It should be noted that when uploading the ciphertext of the URL to the cloud security server, you need to block the URL string that may contain the user password first, and do not upload such URLs to ensure the security of user information

[0035] After step S103, the method 100 proceeds to step S104, in which the server queries whether all URLs included in the refer chain belong to a blacklist and/or whitelist database saved by the server, and obtains the query result. If on the client side, all URLs included in the refer chain are encrypted by reversible encryption, the server first decrypts the received ciphertext to obtain all URLs included in the refer chain; correspondingly, the blacklist saved by the server And/or the whitelist database stores URLs. After the server obtains all the URLs included in the refer chain, it queries the blacklist and/or whitelist database to obtain the query result of whether these URLs belong to the blacklist or whether they belong to the whitelist. If on the client side, the URL contained in the refer chain is encrypted by irreversible encryption. Correspondingly, the characteristic value of the corresponding URL is stored in the blacklist and/or whitelist database saved by the server, and the refer chain is obtained from the server After the feature values ​​of all URLs included, the blacklist and/or whitelist database is queried to obtain the query result of whether these URLs belong to the blacklist or whether they belong to the whitelist.

[0036] After step S104, the method 100 proceeds to step S105, where the server matches the query result with a preset rule to obtain a matching result. Among them, the preset rules are set according to actual needs, which specifically stipulate the situations that require risk warning. The following uses two preset rules as examples:

[0037] Rule 1: Jump to malicious pages or dangerous pages or unknown pages through search engines

[0038] If the query result shows that the URL of the i-th level page belongs to the blacklist database, that is, the i-th level page is a malicious or dangerous page; or, the URL of the i-th level page does not belong to the whitelist database, that is, the i-th level page is an unknown page; And it is determined that any page from the initial page to the i-1 level page is a search page, that is, the i level page is jumped from the search engine, indicating that the query result matches the rule 1, and the matching result is a risk warning information.

[0039] Optionally, the server also saves a list of search page URLs. In this step, it is determined whether the URL of any page from the initial page to the i-1 level page belongs to the search page URL list, and if so, it is determined that any page from the initial page to the i-1 level page is a search page. It should be noted that other methods can also be used to determine the search page, not limited to this method.

[0040] Rule 2: Jump to the payment page through malicious or dangerous pages or unknown pages

[0041] If the query result shows that the URL of any page from the initial page to the i-1 level page belongs to the blacklist database, that is, the page is a malicious or dangerous page; or, any one of the initial page to the i-1 level page The URL of the page does not belong to the whitelist database, that is, the page is an unknown page; and it is determined that the i-th level page is a payment page, indicating that the query result matches the second rule, and the matching result is risk warning information.

[0042] Optionally, the server also stores a list of payment page URLs. In this step, it is judged whether the URL of the i-th level page belongs to the payment page URL list, and if so, it is judged that the i-th level page is a payment page. It should be noted that other methods can also be used to determine the payment page, not limited to this method.

[0043] The above-mentioned rule 1 and rule 2 are only two specific examples. The present invention is not limited to these two rules. According to actual needs, the server can preset a variety of rules for matching query results.

[0044] After step S105, the method 100 proceeds to step S106, where the client receives the matching result returned by the server.

[0045] Subsequently, the method 100 proceeds to step S107, and the browser of the client terminal processes the access behavior of the i-th level page according to the matching result. If the received matching result is a risk warning message, the browser prompts the user of the risk. Optionally, the browser can provide the user with options to intercept the current page and continue to access the current page. If the user chooses to intercept the current page, the browser intercepts the access behavior of the current page. The risk to the user here can be specifically: mark the page with the problem on the user interface; or prompt the floating window when the mouse is moved on the page; if it is determined to block the access behavior of the page, you can directly block or cover Question page.

[0046] According to the method for processing web page access behaviors provided by the embodiment of the present invention, every time a request for access to a new page through the links of the initial page is monitored, the refer chain corresponding to the new page is obtained, and all the refer chain included The URL is reported to the server, and the server detects the matching result based on these URLs, and the client processes the access behavior of the new page according to the matching result. Compared with the prior art only using the URL of the new page for detection, because the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of client web browsing can be more effectively protected.

[0047] Further, on the basis of the foregoing embodiment, a process of creating a refer chain is also included before step S102. Existing browsers provide an interface for obtaining the refer information of a URL, namely the get_refer interface. However, the refer information obtained through the get_refer interface only contains the URL of the page visited last time before visiting the current page, that is, the URL of the previous page linked to the current page; and it can be used from a page opened to the get_refer interface It takes a long time. If you wait until the get_refer interface can be used, it will take too long to check. In order to obtain the refer chain composed of URLs of all levels of pages in real time, the present invention provides a method of creating a refer chain. The method is specifically as follows: whenever a new page is opened through the links of all levels of the initial page, the process of maintaining the refer chain is responsible Get the page ID and URL of the new page and the page ID or URL of the upper-level page of the new page, query the corresponding refer chain based on the page ID or URL of the upper-level page, and create the corresponding node of the refer chain.

[0048] figure 2 A flowchart of a method 200 for creating a refer chain according to an embodiment of the present invention is shown. Such as figure 2 As shown, the method 200 starts with the first level node creation step S201. In the first-level node creation step S201, after the access request of the initial page is monitored, the page ID of the initial page is generated, the URL of the initial page is obtained, the first-level node of the refer chain is created, and the page ID and URL of the initial page The information of the first-level node is written into the refer chain. For the default page accessed by the browser or the page triggered by the user's input in the address bar, use it as the initial page to create a new referral chain. Specifically, after the browser monitors the access request of the initial page, it will load the initial page. In the process of loading the initial page, the browser generates a unique ID as the page ID of the initial page, and obtains the URL of the initial page. The URL of the initial page can be obtained by specifying the response event interface, for example, by implementing the specified response event interface of the standard plug-in mechanism.

[0049] Use the Browser Helper Object (BHO) plug-in mechanism in the IE (Internet Explorer) browser to obtain the URL currently loaded by IE by responding to the "BeforeNavigate2" event. Use the specified response event interface provided by the Firefox extension mechanism in the Firefox browser to obtain the URL currently loaded by the Firefox browser. Use the Netscape Plugin Application Programming Interface (NPAPI) plug-in mechanism in the Google (chrome) browser to obtain the URL currently loaded by the Google browser. After obtaining the page ID (such as ID1) and URL (such as A) of the initial page, use ID1 and A as the information of the first level node of the refer chain, and create the refer chain as: A(ID1). Among them, ID1 is index information.

[0050] It should be noted that, in actual applications, the application environments of people using computers, such as operating systems, browser types, etc., are different. Therefore, the execution body of the foregoing steps may also have multiple implementation methods. For example, it may be a browser with a function of identifying and adding a mark, where the browser may be Internet Explorer (IE for short) that comes with the Windows operating system, or other third-party browsers. The so-called third-party browsers usually refer to non-IE browser software running on the Windows operating system. Such third-party browsers usually provide users with rich and unique feature designs and personalized extensions for users. Many convenient applications. For example, the same plug-in mechanism can run on multiple types of browsers, for example, the browsers are IE, firefox, google chrome, safari, opera, QQ browser, travel browser, Sogou browser or Cheetah browser, etc.

[0051] After the step S201 of creating a level 1 node, the method 200 enters a process of creating an i-th level node in a loop. Starting from i=2, the method 200 proceeds to step S202, where after the access request of the i-th level page is monitored, the page ID of the i-th level page is generated, and the URL of the i-th level page and the page of the i-1 level page are obtained ID or URL, the i-th level page is the page-level jump page of the i-1 level page. This article refers to linking from the i-1 level page to the i level page through the user clicking a link on the i-1 level page or other user behavior triggers as a page level jump. After the browser monitors the access request of the i-th level page that has passed the page-level jump, it will load the i-th level page. In the process of loading the i-th level page, the browser generates a unique ID as the page ID of the i-th level page, and obtains the URL of the i-th level page. The URL of the i-th level page can be obtained by specifying the response event interface, for example, by implementing the specified response event interface of the standard plug-in mechanism. For details, please refer to the previous description on how to obtain the URL of the initial page.

[0052] In order to find the corresponding refer chain and continue to create nodes on it, it is also necessary to obtain the page ID or URL of the i-1th level page in step S202. The present invention provides two different ways to obtain the information of the i-1th level page according to the different situations of the browser accessing the new page. One way (namely the following way 1) is suitable for using a new window or a new tab (tab) The case where the page opens the i-th level page; the other method (namely the second method below) is suitable for the case where the i-th level page is still opened through the current window or the current tab.

[0053] method one:

[0054] First, after monitoring the access request of the i-th level page, the interface object pointer of the i-th level page is obtained, and the interface object of the i-th level page is written to the interface object of the i-th level page according to the interface object pointer. The page ID of the page at level i-1. Then, in the process of loading the i-th level page, the page ID of the i-1th level page is obtained by reading the information provided by the interface object of the i-th level page.

[0055] The above method 1 is suitable for opening the i-th level page through a new window or a new tab page. Taking IE browser as an example, by analyzing the implementation principle of IE browser opening a new window or new tab page, I found the relevant processing function called by the IE browser internal module to create a new window or new tab page, and capture (Hook) this function , Use the return value of this function to get the interface object pointer of the new window or new tab page (the window or tab page that will load the i-th level page), such as the IWEBBROWSER2 pointer; because the browser has not yet started to load the i-level page, The page ID of the current page recorded by the browser is still the page ID of the i-1 level page obtained during the loading of the i-1 level page. Therefore, at this time, the browser can refer to the IWEBBROWSER2 object according to the interface object pointer Write the page ID of the i-1th level page. After starting to load the i-th level page, by reading the information provided by the IWEBBROWSER2 object of the i-th level page, the page ID of the i-1 level page can be obtained.

[0056] Way two:

[0057] After the access request of the i-th level page is monitored and before the i-th level page is loaded, the URL of the i-1 level page is obtained through the get_locationURL interface provided by the browser.

[0058] The second method above is applicable to the situation where the i-th level page is still opened through the current window or current tab. In this case, since no new window or new tab page is opened, it is impossible to obtain the page ID of the i-1th level page in a manner similar to the method one. In response to this situation, after monitoring the access request of the i-th level page, but before the "BeforeNavigate2" event of the i-th level page, the get_locationURL interface still provides the URL of the i-1 level page, so the get_locationURL interface is used You can get the URL of the i-1 level page.

[0059] However, after the step of obtaining the URL of the i-1th level page through the get_locationURL interface provided by the browser, it is also necessary to determine whether the opening of the i-th level page is triggered by the input behavior of the browser address bar. Specifically, you can use the browser address Click and input the column to determine; if the result of the determination is yes, clear the URL of the i-1th level page obtained through the get_locationURL interface provided by the browser, and process the i-th level page as the initial page, and execute step S201 ; If the judgment result is no, step S203 is executed.

[0060] The above method 1 and method 2 respectively address different situations. If the i-th level page is opened through a new window or a new tab, step S202 obtains the page ID of the i-1th level page through the above method 1; if the i-th level page is opened through the current window or the current tab, Then, in step S202, the URL of the i-1th level page is obtained through the second method described above. If the page ID obtained in step S202 is the page ID of the i-1th level page, then the corresponding refer chain will be queried according to the page ID; if the URL of the i-1th level page is obtained in step S202, then the URL will be followed Query the corresponding refer chain.

[0061] After step S202, the method 200 proceeds to step S203, in which the refer chain containing the page ID or URL of the i-1 level page is searched, the i level node of the refer chain is created, and the page ID and URL of the i level page are used as Information of the i-th level node.

[0062] Specifically, if in step S202, the page ID of the i-1th level page is obtained by using the above-mentioned method 1, then the refer chain containing the page ID of the i-1th level page can be directly searched. For example, if it is obtained through step S202 that the page ID of the second-level page is ID2, the URL is B, and the page ID of the first-level page (that is, the initial page) is ID1, then in this step, query the refer chain containing ID1, And the index information of the last level node of the refer chain is ID1, that is, A(ID1); create the second level node of the refer chain, use ID2 and B as the information of the second level node, and get the refer chain as A(ID1 )-> B(ID2). If in step S202, the URL of the i-1th level page is obtained by the above-mentioned method two, then it is necessary to query the refer chain containing the URL of the i-1th level page. Since the process of maintaining the refer chain may maintain multiple refer chains containing the same URL, this step may query multiple refer chains containing the URL of the i-1th level page. However, because the above method 2 applies to the situation that the i-th level page is still opened through the current window or the current tab, the page jumps are well-ordered, so you can choose the most recently updated refer chain as the i-th level node to be created The refer chain.

[0063] Optionally, in the first mode of step S202, it is also possible to write the URL of the i-1th level page to the interface object of the i-th level page only, by reading the information provided by the interface object of the i-th level page, Get the URL of the i-1 level page. Next, in step S203, query the refer chain containing the URL of the i-1th level page, and if multiple refer chains are found, the most recently updated refer chain is selected as the refer chain of the i-th level node to be created. However, due to the poor timing of page jumps when the i-th page is opened through a new window or a new tab page, which is applicable to the above method 1, the accuracy of the method of finding the refer chain according to the page ID Will be higher than the method of finding the refer chain based on the URL.

[0064] The above steps S202 and S203 are executed cyclically, thereby creating a complete refer chain. For the above example, the refer chain created is: A(ID1)-> B(ID2)-> C(ID3)-> D(ID4).

[0065] In the process of creating a refer chain, you also need to consider a special situation, that is, when you visit certain pages, the page will automatically jump multiple times, such as 3xx jumps. This article will use this kind of jump. Referred to as jumping between pages. In IE browser, the BHO mechanism provides three events when visiting the same page, namely BeforeNavigate2, NavigateComplete2 and DocumentComplete2. Under normal circumstances, the URLs corresponding to the three events are the same, but if there are multiple 302 jumps, the following will happen: (BeforeNavigate2)url0-> (302)url1-> (302)url2-> (NavigateComplete2)url2-> (DocumentComplete2)url2. If the above example is still taken as an example, when page C is accessed, page C may automatically jump multiple times, and jump to C1 and C2 in turn. Therefore, if a jump occurs between pages, the URLs of all jumped pages may not be captured by the above methods.

[0066] In view of the above special circumstances, the embodiment of the present invention further includes the step of creating at least one i-th level child node after the above step S203, namely step S204, which is executed when a page jump occurs on the i-th level page. At least one i-th level child node corresponds to at least one page jump page of the i-th level page. In step S204, the function called during the redirection process is captured, and the URL of at least one inter-page jump page of the i-th level page is obtained from the input parameters of the function called during the redirection process; and the query includes the i-th level The refer chain of the page ID of the page, create at least one i-th level child node of the refer chain, and use the page ID of the i-th level page and the URL of the page to jump between at least one page of the i-th level page as at least one i-th level Information about child nodes. Specifically, when a redirection such as 3xx occurs, the browser will perform redirection processing. During the redirection processing, the browser will call the "Urlmon!CINet::OnRedirect" function, and the input parameters of this function record the page jump The URL of the redirected page. By capturing this function, the URL of the redirected page between at least one page of the i-th page can be obtained. The URL of the jump page between pages obtained by this method is used as the information of the i-th level child node, and the index ID of the jump page between the pages is the same as the page ID of the i-th level page. For the above example, the refer chain created is: A(ID1)-> B(ID2)-> C(ID3)-> C1(ID3)-> C2(ID3)-> D(ID4).

[0067] According to the method for processing web page access behaviors provided by the embodiment of the present invention, every time a request for access to a new page through the links of the initial page is monitored, the refer chain corresponding to the new page is obtained, and all the refer chain included The URL is reported to the server, and the server detects the matching result based on these URLs, and the client processes the access behavior of the new page according to the matching result. Compared with the prior art only using the URL of the new page for detection, because the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of client web browsing can be more effectively protected. Further, the embodiment of the present invention also provides a method for creating a refer chain. According to this method, the refer chain composed of URLs of all levels of pages can be obtained in real time, so that the client can also send all URLs contained in the refer chain to As a result, the server can obtain comprehensive URL information in a timely manner. According to the URL information, the server can return the matching result to the client in time, thereby realizing the real-time and rapid protection of the security of the client's web browsing.

[0068] image 3 It shows a structural block diagram of a client according to an embodiment of the present invention. The client is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2. Such as image 3 As shown, the client terminal includes: a monitoring module 31, a query interface 32, and a protection module 33. Optionally, the client terminal may also include an encryption module 34.

[0069] The monitoring module 31 is adapted to obtain the refer chain containing the page ID of the i-th level page after monitoring the access request of the i-th level page. The request to access the i-th level page is triggered by the user clicking a link or other link methods on the i-1 level page. After the monitoring module 31 monitors the access request of the i-th level page, the browser will load the i-th level page. During the loading of the i-th level page, the monitoring module 31 obtains the refer chain containing the page ID of the i-th level page. The refer chain contains the page ID and URL from the initial page to the i-th level page. The page ID of the page at all levels is the unique ID generated for the page by the browser in the process of loading the page. It is used as the URL of the page in the refer chain. The index value of. The browser queries the URL of the i-th level page through the page ID of the i-th level page and the i-th level page is the refer chain of the last level page.

[0070] The query interface 32 is adapted to send all URLs included in the refer chain to the server, so that the server can query whether all URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then compare the query result with the preset The rule is matched to obtain a matching result; and, the matching result returned by the server is received. Optionally, according to the cloud query protocol with the server, the encryption module 34 encrypts all URLs contained in the refer chain into cipher text (for a description of the encryption method, please refer to the method embodiment), and sends it to the query interface 32, and the query The interface 32 sends the ciphertext to the server. The query interface 32 may only report the cipher text of the URLs of the pages at all levels included in the refer chain to the server, without reporting the page IDs of the pages at all levels.

[0071] The protection module 33 is adapted to process the access behavior of the i-th page according to the matching result. If the matching result is risk prompt information, the protection module 33 prompts the user of the risk. Optionally, the protection module 33 may provide the user with options to intercept the current page and continue to access the current page. If the user chooses to intercept the current page, the protection module 33 intercepts the access behavior of the current page.

[0072] Further, the client can also include a refer chain creation module 35. The refer chain creation module 35 includes: a first node creation unit 36 ​​and a second node creation unit 37.

[0073] The first node creation unit 36 ​​is adapted to generate the page ID of the initial page after monitoring the access request of the initial page, obtain the URL of the initial page, create the first level node of the refer chain, and use the page ID and URL of the initial page as the first The information of level 1 nodes is written into the refer chain. Further, the first node creating unit 36 ​​includes: a page ID generating unit 361 of the initial page, a URL obtaining unit 362 of the initial page, and a first node creating subunit 363. The page ID generating unit 361 of the initial page is adapted to generate the page ID of the initial page after monitoring the access request of the initial page. The URL obtaining unit 362 of the initial page is adapted to obtain the URL of the initial page currently loaded through a designated response event interface during the process of loading the initial page. For example, it can be obtained by implementing the specified response event interface of the standard plug-in mechanism. Using the browser auxiliary object BHO plug-in mechanism in IE browser, the URL currently loaded by IE can be obtained by responding to the "BeforeNavigate2" event. Use the specified response event interface provided by the Firefox extension mechanism in the Firefox browser to obtain the URL currently loaded by the Firefox browser. Use the NPAPI plug-in mechanism in the Google (chrome) browser to obtain the URL currently loaded by the Google browser. The first node creation subunit 363 is adapted to create the first-level node of the refer chain, and write the page ID and URL of the initial page as the first-level node information into the refer chain.

[0074] The second node creation unit 37, i≥2, is adapted to generate the page ID of the i-th level page after monitoring the access request of the i-th level page, and obtain the URL of the i-th level page and the page of the i-1th level page ID or URL, the i-th level page is the page-level jump page of the i-1 level page; and, query the refer chain containing the page ID or URL of the i-1 level page, and create the i-th level node of the refer chain , The page ID and URL of the i-th level page are used as the information of the i-th level node; the second node creation unit 37 is adapted to create all levels of nodes in the refer chain. Further, the second node creation unit 37 includes: a page ID generating unit 371 of the i-th level page, a URL obtaining unit 372 of the i-th level page, a page ID or URL obtaining unit 373 of the i-1 level page, and a second node Create subunit 374. The page ID generating unit 371 of the i-th level page is adapted to generate the page ID of the i-th level page after monitoring the access request of the i-th level page. The URL obtaining unit 372 of the i-th level page is adapted to obtain the URL of the i-th level page currently loaded through a designated response event interface during the loading of the i-th level page. For the specific method of obtaining the URL of the currently loaded i-th level page, refer to the related description of obtaining the URL of the initial page. The page ID or URL obtaining unit 373 of the i-1 level page is adapted to obtain the page ID or URL of the i-1 level page after monitoring the access request of the i level page. The second node creation subunit 374 is adapted to query the refer chain containing the page ID or URL of the i-1th level page, create the i-th level node of the refer chain, and use the page ID and URL of the i-th level page as the i-th level Information about the node.

[0075] Optionally, the second node creation unit 37 of the client terminal further includes: a capturing unit 375 and a writing unit 376. The capturing unit 375 is adapted to obtain the interface object pointer of the i-th level page after monitoring the access request of the i-th level page. The writing unit 376 is adapted to write the page ID of the i-1th level page obtained in the process of loading the i-1th level page to the interface object of the ith level page according to the interface object pointer. This implementation method is suitable for opening the i-th level page through a new window or a new tab page. Taking IE browser as an example, the capturing unit 375 is further adapted to capture the function called by the browser to create a new window or new tab after monitoring the access request of the i-th level page, and use the return value of the function to obtain the i-th level The interface object pointer of the page, such as the IWEBBROWSER2 pointer. Since the browser has not yet started to load the i-th level page at this time, the page ID of the current page recorded by the browser is still the page ID of the i-1 level page obtained during the loading of the i-1 level page, so At this time, the writing unit 376 can write the page ID of the i-1th level page to the IWEBBROWSER2 object according to the interface object pointer. The page ID or URL obtaining unit 373 of the i-1 level page is specifically adapted to: in the process of loading the i level page, obtain the i-1 level page by reading the information provided by the interface object of the i level page The page ID. Optionally, the writing unit 376 is adapted to write the URL of the i-1th level page obtained in the process of loading the i-1th level page to the interface object of the ith level page according to the interface object pointer.

[0076] Optionally, the page ID or URL obtaining unit 373 of the i-1 level page is further adapted to: after monitoring the access request of the i level page and before loading the i level page, obtain it through the get_locationURL interface provided by the browser The URL of the i-1 level page. The second node creation unit 37 further includes: a judgment unit 377 and an empty unit 378. Wherein, the judging unit 377 is adapted to judge whether the opening of the i-th level page is triggered by the input behavior of the browser address bar, specifically, it can be judged by clicking and inputting actions in the browser address bar; the clearing unit 378 is suitable for the judging unit If the judgment result of 377 is yes, the page ID of the i-1 level page or the URL of the i-1 level page acquired by the URL obtaining unit 373 is cleared, and the first node creation unit 36 ​​is triggered to set the i level The page is processed as the initial page; if the judgment result of the judgment unit 377 is no, the judgment unit 377 triggers the second node creation subunit 374 to create the i-th level node of the refer chain.

[0077] If the page ID or URL obtaining unit 373 of the i-1 level page obtains the page ID of the i-1 level page, the second node creation subunit 374 directly queries the refer chain containing the page ID of the i-1 level page , Create the i-th level node of the refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node. If the page ID or URL acquisition unit 373 of the i-1 level page obtains the URL of the i-1 level page, the second node creation subunit 374 queries the refer chain containing the URL of the i-1 level page, and If multiple referral chains are found, the most recently updated refer chain is selected, the i-th level node of the refer chain is created, and the page ID and URL of the i-th level page are used as the information of the i-th level node.

[0078] In the process of creating the refer chain, considering that the page has multiple automatic jumps, the refer chain creation module 35 also includes: a second child node creation unit 38, adapted to capture the function called during the redirection Obtain the URL of the jump page between at least one page of the i-th level page from the input parameters of the function called during processing; and, query the refer chain containing the page ID of the i-th level page, and create at least one i-th page of the refer chain Level child node, using the page ID of the i-th level page and the URL of the jump page between at least one page of the i-th level page as the information of at least one i-th level child node.

[0079] Figure 4 It shows a structural block diagram of a server according to an embodiment of the present invention. The server is used to detect the i-th level page opened through the i-th level link of the initial page, i≥2. Such as Figure 4 As shown, the server includes a blacklist and/or whitelist database 41 and a query interface 42. among them,

[0080] The blacklist and/or whitelist database 41 is suitable for storing URLs belonging to the blacklist and/or whitelist. The server pre-collects the identified safe webpages and dangerous/malicious webpages, saves the URLs of the safe webpages in the whitelist database, and saves the URLs of the dangerous/malicious webpages in the blacklist database. Optionally, the feature value of the URL may also be stored in the blacklist and/or whitelist database 41.

[0081] Preferably, the blacklist and/or whitelist database 41 in the embodiment of the present invention may include, but is not limited to, a phishing website database, an advertisement fraud website database, or any other type of malicious website database.

[0082] The query interface 42 is adapted to receive all URLs included in the refer chain sent by the client, query whether all URLs included in the refer chain belong to the blacklist and/or whitelist database, and then match the query results with preset rules to obtain a match As a result, the matching result is returned to the client. If on the client side, all URLs contained in the refer chain are encrypted by reversible encryption, then the query interface 42 contains a module that decrypts the received encrypted ciphertext, and after the module is decrypted, the refer chain is obtained All URLs.

[0083] The preset rules are set according to actual needs, and they specify the circumstances under which risk warnings are required. The following uses two preset rules as examples:

[0084] Rule 1: Jump to malicious pages or dangerous pages or unknown pages through search engines

[0085] For this rule 1, the query interface 42 is further adapted: if the query result shows that the URL of the i-th level page belongs to the blacklist database, that is, the i-th level page is a malicious or dangerous page; or the URL of the i-th level page is not white List database, that is, the i-th level page is an unknown page; and it is determined that any page from the initial page to the i-1th level page is a search page, that is, the i-th level page is jumped from the search engine, indicating the query result When the rule is matched, the matching result is the risk warning message.

[0086] Rule 2: Jump to the payment page through malicious or dangerous pages or unknown pages

[0087] For the second rule, the query interface 42 is further adapted to: if the query result shows that the URL of any page from the initial page to the i-1th level page belongs to the blacklist database, that is, the page is a malicious page or a dangerous page; or The URL of any page from the page to the i-1 level page does not belong to the whitelist database, that is, the page is an unknown page; and it is determined that the i level page is a payment page, indicating that the query result matches the rule two, and the match is obtained The result is a risk warning message.

[0088] The above-mentioned rule 1 and rule 2 are only two specific examples. The present invention is not limited to these two rules. According to actual needs, the server can preset a variety of rules for matching query results.

[0089] Further, the server may further include: a search page URL database 43, which is suitable for storing a search page URL list; and a payment page URL database 44, which is suitable for storing a payment page URL list. The query interface 42 determines that any page from the initial page to the i-1 level page is a search page by judging that the URL of any page from the initial page to the i-1 level page belongs to the preset search page URL list; and, through It is determined that the URL of the i-th level page belongs to the preset payment page URL list, and the i-th level page is determined to be a payment page.

[0090] Figure 5 It shows a structural block diagram of a system for processing webpage access behaviors according to an embodiment of the present invention. Such as Figure 5 As shown, the system includes a client 30 and a server 40. For specific structures and functions of the client 30 and the server 40, refer to the description of the foregoing embodiment, which is not repeated here.

[0091] According to the client, server, and system for processing web page access behaviors provided by the embodiments of the present invention, each time the client monitors a request for access to a new page through links at all levels of the initial page, it obtains the referral chain corresponding to the new page , Report all URLs contained in the refer chain to the server, the server will detect the matching results based on these URLs, and the client will process the access behavior of the new page based on the matching results. Compared with the prior art only using the URL of the new page for detection, because the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of client web browsing can be more effectively protected. Further, the client in the embodiment of the present invention also has the function of creating a refer chain. According to this function, the refer chain composed of URLs of all levels of pages can be obtained in real time, so that the client can also timely update all URLs contained in the refer chain. Send to the server, the server can obtain comprehensive URL information in time. According to the URL information, the server can return the matching result to the client in time, thus realizing the real-time and fast protection of the security of the client's web browsing.

[0092] According to the method provided by the embodiment of the present invention, after the step of obtaining the page ID and URL of the i-1th level page through the get_locationURL interface provided by the browser, the method further includes:

[0093] Determine whether it is triggered by the input behavior of the browser address bar to open the i-th page;

[0094] If the judgment result is yes, the URL of the i-1 level page obtained through the get_locationURL interface provided by the browser is cleared, and the i level page is processed as the initial page;

[0095] If the judgment result is no, execute the step of creating the i-th level node of the refer chain.

[0096] According to the method provided by the embodiment of the present invention, after the i-th level node creation step, it further includes: at least one i-th level child node creation step, and the at least one i-th level child node corresponds to at least one of the i-th level page Jump pages between pages: capture the function called during redirection processing, and obtain the URL of at least one page jumped between pages of the i-th level page from the input parameters of the function called during redirection processing; and, query A refer chain containing the page ID of the i-th level page, create at least one i-th level child node of the refer chain, and jump between the page ID of the i-th level page and at least one page of the i-th level page The URL of the redirected page is used as the information of at least one i-th level child node.

[0097] The client provided according to the embodiment of the present invention is used to detect the i-th level page opened through the i-th level link of the initial page, i≥2; the client includes:

[0098] The monitoring module is adapted to obtain the refer chain containing the page ID of the i-th level page after monitoring the access request of the i-th level page, and the refer chain contains the page ID and URL of the initial page to the i-th level page;

[0099] The query interface is adapted to send all URLs included in the refer chain to the server, so that the server can query whether all URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then send Matching the query result with the preset rule to obtain the matching result; and receiving the matching result returned by the server;

[0100] The protection module is adapted to process the access behavior of the i-th level page according to the matching result.

[0101] According to the client according to the embodiment of the present invention, if the matching result received by the query interface is risk alert information, the protection module is further adapted to: prompt the user of the risk according to the risk alert information, and according to the user's selection Intercept the access behavior of the i-th level page.

[0102] The client according to the embodiment of the present invention further includes: an encryption module, adapted to encrypt all URLs contained in the refer chain into ciphertexts, and send them to the query interface, and the query interface converts the ciphertext The text is sent to the server.

[0103] The client according to the embodiment of the present invention further includes: a refer chain creation module;

[0104] The refer chain creation module includes:

[0105] The first node creation unit is adapted to generate the page ID of the initial page after monitoring the access request of the initial page, obtain the URL of the initial page, create the first-level node of the refer chain, and combine the page ID and URL of the initial page Write the information of the first-level node into the refer chain;

[0106] The second node creation unit, i≥2, is suitable for generating the page ID of the i-th level page after monitoring the access request of the i-th level page, and obtaining the URL of the i-th level page and the page ID of the i-1 level page Or URL, the i-th level page is the page-level jump page of the i-1 level page; and, querying the refer chain containing the page ID or URL of the i-1 level page, and creating the first page of the refer chain i-level node, using the page ID and URL of the i-th level page as the information of the i-th level node;

[0107] The second node creating unit is adapted to create nodes at all levels of the refer chain.

[0108] According to the client according to the embodiment of the present invention,

[0109] The first node creation unit includes:

[0110] The page ID generating unit of the initial page is adapted to generate the page ID of the initial page after monitoring the access request of the initial page;

[0111] The URL obtaining unit of the initial page is adapted to obtain the URL of the initial page currently loaded through a designated response event interface during the process of loading the initial page;

[0112] The first node creation subunit is adapted to create the first-level node of the refer chain, and write the page ID and URL of the initial page as the first-level node information into the refer chain;

[0113] The second node creation unit includes:

[0114] The page ID generating unit of the i-th level page is adapted to generate the page ID of the i-th level page after monitoring the access request of the i-th level page;

[0115] The URL obtaining unit of the i-th level page is adapted to obtain the URL of the i-th level page currently loaded through the designated response event interface during the loading of the i-th level page;

[0116] The page ID or URL obtaining unit of the i-1 level page is adapted to obtain the page ID or URL of the i-1 level page after monitoring the access request of the i level page;

[0117] The second node creation subunit is adapted to query the refer chain containing the page ID or URL of the i-1 level page, create the i level node of the refer chain, and combine the page ID and URL of the i level page As the information of the i-th node.

[0118] According to the client of the embodiment of the present invention, the second node creation unit further includes: a capturing unit adapted to obtain the interface object pointer of the i-th page after monitoring the access request of the i-th page; and, The writing unit is adapted to write the page ID of the i-1 level page obtained during the loading of the i-1 level page to the interface object of the i level page according to the interface object pointer;

[0119] The page ID or URL obtaining unit of the i-1 level page is specifically adapted to: in the process of loading the i level page, obtain the i-1 level page by reading the information provided by the interface object of the i level page The page ID of the page.

[0120] According to the client according to the embodiment of the present invention, the capture unit is further adapted to: after monitoring the access request of the i-th page, capture the function called by the browser to create a new window or new tab, and use the function The return value gets the interface object pointer of the i-th page.

[0121] According to the client according to the embodiment of the present invention, the page ID or URL obtaining unit of the i-1 level page is further adapted to: after monitoring the access request of the i level page and before loading the i level page, Get the URL of the i-1 level page through the get_locationURL interface provided by the browser.

[0122] According to the client according to the embodiment of the present invention, the second node creation unit further includes:

[0123] The judging unit is adapted to judge whether the opening of the i-th level page is triggered by the input behavior of the browser address bar;

[0124] The clearing unit is adapted to clear the page ID of the i-1th level page or the URL of the i-1th level page obtained by the URL obtaining unit when the judgment result of the judgment unit is yes, and trigger The first node creation unit processes the i-th level page as the initial page;

[0125] In a case where the judgment result of the judgment unit is no, the judgment unit triggers the second node creation subunit to create the i-th level node of the refer chain.

[0126] According to the client according to the embodiment of the present invention, the refer chain creation module further includes: a second child node creation unit, adapted to capture the function called during the redirection process, from the function called during the redirection process To obtain the URL of the jump page between at least one page of the i-th level page from the input parameters of the i-th level page; and, query the refer chain containing the page ID of the i-th level page, and create at least one i-th level child node of the refer chain, The page ID of the i-th level page and the URL of the jump page between at least one page of the i-th level page are used as the information of at least one i-th level child node.

[0127] The server according to the embodiment of the present invention is configured to detect the i-th level page opened through the i-th level link of the initial page, i≥2; the server includes:

[0128] The blacklist and/or whitelist database is suitable for storing URLs belonging to the blacklist and/or whitelist;

[0129] The query interface is suitable for receiving all URLs included in the refer chain sent by the client, querying whether all URLs included in the refer chain belong to the blacklist and/or whitelist database, and then comparing the query results with preset rules Perform matching to obtain a matching result, and return the matching result to the client.

[0130] According to the server according to the embodiment of the present invention, the query interface is further adapted to:

[0131] If the query result shows that the URL of the i-th level page belongs to the blacklist database or does not belong to the whitelist database, and it is judged that any page from the initial page to the i-1th level page is a search page, the matching result is risk warning information;

[0132] Or, if the query result shows that the URL of any page from the initial page to the i-1 level page belongs to the blacklist database or does not belong to the whitelist database, and it is determined that the i level page is a payment page, the matching result is a risk alert information.

[0133] The server according to the embodiment of the present invention further includes:

[0134] Search page URL database, suitable for saving search page URL list;

[0135] Payment page URL database, suitable for saving a list of payment page URLs;

[0136] The query interface determines that any page from the initial page to the i-1 level page is a search page by determining that the URL of any page from the initial page to the i-1 level page belongs to a preset search page URL list Page; and, by determining that the URL of the i-th level page belongs to a preset payment page URL list, it is determined that the i-th level page is a payment page.

[0137] The system for processing web page access behaviors according to the embodiment of the present invention includes the above-mentioned client and the above-mentioned server.

[0138] The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used with the teaching based on this. From the above description, the structure required to construct this type of system is obvious. In addition, the present invention is not directed to any specific programming language. It should be understood that various programming languages ​​can be used to implement the content of the present invention described herein, and the above description of a specific language is to disclose the best embodiment of the present invention.

[0139] In the instructions provided here, a lot of specific details are explained. However, it can be understood that the embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and technologies are not shown in detail, so as not to obscure the understanding of this specification.

[0140] Similarly, it should be understood that in order to simplify the present disclosure and help understand one or more of the various inventive aspects, in the above description of the exemplary embodiments of the present invention, the various features of the present invention are sometimes grouped together into a single embodiment, Figure, or its description. However, the disclosed method should not be interpreted as reflecting the intention that the claimed invention requires more features than those explicitly stated in each claim. More precisely, as reflected in the following claims, the inventive aspect lies in less than all the features of a single embodiment disclosed previously. Therefore, the claims following the specific embodiment are thus explicitly incorporated into the specific embodiment, wherein each claim itself serves as a separate embodiment of the present invention.

[0141] Those skilled in the art can understand that it is possible to adaptively change the modules in the device in the embodiment and set them in one or more devices different from the embodiment. The modules or units or components in the embodiments can be combined into one module or unit or component, and in addition, they can be divided into multiple sub-modules or sub-units or sub-components. Except that at least some of such features and/or processes or units are mutually exclusive, any combination of all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and any method or method disclosed in this manner can be adopted. All the processes or units of the equipment are combined. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature providing the same, equivalent or similar purpose.

[0142] In addition, those skilled in the art can understand that although some embodiments described herein include certain features included in other embodiments but not other features, the combination of features of different embodiments means that they are within the scope of the present invention. Within and form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.

[0143] The various component embodiments of the present invention may be implemented by hardware, or by software modules running on one or more processors, or by their combination. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the client, the server, and the system for processing webpage access behaviors according to the embodiments of the present invention. Some or all of the functions of the component. The present invention can also be implemented as a device or device program (for example, a computer program and a computer program product) for executing part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals can be downloaded from Internet websites, or provided on carrier signals, or provided in any other form.

[0144] It should be noted that the above-mentioned embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses should not be constructed as a limitation to the claims. The word "comprising" does not exclude the presence of elements or steps not listed in the claims. The word "a" or "an" preceding an element does not exclude the presence of multiple such elements. The invention can be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In the unit claims enumerating several devices, several of these devices may be embodied in the same hardware item. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.