Malicious website prompt method and router
A malicious URL and router technology, applied in the network field, can solve the problems of low user network security, weak security awareness of netizens, and the inability of user terminals to install malicious URL blocking software, so as to achieve the effect of improving security.
Active Publication Date: 2014-10-29
TENCENT TECH (SHENZHEN) CO LTD +1
AI-Extracted Technical Summary
Problems solved by technology
[0004] However, due to the influence of the user terminal model, hardware configuration, operating system version, etc., the user terminal cannot install malicious website b...
Method used
With the method of the embodiment shown in Fig. 4, safe websites are first filtered out by the domain name whitelist and/or file name extension whitelist to determine the potentially malicious websites; the potentially malicious websites are then matched against the reference URLs in the malicious website database to further determine whether the target URL is a malicious URL, which reduces the number of URLs that need to be matched and improves the matching efficiency.
In the present embodiment, the router obtains the target network address in the network access request accessed by the user terminal and determines whether the target network address is a malicious network address; if it determines that the target network address is a malicious network address, send the prompt informat...
Abstract
The invention provides a malicious website prompt method and a router. The router obtains the target website in the network access request accessed by a user terminal and determines whether the target website is a malicious website; if so, a prompt message for intercepting the target website is sent to the user terminal. The user terminal does not need to install malicious website intercepting software, and the safety of surfing the Internet is improved where the user terminal cannot install, or does not install, such software.
Application Domain
Data switching networks
Technology Topic
Computer security; Software
Example Embodiment
[0021] The present invention detects malicious web addresses on the router and prompts the user terminal according to the detection result. The user terminal does not need to install malicious web address blocking software, which solves the problem that the user terminal cannot install, or the user does not install, such software, and improves the safety of surfing the Internet.
[0022] The technical solutions of the present invention will be described in detail below with specific embodiments.
[0023] Figure 1 is a schematic diagram of the application scenario of the malicious website prompt of the present invention. As shown in Figure 1, the application scenario of each embodiment of the present invention includes at least one user terminal 1, such as a personal computer (hereinafter referred to as PC), mobile phone or tablet computer, at least one router 2, and the Internet 3, where each user terminal 1 accesses the Internet 3 through a router 2. The information sent by the user terminal 1 to the Internet 3, and the information it receives from the Internet 3, must pass through the router 2. Therefore, the present invention can detect malicious websites on the router and prompt the user terminal according to the detection result.
[0024] Figure 2 is a schematic diagram of the structure of the malicious website prompt system of the present invention. As shown in Figure 2, the router contains a Network Address Translation (hereinafter referred to as NAT) interface, which converts the private Internet Protocol (hereinafter referred to as IP) address of each user terminal in the LAN into a legal external network IP address, so that multiple user terminals in the local area network share one legal external IP address to access the Internet. A request to access an Internet URL is intercepted when it passes through the NAT interface of the router. The URL acquisition module of the router obtains the target URL in the network access request and then filters it through the domain name whitelist and/or file name extension whitelist stored in the router to determine whether the target URL is a potentially malicious URL. If the target URL is a potentially malicious URL, the router further determines whether it is a malicious URL based on the malicious URL database stored in the router's local cache. If the target URL is not in the malicious URL database, the router determines whether it is a malicious URL by other means, for example by sending the acquired target URL to a housekeeper server for a query. In the foregoing embodiment, the domain name whitelist and malicious website database stored in the router can be updated periodically according to the website addresses sent by the housekeeper server.
[0025] In the following embodiments, the network access request includes, but is not limited to, a Hypertext Transfer Protocol (hereinafter referred to as HTTP) request, and the web address includes, but is not limited to, a Uniform Resource Locator (hereinafter referred to as URL).
[0026] Figure 3 is a schematic flowchart of Embodiment 1 of the method for prompting malicious web addresses of the present invention. Referring to Figures 1 to 3, the method of this embodiment includes:
[0027] S301: The router obtains the target website address in the network protocol request accessed by the user terminal.
[0028] Specifically, the router uses NAT technology to convert the private Internet Protocol (hereinafter referred to as IP) address of each user terminal in the local area network into a legal external network IP address, so that multiple user terminals in the local area network share one legal external IP address to access the Internet. A user terminal in the local area network, for example a PC, mobile phone or tablet computer, sets the router of the Wireless Local Access Network (hereinafter referred to as WLAN) as its default gateway. When the router receives a first data packet sent by a user terminal in the local area network, it modifies the packet: the source IP address in the original first data packet is changed to the router's first IP address (one of the router's multiple IP addresses), and the source port number is changed to the router's first port number (one of the router's multiple ports). The router sends the modified first data packet to the external network and records the correspondence between the source IP address and source port number and the router's first IP address and first port number. When the router receives a second data packet sent by the external network whose destination IP address is the first IP address and whose destination port number is the first port number, it uses the recorded correspondence to replace the destination IP address and destination port number of the second data packet with the corresponding source IP address and source port number, and sends the second data packet to the user terminal.
[0029] From the working principle of the router described above, it follows that the router can obtain all the data packets exchanged between the internal and external networks. When the user terminal requests access to a website on the external network, it first sends a network access request to the external network. The router can extract the host (HOST) and query (QUERY) strings from the network access request packet, thereby obtaining the target URL in the network access request accessed by the user terminal.
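The extraction step in S301, as an added example that is not part of the patent text: a Python sketch that recovers the target URL from the payload of one plaintext HTTP/1.x request. The function name, the accepted method list and the sample payloads are assumptions made for illustration; payloads that are not plaintext HTTP (for example the start of a TLS handshake) or whose header block is incomplete yield no URL.

```python
from typing import Optional

# HTTP methods accepted on the request line (assumption for this sketch).
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def extract_target_url(payload: bytes) -> Optional[str]:
    """Return the target URL of a plaintext HTTP request, or None.

    None means the router cannot recover a URL from this payload: the
    header block is incomplete, the bytes are not HTTP/1.x, the Host
    header is missing, or more than one Host header is present.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete, or not HTTP at all
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        return None
    if not parts[2].startswith(b"HTTP/1."):
        return None
    target = parts[1].decode("latin-1")

    host = None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            if host is not None:
                return None  # two Host headers: ambiguous, do not guess
            host = value.strip().decode("latin-1").lower()

    # Absolute-form request target (as sent to a proxy) already is the URL.
    if target.lower().startswith(("http://", "https://")):
        return target
    # Origin-form: combine the HOST string with the path and QUERY string.
    if not host or not target.startswith("/"):
        return None
    return "http://" + host + target


# Constructed sample payloads.
SAMPLE_REQUEST = (
    b"GET /login.php?id=1 HTTP/1.1\r\n"
    b"Host: Shop.Example\r\n"
    b"User-Agent: sample\r\n\r\n"
)
SAMPLE_TLS = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"

if __name__ == "__main__":
    print(extract_target_url(SAMPLE_REQUEST))
    print(extract_target_url(SAMPLE_TLS))
```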
[0030] S302: The router determines whether the target website is a malicious website.
[0031] Specifically, the router can determine whether the target website is a malicious website according to some specific rules.
[0032] First, determine whether the target URL is a potentially malicious URL, which means that the probability of the target URL being a malicious URL is greater than a preset value. If the target URL is a potentially malicious URL, it is further determined whether the target URL is a malicious URL.
[0033] S303: If the router determines that the target website is a malicious website, it sends a prompt message to the user terminal to intercept the above-mentioned target website.
[0034] By sending a prompt message for intercepting the above-mentioned target web address to the user terminal, the user is notified that the website visited is at risk, so that the user can determine whether to continue the visit according to the prompt.
[0035] In this embodiment, the router obtains the target URL in the network access request accessed by the user terminal and determines whether the target URL is a malicious URL. If it is determined that the target URL is a malicious URL, a prompt message for intercepting the target URL is sent to the user terminal. The user terminal does not need to install malicious website interception software, which solves the problem that the user terminal cannot install, or the user does not install, such software, and improves the safety of users surfing the Internet.
[0036] In step S302 of the embodiment shown in Figure 3, the router determines whether the target website is a malicious website. One of the implementation methods is shown in Figure 4, which is a schematic flowchart of the second embodiment of the method for prompting malicious web addresses of the present invention.
[0037] S401: The router determines whether the target website is a potentially malicious website based on the domain name and/or file name extension in the target website.
[0038] The router locally stores a whitelist of domain names and/or file name extensions.
[0039] If the target URL contains a domain name in the domain name whitelist, it can be determined that the target URL is a safe URL. The domain names in the domain name whitelist are for example: "qq.com", "baidu.com", and "sina.com". If the target URL contains a file whose extension is in the file name extension whitelist, it can be determined that the target URL is a safe URL, for example: "*.css", "*.jpg", "*.js" or "*.png", etc.
[0040] Whether the target URL is a potentially malicious URL can be determined based on the domain name in the target URL alone, based on the file name extension in the target URL alone, or by combining the domain name and the file name extension in the target URL.
[0041] The first implementation method is to determine whether the target URL is a potentially malicious URL based solely on the domain name in the target URL: the domain name in the target URL is matched against the domain names in the domain name whitelist. If the domain name in the target URL belongs to the domain name whitelist, the target URL is determined to be a safe URL; if it does not, the target URL is determined to be a potentially malicious URL.
[0042] The second implementation method is to determine whether the target URL is a potentially malicious URL based solely on the file name extension in the target URL: the file name extension in the target URL is matched against the extensions in the file name extension whitelist. If the extension of the file name in the target URL belongs to the file name extension whitelist, the target URL is determined to be a safe URL; if it does not, the target URL is determined to be a potentially malicious URL.
[0043] The third implementation method, which combines the domain name and file name in the target URL to determine whether the target URL is a potentially malicious URL is specifically:
[0044] When the target URL contains both a domain name and a file name extension: if the domain name in the target URL belongs to the domain name whitelist, or the file name extension in the target URL belongs to the file name extension whitelist, the target URL is determined to be a safe URL. That is, the domain name in the target URL is matched against the domain name whitelist; if it does not belong to the whitelist, it is further determined whether the file name extension belongs to the file name extension whitelist; if the extension does not belong to that whitelist either, the target URL is determined to be a potentially malicious URL.
[0045] When the target URL does not include the file name extension, the method of determining whether the target URL is a potentially malicious URL is determined based on the domain name in the target URL alone, which will not be repeated here.
[0046] It is worth noting that the domain name whitelist and/or file name extension whitelist stored by the router can be updated regularly. Specifically, the server can synchronize them to the router by dynamic incremental delivery. Using a heartbeat, the router periodically sends the version number of its local domain name whitelist and/or file name extension whitelist to the server to ask whether there is an incremental update. The server replies whether there is an incremental update for the version sent by the router and informs the router of the incremental update number. The router then obtains the incremental updates from the server, applies them to the local cache that stores the domain name whitelist and/or file name extension whitelist, and updates the whitelist version number.
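The heartbeat and incremental update exchange described in [0046], as an added example that is not part of the patent text: both sides modelled in Python. The message fields, class names and the rule that increments are applied only in unbroken version order are assumptions of this sketch; the patent does not specify a wire format, and authenticating the update channel is outside what the sketch covers.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Delta:
    """One incremental update; `version` is the version it produces."""
    version: int
    add: frozenset = frozenset()
    remove: frozenset = frozenset()


class UpdateServer:
    """Server side: answers heartbeats and hands out increments."""

    def __init__(self, deltas):
        self.deltas = sorted(deltas, key=lambda d: d.version)

    def heartbeat(self, router_version):
        # Reply whether the reported version has an incremental update
        # and which update number is the newest.
        latest = self.deltas[-1].version if self.deltas else 0
        return {"has_update": latest > router_version, "latest": latest}

    def fetch(self, router_version):
        return [d for d in self.deltas if d.version > router_version]


@dataclass
class RouterWhitelist:
    """Router side: cached domain whitelist plus its version number."""
    version: int = 0
    domains: set = field(default_factory=set)

    def sync(self, server):
        """Run one heartbeat; return how many increments were applied."""
        reply = server.heartbeat(self.version)
        if not reply["has_update"]:
            return 0
        applied = 0
        for delta in server.fetch(self.version):
            # Apply only the next consecutive version. A gap or an old
            # version would leave the cache in a state no version
            # number describes, so stop and retry on the next heartbeat.
            if delta.version != self.version + 1:
                break
            self.domains |= delta.add
            self.domains -= delta.remove
            self.version = delta.version
            applied += 1
        return applied


def demo():
    # Constructed sample data: the router holds version 1, the server
    # has published versions 2 and 3 since then.
    server = UpdateServer([
        Delta(1, add=frozenset({"qq.com"})),
        Delta(2, add=frozenset({"baidu.com"})),
        Delta(3, add=frozenset({"sina.com"}),
              remove=frozenset({"old.example"})),
    ])
    router = RouterWhitelist(version=1, domains={"qq.com", "old.example"})
    applied = router.sync(server)
    return applied, router.version, sorted(router.domains)


if __name__ == "__main__":
    print(demo())
```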
[0047] If any one of the above three implementation methods is adopted to determine whether the target website is a potentially malicious website, if the target website is not a potentially malicious website, execute S402, and if the target website is a potentially malicious website, execute S403.
[0048] S402: Determine that the above-mentioned target website is a safe website.
[0049] S403: Determine whether there is a reference URL that matches the target URL in the malicious URL database, if it exists, execute S404, and if it does not exist, execute S405.
[0050] Match the aforementioned target URL with the reference URL in the malicious URL database. Among them, the reference URLs stored in the malicious URL database are all malicious URLs. If there is a reference URL that matches the target URL in the malicious URL database, S404 is executed, and if the reference URL that matches the target URL does not exist in the malicious URL database, S405 is executed.
[0051] S404: Determine that the target URL is a malicious URL.
[0052] Since the reference URLs in the malicious URL database are all malicious URLs, if there is a reference URL matching the target URL in the malicious URL database, it is determined that the target URL is a malicious URL.
[0053] Further, the malicious website database may also contain the security level corresponding to each reference website. For example, the security level may be low, normal or severe: when the security level corresponding to the reference website is low, the threat to the user's online security is relatively low; when it is normal, the threat to the user's online security is average; when it is severe, the threat to the user's online security is serious. After the router determines that the target URL is a malicious URL, it takes the security level of the reference URL that matches the target URL as the security level of the target URL and includes that security level in the prompt message for intercepting the target URL sent to the user terminal, so that users can adopt different processing strategies according to different security levels.
[0054] S405: Further determine whether the target website is a malicious website.
[0055] If there is no reference URL that matches the target URL in the malicious URL database, it is necessary to further determine whether the target URL is a malicious URL. The specific judgment method can be as shown in Figure 5.
[0056] The method of the embodiment shown in Figure 4 first filters out safe web addresses through the whitelist of domain names and/or file name extensions to determine the potentially malicious web addresses, and then matches the potentially malicious web addresses against the reference web addresses in the malicious web address database to further determine whether the target URL is a malicious URL, which reduces the number of URLs that need to be matched and improves the matching efficiency.
[0057] Figure 5 is a schematic flowchart of Embodiment 3 of the method for prompting malicious web addresses of the present invention. The embodiment shown in Figure 5 is one of the methods, within the embodiment shown in Figure 4, for further determining whether the target URL is a malicious URL when no reference URL matching the target URL exists in the malicious URL database. As shown in Figure 5, the method of this embodiment includes:
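Steps S401 to S405 of Figure 4 as an added Python example; it is not code from the patent. The whitelist entries are the ones quoted in [0039]; the malicious URL database contents, the host-plus-path lookup key, the function names and the three `mode` values are assumptions of this sketch. Domains are matched on label boundaries (the host itself or a subdomain of it) rather than by substring, and the extension is taken from the URL path only, not from the query string.

```python
import posixpath
from urllib.parse import urlsplit

# Whitelist entries quoted in the description.
DOMAIN_WHITELIST = {"qq.com", "baidu.com", "sina.com"}
EXT_WHITELIST = {".css", ".jpg", ".js", ".png"}

# Constructed sample database: reference URL key -> security level.
MALICIOUS_DB = {
    "qq.com.login.example/login.php": "severe",
    "downloads.example/setup.exe": "normal",
}


def domain_whitelisted(host):
    """True if host is a whitelisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAIN_WHITELIST)


def path_extension(path):
    """File name extension of the URL path, lower-cased ('' if none)."""
    return posixpath.splitext(path)[1].lower()


def is_potentially_malicious(url, mode="combined"):
    """S401: mode is 'domain', 'extension' or 'combined'."""
    if mode not in ("domain", "extension", "combined"):
        raise ValueError("unknown mode: " + mode)
    parts = urlsplit(url)
    host = parts.hostname or ""
    ext = path_extension(parts.path)
    # Combined mode falls back to the domain check when the URL has no
    # file name extension, as [0045] describes.
    if mode == "domain" or (mode == "combined" and not ext):
        return not domain_whitelisted(host)
    if mode == "extension":
        return ext not in EXT_WHITELIST
    return not (domain_whitelisted(host) or ext in EXT_WHITELIST)


def db_key(url):
    """Lookup key for the malicious URL database (assumed: host + path)."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def classify(url, mode="combined"):
    """Return (verdict, security_level) for one target URL."""
    if not is_potentially_malicious(url, mode):
        return ("safe", None)            # S402
    level = MALICIOUS_DB.get(db_key(url))
    if level is not None:
        return ("malicious", level)      # S404, level goes into the prompt
    return ("undetermined", None)        # S405: needs further analysis


if __name__ == "__main__":
    for sample in (
        "http://news.qq.com/index.html",
        "http://qq.com.login.example/login.php",
        "http://cdn.example/logo.png",
        "http://shop.example/pay.php?skin=a.js",
    ):
        print(sample, classify(sample))
```

In combined mode a whitelisted extension marks the URL safe on any host, so the extension list works as an efficiency shortcut that reduces database lookups rather than as a trust decision about the site.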
[0058] S501: The router obtains the first page content of the target website.
[0059] The router distributes different target URLs to different detection engines for identification. The crawler module in the detection engine crawls the first page content of the target URL. The crawler module starts from the URLs of one or several initial web pages and obtains the sub-URLs on them; while crawling, it continuously extracts new sub-URLs from the current page and puts them into the queue until the system's stopping condition is met. All web pages crawled by the crawler (that is, the first page content) are stored by the system and undergo analysis, filtering and indexing for subsequent query and retrieval.
[0060] S502: The router parses the content of the first page.
[0061] S503: Determine whether the content of the first page is less than a preset value. If yes, execute S504, if not, execute S507.
[0062] First page content below the preset value generally means that the page has too little content, many interfering words and not much semantic information. In that case the malicious URL identification method based on browser web page snapshots and image recognition is used for a comprehensive judgment: a snapshot is taken of the page as finally displayed to the user in the browser, and text recognition, face recognition and other related recognition tools are applied to the captured image to determine whether the target URL is malicious. That is, steps S504 to S506 are executed to determine whether the target website is a malicious website.
[0063] If the content of the first page is rich, the steps of S507 to S508 are executed to determine whether the target website is a malicious website.
[0064] S504: The router obtains the content of the second page corresponding to the target website.
[0065] The router can obtain the content of the second page corresponding to the target URL from the server pointed to by the target URL through the browser (webkit) kernel.
[0066] S505: The router generates a target page image corresponding to the second page content.
[0067] The router can generate the target page image corresponding to the second page content through page rendering.
[0068] S506: The router determines whether the target URL is a malicious URL according to the target page image.
[0069] The specific implementation of this step includes but is not limited to the following three implementation manners.
[0070] Among them, the first implementation method is: the router matches the target page image with the reference page image in the preset malicious image database; if the similarity is greater than the preset value, the router determines that the target URL is a malicious URL.
[0071] The second implementation method is: the router recognizes the target page image, obtains the content in the target page image, and matches the content in the target page image with the content of the reference page images in the preset malicious image database; if the preset malicious image database contains reference page image content that matches the content of the target page image, the router determines that the target URL is a malicious URL.
[0072] The third implementation method combines the first implementation method with the second to consider comprehensively whether the target URL is a malicious URL. Specifically, the target page image is matched for similarity against the page images in the preset malicious image database to obtain a first matching result; the target page image is recognized to obtain the content in it, such as text and objects, and that content is matched against the reference page images in the preset malicious image database to obtain a second matching result; the first matching result and the second matching result are combined to determine whether the target website is a malicious website.
[0073] S507: The router obtains key information in the content of the first page.
[0074] Here, the key information is used to screen the page for malicious attributes, such as executable JS, page title, copyright information, etc. The Document Object Model (DOM) tree and the Browser Object Model (hereinafter referred to as BOM) tree are constructed, and the external links referenced by the web page are parsed for use by the thermal statistics module.
[0075] S508: The router determines whether the target website is a malicious website according to the key information.
[0076] The specific implementation of this step includes but is not limited to the following three implementation manners.
[0077] The first implementation method is: the router performs word segmentation on the text content in the key information to obtain the semantic information of the text content; the semantic information of the text content is matched for similarity against the text content of the malicious pages stored in the preset malicious page database. If the similarity is greater than the preset value, the router determines that the target URL is malicious.
[0078] The second implementation method is: the router performs word segmentation on the text content in the key information to obtain the semantic information of the text content; according to that semantic information, it determines the classification of the first page content through a discrimination method based on a Bayesian classifier, keyword model and/or decision tree learning. The classification can be, for example, economy, sports, pornography, phishing, Trojan horse, etc., among which pornography, phishing, Trojan horse, etc. are malicious URL classifications. If the classification of the first page content is a malicious URL classification, the router determines that the target URL is malicious.
[0079] The third implementation method combines the judgment results of the first and second implementation methods to consider comprehensively whether the target URL is a malicious URL. Specifically, the semantic information of the text content is matched for similarity against the text content of the malicious pages stored in the preset malicious page database to obtain a matching result; according to the semantic information of the text content, the classification of the first page content is determined through a discrimination method based on a Bayesian classifier, keyword model and/or decision tree learning to obtain a classification result; whether the target website is a malicious website is determined based on the matching result and the classification result.
[0080] The method of the embodiment shown in Figure 5 mainly handles target URLs for which, after matching against the reference URLs in the malicious URL database, it is still not determined whether they are malicious URLs. With this implementation method, after the target URL is determined to be a malicious URL, a prompt message for intercepting the target website is sent to the user terminal. The user terminal does not need to install malicious website blocking software, which solves the problem that the user terminal cannot install, or the user does not install, such software, and improves the security of the user's Internet surfing.
[0081] In each of the above embodiments, after determining that the target website is a malicious website, the method further includes adding the target website to the malicious website database, thereby increasing the coverage of the malicious websites stored in the malicious website database and further improving the user's online security.
[0082] Figure 6 is a schematic structural diagram of Embodiment 1 of the router of the present invention. As shown in Figure 6, the router of this embodiment includes a web address obtaining module 601, a processing module 602, and a sending module 603. The web address obtaining module 601 is used to obtain the target web address in the network access request accessed by the user terminal; the processing module 602 is used to determine whether the target website address is a malicious website address; the sending module 603 is configured to send prompt information for intercepting the target website address to the user terminal if the processing module determines that the target website address is a malicious website address.
[0083] The devices of the above embodiments can be used to execute the technical solutions of the method embodiment shown in Figure 3. Their implementation principles and technical effects are similar and will not be repeated here.
[0084] In the above embodiment, the processing module 602, which is configured to determine whether the target URL is a malicious URL, includes: a preprocessing sub-module for determining, based on the domain name and/or file name extension in the target URL, whether the target URL is a potentially malicious URL; and a URL cloud check sub-module which, if the preprocessing sub-module determines that the target URL is a potentially malicious URL, matches the target URL against the reference URLs in a preset malicious URL database, wherein the reference URLs are malicious URLs. If there is a reference URL matching the target URL in the malicious URL database, the URL cloud check sub-module determines that the target URL is a malicious URL.
[0085] The devices in the above embodiments can be used to execute the technical solutions of the method embodiment shown in Figure 4. Their implementation principles and technical effects are similar and will not be repeated here.
[0086] In the above-mentioned embodiment, the processing module 602 includes: an obtaining sub-module, used to obtain the first page content of the target website if there is no reference website in the malicious website database that matches the target website; a page parsing sub-module, used to parse the first page content and obtain key information in the first page content; and a determining sub-module, used to determine whether the target website is a malicious website according to the key information.
[0087] In the above embodiment, the determining submodule is configured to determine whether the target website is a malicious website based on the key information, and includes: a word content segmentation unit for word segmentation of the text content in the key information, Obtaining the semantic information of the text content; a text similarity matching unit for matching the similarity between the semantic information of the text content and the text content of a malicious page stored in a preset malicious page database; a determining unit for If the similarity is greater than the preset value, it is determined that the target website is a malicious website.
[0088] In the above embodiment, the determining sub-module, which is configured to determine whether the target website is a malicious website based on the key information, includes: a word content segmentation unit for performing word segmentation on the text content in the key information to acquire the semantic information of the text content; a text-based machine recognition unit for determining, according to the semantic information of the text content, the classification of the first page content through a Bayesian classifier, keyword model and/or decision tree learning; and a determining unit, configured to determine that the target website is a malicious website if the classification of the first page content is a malicious website classification.
[0089] In the above embodiment, the processing module includes: an acquisition sub-module, configured to acquire the first page content of the target URL if there is no reference URL that matches the target URL in the malicious URL database; a page parsing sub-module for parsing the first page content; a page screenshot sub-module for obtaining, if the first page content is less than a preset value, the second page content corresponding to the target URL and generating a target page image corresponding to the second page content; and a determining sub-module for determining whether the target website is a malicious website according to the target page image.
[0090] In the above embodiment, the determining submodule is configured to determine whether the target URL is a malicious URL according to the target page image, and includes: a picture similarity matching unit configured to compare the target page image with a preset malicious The reference page pictures in the picture database perform similarity matching; the determining unit is configured to, if the similarity is greater than a preset value, the router determines that the target website is a malicious website.
[0091] In the above embodiment, the determining sub-module, which is configured to determine whether the target URL is a malicious URL according to the target page picture, includes: a picture recognition unit configured to recognize the target page picture, obtain the content in the target page picture, and match the content in the target page picture with the content of the reference page pictures in the preset malicious picture database; and a determining unit configured such that, if the preset malicious picture database contains reference page picture content that matches the content of the target page picture, the router determines that the target website address is a malicious website address.
[0092] The devices of the above embodiments can be used to execute the technical solutions of the method embodiment shown in Figure 5. Their implementation principles and technical effects are similar and will not be repeated here.
[0093] A person of ordinary skill in the art can understand that all or part of the steps in the foregoing method embodiments can be implemented by a program instructing relevant hardware. The aforementioned program can be stored in a computer readable storage medium. When the program is executed, the steps including the foregoing method embodiments are executed; and the foregoing storage medium includes: ROM, RAM, magnetic disk, or optical disk and other media that can store program codes.
[0094] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that it is still possible to modify the technical solutions described in the foregoing embodiments, or to equivalently replace some or all of the technical features; such modifications or replacements do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.