Website processing method, device, apparatus, storage medium and product

By building a website to process tasks, identifying responsible parties and distributing tasks in parallel, and monitoring the effectiveness of the handling, the problem of incompatibility in handling risky websites has been solved, achieving automated collaborative handling and improved network security.

CN122247748APending Publication Date: 2026-06-19BEIJING HONGTENG INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING HONGTENG INTELLIGENT TECH CO LTD
Filing Date
2026-04-29
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

In existing technologies, when the handling of risky websites involves multiple parties, the phenomenon of information silos leads to vulnerabilities in the defense system, allowing attackers to bypass blocked channels and continue their attacks, and the handling efficiency is low.

Method used

By building a website to process tasks, identifying a list of responsible parties, distributing tasks to each alliance party in parallel, monitoring the effectiveness of the handling, generating a handling report for feedback, and ensuring that all participants handle the tasks synchronously.

Benefits of technology

It enables automated and collaborative handling of risky websites, preventing attackers from bypassing the system and improving network security and handling efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247748A_ABST
    Figure CN122247748A_ABST
Patent Text Reader

Abstract

This application discloses a website processing method, apparatus, device, storage medium, and product, relating to the field of network security technology. The method includes: constructing a website processing task based on risky website information in a reported request; identifying responsibility for the risky website information and determining a list of responsible parties; and distributing the website processing task in parallel to each alliance responsible party in the list, so that each alliance responsible party in the list executes the corresponding website handling process. Upon receiving reported risky website information, this application can automatically associate relevant alliance responsible parties, construct a list of responsible parties, and distribute the website processing task in parallel to each alliance responsible party in the list, ensuring that all parties involved in the website processing perform website handling synchronously, preventing attackers from bypassing website handling, and improving network security.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to website processing methods, apparatus, devices, storage media and products. Background Technology

[0002] With the widespread use of the Internet, risky websites (such as phishing websites) have become one of the major threats to cybersecurity. Attackers use risky websites to impersonate well-known websites such as banks, e-commerce platforms, and government agencies, stealing sensitive data such as user accounts, passwords, and bank card information, causing huge economic losses and social harm.

[0003] Currently, the handling of risky websites involves multiple stakeholders, including domain registrars, telecom operators, and cloud service providers. However, in related technologies, these stakeholders generally suffer from "working in isolation" and "information silos." For example, when a browser vendor discovers and blocks a phishing website, other stakeholders such as domain registrars, telecom operators, and content providers are unaware of this and allow the website to continue operating or spreading through other channels. This information asymmetry leads to vulnerabilities in the defense system, allowing attackers to bypass blocked channels and continue their attacks. More typically, the same phishing website is often discovered and dealt with repeatedly by multiple stakeholders, but the information on the handling cannot be effectively shared, resulting in wasted resources and low handling efficiency. Summary of the Invention

[0004] The main objective of this application is to provide a website processing method, apparatus, device, storage medium, and product, which aims to solve the technical problem that the processing of website processing by participating parties is not interconnected, allowing attackers to bypass website processing and continue to carry out attacks.

[0005] To achieve the above objectives, this application proposes a website processing method, the method comprising: Construct website processing tasks based on the risky website information in the reported request; The responsible parties for the aforementioned risky website information will be identified and a list of responsible parties will be compiled. The website processing tasks are distributed in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0006] Optionally, after distributing the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, the method further includes: Once it is detected that all responsible parties in the alliance in the aforementioned list have completed their actions, the website will check whether the actions have taken effect. If the website action is effective, the website action is considered complete, a action report is generated, and the results are fed back based on the action report.

[0007] Optionally, whether the detection website's actions are effective includes: Extract the website domain name from the website processing task; The authoritative DNS interface is invoked based on the website domain name to determine the domain name resolution result; If the domain name resolution result is "resolution suspended", then the website action is deemed effective.

[0008] Optionally, whether the detection website's actions are effective includes: Extract the website access path from the website processing task; Generate a cache-free request header, and construct a website access request based on the cache-free request header and the website access path; Access the risky website based on the website access request and obtain the website access response; If the response status code in the website access response is a website exception status code, then the website action is deemed effective.

[0009] Optionally, whether the detection website's actions are effective includes: Extract the website access path from the website processing task; Access the risky website based on the website access path to obtain website page data; Extract the visual features of the website page data; Detect the similarity between the visual features of the page and the page feature information recorded in the website processing task; If the feature similarity is less than the preset matching threshold, the website action is deemed effective.

[0010] Optionally, whether the detection website's actions are effective includes: Extract the risky website certificate from the website processing task; Access the certificate issuer corresponding to the certificate of the risky website to obtain the certificate status information; If the certificate status information indicates that the certificate has expired, then the website's action is deemed effective.

[0011] Optionally, the step of detecting whether the website's actions have taken effect when it is detected that all responsible parties in the list of responsible parties have completed their actions includes: When it is detected that all alliance responsible parties in the list of responsible parties have completed their actions, it is checked whether the verification triggering conditions are met. If the verification trigger conditions are met, check whether the website's actions have taken effect.

[0012] Optionally, before detecting whether the website's actions have taken effect after detecting that all responsible parties in the list of responsible parties have completed their actions, the process further includes: The timing begins when the website's processing tasks are completed in parallel distribution. When the preset time is reached, check whether a successful processing response has been received from all alliance responsible parties in the list of responsible parties; If so, it is determined that all responsible parties in the alliance on the list of responsible parties have completed their actions.

[0013] Optionally, after detecting whether a successful processing response has been received from all alliance responsible parties in the responsible party list when the preset time is reached, the method further includes: If not, retrieve the historical retry count; If the number of historical retries does not reach the preset number, then it is determined that no feedback has been given to the responsible party. Update the historical retry count, distribute the website processing tasks in parallel to the parties that have not responded, restart the timing, and return to the step of checking whether a successful processing response has been received from all alliance parties in the list of responsible parties when the timing reaches the preset duration.

[0014] Optionally, determining the party responsible for not providing feedback if the historical retries have not reached a preset number includes: If the number of historical retries does not reach the preset number, the initial waiting time is exponentially increased by the number of historical retries to generate a retry waiting time. When the waiting time reaches the retry waiting time, the responsible party for not providing feedback is determined.

[0015] Optionally, the step of identifying responsibility for the risky website information and determining a list of responsible parties includes: Determine the risk type corresponding to the risky website information; Feature data is extracted from the risk website information based on the matching data type corresponding to the risk type; A list of responsible parties is determined based on the feature data and the matching rules corresponding to the risk types.

[0016] Furthermore, to achieve the above objectives, this application also proposes a website processing apparatus, which includes: The build module is used to construct website processing tasks based on the risky website information in the reported request; The determination module is used to identify the responsible parties by analyzing the risky website information. The distribution module is used to distribute the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0017] Optionally, the distribution module is further configured to detect whether the website's handling has taken effect when it is detected that all alliance responsible parties in the list of responsible parties have completed their handling; if the website's handling has taken effect, it is determined that the website's processing is complete, a processing report is generated, and the results are fed back based on the processing report.

[0018] Optionally, the distribution module is further configured to extract the website domain name from the website processing task; call the authoritative DNS interface based on the website domain name to determine the domain name resolution result; if the domain name resolution result is "suspend resolution", then determine that the website processing is effective.

[0019] Optionally, the distribution module is further configured to extract the website access path from the website processing task; generate a cache-free request header, and construct a website access request based on the cache-free request header and the website access path; access the risky website according to the website access request and obtain a website access response; if the response status code in the website access response is a website exception status code, then the website handling is deemed effective.

[0020] Optionally, the distribution module is further configured to extract a website access path from the website processing task; access a risky website according to the website access path to obtain website page data; extract the page visual features corresponding to the website page data; detect the feature similarity between the page visual features and the page feature information recorded in the website processing task; and determine that the website processing is effective if the feature similarity is less than a preset matching threshold.

[0021] Optionally, the distribution module is further configured to extract the risky website certificate from the website processing task; access the certificate issuer corresponding to the risky website certificate to obtain certificate status information; and if the certificate status information indicates that the certificate has expired, determine that the website processing is effective.

[0022] In addition, to achieve the above objectives, this application also proposes a website processing device, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the website processing method as described above.

[0023] In addition, to achieve the above objectives, this application also proposes a storage medium, which is a computer-readable storage medium, on which a computer program is stored, and which, when executed by a processor, implements the steps of the website processing method described above.

[0024] In addition, to achieve the above objectives, this application also proposes a computer program product comprising a computer program that, when executed by a processor, implements the steps of the website processing method described above.

[0025] One or more technical solutions proposed in this application have at least the following technical effects: Upon receiving reported information about risky websites, the system can automatically associate relevant alliance responsible parties, build a list of responsible parties, and distribute website processing tasks in parallel to each alliance responsible party in the list. This ensures that all parties involved in website processing carry out website processing synchronously, preventing attackers from bypassing website processing and improving network security. Attached Figure Description

[0026] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0027] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0028] Figure 1 This is a flowchart illustrating an embodiment of the website processing method described in this application. Figure 2 This is a flowchart illustrating Embodiment 2 of the website processing method of this application; Figure 3 This is a flowchart illustrating Embodiment 3 of the website processing method of this application; Figure 4 This is a schematic diagram of the module structure of the website processing device according to an embodiment of this application; Figure 5 This is a schematic diagram of the device structure of the hardware operating environment involved in the website processing method in this application embodiment.

[0029] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation

[0030] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.

[0031] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.

[0032] Based on this, the embodiments of this application provide a website processing method, referring to... Figure 1 , Figure 1 This is a flowchart illustrating the first embodiment of the website processing method of this application.

[0033] In this embodiment, the website processing method includes steps S10 to S30: Step S10: Construct a website processing task based on the risky website information in the reporting request.

[0034] It should be noted that the executing entity in this embodiment can be the website processing device or a cluster, system, or platform composed of multiple website processing devices. The website processing device can be a personal computer, server, or other electronic device, or other devices that can achieve the same or similar functions. This embodiment does not limit this. In this embodiment and the following embodiments, the website processing method of this application is described using a website processing device as an example.

[0035] It should be noted that a reporting request can be a request submitted to the website processing device by a participant in the risk website detection process when a risk website is detected.

[0036] Depending on their actual responsibilities, level of participation, or role, participants can be categorized into three main types: platform operators, customer users, and alliance member responsible parties. See the table below for details.

[0037] In practical use, since website processing devices need to handle multiple participants simultaneously, and these participants may vary significantly, the website processing devices can provide standardized reporting entry points to ensure that the reporting requests uploaded by each participant meet the requirements. For example, a reporting interface can be set up using RESTful API design specifications. Each participant can access the reporting interface through API interfaces, web forms, mini-programs, etc., and send reporting requests to report threat information. The risky website information (also known as the reporting content) in the reporting request uses a unified JSON format and can include fields such as website link (URL) / domain name / network address (IP), website certificate, website page screenshot evidence / page data, risk assessment conclusion, and assessment confidence score.

[0038] In practical use, when a website processing device receives a reporting request, it can perform format verification and deduplication on the risky website information in the reporting request (such as deduplication based on the website's domain name or URL), generate a globally unique task number for each reporting request (such as generating a 64-bit ID using the Snowflake algorithm), and calculate the file fingerprint (such as SHA-256 hash value) of the evidence file (such as website page screenshot evidence) for evidence storage. Then, the website processing task is constructed by combining the globally unique task number, file fingerprint, and risky website information.

[0039] Step S20: Identify the responsible parties for the risky website information.

[0040] In practical use, website processing equipment can analyze risky website information and determine all alliance responsible parties that need to participate in the handling of the risky website corresponding to the risky website information, thereby constructing a list of responsible parties.

[0041] In a specific implementation, in order to quickly determine the list of responsible parties, step S20 of this embodiment may include: Determine the risk type corresponding to the risky website information; Feature data is extracted from the risk website information based on the matching data type corresponding to the risk type; A list of responsible parties is determined based on the feature data and the matching rules corresponding to the risk types.

[0042] It should be noted that risk types can include various types such as domain name, IP address, and URL. More types can be set according to actual needs, and this embodiment does not impose any limitations on this. Specifically, risky website information can correspond to at least one risk type.

[0043] In practical use, the risk type can be determined based on the assessment conclusions in the risk website information, or based on the risk type identifier, or based on the information keywords contained in the risk website information. This embodiment does not impose any restrictions on this.

[0044] In practical use, different risk types can correspond to different matching data types. For example, the domain type corresponds to the domain name as the matching data type; the IP type corresponds to the IP information as the matching data type; and the URL type corresponds to the URL, email information, etc.

[0045] In practical use, feature data can be extracted from risk website information based on the matching data type corresponding to the risk type. Then, the target to be matched can be determined according to the matching rules corresponding to the risk type. After that, the feature data is matched with each target to determine the list of responsible parties.

[0046] For example, the matching data types for URL-related risk types are URLs and email information. The extracted feature data are the website URL of the risky website and the email address bound to the website. At this time, browser vendors, antivirus vendors, and content providers can be matched based on the URL, and corresponding email service providers can be matched based on the email address bound to the website. A list of responsible parties can be built based on the matched alliance responsible parties.

[0047] In practice, in some cases, the risk website information may also include an assessment confidence score. However, if the website processing device directly processes data with low confidence scores, it may lead to the wrongful blocking of the website. Therefore, the website processing device can first extract the assessment confidence score from the risk website information and determine whether to execute step S20 and whether manual intervention is required based on the assessment confidence score.

[0048] For example: if the confidence score is greater than 90, then proceed directly to step S20; if the confidence score is greater than 60 and less than or equal to 90, then manual intervention is required. If the assessment is successful, then proceed to step S20; if the confidence score is less than or equal to 60, then the confidence level is too low and the reporting request can be rejected directly without proceeding to the next step.

[0049] Step S30: Distribute the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0050] In practical use, after determining the list of responsible parties, website processing tasks can be distributed in parallel to each alliance responsible party in the list, so that each alliance responsible party in the list can execute the corresponding website handling process.

[0051] The website handling process can include at least IP blocking, server shutdown, domain name resolution suspension, antivirus blocking rule updates, removal of illegal content, account banning, and sharing blocking.

[0052] In practical applications, to facilitate transmission, the website processing device can convert website processing tasks into standardized forwarding instructions and send the forwarding instructions in parallel to each alliance responsible party in the responsible party list through a message queue. The alliance responsible party can then carry out the corresponding website processing procedure according to its responsibilities in the website processing alliance.

[0053] For example, the website processing device encapsulates website processing tasks into standardized forwarding instructions. The instructions may include parameter fields such as task number, original reporting party, threat risk identifier, visual evidence (such as screenshot evidence / page data), risk assessment conclusion, handling suggestions, and evidence file fingerprint. Then, during distribution, the responsible party list is traversed and sent concurrently to the alliance member responsible party queue through the message queue. The default maximum concurrent processing capacity is 100 lines per second. Upon receiving the forwarding instruction, each alliance member responsible for a specific task will execute differentiated website handling procedures based on their own business characteristics, for example: Domain registrars suspend domain name resolution; Carriers implement IP blocking; The cloud service provider shut down the servers; Browser vendors issue page alerts; Antivirus vendors are updating their blocking rules; Email service providers perform email filtering; Content providers will remove illegal content, ban accounts that distribute it, and block sharing links.

[0054] This embodiment provides a website processing method. Upon receiving reported risky website information, it can automatically associate relevant alliance responsible parties, construct a list of responsible parties, and distribute website processing tasks in parallel to each alliance responsible party in the list. This ensures that all parties involved in website processing carry out website processing synchronously, preventing attackers from bypassing website processing and improving network security.

[0055] Based on the first embodiment of this application, in the second embodiment of this application, the content that is the same as or similar to that in Embodiment 1 above can be referred to the above description, and will not be repeated hereafter. Based on this, please refer to... Figure 2 After step S30, steps S40-S50 may also be included: Step S40: When it is detected that all alliance responsible parties in the list of responsible parties have completed their actions, check whether the website's actions have taken effect.

[0056] It should be noted that if it is detected that all the alliance responsible parties in the responsible party list have completed the handling, it means that each alliance responsible party has executed the corresponding website handling process. However, in some cases, due to execution vulnerabilities or business issues of the alliance responsible parties, the website handling may not be effective. In order to minimize the possibility of attacks by attackers, after it is detected that all the alliance responsible parties in the responsible party list have completed the handling, it is possible to further check whether the website handling is effective.

[0057] In practical use, the website processing device can be equipped with multiple detection nodes. Each detection node can detect whether the website processing is effective in parallel. Specifically, the role of the detection nodes in determining the effectiveness of the overall website processing can be adjusted according to actual needs. For example, it can be set that if more than half of the detection nodes detect that the website processing is effective, then the website processing is considered effective. Alternatively, the system can be configured such that if more than a preset number of detection nodes detect that the website action is ineffective, then the website action is considered effective.

[0058] In a specific implementation, detecting whether the website action is effective can be done by detecting whether domain name resolution is truly suspended. In this case, the steps for detecting whether the website action is effective as described in this embodiment can include: Extract the website domain name from the website processing task; The authoritative DNS interface is invoked based on the website domain name to determine the domain name resolution result; If the domain name resolution result is "resolution suspended", then the website action is deemed effective.

[0059] It should be noted that the authoritative DNS interface can be the domain name resolution interface provided by an authoritative DNS server.

[0060] Specifically, website processing equipment administrators can pre-record the API access methods of the domain name resolution interface of the authoritative DNS server. Based on this, when it is necessary to detect whether domain name resolution is truly suspended, the website processing equipment can extract the website domain name from the website processing task, call the authoritative DNS interface based on the API access method and the website domain name, and receive the domain name resolution results fed back by the authoritative DNS interface.

[0061] Understandably, if the domain name resolution result is "suspended," it means that the domain name resolution for the risky website has been genuinely suspended, and therefore, the website action can be considered effective; conversely, if the result is "not effective," the website action can be considered ineffective.

[0062] In a specific implementation, detecting whether website measures are effective can involve checking whether the risky website is still accessible, i.e., checking whether IP blocking, server shutdown, etc., are truly effective. In this case, the steps for detecting whether website measures are effective as described in this embodiment can include: Extract the website access path from the website processing task; Generate a cache-free request header, and construct a website access request based on the cache-free request header and the website access path; Access the risky website based on the website access request and obtain the website access response; If the response status code in the website access response is a website exception status code, then the website action is deemed effective.

[0063] It should be noted that the website access path can be the access path (URL) of a risky website. In order to avoid the impact of caching on verification, the website processing device can construct a no-caching request header, and then construct a website access request based on the no-caching request header and the website access path. After that, the risky website is accessed according to the website access request, and the website access response is obtained. Finally, the response status code in the website access response can be checked to see if it is a website abnormal status code. If the response status code in the website access response is a website exception status code, it means that the risky website can no longer be accessed normally. It can be determined that the website measures such as IP blocking and server shutdown have taken effect, and therefore the website measures can be judged to be effective. Conversely, it can be judged that the website measures have not taken effect.

[0064] Among them, the website error status code can be preset by the administrator of the website processing equipment according to the network protocol used. For example, taking HTTP requests as an example, 404 and 502 indicate website errors, so 404 and 502 can be set as website error status codes.

[0065] For example: force the addition of Cache-Control: no-cache and Pragma: no-cache parameters to disable caching, construct a no-cache request header, construct a website access request based on the no-cache request header and the website access path, and at the same time randomly generate a User-Agent. Use the User-Agent to access the risky website with the website access request, obtain the website access response, and then check whether the response status code is 4xx or 5xx to verify whether the IP or URL has been blocked.

[0066] In a specific implementation, detecting whether the website's actions are effective can involve detecting whether the website's webpage content has undergone the expected changes, i.e., detecting whether the risky website has removed the risky content. In this case, the steps for detecting whether the website's actions are effective as described in this embodiment can include: Extract the website access path from the website processing task; Access the risky website based on the website access path to obtain website page data; Extract the visual features of the website page data; Detect the similarity between the visual features of the page and the page feature information recorded in the website processing task; If the feature similarity is less than the preset matching threshold, the website action is deemed effective.

[0067] It should be noted that in some cases, risky websites are not completely blocked, but only required to remove specific illegal or risky content. In this case, it is necessary to detect whether the page content of the risky website has changed accordingly. Therefore, the website access path can be extracted from the website processing task, and the risky website can be accessed based on the website access path to obtain the website page data. Then, the page visual features corresponding to the website page data can be extracted using a preset feature extraction algorithm. After that, the feature similarity between the page visual features and the page feature information recorded in the website processing task can be calculated. Understandably, if the feature similarity is greater than or equal to the preset matching threshold, it means that the page content of the risky website has changed very little, and it can be determined that the website handling has not been effective. If the feature similarity is less than the preset matching threshold, it means that the page content of the risky website has changed significantly, and the website action can be deemed effective.

[0068] The preset feature extraction algorithm can be a perceptual hash algorithm or other similar visual feature extraction algorithms; the preset matching threshold can be set in advance by the administrator of the website processing equipment.

[0069] For example: Set the preset matching threshold to 85%, access the risky website according to the website access path, capture page screenshots, use the perceptual hash algorithm to extract the visual features of the page, and compare them with the feature information of the risky page before the action to determine the feature similarity. If the feature similarity is greater than or equal to 85%, it is determined that the website action has not taken effect; if the feature similarity is less than 85%, it is determined that the website action has taken effect.

[0070] In a specific implementation, detecting whether the website action is effective can be done by checking whether the website's certificate has expired. Therefore, the steps for detecting whether the website action is effective as described in this embodiment may include: Extract the risky website certificate from the website processing task; Access the certificate issuer corresponding to the certificate of the risky website to obtain the certificate status information; If the certificate status information indicates that the certificate has expired, then the website's action is deemed effective.

[0071] It should be noted that if the website action is effective, the risk website certificate of the website that won the bet should be updated to an invalid state. Therefore, the risk website certificate can be extracted from the website action task first. Next, visit the certificate issuer corresponding to the risky website certificate to determine the current status of the risky website certificate and obtain the certificate status information.

[0072] Understandably, if the certificate status information indicates that the certificate has expired, it means that the previous website action has taken effect, and therefore, the website action can be deemed effective.

[0073] In practical applications, when detecting whether the website's actions have taken effect, the probe node can execute any of the methods mentioned above. Of course, multiple methods can be executed simultaneously. When multiple methods are executed, the probe node can only determine that the website action is truly effective if all detection results indicate that the website action is effective.

[0074] In practical implementation, due to delays in caching or data exchange between various alliance parties, website processing may take a certain amount of time to truly take effect. Therefore, it can be detected some time after the website processing is completed. In this case, detecting whether the website processing has taken effect needs to be performed after a certain period of time has elapsed since the website processing was completed. At this time, step S40 of this embodiment may include: When it is detected that all alliance responsible parties in the list of responsible parties have completed their actions, it is checked whether the verification triggering conditions are met. If the verification trigger conditions are met, check whether the website's actions have taken effect.

[0075] It should be noted that the verification trigger conditions can be preset by the administrators of the website processing equipment. For example, the conditions can be set to be met 1 hour, 24 hours, or 72 hours after the website processing is completed.

[0076] In practical use, in some cases, after the website action is actually effective, attackers may take other measures to restore the operation of the risky website. In order to ensure that detection can still be carried out in this case, detection can be carried out at multiple different times. In this case, it can be set to determine whether the verification trigger condition is met 1 hour, 24 hours and 72 hours after the website action is completed.

[0077] If the detection is set to be performed at multiple different times, the task rollback mechanism can be triggered if the website processing is found to be ineffective at any time. At this time, the execution step S30 can be returned to perform the website processing again.

[0078] Step S50: If the website action is effective, the website action is considered complete, a action report is generated, and the results are fed back based on the action report.

[0079] Understandably, if the website action is effective, the website action can be considered complete. At this point, a action report can be generated, and feedback can be provided based on the action report to inform the submitting party that the website action has been completed.

[0080] The processing report may include specific handling methods, namely the website handling process and status information carried out by each alliance member responsible party. If necessary, it may also include task information of the website handling task. Feedback can be provided by sending a processing report to the party that initiated the reporting request, or by sending the processing report to all parties involved in the website's processing flow, such as the party that initiated the request or the responsible party in the alliance. If necessary, the website can also include a task status indicator in the task processing information. In this case, the task status indicator in the website can be changed to "task completed".

[0081] In actual use, if the website processing is found to be ineffective, a task rollback is required. In this case, you can return to step S30 and try to process the website again.

[0082] In practical applications, website processing equipment can also record and trace the entire process log. For example, the equipment records key operations such as reporting requests, matching responsible parties, distributing website processing tasks, handling websites by various alliance responsible parties, and verifying whether the website handling is effective. It constructs logs by recording operation timestamps, operation content, and evidence hash values, and writes the constructed logs to a blockchain-based evidence storage platform to ensure immutability. It can then support precise retrieval by task number and return complete handling chain information, providing technical evidence for post-event traceability.

[0083] This embodiment provides a website processing method. After the website is processed, the method is verified to determine whether the processing is truly effective and to ensure that the risky website is effectively blocked.

[0084] Based on the first embodiment of this application, in the second embodiment of this application, the content that is the same as or similar to that in Embodiment 1 above can be referred to the above description, and will not be repeated hereafter. Based on this, please refer to... Figure 2 Before step S40, steps S31-S33 are also included: Step S31: Start timing when the website processing task is completed in parallel distribution.

[0085] It should be noted that, in order to ensure that the alliance's responsible party has taken action on the website, a timer can be started when the website processing task is completed in parallel distribution.

[0086] Step S32: When the timer reaches the preset duration, check whether a successful processing response has been received from all alliance responsible parties in the list of responsible parties.

[0087] It should be noted that the preset duration can be set in advance by the administrator of the website processing equipment, for example, the preset duration can be set to 30 seconds.

[0088] Understandably, if the timer reaches 30 seconds, it indicates that the maximum waiting time for response feedback under normal circumstances has been reached. At this point, it is possible to check whether a successful processing response has been received from all the alliance responsible parties in the list of responsible parties.

[0089] Step S33: If yes, it is determined that all responsible parties in the alliance in the list of responsible parties have completed their actions.

[0090] It is understandable that if a successful response is received from all the alliance responsible parties in the list of responsible parties, it means that all the alliance responsible parties in the list of responsible parties have performed the corresponding website handling and provided the corresponding response. Therefore, it can be determined that the handling of each alliance responsible party in the list of responsible parties has been completed, and at this time step S40 and subsequent steps can be executed.

[0091] In a specific implementation, to ensure that the website processing can be completed as much as possible, after step S32 in this embodiment, the following may also be included: If not, retrieve the historical retry count; If the number of historical retries does not reach the preset number, then it is determined that no feedback has been given to the responsible party. Update the historical retry count, distribute the website processing tasks in parallel to the parties that have not responded, restart the timing, and return to the step of checking whether a successful processing response has been received from all alliance parties in the list of responsible parties when the timing reaches the preset duration.

[0092] It should be noted that if no successful processing response is received from all the alliance responsible parties in the responsible party list, it means that at least one alliance responsible party in the responsible party list has not responded with a successful processing response. This may be because the alliance responsible party has not successfully processed the website, or it may be that it has not actually received the website processing task. In this case, you can first check whether a retry has been performed before, so you can obtain the historical number of retries.

[0093] In actual use, if the number of historical retries has not reached the preset number, it means that the number of retries has not exceeded the limit. Therefore, the party responsible for not providing feedback can be identified, the number of historical retries can be incremented by one, the website processing task can be redistributed to the party responsible for not providing feedback, the timer can be restarted, and the process can return to step S32.

[0094] The preset number of attempts can be set in advance by the administrator of the website processing equipment, for example, setting the preset number of attempts to 3.

[0095] In specific implementation, to minimize the possibility of missing responses from responsible parties within the alliance, the step of determining the party that has not responded if the historical retries have not reached a preset number, as described in this embodiment, may include: If the number of historical retries does not reach the preset number, the initial waiting time is exponentially increased by the number of historical retries to generate a retry waiting time. When the waiting time reaches the retry waiting time, the responsible party for not providing feedback is determined.

[0096] It should be noted that, in order to avoid missing the responses of the alliance's responsible parties and to prevent them from repeatedly performing website processing, we can try to wait for a longer period of time before resending the website processing task. This waiting time can increase with the number of retries. Based on this, an exponential growth model can be adopted. In this case, the initial waiting time can be exponentially increased by using the historical number of retries as the exponent. It can be characterized as: tw=ts*2 n In the formula, tw is the retry waiting time, ts is the initial waiting time, and n is the number of historical retries.

[0097] For example: if the initial waiting time is 5 seconds, and the first transmission has 0 historical retries, then the retry waiting time is 5 * 2. 0 =5 seconds; for the second transmission, the historical retry count is 1, and the retry waiting time is 5*2. 1 =10 seconds; the third time it is sent, the historical retry count is 2, and the retry waiting time is 5*2. 2 =20 seconds, and so on.

[0098] This embodiment provides a website processing method. After sending website processing tasks in parallel, this embodiment also detects the responses of each alliance responsible party. If no response is received within the timeout period, it attempts to resend the website processing task to ensure the successful execution of website processing as much as possible.

[0099] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the website processing method of this application. Any simple modifications based on this technical concept are within the protection scope of this application.

[0100] This application also provides a website processing device, please refer to... Figure 4 The website processing device includes: Module 10 is used to construct website processing tasks based on the risky website information in the reported request; Module 20 is used to identify the responsible parties by analyzing the risky website information. The distribution module 30 is used to distribute the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0101] The website processing apparatus provided in this application, employing the website processing method described in the above embodiments, can solve the technical problem that the processing of related technologies' website processing is not interconnected, allowing attackers to bypass website processing and continue their attacks. Compared with the prior art, the beneficial effects of the website processing apparatus provided in this application are the same as those of the website processing method provided in the above embodiments, and other technical features in the website processing apparatus are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.

[0102] This application provides a website processing device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, which are executed by the at least one processor to enable the at least one processor to perform the website processing method in Embodiment 1 above.

[0103] The following is for reference. Figure 5 The diagram illustrates a structural schematic of a website processing device suitable for implementing embodiments of this application. The website processing device in these embodiments may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. Figure 5 The website processing device shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.

[0104] like Figure 5 As shown, the website processing device may include a processing unit 1001 (e.g., a central processing unit, a graphics processing unit, etc.), which can perform various appropriate actions and processes according to a program stored in a read-only memory 1002 or a program loaded from a storage device 1003 into a random access memory 1004. The random access memory 1004 also stores various programs and data required for the operation of the website processing device. The processing unit 1001, the read-only memory 1002, and the random access memory 1004 are interconnected via a bus 1005. An input / output interface 1006 is also connected to the bus. Typically, the following systems can be connected to the input / output interface 1006: input devices 1007 including, for example, a touchscreen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; output devices 1008 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 1003 including, for example, magnetic tape, hard disk, etc.; and communication devices 1009. Communication device 1009 allows the website processing device to communicate wirelessly or wiredly with other devices to exchange data. Although the figures show website processing devices with various systems, it should be understood that implementation or possession of all the systems shown is not required. More or fewer systems may be implemented alternatively.

[0105] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from read-only memory 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.

[0106] The website processing device provided in this application, employing the website processing method described in the above embodiments, can solve the technical problem that the processing of related technologies' website processing is not interconnected, allowing attackers to bypass website processing and continue their attacks. Compared with the prior art, the beneficial effects of the website processing device provided in this application are the same as those of the website processing method provided in the above embodiments, and other technical features in this website processing device are the same as those disclosed in the previous embodiment method, and will not be repeated here.

[0107] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.

[0108] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0109] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon. The computer-readable program instructions are used to execute the related technical website processing in the above embodiments. The actions of the parties involved are not interconnected, which allows attackers to bypass website processing and continue to carry out attack methods.

[0110] The computer-readable storage medium provided in this application may be, for example, a USB flash drive, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems or devices, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.

[0111] The aforementioned computer-readable storage medium may be included in the website processing device; or it may exist independently and not assembled into the website processing device.

[0112] The aforementioned computer-readable storage medium carries one or more programs that, when executed by a website processing device, cause the website processing device to: construct a website processing task based on the risk website information in the reporting request; identify the responsibility for the risk website information and determine a list of responsible parties; and distribute the website processing task in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0113] Computer program code for performing the operations of this application can be written in one or more programming languages ​​or a combination thereof. These programming languages ​​include object-oriented programming languages—such as Python, Java, Smalltalk, and C++—and conventional procedural programming languages—such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0114] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0115] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.

[0116] The readable storage medium provided in this application is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described website processing method. This addresses the technical problem that the processing methods of participating parties in related technical website processing are not interconnected, allowing attackers to bypass website processing and continue their attacks. Compared to the prior art, the beneficial effects of the computer-readable storage medium provided in this application are the same as those of the website processing method provided in the above embodiments, and will not be elaborated upon here.

[0117] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the website processing method described above.

[0118] The computer program product provided in this application can solve the technical problem that the processing of related technical website processes is not interconnected, allowing attackers to bypass website processing and continue their attacks. Compared with the prior art, the beneficial effects of the computer program product provided in this application are the same as those of the website processing methods provided in the above embodiments, and will not be repeated here.

[0119] All user-related data involved in this application (such as user privacy data, user behavior data, etc.) were obtained with the user's permission or consent; that is to say, when this application is used in a specific product or technology, user permission is required to obtain and process the relevant data, and the processing of the relevant data must comply with the relevant laws, regulations and regulatory standards of the relevant countries and regions.

[0120] The above description is only a part of the embodiments of this application and does not limit the scope of protection of this application. All equivalent structural transformations made under the technical concept of this application and using the content of this application specification and drawings, or direct / indirect applications in other related technical fields, are included in the scope of protection of this application.

[0121] This application also discloses A1, a website processing method, the website processing method comprising: Construct website processing tasks based on the risky website information in the reported request; The responsible parties for the aforementioned risky website information will be identified and a list of responsible parties will be compiled. The website processing tasks are distributed in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0122] A2. The website processing method as described in A1, after distributing the website processing tasks in parallel to each alliance responsible party in the responsible party list, further includes: Once it is detected that all responsible parties in the alliance in the aforementioned list have completed their actions, the website will check whether the actions have taken effect. If the website action is effective, the website action is considered complete, a action report is generated, and the results are fed back based on the action report.

[0123] A3. The website processing method as described in A2, wherein detecting whether the website processing is effective includes: Extract the website domain name from the website processing task; The authoritative DNS interface is invoked based on the website domain name to determine the domain name resolution result; If the domain name resolution result is "resolution suspended", then the website action is deemed effective.

[0124] A4. The website processing method as described in A2, wherein detecting whether the website processing is effective includes: Extract the website access path from the website processing task; Generate a cache-free request header, and construct a website access request based on the cache-free request header and the website access path; Access the risky website based on the website access request and obtain the website access response; If the response status code in the website access response is a website exception status code, then the website action is deemed effective.

[0125] A5. The website processing method as described in A2, wherein detecting whether the website processing is effective includes: Extract the website access path from the website processing task; Access the risky website based on the website access path to obtain website page data; Extract the visual features of the website page data; Detect the similarity between the visual features of the page and the page feature information recorded in the website processing task; If the feature similarity is less than the preset matching threshold, the website action is deemed effective.

[0126] A6. The website processing method as described in A2, wherein detecting whether the website processing is effective includes: Extract the risky website certificate from the website processing task; Access the certificate issuer corresponding to the certificate of the risky website to obtain the certificate status information; If the certificate status information indicates that the certificate has expired, then the website's action is deemed effective.

[0127] A7. The website processing method as described in A2, wherein when it is detected that all alliance responsible parties in the list of responsible parties have completed their processing, detecting whether the website processing has taken effect includes: When it is detected that all alliance responsible parties in the list of responsible parties have completed their actions, it is checked whether the verification triggering conditions are met. If the verification trigger conditions are met, check whether the website's actions have taken effect.

[0128] A8. The website processing method as described in A2, before detecting whether the website processing has taken effect after detecting that all alliance responsible parties in the list of responsible parties have completed their processing, further includes: The timing begins when the website's processing tasks are completed in parallel distribution. When the preset time is reached, check whether a successful processing response has been received from all alliance responsible parties in the list of responsible parties; If so, it is determined that all responsible parties in the alliance on the list of responsible parties have completed their actions.

[0129] A9. The website processing method as described in A8, after detecting whether a successful processing response has been received from all alliance responsible parties in the responsible party list when the timer reaches the preset duration, further includes: If not, retrieve the historical retry count; If the number of historical retries does not reach the preset number, then it is determined that no feedback has been given to the responsible party. Update the historical retry count, distribute the website processing tasks in parallel to the parties that have not responded, restart the timing, and return to the step of checking whether a successful processing response has been received from all alliance parties in the list of responsible parties when the timing reaches the preset duration.

[0130] A10. The website processing method as described in A9, wherein determining the party responsible for not providing feedback if the historical retries have not reached a preset number includes: If the number of historical retries does not reach the preset number, the initial waiting time is exponentially increased by the number of historical retries to generate a retry waiting time. When the waiting time reaches the retry waiting time, the responsible party for not providing feedback is determined.

[0131] A11. The website processing method as described in any one of A1-A10, wherein the step of identifying responsibility for the risky website information and determining a list of responsible parties includes: Determine the risk type corresponding to the risky website information; Feature data is extracted from the risk website information based on the matching data type corresponding to the risk type; A list of responsible parties is determined based on the feature data and the matching rules corresponding to the risk types.

[0132] This application also discloses B12, a website processing apparatus, the website processing apparatus comprising: The build module is used to construct website processing tasks based on the risky website information in the reported request; The determination module is used to identify the responsible parties by analyzing the risky website information. The distribution module is used to distribute the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

[0133] B13. The website processing device as described in B12, wherein the distribution module is further configured to detect whether the website processing is effective when it is detected that all alliance responsible parties in the list of responsible parties have completed the processing; if the website processing is effective, the website processing is determined to be complete, a processing report is generated, and the result is fed back based on the processing report.

[0134] B14. The website processing apparatus as described in B13, wherein the distribution module is further configured to extract the website domain name from the website processing task; call the authoritative DNS interface according to the website domain name to determine the domain name resolution result; and if the domain name resolution result is "suspend resolution", then determine that the website processing is effective.

[0135] B15. The website processing apparatus as described in B13, wherein the distribution module is further configured to extract a website access path from the website processing task; generate a cache-free request header, and construct a website access request based on the cache-free request header and the website access path; access a risky website according to the website access request, and obtain a website access response; if the response status code in the website access response is a website exception status code, then the website handling is deemed effective.

[0136] B16. The website processing apparatus as described in B13, wherein the distribution module is further configured to extract a website access path from the website processing task; access a risky website according to the website access path to obtain website page data; extract the page visual features corresponding to the website page data; detect the feature similarity between the page visual features and the page feature information recorded in the website processing task; and determine that the website processing is effective if the feature similarity is less than a preset matching threshold.

[0137] B17. The website processing apparatus as described in B13, wherein the distribution module is further configured to extract the risky website certificate from the website processing task; access the certificate issuer corresponding to the risky website certificate to obtain certificate status information; and if the certificate status information indicates that the certificate has expired, determine that the website processing is effective.

[0138] This application also discloses C18, a website processing device, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the website processing method as described above.

[0139] This application also discloses D19, a storage medium, which is a computer-readable storage medium, on which a computer program is stored, and which, when executed by a processor, implements the steps of the website processing method described above.

[0140] This application also discloses E20, a computer program product comprising a computer program that, when executed by a processor, implements the steps of the website processing method described above.

Claims

1. A website processing method, characterized in that, The website processing method includes: Construct website processing tasks based on the risky website information in the reported request; The responsible parties for the aforementioned risky website information will be identified and a list of responsible parties will be compiled. The website processing tasks are distributed in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

2. The website processing method as described in claim 1, characterized in that, After distributing the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, the method further includes: Once it is detected that all responsible parties in the alliance in the aforementioned list have completed their actions, the website will check whether the actions have taken effect. If the website action is effective, the website action is considered complete, a action report is generated, and the results are fed back based on the action report.

3. The website processing method as described in claim 2, characterized in that, Whether the measures taken by the detection website are effective includes: Extract the website domain name from the website processing task; The authoritative DNS interface is invoked based on the website domain name to determine the domain name resolution result; If the domain name resolution result is "resolution suspended", then the website action is deemed effective.

4. The website processing method as described in claim 2, characterized in that, Whether the measures taken by the detection website are effective includes: Extract the website access path from the website processing task; Generate a cache-free request header, and construct a website access request based on the cache-free request header and the website access path; Access the risky website based on the website access request and obtain the website access response; If the response status code in the website access response is a website exception status code, then the website action is deemed effective.

5. The website processing method as described in claim 2, characterized in that, Whether the measures taken by the detection website are effective includes: Extract the website access path from the website processing task; Access the risky website based on the website access path to obtain website page data; Extract the visual features of the website page data; Detect the similarity between the visual features of the page and the page feature information recorded in the website processing task; If the feature similarity is less than the preset matching threshold, the website action is deemed effective.

6. The website processing method as described in claim 2, characterized in that, Whether the measures taken by the detection website are effective includes: Extract the risky website certificate from the website processing task; Access the certificate issuer corresponding to the certificate of the risky website to obtain the certificate status information; If the certificate status information indicates that the certificate has expired, then the website's action is deemed effective.

7. A website processing device, characterized in that, The website processing device includes: The build module is used to construct website processing tasks based on the risky website information in the reported request; The determination module is used to identify the responsible parties by analyzing the risky website information. The distribution module is used to distribute the website processing tasks in parallel to each alliance responsible party in the list of responsible parties, so that each alliance responsible party in the list of responsible parties can execute the corresponding website handling process.

8. A website processing device, characterized in that, The device includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the website processing method as described in any one of claims 1 to 6.

9. A storage medium, characterized in that, The storage medium is a computer-readable storage medium, and a computer program is stored on the storage medium. When the computer program is executed by a processor, it implements the steps of the website processing method as described in any one of claims 1 to 6.

10. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the steps of the website processing method as described in any one of claims 1 to 6.