WO2018099219A1 - Method and device for detecting phishing website - Google Patents

Info

Publication number: WO2018099219A1
Authority: WO, WIPO (PCT)
Prior art keywords: detected, certificate, https, url, determining
Legal status: Ceased (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: PCT/CN2017/107865
Other languages: French (fr), Chinese (zh)
Inventor: 杨阳, 胡景秀, 陈舟, 尹亚伟
Current Assignee: China Unionpay Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Unionpay Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Definitions

  • The present application claims priority to Chinese patent application No. 201611076447.2, entitled "A phishing website detection method and apparatus", filed with the Intellectual Property Office of the People's Republic of China on November 29, 2016, the entire contents of which are incorporated herein by reference.
  • The present invention relates to the field of communications technologies, and in particular, to a phishing website detecting method and apparatus.
  • Phishing websites usually pretend to be bank and e-commerce websites, stealing private information such as bank accounts and passwords submitted by users.
  • A malicious attacker provides a seemingly normal bank or financial website domain name to the victim through pseudo base stations, phishing emails, etc., and tricks the user into entering sensitive information such as name, password, card number and ID number on the phishing website.
  • The existing tools for detecting phishing websites mainly use blacklists, whitelists, heuristic analysis and other techniques to identify the URLs of phishing websites. If the domain name of the Uniform Resource Locator (URL) is incorrect, the blacklist and whitelist phishing detection technologies are used for detection.
  • The blacklist-based phishing detection technology uses a database constructed from known wrong URLs to determine whether the target website is a phishing website, but because phishing websites are often short-lived and the blacklist has to be updated in a timely manner, phishing is very difficult to prevent. The whitelist-based phishing website detection technology uses a database constructed from trusted website addresses to determine whether the target website is a legitimate website. Due to the large number of trusted website addresses, if the legitimate website accessed by the user has not been added to the database, the legitimate website may be misjudged as a phishing website.
  • The heuristic-analysis phishing detection technology mainly compares the similarity between the target website and the legitimate website to determine whether the target website is a phishing website, but this detection method is easily bypassed by some deceptions, resulting in a certain degree of missed detection of phishing websites.
  • In the prior art, whether the target website is a phishing website is detected according to the URL to be detected or according to the similarity between the page layout of the target website and that of the legitimate website. When domain name system (DNS) hijacking, traffic hijacking, and Secure Hypertext Transfer Protocol (HTTPS) man-in-the-middle techniques are used, the domain name corresponding to the URL to be detected is a legitimate domain name and the similarity between the target website and the legitimate website is extremely high, so the methods in the prior art cannot effectively determine whether the target website is a phishing website. Therefore, there is a need for a phishing website detection method that effectively detects whether the target website that the user is visiting is a phishing website when the domain name of the URL to be detected is a legitimate domain name.
  • The embodiment of the invention provides a method and a device for detecting a phishing website, which are used to effectively detect whether a target website that the user is visiting is a phishing website when the domain name of the URL to be detected is a legitimate domain name.
  • The embodiment of the present invention provides a method for detecting a phishing website, including: acquiring a URL to be detected of a target website, where the domain name corresponding to the URL to be detected is a legitimate domain name; acquiring, from the target website, an HTTPS certificate to be detected corresponding to the URL to be detected; acquiring, from the server corresponding to the domain name of the URL to be detected, a legitimate HTTPS certificate corresponding to the domain name of the URL to be detected; and determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website.
  • The determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website includes: if it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match, determining that the target website is a normal website.
  • The determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website includes: if it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate: when it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, that the HTTPS certificate to be detected is valid at the current time according to the validity period of the certificate in the HTTPS certificate to be detected, and that the HTTPS certificate to be detected is not revoked according to the information in the HTTPS certificate to be detected on whether the certificate is revoked, determining that the target website is a normal website.
  • The determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website includes: if it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate: when it is determined that the HTTPS certificate to be detected satisfies at least one of the first preset conditions, determining that the target website is a phishing website; wherein the first preset conditions include: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; the HTTPS certificate to be detected is determined to be invalid at the current time according to the validity period of the certificate in the HTTPS certificate to be detected; the HTTPS certificate to be detected is determined to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate is revoked.
  • The method further includes: determining that the URL to be detected uses HTTPS.
  • The method further includes: when it is determined that the URL to be detected does not use HTTPS, reporting alarm information, where the alarm information is used to indicate that the target website is dangerous.
  • The method further includes: determining that the URL to be detected meets any one or more of the second preset conditions, wherein the second preset conditions include: the domain name of the URL to be detected matches at least one preset URL domain name; at least one of the attribute-class keywords in the acquired webpage source code corresponding to the URL to be detected matches a preset attribute-class keyword; at least one of the input-class keywords in the acquired webpage source code corresponding to the URL to be detected matches a preset input-class keyword.
  • The phishing website detecting apparatus includes: an obtaining unit, configured to acquire a URL to be detected of a target website, where the domain name corresponding to the URL to be detected is a legitimate domain name; to obtain, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected; and to obtain, from the server corresponding to the domain name of the URL to be detected, a legitimate HTTPS certificate corresponding to the domain name of the URL to be detected; and a processing unit, configured to determine, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website.
  • The processing unit is configured to determine that the target website is a normal website if it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match.
  • The processing unit is configured to: when it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate, and it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, that the HTTPS certificate to be detected is valid at the current time according to the validity period of the certificate in the HTTPS certificate to be detected, and that the HTTPS certificate to be detected is not revoked according to the information in the HTTPS certificate to be detected on whether the certificate is revoked, determine that the target website is a normal website.
  • The processing unit is configured to: when it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate, and it is determined that the HTTPS certificate to be detected satisfies at least one of the first preset conditions, determine that the target website is a phishing website; wherein the first preset conditions include: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; the HTTPS certificate to be detected is determined to be invalid at the current time according to the validity period of the certificate in the HTTPS certificate to be detected; the HTTPS certificate to be detected is determined to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate is revoked.
  • The processing unit is further configured to: determine that the URL to be detected uses HTTPS.
  • The processing unit is further configured to: when it is determined that the URL to be detected does not use HTTPS, report alarm information, where the alarm information is used to indicate that the target website is dangerous.
  • The processing unit is further configured to: determine that the URL to be detected meets any one or more of the second preset conditions, where the second preset conditions include: the domain name of the URL to be detected matches at least one preset URL domain name; at least one of the attribute-class keywords in the acquired webpage source code corresponding to the URL to be detected matches a preset attribute-class keyword; at least one of the input-class keywords in the acquired webpage source code corresponding to the URL to be detected matches at least one of the preset input-class keywords.
  • An embodiment of the present invention provides a phishing website detecting apparatus, including a processor and a memory;
  • the memory is configured to store an executable program;
  • the processor is configured to read an executable program in the memory and execute:
  • An embodiment of the present invention provides a non-transitory computer readable storage medium, where the non-transitory computer readable storage medium stores computer instructions for causing the computer to perform the method of the first aspect or of any possible implementation of the first aspect.
  • An embodiment of the present invention provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect.
  • The HTTPS certificate to be detected corresponding to the URL to be detected is obtained from the target website. Because the domain name of the URL to be detected is correct, the legitimate HTTPS certificate corresponding to the URL to be detected can be obtained; the domain name of one URL corresponds to one legitimate HTTPS certificate.
  • The legitimate HTTPS certificate corresponding to the domain name of the URL to be detected is obtained from the server corresponding to the domain name of the URL to be detected, and according to the HTTPS certificate to be detected and the legitimate HTTPS certificate, it can be effectively detected whether the target website that the user is visiting is a phishing website.
  • FIG. 1 is a schematic structural diagram of a system for detecting a phishing website according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a method for detecting a phishing website according to an embodiment of the present invention
  • FIG. 3 is a schematic flowchart of another method for detecting a phishing website according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a phishing website detecting apparatus according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of another phishing website detecting apparatus according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram showing the system architecture of the phishing website detection according to the embodiment of the present invention.
  • The phishing website detection system architecture 100 applicable to the embodiment of the present invention includes a server 101, a server 102, a terminal 103, and a phishing website detecting device 104; the server 101, the server 102, and the terminal 103 may be connected by a wireless connection, a wired connection or other means; the server 101, the server 102, and the phishing website detecting device 104 may also be connected by a wireless connection, a wired connection or other means.
  • The server 101 is the server corresponding to the target website, the server 102 is the server corresponding to the domain name of the URL to be detected, and the phishing website detecting device 104 is installed in the terminal 103.
  • The terminal 103 transmits the URL for accessing the target website to the server 101, and after receiving the URL, the server 101 transmits the web page content corresponding to the URL, such as the web page source code, to the terminal 103.
  • The phishing website detecting device 104 can obtain the HTTPS certificate to be detected from the server 102; the phishing website detecting device 104 can obtain the legitimate HTTPS certificate corresponding to the domain name of the URL from the server 102. For example, if the target website is Baidu, the URL corresponding to Baidu is https://www.baidu.com/, and the domain name of the URL is www.baidu.com.
  • The terminal 103 may be a mobile phone, a tablet computer, a computer, or the like; optionally, the phishing website detecting device 104 may be installed in the terminal 103 to detect whether the target website accessed by the terminal is a phishing website; the phishing website detecting device 104 can be a UnionPay program plug-in or a security guard application.
  • FIG. 2 is a schematic flowchart diagram of a method for detecting a phishing website according to an embodiment of the present invention.
  • A method for detecting a phishing website includes the following steps:
  • Step S201: The phishing website detecting device acquires the uniform resource locator (URL) to be detected of the target website; the domain name corresponding to the URL to be detected is a legitimate domain name;
  • Step S202: The phishing website detecting device acquires, from the target website, a Secure Hypertext Transfer Protocol (HTTPS) certificate to be detected corresponding to the URL to be detected;
  • Step S203: The phishing website detecting device acquires a legitimate HTTPS certificate corresponding to the domain name of the URL to be detected from the server corresponding to the domain name of the URL to be detected;
  • Step S204: The phishing website detecting device determines, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website.
  • The legitimate domain name is the correct domain name of the target website that the user expects to access. For example, the target website that the user currently expects to visit is ICBC, and the URL to be detected input by the user is http://www.icbc.com.cn/icbc/; the domain name of the URL to be detected is www.icbc.com.cn, which is the correct domain name of Industrial and Commercial Bank of China and is therefore a legitimate domain name.
  • The target website is the website that the user expects to visit: Industrial and Commercial Bank of China. In complex phishing scenarios such as DNS hijacking, traffic hijacking and HTTPS man-in-the-middle, the prior art cannot effectively detect whether the target website corresponding to the legitimate domain name of the URL to be detected is a phishing website, whereas the method provided by the embodiment of the present invention can effectively detect whether the target website corresponding to the legitimate domain name of the URL to be detected currently accessed by the user is a phishing website.
  • Taking the UnionPay program plug-in as an example of the phishing website detecting device, the UnionPay program plug-in uses the Transport Layer Security (TLS) protocol to connect securely to the UnionPay backend server. The UnionPay backend server looks up the legitimate HTTPS certificate according to the domain name of the URL to be detected: if its own cache database holds the legitimate HTTPS certificate, that certificate is sent directly to the UnionPay program plug-in to verify the validity of the HTTPS certificate to be detected; if its own cache database does not hold the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected, the UnionPay backend server actively accesses the URL to be detected, obtains the legitimate HTTPS certificate corresponding to the URL to be detected from the server corresponding to the domain name of the URL to be detected, stores the legitimate HTTPS certificate in its own cache database, and sends the legitimate HTTPS certificate corresponding to the URL to be detected to the UnionPay program plug-in.
  • To ensure the timeliness of its own cache database, the UnionPay backend server periodically verifies whether each HTTPS certificate in its own cache database has been revoked or is outside its validity period. If an HTTPS certificate has been revoked or is outside its validity period, it is marked as an invalid HTTPS certificate.
  • Each of the HTTPS certificate to be detected and the legitimate HTTPS certificate includes a plurality of key factors such as a certificate issuer identifier, a certificate validity period, a certificate serial number, and a certificate signature. The preset information items may include any one of the key factors, for example, the certificate issuer identifier is used as the preset information item. The preset information items may also include any N of the key factors, where N is an integer greater than 1: for example, the certificate issuer identifier and the certificate validity period are used as the preset information items; for another example, the certificate issuer identifier and the certificate serial number are used as the preset information items; for yet another example, the certificate issuer identifier, the certificate serial number, and the certificate signature are used as the preset information items.
  • The HTTPS certificate to be detected corresponding to the URL to be detected is obtained from the target website. Because the domain name of the URL to be detected is correct, the legitimate HTTPS certificate corresponding to the URL to be detected can be obtained; the domain name of one URL corresponds to one legitimate HTTPS certificate.
  • The legitimate HTTPS certificate corresponding to the domain name of the URL to be detected is obtained from the server corresponding to the domain name of the URL to be detected, and according to the HTTPS certificate to be detected and the legitimate HTTPS certificate, it can be effectively detected whether the target website that the user is visiting is a phishing website.
  • The determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website includes: if it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match, determining that the target website is a normal website.
  • When the preset information items include one key factor, for example, the preset information item is the certificate issuer identifier, and it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, the target website is determined to be a normal website. Optionally, when the preset information items include N key factors, for example, N is equal to 2 and the two key factors included in the preset information items are the certificate issuer identifier and the certificate serial number, the target website is determined to be a normal website when it is determined that the certificate issuer identifier and the certificate serial number included in the HTTPS certificate to be detected both match the certificate issuer identifier and the certificate serial number included in the legitimate HTTPS certificate. For another example, N is equal to 4 and the four key factors included in the preset information items are the certificate issuer identifier, the certificate validity period, the certificate serial number, and the certificate signature; the target website is determined to be a normal website when it is determined that the certificate issuer identifier, the certificate validity period, the certificate serial number, and the certificate signature included in the HTTPS certificate to be detected all match those included in the legitimate HTTPS certificate.
  • If it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate, the target website is determined to be a phishing website.
  • N is equal to 2
  • the four key factors included in the preset information item are the certificate issuer identifier and the certificate serial number, and the certificate included in the HTTPS certificate to be detected is determined.
  • The phishing website detecting device can determine whether the HTTPS certificate to be detected is a legitimate certificate according to whether the preset information items included in the HTTPS certificate to be detected and in the legitimate HTTPS certificate match completely, thereby effectively determining whether the target website is a normal website. If it is determined that the HTTPS certificate to be detected is a legitimate certificate, the target website is determined to be a normal website, and the terminal can browse the web page corresponding to the URL to be detected normally; if it is determined that the HTTPS certificate to be detected is not a legitimate certificate, the target website is determined to be a phishing website, alarm information is reported, and the user is reminded not to continue accessing the web page corresponding to the URL to be detected, to avoid the disclosure of personal information.
  • The method provided in the embodiment of the present invention does not need to perform a blacklist or whitelist query of the URL to be detected, so the detection result is not affected by the update frequency and coverage of the blacklist and whitelist databases.
  • The determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website includes: if it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate, the target website is determined to be a normal website if the following three conditions are met simultaneously: condition one, the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate; condition two, the HTTPS certificate to be detected is determined to be valid at the current time according to the validity period of the certificate in the HTTPS certificate to be detected; condition three, the HTTPS certificate to be detected is determined not to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate is revoked.
  • The phishing website detecting device may use these conditions to determine whether the target website is a normal website.
  • The HTTPS certificates to be detected may be inconsistent when different terminals access the target website. For example, a terminal in East China connects to the target website server in East China and a terminal in South China connects to the server in South China; the HTTPS certificates include the same certificate issuer identifier, while the certificate serial numbers may be different.
  • the solution provided by the embodiment of the present invention fully considers that the HTTPS certificate that may be obtained when different terminals access the target website may be inconsistent due to the existence of the CDN or the load balancing, and avoids the preset information of the HTTPS certificate to be detected and the legal HTTPS certificate.
  • The determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website includes: if it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legitimate HTTPS certificate: when it is determined that the HTTPS certificate to be detected satisfies at least one of the first preset conditions, determining that the target website is a phishing website; wherein the first preset conditions include: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; the HTTPS certificate to be detected is determined to be invalid at the current time according to the validity period of the certificate in the HTTPS certificate to be detected; the HTTPS certificate to be detected is determined to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate is revoked.
  • This takes into account that, due to the existence of a CDN or load balancing, the HTTPS certificate may be inconsistent when different terminals access the target website, and more accurately determines a target website whose HTTPS certificate to be detected satisfies at least one of the above first preset conditions to be a phishing website.
  • The method provided in the embodiment of the present invention does not need to perform a blacklist or whitelist query of the URL to be detected, so the detection result is not affected by the update frequency and coverage of the blacklist and whitelist databases; meanwhile, the waste of resources caused by verifying whether the URLs of all websites belong to phishing websites can be avoided.
  • the method further includes: determining that the URL to be detected uses the secure hypertext transfer protocol HTTPS. For example, if the URL to be detected is https://zhidao.baidu.com/, the protocol of the URL to be detected is HTTPS.
  • because the URL to be detected uses HTTPS, the phishing website detecting device can go on to obtain the HTTPS certificate to be detected and check its legality in order to determine whether the target website is a phishing website.
  • the method further includes: when it is determined that the URL to be detected does not use HTTPS, reporting alarm information, where the alarm information indicates that the target website is dangerous.
  • when the URL to be detected is http://abc.com/, the protocol of the URL to be detected is HTTP and HTTPS is not used; the phishing website detecting device therefore does not need to go on to obtain the HTTPS certificate to be detected, and can directly report alarm information that the target website is dangerous, to prevent users from entering the dangerous target website unknowingly.
  • the method further includes: determining that the URL to be detected meets any of the second preset conditions.
  • the second preset conditions are: condition one, the domain name of the URL to be detected matches at least one preset URL domain name; condition two, at least one attribute class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset attribute class keyword; condition three, at least one input class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset input class keyword.
  • the target website is a normal website and can be accessed normally on the terminal.
  • the preset URL domain name may be set according to actual needs.
  • the preset URL domain name may be set to the domain name of a website that involves bank account information and personal information; optionally, the preset URL domain name can be the domain name of a bank website URL, for example the ICBC domain name www.icbc.com.cn or the Agricultural Bank of China domain name www.abchina.com;
  • the preset URL domain name can also be the URL domain name of a social networking site, for example the Sina Weibo URL domain name weibo.com.
  • the preset attribute category keywords can be set according to actual needs.
  • for example, when the target website accessed by the terminal is a bank website, the preset attribute category keywords may be set to include banking, online banking, payment, finance, etc.
  • the preset input category keywords may be set according to actual needs; optionally, they can be set to login account, card number, password, ID number, and the like.
  • the CONTENT attribute in the <body> tag is extracted; optionally, the input class keywords in the webpage source code corresponding to the URL to be detected may be extracted from tags such as the <input> tag in that webpage source code.
  • OCR Optical Character Recognition
  • the HTTPS certificate to be detected then continues to be obtained from the target website in order to verify whether it is legal. For example, if the domain name of the URL to be detected is www.abc.com.cn and does not match the domain name of ICBC, the device may go on to determine whether the URL to be detected satisfies condition two and condition three of the second preset conditions, that is, whether at least one attribute class keyword in the webpage source code corresponding to the URL to be detected matches a preset attribute class keyword, or at least one input class keyword matches a preset input class keyword, or both at least one attribute class keyword matches a preset attribute class keyword and at least one input class keyword matches a preset input class keyword.
  • deciding whether the target website needs phishing website detection according to whether the URL to be detected satisfies the second preset condition is simple, efficient and targeted; it effectively guards against disclosure of sensitive information while avoiding any impact on the user experience when a normal website is accessed on the terminal.
  • FIG. 3 is a schematic flowchart showing another method for detecting a phishing website according to an embodiment of the present invention. Based on the system architecture shown in FIG. 1, as shown in FIG. 3, the method includes the following steps:
  • Step S301: the phishing website detecting device acquires the to-be-detected uniform resource locator (URL) of the target website;
  • Step S302: determining whether the domain name corresponding to the URL to be detected is a legal domain name; if yes, step S303 is performed; if not, step S312 is performed;
  • Step S303: determining whether the domain name of the URL to be detected matches at least one preset URL domain name; if yes, step S306 is performed; if not, step S304 is performed;
  • Step S304: determining whether at least one attribute class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset attribute class keyword; if yes, step S305 is performed; if not, step S313 is performed;
  • Step S305: determining whether at least one input class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset input class keyword; if yes, step S306 is performed; if not, step S313 is performed;
  • Step S306: determining whether the URL to be detected uses the secure hypertext transfer protocol HTTPS; if yes, step S307 is performed; if not, step S314 is performed;
  • Step S307: obtaining, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, and obtaining, from the server corresponding to the domain name of the URL to be detected, the legal HTTPS certificate corresponding to that domain name;
  • Step S308: determining whether the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legal HTTPS certificate all match; if yes, step S313 is performed; if not, step S309 is performed;
  • Step S309: determining whether the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legal HTTPS certificate; if yes, step S310 is performed; if not, step S312 is performed;
  • Step S310: determining, according to the certificate validity period in the HTTPS certificate to be detected, whether the HTTPS certificate to be detected is valid at the current time; if yes, step S311 is performed; if not, step S312 is performed;
  • Step S311: determining, according to the revocation information in the HTTPS certificate to be detected, whether the HTTPS certificate to be detected has not been revoked; if yes, step S313 is performed; if not, step S312 is performed;
  • Step S312: determining that the target website is a phishing website;
  • Step S313: determining that the target website is a normal website;
  • Step S314: reporting alarm information, where the alarm information indicates that the target website is dangerous.
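The decision flow of steps S301 to S314 can be traced in code. The following Python sketch is an added example, not code from the patent; it reuses the preset domains and keywords given as examples in the text. Assumptions: the fields of `Cert` stand in for the "preset information items", the S302 result is passed in as `domain_is_legal`, the `revoked` flag comes from a revocation lookup done elsewhere, attribute keywords are read from `content` attributes, and all certificate values and the sample page are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Preset values taken from the examples in the text.
PRESET_DOMAINS = {"www.icbc.com.cn", "www.abchina.com", "weibo.com"}
ATTRIBUTE_KEYWORDS = ("banking", "online banking", "payment", "finance")
INPUT_KEYWORDS = ("login account", "card number", "password", "id number")


class Verdict(Enum):
    PHISHING = "S312"
    NORMAL = "S313"
    ALARM = "S314"


@dataclass(frozen=True)
class Cert:
    # Assumed set of "preset information items"; the steps do not list them.
    subject: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # assumed result of a revocation lookup done elsewhere

    def items(self):
        return (self.subject, self.issuer, self.serial,
                self.not_before, self.not_after)


class KeywordSource(HTMLParser):
    """Collects `content` attribute values and attribute values of <input> tags."""

    def __init__(self):
        super().__init__()
        self.attribute_text, self.input_text = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "content":
                self.attribute_text.append(value.lower())
            if tag == "input":
                self.input_text.append(value.lower())


def has_keyword(texts, keywords):
    return any(k in t for t in texts for k in keywords)


def needs_certificate_check(url, html):
    """S303-S305: is the page sensitive enough to verify its certificate?"""
    host = (urlsplit(url).hostname or "").lower()
    if host in PRESET_DOMAINS:                                   # S303
        return True
    src = KeywordSource()
    src.feed(html)
    return (has_keyword(src.attribute_text, ATTRIBUTE_KEYWORDS)  # S304
            and has_keyword(src.input_text, INPUT_KEYWORDS))     # S305


def compare_certificates(observed, legal, now):
    """S308-S311: a mismatch alone is tolerated (CDN, load balancing)."""
    if observed.items() == legal.items():                        # S308
        return Verdict.NORMAL
    if observed.issuer != legal.issuer:                          # S309
        return Verdict.PHISHING
    if not observed.not_before <= now <= observed.not_after:     # S310
        return Verdict.PHISHING
    if observed.revoked:                                         # S311
        return Verdict.PHISHING
    return Verdict.NORMAL


def detect(url, html, domain_is_legal, observed, legal, now):
    if not domain_is_legal:                                      # S302
        return Verdict.PHISHING
    if not needs_certificate_check(url, html):
        return Verdict.NORMAL
    if urlsplit(url).scheme.lower() != "https":                  # S306
        return Verdict.ALARM
    return compare_certificates(observed, legal, now)            # S307 onward


# Constructed sample data, for illustration only.
NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)
LEGAL = Cert("www.icbc.com.cn", "Example CA A", "01",
             datetime(2017, 1, 1, tzinfo=timezone.utc),
             datetime(2018, 1, 1, tzinfo=timezone.utc))
LOGIN_PAGE = ('<html><head><meta name="keywords" content="Online Banking, payment">'
              '</head><body><form><input name="card number">'
              '<input type="password" name="pwd"></form></body></html>')

if __name__ == "__main__":
    cases = {
        "same certificate": LEGAL,
        "CDN node, same issuer": replace(LEGAL, serial="02"),
        "different issuer": replace(LEGAL, issuer="Example CA B", serial="99"),
        "revoked": replace(LEGAL, serial="04", revoked=True),
    }
    for label, cert in cases.items():
        verdict = detect("https://www.icbc.com.cn/", "", True, cert, LEGAL, NOW)
        print(f"{label}: {verdict.name}")
```
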
  • the method for detecting a phishing website in the embodiment of the present invention decides whether the target website needs phishing website detection according to whether the URL to be detected satisfies the second preset condition. This is simple, efficient and targeted, and it effectively prevents sensitive information from being leaked while avoiding any impact on the user experience when users access a normal website on the terminal.
  • the HTTPS certificate to be detected corresponding to the URL to be detected is obtained from the target website; because the domain name of the URL to be detected is correct, the legal HTTPS certificate corresponding to the URL to be detected can be obtained, since the domain name of a URL corresponds to one legal HTTPS certificate.
  • the legal HTTPS certificate corresponding to the domain name of the URL to be detected is obtained from the server corresponding to that domain name, and according to the HTTPS certificate to be detected and the legal HTTPS certificate it can be effectively detected whether the target website that the user is visiting is a phishing website.
  • the embodiment of the present invention fully considers that, because of a CDN or load balancing, the HTTPS certificate may differ when different terminals access the target website, and so detects more accurately and effectively whether the target website that the user is visiting is a phishing website.
  • the method provided in the embodiment of the present invention does not need to query the URL to be detected against blacklists and whitelists, so the detection result is not affected by the update frequency and coverage of a blacklist or whitelist database; it also avoids the waste of resources that comes from verifying whether the URLs of all websites belong to phishing websites.
  • FIG. 4 is a schematic structural diagram of a phishing website detecting apparatus according to an embodiment of the present invention.
  • a phishing website detecting apparatus configured to execute the foregoing method.
  • the phishing website detecting apparatus 400 includes an obtaining unit 401 and a processing unit 402.
  • the obtaining unit 401 is configured to obtain the to-be-detected uniform resource locator (URL) of the target website, where the domain name corresponding to the to-be-detected URL is a legal domain name; obtain, from the target website, the HTTPS certificate to be detected corresponding to the to-be-detected URL; and obtain, from the server corresponding to the domain name of the URL to be detected, the legal HTTPS certificate corresponding to that domain name;
  • the processing unit 402 is configured to determine, according to the preset information item included in the HTTPS certificate to be detected, and the preset information item included in the legal HTTPS certificate, whether the target website is a phishing website.
  • the processing unit 402 is configured to: when it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legal HTTPS certificate all match, determine that the target website is a normal website.
  • the processing unit 402 is configured to: when at least one preset information item included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legal HTTPS certificate: if the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legal HTTPS certificate, the HTTPS certificate to be detected is determined from its certificate validity period to be valid at the current time, and the HTTPS certificate to be detected is determined from its revocation information not to have been revoked, determine that the target website is a normal website.
  • the processing unit 402 is configured to: when at least one preset information item included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legal HTTPS certificate: if the HTTPS certificate to be detected satisfies at least one of the first preset conditions, determine that the target website is a phishing website; wherein the first preset conditions are: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legal HTTPS certificate; the HTTPS certificate to be detected is determined, from its certificate validity period, to have expired at the current time; the HTTPS certificate to be detected is determined, from its revocation information, to have been revoked.
  • processing unit 402 is further configured to: determine that the to-be-detected URL uses HTTPS.
  • the processing unit 402 is further configured to: when it is determined that the to-be-detected URL does not use HTTPS, report alarm information, where the alarm information indicates that the target website is dangerous.
  • the processing unit 402 is further configured to: determine that the to-be-detected URL meets any one or more of the second preset conditions, where the second preset conditions are: the domain name of the URL to be detected matches at least one preset URL domain name; at least one attribute class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset attribute class keyword; at least one input class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset input class keyword.
  • the embodiment of the present invention provides a device for detecting a phishing website that decides whether the target website needs phishing website detection according to whether the URL to be detected satisfies the second preset condition. This is simple, efficient and targeted, and it effectively prevents sensitive information from being leaked while avoiding any impact on the user experience when users access a normal website on the terminal.
  • FIG. 5 is a schematic structural diagram of another phishing website detecting apparatus according to an embodiment of the present invention.
  • the phishing website detecting apparatus 500 includes a processor 501 and a memory 502.
  • a communication interface 503 is further included, and the processor 501, the memory 502, and the communication interface 503 are connected by a bus 504.
  • the bus 504 can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 5, but it does not mean that there is only one bus or one type of bus.
  • the memory 502 may include a volatile memory such as a random-access memory (RAM); the memory may also include a non-volatile memory such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 502 may also include a combination of the above types of memory.
  • the communication interface 503 can be a wired communication access port, a wireless communication interface, or a combination thereof, wherein the wired communication interface can be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface can be a WLAN interface.
  • the processor 501 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
  • the processor 501 may further include a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • the processor 501 is configured to read a program in the memory 502 and perform the following methods:
  • the memory 502 is configured to store one or more executable programs, and may store data used by the processor 501 when performing operations.
  • the processor 501 is configured to: when it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legal HTTPS certificate all match, determine that the target website is a normal website.
  • the processor 501 is configured to: when at least one preset information item included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legal HTTPS certificate: if the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legal HTTPS certificate, the HTTPS certificate to be detected is determined from its certificate validity period to be valid at the current time, and the HTTPS certificate to be detected is determined from its revocation information not to have been revoked, determine that the target website is a normal website.
  • the processor 501 is configured to: when at least one preset information item included in the HTTPS certificate to be detected does not match the corresponding preset information item included in the legal HTTPS certificate: if the HTTPS certificate to be detected satisfies at least one of the first preset conditions, determine that the target website is a phishing website; wherein the first preset conditions are: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legal HTTPS certificate; the HTTPS certificate to be detected is determined, from its certificate validity period, to have expired at the current time; the HTTPS certificate to be detected is determined, from its revocation information, to have been revoked.
  • the processor 501 is further configured to: determine that the to-be-detected URL uses HTTPS.
  • the processor 501 is further configured to: report alarm information, where the alarm information is used to indicate that the target website is in danger, if it is determined that the to-be-detected URL does not use HTTPS.
  • the processor 501 is further configured to: determine that the to-be-detected URL meets any one or more of the second preset conditions, where the second preset conditions are: the domain name of the URL to be detected matches at least one preset URL domain name; at least one attribute class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset attribute class keyword; at least one input class keyword in the acquired webpage source code corresponding to the URL to be detected matches a preset input class keyword.
  • the obtaining unit 401 and the processing unit 402 may be implemented by the processor 501.
  • the phishing website detecting apparatus 500 may include a processor 501, a memory 502, and optionally, a communication interface 503.
  • the memory 502 can be used to store the code that the processor 501 runs when executing the solution, and the code can be a program/code pre-installed in the phishing website detecting apparatus 500.
  • because the domain name of the URL to be detected is correct, the legal HTTPS certificate corresponding to the URL to be detected can be obtained; the domain name of a URL corresponds to one legal HTTPS certificate, and the legal HTTPS certificate corresponding to the domain name of the URL to be detected is obtained from the server corresponding to that domain name.
  • according to the HTTPS certificate to be detected and the legal HTTPS certificate, it can be effectively detected whether the target website that the user is visiting is a phishing website.
  • the computer program product includes one or more instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the instructions may be stored in a computer storage medium or transferred from one computer storage medium to another; for example, the instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means.
  • the computer storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media.
  • the usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape, a magneto-optical disk (MO), etc.), an optical medium (e.g., CD, DVD, BD, HVD, etc.), or a semiconductor medium (e.g., ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid state disk (SSD), etc.).
  • embodiments of the present application can be provided as a method, system, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by instructions. These instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
  • the instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the field of communications, and specifically, to a method and device for detecting a phishing website, effectively determining, when a URL domain name is a valid domain name, whether a target website being accessed by a user is a phishing website. The method comprises: obtaining a uniform resource locator (URL) to be determined of a target website; determining that the URL to be determined is a valid domain name; obtaining, from the target website, a hypertext transfer protocol secure (HTTPS) certificate to be determined and corresponding to the URL to be determined; obtaining, from a server corresponding to the domain name of the URL to be determined, a valid HTTPS certificate corresponding to the domain name of the URL to be determined; and determining, according to a preconfigured information item in the HTTPS certificate to be determined and a preconfigured information item in the valid HTTPS certificate, whether the target website is a phishing website. As a result, the embodiment is utilized to effectively determine, when a URL domain name is a valid domain name, whether a target website being accessed by a user is a phishing website.

Description

Method and device for detecting phishing website

The present invention claims priority to Chinese patent application No. 201611076447.2, entitled "A phishing website detection method and apparatus", filed with the Intellectual Property Office of the People's Republic of China on November 29, 2016, the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of communications technologies, and in particular to a phishing website detection method and apparatus.

Background

Phishing websites usually disguise themselves as bank and e-commerce websites to steal private information submitted by users, such as bank account numbers and passwords. Using pseudo base stations, phishing emails and similar means, a malicious attacker gives the victim a seemingly normal bank or financial website domain name and tricks the user into opening it and entering sensitive information such as user name, password, card number and ID number on the phishing website.

Existing tools for detecting phishing websites mainly identify phishing URLs using techniques such as blacklists, whitelists and heuristic analysis. When the domain name of the uniform resource locator (URL) to be detected is wrong, detection relies mainly on blacklist and whitelist techniques. Blacklist-based detection judges whether the target website is a phishing website against a database built from known bad URLs; but because phishing websites are usually short-lived and keeping the blacklist up to date is very difficult, this technique cannot effectively prevent phishing. Whitelist-based detection judges whether the target website is a legitimate website against a database built from trusted website addresses; because the number of trusted website addresses is huge, a legitimate URL that the user visits but that has not been added to the database may be misjudged as a phishing website.

When the domain name of the URL to be detected is correct, detection relies mainly on heuristic analysis: the web page layout of the target website is compared for similarity with that of the legitimate website to determine whether the target website is a phishing website. This detection method is easily bypassed by some deception techniques, so a certain proportion of phishing websites go undetected.

The prior art detects whether the target website is a phishing website based only on the URL to be detected or on the page-layout similarity between the target website and the legitimate website. For complex phishing attacks such as Domain Name System (DNS) hijacking, traffic hijacking and Secure Hypertext Transfer Protocol (HTTPS) man-in-the-middle attacks, the domain name corresponding to the obtained URL to be detected is a legal domain name and the target website is extremely similar to the legitimate website, so the prior-art methods cannot effectively determine whether the target website is a phishing website. A phishing website detection method is therefore urgently needed that effectively detects whether the target website the user is visiting is a phishing website when the domain name of the URL to be detected is a legal domain name.

Summary of the invention

Embodiments of the present invention provide a phishing website detection method and apparatus for effectively detecting whether the target website that the user is visiting is a phishing website when the domain name of the URL to be detected is a legal domain name.

In a first aspect, an embodiment of the present invention provides a phishing website detection method, including: obtaining the to-be-detected uniform resource locator (URL) of a target website, where the domain name corresponding to the URL to be detected is a legal domain name; obtaining, from the target website, the to-be-detected Secure Hypertext Transfer Protocol (HTTPS) certificate corresponding to the URL to be detected; obtaining, from the server corresponding to the domain name of the URL to be detected, the legal HTTPS certificate corresponding to that domain name; and determining, according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legal HTTPS certificate, whether the target website is a phishing website.

Optionally, determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate includes: determining that the target website is a normal website when the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match.

Optionally, determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate includes: when at least one of the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate does not match: if the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, the HTTPS certificate to be detected is determined to be valid at the current time according to the certificate validity period in the HTTPS certificate to be detected, and the HTTPS certificate to be detected is determined not to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, then the target website is determined to be a normal website.

Optionally, determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate includes: when at least one of the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate does not match: if the HTTPS certificate to be detected and the HTTPS certificate to be detected satisfy at least one of the first preset conditions, the target website is determined to be a phishing website. The first preset conditions include: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; the HTTPS certificate to be detected is determined to be invalid at the current time according to the certificate validity period in the HTTPS certificate to be detected; the HTTPS certificate to be detected is determined to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked.

Optionally, after acquiring the URL to be detected of the target website and before acquiring, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, the method further includes: determining that the URL to be detected uses HTTPS.

Optionally, after acquiring the URL to be detected of the target website and before acquiring, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, the method further includes: when it is determined that the URL to be detected does not use HTTPS, reporting alarm information, where the alarm information indicates that the target website is dangerous.

Optionally, after acquiring the URL to be detected of the target website and before acquiring, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, the method further includes: determining that the URL to be detected satisfies any one or more of the second preset conditions. The second preset conditions include: the domain name of the URL to be detected matches at least one preset URL domain name; at least one of the attribute-class keywords in the acquired web page source code corresponding to the URL to be detected matches a preset attribute-class keyword; at least one of the input-class keywords in the acquired web page source code corresponding to the URL to be detected matches a preset input-class keyword.

In a second aspect, an embodiment of the present invention provides a phishing website detection apparatus, including: an acquisition unit, configured to acquire a to-be-detected uniform resource locator (URL) of a target website, where the domain name corresponding to the URL to be detected is a legitimate domain name; to acquire, from the target website, the to-be-detected HTTPS certificate corresponding to the URL to be detected; and to acquire, from the server corresponding to the domain name of the URL to be detected, the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected; and a processing unit, configured to determine whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate.

Optionally, the processing unit is configured to: determine that the target website is a normal website when the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match.

Optionally, the processing unit is configured to: when at least one of the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate does not match: if the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, the HTTPS certificate to be detected is determined to be valid at the current time according to the certificate validity period in the HTTPS certificate to be detected, and the HTTPS certificate to be detected is determined not to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, determine that the target website is a normal website.

Optionally, the processing unit is configured to: when at least one of the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate does not match: if the HTTPS certificate to be detected and the HTTPS certificate to be detected satisfy at least one of the first preset conditions, determine that the target website is a phishing website. The first preset conditions include: the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; the HTTPS certificate to be detected is determined to be invalid at the current time according to the certificate validity period in the HTTPS certificate to be detected; the HTTPS certificate to be detected is determined to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked.

Optionally, the processing unit is further configured to: determine that the URL to be detected uses HTTPS.

Optionally, the processing unit is further configured to: when it is determined that the URL to be detected does not use HTTPS, report alarm information, where the alarm information indicates that the target website is dangerous.

Optionally, the processing unit is further configured to: determine that the URL to be detected satisfies any one or more of the second preset conditions. The second preset conditions include: the domain name of the URL to be detected matches at least one preset URL domain name; at least one of the attribute-class keywords in the acquired web page source code corresponding to the URL to be detected matches a preset attribute-class keyword; at least one of the input-class keywords in the acquired web page source code corresponding to the URL to be detected matches a preset input-class keyword.

In a third aspect, an embodiment of the present invention provides a phishing website detection apparatus, including a processor and a memory;

the memory is configured to store an executable program;

the processor is configured to read the executable program in the memory and perform:

acquiring a to-be-detected uniform resource locator (URL) of a target website, where the domain name corresponding to the URL to be detected is a legitimate domain name; acquiring, from the target website, the to-be-detected HTTPS certificate corresponding to the URL to be detected; acquiring, from the server corresponding to the domain name of the URL to be detected, the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected; and determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate.

In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium that stores computer instructions, the computer instructions being used to cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect.

In a fifth aspect, an embodiment of the present invention provides a computer program product, the computer program product including a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect.

In the embodiment of the present invention, the HTTPS certificate to be detected corresponding to the URL to be detected is acquired from the target website. Because the domain name of the URL to be detected is correct, the legitimate HTTPS certificate corresponding to the URL to be detected can be obtained. The domain name of one URL corresponds to one legitimate HTTPS certificate; the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected is acquired from the server corresponding to that domain name, and by comparing the HTTPS certificate to be detected with the legitimate HTTPS certificate it can be effectively detected whether the target website the user is visiting is a phishing website.

Brief description of the drawings

To describe the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below.

FIG. 1 is a schematic diagram of a system architecture for phishing website detection according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a phishing website detection method according to an embodiment of the present invention;

FIG. 3 is a schematic flowchart of another phishing website detection method according to an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of a phishing website detection apparatus according to an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of another phishing website detection apparatus according to an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions, and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.

FIG. 1 shows an example of a system architecture for phishing website detection to which embodiments of the present invention apply. As shown in FIG. 1, the phishing website detection system architecture 100 includes a server 101, a server 102, a terminal 103, and a phishing website detection apparatus 104. The server 101, the server 102, and the terminal 103 may be connected by a wireless connection, a wired connection, or other means; the server 101, the server 102, and the phishing website detection apparatus 104 may likewise be connected by a wireless connection, a wired connection, or other means. The server 101 is the server corresponding to the target website, the server 102 is the server corresponding to the domain name of the URL to be detected, and the phishing website detection apparatus 104 is installed in the terminal 103.

The terminal 103 sends the URL for accessing the target website to the server 101. After receiving the URL, the server 101 sends the web page content corresponding to the URL, such as the web page source code, to the terminal 103. The phishing website detection apparatus 104 can obtain the HTTPS certificate to be detected from the server 102; the phishing website detection apparatus 104 can obtain the legitimate HTTPS certificate corresponding to the domain name of the URL from the server 102. For example, if the target website is Baidu, the URL corresponding to Baidu is https://www.baidu.com/ and the domain name of the URL is www.baidu.com.

Optionally, the terminal 103 may be a mobile phone, a tablet computer, a computer, or the like. Optionally, the phishing website detection apparatus 104 may be installed in the terminal 103 to detect whether the target website accessed by the terminal is a phishing website. Optionally, the phishing website detection apparatus 104 may be a UnionPay program plug-in or a security guard application.

FIG. 2 shows an example flowchart of a phishing website detection method according to an embodiment of the present invention.

Based on the system architecture shown in FIG. 1, and as shown in FIG. 2, a phishing website detection method provided by an embodiment of the present invention includes the following steps:

Step S201: the phishing website detection apparatus acquires the to-be-detected uniform resource locator (URL) of the target website, where the domain name corresponding to the URL to be detected is a legitimate domain name;

Step S202: the phishing website detection apparatus acquires, from the target website, the to-be-detected HTTPS certificate corresponding to the URL to be detected;

Step S203: the phishing website detection apparatus acquires, from the server corresponding to the domain name of the URL to be detected, the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected;

Step S204: the phishing website detection apparatus determines whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate.

Based on the above embodiment, in step S201 the legitimate domain name is the correct domain name of the target website the user expects to visit. For example, the target website the user currently expects to visit is Industrial and Commercial Bank of China (ICBC), the URL to be detected entered by the user is http://www.icbc.com.cn/icbc/, and the domain name of the URL to be detected is www.icbc.com.cn; this is the correct domain name of ICBC, that is, a legitimate domain name. Under normal circumstances, when the user visits http://www.icbc.com.cn/icbc/, the target website entered is the website the user expects to visit: ICBC. When sophisticated phishing attacks such as DNS hijacking, traffic hijacking, or HTTPS man-in-the-middle are present, the domain name corresponding to http://www.icbc.com.cn/icbc/ is still the legitimate domain name www.icbc.com.cn, but the target website the user enters is a phishing website. The prior art cannot effectively detect whether the corresponding target website is a phishing website when the domain name of the URL to be detected currently visited by the user is a legitimate domain name; the method provided by the embodiment of the present invention can.

In the embodiment of the present invention, the phishing website detection apparatus is exemplified by a UnionPay program plug-in. The UnionPay program plug-in connects securely to the UnionPay back-end server using the Transport Layer Security (TLS) protocol. The UnionPay back-end server works from the domain name of the URL to be detected: if its cache database contains the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected, it sends the legitimate HTTPS certificate directly to the UnionPay program plug-in, which uses it to verify the legitimacy of the HTTPS certificate to be detected. If its own cache database does not contain the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected, the UnionPay back-end server actively accesses the URL to be detected, obtains the legitimate HTTPS certificate corresponding to the URL to be detected from the server corresponding to the domain name of the URL to be detected, stores the legitimate HTTPS certificate in its own cache database, and sends it to the UnionPay program plug-in. To keep its cache database current, the UnionPay back-end server periodically verifies whether the HTTPS certificates in its cache database have been revoked or are outside their validity period; if an HTTPS certificate has been revoked or is outside its validity period, that HTTPS certificate is marked as an illegitimate HTTPS certificate.

In the embodiment of the present invention, each of the HTTPS certificate to be detected and the legitimate HTTPS certificate includes multiple key factors such as the certificate issuer identifier, the certificate validity period, the certificate serial number, and the certificate signature. Optionally, the preset information items may include any one of the key factors, for example the certificate issuer identifier alone. The preset information items may also include any N of the key factors, where N is an integer greater than 1: for example the certificate issuer identifier and the certificate validity period; or the certificate issuer identifier and the certificate serial number; or the certificate issuer identifier, the certificate serial number, and the certificate signature.

In the embodiment of the present invention, the HTTPS certificate to be detected corresponding to the URL to be detected is acquired from the target website. Because the domain name of the URL to be detected is correct, the legitimate HTTPS certificate corresponding to the URL to be detected can be obtained. The domain name of one URL corresponds to one legitimate HTTPS certificate; the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected is acquired from the server corresponding to that domain name, and by comparing the HTTPS certificate to be detected with the legitimate HTTPS certificate it can be effectively detected whether the target website the user is visiting is a phishing website.

Optionally, determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate includes: determining that the target website is a normal website when the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match.

Optionally, when the preset information items include one key factor, for example the certificate issuer identifier, the target website is determined to be a normal website when the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate. Optionally, when the preset information items include N key factors: for example, with N equal to 2 and the two key factors being the certificate issuer identifier and the certificate serial number, the target website is determined to be a normal website when the certificate issuer identifier and certificate serial number included in the HTTPS certificate to be detected all match the certificate issuer identifier and certificate serial number included in the legitimate HTTPS certificate; for example, with N equal to 4 and the four key factors being the certificate issuer identifier, the certificate validity period, the certificate serial number, and the certificate signature, the target website is determined to be a normal website when the certificate issuer identifier, certificate validity period, certificate serial number, and certificate signature included in the HTTPS certificate to be detected all match those included in the legitimate HTTPS certificate.

Optionally, when at least one of the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate does not match, the target website is determined to be a phishing website. For example, with N equal to 2 and the four key factors included in the preset information items being the certificate issuer identifier and the certificate serial number: when the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate, the target website is determined to be a phishing website; or, when the certificate serial number included in the HTTPS certificate to be detected does not match the certificate serial number included in the legitimate HTTPS certificate, the target website is determined to be a phishing website; or, when neither the certificate issuer identifier nor the certificate serial number included in the HTTPS certificate to be detected matches those included in the legitimate HTTPS certificate, the target website is determined to be a phishing website. In this way, the phishing website detection apparatus can determine whether the HTTPS certificate to be detected is a legitimate certificate according to whether the preset information items in the HTTPS certificate to be detected and in the legitimate HTTPS certificate match completely, and thereby effectively determine whether the target website is a normal website. Moreover, when the HTTPS certificate is determined to be a legitimate certificate, the target website is determined to be a normal website and the terminal can browse the web page corresponding to the URL to be detected normally; when the HTTPS certificate is determined not to be a legitimate certificate, the target website is determined to be a phishing website, alarm information is reported, and the user is reminded not to continue accessing the web page corresponding to the URL to be detected, so as to avoid leaking personal information. The method provided in the embodiment of the present invention does not require a blacklist or whitelist lookup of the URL to be detected, so the detection result is not affected by the update frequency or coverage of blacklist and whitelist databases.

Optionally, determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate includes: when at least one of the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate does not match, determining that the target website is a normal website if the following three conditions are all satisfied. Condition 1: the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate. Condition 2: the HTTPS certificate to be detected is determined to be valid at the current time according to the certificate validity period in the HTTPS certificate to be detected. Condition 3: the HTTPS certificate to be detected is determined not to be revoked according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked. In this way, when at least one of the preset information items does not match, the phishing website detection apparatus can determine whether the target website is a normal website according to these three conditions.

In actual application scenarios, because of a content delivery network (CDN) or load balancing, the HTTPS certificates to be detected that different terminals see when accessing the target website may be inconsistent. For example, when a terminal in East China connects to the target website's server in East China and a terminal in South China connects to the server in South China, the certificate issuer identifiers included in the HTTPS certificates to be detected are the same, but the certificate serial numbers may differ. The solution provided by the embodiment of the present invention takes full account of the fact that, because of a CDN or load balancing, different terminals may obtain inconsistent HTTPS certificates when accessing the target website, and avoids determining a normal website to be a phishing website merely because at least one preset information item of the HTTPS certificate to be detected does not match that of the legitimate HTTPS certificate.

Optionally, determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate includes: in the case where it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the preset information items included in the legitimate HTTPS certificate, determining that the target website is a phishing website if the HTTPS certificate to be detected satisfies at least one of the first preset conditions. The first preset conditions include: it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; it is determined, according to the certificate validity period in the HTTPS certificate to be detected, that the HTTPS certificate to be detected is invalid at the current time; it is determined, according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, that the HTTPS certificate to be detected has been revoked. In this way, when at least one of the preset information items does not match, the solution provided by the embodiment of the present invention takes full account of the fact that, because of a CDN or load balancing, different terminals may obtain inconsistent HTTPS certificates when accessing the target website, and more accurately determines a target website whose HTTPS certificate to be detected satisfies at least one of the first preset conditions to be a phishing website. The method provided in the embodiment of the present invention does not need to query a blacklist or whitelist for the URL to be detected, so the detection result is not affected by the update frequency and coverage of a blacklist/whitelist database; it also avoids the waste of resources involved in searching the URLs of all websites on a large scale and verifying whether each of them is a phishing website.

Optionally, after obtaining the URL to be detected of the target website and before obtaining, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, the method further includes: determining that the URL to be detected uses the secure hypertext transfer protocol HTTPS. For example, the URL to be detected is https://zhidao.baidu.com/, and the protocol of the URL to be detected is HTTPS. In this way, because the URL to be detected uses HTTPS, the phishing detection device can go on to obtain the HTTPS certificate to be detected, judge the legitimacy of the HTTPS certificate to be detected, and then judge whether the target website is a phishing website.

Optionally, after obtaining the URL to be detected of the target website and before obtaining, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, the method further includes: in the case where it is determined that the URL to be detected does not use HTTPS, reporting alarm information, where the alarm information is used to indicate that the target website is dangerous. For example, the URL to be detected is http://abc.com/, and the protocol of the URL to be detected is http, not HTTPS. In this way, the phishing detection device does not need to go on to obtain the HTTPS certificate to be detected; because the URL to be detected does not use HTTPS, it can directly report alarm information indicating that the target website is dangerous, preventing the user from unknowingly entering a dangerous target website.

Optionally, after obtaining the URL to be detected of the target website and before obtaining, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, the method further includes: determining that the URL to be detected satisfies any one or more of the second preset conditions, where the second preset conditions include: condition one, it is determined that the domain name of the URL to be detected matches at least one preset URL domain name; condition two, it is determined that at least one of the attribute keywords in the obtained web page source code corresponding to the URL to be detected matches a preset attribute keyword; condition three, it is determined that at least one of the input keywords in the obtained web page source code corresponding to the URL to be detected matches a preset input keyword. Optionally, after obtaining the URL to be detected of the target website, in the case where it is determined that the URL to be detected satisfies any one of the second preset conditions, the target website is determined to be a normal website and can be accessed normally on the terminal.

In the embodiment of the present invention, the preset URL domain names can be set according to actual needs. Optionally, the preset URL domain names can be set to the domain names of websites that involve bank account information and personal information. Optionally, a preset URL domain name can be the URL domain name of a bank website; for example, the URL domain name of the Industrial and Commercial Bank of China is www.icbc.com.cn, and the URL domain name of the Agricultural Bank of China is www.abchina.com. A preset URL domain name can also be the URL domain name of a social networking website; for example, the URL domain name of Sina Weibo is weibo.com. The preset attribute keywords can be set according to actual needs; optionally, when the target website accessed by the terminal is a bank website, the preset attribute keywords can be set to include bank, online banking, payment, finance, and the like. The preset input keywords can be set according to actual needs; optionally, the preset input keywords can be set to login account, card number, password, ID number, and the like.

Optionally, the attribute keywords in the web page source code corresponding to the URL to be detected can be extracted from the <TITLE> tag, from the CONTENT attribute of the <META name="Keywords"/"Description"/"Copyright"> tags, and from the <body> tag in that source code. Optionally, the input keywords in the web page source code corresponding to the URL to be detected can be extracted from tags such as the <input> tag in that source code. In addition, considering that some phishing websites use screenshots for their layout, the text in images recognized by optical character recognition (OCR) is extracted together with the above attribute keywords and input keywords.

For example, if the domain name of the URL to be detected is www.icbc.com.cn, it matches the preset domain name of the Industrial and Commercial Bank of China, and the device goes on to obtain the HTTPS certificate to be detected from the target website in order to verify whether the HTTPS certificate to be detected is legitimate. If, for example, the domain name of the URL to be detected is www.abc.com.cn, it does not match the preset domain name of the Industrial and Commercial Bank of China, and the device can go on to judge whether the URL to be detected satisfies condition two and condition three of the second preset conditions, that is, whether at least one attribute keyword in the web page source code corresponding to the URL to be detected matches a preset attribute keyword, or at least one input keyword matches a preset input keyword, or both. In this way, whether the target website needs phishing website detection can be determined according to whether the URL to be detected satisfies the second preset conditions. This way of judging whether the target website needs phishing website detection is simple, efficient and well targeted; it can effectively guard against disclosure of sensitive information while avoiding any impact on the user experience when normal websites are accessed on the terminal.

In order to describe the above method flow more clearly, the embodiment of the present invention provides the following example.

FIG. 3 exemplarily shows a schematic flowchart of another phishing website detection method provided by an embodiment of the present invention. Based on the system architecture shown in FIG. 1, and as shown in FIG. 3, the method includes the following steps:

Step S301: the phishing website detecting device obtains the uniform resource locator (URL) to be detected of the target website;

Step S302: determine whether the domain name corresponding to the URL to be detected is a legitimate domain name; if yes, perform step S303; if no, perform step S312;

Step S303: determine whether the domain name of the URL to be detected matches at least one preset URL domain name; if yes, perform step S306; if no, perform step S304;

Step S304: determine whether at least one of the attribute keywords in the obtained web page source code corresponding to the URL to be detected matches a preset attribute keyword; if yes, perform step S305; if no, perform step S313;

Step S305: determine whether at least one of the input keywords in the obtained web page source code corresponding to the URL to be detected matches a preset input keyword; if yes, perform step S306; if no, perform step S313;

Step S306: determine whether the URL to be detected uses the secure hypertext transfer protocol HTTPS; if yes, perform step S307; if no, perform step S314;

Step S307: obtain, from the target website, the HTTPS certificate to be detected corresponding to the URL to be detected, and obtain, from the server corresponding to the domain name of the URL to be detected, the legitimate HTTPS certificate corresponding to that domain name;

Step S308: determine whether the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match; if yes, perform step S313; if no, perform step S309;

Step S309: determine whether the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate; if yes, perform step S310; if no, perform step S312;

Step S310: determine, according to the certificate validity period in the HTTPS certificate to be detected, whether the HTTPS certificate to be detected is valid at the current time; if yes, perform step S311; if no, perform step S312;

Step S311: determine, according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, whether the HTTPS certificate to be detected has not been revoked; if yes, perform step S313; if no, perform step S312;

Step S312: determine that the target website is a phishing website;

Step S313: determine that the target website is a normal website;

Step S314: report alarm information, where the alarm information is used to indicate that the target website is dangerous.
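The decision flow of steps S302 to S314 can be written out in Python as follows. This is an added example, not code from the patent: the Cert record, the choice of fields treated as preset information items, and the issuer names, serial numbers and dates are constructed assumptions, and the domain-legitimacy result (S302) and the revocation status are supplied by the caller rather than looked up.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum
from typing import Iterable, Optional
from urllib.parse import urlsplit


class Verdict(Enum):
    NORMAL = "S313: normal website"
    PHISHING = "S312: phishing website"
    ALARM = "S314: report alarm, target website is dangerous"


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # revocation status, looked up elsewhere (assumption)


# Assumption: the fields treated here as the "preset information items".
PRESET_ITEMS = ("issuer", "serial", "subject", "not_before", "not_after")
# Preset values taken from the examples in the text (keywords translated).
PRESET_DOMAINS = {"www.icbc.com.cn", "www.abchina.com", "weibo.com"}
ATTRIBUTE_KEYWORDS = {"bank", "online banking", "payment", "finance"}
INPUT_KEYWORDS = {"login account", "card number", "password", "id number"}


def needs_cert_check(url: str, attr_words: Iterable[str],
                     input_words: Iterable[str]) -> bool:
    """S303-S305: does this URL go on to the certificate comparison?"""
    host = urlsplit(url).hostname or ""
    if host in PRESET_DOMAINS:                                      # S303
        return True
    if not ATTRIBUTE_KEYWORDS & {w.lower() for w in attr_words}:    # S304
        return False
    return bool(INPUT_KEYWORDS & {w.lower() for w in input_words})  # S305


def compare_certs(observed: Cert, reference: Cert, now: datetime) -> Verdict:
    """S308-S311: compare the observed certificate with the legitimate one."""
    # S308: a full match ends the flow as "normal"; in the flow as described,
    # validity and revocation are only evaluated after a mismatch.
    if all(getattr(observed, f) == getattr(reference, f) for f in PRESET_ITEMS):
        return Verdict.NORMAL
    if observed.issuer != reference.issuer:                         # S309
        return Verdict.PHISHING
    if not (observed.not_before <= now <= observed.not_after):      # S310
        return Verdict.PHISHING
    if observed.revoked:                                            # S311
        return Verdict.PHISHING
    return Verdict.NORMAL  # e.g. another CDN node: same issuer, other serial


def detect(url: str, domain_is_legitimate: bool, attr_words: Iterable[str],
           input_words: Iterable[str], observed: Optional[Cert],
           reference: Optional[Cert], now: datetime) -> Verdict:
    """S302-S314 end to end; certificates are fetched by the caller (S307)."""
    if not domain_is_legitimate:                                    # S302
        return Verdict.PHISHING
    if not needs_cert_check(url, attr_words, input_words):
        return Verdict.NORMAL
    if urlsplit(url).scheme.lower() != "https":                     # S306
        return Verdict.ALARM
    if observed is None or reference is None:
        raise ValueError("both certificates are required for an HTTPS URL")
    return compare_certs(observed, reference, now)


# Constructed sample data (not real certificates).
NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)
REFERENCE = Cert(
    issuer="Example Bank CA G2", serial="0A01", subject="www.icbc.com.cn",
    not_before=datetime(2017, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2018, 1, 1, tzinfo=timezone.utc),
)
CDN_NODE = replace(REFERENCE, serial="0B02")
OTHER_ISSUER = replace(REFERENCE, serial="0C03", issuer="Unrelated CA")
EXPIRED = replace(CDN_NODE, not_after=datetime(2017, 6, 1, tzinfo=timezone.utc))
REVOKED = replace(CDN_NODE, revoked=True)

if __name__ == "__main__":
    bank = "https://www.icbc.com.cn/"
    for name, cert in [("exact match", REFERENCE), ("CDN node", CDN_NODE),
                       ("other issuer", OTHER_ISSUER), ("expired", EXPIRED),
                       ("revoked", REVOKED)]:
        print(name, "->", detect(bank, True, [], [], cert, REFERENCE, NOW).value)
    print("http page ->",
          detect("http://abc.com/", True, ["Bank"], ["Password"],
                 None, None, NOW).value)
```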

It can be seen from the above that the embodiment of the present invention provides a phishing website detection method in which whether the target website needs phishing website detection is judged according to whether the URL to be detected satisfies the second preset conditions. This way of judging is simple, efficient and well targeted; it can effectively guard against disclosure of sensitive information while avoiding any impact on the user experience when the user accesses normal websites on the terminal. Because, in the embodiment of the present invention, the HTTPS certificate to be detected corresponding to the URL to be detected is obtained from the target website and the domain name of the URL to be detected is correct, the legitimate HTTPS certificate corresponding to the URL to be detected can be obtained. The domain name of a URL corresponds to one legitimate HTTPS certificate; the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected is obtained from the server corresponding to that domain name, and, according to the HTTPS certificate to be detected and the legitimate HTTPS certificate, it can be effectively detected whether the target website the user is visiting is a phishing website. The embodiment of the present invention takes full account of the fact that, because of a CDN or load balancing, different terminals may obtain inconsistent HTTPS certificates when accessing the target website, and detects more accurately and effectively whether the target website the user is visiting is a phishing website. Further, the method provided in the embodiment of the present invention does not need to query a blacklist or whitelist for the URL to be detected, so the detection result is not affected by the update frequency and coverage of a blacklist/whitelist database; it also avoids the waste of resources involved in searching the URLs of all websites on a large scale and verifying whether each of them is a phishing website.

FIG. 4 exemplarily shows a schematic structural diagram of a phishing website detecting device provided by an embodiment of the present invention.

Based on the same concept, an embodiment of the present invention provides a phishing website detecting device configured to execute the above method flow. As shown in FIG. 4, the phishing website detecting device 400 includes an obtaining unit 401 and a processing unit 402, where:

The obtaining unit 401 is configured to: obtain the uniform resource locator (URL) to be detected of the target website, where the domain name corresponding to the URL to be detected is a legitimate domain name; obtain, from the target website, the secure hypertext transfer protocol HTTPS certificate to be detected corresponding to the URL to be detected; and obtain, from the server corresponding to the domain name of the URL to be detected, the legitimate HTTPS certificate corresponding to that domain name;

The processing unit 402 is configured to determine whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate.

Optionally, the processing unit 402 is configured to: determine that the target website is a normal website in the case where it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match.

Optionally, the processing unit 402 is configured to: in the case where it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the preset information items included in the legitimate HTTPS certificate: determine that the target website is a normal website if it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, that, according to the certificate validity period in the HTTPS certificate to be detected, the HTTPS certificate to be detected is valid at the current time, and that, according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, the HTTPS certificate to be detected has not been revoked.

Optionally, the processing unit 402 is configured to: in the case where it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the preset information items included in the legitimate HTTPS certificate: determine that the target website is a phishing website if the HTTPS certificate to be detected satisfies at least one of the first preset conditions, where the first preset conditions include: it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected does not match the certificate issuer identifier included in the legitimate HTTPS certificate; it is determined, according to the certificate validity period in the HTTPS certificate to be detected, that the HTTPS certificate to be detected is invalid at the current time; it is determined, according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, that the HTTPS certificate to be detected has been revoked.

Optionally, the processing unit 402 is further configured to: determine that the URL to be detected uses HTTPS.

Optionally, the processing unit 402 is further configured to: report alarm information in the case where it is determined that the URL to be detected does not use HTTPS, where the alarm information is used to indicate that the target website is dangerous.

Optionally, the processing unit 402 is further configured to: determine that the URL to be detected satisfies any one or more of the second preset conditions, where the second preset conditions include: it is determined that the domain name of the URL to be detected matches at least one preset URL domain name; it is determined that at least one of the attribute keywords in the obtained web page source code corresponding to the URL to be detected matches a preset attribute keyword; it is determined that at least one of the input keywords in the obtained web page source code corresponding to the URL to be detected matches a preset input keyword.

It can be seen from the above that the embodiment of the present invention provides a phishing website detecting device in which whether the target website needs phishing website detection is judged according to whether the URL to be detected satisfies the second preset conditions. This way of judging is simple, efficient and well targeted; it can effectively guard against disclosure of sensitive information while avoiding any impact on the user experience when the user accesses normal websites on the terminal. Because, in the embodiment of the present invention, the HTTPS certificate to be detected corresponding to the URL to be detected is obtained from the target website and the domain name of the URL to be detected is correct, the legitimate HTTPS certificate corresponding to the URL to be detected can be obtained. The domain name of a URL corresponds to one legitimate HTTPS certificate; the legitimate HTTPS certificate corresponding to the domain name of the URL to be detected is obtained from the server corresponding to that domain name, and, according to the HTTPS certificate to be detected and the legitimate HTTPS certificate, it can be effectively detected whether the target website the user is visiting is a phishing website. The embodiment of the present invention takes full account of the fact that, because of a CDN or load balancing, different terminals may obtain inconsistent HTTPS certificates when accessing the target website, and detects more accurately and effectively whether the target website the user is visiting is a phishing website. Further, the method provided in the embodiment of the present invention does not need to query a blacklist or whitelist for the URL to be detected, so the detection result is not affected by the update frequency and coverage of a blacklist/whitelist database; it also avoids the waste of resources involved in searching the URLs of all websites on a large scale and verifying whether each of them is a phishing website.

Based on the same concept, an embodiment of the present invention provides another phishing website detecting device, which can be used to execute the above phishing website detection method flow. FIG. 5 is a schematic structural diagram of another phishing website detecting device provided by an embodiment of the present invention. As shown in FIG. 5, the phishing website detecting device 500 includes a processor 501 and a memory 502. Optionally, it may further include a communication interface 503; the processor 501, the memory 502 and the communication interface 503 are connected by a bus 504.

The bus 504 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 5, but this does not mean that there is only one bus or one type of bus.

The memory 502 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 502 may also include a combination of the above kinds of memory.

The communication interface 503 may be a wired communication interface, a wireless communication interface, or a combination thereof. The wired communication interface may be, for example, an Ethernet interface; the Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a WLAN interface.

The processor 501 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.

The processor 501 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.

The processor 501 is configured to read the program in the memory 502 and execute the following method:

Obtaining the uniform resource locator (URL) to be detected of the target website, where the domain name corresponding to the URL to be detected is a legitimate domain name; obtaining, from the target website, the secure hypertext transfer protocol HTTPS certificate to be detected corresponding to the URL to be detected; obtaining, from the server corresponding to the domain name of the URL to be detected, the legitimate HTTPS certificate corresponding to that domain name; and determining whether the target website is a phishing website according to the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate.

The memory 502 is configured to store one or more executable programs, and may store data used by the processor 501 when performing operations.

Optionally, the processor 501 is configured to: determine that the target website is a normal website in the case where it is determined that the preset information items included in the HTTPS certificate to be detected and the preset information items included in the legitimate HTTPS certificate all match.

Optionally, the processor 501 is configured to: in the case where it is determined that at least one of the preset information items included in the HTTPS certificate to be detected does not match the preset information items included in the legitimate HTTPS certificate: determine that the target website is a normal website if it is determined that the certificate issuer identifier included in the HTTPS certificate to be detected matches the certificate issuer identifier included in the legitimate HTTPS certificate, that, according to the certificate validity period in the HTTPS certificate to be detected, the HTTPS certificate to be detected is valid at the current time, and that, according to the information in the HTTPS certificate to be detected on whether the certificate has been revoked, the HTTPS certificate to be detected has not been revoked.

Optionally, the processor 501 is configured to: when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate: if it is determined that the to-be-detected HTTPS certificate and the to-be-detected HTTPS certificate satisfy at least one of the first preset conditions, determine that the target website is a phishing website; where the first preset conditions include: the certificate issuer identifier included in the to-be-detected HTTPS certificate does not match the certificate issuer identifier included in the legitimate HTTPS certificate; the to-be-detected HTTPS certificate is determined, according to the certificate validity period in the to-be-detected HTTPS certificate, to be invalid at the current time; the to-be-detected HTTPS certificate is determined, according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, to have been revoked.

Optionally, the processor 501 is further configured to: determine that the to-be-detected URL uses HTTPS.

Optionally, the processor 501 is further configured to: when it is determined that the to-be-detected URL does not use HTTPS, report alarm information, where the alarm information is used to indicate that the target website is dangerous.

Optionally, the processor 501 is further configured to: determine that the to-be-detected URL satisfies any one or more of the second preset conditions, where the second preset conditions include: the domain name of the to-be-detected URL matches at least one preset URL domain name; at least one of the attribute-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset attribute-class keyword; at least one of the input-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset input-class keyword.

It should be understood that the division into the above units is only a division of logical functions; in an actual implementation the units may be fully or partially integrated into one physical entity, or may be physically separate. In the embodiments of the present invention, the obtaining unit 401 and the processing unit 402 may be implemented by the processor 501. As shown in FIG. 5, the phishing website detection device 500 may include a processor 501 and a memory 502 and, optionally, a communication interface 503. The memory 502 may be used to store the code that the processor 501 runs when executing the solution; this code may be a program/code preinstalled when the phishing website detection device 500 leaves the factory.

As can be seen from the above, the embodiments of the present invention provide a phishing website detection method and device. In these embodiments the to-be-detected HTTPS certificate corresponding to the to-be-detected URL is obtained from the target website, and because the domain name of the to-be-detected URL is correct, the legitimate HTTPS certificate corresponding to the to-be-detected URL can be obtained. The domain name of a URL corresponds to one legitimate HTTPS certificate; the legitimate HTTPS certificate corresponding to the domain name of the to-be-detected URL is obtained from the server corresponding to that domain name, and based on the to-be-detected HTTPS certificate and the legitimate HTTPS certificate it can then be effectively detected whether the target website the user is visiting is a phishing website.
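The decision flow described above for the processor 501 (HTTPS pre-check, comparison of all preset items, then the issuer, validity and revocation checks), as an added Python example that is not part of the patent text. It assumes certificates are dicts in the shape of Python's `ssl` `getpeercert()` output plus a hypothetical `revoked` flag filled in from a separate CRL/OCSP lookup; the item list, function names and sample certificates are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

# Assumption: which fields count as "preset information items". The patent text
# names issuer, validity period and revocation status; serialNumber is added here.
PRESET_ITEMS = ("issuer", "serialNumber", "notBefore", "notAfter", "revoked")


def issuer_id(cert):
    """Flatten the nested issuer RDN tuples into one comparable tuple."""
    return tuple(pair for rdn in cert["issuer"] for pair in rdn)


def valid_now(cert, now):
    """True if `now` (epoch seconds, UTC) falls inside the validity period."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def classify(url, detected, legit, now):
    """Return (verdict, details) for the certificate served to the user.

    detected: certificate obtained from the target website being visited
    legit:    certificate obtained from the server of the URL's domain name
    """
    # Pre-check: a URL that does not use HTTPS only raises an alarm.
    if urlsplit(url).scheme.lower() != "https":
        return "alarm", ["URL does not use HTTPS"]

    # Step 1: every preset item matches -> normal website.
    mismatched = [k for k in PRESET_ITEMS if detected.get(k) != legit.get(k)]
    if not mismatched:
        return "normal", []

    # Step 2: at least one item differs; any first preset condition -> phishing.
    reasons = []
    if issuer_id(detected) != issuer_id(legit):
        reasons.append("issuer mismatch")
    if not valid_now(detected, now):
        reasons.append("certificate not valid at current time")
    if detected["revoked"]:
        reasons.append("certificate revoked")
    if reasons:
        return "phishing", reasons

    # Same issuer, currently valid, not revoked: normal despite the differences.
    return "normal", mismatched


# Constructed sample data (not real certificates).
URL = "https://pay.example.test/login"
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2017 GMT")
LEGIT = {
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA G1"),)),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
    "revoked": False,
}
# Reissued by the same CA: new serial number and dates, still valid.
ROTATED = dict(LEGIT, serialNumber="0D4E5F",
               notBefore="May  1 00:00:00 2017 GMT",
               notAfter="May  1 00:00:00 2018 GMT")
# Certificate for the same name issued by a different CA.
OTHER_CA = dict(LEGIT, serialNumber="77AA01",
                issuer=((("organizationName", "Unrelated CA"),),
                        (("commonName", "Unrelated CA Root"),)))
EXPIRED = dict(LEGIT, notAfter="Mar  1 00:00:00 2017 GMT")
REVOKED = dict(LEGIT, revoked=True)

if __name__ == "__main__":
    for name, cert in [("same", LEGIT), ("rotated", ROTATED),
                       ("other CA", OTHER_CA), ("expired", EXPIRED),
                       ("revoked", REVOKED)]:
        print(name, classify(URL, cert, LEGIT, NOW))
    print("plain http", classify("http://pay.example.test/login", LEGIT, LEGIT, NOW))
```
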

In the above embodiments, implementation may be wholly or partly in software, hardware, firmware or any combination thereof. When implemented using a software program, it may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The instructions may be stored in a computer storage medium or transmitted from one computer storage medium to another; for example, the instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (for example coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (for example infrared, radio, microwave). The computer storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk, magnetic tape, magneto-optical disk (MO)), an optical medium (for example CD, DVD, BD, HVD), or a semiconductor medium (for example ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid state disk (SSD)).

Those skilled in the art will appreciate that the embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, the embodiments of this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The embodiments of this application are described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to the embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by instructions. These instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Obviously, those skilled in the art can make various changes and variations to the embodiments of this application without departing from the spirit and scope of this application. Thus, if these modifications and variations of the embodiments of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (23)

1. A phishing website detection method, characterized by comprising:
obtaining a to-be-detected uniform resource locator (URL) of a target website, where the domain name corresponding to the to-be-detected URL is a legitimate domain name;
obtaining, from the target website, the to-be-detected Hypertext Transfer Protocol Secure (HTTPS) certificate corresponding to the to-be-detected URL;
obtaining, from the server corresponding to the domain name of the to-be-detected URL, the legitimate HTTPS certificate corresponding to the domain name of the to-be-detected URL;
determining, according to the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website.

2. The method according to claim 1, characterized in that determining, according to the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website comprises:
when it is determined that the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate all match, determining that the target website is a normal website.

3. The method according to claim 1 or 2, characterized in that determining, according to the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website comprises:
when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate:
if it is determined that the certificate issuer identifier included in the to-be-detected HTTPS certificate matches the certificate issuer identifier included in the legitimate HTTPS certificate, that the to-be-detected HTTPS certificate is valid at the current time according to the certificate validity period in the to-be-detected HTTPS certificate, and that the to-be-detected HTTPS certificate has not been revoked according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, determining that the target website is a normal website.

4. The method according to claim 1 or 2, characterized in that determining, according to the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website comprises:
when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate:
if it is determined that the to-be-detected HTTPS certificate and the to-be-detected HTTPS certificate satisfy at least one of the first preset conditions, determining that the target website is a phishing website; where the first preset conditions include:
the certificate issuer identifier included in the to-be-detected HTTPS certificate does not match the certificate issuer identifier included in the legitimate HTTPS certificate;
the to-be-detected HTTPS certificate is determined, according to the certificate validity period in the to-be-detected HTTPS certificate, to be invalid at the current time;
the to-be-detected HTTPS certificate is determined, according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, to have been revoked.

5. The method according to claim 1, characterized in that, after obtaining the to-be-detected URL of the target website and before obtaining from the target website the to-be-detected HTTPS certificate corresponding to the to-be-detected URL, the method further comprises:
determining that the to-be-detected URL uses HTTPS.

6. The method according to claim 5, characterized in that, after obtaining the to-be-detected URL of the target website and before obtaining from the target website the to-be-detected HTTPS certificate corresponding to the to-be-detected URL, the method further comprises:
when it is determined that the to-be-detected URL does not use HTTPS, reporting alarm information, where the alarm information is used to indicate that the target website is dangerous.

7. The method according to claim 1, characterized in that, after obtaining the to-be-detected URL of the target website and before obtaining from the target website the to-be-detected HTTPS certificate corresponding to the to-be-detected URL, the method further comprises:
determining that the to-be-detected URL satisfies any one or more of the second preset conditions, where the second preset conditions include:
the domain name of the to-be-detected URL matches at least one preset URL domain name;
at least one of the attribute-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset attribute-class keyword;
at least one of the input-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset input-class keyword.

8. A phishing website detection device, characterized by comprising:
an obtaining unit, configured to obtain a to-be-detected uniform resource locator (URL) of a target website, where the domain name corresponding to the to-be-detected URL is a legitimate domain name; obtain, from the target website, the to-be-detected Hypertext Transfer Protocol Secure (HTTPS) certificate corresponding to the to-be-detected URL; and obtain, from the server corresponding to the domain name of the to-be-detected URL, the legitimate HTTPS certificate corresponding to the domain name of the to-be-detected URL;
a processing unit, configured to determine, according to the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website.

9. The device according to claim 8, characterized in that the processing unit is configured to:
when it is determined that the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate all match, determine that the target website is a normal website.

10. The device according to claim 8 or 9, characterized in that the processing unit is configured to:
when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate: if it is determined that the certificate issuer identifier included in the to-be-detected HTTPS certificate matches the certificate issuer identifier included in the legitimate HTTPS certificate, that the to-be-detected HTTPS certificate is valid at the current time according to the certificate validity period in the to-be-detected HTTPS certificate, and that the to-be-detected HTTPS certificate has not been revoked according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, determine that the target website is a normal website.

11. The device according to claim 8 or 9, characterized in that the processing unit is configured to:
when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate:
if it is determined that the to-be-detected HTTPS certificate and the to-be-detected HTTPS certificate satisfy at least one of the first preset conditions, determine that the target website is a phishing website; where the first preset conditions include:
the certificate issuer identifier included in the to-be-detected HTTPS certificate does not match the certificate issuer identifier included in the legitimate HTTPS certificate;
the to-be-detected HTTPS certificate is determined, according to the certificate validity period in the to-be-detected HTTPS certificate, to be invalid at the current time;
the to-be-detected HTTPS certificate is determined, according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, to have been revoked.

12. The device according to claim 8, characterized in that the processing unit is further configured to:
determine that the to-be-detected URL uses HTTPS.

13. The device according to claim 12, characterized in that the processing unit is further configured to:
when it is determined that the to-be-detected URL does not use HTTPS, report alarm information, where the alarm information is used to indicate that the target website is dangerous.

14. The device according to claim 8, characterized in that the processing unit is further configured to:
determine that the to-be-detected URL satisfies any one or more of the second preset conditions, where the second preset conditions include:
the domain name of the to-be-detected URL matches at least one preset URL domain name;
at least one of the attribute-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset attribute-class keyword;
at least one of the input-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset input-class keyword.

15. A phishing website detection device, characterized by comprising a processor and a memory;
the memory is configured to store an executable program;
the processor is configured to read the executable program in the memory and execute:
obtaining a to-be-detected uniform resource locator (URL) of a target website, where the domain name corresponding to the to-be-detected URL is a legitimate domain name; obtaining, from the target website, the to-be-detected Hypertext Transfer Protocol Secure (HTTPS) certificate corresponding to the to-be-detected URL; obtaining, from the server corresponding to the domain name of the to-be-detected URL, the legitimate HTTPS certificate corresponding to the domain name of the to-be-detected URL; and determining, according to the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate, whether the target website is a phishing website.

16. The device according to claim 15, characterized in that the processor is configured to:
when it is determined that the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate all match, determine that the target website is a normal website.

17. The device according to claim 15 or 16, characterized in that the processor is configured to:
when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate:
if it is determined that the certificate issuer identifier included in the to-be-detected HTTPS certificate matches the certificate issuer identifier included in the legitimate HTTPS certificate, that the to-be-detected HTTPS certificate is valid at the current time according to the certificate validity period in the to-be-detected HTTPS certificate, and that the to-be-detected HTTPS certificate has not been revoked according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, determine that the target website is a normal website.

18. The device according to claim 15 or 16, characterized in that the processor is configured to:
when it is determined that at least one item does not match between the preset information items included in the to-be-detected HTTPS certificate and the preset information items included in the legitimate HTTPS certificate:
if it is determined that the to-be-detected HTTPS certificate and the to-be-detected HTTPS certificate satisfy at least one of the first preset conditions, determine that the target website is a phishing website; where the first preset conditions include:
the certificate issuer identifier included in the to-be-detected HTTPS certificate does not match the certificate issuer identifier included in the legitimate HTTPS certificate;
the to-be-detected HTTPS certificate is determined, according to the certificate validity period in the to-be-detected HTTPS certificate, to be invalid at the current time;
the to-be-detected HTTPS certificate is determined, according to the information in the to-be-detected HTTPS certificate on whether the certificate has been revoked, to have been revoked.

19. The device according to claim 15, characterized in that the processor is further configured to:
determine that the to-be-detected URL uses HTTPS.

20. The device according to claim 19, characterized in that the processor is further configured to:
when it is determined that the to-be-detected URL does not use HTTPS, report alarm information, where the alarm information is used to indicate that the target website is dangerous.

21. The device according to claim 15, characterized in that the processor is further configured to:
determine that the to-be-detected URL satisfies any one or more of the second preset conditions, where the second preset conditions include:
the domain name of the to-be-detected URL matches at least one preset URL domain name;
at least one of the attribute-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset attribute-class keyword;
at least one of the input-class keywords in the obtained web page source code corresponding to the to-be-detected URL matches a preset input-class keyword.

22. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, the computer instructions being used to cause a computer to perform the method according to any one of claims 1 to 7.

23. A computer program product, characterized in that the computer program product comprises a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 7.
PCT/CN2017/107865 2016-11-29 2017-10-26 Method and device for detecting phishing website Ceased WO2018099219A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611076447.2A CN106789939B (en) 2016-11-29 2016-11-29 Method and device for detecting phishing website
CN201611076447.2 2016-11-29

Publications (1)

Publication Number Publication Date
WO2018099219A1 true WO2018099219A1 (en) 2018-06-07

Family

ID=58901010

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/107865 Ceased WO2018099219A1 (en) 2016-11-29 2017-10-26 Method and device for detecting phishing website

Country Status (2)

Country Link
CN (1) CN106789939B (en)
WO (1) WO2018099219A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112532624A (en) * 2020-11-27 2021-03-19 深信服科技股份有限公司 Black chain detection method and device, electronic equipment and readable storage medium
CN112785130A (en) * 2021-01-13 2021-05-11 上海派拉软件股份有限公司 Website risk level identification method, device, equipment and storage medium
CN113722639A (en) * 2021-08-25 2021-11-30 北京奇艺世纪科技有限公司 Website access verification method and device, electronic equipment and readable storage medium
CN113868649A (en) * 2021-09-10 2021-12-31 绿盟科技集团股份有限公司 Malicious external link detection method and device, electronic equipment and storage medium
CN113901370A (en) * 2021-10-11 2022-01-07 北京百度网讯科技有限公司 Certificate deployment method, apparatus, electronic device, and storage medium
CN114363163A (en) * 2021-12-09 2022-04-15 北京六方云信息技术有限公司 HTTPS-based device deployment method, system, device and medium
US11546377B2 (en) 2020-04-13 2023-01-03 Qatar Foundation For Education, Science And Community Development Phishing domain detection systems and methods

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789939B (en) * 2016-11-29 2019-04-26 中国银联股份有限公司 Method and device for detecting phishing website
CN107682371A (en) * 2017-11-21 2018-02-09 北京安博通科技股份有限公司 A kind of malice AP detection method and device
CN109033399B (en) * 2018-08-02 2021-06-18 挖财网络技术有限公司 Method for detecting validity of link
CN113014678A (en) * 2019-12-19 2021-06-22 厦门网宿有限公司 Domain name filtering method and device
CN111683089B (en) * 2020-06-08 2022-12-30 绿盟科技集团股份有限公司 Method, server, medium and computer equipment for identifying phishing website
CN114844857B (en) * 2022-04-02 2023-08-25 南京邮电大学 Automatic website HTTPS deployment measurement method based on domain name
CN116389158B (en) * 2023-05-09 2024-06-28 北京灵云数科信息技术有限公司 Method for realizing account-density fishing protection based on isolation technology
CN117040804A (en) * 2023-07-17 2023-11-10 中国银行股份有限公司 Network attack detection methods, devices, equipment, media and program products for websites

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141447A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 HTTPS communication tunnel security inspection and content filtering system and method
US7698442B1 (en) * 2005-03-03 2010-04-13 Voltage Security, Inc. Server-based universal resource locator verification service
CN101977235A (en) * 2010-11-03 2011-02-16 北京北信源软件股份有限公司 URL (Uniform Resource Locator) filtering method aiming at HTTPS (Hypertext Transport Protocol Server) encrypted website access
CN105516169A (en) * 2015-12-23 2016-04-20 北京奇虎科技有限公司 Method and device for detecting website security
CN106789939A (en) * 2016-11-29 2017-05-31 中国银联股份有限公司 A kind of detection method for phishing site and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8838973B1 (en) * 2011-02-28 2014-09-16 Google Inc. User authentication method
CN103825887B (en) * 2014-02-14 2017-06-16 深信服网络科技(深圳)有限公司 Website programming method and system based on HTTPS encryptions
CN105792216B (en) * 2016-05-18 2019-08-02 上海交通大学 Wireless fishing based on certification accesses point detecting method

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11546377B2 (en) 2020-04-13 2023-01-03 Qatar Foundation For Education, Science And Community Development Phishing domain detection systems and methods
CN112532624A (en) * 2020-11-27 2021-03-19 深信服科技股份有限公司 Black chain detection method and device, electronic equipment and readable storage medium
CN112532624B (en) * 2020-11-27 2023-09-05 深信服科技股份有限公司 Black chain detection method and device, electronic equipment and readable storage medium
CN112785130A (en) * 2021-01-13 2021-05-11 上海派拉软件股份有限公司 Website risk level identification method, device, equipment and storage medium
CN112785130B (en) * 2021-01-13 2024-04-16 上海派拉软件股份有限公司 Website risk level identification method, device, equipment and storage medium
CN113722639A (en) * 2021-08-25 2021-11-30 北京奇艺世纪科技有限公司 Website access verification method and device, electronic equipment and readable storage medium
CN113722639B (en) * 2021-08-25 2023-08-25 北京奇艺世纪科技有限公司 Website access verification method, device, electronic equipment and readable storage medium
CN113868649A (en) * 2021-09-10 2021-12-31 绿盟科技集团股份有限公司 Malicious external link detection method and device, electronic equipment and storage medium
CN113868649B (en) * 2021-09-10 2024-08-02 绿盟科技集团股份有限公司 Malicious outer chain detection method and device, electronic equipment and storage medium
CN113901370A (en) * 2021-10-11 2022-01-07 北京百度网讯科技有限公司 Certificate deployment method, apparatus, electronic device, and storage medium
CN113901370B (en) * 2021-10-11 2023-09-08 北京百度网讯科技有限公司 Certificate deployment method, device, electronic equipment and storage medium
CN114363163A (en) * 2021-12-09 2022-04-15 北京六方云信息技术有限公司 HTTPS-based device deployment method, system, device and medium

Also Published As

Publication number Publication date
CN106789939A (en) 2017-05-31
CN106789939B (en) 2019-04-26

Similar Documents

Publication Publication Date Title
WO2018099219A1 (en) Method and device for detecting phishing website
US11463460B1 (en) Network traffic inspection
US11188645B2 (en) Identifying whether an application is malicious
US10027708B2 (en) Login failure sequence for detecting phishing
US8776196B1 (en) Systems and methods for automatically detecting and preventing phishing attacks
US12488058B2 (en) Phishing detection of uncategorized URLs using heuristics and scanning
CN109690547B (en) System and method for detecting online fraud
US8763071B2 (en) Systems and methods for mobile application security classification and enforcement
US20170331634A1 (en) Detecting and preventing man-in-the-middle attacks on an encrypted connection
US8505102B1 (en) Detecting undesirable content
US20130036466A1 (en) Internet infrastructure reputation
JP6374947B2 (en) Recoverable and recoverable dynamic device identification
US20160337378A1 (en) Method and apparatus for detecting security of online shopping environment
WO2020000749A1 (en) Method and apparatus for detecting unauthorized vulnerabilities
US20190044950A1 (en) Detection of Compromised Access Points
US11303670B1 (en) Pre-filtering detection of an injected script on a webpage accessed by a computing device
US10078750B1 (en) Methods and systems for finding compromised social networking accounts
US10110601B1 (en) Systems and methods for protecting users from malicious content
WO2015078247A1 (en) Method, apparatus and terminal for monitoring phishing
GB2555384A (en) Preventing phishing attacks
US10474810B2 (en) Controlling access to web resources
US9762591B2 (en) Message sender authenticity validation
Shahriar et al. Mobile anti-phishing: Approaches and challenges
CN116346439A (en) Malicious website identification method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 17876155; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 17876155; Country of ref document: EP; Kind code of ref document: A1)