WO2019109529A1 - Webpage identification method, device, computer apparatus, and computer storage medium - Google Patents

Abstract

A webpage identification method, a device, a computer apparatus, and a storage medium. The method comprises: acquiring a webpage having an identified risk level greater than a pre-determined level, and extracting a domain name of the website corresponding to the webpage; acquiring a network address corresponding to the website and according to the domain name of the website; searching for a domain name associated with the network address, and when the domain name associated with the network address is found, using the associated domain name as a domain name to be identified; acquiring webpage data in a website corresponding to the domain name to be identified; and obtaining, according to the acquired webpage data, a webpage having a risk level greater than the pre-determined level and corresponding to the domain name to be identified.

Description

Web page identification method, device, computer device and computer storage medium

This application claims the priority of the Chinese Patent Application filed on Dec. 08, 2017, the Chinese Patent Application No. 201711297266.7, entitled "Web Page Identification Method, Apparatus, Computer Equipment, and Computer Storage Media", the entire contents of which are incorporated by reference. Combined in this application.

Technical field

The present application relates to the field of network security, and in particular, to a webpage identification method, apparatus, computer device, and storage medium.

Background technique

With the development of Internet technology, more and more activities are being carried out on the Internet, such as conducting transactions on the Internet, handling corresponding banking services on the Internet, etc., and thus some websites pretending to be banks will be accessed. It will steal private information such as bank account numbers and passwords submitted by users when using such websites. If such threatening websites are not discovered in time, the user's property will be threatened and the interests of users will be harmed.

Traditionally, since a large number of web pages are generated every day, it is necessary to select a potentially threatening target webpage from a large number of webpages generated on the Internet, thereby performing cumbersome analysis on the selected target webpage, so that the target webpage is identified as a risk level. Whether it is greater than the preset level is not efficient.

Summary of the invention

According to various embodiments of the present application, a web page identification method, apparatus, computer apparatus, and computer storage medium are provided, which solve one or more problems involved in the background art.

A website identification method includes:

Obtaining a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage;

Obtaining a network address corresponding to the website according to the website domain name;

Searching for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified;

Obtaining webpage data in a website corresponding to the domain name to be identified;

And obtaining, according to the obtained webpage data, a webpage corresponding to the domain name to be identified with a risk level greater than a preset level.

A webpage identification device, the device comprising:

a first acquiring module, configured to acquire a webpage whose identified risk level is greater than a preset level, and extract a website domain name corresponding to the webpage;

a second obtaining module, configured to obtain a network address corresponding to the website according to the website domain name;

a search module, configured to search for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified;

a third obtaining module, configured to acquire webpage data in a website corresponding to the domain name to be identified;

The identification module is configured to obtain, according to the acquired webpage data, a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level.

A computer apparatus comprising a memory and a processor, the memory storing computer readable instructions, wherein the processor, when executing the computer readable instructions, implements the step of: computer readable instructions

Obtaining a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage;

Obtaining a network address corresponding to the website according to the website domain name;

Searching for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified;

Obtaining webpage data in a website corresponding to the domain name to be identified;

And obtaining, according to the obtained webpage data, a webpage corresponding to the domain name to be identified with a risk level greater than a preset level.

One or more non-transitory computer readable storage media storing computer readable instructions, when executed by one or more processors, cause one or more processors to perform the steps of: obtaining Identifying a webpage whose risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage;

Obtaining a network address corresponding to the website according to the website domain name;

Searching for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified;

Obtaining webpage data in a website corresponding to the domain name to be identified;

And obtaining, according to the obtained webpage data, a webpage corresponding to the domain name to be identified with a risk level greater than a preset level.

Details of one or more embodiments of the present application are set forth in the accompanying drawings and description below. Other features and advantages of the present invention will be apparent from the description, drawings and claims.

DRAWINGS

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings to be used in the embodiments or the prior art description will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present application, and other drawings can be obtained according to the drawings without any creative work for those skilled in the art.

1 is an application scenario diagram of a webpage identification method in an embodiment;

2 is a flow chart of a webpage identification method in an embodiment;

3 is a schematic structural diagram of a webpage identification device in an embodiment;

4 is a schematic structural diagram of a computer device in an embodiment.

Detailed ways

In order to make the objects, technical solutions, and advantages of the present application more comprehensible, the present application will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the application and are not intended to be limiting.

Before the embodiments in accordance with the present application are described in detail, it should be noted that the described embodiments are primarily in combination with steps and apparatus components associated with web page identification methods, apparatus, computer devices, and storage media. Accordingly, the device components and method steps have been shown in the drawings by the conventional symbols in the appropriate positions, and only the details related to the understanding of the embodiments of the present application are shown to avoid the benefit of the present application. Those details apparent to those of ordinary skill in the art obscure the disclosure of the present application.

In this context, relational terms such as left and right, up and down, before and after, first and second are only used to distinguish one entity or action from another entity or action, without necessarily requiring or implying such Any actual relationship or order between entities or actions. The terms "comprising," "comprising," or "include" or "includes" or "includes" or "includes" or "includes" or "includes" An element, or an element inherent to such a process, method, item, or device.

Referring to FIG. 1 , FIG. 1 is an application scenario diagram of a webpage identification method according to an embodiment, which includes a webpage recognition platform and a server. The webpage identification platform acquires, from a server, a stored webpage whose detected risk level is greater than a preset level. Obtaining a webpage address on a webpage with a risk level greater than a preset level, and extracting a webpage domain name corresponding to the webpage from the webpage address, the webpage identification platform obtains a webpage address corresponding to the webpage according to the website domain name, and the webpage identification platform according to the network address The domain name associated with the network address is searched in the address association database of the webpage identification platform. When the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified, and the webpage identification platform obtains the domain name corresponding to the domain to be identified. The webpage data on the webpage included in the website obtains a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level according to the obtained webpage data.

Referring to FIG. 2, in one embodiment, a flowchart of a webpage identification method is provided. In this embodiment, the method is applied to the webpage identification platform in FIG. 1 to illustrate that the webpage runs on the platform. The recognition program implements the web page recognition processing by the web page recognition program. The method comprises the following steps:

S202: Acquire a webpage whose identified risk level is greater than a preset level, and extract a website domain name corresponding to the webpage.

Specifically, the risk level refers to a security indicator for evaluating whether the webpage is secure, and the risk level may be a different level of whether the predetermined evaluation webpage is secure. For example, the risk level may be set from low to high according to the level, and the risk level is higher. It means that the corresponding webpage has a higher risk. For example, the risk level is set to level 1 to level 5, indicating that the risk corresponding to the webpage is getting higher and higher. The website domain name refers to the logo of the relevant website. There may be multiple web pages under the same website domain name. For example, the website name of the website "Baidu" is "baidu.com", and there are multiple web pages under the domain name of the website, such as the "Baidu Encyclopedia" webpage. Wait. Wherein, the server is provided with a risk database, the risk database stores a webpage with a risk level greater than a preset level, and the webpage with a risk level greater than a preset level indicates a webpage with high risk, and the webpage recognition platform obtains the identified webpage from the server. If the webpage whose risk level is greater than the preset level is obtained, the webpage address corresponding to the webpage is obtained according to the obtained webpage, and the webpage identification platform extracts the webpage according to the webpage address. The domain name of the website in the address. It should be noted that the webpage address of the webpage refers to a corresponding unique identifier of each webpage in the network, and the webpage address may be a URL (Uniform Resoure Locator) address. A risk database is a database that stores web pages with a risk level greater than a preset value.

S204: Obtain a network address corresponding to the website according to the website domain name.

Specifically, the network address refers to a communicable identifier when the computer network is connected to each other or communicates, and may be a network address of a computer in a network, the network address may uniquely identify the computer device in the network, the computer When communicating with other computers, the network address can be used as the communication identifier. For example, the network address can be an IP (Internet Protocol) address, and different website domain names have corresponding network addresses. Further, the webpage identification platform queries the web address corresponding to the website according to the website domain name, and the webpage identification platform sends corresponding test data to the webpage server corresponding to the website according to the obtained website domain name, and the corresponding web server returns a response. When the data is used, the webpage identification platform extracts the corresponding network address from the response data sent by the web server.

S206: Search for a domain name associated with the network address. When the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified.

Specifically, the associated domain name refers to a domain name that can share the same network address. When sites corresponding to different website domain names are stored in the same website server, the same network address can be shared, and the website corresponding to different website domain names is in the website server. There are different access ports in the corresponding ones, and different websites corresponding to different website domain names are distinguished according to different access ports. Further, the webpage identification platform pre-stores different network addresses and corresponding website domain names, and the webpage identification platform queries the domain name associated with the network address according to the obtained network address, and the associated domain name and the identified risk level are greater than the pre- If the domain name of the website is different, if the domain name associated with the network address corresponding to the website with the risk level greater than the preset level is found, the associated domain name is used as the domain name to be identified.

S208: Acquire webpage data in a website corresponding to the domain name to be identified.

Specifically, the webpage data refers to content displayed on a webpage page, and the webpage data may be text data, image data, digital data, and the like. Specifically, the website may include different web pages, and the webpage identification platform is based on the obtained domain name that is found by the webpage corresponding to the network address corresponding to the preset level of the website. The obtained domain name to be identified finds the website corresponding to the domain name to be identified, thereby obtaining webpage data of different webpages included in the website corresponding to the domain name to be identified, such as obtaining text data displayed on different webpages.

S210: Obtain a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level according to the acquired webpage data.

Specifically, the webpage identification platform identifies the webpage data according to the obtained webpage data, and when there is suspicious data in the obtained webpage data, the webpage including the webpage data is further used as a webpage whose risk level is greater than a preset level. The webpage recognition platform may identify the characters in the text data one by one according to the text data of the obtained webpage data. When the suspicious character data is recognized, the webpage including the text data is a risk corresponding to the domain name to be identified. A web page with a rating greater than the preset level. It should be noted that the suspicious data may be preset data. When the webpage includes the preset data, the webpage is a webpage whose risk level is greater than a preset level, and the suspicious data may be text data, image data, digital data, etc. For example, the data can be set to the words "bank", "point" or "prize" and the like.

In this embodiment, the webpage identification platform queries the other associated domain names through a recognized webpage whose risk level is greater than the preset level, and obtains other risk levels greater than the preset level according to the webpage data in the website corresponding to the associated domain name. For a webpage, a webpage with a risk level greater than a preset level can be associated with a webpage with a different risk level than a preset level to improve query efficiency.

In one embodiment, step S206 may include the following process, step S206, that is, the step of searching for a domain name associated with the network address, including:

The network address is matched to the pre-stored network address in the address association library. Specifically, the address association library refers to a database in which different network addresses and domain names corresponding to different network addresses are stored. The webpage recognition platform obtains a webpage with a risk level greater than a preset level, and obtains a webpage address of a webpage whose risk level is greater than a preset level, extracts a webpage domain name corresponding to the webpage according to the webpage address, and obtains the risk level greater than the pre-requisite according to the webpage domain name. The network address corresponding to the graded website is further matched, and the network address corresponding to the website with the identified risk level greater than the preset level is matched with all the network addresses pre-stored in the address association library, and the matching address is traversed one by one. All network addresses stored in the repository.

When the network address and the network address pre-stored in the address association library are successfully matched, the domain name to be matched associated with the pre-stored network address is obtained. Specifically, the domain name to be matched refers to a domain name associated with a network address pre-stored in the address association library, and the domain name may be an identifier of a related website, and may be associated when the network address is obtained in the address association repository. The associated domain name to be matched corresponding to the network address. The webpage identification platform matches the network address with the identified risk level greater than the preset level and all the network addresses stored in the address association library one by one, and the webpage identification platform selects the identified network address with the risk level greater than the preset level. The network address that is successfully matched in the associated library is obtained, and the associated domain name to be matched associated with the successfully matched network address is obtained from the address association library.

Obtain the valid deadline for obtaining the domain name to be matched in the address association library. Specifically, the effective expiration time refers to the last valid time to be carried in the associated domain name to be matched, the effective expiration time may be the year time, the effective expiration time may be the specific month in the year, and the effective deadline may be a specific detailed date, etc., for example, The effective deadline can be 2017, the effective deadline can be the specific month in the year is December 2017, and the effective deadline can be the specific detailed date is December 31, 2017. The webpage identification platform successfully matches the network address corresponding to the webpage with the identified risk level greater than the preset level to the network address stored in the address association library, and the webpage identification platform obtains the to-be-matched associated domain name associated with the successfully matched network address. The webpage identifying platform obtains the valid expiration time corresponding to the to-be-matched domain name according to the to-be-matched domain name in the address-associated database, that is, obtains the final effective time corresponding to the to-be-matched domain name according to the to-be-matched domain name in the address-associated database.

If the current time is less than or equal to the valid deadline, the associated domain name to be matched is extracted as the domain name to be identified. Specifically, the current time refers to the time when the associated domain name is to be matched, and the current time may be the system time. For example, the current time may be the year time, the current time may be the specific month in the year, and the current time may also be a specific date. Wait. The webpage identification platform obtains the associated domain name to be matched, and obtains the current time. The current time may be the system time. The webpage identification platform performs the current deadline and the valid deadline corresponding to the domain name to be matched according to the obtained current time. If the current time of the domain name to be matched is less than the effective expiration time, the acquired domain name to be matched does not exceed the effective expiration time, that is, the acquired domain name to be matched is valid, then the webpage identification platform will obtain The associated domain name to be matched is used as the associated domain name, and the associated domain name is used as the domain name to be identified.

It should be noted that, in this embodiment, the address association library may be a passive DNS (passive domain name system) database, and the webpage identification platform obtains the network address of the website according to the obtained identified risk level that is greater than the preset level. Matches the network address stored in the passive DNS database. If the matching is successful, the domain name of the domain name to be matched in the passive DNS database is obtained. The current time of the domain name to be matched is less than or equal to the matching domain name. When the valid deadline of the associated domain name is used, the associated domain name to be matched is used as the associated domain name.

It should be noted that a webpage with a risk level greater than a preset level may be a high-risk webpage disguised as a normal webpage. When the user accesses, the user's relevant bank card information is stolen, thereby threatening the user's property security, such as a phishing webpage; It may also be other webpages that restrict access when risk management is required. For example, a webpage with a risk level greater than a preset level is an access right of a corresponding webpage in some enterprises, and a webpage that restricts access may be regarded as a risk level. A web page that is larger than the preset level. In this embodiment, the webpage identification platform obtains the domain name to be matched according to the pre-stored network address that is successfully matched from the address association library, and compares the current time with the valid deadline of the domain name to be matched, when the current time is less than or equal to When the valid deadline is valid, the domain name to be matched is valid, that is, the associated domain name can be used as the domain name to be identified, and the domain name to be matched that is invalid according to the filtering of the current time and the valid deadline is directly operated, the efficiency is improved, and the pair is invalid. The domain name to be matched is directly filtered to improve the accuracy of selecting the associated domain name.

In one embodiment, the webpage identification method may further include the following steps. The step may be performed after the step S206, that is, after searching for the domain name associated with the network address, the step may include:

When the domain name associated with the network address is not found, the registration data corresponding to the domain name of the website is obtained, and the corresponding domain name is queried according to the registration data as the domain name to be identified. Specifically, the registration data refers to data indicating the detailed information of the user who registered the domain name of the website. The registration data may be text data, picture data, or digital data. For example, the registration data may be a personal name, and the registration data may be a personal mailbox. The registration data can be a personal phone, and the registration data can also be a personal photo or the like. If the webpage identification platform does not match the pre-stored network address in the address association library, the domain identification platform acquires the identified risk level greater than the preset level. The registration data corresponding to the domain name of the website, and the webpage identification platform queries the domain name corresponding to the registration data according to the registered registration data, and the domain name corresponding to the registration data is different from the domain name of the website whose risk level is greater than the preset level. Further, the queried domain name different from the domain name of the website whose risk level is greater than the preset level is used as the domain name to be identified.

In this embodiment, when the domain name associated with the network address corresponding to the website whose risk level is greater than the preset level is not found in the address association library, the website corresponding to the determined level is greater than the preset level. The registration data is queried to a different domain name as the domain name to be identified, that is, the associated domain name can be queried again through the registration information, and the associated domain name is used as the domain name to be identified, thereby improving the accuracy of the website with the risk level greater than the preset level.

In one of the embodiments, the step of obtaining the registration data corresponding to the domain name of the website and querying the corresponding domain name as the domain name to be identified according to the registration data may include the following processes:

Obtain the registration data corresponding to the domain name of the website, and select the conversion logic corresponding to the registration data from the conversion logic library. Specifically, the conversion logic library is a database that stores conversion logic for converting registration data into a fixed format registration data. The conversion logic refers to a rule for converting registration data. The conversion logic may replace characters in the registration data with preset characters, and the conversion logic may delete invalid characters or the like. Further, when the webpage recognition platform obtains the recognized webpage with a risk level greater than the preset level, the website domain name corresponding to the webpage whose detected risk level is greater than the preset level is extracted according to the webpage address of the webpage, and is extracted by the webpage recognition platform. When the domain name of the website is obtained, the registration data corresponding to the webpage whose detected risk level is greater than the preset level is obtained according to the domain name of the website, and the obtained registration data is not displayed according to the specified format, and the conversion is performed according to the type of the registration data. The conversion logic corresponding to the registration data is selected in the logic library, and the acquired registration data is further according to a prescribed display format. For example, the webpage identification platform extracts the registration data corresponding to the domain name according to the domain name of the website, such as the registered name, the registered email address, the registered telephone number, etc. according to the extracted domain name of the website whose authorized risk level is greater than the preset level, and the registered name contains a space in the middle. If the registration phone contains a connector, according to the registration data type, that is, the webpage identification selects the registration name from the logical conversion library according to the registered name, and the conversion logic displayed according to the display rule is deleted, and the space in the registered name is deleted, and then converted according to the registered phone. In the logic library, the conversion logic displayed by the registration phone according to the display rule is selected, and the connector in the registered phone is deleted.

The registration data is converted according to the conversion logic to obtain the converted registration data. Specifically, when the webpage recognition platform selects the conversion logic, that is, the webpage identification adds the rules to convert the registration data, such as replacing the characters in the registration data with the preset characters, deleting invalid characters, etc., the webpage The recognition platform converts the registration data to the converted registration data according to the conversion logic, and the converted registration data may be displayed according to a prescribed display format. For example, the registration data has a registered name, a registered email address, a registered telephone number, etc., and the webpage identification platform selects the conversion logic of the registered name and the registered telephone, and then deletes the invalid space character according to the conversion logic in the registered name, and can also follow the registration telephone. The conversion logic in the registration phone deletes the connector.

The converted registration data is matched with the information data stored in the information repository. Specifically, the information repository refers to a database storing different registration information and a domain name associated with the registration information, and the information repository may store a registered name, a registered email address, a registered telephone, etc., a registered name, a registered email address, and the stored in the information database. The registration phones may correspond to each other, and the information repository may store the website domain name associated with the registration information. The information data refers to data showing the detailed information of the registrant of the related domain name, and the information data may be text data, and the information data may be digital data or image data, for example, the information data may be a name, a phone, a mailbox, or a photo. Wait. Specifically, the webpage identification platform matches the acquired registration data with the information data stored in the information repository one by one, and the registration data acquired by the webpage identification platform is a registered name, a registered email address, and a registration phone, and the webpage identification platform is based on The conversion rule converts the registered name, registered email address and registered telephone to obtain the converted registered name, the converted registered email address and the converted registration telephone, and the webpage identification platform performs the converted registered name and the name stored in the information repository. The matching, the webpage identification platform then matches the converted registration phone with the phone stored in the information repository, and the webpage identification platform matches the converted registration mailbox with the mailbox stored in the information repository.

When the converted registration data is successfully matched with the information data stored in the information repository, the domain name associated with the successfully matched information data is obtained as the domain name to be identified. Specifically, when the webpage identification platform matches the converted registration data with the information data stored by the information repository one by one, when the corresponding information data is matched in the information repository, the domain name associated with the successfully matched information data is obtained. The associated domain name is used as the domain name to be identified. The webpage identification platform may match each of the data in the registration data with the information data stored in the information data, and when each data in the registration data is successfully matched with the information data stored in the information database, the webpage identification platform acquires The domain name associated with the information data. The webpage identification platform matches the converted registered name with the name stored in the information database. When the matching is successful, the registered mailbox is matched with the mailbox corresponding to the name stored in the information database, and when the registered mailbox matches successfully, then Matching the registration phone with the phone number corresponding to the name and the mailbox stored in the information database, and when the registration phone is also successfully matched, the matching name, the phone number, and the domain name associated with the mailbox stored in the information repository are extracted, thereby The extracted domain name is used as the domain name to be identified. It should be noted that the webpage identification platform only uses any registration data in the registration data to match the data stored in the information data. When the matching is successful, the domain name associated with the matching success information data is used as the domain name to be identified. If the converted registered name is matched with the name stored in the information database, the domain name associated with the successfully matched name is directly extracted as the domain name to be identified.

It should be noted that, in this embodiment, the information storage database may be a whois database, and the webpage identification platform obtains the domain name of the website whose identified risk level is greater than the preset level, and obtains the registration data corresponding to the website according to the domain name. The registration data may be matched with the information data stored in the whois database. When the matching is successful, the domain name associated with the information data is obtained as the domain name to be identified.

In this embodiment, the webpage identification platform first converts the acquired registration data according to the conversion logic, and obtains the converted registration data that can be displayed according to the display rule, thereby improving the accuracy of identifying the associated domain name to be identified, and further, according to the conversion. The registration data is matched with the information data stored in the information repository. When the matching is successful, the domain name associated with the successfully matched information data is obtained as the domain name to be identified, and different domain names to be identified can be obtained according to the registration information, thereby improving the recognition efficiency. .

In one of the examples, the step of obtaining a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level according to the obtained webpage data may include:

The webpage data is matched with the first filtering data stored in the preset blacklist. When the website data and the first filtering data are successfully matched, the suspicious label is added to the domain name to be identified. Specifically, the blacklist refers to storing data having a risk level greater than a preset level, and the data with a risk level greater than a preset level may be text data, picture data, digital data, etc., for example, characters such as “bank” may be stored. "Points" and so on. The first filtered data refers to data whose risk level is greater than a preset level. When the webpage contains the first filtered data, the website may be a webpage whose risk level is greater than a preset level, and the first filtered data may be text data, image data, Digital data, etc. A suspicious tag means that the domain name to be identified may be a tag whose risk level is greater than a preset level. Specifically, when the webpage identification platform extracts all the webpages included in the website corresponding to the domain name to be identified to the webpage data, the webpage data extracted is matched with the first filtering data stored in the preset blacklist one by one. When all the webpage data matches any of the first filtered data stored in the blacklist, the webpage identifying platform adds the to-be-identified domain name corresponding to the webpage associated with the webpage of the source of the webpage data to the label. It should be noted that the matching quantity threshold may be set, that is, the webpage identification platform matches all the webpage data acquired by the webpage identification platform with the first filtering data stored in the blacklist one by one, when the storage with the preset quantity is black. If the first filtering data in the list is successfully matched, the suspicious label is added to the domain name to be identified corresponding to the website associated with the webpage to which the webpage data originates. The threshold of the matching quantity may be preset to 1, preset to 3, and preset to 4 Wait. The suspicious tag may be added to the to-be-identified domain name when the webpage data of the webpage included in the website corresponding to the obtained domain name to be identified has been successfully matched with the first filtering data in the blacklist.

Matching the webpage data in the website corresponding to the domain name to be identified with the suspicious tag to the second filtering data stored in the preset whitelist. Specifically, the whitelist refers to a database in which trusted data is stored, and the trusted data refers to data whose risk level is less than or equal to a preset level. The trusted data may be text data, image data, digital data, etc., for example, may be stored. Characters such as "gaming" and so on. The second filtered data refers to data whose risk level is less than or equal to the preset level, that is, trusted data. When the webpage contains the second filtered data, the website may be a trusted website, and the second filtered data may be text data. , picture data, digital data, etc. Specifically, the webpage identification platform extracts the to-be-identified domain name to which the suspicious tag is added, and the webpage data on all the webpages included in the website of the to-be-identified domain name to which the suspicious tag is added and the second filtering data stored in the preset whitelist. Matching one by one, when the webpage data on all the webpages included in the website corresponding to the domain name to be identified with the suspicious label is matched with the second filtering data pre-stored in the whitelist, the suspiciously carried on the domain to be identified is carried. The label is deleted. It should be noted that, when the webpage data on the webpage included in the website of the preset number of the domain name to be identified with the suspicious label is matched with the second filtering data stored in the preset whitelist, Delete the suspicious tag carried on the domain to be identified.

When the webpage data and the second filtering data are not successfully matched, the domain name to be identified carrying the suspicious label is extracted, and the webpage in the website corresponding to the domain name to be identified is obtained as a webpage whose risk level is greater than the preset level. Specifically, when the webpage data included in the website corresponding to the domain name to be identified that adds the suspicious tag does not match the second filtering data, the domain name still carries the suspicious tag, and the webpage identification platform extracts The domain name to be identified with the suspicious tag is still carried, and the website corresponding to the domain name to be identified is obtained, and the webpage included in the corresponding website is extracted as a webpage with a risk level greater than a preset level.

In this embodiment, the webpage data is filtered by the first filtering data stored in the blacklist and the second filtering data stored in the whitelist, thereby obtaining a webpage with a required risk level greater than a preset level, thereby preventing occurrence of carrying The webpage data with a risk level greater than the preset level is actually a trusted webpage, and after two levels of filtering, the accuracy of identifying a webpage with a risk level greater than a preset level is improved.

In one embodiment, the webpage identification method may further include:

If the domain name to be identified carrying the suspicious tag does not exist after the data is identified by the preset blacklist and the preset whitelist, the identifier corresponding to the domain to be identified is obtained. Specifically, the identifier refers to a website-specific identifier corresponding to the domain name to be identified, and the identifier may be an enterprise identifier. For example, the identifier may be a corporate logo or the like. Specifically, when the webpage identification platform performs data identification according to the preset blacklist and the preset whitelist according to the webpage data on the webpage included in the website corresponding to the domain name to be identified, the domain name to be identified is not carried. In the case of a suspicious tag, the webpage identification platform obtains an identifier corresponding to the domain name to be identified after the webpage data identifies that the webpage whose risk level is greater than the preset level is not recognized.

The identifier is matched to a security identifier pre-stored in the security identity store. Specifically, the security identity repository refers to a database that stores an identifier of a trusted website and a website domain name corresponding to the identifier. The security identifier refers to the logo of the trusted website. The security identifier can be the logo of the enterprise of the secure webpage. For example, the security identifier is the logo of the ICBC webpage, and the logo of the Ping An Group webpage. Specifically, the webpage identification platform matches the obtained identifier with the security identifier stored in the security identifier repository one by one, and the identifier corresponding to the domain name to be identified obtained by the webpage identification platform is the Pingguo Group logo. And, the acquired identifier corresponding to the domain name to be identified, that is, the Ping An Group logo, is matched with the security identifier stored in the security identifier storage.

When the identifier corresponding to the domain name to be identified is successfully matched, the secure domain name associated with the security identifier stored in the security identifier repository is obtained, and the secure domain name is matched with the domain name to be identified. Specifically, the webpage identification platform matches the identifier corresponding to the domain name to be identified with the security identifier stored in the security repository, and the domain name to be identified corresponding to the security identifier corresponding to the domain name to be identified may be a secure domain name, and thus needs to be performed. Further matching and identifying, the webpage identification platform obtains the secure domain name associated with the security identifier stored in the former security identifier repository, and matches the secure domain name associated with the security identifier stored in the security identifier repository. Match the secure domain name with the domain name to be identified. For example, if the identifier of the to-be-identified domain name corresponding to the domain name obtained by the webpage matches the Ping An Group logo stored in the secure repository, the domain name associated with the Ping An Group logo stored in the security identity repository is obtained. “pingan.com” ", and match the domain name to be identified with the associated domain name "pingan.com".

When the matching of the secure domain name and the domain name to be identified is unsuccessful, the webpage in the website corresponding to the domain name to be identified is used as a webpage with a risk level greater than a preset level. Specifically, when the webpage identification platform matches the domain name to be identified with the security domain name, the identifier corresponding to the domain name to be identified is a forged security identifier, and the webpage included in the website corresponding to the domain name to be identified is regarded as a risk level greater than A web page with a preset level. For example, the identifier of the domain name to be identified obtained by the webpage recognition platform is the Pingan Group logo. When the security logo stored in the security group store and the security identity store is successfully matched, the domain name associated with the security identity store is obtained. Pingan.com When the domain name to be identified is not "pingan.com", the domain name to be identified forged the Pingguo Group logo, and the webpage in the website corresponding to the domain name to be identified is used as a webpage whose risk level is greater than a preset level.

In this embodiment, when the webpage data is identified and the suspicious domain name is not obtained, the identifier is further identified according to the identifier carried by the domain name to be identified, so that the webpage included in the website corresponding to the domain name to be identified is greater than the preset value. The webpage adopts a multi-identification method to improve the accuracy of identifying a webpage whose risk level is greater than a preset level.

In one embodiment, after the step S210, the method further includes the following steps: Step S210, after the step of obtaining the webpage with the risk level corresponding to the domain name to be identified that is greater than the preset level according to the acquired website data, the method further includes:

The keywords of the webpage data whose risk level is greater than the preset level webpage are extracted, and the corresponding category label is added according to the keyword to the domain name to be identified whose risk level is greater than the preset level. Specifically, the category label refers to an identifier of a type of webpage data, and the category label may be a label of a different risk category. For example, the category label may be a bank category label, may be a shopping category label, or the like. Specifically, the webpage recognition platform identifies a webpage whose risk level is greater than a preset level, and further, the webpage recognition platform extracts keywords of the webpage data, and the webpage recognition platform selects the keyword of the webpage data according to the key of the extracted webpage data. The word, the corresponding category label is added to the domain name to be identified associated with the website corresponding to the webpage containing the webpage data. For example, the webpage identification platform identifies the webpages whose risk level is greater than the preset level, and then extracts keywords from the webpage recognition platform from different webpages as “points” and “banks” respectively, and the webpage recognition platform is based on the extracted webpage data. The keyword "point" and "bank" add a "bank tag" or "point tag" when adding a corresponding category tag to the domain name to be identified associated with the website corresponding to the webpage containing the webpage data.

The category label of the domain name to be identified whose risk level is greater than the preset level is matched with the stored category label. Specifically, the webpage identification platform matches the category labels of the stored webpage recognition platform one by one according to the category label of the domain name to be added until all the stored category labels are traversed. For example, the tags to be added to the domain name to be identified are "bank" and "points", and the tag "bank" added to the domain to be identified is matched one by one with the stored category tags, and then the category tag "integration" added to the domain name to be identified is The stored category labels are matched one by one.

When the unmatching is successful, the category label of the domain name to be identified whose risk level is greater than the preset level is added, and the webpage whose risk level is greater than the preset level is stored under the category label. Specifically, when the added category label does not match the stored category label successfully, the added category label is a new category label, and the category label of the domain name to be identified whose risk level is not matched is greater than the preset level. Add to the category label of the stored category category label, and add the webpage with the risk level greater than the preset level included in the website corresponding to the domain name to be identified of the added category label to the category label. For example, the category labels added to the domain name to be identified are “bank” and “point” respectively, and the category label “bank” is matched with the stored category labels one by one, and the category label “integration” added to the domain name to be identified is stored. The category labels are matched one by one. When the category label "Bank" does not match successfully, the category label "Bank" is added to the stored category label, and the website corresponding to the domain to be identified with the "Bank" category label added A web page containing a risk level greater than a preset level is added to the category label.

It should be noted that the webpage recognition platform may preset the time, and send the updated category label and the webpage with the risk level corresponding to the category label greater than the preset level to the server for storage. For example, the preset category label and the webpage corresponding to the risk level corresponding to the preset level of the category label are sent to the server for storage by one hour at a preset interval.

In this embodiment, the keywords of the webpage data in the webpage with the risk level greater than the preset level are extracted, and the corresponding category label is added according to the keyword to the domain name to be identified whose risk level is greater than the preset level, and then the category label is added. If the matching category label does not match successfully, the added category label is added to the stored category label, and the webpage with the risk level greater than the preset level is stored in the added category label, and the stored category is gradually expanded. Labels for enhanced applicability.

In one embodiment, when the webpage whose risk level is greater than the preset level is a phishing webpage, for example, when the webpage identifying platform obtains the identified phishing webpage, the webpage domain name corresponding to the phishing webpage is extracted, and then the webpage domain name is further Obtaining a network address of the website corresponding to the phishing webpage, the webpage identifying platform searches for the domain name associated with the network address according to the queried network address, and searching for the domain name associated with the network address may be the website corresponding to the phishing webpage that the webpage identification platform will query The network address and the address association library are matched with the stored network address. When the network address of the website corresponding to the phishing webpage and the pre-stored network address in the address association library are successfully matched, the network address associated with the pre-stored network address is obtained. Matching the associated domain name, and determining whether the associated domain name to be matched is valid according to the effective time of the domain name to be matched, that is, when the current time is less than or equal to the effective deadline, the domain name to be matched is extracted as the domain name to be identified, and then the webpage is identified. The platform finds the network address When the domain name is linked, the associated domain name is used as the domain name to be identified. When the domain name associated with the network address is not queried by the above method, the registration data corresponding to the domain name of the website is obtained, and the corresponding domain name is used as the domain name to be identified according to the registration data, and the domain name corresponding to the registration data is used as the to-be-identified domain name. The domain name may be: the webpage identification platform obtains the registration data corresponding to the domain name of the website corresponding to the phishing website, and further selects the conversion logic corresponding to the registration data from the conversion logic library, and then converts the registration data according to the conversion logic to obtain the converted registration data. And matching the converted registration data with the information data stored in the information repository. When the converted registration data and the information data stored in the information repository are successfully matched, the domain name associated with the successfully matched information data is obtained as Identify the domain name. First, the domain name associated with the network address of the website corresponding to the identified phishing website is used to query the domain name to be identified, and when not found, the registration data corresponding to the network address of the website corresponding to the identified phishing website is used to query the domain name to be identified. Query by means of two queries to ensure that the query will not be missed.

When the webpage identification platform obtains the domain name to be identified, the webpage data of the webpage included in the website corresponding to the domain name to be identified is obtained, and the webpage data is matched with the first data stored in the preset blacklist, and when the matching is successful, Adding a suspicious tag to the domain to be identified corresponding to the website from which the webpage corresponding to the webpage data is added, and further adding the webpage data in the website corresponding to the domain to be identified with the suspicious tag and the second filtering data stored in the preset whitelist. If the matching does not match the second filtering data, the domain name to be identified carrying the suspicious tag is extracted, so that the webpage in the website corresponding to the domain name to be identified carrying the suspicious tag is used as the phishing webpage. Further, when the data is matched by the preset blacklist and the preset list to identify that the domain name to be identified with the suspicious tag does not exist, the identifier corresponding to the domain name to be identified, such as the enterprise logo, is further obtained. The obtained logo is matched with the security identifier pre-stored in the security identifier store. When the match is successful, the secure domain name associated with the secure identifier stored in the security identifier database is obtained, and the secure domain name and the domain name to be identified are obtained. If the matching is unsuccessful, the domain name to be identified is masqueraded as a secure domain name, and the webpage in the website corresponding to the domain name to be identified is used as a phishing webpage, and the webpage data in the webpage included in the website corresponding to the domain name to be recognized is The webpage identifier is queried to determine whether the webpage included in the website corresponding to the domain name to be identified is a phishing webpage, and the webpage data and the webpage identifier are used for secondary detection, thereby improving the accuracy of detecting the phishing webpage.

Further, when the phishing webpage is identified, the key of the webpage data on the phishing webpage is extracted, and the category label is added to the domain name to be identified corresponding to the phishing webpage according to the keyword, and the category label does not match the stored category label. When successful, the category label of the domain name to be identified corresponding to the phishing webpage is added, and the phishing webpage is added to the category label.

In this embodiment, a phishing webpage can be associated with multiple to-be-identified domain names to improve the efficiency of the communication, enhance the applicability, and query the webpage data of the webpage in the website corresponding to the domain name, and the webpage identifier. The query determines whether the corresponding webpage in the domain name to be identified is a phishing webpage, and the query is accurate, and the phishing webpages that are queried are classified according to categories, so as to facilitate subsequent query and push.

In one embodiment, please refer to FIG. 3, which is a schematic structural diagram of a webpage identification apparatus. The webpage identification apparatus 300 may include:

The first obtaining module 310 is configured to obtain a webpage whose identified risk level is greater than a preset level, and extract a website domain name corresponding to the webpage.

The second obtaining module 320 is configured to obtain a network address corresponding to the website according to the website domain name.

The searching module 330 is configured to search for a domain name associated with the network address. When the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified.

The third obtaining module 340 is configured to obtain webpage data in a website corresponding to the domain name to be identified.

The identification module 350 is configured to obtain, according to the acquired webpage data, a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level.

In one embodiment, the lookup module 330 can include:

The first matching unit is configured to match the network address with a pre-stored network address in the address association library.

The domain name obtaining unit is configured to acquire the to-be-matched associated domain name associated with the pre-stored network address when the network address is successfully matched with the network address pre-stored in the address association library.

The time obtaining unit is configured to obtain an effective deadline for the associated domain name to be matched.

The extracting unit is configured to extract the domain name to be matched as the domain name to be identified if the current time is less than or equal to the effective deadline.

In one embodiment, the webpage identification device may further include:

The query module is configured to obtain the registration data corresponding to the domain name of the website when the domain name associated with the network address is not found, and query the corresponding domain name as the domain name to be identified according to the registration data.

In one of the embodiments, the query module can include:

The selecting unit is configured to obtain registration data corresponding to the domain name of the website, and select a conversion logic corresponding to the registration data from the conversion logic library.

a conversion unit, configured to convert the registration data according to the conversion logic to obtain the converted registration data.

And a second matching unit, configured to match the converted registration data with the information data stored in the information repository.

The domain name obtaining unit is configured to obtain the domain name associated with the successfully matched information data as the domain name to be identified when the converted registration data is successfully matched with the information data stored in the information repository.

In one embodiment, the identification module 350 can further include:

The first filtering unit is configured to match the webpage data with the first filtering data stored in the preset blacklist. When the website data and the first filtering data are successfully matched, the suspicious label is added to the domain name to be identified.

The second filtering unit is configured to match the webpage data in the website corresponding to the to-be-identified domain name to which the suspicious tag is added, and the second filtering data stored in the preset whitelist.

The tag domain name obtaining unit is configured to: when the webpage data and the second filtering data are not successfully matched, extract the domain name to be identified carrying the suspicious tag, and obtain the webpage in the website corresponding to the domain name to be identified as the webpage whose risk level is greater than the preset level. .

In one example, the webpage identification device 300 may further include:

The identifier obtaining module is configured to obtain an identifier corresponding to the domain name to be identified when the domain name to be identified carrying the suspicious tag does not exist after the data is identified by the preset blacklist and the preset whitelist.

An identifier matching module for matching the identifier with a security identifier pre-stored in the security identity store.

The secure domain name matching module is configured to: when the identifier corresponding to the domain name to be identified is successfully matched, obtain the secure domain name associated with the security identifier stored in the security identifier repository, and the secure domain name and the to-be-identified Domain name matching.

The suspicious domain name extraction module is configured to: when the matching of the secure domain name and the domain name to be identified is unsuccessful, the webpage in the website corresponding to the domain name to be identified is a webpage with a risk level greater than a preset level.

In one embodiment, the webpage identification device 300 may further include:

The keyword extraction module is configured to extract a keyword of the webpage data of the webpage whose risk level is greater than the preset level, and add a corresponding category label to the to-be-identified domain name corresponding to the webpage whose risk level is greater than the preset level according to the keyword.

The label matching module is configured to match the category label of the domain name to be identified whose risk level is greater than the preset level with the stored category label.

The adding module is configured to add a category label of the domain name to be identified with a risk level greater than a preset level when the unmatched success, and store the webpage with a risk level greater than the preset level under the category label.

For the specific definition of the webpage identification device, reference may be made to the above description of the webpage identification method, and details are not described herein again. Each of the above-described web page identification devices may be implemented in whole or in part by software, hardware, and combinations thereof. Each of the above modules may be embedded in or independent of the processor in the computer device, or may be stored in a memory in the computer device in a software form, so that the processor invokes the operations corresponding to the above modules. The processor can be a central processing unit (CPU), a microprocessor, a microcontroller, or the like. The web page identification device described above can be implemented in the form of a computer readable instruction that can be executed on a web page data processing platform device as shown in FIG.

The embodiment of the present application provides a computer device, which may be a server, and an internal structure diagram thereof may be as shown in FIG. 4 . The computer device includes a processor, memory, network interface, and database connected by a system bus. The processor of the computer device is used to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium, an internal memory. The non-volatile storage medium stores an operating system, computer readable instructions, and a database. The internal memory provides an environment for operation of an operating system and computer readable instructions in a non-volatile storage medium. The database of the computer device is used to store web page identification data. The network interface of the computer device is used to communicate with an external terminal via a network connection. The computer readable instructions are executed by a processor to implement a web page identification method.

It will be understood by those skilled in the art that the structure shown in FIG. 4 is only a block diagram of a part of the structure related to the solution of the present application, and does not constitute a limitation of the computer device to which the solution of the present application is applied. The specific computer device may It includes more or fewer components than those shown in the figures, or some components are combined, or have different component arrangements. The processor executes the following steps: obtaining a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage. Get the web address corresponding to the website according to the website domain name. Find the domain name associated with the network address. When the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified. Get the webpage data in the website corresponding to the domain name to be identified. And obtaining, according to the obtained webpage data, a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level.

For the specific definition of the computer device, reference may be made to the definition of the webpage identification method in the above, and details are not described herein again.

In one embodiment, with continued reference to FIG. 4, a non-transitory computer readable storage medium storing computer readable instructions executed by one or more processors is provided, such that The one or more processors perform the following steps: acquiring a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage. Get the web address corresponding to the website according to the website domain name. Find the domain name associated with the network address. When the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified. Get the webpage data in the website corresponding to the domain name to be identified. And obtaining, according to the obtained webpage data, a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level.

For the specific definition of the storage medium, reference may be made to the definition of the webpage identification method in the above, and details are not described herein again.

One of ordinary skill in the art can understand that all or part of the process of implementing the above embodiments can be completed by computer readable instructions, which can be stored in a non-volatile computer. The readable storage medium, which when executed, may include the flow of an embodiment of the methods as described above. Any reference to a memory, storage, database or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of formats, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronization chain. Synchlink DRAM (SLDRAM), Memory Bus (Rambus) Direct RAM (RDRAM), Direct Memory Bus Dynamic RAM (DRDRAM), and Memory Bus Dynamic RAM (RDRAM).

The technical features of the above-described embodiments may be arbitrarily combined. For the sake of brevity of description, all possible combinations of the technical features in the above embodiments are not described. However, as long as there is no contradiction between the combinations of these technical features, All should be considered as the scope of this manual.

The above-mentioned embodiments are merely illustrative of several embodiments of the present application, and the description thereof is more specific and detailed, but is not to be construed as limiting the scope of the invention. It should be noted that a number of variations and modifications may be made by those skilled in the art without departing from the spirit and scope of the present application. Therefore, the scope of the invention should be determined by the appended claims.

Claims (20)

A webpage identification method, comprising: Obtaining a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage; Obtaining a network address corresponding to the website according to the website domain name; Searching for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified; Obtaining webpage data in a website corresponding to the domain name to be identified; and And obtaining, according to the obtained webpage data, a webpage corresponding to the domain name to be identified with a risk level greater than a preset level. The method of claim 1, wherein the step of searching for a domain name associated with the network address comprises: Matching the network address with a pre-stored network address in the address association library; Obtaining a domain name to be matched associated with the pre-stored network address when the network address is successfully matched with the network address pre-stored in the address association library; Obtaining an effective deadline for the associated domain name to be matched; and If the current time is less than or equal to the valid deadline, the associated domain name to be matched is extracted as the domain name to be identified. The method of claim 1 further comprising: When the domain name associated with the network address is not found, the registration data corresponding to the domain name of the website is obtained, and the corresponding domain name is used as the domain name to be identified according to the registration data. The method according to claim 3, wherein the step of obtaining the registration data corresponding to the domain name of the website, and querying the corresponding domain name as the domain name to be identified according to the registration data comprises: Obtaining registration data corresponding to the domain name of the website, and selecting, from the conversion logic library, conversion logic corresponding to the registration data; Converting the registration data according to the conversion logic to obtain converted registration data; Matching the converted registration data with the information data stored in the information repository; and When the converted registration data is successfully matched with the information data stored in the information repository, the domain name associated with the information data that is successfully matched is obtained as the domain name to be identified. The method according to claim 1, wherein the step of obtaining a webpage having a risk level corresponding to the to-be-identified domain name that is greater than a preset level according to the obtained webpage data comprises: Matching the webpage data with the first filtering data stored in the preset blacklist, and when the website data is successfully matched with the first filtering data, adding a suspicious tag to the domain name to be identified; Matching the webpage data in the website corresponding to the to-be-identified domain name to which the suspicious tag is added, and the second filtering data stored in the preset whitelist; and When the webpage data and the second filtering data are not successfully matched, the domain name to be identified carrying the suspicious tag is extracted, and the webpage in the website corresponding to the domain name to be identified is obtained as a webpage whose risk level is greater than a preset level. The method of claim 5, wherein the method further comprises: Obtaining an identifier corresponding to the to-be-identified domain name when the domain name to be identified carrying the suspicious tag does not exist after the data is identified by the preset blacklist and the preset whitelist; Matching the identifier with a security identifier pre-stored in a secure identity store; When the identifier corresponding to the to-be-identified domain name is successfully matched, the secure domain name associated with the security identifier stored in the security identifier repository is obtained, and the secure domain name is obtained. Matching the domain name to be identified; and When the matching of the secure domain name and the domain name to be identified is unsuccessful, the webpage in the website corresponding to the domain name to be identified is used as a webpage whose risk level is greater than a preset level. The method according to claim 1, wherein the step of obtaining a webpage having a risk level corresponding to the to-be-identified domain name that is greater than a preset level according to the acquired webpage data further comprises: Extracting a keyword of the webpage data of the webpage whose risk level is greater than the preset level, and adding a corresponding category label to the to-be-identified domain name corresponding to the webpage whose risk level is greater than the preset level according to the keyword; Matching the category label of the domain name to be identified with the risk level greater than the preset level to the stored category label; and When the unmatching is successful, the category label of the domain name to be identified whose risk level is greater than the preset level is added, and the webpage whose risk level is greater than the preset level is stored under the category label. A webpage identification device, characterized in that the device comprises: a first acquiring module, configured to acquire a webpage whose identified risk level is greater than a preset level, and extract a website domain name corresponding to the webpage; a second obtaining module, configured to obtain a network address corresponding to the website according to the website domain name; a search module, configured to search for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified; a third obtaining module, configured to acquire webpage data in a website corresponding to the domain name to be identified; The identification module is configured to obtain, according to the acquired webpage data, a webpage whose risk level corresponding to the domain name to be identified is greater than a preset level. The device according to claim 1, wherein the searching module comprises: a first matching unit, configured to match the network address with a pre-stored network address in the address association library; a domain name obtaining unit, configured to acquire a to-be-matched associated domain name associated with the pre-stored network address when the network address is successfully matched with the network address pre-stored in the address association library; a time obtaining unit, configured to obtain an effective deadline for the associated domain name to be matched; and The extracting unit is configured to extract the to-be-matched associated domain name as the to-be-identified domain name if the current time is less than or equal to the valid deadline. A computer apparatus comprising a memory and a processor, the memory storing computer readable instructions, wherein the processor, when executing the computer readable instructions, implements the following steps: Obtaining a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage; Obtaining a network address corresponding to the website according to the website domain name; Searching for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified; Obtaining webpage data in a website corresponding to the domain name to be identified; and And obtaining, according to the obtained webpage data, a webpage corresponding to the domain name to be identified with a risk level greater than a preset level. The computer device according to claim 10, wherein the step of searching for the domain name associated with the network address implemented by the processor when the computer readable instructions are executed further comprises the step of: Matching the network address with a pre-stored network address in the address association library; Obtaining a domain name to be matched associated with the pre-stored network address when the network address is successfully matched with the network address pre-stored in the address association library; Obtaining an effective deadline for the associated domain name to be matched; and If the current time is less than or equal to the valid deadline, the associated domain name to be matched is extracted as the domain name to be identified. The computer apparatus according to claim 10, wherein said processor further implements the following steps when said computer readable instructions are executed: When the domain name associated with the network address is not found, the registration data corresponding to the domain name of the website is obtained, and the corresponding domain name is used as the domain name to be identified according to the registration data. The computer device according to claim 12, wherein the processor executes the computer readable instructions to obtain the registration data corresponding to the domain name of the website, and queries the corresponding data according to the registration data. The domain name as a step of identifying the domain name also includes the following steps: Obtaining registration data corresponding to the domain name of the website, and selecting, from the conversion logic library, conversion logic corresponding to the registration data; Converting the registration data according to the conversion logic to obtain converted registration data; Matching the converted registration data with the information data stored in the information repository; and When the converted registration data is successfully matched with the information data stored in the information repository, the domain name associated with the information data that is successfully matched is obtained as the domain name to be identified. The computer device according to claim 10, wherein the processor, when the processor executes the computer readable instructions, obtains a risk level corresponding to the domain name to be identified that is greater than a pre-determined according to the acquired webpage data. The step of leveling the webpage further includes performing the following steps: Matching the webpage data with the first filtering data stored in the preset blacklist, and when the website data is successfully matched with the first filtering data, adding a suspicious tag to the domain name to be identified; Matching the webpage data in the website corresponding to the to-be-identified domain name to which the suspicious tag is added, and the second filtering data stored in the preset whitelist; and When the webpage data and the second filtering data are not successfully matched, the domain name to be identified carrying the suspicious tag is extracted, and the webpage in the website corresponding to the domain name to be identified is obtained as a webpage whose risk level is greater than a preset level. The computer apparatus according to claim 14, wherein said processor further implements the following steps when said computer readable instructions are executed: Obtaining an identifier corresponding to the to-be-identified domain name when the domain name to be identified carrying the suspicious tag does not exist after the data is identified by the preset blacklist and the preset whitelist; Matching the identifier with a security identifier pre-stored in a secure identity store; When the identifier corresponding to the to-be-identified domain name is successfully matched, the secure domain name associated with the security identifier stored in the security identifier repository is obtained, and the secure domain name is obtained. Matching the domain name to be identified; and When the matching of the secure domain name and the domain name to be identified is unsuccessful, the webpage in the website corresponding to the domain name to be identified is used as a webpage whose risk level is greater than a preset level. The computer device according to claim 10, wherein the processor, when the processor executes the computer readable instructions, obtains a risk level corresponding to the domain name to be identified that is greater than a pre-determined according to the acquired webpage data. After the step of leveling the webpage, it also includes: Extracting a keyword of the webpage data of the webpage whose risk level is greater than the preset level, and adding a corresponding category label to the to-be-identified domain name corresponding to the webpage whose risk level is greater than the preset level according to the keyword; Matching the category label of the domain name to be identified with the risk level greater than the preset level to the stored category label; and When the unmatching is successful, the category label of the domain name to be identified whose risk level is greater than the preset level is added, and the webpage whose risk level is greater than the preset level is stored under the category label. One or more non-transitory computer readable storage mediums storing computer readable instructions, wherein when the computer readable instructions are executed by one or more processors, cause one or more processors to perform the following step: Obtaining a webpage whose identified risk level is greater than a preset level, and extracting a website domain name corresponding to the webpage; Obtaining a network address corresponding to the website according to the website domain name; Searching for a domain name associated with the network address, and when the domain name associated with the network address is found, the associated domain name is used as the domain name to be identified; Obtaining webpage data in a website corresponding to the domain name to be identified; and And obtaining, according to the obtained webpage data, a webpage corresponding to the domain name to be identified with a risk level greater than a preset level. The storage medium of claim 17, wherein the computer readable instructions are executed by one or more processors such that one or more processors perform the lookup of the domain name associated with the network address Steps, including: Matching the network address with a pre-stored network address in the address association library; Obtaining a domain name to be matched associated with the pre-stored network address when the network address is successfully matched with the network address pre-stored in the address association library; Obtaining an effective deadline for the associated domain name to be matched; and If the current time is less than or equal to the valid deadline, the associated domain name to be matched is extracted as the domain name to be identified. The storage medium of claim 17, wherein the computer readable instructions are executed by one or more processors such that the one or more processors can further perform the following steps: When the domain name associated with the network address is not found, the registration data corresponding to the domain name of the website is obtained, and the corresponding domain name is used as the domain name to be identified according to the registration data. The storage medium of claim 19, wherein the computer readable instructions are executed by one or more processors such that the one or more processors execute the registration data corresponding to the domain name of the website The step of querying the corresponding domain name as the domain name to be identified according to the registration data includes: acquiring registration data corresponding to the domain name of the website, and selecting a conversion logic corresponding to the registration data from the conversion logic library; Converting the registration data according to the conversion logic to obtain converted registration data; Matching the converted registration data with the information data stored in the information repository; and When the converted registration data is successfully matched with the information data stored in the information repository, the domain name associated with the information data that is successfully matched is obtained as the domain name to be identified.

Images