
CN103336693B - The creation method of refer chain, device and security detection equipment - Google Patents

Info

Publication number: CN103336693B
Authority: CN (China)
Prior art keywords: page, level, url, node, level page
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201310279974.3A
Other languages: Chinese (zh)
Other versions: CN103336693A (en)
Inventors: 肖鹏, 郑劲松, 刘起, 符云
Current Assignee: Beijing Qihoo Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310279974.3A
Publication of CN103336693A
Application granted; publication of CN103336693B
Landscapes: Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and device for creating a refer chain, and security detection equipment. The method includes: after an access request for an initial page is detected, generating a page ID for the initial page, obtaining the URL of the initial page, and creating the level-1 node of a refer chain; after an access request for a level-i page is detected, generating a page ID for the level-i page and obtaining the URL of the level-i page and the page ID or URL of the level-(i-1) page; and querying the refer chain that contains the page ID or URL of the level-(i-1) page and creating the level-i node of that refer chain. The nodes at every level of the refer chain are created through this step. With this technical solution, a refer chain composed of the URLs of the pages at each level can be obtained in real time while pages are being accessed, so that the client can use the refer chain to detect whether the access to the current page is safe.

Description

Method and device for creating a refer chain, and security detection equipment

Technical field

The invention relates to the technical field of computer networks, and in particular to a method and device for creating a refer chain and to security detection equipment.

Background

With the development of the Internet, web-based applications have become increasingly common. Through a browser, people can check bank accounts, shop online, conduct e-commerce, look up information, acquire knowledge and find entertainment; the web gives people a convenient and fast way to interact.

However, while browsing the web, people are frequently attacked by malicious websites, which leaves their computers infected with viruses, Trojan horses and the like.

Malicious websites, such as phishing sites or fraudulent and counterfeit sites, mainly imitate the URL or page content of a genuine website to pose as a banking or e-commerce site, or exploit vulnerabilities in a genuine website's server programs to insert dangerous code into some of its pages, in order to trick users out of private data such as bank or credit card account numbers and passwords. Malicious pages contain many sensitive features. For example, financial-fraud pages imitate the official site in their text and images, or insert fake ticketing, fake prize-winning, fake online banking, fake shopping and similar information into genuine pages. Most of these features appear in the page as text strings.

Current methods for identifying malicious pages rely mainly on manual review to collect simple text features of malicious websites; browser plug-ins then judge page content against these text features and filter out the reported attack sites. However, malicious websites now have ever shorter lifetimes, new malicious pages appear constantly, and the volume of pages to review is too large. The features of malicious websites also change more quickly, so extracting information by traditional manual review is inefficient.

The main existing means of guarding against malicious websites is that, when a user visits a website, the client sends the website's URL to a blacklist/whitelist database on the server side for lookup. The blacklist database is a database of URLs of websites that have been reviewed and confirmed as malicious; the whitelist database holds the URLs of websites that have been reviewed and confirmed as safe. After the lookup, the server returns to the client the result of whether the website is malicious.

These existing techniques can only check a single URL. Because the URLs of malicious websites change constantly, and the server-side blacklist and whitelist databases are updated far more slowly than malicious websites change, checking a single URL cannot effectively detect malicious websites and therefore cannot protect the client's web browsing quickly and effectively in real time.

Existing browsers provide an interface for obtaining the refer information of a URL, namely the get_refer interface. However, the refer information obtained through get_refer contains only the URL of the page visited immediately before the current page, and the URL of the current page together with the URL of the previously visited page is not enough to detect malicious websites effectively. In addition, a long time passes between a page being opened and the get_refer interface becoming usable. If detection waits until get_refer is usable, it takes too long and the user has to wait a long time for the result for the page being visited, so this method cannot protect the client's web browsing quickly in real time.

Summary of the invention

In view of the above problems, the present invention is proposed to provide a method for creating a refer chain, and a corresponding device for creating a refer chain and security detection equipment, that overcome the above problems or at least partially solve them.

According to one aspect of the present invention, a method for creating a refer chain is provided, including:

after an access request for an initial page is detected, generating a page ID for the initial page, obtaining the URL of the initial page, creating the level-1 node of a refer chain, and writing the page ID and URL of the initial page into the refer chain as the information of the level-1 node;

after an access request for a level-i page is detected, where i≥2, generating a page ID for the level-i page and obtaining the URL of the level-i page and the page ID or URL of the level-(i-1) page, the level-i page being a page-level jump page of the level-(i-1) page; and querying the refer chain that contains the page ID or URL of the level-(i-1) page, creating the level-i node of that refer chain, and using the page ID and URL of the level-i page as the information of the level-i node; the nodes at every level of the refer chain are created through this step.

According to another aspect of the present invention, a device for creating a refer chain is provided, including:

a first node creation unit, adapted to, after an access request for an initial page is detected, generate a page ID for the initial page, obtain the URL of the initial page, create the level-1 node of a refer chain, and write the page ID and URL of the initial page into the refer chain as the information of the level-1 node;

a second node creation unit, adapted to, after an access request for a level-i page is detected, where i≥2, generate a page ID for the level-i page and obtain the URL of the level-i page and the page ID or URL of the level-(i-1) page, the level-i page being a page-level jump page of the level-(i-1) page; and to query the refer chain that contains the page ID or URL of the level-(i-1) page, create the level-i node of that refer chain, and use the page ID and URL of the level-i page as the information of the level-i node;

the second node creation unit being adapted to create the nodes at every level of the refer chain.

According to another aspect of the present invention, security detection equipment is provided, which includes the above device for creating a refer chain and further includes a detection module adapted to process page access behavior using all the URLs contained in the refer chain.

With the method, device and security detection equipment for creating a refer chain provided by the present invention, whenever a new page is opened through a link at any level below the initial page, the page ID and URL of the new page and the page ID or URL of the new page's parent page are obtained, the corresponding refer chain is looked up by the parent page's page ID or URL, and the corresponding node of the refer chain is created. With this technical solution, a refer chain composed of the URLs of the pages at each level can be obtained in real time while pages are being accessed, so that the client can use the refer chain to detect whether the access to the current page is safe.

The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the contents of the description, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.

Description of drawings

Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

Fig. 1 shows a flowchart of a method for creating a refer chain according to an embodiment of the present invention;

Fig. 2 shows a structural block diagram of a device for creating a refer chain according to an embodiment of the present invention;

Fig. 3 shows a structural block diagram of the interaction between a server and a client acting as security detection equipment according to an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed fully to those skilled in the art.

The browser needs to send the URL information of the pages the user wants to visit, or may visit, to a filtering module. This URL information includes the URL of a browsed page, part of the URL of a browsed page, the URLs in the user's favorites, part of the URLs in the favorites, and so on; these are referred to collectively below as URL information.

Existing browsers provide an interface for obtaining the refer information of a URL, namely the get_refer interface. However, the refer information obtained through get_refer contains only the URL of the page visited immediately before the current page, that is, the URL of the parent page that linked to the current page. In addition, a long time passes between a page being opened and the get_refer interface becoming usable, so detection that waits until get_refer is usable takes too long. To obtain in real time a refer chain composed of the URLs of the pages at each level, the present invention provides a method for creating a refer chain, as follows: whenever a new page is opened through a link at any level below the initial page, the process responsible for maintaining refer chains obtains the page ID and URL of the new page and the page ID or URL of the new page's parent page, looks up the corresponding refer chain by the parent page's page ID or URL, and creates the corresponding node of the refer chain.

Typically, after the user opens the browser, the browser visits a default initial page, or the user's input in the address bar triggers the access request for an initial page. The user clicking a link on the initial page, or some other form of linking, leads from the initial page to a level-2 page; clicking a link on the level-2 page, or some other form of linking, leads from the level-2 page to a level-3 page; and so on, until the level-(i-1) page links to the level-i page. For example, the user opens the browser and enters www.so.com in the address bar; this page is the initial page (its URL is denoted A below). The user then types "话费充值" (phone credit top-up) in the search box and clicks the search button, and the browser jumps to http://www.so.com/s?ie=utf-8&src=360sou_home&q=%E8%AF%9D%E8%B4%B9%E5%85%85%E5%80%BC; this page is the level-2 page (its URL is denoted B below). The level-2 page offers many links; the user clicks one of them and the browser jumps to the corresponding page, http://chongzhi.360.cn/mobile/, which is the level-3 page (its URL is denoted C below). On the level-3 page the user clicks the "网游点卡" (online game point card) link and the browser jumps to http://chongzhi.360.cn/GameCard/index, which is the level-4 page (its URL is denoted D below). For the page the user is currently visiting, the refer information is the URL of that page's parent page, that is, the URL of the page one level up that linked to it. The present invention builds a refer chain from the URLs of the several levels of pages that led to the current page, and this refer chain can be used to process web page access behavior.

Fig. 1 shows a flowchart of a method 100 for creating a refer chain according to an embodiment of the present invention. As shown in Fig. 1, method 100 starts at the level-1 node creation step S101. In step S101, after an access request for the initial page is detected, a page ID is generated for the initial page, the URL of the initial page is obtained, the level-1 node of a refer chain is created, and the page ID and URL of the initial page are written into the refer chain as the information of the level-1 node. The default page visited by the browser, or a page whose access is triggered by the user's input in the address bar, is treated as an initial page and a new refer chain is created for it. Specifically, after detecting the access request for the initial page, the browser loads the initial page. While loading it, the browser generates a unique ID as the page ID of the initial page and obtains the URL of the initial page. The URL of the initial page can be obtained through a designated response event interface, for example one implemented through a standard plug-in mechanism.

In the IE (Internet Explorer) browser, the Browser Helper Object (BHO) plug-in mechanism is used, and the URL that IE is currently loading can be obtained by responding to the "BeforeNavigate2" event. In the Firefox browser, the designated response event interface provided by the Firefox extension mechanism is used to obtain the URL Firefox is currently loading. In the Google Chrome browser, the Netscape Plugin Application Programming Interface (NPAPI) plug-in mechanism is used to obtain the URL Chrome is currently loading. After the page ID (for example ID1) and URL (for example A) of the initial page have been obtained, ID1 and A are used as the information of the level-1 node of the refer chain, and the refer chain is created as: A(ID1). Here ID1 is the index information.

It should be noted that, because in practice people use computers in different environments (operating system, browser type and so on), the entity that executes each of the foregoing steps can be implemented in several ways. For example, it may be a browser with identification and tagging functions, where the browser may be Internet Explorer (IE), which ships with the Windows operating system, or another third-party browser. A third-party browser usually means non-IE browser software running on the Windows operating system; such browsers typically offer users many convenient applications through rich, distinctive feature design and personalized extensions. The same plug-in mechanism can run in many types of browser, for example IE, Firefox, Google Chrome, Safari, Opera, QQ Browser, Aoyou browser, Sogou Browser or Cheetah Browser.

After the level-1 node creation step S101, method 100 enters a loop that creates the level-i nodes. Starting from i=2, method 100 proceeds to step S102, in which, after an access request for the level-i page is detected, a page ID is generated for the level-i page and the URL of the level-i page and the page ID or URL of the level-(i-1) page are obtained, the level-i page being a page-level jump page of the level-(i-1) page. In this document, moving from the level-(i-1) page to the level-i page because the user clicked a link on the level-(i-1) page, or through some other link triggered by user behavior, is called a page-level jump. After the browser detects the access request for the level-i page reached by a page-level jump, it loads the level-i page. While loading it, the browser generates a unique ID as the page ID of the level-i page and obtains the URL of the level-i page. The URL of the level-i page can be obtained through a designated response event interface, for example one implemented through a standard plug-in mechanism; for details, see the earlier description of how the URL of the initial page is obtained.

To find the corresponding refer chain and continue creating nodes on it, step S102 also needs to obtain the page ID or URL of the level-(i-1) page. The invention provides two different ways of obtaining the information of the level-(i-1) page, depending on how the browser opens the new page. One way (method one below) applies when the level-i page is opened in a new window or new tab; the other (method two below) applies when the level-i page is opened in the current window or current tab.

Method one:

First, after the access request for the level-i page is detected, the interface object pointer of the level-i page is obtained, and the page ID of the level-(i-1) page, which was obtained while the level-(i-1) page was loading, is written to the interface object of the level-i page through that pointer. Then, while the level-i page is loading, the page ID of the level-(i-1) page is obtained by reading the information provided by the interface object of the level-i page.

Method one applies when the level-i page is opened in a new window or new tab. Taking IE as an example: by analyzing how IE opens a new window or new tab, the relevant handler function that IE's internal modules call when creating the new window or tab is found and hooked, and the function's return value is used to obtain the interface object pointer, such as the IWEBBROWSER2 pointer, of the new window or tab (the window or tab that is about to load the level-i page). Because the browser has not yet started loading the level-i page at this point, the page ID it records for the current page is still the page ID of the level-(i-1) page obtained while that page was loading. The browser can therefore write the page ID of the level-(i-1) page to the IWEBBROWSER2 object through the interface object pointer. Once loading of the level-i page has started, the page ID of the level-(i-1) page can be obtained by reading the information provided by the level-i page's IWEBBROWSER2 object.

Method two:

After the access request for the level-i page is detected and before the level-i page is loaded, the URL of the level-(i-1) page is obtained through the get_locationURL interface provided by the browser.

Method two applies when the level-i page is opened in the current window or current tab. In this case no new window or tab is opened, so the page ID of the level-(i-1) page cannot be obtained in a way similar to method one. Instead, after the access request for the level-i page is detected but before the "BeforeNavigate2" event of the level-i page, the get_locationURL interface still returns the URL of the level-(i-1) page, so get_locationURL can be used to obtain the URL of the level-(i-1) page.

However, after the step of obtaining the URL of the level-(i-1) page through the browser's get_locationURL interface, it is also necessary to determine whether the level-i page was opened by input in the browser's address bar; specifically, this can be determined from the click and input actions in the address bar. If so, the URL of the level-(i-1) page obtained through get_locationURL is cleared, the level-i page is handled as an initial page, and step S101 is executed. If not, step S103 is executed.

Methods one and two address different situations. If the level-i page is opened in a new window or new tab, step S102 obtains the page ID of the level-(i-1) page by method one; if the level-i page is opened in the current window or current tab, step S102 obtains the URL of the level-(i-1) page by method two. If step S102 obtained the page ID of the level-(i-1) page, the corresponding refer chain is subsequently looked up by that page ID; if step S102 obtained the URL of the level-(i-1) page, the corresponding refer chain is subsequently looked up by that URL.

在步骤S102之后,方法100进入步骤S103,其中查询包含第i-1级页面的页面ID或URL的refer链,创建该refer链的第i级节点,将第i级页面的页面ID和URL作为第i级节点的信息。After step S102, the method 100 proceeds to step S103, wherein the refer chain containing the page ID or URL of the i-1th level page is queried, the i-th level node of the refer chain is created, and the page ID and URL of the i-th level page are used as The information of the i-level node.

具体地,如果在步骤S102中,采用上述方式一获取得到第i-1级页面的页面ID,那么直接查询包含第i-1级页面的页面ID的refer链即可。例如,如果通过步骤S102得到第2级页面的页面ID为ID2,URL为B,以及第1级页面(就是初始页面)的页面ID为ID1,则在本步骤中,查询包含ID1的refer链,并且该refer链的最后一级节点的索引信息为ID1,即A(ID1);创建该refer链的第2级节点,将ID2和B作为第2级节点的信息,得到refer链为A(ID1)->B(ID2)。如果在步骤S102中,采用上述方式二获取得到第i-1级页面的URL,那么则需要查询包含第i-1级页面的URL的refer链。由于维护refer链的进程有可能维护有多条包含相同URL的refer链,所以本步骤有可能查询得到多条包含第i-1级页面的URL的refer链。但是,由于在上述方式二所适用的仍通过当前窗口或当前标签页打开第i级页面的情况下,页面跳转的时序性良好,所以可以选择最近更新的refer链作为待创建第i级节点的refer链。Specifically, if in step S102, the page ID of the i-1th level page is acquired by the above method 1, then it is sufficient to directly query the refer chain including the page ID of the i-1th level page. For example, if the page ID of the second-level page is ID2, the URL is B, and the page ID of the first-level page (that is, the initial page) is ID1 through step S102, then in this step, query the refer chain containing ID1, And the index information of the last-level node of the refer chain is ID1, that is, A(ID1); create the second-level node of the refer chain, use ID2 and B as the information of the second-level node, and obtain the refer chain as A(ID1 )->B(ID2). If in step S102, the URL of the i-1th level page is obtained by using the second method above, then it is necessary to query the refer chain containing the URL of the i-1th level page. Since the process of maintaining the refer chain may maintain multiple refer chains containing the same URL, this step may query and obtain multiple refer chains containing the URL of the i-1th level page. However, since the timing of page jumps is good when the i-level page is still opened through the current window or the current tab page, which is applicable to the above-mentioned method 2, the latest updated refer chain can be selected as the i-level node to be created The refer chain.

Optionally, in method 1 of step S102, it is also possible to write only the URL of the (i-1)-th level page to the interface object of the i-th level page, and to obtain that URL by reading the information provided by the interface object of the i-th level page. Then, in step S103, the refer chain containing the URL of the (i-1)-th level page is queried and, if multiple refer chains are found, the most recently updated one is selected as the chain in which the i-th level node is created. However, method 1 applies to the case where the i-th level page is opened in a new window or new tab, in which the order of page jumps is less reliable, so looking up the refer chain by page ID is more accurate than looking it up by URL.

Steps S102 and S103 are executed in a loop, thereby creating the complete refer chain. For the above example, the resulting refer chain is: A(ID1)->B(ID2)->C(ID3)->D(ID4).

While the refer chain is being created, one special case must also be considered: when certain pages are accessed, the page jumps automatically several times, for example through 3xx redirects. This document calls such a jump an inter-page jump. In the IE browser, the BHO mechanism provides three events for an access to a single page: BeforeNavigate2, NavigateComplete2 and DocumentComplete2. Normally the URLs associated with the three events are identical, but if several 302 redirects occur, the sequence is as follows: (BeforeNavigate2)url0->(302)url1->(302)url2->(NavigateComplete2)url2->(DocumentComplete2)url2. Continuing the above example, when page C is accessed it may jump automatically several times, first to C1 and then to C2. Therefore, when inter-page jumps occur, the method described above may fail to capture the URLs of all the jump pages.

In view of this special case, the embodiment of the present invention further includes, after step S103, a step of creating at least one i-th level child node, namely step S104. This step is performed when an inter-page jump occurs on the i-th level page, and the at least one i-th level child node corresponds to at least one inter-page jump page of the i-th level page. In step S104, the function called during redirection processing is captured, and the URL of at least one inter-page jump page of the i-th level page is obtained from the input parameters of that function; then the refer chain containing the page ID of the i-th level page is queried, at least one i-th level child node of that refer chain is created, and the page ID of the i-th level page together with the URL of the at least one inter-page jump page is stored as the information of the at least one i-th level child node. Specifically, when a jump such as a 3xx occurs, the browser performs redirection processing, during which it calls the "Urlmon!CINet::OnRedirect" function. The input parameters of this function record the URL of the inter-page jump page, so capturing this function yields the URL of at least one inter-page jump page of the i-th level page. The URL obtained in this way is stored as the information of the i-th level child node, and the index ID of the inter-page jump page is the same as the page ID of the i-th level page. For the above example, the resulting refer chain is: A(ID1)->B(ID2)->C(ID3)->C1(ID3)->C2(ID3)->D(ID4).

With the method for creating a refer chain provided by the embodiment of the present invention, the refer chain made up of the URLs of the pages at every level can be obtained in real time while the pages are being accessed, so the client can use the refer chain to check whether the access to the current page is safe. Specifically, the client can extract all the URLs contained in the refer chain and compare them with the black/white list database it stores locally to obtain a detection result. The cloud security server is built from a cluster of web-wide spider cloud security servers and stores a malicious URL library, a phishing URL library, an advertising fraud library and so on, from which changed web pages and newly added web pages can be discovered. Preferably, the cloud security server can match the extracted features against the dangerous URL information in the database in order to determine the security category and corresponding security level of the website to which the feature belongs. The website security categories may include trojan-hosting websites, phishing websites, fraudulent websites, malicious websites, safe websites and so on, and each category has corresponding security levels, for example from level 1 to level 10; the cloud security server can classify the matched information and obtain its security level within that category.

In the embodiment of the present invention, the browser connects to a website according to the web page address in the address bar, so information such as the web page address can first be obtained from the browser's address bar. After extracting all the URLs contained in the refer chain, the client can encrypt them into URL ciphertext and send the ciphertext to the cloud security server. Before the URL ciphertext is uploaded to the cloud security server, URL strings that may carry a user password must first be filtered out; such URLs are not uploaded. The cloud security server compares the URLs with the black/white list database it stores, obtains a detection result, and returns the result to the client. The returned result can include information such as trusted, phishing or advertising fraud, or other malicious URL types, so that the user can respond according to the type. The present invention obtains in real time the refer chain made up of the URLs of the pages at every level and uses all the URLs contained in the refer chain to process the page access. Compared with the prior art, which checks only the URL of the new page, the refer chain supplies more URLs and wider coverage, so detection is more efficient and the security of web browsing on the client can be protected more quickly and effectively in real time.
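The chain construction of steps S102 to S104 and the URL check described above can be followed in a small model. This is an added example, not code from the patent: `ReferChainStore`, `may_carry_password`, `check_chain`, the list of sensitive query keys, the treatment of an unknown previous page as a new chain, and all URLs are assumptions, and the browser hooks (BHO events, OnRedirect capture) are replaced by direct method calls.

```python
import itertools
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Query keys treated as possibly carrying a password (assumed list, not from the patent).
SENSITIVE_KEYS = {"password", "passwd", "pwd"}


@dataclass
class Node:
    page_id: int
    url: str


@dataclass
class ReferChain:
    nodes: list = field(default_factory=list)
    updated: int = 0  # logical time of the last update

    def render(self):
        return "->".join(f"{n.url}(ID{n.page_id})" for n in self.nodes)


class ReferChainStore:
    """Hypothetical stand-in for the process that maintains the refer chains."""

    def __init__(self):
        self.chains = []
        self._ids = itertools.count(1)    # page ID generator
        self._clock = itertools.count(1)  # orders chain updates

    def _find(self, match):
        # Several chains can contain the same URL: take the most recently updated.
        hits = [c for c in self.chains if any(match(n) for n in c.nodes)]
        return max(hits, key=lambda c: c.updated) if hits else None

    def _append(self, chain, page_id, url):
        chain.nodes.append(Node(page_id, url))
        chain.updated = next(self._clock)
        return page_id

    def chain_of(self, page_id):
        return self._find(lambda n: n.page_id == page_id)

    def start(self, url):
        """Initial page: new page ID and a new chain holding the level-1 node."""
        self.chains.append(ReferChain())
        return self._append(self.chains[-1], next(self._ids), url)

    def navigate(self, url, prev_id=None, prev_url=None):
        """S102/S103: add the level-i node to the chain of the level-(i-1) page."""
        if prev_id is not None:  # method 1: previous page ID is known
            chain = self.chain_of(prev_id)
        else:                    # method 2: only the previous URL is known
            chain = self._find(lambda n: n.url == prev_url)
        if chain is None:        # assumption: an unknown origin starts a new chain
            return self.start(url)
        return self._append(chain, next(self._ids), url)

    def redirect(self, page_id, url):
        """S104: a 3xx hop becomes a child node that shares the level-i page ID."""
        chain = self.chain_of(page_id)
        if chain is None:
            raise KeyError(f"no refer chain contains page ID {page_id}")
        self._append(chain, page_id, url)


def may_carry_password(url):
    """True for a userinfo password or a sensitive query key."""
    parts = urlsplit(url)
    if parts.password is not None:
        return True
    keys = (k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return any(k in SENSITIVE_KEYS for k in keys)


def check_chain(chain, blacklist):
    """Return (URLs fit to upload, blacklisted URLs found anywhere in the chain)."""
    uploadable = [n.url for n in chain.nodes if not may_carry_password(n.url)]
    hits = [u for u in uploadable if urlsplit(u).hostname in blacklist]
    return uploadable, hits


def demo():
    """Constructed browsing session; all URLs and the blacklist are made up."""
    store = ReferChainStore()
    store.start("http://b.example/")  # older chain that also contains B
    a = store.start("http://a.example/")
    store.navigate("http://b.example/", prev_id=a)
    c = store.navigate("http://c.example/go", prev_url="http://b.example/")
    store.redirect(c, "http://c1.redirector.test/hop")
    store.redirect(c, "http://c2.example/login?user=u&password=constructed")
    d = store.navigate("http://d.example/", prev_id=c)
    chain = store.chain_of(d)
    return store, chain, check_chain(chain, {"c1.redirector.test"})
```

In the constructed session the final page `http://d.example/` is not on the blacklist, so a check of the last URL alone would pass; the hit comes from the redirect child node C1, and the password-bearing C2 URL is withheld from upload.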

Fig. 2 shows a structural block diagram of an apparatus for creating a refer chain according to an embodiment of the present invention. As shown in Fig. 2, the apparatus includes a first node creation unit 21 and a second node creation unit 22.

The first node creation unit 21 is adapted to, after an access request for the initial page is monitored, generate the page ID of the initial page, obtain the URL of the initial page, create the level-1 node of the refer chain, and write the page ID and URL of the initial page into the refer chain as the information of the level-1 node. Further, the first node creation unit 21 includes an initial-page page ID generation unit 211, an initial-page URL acquisition unit 212 and a first node creation subunit 213. The initial-page page ID generation unit 211 is adapted to generate the page ID of the initial page after an access request for the initial page is monitored. The initial-page URL acquisition unit 212 is adapted to obtain the URL of the currently loaded initial page through a designated response event interface while the initial page is loading, for example by implementing the designated response event interface of a standard plug-in mechanism. In the IE browser, the Browser Helper Object (BHO) plug-in mechanism is used, and the URL currently being loaded by IE can be obtained by responding to the "BeforeNavigate2" event. In the Firefox browser, the designated response event interface provided by the Firefox extension mechanism is used to obtain the URL currently being loaded by Firefox. In the Google Chrome browser, the NPAPI plug-in mechanism is used to obtain the URL currently being loaded by Chrome. The first node creation subunit 213 is adapted to create the level-1 node of the refer chain and write the page ID and URL of the initial page into the refer chain as the information of the level-1 node.

The second node creation unit 22 is adapted to, for i≥2, after an access request for the i-th level page is monitored, generate the page ID of the i-th level page and obtain the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page; and to query the refer chain containing the page ID or URL of the (i-1)-th level page, create the i-th level node of that refer chain, and store the page ID and URL of the i-th level page as the information of the i-th level node. The second node creation unit 22 is thus adapted to create the nodes of the refer chain at every level. Further, the second node creation unit 22 includes an i-th level page ID generation unit 221, an i-th level page URL acquisition unit 222, an (i-1)-th level page ID or URL acquisition unit 223 and a second node creation subunit 224. The i-th level page ID generation unit 221 is adapted to generate the page ID of the i-th level page after an access request for the i-th level page is monitored. The i-th level page URL acquisition unit 222 is adapted to obtain the URL of the currently loaded i-th level page through a designated response event interface while the i-th level page is loading; for the specific way of obtaining this URL, see the description of obtaining the URL of the initial page. The (i-1)-th level page ID or URL acquisition unit 223 is adapted to obtain the page ID or URL of the (i-1)-th level page after an access request for the i-th level page is monitored. The second node creation subunit 224 is adapted to query the refer chain containing the page ID or URL of the (i-1)-th level page, create the i-th level node of that refer chain, and store the page ID and URL of the i-th level page as the information of the i-th level node.

Optionally, the second node creation unit 22 of the client further includes a capture unit 225 and a writing unit 226. The capture unit 225 is adapted to obtain the interface object pointer of the i-th level page after an access request for the i-th level page is monitored. The writing unit 226 is adapted to use the interface object pointer to write, into the interface object of the i-th level page, the page ID of the (i-1)-th level page that was obtained while the (i-1)-th level page was loading. This implementation applies to the case where the i-th level page is opened in a new window or a new tab. Taking the IE browser as an example, the capture unit 225 is further adapted to, after an access request for the i-th level page is monitored, capture the function the browser calls to create the new window or new tab and use the return value of that function to obtain the interface object pointer of the i-th level page, such as an IWEBBROWSER2 pointer. Because the browser has not yet started loading the i-th level page at this point, the page ID it records for the current page is still the page ID of the (i-1)-th level page obtained while that page was loading; the writing unit 226 can therefore use the interface object pointer to write the page ID of the (i-1)-th level page into the IWEBBROWSER2 object. The (i-1)-th level page ID or URL acquisition unit 223 is specifically adapted to obtain the page ID of the (i-1)-th level page, while the i-th level page is loading, by reading the information provided by the interface object of the i-th level page. Optionally, the writing unit 226 is adapted to use the interface object pointer to write, into the interface object of the i-th level page, the URL of the (i-1)-th level page that was obtained while the (i-1)-th level page was loading.

Optionally, the (i-1)-th level page ID or URL acquisition unit 223 is further adapted to obtain the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser, after an access request for the i-th level page is monitored and before the i-th level page is loaded. The second node creation unit 22 further includes a judging unit 227 and a clearing unit 228. The judging unit 227 is adapted to judge whether the opening of the i-th level page was triggered by input in the browser's address bar; specifically, this can be judged from click and input actions on the address bar. The clearing unit 228 is adapted to, when the judging unit 227 judges yes, clear the URL of the (i-1)-th level page obtained by the (i-1)-th level page ID or URL acquisition unit 223 and trigger the first node creation unit 21 to process the i-th level page as an initial page. When the judging unit 227 judges no, it triggers the second node creation subunit 224 to create the i-th level node of the refer chain.

If the (i-1)-th level page ID or URL acquisition unit 223 obtains the page ID of the (i-1)-th level page, the second node creation subunit 224 directly queries the refer chain containing that page ID, creates the i-th level node of that refer chain, and stores the page ID and URL of the i-th level page as the information of the i-th level node. If the (i-1)-th level page ID or URL acquisition unit 223 obtains the URL of the (i-1)-th level page, the second node creation subunit 224 queries the refer chain containing that URL, selects the most recently updated refer chain if several are found, creates the i-th level node of that refer chain, and stores the page ID and URL of the i-th level page as the information of the i-th level node.

To handle pages that jump automatically several times while the refer chain is being created, the apparatus further includes a second child node creation unit 23, adapted to capture the function called during redirection processing and obtain the URL of at least one inter-page jump page of the i-th level page from the input parameters of that function; and to query the refer chain containing the page ID of the i-th level page, create at least one i-th level child node of that refer chain, and store the page ID of the i-th level page together with the URL of the at least one inter-page jump page as the information of the at least one i-th level child node. Specifically, when a jump such as a 3xx occurs, the browser performs redirection processing, during which it calls the "Urlmon!CINet::OnRedirect" function. The input parameters of this function record the URL of the inter-page jump page, so by capturing this function the second child node creation unit 23 can obtain the URL of at least one inter-page jump page of the i-th level page. The URL obtained in this way is stored as the information of the i-th level child node, and the index ID of the inter-page jump page is the same as the page ID of the i-th level page.

With the apparatus for creating a refer chain provided by the embodiment of the present invention, the refer chain made up of the URLs of the pages at every level can be obtained in real time while the pages are being accessed, so the client can use the refer chain to check whether the access to the current page is safe.

The present invention also provides a security detection device that includes the refer chain creation apparatus described above and can use the URLs contained in the refer chain to process page accesses. Optionally, the security detection device is a client that interacts with a server. Fig. 3 shows a structural block diagram of the interaction between a client acting as the security detection device and a server, according to an embodiment of the present invention. As shown in Fig. 3, the client 31 includes a refer chain creation apparatus 311 and a processing module 312. The structure of the refer chain creation apparatus 311 is the same as in the embodiment above, and the processing module 312 is adapted to use all the URLs contained in the refer chain to process the page access. The server 32 can be a cloud security server built from a cluster of web-wide spider cloud security servers; it stores a malicious URL library, a phishing URL library, an advertising fraud library and so on, from which changed web pages and newly added web pages can be discovered. After extracting all the URLs contained in the refer chain, the processing module 312 encrypts them into URL ciphertext and sends the ciphertext to the server 32. Before the URL ciphertext is uploaded to the server 32, URL strings that may carry a user password must first be filtered out; the ciphertext of such URLs is not uploaded. The server 32 compares the URLs with the black/white list database it stores, obtains a detection result, and returns the result to the client. The returned result can include information such as trusted, phishing or advertising fraud, or other malicious URL types, so that the user can respond according to the type. The present invention obtains in real time the refer chain made up of the URLs of the pages at every level and uses all the URLs contained in the refer chain to process the page access. Compared with the prior art, which checks only the URL of the new page, the refer chain supplies more URLs and wider coverage, so detection is more efficient and the security of web browsing on the client can be protected more quickly and effectively in real time.

According to an embodiment of the present invention, the second node creation unit further includes: a capture unit, adapted to obtain the interface object pointer of the i-th level page after an access request for the i-th level page is monitored; and a writing unit, adapted to use the interface object pointer to write, into the interface object of the i-th level page, the page ID of the (i-1)-th level page obtained while the (i-1)-th level page was loading;

the (i-1)-th level page ID or URL acquisition unit is specifically adapted to obtain the page ID of the (i-1)-th level page, while the i-th level page is loading, by reading the information provided by the interface object of the i-th level page.

In the apparatus according to the embodiment of the present invention, the capture unit is further adapted to, after an access request for the i-th level page is monitored, capture the function the browser calls to create a new window or new tab and use the return value of that function to obtain the interface object pointer of the i-th level page.

In the apparatus according to the embodiment of the present invention, the (i-1)-th level page ID or URL acquisition unit is further adapted to obtain the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser, after an access request for the i-th level page is monitored and before the i-th level page is loaded.

In the apparatus according to the embodiment of the present invention, the second node creation unit further includes:

a judging unit, adapted to judge whether the opening of the i-th level page was triggered by input in the browser's address bar;

a clearing unit, adapted to, when the judging unit judges yes, clear the URL of the (i-1)-th level page obtained by the (i-1)-th level page ID or URL acquisition unit and trigger the first node creation unit to process the i-th level page as an initial page;

when the judging unit judges no, the judging unit triggers the second node creation subunit to create the i-th level node of the refer chain.

In the apparatus according to the embodiment of the present invention, the refer chain creation module further includes a second child node creation unit, adapted to capture the function called during redirection processing and obtain the URL of at least one inter-page jump page of the i-th level page from the input parameters of that function; and to query the refer chain containing the page ID of the i-th level page, create at least one i-th level child node of that refer chain, and store the page ID of the i-th level page together with the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.

An embodiment of the present invention also provides a security detection device that includes the refer chain creation apparatus described above and further includes a processing module, adapted to use all the URLs contained in the refer chain to process page accesses.

The algorithms and displays presented here are not inherently tied to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to build such systems is apparent. Moreover, the present invention is not directed at any particular programming language. It should be understood that the content of the invention described here can be implemented in a variety of programming languages, and that the descriptions of specific languages above are given to disclose the best mode of the invention.

The description provided here sets out numerous specific details. It is understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all the features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules of the device in an embodiment can be adaptively changed and placed in one or more devices different from that embodiment. The modules, units or components of the embodiments can be combined into a single module, unit or component, and can also be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all the features disclosed in this specification (including the accompanying claims, abstract and drawings) and all the processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described here include certain features that are included in other embodiments and not others, combinations of features from different embodiments are meant to fall within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.

The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the refer chain creation apparatus and the security detection device according to the embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described here. Such a program implementing the invention can be stored on a computer-readable medium or can take the form of one or more signals. Such signals can be downloaded from an Internet site, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words can be interpreted as names.

Claims (16)

1. A method for creating a refer chain, comprising:
after monitoring an access request for an initial page, generating a page ID of the initial page, obtaining the URL of the initial page, creating a level-1 node of the refer chain, and writing the page ID and URL of the initial page into the refer chain as the information of the level-1 node;
after monitoring an access request for an i-th level page, i≥2, generating a page ID of the i-th level page, and obtaining the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page, linked from the (i-1)-th level page to the i-th level page by clicking a link on the (i-1)-th level page or by another link method triggered by user behavior; and querying the refer chain that contains the page ID or URL of the (i-1)-th level page, creating the i-th level node of that refer chain, and using the page ID and URL of the i-th level page as the information of the i-th level node; the nodes at each level of the refer chain being created through this step.

2. The method according to claim 1, wherein obtaining the URL of the initial page after monitoring the access request for the initial page is specifically: in the process of loading the initial page, obtaining the URL of the currently loaded initial page through a designated response event interface;
and obtaining the URL of the i-th level page after monitoring the access request for the i-th level page is specifically: in the process of loading the i-th level page, obtaining the URL of the currently loaded i-th level page through the designated response event interface.

3. The method according to claim 2, wherein obtaining the page ID of the (i-1)-th level page further comprises:
after monitoring the access request for the i-th level page, obtaining an interface object pointer of the i-th level page, and, according to the interface object pointer, writing into the interface object of the i-th level page the page ID of the (i-1)-th level page that was obtained in the process of loading the (i-1)-th level page;
in the process of loading the i-th level page, obtaining the page ID of the (i-1)-th level page by reading the information provided by the interface object of the i-th level page.

4. The method according to claim 3, wherein the step of obtaining the interface object pointer of the i-th level page comprises: capturing the function called by the browser to create a new window or a new tab, and using the return value of that function to obtain the interface object pointer of the i-th level page.

5. The method according to claim 2, wherein obtaining the URL of the (i-1)-th level page further comprises:
after monitoring the access request for the i-th level page and before loading the i-th level page, obtaining the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser.

6. The method according to claim 5, further comprising, after the step of obtaining the page ID and URL of the (i-1)-th level page through the get_locationURL interface provided by the browser:
judging whether the opening of the i-th level page was triggered by input in the browser address bar;
if the judgment result is yes, clearing the URL of the (i-1)-th level page obtained through the get_locationURL interface provided by the browser, and processing the i-th level page as an initial page;
if the judgment result is no, executing the step of creating the i-th level node of the refer chain.

7. The method according to claim 1, further comprising, after the i-th level node creation step, a step of creating at least one i-th level child node, the at least one i-th level child node corresponding to at least one inter-page jump page of the i-th level page: capturing the function called during redirection processing, and obtaining the URL of the at least one inter-page jump page of the i-th level page from the input parameters of that function; and querying the refer chain that contains the page ID of the i-th level page, creating at least one i-th level child node of that refer chain, and using the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.

8. The method according to any one of claims 1-7, further comprising, after creating the nodes at each level of the refer chain: using all the URLs contained in the refer chain to process the access behavior of the page.

9. An apparatus for creating a refer chain, comprising:
a first node creation unit, adapted to, after monitoring an access request for an initial page, generate a page ID of the initial page, obtain the URL of the initial page, create a level-1 node of the refer chain, and write the page ID and URL of the initial page into the refer chain as the information of the level-1 node;
a second node creation unit, adapted to, after monitoring an access request for an i-th level page, i≥2, generate a page ID of the i-th level page, and obtain the URL of the i-th level page and the page ID or URL of the (i-1)-th level page, the i-th level page being a page-level jump page of the (i-1)-th level page, linked from the (i-1)-th level page to the i-th level page by clicking a link on the (i-1)-th level page or by another link method triggered by user behavior; and to query the refer chain that contains the page ID or URL of the (i-1)-th level page, create the i-th level node of that refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node;
the second node creation unit being adapted to create the nodes at each level of the refer chain.

10. The apparatus according to claim 9, wherein
the first node creation unit comprises:
a page ID generating unit for the initial page, adapted to generate the page ID of the initial page after monitoring the access request for the initial page;
a URL acquisition unit for the initial page, adapted to obtain, in the process of loading the initial page, the URL of the currently loaded initial page through a designated response event interface;
a first node creation subunit, adapted to create the level-1 node of the refer chain and write the page ID and URL of the initial page into the refer chain as the information of the level-1 node;
and the second node creation unit comprises:
a page ID generating unit for the i-th level page, adapted to generate the page ID of the i-th level page after monitoring the access request for the i-th level page;
a URL acquisition unit for the i-th level page, adapted to obtain, in the process of loading the i-th level page, the URL of the currently loaded i-th level page through the designated response event interface;
a page ID or URL acquisition unit for the (i-1)-th level page, adapted to obtain the page ID or URL of the (i-1)-th level page after monitoring the access request for the i-th level page;
a second node creation subunit, adapted to query the refer chain that contains the page ID or URL of the (i-1)-th level page, create the i-th level node of that refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node.

11. The apparatus according to claim 10, wherein the second node creation unit further comprises: a capturing unit, adapted to obtain an interface object pointer of the i-th level page after monitoring the access request for the i-th level page; and a writing unit, adapted to write, according to the interface object pointer, into the interface object of the i-th level page the page ID of the (i-1)-th level page that was obtained in the process of loading the (i-1)-th level page;
the page ID or URL acquisition unit for the (i-1)-th level page being specifically adapted to: in the process of loading the i-th level page, obtain the page ID of the (i-1)-th level page by reading the information provided by the interface object of the i-th level page.

12. The apparatus according to claim 11, wherein the capturing unit is further adapted to: after monitoring the access request for the i-th level page, capture the function called by the browser to create a new window or a new tab, and use the return value of that function to obtain the interface object pointer of the i-th level page.

13. The apparatus according to claim 10, wherein the page ID or URL acquisition unit for the (i-1)-th level page is further adapted to: after monitoring the access request for the i-th level page and before loading the i-th level page, obtain the URL of the (i-1)-th level page through the get_locationURL interface provided by the browser.

14. The apparatus according to claim 13, wherein the second node creation unit further comprises:
a judging unit, adapted to judge whether the opening of the i-th level page was triggered by input in the browser address bar;
a clearing unit, adapted to, when the judgment result of the judging unit is yes, clear the URL of the (i-1)-th level page obtained by the page ID or URL acquisition unit for the (i-1)-th level page, and trigger the first node creation unit to process the i-th level page as an initial page;
when the judgment result of the judging unit is no, the judging unit triggers the second node creation subunit to create the i-th level node of the refer chain.

15. The apparatus according to claim 9, wherein the refer chain creation module further comprises: a second child node creation unit, adapted to capture the function called during redirection processing, and obtain the URL of at least one inter-page jump page of the i-th level page from the input parameters of that function; and to query the refer chain that contains the page ID of the i-th level page, create at least one i-th level child node of that refer chain, and use the page ID of the i-th level page and the URL of the at least one inter-page jump page of the i-th level page as the information of the at least one i-th level child node.

16. A security detection device, comprising the apparatus for creating a refer chain according to any one of claims 9-15, and further comprising: a processing module, adapted to use all the URLs contained in the refer chain to process the access behavior of the page.
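The node-creation rules of claims 1, 6, 7 and 8 can be followed end to end in a small model. The Python below is an added example, not code from the patent or from its assignee: the names `ReferChainStore`, `on_navigate`, `on_redirect`, `urls_for` and `flagged_urls` are hypothetical, and so are the host blocklist used as the "processing" of claim 8 and the rule that forks a chain when the parent page is not the chain's last node. All URLs are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import count
from urllib.parse import urlsplit


@dataclass
class Node:
    page_id: int
    url: str
    level: int
    redirects: list = field(default_factory=list)  # level-i child nodes (claim 7)


class ReferChainStore:
    def __init__(self):
        self._next_id = count(1)
        self.chains = []  # each chain is a list of Node, level 1 first

    def _locate(self, page_id=None, url=None):
        """Return (chain, index) of the newest node matching a page ID or URL."""
        for chain in reversed(self.chains):
            for idx in range(len(chain) - 1, -1, -1):
                node = chain[idx]
                if (page_id is not None and node.page_id == page_id) or (
                    url is not None and node.url == url
                ):
                    return chain, idx
        return None, -1

    def on_navigate(self, url, parent_id=None, parent_url=None, from_address_bar=False):
        """Record a page-level navigation and return the generated page ID."""
        page_id = next(self._next_id)
        if from_address_bar:
            # Claim 6: typed navigation discards the previous page's URL, so
            # the new page is handled as an initial page.
            parent_id = parent_url = None
        chain, idx = self._locate(parent_id, parent_url)
        if chain is None:
            self.chains.append([Node(page_id, url, 1)])  # level-1 node (claim 1)
            return page_id
        if idx != len(chain) - 1:
            # Assumption, not stated in the claims: a second link followed from
            # an earlier page forks a new chain that shares the prefix.
            chain = chain[: idx + 1]
            self.chains.append(chain)
        chain.append(Node(page_id, url, chain[-1].level + 1))  # level-i node
        return page_id

    def on_redirect(self, page_id, redirect_url):
        """Claim 7: attach an inter-page jump URL to the level-i node."""
        chain, idx = self._locate(page_id=page_id)
        if chain is None:
            raise KeyError(page_id)
        chain[idx].redirects.append(redirect_url)

    def urls_for(self, page_id):
        """All URLs on the chain up to and including the given page."""
        chain, idx = self._locate(page_id=page_id)
        urls = []
        for node in (chain or [])[: idx + 1]:
            urls.append(node.url)
            urls.extend(node.redirects)
        return urls


def flagged_urls(store, page_id, blocked_hosts):
    """Claim 8 stand-in: check every URL on the chain, not only the current one."""
    return [u for u in store.urls_for(page_id) if urlsplit(u).hostname in blocked_hosts]
```

Checking the whole chain rather than only the current page is what lets a detector catch a clean-looking destination that was reached through a listed intermediate redirect.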
CN201310279974.3A 2013-07-04 2013-07-04 The creation method of refer chain, device and security detection equipment Active CN103336693B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310279974.3A CN103336693B (en) 2013-07-04 2013-07-04 The creation method of refer chain, device and security detection equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310279974.3A CN103336693B (en) 2013-07-04 2013-07-04 The creation method of refer chain, device and security detection equipment

Publications (2)

Publication Number Publication Date
CN103336693A CN103336693A (en) 2013-10-02
CN103336693B true CN103336693B (en) 2016-06-22

Family

ID=49244870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310279974.3A Active CN103336693B (en) 2013-07-04 2013-07-04 The creation method of refer chain, device and security detection equipment

Country Status (1)

Country Link
CN (1) CN103336693B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103581321B (en) * 2013-11-06 2017-05-31 北京奇虎科技有限公司 A kind of creation method of refer chains, device and safety detection method and client
CN104679747B (en) * 2013-11-26 2020-03-17 腾讯科技(深圳)有限公司 Detection device and method for website redirection
CN105243134B (en) * 2015-09-30 2019-07-16 北京奇虎科技有限公司 A method and device for processing a hijacked browser
CN108062398A (en) * 2017-12-21 2018-05-22 武汉极意网络科技有限公司 A kind of method, equipment and the storage device of webpage tracking user's access link
CN111327594A (en) * 2020-01-20 2020-06-23 Oppo广东移动通信有限公司 Web page processing method, device, electronic device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101079062A (en) * 2007-06-22 2007-11-28 腾讯科技(深圳)有限公司 Web page importance evaluation method and system
CN102402620A (en) * 2011-12-26 2012-04-04 余姚市供电局 Malicious webpage defense method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1868103A1 (en) * 2005-03-28 2007-12-19 Duaxes Corporation Communication control device and communication control system

Also Published As

Publication number Publication date
CN103336693A (en) 2013-10-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220713

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.