Method and system for detecting malicious web addresses
Abstract
The present application provides a method and system for detecting malicious web addresses. The method includes: receiving a uniform resource locator (URL) reported by a user; acquiring a HyperText Transfer Protocol (HTTP) request chain associated with the URL, wherein the HTTP request chain is a sequential linked list including information about multiple HTTP request-response interactions during an access to the URL; and analyzing the HTTP request chain to determine whether the URL is a malicious web address. The technical solution of the present application can provide an accurate result of malicious web address detection, can detect various newly emerging malicious web addresses, and is user-friendly. The user only needs to upload the URL and does not need to provide any other information.
18 Claims
1. A method for detecting a malicious web address, comprising:
- receiving a uniform resource locator (URL) reported by a terminal device of a user;
- acquiring a HyperText Transfer Protocol (HTTP) request chain associated with the URL, the HTTP request chain being a sequential linked list comprising information about multiple HTTP request-response interactions during an access to the URL; and
- analyzing the HTTP request chain to determine whether the URL is a malicious web address,
wherein the acquiring an HTTP request chain comprises acquiring the HTTP request chain by using an active crawler server nearest to the user in a plurality of active crawler servers distributed in different geographical locations and configured to acquire the HTTP request chain associated with the URL,
wherein a geographical location of the used active crawler server nearest to the user is a nearest geographical location to a geographical location of the terminal device of the user among the geographical locations of the plurality of active crawler servers,
wherein the acquiring the HTTP request chain further comprises:
- determining a geographical location and network environment information of the user;
wherein the determining the geographical location and network environment information of the user comprises:
- determining the geographical location and network operator information of the user based on an Internet Protocol (IP) address of the URL reported by the user; and
- determining the network environment information of the user based on the network operator information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for detecting a malicious web address, comprising a crawler subsystem and a detection subsystem,
- the crawler subsystem comprising a crawler scheduling server and a plurality of active crawler servers distributed in different geographical locations, the crawler scheduling server being configured to receive a uniform resource locator (URL) reported by a terminal device of a user, and schedule the one or more active crawler servers; and the active crawler servers being configured to acquire, as scheduled by the crawler scheduling server, a HyperText Transfer Protocol (HTTP) request chain associated with the URL, the HTTP request chain being a sequential linked list comprising information about multiple HTTP request-response interactions during an access to the URL; and
- the detection subsystem comprises an analysis unit configured to analyze the HTTP request chain to determine whether the URL is a malicious web address,
wherein the crawler scheduling server is configured to schedule the reported URL to the active crawler server nearest to the user in the plurality of active crawler servers,
wherein a geographical location of the active crawler server nearest to the user is a nearest geographical location to a geographical location of the terminal device of the user among the geographical locations of the plurality of active crawler servers,
wherein the acquiring the HTTP request chain further comprises:
- determining a geographical location and network environment information of the user;
wherein the determining the geographical location and network environment information of the user comprises:
- determining the geographical location and network operator information of the user based on an Internet Protocol (IP) address of the URL reported by the user; and
- determining the network environment information of the user based on the network operator information.
Dependent claims: 11, 12, 13, 14, 15, 16.
17. A device, comprising:
- one or more processors;
- a memory; and
- one or more programs stored in the memory, the one or more programs being used by the one or more processors to:
- receive a uniform resource locator (URL) reported by a terminal device of a user;
- acquire a HyperText Transfer Protocol (HTTP) request chain associated with the URL, wherein the HTTP request chain is a sequential linked list comprising information about multiple HTTP request-response interactions during an access to the URL; and
- analyze the HTTP request chain to determine whether the URL is a malicious web address,
wherein the acquiring an HTTP request chain comprises acquiring the HTTP request chain by using an active crawler server nearest to the user in a plurality of active crawler servers distributed in different geographical locations and configured to acquire the HTTP request chain associated with the URL,
wherein a geographical location of the used active crawler server nearest to the user is a nearest geographical location to a geographical location of the terminal device of the user among the geographical locations of the plurality of active crawler servers,
wherein the acquiring the HTTP request chain further comprises:
- determining a geographical location and network environment information of the user;
wherein the determining the geographical location and network environment information of the user comprises:
- determining the geographical location and network operator information of the user based on an Internet Protocol (IP) address of the URL reported by the user; and
- determining the network environment information of the user based on the network operator information.
18. A non-volatile computer readable storage medium, storing one or more programs, the one or more programs, when executed by a device, causing the device to:
- receive a uniform resource locator (URL) reported by a terminal device of a user;
- acquire a HyperText Transfer Protocol (HTTP) request chain associated with the URL, the HTTP request chain being a sequential linked list comprising information about multiple HTTP request-response interactions during an access to the URL; and
- analyze the HTTP request chain to determine whether the URL is a malicious web address,
wherein the acquiring an HTTP request chain comprises acquiring the HTTP request chain by using an active crawler server nearest to the user in a plurality of active crawler servers distributed in different geographical locations and configured to acquire the HTTP request chain associated with the URL,
wherein a geographical location of the used active crawler server nearest to the user is a nearest geographical location to a geographical location of the terminal device of the user among the geographical locations of the plurality of active crawler servers,
wherein the acquiring the HTTP request chain further comprises:
- determining a geographical location and network environment information of the user;
wherein the determining the geographical location and network environment information of the user comprises:
- determining the geographical location and network operator information of the user based on an Internet Protocol (IP) address of the URL reported by the user; and
- determining the network environment information of the user based on the network operator information.
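The following sketch is an added illustration of the flow recited in the independent claims above; it is not code from the patent. It selects the crawler nearest to the user, stores the recorded request-response interactions as a sequential linked list, and walks that list. The crawler names, coordinates, sample hosts and the blocklist check are assumptions, since the claims do not say how the chain is analyzed.

```python
import math
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Hop:
    """One HTTP request-response interaction; `next` links hops in order."""
    url: str
    status: int
    location: Optional[str] = None   # redirect target taken from the response
    next: Optional["Hop"] = None

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def nearest_crawler(user_pos, crawlers):
    """Pick the crawler whose location is closest to the reporting user."""
    return min(crawlers, key=lambda name: haversine_km(user_pos, crawlers[name]))

def build_chain(interactions):
    """Link recorded (url, status, location) tuples into a sequential list."""
    head = None
    for url, status, location in reversed(interactions):
        head = Hop(url, status, location, head)
    return head

def analyze(head, bad_hosts):
    """Walk the chain; report the first hop whose host is on the blocklist."""
    hop, depth = head, 0
    while hop is not None:
        host = urlsplit(hop.url).hostname
        if host in bad_hosts:
            return {"malicious": True, "depth": depth, "host": host}
        hop, depth = hop.next, depth + 1
    return {"malicious": False, "depth": depth, "host": None}

# Constructed sample data (hypothetical crawler sites and hosts).
CRAWLERS = {"beijing": (39.90, 116.40), "guangzhou": (23.13, 113.26),
            "frankfurt": (50.11, 8.68)}
CHAIN = build_chain([
    ("http://short.example/a1", 302, "http://ads.example/r?id=7"),
    ("http://ads.example/r?id=7", 302, "http://landing.invalid/login"),
    ("http://landing.invalid/login", 200, None),
])
```

In the sample chain the reported URL's own host is not on the blocklist; the match appears only at the third interaction, which is why the whole chain is inspected rather than the reported URL alone.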
Specification