Method and device for preventing phishing attack and computer readable storage medium

Document No.: 1616994 Publication date: 2020-01-10

Reading note: This technology, "Method and device for preventing phishing attack and computer readable storage medium", was designed by 王海燚, 佟欣哲, 刘紫千, 沈军, 金华敏 and 樊宁 on 2018-07-02. Main content: The disclosure provides a method and a device for preventing phishing attacks and a computer-readable storage medium, and relates to the technical field of information security. The method for preventing phishing attacks comprises the following steps: monitoring messages that access a phishing website in real time; copying and parsing the message, and extracting the user input information in the message; and sending the user input information to the corresponding user information management mechanism so that the corresponding user information management mechanism informs the user that the user input information is leaked. The disclosure can detect the sensitive information leaked when a user accesses a phishing website and instruct the corresponding user information management mechanism to notify the user and take corresponding security measures, thereby effectively preventing the phishing website from attacking the user and improving the user's network information security and property security.

1. A method of preventing phishing attacks, comprising:

monitoring messages of visiting the phishing website in real time;

copying and analyzing the message, and extracting user input information in the message;

and sending the user input information to a corresponding user information management mechanism so that the corresponding user information management mechanism informs the user that the user input information is leaked.

2. The method of claim 1, wherein the method further comprises:

and determining the corresponding user information management mechanism by utilizing the characteristics of the user input information and the information characteristics of the user information management mechanism.

3. The method of claim 2, wherein said determining a corresponding user information authority using characteristics of the user input information and information characteristics of the user information authority comprises:

and matching the characteristics of the user input information with the information characteristics of each user information management mechanism to obtain the user information management mechanism corresponding to the user input information.

4. The method of claim 2, wherein,

the user input information comprises an account number, a password, a name, a certificate number, a bank card number and a mobile phone number which are input by a user;

the characteristics of the user input information comprise an account number coding rule, a password coding rule, a name coding rule, a certificate number coding rule, a bank card number coding rule and a mobile phone number coding rule which are input by the user;

the information characteristics of the user information management mechanism comprise an account number encoding rule, a password encoding rule, a name encoding rule, a certificate number encoding rule, a bank card number encoding rule and a mobile phone number encoding rule of the user information management mechanism.

5. The method of claim 1, wherein messages that access a particular phishing website are monitored in real time, the particular phishing website being a phishing website of a particular counterfeited website.

6. The method of claim 1, wherein,

the method further comprises the following steps: collecting phishing websites to form a phishing website list;

the real-time monitoring of the message for accessing the phishing website comprises the following steps: and monitoring the messages of the phishing websites on the list of the phishing websites in real time.

7. The method of claim 6, wherein,

the method further comprises the following steps: classifying the phishing websites on the phishing website list;

the real-time monitoring of the message for accessing the phishing website comprises the following steps: and monitoring the messages of the phishing websites of the specified category on the list of the phishing websites in real time.

8. The method of claim 7, wherein the classifying the phishing websites on the list of phishing websites comprises:

classifying the phishing websites on the phishing website list according to the organization type and the protocol type of the counterfeited websites.

9. The method of claim 6, wherein,

the method further comprises the following steps: updating the phishing website list according to a preset rule;

the updating the phishing website list according to the preset rule comprises the following steps: and adding the newly collected phishing websites into the phishing website list, and deleting the expired phishing websites from the phishing website list.

10. The method of claim 1, wherein said sending said user input information to a respective user information authority comprises:

sending the user input information to a corresponding user information management mechanism by utilizing a preset communication interface; or

sending the user input information to a corresponding user information management mechanism in an encryption mode; or

and sending the user input information to a corresponding user information management mechanism in a data desensitization mode of keeping the unique characteristics.

11. An apparatus for preventing phishing attacks, comprising:

the deep message detection module is configured to monitor messages for accessing the phishing website in real time, copy the messages and send the messages to the directional flow analysis module;

and the directional flow analysis module is configured to analyze the message, extract the user input information in the message and send the user input information to the corresponding user information management mechanism, so that the corresponding user information management mechanism informs the user that the user input information is leaked.

12. The apparatus of claim 11, wherein the apparatus further comprises:

and the management mechanism determining module is configured to determine the corresponding user information management mechanism by using the characteristics of the user input information and the information characteristics of the user information management mechanism.

13. The apparatus of claim 12, wherein the authority determination module is configured to:

and matching the characteristics of the user input information with the information characteristics of each user information management mechanism to obtain the user information management mechanism corresponding to the user input information.

14. The apparatus of claim 12, wherein,

the user input information comprises an account number, a password, a name, a certificate number, a bank card number and a mobile phone number which are input by a user;

the characteristics of the user input information comprise an account number coding rule, a password coding rule, a name coding rule, a certificate number coding rule, a bank card number coding rule and a mobile phone number coding rule which are input by the user;

the information characteristics of the user information management mechanism comprise an account number encoding rule, a password encoding rule, a name encoding rule, a certificate number encoding rule, a bank card number encoding rule and a mobile phone number encoding rule of the user information management mechanism.

15. The apparatus of claim 11, wherein the deep packet inspection module is configured to:

and monitoring the messages accessing a specific phishing website in real time, wherein the specific phishing website is a phishing website of a specific counterfeited website.

16. The apparatus of claim 11, wherein,

the device also comprises a phishing website collection module which is configured to collect phishing websites to form a phishing website list;

the deep packet inspection module is configured to: and monitoring the messages of the phishing websites on the list of the phishing websites in real time.

17. The apparatus of claim 16, wherein,

the device also comprises a phishing website classification module which is configured to classify the phishing websites on the phishing website list;

the deep packet inspection module is configured to: and monitoring the messages of the phishing websites of the specified category on the list of the phishing websites in real time.

18. The apparatus of claim 17, wherein the phishing website collection module is configured to: classify the phishing websites on the phishing website list according to the organization type and the protocol type of the counterfeited websites.

19. The apparatus of claim 16, wherein,

the device also comprises a phishing website list updating module which is configured to update the phishing website list according to a preset rule, add the newly collected phishing websites into the phishing website list and delete the failed phishing websites from the phishing website list.

20. The apparatus of claim 11, wherein the directional traffic analysis module is configured to:

sending the user input information to a corresponding user information management mechanism by utilizing a preset communication interface; or

sending the user input information to a corresponding user information management mechanism in an encryption mode; or

and sending the user input information to a corresponding user information management mechanism in a data desensitization mode of keeping the unique characteristics.

21. An apparatus for preventing phishing attacks, comprising:

a memory; and

a processor coupled to the memory, the processor configured to perform the method of preventing phishing attacks of any of claims 1-10 based on instructions stored in the memory.

22. A computer readable storage medium, wherein the computer readable storage medium stores computer instructions which, when executed by a processor, implement a method of preventing phishing attacks as recited in any one of claims 1-10.

Technical Field

The present disclosure relates to the field of information security technologies, and in particular, to a method and an apparatus for preventing phishing attacks, and a computer-readable storage medium.

Background

Phishing attacks refer to the act of gaining a user's personal secret information (e.g., bank account numbers and passwords) by constructing a page that is highly similar to a target website and sending fraudulent messages purporting to be from a counterfeited organization, typically in the form of spam, instant chat, short message, etc., to trick the user's access.

Users susceptible to phishing websites are Internet users who are prone to phishing incidents; these users are the main targets of the underground (black-market) industry.

Disclosure of Invention

The inventors found that the underground industry generally uses phishing websites to acquire victims' account information and usually does not withdraw funds immediately. However, because there is no active monitoring mechanism, the counterfeited organizations do not know which users have leaked information on phishing websites. Often they can execute the relevant risk control strategies only after some users have suffered economic loss and reported it, which is untimely and offers no help to users who have leaked information but do not yet know it. Locating and discovering the users attacked by phishing websites has therefore become key to improving the counterfeited organizations' ability to cope with phishing websites and carry out effective risk control measures.

One technical problem solved by the present disclosure is how to prevent phishing websites from attacking users.

According to an aspect of an embodiment of the present disclosure, there is provided a method of preventing phishing attacks, including: monitoring messages of visiting the phishing website in real time; copying and analyzing the message, and extracting user input information in the message; and sending the user input information to the corresponding user information management mechanism so that the corresponding user information management mechanism informs the user that the user input information is leaked.

In some embodiments, the method further comprises: and determining the corresponding user information management mechanism by utilizing the characteristics of the user input information and the information characteristics of the user information management mechanism.

In some embodiments, determining a corresponding user information authority using the characteristics of the user input information and the information characteristics of the user information authorities comprises: and matching the characteristics of the user input information with the information characteristics of each user information management mechanism to obtain the user information management mechanism corresponding to the user input information.

In some embodiments, the user input information includes an account number, a password, a name, a certificate number, a bank card number, a mobile phone number input by the user; the characteristics of the information input by the user comprise an account number coding rule, a password coding rule, a name coding rule, a certificate number coding rule, a bank card number coding rule and a mobile phone number coding rule input by the user; the information characteristics of the user information management mechanism comprise an account number encoding rule, a password encoding rule, a name encoding rule, a certificate number encoding rule, a bank card number encoding rule and a mobile phone number encoding rule of the user information management mechanism.

In some embodiments, messages that access a particular phishing website are monitored in real time, the particular phishing website being a phishing website of a particular counterfeited website.

In some embodiments, the method further comprises: collecting phishing websites to form a phishing website list; the real-time monitoring of the message of visiting the phishing website comprises the following steps: and monitoring the messages of the phishing websites on the list of the phishing websites in real time.

In some embodiments, the method further comprises: classifying the phishing websites on the phishing website list; the real-time monitoring of the messages accessing the phishing website comprises the following steps: monitoring the messages of the phishing websites of the specified category on the list of the phishing websites in real time.

In some embodiments, classifying the phishing websites on the list of phishing websites comprises: classifying the phishing websites on the phishing website list according to the organization type and the protocol type of the counterfeited websites.

In some embodiments, the method further comprises: updating the phishing website list according to a preset rule; the updating of the phishing website list according to the preset rule comprises the following steps: and adding the newly collected phishing websites into the phishing website list, and deleting the expired phishing websites from the phishing website list.

In some embodiments, sending the user input information to the respective user information authority comprises: sending user input information to a corresponding user information management mechanism by utilizing a preset communication interface; or, the user input information is sent to the corresponding user information management mechanism in an encryption mode; alternatively, the user input information is sent to the corresponding user information authority in a data desensitization manner that preserves the uniqueness characteristic.

According to another aspect of the embodiments of the present disclosure, there is provided an apparatus for preventing phishing attacks, including: the deep message detection module, configured to monitor messages accessing the phishing website in real time, copy the messages and send the messages to the directional flow analysis module; and the directional flow analysis module, configured to parse the message, extract the user input information in the message and send the user input information to the corresponding user information management mechanism, so that the corresponding user information management mechanism informs the user that the user input information is leaked.

In some embodiments, the apparatus further comprises: and the management mechanism determining module is configured to determine the corresponding user information management mechanism by utilizing the characteristics of the user input information and the information characteristics of the user information management mechanism.

In some embodiments, the authority determination module is configured to: and matching the characteristics of the user input information with the information characteristics of each user information management mechanism to obtain the user information management mechanism corresponding to the user input information.

In some embodiments, the user input information includes an account number, a password, a name, a certificate number, a bank card number, a mobile phone number input by the user; the characteristics of the information input by the user comprise an account number coding rule, a password coding rule, a name coding rule, a certificate number coding rule, a bank card number coding rule and a mobile phone number coding rule input by the user; the information characteristics of the user information management mechanism comprise an account number encoding rule, a password encoding rule, a name encoding rule, a certificate number encoding rule, a bank card number encoding rule and a mobile phone number encoding rule of the user information management mechanism.

In some embodiments, the deep packet inspection module is configured to: and monitoring the messages accessing the specific phishing websites in real time, wherein the specific phishing websites are the phishing websites of the specific counterfeited websites.

In some embodiments, the apparatus further comprises a phishing website collection module configured to collect phishing websites to form a phishing website list; the deep packet inspection module is configured to: and monitoring the messages of the phishing websites on the list of the phishing websites in real time.

In some embodiments, the apparatus further comprises a phishing website classification module configured to classify phishing websites on the list of phishing websites; the deep packet inspection module is configured to: and monitoring the messages of the phishing websites of the specified category on the list of the phishing websites in real time.

In some embodiments, the phishing website collection module is configured to: classify the phishing websites on the phishing website list according to the organization type and the protocol type of the counterfeited websites.

In some embodiments, the device further comprises a phishing website list updating module configured to update the phishing website list according to a preset rule, add the newly collected phishing websites to the phishing website list, and delete the failed phishing websites from the phishing website list.

In some embodiments, the directional traffic analysis module is configured to: sending user input information to a corresponding user information management mechanism by utilizing a preset communication interface; or, the user input information is sent to the corresponding user information management mechanism in an encryption mode; alternatively, the user input information is sent to the corresponding user information authority in a data desensitization manner that preserves the uniqueness characteristic.

According to still another aspect of an embodiment of the present disclosure, there is provided an apparatus for preventing phishing attacks, including: a memory; and a processor coupled to the memory, the processor configured to execute the foregoing anti-phishing attack method based on instructions stored in the memory.

According to still another aspect of an embodiment of the present disclosure, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores computer instructions, and the instructions, when executed by a processor, implement the foregoing method for preventing phishing attacks.

The method and the system can detect the sensitive information leaked when the user accesses the phishing website, instruct the corresponding user information management mechanism to notify the user and take corresponding safety measures, thereby effectively preventing the phishing website from attacking the user and improving the network information safety and property safety of the user.

Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.

Drawings

In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to the drawings without inventive exercise.

Fig. 1 shows a flow diagram of a method for preventing phishing attacks according to an embodiment of the present disclosure.

Fig. 2 shows a flow diagram of a method of preventing phishing attacks according to another embodiment of the present disclosure.

Fig. 3 shows a schematic flow diagram of an apparatus for preventing phishing attacks according to an embodiment of the present disclosure.

Fig. 4 is a schematic structural diagram of an application example of the system for preventing phishing attacks.

Fig. 5 is a schematic diagram illustrating an application scenario of an application example of the system for preventing phishing attacks.

Fig. 6 shows a schematic structural diagram of the device for preventing phishing attack according to one embodiment of the present disclosure.

Detailed Description

The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.

A method of preventing phishing attacks according to one embodiment of the present disclosure will first be described with reference to fig. 1.

Fig. 1 shows a flow diagram of a method for preventing phishing attacks according to an embodiment of the present disclosure. As shown in fig. 1, the method for preventing phishing attack in this embodiment includes steps S100 to S108.

In step S100, the phishing websites are collected to form a phishing website list.

In step S102, the message for accessing the phishing website is monitored in real time.

Specifically, the messages of the phishing websites on the list of the phishing websites can be monitored in real time, and the messages of the specific phishing websites can also be monitored in real time. Wherein, the specific phishing website is a phishing website of the specific counterfeited website.

In step S104, the message is copied and parsed, and the user input information in the message is extracted.

In step S106, the user input information is transmitted to the corresponding user information authority so that the corresponding user information authority notifies the user that the user input information is leaked.

Specifically, the preset communication interface can be utilized to send the user input information to the corresponding user information management mechanism; or, the user input information can be sent to the corresponding user information management mechanism in an encryption mode; alternatively, the user input information may be sent to the corresponding user information authority in a data desensitized manner that preserves the uniqueness characteristic.

According to the embodiment, sensitive information leaked when a user accesses the phishing website can be detected, a corresponding user information management mechanism is indicated to notify the user and corresponding safety measures are taken, so that the phishing website is effectively prevented from attacking the user, and the network information safety and the property safety of the user are improved.

A method of preventing phishing attacks according to another embodiment of the present disclosure is described below with reference to fig. 2.

Fig. 2 shows a flow diagram of a method of preventing phishing attacks according to another embodiment of the present disclosure. As shown in fig. 2, on the basis of the embodiment shown in fig. 1, the method for preventing phishing attack in this embodiment further includes step S201, step S203, and step S207.

In step S201, phishing websites on the list of phishing websites are classified.

Specifically, phishing websites on the list of phishing websites can be classified according to the organization type and the protocol type of the counterfeited websites. Accordingly, in step S102, messages that access the phishing websites of the specified category on the list of the phishing websites can be monitored in real time.

In step S205, the corresponding user information management entity is determined using the characteristics of the user input information and the information characteristics of the user information management entity.

Specifically, the characteristics of the user input information may be matched with the information characteristics of each user information management mechanism to obtain the user information management mechanism corresponding to the user input information. The user input information comprises an account number, a password, a name, a certificate number, a bank card number and a mobile phone number which are input by a user; the characteristics of the information input by the user comprise an account number coding rule, a password coding rule, a name coding rule, a certificate number coding rule, a bank card number coding rule and a mobile phone number coding rule input by the user; the information characteristics of the user information management mechanism comprise an account number encoding rule, a password encoding rule, a name encoding rule, a certificate number encoding rule, a bank card number encoding rule and a mobile phone number encoding rule of the user information management mechanism.

For example, if the user input information is characterized by 11 digits and the first three digits are 134, it may be determined that the user input information is a mobile phone number, and the corresponding user information management entity obtained by matching is a D telecom operator. For example, if the user input information is characterized by 19 digits and the first two digits are 62, it may be determined that the user input information is a bank card number, and the corresponding user information management entity obtained by matching is bank E. For another example, if the user input information is characterized by 18 digits and the first three digits are 110, it can be determined that the user input information is an identity card number, and the corresponding user information management authority obtained by matching is F police.
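The flow of steps S104 to S106 and S205 is sketched below as an added example; it is not code from the patent. It parses a copied form POST sent to a listed phishing host, matches each field against the three feature rules above, and builds a notification in a desensitized form that keeps uniqueness. The host names, the per-institution keys, the choice of HMAC-SHA256 as the uniqueness-preserving token and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

# Constructed phishing list: host -> (counterfeited organization type, protocol type).
PHISHING_LIST = {
    "login.bank-e.example": ("bank", "http"),
    "pay.telecom-d.example": ("telecom", "http"),
}

# Feature rules taken from the three examples in the text.
RULES = [
    (re.compile(r"134\d{8}"), "mobile phone number", "telecom operator D"),
    (re.compile(r"62\d{17}"), "bank card number", "bank E"),
    (re.compile(r"110\d{15}"), "identity card number", "police F"),
]

# Constructed keys, assumed to be pre-shared with each institution.
KEYS = {
    "telecom operator D": b"constructed-key-d",
    "bank E": b"constructed-key-e",
    "police F": b"constructed-key-f",
}


def parse_form_post(raw):
    """Return (host, fields) for a urlencoded POST, or None if it is not one."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete, e.g. a truncated capture
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[0] != "POST":
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    host = headers.get("host", "").split(":")[0].lower()
    return host, parse_qsl(body.decode("utf-8", "replace"))


def classify(value):
    """Match one field value against the feature rules (step S205)."""
    for pattern, kind, institution in RULES:
        if pattern.fullmatch(value.strip()):
            return kind, institution
    return None


def desensitize(value, key):
    """Keyed token (stable per value, so the institution can match it against
    its own records) plus a masked form for display."""
    token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    masked = value[:3] + "*" * (len(value) - 7) + value[-4:]
    return {"token": token, "masked": masked}


def build_notifications(raw, keys, categories=None):
    """Steps S104-S106: parse the copied message, extract and route the fields."""
    parsed = parse_form_post(raw)
    if parsed is None:
        return []
    host, fields = parsed
    entry = PHISHING_LIST.get(host)
    if entry is None or (categories and entry[0] not in categories):
        return []  # host not on the list, or not in a monitored category
    notifications = []
    for _name, value in fields:
        hit = classify(value)
        if hit is None:
            continue  # unmatched fields (e.g. passwords) are not forwarded here
        kind, institution = hit
        record = {"institution": institution, "type": kind, "phishing_host": host}
        record.update(desensitize(value.strip(), keys[institution]))
        notifications.append(record)
    return notifications


# Constructed sample message: a form POST to a host on the list.
SAMPLE_CARD = "62" + "0" * 17
SAMPLE_PHONE = "134" + "0" * 8
SAMPLE_BODY = ("card=%s&phone=%s&pwd=constructed" % (SAMPLE_CARD, SAMPLE_PHONE)).encode()
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: login.bank-e.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    for note in build_notifications(SAMPLE_REQUEST, KEYS):
        print(note)
```

This sketch only sees form bodies sent over cleartext HTTP; a passive copy of an HTTPS session does not expose the POST body, which is one reason the protocol type of each listed site matters for what can be monitored.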

In step S207, the list of phishing websites is updated according to a preset rule.

Specifically, newly collected phishing websites can be added into the phishing website list, and expired phishing websites can be deleted from the phishing website list.

In the embodiment, the messages of the phishing websites with the specified categories can be monitored in real time by classifying the phishing websites on the phishing website list; meanwhile, the corresponding user information management mechanism is determined by utilizing the characteristics of the user input information and the information characteristics of the user information management mechanism; in addition, the phishing website list is updated according to the preset rule, and the monitored phishing websites can be adjusted in time, so that the reaction speed of phishing attacks is further increased, and the information safety and property safety of users are effectively guaranteed.

An apparatus for preventing phishing attacks according to an embodiment of the present disclosure is described below with reference to fig. 3.

Fig. 3 shows a schematic flow diagram of an apparatus for preventing phishing attacks according to an embodiment of the present disclosure. As shown in fig. 3, the apparatus for preventing phishing attack in the present embodiment includes:

the deep message detection module 302 is configured to monitor messages accessing the phishing website in real time, copy the messages and send the messages to the directional flow analysis module;

and the directional flow analysis module 304 is configured to parse the message, extract the user input information in the message, and send the user input information to the corresponding user information management mechanism, so that the corresponding user information management mechanism notifies the user that the user input information is leaked.

In some embodiments, the apparatus further comprises: the management mechanism determining module 303, configured to determine the corresponding user information management mechanism using the characteristics of the user input information and the information characteristics of the user information management mechanism.

In some embodiments, the authority determination module 303 is configured to: and matching the characteristics of the user input information with the information characteristics of each user information management mechanism to obtain the user information management mechanism corresponding to the user input information.

In some embodiments, the user input information includes an account number, a password, a name, a certificate number, a bank card number, a mobile phone number input by the user; the characteristics of the information input by the user comprise an account number coding rule, a password coding rule, a name coding rule, a certificate number coding rule, a bank card number coding rule and a mobile phone number coding rule input by the user; the information characteristics of the user information management mechanism comprise an account number encoding rule, a password encoding rule, a name encoding rule, a certificate number encoding rule, a bank card number encoding rule and a mobile phone number encoding rule of the user information management mechanism.

In some embodiments, the deep packet inspection module is configured to monitor, in real time, messages accessing specific phishing websites, where the specific phishing websites are phishing websites that counterfeit a specific website.

In some embodiments, the apparatus further comprises a phishing website collection module 300 configured to collect phishing websites to form a phishing website list; the deep packet inspection module 302 is configured to monitor, in real time, messages accessing the phishing websites on the phishing website list.

In some embodiments, the apparatus further comprises a phishing website classification module 301 configured to classify the phishing websites on the phishing website list; the deep packet inspection module is configured to monitor, in real time, messages accessing the phishing websites of a specified category on the phishing website list.

In some embodiments, the phishing website collection module 300 is configured to classify the phishing websites on the phishing website list according to the organization type and the protocol type of the counterfeited websites.

In some embodiments, the apparatus further comprises a phishing website list updating module 306 configured to update the phishing website list according to a preset rule, add a newly collected phishing website to the phishing website list, and delete a failed phishing website from the phishing website list.
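The list handling described in these embodiments (collection, classification by organization type and protocol type, updating, and monitoring of a specified category) can be sketched as follows. This is an added example, not code from the patent; the `Entry` and `PhishingList` names, the parent-domain matching, and the sample domains and address range are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    indicator: str  # domain name, or IP address / CIDR range
    org_type: str   # type of counterfeited organization, e.g. "financial"
    protocol: str   # "web" or "wap"


class PhishingList:
    def __init__(self):
        self._domains = {}   # normalised domain -> Entry
        self._networks = {}  # ip_network -> Entry

    @staticmethod
    def _key(indicator):
        """Return ('net', ip_network) or ('dom', normalised domain)."""
        try:
            return "net", ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            return "dom", indicator.lower().rstrip(".")

    def update(self, newly_collected, failed):
        """Add newly collected entries, then delete failed indicators."""
        for entry in newly_collected:
            kind, key = self._key(entry.indicator)
            (self._networks if kind == "net" else self._domains)[key] = entry
        for indicator in failed:
            kind, key = self._key(indicator)
            (self._networks if kind == "net" else self._domains).pop(key, None)

    def _lookup(self, host, dst_ip):
        if host:
            labels = host.lower().split(":")[0].rstrip(".").split(".")
            for i in range(len(labels) - 1):  # the host, then each parent domain
                hit = self._domains.get(".".join(labels[i:]))
                if hit:
                    return hit
        if dst_ip:
            addr = ipaddress.ip_address(dst_ip)
            for net, entry in self._networks.items():
                if addr.version == net.version and addr in net:
                    return entry
        return None

    def should_mirror(self, host=None, dst_ip=None, org_type=None, protocol=None):
        """Entry to mirror for, or None; optional filters select a category."""
        entry = self._lookup(host, dst_ip)
        if entry is None:
            return None
        if org_type and entry.org_type != org_type:
            return None
        if protocol and entry.protocol != protocol:
            return None
        return entry


def demo_list():
    """Constructed sample list; names and addresses are placeholders."""
    plist = PhishingList()
    plist.update([Entry("bank-a-login.example", "financial", "web"),
                  Entry("203.0.113.0/28", "financial", "wap"),
                  Entry("shop-c-sale.example", "e-commerce", "web")], failed=[])
    return plist
```
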

In some embodiments, the directional traffic analysis module 304 is configured to: send the user input information to the corresponding user information management mechanism through a preset communication interface; or send the user input information to the corresponding user information management mechanism in encrypted form; or send the user input information to the corresponding user information management mechanism after data desensitization that preserves its uniqueness.

The method for preventing phishing attacks of the present disclosure can also be implemented by a system for preventing phishing attacks. One application example of a system for preventing phishing attacks is described below in conjunction with fig. 4.

Fig. 4 is a schematic structural diagram of an application example of the system for preventing phishing attacks. Fig. 5 is a schematic diagram illustrating an application scenario of an application example of the system for preventing phishing attacks. As shown in fig. 4, the system for preventing phishing attacks may include a phishing website collection module 401, a directed traffic analysis module 402, a counterfeit object database 403, a susceptible user location module 404, and a data protection transmission module 405.

One application of the workflow of the system for preventing phishing attacks is as follows:

(1) The phishing website susceptible user identification system collects phishing websites in various ways to form a phishing website list, and submits the list to a Deep Packet Inspection (DPI) system deployed in an operator network for real-time monitoring.

Specifically, the phishing website susceptible user identification system uses the phishing website collection module to collect a large number of phishing websites in various ways, including but not limited to active detection and discovery, customer self-declaration, social resource sharing and the like; the phishing website collection module compiles the collected phishing websites into a list and submits the list to the DPI system for real-time monitoring. The phishing website list includes, but is not limited to, phishing website domain names, phishing website IP addresses, etc. The DPI system may be deployed at layers including, but not limited to, IDC egress, IP metropolitan area network, IP backbone network, international Internet gateway, and inter-operator interconnection.

Optionally, the phishing website collection module may submit all the collected phishing websites to the DPI system for real-time monitoring, and may also classify the phishing websites, and submit the phishing websites of the designated category to the DPI system for real-time monitoring. For example, phishing websites are classified according to the types of counterfeited organizations, such as financial institutions, e-commerce, media and the like; or may be classified according to protocol type, such as WAP sites, Web sites, etc.

Optionally, the phishing website collection module may also submit only the phishing websites that imitate a specific organization to the DPI system for real-time monitoring. For example, all collected phishing websites counterfeiting bank A are gathered to form a bank A phishing website list, and the list is submitted to the DPI system for real-time monitoring.

Optionally, the phishing website collection module may update the phishing website list according to a preset rule. The updating includes, but is not limited to, adding newly collected phishing websites to the list, and removing phishing websites that have failed from the list.

(2) The DPI system copies the original messages that access the phishing websites and distributes them to the directional traffic analysis module of the phishing website susceptible user identification system.

Specifically, the DPI system deployed in the operator network can filter the specified traffic based on the conditions such as domain name, IP address field, etc., according to the phishing website list submitted by the phishing website collection module, and copy and distribute the original message accessing the phishing website to the directional traffic analysis module of the phishing website susceptible user identification system.

(3) The directional traffic analysis module parses the message, extracts the sensitive information the user entered into the phishing website, and sends the sensitive information to the susceptible user positioning module.

Specifically, the directional traffic analysis module of the phishing website susceptible user identification system receives the directional mirrored data forwarded by the DPI system, parses the messages according to their protocol types, extracts the sensitive information the user entered into the phishing website, and sends the sensitive information to the susceptible user positioning module. Protocol types include, but are not limited to, the HTTP protocol and the WAP protocol. Sensitive information includes, but is not limited to, account numbers, passwords, names, certificate numbers, bank card numbers, mobile phone numbers, and the like. For example, the directional traffic analysis module receives an original HTTP message, forwarded by the DPI system, that accesses phishing website B, and extracts the personal information the user submitted to the website by deep parsing of the HTTP request message, such as: Zhang San, 13912345678, 110100123401011111, 4367123412341234123. The directional traffic analysis module sends this information to the susceptible user positioning module.

(4) The susceptible user positioning module uses the encoding rules predefined in the counterfeit object database and the information characteristics of counterfeited organizations to locate the counterfeited organization to which the susceptible user belongs.

Specifically, the susceptible user positioning module receives the user's sensitive information from the directional traffic analysis module, sorts the information and compares its characteristics against the encoding rules predefined in the counterfeit object database and the information characteristics of counterfeited organizations, locates the counterfeited organization to which the susceptible user belongs, and then sends the sensitive information and the name of the counterfeited organization to the data protection transmission module. The predefined encoding rules include, but are not limited to, bank card number encoding rules, user account number encoding rules, mobile phone number encoding rules, identification card number encoding rules, and the like. Information characteristics, including but not limited to the counterfeited organization's business account information and encoding rules, business type, etc., may be used to locate the counterfeited organization; e.g., the issuer name may be determined from the bank card number encoding rules. For example, the susceptible user positioning module receives user sensitive information sent by the directional traffic analysis module, such as: Zhang San, 13912345678, 110100123401011111, 4367123412341234123. Using the counterfeit object database, it sorts the information and compares characteristics according to the predefined encoding rules and the information characteristics of counterfeited organizations, and so works out the personal information the user submitted to the website together with its attributes: name: Zhang San; mobile phone number: 13912345678; identification number: 110100123401011111; bank card number: 4367123412341234123; and the bank card number belongs to bank A.

(5) The phishing website susceptible user identification system utilizes the data protection transmission module to safely send user sensitive information to a counterfeited organization to which the user belongs.

Specifically, the phishing website susceptible user identification system uses the data protection transmission module to securely send the user's sensitive information, through a preset communication interface, to the counterfeited organization to which the user belongs.

Optionally, to secure the transmission of the sensitive information, the data protection transmission module may send the data in encrypted form or after data desensitization that preserves uniqueness. Encryption schemes include, but are not limited to, symmetric encryption, asymmetric encryption, end-to-end encryption, link encryption, and the like. Uniqueness-preserving desensitization methods include, but are not limited to, one-way hashing, and the like. For example, the susceptible user positioning module has sorted out the sensitive information that the user entered into the phishing website, in which the bank card number belongs to bank A. The data protection transmission module can then encrypt the user's sensitive information, such as the bank card number, with a high-strength encryption algorithm and send it to bank A, or compute a one-way hash of the bank card number and send the hash value to bank A. Bank A obtains the bank card number by decryption, or by a reverse lookup of the hash value in a pre-computed rainbow table, then identifies the user and can start preset risk control measures for the user who has leaked information on the phishing website.
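Steps (3) to (5) of this workflow, as an added example that is not code from the patent: it parses a mirrored HTTP POST, labels each value by format rule, locates the issuer, and produces a uniqueness-preserving token that the institution reverses with a table precomputed over its own cards. The form field names, host, BIN table entry, key and simplified format rules are constructed assumptions, and the token uses HMAC-SHA-256 under a pre-shared key where the text only says one-way hash, so that the lookup table can be built only by a party holding the key.

```python
import hashlib
import hmac
import re
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed sample: mirrored request to a listed phishing host (placeholder
# host and path) carrying the text's sample values under arbitrary field names.
_BODY = b"a=Zhang+San&b=13912345678&c=110100123401011111&d=4367123412341234123"
MIRRORED_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: phish.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n%s" % (len(_BODY), _BODY)
)
BIN_TABLE = {"436712": "Bank A"}      # hypothetical counterfeit-object database entry
SHARED_KEY = b"constructed-demo-key"  # hypothetical key pre-agreed with Bank A

def extract_form_values(raw):
    """Step (3): values a user submitted in a urlencoded POST body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return []
    if b"application/x-www-form-urlencoded" not in head.lower():
        return []
    return [v for _, v in parse_qsl(body.decode("utf-8", "replace"))]

def _has_birth_date(value):
    """Characters 7-14 of an 18-character ID number encode YYYYMMDD."""
    try:
        datetime.strptime(value[6:14], "%Y%m%d")
        return True
    except ValueError:
        return False

def classify(value):
    """Step (4): label a value by its encoding rule, never by its field name."""
    if re.fullmatch(r"1[3-9]\d{9}", value):
        return "mobile"
    if re.fullmatch(r"\d{17}[\dXx]", value) and _has_birth_date(value):
        return "id_number"
    if re.fullmatch(r"\d{16,19}", value):
        return "bank_card"
    if re.fullmatch(r"[^\W\d_]+(?: [^\W\d_]+)*", value):
        return "name"
    return "unknown"

def desensitize(card, key=SHARED_KEY):
    """Step (5): keyed one-way token; the same card always gives the same token."""
    return hmac.new(key, card.encode(), hashlib.sha256).hexdigest()

def build_notifications(raw):
    """Steps (3)-(5): (institution, token) pairs for cards whose issuer is known."""
    out = []
    for value in extract_form_values(raw):
        issuer = BIN_TABLE.get(value[:6]) if classify(value) == "bank_card" else None
        if issuer:
            out.append((issuer, desensitize(value)))
    return out

def institution_lookup(token, issued_cards, key=SHARED_KEY):
    """Institution side: reverse a token via a table precomputed over its own cards."""
    table = {desensitize(card, key): card for card in issued_cards}
    return table.get(token)
```
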

Another example application of the workflow of the system for preventing phishing attacks is as follows:

(1) The phishing website collection module submits the phishing websites that imitate a specific organization to a DPI system deployed in an operator network for real-time monitoring, and at the same time sends the name of the imitated organization to the susceptible user positioning module.

Specifically, the phishing website susceptible user identification system uses the phishing website collection module to collect, in various ways, phishing websites that imitate a specific organization, forms a phishing website list, submits the list to the DPI system for real-time monitoring, and at the same time sends the name of the imitated organization to the susceptible user positioning module. For example, the phishing website collection module collects a large number of phishing websites imitating e-commerce website C through active detection and discovery, customer self-declaration, social resource sharing and other means, forms an e-commerce website C phishing website list, submits that list to the DPI system for real-time monitoring, and at the same time sends the name of e-commerce website C to the susceptible user positioning module.

(2) The DPI system copies the original messages that access phishing websites imitating the specific organization and distributes them to the directional traffic analysis module of the phishing website susceptible user identification system.

Specifically, the DPI system deployed in the operator network can filter the specified traffic based on conditions such as domain name and IP address segment, according to the list of phishing websites imitating the specific organization submitted by the phishing website collection module, and copy and distribute the original messages accessing those phishing websites to the directional traffic analysis module of the phishing website susceptible user identification system.

(3) The directional traffic analysis module parses the message, extracts the sensitive information the user entered into the phishing website, and sends the sensitive information to the susceptible user positioning module.

Specifically, the directional traffic analysis module of the phishing website susceptible user identification system receives the directional mirrored data forwarded by the DPI system, parses the messages according to their protocol types, extracts the sensitive information the user entered into the phishing website, and sends the sensitive information to the susceptible user positioning module. For example, the directional traffic analysis module receives an original HTTP message, forwarded by the DPI system, that accesses phishing website D, and extracts the personal information the user submitted to the website by deep parsing of the HTTP request message, such as: Li Si, 13987654321, [email protected], net, 123456. The directional traffic analysis module sends this information to the susceptible user positioning module.

(4) The susceptible user positioning module sorts the information using the encoding rules predefined in the counterfeit object database, and sends the sensitive information and the organization name to the data protection transmission module.

Specifically, the susceptible user positioning module receives the user's sensitive information from the directional traffic analysis module, sorts it according to the encoding rules predefined in the counterfeit object database, and then sends the sensitive information, together with the name of the counterfeited organization received from the phishing website collection module, to the data protection transmission module. For example, the susceptible user positioning module receives user sensitive information sent by the directional traffic analysis module, such as: Li Si, 13987654321, [email protected], net, 123456. Using the counterfeit object database, it sorts the information according to the predefined encoding rules and works out the personal information the user submitted to the website together with its attributes: name: Li Si; mobile phone number: 13987654321; user account: [email protected]; password: 123456. The counterfeited organization name sent by the phishing website collection module in step 201 is e-commerce website C. The susceptible user positioning module sends the sorted user sensitive information and the counterfeited organization name, e-commerce website C, to the data protection transmission module.

(5) The data protection transmission module securely sends the sensitive information to the counterfeited organization.

Specifically, the phishing website susceptible user identification system uses the data protection transmission module to securely send the user's sensitive information, through a preset communication interface, to the counterfeited organization to which the user belongs. For example, the data protection transmission module receives the sensitive information that the user entered into a phishing website, as sorted out by the susceptible user positioning module, along with the counterfeited organization name, e-commerce website C; it then encrypts the user's sensitive information with a high-strength encryption algorithm and sends it to e-commerce website C, which identifies the user and can start preset risk control measures for the user who has leaked information on the phishing website.

This application example provides a system for preventing phishing attacks. At present, a user who has leaked information on a phishing website cannot be discovered and located in time, so the user suffers economic loss and the counterfeited organization can only respond after the fact. To address this, a DPI system deployed in the operator network actively monitors target phishing websites in real time, and directional traffic analysis is performed on users accessing those websites, so that a susceptible user's entry of information on a phishing website is discovered and recorded and the sensitive information is sent securely to the counterfeited organization. Once a susceptible user has leaked information, the counterfeited organization can quickly start targeted risk control measures for that user without waiting for the user to report it, which effectively improves the organization's ability to respond to phishing websites and protects the safety of the user's funds. In addition, the user does not need to install anti-phishing controls that consume a large amount of terminal resources, and does not need to change usage habits, which improves the user experience.

Fig. 6 shows a schematic structural diagram of a device for preventing phishing attacks according to another embodiment of the present disclosure. As shown in fig. 6, the apparatus 60 for preventing phishing attack of this embodiment includes: a memory 610 and a processor 620 coupled to the memory 610, the processor 620 being configured to execute the method of preventing phishing attacks in any of the embodiments described above based on instructions stored in the memory 610.

Memory 610 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a boot loader, and other programs.

The phishing attack prevention apparatus 60 may further include an input/output interface 630, a network interface 640, a storage interface 650, and the like. These interfaces 630, 640, 650, the memory 610 and the processor 620 may be connected, for example, via a bus 660. The input/output interface 630 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 640 provides a connection interface for various networking devices. The storage interface 650 provides a connection interface for external storage devices such as an SD card and a USB disk.

The present disclosure also includes a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement a method of preventing phishing attacks in any of the foregoing embodiments.

As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The above description is only exemplary of the present disclosure and is not intended to limit the present disclosure, so that any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.
