Specific embodiment
The scheme of the embodiment of the present application can be used for the scene that terminal downloads the contents such as software by browser, to browseAfter the page that device is shown, safe download address included in the webpage is identified and indicated, user is reduced and downloads to maliceThe risk of the unreliable software such as software or bundled software.
In order to make it easy to understand, first the scene that application scheme is applicable in is introduced.Such as, referring to Fig. 1, it illustrates thisA kind of composed structure schematic diagram for scene that the scheme of application is applicable in.
As shown in Figure 1, which includes: terminal 11 and at least one Website server 12.Terminal 11 and Website serverCommunication is realized by network 13 between 12.
Browser is installed in the terminal 11, in the webpage that the browser which can monitor the terminal is shownDownload address, and identify the safe download address in webpage.
In one implementation, browser and for identification security monitoring of download address are installed in the terminal 11Using e.g., which can be the application such as computer house keeper.Terminal monitors browser by security monitoring application,And obtain the relevant information of the webpage shown in browser.
In conjunction with Fig. 1 it is found that terminal 11 can establish communication connection with Website server 12 by browser, and website is takenThe webpage returned in business device 12 shows in the browser of the terminal 11.
It should be noted that Website server can also can return to webpage to the browser of terminal for other by otherServer is only to be illustrated in Fig. 1 by taking Website server as an example.
In the embodiment of the present application, safe download address (also referred to as safe download address or safe download link) isRefer to, file pointed by download address is consistent with file described in the webpage comprising the download address.Such as, to download softwareIt does not include pushing software, bundled software and Malware etc. in software pointed by safe download address for download addressUnreliable software, wherein software pointed by safe download address can be the software that the safe download address is linked to,It can be the software that downloader pointed by the safe download address executes downloading.Wherein, downloader is the program of auxiliary downloading,The chained address for linking the downloader can be all set in many webpages that software download is provided, to start downloader completionThe downloading of corresponding software.
Correspondingly, dangerous download address (also referred to as unsafe download address) refers to, text pointed by download addressPart and file described in webpage not phase.Such as, still by taking the dangerous download address for downloading software as an example, if be described as in webpageFor downloading the download address of software A, but actually the download address has been directed toward another money software B;Alternatively, the download addressIt further include some recommendation softwares or the other software with software A binding, then under this in addition to including software A in the software of directionSet address is dangerous download address;Or downloader pointed by download address is for downloading another money software C or removingOther bundled softwares are also downloaded except downloading software A, then the download address is unsafe download address.
Wherein, the webpage that browser is shown in the embodiment of the present application is referred to as Webpage, Webpage etc..
It is understood that in the embodiment of the present application, terminal 11 can be mobile phone, tablet computer and desktop computer etc.Computer equipment.Such as, referring to fig. 2, it illustrates a kind of composition schematic diagrams of the terminal of the embodiment of the present application;Such as Fig. 2, terminal200 may include: processor 201 and memory 202.
In the embodiment of the present application, the processor 201, can for central processing unit (CentralProcessingUnit,CPU), application-specific integrated circuit (application-specific integrated circuit, ASIC), digital signalProcessor (DSP), specific integrated circuit (ASIC), ready-made programmable gate array (FPGA) or other programmable logic deviceDeng.
The processor can call the program stored in memory 202, specifically, can handle device can execute with the following figureOperation performed by terminal side in 3- Figure 10 embodiment.
For storing one or more than one program in memory 202, program may include program code, described programCode includes computer operation instruction, in the embodiment of the present application, is at least stored in the memory for realizing following functionsProgram:
When detecting that user's triggering browser shows webpage, the linking element in the webpage, the link member are positionedElement is the element that chain is connected to download address in webpage;
The determinant attribute of linking element described in the webpage is extracted, the determinant attribute is for identifying the linking elementThe download address of link;
Whether the determinant attribute for detecting the linking element belongs to the safety-critical attribute for identifying safe download address;
Obtain at least one linking element that determinant attribute in the webpage belongs to the safety-critical attribute;
It is shown in the webpage for prompting at least one described linking element to be identified as safe download linkPrompt information.
In one possible implementation, which may include storing program area and storage data area, whereinStoring program area can application program needed for storage program area and at least one function (such as image player function etc.)Deng;Storage data area can store the data created in the use process according to computer, for example, user data and audio dataEtc..
In addition, memory 202 may include high-speed random access memory, it can also include nonvolatile memory.
The terminal can also include: communication interface 203, input unit 204 and display 205 and communication bus 206.ItsIn, processor 201, memory 202, communication interface 203, input unit 204, display 205, by communication bus 206 it is completeAt mutual communication.
Wherein, which includes display panel, such as touch display panel;The input unit can be with touch sensibleUnit, keyboard etc..
Certainly, terminal structure shown in Fig. 2 does not constitute the restriction to terminal in the embodiment of the present application, in practical applicationsTerminal may include than more or fewer components shown in Fig. 2, or the certain components of combination.
In conjunction with the above general character, from terminal side, a kind of method for identifying safe download link to the embodiment of the present application is situated betweenIt continues.Such as, referring to Fig. 3, it illustrates a kind of a kind of flow diagrams of method for identifying safe download link of the application, and this method canTo include:
S301 detects that user triggers the browser and shows webpage in the browser plug-in by being injected into browserWhen, the linking element in the webpage is positioned by the browser plug-in.
Such as, after user accesses Website server by the browse request of terminal, Website server can be to browsingDevice returns to requested webpage, and due to being injected with browser plug-in in browser, terminal can be timely by browser plug-inIt detects and shows webpage in browser, in order to whether analyze the download link in the webpage that browser currently shows in timeSafety.
Wherein, browser plug-in is that one section of code that terminal is injected into browser can be run in browser executionThe browser plug-in.Pass through the operating status of the available browser of the browser plug-in and the webpage of browser executionRelated data etc..
Optionally, the security monitoring application can be run in the terminal, and is applied by the security monitoring into browserInject browser plug-in.In this way, terminal can monitor that browser shows by the browser plug-in after browser executionThe case where webpage.Wherein, terminal only needs to inject a browser plug-in into browser by security monitoring application, if browsingBrowser plug-in has been had been injected into device, then it is subsequent without repeating to inject browser plug-in into browser.For example, in terminal operatingSecurity monitoring application indicates function configured with a secure link in security monitoring application, if security monitoring application inspectionIt measures user and opens the secure link instruction function, then can detecte in the browser whether be injected with browser plug-in;IfThe browser plug-in is not yet injected in browser, then is applied by the security monitoring and inject the browser plug-in into browser.
The webpage of the application refers to downloading software or downloads the webpage of other content, can be connected in the web page comprising chainThe element of download address, the download address can be the chained address of the contents of object such as downloading software, file.
In the embodiment of the present application, the element that chain in webpage is connected to download address is known as linking element.Wherein, link memberElement can be the elements such as icon, the image of link download address, be also possible to directly make the chained address for being directed toward downloading fileFor linking element.
Particularly, it is contemplated that may can also include to link it in terminal other than being directed toward the linking element of download addressThe element of the network address of his type, in this kind of situation, terminal can obtain chain in webpage by browser plug-in and be connected to netThe feature of each element of network address belongs to each link for being directed toward download address to orient from each element of the webpageElement.
Optionally, it is contemplated that the linking element that chain is connected to download address in the downloading page of contents of object such as downloading software existsGenerally there is relatively fixed position, therefore, terminal, which can first pass through browser plug-in and determine, is associated with net in webpage in webpageAt least one element of network address (also referred to as chained address), and according to the position of at least one element in webpage, from thisLinking element is oriented at least one element.
Such as, referring to fig. 4, it illustrates a kind of schematic diagrames of linking element in webpage.As seen from Figure 4, Fig. 4 is shownOne, for downloading the downloading webpage of software A, is downloaded multiple links of software A in the downloading webpage in addition to indicating thatIt further include the element 402 that other link non-downloading software except element 401, element 402 is usually to link to have for recommending softwareThe network address of relevant information.As seen from Figure 4, linking element is in the overcentre position of the downloading webpage.Meanwhile chainAll there is the linking element for being connected to download address more apparent display feature to be e.g. denoted as " being locally-downloaded ", " downloading " andFeatures such as " high-speed downloads ", it follows that being connected to position of the element of network address in the downloading webpage or aobvious according to chainShow feature, linking element can be oriented from multiple elements that chain is connected to network address in downloading webpage.S302, by thisBrowser plug-in extracts the determinant attribute of linking element in the webpage.
Wherein, determinant attribute is used to identify the download address of linking element link.
Such as, the determinant attribute of the linking element can be the class attribute (also referred to as class label) of linking element, orPerson ID attribute (also referred to as ID label) etc., the class attribute and ID attribute of the linking element can identify link memberThe download address that element is linked.If the linking element does not have class attribute or ID attribute etc., style can also be belonged toProperty etc. can be identified for that out the attribute for the download address that the linking element is linked as determinant attribute.
Optionally, the source code of the webpage can be obtained by browser plug-in, and passes through browser plug-in from the webpageSource code in extract the attribute set of the linking element, the preassigned link is then extracted from the attribute setOne or more kinds of determinant attributes of element.
Webpage and locating web-pages whether are shown in browser it is understood that detecting by browser plug-inIn linking element and to obtain the determinant attribute of linking element be only a kind of implementation, the present embodiment is just for the sake of justIn understanding, and carry out web page monitored with browser plug-in and obtain the data instance of linking element in webpage to be illustrated.ButThere can also be other modes to monitor whether browser shows webpage in practical application, and obtain linking element in webpageRelated data, the application are without restriction to this.
Whether S303, the determinant attribute for detecting linking element belong to the safety-critical attribute for identifying safe download address.
Such as, in one implementation, it may be predetermined that out for identifying the determinant attribute of safe download address, in order toConvenient for distinguishing, the determinant attribute for identifying safe download address is known as safety-critical attribute.Correspondingly, can successively will be in webpageThe determinant attribute of each linking element is matched with each safety-critical attribute is predefined.If matching linking elementDeterminant attribute belong to safety-critical attribute, then illustrate the linking element be linking secure download address linking element;Otherwise,Then think that the download address of linking element link is not belonging to safe download address.
Wherein, predefine the safety-critical attribute for identifying safe download address be possibly stored to the terminal orIn person's cloud server.Such as, multiple safety-critical attributes are recorded by safe list, which can store takes in cloudIt is engaged in device, and the safe list is updated by cloud server timing, correspondingly, terminal can inquire the peace in the cloud serverFull list, to judge whether the determinant attribute of linking element belongs to the safety-critical attribute in safe list.Certainly, the terminalThe safe list can be periodically downloaded, in this way, whether the determinant attribute that terminal can directly inquire the linking element belongs to thisSafety-critical attribute in the safe list of terminal storage.
It is understood that being the determinant attribute to extract linking element in the embodiment of the present application, to analyze the linkWhether the download address of element link belongs to for safe download address, since the determinant attribute of linking element is easy to extract, andIdentification is stronger, therefore, the timeliness and convenience of information extraction can be improved by the way of the present embodiment.But in realityIn the application of border, the other information for the download address that also available linking element links then can also be by obtaining link memberThe information of the download address of element link, is matched with the information of pre-stored safe download address, to analyze linking elementWhether the download address of link belongs to safe download address.For example, obtaining the download address of linking element link, and by the chainThe download address and predetermined safe download address for connecing element link match, to analyze the downloading of linking element linkWhether address belongs to safe download address.
S304 obtains at least one linking element that determinant attribute in the webpage belongs to the safety-critical attribute.
Wherein, the linking element with safety-critical attribute i.e. chain are connected to the linking element of safe download address, lead toStep S303 is crossed, can determine that determinant attribute in the webpage belongs at least one linking element of safety-critical attribute, alsoIt is the linking element for identifying linking secure download address in the webpage.
S305 is shown in the webpage for prompting at least one described linking element to be identified as downloading chain safelyThe prompt information connect.
The safe download address in webpage is identified for the ease of user, is needed in webpage to linking secure download addressLinking element indicated, that is, under being shown in webpage for prompting at least one linking element to be identified as safelyThe prompt information for carrying link can identify linking secure download address in webpage so that user is before clickthrough elementLinking element.Indicated in webpage the linking element of linking secure download address specific implementation can there are many,Such as a prompting frame can be shown on the upper layer of the webpage by browser plug-in.
Optionally, terminal, which can be injected by browser plug-in into the code of the webpage, draws script, e.g., draws scriptIt can be at least one section of JS code.Correspondingly, can be at least one linking element terminal in webpage with security attributeIt is drawn out in webpage by drawing script for prompting at least one linking element to be identified as mentioning for safe download linkIndicating is known.Specifically, terminal passes through browser after part determines that determinant attribute belongs to the linking element of safety-critical attributePlug-in unit obtains the band of position of the linking element with safety-critical attribute in the web page;Then it is run by browser plug-inThe drafting script being injected into the webpage, to pass through the finger for drawing the script corresponding band of position of the linking element in the web pageDetermine to indicate the linking element in position range.
Wherein, indicated in webpage linking element marking mode can also there are many, e.g., can be in linking elementA mark frame or prompt vertically hung scroll are added in top, and the prompt of safe download link is shown in the mark frame or prompt vertically hung scrollLanguage, for example, " download address that the linking element is directed toward safety " etc.;For another example, the color that linking element is presented can also be adjusted,For example, color burn, or show specific color etc..Certainly, the corresponding linking element of safe download address is indicatedMarking mode can also have other may, as long as can allow user identify mark linking element be linking secure download addressLinking element.
In order to make it easy to understand, thering is one of linking element of safe download address to show to indicate link in webpage belowExample is introduced, such as referring to Fig. 5.As seen from Figure 5, the top in 502 position region of linking element is aobvious in webpage 501It is shown with the prompting frame 503 for being directed toward the linking element, which is to determine that 502 chain of linking element is connected to safetyDownload address after, what terminal was drawn out above the linking element in webpage.As shown in Figure 5, it is shown in the prompting frameIt is shown with signal language " being identified as safe download address ", in this way, user is in the web page before clickthrough element, it can be trueThe linking element of linking secure download address is made, dangerous download address is linked to so as to advantageously reduce, to subtractThe risk of unreliable software is downloaded to less.
As it can be seen that, when terminal detects that browser shows webpage, can obtain in the embodiment of the present application and link member in the webpageThe determinant attribute of element, and whether the determinant attribute by detecting the linking element belongs to safe the belonging to of the safe download address of markProperty, to analyze the linking element that chain in webpage is connected to safe download address, thus after browser shows webpage, it canThe linking element for being directed toward safe download address is indicated in webpage in time, so that user recognizes in webpage in timeIt is directed toward the linking element of safe download address, reduces user has downloading risk due to being misled into link member in webpage clickingThe situation of element, and then reduce user by page download to the probability of the risk informations such as unreliable software, it improves and passes through netThe safety of page downloading content.
It is understood that due to the determinant attribute of predetermined safe download address out or safe download addressInformation content is larger, if by the determinant attribute of linking element each in webpage or the information of other download address, in advance reallyThe information such as the fixed determinant attribute of safe download address are matched, then may need more data processing amount.Therefore, in order toData processing amount is reduced, can first be prejudged according to the web page address of webpage, to judge whether the webpage belongs in the presence of downloadingThe risk webpage of risk just identifies that chain is connected under safety in webpage only when the webpage belongs to the webpage in the presence of downloading riskThe linking element of set address.Wherein, the risk webpage that there is downloading risk is connected to the risk webpage of dangerous download address for chain.
Information in view of there is the webpage of downloading risk can store in terminal, be also possible to be stored in cloud serviceDevice, therefore, in order to assist the linking element of linking secure download address in terminal recognition webpage, secure identification system is in addition to includingIt can also include cloud server except terminal.Such as, referring to Fig. 6, it illustrates the sides of the safe download link of identification of the applicationA kind of application scenarios schematic diagram that method is applicable in.
As seen from Figure 6, include secure identification system 60 in the application scenarios, include in the secure identification system 60Terminal 61 and at least one cloud server 62.In the application scenarios further include: Website server 63.
Wherein, terminal 61 and cloud server 62 can by network connection, and, terminal 61 can pass through network and websiteServer 63 establishes communication connection.
Browser is installed in terminal 61, to show the webpage that Website server 63 is fed back to terminal by browser.
Maintenance has safe list in server 62 beyond the clouds, and record has the peace for identifying safe download address in the safe listFull determinant attribute.Such as, cloud server can receive the safety-critical category for the safe download address of mark that any terminal uploadsProperty and store into safe list;Either, cloud server is counted by big data, to determine to identify safe download addressSafety-critical attribute;Or the safety-critical attribute etc. of cloud server storage user configuration.
Meanwhile the newest safety-critical attribute that the cloud server can also be provided according to network data or terminalDeng updating the safety-critical attribute in the safe list.It certainly, is only store safety-critical attribute one using safe listKind storage form, stores the safety-critical attribute using other storage forms and is applied equally to the application.
Optionally, which stores risky address set, includes multiple presence in the risk address setThe web page address of the risk webpage of risk is downloaded, e.g., the web page address of risk webpage is stored in the form of risk list of websites.
Further, which can also store risk set of domains, deposit in the storage risk set of domainsContain the risky multiple top level domain of tool.
Terminal 62 can obtain the safe list, risk address set, one in risk set of domains from cloud serverIt is a or multiple, and safe list, risk address set and the risk set of domains that will acquire are stored to terminal local, withJust terminal is based on these safe lists or set, indicates the linking element of the safety in webpage;Either, terminal is identifyingIn webpage during safe linking element, safe list, risk address set or the risk in cloud server are inquiredSet of domains, finally to identify the linking element of the safety in webpage.
In order to make it easy to understand, having security monitoring application in conjunction with Fig. 6, and with terminal operating, and terminal passes through the security monitoringIt interacts using with cloud server, is introduced for identifying linking element safe in webpage.Such as, it referring to Fig. 7, showsA kind of process interaction schematic diagram of a kind of the embodiment of the present application method for identifying safe download link, the method for the present embodiment canTo include:
S701, terminal operating security monitoring application.
S702, when the security monitoring application detects that user opens secure link instruction function, the security monitoring applicationBrowser plug-in is injected, into browser to run the browser plug-in in a browser.
Wherein, secure link instruction function is to be arranged in security monitoring application for triggering security monitoring application identificationSafe linking element in the webpage shown in browser out, and indicate the option of safe linking element.
Such as, which can be computer house keeper, and a function choosing-item can be set in computer house keeper, useAfter the unlatching function choosing-item is clicked at family, computer house keeper can inject browser plug-in into browser, to monitor the browserThe case where showing the page and the data obtained in the page are analyzed.
It is understood that if security monitoring apply be filled with into browser plug-in before current time it is clearLook at device plug-in unit, then without being repeatedly injected.
Wherein, injected in the embodiment of the present application into browser injection technique used by the browser plug-in can have it is moreKind, the application is without restriction to this.
It is understood that can also be chosen in security monitoring application in the case where terminal has multiple browsersWhich or multiple browsers the secure link instruction function is opened for.But security monitoring applies and is directed to each browserIn the treatment process of webpage that shows be it is identical, it is feelings to show webpage in a browser that the embodiment of the present application is subsequentIt is introduced for condition.
It should be noted that above step S701 and S702 are intended merely to facilitate the browsing for understanding and being injected into browserThe injection process of device plug-in unit, but step S701 and S702 are not each run security monitoring application and operation browserWhen, require the operation executed.
S703, when the browser of terminal receives the page data of Website server return, the browser foundation of terminalThe page data shows webpage.
Such as, after user accesses Website server by the browse request of terminal, Website server can return clearThe requested page data of device of looking at.For example, when user wishes to download certain software, it can be by defeated in the browser's address barEnter corresponding network address, either, clicks corresponding page link, in the page that browser is shown so as in browserIn show the webpage of the download address comprising this software.
S704 when security monitoring application detects that the browser shows webpage, obtains the webpage by browser plug-inPage feature.
S705, security monitoring, which is applied, meets the page feature with linking element in the page feature for detecting the webpageWhen, the page address of the webpage is obtained by browser plug-in.
Wherein, linking element chain is connected to the element of download address.Wherein, download address is to be directed toward the chain of file to be downloadedBe grounded location, file to be downloaded can be software package, document etc., it is without restriction herein.
Wherein, the page feature of webpage can be the composition of element and the arrangement feature of element in the page, can also wrapInclude the features such as attribute of an element in the page.It can reflect out whether the webpage is in soft for downloading by the page feature of webpageThe downloading page of the objects such as part, file (namely with the page of linking element).If the page feature according to the webpage accords withThe page feature for closing the downloading page of the objects such as downloading software, then need to orient the linking element in webpage, and identify linkThe safety of the download address of element link;Otherwise, then it can directly be ended processing without identifying the element in the webpageJourney.
Such as, include download address webpage in generally can all have a special finger of " being locally-downloaded ", " official's downloading " etc.Show information, if showing these special instruction information in the webpage, it can be said that the bright webpage is the net comprising linking elementPage.For another example, it can analyze the source code of the webpage, to determine whether the page shows linking element according to source code, for example,If in the source code including download address, illustrate in the target webpage comprising linking element.It is, of course, also possible to there is its other partyFormula detects whether the webpage is the webpage with linking element, without restriction to this application.
By above step S703 to S705 it is found that the security monitoring application of terminal actually needs passing through browser plug-inWhen detecting that user shows the webpage with linking element by browser, the web page address of the webpage can be just obtained, and carry outThe identification of successive links element, finally to identify the linking element of linking secure download address in webpage.
It is understood that obtaining the page feature of webpage in step S704 and S705, and detect the page of the webpageIt is only a kind of preferred embodiment that whether region feature, which meets the page feature with linking element, and purpose is only to determine netWhether page belongs to the downloading webpage of downloading software or other content, data and exhibition in the downloading webpage of confirmation browse requestNow in the case where support grid page, it can not also execute whether the web page characteristics for judging the webpage meet the page with linking elementThe operation of region feature.
Wherein, the web page address of webpage can be the corresponding uniform resource locator of the webpage (Uniform ResourceLocator, URL).
S706, security monitoring application detect the webpage web page address whether belong to it is preset in terminal in the presence of carry riskWeb page address, if so, thening follow the steps S708;If not, thening follow the steps S707.
Wherein, the web page address that risk is carried in the presence of terminal preset, which can be, is pre-configured in terminal side;It can also be withIt is to be got in cloud server, e.g., terminal inquires the risk address set stored in cloud server according to the fixed cycle, withRisk is carried in the presence of storage using existing in the web page address configuration for downloading risk or more new terminal in the risk address setRisk webpage web page address.For the ease of distinguishing, the webpage that downloading risk will be present is known as risk webpage.
It is understood that the risk webpage in risk will lead to user and download to unreliable file, such as Malware, bundleThe unreliable software such as software is tied up, in the embodiment of the present application, there is the risk net of downloading risk in cloud server or terminalPage can be the webpage for meeting specified conditions analyzed in advance.
Such as, in the case where a kind of possible, the risk webpage that there is downloading risk can be divided into two major classes, and one kind is webpageChained address pointed by middle linking element can not reliable link to file;It is another kind of be in webpage pointed by linking element underCarrying device, there are malicious downloading behaviors.
Wherein, for chained address pointed by linking element in webpage can not reliable link to file the case where, the netPage can satisfy comprising one or more of feature:
1, in the chained address that the linking element of webpage is linked to, exist be not belonging to the webpage description file or underThe risk chained address of device is carried, and linking element associated by the risk chained address is identified as " this underground in webpageThe induction mark that the induction user such as load ", " telecommunications downloading ", " high-speed downloads " clicks.Such as, it is described in webpage under linking element M is" being locally-downloaded " address of software S (or downloader for downloading software S) is carried, but linking element M is actually linkedTo the download address (or downloader) of downloading other software.
2, there is link in webpage and substitute behavior for another surreptitiously.That is, the correct download address that the linking element in webpage is linked to originally,But the chained address or switching that other promote file (e.g. popularization software) are switched to by the random perhaps rule of Website serverFor for downloading the chained address for promoting the download address of file.
3, there are multiple binding behaviors in webpage.That is, what downloader pointed by the linking element of webpage and webpage describedSet membership between file (e.g., software installation packet) is more than one layer.Such as, the linking element of webpage is directed toward downloader A, and downloadsDevice A will start downloader B, then start downloader C by downloader B, and downloader C can just download to it is soft described in the webpagePart.
Wherein, the case where there are malicious downloading behaviors for downloader pointed by linking element in webpage, the webpageThe downloader that linking element is linked to meets following one or more conditions:
1, there is malice popularization behavior in downloader.Such as, there is virus, wooden horse or popularization in the software that downloader is promotedSoftware can not unload.
2, there is silent installation behavior in downloader.Such as, when downloader promotes software, interface is without any surface;Alternatively, can notBy modes such as " terminating process ", stop the software installation of downloader.
3, there are rogues to promote behavior for downloader, that is, the popularization software (or alternative document) that downloader is promoted can not lead toSelection is crossed, the downloading of the software is cancelled.It is chosen for example, not showed in the interface of downloader and promoting the corresponding cancellation of softwareFrame is not shown situations such as choosing in the presence of desalination tick boxes color or default perhaps.
In order to facilitate understanding downloader the case where there are malicious downloading behaviors, referring to Fig. 8, it illustrates a kind of downloadersA kind of schematic diagram at interface.
As seen from Figure 8, the information for needing software to be installed in the interface of the downloader in addition to showing, in the downloadingAlso show the dbase for thering is the downloader to be downloaded, software size etc. relevant information on the left of the interface of device.Meanwhile under thisIt carries and also shows some lists for promoting software on the right side of the interface of device, and shown on each icon 801 for promoting softwareOne frame 802 that can be chosen or cancel choosing can choose while downloading the software by the downloader so as to userThe some popularization softwares of downloading of property.
But if not showing popularization software in the interface of the downloader, and directly downloaded after downloader startingPopularization software;Either, although showing popularization software in the interface of the downloader, popularization selection is not providedCorresponding candidate frame, so that user can not cancel the downloading for promoting software, and the downloader just belongs to that there are malicious downloading behaviorsDownloader.
It is understood that be illustrated by taking the preset web page address that there is downloading risk as an example above, but it can be withUnderstand, the web page address that risk is carried in the presence of preset can be the entire domain name of risk webpage, be also possible to characterize windThe information of the other forms of the web page address of dangerous webpage, it is without restriction herein.
S707 detects that the web page address of the webpage is not belonging to the web page address that there is downloading risk in security monitoring applicationWhen, detect whether the top level domain in the web page address of the webpage belongs to top level domain there are risk, if it is, executing stepRapid S708;If it is not, then terminating.
It is understood that since the quantity for the web page address for carrying risk in the presence of analyzing in advance is than relatively limited, onlyIt may be led only in accordance with the web page address for carrying risk in the presence of preset to analyze the target webpage with the presence or absence of downloading riskSome webpages that there is downloading risk are caused to be missed.
And in view of webpage web page address in top level domain, can reflect out website belonging to the webpage country andArea, moreover, some applied top level domain in website for providing malicious file (such as Malware) are typically all more specialDomain name therefore can be pre-configured with some there are risk according to the general character of top level domain in the website that there is downloading riskTop level domain.Such as, it can configure in terminal there are the top level domain of risk, alternatively, terminal is obtained from server in advance, there are windThe top level domain of danger simultaneously stores in the terminal.
Correspondingly, in order to further reliably identify the webpage in the presence of downloading risk, it is also necessary to extract the net of the webpageTop level domain in page address, and detect the top level domain and whether belong to that preset there are the top level domain of risk.If the meshThe top level domain marked in the web page address of webpage belongs to the top level domain there are risk, then in the presence of being determined as the target webpageCarry the webpage of risk.
It should be noted that step S706 and S707 are in order to before the safe linking element in identification webpage, in advanceFirst judge whether the webpage belongs to the webpage in the presence of downloading risk, so as to subsequent for the webpage that there is downloading risk, identifiesChain is connected to the linking element of safe download address in webpage.But it is understood that in practical applications, can only execute thisA step or two steps in step S706 and S707 do not execute, but directly execute subsequent step S708.
S708, security monitoring, which is applied, positions the linking element in the webpage by browser plug-in, and extracts in webpageThe determinant attribute of linking element.
S709, security monitoring application successively will be in the determinant attribute of each linking element and the safe list of cloud serverThe safety-critical attribute of the safe download address of mark of record is compared, to determine that determinant attribute is safety-critical in webpageAt least one linking element of attribute.
The present embodiment is to be illustrated so that safe list is stored in cloud server as an example, but the present embodiment is also applied forThe case where safe list is stored in terminal.
Above step S708 and S709 may refer to the related introduction of preceding embodiment, and details are not described herein.
At least one linking element for having safety-critical attribute is determined as secure link member by S710, security monitoring applicationElement, and the secure link element that will identify that is indicated to the browser plug-in.
S711, security monitoring is applied determines position of each secure link element in webpage by the browser plug-in respectivelySet region.
It wherein, should the linking element of linking secure download address that namely identifies of secure link element.Safety prisonAfter secure link element is determined in control application, the information such as mark for the secure link element for needing will identify that are notified to browsingDevice plug-in unit, so that browser plug-in positions the position of the secure link element in webpage, consequently facilitating subsequent in corresponding positionUpper drafting prompt mark.
S712, security monitoring, which is applied, injects at least one section drafting script into the code of the webpage.
S712, for each secure link element, security monitoring, which is applied, positions theft-resistant link chain in the webpage by drawing scriptThe band of position of element is connect, and direction secure link member is drawn in the top of the band of position of the secure link element in webpageThe mark frame of element.
Wherein, it can show in the mark frame for prompting the secure link element link to have mentioning for safe download addressShow information.
The present embodiment be by webpage the linking element of linking secure download address top draw mark frame for intoRow explanation, but in practical application, mark frame can also be drawn in the left side, right side or lower section of the linking element;It can be withIt is to play marked effect by changing the display effect of linking element, it is without restriction herein.
It is understood that in any one embodiment of the application, if a terminal detects that each link member of webpageThe determinant attribute of element is not admitted to identify the safety-critical attribute of safe download address, it is determined that there is no link peaces in the webpageThe linking element of full download address.In this kind of situation, terminal can also show indicating risk in webpage, the indicating riskIt is used to indicate and the linking element that chain is connected to safe download address is not present in the webpage.Such as, terminal passes through in the code to webpageScript is drawn in injection, and draws out the prompt column of indicating risk in webpage by drawing script.Certainly, exist by other meansShow that indicating risk is equally applicable in webpage.
Optionally, before indicating secure link element into webpage in terminal, which can also be inserted by browserPart or drafting script export an inquiry frame in the web page, and the inquiry frame is for prompting for there are dangerous in the webpageDownload address, if need to indicate safe linking element.Correspondingly, detecting user's point by browser plug-in in terminalIt hits in inquiry frame after the linking element for agreeing to mark safety, indicates safe link member in the web page by drawing scriptElement.
The scheme of the application in order to facilitate understanding is introduced below with reference to a kind of concrete application scene.Such as, referring to Fig. 9,It illustrates terminal recognition and indicate an example of the linking element of linking secure download address in webpage.In this exampleIt is applied with security monitoring as computer house keeper, and the determinant attribute of class attribute as linking element to extract linking element isExample is illustrated.
The variation schematic diagram of the browser interface of terminal, the piece image in Fig. 9 from left to right is shown in FIG. 9To show a downloading page 901 for downloading software M in the browser of terminal.It can be seen from the piece imageThe downloading page 901 that terminal is shown includes multiple linking elements 902, and each linking element is used to link downloading software M'sDownload address, the download address can be the address of the downloader of downloading software M, be also possible to the corresponding downloading network of software MAddress etc..
Correspondingly, the computer house keeper of terminal is when detecting that the browser shows the downloading page, computer house keeper passes throughBrowser plug-in obtains the web page address of the downloading page, and carries risk in the presence of storing in the web page address and terminalWeb page address is matched.If it is determined that the web page address of the downloading page belongs to the web page address with downloading risk, thenMeeting computer house keeper extracts multiple respective class categories of linking element in the downloading page by being injected into the browser plug-inProperty, and respectively by the safe download address of mark stored in the class attribute of each linking element and cloud serverClass attribute compares.If computer house keeper detects that the class attribute in the webpage there are at least one linking element is not belonging toThe class attribute for identifying safe download address, then can determine whether out in the calss attribute of multiple linking elements, identify safety downloadingThe class attribute of address, meanwhile, a drafting script can be injected, into the code of webpage to draw out an inquiry in webpageFrame is asked, such as referring to the second width image in Fig. 9 from left to right.Show what the browser of terminal showed in the second width imageAn inquiry frame 903 is shown on the downloading page 901.Show that " there are the links of more misleading for current site in the inquiry frame!Computer house keeper can mark safe link for you " signal language, and tool is there are two options in the inquiry frame, a selectionItem is " wouldn't need ", and another options is " checking immediately ".
After if computer house keeper detected that " checking immediately " option is somebody's turn to do in user's click by browser plug-in, the computer pipeThe class attribute for the safe download address of mark that family can determine whether out returns to browser plug-in, so that computer house keeper can lead toIt crosses browser plug-in and orients that identify secure link corresponding to the class attribute of safe download address first from the downloading pageElement.Meanwhile quantity and position of the computer house keeper meeting according to the linking element oriented, it generates at least one and draws script, andAt least one is injected into the code of webpage by browser plug-in and draws script, each drafting script is responsible for indicating a peaceFull linking element.Correspondingly, computer house keeper draws out one above each secure link element determined by drawing scriptA mark frame, such as referring to the third width image in Fig. 9 from left to right.
The third width image is the schematic diagram that safe linking element is indicated in the downloading page 901 in the Fig. 9, byThe third width image, which can be seen that, is determined as theft-resistant link chain for " downloading of approach 1 " this linking element 902 in the downloading page 901Connect element.Correspondingly, computer house keeper in the downloading page should " downloading of approach 1 " this linking element 902 marked with thick line,And by text importing be italic, while a prompting frame 904 is drawn out in the top of " downloading of approach 1 " this linking element 902,It is shown in the prompting frame " computer house keeper is accredited as safe download address ", such user can be with according to the prompt of computer house keeperSafe download address is selected to download software M from the downloading page.
Optionally, in the application any embodiment, more intuitively see for the ease of user and be denoted as downloading safelyLinking element corresponding to address, security monitoring application can also show area by the browser plug-in control adjustment downloading pageThe linking element indicated is showed the central area of browser window by domain.Such as, the second width image and third width in comparison diagram 9The band of position that image can be seen that the window center in browser in the downloading page has found variation, in the third width figureThe linking element 904 indicated as in is in the middle section of window.
It is understood that in view of predefining the determinant attribute for being used to identify safe download address, Yi JiyiA little web page addresses etc. in the presence of downloading risk may have mistake, such as identify the corresponding determinant attribute of dangerous download addressFor safety-critical attribute, or the determinant attribute of some safe download address identified into unsafe determinant attribute etc..ForIt can carry out error correction in time, in the embodiment of the present application, user can also send by terminal to given server wrongInformation is accidentally reported, it can also include the download address quilt which, which reports information to may include the download address for being identified mistake,The concrete reason etc. of wrong identification.
Wherein, given server can be the server of security monitoring application.The security monitoring application can receive userMistake report request, and show a mistake and report the page.
Such as, the option of head of a station feedback can be set in security monitoring application, user clicks the choosing of head of a station feedbackXiang Hou can be triggered to security monitoring application one mistake of sending and be reported request, so that security monitoring application is shownMistake reports the page.Such as, referring to Figure 10, it illustrates a kind of examples that mistake in the application terminal reports the page, by Figure 10First width figure is the schematic diagram that mistake reports the page, and reporting the page in the mistake is " head of a station's feedback " in security monitoring applicationThe page, station address fills in filling out for column 1001, problem description bar 1002 and contact method in the page of " head of a station's feedback "Write column 1003.
Wherein, the station address for thinking there is identification mistake can be filled in by filling in the station address in column 1001;Accordingly, the specific error reason of station address etc. for being identified mistake can be specifically described in the problem description bar 1002.ConnectionMode fills in column and can fill in the mailbox of user for reporting mistake, in telephone number.
When security monitoring application detects that " transmission " option in " head of a station's feedback " page is clicked, then being based on shouldThe content that user inputs in " head of a station's feedback " page, generation error reports information, and reports to the server that security monitoring is appliedThe mistake reports information.
Correspondingly, the security monitoring application server receives after the mistake reports information, can into terminal the peaceFull monitoring application returns to the successfully instruction of a feedback.Security monitoring application can export the instruction of server return.Such as ginsengAs shown in the second width figure in Figure 10, is reported in the mistake and show the successful prompt column 1004 of feedback on the page.
On the other hand, present invention also provides a kind of devices for identifying safe download link.Such as, it referring to Figure 11, showsA kind of composed structure schematic diagram of the device one embodiment for identifying safe download link of the application, the device can be applied toTerminal noted earlier, the apparatus may include:
Positioning unit 1101 is linked, for positioning the net when detecting that user's triggering browser shows webpageLinking element in page, the linking element are the element that chain is connected to download address in webpage;
Attributes extraction unit 1102, for extracting the determinant attribute of linking element described in the webpage, the crucial categoryProperty for identifying the download address of linking element link;
Whether detection of attribute unit 1103, the determinant attribute for detecting the linking element belong to mark safety downloading groundThe safety-critical attribute of location;
Secure identification unit 1104 belongs to the safety-critical attribute at least for obtaining determinant attribute in the webpageOne linking element;
Link mark unit 1105, for being shown in the webpage for prompting at least one described linking element quiltIt is identified as the prompt information of safe download link.
In one possible implementation, link mark unit may include:
Script injects subelement, for by being injected into the browser browser plug-in into the code of the webpageScript is drawn in injection;
Link mark subelement, for by the draftings script drawn out in the webpage for described in prompting at leastOne linking element is identified as the prompt mark of safe download link.
In one possible implementation, the link positioning unit is specifically, for by being injected into browserIn browser plug-in detect that user triggers browser when showing webpage, positioned in the webpage by the browser plug-inLinking element;
Correspondingly, the attributes extraction unit is specifically, extract chain described in the webpage by the browser plug-inConnect the determinant attribute of element.
Optionally, such as Figure 12, it illustrates a kind of another possible group of devices for identifying safe download link of the applicationAt structural schematic diagram, the device is in addition to including above-mentioned link positioning unit 1101, attributes extraction unit 1102, attribute inspectionIt surveys except unit 1103, secure identification unit 1104 and link mark unit 1105, further includes:
Using running unit 1106, for the link positioning unit detect the browser show webpage itBefore, operation safety monitoring application;
Plug-in unit injection unit 1107, for applying the injection browser into the browser to insert by the security monitoringPart.
Alternatively, described in a kind of embodiment for the device for identifying safe download link of any of the abovePositioning unit is linked, may include:
Address obtains subelement, for obtaining the net of the webpage when detecting that user's triggering browser shows webpagePage address;
Address detected subelement, whether the web page address for detecting the webpage is with belonging to the webpage in the presence of downloading riskLocation;
Locator unit is linked, when for belonging to the web page address in the presence of downloading risk when the web page address of the webpage,Position the linking element in the webpage.
Further, which can also include:
Domain name detection unit, for detecting that the web page address of the webpage is not belonging to exist when the address detection unitWhen downloading the web page address of risk, detects the top level domain in the web page address of the webpage and whether belong to that there are the top of riskDomain name, and when the top level domain in the web page address of the webpage belongs to the top level domain there are risk, trigger the linkLocator unit executes the operation of the linking element in the positioning webpage.
In one possible implementation, the link positioning unit, comprising:
Element locator unit, for positioning chain in the webpage when detecting that user's triggering browser shows webpageIt is connected at least one element of network address;
Element screens subelement, for according to the position of at least one element in the webpage, from it is described at leastLinking element is oriented in one element.
In one possible implementation, the link positioning unit, comprising:
Feature obtains subelement, for obtaining the page of the webpage when detecting that user's triggering browser shows webpageRegion feature;
Whether feature detection unit, the page feature for detecting the webpage meet the spy of the page with linking elementSign;
Orientation triggering subelement, when for meeting the page feature with linking element in the page feature of the webpage,Position the linking element in the webpage.
Optionally, which can also include:
Indicating risk unit, the determinant attribute for the linking elements all in detecting webpage are not admitted to identifyWhen the determinant attribute of safe download address, show that indicating risk, the indicating risk are used to indicate described in the webpageSafe download address is not present in webpage.
Optionally, the detection of attribute unit, comprising:
Attribute query subelement, whether determinant attribute for inquiring the linking element belongs to records in safe listFor identifying the safety-critical attribute of safe download address, the safe list is stored in the terminal where the browser,Or it is stored in cloud server.
On the other hand, present invention also provides a kind of storage medium, it is stored with computer program in the storage medium, it is describedWhen computer program is loaded and executed by processor, the downloading chain safely of identification described in as above any one embodiment is realizedThe method connect.
It should be noted that all the embodiments in this specification are described in a progressive manner, each embodiment weightPoint explanation is the difference from other embodiments, and the same or similar parts between the embodiments can be referred to each other.For device class embodiment, since it is basically similar to the method embodiment, so being described relatively simple, related place ginsengSee the part explanation of embodiment of the method.
Finally, it is to be noted that, herein, relational terms such as first and second and the like be used merely to byOne entity or operation are distinguished with another entity or operation, without necessarily requiring or implying these entities or operationBetween there are any actual relationship or orders.Moreover, the terms "include", "comprise" or its any other variant meaningCovering non-exclusive inclusion, so that the process, method, article or equipment for including a series of elements not only includes thatA little elements, but also including other elements that are not explicitly listed, or further include for this process, method, article orThe intrinsic element of equipment.In the absence of more restrictions, the element limited by sentence "including a ...", is not arrangedExcept there is also other identical elements in the process, method, article or equipment for including element.
The foregoing description of the disclosed embodiments can be realized those skilled in the art or using the present invention.To thisA variety of modifications of a little embodiments will be apparent for a person skilled in the art, and the general principles defined herein canWithout departing from the spirit or scope of the present invention, to realize in other embodiments.Therefore, the present invention will not be limitedIt is formed on the embodiments shown herein, and is to fit to consistent with the principles and novel features disclosed in this article widestRange.
The above is only the preferred embodiment of the present invention, it is noted that those skilled in the art are comeIt says, various improvements and modifications may be made without departing from the principle of the present invention, these improvements and modifications also should be regarded asProtection scope of the present invention.