CN103368957B - Method and system that web page access behavior is processed, client, server - Google Patents

Abstract

The invention discloses a method, a system, a client and a server for processing web page access behaviors. The method includes: after monitoring the access request of the i-level page, obtaining a refer chain containing the page ID of the i-level page, the refer chain comprising the page ID and URL of the initial page to the i-level page; All URLs of the server are sent to the server for the server to query whether all the URLs contained in the refer chain belong to the blacklist and/or whitelist database it saves, and then match the query results with the preset rules to obtain the matching results; the receiving server returns The matching result of the i-th level page is processed according to the matching result. Compared with the prior art, the present invention has higher detection efficiency because the refer chain provides more URLs and wider coverage, and can more effectively protect the security of client webpage browsing.

Description

Method and system for processing webpage access behavior, client, server

technical field

The invention relates to the technical field of computer networks, in particular to a method and system for processing web page access behaviors, a client and a server.

Background technique

Malicious websites, such as phishing websites, fraudulent websites, counterfeit websites, etc., mainly fake the URL addresses or page content of real websites, pretend to be banking and e-commerce websites, or use loopholes in real website server programs , inserting dangerous webpage codes into some webpages of the website to defraud users of private information such as bank or credit card account numbers and passwords. Malicious webpages contain many sensitive features. For example, malicious webpages related to financial fraud will imitate the official website in terms of text and pictures, or insert information such as fake ticketing, fake lottery winning, fake online banking, and fake shopping into real webpages. Features mostly appear in web pages in the form of text strings.

The current method for identifying malicious webpages is mainly to manually review malicious webpages to collect text features of some simple malicious websites, which are used by browser plug-ins to judge webpage content based on these text features, and filter out these reported attack websites. However, the survival period of malicious websites is getting shorter and shorter, new malicious webpages emerge in endlessly, and the amount of webpages that need to be reviewed is too large; and the characteristics of malicious websites are changing rapidly. According to the traditional manual review method, the efficiency of extracting information will be relatively low. .

The existing main means to prevent malicious websites is that when a user visits a certain website, the client sends the URL of the website to the black and white list database on the server side for query. The so-called blacklist database is the URL list of malicious websites that have been verified and confirmed. Database, the so-called white list database is the URL of the safe website that has been audited and confirmed. After querying, the server will feed back the result of whether the website is a malicious website to the client.

The above existing technical means can only detect a single URL. However, because the URLs of malicious websites are constantly changing, the update speed of the black and white list database on the server side is far slower than that of malicious websites. Therefore, the technical means of detecting a single URL cannot effectively detect malicious websites, so it cannot be real-time, fast and effective. Protect the client's web browsing security.

Contents of the invention

In view of the above problems, the present invention is proposed to provide a system for processing web page access behaviors, a client, a server and a corresponding method for processing web page access behaviors, which overcome the above problems or at least partially solve the above problems.

According to one aspect of the present invention, a method for processing webpage access behavior is provided, which is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2; the method includes:

After monitoring the access request of the i-level page, obtain a refer chain comprising the page ID of the i-level page, the refer chain comprising the page ID and URL of the initial page to the i-level page;

Send all the URLs included in the refer chain to the server, so that the server can query whether all the URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then compare the query results with the preset Match the rules to get the matching result;

The matching result returned by the server is received, and the access behavior of the i-th level page is processed according to the matching result.

According to another aspect of the present invention, a client is provided, which is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2; the client includes:

The monitoring module is adapted to obtain a refer chain including the page ID of the i-level page after monitoring the access request of the i-level page, and the refer chain includes page IDs and URLs from the initial page to the i-level page;

A query interface, adapted to send all the URLs included in the refer chain to the server, so that the server can query whether all the URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then send matching the query result with a preset rule to obtain a matching result; and receiving the matching result returned by the server;

The protection module is adapted to process the access behavior of the i-th level page according to the matching result.

According to another aspect of the present invention, a server is provided, which is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2; the server includes:

a blacklist and/or whitelist database adapted to save URLs belonging to the blacklist and/or whitelist;

The query interface is adapted to receive all URLs contained in the refer chain sent by the client, query whether all the URLs contained in the refer chain belong to the blacklist and/or whitelist database, and then compare the query results with the preset rules Matching is performed to obtain a matching result, and the matching result is returned to the client.

According to another aspect of the present invention, a system for processing webpage access behavior is provided, including: the above-mentioned client and server.

According to the method, system, client, and server for processing webpage access behaviors provided by the present invention, whenever the client monitors an access request to a new page through links at all levels of the initial page, it obtains the refer chain corresponding to the new page , report all URLs contained in the refer chain to the server, the server detects matching results based on these URLs, and the client processes the access behavior of the new page according to the matching results. Compared with the prior art that only utilizes the URL of the new page for detection, since the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of the client's web browsing can be more effectively protected.

The above description is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, it can be implemented according to the contents of the description, and in order to make the above and other purposes, features and advantages of the present invention more obvious and understandable , the specific embodiments of the present invention are enumerated below.

Description of drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the invention. Also throughout the drawings, the same reference numerals are used to designate the same parts. In the attached picture:

FIG. 1 shows a flowchart of a method for processing web page access behaviors according to an embodiment of the present invention;

FIG. 2 shows a flowchart of a method for creating a refer chain according to an embodiment of the present invention;

Fig. 3 shows a structural block diagram of a client according to an embodiment of the present invention;

Fig. 4 shows a structural block diagram of a server according to an embodiment of the present invention;

Fig. 5 shows a structural block diagram of a system for processing webpage access behaviors according to an embodiment of the present invention.

detailed description

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

Aiming at the technical problem existing in the prior art that using a single URL for detection cannot effectively detect malicious websites, and therefore cannot quickly and effectively protect the client’s web browsing security in real time, the present invention provides a method for using refer chains to detect web pages. The scheme by which access behavior is handled. For the page that the current user is visiting, its refer information is the URL of the parent page of the current page, that is, the URL of the previous page linked to the current page. The present invention obtains refer chains according to the URLs of several levels of pages linked to the current page, and uses the refer chains to process webpage access behaviors.

Fig. 1 shows a flowchart of a method 100 for processing web page access behaviors according to an embodiment of the present invention. In this embodiment, the current page is referred to as the i-th level page, i≥2, and the i-th level page is a page opened by the i-th level link of the initial page. Usually, after the user opens the browser, the browser accesses the default initial page or triggers the initial page access request through the user's input in the address bar, and the initial page is linked to the second page by the user clicking a link on the initial page or other links. The level page is linked from the level 2 page to the level 3 page through the user clicking a link on the level 2 page or other link methods, and so on, and finally the i-1 level page is linked to the i level page. For example, after the user opens the browser and enters www.so.com in the address bar, this page is the initial page (the URL is represented by A in the following); then, the user enters "phone recharge" in the search bar and clicks the search button, The browser will jump to http://www.so.com/s?ie=utf-8&src=360sou_home&q=%E8%AF%9D%E8%B4%B9%E5%85%85%E5%80%BC, This page is a second-level page (B is used to indicate its URL below); the second-level page provides many links, and the user clicks one of the links, and the browser will jump to the page corresponding to this link http://chongzhi.360. cn/mobile/, this page is the third-level page (C is used to represent its URL below); the user clicks the link of "online game point card" on the third-level page, and the browser will jump to http://chongzhi.360. cn/GameCard/index, this page is a level 4 page (D is used below to represent its URL).

As shown in FIG. 1 , the method 100 starts at step S101 , where the browser of the client monitors the access request of the i-th level page. The access request for the i-th level page is triggered by the user clicking a link or other link on the i-1 level page. In the above example, when the user clicks the link of "Online Game Point Card" on the third-level page, the browser will monitor the access request of the fourth-level page: http://chongzhi.360.cn/GameCard/index.

After monitoring the access request of the i-th level page, the browser will load the i-th level page, and during the process of loading the i-th level page, obtain a refer chain including the page ID of the i-th level page, ie step S102. The refer chain includes page IDs and URLs from the initial page to the i-th level page, where the page IDs of all levels of pages are unique IDs generated by the browser during page loading, and serve as the URL of the page in the refer chain index value. The browser uses the page ID of the i-level page to query the refer chain that contains the URL of the i-level page and the i-level page is the last-level page. For example, the refer chain is A(ID1)->B(ID2)->C(ID3)->D(ID4), where A, B, C and D are the URLs of pages at all levels, ID1, ID2, ID3 and ID4 are page IDs of pages at all levels respectively. When the browser loads the page D, the above refer chain is queried according to the page ID4 of the page D.

In the above example, during the process of loading the fourth-level page, the following refer chain will be obtained:

A(ID1)->B(ID2)->C(ID3)->D(ID4)

After step S102, the method 100 enters step S103, wherein the client sends all URLs contained in the refer chain to the server. The client can only report the URLs of the pages at all levels included in the refer chain to the server without reporting the page IDs of the pages at all levels. For the refer chain: A(ID1)->B(ID2)->C(ID3)->D(ID4), the client sends A->B->C->D to the server. Optionally, according to the cloud query protocol with the server, this method can encrypt all URLs included in the refer chain into ciphertext and send it to the server. Here, the present invention may adopt a reversible encryption method to encrypt all URLs, and may also adopt an irreversible encryption method to encrypt all URLs. For example, the feature value of each URL included in the refer chain is calculated as ciphertext. Optionally, the characteristic value can be a hash value calculated according to MD5 (Message Digest Algorithm, message digest algorithm fifth edition), or SHA1 (Secure Hash Algorithm, secure hash algorithm) code, or CRC (Cyclic Redundancy Check, Cyclic redundancy check) codes and other feature codes that can uniquely identify the original information. It should be noted that when uploading the ciphertext of the URL to the cloud security server, it is necessary to block the URL string that may contain the user password first, and not upload such URLs, so as to ensure the security of user information

After step S103, the method 100 proceeds to step S104, wherein the server queries whether all URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and obtains the query result. If on the client side, all the URLs contained in the refer chain are encrypted by a reversible encryption method, then the server first decrypts the received ciphertext to obtain all the URLs contained in the refer chain; correspondingly, the blacklist saved by the server And/or the whitelist database stores URLs, after the server obtains all the URLs included in the refer chain, it queries the blacklist and/or whitelist database to obtain the query results of whether these URLs belong to the blacklist or whether they belong to the whitelist. If on the client side, the URL contained in the refer chain is encrypted by an irreversible encryption method, correspondingly, the blacklist and/or whitelist database stored by the server also stores the characteristic value of the corresponding URL, and the refer chain is obtained on the server After the feature values of all the URLs are included, the blacklist and/or whitelist database is queried to obtain the query result of whether these URLs belong to the blacklist or whether they belong to the whitelist.

After step S104, the method 100 proceeds to step S105, wherein the server matches the query result with a preset rule to obtain a matching result. Among them, the preset rules are set according to actual needs, and specifically stipulate the situations where risk warnings are required. The following two preset rules are used as examples for illustration:

Rule 1: Jump to malicious or dangerous or unknown pages through search engines

If the query result shows that the URL of the i-th page belongs to the blacklist database, that is, the i-th page is a malicious page or a dangerous page; or, the URL of the i-th page does not belong to the whitelist database, that is, the i-th page is an unknown page; And it is determined that any page from the initial page to the i-1th level page is a search page, that is, the i-th level page is redirected by a search engine, indicating that the query result matches the rule one, and the matching result is a risk warning information.

Optionally, the server also saves a search page URL list. In this step, it is determined whether the URL of any page from the initial page to the i-1th level page belongs to the search page URL list, and if so, it is determined that any page from the initial page to the i-1th level page is a search page. It should be noted that other methods may also be used for determining the search page, and the method is not limited to this method.

Rule 2: Jump to the payment page through a malicious page, a dangerous page, or an unknown page

If the query results show that the URL of any page from the initial page to the i-1th level page belongs to the blacklist database, that is, the page is a malicious page or a dangerous page; or, any of the initial page to the i-1th level page The URL of the page does not belong to the whitelist database, that is, the page is an unknown page; and it is judged that the i-th level page is a payment page, indicating that the query result matches the rule 2, and the matching result is risk warning information.

Optionally, the server also saves a payment page URL list. In this step, it is determined whether the URL of the i-level page belongs to the payment page URL list, and if so, it is determined that the i-level page is a payment page. It should be noted that other methods may also be used for determining the payment page, and are not limited to this method.

The above-mentioned rule 1 and rule 2 are only two specific examples, and the present invention is not limited to these two rules. According to actual needs, the server can preset multiple rules for matching query results.

After step S105, the method 100 enters step S106, wherein the client receives the matching result returned by the server.

Subsequently, the method 100 enters step S107, and the browser of the client processes the access behavior of the i-th level page according to the matching result. If the received matching result is risk warning information, the browser prompts the user of the risk. Optionally, the browser may provide the user with the option of intercepting the current page and continuing to visit the current page. If the user chooses to intercept the current page, the browser will intercept the access behavior of the current page. Prompting the risk to the user here can be specifically: mark the page with the problem on the user interface; or, when the mouse moves over the page, a floating window prompts; if it is determined to intercept the access behavior of the page, you can directly block or cover the page with problem page.

According to the method for processing webpage access behaviors provided by the embodiments of the present invention, whenever an access request to a new page is monitored through links at all levels of the initial page, the refer chain corresponding to the new page is obtained, and all the links contained in the refer chain are The URLs are reported to the server, and the server detects matching results based on these URLs, and the client processes the access behavior of the new page according to the matching results. Compared with the prior art that only utilizes the URL of the new page for detection, since the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of the client's web browsing can be more effectively protected.

Further, on the basis of the above embodiments, a process of creating a refer chain is also included before step S102. Existing browsers provide an interface for obtaining refer information of a URL, that is, a get_refer interface. However, the refer information obtained through the get_refer interface only includes the URL of the page visited last time before visiting the current page, that is, the URL of the previous page linked to the current page; and, opening from a page to the get_refer interface can use It takes a long time. If you wait until the get_refer interface can be used, it will take too long to perform detection. In order to be able to obtain the refer chain composed of the URLs of pages at all levels in real time, the present invention provides a method for creating the refer chain, which specifically includes: whenever a new page is opened through the links of all levels of the initial page, the process of maintaining the refer chain Obtain the page ID and URL of the new page and the page ID or URL of the upper-level page of the new page, query the corresponding refer chain according to the page ID or URL of the upper-level page, and create the corresponding node of the refer chain.

Fig. 2 shows a flowchart of a method 200 for creating a refer chain according to an embodiment of the present invention. As shown in FIG. 2 , the method 200 starts at step S201 of creating a first-level node. In the first-level node creation step S201, after monitoring the access request of the initial page, generate the page ID of the initial page, obtain the URL of the initial page, create the first-level node of the refer chain, and combine the page ID and URL of the initial page It is written into the refer chain as the information of the first-level node. For the default page accessed by the browser or the page triggered by the user's input in the address bar, use it as the initial page and create a new refer chain. Specifically, after monitoring the access request of the initial page, the browser loads the initial page. During the process of loading the initial page, the browser generates a unique ID as the page ID of the initial page, and obtains the URL of the initial page. Wherein, the URL of the initial page may be obtained by specifying a response event interface, for example, by implementing a specified response event interface of a standard plug-in mechanism.

Use the Browser Helper Object (BHO for short: BHO) plug-in mechanism in the IE (Internet Explorer) browser to obtain the URL currently loaded by IE by responding to the "BeforeNavigate2" event. In the Firefox browser, use the specified response event interface provided by the Firefox extension mechanism to obtain the URL currently loaded by the Firefox browser. Use the Netscape Plugin Application Programming Interface (NPAPI for short) plug-in mechanism in the Google (chrome) browser to obtain the URL currently loaded by the Google browser. After obtaining the page ID (such as ID1) and URL (such as A) of the initial page, use ID1 and A as the first-level node information of the refer chain, and create a refer chain as: A(ID1). Wherein, ID1 is index information.

It should be noted that, since in actual applications, people use computers with different application environments, such as operating systems, browser types, etc., therefore, there may be multiple implementations for the executing entities of the foregoing steps. For example, it may be a browser with the function of identifying and adding tags, wherein the browser may be Internet Explorer (IE for short) which is a built-in browser of the Windows operating system, or other third-party browsers. The so-called third-party browsers usually refer to non-IE browser software running on the Windows operating system. Such third-party browsers usually provide users with rich and unique function designs and personalized extensions for users. Many handy apps. For example, the same plug-in mechanism can run on multiple types of browsers, for example, the browsers are IE, firefox, google chrome, safari, opera, QQ browser, Aoyou browser, Sogou browser or Cheetah browser, etc.

After the first-level node creation step S201, the method 200 enters into a process of cyclically creating the i-th level node. Starting from i=2, the method 200 enters step S202, wherein after monitoring the access request of the i-th level page, the page ID of the i-th level page is generated, and the URL of the i-th level page and the page of the i-1th level page are obtained ID or URL, the i-th level page is the page-level redirection page of the i-1 level page. In this article, linking from the i-1th level page to the i-th level page by clicking on a link on the i-1th level page or by other user actions is called page-level jumping. After the browser monitors the access request of the i-th level page through the page-level jump, it will load the i-th level page. During the process of loading the i-th level page, the browser generates a unique ID as the page ID of the i-th level page, and obtains the URL of the i-th level page. Wherein, the URL of the i-th level page can be obtained by specifying a response event interface, for example, by implementing a specified response event interface of a standard plug-in mechanism. For specific methods, refer to the previous description about how to obtain the URL of the initial page.

In order to find the corresponding refer chain and continue to create nodes on it, in step S202 it is also necessary to obtain the page ID or URL of the i-1th level page. The present invention provides two different ways to obtain the information of the i-1th level page according to the different situations of the browser accessing the new page, one way (i.e. the following way 1) is applicable to the new window or new tab (tab) The situation where the i-level page is opened by the first page; the other method (i.e. the second method below) is applicable to the situation that the i-level page is still opened through the current window or the current tab page.

method one:

First, after monitoring the access request of the i-th level page, obtain the interface object pointer of the i-th level page, and write the interface object of the i-th level page according to the interface object pointer to the interface object of the i-th level page. Get the page ID of the i-1th level page. Then, in the process of loading the i-th level page, the page ID of the i-1 level page is obtained by reading the information provided by the interface object of the i-th level page.

The above method 1 is applicable to the situation that the i-th level page is opened through a new window or a new tab (tab) page. Taking IE browser as an example, by analyzing the implementation principle of IE browser to open a new window or new tab page, find the relevant processing function called by the internal module of IE browser to create a new window or new tab page, and capture (Hook) this function , use the return value of this function to obtain the interface object pointer of the new window or new tab page (the window or tab page that will load the i-level page), such as the IWEBBROWSER2 pointer; since the browser has not started loading the i-level page at this time, The page ID of the current page recorded by the browser is still the page ID of the i-1th level page obtained during the loading of the i-1th level page. Therefore, at this time, the browser can point to the IWEBBROWSER2 object according to the interface object pointer Write the page ID of the i-1th level page. After starting to load the i-th level page, the page ID of the i-1 level page can be obtained by reading the information provided by the IWEBBROWSER2 object of the i-th level page.

Method 2:

After monitoring the access request of the i-level page and before loading the i-level page, obtain the URL of the i-1 level page through the get_locationURL interface provided by the browser.

The second method above is applicable to the situation that the i-th level page is still opened through the current window or the current tab page. In this case, since no new window or new tab page is opened, the page ID of the i-1th level page cannot be obtained in a manner similar to the first method. In this case, after monitoring the access request of the i-level page, but before the "BeforeNavigate2" event of the i-level page, the get_locationURL interface still provides the URL of the i-1 level page, so use the get_locationURL interface The URL of the i-1 level page can be obtained.

However, after the step of obtaining the URL of the i-1th level page through the get_locationURL interface provided by the browser, it is necessary to determine whether the opening of the i-th level page is triggered by the input behavior of the browser address bar. Specifically, according to the browser address If the judgment result is yes, the URL of the i-1th level page obtained through the get_locationURL interface provided by the browser will be cleared, and the i-th level page will be processed as the initial page, and step S201 will be executed. ; If the judgment result is no, execute step S203.

The above method 1 and method 2 are respectively aimed at different situations. If the i-th level page is opened through a new window or a new tab page, then step S202 obtains the page ID of the i-1th level page through the above method 1; if the i-th level page is opened through a current window or a current tab page, Then step S202 obtains the URL of the i-1th level page through the second method above. If step S202 obtains the page ID of the i-1th level page, then follow up to query the corresponding refer chain according to the page ID; if step S202 obtains the URL of the i-1th level page, then follow up according to the URL Query the corresponding refer chain.

After step S202, the method 200 enters step S203, wherein the refer chain containing the page ID or URL of the i-1th level page is queried, the i-th level node of the refer chain is created, and the page ID and URL of the i-th level page are used as The information of the i-level node.

Specifically, if in step S202, the page ID of the i-1th level page is acquired by the above method 1, then it is sufficient to directly query the refer chain containing the page ID of the i-1th level page. For example, if the page ID of the second-level page is ID2, the URL is B, and the page ID of the first-level page (that is, the initial page) is ID1 through step S202, then in this step, query the refer chain containing ID1, And the index information of the last-level node of the refer chain is ID1, that is, A(ID1); create the second-level node of the refer chain, use ID2 and B as the information of the second-level node, and obtain the refer chain as A(ID1 )->B(ID2). If in step S202, the URL of the i-1th level page is obtained by using the second method above, then it is necessary to query the refer chain containing the URL of the i-1th level page. Since the process of maintaining the refer chain may maintain multiple refer chains containing the same URL, this step may query and obtain multiple refer chains containing the URL of the i-1th level page. However, since the timing of page jumps is good when the i-level page is still opened through the current window or the current tab page, which is applicable to the above-mentioned method 2, the latest updated refer chain can be selected as the i-level node to be created The refer chain.

Optionally, in the first method of step S202 above, it is also possible to write only the URL of the i-1th level page to the interface object of the i-th level page, and by reading the information provided by the interface object of the i-th level page, Get the URL of the i-1 level page. Next, in step S203, query the refer chain containing the URL of the i-1th level page, and select the latest updated refer chain as the refer chain of the i-th level node to be created if multiple refer chains are found. However, in the case of opening the i-level page through a new window or a new tab (tab) page applicable to the above method 1, the timing of page jumps is poor, so the accuracy of the method of finding the refer chain based on the page ID It will be higher than the method of finding the refer chain based on the URL.

The above step S202 and step S203 are executed cyclically, thereby creating a complete refer chain. For the above example, the created refer chain is: A(ID1)->B(ID2)->C(ID3)->D(ID4).

In the process of creating the refer chain, you also need to consider a special situation, that is, when you visit certain pages, the page will automatically jump multiple times, such as 3xx and other jumps. This article will refer to this jump Turning is called jumping between pages. In IE browser, the BHO mechanism provides three events when visiting the same page, namely BeforeNavigate2, NavigateComplete2 and DocumentComplete2. Under normal circumstances, the URLs corresponding to the three events are the same, but if multiple 302 redirects occur, the following will happen: (BeforeNavigate2)url0->(302)url1->(302)url2->( NavigateComplete2) url2 -> (DocumentComplete2) url2. If the above example is still taken as an example, when page C is accessed, page C may automatically jump multiple times, jumping to C1 and C2 in turn. Therefore, if there is a jump between pages, it may not be possible to capture URLs of all the jump pages by relying on the above method.

In view of the above-mentioned special circumstances, the embodiment of the present invention further includes the step of creating at least one i-th child node after the above-mentioned step S203, that is, step S204, which is executed when the i-th-level page jumps between pages, Wherein at least one i-th child node corresponds to at least one inter-page jump page of the i-th level page. In step S204, the function called during redirection processing is captured, and the URL of at least one jump page between pages of the i-level page is obtained from the input parameters of the function called during redirection processing; and, the query includes the i-level The refer chain of the page ID of the page, create at least one i-th child node of the refer chain, and use the page ID of the i-th page and the URL of at least one jump page between pages of the i-th page as at least one i-th level Information about child nodes. Specifically, when a jump such as 3xx occurs, the browser will perform redirection processing. During the redirection processing, the browser will call the "Urlmon!CINet::OnRedirect" function, and the input parameter of this function will record the jump between pages. The URL of the redirected page. By capturing this function, the URL of at least one inter-page jump page of the i-th level page can be obtained. The URL of the inter-page jump page obtained by this method is used as the information of the i-th child node, and the index ID of the inter-page jump page is the same as the page ID of the i-th level page. For the above example, the created refer chain is: A(ID1)->B(ID2)->C(ID3)->C1(ID3)->C2(ID3)->D(ID4).

According to the method for processing webpage access behaviors provided by the embodiments of the present invention, whenever an access request to a new page is monitored through links at all levels of the initial page, the refer chain corresponding to the new page is obtained, and all the links contained in the refer chain are The URLs are reported to the server, and the server detects matching results based on these URLs, and the client processes the access behavior of the new page according to the matching results. Compared with the prior art that only utilizes the URL of the new page for detection, since the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of the client's web browsing can be more effectively protected. Further, the embodiment of the present invention also provides a method for creating a refer chain. According to this method, the refer chain composed of URLs of pages at all levels can be obtained in real time, so that the client can also send all the URLs contained in the refer chain to the The server, so that the server can obtain very comprehensive URL information in a timely manner, and according to the URL information, the server can return the matching result to the client in a timely manner, thereby realizing real-time and rapid protection of the security of the client's web browsing.

Fig. 3 shows a structural block diagram of a client according to an embodiment of the present invention. The client is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2. As shown in FIG. 3 , the client includes: a monitoring module 31 , a query interface 32 and a protection module 33 ; optionally, the client may also include: an encryption module 34 .

The monitoring module 31 is adapted to obtain the refer chain including the page ID of the i-th level page after monitoring the access request of the i-th level page. The access request for the i-th level page is triggered by the user clicking a link or other link on the i-1 level page. After the monitoring module 31 monitors the access request of the i-th level page, the browser will load the i-th level page, and during the process of loading the i-th level page, the monitoring module 31 obtains the refer chain containing the page ID of the i-th level page. The refer chain includes page IDs and URLs from the initial page to the i-th level page, where the page IDs of all levels of pages are unique IDs generated by the browser during page loading, and serve as the URL of the page in the refer chain index value. The browser uses the page ID of the i-level page to query the refer chain that contains the URL of the i-level page and the i-level page is the last-level page.

The query interface 32 is suitable for sending all URLs included in the refer chain to the server, so that the server can inquire whether all URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then compare the query results with the preset The rules are matched to obtain a matching result; and, the matching result returned by the server is received. Optionally, according to the cloud query protocol with the server, the encryption module 34 encrypts all URLs contained in the refer chain into ciphertext (for a description of the encryption method, please refer to the method embodiment), and sends it to the query interface 32. Interface 32 sends the ciphertext to the server. The query interface 32 may only report to the server the ciphertext of the URLs of the pages at all levels included in the refer chain, without reporting the page IDs of the pages at all levels.

The protection module 33 is adapted to process the access behavior of the i-th level page according to the matching result. If the matching result is risk warning information, the protection module 33 will remind the user of the risk. Optionally, the protection module 33 may provide the user with options to block the current page and continue to visit the current page. If the user chooses to block the current page, the protection module 33 will block the access behavior of the current page.

Further, the client may also include a refer chain creation module 35. The refer chain creation module 35 includes: a first node creation unit 36 and a second node creation unit 37 .

The first node creating unit 36 is adapted to generate the page ID of the initial page after monitoring the access request of the initial page, obtain the URL of the initial page, create the first-level node of the refer chain, and use the page ID and URL of the initial page as the first node The information of level 1 nodes is written into the refer chain. Further, the first node creation unit 36 includes: an initial page page ID generation unit 361 , an initial page URL acquisition unit 362 and a first node creation subunit 363 . The page ID generating unit 361 of the initial page is adapted to generate the page ID of the initial page after monitoring the access request of the initial page. The initial page URL acquiring unit 362 is adapted to acquire the URL of the currently loaded initial page through a specified response event interface during the process of loading the initial page. For example, by implementing the specified response event interface of the standard plug-in mechanism. Use the BHO plug-in mechanism of the browser helper object in the IE browser to obtain the currently loaded URL of the IE by responding to the "BeforeNavigate2" event. In the Firefox browser, use the specified response event interface provided by the Firefox extension mechanism to obtain the URL currently loaded by the Firefox browser. Use the NPAPI plug-in mechanism in the Google (chrome) browser to get the URL currently loaded by the Google browser. The first node creation subunit 363 is adapted to create a first-level node of the refer chain, and write the page ID and URL of the initial page as information of the first-level node into the refer chain.

The second node creation unit 37, i≥2, is adapted to generate the page ID of the i-th page after monitoring the access request of the i-th page, and obtain the URL of the i-th page and the page of the i-1th page ID or URL, the i-level page is the page-level jump page of the i-1 level page; and, query the refer chain containing the page ID or URL of the i-1 level page, and create the i-level node of the refer chain , the page ID and URL of the i-th level page are used as the information of the i-th level node; the second node creating unit 37 is adapted to create all levels of nodes of the refer chain. Further, the second node creation unit 37 includes: the page ID generation unit 371 of the i-th level page, the URL acquisition unit 372 of the i-th level page, the page ID or URL acquisition unit 373 of the i-1th level page and the second node Create subunit 374 . The page ID generating unit 371 of the i-th level page is adapted to generate the page ID of the i-th level page after monitoring the access request of the i-th level page. The URL acquiring unit 372 of the i-th level page is adapted to acquire the URL of the currently loaded i-th level page through a designated response event interface during the loading of the i-th level page. For a specific manner of obtaining the URL of the currently loaded i-th level page, refer to the relevant description of obtaining the URL of the initial page. The page ID or URL acquiring unit 373 of the i-1th level page is adapted to acquire the page ID or URL of the i-1th level page after monitoring the access request of the i-th level page. The second node creation subunit 374 is suitable for querying the refer chain containing the page ID or URL of the i-1th level page, creating the i-th level node of the refer chain, and using the page ID and URL of the i-th level page as the i-th level Node information.

Optionally, the second node creation unit 37 of the client further includes: a capturing unit 375 and a writing unit 376 . The capturing unit 375 is adapted to acquire the interface object pointer of the i-th level page after monitoring the access request of the i-th level page. The writing unit 376 is adapted to write the page ID of the i-1th level page acquired during the process of loading the i-1th level page into the interface object of the i-th level page according to the interface object pointer. This implementation manner is applicable to the situation that the i-th level page is opened through a new window or a new tab (tab) page. Taking the IE browser as an example, the capture unit 375 is further adapted to capture the function called by the browser to create a new window or new tab page after monitoring the access request of the i-level page, and use the return value of the function to obtain the i-level page. Interface object pointer of the page, such as IWEBBROWSER2 pointer. Since the browser has not yet started loading the i-th level page at this time, the page ID of the current page recorded by the browser is still the page ID of the i-1th level page obtained during the loading of the i-1th level page, so At this time, the writing unit 376 can write the page ID of the i-1th level page to the IWEBBROWSER2 object according to the interface object pointer. The page ID or URL acquisition unit 373 of the i-1th level page is specifically adapted to: in the process of loading the i-th level page, by reading the information provided by the interface object of the i-th level page, to obtain the i-1th level page The page ID of the . Optionally, the writing unit 376 is adapted to write the URL of the i-1th level page acquired during the process of loading the i-1th level page to the interface object of the i-th level page according to the interface object pointer.

Optionally, the page ID or URL obtaining unit 373 of the i-1th level page is further adapted to: after monitoring the access request of the i-th level page and before loading the i-th level page, obtain the URL through the get_locationURL interface provided by the browser The URL of the page at level i-1. The second node creating unit 37 also includes: a judging unit 377 and a clearing unit 378 . Wherein, the judging unit 377 is suitable for judging whether the input behavior of the browser address bar triggers the opening of the i-th level page, specifically, it can be judged by clicking and inputting actions according to the browser address bar; the emptying unit 378 is suitable for judging unit When the judgment result of 377 is yes, the page ID of the i-1th level page or the URL of the i-1th level page acquired by the URL acquisition unit 373 is cleared, and the first node creation unit 36 is triggered to convert the i-th level The page is processed as the initial page; if the judging result of the judging unit 377 is negative, the judging unit 377 triggers the second node creating subunit 374 to create the i-th level node of the refer chain.

If the page ID or URL acquisition unit 373 of the i-1th level page obtains the page ID of the i-1th level page, then the second node creation subunit 374 directly queries the refer chain containing the page ID of the i-1th level page , create the i-th level node of the refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node. If the page ID of the i-1th level page or the URL obtaining unit 373 obtains the URL of the i-1th level page, then the second node creation subunit 374 queries the refer chain containing the URL of the i-1th level page, and in When multiple refer chains are found, select the most recently updated refer chain, create the i-th level node of the refer chain, and use the page ID and URL of the i-th level page as the information of the i-th level node.

In the process of creating the refer chain, considering that the page automatically jumps multiple times, the refer chain creation module 35 also includes: a second child node creation unit 38, adapted to capture the function called when the redirection is processed, from the redirection Obtain the URL of at least one inter-page jump page of the i-level page from the input parameter of the function called during processing; and query the refer chain containing the page ID of the i-level page, and create at least one i-th page of the refer chain The first-level child node uses the page ID of the i-th level page and the URL of at least one inter-page jump page of the i-th level page as the information of at least one i-th level child node.

Fig. 4 shows a structural block diagram of a server according to an embodiment of the present invention. The server is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2. As shown in FIG. 4 , the server includes: a blacklist and/or whitelist database 41 and a query interface 42 . in,

The blacklist and/or whitelist database 41 is adapted to store URLs belonging to the blacklist and/or whitelist. The server collects identified safe webpages and dangerous/malicious webpages in advance, saves URLs of safe webpages in a whitelist database, and saves URLs of dangerous/malicious webpages in a blacklist database. Optionally, what is stored in the blacklist and/or whitelist database 41 may also be characteristic values of URLs.

Preferably, the blacklist and/or whitelist database 41 in the embodiment of the present invention may include, but not limited to, a phishing website library, an advertising fraud website library, or any other type of malicious website library.

The query interface 42 is suitable for receiving all URLs contained in the refer chain sent by the client, querying whether all URLs contained in the refer chain belong to the blacklist and/or whitelist database, and then matching the query results with preset rules to obtain a match As a result, the matching result is returned to the client. If on the client side, all the URLs included in the refer chain are encrypted by a reversible encryption method, then the query interface 42 includes a module for decrypting the received encrypted ciphertext. All URLs for .

The preset rules are set according to actual needs, and specifically stipulate situations in which risk warnings are required. The following two preset rules are used as examples for illustration:

Rule 1: Jump to malicious or dangerous or unknown pages through search engines

For this rule one, the query interface 42 is further suitable for: if the query result shows that the URL of the i-th page belongs to the blacklist database, that is, the i-th page is a malicious page or a dangerous page; or, the URL of the i-th page does not belong to the blacklist database. List database, that is, the i-th level page is an unknown page; and it is judged that any page from the initial page to the i-1th level page is a search page, that is, the i-th level page is redirected by a search engine, indicating the query result Match the rule one, and the matching result is risk warning information.

Rule 2: Jump to the payment page through a malicious page, a dangerous page, or an unknown page

For the second rule, the query interface 42 is further suitable: if the query result shows that the URL of any page from the initial page to the i-1th level page belongs to the blacklist database, that is, the page is a malicious page or a dangerous page; or, the initial page The URL of any page from the page to the i-1th level page does not belong to the whitelist database, that is, the page is an unknown page; and it is judged that the i-th level page is a payment page, indicating that the query result matches the rule 2, and a match is obtained The result is a risk warning message.

The above-mentioned rule 1 and rule 2 are only two specific examples, and the present invention is not limited to these two rules. According to actual needs, the server can preset multiple rules for matching query results.

Further, the server may further include: a search page URL database 43, adapted to store a list of search page URLs; a payment page URL database 44, adapted to store a list of payment page URLs. The query interface 42 determines that any page from the initial page to the i-1th level page is a search page by judging that the URL of any page from the initial page to the i-1th level page belongs to the preset search page URL list; and, by It is judged that the URL of the i-th level page belongs to the preset payment page URL list, and it is determined that the i-th level page is a payment page.

Fig. 5 shows a structural block diagram of a system for processing webpage access behaviors according to an embodiment of the present invention. As shown in FIG. 5 , the system includes a client 30 and a server 40 . For the specific structures and functions of the client 30 and the server 40 , refer to the description of the above-mentioned embodiments, which will not be repeated here.

According to the client, the server, and the system for processing web page access behaviors provided by the embodiments of the present invention, whenever the client monitors a request for access to a new page through links at all levels of the initial page, it obtains the refer chain corresponding to the new page , report all URLs contained in the refer chain to the server, the server detects matching results based on these URLs, and the client processes the access behavior of the new page according to the matching results. Compared with the prior art that only utilizes the URL of the new page for detection, since the refer chain provides more URLs and covers a wider area, the detection efficiency is higher, and the security of the client's web browsing can be more effectively protected. Further, the client in the embodiment of the present invention also has the function of creating a refer chain, and according to this function, the refer chain composed of URLs of pages at all levels can be obtained in real time, so that the client can also timely upload all URLs contained in the refer chain By sending it to the server, the server can obtain very comprehensive URL information in a timely manner. According to the URL information, the server can return the matching result to the client in a timely manner, thereby realizing real-time and rapid protection of the security of the client's web browsing.

According to the method provided in the embodiment of the present invention, after the step of obtaining the page ID and URL of the i-1th level page through the get_locationURL interface provided by the browser, it further includes:

Determine whether the opening of the i-level page is triggered by the input behavior of the browser address bar;

If the judgment result is yes, clear the URL of the i-1 level page obtained through the get_locationURL interface provided by the browser, and process the i-level page as the initial page;

If the judgment result is no, execute the step of creating the i-th level node of the refer chain.

According to the method provided in the embodiment of the present invention, after the step of creating the i-th level node, it further includes: a step of creating at least one i-th level child node, and the at least one i-th level child node corresponds to at least one of the i-th level page Inter-page jump page: capture the function called during redirection processing, and obtain the URL of at least one inter-page jump page of the i-level page from the input parameters of the function called during the redirection processing; and, query Including the refer chain of the page ID of the i-th level page, creating at least one i-th level child node of the refer chain, and jumping between the page ID of the i-th level page and at least one page of the i-th level page The URL of the forwarded page is used as information of at least one i-th child node.

The client provided according to the embodiment of the present invention is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2; the client includes:

The monitoring module is adapted to obtain a refer chain including the page ID of the i-level page after monitoring the access request of the i-level page, and the refer chain includes page IDs and URLs from the initial page to the i-level page;

A query interface, adapted to send all the URLs included in the refer chain to the server, so that the server can query whether all the URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then send matching the query result with a preset rule to obtain a matching result; and receiving the matching result returned by the server;

The protection module is adapted to process the access behavior of the i-th level page according to the matching result.

According to the client according to the embodiment of the present invention, if the matching result received by the query interface is risk warning information, the protection module is further adapted to: remind the user of the risk according to the risk warning information, and according to the user's selection Intercepting the access behavior of the i-th level page.

The client according to the embodiment of the present invention further includes: an encryption module, adapted to encrypt all URLs contained in the refer chain into ciphertexts, and send them to the query interface, and the ciphertexts are encrypted by the query interface. The text is sent to the server.

The client according to the embodiment of the present invention further includes: a refer chain creation module;

The refer chain creation module includes:

The first node creation unit is suitable for generating the page ID of the initial page after monitoring the access request of the initial page, obtaining the URL of the initial page, creating a first-level node of the refer chain, and combining the page ID and URL of the initial page Write the refer chain as the information of the first-level node;

The second node creation unit, i≥2, is adapted to generate the page ID of the i-th level page after monitoring the access request of the i-th level page, and obtain the URL of the i-th level page and the page ID of the i-1th level page or URL, the i-th level page is the page-level jump page of the i-1th level page; The i-level node uses the page ID and URL of the i-level page as the information of the i-level node;

The second node creation unit is adapted to create nodes at all levels of the refer chain.

According to the client described in the embodiment of the present invention,

The first node creation unit includes:

The page ID generating unit of the initial page is adapted to generate the page ID of the initial page after monitoring the access request of the initial page;

The URL acquisition unit of the initial page is adapted to obtain the URL of the currently loaded initial page by specifying a response event interface during the process of loading the initial page;

The first node creation subunit is adapted to create a first-level node of the refer chain, and writes the page ID and URL of the initial page into the refer chain as information of the first-level node;

The second node creation unit includes:

The page ID generating unit of the i-level page is adapted to generate the page ID of the i-level page after monitoring the access request of the i-level page;

The URL obtaining unit of the i-level page is adapted to obtain the URL of the currently loaded i-level page through a specified response event interface during the loading of the i-level page;

The page ID or URL acquisition unit of the i-1th level page is adapted to obtain the page ID or URL of the i-1th level page after monitoring the access request of the i-th level page;

The second node creates a subunit, which is suitable for querying the refer chain containing the page ID or URL of the i-1th level page, creating the i-level node of the refer chain, and using the page ID and URL of the i-th level page As the information of the i-th level node.

According to the client described in the embodiment of the present invention, the second node creation unit further includes: a capturing unit adapted to obtain the interface object pointer of the i-th level page after monitoring the access request of the i-th level page; and, The writing unit is adapted to write the page ID of the i-1th level page acquired during the process of loading the i-1th level page to the interface object of the i-th level page according to the interface object pointer;

The page ID or URL acquiring unit of the i-1th level page is specifically adapted to: in the process of loading the i-th level page, by reading the information provided by the interface object of the i-th level page, to obtain the i-1th level The page ID of the page.

According to the client described in the embodiment of the present invention, the capture unit is further adapted to: after monitoring the access request of the i-th level page, capture the function called by the browser to create a new window or a new tab page, and use the function The return value obtains the interface object pointer of the i-level page.

According to the client described in the embodiment of the present invention, the page ID or URL acquisition unit of the i-1th level page is further adapted to: after monitoring the access request of the i-th level page and before loading the i-th level page, Obtain the URL of the i-1 level page through the get_locationURL interface provided by the browser.

According to the client described in the embodiment of the present invention, the second node creation unit further includes:

The judging unit is suitable for judging whether the i-th level page is triggered by the input behavior of the browser address bar;

The emptying unit is adapted to clear the page ID of the i-1th level page or the URL of the i-1th level page acquired by the URL acquisition unit when the judgment result of the judgment unit is yes, and trigger The first node creation unit processes the i-th level page as the initial page;

If the judging result of the judging unit is negative, the judging unit triggers the second node creation subunit to create the i-th level node of the refer chain.

According to the client described in the embodiment of the present invention, the refer chain creation module further includes: a second child node creation unit, adapted to capture the function called during redirection processing, from the function called during redirection processing Obtain the URL of at least one inter-page jump page of the i-level page in the input parameter of the i-level page; and query the refer chain containing the page ID of the i-level page, and create at least one i-level child node of the refer chain, The page ID of the i-th level page and the URL of at least one inter-page jump page of the i-th level page are used as the information of at least one i-th level child node.

The server according to the embodiment of the present invention is used to detect the i-th level page opened by the i-th level link of the initial page, i≥2; the server includes:

a blacklist and/or whitelist database adapted to save URLs belonging to the blacklist and/or whitelist;

The query interface is adapted to receive all URLs contained in the refer chain sent by the client, query whether all the URLs contained in the refer chain belong to the blacklist and/or whitelist database, and then compare the query results with the preset rules Matching is performed to obtain a matching result, and the matching result is returned to the client.

According to the server described in the embodiment of the present invention, the query interface is further adapted to:

If the query result indicates that the URL of the i-level page belongs to the blacklist database or does not belong to the whitelist database, and it is determined that any page from the initial page to the i-1 level page is a search page, the matching result is a risk warning message;

Or, if the query result shows that the URL of any page from the initial page to the i-1th level page belongs to the blacklist database or does not belong to the whitelist database, and it is judged that the i-th level page is a payment page, the matching result is a risk warning information.

The server according to the embodiment of the present invention also includes:

Search page URL database, suitable for saving search page URL list;

A payment page URL database, suitable for storing a list of payment page URLs;

The query interface determines that any page from the initial page to the i-1th level page is a search page by judging that the URL of any page from the initial page to the i-1th level page belongs to the preset search page URL list. and, determining that the i-th level page is a payment page by judging that the URL of the i-th level page belongs to a preset payment page URL list.

A system for processing webpage access behaviors according to an embodiment of the present invention includes the above-mentioned client and the above-mentioned server.

The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the contents of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings), as well as any method or method so disclosed, may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the client, the server, and the system for processing webpage access behaviors according to the embodiments of the present invention Some or all of the features of the component. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate any order. These words can be interpreted as names.

Claims (26)

1. A method for processing webpage access behavior, which is used to detect the i-th level page opened by the i-th level link of the initial page, and the access request of the i-level page is to click on the link on the i-1 level page or Triggered by other linking methods, i≥2; the method includes: The step of creating a refer chain, wherein, whenever the i-th level page is opened through the i-th level link of the initial page, the process responsible for maintaining the refer chain obtains the page ID and URL of the i-th level page and the page of the i-1 level page ID or URL, query the corresponding refer chain according to the page ID or URL of the i-1 level page, and create the corresponding node of the refer chain; After monitoring the access request of the i-level page, obtain a refer chain comprising the page ID of the i-level page, the refer chain comprising the page ID and URL of the initial page to the i-level page; Send all the URLs included in the refer chain to the server, so that the server can query whether all the URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then compare the query results with the preset Match the rules to get the matching result; The matching result returned by the server is received, and the access behavior of the i-th level page is processed according to the matching result. 2. The method according to claim 1, said matching the query result with the preset rule to obtain the matching result further comprises: If the query result indicates that the URL of the i-level page belongs to the blacklist database or does not belong to the whitelist database, and it is determined that any page from the initial page to the i-1 level page is a search page, the matching result is a risk warning message; Or, if the query result shows that the URL of any page from the initial page to the i-1th level page belongs to the blacklist database or does not belong to the whitelist database, and it is judged that the i-th level page is a payment page, the matching result is a risk warning information. 3. The method according to claim 2, said determining that any page from the initial page to the i-1th level page is a search page is specifically: judging any page from the initial page to the i-1th level page Whether the URL of the URL belongs to the preset search page URL list, if so, it is determined that any page from the initial page to the i-1th level page is a search page; The determining that the i-th level page is a payment page specifically includes: determining whether the URL of the i-th level page belongs to a preset payment page URL list, and if so, determining that the i-th level page is a payment page. 4. The method according to claim 2 or 3, if the matching result is risk warning information, then processing the access behavior of the i-th level page according to the matching result specifically comprises: according to the risk The prompt information reminds the user of the risk, and intercepts the access behavior of the i-level page according to the user's choice. 5. The method according to claim 1, wherein said sending all URLs included in the refer chain to the server specifically comprises: encrypting all URLs included in the refer chain into ciphertext and sending them to the server. 6. The method according to claim 1 or 2 or 3 or 5, the step of creating a refer chain further comprises: Level 1 node creation steps: After monitoring the access request of the initial page, generate the page ID of the initial page, obtain the URL of the initial page, create the first level node of the refer chain, and use the page ID and URL of the initial page as The information of the first level node is written into the refer chain; The i-level node creation step, i≥2: After monitoring the access request of the i-level page, generate the page ID of the i-level page, obtain the URL of the i-level page and the page ID of the i-1 level page or URL, the i-th level page is the page-level jump page of the i-1th level page; and, query the refer chain containing the page ID or URL of the i-1 level page, and create the i-th level of the refer chain A level node, using the page ID and URL of the i-th level page as the information of the i-th level node; Create nodes at all levels of the refer chain through the i-th level node creating step. 7. The method according to claim 6, after monitoring the access request of the initial page, obtaining the URL of the initial page is specifically: in the process of loading the initial page, obtaining the currently loaded initial page by specifying a response event interface the URL; After monitoring the access request of the i-level page, obtaining the URL of the i-level page specifically includes: during the process of loading the i-level page, obtaining the URL of the currently loaded i-level page through a designated response event interface. 8. The method according to claim 7, said acquiring the page ID of the i-1th level page further comprises: After monitoring the access request of the i-th level page, obtain the interface object pointer of the i-th level page, and write the interface object of the i-th level page according to the interface object pointer to the interface object of the i-th level page in the process of loading the i-1 level page The obtained page ID of the i-1th level page; In the process of loading the i-th level page, the page ID of the i-1 level page is obtained by reading the information provided by the interface object of the i-th level page. 9. The method according to claim 8, the step of obtaining the interface object pointer of the i-th level page comprises: capturing the function called by the browser to create a new window or new tab page, and using the return value of the function to obtain the i-th level page The interface object pointer of the level page. 10. The method according to claim 7, said obtaining the URL of the i-1th level page further comprising: After monitoring the access request of the i-level page and before loading the i-level page, obtain the URL of the i-1 level page through the get_locationURL interface provided by the browser. 11. The method according to claim 10, after the step of obtaining the page ID and URL of the i-1th level page through the get_locationURL interface provided by the browser, further comprising: Determine whether the opening of the i-level page is triggered by the input behavior of the browser address bar; If the judgment result is yes, clear the URL of the i-1th level page obtained through the get_locationURL interface provided by the browser, and process the i-th level page as the initial page; If the judgment result is no, execute the step of creating the i-th level node of the refer chain. 12. The method according to claim 6, after the i-th level node creation step, further comprising: at least one i-th level child node creation step, said at least one i-th level child node corresponding to the i-th level page At least one inter-page jump page: capture the function called during redirection processing, and obtain the URL of at least one inter-page jump page of the i-level page from the input parameters of the function called during redirection processing; and , query the refer chain containing the page ID of the i-th level page, create at least one i-th level child node of the refer chain, and combine the page ID of the i-th level page and at least one page of the i-th level page The URL of the inter-jump page is used as the information of at least one i-th child node. 13. A client, used to detect the i-th level page opened by the i-th level link of the initial page, the access request of the i-th level page is triggered by clicking on a link or other links on the i-1 level page, i≥2; the client includes: The refer chain creation module is suitable for whenever the i-level page is opened through the i-level link of the initial page, the process responsible for maintaining the refer chain obtains the page ID and URL of the i-level page and the page ID of the i-1 level page or URL, query the corresponding refer chain according to the page ID or URL of the i-1 level page, and create the corresponding node of the refer chain; The monitoring module is adapted to obtain a refer chain including the page ID of the i-level page after monitoring the access request of the i-level page, and the refer chain includes page IDs and URLs from the initial page to the i-level page; A query interface, adapted to send all the URLs included in the refer chain to the server, so that the server can query whether all the URLs included in the refer chain belong to the blacklist and/or whitelist database saved by the server, and then send matching the query result with a preset rule to obtain a matching result; and receiving the matching result returned by the server; The protection module is adapted to process the access behavior of the i-th level page according to the matching result. 14. The client according to claim 13, if the matching result received by the query interface is risk warning information, the protection module is further adapted to: remind the user of a risk according to the risk warning information, and according to the user's Choose to intercept the access behavior of the i-th level page. 15. The client according to claim 13, further comprising: an encryption module, adapted to encrypt all URLs included in the refer chain into ciphertext, and send them to the query interface, and the query interface encrypts the The ciphertext is sent to the server. 16. The client according to claim 13 or 14 or 15, the refer chain creation module further comprising: The first node creation unit is suitable for generating the page ID of the initial page after monitoring the access request of the initial page, obtaining the URL of the initial page, creating a first-level node of the refer chain, and combining the page ID and URL of the initial page Write the refer chain as the information of the first-level node; The second node creation unit, i≥2, is adapted to generate the page ID of the i-th level page after monitoring the access request of the i-th level page, and obtain the URL of the i-th level page and the page ID of the i-1th level page or URL, the i-th level page is the page-level jump page of the i-1th level page; The i-level node uses the page ID and URL of the i-level page as the information of the i-level node; The second node creation unit is adapted to create nodes at all levels of the refer chain. 17. The client of claim 16, The first node creation unit includes: The page ID generating unit of the initial page is adapted to generate the page ID of the initial page after monitoring the access request of the initial page; The URL acquisition unit of the initial page is adapted to obtain the URL of the currently loaded initial page by specifying a response event interface during the process of loading the initial page; The first node creation subunit is adapted to create a first-level node of the refer chain, and writes the page ID and URL of the initial page into the refer chain as information of the first-level node; The second node creation unit includes: The page ID generating unit of the i-level page is adapted to generate the page ID of the i-level page after monitoring the access request of the i-level page; The URL obtaining unit of the i-level page is adapted to obtain the URL of the currently loaded i-level page through a specified response event interface during the loading of the i-level page; The page ID or URL acquisition unit of the i-1th level page is adapted to obtain the page ID or URL of the i-1th level page after monitoring the access request of the i-th level page; The second node creates a subunit, which is suitable for querying the refer chain containing the page ID or URL of the i-1th level page, creating the i-level node of the refer chain, and using the page ID and URL of the i-th level page As the information of the i-th level node. 18. The client according to claim 17, the second node creation unit further comprising: a capturing unit adapted to acquire the interface object pointer of the i-th level page after monitoring the access request of the i-th level page; and , a writing unit, adapted to write the page ID of the i-1th level page acquired during the process of loading the i-1th level page to the interface object of the i-th level page according to the interface object pointer; The page ID or URL acquiring unit of the i-1th level page is specifically adapted to: in the process of loading the i-th level page, by reading the information provided by the interface object of the i-th level page, to obtain the i-1th level The page ID of the page. 19. The client according to claim 18, the capture unit is further adapted to: after monitoring the access request of the i-th level page, capture the function called by the browser to create a new window or a new tab page, utilize the function The return value of gets the interface object pointer of the i-th level page. 20. The client according to claim 17, the page ID or URL obtaining unit of the i-1th level page is further adapted to: after monitoring the access request of the i-th level page and before loading the i-th level page , obtain the URL of the page at level i-1 through the get_locationURL interface provided by the browser. 21. The client according to claim 20, the second node creation unit further comprising: The judging unit is suitable for judging whether the i-th level page is triggered by the input behavior of the browser address bar; The emptying unit is adapted to clear the page ID of the i-1th level page or the URL of the i-1th level page acquired by the URL acquisition unit when the judgment result of the judgment unit is yes, and trigger The first node creation unit processes the i-th level page as the initial page; If the judging result of the judging unit is negative, the judging unit triggers the second node creation subunit to create the i-th level node of the refer chain. 22. The client according to claim 16, the refer chain creation module further comprising: a second child node creation unit adapted to capture a function called during redirection processing, from the function called during redirection processing Obtain the URL of at least one inter-page jump page of the i-level page in the input parameter of the function; and query the refer chain containing the page ID of the i-level page, and create at least one i-level child node of the refer chain , using the page ID of the i-th level page and the URL of at least one inter-page jump page of the i-th level page as the information of at least one i-th level child node. 23. A server, used to detect the i-th level page opened by the i-th level link of the initial page, the access request of the i-th level page is triggered by clicking on a link or other links on the i-1 level page, i ≥2; said server includes: a blacklist and/or whitelist database adapted to save URLs belonging to the blacklist and/or whitelist; The query interface is adapted to receive all URLs contained in the refer chain sent by the client, query whether all the URLs contained in the refer chain belong to the blacklist and/or whitelist database, and then compare the query results with the preset rules Perform matching to obtain a matching result, and return the matching result to the client; Wherein, the refer chain is created in the following manner: whenever the i-th level page is opened through the i-th level link of the initial page, the process responsible for maintaining the refer chain obtains the page ID and URL of the i-th level page and the i-1 level The page ID or URL of the page, query the corresponding refer chain according to the page ID or URL of the i-1th level page, and create the corresponding node of the refer chain. 24. The server of claim 23, the query interface being further adapted to: If the query result indicates that the URL of the i-level page belongs to the blacklist database or does not belong to the whitelist database, and it is determined that any page from the initial page to the i-1 level page is a search page, the matching result is a risk warning message; Or, if the query result shows that the URL of any page from the initial page to the i-1th level page belongs to the blacklist database or does not belong to the whitelist database, and it is judged that the i-th level page is a payment page, the matching result is a risk warning information. 25. The server of claim 24, further comprising: Search page URL database, suitable for saving search page URL list; A payment page URL database, suitable for storing a list of payment page URLs; The query interface determines that any page from the initial page to the i-1th level page is a search page by judging that the URL of any page from the initial page to the i-1th level page belongs to the preset search page URL list. page; and, determining that the i-th level page is a payment page by judging that the URL of the i-th level page belongs to a preset payment page URL list. 26. A system for processing webpage access behaviors, comprising the client according to any one of claims 13-22 and the server according to any one of claims 23-25.