CN109150873A - Malicious domain name detection system and method based on PSO_SVM optimization algorithm

Info

Publication number: CN109150873A
Application number: CN201810933699.5A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: domain name, module, malice, machine learning, information
Inventors: 高岩, 保永武
Original Assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Current Assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application filed by: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Priority to: CN201810933699.5A
Publication of: CN109150873A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a malicious domain name detection system and method based on a PSO_SVM optimization algorithm, and relates to the field of information security. The system comprises a malicious domain name detection unit (10) and a machine learning training unit (20). The malicious domain name detection unit (10) comprises an information acquisition module for the domain name under test (11), a feature extraction module for the domain name under test (12) and a malicious domain name detection module (13), which interact in sequence. The machine learning training unit (20) comprises a domain name sample information acquisition module (21), a domain name sample feature extraction module (22) and a machine learning training module (23), which interact in sequence. The machine learning training module (23) and the malicious domain name detection module (13) interact in sequence. The invention offers: 1. availability; 2. scalability; 3. validity.

Description

Malicious domain name detection system and method based on PSO_SVM optimization algorithm
Technical field
The present invention relates to the field of information security, and in particular to a malicious domain name detection system and method based on a PSO_SVM optimization algorithm.
Background
With the rapid development of computer and Internet technology and the spread of information technology applications, the Internet has become the main tool and an important platform for communication and information sharing. According to statistics, by December 2017 the number of Internet users in China had reached 772 million, with 40,740,000 new users added over the year. Internet penetration was 55.8%, up 2.6 percentage points from the end of 2016. Personal Internet applications in China continue to develop rapidly, and the user base of every type of application is growing.
As the Internet has developed rapidly, Internet security problems have followed. In the virtual world of the Internet, a domain name is the equivalent of an identity card: it is the mark of a website's identity. Domain name management, however, is not strict enough. Registration is very simple, and a name can be registered directly with the relevant organization without close scrutiny. Domain name management organizations may process a registration without knowing how the domain will be used or why it is being registered, and so fail to screen out malicious users. As a result, malicious domain names such as phishing sites, pornographic sites, sites carrying illegal political speech and sites hosting malicious code emerge one after another and pose a serious threat to national security and to the property of enterprises and individuals. According to statistics, a total of 80,110,000 malicious domain names were intercepted worldwide in 2017, of which 42,750,000 were trojan-hosting sites and 37,350,000 were fraud sites. The United States had the most, with 26,840,000 malicious domain names, followed by China with 13,500,000. China's count of malicious domain names is second only to that of the United States, and the security situation gives no cause for optimism.
In the prior art, machine learning is generally trained on the structural features of domain names, and the trained model is then used to detect malicious domain names; the model usually classifies domain names with the PSO_SVM algorithm. However, detecting domain names by their structural features alone is not comprehensive, and the traditional PSO_SVM algorithm is not accurate at classifying malicious domain names. Detecting malicious domain names using only structural features and a machine learning model trained with the PSO_SVM algorithm is therefore imperfect.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a malicious domain name detection system and method based on a PSO_SVM optimization algorithm that improve the accuracy of malicious domain name detection and the performance of the machine learning training module.
The technical solution that achieves the object of the invention is as follows:
The invention builds on malicious domain name detection technology and performs lexical analysis of the domain name. It analyzes not only the length of the domain name and the proportion of letters and digits, but also adds the degree of similarity between domain names to the feature vector, and adds the domain name's WHOIS data (completeness of the WHOIS information, history of modification times and counts, and so on) to the feature vector set, yielding a more comprehensive feature vector set.
In the machine learning training module, malicious domain names are classified with the traditional approach of using the particle swarm algorithm to optimize the parameters of the support vector machine algorithm; on that basis the invention optimizes the inertia weight of the particle swarm algorithm, which improves the algorithm's performance.
One, malicious domain name detection system based on the PSO_SVM optimization algorithm (hereinafter "the system")
The system comprises a malicious domain name detection unit and a machine learning training unit;
The malicious domain name detection unit comprises an information acquisition module for the domain name under test, a feature extraction module for the domain name under test and a malicious domain name detection module, which interact in sequence;
The machine learning training unit comprises a domain name sample information acquisition module, a domain name sample feature extraction module and a machine learning training module, which interact in sequence;
The machine learning training module and the malicious domain name detection module interact in sequence.
Two, malicious domain name detection method based on the PSO_SVM optimization algorithm (hereinafter "the method")
The method studies whether the system, after machine learning training, can accurately distinguish whether a domain name under test is malicious; the method trains the machine learning used for malicious domain name detection with the optimized PSO_SVM algorithm.
The method includes the following steps:
1. After training, the optimized machine learning training module distinguishes malicious domain names relatively accurately:
The machine learning training module trains on the samples with the optimized PSO_SVM algorithm. The features of each sample domain name are input into the machine learning training module, mainly including the sample domain name WHOIS information, domain name resolution features, domain name lexical features, domain name resolution features and domain name WHOIS information features. Machine learning is trained on these features, and after repeated training the machine learning training module can distinguish relatively accurately whether a domain name is malicious;
2. The information features of the domain name to be detected are collected as a vector set, used to judge whether the domain name is malicious:
In the malicious domain name detection module, information is collected for the domain name to be detected, including its resolution information and WHOIS information; the feature information of the domain name under test is collected, including its lexical features, resolution features and WHOIS information features, and the resulting vector set is input into the malicious domain name detection module that has undergone machine learning training for detection;
3. Malicious domain name detection based on machine learning:
The domain name to be detected is checked by the malicious domain name detection module after machine learning training, which identifies whether it is a malicious domain name.
The present invention has the following advantages and positive effects:
1. Feasibility: after machine learning training on a large number of domain names from blacklists and whitelists, the system can effectively tell whether a domain name under test is malicious, preventing malicious domain names from threatening users;
2. Scalability: the machine learning training samples of the invention come mainly from malicious domain names counted in 2017; the most recent malicious domain names can be collected and added to the machine learning training module for training, which improves the accuracy of malicious domain name identification;
3. Validity: the random forest algorithm, the PSO_SVM algorithm and the improved PSO_SVM algorithm were tested and compared in the machine learning training module of the invention. All three methods can distinguish malicious domain names, and the optimized PSO_SVM has the higher precision and recall and the lower false alarm rate, so the invention identifies malicious domain names more effectively.
Brief description of the drawings
Fig. 1 is the structural block diagram of the system;
Fig. 2 is the flow chart of the particle swarm optimization algorithm;
Fig. 3 is the flow chart of the particle swarm optimization algorithm after optimization.
In the figures:
10 - malicious domain name detection unit,
11 - information acquisition module for the domain name under test,
12 - feature extraction module for the domain name under test,
13 - malicious domain name detection module;
20 - machine learning training unit,
21 - domain name sample information acquisition module,
22 - domain name sample feature extraction module,
23 - machine learning training module.
Abbreviations:
1, WHOIS: a transport protocol used to query information such as a domain name's IP address and owner, and an indispensable information service in the current domain name system. When browsing a domain name, many users want to learn more about the domain name and its name servers, and WHOIS is used for this. Domain name registration service providers (registrars) also often use WHOIS to confirm that domain name data have been correctly registered with the domain name registry. Intuitively, WHOIS is a search engine linked to the domain name database, and in general it is one of the name services provided and maintained by the Network Information Center (NIC).
2, SVM: support vector machine, a common discrimination method. In the field of machine learning it is a supervised learning model, commonly used for pattern recognition, classification and regression analysis.
3, PSO: particle swarm optimization, a population-based stochastic optimization technique proposed by Eberhart and Kennedy in 1995. The particle swarm algorithm imitates the collective behaviour of insects, herds, flocks of birds and shoals of fish: these groups search for food cooperatively, and each member of the group keeps changing its search pattern by learning from its own experience and from the experience of other members.
Detailed description of embodiments
The invention is described in detail below with reference to the drawings and embodiments:
One, system
1, overall
As shown in Fig. 1, the system comprises a malicious domain name detection unit 10 and a machine learning training unit 20;
The malicious domain name detection unit 10 comprises an information acquisition module for the domain name under test 11, a feature extraction module for the domain name under test 12 and a malicious domain name detection module 13, which interact in sequence;
The machine learning training unit 20 comprises a domain name sample information acquisition module 21, a domain name sample feature extraction module 22 and a machine learning training module 23, which interact in sequence;
The machine learning training module 23 and the malicious domain name detection module 13 interact in sequence.
2, functional modules
1) information acquisition module for the domain name under test 11
Module 11 acquires the domain name's information by crawling it through the WHOIS interface and by collecting its resolution information, and stores the crawled information, by category, under a folder for that domain name, to be read during subsequent detection.
Through this module one can query the domain name's registration time, expiration time, registrant, IP address, location, detection time and the other network attributes needed for subsequent detection. The resolution information collected is mainly the domain name's TTL value, A record (IPv4 address), canonical name (CNAME) and PTR reverse record (resolving an IP address back to a domain name); the data are saved for the subsequent malicious domain name judgment.
2) feature extraction module for the domain name under test 12
Module 12 extracts the features of the domain name under test after its information has been acquired.
This module covers mainly the domain name's lexical features, resolution features and WHOIS features. The lexical features include the domain name length, the proportion of the overall length taken up by digits, the maximum length between separators in the domain name, whether the domain name contains special characters, the edit distance to legitimate domain names, and the information entropy of the domain name. The resolution features include the number of IP addresses corresponding to the domain name, the TTL mean, the TTL variance and the TTL maximum. The WHOIS features include the completeness of the WHOIS information, the update frequency of the domain name's IP, and the yearly update frequency of the domain name's WHOIS information. The feature information obtained is used as a feature vector and converted into a data file that the machine learning training module can use.
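The feature list above, worked as an added example that is not part of the patent text: a Python sketch that turns one domain's name, DNS answers and WHOIS record into the feature vector described. The whitelist, the WHOIS field names, the definition of "special character" and all sample inputs are assumptions constructed for illustration.

```python
import math
from collections import Counter
from datetime import date
from statistics import mean, pvariance

# Assumptions for illustration: whitelist, WHOIS field names, "plain" characters.
LEGIT_DOMAINS = ["google.com", "paypal.com", "microsoft.com"]
WHOIS_FIELDS = ("registrar", "registrant", "created", "expires", "name_servers")
PLAIN_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.")

# Constructed sample inputs (documentation address ranges, made-up dates).
SAMPLE_ANSWERS = [("203.0.113.10", 60), ("203.0.113.11", 60), ("198.51.100.7", 300)]
SAMPLE_WHOIS = {"registrar": "Example Registrar", "registrant": "",
                "created": date(2016, 1, 1), "expires": date(2019, 1, 1),
                "name_servers": []}
SAMPLE_FIRST_SEEN, SAMPLE_TODAY = date(2016, 1, 1), date(2018, 1, 1)
SAMPLE_WHOIS_CHANGES = [date(2016, 3, 1), date(2016, 9, 1),
                        date(2017, 2, 1), date(2017, 11, 1)]
SAMPLE_IP_CHANGES = [date(2017, 6, 1), date(2017, 12, 1)]


def shannon_entropy(text):
    """Information entropy of the character distribution, in bits."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lexical_features(domain):
    name = domain.lower().rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    return {
        "length": len(name),
        "digit_ratio": sum(ch.isdigit() for ch in name) / len(name),
        "max_label_len": max(len(label) for label in name.split(".")),
        "has_special": any(ch not in PLAIN_CHARS for ch in name),
        "min_edit_distance": min(edit_distance(name, good) for good in LEGIT_DOMAINS),
        "entropy": shannon_entropy(name),
    }


def resolution_features(answers):
    """answers: (ip, ttl) pairs gathered from repeated A-record lookups."""
    ttls = [ttl for _, ttl in answers]
    return {
        "ip_count": len({ip for ip, _ in answers}),
        "ttl_mean": mean(ttls),
        "ttl_variance": pvariance(ttls),
        "ttl_max": max(ttls),
    }


def per_year(change_dates, first_seen, today):
    """Observed changes divided by the observation window in years."""
    years = max((today - first_seen).days, 1) / 365.25
    return len(change_dates) / years


def whois_features(record, whois_changes, ip_changes, first_seen, today):
    filled = sum(1 for field in WHOIS_FIELDS if record.get(field))
    return {
        "whois_completeness": filled / len(WHOIS_FIELDS),
        "ip_updates_per_year": per_year(ip_changes, first_seen, today),
        "whois_updates_per_year": per_year(whois_changes, first_seen, today),
    }


def feature_vector(domain, answers, record, whois_changes, ip_changes, first_seen, today):
    """Fixed-order numeric vector: 6 lexical, 4 resolution, 3 WHOIS features."""
    merged = {**lexical_features(domain), **resolution_features(answers),
              **whois_features(record, whois_changes, ip_changes, first_seen, today)}
    return [float(value) for value in merged.values()]
```

For the constructed name `paypa1-login.com` the edit distance to the whitelist entry `paypal.com` is 6, which is the kind of lookalike signal the similarity feature is meant to capture.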
3) malicious domain name detection module 13
The domain name information and domain name features collected above are input into the trained malicious domain name detection module 13 to obtain the detection result for the domain name under test.
4) domain name sample information acquisition module 21
This module collects information on a large number of sample domain names. The types of data collected are the same as those of the information acquisition module for the domain name under test 11, and the data are input into the machine learning training module 23 for classification training.
5) domain name sample feature extraction module 22
The domain name sample feature extraction module 22 extracts features from the sample domain names. The types of feature data extracted are the same as those of the feature extraction module for the domain name under test 12, and the data are input into the machine learning training module 23 for classification training.
6) machine learning training module 23
After the required domain name feature data have been extracted, the machine learning training module 23 uses the optimized PSO_SVM (support vector machine algorithm optimized by particle swarm) to perform domain name detection.
SVM (support vector machine) is built on statistical theory and, following the principle of structural risk minimization, solves machine learning problems by training on the sample set in an optimal way. Its basic principle is to map the input set, by a nonlinear transformation, into a multidimensional space and find there an optimal separating hyperplane (the optimal hyperplane) that reasonably divides the set into two parts; the nonlinear transformation is realized by a kernel function. Within the SVM algorithm, the invention optimizes mainly the radial basis kernel function and the penalty factor, where the penalty factor trades off the proportion of misclassified samples against the complexity of the algorithm.
The values chosen for the radial basis kernel function and the penalty factor determine the accuracy and efficiency of the machine learning algorithm, so PSO (particle swarm optimization) is introduced to optimize the parameters of the support vector machine algorithm and obtain a more efficient and accurate result.
PSO is a swarm-based optimization algorithm. Each particle has its own velocity and position: the velocity gives the direction and distance the particle moves, and the position gives its coordinates in the space. In general, v_i denotes the velocity of the i-th particle in its current state, x_i the position of the i-th particle in its current state, pBest_i the best position the i-th particle has found so far, and gBest the best position of the whole population. In its initial stage the particle swarm algorithm randomly initializes the velocity and position of every particle, then iteratively updates the particles' velocities and positions while recording pBest_i and gBest, and so obtains the optimal solution. The algorithm is as follows:
$$v_i = v_{i-1} + c_1 \cdot \mathrm{rand} \cdot (pBest_i - x_{i-1}) + c_2 \cdot \mathrm{Rand} \cdot (gBest - x_{i-1})$$
$$x_i = x_{i-1} + v_i$$
where rand and Rand are random numbers in [0, 1]; c_1 and c_2 are learning factors and are positive constants; i denotes the number of the current iteration. The parameter optimization process by which the optimal solution is obtained is shown in Fig. 3.
However, this kind of particle swarm algorithm converges very quickly and easily ends at a local optimum, which makes the detection result inaccurate. The invention proposes adding an inertia weight w to optimize the particle swarm algorithm. The formula is as follows:
$$v_i = w \cdot v_{i-1} + c_1 \cdot \mathrm{rand} \cdot (pBest_i - x_{i-1}) + c_2 \cdot \mathrm{Rand} \cdot (gBest - x_{i-1})$$
The larger w is, the stronger the algorithm's global search ability and the weaker its local search ability; the smaller w is, the stronger the local search ability and the weaker the global search ability. In the invention, if the value of gBest has not changed after n iterations of the particle swarm algorithm, local search is considered to have the higher priority at that point; if the value of gBest has changed in every one of n consecutive iterations, global search is considered to have the higher priority. The value of w is chosen as follows:
If the value of gBest has changed in each of n consecutive iterations and w is less than the maximum value of w, increase w;
If the value of gBest has changed in each of n consecutive iterations and w is equal to the maximum value of w, increase w;
If gBest has not been updated in n consecutive iterations and w is greater than the minimum value of w, decrease w;
If gBest has not been updated in n consecutive iterations and w is less than the minimum value of w, decrease w;
Using the global and local search of the optimized particle swarm algorithm, the method finds the optimal solution automatically and quickly, so that the parameters of the support vector machine algorithm, the radial basis kernel function and the penalty factor, take their optimal values; the flow is shown in Fig. 3.
(1) The two parameters of the support vector machine, the radial basis kernel function and the penalty factor, are taken as the particles in the search space of the particle swarm algorithm. The velocity and position of the particles are initialized, and the population size, the maximum number of iterations imax and the number of iterations n required before the inertia weight is changed are set.
(2) The fitness value of each particle is calculated; the optimal solution of each particle is recorded as pBest_i and the optimal solution of the population as gBest.
(3) During the calculation, the value of the inertia weight is changed according to the configured value of n, and the values of pBest_i and gBest are updated.
(4) The current iteration count i is then increased by 1 and compared with the configured maximum number of iterations imax. If i+1 < imax, the process returns to step (2); if the iteration count has reached imax, the algorithm terminates and the current solution is the optimal solution.
Finally, by training on a large number of domain name samples, the machine learning module improves the accuracy of malicious domain name detection.
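The dynamic inertia weight search described above, as an added example that is not the patent's own code: a standard-library Python PSO over (log2 C, log2 gamma) in which w rises after n consecutive gBest changes and falls after n consecutive iterations without one. The fitness function is a constructed stand-in for SVM cross-validation accuracy, and the step size, the search bounds, the velocity limit and the clamping of w to [w_min, w_max] are assumptions.

```python
import random

# Assumed search box for (log2 C, log2 gamma); not taken from the patent.
BOUNDS = [(-5.0, 15.0), (-15.0, 3.0)]


def adjust_inertia(w, changed_streak, stalled_streak, n,
                   w_min=0.4, w_max=0.9, step=0.05):
    """Raise w after n consecutive gBest changes, lower it after n stalls.

    Assumption: w is held inside [w_min, w_max].
    """
    if changed_streak >= n:
        return min(w + step, w_max)
    if stalled_streak >= n:
        return max(w - step, w_min)
    return w


def surrogate_fitness(position):
    """Constructed stand-in for cross-validated SVM accuracy.

    Peaks at log2 C = 3, log2 gamma = -5; a real run would train an RBF SVM
    with C = 2**position[0], gamma = 2**position[1] and return its accuracy.
    """
    log_c, log_gamma = position
    return 1.0 - 0.01 * ((log_c - 3.0) ** 2 + (log_gamma + 5.0) ** 2)


def pso(fitness, bounds, particles=20, i_max=100, n=3, c1=1.5, c2=1.5, seed=1):
    rng = random.Random(seed)
    v_max = [0.2 * (hi - lo) for lo, hi in bounds]          # assumed velocity limit
    xs = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(particles)]
    vs = [[rng.uniform(-vm, vm) for vm in v_max] for _ in range(particles)]
    p_best = [x[:] for x in xs]
    p_fit = [fitness(x) for x in xs]
    lead = max(range(particles), key=p_fit.__getitem__)
    g_best, g_fit = p_best[lead][:], p_fit[lead]
    w, changed, stalled, w_trace = 0.7, 0, 0, []

    for _ in range(i_max):
        improved = False
        for k in range(particles):
            for d, (lo, hi) in enumerate(bounds):
                # v_i = w*v_{i-1} + c1*rand*(pBest_i - x) + c2*Rand*(gBest - x)
                v = (w * vs[k][d]
                     + c1 * rng.random() * (p_best[k][d] - xs[k][d])
                     + c2 * rng.random() * (g_best[d] - xs[k][d]))
                vs[k][d] = max(-v_max[d], min(v_max[d], v))
                xs[k][d] = max(lo, min(hi, xs[k][d] + vs[k][d]))
            score = fitness(xs[k])
            if score > p_fit[k]:
                p_best[k], p_fit[k] = xs[k][:], score
            if score > g_fit:
                g_best, g_fit, improved = xs[k][:], score, True
        # Track how long gBest has been changing or standing still.
        changed, stalled = (changed + 1, 0) if improved else (0, stalled + 1)
        new_w = adjust_inertia(w, changed, stalled, n)
        if new_w != w:              # each adjustment needs a fresh run of n iterations
            changed = stalled = 0
        w = new_w
        w_trace.append(w)
    return g_best, g_fit, w_trace
```

The returned position converts to SVM parameters as `C = 2 ** g_best[0]` and `gamma = 2 ** g_best[1]`, and `w_trace` shows how the inertia weight moved between exploration and refinement over the run.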
3, working mechanism of the system:
The system works in a preparation stage and an implementation stage:
In the preparation stage, information and features are collected for a large number of domain name samples and the collected data are input into the machine learning training module 23, where the optimized PSO_SVM classification algorithm classifies the samples; after extensive training, the machine learning training module 23 can tell malicious domain names apart efficiently;
In the implementation stage, once the domain name to be detected has been obtained, its information and feature data are collected and input into the malicious domain name detection module 13, which yields the detection result for that domain name.
Two, method
1, traditional PSO_SVM algorithm
As shown in Fig. 2, the workflow of the traditional PSO_SVM algorithm is:
a. Randomly initialize the particle positions and velocities in the population (201);
b. Calculate the fitness value of each particle (202);
c. Determine whether the individual/population optimum point is within the domain (203);
if so, go to step d, otherwise jump to step e;
d. Replace the optimum point (204);
e. Determine whether the termination condition is met (205);
if so, go to step f; otherwise optimize the particle velocity (207), optimize the particle position (208) and generate a new generation of particles (209) in turn, then jump to step b;
f. The process ends (206).
2, workflow of the PSO_SVM algorithm of the invention
As shown in Fig. 3, the workflow of this PSO_SVM algorithm is:
A. Start the algorithm (301);
B. Initialize the particle velocities and positions (302);
C. Calculate the particle fitness (303);
D. Adjust the value of the parameter w. w is the inertia weight, which determines the global search ability of the algorithm; here w is not chosen linearly, but its optimal value is chosen dynamically (304);
E. Update the positions and velocities of the particles (305);
F. Increase the particle iteration count by one (306);
G. Determine whether the iteration count is less than the maximum number of iterations of the particles (307);
if so, jump to step C, otherwise go to step H;
H. End (308).
Using the global and local search of the improved particle swarm algorithm, this algorithm finds the optimal solution automatically and quickly. The optimal solution found, that is, the optimal position of the particles, is substituted directly into the support vector machine algorithm, which gives the optimized support vector machine algorithm.
Three, application
In the verification test of the system, 5000 whitelist samples and 5000 malicious domain name samples were selected and divided into 5 groups; each group, containing 1000 whitelist samples and 1000 malicious domain name samples, was used as a training set for the machine learning method. After training, 500 samples each were drawn from the whitelist samples and the malicious domain name samples for detection. The experimental results, compared with a malicious domain name detection method based on the random forest algorithm, are as follows:

Algorithm        Recall rate    Precision    False alarm rate
Random forest    92.56%         92.86%       8.67%
PSO_SVM          98.13%         98.57%       1.44%

Here the recall rate is the proportion of the malicious domain name samples that are detected as malicious; the precision is the proportion of the domain names detected as malicious that are truly malicious; and the false alarm rate is the proportion of the malicious domain name samples that are mistaken for non-malicious domain names.
The verification test results show that the malicious domain name detection method based on the PSO_SVM optimization algorithm detects malicious domain names effectively and accurately; the invention can be used for batch detection of malicious domain names.

Claims (4)

1. A malicious domain name detection system based on a PSO_SVM optimization algorithm, characterized in that:
it comprises a malicious domain name detection unit (10) and a machine learning training unit (20);
the malicious domain name detection unit (10) comprises an information acquisition module for the domain name under test (11), a feature extraction module for the domain name under test (12) and a malicious domain name detection module (13), which interact in sequence;
the machine learning training unit (20) comprises a domain name sample information acquisition module (21), a domain name sample feature extraction module (22) and a machine learning training module (23), which interact in sequence;
the machine learning training module (23) and the malicious domain name detection module (13) interact in sequence.
2. The malicious domain name detection system according to claim 1, characterized in that:
the information acquisition module for the domain name under test (11) acquires the domain name's information by crawling it through the WHOIS interface and by collecting its resolution information, and stores the crawled information, by category, under a folder for that domain name, to be read during subsequent detection;
the feature extraction module for the domain name under test (12) extracts the features of the domain name under test after its information has been acquired;
the malicious domain name detection module (13) takes the domain name information and domain name features collected above as input to the trained malicious domain name detection module (13) and obtains the detection result for the domain name under test;
the domain name sample information acquisition module (21) collects information on a large number of sample domain names, where the sample domain names must include both normal and malicious domain names, and inputs it into the machine learning module for classification training;
the domain name sample feature extraction module (22) extracts features from the sample domain names and inputs them into the machine learning module for classification training;
the machine learning training module (23), after the required domain name feature data have been extracted, uses the optimized PSO_SVM to perform domain name detection.
3. A malicious domain name detection method based on the malicious domain name detection system of claims 1-2, characterized in that:
1. After training, the optimized machine learning training module distinguishes malicious domain names more accurately:
the machine learning training module trains on the samples with the optimized PSO_SVM algorithm; the features of each sample domain name are input into the machine learning training module, mainly including the sample domain name WHOIS information, domain name resolution features, domain name lexical features, domain name resolution features and domain name WHOIS information features; machine learning is trained on these features, and after repeated training the machine learning module can distinguish more accurately whether a domain name is malicious;
2. The information features of the domain name to be detected are collected as a vector set, used to judge whether the domain name is malicious:
in the malicious domain name detection unit, information is collected for the domain name to be detected, including its resolution information and WHOIS information; the feature information of the domain name under test is collected, including its lexical features, resolution features and WHOIS information features, and the resulting vector set is input into the detection module that has undergone machine learning training for detection;
3. Malicious domain name detection based on machine learning:
the domain name to be detected is checked by the detection module after machine learning training, which identifies whether it is a malicious domain name.
4. The malicious domain name detection method according to claim 3, characterized in that:
In step 1, the workflow of the PSO_SVM algorithm of the machine learning training module is:
A. Start the algorithm (301);
B. Initialize the particle velocities and positions (302);
C. Calculate the particle fitness (303);
D. Adjust the value of the parameter w, the inertia weight, which determines the algorithm's global search capability; here w is not chosen in advance but its optimal value is selected dynamically (304);
E. Update the positions and velocities of the particles (305);
F. Increment the particle iteration count by one (306);
G. Judge whether the iteration count is less than the maximum number of iterations for the particles (307): if so, jump to step C; otherwise go to step H;
H. End (308).
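A runnable sketch of steps B to H, added here as an illustration and not taken from the patent. It assumes each particle encodes (log2 C, log2 gamma) of an RBF SVM, that fitness is the hinge loss on a validation set, and that w follows a fitness-based adaptive rule; the claim fixes none of these, and the sample labels, the small SVM trainer and all function names are constructed for the example.

```python
import math, random
# Constructed labels under the reserved .example TLD: +1 = malicious-looking, -1 = benign.
TRAIN = [("mail", -1), ("shop", -1), ("news", -1), ("portal", -1),
         ("x7f3k9q2zp1v", 1), ("qz8w1n5j0r4t", 1), ("a9b8c7d6e5f4", 1), ("k2j4h6g8f0d1", 1)]
VALID = [("docs", -1), ("forum", -1), ("p0o9i8u7y6t5", 1), ("m3n4b5v6c7x8", 1)]

def features(s):  # lexical only: scaled length, digit ratio, scaled character entropy
    ent = -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
    return [len(s) / 20, sum(c.isdigit() for c in s) / len(s), ent / 4]

def rbf(a, b, gamma):
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

def train(data, C, gamma, epochs=30):  # bias-free RBF SVM, coordinate ascent on the dual
    X, y, alpha = [features(d) for d, _ in data], [t for _, t in data], [0.0] * len(data)
    for _ in range(epochs):
        for i in range(len(X)):
            f = sum(a * t * rbf(x, X[i], gamma) for a, t, x in zip(alpha, y, X))
            alpha[i] = min(C, max(0.0, alpha[i] + 1 - y[i] * f))  # exact step: K(x, x) = 1
    return lambda d: sum(a * t * rbf(x, features(d), gamma) for a, t, x in zip(alpha, y, X))

def fitness(pos):  # mean hinge loss on VALID at (log2 C, log2 gamma); lower is better
    score = train(TRAIN, 2 ** pos[0], 2 ** pos[1])
    return sum(max(0.0, 1 - t * score(d)) for d, t in VALID) / len(VALID)

def inertia(f, f_min, f_avg, w_min=0.4, w_max=0.9):  # assumed adaptive rule for step D
    if f > f_avg or f_avg == f_min:
        return w_max                      # worse than average (or all equal): keep exploring
    return w_min + (w_max - w_min) * (f - f_min) / (f_avg - f_min)

def pso_svm(n=6, max_iter=10, lo=-5.0, hi=5.0, c1=2.0, c2=2.0, seed=1):
    rng = random.Random(seed)
    pos = [[rng.uniform(lo, hi), rng.uniform(lo, hi)] for _ in range(n)]    # step B
    vel = [[0.0, 0.0] for _ in range(n)]
    fit = [fitness(p) for p in pos]                                         # step C
    pbest, pfit, history = [p[:] for p in pos], fit[:], [min(fit)]
    for _ in range(max_iter):                                               # steps F, G
        g, f_min, f_avg = pbest[pfit.index(min(pfit))], min(fit), sum(fit) / n
        for i in range(n):
            w = inertia(fit[i], f_min, f_avg)                               # step D
            for d in range(2):                                              # step E
                vel[i][d] = (w * vel[i][d] + c1 * rng.random() * (pbest[i][d] - pos[i][d])
                             + c2 * rng.random() * (g[d] - pos[i][d]))
                pos[i][d] = min(hi, max(lo, pos[i][d] + vel[i][d]))
            fit[i] = fitness(pos[i])                                        # step C
            if fit[i] < pfit[i]:
                pbest[i], pfit[i] = pos[i][:], fit[i]
        history.append(min(pfit))
    return pbest[pfit.index(min(pfit))], min(pfit), history                 # step H
```

`pso_svm()` returns the best (log2 C, log2 gamma) found, its fitness, and the best-so-far fitness per iteration, which never increases.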
CN201810933699.5A 2018-08-16 2018-08-16 Malice domain name detection system and method based on PSO_SVM optimization algorithm Withdrawn CN109150873A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810933699.5A CN109150873A (en) 2018-08-16 2018-08-16 Malice domain name detection system and method based on PSO_SVM optimization algorithm

Publications (1)

Publication Number Publication Date
CN109150873A (en) 2019-01-04

Family

ID=64789629

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20190104
