CN110247916A - Malice domain name detection method - Google Patents

Malice domain name detection method Download PDF

Info

Publication number
CN110247916A
CN110247916A CN201910536431.2A CN201910536431A CN110247916A CN 110247916 A CN110247916 A CN 110247916A CN 201910536431 A CN201910536431 A CN 201910536431A CN 110247916 A CN110247916 A CN 110247916A
Authority
CN
China
Prior art keywords
domain name
detected
page
detection
malice
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910536431.2A
Other languages
Chinese (zh)
Other versions
CN110247916B (en
Inventor
常清雪
周玉廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Changhong Electric Co Ltd filed Critical Sichuan Changhong Electric Co Ltd
Priority to CN201910536431.2A priority Critical patent/CN110247916B/en
Publication of CN110247916A publication Critical patent/CN110247916A/en
Application granted granted Critical
Publication of CN110247916B publication Critical patent/CN110247916B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The present invention relates to information security technology, solve the problems, such as that existing malice domain name detection method detection efficiency is lower, accuracy is lower.Technical solution summarize are as follows: the present invention first judge domain name to be detected whether there is in black and white lists, for the domain name to be detected being not present in black and white lists, Classification and Identification is carried out by k nearest neighbor algorithm again and goes out malice domain name, the non-malicious domain name identified for k nearest neighbor algorithm, again its risk is analyzed by one or more detection means, and identify malice domain name in conjunction with risk scoring.Beneficial effect is: the sequential combination that the present invention is detected by black and white lists, k nearest neighbor detection of attribute and risk score detect forms the multistage detection mode of a set of malice domain name, not only increases accuracy in detection, and detection efficiency is higher.

Description

Malice domain name detection method
Technical field
The present invention relates to information security technologies, in particular to domain name detection technique.
Background technique
With the popularity of the internet, net crime event occurs again and again, seriously compromises country, enterprises and individuals' benefit Benefit.During phishing, attacker accesses malice using fraudulent Email, SMS etc., induction user Domain name, Lai Jinhang network fraud, user's exposure individual privacy after accessing these malice domain names, or even one is caused to user Fixed economic loss.In the prior art, the detection method of malice domain name is generally based on and threatens information bank, manual analysis algorithm It is single to the determination method of malice domain name Deng being identified to malice domain name, it is not accurate enough, and existing method is facing quantity It is huge, go fishing means multiplicity malice domain name when, detection efficiency is lower.
Summary of the invention
The present invention is to solve the problems, such as that existing malice domain name detection method detection efficiency is lower, accuracy is lower, provides one Kind malice domain name detection method.
To solve the above problems, the technical solution adopted by the present invention is that:
Malice domain name detection method, comprising the following steps:
Step 1: judging that domain name to be detected whether there is in blacklist or white list, if it exists in blacklist, then sentence Fixed domain name to be detected is that malice domain name then determines domain name to be detected for legitimate domain name, if being both not present if it exists in white list It is also not present in thening follow the steps two in blacklist in white list;
Classify Step 2: treating detection domain name using the k nearest neighbor attributed graph constructed in advance, if classification results are fishing Website then determines that domain name to be detected for malice domain name, otherwise executes step 3;
Step 3: being detected by the risk that at least one detection mode treats detection domain name, and calculate separately out The dangerous values of domain name to be detected, calculate to be checked in conjunction with the dangerous values that all detection modes are calculated under each detection mode Total dangerous values of domain name are surveyed, if total dangerous values of domain name to be detected are greater than or equal to preset danger threshold, are determined to be detected Domain name is malice domain name, otherwise determines domain name to be detected for legitimate domain name.
As advanced optimizing, the building method of the k nearest neighbor attributed graph is used: based on semi-supervised learning algorithm to default Marked fishing link sample and unlabelled fishing link sample carry out semi-supervised learning, according to learning outcome construction K Neighbour's attributed graph.
Specifically, the content that the marked fishing link sample is marked includes: link source characteristics and/or link Text feature and/or link behavioural characteristic.
As advanced optimizing, the detection mode in the step 3 includes: to obtain domain name to be detected by IP prestige library The parameter information of at least one dimension of corresponding IP, and domain name to be detected is analyzed according to the parameter information of each dimension respectively Corresponding IP is calculated further according to IP corresponding to domain name to be detected in the credit value of each dimension in the credit value of each dimension Total credit value of IP corresponding to domain name to be detected, further according to IP corresponding to domain name to be detected total credit value be calculated it is to be detected The dangerous values of domain name.
Specifically, the dimension include true man's probability and/or office probability and/or base station probability and/or liveness and/or Credit stain and/or number of users and/or residential quarters probability and/or domain name registration information.
Specifically, the IP according to corresponding to domain name to be detected is in the credit value of each dimension and the power of preset each dimension Value, obtains total credit value of IP corresponding to domain name to be detected using calculated with weighted average method.
As advanced optimizing, the detection mode in the step 3 includes: to extract webpage corresponding to domain name to be detected Page visual signature, then by the page visual signature extracted and the page visual signature of fishing website prestored or prestore Legitimate site page visual signature carry out visual similarity comparison, obtain webpage corresponding to domain name to be detected and Fishing net Domain name to be detected is calculated further according to vision similarity in vision similarity between the page of the page or legitimate site stood Dangerous values.
Specifically, the page visual signature of webpage corresponding to the domain name to be detected include: page block grade feature and/or Page layout feature and/or page style and features;The page visual signature of the fishing website include: page block grade feature and/ Or page layout feature and/or page style and features;The page visual signature of the legitimate site includes: page block grade feature And/or page layout feature and/or page style and features.
As advanced optimizing, according to the dangerous values of domain name to be detected under each detection mode and in advance in the step 3 If each detection mode weight, total dangerous values of domain name to be detected are obtained using calculated with weighted average method.
Beneficial effect is: the present invention first judges that domain name to be detected whether there is with black and white lists, and detection mode is simply high Effect, accuracy is high, classifies for the domain name to be detected being not present in black and white lists, then by k nearest neighbor algorithm, classifier It does not need to be trained using training set, training time complexity is 0, can more efficiently identify out malice domain name, right Its risk is analyzed in the non-malicious domain name that k nearest neighbor algorithm identifies, then by one or more detection means, and is combined dangerous Property scoring identify malice domain name, improve the accuracy rate of malice domain name detection.The present invention by black and white lists detect, The sequential combination of k nearest neighbor detection of attribute and risk score detection, forms the multistage detection mode of a set of malice domain name, not only mentions High accuracy in detection, and detection efficiency is higher.
Specific embodiment
Below with reference to embodiment, technical solution of the present invention is further illustrated.
The technical scheme is that malice domain name detection method, comprising the following steps:
Step 1: judging that domain name to be detected whether there is in blacklist or white list, if it exists in blacklist, then sentence Fixed domain name to be detected is that malice domain name then determines domain name to be detected for legitimate domain name, if being both not present if it exists in white list It is also not present in thening follow the steps two in blacklist in white list;
Classify Step 2: treating detection domain name using the k nearest neighbor attributed graph constructed in advance, if classification results are fishing Website then determines that domain name to be detected for malice domain name, otherwise executes step 3;
Step 3: being detected by the risk that at least one detection mode treats detection domain name, and calculate separately out The dangerous values of domain name to be detected, calculate to be checked in conjunction with the dangerous values that all detection modes are calculated under each detection mode Total dangerous values of domain name are surveyed, if total dangerous values of domain name to be detected are greater than or equal to preset danger threshold, are determined to be detected Domain name is malice domain name, otherwise determines domain name to be detected for legitimate domain name.
The above method is advanced optimized, specifically may is that
On the one hand, the building method of k nearest neighbor attributed graph can use: based on semi-supervised learning algorithm to preset marked Fishing link sample and unlabelled fishing link sample progress semi-supervised learning, such as first establish gaussian random domain model, It recycles harmonic function to carry out semi-supervised learning, k nearest neighbor attributed graph is constructed according to learning outcome.It is calculated above by semi-supervised learning When method constructs k nearest neighbor attributed graph, a large amount of flag data is not needed, can reduce handmarking's expense, while there is the Supreme People's Procuratorate again Survey rate, low false detection rate effectively increase detecting and alarm performance.Specifically, what the marked fishing link sample was marked Content includes: link source characteristics and/or link text feature and/or link behavioural characteristic, by marking a plurality of types of spies Sign improves the accuracy rate of identification malice domain name.
On the one hand, the detection mode in step 3 may include: to obtain IP corresponding to domain name to be detected by IP prestige library At least one dimension parameter information, and according to the parameter information of each dimension analyze domain name to be detected respectively corresponding to IP In the credit value of each dimension, domain to be detected is calculated in the credit value of each dimension further according to IP corresponding to domain name to be detected Total credit value of IP corresponding to name, the danger of domain name to be detected is calculated further according to total credit value of IP corresponding to domain name to be detected Danger value.Specifically, the dimension includes true man's probability and/or office probability and/or base station probability and/or liveness and/or letter With stain and/or number of users and/or residential quarters probability and/or domain name registration information.Specifically, according to domain name institute to be detected Corresponding IP is obtained to be detected in the credit value of each dimension and the weight of preset each dimension using calculated with weighted average method Total credit value of IP corresponding to domain name.It is scored by the risk that the IP prestige of various dimensions treats detection domain name, credit value Higher, dangerous values are lower, and user can be arranged different according to the attention rate to each dimension when calculating total credit value Weight.Wherein, above-mentioned office probability refers to the position IP in the probability of Administrative Area, and base station probability refers to that the source IP is base The probability stood, number of users refer to that the number of users of IP, residential quarters probability refer to the position IP in residential quarters region Probability.
On the one hand, the detection mode in step 3 may include: to extract the page view of webpage corresponding to domain name to be detected Feature is felt, then by the page visual signature extracted and the page visual signature of fishing website prestored or the legal net prestored The page visual signature stood carries out visual similarity comparison, obtains the page of webpage corresponding to domain name to be detected and fishing website Or the vision similarity between the page of legitimate site, the dangerous values of domain name to be detected are calculated further according to vision similarity. Specifically, the page visual signature of webpage corresponding to the domain name to be detected includes: page block grade feature and/or page layout Feature and/or page style and features;The page visual signature of the fishing website includes: page block grade feature and/or page cloth Office's feature and/or page style and features;The page visual signature of the legitimate site includes: page block grade feature and/or the page Spatial layout feature and/or page style and features.Above-mentioned detection method does not have to the code of concern bottom or the feature of network level, passes through Compare between the page visual signature to realize that phishing detects, sharpest edges are not dependent on the availability of HTML, detect Accuracy rate is high, can detect 0-hour phishing attack, while having preferable robustness, and precision is high, can be with preliminary screening malice Domain name effectively increases detecting and alarm performance, reduces rate of failing to report, rate of false alarm.
On the one hand, according to the dangerous values of domain name to be detected under each detection mode and preset each detection in step 3 The weight of mode obtains total dangerous values of domain name to be detected using calculated with weighted average method.It is always dangerous above by weight computing When value, corresponding weight value can be arranged according to the accuracy rate that various detection modes can reach in user, to improve malice domain name Discrimination.
Embodiment
Concrete example illustrates technical solution of the present invention below.
The malice domain name detection method of this example, follows the steps below detection:
Step S1, judge that domain name to be detected whether there is in blacklist or white list, if it exists in blacklist, then sentence Fixed domain name to be detected is that malice domain name then determines domain name to be detected for legitimate domain name, if being both not present if it exists in white list It is also not present in thening follow the steps two in blacklist in white list.
Step S2, it treats detection domain name using the k nearest neighbor attributed graph constructed in advance to classify, if classification results are fishing Website then determines that domain name to be detected for malice domain name, otherwise executes step 3.Wherein, k nearest neighbor attributed graph needed for this step Building method are as follows: link source characteristics, link text feature and the link behavior spy of the fishing link of handmarking's preset quantity It levies and links sample as marked fishing, be then based on semi-supervised learning algorithm and preset marked fishing link sample This and unlabelled fishing link sample, first establish gaussian random domain model, and harmonic function is recycled to carry out semi-supervised learning, root K nearest neighbor attributed graph is constructed according to learning outcome.
Step S3, general in true man's probability, office probability, base station by IP corresponding to IP prestige library acquisition domain name to be detected Rate, liveness, credit stain, number of users, the parameter information in 8 dimensions of residential quarters probability and domain name registration information, and According to the above-mentioned information got IP corresponding to domain name to be detected is analyzed respectively in the credit value of above-mentioned 8 dimensions, further according to IP corresponding to domain name to be detected above-mentioned 8 dimensions credit value and the preset corresponding weight of each dimension, using weighting Total credit value of IP corresponding to domain name to be detected is calculated in the method for average, further according to total credit value of IP corresponding to domain name to be detected The dangerous values of domain name to be detected are calculated, total credit value is higher, and dangerous values are lower.
Step S4, page block grade feature, page layout feature and the page wind of webpage corresponding to domain name to be detected are extracted Lattice feature, then by the page block grade feature, page layout feature and the page style and features that extract respectively with accordingly prestore The page block grade feature of fishing website, page layout feature and page style and features carry out visual similarity comparison, or with it is corresponding Page block grade feature, page layout feature and the page style and features of the legitimate site prestored carry out visual similarity comparison, obtain Vision similarity between the page of the page or legitimate site of webpage corresponding to domain name to be detected and fishing website, then root The dangerous values of domain name to be detected are calculated according to vision similarity;The page of webpage corresponding to domain name to be detected and fishing website Between vision similarity it is higher, then dangerous values are higher, between webpage corresponding to domain name to be detected and the page of legitimate site Vision similarity it is higher, then dangerous values are lower.
Step S5, it is detected according to above-mentioned steps S3 and step the S4 dangerous values being calculated and preset IP prestige The weight of weight and visual similarity detection, obtains total dangerous values of domain name to be detected using calculated with weighted average method, if to be checked The total dangerous values for surveying domain name are greater than or equal to preset danger threshold, then determine that domain name to be detected for malice domain name, otherwise determines Domain name to be detected is legitimate domain name.

Claims (9)

1. malice domain name detection method, which comprises the following steps:
Step 1: judge domain name to be detected whether there is in blacklist or white list, if it exists in blacklist, then determine to The entitled malice domain name of detecting domains then determines domain name to be detected for legitimate domain name, if being both not present in white if it exists in white list List is also not present in thening follow the steps two in blacklist;
Classify Step 2: treating detection domain name using the k nearest neighbor attributed graph constructed in advance, if classification results are Fishing net It stands, then determines that domain name to be detected for malice domain name, otherwise executes step 3;
Step 3: being detected by the risk that at least one detection mode treats detection domain name, and calculate separately out each The dangerous values of domain name to be detected, calculate domain to be detected in conjunction with the dangerous values that all detection modes are calculated under detection mode Total dangerous values of name determine domain name to be detected if total dangerous values of domain name to be detected are greater than or equal to preset danger threshold For malice domain name, otherwise determine domain name to be detected for legitimate domain name.
2. malice domain name detection method as described in claim 1, which is characterized in that the building method of the k nearest neighbor attributed graph Using: preset marked fishing link sample and unlabelled fishing link sample are carried out based on semi-supervised learning algorithm Semi-supervised learning constructs k nearest neighbor attributed graph according to learning outcome.
3. malice domain name detection method as claimed in claim 2, which is characterized in that the marked fishing links sample institute The content of label includes: link source characteristics and/or link text feature and/or link behavioural characteristic.
4. malice domain name detection method as described in claim 1, which is characterized in that the detection mode packet in the step 3 It includes: obtaining the parameter information of at least one dimension of IP corresponding to domain name to be detected by IP prestige library, and according to each dimension Parameter information analyzes IP corresponding to domain name to be detected in the credit value of each dimension, further according to corresponding to domain name to be detected respectively Total credit value of IP corresponding to domain name to be detected is calculated in the credit value of each dimension by IP, right further according to domain name institute to be detected Answer total credit value of IP that the dangerous values of domain name to be detected are calculated.
5. malice domain name detection method as claimed in claim 4, which is characterized in that the dimension include true man's probability and/or Office probability and/or base station probability and/or liveness and/or credit stain and/or number of users and/or residential quarters probability And/or domain name registration information.
6. malice domain name detection method as claimed in claim 4, which is characterized in that according to IP corresponding to domain name to be detected each The weight of the credit value of a dimension and preset each dimension, is obtained corresponding to domain name to be detected using calculated with weighted average method Total credit value of IP.
7. malice domain name detection method as described in claim 1, which is characterized in that the detection mode packet in the step 3 Include: extracting the page visual signature of webpage corresponding to domain name to be detected, then by the page visual signature extracted with prestore Fishing website page visual signature or the legitimate site prestored page visual signature carry out visual similarity comparison, obtain Vision similarity between the page of the page or legitimate site of webpage corresponding to domain name to be detected and fishing website, further according to The dangerous values of domain name to be detected are calculated in vision similarity.
8. malice domain name detection method as claimed in claim 7, which is characterized in that webpage corresponding to the domain name to be detected Page visual signature include: page block grade feature and/or page layout feature and/or page style and features;The Fishing net The page visual signature stood includes: page block grade feature and/or page layout feature and/or page style and features;It is described legal The page visual signature of website includes: page block grade feature and/or page layout feature and/or page style and features.
9. malice domain name detection method as described in claim 1, which is characterized in that according to each detection side in the step 3 The weight of the dangerous values of domain name to be detected and preset each detection mode, is obtained to be checked using calculated with weighted average method under formula Survey total dangerous values of domain name.
CN201910536431.2A 2019-06-20 2019-06-20 Malicious domain name detection method Active CN110247916B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910536431.2A CN110247916B (en) 2019-06-20 2019-06-20 Malicious domain name detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910536431.2A CN110247916B (en) 2019-06-20 2019-06-20 Malicious domain name detection method

Publications (2)

Publication Number Publication Date
CN110247916A true CN110247916A (en) 2019-09-17
CN110247916B CN110247916B (en) 2021-07-27

Family

ID=67888456

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910536431.2A Active CN110247916B (en) 2019-06-20 2019-06-20 Malicious domain name detection method

Country Status (1)

Country Link
CN (1) CN110247916B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953695A (en) * 2020-08-14 2020-11-17 中国工商银行股份有限公司 Method and device for constructing terminal behavior portrait
CN112104765A (en) * 2020-11-20 2020-12-18 武汉绿色网络信息服务有限责任公司 Illegal website detection method and device
CN112468484A (en) * 2020-11-24 2021-03-09 山西三友和智慧信息技术股份有限公司 Internet of things equipment infection detection method based on abnormity and reputation
CN113098896A (en) * 2021-04-26 2021-07-09 中国移动通信集团陕西有限公司 Domain name detection method, device, equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739679A (en) * 2012-06-29 2012-10-17 东南大学 URL(Uniform Resource Locator) classification-based phishing website detection method
CN102932348A (en) * 2012-10-30 2013-02-13 常州大学 Real-time detection method and system of phishing website
US20140130167A1 (en) * 2012-11-06 2014-05-08 Korea Internet & Security Agency System and method for periodically inspecting malicious code distribution and landing sites
CN104980446A (en) * 2015-06-30 2015-10-14 百度在线网络技术(北京)有限公司 Detection method and system for malicious behavior
CN105718577A (en) * 2016-01-22 2016-06-29 中国互联网络信息中心 Method and system for automatically detecting phishing aiming at added domain name
CN109510815A (en) * 2018-10-19 2019-03-22 杭州安恒信息技术股份有限公司 A kind of multistage detection method for phishing site and detection system based on supervised learning
CN109522504A (en) * 2018-10-18 2019-03-26 杭州安恒信息技术股份有限公司 A method of counterfeit website is differentiated based on threat information

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739679A (en) * 2012-06-29 2012-10-17 东南大学 URL(Uniform Resource Locator) classification-based phishing website detection method
CN102932348A (en) * 2012-10-30 2013-02-13 常州大学 Real-time detection method and system of phishing website
US20140130167A1 (en) * 2012-11-06 2014-05-08 Korea Internet & Security Agency System and method for periodically inspecting malicious code distribution and landing sites
CN104980446A (en) * 2015-06-30 2015-10-14 百度在线网络技术(北京)有限公司 Detection method and system for malicious behavior
CN105718577A (en) * 2016-01-22 2016-06-29 中国互联网络信息中心 Method and system for automatically detecting phishing aiming at added domain name
CN109522504A (en) * 2018-10-18 2019-03-26 杭州安恒信息技术股份有限公司 A method of counterfeit website is differentiated based on threat information
CN109510815A (en) * 2018-10-19 2019-03-22 杭州安恒信息技术股份有限公司 A kind of multistage detection method for phishing site and detection system based on supervised learning

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953695A (en) * 2020-08-14 2020-11-17 中国工商银行股份有限公司 Method and device for constructing terminal behavior portrait
CN111953695B (en) * 2020-08-14 2022-10-28 中国工商银行股份有限公司 Terminal behavior portrait construction method and device, electronic equipment and storage medium
CN112104765A (en) * 2020-11-20 2020-12-18 武汉绿色网络信息服务有限责任公司 Illegal website detection method and device
CN112468484A (en) * 2020-11-24 2021-03-09 山西三友和智慧信息技术股份有限公司 Internet of things equipment infection detection method based on abnormity and reputation
CN113098896A (en) * 2021-04-26 2021-07-09 中国移动通信集团陕西有限公司 Domain name detection method, device, equipment and medium

Also Published As

Publication number Publication date
CN110247916B (en) 2021-07-27

Similar Documents

Publication Publication Date Title
CN110247916A (en) Malice domain name detection method
CN104077396B (en) Method and device for detecting phishing website
CN103544436B (en) System and method for distinguishing phishing websites
CN105119909B (en) A kind of counterfeit website detection method and system based on page visual similarity
CN111191695B (en) Website picture tampering detection method based on deep learning
Sanglerdsinlapachai et al. Using domain top-page similarity feature in machine learning-based web phishing detection
CN109922065B (en) Quick identification method for malicious website
CN108111478A (en) A kind of phishing recognition methods and device based on semantic understanding
CN110784462B (en) Three-layer phishing website detection system based on hybrid method
CN109522504A (en) A method of counterfeit website is differentiated based on threat information
CN104899508A (en) Multistage phishing website detecting method and system
CN102932348A (en) Real-time detection method and system of phishing website
CN102170446A (en) Fishing webpage detection method based on spatial layout and visual features
CN106302438A (en) A kind of method of actively monitoring fishing website of Behavior-based control feature by all kinds of means
CN107948168A (en) Page detection method and device
CN107360200A (en) A kind of fishing detection method based on classification confidence and web site features
CN110781876B (en) Method and system for detecting light weight of counterfeit domain name based on visual characteristics
CN107911360A (en) One kind is hacked website detection method and system
Ahammad et al. Phishing URL detection using machine learning methods
CN104202291A (en) Anti-phishing method based on multi-factor comprehensive assessment method
CN108566399A (en) Fishing website recognition methods and system
Yearwood et al. Profiling phishing emails based on hyperlink information
CN110572359A (en) Phishing webpage detection method based on machine learning
CN102999638A (en) Phishing website detection method excavated based on network group
Vargas et al. Knowing your enemies: Leveraging data analysis to expose phishing patterns against a major US financial institution

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant