CN111245784A - Method for multi-dimensional detection of malicious domain name - Google Patents


Info

Publication number: CN111245784A
Authority: CN (China)
Prior art keywords: domain name, malicious, malicious domain, random forest, network behavior
Legal status: Pending
Application number: CN201911393883.6A
Other languages: Chinese (zh)
Inventors: 姚吉, 范渊
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Priority date: 2019-12-30
Filing date: 2019-12-30
Publication date: 2020-06-05
Application filed by DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention provides a method for multi-dimensional detection of malicious domain names comprising the following steps: 1) check the domain name to be detected against the existing malicious domain name intelligence base; if it is judged to be a suspected malicious domain name, execute step 2; 2) analyze the attribute features of the suspected malicious domain name and obtain a prediction result with a random forest algorithm; then execute step 3; 3) using the prediction result obtained from the random forest model, analyze the network behavior of the domain name (returned information features and the like) and comprehensively judge its degree of suspicion. The invention provides a malicious domain name identification method and device that can defend against malicious domain name attacks promptly and accurately at low cost. The accuracy of the comprehensive judgement of malicious domain names is greatly improved, and each module can be deployed and executed independently, efficiently and with strong traceability. The method reduces the dependence on samples and the order of magnitude of samples required, uses fewer resources and generalizes well.

Description

Method for multi-dimensional detection of malicious domain name
Technical Field
The invention relates to information security technology, in particular to a method for multi-dimensional detection of malicious domain names.
Background
With the spread of the internet, cybercrime incidents occur frequently and seriously harm national, enterprise and personal interests. In phishing, an attacker uses deceptive emails, mobile phone text messages and the like to induce a user to visit a malicious domain name; after visiting it the user exposes personal privacy and may even suffer economic loss. In the prior art, malicious domain name detection generally identifies malicious domain names on the basis of a threat intelligence library, manual analysis algorithms and the like; the judgement method is single and not accurate enough, and detection efficiency is low when existing methods face malicious domain names that are huge in number and use varied phishing techniques.
Malicious domain names are a relatively common means of network attack. They are often used to counterfeit other legitimate websites, help viruses and trojans spread faster, steal sensitive user information, and receive hacker instructions, among other attack scenarios. Existing defenses generally block on the basis of a malicious domain name library; such a library usually comes from attack collection and reverse engineering of malicious Trojan programs, and some specialized security organizations update it regularly. However, blocking by library lags badly and cannot deal with a newly created malicious domain name in time, while data mining and cloud analysis approaches suffer from high cost and low accuracy. The invention provides a method for multi-dimensional detection of malicious domain names that aims to solve the low detection efficiency and low accuracy of existing multi-dimensional detection of malicious domain names.
Most existing multi-dimensional methods for detecting malicious domain names rely on threat intelligence, with a single association analysis used to find possible domain names. First, their accuracy is not high; second, they lag because they rely heavily on threat intelligence; third, threat intelligence is costly to collect.
Accordingly, there is a need for improvements in the art.
Disclosure of Invention
The invention aims to provide an efficient method for multi-dimensional detection of malicious domain names.
To solve this technical problem, the invention provides a method for multi-dimensional detection of malicious domain names comprising the following steps:
1) check the domain name to be detected against the existing malicious domain name intelligence base; if it is judged to be a suspected malicious domain name, execute step 2;
2) analyze the attribute features of the suspected malicious domain name and obtain a prediction result with a random forest algorithm; then execute step 3;
3) using the prediction result obtained from the random forest model, analyze the network behavior of the domain name (returned information features and the like) and comprehensively judge its degree of suspicion.
As an improvement of the method for multi-dimensional detection of malicious domain names, it further comprises the following step:
4) detect and analyze the real-time traffic; if the traffic is smaller than a threshold value, the domain name is determined to be legitimate, otherwise it is determined to be malicious.
As a further improvement of the method for multi-dimensional detection of malicious domain names of the present invention:
step 1 comprises the following: association via the IP corresponding to the malicious domain name, association via the malicious domain name generation algorithm, and calculation of domain name similarity;
(1.1) association via the IP corresponding to the malicious domain name: query the malicious domain name intelligence base and check whether the original intelligence base holds matching information for the IP to which the current domain name corresponds; if so, the domain name is judged to be suspected malicious;
(1.2) malicious domain name generation algorithm association and domain name similarity algorithm: match the current domain name against the original malicious domain name library by character information entropy and judge the degree of match; in this method the domain name is judged to be suspected malicious if the match exceeds the threshold, which is set to 0.75;
step 2 is executed if either step 1.1 or step 1.2 judges the domain name to be malicious.
As a further improvement of the method for multi-dimensional detection of malicious domain names of the present invention:
step 2 comprises the following steps:
2.1) construct positive and negative sample sets from the threat intelligence library and the ALEXA website ranking; execute step 2.2;
2.2) extract feature vectors on the basis of the feature analysis above, take the domain names in the positive and negative sample sets as the training set, filter out noise, train individual learners, and obtain a random forest model through multiple rounds of random combination training; execute step 2.3;
2.3) input the suspected malicious domain name into the random forest model to obtain a prediction result.
As a further improvement of the method for multi-dimensional detection of malicious domain names of the present invention:
step 3 comprises the following steps:
3.1) acquire a network traffic data set on the basis of the prediction result obtained from the random forest model;
3.2) take the network traffic in the data set whose five-tuple features are identical and whose count is greater than or equal to N as malicious network behavior data streams, and the rest as network behavior data streams of normal applications;
identical five-tuple features means the same source IP, destination IP, source port, destination port and protocol type;
3.3) construct network behavior sequence diagrams from the malicious network behavior data streams extracted in step 3.2 and the network behavior data streams of normal applications, obtaining the network behavior sequence diagram of normal applications and the network behavior sequence diagram of malicious applications;
the diagrams include features such as the flow duration of the domain name and the number of destination ports;
3.4) judge whether the domain name is malicious according to the degree of similarity between the network behavior sequence diagram of normal applications and the network behavior sequence diagram of malicious applications.
As a further improvement of the method for multi-dimensional detection of malicious domain names of the present invention:
the data collected for the sample set includes: the website address and the corresponding domain name length, maximum sub-domain name length, character entropy, digit-letter transition rate, continuous digit length, continuous letter length, domain name A records, domain name IP entropy and number of NS records.
The method for multi-dimensional detection of malicious domain names has the following technical advantages:
the invention provides a malicious domain name identification method and device that can defend against malicious domain name attacks promptly and accurately at low cost. The accuracy of the comprehensive judgement of malicious domain names is greatly improved, and each module can be deployed and executed independently, efficiently and with strong traceability. The method reduces the dependence on samples and the order of magnitude of samples required, uses fewer resources and generalizes well.
Drawings
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.
Fig. 1 is a flowchart illustrating a method for multi-dimensionally detecting a malicious domain name according to the present invention.
Detailed Description
The invention is further described with reference to specific examples, but its scope is not limited to them.
Embodiment 1: a method for multi-dimensional detection of malicious domain names, as shown in Fig. 1, includes the following steps:
1) check the domain name to be detected against the existing malicious domain name intelligence base. This comprises: association via the IP corresponding to the malicious domain name, association via the malicious domain name generation algorithm, and calculation of domain name similarity;
(1.1) association via the IP corresponding to the malicious domain name: query the malicious domain name intelligence library and check whether the original intelligence library holds matching information for the IP to which the current domain name corresponds. If so, the domain name is judged to be suspected malicious;
(1.2) malicious domain name generation algorithm association and domain name similarity algorithm: match the current domain name against the original malicious domain name library by character information entropy and judge the degree of match; in this method the domain name is judged to be suspected malicious if the match exceeds the threshold, which is set to 0.75;
step 2 is executed if either step 1.1 or step 1.2 judges the domain name to be suspected malicious;
2) analyze the attribute features of the domain name to be detected and judge the prediction result through a random forest algorithm.
Malicious domain names generally have feature attributes that differ markedly from those of normal domain names, including:
(2.1) static lexical features: the malicious domain names used by attackers are generally generated by a DGA (domain generation algorithm); a large proportion of them are very long and carry no semantic content;
dynamic DNS resolution features: to evade blacklists and resist blocking, the DNS answers returned by malicious domain name servers typically contain multiple DNS A records (address records) or NS records (name server records).
(2.2) combining these different dynamic and static attribute features, a machine learning algorithm (random forest) predicts on the multidimensional information extracted from the domain name and its DNS records, such as domain name length, maximum sub-domain length, character entropy, digit-letter transition rate, continuous digit length, continuous letter length, domain name A records, domain name IP entropy and number of NS records; step 2.3 is then performed to judge the degree of suspicion of the malicious domain name.
(2.3) construct a feature vector from the dimensional features described above and train a random forest model;
the specific steps are as follows:
(2.3.1) construct positive and negative sample sets from a threat intelligence library (manually preset known threat intelligence) and the ALEXA website ranking;
(2.3.2) extract feature vectors on the basis of the feature analysis above, take the domain names in the black and white lists as the training set, filter out noise, train individual learners (decision trees), and obtain a random forest model through multiple rounds of random combination training;
collect the sample set, acquiring each website address and the corresponding domain name length, maximum sub-domain name length, character entropy, digit-letter transition rate, continuous digit length, continuous letter length, domain name A records, domain name IP entropy and number of NS records.
I. Malicious sample set:
the malicious domain names mainly come from malicious domain name libraries downloaded from professional websites, C2 domain names obtained by reverse engineering analysis of malware, and third-party threat intelligence libraries.
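As an added example (not the patent's own code), the following Python implements one reading of the step 1.2 similarity check against the malicious domain name library, using the 0.75 threshold the patent names, and extracts the nine attribute features listed above for step 2. Assumptions: the last label is treated as the TLD, "character matching" is computed as a string similarity ratio, "domain IP entropy" is the entropy of the /16 prefixes of the A records, and the DNS answers are constructed inline and passed in so the code runs offline.

```python
import difflib
import math
from collections import Counter


def domain_body(domain: str) -> str:
    """Lower-cased labels of the domain with the last (TLD) label removed (assumption)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return ".".join(labels[:-1])


def shannon_entropy(items) -> float:
    """Shannon entropy in bits of the empirical distribution of the items."""
    items = list(items)
    if not items:
        return 0.0
    n = len(items)
    return -sum(c / n * math.log2(c / n) for c in Counter(items).values())


# ---- Step 1.2: similarity of the candidate to the known malicious domain library ----
def similarity_to_library(domain: str, library, threshold: float = 0.75):
    """Assumed reading of the patent's character-matching step: the candidate is suspected
    malicious when its string similarity ratio to any library entry reaches the 0.75
    threshold. Returns (suspected, best matching entry, ratio)."""
    body = domain_body(domain)
    best_match, best_ratio = None, 0.0
    for known in library:
        ratio = difflib.SequenceMatcher(None, body, domain_body(known)).ratio()
        if ratio > best_ratio:
            best_match, best_ratio = known, ratio
    return best_ratio >= threshold, best_match, round(best_ratio, 4)


# ---- Step 2: the nine attribute features listed in the patent ----
def digit_letter_transition_rate(s: str) -> float:
    """Share of adjacent alphanumeric pairs that switch between a digit and a letter."""
    pairs = [(a, b) for a, b in zip(s, s[1:]) if a.isalnum() and b.isalnum()]
    if not pairs:
        return 0.0
    return sum(a.isdigit() != b.isdigit() for a, b in pairs) / len(pairs)


def longest_run(s: str, pred) -> int:
    """Length of the longest run of consecutive characters for which pred holds."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if pred(ch) else 0
        best = max(best, cur)
    return best


def feature_vector(domain: str, a_records, ns_records) -> dict:
    """Feature vector in the order the patent lists. a_records and ns_records are the DNS
    answers already collected for the domain; they are passed in so the code runs offline."""
    body = domain_body(domain)
    compact = body.replace(".", "")
    return {
        "domain_length": len(domain.strip().rstrip(".")),
        "max_subdomain_length": max((len(label) for label in body.split(".")), default=0),
        "char_entropy": round(shannon_entropy(compact), 4),
        "digit_letter_transition_rate": round(digit_letter_transition_rate(compact), 4),
        "max_digit_run": longest_run(compact, str.isdigit),
        "max_letter_run": longest_run(compact, str.isalpha),
        "a_record_count": len(a_records),
        # Assumption: "ip entropy" = entropy of the /16 prefixes of the A records, so answers
        # spread over many networks (fast-flux style) score higher than one hosting block.
        "ip_entropy": round(shannon_entropy(".".join(ip.split(".")[:2]) for ip in a_records), 4),
        "ns_record_count": len(ns_records),
    }


if __name__ == "__main__":
    # Constructed sample inputs (documentation IP ranges, invented names).
    library = ["paypal-login.example", "secure-bank-update.example"]
    print(similarity_to_library("paypa1-login.example", library))
    print(feature_vector("a1b2c3d4.badexample.net",
                         ["203.0.113.5", "203.0.113.9", "198.51.100.7"],
                         ["ns1.badexample.net", "ns2.badexample.net"]))
```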
II. White list sample set:
the white list domain names are taken from the top 10000 website domain names in the ALEXA ranking.
ROC curve result distribution (single result): [figure omitted]
(2.3.3) input the domain name to be detected into the random forest model to obtain the prediction result.
The sampling method adopted by the random forest is generally bootstrap sampling: from the original sample set one sample is drawn at random and put back, the drawn sample is added to the sampling set, and after a fixed number of draws a sample set is obtained. Because sampling is random, each sampling set differs from the original sample set and from the other sampling sets, so the individual learners obtained from them also differ. Random sampling n times yields n sample sets; n individual learners can be trained on them independently and their outputs combined into the final output by a set strategy, and since the n individual learners are independent of one another they can be trained in parallel. Finally, the random forest combines them by voting to obtain the result.
3) using the prediction result obtained from the random forest model, analyze the network behavior of the domain name, which mainly comprises active time, number of communications per unit time, TTL response values, returned information features and the like, and comprehensively judge its degree of suspicion.
The specific steps are as follows:
(3.1) acquire a network traffic data set on the basis of the prediction result obtained from the random forest model;
(3.2) extract malicious network behavior data streams from the collected network traffic data set according to the five-tuple features, where identical five-tuple features means the same source IP, destination IP, source port, destination port and protocol type;
namely: take the network traffic (repeated occurrences) whose five-tuple features are identical and whose count is greater than or equal to N as malicious network behavior data streams, and the rest as network behavior data streams of normal applications.
(3.3) construct network behavior sequence diagrams from the malicious network behavior data streams extracted in step 3.2 and the network behavior data streams of normal applications, obtaining the network behavior sequence diagram of normal applications and the network behavior sequence diagram of malicious applications. The diagrams include features such as the flow duration of the domain name and the number of destination ports;
(3.4) judge whether the domain name is malicious according to the degree of similarity between the network behavior sequence diagram of normal applications and the network behavior sequence diagram of malicious applications.
4) detect and analyze the real-time traffic; if the traffic is smaller than a (preset) threshold, the domain name is determined to be legitimate, otherwise it is determined to be malicious.
Finally, it is noted that the above merely lists a few specific embodiments of the invention. Obviously the invention is not limited to the above embodiments, and many variations are possible. All modifications that a person skilled in the art can derive or infer from the disclosure of the invention are considered within its scope.
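The bootstrap-and-vote procedure just described, as an added example in plain Python (not the patent's code, no external libraries): each individual learner is a one-split decision stump trained on a bootstrap sample over a random feature subset, and the forest combines the learners by majority vote. The training rows are constructed (domain length, character entropy, longest digit run, A record count; label 1 = malicious) and the learner count, feature subset size and seed are assumptions.

```python
import random
from typing import List, Sequence, Tuple

# One training row: (feature vector, label) with label 1 = malicious, 0 = benign.
Sample = Tuple[Sequence[float], int]

# Constructed training rows, not the patent's data set. Features in order:
# domain length, character entropy, longest digit run, number of A records.
TRAINING_SET: List[Sample] = [
    ((10, 2.5, 0, 1), 0), ((11, 2.6, 0, 1), 0), ((9, 2.3, 0, 2), 0),
    ((12, 2.8, 1, 1), 0), ((8, 2.2, 0, 1), 0), ((13, 2.9, 0, 2), 0),
    ((24, 3.9, 3, 6), 1), ((26, 4.1, 4, 8), 1), ((22, 3.7, 2, 5), 1),
    ((30, 4.3, 5, 9), 1), ((25, 4.0, 3, 7), 1), ((28, 4.2, 4, 6), 1),
]


def bootstrap_sample(data: List[Sample], rng: random.Random) -> List[Sample]:
    """Draw len(data) rows with replacement: each drawn row is put back before the next draw."""
    return [data[rng.randrange(len(data))] for _ in range(len(data))]


def train_stump(data: List[Sample], feature_ids: Sequence[int]):
    """Individual learner: a decision stump (one split) restricted to the given features.
    Returns (feature index, threshold, label above threshold, label at or below)."""
    best, best_err = None, float("inf")
    for f in feature_ids:
        values = sorted({row[f] for row, _ in data})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            for above in (0, 1):
                err = sum((above if row[f] > thr else 1 - above) != y for row, y in data)
                if err < best_err:
                    best, best_err = (f, thr, above, 1 - above), err
    if best is None:  # no split possible on these features: fall back to the majority label
        majority = int(2 * sum(y for _, y in data) >= len(data))
        best = (feature_ids[0], float("inf"), majority, majority)
    return best


def stump_predict(stump, row) -> int:
    f, thr, above, below = stump
    return above if row[f] > thr else below


def train_forest(data: List[Sample], n_learners: int = 25, n_features: int = 2, seed: int = 7):
    """n bootstrap samples -> n independently trained learners (each could run in parallel)."""
    rng = random.Random(seed)
    n_total = len(data[0][0])
    forest = []
    for _ in range(n_learners):
        boot = bootstrap_sample(data, rng)
        feats = rng.sample(range(n_total), n_features)  # random feature combination
        forest.append(train_stump(boot, feats))
    return forest


def forest_predict(forest, row) -> int:
    """Combine the individual learners by majority vote."""
    votes = sum(stump_predict(s, row) for s in forest)
    return int(2 * votes > len(forest))


if __name__ == "__main__":
    forest = train_forest(TRAINING_SET)
    print(forest_predict(forest, (27, 4.1, 3, 7)))  # malicious-looking row
    print(forest_predict(forest, (10, 2.4, 0, 1)))  # benign-looking row
```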
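Steps 3.2 to 3.4 as an added example in Python (not the patent's code) over constructed flow records: flows whose five-tuple recurs at least N times are separated as malicious behavior streams, a per-domain behavior profile (flow duration, active time, communications per unit time, destination port count) stands in for the network behavior sequence diagram, and a new domain is judged by which reference profile it lies closer to. The flow records, N = 4 and the distance-based similarity are all assumptions.

```python
from collections import defaultdict
from statistics import mean


def flow(domain, src, dst, sport, dport, proto, start, end):
    """One observed connection: resolved domain, five-tuple, start/end time in seconds."""
    return {"domain": domain, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "proto": proto, "start": start, "end": end}


# Constructed flow records (documentation IP ranges, invented names), not patent data.
FLOWS = (
    # Beaconing host: the identical five-tuple recurs every 60 s.
    [flow("beacon.example", "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", t, t + 2)
     for t in range(0, 360, 60)]
    # Ordinary browsing: a fresh ephemeral source port per connection, two destination ports.
    + [flow("cdn.example", "10.0.0.5", "198.51.100.20", 52000 + i, 443, "tcp",
            10 + 5 * i, 12 + 5 * i) for i in range(3)]
    + [flow("cdn.example", "10.0.0.5", "198.51.100.20", 52010, 80, "tcp", 40, 41)]
    # Repeated five-tuple, but below the threshold N.
    + [flow("update.example", "10.0.0.7", "198.51.100.30", 53000, 443, "tcp", t, t + 1)
       for t in (100, 700)]
)

FEATURES = ("flow_duration", "active_time", "comms_per_min", "dst_ports")


def five_tuple(f):
    return (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])


def split_by_five_tuple(flows, n_threshold):
    """Step 3.2: flows whose five-tuple recurs >= N times form the malicious behavior
    streams; everything else is treated as normal application traffic."""
    groups = defaultdict(list)
    for f in flows:
        groups[five_tuple(f)].append(f)
    malicious, normal = [], []
    for fs in groups.values():
        (malicious if len(fs) >= n_threshold else normal).extend(fs)
    return malicious, normal


def behavior_profiles(flows):
    """Step 3.3: per-domain behavior features standing in for the sequence diagram."""
    by_domain = defaultdict(list)
    for f in flows:
        by_domain[f["domain"]].append(f)
    profiles = {}
    for domain, fs in by_domain.items():
        active = max(max(f["end"] for f in fs) - min(f["start"] for f in fs), 1)
        profiles[domain] = {
            "flow_duration": sum(f["end"] - f["start"] for f in fs),
            "active_time": active,
            "comms_per_min": 60 * len(fs) / active,
            "dst_ports": len({f["dport"] for f in fs}),
        }
    return profiles


def centroid(profiles):
    return {k: mean(p[k] for p in profiles.values()) for k in FEATURES}


def judge_by_similarity(candidate, mal_centroid, norm_centroid):
    """Step 3.4 (assumed form): scale each feature by the larger centroid value so units are
    comparable, then the candidate is malicious if it lies closer to the malicious profile.
    Returns (is_malicious, distance to malicious, distance to normal)."""
    def dist(a, b):
        total = 0.0
        for k in FEATURES:
            scale = max(abs(mal_centroid[k]), abs(norm_centroid[k]), 1e-9)
            total += ((a[k] - b[k]) / scale) ** 2
        return total ** 0.5
    d_mal, d_norm = dist(candidate, mal_centroid), dist(candidate, norm_centroid)
    return d_mal < d_norm, round(d_mal, 3), round(d_norm, 3)


def judge_domain(candidate_flows, reference_flows=FLOWS, n_threshold=4):
    """Run steps 3.2-3.4 for one new domain against the reference traffic set."""
    malicious, normal = split_by_five_tuple(reference_flows, n_threshold)
    mal_c, norm_c = centroid(behavior_profiles(malicious)), centroid(behavior_profiles(normal))
    candidate = next(iter(behavior_profiles(candidate_flows).values()))
    return judge_by_similarity(candidate, mal_c, norm_c)


if __name__ == "__main__":
    # New domain beaconing every 30 s for 3 s each time (constructed).
    new_flows = [flow("c2-new.example", "10.0.0.9", "192.0.2.40", 54000, 8443, "tcp", t, t + 3)
                 for t in range(0, 150, 30)]
    print(judge_domain(new_flows))
```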

Claims (6)

1. A method for multi-dimensional detection of malicious domain names, characterized in that it comprises the following steps:
1) check the domain name to be detected against the existing malicious domain name intelligence base; if it is judged to be a suspected malicious domain name, execute step 2;
2) analyze the attribute features of the suspected malicious domain name and obtain a prediction result with a random forest algorithm; then execute step 3;
3) using the prediction result obtained from the random forest model, analyze the network behavior of the domain name (returned information features and the like) and comprehensively judge its degree of suspicion.
2. The method for multi-dimensional detection of malicious domain names according to claim 1, characterized in that it further comprises the following step:
4) detect and analyze the real-time traffic; if the traffic is smaller than a threshold value, the domain name is determined to be legitimate, otherwise it is determined to be malicious.
3. The method for multi-dimensional detection of malicious domain names according to claim 2, characterized in that:
step 1 comprises the following: association via the IP corresponding to the malicious domain name, association via the malicious domain name generation algorithm, and calculation of domain name similarity;
(1.1) association via the IP corresponding to the malicious domain name: query the malicious domain name intelligence base and check whether the original intelligence base holds matching information for the IP to which the current domain name corresponds; if so, the domain name is judged to be suspected malicious;
(1.2) malicious domain name generation algorithm association and domain name similarity algorithm: match the current domain name against the original malicious domain name library by character information entropy and judge the degree of match; in this method the domain name is judged to be suspected malicious if the match exceeds the threshold, which is set to 0.75;
step 2 is executed if either step 1.1 or step 1.2 judges the domain name to be malicious.
4. The method for multi-dimensional detection of malicious domain names according to claim 3, characterized in that:
step 2 comprises the following steps:
2.1) construct positive and negative sample sets from the threat intelligence library and the ALEXA website ranking; execute step 2.2;
2.2) extract feature vectors on the basis of the feature analysis above, take the domain names in the positive and negative sample sets as the training set, filter out noise, train individual learners, and obtain a random forest model through multiple rounds of random combination training; execute step 2.3;
2.3) input the suspected malicious domain name into the random forest model to obtain a prediction result.
5. The method for multi-dimensional detection of malicious domain names according to claim 4, characterized in that:
step 3 comprises the following steps:
3.1) acquire a network traffic data set on the basis of the prediction result obtained from the random forest model;
3.2) take the network traffic in the data set whose five-tuple features are identical and whose count is greater than or equal to N as malicious network behavior data streams, and the rest as network behavior data streams of normal applications;
identical five-tuple features means the same source IP, destination IP, source port, destination port and protocol type;
3.3) construct network behavior sequence diagrams from the malicious network behavior data streams extracted in step 3.2 and the network behavior data streams of normal applications, obtaining the network behavior sequence diagram of normal applications and the network behavior sequence diagram of malicious applications;
the diagrams include features such as the flow duration of the domain name and the number of destination ports;
3.4) judge whether the domain name is malicious according to the degree of similarity between the network behavior sequence diagram of normal applications and the network behavior sequence diagram of malicious applications.
6. The method for multi-dimensional detection of malicious domain names according to claim 5, characterized in that:
the data collected for the sample set includes: the website address and the corresponding domain name length, maximum sub-domain name length, character entropy, digit-letter transition rate, continuous digit length, continuous letter length, domain name A records, domain name IP entropy and number of NS records.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911393883.6A CN111245784A (en) 2019-12-30 2019-12-30 Method for multi-dimensional detection of malicious domain name


Publications (1)

Publication Number Publication Date
CN111245784A true CN111245784A (en) 2020-06-05

Family

ID=70869338


Country Status (1)

Country Link
CN (1) CN111245784A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200605