CN112910888A - Illegal domain name registration group mining method and device - Google Patents


Info

Publication number
CN112910888A
Authority
CN
China
Prior art keywords
illegal domain
domain name
illegal
domain names
node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110127589.1A
Other languages
Chinese (zh)
Inventor
史卓颖
王涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a method and device for mining illegal domain name registration groups. The method comprises the following steps: acquiring a plurality of illegal domain names on which registration group mining is to be performed, and acquiring attribute values of target attributes of the plurality of illegal domain names; building a graph from the illegal domain names and the attribute values of their target attributes, which comprises taking each illegal domain name as a node in the graph and, if the attribute values of the target attributes of any two of the illegal domain names are the same, connecting the nodes corresponding to the two illegal domain names in the graph; and running the Louvain algorithm on the graph so built, and taking each community divided by the Louvain algorithm as an illegal domain name registration group. By this method, illegal domain name registration groups can be mined comprehensively and accurately, which lays a foundation for subsequently punishing them.

Description

Illegal domain name registration group mining method and device
Technical Field
The application relates to the technical field of computers, in particular to an illegal domain name registration group mining method and device.
Background
On the one hand, an illegal domain name may be a domain name in which malicious code is embedded by exploiting a vulnerability of a browser or application software, so that the user's equipment is tampered with or damaged after the user unknowingly clicks on it; on the other hand, an illegal domain name may also be a domain name that counterfeits another website, such as a bank website or an e-commerce website, and damages the property, reputation, etc. of users and enterprises.
To effectively reduce the harm caused by illegal domain names, the groups that register them need to be found and punished in time. How to mine illegal domain name registration groups comprehensively and accurately remains a technical problem to be solved.
Disclosure of Invention
The application provides an illegal domain name registration group mining method and device, so that illegal domain name registration groups can be mined comprehensively and accurately. The technical solution provided by the application is as follows:
In a first aspect, the present application provides an illegal domain name registration group mining method, including:
acquiring a plurality of illegal domain names on which registration group mining is to be performed, and acquiring attribute values of target attributes of the plurality of illegal domain names;
building a graph according to the plurality of illegal domain names and the attribute values of the target attributes of the plurality of illegal domain names, including: taking each illegal domain name as a node in the graph, and if the attribute values of the target attributes of any two illegal domain names are the same, connecting the nodes corresponding to the two illegal domain names in the graph;
and running the Louvain algorithm on the graph so built, and taking each community divided by the Louvain algorithm as an illegal domain name registration group.
In a second aspect, the present application provides an illegal domain name registration group mining device, including:
an acquisition unit, configured to acquire a plurality of illegal domain names on which registration group mining is to be performed, and to acquire attribute values of target attributes of the plurality of illegal domain names;
a mapping unit, configured to build a graph according to the plurality of illegal domain names and the attribute values of the target attributes of the plurality of illegal domain names, including: taking each illegal domain name as a node in the graph, and if the attribute values of the target attributes of any two illegal domain names are the same, connecting the nodes corresponding to the two illegal domain names in the graph;
and a mining unit, configured to run the Louvain algorithm on the graph so built and to take each community divided by the Louvain algorithm as an illegal domain name registration group.
In the method and device, the illegal domain names to be mined and the attribute values of their target attributes are obtained, a graph is built from them, and the Louvain algorithm is then run on that graph, so that strongly connected illegal domain names are quickly extracted and illegal domain name registration groups are thereby mined. Moreover, because the mining is carried out with the Louvain algorithm from the perspective of community relationships, the mining result obtained is more comprehensive and accurate.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a flowchart of the illegal domain name registration group mining method provided by the present application;
Figs. 2A-2B are schematic diagrams of the graph-building process provided in an embodiment of the present application;
Fig. 3 is a flowchart of the execution of the Louvain algorithm provided in the embodiment of the present application;
Fig. 4 is a schematic diagram of an operation result of the Louvain algorithm provided in the embodiment of the present application;
Fig. 5 is a structural diagram of the illegal domain name registration group mining device provided in the present application;
Fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at …" or "when …" or "in response to a determination", depending on the context.
A domain name is the identity of a host in the network. It usually consists of a string of characters separated by dots and is easier for the user to remember than an IP address. By establishing a mapping relationship between the IP address and the domain name, the user can access the target host using the domain name instead of the IP address. An illegal domain name is a domain name that harms the interests of the user through illegal means. For example, it may be a domain name that exploits a vulnerability of a browser or application software to embed malicious code, so that the user's equipment is tampered with or destroyed after the user unknowingly clicks on it; as another example, it may be a domain name that counterfeits another website, such as a banking website or an e-commerce website, which, although not destructive to the user's device, may still harm the user's property and reputation. To reduce the harm caused by illegal domain names, illegal domain name registration groups need to be discovered and punished promptly and comprehensively.
To facilitate understanding of the solution provided by the present application, a brief explanation of an illegal domain name registration group is given below:
Domain name registration generally requires the registrant to provide registration information such as a name, a mailbox and/or a telephone number, and the registration information actually required may differ between domain name registration authorities. For example, domain name registration authority A may only require a registrant to provide a name and a telephone number, domain name registration authority B may only require mailbox information, domain name registration authority C may require a name, a telephone number and a mailbox, and so on.
To avoid supervision, illegal domain name registration groups often use several different sets of names, mailboxes, and phones to register a large number of domain names at a number of different domain name registration authorities, for example name 1 with phone 1 and name 2 with phone 2 at domain name registration authority A; mailbox 1 and mailbox 2 at domain name registration authority B; name 1, phone 1, and mailbox 2 at domain name registration authority C; and so on. Therefore, among the domain names found by a reverse lookup on only part of the registration information (such as the name), the registration phone and the registration mailbox may not be completely consistent.
To discover illegal domain name registration groups, the present application provides an illegal domain name registration group mining method. It mines the groups from the perspective of a social network by using the Louvain algorithm, so that the mining result is comprehensive and accurate. To make the objects, technical solutions and advantages of the present application clearer, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, Fig. 1 is a flowchart of the illegal domain name registration group mining method provided by the present application. In one embodiment, the process is applicable to electronic devices such as servers, computers, and the like. As shown in Fig. 1, the flow includes the following steps S101 to S103:
Step S101, acquiring a plurality of illegal domain names on which registration group mining is to be performed, and acquiring attribute values of target attributes of the plurality of illegal domain names.
As for how the illegal domain names are acquired in step S101, mature domain name acquisition and illegal domain name identification technologies exist in the prior art, and details are not described herein. As an embodiment, when illegal domain names are obtained from those already identified, they may be selected by a rule chosen according to actual needs, for example: obtaining a certain number of illegal domain names, obtaining illegal domain names whose character composition is correct, obtaining illegal domain names whose registration time falls within a target time interval, and so on.
In one example, a domain name has multiple attributes, such as: the IP address obtained by resolving the domain name, registrant name, registration mailbox, registration phone, registration time, expiration time, geographic location, domain name operator, domain name facilitator, etc. As an embodiment, for an illegal domain name that has been identified, the attributes may further include an illegal tag identifying which kind of illegal domain name it is, where the kinds may include: counterfeit websites, malicious domain names, etc.
In one example, the target attribute may include at least one strongly associated attribute. When the attribute values of a strongly associated attribute of two illegal domain names are the same, the two illegal domain names can be considered to be strongly associated, that is, they are more likely to have been registered by the same registration group. The strongly associated attributes are illustrated below:
1) Personal information required for domain name registration, such as registrant name, registration mailbox, and registration phone:
Generally, the same illegal domain name registration group uses at least one set of the personal information required for domain name registration (registrant name, registration mailbox, registration phone, etc.) to register a large number of domain names at different domain name registration authorities. Such personal information has a certain privacy and is not easily repeated, so if any item of the personal information used to register two illegal domain names is the same, for example the two illegal domain names have the same registration phone although their registration mailboxes are different, the two illegal domain names can be considered to be strongly associated. Therefore, the embodiment of the application regards personal information required for domain name registration, such as registrant name, registration mailbox and registration phone, as strongly associated attributes of illegal domain names.
2) The IP address obtained by resolving an illegal domain name:
The IP address obtained by resolving the illegal domain name, that is, the IP address that has a mapping relationship with the illegal domain name, identifies the host used by the illegal domain name registration group. Generally, an illegal domain name registration group uses one host or a group of hosts to register multiple domain names, and if the IP addresses obtained by resolving two illegal domain names are the same, the hosts used in registering the two illegal domain names are more likely to be the same. Therefore, the embodiment of the application regards the IP address obtained by resolving the illegal domain name as a strongly associated attribute of the illegal domain name.
3) Registration time and expiration time:
Because a large number of users may register domain names at the same domain name registration authority or at multiple domain name registration authorities within a relatively short period of time (e.g., a day), two domain names that merely have the same or similar registration times are likely to have been registered by different illegal domain name registration groups. Therefore, the registration time can be regarded as a weakly associated attribute of the illegal domain name, and the expiration time, which is based on the registration time, can also be regarded as a weakly associated attribute of the illegal domain name.
As an embodiment, the target attribute of the illegal domain name in step S101 may include: at least one of the registrant name, the registration mailbox, the registration phone, and the IP address obtained by resolving the illegal domain name.
At this point, the illegal domain names and the attribute values of their target attributes have been obtained.
Step S102, building a graph according to the obtained illegal domain names and the attribute values of the target attributes of the illegal domain names.
The graph built in step S102 is the input on which the Louvain algorithm runs in the subsequent step.
In one example, the graph-building process in step S102 may include: taking each obtained illegal domain name as a node in the graph, and connecting the nodes corresponding to two illegal domain names in the graph if the attribute values of the target attributes of those two illegal domain names are the same.
As an embodiment, if the target attribute includes multiple strongly associated attributes, the attribute values of the target attributes of two illegal domain names may be determined to be the same when the attribute values of any one of the target attributes of the two illegal domain names are the same. According to actual needs, when judging whether the IP addresses obtained by resolving two illegal domain names are the same, they may be determined to be the same only when the IP addresses are completely identical, or they may be determined to be the same when the network segments of the IP addresses are the same, and so on. The attribute values of the target attributes of two illegal domain names may also be determined to be the same in various other ways; for example, they may be determined to be the same when the attribute values of at least two of the target attributes of the two illegal domain names are the same, and so on.
To make step S102 easier to understand, it is described below by way of example with reference to Fig. 2A and Fig. 2B:
Figs. 2A-2B are schematic diagrams of the graph-building process provided in the embodiments of the present application. As shown in Fig. 2A, each obtained illegal domain name is used as a node in the graph, that is, each node in Fig. 2A corresponds to an illegal domain name.
If the attribute values of the target attributes of any two of the illegal domain names shown in Fig. 2A are the same, the nodes corresponding to the two illegal domain names can be connected in the graph. Taking a target attribute that includes the registrant name, the registration mailbox, and the registration phone as an example, if the registration mailboxes of the illegal domain name "erpvh.in" and the illegal domain name "every.pw" in Fig. 2A are the same, the nodes corresponding to "erpvh.in" and "every.pw" in Fig. 2A may be connected; if the registrant name and the registration phone of the illegal domain name "dyeyx.cn" and the illegal domain name "fesyv.pm" are the same, the nodes corresponding to "dyeyx.cn" and "fesyv.pm" in Fig. 2A can be connected; and so on. The completed graph is shown in Fig. 2B.
At this point, the graph has been built in step S102.
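The graph construction of step S102, as an added example that is not code from the patent: it indexes domains by attribute value so that only domains sharing a value are compared, and it covers the matching variants described above (any one attribute, same network segment for IP addresses, at least two attributes). The record layout, attribute keys, function names, the `ignore` option for placeholder values and all attribute values are assumptions constructed for illustration; only the four short domain names come from the description.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample data. The four short domain names are the ones used in the
# description of Fig. 2A; every attribute value is invented for this example.
RECORDS = {
    "erpvh.in": {"name": "name1", "mailbox": "m1@example.com",
                 "phone": "555-0101", "ip": "192.0.2.10"},
    "every.pw": {"name": "name2", "mailbox": "m1@example.com",
                 "phone": "555-0102", "ip": "198.51.100.7"},
    "dyeyx.cn": {"name": "name3", "mailbox": "m3@example.com",
                 "phone": "555-0103", "ip": "203.0.113.5"},
    "fesyv.pm": {"name": "name3", "mailbox": "m4@example.com",
                 "phone": "555-0103", "ip": "203.0.113.77"},
    "lone.example": {"name": "", "mailbox": None,
                     "phone": "555-0199", "ip": "192.0.2.200"},
}

STRONG_ATTRS = ("name", "mailbox", "phone", "ip")  # hypothetical key names


def normalize(attr, value, ip_prefix=None, ignore=frozenset()):
    """Return a comparable key for an attribute value, or None if unusable."""
    if value is None or not str(value).strip():
        return None                      # a missing value never creates an edge
    value = str(value).strip().lower()
    if value in ignore:
        return None                      # assumption: caller lists placeholder values
    if attr == "ip" and ip_prefix is not None:
        # "Same network segment" variant: compare the enclosing network.
        try:
            return str(ipaddress.ip_network(f"{value}/{ip_prefix}", strict=False))
        except ValueError:
            return None                  # unparseable address: do not match on it
    return value


def shared_attributes(records, attrs=STRONG_ATTRS, ip_prefix=None,
                      ignore=frozenset()):
    """Map each domain pair (a, b), a < b, to the set of attributes they share."""
    buckets = defaultdict(set)           # (attribute, key) -> domains with that key
    for domain, rec in records.items():
        for attr in attrs:
            key = normalize(attr, rec.get(attr), ip_prefix, ignore)
            if key is not None:
                buckets[(attr, key)].add(domain)
    shared = defaultdict(set)
    for (attr, _), domains in buckets.items():
        for a, b in combinations(sorted(domains), 2):
            shared[(a, b)].add(attr)
    return dict(shared)


def build_graph(records, min_shared=1, **match_options):
    """Step S102: one node per domain, an edge when enough attributes match."""
    graph = {domain: set() for domain in records}
    for (a, b), attrs in shared_attributes(records, **match_options).items():
        if len(attrs) >= min_shared:
            graph[a].add(b)
            graph[b].add(a)
    return graph


if __name__ == "__main__":
    for label, g in (("any attribute", build_graph(RECORDS)),
                     ("/24 segment", build_graph(RECORDS, ip_prefix=24)),
                     ("two attributes", build_graph(RECORDS, min_shared=2))):
        print(label, {d: sorted(n) for d, n in g.items()})
```

Keeping the per-pair attribute sets from `shared_attributes` lets an analyst see why two domains were linked before trusting a community built from those edges.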
Step S103, running the Louvain algorithm on the graph so built, and taking each community divided by the Louvain algorithm as an illegal domain name registration group.
Louvain is a community discovery algorithm based on modularity and is regarded as one of the best-performing community discovery algorithms. Modularity measures how tightly knit a community is: the larger the value of the modularity, the better the community division and the tighter the communities. If adding a node to a community gives the maximum increase in modularity, the node is considered to belong to that community.
The definition of the modularity can be seen in the following formula:
Figure BDA0002924520630000071
where Q represents the modularity, m represents the number of edges in the graph, c represents a community, E_c represents the number of edges in community c, and Σtot represents the sum of the degrees of the nodes in community c, i.e., the number of child nodes owned by the nodes in community c.
In a specific implementation, there are multiple ways to run the Louvain algorithm on the graph in step S103; one of them is illustrated later with reference to Fig. 3 and is not described here.
After the Louvain algorithm is run on the graph built in step S102, a plurality of communities are obtained, where each community is a group composed of a plurality of strongly associated illegal domain names, that is, a group composed of a plurality of illegal domain names that are likely to have been registered by the same illegal domain name registration group. Therefore, each community divided by the Louvain algorithm can be directly used as an illegal domain name registration group.
Thus, the flow shown in Fig. 1 is completed.
Through the flow shown in Fig. 1, the illegal domain names to be mined and the attribute values of their target attributes are obtained, a graph is built from them, and the Louvain algorithm is run on that graph, so that illegal domain name registration groups can be mined quickly and comprehensively.
As an embodiment, a mined illegal domain name registration group can then be tracked and punished according to information such as the registration information it used. This part is not described in detail herein, as it is not the main subject of protection of this application.
With reference to Fig. 3, how the Louvain algorithm is run in step S103 on the graph built in step S102 is described as follows:
Referring to Fig. 3, Fig. 3 is a flowchart illustrating the operation of the Louvain algorithm provided in the embodiment of the present application. As shown in Fig. 3, the process includes:
Step S301, taking each node in the graph as a community of its own.
For ease of understanding, each community can be directly considered as an illegal domain name registration group, and step S301 can be understood as: regarding the node corresponding to each illegal domain name in the graph as an independent illegal domain name registration group.
Step S302, for each node, trying in turn to assign the node to the community of each of its adjacent nodes, calculating the modularity variation value before and after the assignment, determining the maximum modularity variation value, and if the maximum modularity variation value is larger than 0, assigning the node to the community corresponding to the maximum modularity variation value.
As an example, the modularity variation value in step S302 refers to the difference between the modularity after the assignment and the modularity before the assignment, and the modularity may be calculated with the modularity formula provided above.
Step S303, compressing all nodes of each community into a new node, converting the weights between the nodes inside the community into the weight of a ring (self-loop) on the new node, and converting the weights of the edges between communities into the weights of the edges between the corresponding new nodes.
It should be noted that, after all the nodes in each community are compressed into a new node, all the nodes in the community are child nodes of the new node.
Step S304, repeatedly executing steps S301-S303 until the communities to which all the nodes belong no longer change.
When the communities to which all the nodes belong no longer change, the final community division result is obtained, that is, the final illegal domain name registration group mining result.
As an embodiment, the final community division result may be output in graph form or in text form.
The result of running the Louvain algorithm on the graph can be seen in Fig. 4. Fig. 4 is a schematic diagram of an operation result of the Louvain algorithm provided in the embodiment of the present application. In Fig. 4, nodes with different gray levels represent different communities, that is, different illegal domain name registration groups. It should be noted that the nodes are compressed when the Louvain algorithm is run, and the illegal domain names finally corresponding to each node are not marked in Fig. 4.
The flow shown in Fig. 3 is completed.
It should be noted that the flow shown in Fig. 3 is only an example, and other implementations that exist in practical applications may also be used to implement step S103 provided in this application.
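The Fig. 3 flow (steps S301 to S304) as an added example, not the applicant's implementation: a small pure-Python Louvain run over a constructed graph, with a modularity function in the standard form Q = Σ_c [E_c/m − (Σtot/2m)²] written with the symbols defined above. The function names, the node names and the sample graph are assumptions; ties are broken by sorted neighbour order so the result is reproducible.

```python
from collections import defaultdict

# Constructed sample graph (node -> neighbours): two triangles of made-up
# domain names joined by one edge, plus one domain that shares nothing.
GRAPH = {
    "a1.example": {"a2.example", "a3.example"},
    "a2.example": {"a1.example", "a3.example"},
    "a3.example": {"a1.example", "a2.example", "b1.example"},
    "b1.example": {"a3.example", "b2.example", "b3.example"},
    "b2.example": {"b1.example", "b3.example"},
    "b3.example": {"b1.example", "b2.example"},
    "solo.example": set(),
}


def one_level(adj):
    """Steps S301-S302 on a weighted graph; adj[u][u] holds a self-loop weight."""
    degree = {u: sum(w for v, w in nbrs.items() if v != u) + 2 * nbrs.get(u, 0)
              for u, nbrs in adj.items()}
    two_m = sum(degree.values())
    comm = {u: u for u in adj}           # S301: every node is its own community
    tot = dict(degree)                   # sum of degrees per community
    moved = two_m > 0
    while moved:
        moved = False
        for u in adj:
            links = defaultdict(float)   # weight from u into each adjacent community
            for v, w in adj[u].items():
                if v != u:
                    links[comm[v]] += w
            old, k = comm[u], degree[u]
            tot[old] -= k                # take u out, then compare candidate gains
            best, best_gain = old, links.get(old, 0.0) - tot[old] * k / two_m
            for c, k_in in links.items():
                gain = k_in - tot[c] * k / two_m      # proportional to delta Q
                if gain > best_gain + 1e-12:          # move only on a real increase
                    best, best_gain = c, gain
            tot[best] += k
            if best != old:
                comm[u], moved = best, True
    return comm


def aggregate(adj, comm):
    """Step S303: one new node per community; internal edges become a self-loop."""
    new = defaultdict(lambda: defaultdict(float))
    for u, nbrs in adj.items():
        new[comm[u]]                     # keep communities that have no edges
        for v, w in nbrs.items():
            if u == v:
                new[comm[u]][comm[u]] += w
            elif comm[u] == comm[v]:
                new[comm[u]][comm[u]] += w / 2   # edge is visited from both ends
            else:
                new[comm[u]][comm[v]] += w
    return {c: dict(n) for c, n in new.items()}


def louvain(graph):
    """Step S304: repeat S301-S303 until no node changes community."""
    adj = {u: {v: 1.0 for v in sorted(nbrs)} for u, nbrs in graph.items()}
    members = {u: {u} for u in adj}      # new node -> original domains it contains
    while True:
        comm = one_level(adj)
        if all(comm[u] == u for u in adj):
            return sorted(sorted(m) for m in members.values())
        merged = defaultdict(set)
        for u, c in comm.items():
            merged[c] |= members[u]
        members, adj = dict(merged), aggregate(adj, comm)


def modularity(graph, communities):
    """Q = sum over c of [E_c/m - (tot/2m)^2] for an unweighted, loop-free graph."""
    m = sum(len(nbrs) for nbrs in graph.values()) / 2
    q = 0.0
    for c in map(set, communities):
        e_c = sum(1 for u in c for v in graph[u] if v in c) / 2
        tot = sum(len(graph[u]) for u in c)
        q += e_c / m - (tot / (2 * m)) ** 2
    return q


if __name__ == "__main__":
    groups = louvain(GRAPH)
    print(groups, round(modularity(GRAPH, groups), 4))
```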
The method provided by the present application is described above, and the device provided by the present application is described below:
Referring to Fig. 5, Fig. 5 is a structural diagram of the illegal domain name registration group mining device provided in the present application. As shown in Fig. 5, the apparatus includes an acquisition unit 501, a mapping unit 502, and a mining unit 503.
In an example, the acquisition unit 501 is configured to acquire the illegal domain names on which registration group mining is to be performed, and to acquire the attribute values of the target attributes of the illegal domain names;
the mapping unit 502 is configured to build a graph according to the illegal domain names and the attribute values of the target attributes of the illegal domain names, including: taking each illegal domain name as a node in the graph, and if the attribute values of the target attributes of any two of the illegal domain names are the same, connecting the nodes corresponding to the two illegal domain names in the graph;
and the mining unit 503 is configured to run the Louvain algorithm on the graph so built, and to take each community divided by the Louvain algorithm as an illegal domain name registration group.
As an embodiment, the target attribute at least includes: the registrant, the registration mailbox, the registration phone and/or the IP address obtained by resolving the illegal domain name.
As an embodiment, the mapping unit 502 determines that the attribute values of the target attributes of two illegal domain names are the same in the following way:
if the attribute value of any one of the target attributes of the two illegal domain names is the same, determining that the attribute values of the target attributes of the two illegal domain names are the same.
As an embodiment, the mining unit 503 is specifically configured to:
repeatedly execute the following steps until the communities to which all the nodes in the graph belong no longer change:
taking each node in the graph as a community of its own;
for each node in the graph, trying in turn to assign the node to the community of each of its adjacent nodes, calculating the modularity variation value before and after the assignment, determining the maximum modularity variation value, and if the maximum modularity variation value is larger than 0, assigning the node to the community corresponding to the maximum modularity variation value;
compressing all nodes of each community into a new node, converting the weights between the nodes inside the community into the weight of a ring (self-loop) on the new node, and converting the weights of the edges between communities into the weights of the edges between the corresponding new nodes.
The implementation process of the functions and actions of the modules in the apparatus is specifically described in the implementation process of the corresponding steps in the method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the components shown as modules may or may not be physical modules, may be located in one place, or may be distributed over a plurality of network modules. The modules can be selected according to actual needs to achieve the purpose of the scheme in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
Referring to fig. 6, fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 601, memory 602, and a communication bus 603. The processor 601 and the memory 602 communicate with each other via a communication bus 603. Wherein, the memory 602 stores a computer program; processor 601 may perform the illegitimate domain name registration group mining method described above by executing a program stored on memory 602.
The memory 602 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the memory 602 may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
Embodiments of the present application also provide a machine-readable storage medium, such as the memory 602 in fig. 6, storing a computer program, which can be executed by the processor 601 in the electronic device shown in fig. 6 to implement the illegal domain name registration group mining method described above.
For convenience of description, the above devices are described as being divided into various units by function, and the units are described separately. Of course, when implementing the present application, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. An illegal domain name registration group mining method, characterized in that the method comprises:
acquiring a plurality of illegal domain names to be subjected to registration group mining, and acquiring attribute values of target attributes of the plurality of illegal domain names;
drawing a graph according to the plurality of illegal domain names and the attribute values of the target attributes of the plurality of illegal domain names, comprising: taking each illegal domain name as a node in the graph, and if the attribute values of the target attributes of any two illegal domain names are the same, connecting the nodes corresponding to the two illegal domain names in the graph;
and running a Louvain algorithm based on the drawn graph, and taking each community divided by the Louvain algorithm as an illegal domain name registration group.
2. The method of claim 1, wherein the target attributes comprise at least: a registrant, a registration mailbox, a registration phone and/or the IP address obtained by resolving the illegal domain name.
3. The method according to claim 2, wherein whether the attribute values of the target attributes of two illegal domain names are the same is determined by:
if the attribute value of any one of the target attributes of the two illegal domain names is the same, determining that the attribute values of the target attributes of the two illegal domain names are the same.
4. The method of claim 1, wherein running the Louvain algorithm based on the drawn graph comprises:
repeatedly executing the following steps until the communities to which all the nodes in the graph belong no longer change:
taking each node in the graph as a community;
for each node in the graph, tentatively assigning the node in turn to the community of each of its adjacent nodes, calculating the modularity change before and after each assignment, determining the maximum modularity change, and if the maximum modularity change is greater than 0, assigning the node to the community corresponding to the maximum modularity change;
compressing all nodes of each community into a new node, converting the weights of the nodes in the community into the weight of a self-loop (ring) on the new node, and converting the weights of the edges between communities into the weights of the edges between the corresponding new nodes.
5. An illegal domain name registration group mining device, comprising:
the system comprises an acquisition unit, a searching unit and a processing unit, wherein the acquisition unit is used for acquiring a plurality of illegal domain names to be subjected to registration group mining and acquiring attribute values of target attributes of the plurality of illegal domain names;
a drawing unit, configured to draw a graph according to the plurality of illegal domain names and the attribute values of the target attributes of the plurality of illegal domain names, comprising: taking each illegal domain name as a node in the graph, and if the attribute values of the target attributes of any two illegal domain names are the same, connecting the nodes corresponding to the two illegal domain names in the graph;
and a mining unit, configured to run the Louvain algorithm based on the drawn graph and to take each community divided by the Louvain algorithm as an illegal domain name registration group.
6. The apparatus of claim 5, wherein the target attributes comprise at least: a registrant, a registration mailbox, a registration phone and/or the IP address obtained by resolving the illegal domain name.
7. The apparatus according to claim 6, wherein the drawing unit determines that the attribute values of the target attributes of two illegal domain names are the same by:
if the attribute value of any one of the target attributes of the two illegal domain names is the same, determining that the attribute values of the target attributes of the two illegal domain names are the same.
8. The apparatus according to claim 5, wherein the mining unit is specifically configured to:
repeatedly execute the following steps until the communities to which all the nodes in the graph belong no longer change:
taking each node in the graph as a community;
for each node in the graph, tentatively assigning the node in turn to the community of each of its adjacent nodes, calculating the modularity change before and after each assignment, determining the maximum modularity change, and if the maximum modularity change is greater than 0, assigning the node to the community corresponding to the maximum modularity change;
compressing all nodes of each community into a new node, converting the weights of the nodes in the community into the weight of a self-loop (ring) on the new node, and converting the weights of the edges between communities into the weights of the edges between the corresponding new nodes.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the method of any of claims 1 to 4.
10. A computer-readable storage medium, comprising a stored computer program, wherein the computer program, when executed by a processor, controls an apparatus in which the storage medium is located to perform the method of any of claims 1 to 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110127589.1A CN112910888A (en) 2021-01-29 2021-01-29 Illegal domain name registration group mining method and device

Publications (1)

Publication Number Publication Date
CN112910888A true CN112910888A (en) 2021-06-04

Family

ID=76121291

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110127589.1A Pending CN112910888A (en) 2021-01-29 2021-01-29 Illegal domain name registration group mining method and device

Country Status (1)

Country Link
CN (1) CN112910888A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113988870A (en) * 2021-10-27 2022-01-28 支付宝(杭州)信息技术有限公司 Group partner identification method and device

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160260039A1 (en) * 2015-03-03 2016-09-08 Go Daddy Operating Company, LLC System and method for domain name community network
CN108600249A (en) * 2018-05-04 2018-09-28 哈尔滨工业大学(威海) The method that illegal domain name registration clique excavates is carried out based on multidimensional related information
CN108681936A (en) * 2018-04-26 2018-10-19 浙江邦盛科技有限公司 A kind of fraud clique recognition methods propagated based on modularity and balance label
CN109859054A (en) * 2018-12-13 2019-06-07 平安科技(深圳)有限公司 Network community method for digging, device, computer equipment and storage medium
CN110135853A (en) * 2019-04-25 2019-08-16 阿里巴巴集团控股有限公司 Clique's user identification method, device and equipment
CN110209660A (en) * 2019-06-10 2019-09-06 北京阿尔山金融科技有限公司 Cheat clique's method for digging, device and electronic equipment
CN110557382A (en) * 2019-08-08 2019-12-10 中国科学院信息工程研究所 Malicious domain name detection method and system by utilizing domain name co-occurrence relation
CN110830607A (en) * 2019-11-08 2020-02-21 杭州安恒信息技术股份有限公司 Domain name analysis method and device and electronic equipment
CN110929141A (en) * 2018-09-20 2020-03-27 百度在线网络技术(北京)有限公司 Group mining method, device, equipment and storage medium
CN111355697A (en) * 2018-12-24 2020-06-30 深信服科技股份有限公司 Detection method, device, equipment and storage medium for botnet domain name family
CN112104677A (en) * 2020-11-23 2020-12-18 北京金睛云华科技有限公司 Controlled host detection method and device based on knowledge graph
CN112148767A (en) * 2020-09-11 2020-12-29 支付宝(杭州)信息技术有限公司 Group mining method, abnormal group identification method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210604