CN116760645A - Malicious domain name detection method and device - Google Patents

Malicious domain name detection method and device

Info

Publication number: CN116760645A
Authority: CN (China)
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN202311055354.1A
Other languages: Chinese (zh)
Other versions: CN116760645B (en)
Inventors: 吕英豪, 朱文雷
Current and original assignee: Beijing Chaitin Tech Co ltd
Classifications

    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • H04L63/1483 Countermeasures against service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/101 Access control lists [ACL]
    • H04L63/20 Managing network security; network security policies in general
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L43/16 Threshold monitoring
    • H04L9/40 Network security protocols

(All classes fall under H04L, transmission of digital information, in Section H, electricity.)

Abstract

The embodiment of the application provides a malicious domain name detection method and device, which belong to the technical field of network security, and the method comprises the following steps: analyzing the domain name to be detected to obtain a structure body to be detected, wherein the structure body to be detected comprises a plurality of domain name characteristics; checking whether the structure to be detected is recorded in a plurality of domain name databases according to a preset checking sequence, if so, ending the detection, otherwise, entering the next step; according to a preset matching sequence and a preset detection sequence, sequentially matching a plurality of domain name features of a structure to be detected with a plurality of malicious domain name rules; determining the weighted average membership degree of the structure to be detected according to the matching result of the multiple domain name characteristics of the structure to be detected and the multiple malicious domain name rules; and when the weighted average membership of the structure to be detected is greater than the dynamic threshold value, determining that the domain name to be detected is a potential malicious domain name. The method and the device can improve the efficiency of malicious domain name detection and the accuracy of malicious domain name detection.

Description

Malicious domain name detection method and device
Technical Field
The embodiment of the application belongs to the technical field of network security, and particularly relates to a malicious domain name detection method and device.
Background
The internet has become an integral part of people's daily lives, but at the same time network security has become an increasingly serious problem. Malware and cyber attacks are becoming increasingly rampant, resulting in ever greater cyber security threats.
Among them, malicious domain names are one of the common attack means. Malicious domain names may be used for many malicious activities such as phishing, malware propagation, and denial of service attacks.
Traditional malicious domain name detection methods typically rely on threat intelligence, i.e., identifying and preventing the offensive behavior of a malicious domain name by analyzing known malicious domain names and network attack events. However, this approach has some drawbacks. First, the collection and analysis of threat intelligence requires a significant amount of time and effort, resulting in inefficient detection of malicious domain names. Secondly, threat intelligence is not necessarily updated in time and does not necessarily cover all malicious domain names, so the detection accuracy for malicious domain names is low.
Disclosure of Invention
The application provides a malicious domain name detection method and device for solving the technical problems of low malicious domain name detection efficiency and low detection accuracy in the prior art.
In a first aspect, the present application provides a malicious domain name detection method, including:
analyzing the domain name to be detected to obtain a structure body to be detected, wherein the structure body to be detected comprises a plurality of domain name characteristics;
checking whether the structure to be detected is recorded in a plurality of domain name databases according to a preset checking sequence, if so, ending the detection, otherwise, entering the next step;
according to a preset matching sequence and a preset detection sequence, sequentially matching a plurality of domain name features of a structure to be detected with a plurality of malicious domain name rules;
determining the weighted average membership degree of the structure to be detected according to the matching result of the multiple domain name characteristics of the structure to be detected and the multiple malicious domain name rules;
and when the weighted average membership of the structure to be detected is greater than the dynamic threshold value, determining that the domain name to be detected is a potential malicious domain name.
In a second aspect, the present application provides a malicious domain name detection device, including:
the analysis module is used for analyzing the domain name to be detected to obtain a structure body to be detected, wherein the structure body to be detected comprises a plurality of domain name characteristics;
the checking module is used for checking whether the structure body to be checked is recorded in a plurality of domain name databases according to a preset checking sequence, if so, ending the detection, otherwise, entering the next step;
the matching module is used for sequentially matching a plurality of domain name features of the structure to be detected with a plurality of malicious domain name rules according to a preset matching sequence and a preset detection sequence;
the first determining module is used for determining weighted average membership of the structure to be detected according to the matching result of the multiple domain name characteristics of the structure to be detected and the multiple malicious domain name rules;
and the second determining module is used for determining that the domain name to be detected is a potential malicious domain name under the condition that the weighted average membership degree of the structure to be detected is larger than the dynamic threshold value.
Compared with the prior art, the application has at least the following beneficial effects:
in the application, a plurality of domain name features of the structure to be detected are sequentially matched with a plurality of malicious domain name rules, and the weighted average membership of the structure to be detected is determined; when the weighted average membership of the structure to be detected is larger than a dynamic threshold value, the domain name to be detected is determined to be a potential malicious domain name. This realizes automatic and accurate detection of potential malicious domain names without excessive reliance on threat intelligence, which improves the efficiency of malicious domain name detection. Introducing the dynamic threshold value when judging potential malicious domain names widens the application range of the malicious domain name detection method and improves the detection accuracy.
Drawings
FIG. 1 is a schematic flow chart of a malicious domain name detection method provided by the application;
FIG. 2 is a schematic diagram of a malicious domain name detection method according to the present application;
FIG. 3 is a schematic structural diagram of a malicious domain name detection device provided by the application;
the accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. Some specific embodiments of the application will be described in detail hereinafter by way of example and not by way of limitation with reference to the accompanying drawings.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present application with reference to the accompanying drawings. It will be apparent that the described embodiments are merely some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
In a first aspect, referring to fig. 1, a flowchart of a malicious domain name detection method provided by an embodiment of the present application is shown.
Referring to fig. 2, a schematic structural diagram of a malicious domain name detection method according to an embodiment of the present application is shown.
The application provides a malicious domain name detection method, which comprises the following steps:
S101: Parse the domain name to be detected to obtain the structure to be detected, where the structure to be detected comprises a plurality of domain name features.
Wherein the domain name features comprise: protocol header, port number, main domain name, sub domain name, request parameters, complete string, and regional top-level domain name.
Specifically, DNS resolution or URL parsing may be used to parse the domain name to be detected and obtain the structure to be detected.
S102: Check whether the structure to be detected is recorded in a plurality of domain name databases according to a preset checking sequence; if so, end the detection, otherwise enter the next step.
In one possible implementation, S102 specifically includes: checking whether the structure to be detected is recorded in the domain name databases in the following order: the intrusion detection report database, the threat information database, the blacklist database and the whitelist database.
Wherein the intrusion detection report database is a database that records known network intrusion events and attacks. When security events occur, network administrators, security specialists, or security teams investigate and analyze these events and record the relevant information in the intrusion detection report database. These databases may be maintained by different organizations, security vendors, or independent security researchers.
The threat information database is a database for recording network threat information, and the information can come from public information sources, malicious sample analysis, vulnerability reports and other channels. The goal of the threat intelligence database is to provide timely, accurate threat information to help security teams identify and address new cyber threats.
The blacklist database is a database for recording known malicious domain names, IP addresses, URLs, and the like. The purpose of these databases is to help network administrators and users avoid interaction with malicious entities, thereby reducing network risk.
The white list database is a database for recording known trusted and legal domain names, IP addresses, URLs and the like. The purpose of these databases is to help network administrators and users identify and trust specific entities, thereby ensuring secure network communications and resource access.
In the application, the intrusion detection report database, the threat information database, the blacklist database and the whitelist database are used to filter the structure to be detected. This reduces the computational cost of the detection algorithm as far as possible while keeping security, improves detection efficiency, allows a quick judgment of whether a domain name is malicious, and avoids unnecessary calculation and waste of resources. Only if no relevant record is found does the detection flow continue to the finer malicious domain name rule matching and weighted average membership calculation, so that malicious domain name detection is performed more comprehensively.
S103: Sequentially match the plurality of domain name features of the structure to be detected with a plurality of malicious domain name rules according to a preset matching sequence and a preset detection sequence.
In one possible implementation, S103 specifically includes: matching each domain name feature of the structure to be detected with the malicious domain name rules, taking the features in the matching order protocol header, port number, main domain name, sub domain name, request parameters, complete string and regional top-level domain name, and applying the detection methods in the order prefix matching, suffix matching, regular expression matching, YARA expression matching and custom function matching.
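As an added worked example (not code from the patent or from Beijing Chaitin Tech), the following Python sketches S101 to S103 end to end: a URL is parsed into the seven domain name features, the host is looked up in four constructed databases in the order the text gives, and only when no database has a record is each feature matched against rules in the stated feature order and detection order. The database contents, the sample rules and the host-label splitting are constructed assumptions; YARA expression matching is omitted because it would require the yara-python package.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple, Union
from urllib.parse import urlsplit

# Matching order of the domain name features and detection order of the rule types, as
# listed in S103. YARA expression matching is left out (it needs the yara-python package);
# the other four detection methods are implemented.
FEATURE_ORDER = ["protocol_header", "port_number", "main_domain", "sub_domain",
                 "request_parameters", "complete_string", "regional_tld"]
DETECTION_ORDER = ["prefix", "suffix", "regex", "custom"]


def parse_structure(url: str) -> Dict[str, str]:
    """S101: parse the URL to be detected into the feature structure.

    Label splitting is a simplification (assumption): the last host label is taken as the
    regional/top-level domain, the label before it as the main domain and everything
    earlier as the sub domain. A public-suffix list would be needed for names such as
    example.co.uk."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    main = labels[-2] if len(labels) > 1 else host
    sub = ".".join(labels[:-2]) if len(labels) > 2 else ""
    return {
        "protocol_header": parts.scheme,
        "port_number": str(parts.port) if parts.port else "",
        "main_domain": main,
        "sub_domain": sub,
        "request_parameters": parts.query,
        "complete_string": url,
        "regional_tld": tld,
        "host": host,  # kept for the database lookup; not one of the seven features
    }


# S102: constructed sample databases (placeholder names, not real indicators), consulted
# in the order the text gives: intrusion detection reports, threat intelligence,
# blacklist, whitelist.
DATABASES: List[Tuple[str, Set[str]]] = [
    ("intrusion_detection_report", {"c2.constructed-example.test"}),
    ("threat_intelligence", {"dropper.constructed-example.test"}),
    ("blacklist", {"bad.constructed-example.test"}),
    ("whitelist", {"www.example.com"}),
]


def lookup_databases(host: str) -> Optional[str]:
    """Return the name of the first database that records the host, or None."""
    for name, records in DATABASES:
        if host in records:
            return name
    return None


@dataclass
class Rule:
    method: str                                  # one of DETECTION_ORDER
    feature: str                                 # one of FEATURE_ORDER
    pattern: Union[str, Callable[[str], bool]]   # str, or a callable for "custom"
    name: str


def rule_matches(rule: Rule, value: str) -> bool:
    if rule.method == "prefix":
        return value.startswith(rule.pattern)
    if rule.method == "suffix":
        return value.endswith(rule.pattern)
    if rule.method == "regex":
        return re.search(rule.pattern, value) is not None
    if rule.method == "custom":
        return bool(rule.pattern(value))
    raise ValueError(f"unknown detection method {rule.method!r}")


def match_rules(structure: Dict[str, str], rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """S103: walk the features in FEATURE_ORDER and, within each, the detection methods in
    DETECTION_ORDER; return (method, feature, rule name) for every successful match."""
    hits = []
    for feature in FEATURE_ORDER:
        for method in DETECTION_ORDER:
            for rule in rules:
                if (rule.feature == feature and rule.method == method
                        and rule_matches(rule, structure[feature])):
                    hits.append((method, feature, rule.name))
    return hits


def detect(url: str, rules: List[Rule]) -> Tuple[str, object]:
    """S101-S103 chained: ("database", name) ends detection early; otherwise ("rules", hits)
    is the match result that S104 turns into a weighted average membership."""
    structure = parse_structure(url)
    source = lookup_databases(structure["host"])
    if source is not None:
        return ("database", source)
    return ("rules", match_rules(structure, rules))


# Constructed sample rules; the patterns are illustrative, not a vetted rule set.
SAMPLE_RULES = [
    Rule("prefix", "sub_domain", "login-", "login-prefix"),
    Rule("suffix", "main_domain", "-secure", "secure-suffix"),
    Rule("regex", "request_parameters", r"(?i)passw(or)?d=", "credential-in-query"),
    Rule("custom", "main_domain",
         lambda v: any(c.isdigit() for c in v) and any(c.isalpha() for c in v),
         "digit-letter-mix"),
]

if __name__ == "__main__":
    print(detect("http://www.example.com/", SAMPLE_RULES))
    print(detect("http://login-update.paypa1-secure.test/?passwd=x", SAMPLE_RULES))
```

The early return on a database hit is what keeps the rule engine cheap: the ordered lookups run before any regular expression is evaluated, and the whitelist is consulted last, so a name that appears in both an intrusion report and the whitelist is still reported under the intrusion report.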
S104: and determining the weighted average membership degree of the structure to be detected according to the matching result of the multiple domain name characteristics of the structure to be detected and the multiple malicious domain name rules.
It should be noted that, the system may comprehensively consider the matching condition of multiple features of the domain name to be detected and multiple malicious domain name rules to obtain a comprehensive evaluation value (weighted average membership) to indicate whether the domain name is likely to be malicious. The higher weighted average membership represents that the matching degree of the domain name to be detected and the malicious rule is higher, and the domain name is more likely to be a potential malicious domain name; conversely, a lower weighted average membership indicates a lower degree of matching and a lower likelihood.
In one possible implementation, S104 specifically includes:
When the $k$-th domain name feature is matched successfully against the $j$-th class of malicious domain name rule by the $i$-th detection mode, the fuzzy membership degree is determined as $m_{ijk}$.
The fuzzy membership is a concept in fuzzy logic used to describe the degree to which a thing belongs to a certain attribute or characteristic. In malicious domain name detection, the fuzzy membership measures the degree to which a certain feature of the domain name to be detected matches a malicious domain name rule.
From the weight of the $i$-th detection mode, the weight of the $j$-th class of malicious domain name rule, the weight of the $k$-th domain name feature and the fuzzy membership degree $m_{ijk}$, the weighted membership degree $M_{ijk}$ of the structure to be detected is calculated, where $u_i$ represents the weight of the $i$-th detection mode, $v_j$ represents the weight of the $j$-th class of malicious domain name rule, and $w_k$ represents the weight of the $k$-th domain name feature.
It should be noted that different detection methods, malicious domain name rules, and domain name features may have different importance. Some detection approaches may be more efficient than others, some malicious domain name rules may be more common or more dangerous, and some domain name features may be more discriminative. By setting weights, these differences in importance can be accurately reflected, so that the matching results of important features and rules have a more decisive influence.
Further, the weights of different detection modes, malicious domain name rules and domain name characteristics are set, so that the influence of the detection modes, the malicious domain name rules and the domain name characteristics in final evaluation can be flexibly adjusted. In this way, more important features and rules can be given higher weights according to actual conditions and requirements, so that the more decisive effect of the more important features and rules on the calculation result of the weighted average membership degree is ensured.
From the weighted membership degrees $M_{ijk}$ of the structure to be detected, the weighted average membership degree of the structure to be detected is calculated, where $M$ represents the weighted membership matrix formed by the $M_{ijk}$, $n$ represents the total number of detection modes, $p$ represents the number of categories of malicious domain name rules, and $q$ represents the total number of domain name features.
According to the method and the device, the matching results of the detection modes, the malicious domain name rules and the domain name features are combined to obtain the weighted average membership, the influence of a plurality of factors can be comprehensively considered in malicious domain name detection, the malicious degree of the domain name to be detected can be more comprehensively evaluated, inaccurate results caused by misjudgment of single features or rules are reduced, and the accuracy and the credibility of malicious domain name detection are improved.
In one possible implementation, the weights $u$ of the various detection modes are calculated as follows:
Obtain $e$ weight questionnaires covering the $n$ detection modes.
From the importance scores in the weight questionnaires, calculate the average importance score of each detection mode over the $e$ questionnaires, $B_i = \frac{1}{e}\sum_{j=1}^{e} b_{ij}$, $i = 1, 2, \dots, n$, where $B_i$ represents the average importance score of the $i$-th detection mode and $b_{ij}$ represents the importance score given to the $i$-th detection mode in the $j$-th weight questionnaire.
From the average importance scores of the detection modes, calculate the weight $u_i$ of each detection mode, where $u_i$ represents the weight of the $i$-th detection mode.
In the present application, by collecting the weight questionnaire and averaging, it can be implemented more easily in practice without the need for complex mathematical models or statistical analysis. The opinion of a plurality of users or experts can be comprehensively considered, and the weights of various detection modes which are more comprehensive, objective and reliable are obtained.
In one possible implementation, the weights $v$ of the various malicious domain name rules are calculated as follows:
Classify the malicious domain name rules according to their relevance to malicious domain names, and determine the weight $v$ of each malicious domain name rule from its category.
Specifically, when the category of the malicious domain name rule is low-level auxiliary information, the weight of the malicious domain name rule is $v_1 = 0.05$;
when the category of the malicious domain name rule is general auxiliary information, the weight of the malicious domain name rule is $v_2 = 0.15$;
when the category of the malicious domain name rule is special auxiliary information, the weight of the malicious domain name rule is $v_3 = 0.30$;
when the category of the malicious domain name rule is low-risk information, the weight of the malicious domain name rule is $v_4 = 0.75$;
when the category of the malicious domain name rule is medium-risk information, the weight of the malicious domain name rule is $v_5 = 0.85$;
when the category of the malicious domain name rule is high-risk information, the weight of the malicious domain name rule is $v_6 = 0.90$;
when the category of the malicious domain name rule is absolute information, the weight of the malicious domain name rule is $v_7 = 1.00$.
In the application, the malicious domain name rule is subdivided into different categories, and different weights are given to each category, so that the influence of each rule on malicious domain name detection can be described more finely. Different categories of rules may have different importance, some rules may be only auxiliary information, and some rules may be more reliable and deterministic information. By setting different weights, the influence of different rules can be reasonably quantified. The accuracy and the adaptability of the malicious domain name detection system can be improved, meanwhile, the interpretation and the understanding of the system output are also improved, and further, the detection result is more refined and more credible, and the actual requirements are better met.
In one possible implementation, the weights $w$ of the individual domain name features are calculated as follows:
Compare the domain name features pairwise using a nine-level scale and establish a judgment matrix $A = (a_{ij})_{q \times q}$, where $a_{ij}$ represents the importance of the $i$-th domain name feature relative to the $j$-th domain name feature, $q$ represents the total number of domain name features, and the value of $a_{ij}$ is determined from the nine-level scale.
A nine-level scale is used to evaluate and compare the degree or importance of an object on a particular attribute. It divides the evaluated object into nine levels, among which the participant selects the option that best fits his view. The options are typically represented by a number or an expression, where 1 represents the least or least significant and 9 represents the most or most significant.
Calculate the eigenvalues and eigenvectors of the judgment matrix $A$: $A\omega = \lambda\omega$, where $\lambda$ represents an eigenvalue of $A$ and $\omega$ represents the corresponding eigenvector of $A$; take the largest eigenvalue $\lambda_{\max}$, and denote the eigenvector corresponding to the largest eigenvalue as $\omega_{\max}$.
Normalize the eigenvector $\omega_{\max}$ corresponding to the largest eigenvalue; the components of the normalized vector are the weights of the respective domain name features and are denoted $w_1, w_2, \dots, w_q$.
In the application, the weight of each domain name feature is calculated by the nine-level scale method and the judgment matrix, so that the weights are objective, comprehensive and flexible. This calculation improves the accuracy, credibility and interpretability of the malicious domain name detection system and ensures the rationality and consistency of the weight values.
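The weight derivation in S104 (questionnaire averages for $u_i$, the judgment matrix and its largest eigenvector for $w_k$) and the weighted membership $M_{ijk}$ combine naturally into one worked example. The Python below is an added illustration, not the patent's own code: the judgment matrix, questionnaire scores and match tensor are constructed; the normalisation of $u_i$, the sum-to-one normalisation of $\omega_{\max}$ and the combination rule for $M_{ijk}$ and the weighted average are assumptions, because the page does not print those formulas; and the AHP consistency index is added as a practitioner's sanity check the text does not mention.

```python
from typing import List, Sequence, Tuple


def questionnaire_weights(scores: Sequence[Sequence[float]]) -> List[float]:
    """Weights u_i of the n detection modes from e weight questionnaires.
    scores[j][i] is b_ij, the score the j-th questionnaire gives the i-th mode, and
    B_i is its average over the e questionnaires. Dividing B_i by the sum of all B is an
    assumption: the page does not state how u_i is derived from B_i."""
    e, n = len(scores), len(scores[0])
    B = [sum(scores[j][i] for j in range(e)) / e for i in range(n)]
    total = sum(B)
    return [b / total for b in B]


def principal_eigen(A: Sequence[Sequence[float]], iters: int = 1000,
                    tol: float = 1e-12) -> Tuple[float, List[float]]:
    """Largest eigenvalue lambda_max and its eigenvector by power iteration (pure Python,
    no numpy). For a positive pairwise-comparison matrix the dominant eigenvector is
    positive; keeping it normalised to sum 1 makes sum(A w) converge to lambda_max."""
    q = len(A)
    w = [1.0 / q] * q
    lam = 0.0
    for _ in range(iters):
        Aw = [sum(A[i][j] * w[j] for j in range(q)) for i in range(q)]
        lam = sum(Aw)
        new = [x / lam for x in Aw]
        converged = max(abs(new[i] - w[i]) for i in range(q)) < tol
        w = new
        if converged:
            break
    return lam, w


def feature_weights(A: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Weights w_1..w_q of the q domain name features from the judgment matrix A.
    Checks the reciprocal property a_ji = 1 / a_ij expected of a nine-level-scale matrix,
    returns the sum-normalised eigenvector of lambda_max, plus the AHP consistency index
    CI = (lambda_max - q) / (q - 1): CI close to 0 means the pairwise comparisons are
    coherent, a large CI means the questionnaire answers contradict each other."""
    q = len(A)
    for i in range(q):
        for j in range(q):
            if abs(A[i][j] * A[j][i] - 1.0) > 1e-9:
                raise ValueError(f"judgment matrix is not reciprocal at ({i}, {j})")
    lam, w = principal_eigen(A)
    ci = (lam - q) / (q - 1) if q > 1 else 0.0
    return w, ci


def weighted_average_membership(m, u, v, w) -> float:
    """m[i][j][k] is the fuzzy membership m_ijk (here 1.0 when the k-th feature matched a
    rule of the j-th class under the i-th detection mode, else 0.0). The combination is an
    assumption: M_ijk = u_i * v_j * w_k * m_ijk, and the weighted average is
    sum(M_ijk) / sum(u_i * v_j * w_k), which keeps the result in [0, 1] regardless of the
    scale of the three weight vectors."""
    num = den = 0.0
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            for k, wk in enumerate(w):
                coef = ui * vj * wk
                num += coef * m[i][j][k]
                den += coef
    return num / den if den else 0.0


if __name__ == "__main__":
    # Constructed judgment matrix for q = 3 features, entries from the nine-level scale.
    A = [[1.0, 3.0, 5.0], [1 / 3, 1.0, 3.0], [1 / 5, 1 / 3, 1.0]]
    w, ci = feature_weights(A)
    u = questionnaire_weights([[9, 5, 3], [8, 6, 2]])   # e = 2 questionnaires, n = 3 modes
    v = [0.05, 0.15, 0.30, 0.75, 0.85, 0.90, 1.00]      # the seven rule categories v_1..v_7
    m = [[[0.0] * 3 for _ in range(7)] for _ in range(3)]
    m[0][6][0] = 1.0   # mode 0 matched feature 0 against an absolute-information rule
    print(w, ci, weighted_average_membership(m, u, v, w))
```

A single match against an absolute-information rule on the heaviest feature already dominates the score, while several matches against low-level auxiliary rules barely move it; that is the behaviour the category weights are meant to produce, and the consistency index flags judgment matrices whose pairwise answers cannot be trusted before those weights are used.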
S105: When the weighted average membership of the structure to be detected is greater than the dynamic threshold value, determine that the domain name to be detected is a potential malicious domain name.
It should be noted that the number and type of malicious domain names may change over time. Thus, a fixed threshold may not be able to accommodate malicious domain name detection requirements for different periods of time or under different conditions. By setting the dynamic threshold, the threshold can be automatically adjusted according to the current detection condition and the distribution condition of malicious domain names, so that the detection system can adaptively cope with different conditions.
In one possible implementation, the dynamic threshold is calculated as follows:
Set the width of the sliding window to $W$.
Calculate the true positive rate and the false positive rate of malicious domain name detection over the domain names to be detected in the sliding window.
The true positive rate is also referred to as sensitivity or recall, and refers to the proportion of actually positive samples that the classifier correctly predicts as positive.
The false positive rate refers to the proportion of actually negative samples that the classifier erroneously predicts as positive.
Calculate the dynamic threshold from the true positive rate and the false positive rate of malicious domain name detection over the domain names to be detected in the sliding window.
In one possible implementation, the dynamic threshold is calculated by a formula in which $C$ represents the dynamic threshold, $\max[\,]$ represents the maximum function, $\min[\,]$ represents the minimum function, $c$ represents the threshold value before the dynamic update, $k$ represents an adjustable parameter, $AFPR$ represents the actual false positive rate, $EFPR$ represents the expected false positive rate, $ATPR$ represents the actual true positive rate and $ETPR$ represents the expected true positive rate. A person skilled in the art can set the size of the adjustable parameter $k$ according to the actual situation, and the present application does not limit it.
In the application, by comparing the actual false positive rate with the expected false positive rate and the actual true positive rate with the expected true positive rate, the system can adjust the threshold according to the expected performance indicators, thereby improving detection accuracy. By calculating the dynamic threshold, the system avoids, as far as possible, being over-sensitive or insufficiently sensitive, which improves the accuracy and credibility of detection.
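The sliding-window threshold in S105 needs ground-truth labels for the domain names already scored (for instance from later analyst triage), and it has to cope with windows that contain no positives or no negatives, where one of the two rates is undefined. The Python below is an added example, not the patent's code: it keeps the last $W$ (prediction, label) pairs, computes $ATPR$ and $AFPR$ as defined above, and updates the threshold with an assumed rule, $C = \min[hi, \max[lo, c + k(\max(0, AFPR - EFPR) - \max(0, ETPR - ATPR))]]$, chosen so that an excess of false positives raises the threshold and a shortfall of true positives lowers it; the page names these symbols and the max/min functions but its own formula is not reproduced here. The sample scores and labels are constructed.

```python
from collections import deque
from typing import Deque, Optional, Tuple


def true_positive_rate(tp: int, fn: int) -> Optional[float]:
    """Sensitivity / recall: share of actually positive samples predicted positive.
    None when the window holds no positives, so the caller can skip that term."""
    return tp / (tp + fn) if tp + fn else None


def false_positive_rate(fp: int, tn: int) -> Optional[float]:
    """Share of actually negative samples wrongly predicted positive; None if no negatives."""
    return fp / (fp + tn) if fp + tn else None


class DynamicThreshold:
    """Sliding-window threshold C. Each observed domain name carries its weighted average
    membership score and a ground-truth label; the window keeps the last W
    (prediction, label) pairs. Update rule (assumption, see lead-in):
        C = min[hi, max[lo, c + k * (max(0, AFPR - EFPR) - max(0, ETPR - ATPR))]]
    A window without positives (or negatives) contributes no adjustment for the rate
    that is undefined there."""

    def __init__(self, window_w: int, initial_c: float, k: float,
                 efpr: float, etpr: float, lo: float = 0.0, hi: float = 1.0):
        self.window: Deque[Tuple[bool, bool]] = deque(maxlen=window_w)
        self.c, self.k = initial_c, k
        self.efpr, self.etpr, self.lo, self.hi = efpr, etpr, lo, hi

    def rates(self) -> Tuple[Optional[float], Optional[float]]:
        """(ATPR, AFPR) over the current window contents."""
        tp = sum(1 for pred, lab in self.window if pred and lab)
        fn = sum(1 for pred, lab in self.window if not pred and lab)
        fp = sum(1 for pred, lab in self.window if pred and not lab)
        tn = sum(1 for pred, lab in self.window if not pred and not lab)
        return true_positive_rate(tp, fn), false_positive_rate(fp, tn)

    def observe(self, membership: float, is_malicious: bool) -> bool:
        """Classify with the current threshold, record the outcome and, once the window is
        full, recompute the threshold. Returns the prediction made for this domain name."""
        predicted = membership > self.c
        self.window.append((predicted, is_malicious))
        if len(self.window) == self.window.maxlen:
            atpr, afpr = self.rates()
            fp_excess = max(0.0, afpr - self.efpr) if afpr is not None else 0.0
            tp_shortfall = max(0.0, self.etpr - atpr) if atpr is not None else 0.0
            self.c = min(self.hi, max(self.lo, self.c + self.k * (fp_excess - tp_shortfall)))
        return predicted


if __name__ == "__main__":
    # Constructed stream: four benign names all scored just above the initial threshold
    # (a burst of false positives), so the threshold should move up once W is reached.
    d = DynamicThreshold(window_w=4, initial_c=0.5, k=0.1, efpr=0.05, etpr=0.9)
    for score in [0.6, 0.6, 0.6, 0.6]:
        d.observe(score, is_malicious=False)
    print(round(d.c, 4), d.rates())
```

Two design points matter in practice: the threshold is clamped to $[lo, hi]$ so a long run of one-sided feedback cannot drive it to a value that accepts or rejects everything, and the update only starts once the window is full, because rates computed from one or two labelled samples swing wildly and would make the early threshold oscillate.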
In a second aspect, referring to fig. 3, a schematic structural diagram of a malicious domain name detection device according to an embodiment of the present application is shown.
The present application provides a malicious domain name detection device 30, comprising:
the parsing module 301 is configured to parse a domain name to be detected to obtain a structure to be detected, where the structure to be detected includes a plurality of domain name features;
the checking module 302 is configured to check whether the structure to be detected is recorded in the multiple domain name databases according to a preset checking sequence, if yes, end detection, otherwise, enter the next step;
the matching module 303 is configured to match, according to a preset matching sequence and a preset detection sequence, a plurality of domain name features of the structure to be detected with a plurality of malicious domain name rules in sequence;
a first determining module 304, configured to determine a weighted average membership degree of the structure to be detected according to a matching result of a plurality of domain name features of the structure to be detected and a plurality of malicious domain name rules;
the second determining module 305 is configured to determine that the domain name to be detected is a potentially malicious domain name if the weighted average membership of the structure to be detected is greater than the dynamic threshold.
In one possible implementation, the checking module 302 is specifically configured to:
check whether the structure to be detected is recorded in a plurality of domain name databases, in the checking sequence of the intrusion detection report database, the threat intelligence database, the blacklist database and the whitelist database.
In one possible implementation, the matching module 303 is specifically configured to:
match each domain name feature of the structure to be detected in sequence against a plurality of malicious domain name rules, following the matching sequence of protocol header, port number, main domain name, sub domain name, request parameters, complete string and regional top-level domain name, and the detection sequence of prefix matching, suffix matching, regular expression matching, YARA expression matching and custom function matching.
In one possible implementation, the first determining module 304 is specifically configured to:
when the k-th domain name feature is successfully matched by the i-th detection mode against the j-th class of malicious domain name rule, determine the fuzzy membership degree as m_ijk;
according to the weight of the i-th detection mode, the weight of the j-th class of malicious domain name rule, the weight of the k-th domain name feature and the fuzzy membership degree m_ijk, calculate the weighted membership degree M_ijk of the structure to be detected, wherein u_i represents the weight of the i-th detection mode, v_j represents the weight of the j-th class of malicious domain name rule, and w_k represents the weight of the k-th domain name feature;
according to the weighted membership degree M_ijk of the structure to be detected, calculate the weighted average membership degree of the structure to be detected, wherein M represents the weighted membership matrix formed by the weighted membership degrees M_ijk, n represents the total number of detection modes, p represents the number of classes of malicious domain name rules, and q represents the total number of domain name features.
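The matching, weighting and thresholding steps described for modules 302 to 305 above, as an added example in Python; it is not code from the patent or its applicant. The databases, rules, weights u, v, w and sample URLs are constructed; YARA matching is omitted because it needs the external yara library; the feature split (last label as regional top-level domain, last two labels as main domain) and the scoring form (M_ijk = u_i·v_j·w_k·m_ijk, averaged over the total weight of the rules evaluated) are assumptions, since the page does not reproduce the formulas. The custom-function rule returns a graded membership rather than a yes/no, which is what makes the result a fuzzy membership degree.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union
from urllib.parse import urlsplit

# Matching sequence over features and detection sequence over modes, as the text lists them.
# YARA matching is left out because it needs the external yara library.
FEATURE_ORDER = ["protocol", "port", "main_domain", "sub_domain",
                 "request_params", "full_string", "regional_tld"]
MODE_ORDER = ["prefix", "suffix", "regex", "custom"]

# Constructed sample databases, in the checking order the text gives.
DATABASES = [
    ("ids_report", {"c2.example-bad.test"}),
    ("threat_intel", {"phish.example-bad.test"}),
    ("blacklist", {"known-bad.test"}),
    ("whitelist", {"www.example.com"}),
]

# Assumed weights: u per detection mode, v per rule class (0 = most relevant), w per feature.
U = {"prefix": 0.15, "suffix": 0.15, "regex": 0.3, "custom": 0.4}
V = {0: 1.0, 1: 0.6, 2: 0.3}
W = {"protocol": 0.05, "port": 0.05, "main_domain": 0.3, "sub_domain": 0.2,
     "request_params": 0.15, "full_string": 0.15, "regional_tld": 0.1}


@dataclass
class Rule:
    name: str
    mode: str          # detection mode i
    rule_class: int    # malicious-rule class j
    feature: str       # domain name feature k
    pattern: Union[str, re.Pattern, Callable[[str], float]]


def digit_ratio(label: str) -> float:
    """Custom-function rule: graded membership from the share of digits in a label (assumed)."""
    if not label:
        return 0.0
    digits = sum(ch.isdigit() for ch in label)
    return min(1.0, 2.0 * digits / len(label))


RULES = [  # constructed sample rules
    Rule("plain-http", "regex", 2, "protocol", re.compile(r"^http$")),
    Rule("login-prefix", "prefix", 1, "sub_domain", "login-"),
    Rule("digit-heavy-label", "custom", 0, "sub_domain", digit_ratio),
    Rule("ip-redirect", "regex", 0, "request_params",
         re.compile(r"redirect=https?://\d{1,3}(?:\.\d{1,3}){3}")),
    Rule("exe-download", "suffix", 1, "full_string", ".exe"),
]


def parse_structure(url: str) -> Dict[str, str]:
    """Split the URL under inspection into the domain name features (structure to be detected)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []
    # Assumption: the regional TLD is the last label, the main domain the last two labels,
    # and the sub domain everything before them.
    return {
        "protocol": parts.scheme,
        "port": str(parts.port or ""),
        "main_domain": ".".join(labels[-2:]),
        "sub_domain": ".".join(labels[:-2]),
        "request_params": parts.query,
        "full_string": url,
        "regional_tld": labels[-1] if labels else "",
        "host": host,
    }


def check_databases(host: str) -> Optional[str]:
    """Name of the first database recording the host, in the preset checking order, else None."""
    for name, entries in DATABASES:
        if host in entries:
            return name
    return None


def membership(rule: Rule, value: str) -> float:
    """Fuzzy membership m_ijk of one feature value against one rule, in [0, 1]."""
    if rule.mode == "prefix":
        return 1.0 if value.startswith(rule.pattern) else 0.0
    if rule.mode == "suffix":
        return 1.0 if value.endswith(rule.pattern) else 0.0
    if rule.mode == "regex":
        return 1.0 if rule.pattern.search(value) else 0.0
    if rule.mode == "custom":
        return max(0.0, min(1.0, float(rule.pattern(value))))
    raise ValueError(f"unknown detection mode {rule.mode}")


def weighted_average_membership(structure: Dict[str, str], rules: List[Rule]) -> float:
    """Assumed form: M_ijk = u_i * v_j * w_k * m_ijk, averaged over the total weight evaluated."""
    ordered = sorted(rules, key=lambda r: (FEATURE_ORDER.index(r.feature), MODE_ORDER.index(r.mode)))
    numerator = denominator = 0.0
    for rule in ordered:
        weight = U[rule.mode] * V[rule.rule_class] * W[rule.feature]
        numerator += weight * membership(rule, structure[rule.feature])
        denominator += weight
    return numerator / denominator if denominator else 0.0


def detect(url: str, threshold: float = 0.5) -> Dict[str, object]:
    """Parse, check the databases in order (ending detection on a hit), then score and threshold."""
    structure = parse_structure(url)
    recorded_in = check_databases(structure["host"])
    if recorded_in is not None:
        return {"url": url, "status": "recorded", "database": recorded_in, "score": None}
    score = weighted_average_membership(structure, RULES)
    status = "potential_malicious" if score > threshold else "benign"
    return {"url": url, "status": status, "database": None, "score": round(score, 4)}


if __name__ == "__main__":
    for sample in ("https://www.example.com/",
                   "https://docs.example.org/page?id=42",
                   "http://login-a1b2c3d4.evil-sample.test/?redirect=http://203.0.113.5/payload.exe"):
        print(detect(sample))
```

The threshold passed to detect() is the fixed value c; in the full design it would be replaced by the dynamic threshold C described later in this implementation.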
In one possible implementation, the weight u of each detection mode is calculated as follows:
collect e weight questionnaires on the n detection modes;
according to the importance scores in the weight questionnaires, calculate the average score of the importance scores of each detection mode across the e weight questionnaires, wherein B_i represents the average score of the importance scores of the i-th detection mode, and b_ij represents the importance score given to the i-th detection mode in the j-th weight questionnaire;
according to the average score of the importance scores of each detection mode, calculate the weight u_i of each detection mode, wherein u_i represents the weight of the i-th detection mode.
In one possible implementation, the weight v of each class of malicious domain name rule is calculated as follows:
classify the malicious domain name rules according to their relevance to malicious domain names, and determine the weight v of each class of malicious domain name rule.
In one possible implementation, the weight w of each domain name feature is calculated as follows:
by comparing the domain name features pairwise in combination with a nine-level scale, establish a judgment matrix A, wherein a_ij represents the importance of the i-th domain name feature relative to the j-th domain name feature, q represents the total number of domain name features, and the value of a_ij can be determined by the nine-level scale method;
calculate the eigenvalues and eigenvectors of the judgment matrix A, wherein λ represents an eigenvalue of the judgment matrix A and ω represents an eigenvector of the judgment matrix A; the largest eigenvalue is denoted λ_max, and the eigenvector corresponding to the largest eigenvalue is denoted ω_max;
normalise the eigenvector ω_max corresponding to the largest eigenvalue;
wherein the elements of the normalised vector respectively represent the weights of the individual domain name features and can be denoted w_1, w_2, …, w_q.
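The questionnaire-based weights u and the pairwise-comparison weights w derived from the judgment matrix A, as one added example in Python covering both passages above; it is not code from the patent or its applicant. The questionnaire scores and the pairwise scale values are constructed; normalising each B_i by the sum of all averages to obtain u_i, and using power iteration (no numpy needed) to find λ_max and ω_max, are assumptions. It also computes the consistency ratio of A, which the text does not mention, because a judgment matrix whose pairwise comparisons contradict each other still yields an eigenvector, and weights taken from it should not be trusted.

```python
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index for matrices of order 1..9 (standard AHP table).
RANDOM_INDEX = [0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45]

# Constructed sample input: e = 3 questionnaires scoring n = 4 detection modes
# (prefix, suffix, regex, custom function) on a 1..10 importance scale.
QUESTIONNAIRES = [[3, 3, 7, 9], [2, 4, 8, 8], [4, 2, 6, 10]]

# Constructed sample input: pairwise nine-level-scale judgments a_ij (i < j) for q = 4 features
# in the order main_domain, sub_domain, request_params, regional_tld.
PAIRWISE = {(0, 1): 2.0, (0, 2): 3.0, (0, 3): 5.0, (1, 2): 2.0, (1, 3): 3.0, (2, 3): 2.0}
# A contradictory set of judgments (A > B > C > A) used to show the consistency check firing.
PAIRWISE_INCONSISTENT = {(0, 1): 3.0, (1, 2): 3.0, (0, 2): 1.0 / 3.0}


def detection_mode_weights(questionnaires: Sequence[Sequence[float]]) -> List[float]:
    """u_i from e questionnaires: B_i is the mean score of mode i, u_i = B_i / sum(B) (assumed)."""
    e = len(questionnaires)
    n = len(questionnaires[0])
    averages = [sum(q[i] for q in questionnaires) / e for i in range(n)]  # B_i
    total = sum(averages)
    return [b / total for b in averages]


def judgment_matrix(q: int, upper: Dict[Tuple[int, int], float]) -> List[List[float]]:
    """Build the reciprocal judgment matrix A (a_ii = 1, a_ji = 1 / a_ij) from the values for i < j."""
    a = [[1.0] * q for _ in range(q)]
    for (i, j), value in upper.items():
        a[i][j] = float(value)
        a[j][i] = 1.0 / value
    return a


def principal_eigen(a: List[List[float]], iterations: int = 1000,
                    tol: float = 1e-12) -> Tuple[float, List[float]]:
    """Power iteration on a positive matrix: returns (lambda_max, omega_max normalised to sum 1)."""
    q = len(a)
    omega = [1.0 / q] * q
    lam = 0.0
    for _ in range(iterations):
        a_omega = [sum(a[i][j] * omega[j] for j in range(q)) for i in range(q)]
        new_lam = sum(a_omega)                 # omega sums to 1, so sum(A omega) estimates lambda
        new_omega = [x / new_lam for x in a_omega]   # the normalisation step of the text
        converged = (abs(new_lam - lam) < tol
                     and max(abs(x - y) for x, y in zip(new_omega, omega)) < tol)
        lam, omega = new_lam, new_omega
        if converged:
            break
    return lam, omega


def consistency_ratio(lam_max: float, q: int) -> float:
    """CR = CI / RI with CI = (lambda_max - q) / (q - 1); CR below 0.1 is the usual acceptance limit."""
    if q < 3:
        return 0.0
    ci = (lam_max - q) / (q - 1)
    return ci / RANDOM_INDEX[q - 1]


def feature_weights(q: int, upper: Dict[Tuple[int, int], float]) -> Tuple[List[float], float]:
    """Weights w_1..w_q from the normalised principal eigenvector, plus the consistency ratio."""
    lam_max, omega_max = principal_eigen(judgment_matrix(q, upper))
    return omega_max, consistency_ratio(lam_max, q)


if __name__ == "__main__":
    print("u =", [round(x, 4) for x in detection_mode_weights(QUESTIONNAIRES)])
    w, cr = feature_weights(4, PAIRWISE)
    print("w =", [round(x, 4) for x in w], "CR =", round(cr, 4))
    _, cr_bad = feature_weights(3, PAIRWISE_INCONSISTENT)
    print("inconsistent judgments: CR =", round(cr_bad, 4), "(reject, > 0.1)")
```

For a positive reciprocal matrix λ_max is never below q, so CI is non-negative and CR grows with the amount of contradiction among the pairwise judgments; the contradictory 3×3 example produces equal weights with a CR well above 0.1, which is exactly the case where the eigenvector alone would mislead.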
In one possible implementation, the dynamic threshold is calculated by:
setting the width of the sliding window asW
Calculating the true positive rate and the false positive rate of malicious domain name detection on each domain name to be detected in the sliding window;
and calculating a dynamic threshold according to the true positive rate and the false positive rate of malicious domain name detection on each domain name to be detected in the sliding window.
In one possible implementation manner, the dynamic threshold is calculated according to the true positive rate and the false positive rate of malicious domain name detection on each domain name to be detected in the sliding window, and specifically includes:
the dynamic threshold is calculated according to the following formula:
wherein C represents the dynamic threshold, c represents the threshold before the dynamic update, k represents an adjustable parameter, AFPR represents the actual false positive rate, EFPR represents the expected false positive rate, ATPR represents the actual true positive rate, and ETPR represents the expected true positive rate.
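The sliding-window dynamic threshold of this implementation, as an added example in Python; it is not code from the patent or its applicant. Because the page does not reproduce the update formula, the rule used here (raise the threshold by k times the excess of AFPR over EFPR, lower it by k times the shortfall of ATPR below ETPR, then clamp the result to [0, 1]) is an assumption. The labels in the window are the confirmed outcomes of earlier verdicts; a window with no confirmed positives, or no confirmed negatives, gives no evidence for the corresponding rate and is treated as on target, so a single-class window cannot swing the threshold.

```python
from collections import deque
from typing import Deque, List, Tuple


class SlidingWindowThreshold:
    """Dynamic threshold C re-derived from the true/false positive rates in a window of width W."""

    def __init__(self, initial: float, k: float, width: int,
                 expected_fpr: float, expected_tpr: float) -> None:
        self.c = initial              # threshold before the dynamic update
        self.k = k                    # adjustable parameter
        self.efpr = expected_fpr      # EFPR
        self.etpr = expected_tpr      # ETPR
        self.window: Deque[Tuple[float, bool]] = deque(maxlen=width)

    def rates(self) -> Tuple[float, float]:
        """(ATPR, AFPR) of the current threshold over the window of (score, confirmed label)."""
        tp = fp = tn = fn = 0
        for score, malicious in self.window:
            flagged = score > self.c
            if flagged and malicious:
                tp += 1
            elif flagged:
                fp += 1
            elif malicious:
                fn += 1
            else:
                tn += 1
        # No positives or no negatives in the window: no evidence, so report the expected rate.
        atpr = tp / (tp + fn) if tp + fn else self.etpr
        afpr = fp / (fp + tn) if fp + tn else self.efpr
        return atpr, afpr

    def observe(self, score: float, malicious: bool) -> float:
        """Record one domain's score with its confirmed label and return the updated threshold C."""
        self.window.append((score, malicious))
        atpr, afpr = self.rates()
        # Assumed update rule (not the patent's formula): react only to too many false positives
        # (raise C) and too few true positives (lower C); clamp C to [0, 1].
        excess_false_positives = max(afpr - self.efpr, 0.0)
        missing_true_positives = max(self.etpr - atpr, 0.0)
        c = self.c + self.k * (excess_false_positives - missing_true_positives)
        self.c = min(max(c, 0.0), 1.0)
        return self.c


def run_stream(observations: List[Tuple[float, bool]], initial: float = 0.5, k: float = 0.1,
               width: int = 5, expected_fpr: float = 0.05, expected_tpr: float = 0.9) -> List[float]:
    """Feed a constructed stream of (score, label) pairs and return the threshold after each one."""
    threshold = SlidingWindowThreshold(initial, k, width, expected_fpr, expected_tpr)
    return [threshold.observe(score, malicious) for score, malicious in observations]


if __name__ == "__main__":
    # Constructed stream: one confirmed malicious domain, then benign domains that the fixed
    # threshold of 0.5 would have flagged, so the threshold climbs; later a missed malicious
    # domain pulls it back down.
    stream = [(0.9, True), (0.7, False), (0.3, False), (0.62, False), (0.55, True)]
    for (score, label), c in zip(stream, run_stream(stream)):
        print(f"score={score:.2f} malicious={label!s:5} -> C={c:.4f}")
```

With width W as small as 5 the threshold moves in large steps; in practice W is chosen large enough that one mislabelled confirmation cannot dominate the rates, and k small enough that C drifts rather than jumps.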
The malicious domain name detection device 30 provided by the present application can implement each process implemented in the above method embodiment, and in order to avoid repetition, details are not repeated here.
The virtual device provided by the application can be a device, and can also be a component, an integrated circuit or a chip in a terminal.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application, not to limit it; although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A method for detecting a malicious domain name, comprising:
parsing a domain name to be detected to obtain a structure body to be detected, wherein the structure body to be detected comprises a plurality of domain name characteristics;
checking whether the structure to be detected is recorded in a plurality of domain name databases according to a preset checking sequence, if so, ending the detection, otherwise, entering the next step;
according to a preset matching sequence and a preset detection sequence, sequentially matching a plurality of domain name features of the structure to be detected with a plurality of malicious domain name rules;
determining weighted average membership of the structure to be detected according to matching results of a plurality of domain name features and a plurality of malicious domain name rules of the structure to be detected;
and when the weighted average membership of the structure to be detected is greater than a dynamic threshold value, determining that the domain name to be detected is a potentially malicious domain name.
2. The method for detecting a malicious domain name according to claim 1, wherein the checking whether the structure to be detected is recorded in a plurality of domain name databases according to a preset checking sequence specifically comprises:
checking whether the structure to be detected is recorded in a plurality of domain name databases, in the checking sequence of the intrusion detection report database, the threat intelligence database, the blacklist database and the whitelist database.
3. The method for detecting a malicious domain name according to claim 1, wherein the matching of each domain name feature of the structure to be detected with a plurality of malicious domain name rules sequentially comprises:
matching each domain name feature of the structure to be detected in sequence against a plurality of malicious domain name rules, following the matching sequence of protocol header, port number, main domain name, sub domain name, request parameters, complete string and regional top-level domain name, and the detection sequence of prefix matching, suffix matching, regular expression matching, YARA expression matching and custom function matching.
4. The method for detecting a malicious domain name according to claim 1, wherein the determining a weighted average membership degree of the structure to be detected according to a matching result of the plurality of domain name features of the structure to be detected and the plurality of malicious domain name rules specifically comprises:
when the k-th domain name feature is successfully matched by the i-th detection mode against the j-th class of malicious domain name rule, determining the fuzzy membership degree as m_ijk;
according to the weight of the i-th detection mode, the weight of the j-th class of malicious domain name rule, the weight of the k-th domain name feature and the fuzzy membership degree m_ijk, calculating the weighted membership degree M_ijk of the structure to be detected;
wherein u_i represents the weight of the i-th detection mode, v_j represents the weight of the j-th class of malicious domain name rule, and w_k represents the weight of the k-th domain name feature;
according to the weighted membership degree M_ijk of the structure to be detected, calculating the weighted average membership degree of the structure to be detected, wherein M represents the weighted membership matrix formed by the weighted membership degrees M_ijk, n represents the total number of detection modes, p represents the number of classes of malicious domain name rules, and q represents the total number of domain name features.
5. The malicious domain name detection method according to claim 4, wherein the weight u of each detection mode is calculated as follows:
collecting e weight questionnaires on the n detection modes;
according to the importance scores in the weight questionnaires, calculating the average score of the importance scores of each detection mode across the e weight questionnaires, wherein B_i represents the average score of the importance scores of the i-th detection mode, and b_ij represents the importance score given to the i-th detection mode in the j-th weight questionnaire;
according to the average score of the importance scores of each detection mode, calculating the weight u_i of each detection mode, wherein u_i represents the weight of the i-th detection mode.
6. The malicious domain name detection method according to claim 4, wherein the weight v of each class of malicious domain name rule is calculated as follows:
classifying the malicious domain name rules according to their relevance to malicious domain names, and determining the weight v of each class of malicious domain name rule.
7. The malicious domain name detection method according to claim 4, wherein the weight w of each domain name feature is calculated as follows:
by comparing the domain name features pairwise in combination with a nine-level scale, establishing a judgment matrix A, wherein a_ij represents the importance of the i-th domain name feature relative to the j-th domain name feature, q represents the total number of domain name features, and the value of a_ij can be determined by the nine-level scale method;
calculating the eigenvalues and eigenvectors of the judgment matrix A, wherein λ represents an eigenvalue of the judgment matrix A and ω represents an eigenvector of the judgment matrix A; the largest eigenvalue is denoted λ_max, and the eigenvector corresponding to the largest eigenvalue is denoted ω_max; normalising the eigenvector ω_max corresponding to the largest eigenvalue, wherein the elements of the normalised vector respectively represent the weights of the individual domain name features and can be denoted w_1, w_2, …, w_q.
8. The malicious domain name detection method according to claim 1, wherein the dynamic threshold is calculated by:
setting the width of the sliding window asW
Calculating the true positive rate and the false positive rate of malicious domain name detection on each domain name to be detected in the sliding window;
and calculating the dynamic threshold according to the true positive rate and the false positive rate of malicious domain name detection on each domain name to be detected in the sliding window.
9. The malicious domain name detection method according to claim 8, wherein the calculating the dynamic threshold includes:
the dynamic threshold is calculated according to the following formula: wherein C represents the dynamic threshold, max[ ] represents the maximum function, min[ ] represents the minimum function, c represents the threshold before the dynamic update, k represents an adjustable parameter, AFPR represents the actual false positive rate, EFPR represents the expected false positive rate, ATPR represents the actual true positive rate, and ETPR represents the expected true positive rate.
10. A malicious domain name detection apparatus, comprising:
the parsing module is used for parsing the domain name to be detected to obtain a structure body to be detected, wherein the structure body to be detected comprises a plurality of domain name characteristics;
the checking module is used for checking whether the structure body to be detected is recorded in a plurality of domain name databases according to a preset checking sequence, if so, ending the detection, otherwise, entering the next step;
the matching module is used for matching the domain name characteristics of the structure to be detected with a plurality of malicious domain name rules in sequence according to a preset matching sequence and a preset detection sequence;
the first determining module is used for determining the weighted average membership of the structure to be detected according to the matching result of the domain name characteristics of the structure to be detected and the malicious domain name rules;
and the second determining module is used for determining that the domain name to be detected is a potential malicious domain name under the condition that the weighted average membership degree of the structure to be detected is larger than a dynamic threshold value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311055354.1A CN116760645B (en) 2023-08-22 2023-08-22 Malicious domain name detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311055354.1A CN116760645B (en) 2023-08-22 2023-08-22 Malicious domain name detection method and device

Publications (2)

Publication Number Publication Date
CN116760645A true CN116760645A (en) 2023-09-15
CN116760645B CN116760645B (en) 2023-11-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant