CN116886414A - DGA domain name detection method, system and storage medium - Google Patents
- Publication number
- CN116886414A
- Authority
- CN
- China
- Prior art keywords
- domain name
- dga
- information
- model
- dga domain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application relates to the technical field of information security, and discloses a DGA domain name detection method, a DGA domain name detection system and a storage medium, wherein the DGA domain name detection method comprises the following steps: acquiring original data in a normal domain name set and a malicious domain name data set; classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features; establishing a DGA domain name detection model based on the basic characteristic information; and acquiring request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result. The application improves the accuracy of DGA domain name discovery, reduces the false alarm rate, and can effectively discover and detect the DGA domain name of unknown type.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a DGA domain name detection method, system, and storage medium.
Background
With the continuous development of internet technology, network security has become particularly important. In the field of network security, an attacker often uses domain names to connect malicious programs to remote command and control servers, thereby achieving the goal of manipulating the victim's machine. Using a domain name generation algorithm (Domain Generation Algorithm, abbreviated as "DGA"), an attacker can generate a large number of pseudo-random domain names, or domain names that appear to follow a certain rule. The domain names are usually encoded in malicious software. Compared with hard-coded domain names, DGA domain names can effectively evade blacklist detection, so traditional domain name detection methods cannot accurately detect DGA domain names and therefore cannot give accurate early warning.
Disclosure of Invention
The application provides a DGA domain name detection method, a DGA domain name detection system and a storage medium, which improve the accuracy of DGA domain name discovery, reduce the false alarm rate and effectively discover and detect unknown type DGA domain names.
In order to achieve the above object, the present application provides the following solutions: the application provides a DGA domain name detection method, which comprises the following steps: acquiring original data in a normal domain name set and a malicious domain name data set;
classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features;
establishing a DGA domain name detection model based on the basic characteristic information;
and acquiring request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result.
In one embodiment, the domain name character statistical features include domain name character length, character randomness, number of unique characters, and proportion of vowel letters.
In one embodiment, when the original data is classified, refined and extracted to obtain the basic feature information, the original data is preprocessed to remove invalid data.
In one embodiment, establishing a DGA domain name detection model based on the basic feature information includes:
establishing a data model cluster based on the basic characteristic information, wherein the data model cluster comprises a plurality of data models;
inputting the basic characteristic information into a plurality of data models respectively to obtain initial prediction results of the corresponding data models;
setting an initial data model based on the matching degree of the request domain name information and an initial prediction result;
and testing the initial data model, and determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model.
In one embodiment, testing the initial data model includes:
dividing the basic characteristic information into training data and verification data according to preset conditions; training the initial data model based on training data; and testing the trained initial data model based on the verification data, and outputting the initial data model which accords with the preset index.
In one embodiment, testing the initial data model, and determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model includes:
when the initial data model is unique, determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model;
and when the initial data model is not unique, determining the initial data model with the analysis result meeting the preset index and the highest preset index rate as the DGA domain name detection model.
In one embodiment, obtaining the request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting the analysis result, including:
inputting the request domain name information into the DGA domain name detection model to obtain the analysis result;
storing and outputting the analysis result;
and adding domain names whose analysis result is a DGA domain name to threat intelligence.
In one embodiment, after the request domain name information is acquired from the DNS traffic and input into the DGA domain name detection model to output an analysis result, when the analysis result is a DGA domain name, the requesting host is marked as a "broiler" (肉鸡, slang for a compromised host).
In order to achieve the above object, there is also provided a DGA domain name detection system, including: the information acquisition module is used for acquiring original data in a normal domain name set and a malicious domain name data set;
the information processing module is used for classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features; establishing a DGA domain name detection model based on the basic characteristic information; and acquiring request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result.
In order to achieve the above object, there is also provided a computer readable storage medium storing computer program instructions which, when loaded and executed, perform the DGA domain name detection method.
The application has the technical effects that: establishing a DGA domain name detection model based on the basic characteristic information; the method comprises the steps of obtaining request domain name information from DNS traffic, inputting the request domain name information into the DGA domain name detection model to output an analysis result, and taking the output analysis result of the DGA domain name detection model as a detection result of the DGA domain name, so that the DGA domain name can be accurately and efficiently detected.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions of the prior art, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a DGA domain name detection method provided by an embodiment of the present application;
FIG. 2 is a flowchart for establishing a DGA domain name detection model according to an embodiment of the present application;
FIG. 3 is a flow chart of testing an initial data model provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a DGA domain name detection system according to an embodiment of the present application.
Detailed Description
The following describes in further detail the embodiments of the present application with reference to the drawings and examples. The following examples are illustrative of the application and are not intended to limit the scope of the application.
In the description of the present application, it should be understood that the terms "center," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like indicate orientations or positional relationships based on the orientation or positional relationships shown in the drawings, merely to facilitate describing the present application and simplify the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present application.
The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
In the description of the present application, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.
DGA (domain name generation algorithm) is a technique for generating C&C domain names from random characters, thereby evading detection by domain name blacklists. For example, xeogrhxquubt.com is a DGA-generated domain created by CryptoLocker; if a process tries to establish a connection with it, the host may be infected with the CryptoLocker ransomware. Domain name blacklists are typically used to detect and block connections to such domains, but they are not effective against DGA algorithms that are continually updated.
At present, most security products detect on the basis of the domain name, extracting its features for detection, but in practical application they suffer from a high false alarm rate: many normal domain names, such as Chinese pinyin domain names and normal overlength domain names, are easily detected as DGA domain names.
As shown in fig. 1, this embodiment discloses a DGA domain name detection method, which includes:
step S1, obtaining original data in a normal domain name set and a malicious domain name data set;
step S2, classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features;
step S3, a DGA domain name detection model is established based on the basic characteristic information;
and step S4, acquiring the request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result.
It can be appreciated that in the above embodiment, the accuracy of DGA domain name discovery can be improved, the false alarm rate can be reduced, and the unknown type of DGA domain name can be effectively discovered and detected.
In some embodiments, the domain name character statistical features include domain name character length, character randomness, number of unique characters, and proportion of vowel letters.
In some specific embodiments, when the original data is classified, refined and extracted to obtain the basic feature information, the original data is preprocessed to remove invalid data.
It can be appreciated that in the above embodiment, in order to improve the accuracy of the fault diagnosis model establishment, the original data information needs to be preprocessed to remove the invalid data and the interference data.
As shown in fig. 2, in some specific embodiments, in step S3, building a DGA domain name detection model based on the basic feature information includes:
step S31, a data model cluster is established based on basic characteristic information, and the data model cluster comprises a plurality of data models;
step S32, inputting the basic characteristic information into a plurality of data models respectively to obtain initial prediction results of the corresponding data models;
step S33, setting an initial data model based on the matching degree of the request domain name information and the initial prediction result;
and step S34, testing the initial data model, and determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model.
It will be appreciated that in the above embodiments, the data models include, but are not limited to, a random forest algorithm, a support vector machine algorithm, a logistic regression algorithm, etc. An attacker typically generates a pseudo-random string with a domain name generation algorithm (DGA, Domain Generation Algorithm) and uses the pseudo-random string as a top-level domain name and a multi-level domain name to evade blacklist detection, so a DGA domain name detection model needs to be established to detect DGA domain names. To obtain the optimal result as the DGA domain name detection model, different models are evaluated and their detection effects are compared: specifically, the initial data model is tested, and the initial data model whose analysis result meets the preset index is determined as the DGA domain name detection model.
Setting an initial data model based on the matching degree of the request domain name information and the initial prediction result includes: matching the initial prediction result with the request domain name information, and determining the data model corresponding to the initial analysis result whose matching degree is greater than the preset matching degree as the initial data model.
As shown in fig. 3, in some embodiments, testing the initial data model includes:
step S341, dividing the basic characteristic information into training data and verification data according to preset conditions;
step S342, training the initial data model based on training data;
step S343, testing the trained initial data model based on the verification data, and outputting an initial data model conforming to the preset index.
It will be appreciated that in the above embodiment, the preset condition may be a preset distribution ratio; for example, 70% of the data samples are assigned to training data and 30% to verification data. The training data is input into the initial data model and the modeling data of the initial data model is continuously optimized; a corresponding training mode can be selected according to the specific implementation scenario, such as linear regression training using the training data. The trained initial data model is then tested and evaluated with the verification data; training is complete when the test result reaches a preset index that meets the current data analysis requirement, and the trained initial data model is used as the fault diagnosis model. For example, the preset index is that the detection success rate of the DGA domain name is 90%.
In some embodiments, testing the initial data model, determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model includes:
when the initial data model is unique, determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model;
and when the initial data model is not unique, determining the initial data model with the analysis result meeting the preset index and the highest preset index rate as the DGA domain name detection model.
It can be understood that in the above embodiment, when only one data model corresponds to an initial analysis result whose matching degree is greater than the preset matching degree, the initial data model whose fault analysis result meets the preset index is determined as the fault diagnosis model; when more than one data model corresponds to an initial analysis result whose matching degree is greater than the preset matching degree, the initial data model with the highest matching degree whose fault analysis result meets the preset index is determined as the fault diagnosis model.
In some specific embodiments, in step S4, obtaining the request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting the analysis result, including:
inputting the request domain name information into the DGA domain name detection model to obtain the analysis result;
storing and outputting the analysis result;
and adding domain names whose analysis result is a DGA domain name to threat intelligence.
It can be understood that in the above embodiment, when the analysis result is that the domain name is a DGA domain name, the analysis result is stored and alarm information is output; when the analysis result is that the domain name is a normal domain name, the analysis result is stored.
In some specific embodiments, after the request domain name information is acquired from the DNS traffic and input into the DGA domain name detection model to output an analysis result, when the analysis result is a DGA domain name, the requesting host is marked as a "broiler".
It will be appreciated that in the above embodiments, features are extracted from a large amount of raw data, such as domain name length, proportion of digits, number and proportion of vowels and consonants, random entropy, n-gram model, domain name suffix, etc. Machine learning is used to analyze and model the collected data (namely, establishing data models), and the optimal result is selected and stored as the DGA domain name detection model (namely, the initial data model whose analysis result meets the preset index is determined as the DGA domain name detection model). The requested domain name is obtained from DNS traffic, the domain name of the DNS request is checked with the DGA domain name detection model, and after a DGA domain name is detected the requesting host is marked as a "broiler" (a compromised host).
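The pipeline summarised above (S2 features, the S31-S34 model cluster with the 70/30 split and 90% preset index, and S4 scoring of DNS queries), as an added example that is not code from the patent. Assumptions: single-feature threshold models stand in for the random forest, SVM and logistic regression models the text names, the "detection success rate" is read as accuracy on the verification data, the S33 matching step is omitted, and all sample labels, IP addresses and helper names are constructed for illustration.

```python
import math
import random
from collections import Counter

VOWELS = set("aeiou")
PRESET_INDEX = 0.90  # the page's example preset index (90%)
FEATURES = ("length", "entropy", "unique", "vowel_ratio", "bigram_logp")
# Constructed samples for illustration, not real telemetry.
BENIGN = ("weather library garden market station bridge window picture holiday "
          "kitchen teacher number travel music school doctor planet coffee "
          "summer finance photography international").split()
DGA = ("xkqzvbjwtr qwzoxjkvbmph zvxqkjwh pqlmzxnvbwkta jhgfdqwzx wqxzekvjbn "
       "bvcxzqwkjhgt mnbvqxzw kjqxuzvwbtnrm tgbzxqw yhnqzxwvbk rfvqzxwkjbtgd "
       "plmqzxwv zqxjwkvbthgr vbqzxiwkj hjkqzxwvbnm cxzqwvkjb dfgqzxwvkjbn "
       "lkjqzxwv nmqzxwvkjbtr wpxkzqvj tqzjxkwvbhm").split()

def core_label(fqdn):
    """Second-level label of a query name (simplification: no Public Suffix List)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def char_stats(label):
    """S2 character statistics: length, Shannon entropy, unique characters, vowel ratio."""
    n, counts = len(label), Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    return {"length": n, "entropy": entropy, "unique": len(counts), "vowel_ratio": vowel_ratio}

class BigramModel:
    """S2 N-Gram feature: character 2-gram model, add-one smoothing, fitted on benign labels."""
    VOCAB = 38  # a-z, 0-9, hyphen, end-of-label marker
    def __init__(self, labels):
        self.pairs, self.firsts = Counter(), Counter()
        for label in labels:
            s = "^" + label + "$"
            for a, b in zip(s, s[1:]):
                self.pairs[a, b] += 1
                self.firsts[a] += 1

    def score(self, label):
        """Mean log-probability per transition; lower means less word-like."""
        s = "^" + label + "$"
        return sum(math.log((self.pairs[a, b] + 1) / (self.firsts[a] + self.VOCAB))
                   for a, b in zip(s, s[1:])) / (len(s) - 1)

def features(label, ngram):
    return {**char_stats(label), "bigram_logp": ngram.score(label)}

def fit_stump(values, labels):
    """One candidate model: the best threshold and direction on a single feature."""
    xs = sorted(set(values))
    cuts = [(a + b) / 2 for a, b in zip(xs, xs[1:])] or [xs[0]]
    best = (-1.0, 0.0, 1)
    for t in cuts:
        for sign in (1, -1):  # sign=1: a value above t is classed as DGA
            acc = sum((sign * (v - t) > 0) == bool(y) for v, y in zip(values, labels)) / len(values)
            if acc > best[0]:
                best = (acc, t, sign)
    return best[1], best[2]

def select_model(rates, preset_index=PRESET_INDEX):
    """Keep models that meet the preset index; if several do, take the highest rate."""
    ok = {name: r for name, r in rates.items() if r >= preset_index}
    return max(ok.items(), key=lambda kv: kv[1]) if ok else None

def train_and_select(benign, dga, seed=7):
    """S31-S34: build the model cluster, split 70/30, train, verify, select."""
    samples = [(d, 0) for d in benign] + [(d, 1) for d in dga]
    random.Random(seed).shuffle(samples)
    cut = len(samples) * 70 // 100
    train, verify = samples[:cut], samples[cut:]
    ngram = BigramModel([d for d, y in train if y == 0])  # verification data stays unseen
    y_train = [y for _, y in train]
    cluster, rates = {}, {}
    for name in FEATURES:
        t, s = fit_stump([features(d, ngram)[name] for d, _ in train], y_train)
        cluster[name] = lambda d, n=name, t=t, s=s: s * (features(d, ngram)[n] - t) > 0
        # Assumed reading of the "detection success rate": accuracy on verification data.
        rates[name] = sum(cluster[name](d) == bool(y) for d, y in verify) / len(verify)
    name = (select_model(rates) or (None,))[0]
    return name, cluster.get(name), rates

def analyze_dns(queries, model):
    """S4: score each queried name; return (names for threat intel, hosts to mark)."""
    intel, hosts = set(), set()
    for client, qname in queries:
        if model(core_label(qname)):
            intel.add(qname.lower().rstrip("."))
            hosts.add(client)
    return intel, hosts

if __name__ == "__main__":
    name, model, rates = train_and_select(BENIGN, DGA)
    print("verification rates:", rates, "-> selected:", name)
    # Constructed DNS log; xeogrhxquubt.com is the page's DGA example, the last a pinyin name.
    log = [("192.0.2.10", "www.garden.example"), ("192.0.2.23", "xeogrhxquubt.com"),
           ("192.0.2.31", "zhongguoyinhang.example")]
    print(analyze_dns(log, model) if model else "no model met the preset index")
```

The pinyin query in the sample log is there to check the false-alarm case the description calls out; a benign training set without pinyin names will tend to score such labels as unusual.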
As shown in fig. 4, to achieve the above object, there is also provided a DGA domain name detection system, including: the information acquisition module is used for acquiring original data in a normal domain name set and a malicious domain name data set;
the information processing module is used for classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features; establishing a DGA domain name detection model based on the basic characteristic information; and acquiring request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result.
In order to achieve the above object, there is also provided a computer readable storage medium storing computer program instructions which, when loaded and executed, perform the DGA domain name detection method.
It should be understood that, although the steps in the flowcharts of the embodiments of the present application are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the sub-steps or stages are performed need to be sequential, but may be performed in rotation or alternating with at least a portion of the sub-steps or stages of other steps or steps.
Those of ordinary skill in the art will appreciate that: the above is only a preferred embodiment of the present application, and the present application is not limited thereto, but it is to be understood that the present application is described in detail with reference to the foregoing embodiments, and modifications and equivalents of some of the technical features described in the foregoing embodiments may be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (10)
1. The DGA domain name detection method is characterized by comprising the following steps of:
acquiring original data in a normal domain name set and a malicious domain name data set;
classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features;
establishing a DGA domain name detection model based on the basic characteristic information;
and acquiring request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result.
2. The DGA domain name detection method according to claim 1, wherein the domain name character statistical features comprise domain name character length, character randomness, number of unique characters and proportion of vowel letters.
3. The DGA domain name detection method according to claim 1, wherein when classifying, refining and extracting each basic feature information from the original data, preprocessing is performed on the original data, and invalid data is removed.
4. The DGA domain name detection method according to claim 1, wherein establishing a DGA domain name detection model based on the basic feature information comprises:
establishing a data model cluster based on the basic characteristic information, wherein the data model cluster comprises a plurality of data models;
inputting the basic characteristic information into a plurality of data models respectively to obtain initial prediction results of the corresponding data models;
setting an initial data model based on the matching degree of the request domain name information and an initial prediction result;
and testing the initial data model, and determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model.
5. The DGA domain name detection method according to claim 4, wherein testing the initial data model comprises:
dividing the basic characteristic information into training data and verification data according to preset conditions; training the initial data model based on training data; and testing the trained initial data model based on the verification data, and outputting the initial data model which accords with the preset index.
6. The DGA domain name detection method according to claim 4, wherein testing the initial data model and determining an initial data model whose analysis result meets a preset index as the DGA domain name detection model comprises:
when the initial data model is unique, determining the initial data model with the analysis result meeting the preset index as the DGA domain name detection model;
and when the initial data model is not unique, determining the initial data model with the analysis result meeting the preset index and the highest preset index rate as the DGA domain name detection model.
7. The DGA domain name detection method according to claim 4, wherein acquiring request domain name information from DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result, comprises:
inputting the request domain name information into the DGA domain name detection model to obtain the analysis result;
storing and outputting the analysis result;
and adding domain names whose analysis result is a DGA domain name to threat intelligence.
8. The DGA domain name detection method according to claim 4, wherein, after the request domain name information is acquired from the DNS traffic and input into the DGA domain name detection model and the analysis result is output, the requesting host is marked as a "broiler" when the analysis result is a DGA domain name.
9. A DGA domain name detection system, comprising:
the information acquisition module is used for acquiring original data in a normal domain name set and a malicious domain name data set;
the information processing module is used for classifying, refining and extracting basic feature information of the original data, wherein the basic feature information comprises domain name character statistical features and domain name N-Gram model features; establishing a DGA domain name detection model based on the basic characteristic information; and acquiring request domain name information from the DNS traffic, inputting the request domain name information into the DGA domain name detection model, and outputting an analysis result.
10. A computer readable storage medium storing computer program instructions which, when loaded and executed, perform the DGA domain name detection method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311002710.3A CN116886414A (en) | 2023-08-09 | 2023-08-09 | DGA domain name detection method, system and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116886414A | 2023-10-13 |
Family
ID=88264519
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311002710.3A Pending CN116886414A (en) | 2023-08-09 | 2023-08-09 | DGA domain name detection method, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116886414A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170026390A1 (en) * | 2015-07-22 | 2017-01-26 | Cisco Technology, Inc. | Identifying Malware Communications with DGA Generated Domains by Discriminative Learning |
CN109391706A (en) * | 2018-11-07 | 2019-02-26 | 顺丰科技有限公司 | Domain name detection method, device, equipment and storage medium based on deep learning |
US20190387005A1 (en) * | 2017-03-10 | 2019-12-19 | Visa International Service Association | Identifying malicious network devices |
CN111031026A (en) * | 2019-12-09 | 2020-04-17 | 杭州安恒信息技术股份有限公司 | DGA malicious software infected host detection method |
CN112287338A (en) * | 2020-11-30 | 2021-01-29 | 国网新疆电力有限公司电力科学研究院 | Intrusion detection method and device based on ADASYN algorithm and improved convolutional neural network |
CN112929390A (en) * | 2021-03-12 | 2021-06-08 | 厦门帝恩思科技股份有限公司 | Network intelligent monitoring method based on multi-strategy fusion |
US20210320946A1 (en) * | 2020-04-13 | 2021-10-14 | Qatar Foundation For Education, Science And Community Development | Phishing domain detection systems and methods |
CN115277198A (en) * | 2022-07-27 | 2022-11-01 | 西安热工研究院有限公司 | Vulnerability detection method and device for industrial control system network and storage medium |
CN116455620A (en) * | 2023-03-31 | 2023-07-18 | 华能信息技术有限公司 | Malicious domain name access analysis and determination method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||