CN107888606A - Domain name reputation assessment method and system - Google Patents


Publication number
CN107888606A
Authority
CN
China
Legal status
Granted
Application number
CN201711206344.8A
Other languages
Chinese (zh)
Other versions
CN107888606B (en)
Inventor
张斌
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201711206344.8A
Publication of CN107888606A
Application granted
Publication of CN107888606B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

Embodiments of the invention provide a domain name reputation assessment method and system for improving the accuracy of network security detection. The method of the embodiments includes: collecting, from the Internet, website content information corresponding to a target domain name to be detected; inputting the website content information into a preset classifier model for domain name classification, and determining a first reputation value for the target domain name according to the classification result; matching the target domain name against network security threat information stored in a database across multiple dimensions, and outputting a second reputation value for the target domain name according to the matching result; and calculating the reputation score of the target domain name from the first reputation value and the second reputation value.

Description

Domain name reputation assessment method and system
Technical field
The present invention relates to the field of network security, and in particular to a domain name reputation assessment method and system.
Background
With the rapid development of Internet technology, a large amount of malicious attack behavior has appeared on networks. Attackers use physical devices and resources obtained on the network to carry out malicious attacks, such as automatic update downloads for botnets, automatic update downloads of malicious code, phishing, automated network scanning, and automatic sending of spam. In existing schemes, detection of malicious attack behavior is often based on the domain names the attacker uses: assessing the reputation of a domain name helps identify malicious attack behavior.
In existing schemes, the reputation of a domain name is usually assessed by resolving a uniform resource locator (URL) or IP address to its corresponding domain name, or by directly collecting the domain names or IP addresses of malicious attackers, and matching on that single dimension of information; malicious attack behavior is detected in this way, and the reputation of the domain name is then assessed.
However, attackers can evade detection by antivirus software by constantly changing URLs or updating domain names, which reduces the detection rate of malicious behavior. Moreover, the behavioral characteristics of malicious attacks are often multi-dimensional, so detecting network behavior from a single dimension of domain name information carries a risk of false detection.
Summary of the invention
Embodiments of the invention provide a domain name reputation assessment method and system for improving the accuracy of network security detection.
A first aspect of the embodiments of the present invention provides a domain name reputation assessment method, which may include:
Collecting, from the Internet, website content information corresponding to a target domain name to be detected;
Inputting the website content information into a preset classifier model for domain name classification, and determining a first reputation value for the target domain name according to the classification result;
Matching the target domain name against network security threat information stored in a database across multiple dimensions, and outputting a second reputation value for the target domain name according to the matching result;
Calculating the reputation score of the target domain name from the first reputation value and the second reputation value.
Optionally, as a possible embodiment, collecting from the Internet the website content information corresponding to the target domain name to be detected includes:
Searching for the target domain name to be detected with a search engine to obtain the retrieval records corresponding to the target domain name;
Collecting the website content information corresponding to the target domain name from the retrieval records using web crawler technology.
Optionally, as a possible embodiment, the method further includes:
Collecting the uniform resource locator (URL) fields of a preset number of top-ranked websites in the retrieval records corresponding to the target domain name;
Judging whether the host part of the URL field of each of the preset number of top-ranked websites matches the target domain name, and counting the number of successfully matched websites;
Determining a third reputation value for the target domain name according to the number of successfully matched websites;
Further calculating the reputation score of the target domain name according to the third reputation value.
Optionally, as a possible embodiment, matching the target domain name against the network security threat information stored in the database across multiple dimensions includes:
Parsing the domain name attribution information corresponding to the target domain name, where the domain name attribution information includes one or more of the IP address, whois information, and URL information corresponding to the target domain name;
Matching the domain name attribution information corresponding to the target domain name against a preset malicious domain name information library;
And/or matching the IP address corresponding to the target domain name against a preset virus network behavior feature library.
Optionally, as a possible embodiment, the domain name reputation assessment method further includes:
Feeding back to the user the reputation information corresponding to the target domain name;
The reputation information includes the reputation score, a domain name type label, and the domain name attribution information,
Where, when the reputation score of the target domain name is lower than a first preset threshold, the domain name type label of the target domain name is marked as malicious domain name.
Optionally, as a possible embodiment, the domain name reputation assessment method further includes:
Counting the number of hosts that access the target domain name;
When the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than a second preset threshold, issuing warning information for the target domain name.
A second aspect of the embodiments of the present invention provides a domain name reputation assessment system, which may include:
An information collection unit, for collecting from the Internet website content information corresponding to a target domain name to be detected;
A domain name classification unit, for inputting the website content into a preset classifier model for domain name classification, and determining a first reputation value for the target domain name according to the classification result;
A domain name association analysis unit, for matching the target domain name against the network security threat information stored in a database across multiple dimensions, and determining a second reputation value for the target domain name according to the matching result.
A first calculation unit, for calculating the reputation score of the target domain name from the first reputation value and the second reputation value.
Optionally, as a possible embodiment, the information collection unit includes:
A search module, for searching for the target domain name to be detected with a search engine to obtain the retrieval records corresponding to the target domain name;
A first collection module, for collecting the website content information corresponding to the target domain name from the retrieval records using web crawler technology.
Optionally, as a possible embodiment, the information collection unit further includes a second collection module, for collecting the uniform resource locator (URL) fields of a preset number of top-ranked websites in the retrieval records corresponding to the target domain name;
The domain name reputation assessment system further includes:
A judging unit, for judging whether the host part of the URL field of each of the preset number of top-ranked websites matches the target domain name, counting the number of successfully matched websites, and determining a third reputation value for the target domain name according to the number of successfully matched websites;
A second calculation unit, for further calculating the reputation score of the target domain name according to the third reputation value.
Optionally, as a possible embodiment, the domain name association analysis unit includes:
A parsing module, for parsing the domain name attribution information corresponding to the target domain name, where the domain name attribution information includes one or more of the IP address, whois information, and URL information corresponding to the target domain name;
A first matching module, for matching the domain name attribution information corresponding to the target domain name against a preset malicious domain name information library;
A second matching module, for matching the IP address corresponding to the target domain name against a preset virus network behavior feature library.
Optionally, as a possible embodiment, the domain name reputation assessment system further includes:
A feedback unit, for feeding back to the user the reputation information corresponding to the target domain name;
The reputation information includes the reputation score, a domain name type label, and the domain name attribution information, where, when the reputation score of the target domain name is lower than a first preset threshold, the domain name type label of the target domain name is marked as malicious domain name.
Optionally, as a possible embodiment, the domain name reputation assessment system further includes:
A statistics unit, for counting the number of hosts that access the target domain name;
An early-warning unit, for issuing warning information for the target domain name when the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than a second preset threshold.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, the domain name reputation assessment system can, first, input the website content information corresponding to the target domain name into a preset classifier model for domain name classification and determine the first reputation value of the target domain name from the classification result; second, match the target domain name against the network security threat information stored in the database across multiple dimensions and output the second reputation value of the target domain name from the matching result; and finally calculate the reputation score of the target domain name from the first and second reputation values, which can serve as a reference for detecting malicious attack behavior. That is, the system can not only perform multi-dimensional detection and analysis on the target domain name but also match it across multiple dimensions against multi-dimensional network security threat information, which increases the accuracy of network security detection.
Brief description of the drawings
Fig. 1 is a schematic diagram of one embodiment of the domain name reputation assessment method in the embodiments of the present invention;
Fig. 2 is a schematic diagram of another embodiment of the domain name reputation assessment method in the embodiments of the present invention;
Fig. 3 is a schematic diagram of another embodiment of the domain name reputation assessment method in the embodiments of the present invention;
Fig. 4 is a schematic diagram of one embodiment of the domain name reputation assessment system in the embodiments of the present invention;
Fig. 5 is a refined module diagram of the information collection unit 401 in the domain name reputation assessment system in the embodiments of the present invention;
Fig. 6 is a schematic diagram of another embodiment of the domain name reputation assessment system in the embodiments of the present invention;
Fig. 7 is a refined module diagram of the domain name association analysis unit 403 in the domain name reputation assessment system in the embodiments of the present invention;
Fig. 8 is a schematic diagram of another embodiment of the domain name reputation assessment system in the embodiments of the present invention.
Detailed description
Embodiments of the invention provide a domain name reputation assessment method and system for improving the accuracy of network security detection.
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative work shall fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth", and so on in the description, the claims, and the above drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data used in this way may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated or described. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product, or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product, or device.
For ease of understanding, the specific flow in the embodiments of the present invention is described below. Referring to Fig. 1, one embodiment of the domain name reputation assessment method in the embodiments of the present invention may include:
101. Collect, from the Internet, website content information corresponding to a target domain name to be detected;
To assess the reputation of the target domain name, the domain name reputation assessment system may use web crawler technology to collect from the Internet the website content information corresponding to the target domain name to be detected. Specifically, website content information generally includes a title, content, and so on.
Optionally, as a possible embodiment, the domain name reputation assessment system collecting from the Internet the website content information corresponding to the target domain name to be detected includes:
Searching for the target domain name to be detected with a search engine to obtain the retrieval records corresponding to the target domain name;
Web crawler technology may then be used to collect the website content information corresponding to the target domain name from the retrieval records.
Specifically, for example, the domain name reputation assessment system may search for the target domain name with a search engine and extract a preset number of top-ranked search records from the search results. The search records may include website records corresponding to the target domain name and its subdomains, stored in the order of the search engine's ranking. The corresponding title, content, uniform resource locator (URL), and other information are then obtained from the search engine's retrieval records.
It can be understood that the way of collecting the website content information corresponding to the target domain name in this embodiment is only exemplary. In practice, the website content information corresponding to the target domain name may also be collected according to the network port of the target domain name; the specific way of collecting website content information is not limited here.
102. Input the website content into a preset classifier model for domain name classification, and determine the first reputation value of the target domain name according to the classification result;
Before classifying the target domain name, the domain name reputation assessment system may collect in advance the website content information of a large number of white domain names and black domain names to train the preset classifier model. For example, the website content information of 100,000 white domain names and 300,000 black domain names may be collected to train a Bayesian classifier model; the specific model training method is prior art and is not repeated here. It can be understood that the preset classifier model may also be a decision tree classifier model, a Bayesian classifier model, a logistic regression classifier model, an SVM classifier model, and so on; the specific classifier model is not limited here.
After training of the preset classifier model is complete, the collected website content information corresponding to the target domain name can be input into the preset classifier model for classification. The classification result may be white domain name, black domain name, or grey domain name, and different types of domain name correspond to different reputation values. The domain name reputation assessment system can determine the first reputation value of the target domain name according to the output of the preset classifier model.
103. Match the target domain name against the network security threat information stored in the database across multiple dimensions, and output the second reputation value of the target domain name according to the matching result;
The behavioral characteristics of malicious attacks on the Internet are often associated with one another. For example, a single attacker IP address may be used to forge multiple domain names or multiple URLs to carry out malicious attacks. There may also be direct or indirect associations between multiple malicious attacks: for example, the current-owner information in the whois records of the domain names used in multiple malicious attacks may point to the same attacker. The domain name reputation assessment system can match the target domain name against the network security threat information stored in the database across multiple dimensions, and output the second reputation value of the target domain name according to the matching result.
Specifically, the domain name reputation assessment system may first parse the domain name attribution information corresponding to the target domain name. The domain name attribution information may include one or more of the IP address, whois information, and URL information corresponding to the target domain name;
Optionally, as a possible embodiment, the domain name reputation assessment system may match the domain name attribution information corresponding to the target domain name against a preset malicious domain name information library;
Specifically, the domain name reputation assessment system may store a large amount of network security threat information based on big data analysis. This may include a large number of malicious domain names, malicious IP addresses, URLs corresponding to malicious domain names, and whois information corresponding to malicious domain names, where the whois information includes at least the owner information of the corresponding malicious domain name. The system may match the domain name attribution information of the target domain name against the pre-stored malicious domain names, malicious IP addresses, and whois information corresponding to the malicious domain names, and may determine the second reputation value of the target domain name according to the number of successfully matched malicious IP addresses, whois records of malicious domain names, and URLs of malicious domain names: the more successful matches, the lower the corresponding second reputation value.
Further, optionally, to expand the dimensions on which the target domain name can be matched and further increase the accuracy of network security detection, the domain name reputation assessment system may also match the IP address corresponding to the target domain name against a preset virus network behavior feature library.
Specifically, the domain name reputation assessment system may match the target domain name or its corresponding IP address against the preset virus network behavior feature library, analyzing, for example, the number of times and frequency with which known virus networks access the target domain name, the types of virus that access the target domain name, and the number of domain names confirmed as malicious among the other domain names belonging to the owner of the target domain name. The system may determine the second reputation value of the target domain name from these analysis results according to predetermined rules: the higher the frequency and number of accesses to the target domain name by known virus networks, the more types of virus access the target domain name, and the more of the owner's other domain names are confirmed as malicious, the lower the corresponding second reputation value.
104. Calculate the reputation score of the target domain name from the first reputation value and the second reputation value.
After the first and second reputation values of the target domain name have been obtained, the domain name reputation assessment system can calculate the reputation score of the target domain name from them. Specifically, the system may take the sum of the first reputation value and the second reputation value directly as the reputation score of the target domain name; or it may assign corresponding weights to the first reputation value and the second reputation value and take the sum of the weighted values; or it may assign a weight to each relevant item in the calculation of the first reputation value and of the second reputation value, calculate the weighted value of each, and take the sum of the weighted first and second reputation values as the reputation score of the target domain name. The specific calculation method is not limited here.
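The matching against the malicious domain name information library and the weighted combination of steps 103 and 104 can be sketched as follows. This is an added example, not code from the patent: the 0 to 100 scale, the per-match penalty, the class-to-value mapping, the weights, the threshold of 60 and all names and sample data are assumptions, since the text fixes only the direction (more matches, lower second reputation value).

```python
"""Added illustration of steps 103-104; not code from the patent.
Scale, penalty, weights, threshold and sample data are assumptions."""
from dataclasses import dataclass, field

# Assumed mapping from the classifier output of step 102 to a first value.
CLASS_VALUE = {"white": 100, "grey": 50, "black": 0}


@dataclass
class Attribution:
    """Domain name attribution information parsed for the target domain."""
    domain: str
    ips: set = field(default_factory=set)
    whois_owner: str = ""
    urls: set = field(default_factory=set)


@dataclass
class ThreatIntel:
    """Stand-in for the preset malicious domain name information library."""
    domains: set
    ips: set
    owners: set
    urls: set


def norm(name):
    """Normalise a DNS name: trim, drop the trailing root dot, lower-case."""
    return name.strip().rstrip(".").lower()


def match_dimensions(attr, intel):
    """Count successful matches per dimension (domain, IP, whois owner, URL)."""
    owner = attr.whois_owner.strip().lower()
    return {
        "domain": int(norm(attr.domain) in intel.domains),
        "ip": len(attr.ips & intel.ips),
        # An empty owner field must never match an empty library entry.
        "whois": int(bool(owner) and owner in intel.owners),
        "url": len(attr.urls & intel.urls),
    }


def second_value(hits, max_value=100, penalty=25):
    """More matches give a lower second reputation value, floored at 0."""
    return max(0, max_value - penalty * sum(hits.values()))


def reputation(values, weights):
    """Weighted sum of the reputation values, normalised by the total weight
    (normalisation is an assumption that keeps the score on the same scale)."""
    total = sum(weights[k] for k in values)
    return sum(values[k] * weights[k] for k in values) / total


def label(score, malicious_below=60):
    """Domain type label: malicious when the score is under the threshold."""
    return "malicious" if score < malicious_below else "not flagged"


def assess(attr, intel, classifier_label, weights):
    """Run steps 103-104 for one domain and return (hits, score, label)."""
    hits = match_dimensions(attr, intel)
    values = {"first": CLASS_VALUE[classifier_label],
              "second": second_value(hits)}
    score = reputation(values, weights)
    return hits, score, label(score)


# Constructed sample data (documentation IP ranges, reserved .example names).
INTEL = ThreatIntel(
    domains={"cdn-update.example"},
    ips={"203.0.113.7"},
    owners={"registrant-x"},
    urls={"http://cdn-update.example/update.bin"},
)
TARGET = Attribution(
    domain="Shop-Login.example.",
    ips={"203.0.113.7", "198.51.100.9"},
    whois_owner="Registrant-X",
    urls={"http://shop-login.example/"},
)

if __name__ == "__main__":
    print(assess(TARGET, INTEL, "grey", {"first": 2, "second": 3}))
```

The sample target is not itself in the library, but it shares an IP address and a whois owner with a listed domain, which is the association the multi-dimensional match is meant to catch.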
In the embodiments of the present invention, the domain name reputation assessment system can, first, input the website content information corresponding to the target domain name into a preset classifier model for domain name classification and determine the first reputation value of the target domain name from the classification result; second, match the target domain name against the network security threat information stored in the database across multiple dimensions and output the second reputation value of the target domain name from the matching result; and finally calculate the reputation score of the target domain name from the first and second reputation values. That is, the system can not only perform multi-dimensional detection and analysis on the target domain name but also match it across multiple dimensions against multi-dimensional network security threat information; the resulting reputation score can then serve as a reference for detecting malicious attack behavior, which increases the accuracy of network security detection.
On the basis of the above embodiment, to further increase detection accuracy, the detection dimensions for the target domain name may be further increased. For example, the reputation of the target domain name may be judged from how well the URLs of the websites in the preset number of top-ranked search records returned by the search engine match the target domain name. Referring to Fig. 2, another embodiment of the domain name reputation assessment method in the embodiments of the present invention may include:
201. Search for the target domain name to be detected with a search engine to obtain the retrieval records corresponding to the target domain name, and collect the website content information corresponding to the target domain name from the retrieval records using web crawler technology;
Specifically, for example, the domain name reputation assessment system may search for the target domain name with a search engine and extract a preset number of top-ranked search records from the search results. The search records include website records corresponding to the target domain name and its subdomains, stored in the order of the search engine's ranking. The corresponding title, content, uniform resource locator (URL), and other information are then obtained from the search engine's retrieval records.
202. Input the website content into a preset classifier model for domain name classification, and determine the first reputation value of the target domain name according to the classification result;
203. Match the target domain name against the network security threat information stored in the database across multiple dimensions, and output the second reputation value of the target domain name according to the matching result;
Steps 202 and 203 in this embodiment are similar to steps 102 and 103 in the embodiment shown in Fig. 1; see steps 102 and 103 for details, which are not repeated here.
204. Collect the uniform resource locator (URL) fields of a preset number of top-ranked websites in the retrieval records corresponding to the target domain name;
205. Judge whether the host part of the URL field of each of the preset number of top-ranked websites matches the target domain name, count the number of successfully matched websites, and determine the third reputation value of the target domain name according to the number of successfully matched websites;
The domain name reputation assessment system may judge whether the host part of the URL field in each of the preset number of top-ranked search records matches the target domain name. If it matches, the rank value of the target domain name is high and it is more likely to be a normal domain name; otherwise, the rank value of the target domain name is low and it is likely to be malicious. Specifically, the third reputation value may be assigned to the target domain name according to, for example, whether the host part of the URL field contains the target domain name, and which of the retrieval records for the target domain name have website URL fields whose host part contains the target domain name. For example, it may be judged whether the URL fields of the top 10 ranked websites in the retrieval records for the target domain name contain the target domain name: if so, the match succeeds; otherwise, the match fails. The more of the top 10 ranked websites match successfully, the higher the third reputation value of the target domain name may be set; the third reputation value may also be set higher the higher the successfully matched websites rank in the retrieval records. This is not specifically limited here. After the third reputation value of the target domain name has been determined, the reputation score of the target domain name can be further calculated according to the third reputation value.
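The host-part comparison of steps 204 and 205 is easy to get wrong with a plain substring test, so the following added example (not code from the patent) parses each URL and matches on DNS label boundaries, then derives the third reputation value both by count and by rank. The strict boundary match, the 0 to 100 scale, the rank weights and the sample search results are assumptions.

```python
"""Added illustration of steps 204-205; not code from the patent.
Scale, rank weighting and sample results are assumptions."""
from urllib.parse import urlsplit


def host_of(url):
    """Return the lower-cased host part of a URL, or "" if unparseable."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a scheme-less entry as host/path
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()


def host_matches(url, target):
    """True when the host is the target domain or one of its subdomains.

    Matching on a label boundary rejects look-alikes that merely contain the
    target string, such as a target name used as a prefix of another zone,
    in the userinfo part, or in the query string.
    """
    host = host_of(url)
    target = target.strip().rstrip(".").lower()
    return bool(host) and (host == target or host.endswith("." + target))


def third_value_count(result_urls, target, top_n=10, max_value=100):
    """Third value proportional to the number of matching top-N results.
    Missing results (fewer than top_n returned) count as non-matches."""
    hits = sum(host_matches(u, target) for u in result_urls[:top_n])
    return round(max_value * hits / top_n)


def third_value_ranked(result_urls, target, top_n=10, max_value=100):
    """Variant in which a match at a higher rank contributes more.
    Position i (0-based) carries weight top_n - i."""
    total = top_n * (top_n + 1) // 2
    got = sum(top_n - i
              for i, u in enumerate(result_urls[:top_n])
              if host_matches(u, target))
    return round(max_value * got / total)


# Constructed search results for the target "bank.example", in rank order.
RESULTS = [
    "https://www.bank.example/",                   # subdomain: match
    "https://bank.example/login",                  # exact host: match
    "https://news.test/article?ref=bank.example",  # only in query: no match
    "http://bank.example.evil.test/login",         # target as prefix: no match
    "https://notbank.example/",                    # shared suffix text: no match
    "http://bank.example@evil.test/",              # userinfo trick: no match
    "https://help.bank.example:8443/faq",          # port stripped: match
    "bank.example/about",                          # no scheme: match
    "https://forum.test/t/123",                    # unrelated: no match
    "https://BANK.EXAMPLE./",                      # case and root dot: match
]

if __name__ == "__main__":
    print(third_value_count(RESULTS, "bank.example"),
          third_value_ranked(RESULTS, "bank.example"))
```

A domain with no search results at all gets a third value of 0 under both functions, which mirrors the text's reading that a low rank value makes a domain more likely to be malicious.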
206th, the credit worthiness according to corresponding to the first credit value, the second credit value and the 3rd credit value calculate target domain name.
After the 3rd credit value corresponding to target domain name is drawn, domain name credit worthiness assessment system can be counted further accordingly Credit worthiness corresponding to target domain name is calculated, specifically, domain name credit worthiness assessment system can directly ask for the first credit value, the second letter Reputation value and the 3rd credit value sum are as credit worthiness corresponding to target domain name, or the first credit value, the second credit value and Weights corresponding to the distribution of 3rd credit value, ask for the first credit value, the second credit value and the 3rd credit value weighted value sum, also may be used Think in the calculating process of the first credit value, the second credit value and the 3rd credit value each continuous item difference weights assigned value with The weighted value of the first credit value, the second credit value and the 3rd credit value is calculated respectively, and calculates the first credit value, the second credit value And the 3rd credit value weighted value sum as credit worthiness corresponding to target domain name, specific calculation, do not limit herein.
On the basis of the above embodiments, once the credit worthiness of the target domain name to be detected has been obtained, it has guiding significance for the user's network behaviour, so the credit worthiness of the target domain name needs to be fed back to the user. Referring to Fig. 3, another embodiment of the domain name credit assessment method in the embodiments of the present invention may include:
301. Collect, from the internet, the website content information corresponding to the target domain name to be detected;
302. Input the website content into a preset classifier model for domain name classification, and determine the first credit value corresponding to the target domain name according to the classification result;
303. Perform multi-dimensional matching between the target domain name and the network security threat information stored in a database, and output the second credit value corresponding to the target domain name according to the matching result;
304. Calculate the credit worthiness corresponding to the target domain name according to the first credit value and the second credit value;
Steps 201 to 204 in this embodiment are similar to the content described in steps 101 to 104 of the embodiment shown in Fig. 1 above; refer to steps 101 to 104 for details, which are not repeated here.
305. Feed back to the user the reputation information corresponding to the target domain name;
After the credit worthiness of the target domain name to be detected is obtained, it has guiding significance for the user's network behaviour, so the information related to the credit worthiness of the target domain name needs to be fed back to the user. Specifically, the domain name credit worthiness assessment system feeds back to the user the reputation information corresponding to the target domain name, so that the user can guard against possible network attacks.
Optionally, the reputation information includes the credit worthiness, a domain name type label and domain name attaching information, where, when the credit worthiness corresponding to the target domain name is less than a first preset threshold, the domain name type label of the target domain name is marked as malicious domain name; the specific first preset threshold is not limited here. The reputation information may further include information such as the security threat type corresponding to the target domain name and the latest active time, for example threat type: C&C server, latest active time: 20171001 12:00:00. It can be understood that the reputation information can be set reasonably according to the behavioural characteristics of possible attacks associated with the target domain name and the needs of the user; the specific reputation information is not limited here.
306. Count the number of hosts accessing the target domain name; when the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than a second preset threshold, issue warning information for the target domain name.
Optionally, in order to discover or guard against large-scale attacks in time, the domain name credit worthiness assessment system can count the number of hosts accessing the target domain name; when the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than the second preset threshold, the system issues warning information for the target domain name to prompt users to guard against possible network attacks.
It can be understood that steps 305 and 306 in this embodiment can also be applied to the embodiment shown in Fig. 2.
In the embodiments of the present invention, the domain name credit worthiness assessment system can not only perform multi-dimensional detection and analysis on the target domain name, but can also perform multi-dimensional matching on the target domain name based on multi-dimensional network security threat information, which increases the accuracy of network security detection. In addition, the system can feed back the reputation information of the target domain name to the user, so that the user can see directly whether the target domain name poses a threat and can guard against possible network attacks. When the target domain name is a malicious domain name and many hosts are affected, the system can also issue large-scale warning information for the target domain name, so that users can guard against possible network attacks.
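The following Python sketch is an added illustration, not code from the patent. It works through steps 204 to 206 and 305 to 306 on constructed data, matching the host part on DNS label boundaries so that a search result whose URL merely contains the target domain name as a substring does not count as a match. The weights, both thresholds, the 0-to-1 value scale and the three-field log format are assumptions, since the patent leaves them open.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed parameters: the patent leaves the weights and both thresholds open.
WEIGHTS = (0.4, 0.4, 0.2)   # weights of the first, second and third credit value
FIRST_THRESHOLD = 0.5       # credit worthiness below this is labelled malicious
SECOND_THRESHOLD = 3        # alert when at least this many hosts accessed the domain
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed sample data (reserved .test/.example names, RFC 5737 addresses).
SEARCH_RESULTS = [
    "https://shop.example.test/login",                # match: subdomain of the target
    "http://example.test:8080/",                      # match: port is not part of the host
    "https://example.test.mirror.example/",           # no match: target is only a prefix
    "https://notexample.test/",                       # no match: not on a label boundary
    "https://forum.example/?u=http://example.test/",  # no match: target only in the query
    "WWW.EXAMPLE.TEST/about",                         # match: no scheme, upper case
]
DNS_LOG = [  # assumed format: "<timestamp> <client> <queried name>"
    "2017-10-01T12:00:00 192.0.2.10 example.test",
    "2017-10-01T12:00:03 192.0.2.11 cdn.example.test",
    "2017-10-01T12:00:05 192.0.2.10 example.test",
    "2017-10-01T12:00:09 192.0.2.12 example.test.",
    "2017-10-01T12:00:11 192.0.2.13 notexample.test",
]


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL (no port, userinfo or path)."""
    if not _SCHEME.match(url) and not url.startswith("//"):
        url = "//" + url                      # bare "www.example.test/x" form
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:                        # e.g. a malformed IPv6 literal
        return ""


def host_matches(host: str, target: str) -> bool:
    """Match on DNS label boundaries: the target itself or one of its subdomains."""
    host, target = host.lower().rstrip("."), target.lower().rstrip(".")
    return bool(host) and (host == target or host.endswith("." + target))


def third_credit_value(result_urls, target, top_n=10):
    """Steps 204-205: (match count, share of the top_n slots that matched).

    Dividing by top_n rather than by the number of results returned means a
    short result list cannot inflate the value.
    """
    matched = sum(host_matches(host_of(u), target) for u in result_urls[:top_n])
    return matched, matched / top_n


def credit_worthiness(first, second, third, weights=WEIGHTS):
    """Step 206, weighted-sum variant."""
    return sum(w * v for w, v in zip(weights, (first, second, third)))


def accessing_hosts(log_lines, target):
    """Step 306: distinct clients that queried the target or one of its subdomains."""
    clients = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) == 3 and host_matches(fields[2], target):
            clients.add(fields[1])
    return clients


@dataclass
class ReputationInfo:
    domain: str
    credit_worthiness: float
    label: str
    host_count: int
    alert: bool


def assess(target, first, second, result_urls, log_lines):
    """Steps 305-306: build the reputation information and the alert decision."""
    _, third = third_credit_value(result_urls, target)
    score = round(credit_worthiness(first, second, third), 3)
    label = "malicious" if score < FIRST_THRESHOLD else "normal"
    hosts = len(accessing_hosts(log_lines, target))
    alert = label == "malicious" and hosts >= SECOND_THRESHOLD
    return ReputationInfo(target, score, label, hosts, alert)


if __name__ == "__main__":
    # first/second credit values are taken as given (classifier and matching output)
    print(assess("example.test", 0.2, 0.1, SEARCH_RESULTS, DNS_LOG))
```

A plain substring test on the whole URL would have counted all six constructed results as matches; the label-boundary comparison on the parsed host counts three.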
It can be understood that, in the various embodiments of the present invention, the sequence numbers of the above steps do not imply an order of execution; the execution order of the steps should be determined by their functions and internal logic, and does not constitute any limitation on the implementation process of the embodiments of the present invention.
The above embodiments describe the domain name credit assessment method in the embodiments of the present invention; the domain name credit worthiness assessment system in the embodiments of the present invention is described below. Referring to Fig. 4, one embodiment of a domain name credit worthiness assessment system in the embodiments of the present invention may include:
Information acquisition unit 401, configured to collect, from the internet, the website content information corresponding to the target domain name to be detected;
Domain name classification unit 402, configured to input the website content into a preset classifier model for domain name classification, and to determine the first credit value corresponding to the target domain name according to the classification result;
Domain name association analysis unit 403, configured to perform multi-dimensional matching between the target domain name and the network security threat information stored in a database, and to determine the second credit value corresponding to the target domain name according to the matching result.
First computing unit 404, configured to calculate the credit worthiness corresponding to the target domain name according to the first credit value and the second credit value.
Optionally, as a possible implementation, referring to Fig. 5, the information acquisition unit 401 in the embodiments of the present invention may further include:
Search module 4011, configured to search for the target domain name to be detected using a search engine to obtain the retrieval records corresponding to the target domain name;
First acquisition module 4012, configured to collect, using web crawler technology, the website content information corresponding to the target domain name from the retrieval records.
Optionally, as a possible implementation, referring to Fig. 6, in the embodiments of the present invention the information acquisition unit 401 further includes a second acquisition module 4013, configured to collect the uniform resource locator (URL) fields of a preset number of top-ranked websites in the retrieval records corresponding to the target domain name;
The domain name credit worthiness assessment system further includes:
Judging unit 405, configured to determine whether the host part in the URL field of each of the preset number of top-ranked websites matches the target domain name, to count the number of successfully matched websites, and to determine the third credit value corresponding to the target domain name according to the number of successfully matched websites;
Second computing unit 406, configured to further calculate the credit worthiness corresponding to the target domain name according to the third credit value.
Optionally, as a possible implementation, referring to Fig. 7, the domain name association analysis unit 403 in the embodiments of the present invention may further include:
Parsing module 4031, configured to parse the domain name attaching information corresponding to the target domain name, where the domain name attaching information includes one or more of the IP address, whois information and URL information corresponding to the target domain name;
First matching module 4032, configured to match the domain name attaching information corresponding to the target domain name against a preset malicious domain name information library;
Second matching module 4033, configured to match the IP address corresponding to the target domain name against a preset virus network behaviour feature library.
Optionally, as a possible implementation, referring to Fig. 8, the domain name credit worthiness assessment system in the embodiments of the present invention may further include:
Feedback unit 407, configured to feed back to the user the reputation information corresponding to the target domain name;
The reputation information includes the credit worthiness, a domain name type label and domain name attaching information, where, when the credit worthiness corresponding to the target domain name is less than the first preset threshold, the domain name type label of the target domain name is marked as malicious domain name.
Optionally, as a possible implementation, referring to Fig. 8, the domain name credit worthiness assessment system in the embodiments of the present invention may further include:
Statistic unit 408, configured to count the number of hosts accessing the target domain name;
Early warning unit 409, configured to issue warning information for the target domain name when the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than the second preset threshold.
It can be understood that the statistic unit 408 and the early warning unit 409 in this embodiment can be used in the embodiment shown in Fig. 6; no specific limitation is imposed here.
In the embodiments of the present invention, the domain name credit worthiness assessment system can, in a first aspect, input the website content information corresponding to the target domain name into a preset classifier model for domain name classification and determine the first credit value corresponding to the target domain name according to the classification result; in a second aspect, it can perform multi-dimensional matching between the target domain name and the network security threat information stored in a database and output the second credit value corresponding to the target domain name according to the matching result; finally, it calculates the credit worthiness corresponding to the target domain name according to the first credit value and the second credit value. That is, the domain name credit worthiness assessment system in the embodiments of the present invention can not only perform multi-dimensional detection and analysis on the target domain name, but can also perform multi-dimensional matching on the target domain name based on multi-dimensional network security threat information, which increases the accuracy of network security detection.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, units and modules described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
As described above, the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of the technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

  1. A domain name credit assessment method, characterized in that it comprises:
    collecting, from the internet, website content information corresponding to a target domain name to be detected;
    inputting the website content information into a preset classifier model for domain name classification, and determining a first credit value corresponding to the target domain name according to the classification result;
    performing multi-dimensional matching between the target domain name and network security threat information stored in a database, and outputting a second credit value corresponding to the target domain name according to the matching result;
    calculating the credit worthiness corresponding to the target domain name according to the first credit value and the second credit value.
  2. The method according to claim 1, characterized in that collecting, from the internet, the website content information corresponding to the target domain name to be detected comprises:
    searching for the target domain name to be detected using a search engine to obtain retrieval records corresponding to the target domain name;
    collecting, using web crawler technology, the website content information corresponding to the target domain name from the retrieval records.
  3. The method according to claim 2, characterized in that it further comprises:
    collecting the uniform resource locator (URL) fields of a preset number of top-ranked websites in the retrieval records corresponding to the target domain name;
    determining whether the host part in the URL field of each of the preset number of top-ranked websites matches the target domain name, and counting the number of successfully matched websites;
    determining a third credit value corresponding to the target domain name according to the number of successfully matched websites;
    further calculating the credit worthiness corresponding to the target domain name according to the third credit value.
  4. The method according to claim 1, characterized in that performing multi-dimensional matching between the target domain name and the network security threat information stored in the database comprises:
    parsing domain name attaching information corresponding to the target domain name, the domain name attaching information including one or more of the IP address, whois information and URL information corresponding to the target domain name;
    matching the domain name attaching information corresponding to the target domain name against a preset malicious domain name information library;
    and/or matching the IP address corresponding to the target domain name against a preset virus network behaviour feature library.
  5. The method according to any one of claims 1 to 4, characterized in that it further comprises:
    feeding back to a user reputation information corresponding to the target domain name;
    the reputation information including the credit worthiness, a domain name type label and the domain name attaching information,
    wherein, when the credit worthiness corresponding to the target domain name is less than a first preset threshold, the domain name type label of the target domain name is marked as malicious domain name.
  6. The method according to claim 5, characterized in that it further comprises:
    counting the number of hosts accessing the target domain name;
    when the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than a second preset threshold, issuing warning information for the target domain name.
  7. A domain name credit worthiness assessment system, characterized in that it comprises:
    an information acquisition unit, configured to collect, from the internet, website content information corresponding to a target domain name to be detected;
    a domain name classification unit, configured to input the website content into a preset classifier model for domain name classification, and to determine a first credit value corresponding to the target domain name according to the classification result;
    a domain name association analysis unit, configured to perform multi-dimensional matching between the target domain name and network security threat information stored in a database, and to determine a second credit value corresponding to the target domain name according to the matching result.
    a first computing unit, configured to calculate the credit worthiness corresponding to the target domain name according to the first credit value and the second credit value.
  8. The system according to claim 7, characterized in that the information acquisition unit comprises:
    a search module, configured to search for the target domain name to be detected using a search engine to obtain retrieval records corresponding to the target domain name;
    a first acquisition module, configured to collect, using web crawler technology, the website content information corresponding to the target domain name from the retrieval records.
  9. The system according to claim 8, characterized in that
    the information acquisition unit further comprises a second acquisition module, configured to collect the uniform resource locator (URL) fields of a preset number of top-ranked websites in the retrieval records corresponding to the target domain name;
    the domain name credit worthiness assessment system further comprises:
    a judging unit, configured to determine whether the host part in the URL field of each of the preset number of top-ranked websites matches the target domain name, to count the number of successfully matched websites, and to determine a third credit value corresponding to the target domain name according to the number of successfully matched websites;
    a second computing unit, configured to further calculate the credit worthiness corresponding to the target domain name according to the third credit value.
  10. The system according to claim 7, characterized in that the domain name association analysis unit comprises:
    a parsing module, configured to parse domain name attaching information corresponding to the target domain name, the domain name attaching information including one or more of the IP address, whois information and URL information corresponding to the target domain name;
    a first matching module, configured to match the domain name attaching information corresponding to the target domain name against a preset malicious domain name information library;
    a second matching module, configured to match the IP address corresponding to the target domain name against a preset virus network behaviour feature library.
  11. The system according to any one of claims 7 to 10, characterized in that it further comprises:
    a feedback unit, configured to feed back to a user reputation information corresponding to the target domain name;
    the reputation information including the credit worthiness, a domain name type label and the domain name attaching information, wherein, when the credit worthiness corresponding to the target domain name is less than a first preset threshold, the domain name type label of the target domain name is marked as malicious domain name.
  12. The system according to claim 11, characterized in that it further comprises:
    a statistic unit, configured to count the number of hosts accessing the target domain name;
    an early warning unit, configured to issue warning information for the target domain name when the target domain name is a malicious domain name and the number of hosts accessing the target domain name is not less than a second preset threshold.
CN201711206344.8A 2017-11-27 2017-11-27 Domain name credit assessment method and system Active CN107888606B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711206344.8A CN107888606B (en) 2017-11-27 2017-11-27 Domain name credit assessment method and system

Publications (2)

Publication Number Publication Date
CN107888606A true CN107888606A (en) 2018-04-06
CN107888606B CN107888606B (en) 2020-11-13

Family

ID=61775345

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711206344.8A Active CN107888606B (en) 2017-11-27 2017-11-27 Domain name credit assessment method and system

Country Status (1)

Country Link
CN (1) CN107888606B (en)

Also Published As

Publication number Publication date
CN107888606B (en) 2020-11-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant