CN114513355A - Malicious domain name detection method, device, equipment and storage medium - Google Patents

Malicious domain name detection method, device, equipment and storage medium Download PDF

Info

Publication number
CN114513355A
Authority
CN
China
Prior art keywords
domain name
malicious
information
neural network
layer
Legal status
Pending
Application number
CN202210134403.XA
Other languages
Chinese (zh)
Inventor
尹嘉峻
Current Assignee
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00: Computing arrangements based on biological models
    • G06N 3/02: Neural networks
    • G06N 3/04: Architecture, e.g. interconnection topology
    • G06N 3/045: Combinations of networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Molecular Biology (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Software Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to artificial intelligence technology and discloses a malicious domain name detection method comprising the following steps: performing domain name decomposition on the URL information in a designated page to obtain domain name information; performing preliminary feature extraction on the domain name information by using a convolutional neural network in a malicious domain name detection model to obtain preliminary domain name features; inputting the preliminary domain name features into a multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain a malicious probability corresponding to the domain name information; and comparing the malicious probability with a malicious threshold, and judging the domain name information to be a malicious domain name when the malicious probability is greater than or equal to the malicious threshold. In addition, the invention also relates to blockchain technology, and the domain name information can be stored in nodes of a blockchain. The invention also provides a malicious domain name detection device, an electronic device and a storage medium. The invention can improve the efficiency of malicious domain name detection.

Description

Malicious domain name detection method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a malicious domain name detection method and device, electronic equipment and a computer readable storage medium.
Background
With the vigorous development of computers, the internet has reached countless households, but this development brings problems, chiefly that malicious behaviour is increasing day by day, and botnets are one of the malicious behaviours with high destructive power. Botnets make heavy use of DGAs (domain generation algorithms): once a host accesses a DGA-generated domain name and that domain name has been registered by a malicious server, the malicious server can easily communicate with the controlled bot host, which readily compromises the security of the internet. There is therefore a need for fast detection and localization of malicious domain names.
Existing malicious domain name detection methods are mainly based on character features, and detection based on traffic features needs to collect a large number of domain names in a local area network or monitor the traffic of those domain names, which consumes a large amount of manpower and material resources, gives low detection efficiency and offers no guarantee of performance. A more efficient method for detecting malicious domain names is therefore urgently needed.
Disclosure of Invention
The invention provides a malicious domain name detection method, a malicious domain name detection device and a computer readable storage medium, and mainly aims to improve the efficiency of malicious domain name detection.
In order to achieve the above object, the present invention provides a malicious domain name detection method, which includes:
capturing URL information in a preset specified page, and performing domain name decomposition on the URL information to obtain domain name information;
constructing a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer;
performing primary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain primary domain name features;
inputting the preliminary domain name features into a multi-head attention mechanism in the malicious detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain malicious probability corresponding to the domain name information;
and comparing the malicious probability with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, judging the domain name information to be a malicious domain name.
Optionally, the performing linear processing on the deep domain name feature to obtain a malicious probability corresponding to the domain name information includes:
performing context extraction on the deep domain name feature by using a preset bidirectional cyclic neural network to obtain a standard domain name feature;
and inputting the standard domain name characteristics into a preset activation function to obtain the malicious probability corresponding to the domain name information.
Optionally, the performing preliminary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain a preliminary domain name feature includes:
vectorizing the domain name information by using an embedded layer in the convolutional neural network to obtain a domain name vector;
and respectively extracting the characteristics of the domain name vector according to a convolution layer, a pooling layer and a full-connection layer in the convolution neural network to obtain the initial domain name characteristics.
Optionally, the constructing a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer, and an activation layer includes:
connecting the convolutional neural network and the multi-head attention mechanism in sequence, with the convolutional neural network in front and the multi-head attention mechanism behind, to obtain a feature extraction module;
and adding an embedding layer before the feature extraction module, and connecting the bidirectional RNN layer and the activation layer after the feature extraction module to obtain a malicious domain name detection model.
Optionally, after the domain name information is determined to be a malicious domain name, the method further includes:
storing the malicious domain name in a preset malicious domain name library; or
displaying the malicious domain name.
Optionally, before the inputting the preliminary domain name feature into the multi-head attention mechanism in the malicious detection model, the method further comprises:
and utilizing a preset regularization layer to carry out regularization processing on the preliminary domain name features.
Optionally, the performing domain name resolution on the URL information to obtain domain name information includes:
segmenting the URL information to obtain a plurality of segmented URL information;
and identifying host names in the plurality of pieces of partitioned URL information, and taking the host names as domain name information.
In order to solve the above problem, the present invention further provides a malicious domain name detection apparatus, including:
the domain name information acquisition module is used for capturing URL information in a preset specified page and carrying out domain name decomposition on the URL information to obtain domain name information;
the model building module is used for building a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer;
the model application module is used for performing primary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain primary domain name features, inputting the primary domain name features into a multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain malicious probability corresponding to the domain name information;
and the domain name judging module is used for comparing the malicious probability with a preset malicious threshold, and judging the domain name information to be a malicious domain name when the malicious probability is greater than or equal to the malicious threshold.
In order to solve the above problem, the present invention also provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the malicious domain name detection method described above.
In order to solve the above problem, the present invention further provides a computer-readable storage medium, in which at least one computer program is stored, and the at least one computer program is executed by a processor in an electronic device to implement the malicious domain name detection method described above.
According to the method and device for detecting the domain name, domain name decomposition is carried out on the URL information captured from the designated page to obtain domain name information; a malicious domain name detection model is built based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer; and the domain name information is input into the malicious domain name detection model to obtain the malicious probability corresponding to it. The convolutional neural network improves the efficiency of extracting features from the domain name information, and the multi-head attention mechanism performs attention calculation on information at different positions at once, so that the dependency relationships within the whole domain name information are obtained. The malicious probability is then compared with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, the domain name information is judged to be a malicious domain name. Therefore, the malicious domain name detection method, the malicious domain name detection device, the electronic device and the computer-readable storage medium can solve the problem that the efficiency of malicious domain name detection is not high enough.
Drawings
Fig. 1 is a schematic flowchart of a malicious domain name detection method according to an embodiment of the present invention;
fig. 2 is a functional block diagram of a malicious domain name detection apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device for implementing the malicious domain name detection method according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
The embodiment of the application provides a malicious domain name detection method. The execution subject of the malicious domain name detection method includes, but is not limited to, at least one of electronic devices that can be configured to execute the method provided by the embodiments of the present application, such as a server, a terminal, and the like. In other words, the malicious domain name detection method may be performed by software or hardware installed in a terminal device or a server device, and the software may be a block chain platform. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. The server may be an independent server, or may be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), a big data and artificial intelligence platform, and the like.
Fig. 1 is a schematic flow chart of a malicious domain name detection method according to an embodiment of the present invention. In this embodiment, the malicious domain name detection method includes:
s1, capturing URL information in a preset appointed page, and carrying out domain name decomposition on the URL information to obtain domain name information.
In this embodiment of the present invention, the designated page may be an arbitrarily selected target page, and the URL (Uniform Resource Locator) information is the address of a standard resource on the internet. Each file on the internet has a unique URL that contains information indicating the location of the file and how the browser should handle it.
Specifically, capturing the URL information in the preset specified page includes real-time URL capturing and URL batch capturing. The real-time URL grabbing function ensures that the system has a direct and real-time source, and can ensure that the system can acquire and analyze the URL at the moment of access of a user, so that quasi-real-time detection is realized. The batch URL capture meets the requirement of uniform analysis on a large number of URLs, and the system crawls the URLs in a specified page through a crawler written in advance and then performs subsequent analysis.
Further, the performing domain name resolution on the URL information to obtain domain name information includes:
segmenting the URL information to obtain a plurality of segmented URL information;
and identifying host names in the plurality of pieces of partitioned URL information, and taking the host names as domain name information.
In detail, the general format of the URL information is protocol name://host name[:port number][/target path/file name]; for example, in http://www.***.com/web/20211117/idex.html, www is the host name and ***.com is the host name or domain name. In a URL, the host name is typically a domain name or an IP address. Identifying the host name is mainly handled with regular expressions in Java or Python.
Preferably, the main role of domain name resolution is to parse the collected domain name and extract the host name part as domain name information. Domain names can be structurally divided into two parts: the host name and the domain name (including the top-level domain and possibly second-level, third-level domains, etc.).
S2, constructing a malicious domain name detection model based on the convolutional neural network, the multi-head attention mechanism, the bidirectional RNN layer and the activation layer.
In the embodiment of the invention, because features that represent the characteristics of the whole model cannot be extracted manually and traditional character features are unsuitable, the malicious domain name detection model in this scheme adopts a neural network, whose advantage is that feature extraction is performed automatically rather than by hand. Beyond the neural network, in order to better extract the features of the domain name, the malicious domain name detection model also adopts a multi-head attention mechanism, whose core is the self-attention mechanism. Its advantage is that attention can be computed between the information at the current position and the information at all other positions at once, so that the dependency relationships within the whole input sequence are obtained.
Specifically, the constructing of the malicious domain name detection model based on the convolutional neural network, the multi-head attention mechanism, the bidirectional RNN layer and the activation layer includes:
connecting the convolutional neural network and the multi-head attention mechanism in a connection sequence in which the convolutional neural network is in front of the multi-head attention mechanism to obtain a feature extraction module;
and adding an embedding layer before the feature extraction module, and connecting the bidirectional RNN layer and the activation layer after the feature extraction module to obtain a malicious domain name detection model.
In detail, the malicious domain name detection model comprises five layers. The embedding layer produces a distributed representation of the domain name information, i.e. the domain name is vectorized for subsequent processing. The convolutional neural network immediately after the embedding layer operates on the input word vectors and performs preliminary feature extraction. The convolutional neural network is followed by a multi-head attention layer, which performs deep feature extraction on the output of the previous layer; after extraction by these two layers, the model output is passed to the immediately following bidirectional RNN layer. Finally, the result is input to the activation layer, and the probability distribution is obtained through linear processing.
And S3, performing primary feature extraction on the domain name information by using the convolutional neural network in the malicious domain name detection model to obtain primary domain name features.
In the embodiment of the present invention, the convolutional neural network (CNN) is a type of feed-forward neural network that includes convolution calculations and has a deep structure.
Specifically, the performing preliminary feature extraction on the domain name information by using the convolutional neural network in the malicious domain name detection model to obtain a preliminary domain name feature includes:
vectorizing the domain name information by using an embedded layer in the convolutional neural network to obtain a domain name vector;
and respectively extracting the characteristics of the domain name vector according to a convolution layer, a pooling layer and a full-connection layer in the convolution neural network to obtain the initial domain name characteristics.
In detail, the embedding layer is used for performing distributed representation on the domain name, and performing subsequent processing after word vectorization is performed on the domain name. The function of the convolutional layer is to perform feature extraction on input data, and the convolutional layer internally comprises a plurality of convolutional kernels. After feature extraction is performed on the convolutional layer, the output data is transmitted to a pooling layer for feature selection and information filtering, wherein the pooling layer comprises a preset pooling function. The fully-connected layer in the convolutional neural network is equivalent to the hidden layer in the traditional feedforward neural network. The fully-connected layer is located at the last part of the hidden layer of the convolutional neural network and only signals are transmitted to other fully-connected layers.
S4, inputting the preliminary domain name features into a multi-head attention mechanism in the malicious detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain the malicious probability corresponding to the domain name information.
In the embodiment of the invention, the multi-head attention mechanism carries out deep feature extraction on the output of the convolutional neural network.
Specifically, before the inputting the preliminary domain name feature into the multi-head attention mechanism in the malicious detection model, the method further includes:
and utilizing a preset regularization layer to carry out regularization processing on the preliminary domain name features.
In detail, each position in the multi-head attention sub-layer can obtain all of the position information of the previous layer, namely the convolutional neural network layer, and a regularization layer is added after each sub-layer. To facilitate the connections between the various sub-layers, the model fixes the output dimension.
Further, the performing linear processing on the deep domain name features to obtain the malicious probability corresponding to the domain name information includes:
performing context extraction on the deep domain name feature by using a preset bidirectional cyclic neural network to obtain a standard domain name feature;
and inputting the standard domain name characteristics into a preset activation function to obtain the malicious probability corresponding to the domain name information.
In detail, the bidirectional recurrent neural network (RNN) is a type of recurrent neural network that takes sequence data as input, recurses along the direction in which the sequence evolves, and in which all nodes are connected in a chain. The basic idea of a bidirectional recurrent neural network is that each training sequence is processed by two recurrent neural networks, one forward and one backward, both connected to the same output layer. This structure provides complete past and future context for each point of the input sequence at the output layer, and the forward and backward passes contribute jointly to the result. After receiving the output of the multi-head attention sub-layer, the method concatenates the state information of the last unit of the network in each direction, which contains the complete feature information of the whole domain name sequence from front to back.
Preferably, the preset activation function is a SoftMax function.
Specifically, the inputting the standard domain name feature into a preset activation function to obtain the malicious probability corresponding to the domain name information includes:
the preset activation function is as follows:
[Figure BDA0003504133640000071: the SoftMax function, given as an image in the original]
wherein S_i is the malicious probability corresponding to the domain name information, e is the standard domain name feature, and i and j are preset fixed parameters.
In detail, the role of the SoftMax function is to perform classification. For the multi-class problem, the SoftMax function may represent the probability distribution over n different classes. It maps the outputs of multiple neurons into the (0,1) interval.
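The five-layer model described in S2 to S4 (embedding; CNN with convolution, pooling and fully-connected layers; a regularization layer; multi-head attention; a bidirectional RNN; linear processing and SoftMax), as an added PyTorch example that is not the patent's own code. The character set, layer sizes, kernel and pool sizes, LayerNorm as the regularization layer, an LSTM as the bidirectional RNN and index 1 as the malicious class are all assumptions; the network is untrained, so its outputs only exercise the architecture.

```python
import torch
import torch.nn as nn

# Assumed character vocabulary for domain names; index 0 is reserved for padding.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789-."
PAD = 0
MAX_LEN = 64  # must be even because of the kernel_size=2 pooling below


def encode_domain(domain: str, max_len: int = MAX_LEN) -> torch.Tensor:
    """Map a domain name to a fixed-length tensor of character ids (the embedding-layer input)."""
    ids = [CHARSET.index(ch) + 1 for ch in domain.lower() if ch in CHARSET][:max_len]
    if not ids:
        raise ValueError("domain name contains no characters from the vocabulary")
    ids += [PAD] * (max_len - len(ids))
    return torch.tensor(ids, dtype=torch.long)


class MaliciousDomainDetector(nn.Module):
    """Embedding -> CNN (conv, pool, fully connected) -> regularization -> multi-head attention
    -> bidirectional RNN -> linear + SoftMax, in the layer order given by the description."""

    def __init__(self, vocab_size=len(CHARSET) + 1, emb_dim=32, channels=64, heads=4, hidden=64):
        super().__init__()
        self.embedding = nn.Embedding(vocab_size, emb_dim, padding_idx=PAD)
        self.conv = nn.Conv1d(emb_dim, channels, kernel_size=3, padding=1)  # convolution layer
        self.pool = nn.MaxPool1d(kernel_size=2)                              # pooling layer
        self.fc = nn.Linear(channels, channels)                              # fully-connected layer
        self.norm = nn.LayerNorm(channels)            # regularization layer before the attention sub-layer
        self.attn = nn.MultiheadAttention(channels, heads, batch_first=True)  # multi-head self-attention
        self.rnn = nn.LSTM(channels, hidden, bidirectional=True, batch_first=True)  # bidirectional RNN
        self.out = nn.Linear(2 * hidden, 2)           # linear processing to [legitimate, malicious] scores

    def forward(self, ids: torch.Tensor) -> torch.Tensor:
        emb = self.embedding(ids)                             # (batch, len, emb_dim)
        conv = torch.relu(self.conv(emb.transpose(1, 2)))     # (batch, channels, len)
        pooled = self.pool(conv).transpose(1, 2)              # (batch, len // 2, channels)
        prelim = self.norm(torch.relu(self.fc(pooled)))       # preliminary domain name features
        # A pooled position is padding only if both characters it covers were padding;
        # the mask keeps attention from attending to the padded tail of short domain names.
        pad_mask = (ids == PAD).view(ids.size(0), -1, 2).all(dim=-1)
        deep, _ = self.attn(prelim, prelim, prelim, key_padding_mask=pad_mask)  # deep features
        _, (h_n, _) = self.rnn(deep)                          # h_n: (2, batch, hidden)
        context = torch.cat([h_n[0], h_n[1]], dim=-1)         # forward and backward last states, concatenated
        return torch.softmax(self.out(context), dim=-1)       # SoftMax activation -> probabilities


def batch_probabilities(model: MaliciousDomainDetector, domains):
    """[legitimate, malicious] probabilities for several domain names, as plain Python lists."""
    model.eval()
    with torch.no_grad():
        probs = model(torch.stack([encode_domain(d) for d in domains]))
    return probs.tolist()


def malicious_probability(model: MaliciousDomainDetector, domain: str) -> float:
    """Probability that `domain` is malicious (class index 1 is an assumption)."""
    return batch_probabilities(model, [domain])[0][1]


if __name__ == "__main__":
    detector = MaliciousDomainDetector()  # untrained: weights are random
    print(round(malicious_probability(detector, "example.com"), 4))
```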
S5, comparing the malicious probability with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, judging the domain name information to be a malicious domain name.
In the embodiment of the present invention, the domain name information is judged according to the comparison between the malicious probability and the malicious threshold: when the malicious probability is greater than or equal to the malicious threshold, the domain name information is judged to be a malicious domain name, and when the malicious probability is smaller than the malicious threshold, the domain name information is judged to be a non-malicious domain name. Meanwhile, domain name information judged to be a malicious domain name can be further divided into malicious domain names of different grades or types by comparison with preset intervals.
In another embodiment of the present invention, the determination of the malicious domain name may also be implemented by static detection. The static detection refers to detection based on a pre-constructed malicious domain name library. This approach may reduce the time spent in dynamic detection of domain names as much as possible. Meanwhile, the malicious domain name library can be synchronously updated, so that the problem of hysteresis is solved.
Specifically, after the domain name information is determined as a malicious domain name, the method further includes:
storing the malicious domain name in a preset malicious domain name library; or
displaying the malicious domain name.
In detail, the malicious domain name library stores malicious domain name information, mainly recorded during the operation of the system, in the form of a data table in the database. The display processing comprises a real-time DGA domain name display function, a DGA family viewing function, a recent DGA domain name viewing function and a legitimate domain name display function. The real-time DGA domain name display function and the legitimate domain name display function are intended for the case where the system detects a domain name that is being accessed: if that domain name is malicious, the real-time DGA display function immediately marks and displays it, the marked content comprising the domain name, its DGA category and the time. The legitimate domain name display shows the legitimate domain names accessed on the same day, and the user can choose whether to place a domain name on a local whitelist or blacklist. The DGA family viewing function is intended to include examples of the currently known types of DGA and their corresponding domain names; as part of the educational function, it makes it convenient for users to learn about the types of DGA and related knowledge. With the recent DGA domain name viewing function, the user can select a time and a DGA type and view the DGA domain names of that type recorded in the malicious domain name library within that time.
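The SoftMax activation of S4 together with the threshold comparison, interval grading and library-first static detection of S5, as an added Python example that is not the patent's own code. The class index, the grading intervals, the in-memory library and the domain names used in the usage are all assumptions; the SoftMax is computed with the maximum subtracted so large activations cannot overflow.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence, Tuple

MALICIOUS_INDEX = 1  # assumed position of the "malicious" class in the activation-layer output

# Assumed grading intervals for S5: (lower bound of the malicious probability, grade), highest first.
GRADE_INTERVALS: Tuple[Tuple[float, str], ...] = ((0.9, "high"), (0.7, "medium"), (0.0, "low"))


def softmax(values: Sequence[float]) -> List[float]:
    """S_i = exp(v_i) / sum_j exp(v_j). Subtracting the maximum first keeps exp() from
    overflowing on large activations and does not change the result."""
    shift = max(values)
    exps = [math.exp(v - shift) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def grade_of(probability: float, intervals=GRADE_INTERVALS) -> str:
    """Map a malicious probability to a grade by comparing it with the preset intervals."""
    for lower_bound, grade in intervals:
        if probability >= lower_bound:
            return grade
    return intervals[-1][1]


@dataclass
class Verdict:
    domain: str
    probability: float
    malicious: bool
    grade: Optional[str]   # None for domain names judged non-malicious
    source: str            # "library" (static detection) or "model" (dynamic detection)
    detected_at: str


class MaliciousDomainLibrary:
    """In-memory stand-in for the malicious domain name library (a database table in the description).
    Each row keeps the domain name, its grade/category and the detection time, the fields the display shows."""

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, str]] = {}

    def __contains__(self, domain: str) -> bool:
        return domain in self._rows

    def __len__(self) -> int:
        return len(self._rows)

    def add(self, domain: str, grade: str, detected_at: str) -> None:
        self._rows[domain] = {"grade": grade, "time": detected_at}

    def get(self, domain: str) -> Optional[Dict[str, str]]:
        return self._rows.get(domain)


def judge_domain(domain: str, activation_input: Sequence[float], threshold: float = 0.5,
                 library: Optional[MaliciousDomainLibrary] = None, now: Optional[str] = None) -> Verdict:
    """Static detection first (library lookup), then dynamic detection: SoftMax over the standard
    domain name features, comparison with the threshold, grading, and recording of malicious hits."""
    domain = domain.lower().rstrip(".")
    now = now or datetime.now(timezone.utc).isoformat()
    if library is not None and domain in library:
        row = library.get(domain)
        return Verdict(domain, 1.0, True, row["grade"], "library", now)  # 1.0 by convention: known bad
    probability = softmax(activation_input)[MALICIOUS_INDEX]
    malicious = probability >= threshold
    grade = grade_of(probability) if malicious else None
    if malicious and library is not None:
        library.add(domain, grade, now)
    return Verdict(domain, probability, malicious, grade, "model", now)


if __name__ == "__main__":
    lib = MaliciousDomainLibrary()
    # Constructed activation values standing in for the bidirectional RNN output, not real model scores.
    print(judge_domain("xqzv7kpl.com", [0.0, 2.0], library=lib))   # scored by the model, then recorded
    print(judge_domain("xqzv7kpl.com", [0.0, 0.0], library=lib))   # answered from the library
```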
According to the method and device for detecting the domain name, domain name decomposition is carried out on the URL information captured from the designated page to obtain domain name information; a malicious domain name detection model is built based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer; and the domain name information is input into the malicious domain name detection model to obtain the malicious probability corresponding to it. The convolutional neural network improves the efficiency of extracting features from the domain name information, and the multi-head attention mechanism performs attention calculation on information at different positions at once, so that the dependency relationships within the whole domain name information are obtained. The malicious probability is then compared with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, the domain name information is judged to be a malicious domain name. Therefore, the malicious domain name detection method provided by the invention can solve the problem that the efficiency of malicious domain name detection is not high enough.
Fig. 2 is a functional block diagram of a malicious domain name detection apparatus according to an embodiment of the present invention.
The malicious domain name detection apparatus 100 according to the present invention may be installed in an electronic device. According to the implemented functions, the malicious domain name detection apparatus 100 may include a domain name information obtaining module 101, a model building module 102, a model application module 103, and a domain name determining module 104. The module of the present invention, which may also be referred to as a unit, refers to a series of computer program segments that can be executed by a processor of an electronic device and that can perform a fixed function, and that are stored in a memory of the electronic device.
In the present embodiment, the functions regarding the respective modules/units are as follows:
the domain name information acquisition module 101 is configured to capture URL information in a preset specified page, and perform domain name resolution on the URL information to obtain domain name information;
the model building module 102 is configured to build a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer, and an activation layer;
the model application module 103 is configured to perform preliminary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain a preliminary domain name feature, input the preliminary domain name feature into a multi-head attention mechanism in the malicious domain name detection model to obtain a deep domain name feature, and perform linear processing on the deep domain name feature to obtain a malicious probability corresponding to the domain name information;
the domain name judging module 104 is configured to compare the malicious probability with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, judge the domain name information to be a malicious domain name.
In detail, the specific implementation of each module of the malicious domain name detection apparatus 100 is as follows:
step one, capturing URL information in a preset appointed page, and carrying out domain name decomposition on the URL information to obtain domain name information.
In this embodiment of the present invention, the designated page may be an arbitrarily selected target page, and the URL (Uniform Resource Locator) information is the address of a standard resource on the internet. Each file on the internet has a unique URL that contains information indicating the location of the file and how the browser should handle it.
Specifically, capturing the URL information in the preset specified page includes real-time URL capturing and batch URL capturing. Real-time URL capturing gives the system a direct, real-time source and ensures that the system can acquire and analyze a URL at the moment a user accesses it, so that quasi-real-time detection is realized. Batch URL capturing meets the requirement of uniformly analyzing a large number of URLs: the system crawls the URLs in a specified page through a crawler written in advance and then performs the subsequent analysis.
Further, the performing domain name resolution on the URL information to obtain domain name information includes:
segmenting the URL information to obtain a plurality of segmented URL information;
and identifying the host name in the plurality of pieces of segmented URL information, and taking the host name as the domain name information.
In detail, the general format of the URL information is protocol name://host name[:port number][/target path/file name], for example HTTP://www.***.com/web/20211117/idex.html, where www is the host portion and ***.com is the domain name portion of the host name. In a URL, the host name is typically a domain name or an IP address. Identifying the host name is mainly handled using regular expressions in Java or Python.
Preferably, the main role of domain name resolution is to parse the collected domain name and extract the host name part as the domain name information. Domain names can be structurally divided into two parts: the host and the domain name (including the top-level domain and possibly a second-level domain, third-level domain, etc.).
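An added example, not code from the patent, of the URL segmentation and host name identification described above, written in Python with a constructed regular expression for the format protocol://host[:port][/path]. The host name validity checks, the IP-literal handling and the batch de-duplication are assumptions beyond what the text states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regular expression (constructed here) for the general URL format given above:
#   protocol name://host name[:port number][/target path/file name]
# The host may be a domain name, an IPv4 address or a bracketed IPv6 literal.
URL_RE = re.compile(
    r"^(?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^/:?#\s]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^?#\s]*)?"
    r"(?:\?(?P<query>[^#\s]*))?"
    r"(?:#(?P<fragment>\S*))?$"
)

# Host name labels: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters per label and 253 for the whole name.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def segment_url(url: str) -> Optional[Dict[str, Optional[str]]]:
    """Step 'segmenting the URL information': split a URL into its named parts.

    Returns None when the string does not follow protocol://host[...] at all,
    so malformed input is rejected instead of yielding a bogus host name.
    """
    match = URL_RE.match(url.strip())
    if not match:
        return None
    parts = match.groupdict()
    # Host names are case-insensitive; normalise so "Example.COM" and
    # "example.com" map to the same library entry. A trailing dot is the
    # fully-qualified spelling of the same name.
    parts["host"] = parts["host"].lower().rstrip(".")
    return parts


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IP address rather than a domain name."""
    if host.startswith("[") and host.endswith("]"):
        return True  # IPv6 literal
    if IPV4_RE.match(host):
        return all(0 <= int(octet) <= 255 for octet in host.split("."))
    return False


def is_valid_hostname(host: str) -> bool:
    return 0 < len(host) <= 253 and all(
        LABEL_RE.match(label) for label in host.split(".")
    )


def extract_domain_name(url: str) -> Optional[str]:
    """Step 'identifying the host name': return the host name as domain name information."""
    parts = segment_url(url)
    if parts is None:
        return None
    host = parts["host"]
    if is_ip_literal(host) or is_valid_hostname(host):
        return host
    return None  # syntactically invalid host: do not feed it to the model


def split_host_and_domain(host: str) -> Tuple[str, str]:
    """Split 'www.example.com' into the host label 'www' and the domain 'example.com'."""
    label, _, domain = host.partition(".")
    return label, domain


def batch_extract(urls: List[str]) -> List[str]:
    """Batch capture: unique domain names in first-seen order, malformed URLs skipped."""
    seen: Dict[str, None] = {}
    for url in urls:
        host = extract_domain_name(url)
        if host is not None:
            seen.setdefault(host, None)
    return list(seen)


if __name__ == "__main__":
    # Constructed sample input (RFC 2606 reserved names, not real sites).
    sample = [
        "http://www.example.com/web/20211117/index.html",
        "HTTPS://Login.Example.COM.:8443/a?b=1#frag",
        "http://192.0.2.10/x",
        "not a url",
    ]
    print(batch_extract(sample))
```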
Step two, constructing a malicious domain name detection model based on the convolutional neural network, the multi-head attention mechanism, the bidirectional RNN layer and the activation layer.
In the embodiment of the invention, because features capable of representing the whole model cannot be extracted manually and traditional character features are not suitable, the malicious domain name detection model of this scheme adopts a neural network. The advantage of the neural network is that feature extraction can be performed automatically instead of manually. In addition to the neural network, in order to better extract the features of the domain name, the malicious domain name detection model also adopts a multi-head attention mechanism, the core of which is the self-attention mechanism. Its advantage is that attention between the information at the current position and the information at all other positions can be calculated at one time, so that the dependency relationships within the whole input sequence are obtained.
Specifically, the constructing of the malicious domain name detection model based on the convolutional neural network, the multi-head attention mechanism, the bidirectional RNN layer and the activation layer includes:
connecting the convolutional neural network and the multi-head attention mechanism in a connection sequence in which the convolutional neural network is in front of the multi-head attention mechanism to obtain a feature extraction module;
and adding an embedding layer before the feature extraction module, and connecting the bidirectional RNN layer and the activation layer after the feature extraction module to obtain a malicious domain name detection model.
In detail, the malicious domain name detection model comprises five layers. The embedding layer performs a distributed representation of the domain name information, so that subsequent processing is carried out after the domain name has been word-vectorized. The function of the convolutional neural network immediately after the embedding layer is to compute on the input word vectors and perform preliminary feature extraction. The convolutional neural network is followed by a multi-head attention layer, which performs deep feature extraction on the output of the previous layer; after the extraction by these two layers, the model passes its output to the immediately following bidirectional RNN layer. Finally, the result is input into the activation layer, which obtains a probability distribution through linear processing.
Step three, performing preliminary feature extraction on the domain name information by using the convolutional neural network in the malicious domain name detection model to obtain preliminary domain name features.
In the embodiment of the present invention, the convolutional neural network (CNN) is a type of feed-forward neural network that includes convolution calculations and has a deep structure.
Specifically, the performing preliminary feature extraction on the domain name information by using the convolutional neural network in the malicious domain name detection model to obtain a preliminary domain name feature includes:
vectorizing the domain name information by using an embedded layer in the convolutional neural network to obtain a domain name vector;
and respectively extracting the features of the domain name vector through a convolution layer, a pooling layer and a fully-connected layer in the convolutional neural network to obtain the preliminary domain name features.
In detail, the embedding layer is used for performing a distributed representation of the domain name, and subsequent processing is performed after the domain name has been word-vectorized. The function of the convolutional layer is to perform feature extraction on the input data; the convolutional layer internally comprises a plurality of convolutional kernels. After feature extraction in the convolutional layer, the output data is passed to a pooling layer for feature selection and information filtering, the pooling layer comprising a preset pooling function. The fully-connected layer in the convolutional neural network is equivalent to the hidden layer in a traditional feedforward neural network. It is located at the last part of the hidden layers of the convolutional neural network and passes signals only to other fully-connected layers.
Step four, inputting the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain the malicious probability corresponding to the domain name information.
In the embodiment of the invention, the multi-head attention mechanism carries out deep feature extraction on the output of the convolutional neural network.
Specifically, before inputting the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model, the following is further performed:
and utilizing a preset regularization layer to carry out regularization processing on the preliminary domain name features.
In detail, each position of the multi-head attention sub-mechanism can obtain all the position information of the previous layer, namely the convolutional neural network layer, and a regularization layer is added after each sub-layer. To facilitate the connections between the various sub-layers, the model fixes the output dimension.
Further, the performing linear processing on the deep domain name feature to obtain a malicious probability corresponding to the domain name information includes:
performing context extraction on the deep domain name feature by using a preset bidirectional cyclic neural network to obtain a standard domain name feature;
and inputting the standard domain name characteristics into a preset activation function to obtain the malicious probability corresponding to the domain name information.
In detail, the bidirectional recurrent neural network (RNN) is a type of recurrent neural network that takes sequence data as input, recurses along the direction in which the sequence evolves, and connects all nodes in a chain. The basic idea of a bidirectional recurrent neural network is that each training sequence is processed by two recurrent neural networks, one forward and one backward, both connected to the same output layer. This structure provides complete past and future context for each point of the input sequence at the output layer, so the forward and backward passes jointly determine the result. After receiving the output of the multi-head attention sublayer, the method concatenates the state information of the last unit of the forward and backward networks, which contains the feature information of the whole domain name sequence in both directions.
Preferably, the preset activation function is a SoftMax function.
Specifically, the inputting the standard domain name feature into a preset activation function to obtain the malicious probability corresponding to the domain name information includes:
the preset activation function is as follows:
Figure BDA0003504133640000121 (formula image: the SoftMax function)
wherein S_i is the malicious probability corresponding to the domain name information, e is the standard domain name feature, and i and j are preset fixed parameters.
In detail, the role of the SoftMax function is to perform classification. For a multi-class problem, the SoftMax function represents the probability distribution over n different classes: it maps the outputs of multiple neurons into the (0,1) interval.
Step five, comparing the malicious probability with a preset malicious threshold, and judging the domain name information to be a malicious domain name when the malicious probability is greater than or equal to the malicious threshold.
In the embodiment of the present invention, the domain name information is determined by comparing the malicious probability with the malicious threshold: when the malicious probability is greater than or equal to the malicious threshold, the domain name information is determined to be a malicious domain name, and when the malicious probability is smaller than the malicious threshold, the domain name information is determined to be a non-malicious domain name. Meanwhile, domain name information determined to be a malicious domain name can be further divided into malicious domain names of different grades or different types by comparing the malicious probability with preset intervals.
In another embodiment of the present invention, the determination of the malicious domain name may also be implemented by static detection. Static detection refers to detection based on a pre-constructed malicious domain name library. This approach reduces, as far as possible, the time spent on dynamic detection of domain names. Meanwhile, the malicious domain name library can be updated synchronously, so that the problem of lag is solved.
Specifically, after the domain name information is determined as a malicious domain name, the following steps are further performed:
storing the malicious domain name in a preset malicious domain name library; or
And displaying the malicious domain name.
In detail, the malicious domain name library stores malicious domain name information, mainly recorded during the operation of the system, in the form of a data table in the database. The display processing comprises a real-time DGA domain name display function, a DGA family viewing function, a recent DGA domain name viewing function and a legal domain name display function. The real-time DGA domain name display function and the legal domain name display function apply when the system detects a domain name that is being accessed: if the domain name being accessed is a malicious domain name, the real-time DGA display function marks and displays it immediately, and the marked content comprises the domain name, its DGA category and the time. The legal domain name display shows the legal domain names accessed on the same day, and the user can choose whether to put a domain name on a local whitelist or blacklist. The DGA family viewing function presents examples of the currently known types of DGA and their corresponding domain names; it is part of the educational function and helps users learn the types of DGA and related knowledge. The recent DGA domain name viewing function lets the user select a time range and a DGA type, and view the DGA domain names of that type recorded in the malicious domain name library within that time.
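An added example, not part of the patent, that ties together the SoftMax activation, the threshold comparison, the grading by preset intervals and the static library lookup described in step five and the preceding paragraphs. The trained model is replaced by a constructed scoring function; the class index, the interval boundaries, the library fields and the names below are assumptions.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Index of the "malicious" class in the two-class SoftMax output (assumption:
# class 0 = legal domain name, class 1 = malicious domain name).
MALICIOUS_CLASS = 1


def softmax(scores: Sequence[float]) -> List[float]:
    """SoftMax: maps the activation-layer inputs into (0,1) so they sum to 1."""
    shift = max(scores)  # subtracting the maximum avoids overflow in exp()
    exps = [math.exp(s - shift) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def malicious_probability(scores: Sequence[float]) -> float:
    return softmax(scores)[MALICIOUS_CLASS]


# Preset intervals (constructed) used to grade a domain already judged malicious:
# (lower bound inclusive, upper bound exclusive, grade).
DEFAULT_GRADES: List[Tuple[float, float, str]] = [
    (0.50, 0.80, "low"),
    (0.80, 0.95, "medium"),
    (0.95, 1.01, "high"),
]


def grade_probability(prob: float, grades=DEFAULT_GRADES) -> Optional[str]:
    for lower, upper, name in grades:
        if lower <= prob < upper:
            return name
    return None


@dataclass
class Verdict:
    domain: str
    malicious: bool
    probability: float
    grade: Optional[str]
    source: str  # "static" (library hit) or "dynamic" (model run)


@dataclass
class MaliciousDomainLibrary:
    """Stand-in for the database table of recorded malicious domain names."""
    records: Dict[str, dict] = field(default_factory=dict)

    def lookup(self, domain: str) -> Optional[dict]:
        return self.records.get(domain)

    def add(self, domain: str, probability: float, grade: Optional[str],
            family: str = "unknown") -> None:
        # Marked content per the text: domain name, DGA category and time.
        self.records[domain] = {
            "probability": probability,
            "grade": grade,
            "family": family,
            "time": datetime.now(timezone.utc).isoformat(),
        }


class Detector:
    def __init__(self, score_fn: Callable[[str], Sequence[float]],
                 threshold: float = 0.5,
                 library: Optional[MaliciousDomainLibrary] = None,
                 grades=DEFAULT_GRADES):
        self.score_fn = score_fn      # stands in for the trained model
        self.threshold = threshold
        self.library = library or MaliciousDomainLibrary()
        self.grades = grades

    def detect(self, domain: str) -> Verdict:
        # Static detection first: a library hit skips the model entirely.
        record = self.library.lookup(domain)
        if record is not None:
            return Verdict(domain, True, record["probability"], record["grade"], "static")
        # Dynamic detection: run the model and apply the threshold rule.
        prob = malicious_probability(self.score_fn(domain))
        is_malicious = prob >= self.threshold
        grade = grade_probability(prob, self.grades) if is_malicious else None
        if is_malicious:
            self.library.add(domain, prob, grade)  # "storing the malicious domain name"
        return Verdict(domain, is_malicious, prob, grade, "dynamic")


# Constructed activation-layer inputs standing in for real model output.
_CONSTRUCTED_SCORES: Dict[str, Tuple[float, float]] = {
    "www.example.com": (2.0, -1.0),   # clearly legal
    "qx7vk2zp.example": (-1.5, 2.5),  # clearly malicious
    "mail-srv9.example": (0.0, 0.5),  # borderline
}


def constructed_score_fn(domain: str) -> Tuple[float, float]:
    return _CONSTRUCTED_SCORES.get(domain, (0.0, 0.0))


if __name__ == "__main__":
    detector = Detector(constructed_score_fn, threshold=0.5)
    for name in _CONSTRUCTED_SCORES:
        print(detector.detect(name))
    print(detector.detect("qx7vk2zp.example"))  # second call is a static hit
```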
According to the method and the device for detecting the domain name, domain name decomposition is carried out on the URL information captured in the designated page to obtain domain name information, a malicious domain name detection model is built based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer, the domain name information is input into the malicious domain name detection model, and the malicious probability corresponding to the domain name information is obtained. The convolutional neural network improves the efficiency of extracting the features of the domain name information, and the multi-head attention mechanism performs attention calculation on information at different positions at one time, so that the dependency relationships within the whole domain name information are obtained. The malicious probability is then compared with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, the domain name information is judged to be a malicious domain name. Therefore, the malicious domain name detection device provided by the invention can solve the problem that the efficiency of malicious domain name detection is not high enough.
Fig. 3 is a schematic structural diagram of an electronic device implementing a malicious domain name detection method according to an embodiment of the present invention.
The electronic device 1 may include a processor 10, a memory 11, a communication bus 12, and a communication interface 13, and may further include a computer program, such as a malicious domain name detection program, stored in the memory 11 and executable on the processor 10.
In some embodiments, the processor 10 may be composed of an integrated circuit, for example a single packaged integrated circuit, or of a plurality of integrated circuits packaged with the same function or different functions, and includes one or more central processing units (CPUs), a microprocessor, a digital processing chip, a graphics processor, a combination of various control chips, and the like. The processor 10 is the control unit of the electronic device; it connects the various components of the electronic device through various interfaces and lines, and executes the various functions and processes the data of the electronic device by running or executing the programs or modules stored in the memory 11 (for example, the malicious domain name detection program) and calling the data stored in the memory 11.
The memory 11 includes at least one type of readable storage medium including flash memory, removable hard disks, multimedia cards, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disks, optical disks, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device, for example a removable hard disk of the electronic device. The memory 11 may also be an external storage device of the electronic device in other embodiments, such as a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the electronic device. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device. The memory 11 may be used to store not only application software installed in the electronic device and various types of data, such as codes of a malicious domain name detection program, but also temporarily store data that has been output or is to be output.
The communication bus 12 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The bus may be divided into an address bus, a data bus, a control bus, etc. The bus is arranged to enable connection communication between the memory 11 and at least one processor 10 or the like.
The communication interface 13 is used for communication between the electronic device and other devices, and includes a network interface and a user interface. Optionally, the network interface may include a wired interface and/or a wireless interface (e.g., a Wi-Fi interface, a Bluetooth interface, etc.), which are typically used to establish a communication connection between the electronic device and other electronic devices. The user interface may be a display, an input unit such as a keyboard, and optionally a standard wired interface or wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the electronic device and for displaying a visualized user interface.
Fig. 3 only shows an electronic device with components, and it will be understood by a person skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
For example, although not shown, the electronic device may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 10 through a power management device, so that functions of charge management, discharge management, power consumption management and the like are realized through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The electronic device may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
The malicious domain name detection program stored in the memory 11 of the electronic device 1 is a combination of a plurality of instructions, and when running in the processor 10, can implement:
capturing URL information in a preset specified page, and performing domain name decomposition on the URL information to obtain domain name information;
constructing a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer;
performing primary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain primary domain name features;
inputting the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain the malicious probability corresponding to the domain name information;
and comparing the malicious probability with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, judging the domain name information to be a malicious domain name.
Specifically, the specific implementation method of the instruction by the processor 10 may refer to the description of the relevant steps in the embodiment corresponding to the drawings, which is not described herein again.
Further, the integrated modules/units of the electronic device 1, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. The computer readable storage medium may be volatile or non-volatile. For example, the computer-readable medium may include: any entity or device capable of carrying said computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM).
The present invention also provides a computer-readable storage medium, storing a computer program which, when executed by a processor of an electronic device, may implement:
capturing URL information in a preset specified page, and performing domain name decomposition on the URL information to obtain domain name information;
constructing a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer;
performing primary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain primary domain name features;
inputting the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain the malicious probability corresponding to the domain name information;
and comparing the malicious probability with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, judging the domain name information to be a malicious domain name.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
The embodiment of the application can acquire and process related data based on an artificial intelligence technology. Among them, Artificial Intelligence (AI) is a theory, method, technique and application system that simulates, extends and expands human Intelligence using a digital computer or a machine controlled by a digital computer, senses the environment, acquires knowledge and uses the knowledge to obtain the best result.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A malicious domain name detection method, characterized in that the method comprises:
capturing URL information in a preset specified page, and performing domain name decomposition on the URL information to obtain domain name information;
constructing a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer;
performing primary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain primary domain name features;
inputting the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and performing linear processing on the deep domain name features to obtain the malicious probability corresponding to the domain name information;
and comparing the malicious probability with a preset malicious threshold, and when the malicious probability is greater than or equal to the malicious threshold, judging the domain name information to be a malicious domain name.
2. The method according to claim 1, wherein the performing linear processing on the deep domain name features to obtain a malicious probability corresponding to the domain name information comprises:
performing context extraction on the deep domain name feature by using a preset bidirectional cyclic neural network to obtain a standard domain name feature;
and inputting the standard domain name characteristics into a preset activation function to obtain the malicious probability corresponding to the domain name information.
3. The method according to claim 1, wherein the performing preliminary feature extraction on the domain name information by using a convolutional neural network in the malicious domain name detection model to obtain preliminary domain name features comprises:
vectorizing the domain name information by using an embedded layer in the convolutional neural network to obtain a domain name vector;
and respectively extracting the features of the domain name vector through a convolution layer, a pooling layer and a fully-connected layer in the convolutional neural network to obtain the preliminary domain name features.
4. The malicious domain name detection method according to claim 1, wherein constructing the malicious domain name detection model based on the convolutional neural network, the multi-head attention mechanism, the bidirectional RNN layer, and the activation layer comprises:
connecting the convolutional neural network and the multi-head attention mechanism in a connection sequence in which the convolutional neural network precedes the multi-head attention mechanism to obtain a feature extraction module;
and adding an embedding layer before the feature extraction module, and connecting the bidirectional RNN layer and the activation layer after the feature extraction module to obtain a malicious domain name detection model.
5. The malicious domain name detection method according to claim 1, wherein after the domain name information is determined to be a malicious domain name, the method further comprises:
storing the malicious domain name in a preset malicious domain name library; or
And displaying the malicious domain name.
6. The malicious domain name detection method according to claim 1, wherein prior to inputting the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model, the method further comprises:
and utilizing a preset regularization layer to carry out regularization processing on the preliminary domain name features.
7. The malicious domain name detection method according to any one of claims 1 to 6, wherein the performing domain name resolution on the URL information to obtain domain name information includes:
segmenting the URL information to obtain a plurality of segmented URL information;
and identifying the host name in the plurality of pieces of segmented URL information, and taking the host name as the domain name information.
8. A malicious domain name detection apparatus, the apparatus comprising:
a domain name information acquisition module, configured to capture URL information from a preset specified page and to decompose the URL information to obtain domain name information;
a model building module, configured to build a malicious domain name detection model based on a convolutional neural network, a multi-head attention mechanism, a bidirectional RNN layer and an activation layer;
a model application module, configured to perform preliminary feature extraction on the domain name information using the convolutional neural network in the malicious domain name detection model to obtain preliminary domain name features, to input the preliminary domain name features into the multi-head attention mechanism in the malicious domain name detection model to obtain deep domain name features, and to perform linear processing on the deep domain name features to obtain a malicious probability corresponding to the domain name information;
and a domain name judging module, configured to compare the malicious probability with a preset malicious threshold and to determine that the domain name information is a malicious domain name when the malicious probability is greater than or equal to the malicious threshold.
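To make the data flow of the model application and judging modules concrete (claims 6 and 8: preliminary features from a convolution, a regularization layer, deep features from multi-head attention, linear processing to a probability, comparison with a threshold), here is a pure-Python forward pass. It is an added example, not the patent's implementation: the weights come from a seeded random generator and are untrained, so the probabilities it prints carry no meaning until a training loop replaces them; the "regularization layer" is interpreted as per-position LayerNorm, which is an assumption; the bidirectional RNN layer that claim 8 lists among the model's building blocks is omitted, since the application step in the claim does not use it; and the threshold value 0.5, the width and head count, and all names are assumed.

```python
import math
import random
from typing import List

# Character vocabulary for domain names; index 0 is the pad/unknown symbol.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-."
VOCAB = len(ALPHABET) + 1
MAX_LEN = 32                 # names are truncated or padded to this many characters
CHANNELS = 8                 # convolution output channels = model width
KERNEL = 3                   # convolution window over neighbouring characters
HEADS = 2                    # attention heads (CHANNELS must divide evenly)
MALICIOUS_THRESHOLD = 0.5    # assumed value for claim 8's preset malicious threshold

Vec = List[float]
Mat = List[Vec]


def _matrix(rng: random.Random, rows: int, cols: int, scale: float = 0.5) -> Mat:
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]


def _matvec(m: Mat, v: Vec) -> Vec:
    return [sum(w * x for w, x in zip(row, v)) for row in m]


def _softmax(xs: Vec) -> Vec:
    top = max(xs)
    exps = [math.exp(x - top) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


class ToyDomainDetector:
    """CNN -> LayerNorm -> multi-head attention -> mean-pool -> linear -> sigmoid.

    Weights are seeded-random and untrained: this shows the data flow of the
    claims, not a usable classifier.
    """

    def __init__(self, seed: int = 7) -> None:
        rng = random.Random(seed)
        self.d_head = CHANNELS // HEADS
        self.conv_w = _matrix(rng, CHANNELS, KERNEL * VOCAB, 0.3)
        self.wq = [_matrix(rng, self.d_head, CHANNELS) for _ in range(HEADS)]
        self.wk = [_matrix(rng, self.d_head, CHANNELS) for _ in range(HEADS)]
        self.wv = [_matrix(rng, self.d_head, CHANNELS) for _ in range(HEADS)]
        self.wo = _matrix(rng, CHANNELS, CHANNELS)
        self.lin_w = [rng.uniform(-0.5, 0.5) for _ in range(CHANNELS)]
        self.lin_b = 0.0

    @staticmethod
    def encode(domain: str) -> Mat:
        """One-hot encode the characters of a domain name (MAX_LEN x VOCAB)."""
        rows: Mat = []
        for ch in domain.lower()[:MAX_LEN]:
            row = [0.0] * VOCAB
            idx = ALPHABET.find(ch)
            row[idx + 1 if idx >= 0 else 0] = 1.0
            rows.append(row)
        while len(rows) < MAX_LEN:
            rows.append([1.0] + [0.0] * (VOCAB - 1))    # pad symbol
        return rows

    def conv(self, x: Mat) -> Mat:
        """Preliminary features: 1-D convolution with 'same' padding and ReLU."""
        half = KERNEL // 2
        zero = [0.0] * VOCAB
        padded = [zero] * half + x + [zero] * half
        out: Mat = []
        for i in range(len(x)):
            window = [val for row in padded[i:i + KERNEL] for val in row]
            out.append([max(0.0, s) for s in _matvec(self.conv_w, window)])
        return out

    @staticmethod
    def layer_norm(x: Mat, eps: float = 1e-5) -> Mat:
        """Claim 6's regularization layer, taken here to be LayerNorm per position."""
        out: Mat = []
        for row in x:
            mean = sum(row) / len(row)
            var = sum((v - mean) ** 2 for v in row) / len(row)
            out.append([(v - mean) / math.sqrt(var + eps) for v in row])
        return out

    def attention(self, x: Mat) -> Mat:
        """Deep features: scaled dot-product attention per head, concatenated, projected."""
        n = len(x)
        concat: Mat = [[] for _ in range(n)]
        scale = math.sqrt(self.d_head)
        for h in range(HEADS):
            q = [_matvec(self.wq[h], row) for row in x]
            k = [_matvec(self.wk[h], row) for row in x]
            v = [_matvec(self.wv[h], row) for row in x]
            for i in range(n):
                weights = _softmax([sum(a * b for a, b in zip(q[i], k[j])) / scale for j in range(n)])
                concat[i].extend(sum(weights[j] * v[j][c] for j in range(n)) for c in range(self.d_head))
        return [_matvec(self.wo, row) for row in concat]

    def malicious_probability(self, domain: str) -> float:
        """Linear processing of the deep features: mean-pool, affine map, sigmoid."""
        deep = self.attention(self.layer_norm(self.conv(self.encode(domain))))
        pooled = [sum(col) / len(deep) for col in zip(*deep)]
        logit = sum(w * p for w, p in zip(self.lin_w, pooled)) + self.lin_b
        return 1.0 / (1.0 + math.exp(-logit))

    def is_malicious(self, domain: str, threshold: float = MALICIOUS_THRESHOLD) -> bool:
        """Claim 8's decision: malicious when the probability reaches the threshold."""
        return self.malicious_probability(domain) >= threshold


if __name__ == "__main__":
    det = ToyDomainDetector()
    for name in ("www.example.com", "xn--pypal-4ve.com", "a8f3k2j9d1.example"):
        print(f"{name:22} p={det.malicious_probability(name):.3f} malicious={det.is_malicious(name)}")
```

The threshold is the operational knob: in a deployment it is set from the validation precision/recall trade-off, not fixed at 0.5, and claim 5's store-or-display step should record the probability alongside the name so that the threshold can be re-tuned without re-scoring.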
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the malicious domain name detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the malicious domain name detection method according to any one of claims 1 to 7.
CN202210134403.XA 2022-02-14 2022-02-14 Malicious domain name detection method, device, equipment and storage medium Pending CN114513355A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210134403.XA CN114513355A (en) 2022-02-14 2022-02-14 Malicious domain name detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210134403.XA CN114513355A (en) 2022-02-14 2022-02-14 Malicious domain name detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114513355A true CN114513355A (en) 2022-05-17

Family

ID=81552306

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210134403.XA Pending CN114513355A (en) 2022-02-14 2022-02-14 Malicious domain name detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114513355A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550021A (en) * 2022-09-26 2022-12-30 East China University of Technology Method and system for accurately replicating network space in big data environment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110807098A (en) * 2019-09-24 2020-02-18 Wuhan Zhimei Internet Technology Co., Ltd. DGA domain name detection method based on BiRNN deep learning
CN112926303A (en) * 2021-02-23 2021-06-08 Nanjing University of Posts and Telecommunications Malicious URL detection method based on BERT-BiGRU

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Huang Siqi: "Research and Implementation of Malicious Domain Name Detection Technology", China Master's Theses Full-text Database, Information Science and Technology series *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination