CN105119915A - Malicious domain detection method and device based on intelligence analysis - Google Patents
- Publication number: CN105119915A
- Application number: CN201510502141.8A
- Authority
- CN
- China
- Prior art keywords
- domain name
- risk level
- analysis
- risk
- weight
- Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: for detecting or protecting against malicious traffic
- H04L63/1408: by monitoring network traffic
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1416: Event detection, e.g. attack signature detection
Abstract
The invention provides a malicious domain name detection method and device based on intelligence analysis. The method comprises: acquiring communication data from the network; parsing the communication data to extract the IP address of the source host involved, the domain name queried by the source host, and the time of the query; and querying a domain name risk level database to determine whether the queried domain name is present in it. If it is present, the risk level result corresponding to the domain name is retrieved from the database and presented; if it is not, a risk level assessment is performed on the domain name and the assessment result is presented, where the risk level assessment includes search engine indexing analysis and Internet Archive analysis. The malicious domain name detection method and device provided by the invention can accurately detect unknown malicious domain names.
Description
Technical field
The invention relates to the field of network security, and in particular to a malicious domain name detection method and device based on intelligence analysis.
Background
With the rapid development of network technology and the arrival of the network age, the vast and rich resources the network holds have brought great convenience to human society. However, as people's lives become ever more dependent on the network, profit-driven network security incidents emerge one after another. In recent years in particular, botnets, DNS amplification distributed denial-of-service attacks, trojan-embedded web pages and many other security incidents have seriously affected normal use of the network and caused great harm to all sectors of society, which makes the detection of such incidents especially important.
The domain name system is one of the key infrastructures of today's Internet, and a large number of network services depend on domain name services. The domain name resolution service (DNS) maps abstract IP addresses to easy-to-remember domain names, lets Internet users access network resources more conveniently, and is one of the important basic services of the Internet architecture. Because the domain name system does not inspect the behaviour of the services that rely on it, the DNS service lacks any capability to detect malicious behaviour and is therefore often exploited by malicious programs. To detect such malicious incidents, malicious domain names need to be detected.
Some existing techniques for detecting malicious domain names rely on blacklists and whitelists, restricting user access through explicit "allow" and "deny" rules to achieve a "security" effect. Such methods, however, are often accompanied by large numbers of false positives and false negatives, and adapt very poorly to different user environments and business scenarios.
Contents of the invention
To address the deficiencies of the prior art, in one aspect the invention provides a malicious domain name detection method based on intelligence analysis. The method comprises: acquiring communication data from the network; parsing the communication data to extract the IP of the source host involved, the domain name queried by the source host and the time at which the domain name was queried; and querying a domain name risk level database to determine whether the domain name queried by the source host is present in it. If it is present, the risk level result corresponding to the domain name is retrieved from the database and presented; if it is not, a risk level assessment is performed on the domain name and the assessment result is presented. The risk level assessment includes search engine indexing analysis and Internet Archive analysis, which are assigned a first weight and a second weight respectively. The search engine indexing analysis determines whether the domain name is indexed by a search engine, analyses the search engine's web page ranking score for the domain name, and computes a first risk score for the domain name from the analysis result and the first weight. The Internet Archive analysis queries and analyses the historical activity records and/or historical snapshots of the domain name in the Internet Archive and computes a second risk score for the domain name from the analysis result and the second weight. The risk level assessment result is computed from the first risk score and the second risk score.
In one embodiment of the invention, the risk level assessment further includes domain name registration information correlation analysis, which is assigned a third weight. This analysis determines the completeness and/or authenticity of the domain name's registration information and computes a third risk score for the domain name from the determination result and the third weight; the risk level assessment result is then also computed from the third risk score.
In one embodiment of the invention, the risk level assessment further includes high-frequency access list analysis, which is assigned a fourth weight. This analysis determines whether the domain name is, both currently and during a preset past period, either in or not in the list of the top several domain names most frequently accessed by the source host, and computes a fourth risk score for the domain name from the determination result and the fourth weight; the risk level assessment result is then also computed from the fourth risk score.
In one embodiment of the invention, the risk level assessment further includes failure monitoring analysis, which is assigned a fifth weight. When the domain name's name server fails, this analysis monitors the number of hosts that send repeated query requests to that name server, and computes a fifth risk score for the domain name from the monitoring result and the fifth weight; the risk level assessment result is then also computed from the fifth risk score.
In one embodiment of the invention, the risk level assessment further includes abnormal heartbeat analysis, which is assigned a sixth weight. This analysis determines whether the source host's query requests for the domain name within a unit time interval show regularity, and computes a sixth risk score for the domain name from the determination result and the sixth weight; the risk level assessment result is then also computed from the sixth risk score.
In one embodiment of the invention, the risk level assessment further includes subdomain semantic analysis, which is assigned a seventh weight. This analysis determines whether the subdomain labels of the domain name queried by the source host have actual meaning, and computes a seventh risk score for the domain name from the determination result and the seventh weight; the risk level assessment result is then also computed from the seventh risk score.
In one embodiment of the invention, the malicious domain name detection method further comprises: after the risk level assessment, entering the domain name and its corresponding risk level assessment result into the domain name risk level database.
In another aspect, the invention also provides a malicious domain name detection device based on intelligence analysis. The device comprises: a data acquisition module for acquiring communication data from the network; a data parsing module for parsing the communication data to extract the IP of the source host involved, the domain name queried by the source host and the time at which the domain name was queried; a data query module for querying a domain name risk level database to determine whether the domain name queried by the source host is present in it; a domain name risk level assessment module for performing a risk level assessment on the domain name when it is not present in the database; and an assessment result display module for presenting the risk level result retrieved from the database when the queried domain name is present in it, and for presenting the risk level assessment result produced by the domain name risk level assessment module when it is not. The domain name risk level assessment module comprises: a search engine indexing analysis module for determining whether the domain name is indexed by a search engine, analysing the search engine's web page ranking score for the domain name, and computing a first risk score for the domain name from the analysis result and the assigned first weight; and an Internet Archive analysis module for querying and analysing the historical activity records and/or historical snapshots of the domain name in the Internet Archive and computing a second risk score for the domain name from the analysis result and the assigned second weight. The risk level assessment result is computed from the first risk score and the second risk score.
In one embodiment of the invention, the domain name risk level assessment module further comprises at least one of the following modules: a domain name registration information correlation analysis module for determining the completeness and/or authenticity of the domain name's registration information and computing a third risk score from the determination result and the assigned third weight; a high-frequency access list analysis module for determining whether the domain name is, both currently and during a preset past period, either in or not in the list of the top several domain names most frequently accessed by the source host, and computing a fourth risk score from the determination result and the assigned fourth weight; a failure monitoring analysis module for monitoring, when the domain name's name server fails, the number of hosts that send repeated query requests to that name server, and computing a fifth risk score from the monitoring result and the assigned fifth weight; an abnormal heartbeat analysis module for determining whether the source host's query requests for the domain name within a unit time interval show regularity, and computing a sixth risk score from the determination result and the assigned sixth weight; and a subdomain semantic analysis module for determining whether the subdomain labels of the domain name queried by the source host have actual meaning, and computing a seventh risk score from the determination result and the assigned seventh weight. The risk level assessment result is then also computed from at least one of the third, fourth, fifth, sixth and seventh risk scores.
In one embodiment of the invention, the domain name risk level assessment module is further configured to enter each domain name that has undergone risk level assessment, together with its corresponding assessment result, into the domain name risk level database.
The malicious domain name detection method and device based on intelligence analysis provided by the invention do not rely on blacklists or whitelists and can accurately detect unknown malicious domain names.
Description of the drawings
The following drawings are included as part of the invention to aid its understanding. They show embodiments of the invention and their description, and serve to explain the principles of the invention.
In the drawings:
Figure 1 shows a flow chart of a malicious domain name detection method based on intelligence analysis according to an embodiment of the invention;
Figure 2 shows a flow chart of abnormal heartbeat analysis according to an embodiment of the invention; and
Figure 3 shows an architecture diagram of a domain name risk level assessment module according to an embodiment of the invention.
Detailed description
In the following description numerous specific details are given to provide a more thorough understanding of the invention. It will be apparent to those skilled in the art, however, that the invention may be practised without one or more of these details. In other cases, some technical features well known in the art are not described, to avoid obscuring the invention.
It should be understood that the invention can be embodied in different forms and should not be construed as limited to the embodiments set out here. Rather, these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art.
The terminology used here serves only to describe particular embodiments and does not limit the invention. As used here, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the terms "consisting of" and/or "comprising", when used in this specification, establish the presence of the stated features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups. As used here, the term "and/or" includes any and all combinations of the associated listed items.
To give a thorough understanding of the invention, the following description sets out detailed steps and detailed structures to explain its technical solution. Preferred embodiments of the invention are described in detail below; the invention may, however, have other embodiments beyond these detailed descriptions.
One embodiment of the invention provides a malicious domain name detection method based on intelligence analysis. The method is described below with reference to Figure 1, which shows a flow chart of a malicious domain name detection method based on intelligence analysis according to an embodiment of the invention. As shown in Figure 1, the flow of the method is as follows:
First, data acquisition: communication data is acquired from the network. For example, the communication data of the monitored network can be obtained from the query logs of a DNS server or from traffic captured by a sniffer.
After acquisition, the data is parsed to extract the IP of the source host involved, the domain name queried by the source host and the time at which the domain name was queried. The content extracted by parsing can be represented by a domain name query structure A, which serves as the basic data structure for the subsequent query. Structure A may be a structure comprising the entries shown in Table 1:
Table 1
After parsing, the data query is performed: the domain name risk level database is queried to determine whether the domain name queried by the source host is present in it. The database may contain the malicious domain names of attack incidents that have already occurred, together with their corresponding risk levels. For example, the storage structure of the database may be as shown in Table 2:
Table 2
The domain name risk level score can be updated continuously. The initial risk level score is the score at the time of initial entry; as the number of updates grows, the final risk level score can be computed by a weighted integration of the successive scores. The initial entry time is the time at which the domain name was first entered into the database. The last update time is the time at which the domain name's risk level score was most recently updated. The update period is the period at which a domain name entered in the database is refreshed; when it elapses, the risk level score and the risk level are updated automatically. The change record stores the time and the risk level score of the initial entry and of every update, and is used for the weighted integration of the scores that determines the final risk level score: the more recent a score, the greater its weight, and the older, the smaller. Domain activity records how active the domain name is in the monitored network; the number of queries per unit time is determined from the collected query statistics, and more queries mean higher activity. Activity can influence the update period: a domain name with low activity may be given a correspondingly longer update period.
By querying the domain name risk level database it can be determined whether the domain name queried by the source host is present in it. If it is, the risk level result corresponding to the queried domain name is retrieved from the database and presented. Otherwise, if the database does not contain the queried domain name, a risk level assessment is performed on the domain name and the assessment result is then presented.
Preferably, the result of the risk level assessment is entered into the domain name risk level database, which further updates it. The malicious domain name detection method according to this embodiment therefore does not restrict access on the basis of an existing blacklist or whitelist, but dynamically builds, through the system's own assessment, a domain name risk level database that can be used to judge the maliciousness of domain names accurately.
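The flow of Figure 1, together with the Table 2 bookkeeping just described, as an added Python example that is not the patent's own code. It parses constructed DNS query log lines into the three fields of structure A, looks each domain up in an in-memory risk level database, assesses unknown domains from the two mandatory analyses (search engine indexing and Internet Archive history, supplied here as constructed intelligence facts rather than fetched live), and records the result with a change record whose scores are integrated with more weight on recent entries. The weights, thresholds, half-life and log format are all assumptions of this example.

```python
"""Lookup-or-assess flow of Figure 1 over constructed DNS query log lines,
with the Table 2 bookkeeping (initial score, change record, update period)
and a recency-weighted final score.  Added example, not the patent's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: query time, source host IP, queried domain
# (the three fields of the patent's "structure A").
SAMPLE_LOG = """\
2015-08-14T09:00:01 10.0.0.5 www.example.com
2015-08-14T09:00:07 10.0.0.5 known-bad.example
2015-08-14T09:00:12 10.0.0.9 qz8kd3.example.net
"""

# Constructed "intelligence" for the two mandatory analyses, keyed by domain:
# (indexed by a search engine?, search engine page score 0..10,
#  number of Internet Archive snapshots).  Gathering these live is out of scope.
SAMPLE_INTEL = {
    "www.example.com": (True, 8, 500),
    "qz8kd3.example.net": (False, 0, 0),
}

W_SEARCH, W_ARCHIVE = 0.5, 0.5   # first and second weight (values assumed)


@dataclass
class Query:
    src_ip: str
    domain: str
    time: datetime


@dataclass
class DbEntry:
    """One row of the risk level database, after Table 2 of the patent."""
    score: float
    initial_score: float
    first_entered: datetime
    last_updated: datetime
    update_period: timedelta
    change_record: list = field(default_factory=list)   # [(time, score), ...]
    query_count: int = 0                                 # domain activity


def parse_log(text):
    """Parse the constructed log lines into structure-A records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain = line.split()
        records.append(Query(ip, domain.lower().rstrip("."),
                             datetime.fromisoformat(ts)))
    return records


def assess(domain, intel):
    """Risk score (0 = benign .. 1 = worst) for a domain not yet in the
    database: unindexed domains and domains without archive history score
    highest; the linear scaling of page score and snapshot count is this
    example's choice."""
    indexed, page_score, snapshots = intel[domain]
    s_search = 1.0 if not indexed else max(0.0, 1.0 - page_score / 10.0)
    s_archive = 1.0 if snapshots == 0 else max(0.0, 1.0 - snapshots / 20.0)
    return W_SEARCH * s_search + W_ARCHIVE * s_archive


def final_score(change_record, now, half_life=timedelta(days=30)):
    """Recency-weighted integration of every recorded score: the patent only
    says newer scores weigh more; the exponential half-life is assumed here."""
    num = den = 0.0
    for t, s in change_record:
        w = 0.5 ** ((now - t) / half_life)
        num += w * s
        den += w
    return num / den


def risk_level(score):
    """Map a score to a level; the thresholds are assumed."""
    return "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"


def detect(queries, db, intel):
    """Figure 1 flow: present the stored result when the domain is known
    (re-assessing it once its update period has elapsed), otherwise assess
    it and record the result in the database."""
    results = {}
    for q in queries:
        entry = db.get(q.domain)
        if entry is None:
            score = assess(q.domain, intel)
            entry = DbEntry(score, score, q.time, q.time, timedelta(days=7),
                            [(q.time, score)])
            db[q.domain] = entry
        elif q.time - entry.last_updated >= entry.update_period:
            entry.change_record.append((q.time, assess(q.domain, intel)))
            entry.last_updated = q.time
            entry.score = final_score(entry.change_record, q.time)
        entry.query_count += 1
        results[q.domain] = (entry.score, risk_level(entry.score))
    return results


def run_sample():
    """Run the flow on the constructed log with one pre-recorded domain."""
    t0 = datetime(2015, 8, 10)
    db = {"known-bad.example": DbEntry(0.9, 0.9, t0, t0, timedelta(days=7),
                                       [(t0, 0.9)])}
    return detect(parse_log(SAMPLE_LOG), db, SAMPLE_INTEL), db


if __name__ == "__main__":
    for dom, (score, level) in run_sample()[0].items():
        print(f"{dom:25s} {score:.2f} {level}")
```

The known domain is answered from the database without re-assessment because its update period has not elapsed; the two unknown domains are assessed and stored, so a second run would find them in the database.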
The domain name risk level assessment may include abnormal heartbeat analysis. Abnormal heartbeat analysis determines the risk level of a domain name by judging whether the source host's query requests for the domain name within a unit time interval show regularity. Study of APT attack incidents that have already occurred shows that, to keep their connection alive, APT attacks usually send heartbeat packets at fixed intervals to confirm they are still active; normal applications have no such mechanism. A statistics window can be set and the domain name query requests counted in each window. The domain name queries of normal applications or of web browsing should be random and irregular, so periodic, regular queries for a domain name indicate a possible anomaly, and the risk level of the domain name can then be determined to be high. Alternatively, when the risk level assessment also includes other analyses, a corresponding score can be added to the domain name's risk level according to the weight assigned to abnormal heartbeat analysis. This flow is shown in Figure 2.
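One way to implement the regularity test, as an added Python example that is not the patent's own code: the query times are grouped per (source host, domain name), the intervals between consecutive queries are computed, and a series is treated as a heartbeat when its intervals have a small coefficient of variation. The sample query series, the minimum query count, the coefficient-of-variation threshold and the weight are all constructed or assumed for this example.

```python
"""Abnormal heartbeat analysis over constructed query times: per (source IP,
domain) pair the inter-query intervals are examined for regularity.
Added example, not the patent's code."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

W_HEARTBEAT = 0.15   # sixth weight (value assumed)


def query_intervals(times):
    """Seconds between consecutive queries, in time order."""
    ts = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def is_regular(times, min_queries=6, max_cv=0.1):
    """A query series counts as a heartbeat when it has at least
    `min_queries` queries and the coefficient of variation (std/mean) of its
    intervals is at most `max_cv`.  Both thresholds are assumed; the patent
    only asks whether the queries are periodic.  Returns (verdict, cv)."""
    intervals = query_intervals(times)
    if len(intervals) < min_queries - 1:
        return False, None
    mean = statistics.fmean(intervals)
    if mean == 0.0:
        return False, 0.0
    cv = statistics.pstdev(intervals) / mean
    return cv <= max_cv, cv


def heartbeat_scores(queries, weight=W_HEARTBEAT):
    """queries: iterable of (src_ip, domain, datetime).  Returns
    {(src_ip, domain): (verdict, cv, risk_contribution)}; a regular series
    contributes the full weight, an irregular one contributes 0."""
    by_pair = defaultdict(list)
    for ip, domain, t in queries:
        by_pair[(ip, domain)].append(t)
    out = {}
    for pair, times in by_pair.items():
        regular, cv = is_regular(times)
        out[pair] = (regular, cv, weight if regular else 0.0)
    return out


def sample_queries():
    """Constructed sample: one host querying a domain every 300 s with a
    little jitter, and the same host browsing another domain at irregular
    times."""
    base = datetime(2015, 8, 14, 9, 0, 0)
    beacon_jitter = [0, 1, -1, 2, 0, 1, -2, 0, 1, 0, -1, 1]
    beacon = [("10.0.0.5", "upd.qz8kd3.example.net",
               base + timedelta(seconds=300 * i + j))
              for i, j in enumerate(beacon_jitter)]
    browse_offsets = [0, 3, 48, 50, 650, 667, 1867, 1872, 1962]
    browse = [("10.0.0.5", "www.example.com", base + timedelta(seconds=g))
              for g in browse_offsets]
    return beacon + browse


if __name__ == "__main__":
    for (ip, dom), (regular, cv, risk) in heartbeat_scores(sample_queries()).items():
        print(f"{ip} -> {dom}: regular={regular} cv={cv:.3f} risk=+{risk}")
```

The coefficient of variation is used rather than a fixed tolerance so that the same threshold works for a 5-minute and a 1-hour period; a short series is deliberately left unscored, since two or three queries cannot establish periodicity.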
The domain name risk level assessment according to this embodiment may also include subdomain semantic analysis. Subdomain semantic analysis determines the risk level of a domain name by judging whether the subdomain labels of the domain name queried by the source host have actual meaning. For example, it may include analysis of the meaning of the first- and second-level domain labels: it can be checked whether the first- and second-level labels of the queried domain name have actual meaning, such as a word, pinyin, a single letter or a similar recognizable meaning. In a normal domain name the top-level domain and the first- and second-level labels all have actual meaning. Top-level domains fall into two classes. The first is the national top-level domain: more than 200 countries have been assigned top-level domains according to the ISO 3166 country codes, for example cn for China, us for the United States and jp for Japan. The second is the international top-level domain, for example .com for commercial enterprises, .net for network providers and .org for non-profit organizations. Under an international top-level domain, the first-level label is the registrant's online name, for example ibm, yahoo or microsoft; under a national top-level domain it is a symbol for the category of the registered organization, for example com, edu, gov or net. If the top-level domain of the queried domain name is neither a top-level domain assigned according to the ISO 3166 country codes nor an international top-level domain, and the first-level label is not the online name of a well-known registrant and has no actual meaning (a corresponding word, pinyin, letter meaning or the like), the domain name can be regarded as malicious. Alternatively, when the risk level assessment also includes other analyses, a corresponding risk score can be counted towards the domain name's risk level according to the weight assigned to subdomain semantic analysis.
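The semantic test described above, as an added Python example that is not the patent's own code. The top-level label is checked against a country-code list and a generic list, the registrant label is picked either directly under a generic TLD or below the category label under a country-code TLD, and that label is judged "meaningful" when it is a dictionary word, a known name, a single letter or a sequence of pinyin syllables. All lists here are small constructed subsets (a real deployment would load complete TLD, dictionary and pinyin tables), and the weight is assumed.

```python
"""Subdomain semantic analysis on constructed domains: the top-level label is
checked against country-code and generic TLD lists, and the registrant label
is checked for 'actual meaning' (a word, a known name, a pinyin syllable
sequence or a single letter).  Added example, not the patent's code; all
word and TLD lists below are small constructed subsets."""

CC_TLDS = {"cn", "us", "jp", "uk", "de", "fr", "ru", "kr"}          # ISO 3166 subset
GENERIC_TLDS = {"com", "net", "org", "edu", "gov", "info", "biz"}     # subset
# Category labels used under a country-code TLD (com.cn, edu.cn, ...).
CATEGORY_LABELS = {"com", "edu", "gov", "net", "org", "ac", "co"}
# Constructed dictionary of words and well-known registrant names.
WORDS = {"ibm", "yahoo", "microsoft", "example", "mail", "shop", "news",
         "bank", "cloud", "update", "login"}
# Small constructed subset of Mandarin pinyin syllables.
PINYIN = {"a", "ba", "bai", "bao", "bo", "du", "dong", "hua", "jing", "lang",
          "li", "qing", "tao", "teng", "wei", "xin", "xun", "zhong", "guo"}
W_SEMANTIC = 0.1   # seventh weight (value assumed)


def is_pinyin(label):
    """True when the label can be segmented entirely into pinyin syllables
    (dynamic programming over syllable boundaries, syllables up to 6 letters)."""
    n = len(label)
    ok = [True] + [False] * n
    for i in range(1, n + 1):
        for j in range(max(0, i - 6), i):
            if ok[j] and label[j:i] in PINYIN:
                ok[i] = True
                break
    return ok[n]


def is_meaningful(label):
    """The patent's 'actual meaning' test: a word, a known name, a single
    letter or a pinyin sequence; hyphenated parts are tested separately."""
    parts = [p for p in label.split("-") if p]
    if not parts:
        return False
    return all(p in WORDS or (len(p) == 1 and p.isalpha()) or is_pinyin(p)
               for p in parts)


def registrant_label(labels):
    """Pick the label that names the registrant: directly below a generic
    TLD, or below the category label under a country-code TLD."""
    if labels[-1] in CC_TLDS and len(labels) >= 3 and labels[-2] in CATEGORY_LABELS:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[-1]


def semantic_risk(domain, weight=W_SEMANTIC):
    """Return (reasons, risk contribution).  An unknown TLD or a meaningless
    registrant label contributes the full weight, otherwise 0."""
    labels = domain.lower().rstrip(".").split(".")
    reasons = []
    tld = labels[-1]
    if tld not in CC_TLDS and tld not in GENERIC_TLDS:
        reasons.append(f"unknown TLD '{tld}'")
    label = registrant_label(labels)
    if not is_meaningful(label):
        reasons.append(f"registrant label '{label}' has no recognizable meaning")
    return reasons, (weight if reasons else 0.0)


if __name__ == "__main__":
    for d in ["www.ibm.com", "mail.baidu.com", "www.weibo.com.cn",
              "qz8kd3.com", "c2.xk7.xyzzy"]:
        print(d, semantic_risk(d))
```

Because the lists are subsets, a legitimate name outside them is reported as meaningless; in practice this check is one weighted contribution among several, which is exactly why the patent combines it with the other analyses rather than treating it as a verdict on its own.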
According to one embodiment of the invention, the domain name risk level assessment may also include domain name registration information correlation analysis. This analysis determines the risk level of a domain name by judging the completeness and/or authenticity of its registration information. The registration information of the domain name can be looked up with Whois and used to fill in a domain name registration structure B. For example, structure B may be as shown in Table 3:
Table 3
Correlation analysis can be performed on the entries of structure B. The more complete and authentic the registration information, the longer the domain name has been registered, and if the registrant name and registrant e-mail address show no record of malicious behaviour under correlation analysis, this check is considered safe and contributes no risk score, i.e. a risk score of 0. If the registration information is incomplete, the domain name was registered only recently, the domain name is one of a set of similar domain names registered in bulk within a certain period, or correlation analysis finds that the registrant name or e-mail address is also the registrant name or e-mail address of known malicious domain names, the domain name is considered to have a higher risk level and a corresponding risk score is counted according to the preset weight.
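The four checks of the registration correlation analysis, as an added Python example that is not the patent's own code. Whois-style records (a stand-in for the Table 3 structure, which the page does not reproduce) are constructed inline; the example flags incomplete records, recently registered domains, look-alike domains registered in bulk in the same window, and registrant names or e-mail addresses shared with already known malicious domains. The field set, the age and bulk thresholds, the equal split of the weight across checks and all records are assumptions of this example.

```python
"""Domain registration information correlation analysis over constructed
Whois-style records (a stand-in for the patent's 'structure B').  Added
example, not the patent's code; thresholds, fields and records are assumed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

W_REGISTRATION = 0.15              # third weight (value assumed)
SAMPLE_TODAY = date(2015, 8, 14)   # evaluation date for the constructed records


@dataclass
class Registration:
    domain: str
    registrant: Optional[str]
    email: Optional[str]
    created: Optional[date]
    registrar: Optional[str]


def shape(domain):
    """Registrant label with digit runs collapsed, used to spot look-alike
    domains registered in bulk (shop-deal07.com -> shop-deal#)."""
    label = domain.lower().split(".")[0]
    return re.sub(r"\d+", "#", label)


def registration_risk(reg, all_regs, known_bad, today,
                      weight=W_REGISTRATION, min_age=timedelta(days=180),
                      bulk_window=timedelta(days=1), bulk_threshold=5):
    """Return (findings, risk contribution).  Each of the four checks
    (completeness, age, bulk registration, link to known malicious
    registrants) that fails adds a quarter of the weight."""
    findings = []
    if not all([reg.registrant, reg.email, reg.created, reg.registrar]):
        findings.append("registration information incomplete")
    if reg.created is None or today - reg.created < min_age:
        findings.append("domain registered recently")
    if reg.created is not None:
        similar = [r for r in all_regs
                   if r.domain != reg.domain and r.created is not None
                   and abs(r.created - reg.created) <= bulk_window
                   and shape(r.domain) == shape(reg.domain)]
        if len(similar) >= bulk_threshold:
            findings.append(f"{len(similar)} look-alike domains registered in the same window")
    bad_names = {r.registrant for r in known_bad if r.registrant}
    bad_mails = {r.email for r in known_bad if r.email}
    if reg.registrant in bad_names or reg.email in bad_mails:
        findings.append("registrant or e-mail shared with a known malicious domain")
    return findings, weight * len(findings) / 4


def sample_records():
    """Constructed records: one long-standing, complete registration and a
    batch of fresh look-alike domains sharing a throwaway e-mail address
    that already appears on a known malicious domain."""
    good = Registration("example.com", "Example Corp", "admin@example.com",
                        date(2010, 1, 1), "Registrar A")
    batch = [Registration(f"shop-deal{n:02d}.com", None, "mail@throwaway.example",
                          date(2015, 8, 1), "Registrar B") for n in range(1, 8)]
    known_bad = [Registration("old-bad.example", "J. Doe", "mail@throwaway.example",
                              date(2015, 5, 2), "Registrar B")]
    return good, batch, known_bad


if __name__ == "__main__":
    good, batch, known_bad = sample_records()
    everything = [good] + batch
    for reg in (good, batch[6]):
        print(reg.domain, registration_risk(reg, everything, known_bad, SAMPLE_TODAY))
```

The bulk-registration check needs the other registrations collected in the same window, which is why the function takes the full record set rather than a single record; the known-malicious set would in practice be drawn from the risk level database itself.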
According to an embodiment of the present invention, the domain name risk level assessment may also include high-frequency access list analysis. This analysis determines the risk level of a domain name by judging whether the domain name is, both currently and throughout a preset past period, either consistently inside or consistently outside the list of the top several domain names most frequently accessed by the source host. For example, time can be divided into periods and the top several most-used domain names of each host counted periodically, for instance a Top10, following statistical regularities and each host's pattern of Internet use. Under normal circumstances the Top10 list hardly changes, which indicates stable Internet usage. If a domain name is in the Top10 both now and throughout the preset past period, or is outside the Top10 both now and throughout that period, it can be considered non-malicious and contributes nothing to the risk score, that is, its risk score is 0.
Conversely, if the Top10 list changes substantially, for example a domain name that never appeared in the Top10 list before now appears in it, the host's "behaviour" during that period is considered abnormal compared with usual, and the newly appearing domain name is quite likely malicious. By way of example, when the domain name risk level assessment also includes other analyses, the risk level of the domain name can be counted into the corresponding risk score based on the weight assigned to the high-frequency access list analysis.
According to an embodiment of the present invention, the domain name risk level assessment may also include fault monitoring analysis. Fault monitoring analysis determines the risk level of a domain name by monitoring, when the domain name's name server fails, the number of hosts that re-send query requests to that name server. When the name server stops responding, most hosts in the monitored network segment should re-send their queries. If at that moment only a single, fixed handful of hosts keep sending queries for the domain name at regular intervals, the domain name is quite likely malicious: a normal domain name is widely accessed in daily use, so when it fails the proportion of users re-requesting it is high, whereas a malicious domain name on the attacker's side communicates only with one or a few compromised hosts in the monitored network, so the volume of re-queries it generates is comparatively small or comes from a single source, and the queried domain name may then be considered malicious. By way of example, when the domain name risk level assessment also includes other analyses, the risk level of the domain name can be counted into the corresponding risk score based on the weight assigned to the fault monitoring analysis.
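Both the high-frequency access list analysis and the fault monitoring analysis above run over the same per-host DNS query records, so here is one added Python example (not the patent's own code) covering both: a constructed query log in the shape the data parsing module extracts (timestamp, source host, queried name, response code), a per-host periodic Top-N with ISO week as the period, a newcomer check against earlier periods, and the share of monitored hosts that re-query a name while its name server is failing. The log, the hosts and the name `k9x2.upd4te-svc.net` are invented; the Top-N is reduced to N=3 because the log is small.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log: timestamp, source host, queried name, response code, in the
# form the data parsing module would extract from captured traffic. Not real traffic.
DNS_LOG = """\
2015-08-05T09:00:01 10.0.0.5 www.baidu.com NOERROR
2015-08-05T09:00:02 10.0.0.5 www.qq.com NOERROR
2015-08-05T09:00:03 10.0.0.5 www.taobao.com NOERROR
2015-08-05T09:10:00 10.0.0.5 www.baidu.com NOERROR
2015-08-05T09:12:00 10.0.0.6 www.baidu.com NOERROR
2015-08-05T09:13:00 10.0.0.7 www.baidu.com NOERROR
2015-08-05T09:14:00 10.0.0.8 www.baidu.com NOERROR
2015-08-12T09:00:01 10.0.0.5 www.baidu.com NOERROR
2015-08-12T09:00:02 10.0.0.5 www.qq.com NOERROR
2015-08-12T09:00:03 10.0.0.5 k9x2.upd4te-svc.net NOERROR
2015-08-12T09:05:03 10.0.0.5 k9x2.upd4te-svc.net NOERROR
2015-08-12T09:10:03 10.0.0.5 k9x2.upd4te-svc.net NOERROR
2015-08-12T09:12:00 10.0.0.6 www.baidu.com NOERROR
2015-08-12T09:13:00 10.0.0.7 www.baidu.com NOERROR
2015-08-12T09:14:00 10.0.0.8 www.baidu.com NOERROR
2015-08-14T10:00:03 10.0.0.5 k9x2.upd4te-svc.net SERVFAIL
2015-08-14T10:01:03 10.0.0.5 k9x2.upd4te-svc.net SERVFAIL
2015-08-14T10:02:03 10.0.0.5 k9x2.upd4te-svc.net SERVFAIL
2015-08-14T11:00:00 10.0.0.5 www.baidu.com SERVFAIL
2015-08-14T11:00:05 10.0.0.6 www.baidu.com SERVFAIL
2015-08-14T11:00:09 10.0.0.7 www.baidu.com SERVFAIL
2015-08-14T11:00:12 10.0.0.8 www.baidu.com SERVFAIL
"""


def parse_dns_log(text):
    """(timestamp, source host, qname, rcode) tuples, qname normalised to lower case."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, rcode = line.split()
        rows.append((datetime.fromisoformat(ts), src, qname.lower().rstrip("."), rcode))
    return rows


def week_of(ts):
    """Period key for the periodic Top-N statistics: the ISO week number."""
    return ts.isocalendar()[1]


def top_n_per_host(rows, n=10, period_key=week_of):
    """{(host, period): set of that host's n most-queried names in that period}."""
    counts = defaultdict(Counter)
    for ts, src, qname, _ in rows:
        counts[(src, period_key(ts))][qname] += 1
    return {k: {q for q, _ in c.most_common(n)} for k, c in counts.items()}


def top_list_newcomers(rows, host, current_period, past_periods, n=10):
    """High-frequency access list analysis: names in the host's current Top-N that were in
    none of the past periods' Top-N lists. Names consistently in, or consistently out of,
    the list score 0; a newcomer is what the page calls a change in the host's behaviour."""
    tops = top_n_per_host(rows, n)
    current = tops.get((host, current_period), set())
    past = set().union(*(tops.get((host, p), set()) for p in past_periods))
    return sorted(current - past)


def outage_requery_ratio(rows, qname, start_iso, end_iso):
    """Fault monitoring analysis: share of monitored hosts that re-sent queries for qname
    (and got a failure) while its name server was down. A popular name is re-queried by
    most hosts; a C2 name only by the few hosts that need it."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    monitored = {src for _, src, _, _ in rows}
    requerying = {src for ts, src, q, rcode in rows
                  if q == qname and start <= ts <= end and rcode != "NOERROR"}
    return len(requerying) / len(monitored), sorted(requerying)


if __name__ == "__main__":
    rows = parse_dns_log(DNS_LOG)
    print("newcomers in 10.0.0.5 Top-3, week 33 vs week 32:",
          top_list_newcomers(rows, "10.0.0.5", 33, [32], n=3))
    for name, window in [("k9x2.upd4te-svc.net", ("2015-08-14T10:00:00", "2015-08-14T10:05:00")),
                         ("www.baidu.com", ("2015-08-14T11:00:00", "2015-08-14T11:01:00"))]:
        print(name, outage_requery_ratio(rows, name, *window))
```

On this log the name `k9x2.upd4te-svc.net` is a newcomer to host 10.0.0.5's list in week 33 and, during its name server's failure, only that one host (a quarter of the monitored hosts) keeps re-querying it, while all four hosts re-query www.baidu.com during its outage. The outage window itself has to come from elsewhere (the page's name-server status monitoring); this example takes it as an argument rather than inferring it from the log.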
According to an embodiment of the present invention, the domain name risk level assessment may also include search engine indexing analysis. This analysis determines the risk level of a domain name by judging whether the domain name is indexed by search engines and/or by referring to the search engines' page rating of the domain name. Search engines normally index currently active domain names, that is, every currently active page can be crawled by a search engine; a domain name with zero indexed pages, one that cannot be crawled by search engines, is considered more likely to be malicious. In addition, the Google PR and Sogou PR scores can be consulted as references. PR stands for PageRank, the page's rank, scored from 0 to 10 with 10 the maximum. The higher the PR value, the more popular (the more important) the page: a site with a PR of 1 is not very popular, while a PR of 7 to 10 is very popular (or extremely important), and a PR of 4 already counts as a good site. (Google stopped publishing its public Toolbar PageRank in 2016, so a current implementation needs another popularity signal for this step.)
The more popular a domain name, the less likely it is malicious; conversely, a domain name with a low score, and especially a score of 0, is highly likely to be malicious. By way of example, when the domain name risk level assessment also includes other analyses, the risk level of the domain name can be counted into the corresponding risk score based on the weight assigned to the search engine indexing analysis.
According to an embodiment of the present invention, the domain name risk level assessment may also include Internet Archive analysis. This analysis determines the risk level of a domain name by querying the Internet Archive and analysing the domain name's historical activity records and/or historical snapshots. Compared with a search engine's index, a query of the Internet Archive (archive.org) has the advantage that a search engine drops websites that have gone offline from its results, whereas the Internet Archive is an encyclopaedia of the whole Internet's history: for websites that are offline and no longer indexed by search engines, archive.org can still retrieve historical snapshots. Whether a domain name is suspected of being malicious can therefore be judged from an analysis of its activity period, activity behaviour and historical snapshots; for example, a domain name that was active for a while, fell silent, and then shows large-scale activity again can be considered suspicious. By way of example, when the domain name risk level assessment also includes other analyses, the risk level of the domain name can be counted into the corresponding risk score based on the weight assigned to the Internet Archive analysis.
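The "active, then silent, then a burst" heuristic above, as an added Python example (not from the patent) over a constructed list of capture dates of the kind the Internet Archive's CDX index returns for one domain name. The dates and the thresholds (180 days of silence, five captures within 30 days) are assumptions for the example.

```python
from datetime import date

# Constructed capture dates, as the Internet Archive's CDX index would list them for one
# domain name. Invented for the example; not real archive data.
SNAPSHOTS = [
    date(2013, 1, 5), date(2013, 3, 10), date(2013, 6, 15), date(2013, 9, 1),   # active phase
    date(2015, 7, 20), date(2015, 7, 22), date(2015, 7, 25),                     # sudden burst
    date(2015, 7, 28), date(2015, 8, 1), date(2015, 8, 5),
]


def dormant_then_burst(snapshots, dormant_days=180, burst_count=5, burst_window_days=30):
    """Internet Archive analysis: flag a name that was active (at least two captures), went
    silent for dormant_days or more, then shows burst_count or more captures within
    burst_window_days. Returns (suspicious, description)."""
    s = sorted(set(snapshots))
    for i in range(2, len(s)):                 # i >= 2: real activity before the gap
        gap = (s[i] - s[i - 1]).days
        if gap < dormant_days:
            continue
        burst = [d for d in s[i:] if (d - s[i]).days <= burst_window_days]
        if len(burst) >= burst_count:
            return True, ("active until %s, dormant for %d days, then %d captures within %d days"
                          % (s[i - 1], gap, len(burst), burst_window_days))
    return False, "no dormant-then-burst pattern in %d captures" % len(s)


def captures_per_year(snapshots):
    """Coarse activity profile, useful beside a search engine that now returns nothing."""
    profile = {}
    for d in snapshots:
        profile[d.year] = profile.get(d.year, 0) + 1
    return dict(sorted(profile.items()))


if __name__ == "__main__":
    print(captures_per_year(SNAPSHOTS))
    print(dormant_then_burst(SNAPSHOTS))
```

Capture frequency partly reflects the crawler's own schedule, so a burst is only meaningful relative to the name's earlier capture rate; the description string keeps both numbers so an analyst can judge that.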
According to the above embodiments, the domain name risk level assessment may include any one of abnormal heartbeat analysis, subdomain semantic analysis, domain name registration information correlation analysis, high-frequency access list analysis, fault monitoring analysis, search engine indexing analysis and Internet Archive analysis, or any combination of them. When analyses are combined, each is assigned a weight, each analysis computes its risk score according to that weight, and the final overall risk level assessment result is the sum of the individual risk scores. The weight assigned to each analysis can be changed according to the actual situation, so that a customised domain name risk level assessment is achieved.
The final risk level assessment result may include a risk score and its corresponding risk level. For example, one risk score range may be defined as the high risk level, another as the suspicious risk level and another as the low risk level. An alert mechanism can be configured according to the domain name risk level: for example, when a host in the monitored network accesses a high-risk domain name the system issues a high-severity alert; when a host accesses a suspicious-risk domain name it issues a low-severity alert; and access to a low-risk domain name triggers no alert. If hosts in the monitored network are found to query suspicious-risk domain names frequently, vigilance should be raised; if they frequently query high-risk domain names, they can be considered to have suffered an APT attack.
The risk assessment process above is now described with an example. In this example the domain name risk level assessment includes abnormal heartbeat analysis, subdomain semantic analysis and domain name registration information correlation analysis, with abnormal heartbeat analysis assigned a weight of 40% and the other two 30% each. Taking the risk score of a domain name already confirmed malicious as 100 points: if the abnormal heartbeat analysis finds that the source host's queries for the domain name within a unit time interval are regular, the first risk score of the domain name is 40% * 100 = 40 points; if the subdomain semantic analysis finds that the subdomain of the domain name queried by the source host has actual meaning, this analysis contributes no risk, so the second risk score is 0 points; similarly, if the domain name registration information correlation analysis finds the registration information incomplete or untrue, the third risk score is 30% * 100 = 30 points. The overall risk score of the domain name risk level assessment is thus 40 + 0 + 30 = 70 points.
If domain name risk scores in the range (80, 100] are defined as high-risk, (40, 80] as suspicious-risk and [0, 40] as low-risk, the risk level of this domain name is suspicious, which may for example trigger a low-severity alert prompting greater vigilance. Those of ordinary skill in the art will understand that the above is only an example; the analyses included in the domain name risk level assessment, the weight assigned to each analysis and the correspondence between risk score and risk level can all be changed to suit different businesses and environments.
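The weighted scoring, tier mapping and alert mechanism of the preceding paragraphs, together with the risk level database that answers repeat queries without re-assessing (described later for the detection device), as one added Python example that is not the patent's code. It reproduces the page's 40/30/30 example (score 70, suspicious, low-severity alert) and generalises it in one respect stated here: the score is normalised by the total weight, so a customised weight set that does not sum to 1 still yields a 0 to 100 scale. The analysis names and the `run_analyses` callback are assumptions.

```python
# Weights as in the page's worked example: heartbeat 40%, the other two 30% each.
# Any set of non-negative weights works; the score is normalised to a 100-point scale.
EXAMPLE_WEIGHTS = {"heartbeat": 0.40, "subdomain_semantics": 0.30, "registration": 0.30}

# Tier boundaries from the page: (80, 100] high, (40, 80] suspicious, [0, 40] low.
HIGH_ABOVE, SUSPICIOUS_ABOVE = 80, 40
ALERT_FOR_LEVEL = {"high": "high-severity alert", "suspicious": "low-severity alert", "low": None}


def risk_score(weights, fired, max_score=100):
    """Sum of weight*max_score over the analyses that fired, divided by the total weight
    so a customised weight set still yields a 0..max_score value."""
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and not all zero")
    unknown = set(fired) - set(weights)
    if unknown:
        raise KeyError("verdicts for analyses with no weight: %s" % sorted(unknown))
    return round(max_score * sum(w for name, w in weights.items() if fired.get(name)) / total)


def risk_level(score):
    """Map a 0..100 score to the page's tiers; the upper bounds 80 and 40 are inclusive."""
    if score > HIGH_ABOVE:
        return "high"
    if score > SUSPICIOUS_ABOVE:
        return "suspicious"
    return "low"


def assess(weights, fired):
    """fired: {analysis name: True if that analysis judged the name malicious}."""
    score = risk_score(weights, fired)
    level = risk_level(score)
    return {"score": score, "level": level, "alert": ALERT_FOR_LEVEL[level]}


class RiskDatabase:
    """The domain name risk level database: look a name up, run the analyses only on a
    miss, and record the result so the next query for the same name is answered from
    the store rather than re-assessed."""

    def __init__(self, weights):
        self.weights = weights
        self._store = {}

    def lookup_or_assess(self, domain, run_analyses):
        """run_analyses(domain) -> {analysis name: bool}; returns (result, 'cached'|'assessed')."""
        if domain in self._store:
            return self._store[domain], "cached"
        result = assess(self.weights, run_analyses(domain))
        self._store[domain] = result
        return result, "assessed"


if __name__ == "__main__":
    # the page's example: heartbeat regular, subdomain meaningful, registration incomplete
    print(assess(EXAMPLE_WEIGHTS, {"heartbeat": True, "subdomain_semantics": False, "registration": True}))
```

One consequence of the page's all-or-nothing contribution per analysis is visible here: with three analyses at 40/30/30, the only reachable scores are 0, 30, 40, 60, 70 and 100, so the (80, 100] tier is reached only when every analysis fires. A deployment that wants finer gradation needs analyses that return a confidence in [0, 1] rather than a boolean.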
The above intelligence-analysis-based malicious domain name detection method according to embodiments of the present invention does not rely on blacklists and whitelists to determine malicious domain names. Although the blacklist/whitelist mechanism is widely used because it is simple and blunt, restricting user access through explicit allow and deny rules is usually accompanied by large numbers of false positives and false negatives, and it adapts very poorly to different user environments and business scenarios. Instead of restricting access on the basis of existing blacklists and whitelists, the method dynamically generates a domain name risk level database through system assessment; it can both warn users of the risk level of the domain names they access and, according to the specific user's situation, apply a linked response policy that blocks access to high-risk domain names.
In addition, the above intelligence-analysis-based malicious domain name detection method according to embodiments of the present invention can discover unknown malicious domain names. After comprehensive evaluation by the domain name risk level assessment system, an unknown domain name receives a risk level score (for example on a 100-point scale) whose magnitude indicates the domain name's risk level, and new malicious domain names can be discovered through risk rating criteria set from expert knowledge.
Furthermore, the method can integrate a multi-dimensional evaluation system to assess the risk level of malicious domain names, which reduces the false positive rate of judging a domain name malicious on a single condition. Using multiple judgement sources with different weights to judge the maliciousness of a domain name reduces, on one hand, the chance results and false positives of a single judgement source, and on the other hand enhances the adaptability of the domain name risk level assessment system: the weights of the malicious domain name judgement sources can be changed dynamically to meet the requirements of different environments, achieving a customised domain name risk level assessment.
According to another aspect of the present invention, an intelligence-analysis-based malicious domain name detection device is also provided. The device includes: a data acquisition module for acquiring communication data in the network; a data parsing module for parsing the communication data to extract the IP address of the source host involved, the domain name queried by the source host and the time of the query; a data query module for querying the domain name risk level database to determine whether the domain name queried by the source host exists in it; a domain name risk level assessment module for assessing the risk level of the domain name when it does not exist in the domain name risk level database; and an assessment result display module for presenting the risk level result extracted from the domain name risk level database when the queried domain name exists there, and otherwise presenting the risk level assessment result produced by the domain name risk level assessment module.
The domain name risk level assessment module may include at least one of the following modules shown in Figure 3, or any combination of them:
a search engine indexing analysis module for judging whether the domain name is indexed by search engines and analysing the search engines' page rating of the domain name, and computing a first risk score of the domain name from the analysis result and an assigned first weight;
an Internet Archive analysis module for analysing the historical activity records and/or historical snapshots of the domain name in the Internet Archive, and computing a second risk score of the domain name from the analysis result and an assigned second weight;
a domain name registration information correlation analysis module for judging the completeness and/or authenticity of the domain name's registration information, and computing a third risk score of the domain name from the judgement result and an assigned third weight;
a high-frequency access list analysis module for judging whether the domain name is, both currently and throughout a preset past period, either consistently inside or consistently outside the list of the top several domain names most frequently accessed by the source host, and computing a fourth risk score of the domain name from the judgement result and an assigned fourth weight;
a fault monitoring analysis module for monitoring, when the domain name's name server fails, the number of hosts that re-send query requests to the name server, and computing a fifth risk score of the domain name from the monitoring result and an assigned fifth weight;
an abnormal heartbeat analysis module for judging whether the source host's query requests for the domain name within a unit time interval show regularity, and computing a sixth risk score of the domain name from the judgement result and an assigned sixth weight;
a subdomain semantic analysis module for judging whether the subdomain of the domain name queried by the source host has actual meaning, and computing a seventh risk score of the domain name from the judgement result and an assigned seventh weight.
The risk level assessment result is computed from at least one of the first, second, third, fourth, fifth, sixth and seventh risk scores.
Preferably, the domain name risk level assessment module is further configured to record each domain name whose risk level has been assessed, together with its risk level assessment result, in the domain name risk level database.
The modules of the embodiments of the present invention may be implemented in hardware, as software modules running on one or more processors, or as a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may in practice be used to implement some or all of the functions of some or all of the components of the malicious domain name detection device according to the embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example a computer program or computer program product) for carrying out part or all of the methods described here. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals, which may be downloaded from an Internet site, provided on a storage carrier, or provided in any other form.
The present invention has been described by way of the above embodiments, but it should be understood that they serve only for illustration and description and are not intended to limit the present invention to the scope of the described embodiments. Those skilled in the art will also understand that the present invention is not limited to the above embodiments and that many further variations and modifications can be made in accordance with its teaching, all of which fall within the claimed scope of the present invention. The protection scope of the present invention is defined by the appended claims and their equivalents.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510502141.8A CN105119915A (en) | 2015-08-14 | 2015-08-14 | Malicious domain detection method and device based on intelligence analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510502141.8A CN105119915A (en) | 2015-08-14 | 2015-08-14 | Malicious domain detection method and device based on intelligence analysis |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105119915A true CN105119915A (en) | 2015-12-02 |
Family
ID=54667803
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510502141.8A Pending CN105119915A (en) | 2015-08-14 | 2015-08-14 | Malicious domain detection method and device based on intelligence analysis |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105119915A (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108134776A (en) * | 2017-11-28 | 2018-06-08 | 厦门白山耘科技有限公司 | A kind of positioning is by the method and system of the domain name of DDOS attack |
| CN109831459A (en) * | 2019-03-22 | 2019-05-31 | 百度在线网络技术(北京)有限公司 | Method, apparatus, storage medium and the terminal device of secure access |
| CN110324295A (en) * | 2018-03-30 | 2019-10-11 | 阿里巴巴集团控股有限公司 | A kind of defence method and device of domain name system extensive aggression |
| US20200045070A1 (en) * | 2017-04-01 | 2020-02-06 | NSFOCUS Information Technology Co., Ltd. | Dns evaluation method and apparatus |
| CN110866259A (en) * | 2019-11-14 | 2020-03-06 | 杭州安恒信息技术股份有限公司 | Method and system for calculating potential safety hazard score based on multi-dimensional data |
| CN110968897A (en) * | 2019-12-28 | 2020-04-07 | 辽宁振兴银行股份有限公司 | Routing forwarding based on nginx and vx-api-gatway |
| CN111131175A (en) * | 2019-12-04 | 2020-05-08 | 互联网域名系统北京市工程研究中心有限公司 | Threat intelligence domain name protection system and method |
| CN111683087A (en) * | 2020-06-07 | 2020-09-18 | 中信银行股份有限公司 | Access control method, device, electronic equipment and computer readable storage medium |
| CN112070406A (en) * | 2020-09-11 | 2020-12-11 | 国网北京市电力公司 | Equipment risk processing method and device for power transmission equipment and electronic device |
| CN114844857A (en) * | 2022-04-02 | 2022-08-02 | 南京邮电大学 | Domain-based website HTTPS deployment measurement automation method |
| CN115022018A (en) * | 2022-05-31 | 2022-09-06 | 哈尔滨工业大学(威海) | Method for dynamically adjusting reported and administered malicious domain name based on network entity |
| CN116760645A (en) * | 2023-08-22 | 2023-09-15 | 北京长亭科技有限公司 | Malicious domain name detection method and device |
| CN119675890A (en) * | 2024-10-15 | 2025-03-21 | 北京亚鸿世纪科技发展有限公司 | A method for identifying malicious domain names based on search engines and generative language models |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101310502A (en) * | 2005-09-30 | 2008-11-19 | 趋势科技股份有限公司 | Security management device, communication system and access control method |
| CN101883180A (en) * | 2010-05-11 | 2010-11-10 | 中兴通讯股份有限公司 | Method and system for shielding information in wireless network accessed by mobile terminal and mobile terminal |
| CN102801697A (en) * | 2011-12-20 | 2012-11-28 | 北京安天电子设备有限公司 | Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator) |
| CN102945340A (en) * | 2012-10-23 | 2013-02-27 | 北京神州绿盟信息安全科技股份有限公司 | Information object detection method and system |
| US20130097699A1 (en) * | 2011-10-18 | 2013-04-18 | Mcafee, Inc. | System and method for detecting a malicious command and control channel |
| CN103259805A (en) * | 2013-06-09 | 2013-08-21 | 中国科学院计算技术研究所 | Domain name access control method and system based on user evaluation |
- 2015-08-14 CN CN201510502141.8A patent/CN105119915A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101310502A (en) * | 2005-09-30 | 2008-11-19 | 趋势科技股份有限公司 | Security management device, communication system and access control method |
| CN101883180A (en) * | 2010-05-11 | 2010-11-10 | 中兴通讯股份有限公司 | Method and system for shielding information in wireless network accessed by mobile terminal and mobile terminal |
| US20130097699A1 (en) * | 2011-10-18 | 2013-04-18 | Mcafee, Inc. | System and method for detecting a malicious command and control channel |
| CN102801697A (en) * | 2011-12-20 | 2012-11-28 | 北京安天电子设备有限公司 | Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator) |
| CN102945340A (en) * | 2012-10-23 | 2013-02-27 | 北京神州绿盟信息安全科技股份有限公司 | Information object detection method and system |
| CN103259805A (en) * | 2013-06-09 | 2013-08-21 | 中国科学院计算技术研究所 | Domain name access control method and system based on user evaluation |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11431742B2 (en) * | 2017-04-01 | 2022-08-30 | NSFOCUS Information Technology Co., Ltd. | DNS evaluation method and apparatus |
| US20200045070A1 (en) * | 2017-04-01 | 2020-02-06 | NSFOCUS Information Technology Co., Ltd. | Dns evaluation method and apparatus |
| CN108134776A (en) * | 2017-11-28 | 2018-06-08 | 厦门白山耘科技有限公司 | A kind of positioning is by the method and system of the domain name of DDOS attack |
| CN110324295A (en) * | 2018-03-30 | 2019-10-11 | 阿里巴巴集团控股有限公司 | A kind of defence method and device of domain name system extensive aggression |
| CN110324295B (en) * | 2018-03-30 | 2022-04-12 | 阿里云计算有限公司 | Defense method and device for domain name system flooding attack |
| CN109831459A (en) * | 2019-03-22 | 2019-05-31 | 百度在线网络技术(北京)有限公司 | Method, apparatus, storage medium and the terminal device of secure access |
| CN110866259A (en) * | 2019-11-14 | 2020-03-06 | 杭州安恒信息技术股份有限公司 | Method and system for calculating potential safety hazard score based on multi-dimensional data |
| CN111131175A (en) * | 2019-12-04 | 2020-05-08 | 互联网域名系统北京市工程研究中心有限公司 | Threat intelligence domain name protection system and method |
| CN110968897A (en) * | 2019-12-28 | 2020-04-07 | 辽宁振兴银行股份有限公司 | Routing forwarding based on nginx and vx-api-gatway |
| CN111683087A (en) * | 2020-06-07 | 2020-09-18 | 中信银行股份有限公司 | Access control method, device, electronic equipment and computer readable storage medium |
| CN112070406A (en) * | 2020-09-11 | 2020-12-11 | 国网北京市电力公司 | Equipment risk processing method and device for power transmission equipment and electronic device |
| CN114844857A (en) * | 2022-04-02 | 2022-08-02 | 南京邮电大学 | Domain-based website HTTPS deployment measurement automation method |
| CN114844857B (en) * | 2022-04-02 | 2023-08-25 | 南京邮电大学 | Automatic website HTTPS deployment measurement method based on domain name |
| CN115022018A (en) * | 2022-05-31 | 2022-09-06 | 哈尔滨工业大学(威海) | Method for dynamically adjusting reported and administered malicious domain name based on network entity |
| CN115022018B (en) * | 2022-05-31 | 2023-09-01 | 哈尔滨工业大学(威海) | Method for controlling malicious domain name based on dynamic adjustment reporting of network entity |
| CN116760645A (en) * | 2023-08-22 | 2023-09-15 | 北京长亭科技有限公司 | Malicious domain name detection method and device |
| CN116760645B (en) * | 2023-08-22 | 2023-11-14 | 北京长亭科技有限公司 | Malicious domain name detection method and device |
| CN119675890A (en) * | 2024-10-15 | 2025-03-21 | 北京亚鸿世纪科技发展有限公司 | A method for identifying malicious domain names based on search engines and generative language models |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105141598B (en) | | APT attack detection method and device based on the detection of malice domain name |
| CN105072119A (en) | | Domain name resolution conversation mode analysis-based method and device for detecting malicious domain name |
| CN105072120A (en) | | Method and device for malicious domain name detection based on domain name service state analysis |
| CN105119915A (en) | | Malicious domain detection method and device based on intelligence analysis |
| JP7340368B2 (en) | | Extracting and responding to network threat indicators |
| US10104095B2 (en) | | Automatic stability determination and deployment of discrete parts of a profile representing normal behavior to provide fast protection of web applications |
| US8244752B2 (en) | | Classifying search query traffic |
| Perdisci et al. | | Early detection of malicious flux networks via large-scale passive DNS traffic analysis |
| Chiew et al. | | Leverage website favicon to detect phishing websites |
| US20180137196A1 (en) | | Trustable web searching verification in a blockchain |
| WO2018176874A1 (en) | | DNS evaluation method and apparatus |
| CN106453412A (en) | | Malicious domain name determination method based on frequency characteristics |
| WO2014036801A1 (en) | | Method for detecting phishing website without depending on sample |
| WO2009155453A1 (en) | | System and method for fast flux detection |
| US20110247073A1 (en) | | System and method for adapting an internet and intranet filtering system |
| CN111600865A (en) | | A kind of abnormal communication detection method, device and electronic equipment and storage medium |
| US20180013774A1 (en) | | Collaborative security lists |
| US20120117034A1 (en) | | Context-aware apparatus and method |
| US10313127B1 (en) | | Method and system for detecting and alerting users of device fingerprinting attempts |
| US9286402B2 (en) | | System for detecting link spam, a method, and an associated computer readable medium |
| CN119646579A (en) | | Data processing method, device, storage medium and computer equipment |
| CN115001724B (en) | | Network threat intelligence management method, device, computing equipment and computer readable storage medium |
| CN112398852A (en) | | Message detection method, device, storage medium and electronic equipment |
| US9231971B2 (en) | | Protecting a user from a compromised web resource |
| CN117033552A (en) | | Information evaluation method, device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB03 | Change of inventor or designer information | Inventor after: An Jing, Hong Dong, Xue Pan, Zhang Chen, Fan Wenqing, Li Meicong, Wang Yongbin, Huang Wei, Du Xuetao, Zhao Bei, Wu Richev, Ma Lipeng, Chang Ling, Zhang Gaoshan. Inventor before: An Jing, Huang Wei, Fan Wenqing, Li Meicong, Wang Yongbin, Sui Aina, Zou Quanchen, Li Jianfang |
| | COR | Change of bibliographic data | |
| | RJ01 | Rejection of invention patent application after publication | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20151202 |