Malicious domain name detection feature processing method and device and electronic equipment

Document No.: 291268. Publication date: 2021-11-23.

Reading note: This technology, "Malicious domain name detection feature processing method and device and electronic equipment", was designed by Song Bingjing (宋冰晶) and Liang Xingqiang (梁兴强) on 2020-05-19. Its main content is as follows. The invention provides a malicious domain name detection feature processing method, a malicious domain name detection feature processing device and electronic equipment, wherein the method comprises the following steps: acquiring a malicious domain name and a normal domain name to be processed; processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name; processing the normal domain name to obtain a second main domain name, a second sub-domain name and a second domain name suffix of the normal domain name; and respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain the malicious domain name detection features. With the malicious domain name detection feature processing method, device and electronic equipment provided by the embodiments of the invention, malicious domain name detection features that comprehensively and objectively reflect the details of malicious and normal domain names can be obtained.

1. A malicious domain name detection feature processing method is characterized by comprising the following steps:

acquiring a malicious domain name and a normal domain name to be processed;

processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name;

processing the normal domain name to obtain a second main domain name, a second sub domain name and a second domain name suffix of the normal domain name;

and respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain the malicious domain name detection characteristics.

2. The method of claim 1, wherein the malicious domain name detection feature comprises: a main domain name feature, a sub-domain name feature, and a domain name suffix feature; the domain name suffix characteristic is used for reflecting the malicious degree of the domain name suffix;

respectively processing a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name and a second main domain name, a second sub-domain name and a second domain name suffix of the normal domain name to obtain malicious domain name detection characteristics, comprising:

respectively processing a first main domain name of the malicious domain name and a second main domain name of the normal domain name to obtain the characteristics of the main domain names;

respectively processing a first sub-domain name of the malicious domain name and a second sub-domain name of the normal domain name to obtain sub-domain name characteristics;

acquiring a domain name suffix list, wherein the domain name suffix list records the usage ranking of a preset number of the most-used domain name suffixes;

when the ranking of the first domain name suffix and/or the ranking of the second domain name suffix can be inquired from the domain name suffix list, determining a first suffix reputation corresponding to the ranking of the first domain name suffix and/or a second suffix reputation corresponding to the ranking of the second domain name suffix;

and taking the determined first suffix reputation and/or second suffix reputation as a domain name suffix feature, thereby obtaining the malicious domain name detection feature.

3. The method of claim 2, wherein the main domain name feature comprises: the length ratio of a first main domain name in the malicious domain name to the malicious domain name, and the number of Chinese and English characters, the number of numeric characters and the number of symbols of the first main domain name;

processing a first main domain name of the malicious domain name, including:

determining a first character length of a malicious domain name and a second character length of a first main domain name in the malicious domain name;

calculating the length ratio of the first main domain name to the malicious domain name by using the first character length and the second character length;

and respectively determining the number of Chinese and English characters, the number of numeric characters and the number of symbols of the first main domain name of the malicious domain name.

4. The method of claim 2, wherein the sub-domain name feature comprises: the domain name length of each level of sub-domain name in a first sub-domain name in the malicious domain name, the length ratio of the first sub-domain name to the malicious domain name, and the number of English characters, the number of numeric characters and the number of symbols in the first sub-domain name;

processing a first sub-domain name of the malicious domain name, including:

determining the domain name length of each level of sub domain name in the first sub domain name, and removing separators for separating each level of sub domain name in the first sub domain name to obtain character strings forming the first sub domain name;

determining a third character length of a character string forming the first sub-domain name and a first character length of the malicious domain name;

calculating the length ratio of the first sub-domain name to the malicious domain name by using the first character length and the third character length;

and respectively determining the number of Chinese and English characters, the number of numeric characters and the number of symbols of the first sub-domain of the malicious domain name.

5. The method of claim 3, wherein processing the first main domain name of the malicious domain name further comprises:

acquiring a word correlation list, and acquiring all words contained in the first main domain name from the word correlation list;

counting the number of words of all words contained in the first main domain name acquired from the word correlation list, and respectively calculating the length ratio of each word in all words to the first main domain name;

and acquiring a brand list, acquiring all brands contained in the first main domain name from the brand list, and counting to obtain the number of the brands of all brands.

6. The method of claim 2, wherein the main domain name feature further comprises: a natural language feature of a second main domain name of the normal domain name;

processing a second main domain name of the normal domain name, including:

processing a second main domain name of the normal domain name by using an N-gram model to obtain a unary vector, a binary vector and a ternary vector of the second main domain name;

querying the natural language features corresponding to the second main domain name from a correspondence table of main domain names and natural language features;

and when the queried natural language features match the unary vector, the binary vector and the ternary vector, taking the unary vector, the binary vector and the ternary vector obtained by processing the second main domain name of the normal domain name with the N-gram model as the natural language features of the second main domain name of the normal domain name.

7. The method of claim 6, wherein the main domain name feature further comprises: a transition probability feature of a second main domain name of the normal domain name;

processing the second main domain name of the normal domain name, further comprising:

calculating a Markov chain of a second main domain name of the normal domain name;

inquiring the transition probability characteristic corresponding to the second main domain name from the corresponding relation table of the main domain name and the transition probability characteristic;

and when the transition probability feature obtained by the query for the second main domain name is the same as the calculated Markov chain of the second main domain name of the normal domain name, taking the calculated Markov chain as the transition probability feature of the second main domain name of the normal domain name.

8. A malicious domain name detection feature processing apparatus, comprising:

the acquisition module is used for acquiring a malicious domain name and a normal domain name to be processed;

the first processing module is used for processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name;

the second processing module is used for processing the normal domain name to obtain a second main domain name, a second sub domain name and a second domain name suffix of the normal domain name;

and the third processing module is used for respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain the malicious domain name detection characteristics.

9. The apparatus of claim 8, wherein the malicious domain name detection feature comprises: a main domain name feature, a sub-domain name feature, and a domain name suffix feature; the domain name suffix characteristic is used for reflecting the malicious degree of the domain name suffix;

the third processing module is specifically configured to:

respectively processing a first main domain name of the malicious domain name and a second main domain name of the normal domain name to obtain the characteristics of the main domain names;

respectively processing a first sub-domain name of the malicious domain name and a second sub-domain name of the normal domain name to obtain sub-domain name characteristics;

acquiring a domain name suffix list, wherein the domain name suffix list records the usage ranking of a preset number of the most-used domain name suffixes;

when the ranking of the first domain name suffix and/or the ranking of the second domain name suffix can be inquired from the domain name suffix list, determining a first suffix reputation corresponding to the ranking of the first domain name suffix and/or a second suffix reputation corresponding to the ranking of the second domain name suffix;

and taking the determined first suffix reputation and/or second suffix reputation as a domain name suffix feature, thereby obtaining the malicious domain name detection feature.

10. The apparatus of claim 9, wherein the main domain name feature comprises: the length ratio of a first main domain name in the malicious domain name to the malicious domain name, and the number of Chinese and English characters, the number of numeric characters and the number of symbols of the first main domain name;

the third processing module is configured to process the first main domain name of the malicious domain name, and includes:

determining a first character length of a malicious domain name and a second character length of a first main domain name in the malicious domain name;

calculating the length ratio of the first main domain name to the malicious domain name by using the first character length and the second character length;

and respectively determining the number of Chinese and English characters, the number of numeric characters and the number of symbols of the first main domain name of the malicious domain name.

11. The apparatus of claim 9, wherein the sub-domain name feature comprises: the domain name length of each level of sub-domain name in a first sub-domain name in the malicious domain name, the length ratio of the first sub-domain name to the malicious domain name, and the number of English characters, the number of numeric characters and the number of symbols in the first sub-domain name;

the third processing module is configured to process a first sub-domain name of the malicious domain name, and includes:

determining the domain name length of each level of sub domain name in the first sub domain name, and removing separators for separating each level of sub domain name in the first sub domain name to obtain character strings forming the first sub domain name;

determining a third character length of a character string forming the first sub-domain name and a first character length of the malicious domain name;

calculating the length ratio of the first sub-domain name to the malicious domain name by using the first character length and the third character length;

and respectively determining the number of Chinese and English characters, the number of numeric characters and the number of symbols of the first sub-domain of the malicious domain name.

12. The apparatus of claim 11, wherein the third processing module is configured to process the first main domain name of the malicious domain name, and further comprising:

acquiring a word correlation list, and acquiring all words contained in the first main domain name from the word correlation list;

counting the number of words of all words contained in the first main domain name acquired from the word correlation list, and respectively calculating the length ratio of each word in all words to the first main domain name;

and acquiring a brand list, acquiring all brands contained in the first main domain name from the brand list, and counting to obtain the number of the brands of all brands.

13. The apparatus of claim 9, wherein the main domain name feature further comprises: a natural language feature of a second main domain name of the normal domain name;

the third processing module is configured to process the second main domain name of the normal domain name, and includes:

processing a second main domain name of the normal domain name by using an N-gram model to obtain a unary vector, a binary vector and a ternary vector of the second main domain name;

querying the natural language features corresponding to the second main domain name from a correspondence table of main domain names and natural language features;

and when the queried natural language features match the unary vector, the binary vector and the ternary vector, taking the unary vector, the binary vector and the ternary vector obtained by processing the second main domain name of the normal domain name with the N-gram model as the natural language features of the second main domain name of the normal domain name.

14. The apparatus of claim 13, wherein the main domain name feature further comprises: a transition probability feature of a second main domain name of the normal domain name;

the third processing module is configured to process the second main domain name of the normal domain name, and further includes:

calculating a Markov chain of a second main domain name of the normal domain name;

inquiring the transition probability characteristic corresponding to the second main domain name from the corresponding relation table of the main domain name and the transition probability characteristic;

and when the transition probability feature obtained by the query for the second main domain name is the same as the calculated Markov chain of the second main domain name of the normal domain name, taking the calculated Markov chain as the transition probability feature of the second main domain name of the normal domain name.

15. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of the claims 1 to 7.

16. An electronic device comprising a memory, a processor, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the processor to perform the steps of the method of any of claims 1-7.

Technical Field

The invention relates to the technical field of computers, in particular to a malicious domain name detection feature processing method and device and electronic equipment.

Background

At present, the number and complexity of malicious programs continue to increase, and attackers often use malicious domain names to control target networks during attacks. In order to prevent an attacker from using a malicious domain name to control a target network as much as possible, the malicious domain name needs to be detected.

In order to detect the malicious domain name, a complete malicious domain name serving as a feature can be used for training the deep learning neural network to obtain a malicious domain name detection model; and then, detecting the malicious domain name by using the obtained malicious domain name detection model.

In the process of detecting the malicious domain name by using the malicious domain name detection model, the problems of missing detection and wrong identification of the malicious domain name are easy to occur, and the detection precision of the malicious domain name is low.

Disclosure of Invention

In order to solve the above problem, an embodiment of the present invention provides a malicious domain name detection feature processing method and apparatus, and an electronic device.

In a first aspect, an embodiment of the present invention provides a malicious domain name detection feature processing method, including:

acquiring a malicious domain name and a normal domain name to be processed;

processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name;

processing the normal domain name to obtain a second main domain name, a second sub domain name and a second domain name suffix of the normal domain name;

and respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain the malicious domain name detection characteristics.

In a second aspect, an embodiment of the present invention further provides a malicious domain name detection feature processing apparatus, including:

the acquisition module is used for acquiring a malicious domain name and a normal domain name to be processed;

the first processing module is used for processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name;

the second processing module is used for processing the normal domain name to obtain a second main domain name, a second sub domain name and a second domain name suffix of the normal domain name;

and the third processing module is used for respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain the malicious domain name detection characteristics.

In a third aspect, the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program performs the steps of the method in the first aspect.

In a fourth aspect, embodiments of the present invention also provide an electronic device, which includes a memory, a processor, and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the processor to perform the steps of the method according to the first aspect.

In the solutions provided in the first to fourth aspects of the embodiments of the present invention, the malicious domain name and the normal domain name are processed to obtain the first main domain name, first sub-domain name and first domain name suffix of the malicious domain name and the second main domain name, second sub-domain name and second domain name suffix of the normal domain name, and these parts are then processed respectively to obtain the malicious domain name detection features. Compared with the related-art approach of training a deep learning neural network with the complete malicious domain name as the feature, dividing each domain name into its main domain name, sub-domain name and domain name suffix and processing the parts separately yields malicious domain name detection features that comprehensively and objectively reflect the details of the malicious domain name and the normal domain name. Inputting the obtained features into a malicious domain name detection model obtained by training a deep learning neural network allows malicious domain names to be identified and detected more accurately, which reduces missed detections and misidentifications of malicious domain names.

In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

Fig. 1 shows a flowchart of a malicious domain name detection feature processing method according to embodiment 1 of the present invention;

Fig. 2 shows a schematic structural diagram of a malicious domain name detection feature processing apparatus according to embodiment 2 of the present invention;

Fig. 3 shows a schematic structural diagram of an electronic device provided in embodiment 3 of the present invention.

Detailed Description

Identification and classification of malicious encrypted traffic is a current research hotspot. In recent years the number and complexity of malicious programs have continued to increase, and attackers often use malicious domain names to control a target network during an attack. For example, where domain names are used to access the Internet through the DNS protocol, an attacker may use a squatted domain name, that is, register in advance a domain name matching an existing company or personal name, or register a domain name very similar to such a name, to serve illegal purposes. An attacker can also build a DGA into software to generate changing domain names as a backup or primary means of communicating with the C2 server, achieving persistent control over infected hosts; this makes the malicious program better hidden and prolongs its survival time. TLS-encrypted traffic carries domain name information such as DNS, SNI and the common name in the certificate, and attackers can use these domain names for illegal purposes, so detecting malicious domain names provides a basis for detecting encrypted malicious traffic. Existing malicious domain name identification can rely on threat intelligence, but this has shortcomings: false positives and false negatives occur, and updates are not timely.

To solve these problems, combining machine learning and deep learning is a good approach to malicious domain name detection: a large amount of malicious domain name data is collected and analyzed and then learned from using machine learning or deep learning, which achieves a good detection effect.

Features play a decisive role in the effect of machine learning. Extracting features is not easy in the field of malicious domain names, and the extracted features need to be highly discriminative and accurate.

The number and complexity of malicious programs continues to grow, and attackers often use malicious domain names to exercise control over the target network during an attack. In order to prevent an attacker from using a malicious domain name to control a target network as much as possible, the malicious domain name needs to be detected.

In order to detect the malicious domain name, a complete malicious domain name serving as a feature can be used for training the deep learning neural network to obtain a malicious domain name detection model; and then, detecting the malicious domain name by using the obtained malicious domain name detection model.

In the process of detecting the malicious domain name by using the malicious domain name detection model, the problems of missing detection and wrong identification of the malicious domain name are easy to occur, and the detection precision of the malicious domain name is low.

Based on this, the present embodiment provides a malicious domain name detection feature processing method, apparatus and electronic device. The malicious domain name is divided into a first main domain name, a first sub-domain name and a first domain name suffix, and the normal domain name into a second main domain name, a second sub-domain name and a second domain name suffix; these parts are then processed respectively to obtain malicious domain name detection features that comprehensively and objectively reflect the details of the malicious domain name and the normal domain name. Inputting the obtained features into a deep learning neural network for training yields a malicious domain name detection model that identifies and detects malicious domain names more accurately, which reduces missed detections and misidentifications of malicious domain names.

In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.

Example 1

In this embodiment, the malicious domain name detection feature processing method is executed by a server.

The server may adopt any computing device capable of processing the malicious domain name detection feature in the prior art, and details are not repeated here.

Referring to a flowchart of a malicious domain name detection feature processing method shown in fig. 1, the present embodiment provides a malicious domain name detection feature processing method, including:

Step 100, acquiring a malicious domain name and a normal domain name to be processed.

In step 100, a malicious domain name is a domain name that a network attacker uses as network infrastructure to carry out malicious network activity.

The malicious domain name includes but is not limited to: C2 domain names, DGA domain names, and counterfeit domain names.

A C2 domain name is a domain name bound to a server that a network attacker uses as a Command and Control (C&C) server to launch malicious network behavior.

The C2 domain name may be, but is not limited to: com, news, and globalenergization.

A DGA domain name is a C&C domain name generated by a Domain Generation Algorithm (DGA); DGA domain names can evade domain name blacklist detection.

The DGA domain name may be, but is not limited to: 5cyd1e1lp8ec493xkgb43e8vs.biz, 1mnr4as13ze8f71berg 21ybue287.co, and p9c5c85747c054fa40ed361f0e2a8868dc.cn.

A counterfeit domain name is a domain name obtained by imitating a normal domain name. This is a common phishing technique: it induces a deceived user to access the domain name so that the attacker's malicious actions can be carried out.

A counterfeit domain name resembles a normal domain name closely enough to confuse users, and may be, but is not limited to: www.siha.com (obtained by imitating www.sina.com) and www.google docs.com (obtained by imitating www.google.com).

The normal domain name is used for representing a domain name which can be normally accessed by a user in the Internet, and the user cannot be attacked by a malicious program when accessing the normal domain name.

The normal domain name may be, but is not limited to: com and www.google.com.

The server can acquire the malicious domain name from a malicious domain name database arranged in the server and acquire the normal domain name from a normal domain name database arranged in the server.

After the malicious domain name is obtained, the server can display the obtained malicious domain name to workers, the workers can classify the malicious domain name, allocate a C2 domain name label to a C2 domain name in the malicious domain name, allocate a DGA domain name label to a DGA domain name in the malicious domain name, and allocate a counterfeit domain name label to a counterfeit domain name in the malicious domain name.

Step 102, processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name.

In the step 102, any domain name analysis algorithm in the prior art may be adopted to process the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name, which are not described herein again.

Moreover, after the domain name analysis algorithm processes the malicious domain name, the domain name analysis algorithm can also respectively identify the first main domain name, the first sub-domain name and the English characters, the numerical characters and the symbols in the suffix of the first domain name in the malicious domain name.

Step 104, processing the normal domain name to obtain a second main domain name, a second sub-domain name and a second domain name suffix of the normal domain name.

In the step 104, any domain name analysis algorithm in the prior art may be adopted to process the normal domain name to obtain the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name, which is not described herein again.

After the normal domain name is processed, the domain name analysis algorithm can respectively identify English characters, numeric characters and symbols in a second main domain name, a second sub domain name and a second domain name suffix in the normal domain name.

In one embodiment, the domain name is a.b.c.d.google.com.cn, wherein the sub-domain name is "a.b.c.d", the main domain name is "google", and the domain name suffix is "com.cn".

Step 106, respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain malicious domain name detection features.

The malicious domain name detection feature includes: a main domain name feature, a sub-domain name feature, and a domain name suffix feature; the domain name suffix characteristic is used for reflecting the malicious degree of the domain name suffix.

The main domain name feature is used for representing feature data extracted by analyzing a main domain name character string.

And the sub-domain name features are used for representing feature data extracted after the sub-domain name character strings are analyzed.

The main domain name features include, but are not limited to: the length ratio of the first main domain name in the malicious domain name to the malicious domain name; the number of English characters, the number of numeric characters and the number of symbols of the first main domain name; word correlation features of the first main domain name in the malicious domain name and the second main domain name in the normal domain name; the natural language feature of the second main domain name of the normal domain name and the transition probability feature of the second main domain name of the normal domain name; the length ratio of the second main domain name in the normal domain name to the normal domain name; and the number of English characters, the number of numeric characters and the number of symbols of the second main domain name.

The word correlation features include: the number of all words contained in the main domain name that are found in the word correlation list, the length ratio of each of those words to the main domain name, all brands contained in the main domain name that are found in the brand list, and the number of those brands.

The word correlation list includes, but is not limited to: a word segmentation list and a word list.

The word segmentation list is cached in the server and holds part of an English corpus taken from Wikipedia; its entries may be English words, single English characters, or strings spliced from several English characters.

In one embodiment, the word segmentation list may include, but is not limited to: new, i, ben, th, and no.

The word list is cached in the server and used for representing a common English word list consisting of English characters.

In one embodiment, the word list may include, but is not limited to: abandon, affinity, and able.

The brand list is cached in the server and used for representing a list of known brands at home and abroad.

In one embodiment, the brand list may include, but is not limited to: amazon, apple, and baidu.

In order to obtain the malicious domain name detection feature, the step 106 may perform the following steps (1) to (7):

(1) respectively processing a first main domain name of the malicious domain name and a second main domain name of the normal domain name to obtain the characteristics of the main domain names;

(2) respectively processing a first sub-domain name of the malicious domain name and a second sub-domain name of the normal domain name to obtain sub-domain name characteristics;

(3) acquiring a domain name suffix list;

(4) when the ranking of the first domain name suffix cannot be found in the domain name suffix list, setting the first suffix reputation corresponding to the first domain name suffix to 0;

(5) when the ranking of the second domain name suffix cannot be found in the domain name suffix list, setting the second suffix reputation corresponding to the second domain name suffix to 0;

(6) when the ranking of the first domain name suffix and/or the ranking of the second domain name suffix can be inquired from the domain name suffix list, determining a first suffix reputation corresponding to the ranking of the first domain name suffix and/or a second suffix reputation corresponding to the ranking of the second domain name suffix;

(7) taking the determined first suffix reputation and/or second suffix reputation as the domain name suffix feature, thereby obtaining the malicious domain name detection feature.

In the step (1), when the first main domain name of the malicious domain name is processed, the following steps (11) to (13) may be performed:

(11) determining a first character length of a malicious domain name and a second character length of a first main domain name in the malicious domain name;

(12) calculating the length ratio of the first main domain name to the malicious domain name by using the first character length and the second character length;

(13) determining, respectively, the number of English characters, the number of numeric characters and the number of symbols of the first main domain name of the malicious domain name.

In the step (11) above, the character length of the domain name is related to the number of characters of the domain name, and when the domain name includes 12 characters, the character length of the domain name is 12.

After obtaining the English characters, numeric characters and symbols of the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name, the server determines the first character length of the malicious domain name from the characters identified in all three parts, and determines the second character length of the first main domain name from the English characters, numeric characters and symbols identified in the first main domain name.

In the step (12), the length ratio of the first main domain name to the malicious domain name is equal to the second character length/the first character length.

In the step (13), the server may determine the number of English characters, the number of numeric characters and the number of symbols in the first main domain name of the malicious domain name from the English characters, numeric characters and symbols identified in the first main domain name; the specific processing procedure is the prior art and is not described herein again.

The steps (11) to (13) above describe how the length ratio of the first main domain name to the malicious domain name, and the numbers of English characters, numeric characters and symbols in the first main domain name, are obtained for the main domain name feature.

In addition, how to obtain the word correlation features of the main domain name is described by the following steps (21) to (23):

(21) acquiring a word correlation list, and acquiring all words contained in the first main domain name from the word correlation list;

(22) counting the number of words of all words contained in the first main domain name acquired from the word correlation list, and respectively calculating the length ratio of each word in all words to the first main domain name;

(23) acquiring a brand list, acquiring all brands contained in the first main domain name from the brand list, and counting the number of those brands.

In the step (21), all words contained in the first main domain name refers to the English words and English letters that can be found among the English characters that make up the first main domain name.

When the word correlation list is a word list, all words contained in the first main domain name are the English words that can be found in the first main domain name.

When the word correlation list is a word segmentation list, all words contained in the first main domain name are the English words and English letters that can be found in the first main domain name.

In one embodiment, when the first main domain name is google and the word correlation list is a word list, the English words that can be found in the first main domain name include at least: go, goo, goog, google, and lee.

When the word correlation list is a word segmentation list, all words contained in the first main domain name google comprise the English words that can be found in it, which include at least go, goo, goog, google, and lee, together with the English letters g, o, l and e.

All words contained in the first main domain name can be acquired from the word correlation list by using an existing natural language identification algorithm, and the specific process is the prior art and is not repeated here.

In the step (22), the process of calculating the length ratio between each of all the terms and the first main domain name is similar to the process of calculating the length ratio between the first main domain name and the malicious domain name by using the first character length and the second character length in the steps (11) to (13), and details are not repeated here.

In the step (23), the process of acquiring all brands contained in the first main domain name from the brand list is similar to the process of acquiring all words contained in the first main domain name from the word correlation list in the step (21), and details are not repeated here.

In one embodiment, the first main domain name google comprises brands including at least: google and lee.

The first main domain name of the malicious domain name can be processed as described in the steps (11) to (13) and the steps (21) to (23) above.

The process of steps (11) to (13), which obtains the length ratio of the first main domain name to the malicious domain name and the numbers of English characters, numeric characters and symbols in the first main domain name, can likewise be applied to the second main domain name of the normal domain name to obtain the length ratio of the second main domain name to the normal domain name and the numbers of English characters, numeric characters and symbols in the second main domain name; the processing is similar to steps (11) to (13) and is not repeated here.

The process of steps (21) to (23), which obtains the word correlation features of the first main domain name of the malicious domain name, can likewise be applied to the second main domain name of the normal domain name to obtain its word correlation features; the processing is similar to steps (21) to (23) and is not repeated here.

After the length ratio of the second main domain name to the normal domain name, the numbers of English characters, numeric characters and symbols in the second main domain name, and the word correlation features of the second main domain name have been obtained, the natural language features of the second main domain name of the normal domain name are obtained through the following steps (31) to (33):

Processing the second main domain name of the normal domain name comprises the following steps (31) to (33):

(31) processing the second main domain name of the normal domain name by using an N-gram model to obtain a unary vector (1-gram vector), a binary vector (2-gram vector) and a ternary vector (3-gram vector) of the second main domain name;

(32) querying the natural language features corresponding to the second main domain name from a correspondence table of main domain names and natural language features;

(33) when the queried natural language features match the unary vector, the binary vector and the ternary vector, taking the unary vector, the binary vector and the ternary vector obtained by processing the second main domain name of the normal domain name with the N-gram model as the natural language features of the second main domain name of the normal domain name.

In the step (31), the process of processing the second main domain name of the normal domain name by using the N-gram model to obtain the unary vector, the binary vector, and the ternary vector of the second main domain name is the prior art, and is not described herein again.

In the step (32), the table of correspondence between the main domain name and the natural language feature is cached in the server.

The correspondence table of main domain names and natural language features stores the natural language features of all normal domain names, in the form of a correspondence between each normal domain name and its natural language features.

Here, the natural language features include: unary, binary, and ternary vectors for normal domain names.

In the step (33), the queried natural language features are determined to match the unary vector, the binary vector and the ternary vector when all of the following hold: the unary vector in the natural language features of the second main domain name queried from the correspondence table of main domain names and natural language features is the same as the unary vector obtained by processing the second main domain name of the normal domain name with the N-gram model; the binary vector in the queried natural language features is the same as the binary vector obtained by that processing; and the ternary vector in the queried natural language features is the same as the ternary vector obtained by that processing.

After the natural language features of the second main domain name of the normal domain name are obtained through the steps (31) to (33), the transition probability feature of the second main domain name of the normal domain name is obtained through the following steps (41) to (43):

Processing the second main domain name of the normal domain name further comprises:

(41) calculating a Markov chain of a second main domain name of the normal domain name;

(42) inquiring the transition probability characteristic corresponding to the second main domain name from the corresponding relation table of the main domain name and the transition probability characteristic;

(43) when the queried transition probability feature corresponding to the second main domain name is the same as the calculated Markov chain of the second main domain name of the normal domain name, taking the calculated Markov chain as the transition probability feature of the second main domain name of the normal domain name.

In the step (41), the process of calculating the markov chain of the second main domain name of the normal domain name is the prior art, and is not described herein again.

In the step (42), the correspondence table between the main domain name and the transition probability feature is stored in the server.

Here, the correspondence table between the main domain name and the transition probability feature is used to store the correspondence between each main domain name in all normal domain names and the transition probability feature calculated by each main domain name.

In this embodiment, the transition probability feature is used to indicate a probability that each character in the main domain name is respectively transferred to a character next to the character.

The above describes how the main domain name feature is obtained.
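The following Python sketch illustrates steps (31) to (33) and (41) to (43). It is an added example, not code from the patent: the sparse dictionary form of the n-gram vectors, the function names, the two sample table entries and the choice to return `None` when the cached entry does not match are all assumptions, since the description treats these computations as prior art.

```python
from collections import Counter, defaultdict


def ngram_vector(text, n):
    """Sparse n-gram vector: count of every length-n character window in text."""
    return dict(Counter(text[i:i + n] for i in range(len(text) - n + 1)))


def natural_language_vectors(main_domain):
    """Step (31): the unary, binary and ternary vectors of a main domain name."""
    return tuple(ngram_vector(main_domain, n) for n in (1, 2, 3))


def transition_probabilities(main_domain):
    """Step (41): first-order Markov chain, P(next character | current character)."""
    counts = defaultdict(Counter)
    for cur, nxt in zip(main_domain, main_domain[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: c / sum(following.values()) for nxt, c in following.items()}
            for cur, following in counts.items()}


def build_tables(normal_main_domains):
    """Correspondence tables that the server would cache for normal main domain names."""
    nl_table = {d: natural_language_vectors(d) for d in normal_main_domains}
    tp_table = {d: transition_probabilities(d) for d in normal_main_domains}
    return nl_table, tp_table


def checked_features(main_domain, nl_table, tp_table):
    """Steps (32)-(33) and (42)-(43): keep a computed feature only when it equals
    the cached table entry. Returning None on a miss or mismatch is an assumption;
    the description does not say what happens in that case."""
    vectors = natural_language_vectors(main_domain)
    chain = transition_probabilities(main_domain)
    return {
        "natural_language": vectors if nl_table.get(main_domain) == vectors else None,
        "transition_probability": chain if tp_table.get(main_domain) == chain else None,
    }


if __name__ == "__main__":
    # Constructed sample: two normal main domain names taken from the page's examples.
    nl, tp = build_tables(["google", "sina"])
    print(checked_features("google", nl, tp))
```

For google the chain gives g a probability of 0.5 of moving to o and 0.5 of moving to l, which is the per-character transition probability the embodiment describes.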

Similar to the main domain name feature, the sub-domain name feature includes: the domain name length of each level of sub-domain name in the first sub-domain name of the malicious domain name; the length ratio of the first sub-domain name in the malicious domain name to the malicious domain name; the number of English characters, the number of numeric characters and the number of symbols of the first sub-domain name; word correlation features of the first sub-domain name in the malicious domain name and the second sub-domain name in the normal domain name; the domain name length of each level of sub-domain name in the second sub-domain name of the normal domain name; the natural language feature of the second sub-domain name of the normal domain name and the transition probability feature of the second sub-domain name of the normal domain name; the length ratio of the second sub-domain name in the normal domain name to the normal domain name; and the number of English characters, the number of numeric characters and the number of symbols in the second sub-domain name.

In the step (2), in order to process the first sub-domain name of the malicious domain name, the following steps (21) to (24) may be performed:

(21) determining the domain name length of each level of sub domain name in the first sub domain name, and removing separators for separating each level of sub domain name in the first sub domain name to obtain character strings forming the first sub domain name;

(22) determining a third character length of a character string forming the first sub-domain name and a first character length of the malicious domain name;

(23) calculating the length ratio of the first sub-domain name to the malicious domain name by using the first character length and the third character length;

(24) determining, respectively, the number of English characters, the number of numeric characters and the number of symbols of the first sub-domain name of the malicious domain name.

In the step (21), the levels of the first sub-domain name are separated by separators. For the sub-domain name "a.b.c.d" of the domain name a.b.c.d.google.com.cn, a, b, c and d are the sub-domain names at each level, and the "." between them is the separator.

In order to determine the domain length of each level of sub-domain in the first sub-domain, the number of characters included in each level of sub-domain in the first sub-domain needs to be determined, and in order to determine the number of characters included in each level of sub-domain in the first sub-domain, a natural language processing technology may be adopted to process the first sub-domain and determine the number of characters included in each level of sub-domain in the first sub-domain, and a specific processing process is the prior art and is not described herein again.

The domain name length of each level of sub domain name in the first sub domain name is the same as the number of characters contained in each level of sub domain name.

Therefore, when the sub-domain name is "a.b.c.d", the domain name length of each level of the first sub-domain name is 1. It can be determined that each level of sub-domain names with the length of 4 is included in the sub-domain names of the domain name a.b.c.d.google.com.cn.

The specific implementation of the steps (22) to (24) is similar to the process of steps (11) to (13) in the step (1), which obtains the length ratio of the first main domain name to the malicious domain name and the numbers of English characters, numeric characters and symbols in the first main domain name, and is not repeated here.

The remaining sub-domain name features, namely the word correlation features of the first sub-domain name in the malicious domain name and the second sub-domain name in the normal domain name; the domain name length of each level of sub-domain name in the second sub-domain name of the normal domain name; the natural language feature and the transition probability feature of the second sub-domain name of the normal domain name; the length ratio of the second sub-domain name in the normal domain name to the normal domain name; and the numbers of English characters, numeric characters and symbols in the second sub-domain name, are obtained in a manner similar to the corresponding main domain name features described above, which is not repeated here.

In the step (3), the domain name suffix list is cached in the server.

The domain name suffix list records the usage ranking of a preset number of the most-used domain name suffixes.

The usage ranking of a domain name suffix follows its current usage on the Internet, i.e. the more a domain name suffix is currently used on the Internet, the higher its usage ranking.

In one embodiment, the preset number may be 100 or 200, and the domain name suffix list is used to record usage ranking of 100 or 200 domain name suffixes with larger usage.

In the step (4), the server further records a corresponding relationship between the domain name suffix rank and the suffix reputation.

In one embodiment, the correspondence between the domain name suffix ranking and the suffix reputation can be expressed as follows:

domain name suffix ranks 1-20: the suffix reputation is 100;

domain name suffix ranks 21-40: the suffix reputation is 95;

……

the domain name suffix ranking 181-.

The suffix reputation is used for objectively reflecting the malicious degree of the domain name suffix, namely the higher the suffix reputation is, the lower the malicious degree of the domain name suffix is. If the domain name suffix is not in the domain name suffix list, the suffix reputation corresponding to the domain name suffix is set to 0.

When the ranking of the first domain name suffix and/or the ranking of the second domain name suffix can be inquired from the domain name suffix list, determining a first suffix reputation corresponding to the ranking of the first domain name suffix and/or a second suffix reputation corresponding to the ranking of the second domain name suffix from the corresponding relation between the domain name suffix ranking and the suffix reputation.
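Steps (1) to (7), apart from the natural language and transition probability features, can be sketched in Python as follows. This is an added example, not the patent's implementation: the suffix ranks, word list and brand list are constructed sample data, substring matching stands in for the unspecified "natural language identification algorithm", counting separators in the domain length is an assumption, and the reputation step of 5 per 20 ranks beyond rank 40 is extrapolated from the two rows given above.

```python
# Constructed sample data: the description keeps these lists in a server-side
# cache and does not publish them, so every entry and rank here is an assumption.
SUFFIX_RANK = {"com": 1, "net": 2, "org": 3, "cn": 12, "com.cn": 27, "top": 35}
WORD_LIST = {"go", "goo", "goog", "google", "doc", "docs", "mail"}
BRAND_LIST = {"google", "sina", "amazon", "apple", "baidu"}


def split_domain(domain):
    """Return (sub_domain, main_domain, suffix), preferring the longest listed suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    take = 1  # unlisted suffix: fall back to treating the last label as the suffix
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in SUFFIX_RANK:
            take = n
            break
    return ".".join(labels[:-take - 1]), labels[-take - 1], ".".join(labels[-take:])


def char_counts(text):
    """Steps (13) and (24): numbers of English letters, digits and other symbols."""
    letters = sum(c.isascii() and c.isalpha() for c in text)
    digits = sum(c.isascii() and c.isdigit() for c in text)
    return {"letters": letters, "digits": digits, "symbols": len(text) - letters - digits}


def contained_terms(text, vocabulary):
    """Steps (21) and (23) for words and brands: vocabulary entries found as substrings."""
    found = {text[i:j] for i in range(len(text)) for j in range(i + 1, len(text) + 1)}
    return sorted(found & vocabulary)


def suffix_reputation(suffix):
    """Steps (4) to (6): 0 for an unlisted suffix, otherwise a score from its rank."""
    rank = SUFFIX_RANK.get(suffix)
    if rank is None:
        return 0
    # Ranks 1-20 -> 100 and 21-40 -> 95 come from the description; continuing in
    # steps of 5 per 20 ranks is an assumption because the other rows are elided.
    return max(0, 100 - 5 * ((rank - 1) // 20))


def extract_features(domain):
    """Main domain, sub-domain and suffix features for one domain name."""
    domain = domain.lower().rstrip(".")
    if not domain:
        raise ValueError("empty domain name")
    sub, main, suffix = split_domain(domain)
    total_len = len(domain)  # assumption: separators count towards the domain length
    sub_levels = sub.split(".") if sub else []
    sub_string = "".join(sub_levels)  # sub-domain step (21): separators removed
    words = contained_terms(main, WORD_LIST)
    brands = contained_terms(main, BRAND_LIST)
    return {
        "main": main, "sub": sub, "suffix": suffix,
        "main_len_ratio": len(main) / total_len,
        "main_chars": char_counts(main),
        "main_words": words,
        "main_word_count": len(words),
        "main_word_len_ratios": {w: len(w) / len(main) for w in words},
        "main_brands": brands,
        "main_brand_count": len(brands),
        "sub_level_lengths": [len(level) for level in sub_levels],
        "sub_len_ratio": len(sub_string) / total_len,
        "sub_chars": char_counts(sub_string),
        "suffix_reputation": suffix_reputation(suffix),
    }


if __name__ == "__main__":
    # The first two names are the page's own examples; the third is constructed.
    for name in ("a.b.c.d.google.com.cn", "www.siha.com", "x1-y2.example-01.zzz"):
        print(name, extract_features(name))
```

Running it on www.siha.com returns no brand match, because exact substring lookup against the brand list does not recognise a look-alike spelling of sina.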

To sum up, the malicious domain name detection feature processing method provided in the embodiment of the present application processes the malicious domain name and the normal domain name respectively to obtain the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name, and then processes these respectively to obtain malicious domain name detection features capable of comprehensively and objectively reflecting details of the malicious domain name and the normal domain name. When the obtained malicious domain name detection features are input into a malicious domain name detection model obtained by deep learning neural network training, malicious domain names can be identified and detected more accurately, thereby reducing missed detection and misidentification of malicious domain names.

Example 2

This embodiment provides a malicious domain name detection feature processing apparatus, configured to execute the malicious domain name detection feature processing method provided in embodiment 1.

Referring to Fig. 2, a schematic structural diagram of a malicious domain name detection feature processing apparatus, the apparatus includes:

an obtaining module 200, configured to obtain a malicious domain name and a normal domain name to be processed;

the first processing module 202 is configured to process the malicious domain name to obtain a first main domain name, a first sub-domain name, and a first domain name suffix of the malicious domain name;

a second processing module 204, configured to process the normal domain name to obtain a second main domain name, a second sub-domain name, and a second domain name suffix of the normal domain name;

the third processing module 206 is configured to process the first main domain name, the first sub-domain name, and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name, and the second domain name suffix of the normal domain name, respectively, to obtain malicious domain name detection features.

The malicious domain name detection feature includes: a main domain name feature, a sub-domain name feature, and a domain name suffix feature; the domain name suffix characteristic is used for reflecting the malicious degree of the domain name suffix.

The third processing module is specifically configured to:

respectively processing a first main domain name of the malicious domain name and a second main domain name of the normal domain name to obtain the characteristics of the main domain names;

respectively processing a first sub-domain name of the malicious domain name and a second sub-domain name of the normal domain name to obtain sub-domain name characteristics;

acquiring a domain name suffix list, wherein the domain name suffix list is used for recording the usage ranking of a preset number of the most-used domain name suffixes;

when the ranking of the first domain name suffix and/or the ranking of the second domain name suffix can be inquired from the domain name suffix list, determining a first suffix reputation corresponding to the ranking of the first domain name suffix and/or a second suffix reputation corresponding to the ranking of the second domain name suffix;

and taking the determined first suffix reputation and/or second suffix reputation as a domain name suffix feature, thereby obtaining the malicious domain name detection feature.

The main domain name features comprise: the length ratio of the first main domain name in the malicious domain name to the malicious domain name, and the number of English characters, the number of numeric characters and the number of symbols of the first main domain name.

The third processing module is configured to process the first main domain name of the malicious domain name, and includes:

determining a first character length of a malicious domain name and a second character length of a first main domain name in the malicious domain name;

calculating the length ratio of the first main domain name to the malicious domain name by using the first character length and the second character length;

and respectively determining the number of English characters, the number of numeric characters and the number of symbols of the first main domain name of the malicious domain name.

The sub-domain name features include: the domain name length of each level of sub-domain name in the first sub-domain name in the malicious domain name, the length ratio of the first sub-domain name to the malicious domain name, and the number of English characters, the number of numeric characters and the number of symbols in the first sub-domain name.

The third processing module is configured to process a first sub-domain name of the malicious domain name, and includes:

determining the domain name length of each level of sub domain name in the first sub domain name, and removing separators for separating each level of sub domain name in the first sub domain name to obtain character strings forming the first sub domain name;

determining a third character length of a character string forming the first sub-domain name and a first character length of the malicious domain name;

calculating the length ratio of the first sub-domain name to the malicious domain name by using the first character length and the third character length;

and respectively determining the number of English characters, the number of numeric characters and the number of symbols of the first sub-domain name of the malicious domain name.

The third processing module is configured to process the first main domain name of the malicious domain name, and further includes:

acquiring a word correlation list, and acquiring all words contained in the first main domain name from the word correlation list;

counting the number of words of all words contained in the first main domain name acquired from the word correlation list, and respectively calculating the length ratio of each word in all words to the first main domain name;

and acquiring a brand list, acquiring all brands contained in the first main domain name from the brand list, and counting to obtain the number of the brands of all brands.

The main domain name feature further comprises: a natural language feature of a second primary domain name of the normal domain name.

The third processing module is configured to process the second main domain name of the normal domain name, and includes:

processing the second main domain name of the normal domain name by using an N-gram model to obtain a unary vector, a binary vector and a ternary vector of the second main domain name;

querying the natural language features corresponding to the second main domain name from a correspondence table of main domain names and natural language features;

and when the queried natural language features match the unary vector, the binary vector and the ternary vector, taking the unary vector, the binary vector and the ternary vector obtained by processing the second main domain name of the normal domain name with the N-gram model as the natural language features of the second main domain name of the normal domain name.

The main domain name feature further comprises: a transition probability feature of a second primary domain name of the normal domain name.

The third processing module is configured to process the second main domain name of the normal domain name, and further includes:

calculating a Markov chain of a second main domain name of the normal domain name;

querying the transition probability feature corresponding to the second main domain name from a correspondence table of main domain names and transition probability features;

and when the queried transition probability feature corresponding to the second main domain name is the same as the calculated Markov chain of the second main domain name of the normal domain name, taking the calculated Markov chain as the transition probability feature of the second main domain name of the normal domain name.
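The main-domain-name features listed above (word count and per-word length ratio, brand count, unary/binary/ternary N-grams and a Markov chain) can be sketched as follows; this is an added illustration, not code from the patent. The list contents, the sample name, substring matching against the lists, and estimating the Markov chain as first-order character transition probabilities are all assumptions, and the lookup-table comparison step is omitted.

```python
from collections import Counter, defaultdict

# Constructed sample lists and name; the patent does not enumerate their contents.
WORD_LIST = ["secure", "login", "pay", "account"]
BRAND_LIST = ["paypal", "apple"]
SAMPLE = "paypal-secure-login"


def contained(main_domain, vocabulary):
    """Return the vocabulary entries that occur as substrings of the main domain."""
    name = main_domain.lower()
    return [w for w in vocabulary if w in name]


def word_brand_features(main_domain, words=WORD_LIST, brands=BRAND_LIST):
    """Word count, per-word length ratio and brand count for a main domain name."""
    found = contained(main_domain, words)
    return {
        "word_count": len(found),
        "word_length_ratio": {w: len(w) / len(main_domain) for w in found},
        "brand_count": len(contained(main_domain, brands)),
    }


def ngram_counts(main_domain, n):
    """Character n-gram counts (n=1 unary, n=2 binary, n=3 ternary)."""
    name = main_domain.lower()
    return Counter(name[i:i + n] for i in range(len(name) - n + 1))


def markov_chain(main_domain):
    """First-order character transition probabilities P(next | current) (assumed form)."""
    name = main_domain.lower()
    pair_counts = defaultdict(Counter)
    for cur, nxt in zip(name, name[1:]):
        pair_counts[cur][nxt] += 1
    return {
        cur: {nxt: c / sum(nxts.values()) for nxt, c in nxts.items()}
        for cur, nxts in pair_counts.items()
    }


def main_domain_features(main_domain):
    """Combine the features above into one record for a single main domain name."""
    feats = word_brand_features(main_domain)
    feats["ngrams"] = {n: ngram_counts(main_domain, n) for n in (1, 2, 3)}
    feats["markov"] = markov_chain(main_domain)
    return feats
```

Calling `main_domain_features(SAMPLE)` returns a single dictionary per main domain name; in a training pipeline the counts would still need to be mapped onto a fixed-length vector before being fed to a model.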

To sum up, the malicious domain name detection feature processing apparatus provided in the embodiment of the present application processes the malicious domain name and the normal domain name respectively to obtain the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name. It then processes each of these parts respectively to obtain malicious domain name detection features that comprehensively and objectively reflect the details of the malicious domain name and the normal domain name. When the obtained malicious domain name detection features are input into a malicious domain name detection model obtained by training a deep learning neural network, malicious domain names can be identified and detected more accurately, thereby reducing missed detection and misidentification of malicious domain names.

Example 3

The present embodiment proposes a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the data processing method described in embodiment 1 above. For specific implementation, refer to method embodiment 1, which is not described herein again.

In addition, referring to the schematic structural diagram of an electronic device shown in Fig. 3, the present embodiment further provides an electronic device, which includes a bus 51, a processor 52, a transceiver 53, a bus interface 54, a memory 55, and a user interface 56.

In this embodiment, the electronic device further includes: one or more programs stored on the memory 55 and executable on the processor 52, configured to be executed by the processor for performing the following steps (1) to (4):

(1) acquiring a malicious domain name and a normal domain name to be processed;

(2) processing the malicious domain name to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name;

(3) processing the normal domain name to obtain a second main domain name, a second sub domain name and a second domain name suffix of the normal domain name;

(4) and respectively processing the first main domain name, the first sub-domain name and the first domain name suffix of the malicious domain name and the second main domain name, the second sub-domain name and the second domain name suffix of the normal domain name to obtain the malicious domain name detection characteristics.

A transceiver 53 for receiving and transmitting data under the control of the processor 52.

In Fig. 3, the bus architecture is represented by bus 51. The bus 51 may include any number of interconnected buses and bridges, and links together various circuits including one or more processors, represented by the general-purpose processor 52, and memory, represented by the memory 55. The bus 51 may also link various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further in this embodiment. A bus interface 54 provides an interface between the bus 51 and the transceiver 53. The transceiver 53 may be one element or multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. For example, the transceiver 53 receives external data from other devices, and the transceiver 53 is used for transmitting data processed by the processor 52 to other devices. Depending on the nature of the computing system, a user interface 56, such as a keypad, display, speaker, microphone or joystick, may also be provided.

The processor 52 is responsible for managing the bus 51 and the usual processing, running a general-purpose operating system as described above. The memory 55 may be used to store data used by the processor 52 in performing operations.

Alternatively, the processor 52 may be, but is not limited to: a central processing unit, a single-chip microcomputer, a microprocessor or a programmable logic device.

It will be appreciated that the memory 55 in embodiments of the invention may be either volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 55 of the systems and methods described in this embodiment is intended to comprise, without being limited to, these and any other suitable types of memory.

In some embodiments, memory 55 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof: an operating system 551 and application programs 552.

The operating system 551 includes various system programs, such as a framework layer, a core library layer and a driver layer, for implementing various basic services and processing hardware-based tasks. The application programs 552 include various applications, such as a media player and a browser, for implementing various application services. A program implementing the method of an embodiment of the present invention may be included in the application programs 552.

In summary, the present embodiment provides a computer-readable storage medium and an electronic device, which process a malicious domain name and a normal domain name respectively to obtain a first main domain name, a first sub-domain name and a first domain name suffix of the malicious domain name and a second main domain name, a second sub-domain name and a second domain name suffix of the normal domain name. Each of these parts is then processed respectively to obtain malicious domain name detection features that comprehensively and objectively reflect the details of the malicious domain name and the normal domain name. When the obtained malicious domain name detection features are input into a malicious domain name detection model obtained by training a deep learning neural network, malicious domain names can be identified and detected more accurately, thereby reducing missed detection and misidentification of malicious domain names.

The above description is only an embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the appended claims.
