A malicious fake website tracing analysis method and device based on uncertainty reasoning and electronic equipment
By constructing a topology diagram of malicious fake websites and identifying core nodes and topological paths, the accuracy problem of tracing and analyzing malicious fake websites in existing technologies has been solved. This enables the identification and tracking of the administrators behind malicious fake websites, thereby enhancing network security defense capabilities.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- TIANJI YOUMENG (ZHUHAI) TECH CO LTD
- Filing Date
- 2023-08-24
- Publication Date
- 2026-07-03
AI Technical Summary
Existing technologies are unable to accurately determine the category and risk level in the source tracing and analysis of malicious and fake websites, and it is difficult to identify and track the administrators behind them, resulting in a decline in network security defense capabilities.
By using an uncertainty-based reasoning method, a topology diagram of malicious fake websites is constructed, information is expanded and graphically associated, a directed hierarchical graph is formed, core nodes and topological paths are determined, and the topological structure of the malicious fake website organization is generated.
It enables the identification and tracking of administrators behind malicious and fraudulent websites, enhances network security defense capabilities, and reduces network security risks.
Smart Images

Figure CN117220921B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a method, apparatus, and electronic device for tracing and analyzing malicious fake websites based on uncertainty reasoning. Background Technology
[0002] Malicious and fraudulent website analysis technology is a cybersecurity solution based on big data analytics and machine learning, designed to help security experts identify and track the administrators behind malicious and fraudulent websites. This technology utilizes massive amounts of network data, including webpage content, IP addresses, and domain registration information, to automatically classify and identify malicious and fraudulent websites through data mining and machine learning algorithms. Specifically, it performs text analysis on the webpage content of malicious and fraudulent websites, extracting features such as keywords, themes, and sentiment. These features are then compared and matched with an existing malicious and fraudulent website feature database to determine the category and risk level of the malicious and fraudulent website. Simultaneously, the technology can automatically update the malicious and fraudulent website feature database, promptly obtaining the latest information and providing accurate threat assessments and recommendations to help security experts better address cyber threats. In addition to classifying and identifying malicious and fraudulent websites, this technology can also automatically analyze the behavioral patterns and network structure of the administrators behind these websites, such as their organizational structure, communication methods, and attack paths. This information helps security experts better understand the administrators' activity patterns and attack methods, enabling them to take more targeted defensive measures. Therefore, malicious website analysis technology is characterized by its high efficiency, accuracy, and intelligence. It helps security experts quickly identify and track the administrators behind malicious websites, improving network security defense capabilities and reducing network security risks. Consequently, malicious website analysis technology has become an indispensable security tool for many enterprises and organizations.
[0003] However, as the offensive and defensive confrontation intensifies, malicious fake websites will quickly change their deployment servers in order to evade detection. This causes the relationships between automatically traced links to change over time when conducting source tracing analysis of malicious fake websites. Consequently, it becomes impossible to accurately determine the category and risk level of malicious fake websites, identify and track the administrators behind them, thereby reducing network security defense capabilities and increasing network security risks. Summary of the Invention
[0004] In order to solve the problems existing in the prior art, the present invention provides the following technical solution.
[0005] The first aspect of this invention provides a method for tracing and analyzing malicious fake websites based on uncertainty reasoning, comprising:
[0006] Based on the domain names of the malicious and fake websites to be traced, information is expanded, and the expanded information is graphically correlated to obtain a topology diagram of the malicious and fake websites.
[0007] Based on the temporal characteristics, a directed hierarchical graph is constructed based on the malicious fake website topology graph, that is, the information on the malicious fake website topology graph is divided into different levels according to different time periods;
[0008] Determine the core nodes of the directed hierarchical graph, and determine the topological path within a preset time period based on the core nodes;
[0009] After placing all the aforementioned topological paths into a set and removing duplicates, an edge table is obtained. This edge table represents the topological structure of a malicious fake website organization.
[0010] Preferably, the core node includes predefined nodes, aggregation points, and cut points; wherein, the predefined nodes are nodes related to social media and personal information; the aggregation points include related feature nodes with importance greater than a threshold and uniqueness, and the contraction points of the aggregation subgraph of the malicious fake website topology.
[0011] Preferably, the related feature nodes with importance greater than the threshold and uniqueness are determined as follows: the highest and lowest relatedness of the related feature nodes are removed, and the average of the remaining relatedness is taken as the importance of the related feature nodes; the related feature nodes with importance greater than the threshold and uniqueness are determined.
[0012] Preferably, the abbreviated points of the aggregated subgraphs of the malicious fake website topology are determined according to the following method: the malicious fake website topology is aggregated to obtain multiple aggregated subgraphs; from the multiple aggregated subgraphs, CDN subgraphs and website association subgraphs deployed on the same server are identified; the CDN subgraphs are abbreviated to CDN nodes, and the website association subgraphs deployed on the same server are abbreviated to Host nodes; the CDN nodes and the Host nodes are respectively determined as the abbreviated points of the CDN subgraphs and the website association subgraphs deployed on the same server.
[0013] Preferably, the cut points are calculated based on the Tarjan algorithm on the topology of the condensed malicious fake website.
[0014] Preferably, determining the topology path within a preset time period based on the core node includes: calculating the shortest path from each malicious fake website domain name node to each core node in the malicious fake website topology diagram based on the Dijkstra algorithm, which conforms to the preset time period constraint, and using the shortest path as the topology path.
[0015] Preferably, the method further includes: outputting an edge table and displaying it visually, and expanding the lower-level information of the CDN nodes and Host nodes after shrinking them to restore the association situation before shrinking.
[0016] Preferably, the information expansion based on the domain name of the malicious fake website to be traced includes: obtaining historical information of the malicious fake website based on PDNS information, obtaining family information of the malicious fake website based on Whois information, obtaining historical attack event information of the malicious fake website based on threat intelligence information, and obtaining family information of the malicious fake website based on key feature strings; and using the historical information, the family information, and the historical attack event information as the expanded information.
[0017] A second aspect of the present invention provides a malicious fake website tracing and analysis device based on uncertainty reasoning, comprising:
[0018] The malicious fake website expansion module is used to expand information based on the domain name of the malicious fake website to be traced, and then graphically associate the expanded information to obtain a malicious fake website expansion diagram.
[0019] The directed hierarchical graph construction module is used to construct a directed hierarchical graph based on the malicious fake website topology graph according to the time sequence characteristics, that is, to divide the information on the malicious fake website topology graph into different levels according to different time periods.
[0020] The core node and topology path determination module is used to determine the core nodes of the directed hierarchical graph and determine the topology path within a preset time period based on the core nodes.
[0021] The malicious fake website organization acquisition module is used to put all the topological paths into a set and remove duplicates to obtain an edge table, which is the topological structure of the malicious fake website organization.
[0022] The present invention also provides an electronic device including a processor and a memory connected to the processor, the memory storing a plurality of instructions which can be loaded and executed by the processor to enable the processor to perform the method as described in the first aspect.
[0023] The beneficial effects of this invention are as follows: The malicious fake website tracing and analysis method, device, and electronic device constructed by this invention based on uncertainty reasoning, based on deterministic and uncertainty associations, comprehensively considers spatiotemporal changes, automatically expands information according to the domain name of the malicious fake website to be traced, and obtains the topological structure of the malicious fake website organization through a series of topological path association calculations, which can serve as a profile of the organization. Using the technical solution provided by this invention, it is possible to identify and track the administrators behind malicious fake websites, enhance network security defense capabilities, and reduce network security risks. Attached Figure Description
[0024] Figure 1 This is a flowchart illustrating the malicious fake website tracing and analysis method based on uncertainty reasoning described in this invention.
[0025] Figure 2 This is a functional structure diagram of the malicious fake website tracing and analysis device based on uncertainty reasoning described in this invention. Detailed Implementation
[0026] To better understand the above technical solutions, the following will provide a detailed explanation of the technical solutions in conjunction with the accompanying drawings and specific implementation methods.
[0027] The method provided by this invention can be implemented in a terminal environment that may include one or more of the following components: a processor, a memory, and a display screen. The memory stores at least one instruction, which is loaded and executed by the processor to implement the method described in the following embodiments.
[0028] A processor may include one or more processing cores. The processor uses various interfaces and lines to connect various parts of the terminal, and performs various functions and processes data by running or executing instructions, programs, code sets or instruction sets stored in memory, and by calling data stored in memory.
[0029] Memory can include random access memory (RAM) or read-only memory (ROM). Memory can be used to store instructions, programs, code, code sets, or instructions.
[0030] The display screen is used to show the user interface of each application.
[0031] In addition, those skilled in the art will understand that the structure of the terminal described above does not constitute a limitation on the terminal. The terminal may include more or fewer components, or combine certain components, or have different component arrangements. For example, the terminal may also include radio frequency circuits, input units, sensors, audio circuits, power supplies, and other components, which will not be described in detail here.
[0032] Example 1
[0033] like Figure 1As shown, this embodiment of the invention provides a method for tracing and analyzing malicious fake websites based on uncertainty reasoning, including: S101, expanding information based on the domain name of the malicious fake website to be traced, and graphically associating the expanded information to obtain a topology diagram of the malicious fake website; S102, constructing a directed hierarchical graph based on the topology diagram of the malicious fake website according to the temporal characteristics, that is, dividing the associated information of different time periods into different levels of the graph; S103, determining the core nodes of the directed hierarchical graph, and determining the topological paths within a preset time period based on the core nodes; S104, putting all the topological paths into a set and removing duplicates to obtain an edge table, which is the topological structure of the malicious fake website organization.
[0034] In step S101, to obtain complete information, information is expanded based on the domain name of the malicious fake website to provide basic information for the malicious fake website topology diagram. This information expansion may include: obtaining historical information of the malicious fake website based on PDNS (Passive Domain Name System) information, obtaining family information of the malicious fake website based on Whois information, obtaining historical attack event information of the malicious fake website based on threat intelligence, and obtaining family information of the malicious fake website based on key feature strings.
[0035] Specifically, PDNS information (including IP address information, DNS resolution records, and network traffic information) from malicious fake websites can be used for the following information expansion: By querying the IP address corresponding to the domain name of a malicious fake website, the location of the server used by the domain and the network topology can be determined; by querying the DNS resolution records of the domain name of a malicious fake website, the DNS server used by the domain and its configuration can be understood; by analyzing the network traffic data of the domain name of a malicious fake website, information such as the access source, access frequency, and access path of the domain name can be understood. Furthermore, PDNS information from malicious fake websites can be used for the following source tracing investigations: By analyzing the domain registration information, IP address information, and DNS resolution records, the source of the attacker or malicious behavior can be determined, thereby taking corresponding measures for prevention and crackdown; by analyzing network traffic information, the path of malicious activities can be traced, thereby determining the attacker's action trajectory and attack methods, providing a basis for subsequent investigation and handling; by tracing the source of multiple domains, the security risks of the entire network can be assessed, and corresponding measures can be taken to strengthen network security protection.
[0036] Based on the key feature strings of malicious and fake websites, an asset mapping engine can be used to obtain websites containing these key feature strings. The specific process is as follows: Based on extensive training, a key feature string extraction model for malicious and fake websites is constructed using LDA (Latent Dirichlet Allocation). At the same time, the models are sorted based on TF-IDF (Term Frequency-Inverse Document Frequency) weights, and the key feature string with the highest weight is taken as the unique key feature string of the malicious and fake website, while other key feature strings are taken as related key feature strings. Based on the extracted key feature strings, the asset mapping engine is used to discover potential related malicious and fake websites. Websites associated with unique key feature strings are classified as deterministic malicious fake websites, while websites associated with related key feature strings are classified as uncertain malicious fake websites. Page content detection is performed on uncertain malicious fake websites, and the relevance between the website and the input malicious fake website domain is calculated. Source code information is collected from the websites; based on the DOM tree webpage structure, source code similarity is calculated using ssdeep (Sampled String Similarity Detection) to obtain source code similarity. Based on screenshots of the malicious fake websites and uncertain malicious fake websites, image embedding is performed using VGG, and cosine distance is used for image similarity comparison. Similarity is calculated from the user's visual perspective to obtain page similarity. The average of the source code similarity and page similarity is taken as the relevance between the uncertain malicious fake website and the malicious website.
[0037] Based on the Whois information (domain name lookup protocol information, including domain registrant information, domain registrar information, domain registration time information, domain DNS server information, and domain expiration time information) of malicious fake websites, the following information can be expanded: By querying the domain registrant information, one can find out who owns the domain, including their name, address, and phone number; by querying the domain registrar information, one can find out who the registrar is, as well as their contact information and geographical location; by querying the domain registration time information, one can understand the domain's registration history and usage; by querying the domain DNS server information, one can understand the DNS servers used by the domain and their configuration; by querying the domain expiration time information, one can find out if the domain is about to expire, and thus take appropriate measures to renew or transfer it. Furthermore, the Whois information of malicious and fake websites allows for the following source tracing investigations: by analyzing the domain's registrant information, registrar information, and expiration time, the source of the cyberattack can be determined, allowing for corresponding preventative and countermeasure measures; by analyzing the domain's DNS server information and expiration time, the path of malicious activities can be traced, thus determining the attacker's actions and attack methods, providing a basis for subsequent investigations and handling; and by querying the Whois information of multiple domains, the security risks of the entire network can be assessed, and corresponding measures can be taken to strengthen network security protection.
[0038] Threat intelligence information based on malicious fake websites can be expanded in the following ways: By analyzing the attacker's IP address, domain name, and other information, we can understand the attacker's identity and background; by analyzing the characteristics and technical means of the attack behavior, we can understand the tools and methods used by the attacker; by analyzing the target and purpose of the attack, we can understand the attacker's intent and motivation; by analyzing the attacker's network path and attack strategy, we can understand the attacker's action trajectory and attack methods; by analyzing information about organizations and personnel related to the attacker, we can understand the support and assistance behind the attacker. Furthermore, threat intelligence information based on malicious fake websites can be used for the following source tracing investigations: By analyzing the attacker's IP address, domain name, and other information, we can determine the attacker's identity and background, thereby taking corresponding measures to combat and prevent attacks; by analyzing the attacker's behavioral characteristics and technical means, we can trace the path of malicious activities, thereby determining the attacker's action trajectory and attack methods, providing a basis for subsequent investigations and handling; by comprehensively analyzing threat intelligence information from multiple sources, we can assess the security risks of the entire network and take corresponding measures to strengthen network security protection; by analyzing and researching threat intelligence information, we can improve security awareness and prevention capabilities, thereby better responding to various network threats.
[0039] As the offensive and defensive confrontation intensifies, the machines used to deploy malicious and fake websites are also changing rapidly. Therefore, it is necessary to model a dynamic spatiotemporal topology of malicious and fake websites based on spatiotemporal factors.
[0040] In this invention, the malicious fake website topology graph is a directed graph. The entity nodes in the graph represent the associated information of the malicious fake website, such as: the URL and corresponding domain name of the malicious fake website, the IP address of the corresponding domain name, the domain name that was previously pointed to by DNS resolution, and the code signature string of the malicious fake website, etc. The lines (edges) connecting the entity nodes in the graph represent the association relationship from the head node to the tail node. The weight on the line represents the probability of the association relationship between the head node and the tail node, with a default probability value of 1, indicating a deterministic association. In addition to entity nodes and their association relationships, the malicious fake website topology graph in this invention also includes attribute nodes and attribute relationships. For example, an IP node can be expanded to include a geographic location attribute node. An attribute edge can be established to connect the IP address to the geographic location, with the edge weight being empty. Spatial information can be represented through geographic location attributes. The relationships between entity nodes also have a time attribute, such as DNS resolution relationships: if the head node is the domain name of a malicious fake website and the tail node is the IP address that resolves to the domain name of the malicious fake website, then the relationship between the head node and the tail node is a DNS resolution relationship with a probability value of 1; the time attribute of this DNS resolution relationship is another value on the edge, for example: June 2023 - July 2023, indicating that the DNS resolution relationship exists within this time range, otherwise the DNS resolution relationship does not exist.
[0041] Step S102 involves constructing a directed hierarchical graph based on the malicious fake website topology map, according to temporal characteristics. This means dividing the information on the malicious fake website topology map into different levels according to different time periods. Since spatial factors are only used as auxiliary information in the source tracing analysis of malicious fake websites, this invention primarily considers temporal factors based on the aforementioned business perspective. It uses a hierarchical graph for abstract modeling, dividing the information on the malicious fake website topology map into different levels according to different time periods. This transforms the malicious fake website topology map into a directed hierarchical graph.
[0042] In step S103, core nodes (nodes that can form topological paths, found from the nodes in the topology graph) are located within a preset time period hierarchy. Then, the shortest path from each malicious fake website domain node to each core node in the malicious fake website topology graph is calculated based on Dijkstra's algorithm, and this shortest path is used as the topological path. In this step, the time period must first be determined. It can default to using the time within six months of the current time as the time constraint for topological path calculation, or a start and end time can be specified. After the time period is confirmed, the directed hierarchical graph only retains the association information that conforms to the time period constraint during the topological path calculation process. However, when calculating node association degree and other information to determine core nodes, all association information can be used, regardless of the time period constraint. The malicious fake website domain nodes in the malicious fake website topology graph are entity nodes.
[0043] In this invention, the core nodes include predefined nodes, aggregation points, and cut points. The predefined nodes are defined based on extensive manual source tracing analysis experience, identifying nodes related to social media and personal information as core nodes, regardless of time constraints. The aggregation points include unique, related feature nodes with importance greater than a threshold and the contracted points of the aggregation subgraph of the malicious fake website topology. Specifically, nodes can be sorted based on their in-degree and out-degree; a node with an importance greater than 5 can be considered an aggregation point. For related feature nodes, importance can be calculated based on the relevance of related websites. The highest and lowest relevance values are removed, and the average of the remaining relevance values is taken as the node's importance. Related feature nodes refer to distinctive code features in the source code of malicious fake website pages. These distinctive code features can be used to search for similar malicious fake websites in an asset mapping engine. These distinctive code features serve as related feature nodes, associating them with the URLs of malicious fake websites. Related websites refer to websites found through DNS or WHOIS information that have a relationship with each other, or websites with the same code characteristics as malicious fake websites identified in the asset mapping engine. The correlation degree refers to the similarity between the code templates of related websites and the malicious fake websites to be traced; after normalization, it can be used as the correlation degree between related websites and malicious fake websites.
[0044] Based on extensive experiments, 0.68 was selected as the threshold in this invention. Finally, for related feature nodes, those with an importance greater than 0.68 and uniqueness were selected as aggregation points. Alternatively, abbreviated nodes can be chosen as aggregation points. Specifically, in this invention, the malicious fake website topology graph is first subjected to subgraph aggregation (i.e., the subgraph is represented by an abstract node for subsequent calculations. This abstract node represents the entire subgraph, and inherits the association relationships between the outermost node and non-subgraph nodes in the subgraph), resulting in an aggregated subgraph. Specifically, the CDN (Content Delivery Network) subgraph and the website association subgraph deployed on the same server are identified; then, the CDN subgraph is abbreviated to CDN nodes, and the website association subgraph deployed on the same server is abbreviated to Host nodes; then, the CDN nodes and Host nodes can be used as aggregation points. In this invention, the Tarjan algorithm (a linear-time algorithm proposed by Robert Tarjan for solving strongly connected components of a directed graph) can be used to calculate cut points on the abbreviated malicious fake website topology graph, and the obtained cut points are used as core nodes. It's important to note that, generally, a website is deployed on only one server. If a website is associated with multiple server IPs, and these IPs are linked to multiple websites, then this server is most likely a CDN node. The graph structure formed by the website nodes associated with this CDN node is the CDN subgraph. The CDN subgraph is a part of the topology graph, a subset of it.
[0045] In this invention, after determining the core nodes, the problem of calculating the organizational topology path on the malicious fake website topology graph is transformed into the problem of finding a subgraph, requiring coverage of all core nodes and minimizing the number of edges covered by the topology path; that is, the topology path needs to cover all core nodes with as few edges as possible. Specifically, the shortest path from each malicious fake website domain node to each core node in the topology graph is calculated based on Dijkstra's algorithm, and this shortest path is the topology path. It should be noted that "organization" refers to the cybersecurity threat group behind the malicious fake websites; it is a conceptual designation, reflected in the topology graph as a subgraph covering multiple malicious fake websites of this group. The organizational topology path represents the association graph of multiple malicious fake websites under this cybersecurity threat group.
[0046] Execute step S104 to put all topological paths into a set and remove duplicates to obtain an edge table. This edge table is the topological structure of the malicious fake website organization, that is, the profile of the malicious fake website organization.
[0047] A topological path is a set of edges. Multiple topological paths may share a common edge. For a set of multiple topological paths, this shared edge may be counted twice. Therefore, in this invention, after placing all topological paths into a set, deduplication is required to obtain an edge table. An edge table is a data structure that stores the graph structure in the form of edges. The data organization is as follows:
[0048] Edge 1: Head node, tail node, edge weight, edge time window information (if it exists, such as DNS resolution relationship);
[0049] Edge 2: Head node, tail node, edge weight, edge time window information (if it exists, such as DNS resolution relationship).
[0050] The embodiments of the present invention may further include the steps of: outputting the set of deduplicated topological paths (i.e. the edge table obtained after deduplication) and displaying it visually, and expanding the lower-level information of the nodes of the condensed nodes to restore the association situation before the condensation.
[0051] Example 2
[0052] like Figure 2 As shown, another aspect of the present invention also includes a functional module architecture that is completely consistent with the aforementioned method flow. That is, the embodiments of the present invention also provide a malicious fake website tracing and analysis device based on uncertainty reasoning, including:
[0053] The malicious fake website expansion module 201 is used to expand information based on the domain name of the malicious fake website to be traced, and to graphically associate the expanded information to obtain a malicious fake website expansion diagram.
[0054] The directed hierarchical graph construction module 202 is used to construct a directed hierarchical graph based on the malicious fake website topology graph according to the time sequence characteristics, that is, to divide the information on the malicious fake website topology graph into different levels according to different time periods.
[0055] The core node and topology path determination module 203 is used to determine the core nodes of the directed hierarchical graph and determine the topology path within a preset time period based on the core nodes.
[0056] The malicious fake website organization acquisition module 204 is used to put all the topological paths into a set and remove duplicates to obtain an edge table, which is the topological structure of the malicious fake website organization.
[0057] The core nodes include predefined nodes, aggregation points, and cut points; the predefined nodes are nodes related to social media and personal information; the aggregation points include relevance feature nodes with importance greater than a threshold and uniqueness, and the contraction points of the aggregation subgraph of the malicious fake website topology.
[0058] Specifically, the related feature nodes with importance greater than the threshold and uniqueness are determined as follows: the highest and lowest relatedness of the related feature nodes are removed, and the average of the remaining relatedness is taken as the importance of the related feature nodes; the related feature nodes with importance greater than the threshold and uniqueness are determined.
[0059] The abbreviated nodes of the aggregated subgraphs of the malicious fake website topology diagram are determined as follows: Subgraph aggregation is performed on the malicious fake website topology diagram to obtain multiple aggregated subgraphs. From these multiple aggregated subgraphs, CDN subgraphs and website association subgraphs deployed on the same server are identified. The CDN subgraphs are abbreviated to CDN nodes, and the website association subgraphs deployed on the same server are abbreviated to Host nodes. The CDN nodes and Host nodes are respectively determined as the abbreviated nodes of the CDN subgraph and the website association subgraphs deployed on the same server.
[0060] Furthermore, the cut points are calculated based on the Tarjan algorithm using the condensed topology of the malicious fake website.
[0061] Furthermore, determining the topology path within a preset time period based on the core node includes: within the preset time period, calculating the shortest path from each malicious fake website domain name node to each core node in the malicious fake website topology diagram based on the Dijkstra algorithm, and using the shortest path as the topology path.
[0062] The apparatus provided in this embodiment of the invention may further include an output display module, which is used to output the side table and perform a visual display, and to expand the lower-level information of the CDN nodes and Host nodes after the point shrinking, restoring the association situation before the point shrinking.
[0063] Furthermore, in this embodiment of the invention, the information expansion based on the domain name of the malicious fake website to be traced may include: obtaining historical information of the malicious fake website based on PDNS information, obtaining family information of the malicious fake website based on Whois information, obtaining historical attack event information of the malicious fake website based on threat intelligence information, and obtaining family information of the malicious fake website based on key feature strings; and using the historical information, the family information, and the historical attack event information as the expanded information.
[0064] This device can be implemented using the malicious fake website tracing analysis method based on uncertainty reasoning provided in Embodiment 1 above. The specific implementation method can be found in the description in Embodiment 1, and will not be repeated here.
[0065] The present invention also provides an electronic device, including a processor and a memory connected to the processor, the memory storing a plurality of instructions which can be loaded and executed by the processor to enable the processor to perform the method as described in Embodiment 1.
[0066] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including both the preferred embodiments and all changes and modifications falling within the scope of the invention. Clearly, those skilled in the art can make various alterations and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and modifications of the invention fall within the scope of the claims and their equivalents, the invention is also intended to include these modifications and modifications.
Claims
1. A method for tracing and analyzing malicious fake websites based on uncertainty reasoning, characterized in that, include: Based on the domain names of the malicious and fake websites to be traced, information is expanded, and the expanded information is graphically correlated to obtain a topology diagram of the malicious and fake websites. Based on the temporal characteristics, a directed hierarchical graph is constructed based on the malicious fake website topology graph, that is, the information on the malicious fake website topology graph is divided into different levels according to different time periods; Determine the core nodes of the directed hierarchical graph, and determine the topological path within a preset time period based on the core nodes; After putting all the aforementioned topological paths into a set and removing duplicates, an edge table is obtained. An edge table is a data structure that stores a graph structure in the form of edges. This edge table is the topological structure of a malicious fake website organization. The core nodes include predefined nodes, aggregation points, and cut points; the predefined nodes are nodes related to social media and personal information; the aggregation points include relevance feature nodes with importance greater than a threshold and uniqueness, and the contraction points of the aggregation subgraph of the malicious fake website topology. The step of determining the topology path within a preset time period based on the core node includes: calculating the shortest path between each malicious fake website domain name node and each core node in the malicious fake website topology diagram based on the Dijkstra algorithm, which meets the constraints of the preset time period, and using the shortest path as the topology path; The information expansion based on the domain name of the malicious fake website to be traced includes: obtaining historical information of the malicious fake website based on PDNS information, obtaining family information of the malicious fake website based on Whois information, obtaining historical attack event information of the malicious fake website based on threat intelligence information, and obtaining family information of the malicious fake website based on key feature strings; the historical information, the family information, and the historical attack event information are used as the expanded information.
2. The method for tracing and analyzing malicious fake websites based on uncertainty reasoning as described in claim 1, characterized in that, The related feature nodes with importance greater than the threshold and uniqueness are determined as follows: the highest and lowest relatedness of the related feature nodes are removed, and the average of the remaining relatedness is taken as the importance of the related feature nodes; the related feature nodes with importance greater than the threshold and uniqueness are determined.
3. The method for tracing and analyzing malicious fake websites based on uncertainty reasoning as described in claim 1, characterized in that, The contraction points of the aggregated subgraphs of the malicious fake website topology are determined as follows: the malicious fake website topology is aggregated to obtain multiple aggregated subgraphs, and the CDN subgraph and the website association subgraphs deployed on the same server are identified from the multiple aggregated subgraphs. The CDN subgraph is condensed into a CDN node, and the website association subgraph deployed on the same server is condensed into a Host node; the CDN node and the Host node are respectively determined as the condensed points of the CDN subgraph and the website association subgraph deployed on the same server.
4. The method for tracing and analyzing malicious fake websites based on uncertainty reasoning as described in claim 3, characterized in that, The cut points were calculated based on the Tarjan algorithm from the topology of the condensed malicious fake website.
5. The method for tracing and analyzing malicious fake websites based on uncertainty reasoning as described in claim 3, characterized in that, The method further includes: outputting the edge table and displaying it visually, and expanding the lower-level information of the CDN nodes and Host nodes after shrinking them to restore the association situation before shrinking.
6. A malicious fake website tracing and analysis device based on uncertainty reasoning, characterized in that, include: The malicious fake website expansion module is used to expand information based on the domain name of the malicious fake website to be traced, and then graphically associate the expanded information to obtain a malicious fake website expansion diagram. The directed hierarchical graph construction module is used to construct a directed hierarchical graph based on the malicious fake website topology graph according to the time sequence characteristics, that is, to divide the information on the malicious fake website topology graph into different levels according to different time periods. The core node and topology path determination module is used to determine the core nodes of the directed hierarchical graph and determine the topology path within a preset time period based on the core nodes. The malicious fake website organization acquisition module is used to put all the topological paths into a set and remove duplicates to obtain an edge table. The edge table is a data structure that stores the graph structure in the form of edges. This edge table is the topological structure of the malicious fake website organization. The core nodes include predefined nodes, aggregation points, and cut points; the predefined nodes are nodes related to social media and personal information; the aggregation points include relevance feature nodes with importance greater than a threshold and uniqueness, and the contraction points of the aggregation subgraph of the malicious fake website topology. The step of determining the topology path within a preset time period based on the core node includes: calculating the shortest path between each malicious fake website domain name node and each core node in the malicious fake website topology diagram based on the Dijkstra algorithm, which meets the constraints of the preset time period, and using the shortest path as the topology path; The information expansion based on the domain name of the malicious fake website to be traced includes: obtaining historical information of the malicious fake website based on PDNS information, obtaining family information of the malicious fake website based on Whois information, obtaining historical attack event information of the malicious fake website based on threat intelligence information, and obtaining family information of the malicious fake website based on key feature strings; the historical information, the family information, and the historical attack event information are used as the expanded information.
7. An electronic device, characterized in that, The method includes a processor and a memory connected to the processor, the memory storing a plurality of instructions that can be loaded and executed by the processor to enable the processor to perform the method as described in any one of claims 1-5.