Internet risk prediction method and device based on domain name analysis, equipment and medium

By retrieving monitoring threads from the domain name analysis system and combining blacklists, whitelists, and risk grading rules, a hybrid model of convolutional neural networks and recurrent neural networks is used to predict domain name risks. This solves the problems of slow response speed and inaccurate analysis in existing technologies, and enables real-time risk identification and dynamic management.

CN122160168APending Publication Date: 2026-06-05KANG JIAN INFORMATION TECH (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
KANG JIAN INFORMATION TECH (SHENZHEN) CO LTD
Filing Date
2026-04-14
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing domain name analysis risk prediction systems rely on static blacklists and whitelists, which cannot be dynamically updated, resulting in slow response times, inability to detect and block risky domain names in real time, and a lack of unified management interfaces and accurate analysis capabilities.

Method used

By accessing monitoring threads, the risk level of a domain name is determined based on blacklist rules, whitelist rules, and risk grading rules. A risk prediction model combining convolutional neural networks and recurrent neural networks is used for intelligent analysis, and predictions are made by combining domain name reputation, historical behavior, and IP address.

Benefits of technology

It enables intelligent analysis of domain name behavior and real-time risk prediction, improving the accuracy and response speed of risk identification, and supporting dynamic rule updates and unified management.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160168A_ABST
    Figure CN122160168A_ABST
Patent Text Reader

Abstract

The application discloses an Internet risk prediction method and device based on domain name analysis, equipment and medium, relates to the technical field of artificial intelligence, can be applied to the field of finance and medical health, and mainly aims to solve the problem of poor prediction accuracy of the existing Internet domain name risk. Including: in response to an Internet data access request, calling a monitoring thread; determining the risk level of the user access domain name based on at least one of the blacklist rules, the whitelist rules and the risk classification rules in the monitoring thread; if the risk level is low risk or medium risk, a risk prediction model corresponding to the risk level is called, and the domain name reputation, historical behavior and IP address associated with the user access domain name are predicted based on the risk prediction model to obtain a risk prediction result, and the risk prediction model is constructed based on a convolutional neural network and a recurrent neural network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of artificial intelligence technology, which can be applied to the financial and healthcare fields, and in particular to an internet risk prediction method, device, equipment, and medium based on domain name analysis. Background Technology

[0002] With the widespread adoption of internet technology and the evolution of increasingly covert attack methods, the Domain Name System (DNS), as a core infrastructure for network communication, has become a significant carrier and covert channel for malicious activities. This is particularly true in critical sectors like healthcare and finance, where data security and business continuity are paramount, making DNS-level security vulnerabilities even more destructive. In the healthcare field, malicious domain names are frequently used to steal patient privacy, tamper with medical data, and attack hospital information systems, directly threatening the rights of doctors and patients and disrupting medical order. In the financial sector, attackers use methods such as domain name forgery and DNS hijacking to carry out phishing scams, steal user account information, and illegally transfer funds, severely damaging the credibility of financial institutions and the security of users' assets. Therefore, internet risk prediction technology based on domain name analysis has emerged and become a key support for network security protection.

[0003] Currently, existing domain name analysis-based risk prediction typically combines domain name feature extraction with anomaly detection to create domain name management systems with risk prediction capabilities. At the feature level, structural features such as domain name length, entropy value, and subdomain diversity are analyzed, combined with behavioral features such as DNS request frequency, resolution failure rate, and IP association relationships to construct multi-dimensional risk identification indicators. In terms of detection methods, a collaborative approach using machine learning algorithms is employed. This involves quickly filtering known malicious domain names through predefined rules and intelligently identifying unknown threats such as domain name generation algorithm (DGA) domains and look-like domains using models such as decision trees, XGBoost, and LSTM. However, existing risk domain name management systems still rely on static blacklist or whitelist configurations, which cannot be dynamically updated, resulting in slow response times. Real-time monitoring and blocking of risky domains are not possible. Furthermore, domain name configuration management is often scattered across multiple systems, lacking a unified management interface and tools. Domain name analysis is often based on simple keyword matching, lacking accurate analysis and prediction of domain behavior. Therefore, a domain name analysis-based internet risk prediction method is urgently needed to address these issues. Summary of the Invention

[0004] In view of this, this application provides an Internet risk prediction method, apparatus, device, and medium based on domain name analysis, with the main purpose of solving the problem of poor accuracy in existing Internet domain name risk prediction.

[0005] According to one aspect of this application, an Internet risk prediction method based on domain name analysis is provided, comprising: In response to an internet data access request, the monitoring thread is invoked; The risk level of the domain name accessed by the user is determined based on at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread. If the risk level is low or medium, the risk prediction model corresponding to the risk level is retrieved, and the domain reputation, historical behavior, and IP address associated with the user's access domain are predicted based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network.

[0006] Furthermore, before invoking the monitoring thread, the method further includes: Obtain the blacklist rules, whitelist rules, and risk classification rules corresponding to different domain name services, and create at least one monitoring thread; Configure the blacklist rules, whitelist rules, and risk classification rules to correspond with the monitoring threads; The monitoring thread includes: The monitoring thread to be invoked is determined by matching the business information carried in the Internet data access request with the blacklist rules, the whitelist rules, and the risk classification rules.

[0007] Furthermore, the method also includes: The monitoring thread is associated with the domain name interface to configure or update at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread through the domain name interface.

[0008] Furthermore, determining the risk level of a user's access domain name based on at least one of the blacklist rules, whitelist rules, and risk grading rules in the monitoring thread includes: Determine whether the domain name accessed by the user matches the blacklist rule; If the blacklist rule is matched, then the domain name accessed by the user is determined to match the whitelist rule; If the blacklist rule is not matched, the risk level is determined to be high risk. If the whitelist rule is matched, the risk level is determined to be low risk. If the whitelist rule does not match, the risk level of the user's access domain name is determined based on the risk grading rule. The risk grading rule is used to characterize the rule content for risk grading based on at least one of domain name characteristics, request characteristics, and user characteristics. The risk levels include low risk, high risk, and medium risk.

[0009] Furthermore, before retrieving the risk prediction model corresponding to the risk level, the method further includes: Obtain domain reputation samples, historical behavior samples, and IP address samples labeled with different risks, and create a risk prediction model including a convolutional neural network and a recurrent neural network. The convolutional neural network includes an input layer and a feature extraction layer, and the recurrent neural network includes a feature fusion layer and an output layer. The domain name reputation sample, the historical behavior sample, and the IP address sample are used as input parameters and sequentially input into the convolutional neural network and the recurrent neural network to complete the model training of the risk prediction model.

[0010] Furthermore, the method also includes: If the risk level is high, the internet data access request will be intercepted, and the domain reputation sample, historical behavior sample, and IP address sample will be updated based on the user's access domain.

[0011] Furthermore, after predicting the domain reputation, historical behavior, and IP address associated with the user's access domain based on the risk prediction model to obtain the risk prediction result, the method further includes: If the risk prediction result is a malicious domain name risk result, then the Internet data access request will be intercepted, and the blacklist rules and the risk classification rules will be updated according to the malicious domain name risk result. If the risk prediction result is a normal domain name risk result, the Internet data access request is allowed, and the whitelist rules and the risk classification rules are updated according to the normal domain name risk result.

[0012] According to another aspect of this application, an Internet risk prediction device based on domain name analysis is provided, comprising: The invocation module is used to invoke the monitoring thread in response to Internet data access requests; The determination module is used to determine the risk level of a user's access domain name based on at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread. The prediction module is used to retrieve the risk prediction model corresponding to the risk level if the risk level is low or medium, and predict the domain reputation, historical behavior and IP address associated with the user's access domain based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network.

[0013] Furthermore, the device also includes: an acquisition module and a configuration module. The acquisition module is used to acquire blacklist rules, whitelist rules, and risk classification rules corresponding to different domain name services, and to create at least one monitoring thread; The configuration module is used to configure the blacklist rules, the whitelist rules, and the risk classification rules to correspond to the monitoring thread; The retrieval module is specifically used to match the business information carried by the Internet data access request with the blacklist rules, the whitelist rules, and the risk classification rules to determine the monitoring thread to be retrieved.

[0014] Furthermore, The configuration module is also used to associate the monitoring thread with the domain name interface so that at least one of the blacklist rules, whitelist rules and risk classification rules in the monitoring thread can be configured or updated through the domain name interface.

[0015] Furthermore, The determining module is specifically used to determine whether the domain name accessed by the user matches the blacklist rule; if it matches the blacklist rule, it determines that the domain name accessed by the user matches the whitelist rule; if it does not match the blacklist rule, it determines that the risk level is high risk; if it matches the whitelist rule, it determines that the risk level is low risk; if it does not match the whitelist rule, it determines the risk level corresponding to the domain name accessed by the user based on the risk grading rule, wherein the risk grading rule is used to characterize the rule content for risk grading based on at least one of domain name characteristics, request characteristics, and user characteristics; wherein the risk level includes low risk, high risk, and medium risk.

[0016] Furthermore, the device also includes: A module is created to acquire domain reputation samples, historical behavior samples, and IP address samples labeled with different risks, and to create a risk prediction model including a convolutional neural network and a recurrent neural network. The convolutional neural network includes an input layer and a feature extraction layer, and the recurrent neural network includes a feature fusion layer and an output layer. The training module is used to input the domain name reputation sample, the historical behavior sample, and the IP address sample as input parameters into the convolutional neural network and the recurrent neural network in sequence to complete the model training of the risk prediction model.

[0017] Furthermore, the device also includes: The update module is used to intercept the Internet data access request if the risk level is high, and update the domain name reputation sample, historical behavior sample and IP address sample based on the user access domain name.

[0018] Furthermore, The update module is further configured to: if the risk prediction result is a malicious domain risk result, then intercept the Internet data access request and update the blacklist rules and the risk classification rules according to the malicious domain risk result; if the risk prediction result is a normal domain risk result, then allow the Internet data access request and update the whitelist rules and the risk classification rules according to the normal domain risk result.

[0019] According to another aspect of this application, a computer-readable storage medium is provided, wherein at least one executable instruction is stored therein, the executable instruction causing a processor to perform operations corresponding to the above-described Internet risk prediction method based on domain name analysis.

[0020] According to another aspect of this application, a computer device is provided, comprising: a processor, a memory, a communication interface, and a communication bus, wherein the processor, the memory, and the communication interface communicate with each other through the communication bus; The memory is used to store at least one executable instruction, which causes the processor to perform the operation corresponding to the above-described Internet risk prediction method based on domain name analysis.

[0021] By employing the above technical solutions, the technical solutions provided in the embodiments of this application have at least the following advantages: This application provides an internet risk prediction method, apparatus, device, and medium based on domain name analysis. Compared with the prior art, the embodiments of this application, in response to an internet data access request, invoke a monitoring thread; determine the risk level of the user's accessed domain name based on at least one of the blacklist rules, whitelist rules, and risk grading rules in the monitoring thread; if the risk level is low risk or medium risk, invoke the risk prediction model corresponding to the risk level, and predict the domain name reputation, historical behavior, and IP address associated with the user's accessed domain name based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network, achieving the goal of combining machine learning and big data analysis technologies to intelligently analyze and predict domain name behavior, thereby improving the accuracy of risk identification.

[0022] The above description is only an overview of the technical solution of this application. In order to better understand the technical means of this application and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this application more obvious and understandable, the following are specific embodiments of this application. Attached Figure Description

[0023] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the scope of this application. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings: Figure 1 A flowchart of an Internet risk prediction method based on domain name analysis provided in an embodiment of this application is shown; Figure 2 This paper illustrates a block diagram of an internet risk prediction device based on domain name analysis, as provided in an embodiment of this application. Figure 3 A schematic diagram of the structure of a computer device provided in an embodiment of this application is shown. Detailed Implementation

[0024] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.

[0025] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0026] The embodiments of this invention can acquire and process relevant data based on artificial intelligence technology. Artificial intelligence (AI) refers to the theories, methods, technologies, and application systems that use digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to obtain optimal results.

[0027] Foundational technologies for artificial intelligence generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies mainly encompass computer vision, robotics, biometrics, speech processing, natural language processing, and machine learning / deep learning.

[0028] Based on this, in one embodiment, the present invention provides an Internet risk prediction method based on domain name analysis. Taking the application of this method to computer devices such as servers as an example, the server can be an independent server or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms, such as intelligent financial systems, intelligent medical systems, digital medical platforms, etc.

[0029] This application provides an internet risk prediction method based on domain name analysis, such as... Figure 1 As shown, the method includes: 101. In response to an Internet data access request, the monitoring thread is invoked.

[0030] In this embodiment, the internet data access request can be triggered by the user browsing web pages or by a business system automatically generating a request to obtain corresponding internet data. The applicable scenarios for this data access request include, but are not limited to, business scenarios such as insurance products, securities products, and wealth management products. After receiving the internet data access request, the current execution end invokes the monitoring thread. This monitoring thread is a pre-created, smallest unit used for risk prediction monitoring, and can be created based on different risk prediction needs; this embodiment does not impose specific limitations.

[0031] 102. Determine the risk level of the domain name accessed by the user based on at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread.

[0032] In this embodiment, each monitoring thread is pre-configured with at least one of the following: a blacklist rule, a whitelist rule, and a risk grading rule. This allows for the initial risk level classification after the monitoring thread is invoked, using the rules within that thread. Risk levels can include low, medium, and high risk. Blacklist rules refer to rules that include different blacklists and corresponding high or medium risk levels. Whitelist rules refer to rules that include different whitelists and corresponding low or medium risk levels. In this case, there is no duplication in the blacklist and whitelist rules for medium risk level assessment. Risk grading rules refer to risk grading rules other than those based on blacklists and whitelists. These rules are user-defined and are not specifically limited in this embodiment. Furthermore, the user-accessed domain name refers to the domain information carried in the HTTP request header when a user accesses a domain name (such as www.example.com) through a browser or client on a financial or medical page. This information can be directly retrieved from various web frameworks and is not specifically limited in this embodiment.

[0033] It should be noted that, in order to ensure the effectiveness of the initial risk level assessment, at least one of the blacklist rules, whitelist rules, and risk classification rules can be assessed in a sequential order. Once a risk level is determined, subsequent rule assessments will not be executed. For example, when the risk level is determined to be high risk, internet data access requests triggered by financial or medical web pages can be directly blocked. This application embodiment does not impose specific limitations.

[0034] 103. If the risk level is low or medium, the risk prediction model corresponding to the risk level is retrieved, and the domain reputation, historical behavior, and IP address associated with the user's access domain are predicted based on the risk prediction model to obtain the risk prediction result.

[0035] In this embodiment, when the risk level is low or medium, to further improve the risk prediction of internet data, the current execution end uses artificial intelligence to assess the risk of domain names and determine the risk prediction result. Different risk levels can be pre-trained with models of varying prediction accuracy and computational power. In this case, the risk prediction model is constructed using a hybrid of convolutional neural networks (CNNs) and recurrent neural networks (RNNs). The CNN includes convolutional layers, activation layers, pooling layers, and fully connected layers. Here, the domain name's associated reputation, historical behavior, and IP address can be first converted into a numerical matrix that the CNN can compute, and then local features are extracted using each layer. The RNN includes an input layer, hidden layers, and an output layer. After the CNN outputs the extracted domain name features, these features are sequentially input into the RNN. The hidden states capture the contextual dependencies of characters, and the last hidden state is used as the domain name's feature vector, or the hidden states from all steps are concatenated. Finally, the feature vector is input into the output layer to complete the domain name prediction, indicating whether the prediction result is malicious or normal.

[0036] In another embodiment of this application, for further definition and explanation, before the step of invoking the monitoring thread, the method further includes: Obtain the blacklist rules, whitelist rules, and risk classification rules corresponding to different domain name services, and create at least one monitoring thread; Configure the blacklist rules, whitelist rules, and risk classification rules to correspond with the monitoring thread.

[0037] To ensure a singular and unalterable risk prediction path, the current execution terminal pre-obtains blacklist rules, whitelist rules, and risk classification rules corresponding to different domain name services. This can be based on direct input by technical personnel or generated from blacklists and whitelists based on already marked high-risk domains; this embodiment does not impose specific limitations. Simultaneously, the current execution terminal creates at least one monitoring thread. This thread can be created using thread creation modules in Python or Java, specifically tailored to the domain name service; this embodiment also does not impose specific limitations.

[0038] In this embodiment of the application, the corresponding step of invoking the monitoring thread includes: The monitoring thread to be invoked is determined by matching the business information carried in the Internet data access request with the blacklist rules, the whitelist rules, and the risk classification rules.

[0039] To ensure the effectiveness of targeted monitoring of domain name services, the current execution end pre-creates multiple threads. Therefore, when an access request is received and a thread is invoked, the business information carried in the internet data access request can be matched with multiple blacklist rules, whitelist rules, and risk classification rules to accurately match the corresponding monitoring thread. The business information can include the business content corresponding to the data accessed through the domain name request, such as insurance or loan services in the financial sector, or appointment booking or examination booking services in the medical field. Different businesses can be pre-matched with different blacklist rules, whitelist rules, and risk classification rules; this application embodiment does not impose specific limitations.

[0040] For example, when the business information is insurance business, the blacklist rule a, whitelist rule a, and risk classification rule a that match the insurance business are determined. Then, the monitoring thread a that contains the blacklist rule a, whitelist rule a, and risk classification rule a is called so that the risk level of the user access domain name generated by the execution of insurance business can be judged based on the monitoring thread a.

[0041] In another embodiment of this application, for further definition and explanation, the steps also include: The monitoring thread is associated with the domain name interface to configure or update at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread through the domain name interface.

[0042] To meet the dynamic configuration requirements of various rules and flexibly achieve the risk prediction objectives for different domain name businesses, after configuring the current execution thread and corresponding rules, the monitoring thread can also be associated with the domain name interface. This allows technical personnel to configure or update at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread through the domain name interface. For example, the domain name interface can be configured through DomainConfigController to obtain a REST API or Dubbo interface; this embodiment does not impose specific limitations.

[0043] In one specific embodiment, the current execution end can be embedded in a domain name analysis system. After the monitoring thread is created, it is associated with the domain name interface corresponding to the domain name analysis system, so that technical users can call the domain name interface API through the domain name analysis system to configure or update blacklist rules, whitelist rules and risk classification rules.

[0044] In another embodiment of this application, for further definition and explanation, the step of determining the risk level of a user's access domain name based on at least one of the blacklist rules, whitelist rules, and risk grading rules in the monitoring thread includes: Determine whether the domain name accessed by the user matches the blacklist rule; If the blacklist rule is matched, then the domain name accessed by the user is determined to match the whitelist rule; If the blacklist rule is not matched, the risk level is determined to be high risk. If the whitelist rule is matched, the risk level is determined to be low risk. If the whitelist rule is not matched, the risk level corresponding to the user's access domain name is determined based on the risk grading rule.

[0045] To ensure the effectiveness of the initial risk level assessment, the current execution end first checks whether the user's accessed domain name matches the blacklist rule when determining the risk level. If it matches, it indicates that the user's accessed domain name carries an extremely high risk and is therefore classified as high-risk, allowing for blocking. If it does not match the blacklist rule, it further checks whether it matches the whitelist rule. If it matches the whitelist rule, it indicates a low-risk situation. If it does not match the whitelist rule, a final risk grading rule assessment is performed. At this point, the risk grading rule is used to characterize the rule content for risk grading based on at least one of the following: domain name characteristics, request characteristics, and user characteristics.

[0046] In some embodiments, the risk grading rule can be that the more requests made, the lower the risk level. Alternatively, the risk level can be determined sequentially based on the correlation between the user's occupation and financial products or medical health in the user characteristics. Or, the risk level can be matched according to the number of requests made to a specific IP or website name in the domain characteristics. The risk levels include low risk, high risk, and medium risk. This application embodiment does not specifically consider these risk levels.

[0047] In another embodiment of this application, for further definition and explanation, before retrieving the risk prediction model corresponding to the risk level, the method further includes: Obtain domain reputation samples, historical behavior samples, and IP address samples labeled with different risks, and create a risk prediction model that includes convolutional neural networks and recurrent neural networks; The domain name reputation sample, the historical behavior sample, and the IP address sample are used as input parameters and sequentially input into the convolutional neural network and the recurrent neural network to complete the model training of the risk prediction model.

[0048] To achieve domain name sharing prediction based on artificial intelligence, the current execution terminal pre-acquires domain name reputation samples, historical behavior samples, and IP address samples labeled with different risks, and creates a risk prediction model. This risk prediction model includes convolutional neural networks (CNNs) and recurrent neural networks (RNNs). Since a single CNN includes convolutional layers, activation layers, pooling layers, and fully connected layers, and a single RNN includes an input layer, hidden layers, and an output layer, in this embodiment, when CNNs and RNNs are mixed, their hierarchical divisions can be redefined. The CNN includes an input layer and a feature extraction layer, while the RNN includes a feature fusion layer and an output layer. In the constructed risk prediction model, the feature extraction layer has all the functions of the convolutional layer, activation layer, pooling layer, and fully connected layer, and the feature fusion layer has all the functions of the hidden layer. Therefore, feature extraction and feature fusion analysis can be performed separately.

[0049] In some specific embodiments, after reconstructing the hybrid model, domain reputation samples, historical behavior samples, and IP address samples are used as input parameters and sequentially fed into the convolutional neural network and the recurrent neural network to complete the training of the risk prediction model. The domain reputation samples, historical behavior samples, and IP address samples can be obtained from historical data recorded in the domain name analysis system; this application does not impose specific limitations on these parameters.

[0050] In another embodiment of this application, for further definition and explanation, the steps also include: If the risk level is high, the internet data access request will be intercepted, and the domain reputation sample, historical behavior sample, and IP address sample will be updated based on the user's access domain.

[0051] To ensure the security of internet data, when the current execution end determines the risk level to be high, it can intercept internet data access requests and update the domain reputation sample, historical behavior sample, and IP address sample based on the user's access domain name in order to retrain the risk prediction model.

[0052] It should be noted that in this embodiment of the application, when the risk level is low risk or high risk, the execution steps retrieve the risk prediction model corresponding to the risk level and the subsequent steps. When the risk level is high risk, it can be directly intercepted to ensure the security of Internet data. This embodiment of the application does not make specific limitations.

[0053] In another embodiment of this application, for further definition and explanation, after the step of predicting the domain reputation, historical behavior, and IP address associated with the user-accessed domain based on the risk prediction model and obtaining the risk prediction result, the method further includes: If the risk prediction result is a malicious domain name risk result, then the Internet data access request will be intercepted, and the blacklist rules and the risk classification rules will be updated according to the malicious domain name risk result. If the risk prediction result is a normal domain name risk result, the Internet data access request is allowed, and the whitelist rules and the risk classification rules are updated according to the normal domain name risk result.

[0054] To meet the requirements of domain name flexibility risk prediction, after receiving the risk prediction result, the current execution terminal performs the corresponding access operation based on the prediction result. In some embodiments, if the risk prediction result is a malicious domain name risk result, the internet data access request is blocked, and the blacklist rules and risk classification rules are updated according to the malicious domain name risk result. In some embodiments, if the risk prediction result is a normal domain name risk result, the internet data access request is allowed, and the whitelist rules and risk classification rules are updated according to the normal domain name risk result.

[0055] In some specific embodiments, the current execution end can also implement a distributed prediction service based on the Dubbo framework, supporting high concurrency and large-scale data processing. Through the distributed architecture, it can handle a large number of domain name requests, improving performance and stability.

[0056] This application provides an internet risk prediction method based on domain name analysis. Compared with the prior art, this application responds to internet data access requests by invoking a monitoring thread; determining the risk level of the user's accessed domain name based on at least one of the blacklist rules, whitelist rules, and risk grading rules in the monitoring thread; if the risk level is low or medium risk, then the risk prediction model corresponding to the risk level is invoked, and the domain name reputation, historical behavior, and IP address associated with the user's accessed domain name are predicted based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network, achieving the goal of combining machine learning and big data analysis technologies to intelligently analyze and predict domain name behavior, thereby improving the accuracy of risk identification.

[0057] Furthermore, as a response to the above Figure 1 The implementation of the method shown in this application provides an Internet risk prediction device based on domain name analysis, such as... Figure 2 As shown, the device includes: The retrieval module 21 is used to retrieve the monitoring thread in response to an Internet data access request; The determination module 22 is used to determine the risk level of the domain name accessed by the user based on at least one of the blacklist rules, whitelist rules and risk classification rules in the monitoring thread; The prediction module 23 is used to retrieve the risk prediction model corresponding to the risk level if the risk level is low or medium, and to predict the domain reputation, historical behavior and IP address associated with the user's access domain based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and a recurrent neural network.

[0058] Furthermore, the device also includes: an acquisition module and a configuration module. The acquisition module is used to acquire blacklist rules, whitelist rules, and risk classification rules corresponding to different domain name services, and to create at least one monitoring thread; The configuration module is used to configure the blacklist rules, the whitelist rules, and the risk classification rules to correspond to the monitoring thread; The retrieval module is specifically used to match the business information carried by the Internet data access request with the blacklist rules, the whitelist rules, and the risk classification rules to determine the monitoring thread to be retrieved.

[0059] Furthermore, The configuration module is also used to associate the monitoring thread with the domain name interface so that at least one of the blacklist rules, whitelist rules and risk classification rules in the monitoring thread can be configured or updated through the domain name interface.

[0060] Furthermore, The determining module is specifically used to determine whether the domain name accessed by the user matches the blacklist rule; if it matches the blacklist rule, it determines that the domain name accessed by the user matches the whitelist rule; if it does not match the blacklist rule, it determines that the risk level is high risk; if it matches the whitelist rule, it determines that the risk level is low risk; if it does not match the whitelist rule, it determines the risk level corresponding to the domain name accessed by the user based on the risk grading rule, wherein the risk grading rule is used to characterize the rule content for risk grading based on at least one of domain name characteristics, request characteristics, and user characteristics; wherein the risk level includes low risk, high risk, and medium risk.

[0061] Furthermore, the device also includes: A module is created to acquire domain reputation samples, historical behavior samples, and IP address samples labeled with different risks, and to create a risk prediction model including a convolutional neural network and a recurrent neural network. The convolutional neural network includes an input layer and a feature extraction layer, and the recurrent neural network includes a feature fusion layer and an output layer. The training module is used to input the domain name reputation sample, the historical behavior sample, and the IP address sample as input parameters into the convolutional neural network and the recurrent neural network in sequence to complete the model training of the risk prediction model.

[0062] Furthermore, the device also includes: The update module is used to intercept the Internet data access request if the risk level is high, and update the domain name reputation sample, historical behavior sample and IP address sample based on the user access domain name.

[0063] Furthermore, The update module is further configured to: if the risk prediction result is a malicious domain risk result, then intercept the Internet data access request and update the blacklist rules and the risk classification rules according to the malicious domain risk result; if the risk prediction result is a normal domain risk result, then allow the Internet data access request and update the whitelist rules and the risk classification rules according to the normal domain risk result.

[0064] This application provides an internet risk prediction device based on domain name analysis. Compared with the prior art, this application responds to internet data access requests by invoking a monitoring thread; determining the risk level of the user's accessed domain name based on at least one of the blacklist rules, whitelist rules, and risk grading rules in the monitoring thread; if the risk level is low or medium risk, then the risk prediction model corresponding to the risk level is invoked, and the domain name reputation, historical behavior, and IP address associated with the user's accessed domain name are predicted based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network, achieving the goal of combining machine learning and big data analysis technologies to intelligently analyze and predict domain name behavior, thereby improving the accuracy of risk identification.

[0065] According to one embodiment of this application, a computer-readable storage medium is provided, the storage medium storing at least one executable instruction that can execute the Internet risk prediction method based on domain name analysis in any of the above method embodiments.

[0066] Figure 3The diagram shows a structural schematic of a computer device according to one embodiment of the present application. The specific embodiments of the present application do not limit the specific implementation of the terminal.

[0067] like Figure 3 As shown, the computer device may include: a processor 302, a communications interface 304, a memory 306, and a communications bus 308.

[0068] The processor 302, communication interface 304, and memory 306 communicate with each other via communication bus 308.

[0069] Communication interface 304 is used to communicate with other network elements such as clients or other servers.

[0070] The processor 302 is used to execute program 310, specifically to execute the relevant steps in the above-described embodiment of the Internet risk prediction method based on domain name analysis.

[0071] Specifically, program 310 may include program code that includes computer operation instructions.

[0072] Processor 302 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application. The terminal includes one or more processors, which may be processors of the same type, such as one or more CPUs; or they may be processors of different types, such as one or more CPUs and one or more ASICs.

[0073] Memory 306 is used to store program 310. Memory 306 may include high-speed RAM memory, and may also include non-volatile memory, such as at least one disk storage device.

[0074] Specifically, program 310 can be used to cause processor 302 to perform the following operations: In response to an internet data access request, the monitoring thread is invoked; The risk level of the domain name accessed by the user is determined based on at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread. If the risk level is low or medium, the risk prediction model corresponding to the risk level is retrieved, and the domain reputation, historical behavior, and IP address associated with the user's access domain are predicted based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network.

[0075] Obviously, those skilled in the art should understand that the modules or steps of this application described above can be implemented using general-purpose computing devices. They can be centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they can be implemented using computer-executable program code, thereby storing them in a storage device for execution by a computing device. In some cases, the steps shown or described can be performed in a different order than those presented here, or they can be fabricated as separate integrated circuit modules, or multiple modules or steps can be fabricated as a single integrated circuit module. Thus, this application is not limited to any particular combination of hardware and software.

[0076] It should be noted that any AI models, software tools, or components not belonging to this company appearing in the embodiments of this application are merely illustrative examples and do not represent actual use. All user personal information involved in the embodiments of this application has been authorized (with the knowledge and consent) by the relevant parties or has been fully authorized by all parties, and the executing entity may obtain it through various legal and compliant means. The collection, storage, use, processing, transmission, provision, and disclosure of the information, data, and signals involved all comply with the relevant laws and regulations of the relevant countries and regions, and do not violate public order and good morals.

[0077] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

Claims

1. A method for predicting internet risks based on domain name analysis, characterized in that, include: In response to an internet data access request, the monitoring thread is invoked; The risk level of the domain name accessed by the user is determined based on at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread. If the risk level is low or medium, the risk prediction model corresponding to the risk level is retrieved, and the domain reputation, historical behavior, and IP address associated with the user's access domain are predicted based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and recurrent neural network.

2. The method according to claim 1, characterized in that, Before invoking the monitoring thread, the method further includes: Obtain the blacklist rules, whitelist rules, and risk classification rules corresponding to different domain name services, and create at least one monitoring thread; Configure the blacklist rules, whitelist rules, and risk classification rules to correspond with the monitoring threads; The monitoring thread includes: The monitoring thread to be invoked is determined by matching the business information carried in the Internet data access request with the blacklist rules, the whitelist rules, and the risk classification rules.

3. The method according to claim 2, characterized in that, The method further includes: The monitoring thread is associated with the domain name interface to configure or update at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread through the domain name interface.

4. The method according to claim 3, characterized in that, The determination of the risk level of a user's access domain name based on at least one of the blacklist rules, whitelist rules, and risk grading rules in the monitoring thread includes: Determine whether the domain name accessed by the user matches the blacklist rule; If the blacklist rule is matched, then the domain name accessed by the user is determined to match the whitelist rule; If the blacklist rule is not matched, the risk level is determined to be high risk. If the whitelist rule is matched, the risk level is determined to be low risk. If the whitelist rule does not match, the risk level of the user's access domain name is determined based on the risk grading rule. The risk grading rule is used to characterize the rule content for risk grading based on at least one of domain name characteristics, request characteristics, and user characteristics. The risk levels include low risk, high risk, and medium risk.

5. The method according to claim 4, characterized in that, Before retrieving the risk prediction model corresponding to the risk level, the method further includes: Obtain domain reputation samples, historical behavior samples, and IP address samples labeled with different risks, and create a risk prediction model including a convolutional neural network and a recurrent neural network. The convolutional neural network includes an input layer and a feature extraction layer, and the recurrent neural network includes a feature fusion layer and an output layer. The domain name reputation sample, the historical behavior sample, and the IP address sample are used as input parameters and sequentially input into the convolutional neural network and the recurrent neural network to complete the model training of the risk prediction model.

6. The method according to claim 5, characterized in that, The method further includes: If the risk level is high, the internet data access request will be intercepted, and the domain reputation sample, historical behavior sample, and IP address sample will be updated based on the user's access domain.

7. The method according to any one of claims 1-6, characterized in that, After predicting the domain reputation, historical behavior, and IP address associated with the user's access domain based on the risk prediction model to obtain the risk prediction result, the method further includes: If the risk prediction result is a malicious domain name risk result, then the Internet data access request will be blocked, and the blacklist rules and the risk classification rules will be updated according to the malicious domain name risk result. If the risk prediction result is a normal domain name risk result, the Internet data access request is allowed, and the whitelist rules and the risk classification rules are updated according to the normal domain name risk result.

8. An Internet risk prediction device based on domain name analysis, characterized in that, include: The invocation module is used to invoke the monitoring thread in response to Internet data access requests; The determination module is used to determine the risk level of a user's access domain name based on at least one of the blacklist rules, whitelist rules, and risk classification rules in the monitoring thread. The prediction module is used to retrieve the risk prediction model corresponding to the risk level if the risk level is low or medium, and predict the domain reputation, historical behavior, and IP address associated with the user's access domain based on the risk prediction model to obtain the risk prediction result. The risk prediction model is constructed based on a hybrid convolutional neural network and a recurrent neural network.

9. A computer-readable storage medium having a computer program / instructions stored thereon, characterized in that, When the computer program / instructions are executed by the processor, they implement the steps of the method of claim 1.

10. A computer device, comprising a memory, a processor, and a computer program stored in the memory, characterized in that, The processor executes the computer program to implement the steps of the method of claim 1.