CN115391568A - Entity classification method, system, terminal and storage medium based on knowledge graph - Google Patents

Abstract

The present application provides a knowledge map-based entity classification method, system, terminal and storage medium. The method includes: establishing a DNS knowledge graph based on DNS hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name; splitting the DNS knowledge graph into entities and relationships, and aligning the entity attributes Merge the entities and relationships to obtain the fused DNS knowledge map; vectorize the entities and relations of the fused DNS knowledge map to obtain the DNS knowledge map vector, where the DNS knowledge map vector includes the knowledge map vector corresponding to each domain name ;Take the knowledge map vector corresponding to the domain name as the input, and the preset label corresponding to the domain name as the output, train the neural network model, and obtain the entity classification model; classify and detect the domain name according to the entity classification model. The application can improve the accuracy and speed of domain name classification and detection.

Description

Entity classification method, system, terminal and storage medium based on knowledge graph

technical field

The present application relates to the technical field of computer network security, and in particular to a knowledge graph-based entity classification method, system, terminal and storage medium.

Background technique

With the rapid development of network technology and the Internet, both network users and data traffic in the network are showing an exponential growth trend, and the network user group is also more extensive. All kinds of network facilities have encountered great challenges in terms of reliability and security. As far as the current stage is concerned, the security of the Internet is in a relatively severe situation, and this situation will continue to exist for a long time.

Domain Name System (DNS), as the infrastructure of Internet communication, obtains the IP address of the resource to be accessed by analyzing the domain name. The main application scenarios are web page access and email sending and receiving. According to the "my country's Internet Network Security Situation in the First Half of 2019" released by the China National Computer Network Emergency Response Technology Coordination Center, CNCERT independently detected about 46,000 counterfeit pages targeting websites in my country in the first half of 2019. Most malicious behavior is closely related to the domain name system, and the need for detection of malicious domain names is also increasing.

At present, to distinguish whether a domain name is a malicious domain name, it is generally determined whether it is a malicious domain name by judging the domain name log structure. However, in the traditional technology, it is usually one-to-one to detect whether a domain name is a malicious domain name, which takes a long time. Moreover, domain names with the same attribute are not processed, which makes domain name detection inaccurate. Therefore, how to distinguish malicious domain names is imminent.

Contents of the invention

The present application provides a knowledge graph-based entity classification method, system, terminal and storage medium to solve the problem of inaccurate domain name classification and detection in the prior art.

In the first aspect, the present application provides a knowledge graph-based entity classification method, including: establishing a DNS knowledge graph based on DNS hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name , the preset labels include malicious and non-malicious;

Splitting the DNS knowledge graph into entities and relationships, and merging the entities and the relationships according to the alignment of entity attributes to obtain a fused DNS knowledge graph;

Vectorizing entities and relationships of the fused DNS knowledge graph to obtain a DNS knowledge graph vector, wherein the DNS knowledge graph vector includes knowledge graph vectors corresponding to each domain name;

Using the knowledge map vector corresponding to the domain name as an input, and using the preset label corresponding to the domain name as an output, training a neural network model to obtain an entity classification model;

According to the entity classification model, the domain name is classified and detected.

In a possible implementation, the DNS knowledge map is established based on the hierarchical relationship and query resolution relationship of DNS, including:

Based on the hierarchical relationship of DNS, establish a DNS domain name hierarchical map, and add the preset label to the DNS domain name hierarchical map;

Based on DNS query analysis relationship, establish DNS query response graph and passive DNS graph;

Combining the DNS query response graph with the passive DNS graph to create a DNS flow graph, and adding the preset label to the DNS flow graph;

The DNS knowledge graph is established by combining the DNS domain name hierarchical graph and the DNS flow graph through rule alignment.

In a possible implementation manner, the entity includes a head entity and a tail entity;

Said splitting the DNS knowledge graph into entities and relationships, and merging the entities and the relationships according to the alignment of entity attributes to obtain the fused DNS knowledge graph, including:

Using triplet mode, the client IP address of the DNS knowledge graph is used as the head entity, the Qname attribute of the DNS knowledge graph is used as the relationship, and the domain name of the DNS knowledge graph is used as the tail entity;

By means of entity attribute alignment, the head entity, the relationship and the tail entity are fused to obtain a fused DNS knowledge graph.

In a possible implementation manner, the DNS knowledge graph includes triples corresponding to at least one type of domain name, and the entities and relationships of the fused DNS knowledge graph are vectorized to obtain a DNS knowledge graph vector that includes :

For each type of domain name, arbitrarily select the head entity of a triple in this type of domain name as the starting node, and calculate the entity distance between the tail entity of the current triple and the head entity of the first triple;

Judging whether the entity distance between the tail entity of the current triple group and the head entity of the first triple group is not greater than the preset entity distance;

If the entity distance between the tail entity of the current triple group and the head entity of the first triple group is not greater than the preset entity distance, then the head entity of the first triple group and the tail entity of the current triple group Entities are linked, and the first triplet is used as the current triplet;

Repeat the current step until the head entity of the current triple is the starting node, and obtain the entity and relationship of the domain name;

Vectorize the entities and relationships corresponding to each domain name to obtain the knowledge graph vector corresponding to each domain name;

Wherein, the first triplet is an unlinked triplet among the triplets corresponding to this type of domain name.

In a possible implementation manner, after determining whether the entity distance between the tail entity of the current triplet and the head entity of the first triplet is not greater than the preset entity distance, the steps include:

Step 1: If the entity distance between the tail entity of the current triplet and the head entity of the first triplet is greater than the preset entity distance, then perform step 2;

Step 2: replace the head entity of the first triple with the head entity of the second triple, sample the tail entity of the second triple to replace the tail entity of the first triple, and replace the The first triplet of is used as a negative sampling triplet; the second triplet is any triplet that has been linked in this type of domain name;

Step 3: judging whether the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is not greater than the preset entity distance;

Step 4: If the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is not greater than the preset entity distance, then connect the head entity of the negative sampling triplet to the current The tail entities of the triples are linked, and the negative sampling triples are used as the current triples;

Step 5: If the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is greater than the preset entity distance, return to step 2, and repeat steps 2 to 5 until the current three The entity distance between the tail entity of the tuple and the head entity of the negative sampling triple satisfies the preset entity distance.

In a possible implementation manner, the vectorization of entities and relationships of the fused DNS knowledge graph to obtain a DNS knowledge graph vector includes:

TransE algorithm is used to vectorize the entity and relationship of the fused DNS knowledge graph to obtain the DNS knowledge graph vector.

In a possible implementation manner, the knowledge map vector corresponding to the domain name is used as an input, and the preset label corresponding to the domain name is used as an output to train a neural network model to obtain an entity classification model, including:

The knowledge map vector corresponding to the domain name is used as an input, and the preset label corresponding to the domain name is used as an output to train the BiLSTM neural network, and the trained BiLSTM neural network model is used as the entity classification model.

In the second aspect, the present application provides a knowledge map-based entity classification system, which includes: an establishment module, a fusion module, a vectorization module, a training module, and a detection module;

The establishment module is configured to establish a DNS knowledge graph based on DNS hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name, and the preset label includes malicious and non-malicious;

The fusion module is configured to split the DNS knowledge graph into entities and relationships, and fuse the entities and the relationships according to entity attribute alignment to obtain a fused DNS knowledge graph;

The vectorization module is configured to vectorize entities and relationships of the fused DNS knowledge graph to obtain a DNS knowledge graph vector, wherein the DNS knowledge graph vector includes knowledge graph vectors corresponding to each domain name;

The training module is used to use the knowledge map vector corresponding to the domain name as an input, and use the preset label corresponding to the domain name as an output to train a neural network model to obtain an entity classification model;

The detection module is configured to classify and detect domain names according to the entity classification model.

In a third aspect, the present application provides a terminal, including a memory, a processor, and a computer program stored in the memory and operable on the processor. When the processor executes the computer program, the above-mentioned In one aspect, the steps of the method described in any possible implementation manner.

In a fourth aspect, the present application provides a computer-readable storage medium, the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the above-mentioned any possible implementation manner of the first aspect is implemented. steps of the method described above.

The present application provides a knowledge graph-based entity classification method, system, terminal, and storage medium, and establishes a DNS knowledge graph through DNS-based hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name, The preset labels include malicious and non-malicious, so that the domain name can correspond to the preset labels, and then the DNS knowledge map is split into entities and relationships, and the entities and relationships are fused according to the alignment of entity attributes to obtain the fused DNS Knowledge map, and then vectorize the entities and relationships of the fused DNS knowledge map to obtain the DNS knowledge map vector, wherein the DNS knowledge map vector includes the knowledge map vector corresponding to each domain name, and the knowledge map vector corresponding to the domain name is used as the input , use the preset label corresponding to the domain name as the output, train the neural network model, obtain the entity classification model, and classify and detect the domain name according to the entity classification model. In this way, domain name classification detection can be made more accurate, and the detection speed can be improved.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the accompanying drawings that need to be used in the descriptions of the embodiments or the prior art will be briefly introduced below. Obviously, the accompanying drawings in the following description are only for the present application For some embodiments, those of ordinary skill in the art can also obtain other drawings based on these drawings without paying creative efforts.

Fig. 1 is the implementation flowchart of the entity classification method based on knowledge map provided by the embodiment of the present application;

Fig. 2 is the embedding structure diagram of the entity classification method based on the knowledge map provided by the embodiment of the present application;

FIG. 3 is a detection structure diagram of a knowledge graph-based entity classification method provided in an embodiment of the present application;

Fig. 4 is a schematic structural diagram of an entity system based on a knowledge map provided by an embodiment of the present application;

FIG. 5 is a schematic diagram of a terminal provided by an embodiment of the present application.

Detailed ways

In the following description, specific details such as specific system structures and technologies are presented for the purpose of illustration rather than limitation, so as to thoroughly understand the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments without these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.

In order to make the purpose, technical solution and advantages of the present application clearer, specific embodiments will be described below in conjunction with the accompanying drawings.

Fig. 1 is the implementation flowchart of the entity classification method based on the knowledge map provided by the embodiment of the present application, which is described in detail as follows:

In S101, a DNS knowledge graph is established based on DNS hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name, and the preset labels include malicious and non-malicious.

Among them, DNS (Domain Name System, Domain Name System) is a service of the Internet. As a distributed database that maps domain names and IP addresses to each other, it can make it easier for people to access the Internet. DNS uses UDP port 53. Currently, the length limit for each level of domain name is 63 characters, and the total length of the domain name cannot exceed 253 characters.

The hierarchical relationship of DNS is a hierarchical relationship, which can be regarded as a tree structure. The domain name system does not distinguish between nodes in the tree and leaf nodes, but are collectively called nodes. Different nodes can use the same mark. All node tags can only be composed of 3 types of characters: 26 English letters (a~z), 10 Arabic numerals (0~9) and English hyphens (-), and the length of the tag must not exceed 22 characters. A node's domain name is composed of token connections from the node to all nodes of the root, separated by dots. The domain name of the top-level node is called the top-level domain name (TLD, Top-Level Domain), the domain name of the second-level node is called the second-level domain name, and so on.

The implementation process of DNS query resolution relationship includes:

First, according to the hierarchical structure of the Domain Name System domain name space, it is divided into different regions by subtrees, and each region can be regarded as a manageable power entity responsible for this part of the nodes in the hierarchy. For example, the top-level area of the entire domain is managed by ICANN, and some country domain names and their subordinate nodes constitute their own areas. For example, the .cn domain is managed by CNNIC. The .cn domain is divided into some smaller areas, for example, .fudan.edu.cn is managed by Fudan University Network Center.

Second, each zone must have a corresponding domain name server, and the information contained in each zone is stored on the domain name server. There can be two or more domain name servers in a zone, so that even if one domain name server fails, the other domain name server can still provide information normally. A domain name server can also govern multiple regions at the same time. After receiving the request from the user, the domain name server inquires its own resource record collection, and returns the final answer that the user wants to get, or when the desired answer cannot be found in its own resource record collection, returns a link pointing to another domain name server. pointer, the user will continue to make requests to that domain name server. Therefore, the domain name server does not need to record the information of all subordinate domain names and hosts. For the subdomain (if it exists), you only need to know the domain name server of the subdomain.

A resource record is a binding of a domain name to a value, which includes the following fields: domain name, value, type, category, and lifetime. The domain name field and the value field are used to represent the parsed content and the result returned by parsing, respectively. The type field represents the type of value: type A means that the value field is an IP address, which is the final answer that the user wants; type NS means that the value field is the domain name of another domain name server, and the domain name server can know how to resolve the domain name field. The specified domain name; the type CNAME means that the value field is an alias of the host specified by the domain name; the type MX means that the value field is the domain name of a mail server that receives mail for the domain specified by the domain name field; type PTR It is used for reverse resolution of domain names, etc. Classification fields allow specifying other record types. The lifetime field is used to indicate how long the resource record is valid. In order to reduce the domain name resolution time, the domain name server will cache some previously queried resource records from other domain name servers. Since these resource records will become invalid due to changes, the domain name server has set a lifetime, and expired resource records will be cleared out of the cache.

The root domain name server knows the domain name servers of all top-level domain names. Corresponding to each top-level domain name, it has two resource records: one is the NS resource record, the domain name field is the top-level domain name, and the value field is the name server of the top-level domain name resolution. The domain name; the other is an A resource record, which is used to indicate the IP address corresponding to the domain name of the domain name server. Using these two records comprehensively, you can know which IP address domain name server should continue to search for a certain domain name under the domain. The second-level domain name server similarly stores pointers to each third-level domain name server. A, CNAME, MX and other types of resource records will appear in the domain name server of the third layer. Each name server has an address record for the root name server.

Finally, a user who needs domain name resolution first sends the resolution request to the local domain name server. If the local domain name server can resolve, the result will be obtained directly, otherwise the local domain name server will send a request to the root domain name server. According to the pointer returned by the root domain name server, query the domain name server of the next layer, and so on, and finally obtain the IP address of the domain name to be resolved.

Knowledge map, known as knowledge domain visualization or knowledge domain mapping map in the library and information industry, is a series of different graphics showing the relationship between knowledge development process and structure, using visualization technology to describe knowledge resources and their carriers, mining, analyzing and constructing , Mapping and displaying knowledge and their interconnections.

Knowledge map is a combination of theories and methods of applied mathematics, graphics, information visualization technology, information science and other disciplines with metrology citation analysis, co-occurrence analysis and other methods, and uses the visual map to vividly display the core structure of the subject, Modern theories that develop history, frontier fields, and overall knowledge structure to achieve multidisciplinary integration. Knowledge graph, which can provide practical and valuable references for subject research.

The characteristics of the knowledge map include: the more users search and the wider the scope, the more information and content the search engine can obtain; giving new meaning to strings, not just strings; integrating all disciplines to facilitate Coherence when users search; find out more accurate information for users, make more comprehensive summaries and provide more in-depth relevant information; systematically display the knowledge system related to keywords to users; learn useful information from the entire Internet The information allows users to obtain more relevant public resources.

In the embodiment of the present application, a DNS knowledge map is established according to the DNS hierarchical relationship and query resolution relationship, wherein the DNS knowledge map includes at least one domain name and a preset label corresponding to the domain name.

In the embodiment of the present application, the preset labels include malicious labels and non-malicious labels, wherein the non-malicious label is a good label, which means that the domain name that owns the label is a good domain name, that is, a domain name that will not harm the network; a malicious label, It means that the domain name with this label is a bad domain name, that is, a domain name that will have a bad impact on the network.

In a possible implementation, the DNS knowledge map is established based on the hierarchical relationship and query resolution relationship of DNS, which may include:

Based on the hierarchical relationship of DNS, establish a DNS domain name hierarchical map, and add preset labels to the DNS domain name hierarchical map;

Based on DNS query analysis relationship, establish DNS query response graph and passive DNS graph;

Combine the DNS query response graph with the passive DNS graph to create a DNS flow graph and add preset labels to the DNS flow graph;

Combine DNS domain name hierarchical graph and DNS flow graph through rule alignment to establish DNS knowledge graph.

Among them, the DNS domain name hierarchical diagram is based on the hierarchical relationship of DNS, and is established through the structure and hierarchical characteristics of the domain name itself. Add preset labels to each domain name.

The DNS query response graph and the passive DNS graph are based on the DNS query resolution relationship, which is established according to the DNS request process. Then, according to the established DNS query response graph and passive DNS graph, combine the two to obtain a DNS flow graph, and add a preset label to each domain name in the DNS flow graph.

Among them, in the DNS domain name hierarchical diagram and the DNS flow diagram, the main common point that can be found is domain name information. The Qname attribute of the query part in the DNS flow graph is closely related to the domain name information.

Through the rule alignment method, the DNS domain name hierarchical graph and the DNS flow graph are combined to obtain the DNS knowledge graph.

In S102, the DNS knowledge graph is split into entities and relationships, and the entities and relationships are fused according to entity attribute alignment to obtain a fused DNS knowledge graph.

In the embodiment of the present application, the entity attribute alignment method is adopted to fuse the DNS knowledge graph to obtain the fused DNS knowledge graph.

Among them, the alignment of entity attributes is a method to connect different subgraphs in the same way that entities and attribute values are the same.

In a possible implementation, the entity may include a head entity and a tail entity;

Split the DNS knowledge graph into entities and relationships, and fuse the entities and relationships according to the alignment of entity attributes to obtain the fused DNS knowledge graph, which can specifically include:

Using the triplet method, the client IP address of the DNS knowledge graph is used as the head entity, the Qname attribute of the DNS knowledge graph is used as the relationship, and the domain name of the DNS knowledge graph is used as the tail entity;

Through the alignment of entity attributes, the head entity, relationship and tail entity are fused to obtain the fused DNS knowledge graph.

Among them, a triple refers to a set of the shape ((x, y), z), often abbreviated as (x, y, z). It is mainly a compression method used to store sparse matrices, also called triple table. Assuming that the triple table is represented by a sequential storage structure, a compressed storage method of the sparse matrix is obtained, that is, the triple table, referred to as the triple table. Due to its own sparse nature, the memory cost of sparse matrices can be greatly saved through compression. The specific operation is: form a triplet (i, j, v) with the row, column and its value of the non-zero element, and then store these triplets according to a certain rule. This method can save storage space.

In the embodiment of the present application, according to the introduction of the above triples, it can be known that x is equivalent to the head entity, y is equivalent to the relationship, and z is equivalent to the tail entity.

Using the triplet method, the client IP address in the DNS flow graph in the DNS knowledge graph is used as the head entity, and the Qname attribute in the DNS flow graph in the DNS knowledge graph is used as the relationship, and the DNS domain name in the DNS knowledge graph is divided into The corresponding domain name of the layer map is used as the tail entity, that is, according to the head entity + relationship = tail entity in the triplet mode, the client IP address + Qname attribute in the DNS flow diagram = the corresponding domain name of the DNS domain name hierarchical map, so that it is guaranteed This ensures the consistency of the entire DNS knowledge graph. Through entity attribute alignment, the client IP address, Qname attribute in the DNS flow graph and the corresponding domain name in the DNS domain name hierarchical graph are fused to obtain the fused DNS knowledge graph.

In a possible implementation, the DNS knowledge graph includes triples corresponding to at least one type of domain name, and the entities and relationships of the fused DNS knowledge graph are vectorized, and the obtained DNS knowledge graph vector includes:

For each type of domain name, arbitrarily select the head entity of a triple in this type of domain name as the starting node, and calculate the entity distance between the tail entity of the current triple and the head entity of the first triple;

Judging whether the entity distance between the tail entity of the current triple group and the head entity of the first triple group is not greater than the preset entity distance;

If the entity distance between the tail entity of the current triple group and the head entity of the first triple group is not greater than the preset entity distance, link the head entity of the first triple group with the tail entity of the current triple group, and take the first triplet as the current triplet;

Repeat the current step until the head entity of the current triple is the starting node, and obtain the entity and relationship of the domain name;

Vectorize the entities and relationships corresponding to each domain name to obtain the knowledge graph vector corresponding to each domain name;

Wherein, the first triplet is an unlinked triplet among the triplets corresponding to this type of domain name.

In the embodiment of this application, the entity between DNS knowledge graphs adopts the concept of distance, and using the characteristics of directed graphs, the process of obtaining the entities and relationships of domain names includes: for each type of domain name, arbitrarily selecting one of the domain names of this type The head entity of the triplet is used as the starting node, and the preset entity distance is set to calculate the entity distance between the tail entity of the current triplet and the head entity of the first triplet, by judging the tail entity of the current triplet Whether the entity distance from the head entity of the first triple is not greater than the preset entity distance, if not, link the head entity of the first triple with the tail entity of the current triple, and link the A triplet is used as the current triplet, and the above operations are repeated until the head entity of the current triplet is the starting node, and the entities and relationships of the domain name are obtained.

Then, vectorize the entities and relationships corresponding to each domain name to obtain the knowledge graph vector corresponding to each domain name.

For example, for a certain type of domain name, this type of domain name contains domain names A, B, C, and D. Here, the default entity distance is set to 1, and the head entity of domain name A is the starting node, then the next domain name of domain name A is searched. , when it is determined to be domain name B, then calculate the entity distance between the tail entity of domain name A and the head entity of domain name B, when the entity distance is not greater than 1, link the head entity of domain name B with the tail entity of domain name A, Use domain name B as the current domain name, and look for the next domain name until domain name D is the last domain name, and calculate the entity distance between the tail entity of domain name D and the head entity of domain name A, if the entity distance is not greater than 1, It is considered that the calculation of this type of domain name is completed, and the entity and relationship of the domain name are obtained.

In a possible implementation manner, after judging whether the entity distance between the tail entity of the current triplet and the head entity of the first triplet is not greater than the preset entity distance, the steps include:

Step 1: If the entity distance between the tail entity of the current triplet and the head entity of the first triplet is greater than the preset entity distance, then perform step 2;

Step 2: Use the head entity of the second triplet to replace the head entity of the first triplet, sample the tail entity of the second triplet to replace the tail entity of the first triplet, and replace the first triplet The tuple is used as a negative sampling triplet; the second triplet is any triplet that has been linked in this type of domain name;

Step 3: Determine whether the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is not greater than the preset entity distance;

Step 4: If the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is not greater than the preset entity distance, then the head entity of the negative sampling triplet and the tail entity of the current triplet are linked, and take the negative sampled triplet as the current triplet;

Step 5: If the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is greater than the preset entity distance, return to step 2 and repeat steps 2 to 5 until the current triplet The entity distance between the tail entity of and the head entity of the negative sampling triple satisfies the preset entity distance.

In the embodiment of this application, if some entities cannot be linked after the entity distance calculation is completed, that is, the entity distance between the tail entity of the current triplet and the head entity of the first triplet is greater than the preset entity distance, the distance between the two is considered to be infinite.

In the embodiment of the present application, in the process of triplet training, the head entity and tail entity of the second triplet are randomly selected to replace the head entity and tail entity of the first triplet respectively, and the replaced first triplet The triplet is used as a negative sampling triplet, where the second triplet is any triplet that has been linked in this type of domain name, and then judge the tail entity of the current triplet and the head of the negative sampling triplet Whether the preset distance between entities is not greater than the preset entity distance, if not, link the head entity of the negative sampling triplet with the tail entity of the current triplet, and use the negative sampling triplet as The current triplet; if it is greater than, re-select the linked triplet group to replace the first triplet until the tail entity of the current triplet is between the head entity of the replaced negative sampling triplet The entity distance of is not greater than the preset distance.

For example, for a certain type of domain name, this type of domain name contains domain names A, B, C, and D. Here, the default entity distance is set to 1, and the head entity of domain name A is the starting node, then the next domain name of domain name A is searched. , when it is determined to be domain name B, then calculate the entity distance between the tail entity of domain name A and the head entity of domain name B as 15, when the entity distance is greater than 1, it is considered that the distance between the tail entity of domain name A and the head entity of domain name B The distance is infinite, choose a domain name C, the domain name C is a domain name that has been linked, replace the head entity of domain name C with the head entity of domain name B, replace the tail entity of domain name C with the tail entity of domain name B, Use the replaced domain name B as a negative sampling triplet, and calculate the entity distance between the tail entity of the domain name A and the head entity of the negative sampling triplet as 0.7, and if the entity distance is less than 1, then the replaced negative sampling triplet The head entity of the tuple is linked with the tail entity of the domain name A, and the negative sampling triplet is used as the current triplet; if the selected domain name C replaces the domain name B, the negative sampling triplet obtained after replacing the domain name B still cannot meet the requirements, Then re-select until the requirements are met.

In the embodiment of this application, it is necessary to perform data processing on the fused DNS knowledge map, mainly to filter some repeated and redundant data in the DNS knowledge map, to merge the same entities, and to add some Features such as frequency and duration make the data in the fused DNS knowledge graph cleaner. For example, the host initiates requests to the www.google.com domain name at different time periods, and the request parameters are the same, it is considered that the two requests are the same, and such requests are merged. However, this operation will not affect the data content of the fused DNS knowledge graph.

In S103, vectorize entities and relationships of the fused DNS knowledge graph to obtain a DNS knowledge graph vector, wherein the DNS knowledge graph vector includes knowledge graph vectors corresponding to each domain name.

In a possible implementation manner, the entities and relationships of the fused DNS knowledge graph are vectorized to obtain a DNS knowledge graph vector, including:

The TransE algorithm is used to vectorize the entities and relationships of the fused DNS knowledge graph to obtain the DNS knowledge graph vector.

Among them, the TransE algorithm is an algorithm used to represent the embedded representation of nodes and relationships in the graph structure. It is based on the distributed vector representation of entities and relationships. The algorithm is inspired by word2vec and uses the translation invariance of word vectors.

In the embodiment of the present application, the TransE algorithm is used to vectorize the entities and relationships of the fused DNS knowledge graph to obtain DNS knowledge graph vectors, which serve as the basis for subsequent training of the neural network model.

Specifically, referring to Figure 2, since the TransE algorithm is an algorithm for embedding representations, the process consists of two parts, one part is triplet embedding, and the other part is attribute embedding, and attribute embedding is implemented according to triplets. For the triplet embedding part, the TransE algorithm is used for training, and the training goal is to make the head entity + relation = tail entity as much as possible. Since the head entity or tail entity is randomly replaced, however, in the DNS knowledge map in the embodiment of this application, it may cause the problem that the randomly replaced entity is very close to the entity being trained. During the training process, we found that the replaced There may be only one entity between the entity and the entity currently being trained. The main reason is that the result of graph fusion based on regular alignment will reduce the distance between a large number of entities, or it may connect entities that are not the same.

In S104, the knowledge map vector corresponding to the domain name is used as an input, and the preset label corresponding to the domain name is used as an output to train a neural network model to obtain an entity classification model.

In a possible implementation, the knowledge map vector corresponding to the domain name is used as an input, and the preset label corresponding to the domain name is used as an output to train a neural network model to obtain an entity classification model, including:

The knowledge map vector corresponding to the domain name is used as the input, and the preset label corresponding to the domain name is used as the output to train the BiLSTM neural network, and the trained BiLSTM neural network model is used as the entity classification model.

In the embodiment of the present application, the training model obtained by training the BiLSTM neural network is used as the entity classification model.

Among them, BiLSTM (Bi-directional Long Short-Term Memory, two-way long and short-term memory network), which is composed of forward LSTM and backward LSTM, is used to process context information. In LSTM, there is a code that cannot use information from the back to the front. This is due to the serial structure of the LSTM structure itself. The result is that when performing some fine-grained classification tasks, the learning ability for interaction is weaker. BiLSTM consists of a forward LSTM using past information and a backward LSTM using future information. Each node in BiLSTM is an LSTM neuron. During the training process, each training sequence is divided into two independent recurrent neural networks, forward and backward, and finally connected to the same output layer. The detection module will eventually use BiLSTM for feature extraction. At the current moment, two-way information can be used at the same time, so it will be more accurate than the one-way LSTM prediction.

Wherein, the input volume of the BiLSTM neural network is in the form of a vector, so in the embodiment of the present application, the knowledge map vector corresponding to the domain name is used as the input volume of the BiLSTM neural network.

In the embodiment of this application, the knowledge map vector corresponding to the domain name is used as the input of the BiLSTM neural network, and the preset label corresponding to the domain name is used as the output of the BiLSTM neural network to train the BiLSTM neural network, and the trained BiLSTM neural network The network model acts as an entity classification model.

Specifically, the knowledge map vector corresponding to the domain name is used as the input of the BiLSTM neural network, and the malicious or non-malicious label corresponding to the domain name is used as the output of the BiLSTM neural network to train the BiLSTM neural network to obtain an entity classification model.

Specifically, referring to Figure 3, the entity classification model sequentially passes through the BiLSTM layer, Attention layer, Dropout layer, Flatten layer, Dense layer, and Softmax layer, and finally outputs the detection result. The explanation of each layer is as follows:

The main function of the BiLSTM layer is to be able to learn the context of the vector in the sequence, including the forward vector and the backward vector, so as to better extract features for classification.

The Attention layer was first used in image processing. The goal is to place the computer's attention on the places that need attention in the image when processing the image. That is to say, the attention distribution of each scene in the image is different. It can be considered that the weight of some pixels will be greater than the weight of other pixels. However, in the training of text sequences, there will be certain problems. First of all, when the input sequence length is extremely long, it is difficult for the model to perform better vector representation. Secondly, when the sequence is input, all contexts will be compressed to a certain fixed length as the sequence progresses, resulting in limited model capabilities. The implementation mechanism of Attention is to retain the coding results of the BiLSTM layer, and then selectively learn these inputs and associate the output sequence with them.

The Dropout layer is equivalent to randomly generating small models in the overall network to simulate integrated learning. The direct effect is to reduce the number of intermediate features and reduce redundancy, so as to increase the orthogonality between the features of each layer. During model training, it is shown that some nodes are randomly output to zero, and the weights are not updated at the same time. The parameter of this layer is mainly a probability, which means that the node is stopped with this probability. The function of adding the Dropout layer is to be able to prevent model overfitting.

The function of the Flatten layer is to convert multi-dimensional vectors into one-dimensional vectors without affecting the size of the batch.

The Dense layer is the most commonly used fully connected layer. The purpose of the fully connected layer is to perform a nonlinear transformation on the output of the upper layer.

The Softmax layer finally maps multiple scalars to a probability distribution such that its output returns between (0, 1). Through the output of the Softmax function, the detection of the entire module is completed.

In S105, the domain name is classified and detected according to the entity classification model.

According to the entity classification model trained in S104, input the knowledge graph vector corresponding to the domain name to be detected into the entity classification model, perform domain name classification detection, and finally output whether malicious or non-malicious, that is, the domain name to be detected is a malicious domain name Or a non-malicious domain name.

The present application provides a knowledge graph-based entity classification method, which establishes a DNS knowledge graph through DNS-based hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name, and the preset labels include malicious and non- Malicious, you can realize that the domain name corresponds to the preset label, then split the DNS knowledge graph into entities and relationships, and fuse the entities and relationships according to the alignment of entity attributes to obtain the fused DNS knowledge graph, and then analyze the fused DNS knowledge graph. The entities and relationships of the DNS knowledge graph are vectorized to obtain the DNS knowledge graph vector. The DNS knowledge graph vector includes the knowledge graph vector corresponding to each domain name. The knowledge graph vector corresponding to the domain name is used as input, and the domain name corresponds to the preset The label is used as the output, and the neural network model is trained to obtain the entity classification model, and the domain name is classified and detected according to the entity classification model. In this way, domain name classification detection can be made more accurate, and the detection speed can be improved.

It should be understood that the sequence numbers of the steps in the above embodiments do not mean the order of execution, and the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation to the implementation process of the embodiment of the present application.

The following are system embodiments of the present application, and for details that are not exhaustively described therein, reference may be made to the corresponding method embodiments above.

Figure 4 shows a schematic structural diagram of a knowledge graph-based entity classification system provided by the embodiment of the present application. For the convenience of illustration, only the parts related to the embodiment of the present application are shown, and the details are as follows:

As shown in Figure 4, the entity classification system 4 based on the knowledge map includes: an establishment module 41, a fusion module 42, a vectorization module 43, a training module 44 and a detection module 45;

The establishment module 41 is used to establish a DNS knowledge graph based on DNS hierarchical relationships and query resolution relationships, wherein the DNS knowledge graph includes at least one preset label corresponding to a domain name, and the preset label includes malicious and non-malicious;

The fusion module 42 is used to split the DNS knowledge graph into entities and relationships, and fuse the entities and relationships according to the alignment of entity attributes to obtain the fused DNS knowledge graph;

A vectorization module 43, configured to vectorize entities and relationships of the fused DNS knowledge graph to obtain a DNS knowledge graph vector, wherein the DNS knowledge graph vector includes knowledge graph vectors corresponding to each domain name;

The training module 44 is used to use the knowledge map vector corresponding to the domain name as an input, and use the preset label corresponding to the domain name as an output to train a neural network model to obtain an entity classification model;

The detection module 45 is configured to classify and detect domain names according to the entity classification model.

The present application provides a knowledge graph-based entity classification system, which establishes a DNS knowledge graph through DNS-based hierarchical relationships and query resolution relationships. The DNS knowledge graph includes at least one preset label corresponding to a domain name, and the preset labels include malicious and non- Malicious, you can realize that the domain name corresponds to the preset label, then split the DNS knowledge graph into entities and relationships, and fuse the entities and relationships according to the alignment of entity attributes to obtain the fused DNS knowledge graph, and then analyze the fused DNS knowledge graph. The entities and relationships of the DNS knowledge graph are vectorized to obtain the DNS knowledge graph vector. The DNS knowledge graph vector includes the knowledge graph vector corresponding to each domain name. The knowledge graph vector corresponding to the domain name is used as input, and the domain name corresponds to the preset The label is used as the output, and the neural network model is trained to obtain the entity classification model, and the domain name is classified and detected according to the entity classification model. In this way, domain name classification detection can be made more accurate, and the detection speed can be improved.

In a possible implementation, the establishment module 41 can specifically be used for:

Based on the hierarchical relationship of DNS, establish a DNS domain name hierarchical map, and add preset labels to the DNS domain name hierarchical map;

Based on DNS query analysis relationship, establish DNS query response graph and passive DNS graph;

Combine the DNS query response graph with the passive DNS graph to create a DNS flow graph and add preset labels to the DNS flow graph;

Combine DNS domain name hierarchical graph and DNS flow graph through rule alignment to establish DNS knowledge graph.

In a possible implementation manner, entities may include a head entity and a tail entity.

In a possible implementation manner, the fusion module 42 can specifically be used for:

Using the triplet method, the client IP address of the DNS knowledge graph is used as the head entity, the Qname attribute of the DNS knowledge graph is used as the relationship, and the domain name of the DNS knowledge graph is used as the tail entity;

Through the alignment of entity attributes, the head entity, relationship and tail entity are fused to obtain the fused DNS knowledge graph.

In a possible implementation, the DNS knowledge graph includes triples corresponding to at least one type of domain name, and the vectorization module 43 can specifically be used for:

For each type of domain name, arbitrarily select the head entity of a triple in this type of domain name as the starting node, and calculate the entity distance between the tail entity of the current triple and the head entity of the first triple;

Judging whether the entity distance between the tail entity of the current triple group and the head entity of the first triple group is not greater than the preset entity distance;

If the entity distance between the tail entity of the current triple group and the head entity of the first triple group is not greater than the preset entity distance, link the head entity of the first triple group with the tail entity of the current triple group, and take the first triplet as the current triplet;

Repeat the current step until the head entity of the current triple is the starting node, and obtain the entity and relationship of the domain name;

Vectorize the entities and relationships corresponding to each domain name to obtain the knowledge graph vector corresponding to each domain name;

Wherein, the first triplet is an unlinked triplet among the triplets corresponding to this type of domain name.

In a possible implementation, the vectorization module 43 can also be used for:

Step 1: If the entity distance between the tail entity of the current triplet and the head entity of the first triplet is greater than the preset entity distance, then perform step 2;

Step 2: Use the head entity of the second triplet to replace the head entity of the first triplet, sample the tail entity of the second triplet to replace the tail entity of the first triplet, and replace the first triplet The tuple is used as a negative sampling triplet; the second triplet is any triplet that has been linked in this type of domain name;

Step 3: Determine whether the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is not greater than the preset entity distance;

Step 4: If the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is not greater than the preset entity distance, then the head entity of the negative sampling triplet and the tail entity of the current triplet are linked, and take the negative sampled triplet as the current triplet;

Step 5: If the entity distance between the tail entity of the current triplet and the head entity of the negative sampling triplet is greater than the preset entity distance, return to step 2 and repeat steps 2 to 5 until the current triplet The entity distance between the tail entity of and the head entity of the negative sampling triple satisfies the preset entity distance.

In a possible implementation, the vectorization module 43 can also be used for:

The TransE algorithm is used to vectorize the entities and relationships of the fused DNS knowledge graph to obtain the DNS knowledge graph vector.

In a possible implementation, the training module 44 can specifically be used for:

The knowledge map vector corresponding to the domain name is used as the input, and the preset label corresponding to the domain name is used as the output to train the BiLSTM neural network, and the trained BiLSTM neural network model is used as the entity classification model.

FIG. 5 is a schematic diagram of a terminal provided by an embodiment of the present application. As shown in FIG. 5 , the terminal 5 of this embodiment includes: a processor 50 , a memory 51 , and a computer program 52 stored in the memory 51 and operable on the processor 50 . When the processor 50 executes the computer program 52, it implements the steps in the above embodiments of the knowledge graph-based entity classification method, such as S101 to S105 shown in FIG. 1 . Alternatively, when the processor 50 executes the computer program 52, the functions of the modules/units in the above-mentioned system embodiments are implemented, for example, the functions of the modules 41 to 45 shown in FIG. 4 .

Exemplarily, the computer program 52 can be divided into one or more modules/units, and the one or more modules/units are stored in the memory 51 and executed by the processor 50 to complete this application. The one or more modules/units may be a series of computer program instruction segments capable of accomplishing specific functions, and the instruction segments are used to describe the execution process of the computer program 52 in the terminal 5 . For example, the computer program 52 can be divided into the modules 41 to 45 shown in FIG. 4 .

The terminal 5 may be a computing device such as a desktop computer, a notebook, a palmtop computer, or a cloud server. The terminal 5 may include, but not limited to, a processor 50 and a memory 51 . Those skilled in the art can understand that FIG. 5 is only an example of the terminal 5, and does not constitute a limitation on the terminal 5. It may include more or less components than those shown in the illustration, or combine some components, or different components, such as The terminal may also include an input and output device, a network access device, a bus, and the like.

The so-called processor 50 may be a central processing unit (Central Processing Unit, CPU), and may also be other general-purpose processors, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.

The storage 51 may be an internal storage unit of the terminal 5 , such as a hard disk or a memory of the terminal 5 . The memory 51 may also be an external storage device of the terminal 5, such as a plug-in hard disk equipped on the terminal 5, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, Flash Card (Flash Card), etc. Further, the memory 51 may also include both an internal storage unit of the terminal 5 and an external storage device. The memory 51 is used to store the computer program and other programs and data required by the terminal. The memory 51 can also be used to temporarily store data that has been output or will be output.

Those skilled in the art can clearly understand that for the convenience and brevity of description, only the division of the above-mentioned functional units and modules is used for illustration. In practical applications, the above-mentioned functions can be assigned to different functional units, Completion of modules means that the internal structure of the device is divided into different functional units or modules to complete all or part of the functions described above. Each functional unit and module in the embodiment may be integrated into one processing unit, or each unit may exist separately physically, or two or more units may be integrated into one unit, and the above-mentioned integrated units may adopt hardware It can also be implemented in the form of software functional units. In addition, the specific names of the functional units and modules are only for the convenience of distinguishing each other, and are not used to limit the protection scope of the present application. For the specific working process of the units and modules in the above system, reference may be made to the corresponding process in the foregoing method embodiments, and details will not be repeated here.

In the above-mentioned embodiments, the descriptions of each embodiment have their own emphases, and for parts that are not detailed or recorded in a certain embodiment, refer to the relevant descriptions of other embodiments.

Those skilled in the art can appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.

In the embodiments provided in this application, it should be understood that the disclosed device/terminal and method may be implemented in other ways. For example, the device/terminal embodiments described above are only illustrative. For example, the division of the modules or units is only a logical function division. In actual implementation, there may be other division methods, such as multiple units or Components may be combined or integrated into another system, or some features may be omitted, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.

If the integrated module/unit is realized in the form of a software function unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments in the present application can also be completed by instructing related hardware through computer programs. The computer programs can be stored in a computer-readable storage medium, and the computer When the program is executed by the processor, the steps in the above embodiments of the knowledge graph-based entity classification method can be realized. Wherein, the computer program includes computer program code, and the computer program code may be in the form of source code, object code, executable file or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, and a read-only memory (Read-Only Memory, ROM) , random access memory (Random Access Memory, RAM), electric carrier signal, telecommunication signal and software distribution medium, etc. It should be noted that the content contained in the computer-readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction. For example, in some jurisdictions, computer-readable media Excluding electrical carrier signals and telecommunication signals.

The above-described embodiments are only used to illustrate the technical solutions of the present application, rather than to limit them; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still implement the foregoing embodiments Modifications to the technical solutions described in the examples, or equivalent replacements for some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the application, and should be included in the Within the protection scope of this application.

Claims (10)

1. A method for classifying entities based on knowledge graph is characterized by comprising the following steps:

establishing a DNS (domain name system) knowledge graph based on a hierarchical relation and a query analysis relation of a DNS, wherein the DNS knowledge graph comprises preset labels corresponding to at least one domain name, and the preset labels comprise malice and non-malice;

splitting the DNS knowledge graph into entities and relations, and fusing the entities and the relations according to an entity attribute alignment mode to obtain a fused DNS knowledge graph;

vectorizing the entities and the relations of the fused DNS knowledge graph to obtain DNS knowledge graph vectors, wherein the DNS knowledge graph vectors comprise knowledge graph vectors corresponding to all domain names;

training a neural network model by taking the knowledge graph vector corresponding to the domain name as an input quantity and taking a preset label corresponding to the domain name as an output quantity to obtain an entity classification model;

and carrying out classification detection on the domain name according to the entity classification model.

2. The method of classifying entities based on a knowledge-graph of claim 1, wherein the establishing a DNS knowledge-graph based on a DNS hierarchy relationship and a query resolution relationship comprises:

establishing a DNS domain name hierarchical diagram based on the hierarchical relationship of DNS, and adding the preset label to the DNS domain name hierarchical diagram;

establishing a DNS query response graph and a passive DNS graph based on the query resolution relation of the DNS;

combining the DNS query response graph with the passive DNS graph to establish a DNS flow graph, and adding the preset label to the DNS flow graph;

and combining the DNS domain name hierarchical diagram with the DNS flow diagram in a rule alignment mode to establish the DNS knowledge graph.

3. The method of knowledge-graph-based entity classification of claim 1, wherein the entities comprise head entities and tail entities;

the splitting of the DNS knowledge graph into entities and relations and the fusion of the entities and the relations according to an entity attribute alignment mode to obtain a fused DNS knowledge graph comprises the following steps:

using a triple mode to take the IP address of the client of the DNS knowledge graph as the head entity, the Qname attribute of the DNS knowledge graph as the relation, and the domain name of the DNS knowledge graph as the tail entity;

and fusing the head entity, the relation and the tail entity in an entity attribute alignment mode to obtain a fused DNS knowledge graph.

4. The method for classifying entities based on a knowledge graph according to claim 1, wherein the DNS knowledge graph includes triples corresponding to at least one class of domain name, and the vectorizing of the entities and relationships of the fused DNS knowledge graph to obtain DNS knowledge graph vectors includes:

for each type of domain name, randomly selecting a head entity of a triple in the type of domain name as an initial node, and calculating an entity distance between a tail entity of a current triple and a head entity of a first triple;

judging whether the entity distance between the tail entity of the current triple and the head entity of the first triple is not greater than a preset entity distance;

if the entity distance between the tail entity of the current triple and the head entity of the first triple is not larger than the preset entity distance, the head entity of the first triple is linked with the tail entity of the current triple, and the first triple is used as the current triple;

repeating the current step until the head entity of the current triple is the starting node to obtain the entity and the relation of the domain name;

vectorizing the entities and the relations corresponding to the domain names to obtain knowledge map vectors corresponding to the domain names;

the first triple is a triple which is not linked in the triple corresponding to the class domain name.

5. The method of claim 4, wherein after determining whether the entity distance between the tail entity of the current triplet and the head entity of the first triplet is not greater than the predetermined entity distance, the method further comprises:

the method comprises the following steps: if the entity distance between the tail entity of the current triple and the head entity of the first triple is larger than the preset entity distance, executing the second step;

step two: replacing the head entity of the first triple by the head entity of the second triple, sampling the tail entity of the second triple to replace the tail entity of the first triple, and taking the replaced first triple as a negative sampling triple; the second triple is any one triple linked in the domain name;

step three: judging whether the entity distance between the tail entity of the current triple and the head entity of the negative sampling triple is not greater than a preset entity distance;

step four: if the entity distance between the tail entity of the current triple and the head entity of the negative sampling triple is not greater than the preset entity distance, linking the head entity of the negative sampling triple and the tail entity of the current triple, and taking the negative sampling triple as the current triple;

step five: and if the entity distance between the tail entity of the current triple and the head entity of the negative sampling triple is greater than the preset entity distance, returning to the step two, and repeatedly executing the step two to the step five until the entity distance between the tail entity of the current triple and the head entity of the negative sampling triple meets the preset entity distance.

6. The method for classifying entities based on a knowledge graph according to claim 1, wherein vectorizing the entities and relationships of the fused DNS knowledge graph to obtain DNS knowledge graph vectors comprises:

and vectorizing the entity and the relation of the fused DNS knowledge graph by adopting a TransE algorithm to obtain the DNS knowledge graph vector.

7. The method for classifying entities based on a knowledge graph according to claim 1, wherein the training of a neural network model with the knowledge graph vector corresponding to the domain name as an input quantity and a preset label corresponding to the domain name as an output quantity to obtain an entity classification model comprises:

and taking the knowledge map vector corresponding to the domain name as an input quantity, taking a preset label corresponding to the domain name as an output quantity, training the BilSTM neural network, and taking the trained BilSTM neural network model as the entity classification model.

8. A system for classification of entities based on a knowledge-graph, the system comprising: the system comprises an establishing module, a fusion module, a vectorization module, a training module and a detection module;

the establishing module is used for establishing a DNS (domain name system) knowledge map based on a hierarchical relation and a query analysis relation of a DNS, wherein the DNS knowledge map comprises preset labels corresponding to at least one domain name, and the preset labels comprise malice and non-malice;

the fusion module is used for splitting the DNS knowledge graph into entities and relations and fusing the entities and the relations according to an entity attribute alignment mode to obtain a fused DNS knowledge graph;

the vectorization module is used for vectorizing the entity and the relation of the fused DNS knowledge graph to obtain a DNS knowledge graph vector, wherein the DNS knowledge graph vector comprises a knowledge graph vector corresponding to each domain name;

the training module is used for training a neural network model by taking the knowledge map vector corresponding to the domain name as an input quantity and taking a preset label corresponding to the domain name as an output quantity to obtain an entity classification model;

and the detection module is used for carrying out classification detection on the domain name according to the entity classification model.

9. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor when executing the computer program performs the steps of the method for knowledgegraph-based entity classification of any of claims 1 to 7 above.

10. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for knowledge-graph based entity classification of any one of claims 1 to 7 above.

Images