融合字符级滑动窗口和深度残差网络的僵尸网络DGA域名检测方法

doi:10.12263/DZXB.20200619

摘要/Abstract

摘要：

本文提出了一种基于字符级滑动窗口的深度残差网络（Sliding Window-Depth Residual Network，SW-DRN），首次将轻量级深度可分离式卷积应用于僵尸网络中DGA（Domain Generation Algorithm）域名检测.SW-DRN采用深度可分离式卷积，相比标准卷积减少了约56%的参数，增强了模型检测效率.采集两种不同来源的数据，分别命名为Real-Dataset和Gen-Dataset.SW-DRN与对照组模型在两个数据集上进行实验，实验结果表明：SW-DRN模型在DGA域名二分类任务中的F-Score评估指标上分别取得了99.23%和97.81%的成绩；并且在少样本DGA域名家族以及域名字符串易混淆DGA域名情形下多分类任务中取得不错的成绩，相比目前已有的DGA域名分类模型在总体F-Score上提升了1.23%和1.01%的性能，增强了DGA域名家族之间的识别；同时还对所提出的模型在生成对抗模型产生域名进行测试，均能得到有效的识别.

长摘要
针对当前的网络安全态势逐渐加剧的，大量僵尸主机构成的僵尸网络威胁着整个互联网的稳定，僵尸网络控制依靠 DGA (Domain Generation Algorithm)域名解析连接，而目前的DGA域名检测模型性能不足以及在多分类任务中对小样本DGA域名识别率低下和对高随机性、易混淆的DGA域名识别困难的情况下，提出了一种基于字符级滑动窗口的深度残差网络模型(SW-DRN, Sliding Window-Depth Residual Network)。首先，为了增加实验可靠性采集两种不同来源的数据，收集来自互联网中真实DGA域名数据集；其次对获取的域名数据集进行欠采样缓和数据不平衡处理以及域名字符串用字符级编码向量表示；然后把字符级编码向量依次输入到提出的SW-DRN模型中，接着用多尺寸滑动窗口感知不同的特征图后汇入可变长的深度残差神经网络进行复杂、抽象的特征提取；最后通过在数据集上与先前研究人员所提出DGA域名检测模型进行对比实验。实验结果表明：提出的SW-DRN模型在DGA域名二分类任务中的F-Score评估指标上分别取得了99.19%和97.71%良好的成绩；而且在小样本DGA域名家族以及域名字符串高随性、易混淆DGA域名情形下多分类任务中取得了惊人的成绩，相比目前已有DGA域名分类模型在macro F-Score上做出了3.34%和4.8%性能上的提升；提出SW-DRN模型不仅提高了DGA域名分类性能，同时还为小样本的DGA域名家族识别提供一种新的研究方法。

关键词: 域名生成算法, 字符级向量, 残差网络, 深度可分离式卷积

Abstract:

This paper proposed a character-level sliding window based deep residual network model SW-DRN (Sliding Window-Depth Residual Network), which was the first to apply light depthwise separable convolution to the DGA(Domain Generation Algorithm) domain name detection. In SW-DRN, the use of depthwise separable convolution reduced the number of model parameters by about 56% compared with standard convolution, which enhanced the efficiency of model detection. Collect data from two different sources, named Real-Dataset and Gen-Dataset. Finally, comparison experiments on the dataset with the proposed DGA domain name detection model by previous researchers. Experimental results on two datasets show that the proposed SW-DRN model has achieved good results of 99.23% and 97.81% on the F-Score evaluation indicator in the DGA domain name binary classification task. Compared with the existing DGA domain name classification model, the SW-DRN has made a 1.23% and 1.01% performance improvement on the F-Score, enhancing the DGA domain name family recognition. At the same time, the proposed model tests in the generative adversarial networks to generate domain names, and it can be effectively identified.

Extended Abstract
In view of the current situation of network security, consisting of a large number of bots botnet threatens the stability of the entire Internet, botnet control relies on the DGA (Domain Generation Algorithm) domain name resolution (DNS) connections, on which the DGA domain detection model and performance of small sample in the classification task more DGA domain name recognition rate is low and the high randomness, it is easy to confuse the DGA domain name recognition difficult circumstances. This paper presents a new kind of SW-DRN (Sliding Window-Depth residual network) model based on character-level sliding windows. First of all, in order to increase the reliability of the experiment, data from two different sources are collected. Dataset 01 is defined as a real DGA domain name from the Internet. Meanwhile, Dataset 02 is synthesized by the algorithm of DGA domain name. Secondly, the data set of acquired domain name is under-sampled to mitigate data imbalance and the domain name string is represented by character coding vector. The character-level coding vectors are successively input into the proposed SW-DRN model. The model reduces the computational burden of the model by embedding layer to compress character encoding vector dimension. Then the multi-size sliding window is used to perceive different feature graphs and then the feature is merged into the variable length depth residual neural network for complex and abstract feature extraction. Finally, compared with the DGA domain name detection model proposed by previous researchers through the data set. The experimental results show that the proposed SW-DRN model achieves 99.19% and 97.71% good performance in the F-Score evaluation index of DGA domain name binary classification task. Moreover, in the case of small sample DGA domain name families and domain name strings with high randomness and confusion, the multi-classification task has achieved amazing results. Compared with the existing DGA domain name classification model, the performance of macro F-Score has improved by 3.34% and 4.8%. It greatly enhances the category recognition between DGA domain names. The proposed SW-DRN model not only improves the classification performance of DGA domain names. It also provides a new method for small sample DGA domain name identification.

Key words: domain generation algorithm, character-level vector, residual network, depthwise separable convolution

中图分类号:

TN915

刘小洋, 刘加苗, 刘超, 等. 融合字符级滑动窗口和深度残差网络的僵尸网络DGA域名检测方法[J]. 电子学报, 2022, 50(1): 250-256.

Xiao-yang LIU, Jia-miao LIU, Chao LIU, et al. Novel Botnet DGA Domain Detection Method Based on Character Level Sliding Window and Deep Residual Network[J]. Acta Electronica Sinica, 2022, 50(1): 250-256.

图/表 10

参考文献 18

1	ANTONAKAKISM, PERDISCIR, LEEW, et al. Detecting malware domains at the upper dns hierarchy. USENIX security symposium[C]//Proceedings of the 20th USENIX conference on Security. San Francisco, USA: ACM, 2011: 1-16.
2	YADAVS, REDDYA K K, REDDYA L N, et al. Detecting algorithmically generated domain-flux attacks with DNS traffic analysis[J]. IEEE/ACM Transactions on Networking, 2012, 20(5): 1663-1677.
3	ANTONAKAKISM, PERDISCIR, NADJIY, et al. From throw-away traffic to bots: Detecting the rise of DGA-based malware[C]//Proceedings of the 21st USENIX Conference on Security Symposium. Washington, USA: ACM, 2012: 491-506.
4	WOODBRIDGEJ, ANDERSONH S, AHUJAA, et al. Predicting domain generation algorithms with long short-term memory networks[J]. [2020]. .
5	VINAYAKUMARR, SOMANK P, POORNACHANDRANP, et al. Evaluating deep learning approaches to characterize and classify the DGAs at scale[J]. Journal of Intelligent & Fuzzy Systems, 2018, 34(3): 1265-1276.
6	吕品, 李全刚, 柳厅文, 等. 基于双向LSTM的误植域名滥用检测方法[J]. 电子学报, 2018, 46(9): 2081-2086.
	LUP, LIQ G, LIUT W, et al. Towards typosquatting abuse detection using bi-directional LSTM[J]. Acta Electronica Sinica, 2018, 46(9): 2081-2086. (in Chinese)
7	TRAND, MAC H, TONGV, et al. A LSTM based framework for handling multiclass imbalance in DGA botnet detection[J]. Neurocomputing, 2018, 275: 2401-2413.
8	HIGHNAMK, PUZIOD, LUOS, et al. Real-time detection of dictionary DGA network traffic using deep learning[J]. SN Computer Science, 2021, 2(2): 1-17.
9	杜鹏, 丁世飞. 基于混合词向量深度学习模型的DGA域名检测方法[J]. 计算机研究与发展, 2020, 57(2): 433-446.
	DUP, DINGS F. A DGA domain name detection method based on deep learning models with mixed word embedding[J]. Journal of Computer Research and Development, 2020, 57(2): 433-446. (in Chinese)
10	HEK M, ZHANGX Y, RENS Q, et al. Deep residual learning for image recognition[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Las Vegas, USA: IEEE, 2016: 770-778.
11	HOWARDA G, ZHUM L, CHENB, et al. MobileNets: Efficient convolutional neural networks for mobile vision applications[EB/OL]. (2017)[2020]. .
12	TRAND, MAC H, TONGV, et al. A LSTM based framework for handling multiclass imbalance in DGA botnet detection[J]. Neurocomputing, 2018, 275: 2401-2413.
13	VINAYAKUMARR, SOMANK P, POORNACHANDRANP, et al. DBD: Deep Learning DGA-based Botnet Detection[M]//Deep Learning Applications for Cyber Security. Cham: Springer International Publishing, 2019: 127-149.
14	YUB, PANJ, HUJ M, et al. Character level based detection of DGA domain names[C]//2018 International Joint Conference on Neural Networks (IJCNN). Rio, Brazil: IEEE, 2018: 1-8.
15	QIAOY C, ZHANGB, ZHANGW Z, et al. DGA domain name classification method based on long short-term memory with attention mechanism[J]. Applied Sciences, 2019, 9(20): 4205.
16	ANDERSONH S, WOODBRIDGEJ, FILARB. DeepDGA: Adversarially-tuned domain generation and detection[C]//Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. New York, USA: ACM, 2016: 13-21.
17	SIDIL, NADLERA, SHABTAIA. MaskDGA: A black-box evasion technique against DGA classifiers and adversarial defenses[EB/OL]. (2019)[2020]. .
18	PECKJ, NIEC, SIVAGURUR, et al. CharBot: A simple and effective method for evading DGA classifiers[J]. IEEE Access, 2019, 7: 91759-91771.

实际类	预测类
实际类	DGA域名	合法域名
DGA域名	TP	FN
合法域名	FP	TN

实际类	预测类
实际类	DGA域名	合法域名
DGA域名	TP	FN
合法域名	FP	TN

模型名	Acc	precision	recall	F-score
LSTM	99.14	99.14	99.12	99.13
GRU	98.82	98.80	98.81	98.80
CNN-LSTM	99.09	99.08	99.07	99.07
Shallow-CNN	98.66	98.66	98.62	98.64
LSTM- Attention	99.15	99.14	99.14	99.14
SW-DRN	99.24	99.25	99.21	99.23

模型名	Acc	precision	recall	F-score
LSTM	99.14	99.14	99.12	99.13
GRU	98.82	98.80	98.81	98.80
CNN-LSTM	99.09	99.08	99.07	99.07
Shallow-CNN	98.66	98.66	98.62	98.64
LSTM- Attention	99.15	99.14	99.14	99.14
SW-DRN	99.24	99.25	99.21	99.23

模型名	Acc	precision	recall	F-score
LSTM	97.35	97.36	97.36	97.35
GRU	96.14	96.19	96.17	96.14
CNN-LSTM	97.21	97.21	97.22	97.21
Shallow-CNN	96.92	96.93	96.93	96.92
LSTM- Attention	92.42	92.45	92.44	92.42
SW-DRN	97.81	97.81	97.82	97.81