融合字符级滑动窗口和深度残差网络的僵尸网络DGA域名检测方法

doi:10.12263/DZXB.20200619

摘要/Abstract

摘要：

本文提出了一种基于字符级滑动窗口的深度残差网络（Sliding Window-Depth Residual Network，SW-DRN），首次将轻量级深度可分离式卷积应用于僵尸网络中DGA（Domain Generation Algorithm）域名检测.SW-DRN采用深度可分离式卷积，相比标准卷积减少了约56%的参数，增强了模型检测效率.采集两种不同来源的数据，分别命名为Real-Dataset和Gen-Dataset.SW-DRN与对照组模型在两个数据集上进行实验，实验结果表明：SW-DRN模型在DGA域名二分类任务中的F-Score评估指标上分别取得了99.23%和97.81%的成绩；并且在少样本DGA域名家族以及域名字符串易混淆DGA域名情形下多分类任务中取得不错的成绩，相比目前已有的DGA域名分类模型在总体F-Score上提升了1.23%和1.01%的性能，增强了DGA域名家族之间的识别；同时还对所提出的模型在生成对抗模型产生域名进行测试，均能得到有效的识别.

关键词: 域名生成算法, 字符级向量, 残差网络, 深度可分离式卷积

Abstract:

This paper proposed a character-level sliding window based deep residual network model SW-DRN (Sliding Window-Depth Residual Network), which was the first to apply light depthwise separable convolution to the DGA(Domain Generation Algorithm) domain name detection. In SW-DRN, the use of depthwise separable convolution reduced the number of model parameters by about 56% compared with standard convolution, which enhanced the efficiency of model detection. Collect data from two different sources, named Real-Dataset and Gen-Dataset. Finally, comparison experiments on the dataset with the proposed DGA domain name detection model by previous researchers. Experimental results on two datasets show that the proposed SW-DRN model has achieved good results of 99.23% and 97.81% on the F-Score evaluation indicator in the DGA domain name binary classification task. Compared with the existing DGA domain name classification model, the SW-DRN has made a 1.23% and 1.01% performance improvement on the F-Score, enhancing the DGA domain name family recognition. At the same time, the proposed model tests in the generative adversarial networks to generate domain names, and it can be effectively identified.

Key words: domain generation algorithm, character-level vector, residual network, depthwise separable convolution

中图分类号:

TN915

刘小洋, 刘加苗, 刘超, 张宜浩. 融合字符级滑动窗口和深度残差网络的僵尸网络DGA域名检测方法[J]. 电子学报, 2022, 50(1): 250-256.

LIU Xiao-yang, LIU Jia-miao, LIU Chao, ZHANG Yi-hao. Novel Botnet DGA Domain Detection Method Based on Character Level Sliding Window and Deep Residual Network[J]. Acta Electronica Sinica, 2022, 50(1): 250-256.

图/表 10

参考文献 18

1	ANTONAKAKIS M, PERDISCI R, LEE W, et al. Detecting malware domains at the upper dns hierarchy. USENIX security symposium[C]//Proceedings of the 20th USENIX conference on Security. San Francisco, USA: ACM, 2011: 1-16.
2	YADAV S, REDDY A K K, REDDY A L N, et al. Detecting algorithmically generated domain-flux attacks with DNS traffic analysis[J]. IEEE/ACM Transactions on Networking, 2012, 20(5): 1663-1677.
3	ANTONAKAKIS M, PERDISCI R, NADJI Y, et al. From throw-away traffic to bots: Detecting the rise of DGA-based malware[C]//Proceedings of the 21st USENIX Conference on Security Symposium. Washington, USA: ACM, 2012: 491-506.
4	WOODBRIDGE J, ANDERSON H S, AHUJA A, et al. Predicting domain generation algorithms with long short-term memory networks[J]. [2020]. .
5	VINAYAKUMAR R, SOMAN K P, POORNACHANDRAN P, et al. Evaluating deep learning approaches to characterize and classify the DGAs at scale[J]. Journal of Intelligent & Fuzzy Systems, 2018, 34(3): 1265-1276.
6	吕品, 李全刚, 柳厅文, 等. 基于双向LSTM的误植域名滥用检测方法[J]. 电子学报, 2018, 46(9): 2081-2086.
	LU P, LI Q G, LIU T W, et al. Towards typosquatting abuse detection using bi-directional LSTM[J]. Acta Electronica Sinica, 2018, 46(9): 2081-2086. (in Chinese)
7	TRAN D, MAC H, TONG V, et al. A LSTM based framework for handling multiclass imbalance in DGA botnet detection[J]. Neurocomputing, 2018, 275: 2401-2413.
8	HIGHNAM K, PUZIO D, LUO S, et al. Real-time detection of dictionary DGA network traffic using deep learning[J]. SN Computer Science, 2021, 2(2): 1-17.
9	杜鹏, 丁世飞. 基于混合词向量深度学习模型的DGA域名检测方法[J]. 计算机研究与发展, 2020, 57(2): 433-446.
	DU P, DING S F. A DGA domain name detection method based on deep learning models with mixed word embedding[J]. Journal of Computer Research and Development, 2020, 57(2): 433-446. (in Chinese)
10	HE K M, ZHANG X Y, REN S Q, et al. Deep residual learning for image recognition[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Las Vegas, USA: IEEE, 2016: 770-778.
11	HOWARD A G, ZHU M L, CHEN B, et al. MobileNets: Efficient convolutional neural networks for mobile vision applications[EB/OL]. (2017)[2020]. .
12	TRAN D, MAC H, TONG V, et al. A LSTM based framework for handling multiclass imbalance in DGA botnet detection[J]. Neurocomputing, 2018, 275: 2401-2413.
13	VINAYAKUMAR R, SOMAN K P, POORNACHANDRAN P, et al. DBD: Deep Learning DGA-based Botnet Detection[M]//Deep Learning Applications for Cyber Security. Cham: Springer International Publishing, 2019: 127-149.
14	YU B, PAN J, HU J M, et al. Character level based detection of DGA domain names[C]//2018 International Joint Conference on Neural Networks (IJCNN). Rio, Brazil: IEEE, 2018: 1-8.
15	QIAO Y C, ZHANG B, ZHANG W Z, et al. DGA domain name classification method based on long short-term memory with attention mechanism[J]. Applied Sciences, 2019, 9(20): 4205.
16	ANDERSON H S, WOODBRIDGE J, FILAR B. DeepDGA: Adversarially-tuned domain generation and detection[C]//Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. New York, USA: ACM, 2016: 13-21.
17	SIDI L, NADLER A, SHABTAI A. MaskDGA: A black-box evasion technique against DGA classifiers and adversarial defenses[EB/OL]. (2019)[2020]. .
18	PECK J, NIE C, SIVAGURU R, et al. CharBot: A simple and effective method for evading DGA classifiers[J]. IEEE Access, 2019, 7: 91759-91771.

实际类	预测类
实际类	DGA域名	合法域名
DGA域名	TP	FN
合法域名	FP	TN

实际类	预测类
实际类	DGA域名	合法域名
DGA域名	TP	FN
合法域名	FP	TN

模型名	Acc	precision	recall	F-score
LSTM	99.14	99.14	99.12	99.13
GRU	98.82	98.80	98.81	98.80
CNN-LSTM	99.09	99.08	99.07	99.07
Shallow-CNN	98.66	98.66	98.62	98.64
LSTM- Attention	99.15	99.14	99.14	99.14
SW-DRN	99.24	99.25	99.21	99.23

模型名	Acc	precision	recall	F-score
LSTM	99.14	99.14	99.12	99.13
GRU	98.82	98.80	98.81	98.80
CNN-LSTM	99.09	99.08	99.07	99.07
Shallow-CNN	98.66	98.66	98.62	98.64
LSTM- Attention	99.15	99.14	99.14	99.14
SW-DRN	99.24	99.25	99.21	99.23

模型名	Acc	precision	recall	F-score
LSTM	97.35	97.36	97.36	97.35
GRU	96.14	96.19	96.17	96.14
CNN-LSTM	97.21	97.21	97.22	97.21
Shallow-CNN	96.92	96.93	96.93	96.92
LSTM- Attention	92.42	92.45	92.44	92.42
SW-DRN	97.81	97.81	97.82	97.81