LIU Xiao-yang, LIU Jia-miao, LIU Chao, et al. Novel Botnet DGA Domain Detection Method Based on Character Level Sliding Window and Deep Residual Network[J]. ACTA ELECTRONICA SINICA, 2022, 50(01): 250-256. DOI: 10.12263/DZXB.20200619.
Novel Botnet DGA Domain Detection Method Based on Character Level Sliding Window and Deep Residual Network
This paper proposes SW-DRN (Sliding Window-Depth Residual Network), a deep residual network model based on a character-level sliding window, which is the first to apply lightweight depthwise separable convolution to DGA (Domain Generation Algorithm) domain name detection. In SW-DRN, the use of depthwise separable convolution reduces the number of model parameters by about 56% compared with standard convolution, which enhances the efficiency of model detection. Data were collected from two different sources, named Real-Dataset and Gen-Dataset. Finally, comparison experiments were carried out on the datasets against DGA domain name detection models proposed by previous researchers. Experimental results on the two datasets show that the proposed SW-DRN model achieves good results of 99.23% and 97.81% on the F-Score evaluation indicator in the DGA domain name binary classification task. Compared with existing DGA domain name classification models, SW-DRN achieves a 1.23% and 1.01% performance improvement on the F-Score, enhancing DGA domain name family recognition. At the same time, the proposed model was tested on domain names generated by generative adversarial networks, and it can effectively identify them.