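1. College of Computer Science and Engineering, Chongqing University of Technology, Chongqing 400054
2. College of Artificial Intelligence, Chongqing University of Technology, Chongqing 401135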
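LIU Xiao-yang: male, born in 1980 in Anqing, Anhui. Postdoctoral fellow. Currently a professor and master's supervisor at the College of Computer Science and Engineering, Chongqing University of Technology. His research covers social network analysis, artificial intelligence, network security and data mining. E-mail: lxy3103@163.com
LIU Jia-miao (corresponding author): male, born in 1994 in Yubei, Chongqing. Currently a master's student at the College of Computer Science and Engineering, Chongqing University of Technology. His research covers network security, malicious traffic detection and domain name analysis. E-mail: jiamiaoliu@126.com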
Received: 2020-06-28
Revised: 2021-02-20
Print publication: 2022-01-25
LIU Xiao-yang, LIU Jia-miao, LIU Chao, et al. Novel Botnet DGA Domain Detection Method Based on Character Level Sliding Window and Deep Residual Network[J]. ACTA ELECTRONICA SINICA, 2022, 50(01): 250-256. DOI: 10.12263/DZXB.20200619.
This paper proposes a character-level sliding-window deep residual network, SW-DRN (Sliding Window-Depth Residual Network), which is the first to apply lightweight depthwise separable convolution to DGA (Domain Generation Algorithm) domain name detection in botnets. By using depthwise separable convolution, SW-DRN reduces the number of model parameters by about 56% compared with standard convolution, which improves detection efficiency. Data were collected from two different sources and named Real-Dataset and Gen-Dataset. SW-DRN and the baseline models were evaluated on both datasets. The experimental results show that SW-DRN achieves F-Scores of 99.23% and 97.81% on the DGA domain name binary classification task. In the multi-class task it also performs well on DGA families with few samples and on DGA families whose domain strings are easily confused; compared with existing DGA domain name classification models, it improves the overall F-Score by 1.23% and 1.01%, strengthening the discrimination between DGA domain name families. The proposed model was also tested on domain names produced by generative adversarial models, and all of them were effectively identified.