期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

基于图对比学习的恶意域名检测方法

Malicious Domain Name Detection Method Based on Graph Contrastive Learning
下载PDF
导出
摘要 域名是实施网络犯罪行为的重要环节,现有的恶意域名检测方法一方面难以利用丰富的拓扑和属性信息,另一方面需要大量的标签数据,检测效果受限而成本较高.针对该问题,提出一种基于图对比学习的恶意域名检测方法,以域名和IP地址作为异构图的两类节点并根据其属性建立对应节点的特征矩阵,依据域名之间的包含关系、相似度度量以及域名和IP地址之间对应关系构建3种元路径;在预训练阶段,使用基于非对称编码器的对比学习模型,避免图数据增强操作对图结构和语义的破坏,也降低对计算资源的需求;使用归纳式的图神经网络图编码器HeteroSAGE和HeteroGAT,采用以节点为中心的小批量训练模式来挖掘目标节点和邻居节点的聚合关系,避免直推式图神经网络在动态场景下适用性较差的问题;下游分类检测任务则对比使用了逻辑回归、随机森林等算法.在公开数据上的实验结果表明检测性能相比已有工作提高2–6个百分点. The domain name plays an important role in cybercrimes.Existing malicious domain name detection methods are not only difficult to use with rich topology and attribute information but also require a large amount of label data,resulting in limited detection effects and high costs.To address this problem,this study proposes a malicious domain name detection method based on graph contrastive learning.The domain name and IP address are taken as two types of nodes in a heterogeneous graph,and the feature matrix of corresponding nodes is established according to their attributes.Three types of meta paths are constructed based on the inclusion relationship between domain names,the measure of similarity,and the correspondence between domain names and IP addresses.In the pre-training stage,the contrast learning model based on the asymmetric encoder is applied to avoid the damage to graph structure and semantics caused by graph data augmentation operation and reduce the demand for computing resources.By using the inductive graph neural network graph encoders HeteroSAGE and HeteroGAT,a node-centric mini-batch training strategy is adopted to explore the aggregation relationship between the target node and its neighbor nodes,which solves the problem of poor applicability of the transductive graph neural networks in dynamic scenarios.The downstream classification detection task contrastively utilizes logistic regression and random forest algorithms.Experimental results on publicly available data sets show that detection performance is improved by two to six percentage points compared with that of related works.
作者 张震 张三峰 杨望 ZHANG Zhen;ZHANG San-Feng;YANG Wang(School of Cyber Science and Engineering,Southeast University,Nanjing 211189,China;Key Laboratory of Computer Network and Information Integration of Ministry of Education(Southeast University),Nanjing 211189,China)
机构地区 东南大学网络空间安全学院 教育部计算机网络和信息集成重点实验室(东南大学)
出处 《软件学报》 EI CSCD 北大核心 2024年第10期4837-4858,共22页 Journal of Software
基金 国家自然科学基金(62272100)。
关键词 恶意域名检测 属性异构图 图神经网络 非对称编码 自监督学习 malicious domain name detection attribute heterogeneous graph graph neural network(GNN) asymmetric coding self-supervised learning
分类号 TP393 [自动化与计算机技术—计算机应用技术]
  • 相关文献

参考文献6

二级参考文献51

  • 1王垚,胡铭曾,李斌,闫伯儒.域名系统安全研究综述[J].通信学报,2007,28(9):91-103. 被引量:27
  • 2Porras P,Saidi H,Yegneswaran V, A foray into Conficker’s logic and rendezvous points. In: Lee W, ed. Proc. of the 2nd USENIX Conf. on Large-Scale Exploits and Emergent Threats: Botnets,Spyware, Worms, and More (LEET 2009). Boston: USENIX, 2009. 被引量:1
  • 3Conficker C Analysis. 2009. http://mtc.sri.com/Conficker/addendumC. 被引量:1
  • 4Royal P. Analysis of the Kraken Botnet. 2008. https://www.damballa.com/downloads/r_pubs/KrakenWhitepaper.pdf. 被引量:1
  • 5Stone-Gross B, Cova M,Cavallaro L. Your botnet is my botnet: analysis of a botnet takeover. In: Al-Shaer E, Jha S, Keromytis AD, eds. Proc. of the 16th ACM Conf. on Computer and Communications Security (CCS 2009). Chicago: ACM Press, 2009. 635-647. [doi: 10.1145/1653662.1653738]. 被引量:1
  • 6Chatzis N, Popescu-Zeletin R. Flow level data mining of DNS query streams for email worm detection. In: Corchado E, Zunino R, Gastaldo P, Herrero A, eds. Proc. of the Int’l Workshop on Computational Intelligence in Security for Information Systems (CISIS2008). Berlin, Heidelberg: Springer-Verlag,2009. 186-194. [doi: 10.1007/978-3-540-88181-0—24]. 被引量:1
  • 7Chatzis N, Popescu-Zeletin R. Detection of email worm-infected machines on the local name servers using time series analysis. Journal of Information Assurance and Security, 2009,4(3):292-300. 被引量:1
  • 8Chatzis N, Popescu-Zeletin R, Brownlee N. Email worm detection by wavelet analysis of DNS query streams. In: Dasgupta D, Zhan J, eds, Proc. of the IEEE Symp. on Computational Intelligence in Cyber Security (CICS 2009). Nashville: IEEE, 2009. 53-60. [doi: 10.1 丨 09/CICYBS.2009.4925090]. 被引量:1
  • 9Chatzis N, Brownlee N. Similarity search over DNS query streams for email worm detection. In: A wan I,ed. Proc. of the 2009 Int,l Conf. on Advanced Information Networking and Applications (AINA 2009). Bradford: IEEE, 2009. 588-595. [doi: 10.1109/AINA. 2009.132]. 被引量:1
  • 10Caglayan A, Toothaker M, Drapeau D, Burke D, Eaton G. Real-Time detection of fast flux service networks. In: Walter E, ed. Proc. of the 2009 Cybersecurity Applications & Technology Conf. for Homeland Security (CATCH 2009). Washington: IEEE, 2009.285-292. [doi: 10.1109/CATCH.2009.44]. 被引量:1

共引文献62

软件学报
2024年 第10期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部