Abstract
Modern botnets make wide use of domain generation algorithms (DGAs) to produce large numbers of pseudo-random domain names. Through these domains, bots communicate with their command and control (C&C) servers while evading traditional defences such as blacklists and reverse engineering. In recent years, deep learning models based on recurrent neural networks (RNNs), such as long short-term memory (LSTM) and gated recurrent units (GRUs), have been introduced for real-time detection of DGA domains; they operate on the domain name alone, with no manual feature extraction or additional information. To extract as much information as possible from the character sequence of a domain name, this paper proposes an ensemble model composed of a parallel convolutional neural network (PCNN) and a bidirectional GRU (BiGRU) with an attention mechanism. Unlike a GRU, which learns only unidirectional sequence information, the BiGRU learns sequence information in both directions. The PCNN can use several convolution kernel sizes to learn local sequence information of the domain name. The attention mechanism weights the domain name sequence, learns how important each character combination is within the domain, and selects the key global sequence features, strengthening the model's ability to capture decisive features. Experimental results show that the proposed ensemble model achieves the highest F1-score, 0.9343; the second-best model reaches 0.9241, and the lowest, a plain convolutional neural network (CNN), only 0.8546. Compared with single-structure CNN and LSTM models and with an LSTM model with attention, the ensemble model gives better multi-class classification results.
Authors
WANG Tianyu (王天宇); WANG Chundong (王春东)
School of Computer Science and Engineering, Tianjin University of Technology, Tianjin 300384, China
Source
Journal of Tianjin University of Technology (《天津理工大学学报》)
2024, No. 5, pp. 94-101 (8 pages)
Funding
Science and Technology for Economy 2020 Key Special Project (SQ2020YFF0413781).
Keywords
domain generation algorithm
malicious domain name detection
deep learning
attention mechanism