Khaos: An Adversarial Neural Network DGA With High Anti-Detection Ability
IEEE Transactions on Information Forensics and Security (IF 6.8). Pub Date: 2019-12-18. DOI: 10.1109/tifs.2019.2960647
Xiaochun Yun, Ji Huang, Yipeng Wang, Tianning Zang, Yuan Zhou, Yongzheng Zhang

A botnet is a network of remote-controlled devices that are infected with malware controlled by botmasters in order to launch cyber attacks. To evade detection, the botmaster frequently changes the domain name of his Command and Control (C&C) server. Most of these domain names are generated by domain generation algorithms (DGAs). In this paper, we propose Khaos, a novel DGA with high anti-detection ability based on neural language models and the Wasserstein Generative Adversarial Network (WGAN). The key insight of our research is that real domain names are composed of readable syllables and acronyms, and thus we can arrange syllables and acronyms using neural language models to mimic real domain names. In Khaos, we first find the most common n-grams in real domain names, then tokenize these domain names into n-grams, and finally synthesize new domain names after learning arrangements of n-grams from real domain names. We carry out experiments using a variety of state-of-the-art DGA detection approaches: the statistics-based, the distribution-based, the LSTM-based and the graph-based detection approach. Our experimental results show that the average distance for detecting Khaos under the distribution-based detection approach is 0.64, the AUCs of Khaos under the statistics-based and the LSTM-based detection approach are 0.76 and 0.57, respectively, and the precision of Khaos under the graph-based detection approach is 0.68. Our work proves that the existing detection approaches have great difficulty in detecting Khaos, and that Khaos has better anti-detection ability than state-of-the-art DGAs. In addition, we find that training the existing detection approaches on a dataset including the domain names generated by Khaos can improve their detection ability.

Updated: 2020-04-22