A DGA domain names detection modeling method based on integrating an attention mechanism and deep neural network
Cybersecurity, Pub Date: 2020-02-28, DOI: 10.1186/s42400-020-00046-6
Fangli Ren, Zhengwei Jiang, Xuren Wang, Jian Liu

Command and control (C2) servers are used by attackers to operate communications. To perform attacks, attackers usually employ a Domain Generation Algorithm (DGA), which confirms rendezvous points with their C2 servers by generating many candidate network locations. The detection of DGA domain names is one of the important technologies for command and control communication detection. Considering the randomness of DGA domain names, recent research in DGA detection has applied machine learning methods based on feature extraction and deep learning architectures to classify domain names. However, these methods are insufficient to handle wordlist-based DGA threats, which generate domain names by randomly concatenating dictionary words according to a special set of rules. In this paper, we propose a deep learning framework, ATT-CNN-BiLSTM, for identifying and detecting DGA domains to alleviate the threat. Firstly, a Convolutional Neural Network (CNN) layer and a bidirectional Long Short-Term Memory (BiLSTM) layer are used to extract features from the domain-name character sequence; secondly, an attention layer allocates the corresponding weight to each piece of deep information extracted from the domain name. Finally, the differently weighted features of the domain name are passed to the output layer to complete the detection and classification tasks. Our extensive experimental results demonstrate the effectiveness of the proposed model, both on regular DGA domains and on DGAs that are hard to detect, such as wordlist-based and part-wordlist-based ones. To be precise, we obtained an F1 score of 98.79% for the detection task and a macro-averaged precision and recall of 83% for the classification task on DGA domain names.
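To make the abstract's central claim concrete, the following added example (not code from the paper or its authors) implements a hand-crafted character-randomness baseline of the kind the authors say wordlist-based DGAs defeat, and runs it over a few constructed domain names; the sample domains, their labels and the thresholds are all illustrative assumptions, not the paper's dataset.

```python
import math
from collections import Counter

# Constructed sample domains with hypothetical labels; they are NOT taken
# from the paper's dataset and only exercise the baseline below.
SAMPLES = {
    "wikipedia.org": "benign",
    "stackoverflow.com": "benign",
    "weather.com": "benign",
    "xk3jq9zlw0pv.net": "dga_char",        # character-level DGA style
    "qzrvhltmxwbn.com": "dga_char",
    "happyriverblue.net": "dga_wordlist",  # dictionary words concatenated
    "carpetgardenfish.com": "dga_wordlist",
}
VOWELS = set("aeiou")

def sld(domain):
    """Second-level label only; assumes a single-label TLD for simplicity."""
    return domain.lower().rsplit(".", 1)[0]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def features(domain):
    label = sld(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / max(len(letters), 1)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    run = longest = 0
    for ch in label:  # longest run of consonants, reset on vowels/digits
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {"entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio,
            "digit_ratio": digit_ratio, "max_consonant_run": longest}

def baseline_is_dga(domain):
    """Illustrative randomness thresholds: catch pronounceability failures."""
    f = features(domain)
    return (f["vowel_ratio"] < 0.2 or f["digit_ratio"] > 0.15
            or f["max_consonant_run"] >= 5)

def evaluate(samples=SAMPLES):
    """Fraction of each label the baseline flags; wordlist DGAs look benign."""
    hits, totals = Counter(), Counter()
    for domain, label in samples.items():
        totals[label] += 1
        hits[label] += baseline_is_dga(domain)
    return {label: hits[label] / totals[label] for label in totals}

if __name__ == "__main__":
    for domain, label in SAMPLES.items():
        print(f"{domain:24} {label:13} flagged={baseline_is_dga(domain)}")
    print(evaluate())
```

The wordlist-based samples pass every randomness threshold exactly like the benign ones, which is why the abstract argues for sequence models (CNN, BiLSTM, attention) that learn from the character sequence rather than from such summary features.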

Updated: 2020-02-28