Netinfo Security (信息网络安全) ›› 2021, Vol. 21 ›› Issue (10): 41-47. doi: 10.3969/j.issn.1671-1122.2021.10.006

• Selected Papers •

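DGA Malicious Domain Name Detection Method Based on Fusion of CNN and LSTM

XU Guotian, SHENG Zhenwei

  1. Criminal Investigation Police University of China, Shenyang 110854
  • Received: 2021-06-17 Online: 2021-10-10 Published: 2021-10-14
  • Corresponding author: XU Guotian E-mail: xu_guo_tian888@163.com
  • About the authors: XU Guotian (born 1978), male, from Liaoning, associate professor, master's degree; main research interests: cyberspace security and electronic data forensics | SHENG Zhenwei (born 1997), male, from Hubei, master's student; main research interest: cyberspace security
  • Funding:
    Fundamental Research Funds for the Central Universities (3242017013); Soft Science Program of the Ministry of Public Security (2020LLYJXJXY031); Technology Research Program of the Ministry of Public Security (2016JSYJB06); Natural Science Foundation of Liaoning Province (2019-ZD-0167); Natural Science Foundation of Liaoning Province (20180550841); Natural Science Foundation of Liaoning Province (2015020091); Liaoning Provincial Social Science Planning Fund (L16BFX012); Liaoning Collaborative Innovation Center for Network Security Law Enforcement (WXZX-201807010); Scientific Research Fund of the Education Department of Liaoning Province (LJK20072)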

DGA Malicious Domain Name Detection Method Based on Fusion of CNN and LSTM

XU Guotian, SHENG Zhenwei

  1. Criminal Investigation Police University of China, Shenyang 110854, China
  • Received:2021-06-17 Online:2021-10-10 Published:2021-10-14
  • Contact: XU Guotian E-mail:xu_guo_tian888@163.com

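Abstract:

Malicious domain generation algorithms are now widely used in all kinds of network attacks. To address problems in malicious domain name detection such as inefficient feature engineering, excessively high domain name encoding dimensionality, and the loss of some domain name information features, this paper proposes a deep learning model for malicious domain name detection based on the fusion of a convolutional neural network and a long short-term memory network. The model encodes domain name characters using word-vector embedding, building a dense vector that uses the correlation between words for the encoding. This approach effectively solves the sparse-matrix and curse-of-dimensionality problems caused by one-hot encoding, shortens character encoding time, and improves encoding efficiency. The model can extract not only the local features in domain name information but also the contextual correlation features between domain name characters. Experimental results show that, compared with traditional malicious domain name detection approaches, the proposed method achieves better classification performance and a better detection rate.

Keywords: malicious domain name, convolutional neural network, long short-term memory network, deep learning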

Abstract:

Malicious domain generation algorithms (DGAs) are now widely used in all kinds of network attacks. To address problems in DGA malicious domain name detection, such as inefficient feature engineering, excessively high domain name encoding dimensionality, and the loss of some domain name information features, this paper proposes a deep learning model for malicious domain name detection based on a convolutional neural network and a long short-term memory network. The model encodes domain name characters using word-vector embedding, constructing a dense vector that is encoded using the correlation between words. This method effectively solves the sparse-matrix and curse-of-dimensionality problems caused by one-hot encoding, shortens character encoding time, and improves encoding efficiency. The model can extract not only the local features of domain name information but also the contextual relevance features between domain name characters. The experimental results show that, compared with traditional malicious domain name detection approaches, the proposed method achieves better classification performance and a better detection rate.

Key words: malicious domain name, convolutional neural network, long short-term memory network, deep learning
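The character encoding step described in the abstract, as an added example that is not code from the paper: it contrasts one-hot rows with an embedding lookup for a domain name and shows that the lookup equals the sparse one-hot product with the table. The alphabet, `MAX_LEN`, `EMBED_DIM`, the helper names and the random (untrained) table are assumptions; the paper's own values are not given on this page.

```python
import random

# Assumed character vocabulary for domain names; index 0 is reserved for padding.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-._"
CHAR_TO_ID = {ch: i + 1 for i, ch in enumerate(ALPHABET)}
VOCAB_SIZE = len(ALPHABET) + 1   # +1 for the padding index
MAX_LEN = 64                     # assumed fixed input length
EMBED_DIM = 16                   # assumed embedding width


def to_ids(domain, max_len=MAX_LEN):
    """Lower-case, map known characters to indices, truncate, right-pad with 0."""
    ids = [CHAR_TO_ID[ch] for ch in domain.lower() if ch in CHAR_TO_ID][:max_len]
    return ids + [0] * (max_len - len(ids))


def one_hot(ids, vocab_size=VOCAB_SIZE):
    """Sparse encoding: one row of vocab_size cells per position, a single 1 per row."""
    return [[1 if col == i else 0 for col in range(vocab_size)] for i in ids]


def make_embedding(vocab_size=VOCAB_SIZE, dim=EMBED_DIM, seed=0):
    """Lookup table; random here, learned jointly with the classifier in a real model."""
    rng = random.Random(seed)
    table = [[rng.uniform(-0.05, 0.05) for _ in range(dim)] for _ in range(vocab_size)]
    table[0] = [0.0] * dim       # padding maps to the zero vector
    return table


def embed(ids, table):
    """Dense encoding: each index selects one row of the table."""
    return [table[i] for i in ids]


def sparse_product(oh, table):
    """The same result computed the expensive way: one-hot matrix times the table."""
    return [[sum(x * w for x, w in zip(row, col)) for col in zip(*table)] for row in oh]


def encoding_stats(domain):
    ids = to_ids(domain)
    oh = one_hot(ids)
    return {"one_hot_cells": len(oh) * len(oh[0]), "one_hot_nonzero": sum(map(sum, oh)),
            "embedding_cells": len(ids) * EMBED_DIM}


if __name__ == "__main__":
    # Constructed sample names, not taken from the paper's dataset.
    for name in ("example.com", "xkqzjvbnrtwplmhd.net"):
        print(name, to_ids(name)[:12], encoding_stats(name))
```

The dense `MAX_LEN × EMBED_DIM` matrix returned by `embed` is what the convolutional and recurrent layers of such a model would take as input.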

CLC number: