Research on DGA Malicious Domain Name Detection Method Based on Transfer Learning and Threat Intelligence

doi:10.3969/j.issn.1671-1122.2023.10.002

Abstract

Abstract:

Domain name generation algorithms have been widely used in various types of cyber attacks, which have the characteristics of rapid sample change, many variants, and difficult to obtain, leading to low detection accuracy and poor warning capability of existing traditional models. To address this situation, a DGA malicious domain detection method based on transfer learning and threat intelligence was proposed, which extracted malicious domain context and semantic relationship features by building a combined model of bidirectional long short-term memory neural network and Transformer, pre-trains by using a publicly available large-sample malicious domain dataset, and transfered the training parameters to a new unknown small-sample malicious domain of APT organizations held by threat intelligence for model detection performance testing. The experimental results show that the model can achieve an average detection accuracy of 96.14% in a small-sample dataset of malicious domains used by APT organizations, and the detection performance is good.

Key words: malicious domain name, transfer learning, threat intelligence, Bi-LSTM, Transformer

CLC Number:

TP309

YE Huanrong, LI Muyuan, JIANG Bo. Research on DGA Malicious Domain Name Detection Method Based on Transfer Learning and Threat Intelligence[J]. Netinfo Security, 2023, 23(10): 8-15.

Figures/Tables 15

References 20

[1]	DAVUTH N, KIM S R. Classification of Malicious Domain Names Using Support Vector Machine and Bi-Gram Method[J]. International Journal of Security and Its Applications, 2013, 7(1): 51-58.
[2]	YADAV S, REDDY A K K, REDDY A L N, et al. Detecting Algorithmically Generated Malicious Domain Names[C]// ACM. Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement. New York: ACM, 2010: 48-61.
[3]	SCHIAVONI S, MAGGI F, CAVALLARO L, et al. Phoenix: DGA-Based Botnet Tracking and Intelligence[C]// Springer. Detection of Intrusions and Malware, and Vulnerability Assessment:11th International Conference. Berlin:Springer, 2014: 192-211.
[4]	TRAN D, MAC H, TONG V, et al. A LSTM Based Framework for Handling Multiclass Imbalance in DGA Botnet Detection[J]. Neurocomputing, 2018, 275: 2401-2413. doi: 10.1016/j.neucom.2017.11.018 URL
[5]	YU Bin, PAN Jie, HU Jiaming, et al. Character Level Based Detection of DGA Domain Names[C]// IEEE. 2018 International Joint Conference on Neural Networks (IJCNN). New York: IEEE, 2018: 1-8.
[6]	ZHANG Xin, CHENG Hua, FANG Yiquan. A DGA Domain Name Detection Method Based on Transformer[J]. Computer Engineering & Science, 2020, 42(3): 411-417.
	张鑫, 程华, 房一泉. 基于Transformer的DGA域名检测方法[J]. 计算机工程与科学, 2020, 42(3): 411-417.
[7]	CAGLAYAN A, TOOTHAKER M, DRAPEAU D, et al. Behavioral Analysis of Botnets for Threat Intelligence[J]. Information Systems and E-Business Management, 2012, 10: 491-519. doi: 10.1007/s10257-011-0171-7 URL
[8]	LI Juntao, SHI Yong, XUE Zhi. APT Detection Based on DNS Traffic and Threat Intelligence[J]. Information Security and Communications, 2016(7): 84-88.
[9]	CHIBA D, AKIYAMA M, YAGI T, et al. DomainChroma: Building Actionable Threat Intelligence from Malicious Domain Names[J]. Computers & Security, 2018, 77: 138-161. doi: 10.1016/j.cose.2018.03.013 URL
[10]	WANG Xin, WU Yang, LU Zhigang. Study on Malicious URL Detection Based on Threat Intelligence Platform[J]. Computer Science, 2018, 45(3): 126-132, 172.
	汪鑫, 武杨, 卢志刚. 基于威胁情报平台的恶意URL检测研究[J]. 计算机科学, 2018, 45(3): 126-132, 172.
[11]	SURYOTRISONGKO H, MUSASHI Y, TSUNEDA A, et al. Robust Botnet DGA Detection: Blending XAI and OSINT for Cyber Threat Intelligence Sharing[J]. IEEE Access, 2022, 10: 34613-34624. doi: 10.1109/ACCESS.2022.3162588 URL
[12]	ALSAEDI M, GHALEB F A, SAEED F, et al. Cyber Threat Intelligence-Based Malicious URL Detection Model Using Ensemble Learning[J]. Sensors, 2022, 22(9): 3373-3382. doi: 10.3390/s22093373 URL
[13]	GU Zhaojun, YANG Wenjin, ZHOU Jingxian. Small Sample DGA Malicious Domain Names Detection Method Based on Transfer Learning[J]. Computer Engineering and Applications, 2021, 57(14): 103-109. doi: 10.3778/j.issn.1002-8331.2004-0209
	顾兆军, 杨文瑾, 周景贤. 基于迁移学习的小样本DGA恶意域名检测方法[J]. 计算机工程与应用, 2021, 57(14): 103-109. doi: 10.3778/j.issn.1002-8331.2004-0209
[14]	ZHAO Fan, ZHAO Hong, CHANG Zhaobin. Small Sample Malicious Domain Names Detection Method Based on Transfer Learning[J]. Computer Engineering and Design, 2022, 43(12): 3381-3387.
	赵凡, 赵宏, 常兆斌. 基于迁移学习的小样本恶意域名检测[J]. 计算机工程与设计, 2022, 43(12): 3381-3387.
[15]	RAJALAKSHMI R, RAMRAJ S, RAMESH Kannan R. Transfer Learning Approach for Identification of Malicious Domain Names[C]// SSCC. International Symposium on Security in Computing and Communication. Springer, 2018: 656-666.
[16]	TRUONG D T, TRAN D T, HUYNH B. Detecting Malicious Fast-Flux Domains Using Feature-Based Classification Techniques[J]. Journal of Internet Technology, 2020, 21(4): 1061-1072.
[17]	HUANG Zhuofan, ZHANG Yangsen, DUAN Ruixue, et al. Research on Malicious URL Identification and Analysis for Network Security[C]// IEEE. 2021 7th IEEE International Conference on Network Intelligence and Digital Content (IC-NIDC). New York: IEEE, 2021: 418-422.
[18]	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is All You Need[J]. Advances in Neural Information Processing Systems, 2017, 30(2): 1-11.
[19]	YANG Peng, ZHAO Guangzhen, ZENG Peng. Phishing Website Detection Based on Multidimensional Features Driven By Deep Learning[J]. IEEE Access, 2019, 7: 15196-15209. doi: 10.1109/ACCESS.2019.2892066
[20]	ZHAO Hong, WANG Le, WANG Weijie. Text Sentiment Analysis Based on Serial Hybrid Model of Bi-Directional Long Short-Term Memory and Convolutional Neural Network[J]. Journal of Computer Applications, 2020, 40(1): 16-22. doi: 10.11772/j.issn.1001-9081.2019060968
	赵宏, 王乐, 王伟杰. 基于BiLSTM-CNN串行混合模型的文本情感分析[J]. 计算机应用, 2020, 40(1): 16-22. doi: 10.11772/j.issn.1001-9081.2019060968

DGA家族	生成域名
nymaim	wguhjjpw.biz、xgtejqzk.info、sknvmfwepis.com
tinba	wscqhnmdmmmm.xyz、jotsclimehig.xyz、jtmyvwdrvmvn.xyz
banjori	xppbalitydevonianizuwb.com、kkhualitydevonianizuwb.com
rovnix	lc7solbykglxko42wu.com、2h7wz2tiwrelojw3k5.biz

APT工具	C&C使用域名
Gh0st	kuziyvhuyeozlz.com、cswdiarwgo.org
CobaltStrike	4747winusptonilineherk.xyz、axydesysk.ml、hljbkusnvb. org
Vidar	sujpcerqsttre88.xyz、kuislayndtavls.online
Ares	tmsirddguztwcbgaeyjo.com、tmxekahcaolryntmhrxpk.biz

类型	描述	样本示例	数量/个
合法域名	Alexa	google.com、amazon.com	1000000
预训练恶意域名集	banjori、rovnix、tinba、pykspa_v1、simda、flubot、bazardoor、ramnit、ranbyus、gameover、mydoom、virutmurofet、necurs等31个家族	isrfbvs.info、vhpkiktk.net、agfsfafsuf.net	1037812
调参恶意域名集	matsnu、vawtrak、pykspa_v2_fake、dircrypt、tordwm、enviserv等20个家族	9c8e924f.top、ufkkuxxedanldohyjyae.com	7289
威胁情报小样本恶意域名集	Donot、APT35等19个APT组织所使用的Moqhao、VileRAT等工具实施C&C的DGA恶意域名	nms*dis.com、eu*tek.info	3236

DGA	数量/个	DGA	数量/个
banjori	483028	wauchos	5940
rovnix	179996	ngioweb	5250
tinba	102108	qakbot	5000
pykspa_v1	44588	symmi	4256
simda	30275	necro	2962
flubot	30000	tempedreve	2786
bazardoor	28410	shifu	2537
ramnit	20064	monerominer	2495
ranbyus	16120	suppobox	2251
gameover	12000	qadars	2200
mydoom	9928	locky	1178
virut	9734	bigviktor	1000
murofet	8560	dyre	1000
necurs	8190	chinad	1000
shiotob	8004	cryptolocker	1000
emotet	5952	—	—

真实	预测
真实	正常	恶意
正常	T_P	F_P
恶意	F_N	T_N