DGA Malicious Domain Name Detection Method Based on Fusion of CNN and LSTM

doi:10.3969/j.issn.1671-1122.2021.10.006

Abstract

Abstract:

At present, the malicious domain generation algorithm (DGA) is widely used in all kinds of network attacks. In order to solve the problems in DGA malicious domain name detection, such as low efficiency of feature engineering, too high domain name coding dimension, and partial domain name information feature loss, etc. This paper proposed a deep learning model for malicious domain name detection based on convolution neural networks and long short-term memory network. In the model, word vector embedding is used to encode domain name characters, and a dense vector is constructed, which is encoded by the correlation between words. This method could effectively solve the problems of sparse matrix and dimension disaster caused by single hot coding, shorten the character coding time and improve the coding efficiency. This model could not only extract the local features of domain name information, but also effectively extract the contextual relevance features between domain name characters. The experimental results show that compared with the traditional malicious domain name detection mode, the article method can obtain better classification effect and detection rate.

Key words: malicious domain name, convolutional neural network, short and long time memory network, deep learning

CLC Number:

TP309

XU Guotian, SHENG Zhenwei. DGA Malicious Domain Name Detection Method Based on Fusion of CNN and LSTM[J]. Netinfo Security, 2021, 21(10): 41-47.

Figures/Tables 12

References 17

[1]	SINGH M, SINGH M, KAUR S. Detecting Bot-infected Machines Using DNS Fingerprinting[J]. Digital Investigation, 2019, 28(2):14-33. doi: 10.1016/j.diin.2018.12.005 URL
[2]	GARCIA S, GRILL M, STIBOREK J, et al. An Empirical Comparison of Botnet Detection Methods[J]. Computers & Security, 2014, 32(45):100-123.
[3]	ZUO Yuanwei. Research on Malicious Domain Name Detection and Defense Based on Deep Learning and SDN Network[D]. Nanjing:Nanjing University of Posts and Telecommunications, 2020.
	左元威. 基于深度学习和SDN网络的恶意域名检测与防御的研究[D]. 南京:南京邮电大学, 2020.
[4]	DRICHEL A, MEYER U, SCHÜPPEN S, et al. Making Use of NXt to Nothing: The Effect of Class Imbalances on DGA Detection Classifiers [C]//ICOSST. Proceedings of the 15th International Conference on Availability, August 12-16, 2020, Lahore, Pakistan. USA: Reliability and Security, 2020: 1-9.
[5]	FEILY M, SHAHRESTANI A, RAMADASS S. A Survey of Botnet and Botnet Detection [C]//IEEE. Third International Conference on Emerging Security Information, June 18-23, 2009, Athens, Greece. New York: IEEE, 2009: 268-273.
[6]	SHARIFNYA R, ABADI M. Dfbotkiller: Domain-flux Botnet Detection Based on the History of Group Activities and Failures in DNS Traffic[J]. Digital Investigation, 2015, 12(5):15-26. doi: 10.1016/j.diin.2014.11.001 URL
[7]	ZHOU Yonglin, LI Qingshan, MIAO Qidi, et al. DGA-based Botnet Detection Using DNS Traffic[J]. J. Internet Serv. Inf. Secur., 2013, 3(3/4):116-123.
[8]	ANTONAKAKIS M, PERDISCI R, NADJI Y, et al. From Throw-away Traffic to Bots: Detecting The Rise of DGA-based Malware [C]//IEEE. 21st USENIX Conference on Security Symposium, Auguest 8-10, 2012, Bellevue, WA, USA. New York: IEEE, 2012: 491-506.
[9]	SHI Yong, CHEN Gong, LI Juntao. Malicious Domain Name Detection Based on Extreme Machine Learning[J]. Neural Processing Letters, 2018, 48(3):1347-1357. doi: 10.1007/s11063-017-9666-7 URL
[10]	JIANG Hongling, DAI Junwei. DGA Malicious Domain Name Detection Method[J]. Journal of Beijing Information Science and Technology University (Natural Science Edition), 2019, 34(5):45-50.
	蒋鸿玲, 戴俊伟. DGA恶意域名检测方法[J]. 北京信息科技大学学报(自然科学版), 2019, 34(5):45-50.
[11]	GU Zhaojun, YANG Wenjin, ZHOU Jingxian. A Small Sample DGA Malicious Domain Name Detection Method Based on Transfer Learning[EB/OL]. http://kns.cnki.net/kcms/detail/11.2127.TP.20200709.0928.008.html,2021-06-11.
	顾兆军, 杨文瑾, 周景贤. 基于迁移学习的小样本DGA恶意域名检测方法[EB/OL]. http://kns.cnki.net/kcms/detail/11.2127.TP.20200709.0928.008.html,2021-06-11.
[12]	TOBIYAMA S, YAMAGUCHI Y, SHIMADA H, et al. Malware Detection with Deep Neural Network Using Process Behavior [C]//IEEE. 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), June 10-14, 2016, Atlanta, USA. New York: IEEE, 2016: 577-582.
[13]	WANG Zhiqiang, LI Shuhao, CHI Yaping, et al. Malicious DGA Domain Name Detection Based on Deep Learning[J]. Computer Engineering and Design, 2021, 42(3):601-606.
	王志强, 李舒豪, 池亚平, 等. 基于深度学习的恶意DGA域名检测[J]. 计算机工程与设计, 2021, 42(3):601-606.
[14]	EBRAHIMI M, SUEN C Y, ORMANDJIEVA O. Detecting Predatory Conversations in Social Media by Deep Convolutional Neural Networks[J]. Digital Investigation, 2016, 18(6):33-49. doi: 10.1016/j.diin.2016.07.001 URL
[15]	LE Q, BOYDELL O, MAC N B, et al. Deep Learning at the Shallow End: Malware Classification for Non-domain Experts[J]. Digital Investigation, 2018, 26(9):118-126.
[16]	ZHANG You, YUAN Hang, WANG Jin, et al. YNU-HPCC at EmoInt-2017: Using a CNN-LSTM Model for Sentiment Intensity Prediction [C]//Association for Computational Linguistics. Proceedings of the 8th Workshop on Computational Approaches to Subjectivity, Sentiment and Social Media Analysis, September 7-11, 2017, Copenhagen, Denmark. USA: Association for Computational Linguistics, 2017: 200-204.
[17]	ZHOU Kang, WAN Liang, DING Hongwei. Malicious Domain Name Detection Based on AN and LSTM[J]. Computer Engineering and Applications, 2020, 56(4):92-98.
	周康, 万良, 丁红卫. 基于AN和LSTM的恶意域名检测[J]. 计算机工程与应用, 2020, 56(4):92-98.

原始域名	向量、正则化嵌入后数据/个
baidu	186737
google	18945
lovehifi	10
…	…

开发环境	环境配置
处理器	AMD Ryzen 5 4500U with Radeon Graphics 2.38 G
内存	16.0 GB
操作系统	Windows 10
IDE	Tensorflow下Jupyter Notebook
开发语言	python
第三方包	Tensorflow、pandas、numpy、keras等

	恶意域名	正常域名	总计
恶意域名（预测）	TP	FP	TP+FP
正常域名（预测）	FN	TN	FN+TN
总计	TP+FN	FP+TN	N

各类模型	准确率/%	损失值	时间/s
CNN	94.07	0.1667	80
LSTM	94.60	0.1743	83
SVM	89.00	0.2422	8
逻辑回归模型	90.70	0.2356	4
CNN-LSTM	97.27	0.1316	84