Comparison of DGA Domain Detection Models Using Deep Learning
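  • English title: Comparison of DGA Domain Detection Models Using Deep Learning
  • Authors: 裴兰珍; 赵英俊; 王哲; 罗赟骞
  • Authors (English): PEI Lan-zhen; ZHAO Ying-jun; WANG Zhe; LUO Yun-qian; School of Air and Missile Defense, Air Force Engineering University; Army 95899 of PLA
  • Keywords: cyberspace security; deep learning; dynamic domain generation algorithm; convolutional neural network; gated recurrent unit; long short-term memory network
  • Keywords (English): Cyberspace security; Deep learning; Dynamic domain generation algorithms; Convolutional neural network; Gated recurrent unit; Long short-term memory
  • Chinese journal title: JSJA
  • English journal title: Computer Science
  • Institutions: School of Air and Missile Defense, Air Force Engineering University; Army 95899 of PLA
  • Publication date: 2019-05-15
  • Publisher: 计算机科学 (Computer Science)
  • Year: 2019
  • Issue: v.46
  • Funding: Supported by the All-Army Military Science Postgraduate Research Project (2014JY514)
  • Language: Chinese
  • Page: JSJA201905019
  • Number of pages: 5
  • CN: 05
  • ISSN: 50-1075/TP
  • Classification number: 118-122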
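Abstract
To address the difficulty of detecting DGA domain names, a character-oriented DGA domain detection model based on deep learning is constructed. The model consists of a character embedding layer, a feature detection layer, and a classification prediction layer. The character embedding layer numerically encodes the input DGA domain name; the feature detection layer uses a deep learning model to extract features automatically; the classification prediction layer uses a fully connected network for classification prediction. To select the optimal feature extraction model, the paper analyzes and compares LSTM and GRU models using the Bidirectional, Stack, and Attention mechanisms, CNN models, and models that combine a CNN with an LSTM model and with a GRU model respectively. The results show that, compared with the LSTM and GRU models, the LSTM and GRU models using the Stack mechanism, or the forward Attention mechanism combined with the Bidirectional mechanism, the CNN models, and the models combining CNN with LSTM and GRU can all improve detection performance, but the DGA domain detection model built from the combination of CNN and Bi-GRU achieves the best detection performance.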
To solve the problem that DGA domain names are difficult to detect, this paper proposes a new character-level DGA domain detection model based on deep learning. The model consists of a character embedding layer, a feature detection layer, and a classification prediction layer. The character embedding layer performs the digital encoding of the DGA domain. The feature detection layer adopts a deep learning model to extract features automatically, and the classification prediction layer adopts a neural network for classification prediction. In order to select the optimal feature extraction model, LSTM and GRU models using the Bidirectional, Stack, and Attention mechanisms, CNN models, and CNN models integrated respectively with LSTM and GRU models were compared. The results show that the LSTM and GRU models using the Stack mechanism and the Attention mechanism integrated with the Bidirectional mechanism, the CNN models, and the CNN models integrated with LSTM and GRU models can improve the detection effect. The DGA domain detection model using a CNN model integrated with Bi-GRU obtains the optimum detection effect.
