融合注意力机制与并行混合网络的DGA域名检测

摘要/Abstract

摘要： 基于统计特征的DGA域名检测方法依赖复杂的特征工程，而现有端到端的深度学习方法在DGA域名家族的多分类任务中性能表现不佳。针对上述问题，提出一种融合注意力机制与并行混合网络的DGA域名检测方法。首先，引入深层金字塔卷积神经网络，提取域名深层语义信息，并使用通道注意力块SENet进行改进构建DPCNN-SE，自适应学习通道间关系，抑制无用特征的传递；同时，将自注意力机制与双向长短时记忆网络结合构建BiLSTM-SA网络，捕获域名数据中最具代表性的全局时序特征；最后，融合2个网络提取的特征，输入softmax层输出分类结果。实验结果表明，该方法在域名家族的多分类任务中相比CNN、LSTM的单一模型，F1值分别提高了10.30个百分点、10.18个百分点；相较于现有的混合网络方法Bilbo和BiGRU-MCNN，F1值分别提高了5.97个百分点、4.87个百分点，并且具有更低的计算复杂度。

关键词: DGA域名检测, 特征融合, 端到端, 长短记忆神经网络, 卷积神经网络

Abstract: Statistical feature-based DGA domain name detection methods relies on complex feature engineering， while the existing end-to-end deep learning methods perform poorly in the multi-classification tasks. To address these problems， a DGA domain name detection method combining attention mechanisms and parallel hybrid networks is proposed. Firstly, deep pyramid convolutional neural networks is introduced to extract deep semantic information of domain names, and DPCNN-SE is proposed by improving DPCNN using the channel attention block called SENet, which can learn inter-channel relationships adaptively and suppress the transmission of useless features. Meanwhile, the self-attention mechanism and the bidirectional long short-term memory network are combined to construct the BiLSTM-SA network to capture the most representative global temporal features in domain name data. Finally, the features extracted by the two networks are fused and fed into the softmax layer to output the classification results. The experimental results show that the method increases the F1-score by 10.30 percentage points and 10.18 percentage points in the multi-classification task of domain name family compared with the single model of CNN and LSTM， respectively; the F1-score increases by 5.97 percentage points and 4.87 percentage points， respectively， compared with the existing hybrid model method Bilbo and BiGRU-MCNN， and has lower computational complexity.

Key words: DGA domain name detection, feature fusion, end-to-end, long short-term memory neural network, convolutional neural network

刘立婷, 欧毓毅. 融合注意力机制与并行混合网络的DGA域名检测[J]. 计算机与现代化, 2022, 0(09): 119-126.

LIU Li-ting, OU Yu-yi. DGA Domain Name Detection Combining Attention Mechanisms and Parallel Hybrid Network[J]. Computer and Modernization, 2022, 0(09): 119-126.

参考文献［25］

［1］	ZHAUNIAROVICH Y, KHALIL I, YU T, et al. A survey on malicious domains detection through DNS data analysis［J］. ACM Computing Surveys, 2018,51（4）:1-36
［2］	KHARRAZ A, ROBERTSON W, BALIAROTTI D, et al. Cutting the gordian knot: A look under the hood of ransomware attacks［C］// Springer International Publishing. 2016:3-24.
［3］	PATSAKIS C, CASINO F, KATOS V. Encrypted and covert DNS queries for botnets: Challenges and countermeasures［J］. Computers & Security, 2020,88:101614.
［4］	MARK WARD. Cryptolocker Victims to Get Files Back for Free［EB/OL］. （2014-08-06）［2021-12-05］. https://www.bbc.com/news/techn-ology-28661463．
［5］	WIKIBOOKS. Conficker［EB/OL］. ［2021-12-05］. https://en.wikipedia.org/wiki/Conficker.
［6］	BADER J. The DGA of Ramnit［EB/OL］. ［2021-12-05］. https://johannesbader.ch/2014/12/the-dga-of-ramnit/.
［7］	沙泓州,刘庆云,柳厅文,等. 恶意网页识别研究综述［J］. 计算机学报, 2016,39（3）:529-542.
［8］	YADAV S, REDDY A K K, REDDY A L N, et al. Detecting algorithmically generated domain-flux attacks With DNS traffic analysis［J］. IEEE/ACM Transactions on Networking, 2012,20（5）:1663-1677.〖HJ1mm〗
［9］	张维维,龚俭,刘茜,等. 基于词素特征的轻量级域名检测算法［J］. 软件学报, 2016,27（9）:2348-2364.
［10］	王媛媛,吴春江,刘启和,等. 恶意域名检测研究与应用综述［J］. 计算机应用与软件, 2019,36（9）:310-316.
［11］	YANG L H, ZHAI J T, LIU W W, et al. Detecting word-based algorithmically generated domains using semantic analysis［J］. Symmetry, 2019,11（2）:176.
［12］	SELVI J, RODRGUEZ R J. SORIA-OLIVAS E. Detection of algorithmically generated malicious domain names using masked N-grams［J］. Expert Systems with Applications, 2019,124:156-163.
［13］	TONG V, NGUYEN G. A method for detecting DGA botnet based on semantic and cluster analysis［C］// Proceedings of the 7th Symposium on Information and Communication Technology. 2016:272-277.
［14］	WOODBRIDGE J, ANDERSON H S, AHUJA A, et al. Predicting domain generation algorithms with long short-term memory networks［J］. arXiv preprint arXiv:1611.00791, 2016.
［15］	QIAO Y C, ZHANG B, ZHANG W Z, et al. DGA domain name classification method based on long short-term memory with attention mechanism［J］. Applied Sciences, 2019,9（20）:4205.
［16］	YANG L H, LIU G J, WANG J W, et al. Fast3DS: A real-time full-convolutional malicious domain name detection system［J］. Journal of Information Security and Applications, 2021,61:102933.
［17］	HIGHNAM K, PUZIO D, LUO S, et al. Real-time detection of dictionary dga network traffic using deep learning［J］. SN Computer Science, 2021,2（2）:1-17.
［18］	CHEN Y J, PANG B, SHAO G L, et al. DGA-based botnet detection toward imbalanced multiclass learning［J］. Tsinghua Science and Technology, 2021,26（4）:387-402.
［19］	王志强,李舒豪,池亚平,等. 基于深度学习的恶意DGA域名检测［J］. 计算机工程与设计, 2021,42（3）:601-606.
［20］	CHEN C Q, PAN L L, XIE X L. DGA domain name detection based on BiGRU-MCNN［C］// Proceedings of the 2019 4th International Conference on Intelligent Information Processing. 2019:315-319.
［21］	杜鹏,丁世飞. 基于混合词向量深度学习模型的DGA域名检测方法［J］. 计算机研究与发展, 2020,57（2）:433-446.
［22］	HU J, SHEN L, SUN G. Squeeze-and-excitation networks［C］// Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition. 2018:7132-7141.
［23］	JOHNSON R, ZHANG T. Deep pyramid convolutional neural networks for text categorization［C］// Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics. 2017:562-570.
［24］	HE K M, ZHANG X Y, REN S Q, et al. Identity mappings in deep residual networks［C］// European Conference on Computer Vision. 2016:630-645.
［25］	SAXE J, BERLIN K. EXpose: A character-level convolutional neural network with embeddings for detecting malicious URLs， file paths and registry keys［J］. arXiv preprint arXiv:1702.08568, 2017.

[1]	周成诚, 曾庆军, 杨康, 胡家铭, 韩春伟. 基于高效通道注意力模块的运动想象脑电识别[J]. 计算机与现代化, 2023, 0(12): 19-23.
[2]	宁娟, 周庆华, 曾小为. 改进YOLOv7算法在西林瓶轧盖缺陷检测中的应用[J]. 计算机与现代化, 2023, 0(12): 82-86.
[3]	谷明轩, 范冰冰. 基于多模态特征融合的抑郁症识别[J]. 计算机与现代化, 2023, 0(10): 17-22.
[4]	陈俊义. 基于图节点动静态特征的健康事件预测模型[J]. 计算机与现代化, 2023, 0(10): 39-44.
[5]	邢世帅, 刘丹凤, 王立国, 潘月涛, 孟灵鸿, 岳晓晗. 基于空间注意力残差网络的图像超分辨率重建模型[J]. 计算机与现代化, 2023, 0(10): 45-52.
[6]	刘付琪, 张达, 宋建华, 王海东. 基于CNN-BiLSTM的液压系统故障诊断[J]. 计算机与现代化, 2023, 0(09): 10-19.
[7]	吴甜, 刘海华, 童顺延. 基于深度反馈的卷积神经网络的图像分类[J]. 计算机与现代化, 2023, 0(09): 82-86.
[8]	陈嘉敏, 张伯泉, 麦海鹏. 基于特征融合的海马体分割[J]. 计算机与现代化, 2023, 0(08): 1-6.
[9]	孙子雨, 任燃, 魏曦哲. 基于DTW-TCN的股票分类及预测研究[J]. 计算机与现代化, 2023, 0(08): 31-37.
[10]	王鸿, 葛红. 基于注意力机制和语义相似度的跨模态哈希检索[J]. 计算机与现代化, 2023, 0(08): 44-53.
[11]	江蕾, 唐建, 杨超越, 吕婷婷. 基于CWGAN-GP与CNN的轴承故障诊断方法[J]. 计算机与现代化, 2023, 0(07): 1-6.
[12]	许叶彤, 耿信哲, 赵伟强, 张月, 宁海龙, 雷涛. 基于CNN-Transformer混合结构的遥感影像变化检测模型[J]. 计算机与现代化, 2023, 0(07): 79-85.
[13]	朱剑波, 葛明锋, 董文飞. 基于改进EfficientNet的阿尔兹海默症图像分类[J]. 计算机与现代化, 2023, 0(06): 56-61.
[14]	刘甲甲, 胡旭欣, 余萍. 聚合多维注意力特征的单目深度估计方法[J]. 计算机与现代化, 2023, 0(06): 76-81.
[15]	刘静, 陈金广. 基于通道注意力和Transformer的图像标题生成方法[J]. 计算机与现代化, 2023, 0(05): 8-12.