
    Citation: CHEN Lihuang, CHENG Hua, FANG Yiquan. Detecting Domain Generation Algorithm Based on Attention Mechanism[J]. Journal of East China University of Science and Technology, 2019, 45(3): 478-485. DOI: 10.14135/j.cnki.1006-3080.20180326002

    Detecting Domain Generation Algorithm Based on Attention Mechanism

    • Abstract: Detecting domain names produced by domain generation algorithms (DGA) is one of the key technologies for detecting malicious C&C (command and control server) communication. Many existing detection methods, e.g., machine learning methods based on statistical features and deep learning methods based on recurrent neural networks, usually rely on the randomness of the domain name's composition; they have a high false positive rate and low detection accuracy on DGA domain names with low randomness. A main reason is that those methods cannot effectively extract the partial high randomness present in low-randomness DGA domain names. As a result, normal domain names are often falsely reported as DGA domain names, which increases unnecessary consumption in the security system and reduces its reliability. To address this shortcoming, this paper proposes a multi-character randomness extraction method for domain names. A gated recurrent unit (GRU) is used to encode multi-character combinations and extract their randomness. At the same time, an attention mechanism is introduced to extract the randomness of characters in the domain name and strengthen its partial high-randomness features. On this basis, a DGA domain name detection algorithm based on an attention-based recurrent neural network, ATT-GRU, is constructed to improve the effectiveness of identifying low-randomness DGA domain names. Experimental results show that the ATT-GRU algorithm achieves higher detection precision and a lower false positive rate than traditional methods in detecting DGA domain names.

       
