基于人工特征与深度特征的DGA域名检测算法  被引量：7

作　　者：胡鹏程 刁力力 叶桦[1] 仰燕兰[1] HU Peng-cheng;DIAO Li-li;YE Hua;YANG Yan-lan(School of Automation,Southeast University,Nanjing 210096,China;Core Technology-Research,Trend Micro China Development Center,Nanjing 210012,China)

机构地区：[1]东南大学自动化学院,南京210096 [2]趋势科技核心技术部,南京210012

出　　处：《计算机科学》2020年第9期311-317,共7页Computer Science

摘　　要：当前,各种各样的恶意软件常使用域名生成算法(Domain Generation Algorithms,DGAs)来生成大量的随机域名,然后尝试与C&C服务器建立通信,发动相应的攻击。现有的检测方法基于DGA域名的随机性构建人工特征,利用机器学习方法学习分类模式,但该类算法存在人工构建特征费时费力、检测误报率高等问题;或利用LSTM,GRU等深度学习技术学习DGA域名的序列关系,但该类算法对低随机性的DGA域名的检测准确率较低。文中提出了一种域名通用特征的提取方案,建立了包含41种DGA域名家族的数据集,并设计了基于人工特征与深度特征的检测算法,提高了模型的泛化能力,增加了对DGA域名家族的识别种类。实验结果表明,基于人工特征与深度特征的DGA域名检测算法取得了比传统深度学习方法更高的准确率和更好的泛化能力。Nowadays,various families of malware use domain generation algorithms(DGAs)to generate a large number of pseudo-random domain names to connect to C&C(Command and Control)servers,in order to launch corresponding attacks.There are two existing methods to detect DGA domains.On the one hand,it is a machine learning method based on the randomness of DGA domain name to construct artificial features.This kind of algorithm has the problems of time-consuming and laborious artificial feature engineering and high false alarm rate and so on.On the other hand,LSTM,GRU and other deep learning technologies are used to learn the sequence relationship of DGA domain names.This kind of algorithm has a low detection accuracy for DGA domain names with low randomness.Therefore,this paper proposes a domain name generic feature extraction scheme,establishes a data set containing 41 DGA domain name families,and designs a detection algorithm based on artificial features and depth features that enhances the generalization ability of the model and improves the identification types of DGA domain families.Experimental results show that DGA domain name detection algorithm based on artificial features and depth features has achieved higher accuracy and better generalization ability than traditional deep learning methods.

关 键 词：域名生成算法 域名检测 长短期记忆网络 特征工程 

分 类 号：TP393.0[自动化与计算机技术—计算机应用技术]