基于迁移学习的小样本DGA恶意域名检测方法  被引量：4

作　　者：顾兆军[1,2] 杨文瑾 周景贤[1] GU Zhaojun;YANG Wenjin;ZHOU Jingxian(Information Security Evaluation Center,Civil Aviation University of China,Tianjin 300300,China;Institute of Computer Science and Technology,Civil Aviation University of China,Tianjin 300300,China;Institute of Sino-European Aeronautical Engineering,Civil Aviation University of China,Tianjin 300300,China)

机构地区：[1]中国民航大学信息安全测评中心,天津300300 [2]中国民航大学计算机科学与技术学院,天津300300 [3]中国民航大学中欧航空工程师学院,天津300300

出　　处：《计算机工程与应用》2021年第14期103-109,共7页Computer Engineering and Applications

基　　金：国家自然科学基金(61601467);民航安全能力建设资金项目(PESA2018082,PESA2019074);中央高校中国民航大学专项(3122018C036)。

摘　　要：域名生成算法(DGA)存在变化多、部分类别样本难获取的特点,使得采用传统机器学习的恶意域名检测模型准确性不高。提出一种基于迁移学习和多核CNN的小样本DGA恶意域名检测模型。该模型将目标域名映射到向量空间中,使用样本充足的DGA种类进行预训练,并迁移预训练得到的参数到小样本检测模型。采用多核CNN小样本分类模型根据发音习惯进行域名特征提取并分类。通过实验对比发现,无知识迁移的小样本分类模型只有11类域名准确率超过92%,经过迁移学习的多核CNN模型20类准确率超过92%,11类准确率超过97%,检测效果接近数据充足时的分类效果。The Domain name Generation Algorithm(DGA)is easy to evolve, and some category of samples are difficult to obtain, which makes the detection of malicious domain names using traditional machine learning models inaccurate. A small sample DGA malicious domain name detection model based on transfer learning and multi-core CNN is proposed.The model maps the domain name into the vector space, and then uses the DGA with sufficient samples for pre-training,and migrates the pre-trained parameters to the small sample detection model. Finally, the multi-core CNN classification model of small data DGA extracts the characters of domain according to pronunciation habits, and determines whether the domain is a DGA domain. By comparison, the small sample classification model without knowledge transfer has only 11 types of domain names with an accuracy of more than 92%. The classification results of the multi-core CNN model after transfer learning has 20 types of DGA with an accuracy more than 92% and the 11 types more than 97%. Through knowledge transfer, the classification effect of the model trained by insufficient DGA data can be close to the model trained by sufficient data.

关 键 词：恶意域名 卷积神经网络 迁移学习 域名生成算法 小样本学习 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]