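Authors: LANG Bo[1], XIE Chong, CHEN Shaojie, LIU Hongyu (State Key Laboratory of Software Development Environment, Beihang University, Beijing 100191, China)
Affiliation: [1] State Key Laboratory of Software Development Environment, Beihang University, Beijing 100191
Source: Netinfo Security (《信息网络安全》), 2022, No. 4, pp. 20-29 (10 pages)
Funding: Exploratory Project of the State Key Laboratory of Software Development Environment [SKLSDE-2020ZX-02].
Abstract: Fast-Flux malicious domain names are an important vehicle for botnet communication; they resist detection by rapidly changing the IP addresses to which the domain resolves. At present, most malicious domain name detection systems are based on traditional machine learning models, which require complex data processing and feature extraction and rely on a large number of third-party data sources, resulting in poor real-time detection performance. Domain name resolution is a complex process with rich features, and this paper designs a Fast-Flux malicious domain name detection method based on multi-modal feature fusion. First, a GCN module extracts spatial features and a BiLSTM module extracts domain name text features; then an MLP module extracts side-information features; finally, a neural network fuses the three kinds of features. Experiments on the public Fast-Flux-Attack-Datasets dataset show that the method achieves a precision of 99.94%, a recall of 99.76% and an accuracy of 99.69%, outperforming current comparable methods overall. The proposed method effectively fuses the multi-modal features of domain name resolution and markedly improves detection, which is significant for improving botnet detection capability.
English abstract: Fast-Flux malicious domain name is an important technique in Botnet communication which aims to resist detection by quickly changing the resolved IP address of the domain. At present, most of the malicious domain name detection methods are based on the traditional machine learning models. These methods need complex data processing, feature extraction, and the help of a large amount of third-party data, which greatly reduces the efficiency of detection. Domain name resolution is a very complex process with rich features; this paper designed a Fast-Flux malicious domain name detection method based on multi-modal feature fusion using deep learning. Firstly, a GCN module was used to extract spatial features, and a BiLSTM module was used to extract text features. Secondly, an MLP module was used to extract side information features. Thirdly, the three kinds of features were fused using a neural network structure. This paper has conducted experiments on the Fast-Flux-Attack-Datasets; the experimental results show that this method achieves the accuracy of 99.94% with recall of 99.76% and precision of 99.69%, which is better than the state-of-the-art methods at present. The method effectively fuses multimodal features, promotes the performance of Fast-Flux domain name detection, and is meaningful for enhancing the capability of Botnet detection.
Keywords: Fast-Flux malicious domain name detection; botnet; GCN; multi-modal features
Classification code: TP309 [Automation and Computer Technology: Computer System Architecture]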