Authors: 姜言波 (JIANG Yan-bo) [1]; 邵增珍 (SHAO Zeng-zhen) [2]
Affiliations: [1] Department of Information Engineering, Shandong Foreign Trade Vocational College, Qingdao 266000, Shandong, China; [2] College of Information Science and Engineering, Shandong Normal University, Jinan 250014, Shandong, China
Source: Journal of China Academy of Electronics and Information Technology (《中国电子科学研究院学报》), 2023, No. 7, pp. 663-670 (8 pages)
Funding: China Postdoctoral Science Foundation (2016M592697).
Abstract: Aiming at the problem that existing malicious domain detection methods have high time costs in detection and low accuracy in detecting new or mutated malicious domains, a fine-grained multi-family malicious domain detection method based on unsupervised adaptive fuzzy clustering is proposed. First, the word-vector mapping network BERT (Bidirectional Encoder Representation from Transformers) is used to map domain name strings to a word vector matrix. Then, feature extraction from the domain name string vector matrix is performed by the encoding and decoding modules of a deep autoencoder network. Finally, an adaptive fuzzy clustering algorithm is introduced to cluster the features of multi-family malicious domains and legitimate domains in the latent space. Tested on datasets of malicious domains from multiple families and of common domains, the experimental results show that the proposed method achieves an accuracy of 97.71% on the binary classification task and 96.25% on the fine-grained multi-class task over 8 families. Its overall detection performance is better than that of current mainstream malicious domain detection algorithms. At the same time, the proposed method has lower time cost, providing a new means for real-time filtering of malicious domains and prevention of intrusion attacks that use them.
Keywords: malicious domain detection; unsupervised; deep autoencoder network; fuzzy clustering; word vector
Classification code: TP393 [Automation and Computer Technology: Computer Application Technology]