Research On Malicious Domain Name Detection Method Based On Deep Learning And Similarity

Posted on: 2022-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: H D Sun
GTID: 2518306758950399
Subject: Master of Engineering
Abstract/Summary:
Malicious domain names play a key role when zombie hosts obtain the IP addresses of command and control servers, posing a great threat to computer systems. Compared with obtaining the command and control server IP address from a limited set of domain names, the approach based on a domain name generation algorithm is harder to detect. The attacker designs an algorithm to generate a list of malicious domain names, and the zombie host traverses the list to find the IP address of the command and control server and carry out malicious communication. Detecting malicious domain names in DNS requests is therefore of great value for analyzing botnets and curbing malicious attacks. To improve domain name detection, this thesis proposes a malicious domain name detection method based on deep learning and similarity. The main research work of this thesis is as follows:

(1) To address the limitations of existing methods in feature extraction, a detection method based on multi-dimensional features and bidirectional GRU is proposed. This method extracts features from multiple dimensions, uses a bidirectional GRU as a weak learner, and divides the features into four categories. Each category of features corresponds to one weak learner, and the classification result is jointly determined by the outputs of the four weak learners and the decision threshold. Experimental results on three domain name datasets show that the method has higher accuracy than detection methods based only on a single feature.

(2) To address the problem that manual annotation cannot handle massive data, a screening and clustering method for the initial domain name set is proposed. The method extracts the network features of domain names and uses the single-classification algorithm to filter out the malicious domain names to form the initial domain name set. Since the character similarity among malicious domain names of a family in the initial domain name set is relatively high, the similarity of the malicious domain names in the initial domain name set can be calculated, and the domain names can be clustered according to that similarity. The experimental results show that the method has good screening accuracy and clustering accuracy.

(3) The heterogeneous network formed by hosts querying domain names contains node information, and efficient modeling methods and similarity algorithms are needed to obtain node similarity information. Therefore, this thesis proposes a bipartite graph modeling method, uses an improved node similarity algorithm to calculate the similarity of domain name nodes on the bipartite graph, and finally classifies domain names according to the similarity. Experimental results show that the method has an accuracy of 99.78% on datasets containing multiple malicious domains.
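
An added example (not code from the thesis) of the host-to-domain bipartite approach in point (3). It uses plain Jaccard overlap of querying-host sets as a stand-in for the thesis's improved node similarity algorithm, which the abstract does not specify; the log entries, seed domain, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed (host, queried domain) pairs; not data from the thesis.
QUERIES = [
    ("10.0.0.5", "kqzvxw.example"), ("10.0.0.5", "pwmtjr.example"),
    ("10.0.0.5", "news.example"),
    ("10.0.0.9", "kqzvxw.example"), ("10.0.0.9", "pwmtjr.example"),
    ("10.0.0.9", "xbtqnl.example"),
    ("10.0.0.7", "news.example"), ("10.0.0.7", "mail.example"),
    ("10.0.0.8", "news.example"), ("10.0.0.8", "mail.example"),
]

def build_bipartite(queries):
    """Return domain -> set of hosts that queried it (edges of the graph)."""
    hosts_of = defaultdict(set)
    for host, domain in queries:
        hosts_of[domain.lower().rstrip(".")].add(host)
    return dict(hosts_of)

def jaccard(a, b):
    """Neighbour-set overlap of two domain nodes, in [0, 1]."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def classify(hosts_of, seeds, threshold=0.5, min_hosts=2):
    """Label each unlabelled domain by its best similarity to a malicious seed.

    Domains seen from fewer than min_hosts hosts are 'unknown': a single
    querying host is too little evidence to call them benign or malicious.
    """
    labels = {}
    for domain, hosts in hosts_of.items():
        if domain in seeds:
            continue
        best = max((jaccard(hosts, hosts_of[s]) for s in seeds if s in hosts_of),
                   default=0.0)
        if len(hosts) < min_hosts:
            labels[domain] = ("unknown", best)
        else:
            labels[domain] = ("malicious" if best >= threshold else "benign", best)
    return labels

if __name__ == "__main__":
    graph = build_bipartite(QUERIES)
    for d, (label, score) in sorted(classify(graph, {"kqzvxw.example"}).items()):
        print(f"{d:18} {label:9} {score:.2f}")
```
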
Keywords/Search Tags: malicious domain name, deep learning, botnet, domain name generation algorithm, domain name detection