
Analysis And Detection Of Domain Name Generation Algorithm

Posted on: 2022-01-10
Degree: Master
Type: Thesis
Country: China
Candidate: Q C Wei
Full Text: PDF
GTID: 2518306326484754
Subject: Computer Science and Technology
Abstract/Summary:
With the advent of the Internet of Everything era, botnets have increasingly become an important source and platform of network attacks. How to effectively identify and combat botnets has therefore become a hot issue in network security research. Modern botnets mainly adopt a communication mechanism based on domain generation algorithms (DGAs): large numbers of algorithmically generated domain names are used to hide the C&C server address and so evade security supervision. Research on DGA domain name detection is therefore an important breakthrough point for discovering and shutting down botnets.

Although existing DGA domain detection models can achieve high detection accuracy, two problems remain to be solved. First, the training process of a detection model must rely on DGA domains, and its training set needs to be continuously supplemented with new DGA domain name families; this kind of data has a long acquisition cycle and is difficult to collect, so the model cannot be updated and iterated rapidly to cope with emerging DGA domain name families. Second, existing models focus on detecting the DGA domain name families contained in the training set and cannot effectively identify new DGA domain name types outside the training set, resulting in poor generalization performance and a narrow scope of application. To solve these problems, the work and innovations of this paper are as follows:

1) To solve the problem that model training must rely on DGA domain name data, this paper first constructs a domain name credibility evaluation model, using some historical DGA data, to calculate a credibility score for each normal domain name. Second, in training the actual classification model, the normal domain names and their credibility scores are used in place of the variables related to DGA domain names. As a result, the training process of the classification model does not need DGA domain name data, which accelerates model iteration and ensures the timeliness of the model.

2) To solve the problem that existing models have weak generalization ability and cannot recognize new DGA families, this paper approaches model construction from the perspective of model training and feature learning. Since the performance of a model is restricted by the sample set used, its generalization can be effectively enhanced if the model fits only the characteristics of normal domain names. Based on this idea, this paper proposes a DGA detection model, Prof DGA, which is trained only on normal domain names by modifying the loss function.

3) This paper designs and implements the proposed model, conducts comparative experiments against the existing model, and evaluates the model in terms of accuracy rate, recall rate, F1 value and so on. The experiments show that although the Prof DGA model reduces the accuracy of detecting DGA families in the training set by 9%, its accuracy in detecting unknown DGA families is improved by 30% and its recall rate by 54.2% compared with the existing model, so it can effectively discover new DGA domain name families.
Keywords/Search Tags: Botnet, Domain Generation Algorithm, Positive Sample Confidence, Deep Learning, LSTM