Research On DGA Detection Algorithm For IoT Botnet

In recent years,the frequent occurrence of IoT botnet incidents has greatly affected the order of production and life.IoT devices such as smart homes,routers,and network cameras have become the hardest hit areas.Botnets widely use domain generation algorithm(DGA)to generate DGA domains to evade blacklist detection.Therefore,deploying DGA detection methods on IoT devices can detect and block botnets in time to protect device functions and users’ data.However,the existing DGA detection methods have some shortcomings.The DGA detection algorithm based on feature engineering searches for features that can be used to distinguish DGA domains from normal domains based on experience.This method has defects of incomplete feature analysis and easy to be bypassed by attackers,which will lead to the accuracy of the detection model is not high.The deep learning-based method can automatically extract high-dimensional features to complete DGA domains detection,but this method requires a large space to deploy the training environment,and requires a large number of datasets to train the model.Due to the limited computing power and storage resources of IoT devices,this method is not suitable for DGA detection of IoT devices.In response to the above problems,the following research work has been carried out in this paper:(1)A DGA detection algorithm based on SDF is proposed.The algorithm has the characteristics of simple deployment,low computing power requirements,small footprint,and high accuracy.It can solve the problem of DGA detection in IoT devices with limited resources.The algorithm is constructed based on the twin deep forest.Based on the twin network idea,the data set is expanded by pairing on the limited training set.The weights of the trees in the deep forest are added and adjusted to fit the model.After experimental comparison,compared with the detection algorithm based on deep forest,the detection effect of the algorithm model under different data scales has been improved.(2)Aiming at the problem that the SDF algorithm model is too large and the increase in accuracy of between cascade forest is small,a DGA detection algorithm based on I-SDF is proposed,which improves the multi-grand scanning and adds the dropout mechanism and dynamic setting of the number of trees in the forest.The experimental results show that the improved model increase the accuracy and reduce the size of the model.Compared with the machine learning model based on feature engineering and the neural network model based on CNN＿LSTM,the algorithm model has better performance under different training set sizes.(3)Combined with the idea of federated learning,a DGA detection algorithm based on distributed I-SDF is proposed.This algorithm can implement distributed training of the ISDF model on multiple IoT devices while protecting domain name privacy.The accuracy of the model trained by the distributed method is better than that of the single-machine training model.In addition,a DGA detection system is designed based on the trained model,which can detect the DGA domain name on the IoT device in real time or time-sharing.