
Research On DGA Domain Names Detection Method Based On Deep Learning

Posted on: 2024-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: T Y Wang
GTID: 2558307127960559
Subject: Cyberspace security

Abstract/Summary:
In recent years, the number of malicious attacks in cyberspace has been rising rapidly. Frequent and diversified malicious attacks pose a serious threat to the personal data and property of Internet users. The botnet is currently one of the most influential and destructive platforms for malicious network attacks. It usually uses DNS services to communicate with command and control (C&C) servers. To evade blacklist-based defenses, attackers usually use a domain generation algorithm (DGA) to generate new domain names for these communication connections. Today, mainstream DGA domain detection adopts deep learning methods that can extract features automatically. However, detection methods based on deep learning still have two problems that urgently need to be solved. First, DGA domain names are short texts, and existing models make poor use of their text information, resulting in poor multi-classification performance. Second, new DGA families emerge endlessly. Their generation methods are diverse and their character randomness is low. They are very similar to benign domain names in character distribution and composition, and existing detection methods detect them poorly. This paper focuses on these two aspects, and its main contributions and innovations are as follows:

(1) Some current detection methods make poor use of domain name information, resulting in poor multi-classification performance. To address this problem, a DGA domain name classification model based on deep learning (PCBGA-DGA) is proposed. In this model, a parallel convolutional neural network (PCNN) is used to extract local features of the domain name sequence, and a bidirectional gated recurrent unit combined with an attention mechanism (BiGRU-Att) is used to extract time-series-dependent features of the domain name sequence that contain character weight information. The experimental results show that, compared with traditional deep learning models, this model performs better on the multi-classification of DGA domain names, and has obvious advantages in classifying two kinds of DGA domain names based on word lists.

(2) Existing detection methods are not effective in detecting new DGA domain names. To address this problem, this paper proposes a new DGA domain name generation method (CLR-DGA) and its defense measures. CLR-DGA generates DGA domain names that are difficult to detect by character-level replacement based on benign domain names. Based on CLR-DGA, this paper then conducts research on adversarial attack and defense. In the adversarial attack experiment, CLR-DGA is compared with three known DGAs and two new DGAs to observe how well five deep learning classifiers detect these six DGAs. The experimental results show that four of the classifiers perform worst when detecting CLR-DGA. In the adversarial defense experiment, the training data set used in the adversarial attack experiment was expanded with 10000 additional CLR-DGA domain names and 10000 benign domain names, and the five deep learning classifiers were retrained. The experimental results show that adversarial training can, to a certain extent, strengthen the deep learning classifiers against attacks from CLR-DGA, thereby improving their robustness.
Keywords/Search Tags:Botnet, Domain generation algorithm, Domain name classification, Neural network, Adversarial attack