
Research And Implementation Of Algorithmically Generated Domain Detection For IoT Botnet

Posted on: 2024-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Wu
GTID: 2568306941495694
Subject: Computer technology
Abstract/Summary:
IoT botnets have grown into a major threat to personal, corporate, and national security. Domain Generation Algorithm (DGA) is one of the key communication technologies of botnets. Many dynamically changing algorithmically generated domains (AGDs) make botnets highly concealed and robust. Therefore, accurate identification of AGDs is an effective way to defend against botnet attacks. However, there are several challenges in DGA domain name detection research, such as detecting new types of DGA domain names, addressing imbalanced performance in multi-classification tasks, and achieving real-time application. This paper focuses on the detection of word-based AGDs, the performance imbalance in multi-classification tasks, and real-time application in the IoT. The main contributions of this paper are as follows:

(1) We propose an AGD detection algorithm that combines character and word feature learning. Domain names are represented as text vectors by passing them through character embedding layers and word embedding layers. The word embedding sequence is input into a Small BERT model to learn semantic and syntactic features. The character embedding sequence is input into a CNN module to learn features related to character combinations and randomness in the domain names. The output sequences from the Small BERT and CNN modules are merged, and a multi-head self-attention layer is used to extract important features at different positions in the merged sequence. Finally, the algorithm outputs binary and multi-classification results. The experimental results show that the algorithm effectively improves the detection performance for word-based AGDs and addresses the issue of performance imbalance in multi-classification tasks, while maintaining good performance in binary classification tasks. The algorithm uses the Small BERT model, which has fewer parameters, achieving a balance between computational efficiency and model performance and making it suitable for application in the IoT.

(2) We design and implement an AGD detection system. To address the real-time application challenges in the IoT environment, we combine the proposed AGD detection method with an edge cloud computing architecture to achieve real-time AGD detection. The DNS request proxy, domain name detection, domain name filtering, log recording, and log collection modules are deployed at the edge. The log storage, IoT device information management, and visualization monitoring modules are deployed in the cloud. The domain name filtering module intercepts AGD resolution requests from IoT terminal devices. The log collection module transmits DNS request log data from edge devices to the cloud database. The visualization monitoring module provides abnormal-information alerts for local IoT devices, along with an overview and trend display of abnormal domain name resolution requests. This article explains the implementation approaches for each module of the system and validates them through functional testing.
Keywords/Search Tags: Domain Generation Algorithm (DGA), botnet, Small BERT, Internet of Things, Edge Computing
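As an added illustration (not code from the thesis), the sketch below computes the two views of a domain label that contribution (1) feeds to separate branches: a character-level randomness score and a word-level segmentation. The hand-written entropy and dictionary segmentation are stand-ins for the learned character/word embeddings, CNN and Small BERT; the vocabulary, function names and sample domains are constructed assumptions.

```python
import math
from collections import Counter

# Constructed toy vocabulary (assumption); a real word view needs a large dictionary.
VOCAB = frozenset({"secure", "login", "portal", "weather", "report",
                   "river", "stone", "market", "cloud", "mail"})

def registered_label(domain):
    """Label left of the TLD: 'www.example.com' -> 'example'.
    Simplification: multi-label suffixes such as 'co.uk' are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def char_entropy(label):
    """Character view: Shannon entropy in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def segment(label, vocab=VOCAB):
    """Word view: split the label into vocabulary words, leaving as few
    characters unmatched as possible. Unmatched characters become 1-char tokens."""
    best = [(0, [])]  # best[i] = (unmatched chars, tokens) for label[:i]
    for i in range(1, len(label) + 1):
        cost, toks = best[i - 1]
        cands = [(cost + 1, toks + [label[i - 1]])]
        for j in range(i):
            if label[j:i] in vocab:
                cands.append((best[j][0], best[j][1] + [label[j:i]]))
        best.append(min(cands, key=lambda c: (c[0], len(c[1]))))
    return best[-1][1]

def views(domain, vocab=VOCAB):
    """Return both views of a domain name as a dict."""
    label = registered_label(domain)
    tokens = segment(label, vocab)
    covered = sum(len(t) for t in tokens if t in vocab)
    return {"label": label,
            "entropy": round(char_entropy(label), 3),
            "tokens": tokens,
            "word_coverage": round(covered / len(label), 3) if label else 0.0}

if __name__ == "__main__":
    # Constructed sample names, not taken from any real DGA family.
    for d in ("xkqzjvhwpbtn.net", "riverstonemarket.com", "securelogin7x.info"):
        print(d, views(d))
```

The random-character name scores highest on the character view and zero on word coverage, while the word-concatenation name is fully covered by dictionary words, which is the kind of signal only the word branch can carry.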