A DGA domain names detection modeling method based on integrating an attention mechanism and deep neural network

Ren, Fangli; Jiang, Zhengwei; Wang, Xuren; Liu, Jian

doi:10.1186/s42400-020-00046-6

Cited by 36 publications

(18 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The experiments demonstrate that our model achieves perfect performance. Future work will consider the optimization of its performance and compare it with the recent work [ 37 , 38 , 39 ] to evaluate the strength of the model.…”

Section: Discussionmentioning

confidence: 99%

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Liu

Zhang

Chen

et al. 2020

Entropy

View full text Add to dashboard Cite

Domain generation algorithms (DGAs) use specific parameters as random seeds to generate a large number of random domain names to prevent malicious domain name detection. This greatly increases the difficulty of detecting and defending against botnets and malware. Traditional models for detecting algorithmically generated domain names generally rely on manually extracting statistical characteristics from the domain names or network traffic and then employing classifiers to distinguish the algorithmically generated domain names. These models always require labor intensive manual feature engineering. In contrast, most state-of-the-art models based on deep neural networks are sensitive to imbalance in the sample distribution and cannot fully exploit the discriminative class features in domain names or network traffic, leading to decreased detection accuracy. To address these issues, we employ the borderline synthetic minority over-sampling algorithm (SMOTE) to improve sample balance. We also propose a recurrent convolutional neural network with spatial pyramid pooling (RCNN-SPP) to extract discriminative and distinctive class features. The recurrent convolutional neural network combines a convolutional neural network (CNN) and a bi-directional long short-term memory network (Bi-LSTM) to extract both the semantic and contextual information from domain names. We then employ the spatial pyramid pooling strategy to refine the contextual representation by capturing multi-scale contextual information from domain names. The experimental results from different domain name datasets demonstrate that our model can achieve 92.36% accuracy, an 89.55% recall rate, a 90.46% F1-score, and 95.39% AUC in identifying DGA and legitimate domain names, and it can achieve 92.45% accuracy rate, a 90.12% recall rate, a 90.86% F1-score, and 96.59% AUC in multi-classification problems. It achieves significant improvement over existing models in terms of accuracy and robustness.

show abstract

Section: Discussionmentioning

confidence: 99%

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Liu

Zhang

Chen

et al. 2020

Entropy

View full text Add to dashboard Cite

show abstract

“…The following subsections provide more details on the ML models in Section 3.1, on the DL models in Section 3.2, on other methods in Section 3.3, and on the datasets used in the reviewed studies in Section 3.4. [37] RNN Alexa/DGArchive (63 DGAs), Bambenek (11 DGAs) Koh and Rhodes [38] LSTM OpenDNS/Bader, Abakumov Tran et al [39] LSTM.MI Alexa/Bambenek (37 DGAs) Vinayakumar et al [40] LSTM, GRU, IRNN, RNN, CNN, hybrid (CNN-LSTM) Alexa, OpenDNS/Bambenek, Bader (17 DGAs) Xu et al [41] CNN-based Alexa/DGArchive (16 DGAs) Yu et al [42] LSTM, BiLSTM, stacked CNN, parallel CNN, hybrid (CNN-LSTM) Alexa/Bambenek Akarsh et al [43] LSTM OpenDNS, Alexa/20 public DGAs Qiao et al [44] LSTM Alexa/Bambenek Liu et al [45] Hybrid (BiLSTM-CNN) Alexa/Netlab (50 DGAs), Bambenek (30 DGAs) Ren et al [46] CNN, LSTM, CNN-BiLSTM, ATT-CNN-BiLSTM, SVM Alexa/Bambenek, Netlab (19 DGAs) Sivaguru et al [31] hybrid (RF-LSTM.MI) Alexa, private/DGArchive Vij et al [47] LSTM Alexa/11 DGAs Cucchiarelli et al [34] BiLSTM, LSTM.MI, hybrid (CNN-BiLSTM) Alexa/Netlab (25 DGAs) Highnam et al [48] hybrid (CNN-LSTM-ANN) Alexa/DGArchive (3 DGAs) Namgung et al [49] CNN, LSTM, BiLSTM, hybrid (CNN-BiLSTM) Alexa/Bambenek Yilmaz et al [50] LSTM Majestic/DGArchive (68 DGAs) [53] 2020 Alexa/various Yan et al [54] 2020 Passive DNS data/public blacklists Yin et al [55] 2020 Alexa/Bader (19 DGAs)…”

Section: Literature Reviewmentioning

confidence: 99%

Detection of DGA-Generated Domain Names with TF-IDF

Vranken

Alizadeh

2022

Electronics

View full text Add to dashboard Cite

Botnets often apply domain name generation algorithms (DGAs) to evade detection by generating large numbers of pseudo-random domain names of which only few are registered by cybercriminals. In this paper, we address how DGA-generated domain names can be detected by means of machine learning and deep learning. We first present an extensive literature review on recent prior work in which machine learning and deep learning have been applied for detecting DGA-generated domain names. We observe that a common methodology is still missing, and the use of different datasets causes that experimental results can hardly be compared. We next propose the use of TF-IDF to measure frequencies of the most relevant n-grams in domain names, and use these as features in learning algorithms. We perform experiments with various machine-learning and deep-learning models using TF-IDF features, of which a deep MLP model yields the best results. For comparison, we also apply an LSTM model with embedding layer to convert domain names from a sequence of characters into a vector representation. The performance of our LSTM and MLP models is rather similar, achieving 0.994 and 0.995 AUC, and average F1-scores of 0.907 and 0.891 respectively.

show abstract

“…The detection of DGA domains has gotten a lot of interest in recent years. This is a challenging task due to the ability of DGA domains to overcome blacklist filtration [31]. The features identified as influential in detection malicious domains are extracted from DGA domains.…”

Section: Model Verificationmentioning

confidence: 99%

Improved Detection of Malicious Domain Names Using Gradient Boosted Machines and Feature Engineering

Alhogail¹,

Al-Turaiki

2022

ITC

View full text Add to dashboard Cite

Malicious domain names have been commonly used in recent years to launch different cyber-attacks. There are a large number of malicious domains that are registered every day and some of which are only active for brief periods of time. Therefore, the automated malicious domain names detection is needed to provide security for individuals and organisations. As new technologies continue to emerge, the detection of malicious domain names remains a challenging task. In this study, we propose a model to effectively detect malicious domain names. This is done by evaluating the performance of several machine learning algorithms and feature importance measures using a recent DNS dataset. Based on the empirical evaluation, the gradient boosted machines GBM classiﬁcation with a combination of lexical and host-based features produce the most accurate detection rates of 98.8% accuracy and a low false positive rate of 0.003. In terms of feature importance, measures used in this study agree on the importance of six features, ﬁve of which are lexical in nature. Furthermore, to make the best out of these relevant features, we apply automatic feature engineering. Our results show that preprocessing the dataset using deep feature synthesis and then reducing the dimensionality improves the classiﬁcations performance as compared to using raw features. The results of this study are then veriﬁed using a challenging category of domain names, the domain generation algorithm dataset, and consistent results are obtained.

show abstract

A DGA domain names detection modeling method based on integrating an attention mechanism and deep neural network

Cited by 36 publications

References 18 publications

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Detection of DGA-Generated Domain Names with TF-IDF

Improved Detection of Malicious Domain Names Using Gradient Boosted Machines and Feature Engineering

Contact Info

Product

Resources

About