Integrating an Attention Mechanism and Deep Neural Network for Detection of DGA Domain Names

Ren, Fangli; Jiang, Zhengwei; Liu, Jian

doi:10.1109/ictai.2019.00121

Cited by 11 publications

(4 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In subsequent research, ref. [25,26,[30][31][32][33] chose to cut out a few sample categories to improve the detection accuracy of other categories. But in network security, the uncommon DGA categories with few samples are the ones that we should be cautious about because hackers use uncommon DGA to increase the probability of successful intrusion.…”

Section: Dga Detectionmentioning

confidence: 99%

KDTM: Multi-Stage Knowledge Distillation Transfer Model for Long-Tailed DGA Detection

Fan,

Ma,

Liu

et al. 2024

Mathematics

View full text Add to dashboard Cite

As the most commonly used attack strategy by Botnets, the Domain Generation Algorithm (DGA) has strong invisibility and variability. Using deep learning models to detect different families of DGA domain names can improve the network defense ability against hackers. However, this task faces an extremely imbalanced sample size among different DGA categories, which leads to low classification accuracy for small sample categories and even classification failure for some categories. To address this issue, we introduce the long-tailed concept and augment the data of small sample categories by transferring pre-trained knowledge. Firstly, we propose the Data Balanced Review Method (DBRM) to reduce the sample size difference between the categories, thus a relatively balanced dataset for transfer learning is generated. Secondly, we propose the Knowledge Transfer Model (KTM) to enhance the knowledge of the small sample categories. KTM uses a multi-stage transfer to transfer weights from the big sample categories to the small sample categories. Furthermore, we propose the Knowledge Distillation Transfer Model (KDTM) to relieve the catastrophic forgetting problem caused by transfer learning, which adds knowledge distillation loss based on the KTM. The experimental results show that KDTM can significantly improve the classification performance of all categories, especially the small sample categories. It can achieve a state-of-the-art macro average F1 score of 84.5%. The robustness of the KDTM model is verified using three DGA datasets that follow the Pareto distributions.

show abstract

Section: Dga Detectionmentioning

confidence: 99%

KDTM: Multi-Stage Knowledge Distillation Transfer Model for Long-Tailed DGA Detection

Fan,

Ma,

Liu

et al. 2024

Mathematics

View full text Add to dashboard Cite

show abstract

“…Bharathi et al [14] proposed to take a string of characters as the input given in the domain names and classify them as either benign or malicious domain names using deep learning architectures such as Long-Short-Term Memory (LSTM) and bidirectional LSTM. Ren et al [15] applied a deep neural network model with an attention mechanism (ATT-CNN-BiLSTM) for the detection and classification of DGA domain names. The main thought behind their ensemble model is that the validity of the context inherent in domains could contain sufficient information with which to distinguish DGA domain names, especially the wordlist-based ones.…”

Section: Related Workmentioning

confidence: 99%

Birds of a Feather Flock Together: Generating Pornographic and Gambling Domain Names Based on Character Composition Similarity

Cheng

Jiang

Zhang

et al. 2022

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

Cybercriminals often register many pornographic or gambling domains (known as abusive domains) with similar character compositions in bulk to reduce their investment in buying domains and make it easier for clients to remember and spread them. Therefore, this study combines the ideas of text similarity and text generation and proposes an abusive domain generation model based on GRU for rapidly generating new abusive domain names from known ones. Additionally, we develop a two-layer detection system for pornography and gambling domains using fastText and CNN models to obtain an abusive domain dataset for model training and validation. In the end, our detection system identifies pornographic and gambling domains with 99% precision while balancing correctness and speed. By inputting 40,000 random keywords into the abusive domain generation model, we obtained 130,220 online domains that served web pages, of which about 66% were pornographic or gambling domains. The results show that by exploiting cybercriminals’ behaviors in registering abusive domain names, such as bulk registration of similar domain names, we can prospectively acquire a large number of new abusive domains based on known ones. This study demonstrates that predicting new abusive domains not only expands the domain blacklist but also allows researchers to target the generated suspicious domains and dispose of them in time before they show abusive behavior.

show abstract

“…Thus, NER in CTI plays a major role in supporting and achieving cybersecurity research. Researches about NER in CTI have been widely pursued in recent years, and they can be summarized in the following three categories: rules-based [2], [3], [4], [5], [6], statistical characteristicsbased [7], [8], [9], [10], [11] and deep learning-based [12], [13], [14], [15], [16], [17], [18], [19].…”

Section: Introductionmentioning

confidence: 99%

“…Deep neural networks like recurrent neural networks(RNN) [21] and convolutional neural networks(CNN) [22] with their variants learn intricate features and discover the semantic information automatically from raw data via non-linear activation functions in multiple processing layers [23]. These neural models can be trained in an end-to-end paradigm by gradient descent, and they have been widely used for NER in CTI such as [17], [16], [18], [13].…”

Section: Introductionmentioning

confidence: 99%

Multi-features based Semantic Augmentation Networks for Named Entity Recognition in Threat Intelligence

Li¹,

Li²,

Wang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Extracting cybersecurity entities such as attackers and vulnerabilities from unstructured network texts is an important part of security analysis. However, the sparsity of intelligence data resulted from the higher frequency variations and the randomness of cybersecurity entity names makes it difficult for current methods to perform well in extracting security-related concepts and entities. To this end, we propose a semantic augmentation method which incorporates different linguistic features to enrich the representation of input tokens to detect and classify the cybersecurity names over unstructured text. In particular, we encode and aggregate the constituent feature, morphological feature and part of speech feature for each input token to improve the robustness of the method. More than that, a token gets augmented semantic information from its most similar K words in cybersecurity domain corpus where an attentive module is leveraged to weigh differences of the words, and from contextual clues based on a large-scale general field corpus. We have conducted experiments on the cybersecurity datasets DNRTI and MalwareTextDB, and the results demonstrate the effectiveness of the proposed method.

show abstract

Integrating an Attention Mechanism and Deep Neural Network for Detection of DGA Domain Names

Cited by 11 publications

References 13 publications

KDTM: Multi-Stage Knowledge Distillation Transfer Model for Long-Tailed DGA Detection

KDTM: Multi-Stage Knowledge Distillation Transfer Model for Long-Tailed DGA Detection

Birds of a Feather Flock Together: Generating Pornographic and Gambling Domain Names Based on Character Composition Similarity

Multi-features based Semantic Augmentation Networks for Named Entity Recognition in Threat Intelligence

Contact Info

Product

Resources

About