Weakly Supervised Deep Learning for the Detection of Domain Generation Algorithms

Yu, Bin; Pan, Jie; Gray, Daniel L.; Hu, Jiaming; Choudhary, Chhaya; Nascimento, Anderson C. A.; Cock, Martine De

doi:10.1109/access.2019.2911522

Cited by 29 publications

(20 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [18], an iterative semi-supervised random forest classifier was constructed to separate dedicated and public IP addresses. In [48], the authors proposed a deep neural networks to classify domain names as benign or malicious, as part of DGAs. These methods, however, have not considered the problem of identifying new malicious domains related to an observed campaign, as considered in this paper.…”

Section: ) Algorithmic Methodsmentioning

confidence: 99%

IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

Lazar

Cohen

Freund³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Cyber attacks have become more sophisticated and frequent over the years. Detecting the components operated during a cyber attack and relating them to a specific threat actor is one of the main challenges facing cyber security systems. Reliable detection of malicious components and identification of the threat actor is imperative to mitigate security issues by Security Operations Center (SOC) analysts. The Domain Name System (DNS) plays a significant role in most cyber attacks observed nowadays in that domains act as a Command and Control (C&C) in coordinated bot network attacks or impersonate legitimate websites in phishing attacks. Thus, DNS analysis has become a popular tool for malicious domain identification. In this collaborative research associating Ben-Gurion University and IBM, we develop a novel algorithm to detect malicious domains and relate them to a specific malware campaign in a large-scale real-data DNS traffic environment, dubbed Identification of Malicious Domain Campaigns (IMDoC) algorithm. Its novelty resides in developing a framework that combines the existence of communicating files for the observed domains and their DNS request patterns in a real production environment. The analysis was conducted on real data from Quad9 (9.9.9.9) DNS recursive resolvers combined with malicious communicating files extracted from VirusTotal, and confirms the strong performance of the algorithm on a real large-scale data production environment. INDEX TERMS Cyber security, domain name system (DNS), clustering methods, detection algorithms.

show abstract

Section: ) Algorithmic Methodsmentioning

confidence: 99%

IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

Lazar

Cohen

Freund³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

show abstract

“…However, this model still cannot effectively distinguish between word-based algorithmically generated domain names and legitimate ones. They also studied the problem of how to supply sufficient labeled training data for deep learning-based DGA classifiers [ 25 ]. Zeng et al.…”

Section: Related Workmentioning

confidence: 99%

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Liu

Zhang

Chen

et al. 2020

Entropy

View full text Add to dashboard Cite

Domain generation algorithms (DGAs) use specific parameters as random seeds to generate a large number of random domain names to prevent malicious domain name detection. This greatly increases the difficulty of detecting and defending against botnets and malware. Traditional models for detecting algorithmically generated domain names generally rely on manually extracting statistical characteristics from the domain names or network traffic and then employing classifiers to distinguish the algorithmically generated domain names. These models always require labor intensive manual feature engineering. In contrast, most state-of-the-art models based on deep neural networks are sensitive to imbalance in the sample distribution and cannot fully exploit the discriminative class features in domain names or network traffic, leading to decreased detection accuracy. To address these issues, we employ the borderline synthetic minority over-sampling algorithm (SMOTE) to improve sample balance. We also propose a recurrent convolutional neural network with spatial pyramid pooling (RCNN-SPP) to extract discriminative and distinctive class features. The recurrent convolutional neural network combines a convolutional neural network (CNN) and a bi-directional long short-term memory network (Bi-LSTM) to extract both the semantic and contextual information from domain names. We then employ the spatial pyramid pooling strategy to refine the contextual representation by capturing multi-scale contextual information from domain names. The experimental results from different domain name datasets demonstrate that our model can achieve 92.36% accuracy, an 89.55% recall rate, a 90.46% F1-score, and 95.39% AUC in identifying DGA and legitimate domain names, and it can achieve 92.45% accuracy rate, a 90.12% recall rate, a 90.86% F1-score, and 96.59% AUC in multi-classification problems. It achieves significant improvement over existing models in terms of accuracy and robustness.

show abstract

“…G ij E ij y j |θ i (11) Then in the M-step, we define the expectations of log S(y, γ |θ) as M function as following:…”

Section: ) Probability Fusion Modulementioning

confidence: 99%

“…Similarly, we also update the gating parameterĜ i under the constraint 3 i=1 G ij = 1. The overall process of two-step loops from Equation (11) to (14) is terminated if any parameters move will no longer lead to further minimization of the M function, leading to the final estimation of labeling result. Therefore, the next iteration parameters are rewritten as Equation (14).…”

Section: ) Probability Fusion Modulementioning

confidence: 99%

“…To distinguish fine-grained categories with very similar outline, it requires specialized knowledge focusing on feature representation of discriminative object parts to expand the application of existing DNNs on FGVC. According to whether the method requires additional part location annotation, current stage-of-the-arts can be divided into two groups: strongly-supervised learning (SSL) [10] and weaklysupervised learning (WSL) [11]. In the training process, the former requires additional location information apart from image-level category labels, such as bounding-boxes or key-points of discriminative parts.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Probability Fusion Decision Framework of Multiple Deep Neural Networks for Fine-Grained Visual Classification

Zheng¹,

Kong²,

Jin³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

Fine-grained visual classification tasks often suffer from that the subordinate categories within a basic-level category have low inter-class discrepancy and high intra-class variances, which is still challenging research for traditional deep neural networks (DNNs). However, different models extract local parts' features in isolation and neglect the inherent correlations and distribution in high-dimensional space, which limit the single model to achieve better accuracy. In this paper, we propose a novel probability fusion decision framework (named as PFDM-Net) for fine-grained visual classification. More specifically, it first employs data-augmented tricks to enlarge the dataset and pretrain the basic VGG19 and ResNet networks on high-quality images datasets to learn common and domain knowledge simultaneously while fine-tuning with professional skill. Next, refined multiple DNNs with transfer learning are applied to design a multistream feature extractor, which utilizes the mixture-granularity information to exploit high-dimensionality features for distinguishing interclass discrepancy and tolerating intra-class variances. Finally, a probability fusion module equipped with gating network and probability fusion layer is developed to fuse different components model with Gaussian distribution as a unified probability representation for the ultimate finegrained recognition. The input of this module is the various features of multi-models and the output is the fused classification probability. The end-to-end implementation of our framework contain an inner loop about the EM algorithm within an outer loop with the gradient back-propagation optimization of the whole network. Experimental results demonstrate the outperforming performance of PFDM-Net with higher classification accuracy on different fine-grained datasets compared with the state-of-the-arts methods. More discussions are provided to indicate the potential applications in combination with other work. INDEX TERMS Deep neural network, weakly-supervised learning, multi-steam feature extractor, probability fusion module.

show abstract

Weakly Supervised Deep Learning for the Detection of Domain Generation Algorithms

Cited by 29 publications

References 16 publications

IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Probability Fusion Decision Framework of Multiple Deep Neural Networks for Fine-Grained Visual Classification

Contact Info

Product

Resources

About