|
|
1.INTRODUCTIONDNS (Domain Name System), which achieves the conversion between IP address and domain name, is the infrastructure of the Internet. With the development of the digital economy, the safety of DNS becomes more and more important. Meanwhile, many malware families use DGA (Domain Generation Algorithm) domain names to take DDoS (Distributed Denial of Service) attacks, which threatens to network security and even economy development1. A large number of pseudo-random domain names (hundreds to tens of thousands per day) could be generated through DGAs, which makes network defenses difficult2-3. So detection of DGA domain name has become an important research in network security. Domain name is similar to natural language text. Zhang et al discovered the pseudo-randomness of DGA domain names4. Koh et al proposed a novel approach that combined context-sensitive word embeddings with a simple fully-connected classifier to perform classification of domain names based on word-level information5. Word-level word embedding needs to be pre-trained on a large unrelated corpus, which makes the model training time longer. Character-level word embedding could reduce the dependence on training data. Pan et al proved that using semantic features in Bi-LSTM (Bi-Directional Long Short-Term Memory) could improve the detection performance in multi-classification6. With DGAs, network attacks are developing rapidly. Deep learning algorithms have the advantage of automatic feature extraction, and methods based on neural network have been explored7. Saxe et al proposed the eXpose neural network, which could extract features and make classification through character-level embeddings simultaneously8. Shahzad et al presented a DGA classifier that leveraged a structure based on RNN (Recurrent Neural Network), which could detect DGA domain name without contextual information or manually created features9. By using different character features in word embedding, this paper took the comparison of two-classification models based on neural network for detecting DGA domain name. 2.TWO-CLASSIFICATION MODELSTwo-classification methods are shown in Figures 1-2. which consists of word embedding layer, neural network layer, and two-classification layer. First, character features of domain name are extracted and mapped into word vector. Then, Bi-LSTM or CNN (Convolutional Neural Network) is employed to make automatic feature extraction. Finally, a fully connected neural network is used to make two-classification10. 2.1Word embeddingAs deep learning algorithm cannot directly process text, domain names need to be transformed into numeric data. Word embedding is a processing method in NLP (Natural Language Processing), and the model takes character-level word embedding. Domain name is composed of 38 legal characters (a-z, 0-9, “-”, “.”), which could be used as character features in word embedding. After removing Top Level Domain (such as “.com”, “.net” and “.org”), domain name could be divided into single character. Domain name is also a kind of short text. And semantic features of domain name, which include bigram class and part of speech (such as noun class, verb class, adjective class and other part of speech), could be extracted to extend character features6. Through one-hot encoding, character features could be transformed into feature sequence, then mapped into word vector. The word vector is represented by a n × L dimensional matrix, where n is the length of feature sequence, and L is the dimension of word vector11. 2.2Bi-directional long short-term memoryBi-LSTM is a variant of RNN models and has been widely used in text analysis. Bi-LSTM consists backward and forward hidden layers to access the preceding and succeeding context of sequence, which also improves the contexts available to the network12. There are two independent LSTM in Bi-LSTM. xt is the input, and ht is based on the outputs of forward LSTM and backward LSTM. The structure of forward LSTM and backward LSTM are the same, as shown in Figure 3. When new information is added, some old information needs to be forgot through forget gate f. Output of ft is between 0 and 1, where 0 means “completely discarding” and 1 means “completely keeping”. it is input gate, which is used to decide what information needs to be updated. ot is output gate, and a sigmoid function is employed to determine the output.
2.3Convolutional neural networkThrough word embedding, domain names are mapped from a sparse, 1-of-V encoding (here V is the vocabulary size) to a lower dimensional vector space. In essence, word vector is feature extractors that encode character features of domain names in their dimensions13. CNN is widely used not only in image processing and speech recognition, but also in NLP. As shown in Figure 4, CNN consists of convolution layer, pooling layer and concatenation layer. In this paper, four parallel convolution layers are used to extract features. CNN, which is also a kind of the standard neural network, could extract features and reduce the dimensions of the input. The convolution kernel w will perform a convolution operation with the input matrix each time to obtain local features. where f is the nonlinear activation function, xi is word vector, k is the size of the convolution kernel, b is bias term and n is the length of feature sequence14. Maximum pooling is employed to capture the most obvious feature. Through pooling layer, feature invariance could be enhanced and the dimension of data could be reduced. Finally, outputs of four pooling layers are concatenated into a vector in concatenation layer. 4.EXPERIMENT AND ANALYSIS4.1Experiment designData used in the experiment came from publicly resources such as Alexa and 360 Netlab (Network Security Research Lab). There were one million normal domain names and one million DGA domain names. Dataset was divided into training set, test set and validation set by 6:2:2. According to detection models in chapter 2, four experiment groups were designed to compare the performance between CNN and Bi-LSTM in detection of DGA domain name.
4.2Experiment settingsAccording to parameters mentioned in chapter 2, settings for word embedding were as follows:
4.3Experiment results and analysisIn two-classification, precision, recall and F1 score were evaluation indicators. Experiment results were given in Table 1, where 0 represented normal domain name and 1 represented DGA domain name. Table 1.Precision, Recall and F1 score in two-classification.
CNN (SF) performed better than CNN (CF) and Bi-LSTM (SF) performed better than Bi-LSTM (CF), showing that with the use of semantic features, the performance of CNN and Bi-LSTM in two-classification was improved. F1 score of Bi-LSTM (SF) and CNN (SF) were almost the same, which were 0.9932 and 0.9938, respectively. And precision of Bi-LSTM (SF) and CNN (SF) were almost the same also, which were 0.9947 and 0.9955, respectively. The results indicated that in two-classification, the detection effect of CNN model was similar to Bi-LSTM model. 5.CONCLUSIONDetection of DGA domain name has become an important research in network security in recent years. As character-level word embedding could reduce the dependence on training data and deep learning algorithms have the advantage of automatic feature extraction. This paper used different character features in word embedding, and compared the performance between CNN and Bi-LSTM for detecting DGA domain name. Four experiment groups were designed to compare the performance between CNN and Bi-LSTM in detection of DGA domain name. And this paper used normal domain names and DGA domain names from Alexa and 360 Netlab as datasets. Experiment on publicly datasets has shown that by using semantic features, F1 score of Bi-LSTM increased by 1.3%, and the gap of F1 score between CNN and Bi-LSTM had narrowed to 0.6%. In summary, using character features including semantic features could improve the performance of neural network, especially for Bi-LSTM. And F1 score of CNN and Bi-LSTM are both nearly 100%, so there is little difference between CNN model and Bi-LSTM model in two-classification of DGA domain name. ACKNOWLEDGMENTSThis work is supported by 2020 Industrial Internet Innovation and Development Project: Network Identifier Construction Project. REFERENCESGhosh, I., Kumar, S., Bhatia, A., et al,
“Using auxiliary inputs in deep learning models for detecting DGA-based domain names,”
in 2021 International Conference on Information Networking,
391
–396
(2021). Google Scholar
Sivaguru, R., Peck, J., Olumofin, F., et al,
“Inline detection of DGA domains using side information,”
IEEE Access, 8 141910
–141922
(2020). https://doi.org/10.1109/ACCESS.2020.3013494 Google Scholar
Woodbridge, J., Anderson, H., Ahuja, A. et al,
“Predicting domain generation algorithms with long short-term memory networks,”
arXiv:1611.00791,
(2016). Google Scholar
Zhang, Y.,
“Automatic algorithmically generated domain detection with deep learning methods,”
in 2020 IEEE 3rd International Conference on Automation, Electronics and Electrical Engineering,
463
–469
(2020). Google Scholar
Koh, J. and Rhodes, B.,
“Inline detection of domain generation algorithms with context-sensitive word embeddings,”
in 2018 IEEE International Conference on Big Data,
2966
–2971
(2018). Google Scholar
Pan, R., Chen, J., Ma, H. et al,
“Using extended character feature in Bi-LSTM for DGA domain name detection,”
in IEEE/ACIS 22nd International Conference on Computer and Information,
115
–118
(2022). Google Scholar
Yu, B., Pan, J., Gray, D., et al,
“Weakly supervised deep learning for the detection of domain generation algorithms,”
IEEE Access, 7 51542
–51556
(2019). https://doi.org/10.1109/Access.6287639 Google Scholar
Saxe, J. and Berlin, K.,
“eXpose: A character-level convolutional neural network with embeddings for detecting malicious urls, file paths and registry keys,”
arXiv:1702.08568,
(2017). Google Scholar
Shahzad, H., Satta, A. and Skandaraniyam, J.,
“DGA domain detection using deep learning,”
in 2021 IEEE 5th International Conference on Cryptography, Security and Privacy,
139
–143
(2021). Google Scholar
Wang, Z., Li, S., Chi, Y., et al,
“Deep learning based detection of DGA domain names,”
Computer Engineering and Design(in Chinese), 42 601
–606
(2021). Google Scholar
Du, P. and Ding, F.,
“A DGA domain name detection method based on deep learning models with mixed word embedding,”
Journal of Computer Research and Development, 57 433
–446
(2020). Google Scholar
Tam, S., Said, B. R. and Tanriöver, Ö.,
“A ConvBiLSTM deep learning model-based approach for twitter sentiment classification,”
IEEE Access, 9 41283
–41293
(2021). https://doi.org/10.1109/ACCESS.2021.3064830 Google Scholar
Kim, Y.,
“Convolutional neural networks for sentence classification,”
arXiv:1408.5882,
(2014). Google Scholar
Yang, K., Huang, Z., Wang, X. and Li, X.,
“A blind spectrum sensing method based on deep learning,”
Sensors, 19
(20), 2270
(2019). https://doi.org/10.3390/s19102270 Google Scholar
|
