Computer Science (计算机科学), 2023, Vol. 50, Issue 12: 337-342. doi: 10.11896/jsjkx.221000179
LI Xiaodong, SONG Yuanfeng, LI Yuqiang
Abstract: Domain-Flux is a command-and-control channel concealment technique commonly used by botnets; it effectively evades detection by network security devices. Existing detection methods extract Domain-Flux domain-name information incompletely and cannot capture the key classification features of dictionary-based domain names. To address this, a Domain-Flux botnet detection method that fuses a character channel and a word channel is proposed. On the character-vector channel and the root-word-vector channel, a convolutional neural network (CNN) and a bidirectional long short-term memory network (BiLSTM) are used respectively to extract local and global features, enriching the feature information of the input domain name and improving classification performance. The character-vector channel extracts local spatial features aimed at random-character domain names, while the root-word-vector channel, based on the TF-IDF algorithm, introduces an intra-class factor to weight root-word importance into the word vectors and then extracts the temporal features across the sequence of word combinations in the domain name. Experimental results show that, compared with models using only TextCNN or only BiLSTM, the fused dual-channel model raises detection accuracy by 7.12% and 5.86% respectively, and also achieves higher precision in detecting dictionary-based Domain-Flux.
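The input side of the two channels described above, as an added example rather than the paper's own code: a character-index channel for the CNN, a dictionary-word segmenter for the BiLSTM channel, and a TF-IDF-derived word weight. The word dictionary, the labelled sample corpus and the intra-class factor (the largest share of one class's domains containing the word) are all assumptions, since the paper's exact definitions are not given in the abstract.

```python
import math
from collections import Counter, defaultdict

CHARS = "abcdefghijklmnopqrstuvwxyz0123456789-"
CHAR_INDEX = {c: i + 1 for i, c in enumerate(CHARS)}  # 0 = padding / unknown character

# Constructed word list standing in for the paper's root-word dictionary (assumption).
DICTIONARY = {"secure", "bank", "login", "cloud", "mail", "shop", "news", "data",
              "free", "market", "home", "online", "update", "portal"}

# Constructed training sample: (second-level label, 1 = dictionary Domain-Flux, 0 = benign).
CORPUS = [("securebankupdate", 1), ("freeloginportal", 1), ("cloudmailmarket", 1),
          ("newsdatahome", 1), ("bankofexample", 0), ("xkq7vb2", 0), ("shoponline", 0),
          ("homenews", 0)]

def char_channel(label, max_len=16):
    """Character channel input: one index per character, right-padded with 0 to max_len."""
    ids = [CHAR_INDEX.get(c, 0) for c in label.lower()[:max_len]]
    return ids + [0] * (max_len - len(ids))

def segment_words(label):
    """Word channel tokenizer: dynamic-programming split into dictionary words that maximizes
    covered characters; each maximal run of unmatched characters becomes a single '<unk>'."""
    best = [(0, [])] + [None] * len(label)   # best[i] = (covered chars, tokens) for label[:i]
    for i in range(1, len(label) + 1):
        cov, toks = best[i - 1]               # option 1: label[i-1] is an unmatched character
        cands = [(cov, toks if toks and toks[-1] == "<unk>" else toks + ["<unk>"])]
        for j in range(max(0, i - 12), i):    # option 2: label[j:i] is a dictionary word
            if label[j:i] in DICTIONARY:
                cands.append((best[j][0] + i - j, best[j][1] + [label[j:i]]))
        best[i] = max(cands, key=lambda c: c[0])
    return best[-1][1]

def word_weights(corpus=CORPUS):
    """Fit corpus-level word importance: IDF multiplied by an intra-class factor, taken here
    (assumption; the paper's exact factor is not given) as the largest fraction of one class's
    domains containing the word, so words concentrated in a single class gain weight."""
    docs = [(set(segment_words(d)), y) for d, y in corpus]
    n, df, class_df, class_size = len(docs), Counter(), defaultdict(Counter), Counter(y for _, y in docs)
    for toks, y in docs:
        for t in toks:
            df[t] += 1
            class_df[y][t] += 1
    return {t: math.log((n + 1) / (df[t] + 1)) * max(class_df[y][t] / class_size[y] for y in class_size)
            for t in df}

def word_channel(label, weights):
    """Per-domain word-channel sequence: (token, TF * weight) pairs in label order for the BiLSTM."""
    toks = segment_words(label)
    tf = Counter(toks)
    return [(t, tf[t] / len(toks) * weights.get(t, 0.0)) for t in toks]
```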