Computer Science ›› 2023, Vol. 50 ›› Issue (12): 337-342. doi: 10.11896/jsjkx.221000179

• Information Security •

Domain-Flux Botnet Detection Method with Fusion of Character and Word Dual-channel (Chinese title: 一种融合字词双通道的Domain-Flux僵尸网络检测方法)

LI Xiaodong, SONG Yuanfeng, LI Yuqiang

  1. Information Center, University of Electronic Science and Technology of China, Chengdu 611731
  • Received: 2022-10-23  Revised: 2023-03-11  Online: 2023-12-15  Published: 2023-12-07
  • Corresponding author: LI Xiaodong (lixiaodong@uestc.edu.cn)

Domain-Flux Botnet Detection Method with Fusion of Character and Word Dual-channel

LI Xiaodong, SONG Yuanfeng, LI Yuqiang   

  1. Information Center, University of Electronic Science and Technology of China, Chengdu 611731, China
  • Received: 2022-10-23  Revised: 2023-03-11  Online: 2023-12-15  Published: 2023-12-07
  • About author: LI Xiaodong, born in 1982, postgraduate, engineer. Her main research interests include artificial intelligence, information security and software engineering.

Abstract (translated from the Chinese): Domain-Flux is a command-and-control (C&C) channel concealment technique commonly used by botnets, and it effectively evades detection by network security devices. Existing detection methods extract Domain-Flux domain name information incompletely and cannot capture the key classification features of dictionary-based domain names. To address this, a Domain-Flux botnet detection method that fuses character and word dual channels is proposed. On the character vector channel and the word-root vector channel, a convolutional neural network (CNN) and a bidirectional long short-term memory network (BiLSTM) are used respectively to extract local and global features, enriching the feature information of the input domain name and improving classification performance. The character vector channel extracts local spatial features aimed at random-character domain names, while the word-root vector channel builds on the TF-IDF algorithm and introduces an intra-class factor to weight root importance into the word vector, then extracts the forward and backward temporal features of the domain name's word-combination sequence. Experimental results show that, compared with a model using TextCNN or BiLSTM alone, the dual-channel model improves detection accuracy by 7.12% and 5.86% respectively, and it also achieves higher precision on dictionary-based Domain-Flux.

Keywords: Domain-Flux, Botnet, TF-IDF, Convolutional neural network, Bidirectional long short-term memory network

Abstract: Domain-Flux is a technique for keeping a malicious botnet in operation by constantly changing the domain name of the botnet owner's command and control (C&C) server, which lets it effectively evade the detection of network security devices. Aiming at the problem that existing detection methods extract Domain-Flux domain name information incompletely and cannot effectively capture the key classification features, this paper proposes a detection model based on the fusion of a character channel and a word channel. It extracts local features and global features by using a convolutional neural network (CNN) and a bidirectional long short-term memory network (BiLSTM) on the two channels respectively, which enriches the feature information of input domain names and improves classification performance. In the character vector channel, local spatial features are extracted for random-character domain names. In the root vector channel, based on the TF-IDF algorithm, an intra-class factor is introduced to weight root importance into the word vector, and then the forward and backward temporal features of the domain name's word-combination sequence are extracted. Experimental results show that the detection accuracy of the fused character and word dual-channel model is improved by 7.12% and 5.86% compared with a model using TextCNN or BiLSTM alone. It also has higher precision for dictionary-based Domain-Flux detection.
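As an added illustration of the two channels the abstract describes (this is not the paper's code, which is not reproduced on this page): the character channel is represented here by per-label statistics such as Shannon entropy, and the word-root channel by dictionary segmentation followed by TF-IDF weighting with an intra-class factor. The labelled corpus, the root dictionary and the specific form of the intra-class factor (the largest per-class fraction of domains containing a root) are assumptions made for the example; the paper's CNN and BiLSTM layers, which would consume these vectors, are not shown.

```python
"""
Added example (not the paper's code): feature extraction for the two channels
the abstract describes, in pure Python so it runs without a DL framework.
  character channel: per-label statistics that separate random-string DGAs
  word-root channel: dictionary segmentation + TF-IDF weighted by an
      intra-class factor (assumed form: max over classes of the share of
      that class's domains containing the root; the paper's exact formula
      is not given on this page)
The corpus and root dictionary below are constructed for illustration.
"""
import math
from collections import Counter

# Constructed labelled corpus: 0 = benign, 1 = dictionary DGA, 2 = random DGA.
CORPUS = [
    ("google.com", 0), ("facebook.com", 0), ("wikipedia.org", 0),
    ("amazon.com", 0), ("youtube.com", 0),
    ("ringfield.net", 1), ("stonewater.com", 1), ("fieldwater.net", 1),
    ("ringstone.com", 1), ("waterfield.org", 1),
    ("xq7zk2pvn.com", 2), ("hg3wq9dzf.net", 2), ("zzkq1vbm7.org", 2),
    ("ptnx8g2mw.com", 2), ("kwvz5rqh3.net", 2),
]
# Constructed root dictionary (a real system would use a full wordlist).
ROOTS = {"ring", "field", "stone", "water", "google", "face", "book",
         "wiki", "pedia", "amazon", "you", "tube"}
UNK = "?"  # token for a character that belongs to no dictionary root


def second_level_label(domain):
    """Label left of the public suffix; assumes plain two-label domains."""
    return domain.lower().split(".")[-2]


def char_features(label):
    """Character channel: length, Shannon entropy, vowel and digit ratios."""
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "len": n,
        "entropy": entropy,
        "vowel_ratio": sum(label.count(v) for v in "aeiou") / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
    }


def segment(label):
    """Word-root channel: split the label into dictionary roots by dynamic
    programming (fewest pieces); characters in no root become UNK tokens."""
    best = [None] * (len(label) + 1)  # best[i] = (pieces, tokens) for label[:i]
    best[0] = (0, [])
    for i in range(1, len(label) + 1):
        cands = [(best[j][0] + 1, best[j][1] + [label[j:i]])
                 for j in range(i) if label[j:i] in ROOTS]
        cands.append((best[i - 1][0] + 1, best[i - 1][1] + [UNK]))  # fallback
        best[i] = min(cands, key=lambda c: c[0])
    return best[len(label)][1]


def root_weights(corpus):
    """Per-root weight = smoothed IDF * intra-class factor, learned on the
    labelled corpus. Plain IDF down-weights roots that a dictionary DGA
    reuses; the intra-class factor (assumed: max over classes of the fraction
    of that class's domains containing the root) pushes them back up.
    Returns (idf, weights) so both can be compared."""
    docs = [(set(segment(second_level_label(d))), y) for d, y in corpus]
    n_docs = len(docs)
    class_sizes = Counter(y for _, y in docs)
    df, class_df = Counter(), Counter()
    for toks, y in docs:
        for t in toks:
            df[t] += 1
            class_df[(t, y)] += 1
    idf = {t: math.log((n_docs + 1) / (df[t] + 1)) + 1 for t in df}
    icf = {t: max(class_df[(t, y)] / class_sizes[y] for y in class_sizes)
           for t in df}
    return idf, {t: idf[t] * icf[t] for t in df}


def word_channel_vector(label, weights):
    """Sparse TF * weight vector for one label. Inference-safe: only the
    weights learned on training data are needed, not the class label."""
    tokens = segment(label)
    tf = Counter(tokens)
    return {t: c / len(tokens) * weights.get(t, 0.0) for t, c in tf.items()}


if __name__ == "__main__":
    idf, weights = root_weights(CORPUS)
    for dom in ("google.com", "ringfield.net", "xq7zk2pvn.com"):
        lbl = second_level_label(dom)
        print(dom, segment(lbl), char_features(lbl),
              word_channel_vector(lbl, weights))
```

Plain IDF gives the rarer benign root `google` a higher weight than the reused DGA root `field`; only after the intra-class factor is applied does `field` outweigh it, which is the effect the abstract attributes to the class-aware weighting. The entropy of `ringfield` lies close to that of the random label, which shows why the character channel alone struggles with dictionary-based families and why the word-root channel is needed.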

Key words: Domain-Flux, Botnet, Term frequency-inverse document frequency, Convolutional neural network, Bidirectional long short-term memory network

CLC number: TP393