基于Deep-IndRNN的DGA域名检测方法

DGA domain detection method based on Deep Independently Recurrent Neural Network

恶意服务常利用域名生成算法(DGA)逃避域名检测,针对DGA域名隐蔽性强、现有检测方法检测速度较慢、实用性不强等问题,采用深度学习技术,提出了一种基于Deep-IndRNN的DGA域名检测方法。方法运用词袋模型(BoW)将域名向量化,然后通过Deep-IndRNN提取域名字符间特征,并使用Sigmoid函数对域名分类检测。其主要特点在于:通过将Deep-IndRNN的多序列输入拼接为单向量输入,以单步处理代替循环处理,同时结合Deep-IndRNN能保存更长时间记忆的特点,可有效释放深度学习时占用的GPU、CPU等系统资源,且在保证高准确率和精确度的前提下提高训练、检测速度。实验结果表明,基于Deep-IndRNN的DGA域名检测方法在检测任务中具有较高的准确率和精确度,相比于DNN、CNN、LSTM、BiLSTM、CNN-LSTM-Concat等同类检测方法,能显著提高训练、检测速度,是有效可行的。

Domain Generate Algorithm(DGA)was frequently used by malicious services to evade domain detection.In view of the strong concealment of DGA domain,the slow detection speed and the poor real-time performance in existing detection methods,a DGA domain detection method based on Deep Independently Recurrent Neural Network(Deep-IndRNN)was proposed by using deep learning.In this method,domain was firstly vectorized by using the Bag-of-Words(BoW)model.Also,the inter-character features of domain were extracted by using Deep-IndRNN.Furthermore,domain was classified and exported by using Sigmoid function.As the main characteristics of the method,a multi-sequence input of Deep-IndRNN was stitched into a single vector input,and cyclic processing was replaced by single-step processing.Meanwhile,combined with the characteristics of Deep-IndRNN which could save longer memory,it not only effectively released system resources such as GPU and CPU occupied by deep learning,but also greatly improved training and detection speed under the premise of ensuring higher accuracy and precision.Experimental results show that the DGA domain detection method based on Deep-IndRNN has high accuracy and precision in the detection task.Compared with similar detection methods,such as DNN,CNN,LSTM,BiLSTM and CNN-LSTM-Concat,the method proposed in this paper can significantly improve the training and detection speed,and is effective and feasible in practice.