基于CNN与LSTM相结合的恶意域名检测模型

Malicious Domain Name Detection Model Based on CNN and LSTM

为提高恶意域名检测准确率,该文提出一种基于卷积神经网络(CNN)与长短期记忆网络(LSTM)相结合的域名检测模型。该模型通过提取域名字符串中不同长度字符组合的序列特征进行恶意域名检测:首先,为避免N-Gram特征稀疏分布的问题,采用CNN提取域名字符串中字符组合特征并转化为维度固定的稠密向量;其次,为充分挖掘域名字符串上下文信息,采用LSTM提取字符组合前后关联的深层次序列特征,同时引入注意力机制为填充字符所处位置的输出特征分配较小权重,降低填充字符对特征提取的干扰,增强对长距离序列特征的提取能力;最后,将CNN提取局部特征与LSTM提取序列特征的优势相结合,获得不同长度字符组合的序列特征进行域名检测。实验表明:该模型较单一采用CNN或LSTM的模型具有更高的召回率和F1分数,尤其对matsnu和suppobox两类恶意域名的检测准确率较单一采用LSTM的模型提高了24.8%和3.77%。

To improve the accuracy of malicious domain name detection,a new detection model based on Convolutional Neural Network(CNN)and Long Short-Term Memory(LSTM)is proposed.The model extracts the sequence features from different length strings to classify the domain name.Firstly,in view of the sparseness of the N-Gram feature,the model utilizes CNN with different kernels to preserve the local association between the characters in the domain name strings and convert it to dense feature vectors.Secondly,in order to mine the context information of the domain name strings,LSTM is used to extract the deep-level sequence features of different character combinations.A sequence feature attention module is designed to assign little weight value to the sequence feature extracted from the padding characters,which decreases the interference by the padding characters and enhances the ability to capture distant sequence features.Finally,combining the advantages of CNN to extract local features and LSTM to extract sequence features,both partial and sequential information are put forward to improving the detection performance.Experimental results show that the recall rate and the F1-score of the proposed model are superior to other comparative models which are solely composed of CNN or LSTM.Particularly,when dealing with the matsnu and suppobox,the proposed model has increased by 24.8%and 3.77%in accuracy compared with the model based on LSTM,respectively.