融合字符级滑动窗口和深度残差网络的僵尸网络DGA域名检测方法

Novel Botnet DGA Domain Detection Method Based on Character Level Sliding Window and Deep Residual Network

本文提出了一种基于字符级滑动窗口的深度残差网络(Sliding Window-Depth Residual Network,SWDRN),首次将轻量级深度可分离式卷积应用于僵尸网络中DGA(Domain Generation Algorithm)域名检测.SW-DRN采用深度可分离式卷积,相比标准卷积减少了约56%的参数,增强了模型检测效率.采集两种不同来源的数据,分别命名为Real-Dataset和Gen-Dataset.SW-DRN与对照组模型在两个数据集上进行实验,实验结果表明:SW-DRN模型在DGA域名二分类任务中的F-Score评估指标上分别取得了99.23%和97.81%的成绩;并且在少样本DGA域名家族以及域名字符串易混淆DGA域名情形下多分类任务中取得不错的成绩,相比目前已有的DGA域名分类模型在总体FScore上提升了1.23%和1.01%的性能,增强了DGA域名家族之间的识别;同时还对所提出的模型在生成对抗模型产生域名进行测试,均能得到有效的识别.

This paper proposed a character-level sliding window based deep residual network model SW-DRN(Slid⁃ing Window-Depth Residual Network),which was the first to apply light depthwise separable convolution to the DGA(Do⁃main Generation Algorithm)domain name detection.In SW-DRN,the use of depthwise separable convolution reduced the number of model parameters by about 56%compared with standard convolution,which enhanced the efficiency of model detection.Collect data from two different sources,named Real-Dataset and Gen-Dataset.Finally,comparison experiments on the dataset with the proposed DGA domain name detection model by previous researchers.Experimental results on two datasets show that the proposed SW-DRN model has achieved good results of 99.23%and 97.81%on the F-Score evalua⁃tion indicator in the DGA domain name binary classification task.Compared with the existing DGA domain name classifica⁃tion model,the SW-DRN has made a 1.23%and 1.01%performance improvement on the F-Score,enhancing the DGA do⁃main name family recognition.At the same time,the proposed model tests in the generative adversarial networks to gener⁃ate domain names,and it can be effectively identified.