摘要
针对现有僵尸网络检测方法检测精度不高和检测时间开销较大的问题,提出一种基于改进Transformer和强化学习的僵尸网络域名生成算法(Domain Generation Algorithm,DGA)的域名检测方法。首先,利用深度可分离卷积替换ResNet和ResNeXt网络中的卷积块,通过减少网络模型参数来降低模型的时间开销;其次,利用改进后的ResNet和ResNeXt网络将域名字符串映射到深度特征空间,构造多尺度特征,强化特征的表达能力;再次,利用长短期记忆神经网络(Long Short-Term Memory,LSTM)对Transformer网络进行改进,在保持字符间相对位置的同时,进一步建立上下文的长距离依赖编码,并在此基础上引入注意力机制,强化模型对关键特征的捕获能力;最后,引入强化学习对模型进行微调,提高DGA域名的检测精度。在多个DGA域名数据集上进行测试验证,结果表明该模型在保持检测时间开销较小的基础上,具有更高的检测精度。
Aiming at the problems of low detection accuracy and large detection time overhead of existing botnet detection methods, a domain name detection method based on improved Transformer and reinforcement learning Domain Generation Algorithm(DGA) is proposed.Firstly, the deep separable convolution is used to replace the convolution blocks in ResNet and ResNeXt networks, and the time overhead of the model is reduced by reducing the network model parameters.Secondly, the improved ResNet and ResNeXt networks are used to map domain name strings into the deep feature space to construct multi-scale features, which is helpful for enhancing the ability of the feature expression.Thirdly, the Transformer network is improved by using the Long Short-Term Memory(LSTM) neural network.While maintaining the relative position between characters, the long-distance dependent coding of context is further established.On this basis, the attention mechanism is introduced to strengthen the model’s ability to capture key features.Finally, reinforcement learning is introduced to fine-tune the model to improve the detection accuracy of DGA domain name.Through testing and verification on multiple DGA domain data sets, the results show that the model has higher detection accuracy while maintaining less detection time overhead.
作者
马永忠
夏保丽
MA Yongzhong;XIA Baoli(School of Information Media,Yinchuan University of Energy,Yinchuan,Ningxia,750100,China)
出处
《广西科学》
CAS
北大核心
2023年第1期139-148,共10页
Guangxi Sciences
基金
银川能源学院校级科研项目(2022KYZ9):“银川能源学院网络安全问题分析与防护对策研究”资助。
