Abstract
Domain generation algorithms (DGAs) are widely used in many kinds of cyber attacks. DGA samples change quickly, have many variants, and are hard to obtain, so existing traditional detection models suffer from low detection accuracy and poor early-warning capability. To address this, the paper proposes a DGA malicious domain detection method based on transfer learning and threat intelligence. A combined model of a bidirectional long short-term memory (BiLSTM) network and a Transformer extracts the contextual and semantic-relationship features of malicious domain names; the model is pre-trained on a publicly available large-sample malicious domain dataset, and the trained parameters are then transferred to new, previously unseen small-sample malicious domains of APT organizations obtained from threat intelligence in order to test detection performance. Experimental results show that the model achieves an average detection accuracy of 96.14% on small-sample datasets of malicious domains used by several APT organizations, demonstrating good detection performance.
Authors
YE Huanrong (叶桓荣), LI Muyuan (李牧远), JIANG Bo (姜波)
Affiliations: School of Information Network Security, People's Public Security University of China, Beijing 100038, China; Cyber Police Division of Zigong Municipal Public Security Bureau, Zigong 643000, China; Cyber Police Division of Qingdao Municipal Public Security Bureau, Qingdao 266000, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Source
Netinfo Security (《信息网络安全》), 2023, No. 10, pp. 8-15 (8 pages)
Indexed in: CSCD; Peking University Chinese Core Journals
Funding
National Key Research and Development Program of China [2021YFF0307203, 2019QY1303]; Strategic Priority Research Program (Category C) of the Chinese Academy of Sciences [XDC02040100].