
Heterogeneous Parallel DGA Domain Name Detection Model
Abstract: Existing DGA domain name detection methods suffer from high detection time overhead, low detection accuracy, and poor performance on word-based DGA domain names. This study finds that classifying domain names by their typical features first, and only then extracting finer-grained features, has a positive effect on model accuracy, and that processing the classes in parallel reduces detection time. In addition, word-based DGA domain names, which are harder to detect, can be given targeted handling. The paper therefore proposes a three-way heterogeneous parallel DGA domain name detection model based on Word ninja word segmentation. Domain names are first divided into three categories, and a detection model structure is then built for each category. For character-level domain names, features are extracted manually to classify the domain names effectively. For root-affix-level domain names, FastText is used to extract features of the relationships between subwords, between characters, and between contexts, which are then embedded as word vectors. For word-level domain names, Word2Vec is used to capture the meaning of words and the relationships between them. Finally, the detection results of the proposed method are compared with those of currently popular methods, and the results of the multi-way heterogeneous parallel model are compared with those of single-path models. The experimental results demonstrate the necessity of classifying in advance and the effectiveness of multi-way parallelism.
Authors: WEN Xue-yan; JIAO Yan; GUO Yun-fei; ZHAO Yu-ming (School of Information and Computer Engineering, Northeast Forestry University, Harbin 150040, China)
Source: Journal of China Academy of Electronics and Information Technology (Peking University Core Journal), 2023, No. 10, pp. 957-967, 11 pages in total
Funding: National Natural Science Foundation of China (61971119).
Keywords: deep learning; malicious domain name; machine learning; gated recurrent unit network; word vector embedding; Word ninja word segmentation technique