A DGA domain name detection method based on Transformer

Abstract

Abstract:

Existing DGA detection methods have achieved high detection accuracy, but there is a problem of high false alarm rate in abbreviated domain names. The main reason is that the abbreviated domain names have high randomness among characters and it is difficult for the existing detection methods to distinguish abbreviated domain names from DGA domain names. After analyzing the character characteristics of the abbreviated domain names, the detection of domain name character dependence is realized based on self-attention mechanism. Then, LSTM is used to improve the encoding way of Transformer model to better capture the location information of characters in domain names. A DGA domain name detection method (MHA) is constructed based on Transformer model. Experimental results show that the algorithm can effectively distinguish DGA domain names from abbreviated domain names, and get higher accuracy and lower false alarm rate.

Key words: abbreviated domain name, transformer model, self-attention mechanism, character dependence

ZHANG Xin,CHENG Hua,FANG Yi-quan.

A DGA domain name detection method based on Transformer

[J]. Computer Engineering & Science.

References ［10］

［1］	Kharraz A,Robertson W,Balzarotti D,et al.Cutting the gordian knot:A look under the hood of ransomware attacks［C］∥Proc of International Conference on Detection of Intrusions and Malware and Vulnerability Assessment,2015:3-24.
［2］	Plohmann D,Yakdan K,Klatt M.A comprehensive measurement study of domain generating malware［C］∥Proc of the 25th USENIX Security Symposium,
20	16:263-278.
［3］	Tong V, Nguyen G.A method for detecting DGA botnet based on semantic and cluster analysis［C］∥Proc of the 7th Symposium on Information and Communication Technology,2016:272-277.
［4］	Wang T S,Lin H T,Cheng W T,et al.DBod:Clustering and detecting DGA-based botnets using DNS traffic analysis［J］.Computers & Security,2017,64:1-15.
［5］	Woodbridge J,Anderson H S,Ahuja A,et al.Predicting domain generation algorithms with long short-term memory networks［EB/OL］.［2016-11-02］.https://arxiv.org/pdf/1611.00791.pdf.
［6］	Curtin R R,Gardner A B,Grzonkowski S,et al.Detecting DGA domains with recurrent neural networks and side information［EB/OL］.［2018-10-04］.https://arxiv.org/pdf/1810.02023.pdf.
［7］	Chen Li-huang,Cheng Hua,Fang Yi-quan. Detecting domain generation algorithm based on attention mechanism［J］.Journal of East China University of Science and Technology (Natural Science Edition),2019,45(3):478-485.（in Chinese）
［8］	Vaswani A,Shazeer N,Parmar N,et al.Attention is all you need［EB/OL］.［2017-01-12］.https://arxiv.org/pdf/1706.03762.pdf.
［9］	Melamud O,Dagan I,Goldberger J.A simple language model based on PMI matrix approximations［EB/OL］.［2017-07-17］.https://arxiv.org/pdf/1707.05266.pdf.
［10］	Ma Yu-ke,Cheng Hua,Kou Xiao-huai,et al.Probabilistic feature association algorithm for soft information ［J］.Journal of East China University of
	Science and Technology (Natural Science Edition),2017,43(1):84-89.（in Chinese）
［11］	Wang C,Li M,Smola A J.Language models with transformers［EB/OL］.［2019-04-20］.https://arxiv.org/abs/1904.09408.
	附中文参考文献：
［7］	陈立皇，程华，房一泉．基于注意力机制的DGA域名检测算法［J］．华东理工大学学报(自然科学版),2019,45(3):478-485.
［10］	马宇舸,程华,寇晓淮,等.软信息的概率特征关联算法［J］.华东理工大学学报(自然科学版),2017,43(1):84-89.

[1]	YU Zi-cheng, LING Jie. A DGA domain name detection method based on Transformer and multi-feature fusion [J]. Computer Engineering & Science, 2023, 45(08): 1416-1423.
[2]	WANG Jian, JIANG Lin, WANG Lin-qin, YU Zheng-tao, ZHANG Song, GAO Sheng-xiang, . A low-resource Lao text regularization task based on BiLSTM [J]. Computer Engineering & Science, 2023, 45(07): 1292-1299.
[3]	PU Zi-jun, ZHANG Shou-ming. A sound event localization and detection algorithm based on feature fusion and Transformer model [J]. Computer Engineering & Science, 2023, 45(06): 1097-1105.
[4]	WANG Yang, CHEN Zhi-bin. A dynamic graph transformer model for solving CVRP [J]. Computer Engineering & Science, 2023, 45(05): 859-868.
[5]	YUAN Ye, LIAO Wei. A text similarity calculation method based on multiple related information interaction [J]. Computer Engineering & Science, 2022, 44(07): 1313-1320.
[6]	WANG Xi, ZHANG Kai, LI Jun-hui, KONG Fang. Image caption generation based on residual dense hierarchical information [J]. Computer Engineering & Science, 2022, 44(01): 84-91.