Abstract
Command and control (C2) servers are used by attackers to operate communications with compromised hosts. To perform attacks, attackers usually employ a Domain Generation Algorithm (DGA), with which they establish rendezvous points with their C2 servers by generating many candidate network locations. The detection of DGA domain names is therefore one of the important technologies for command and control communication detection. Considering the randomness of DGA domain names, recent research in DGA detection has applied machine learning methods based on feature extraction and deep learning architectures to classify domain names. However, these methods are insufficient to handle wordlist-based DGA threats, which generate domain names by randomly concatenating dictionary words according to a special set of rules. In this paper, we propose a deep learning framework, ATT-CNN-BiLSTM, for identifying and detecting DGA domains to alleviate this threat. Firstly, a Convolutional Neural Network (CNN) layer and a bidirectional Long Short-Term Memory (BiLSTM) layer are used to extract features from the domain name sequence; secondly, an attention layer is used to allocate the corresponding weight to each of the extracted deep features of the domain name. Finally, the differently weighted features of the domain name are fed into the output layer to complete the tasks of detection and classification. Our extensive experimental results demonstrate the effectiveness of the proposed model, both on regular DGA domains and on DGA domains that are hard to detect, such as wordlist-based and part-wordlist-based ones. To be precise, we obtained an F1 score of 98.79% for the detection task and a macro average precision and recall of 83% for the classification task of DGA domain names.
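The abstract's claim that feature-based detectors are insufficient for wordlist-based DGAs can be checked directly. The following is an added example, not code from the paper: it computes three hand-crafted lexical features of the kind feature-based detectors use (character entropy, dictionary coverage, digit ratio) over constructed sample labels, and shows that a benign name and a wordlist-based DGA name are nearly indistinguishable by these features, whereas a random-character DGA name is easy to separate. The wordlist `WORDS` and the three sample domains are constructed assumptions, not real indicators.

```python
import math

# Constructed toy dictionary (assumption, not from the paper): stands in for the
# English wordlist that a dictionary-based DGA draws its components from.
WORDS = {"sun", "flower", "sunflower", "stone", "river", "light", "pay", "pal",
         "time", "house", "mail", "apple"}

def char_entropy(label):
    """Shannon entropy in bits per character of a domain label."""
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dictionary_coverage(label, words=WORDS):
    """Fraction of characters covered by a greedy longest-match segmentation
    into dictionary words; 1.0 means the whole label is concatenated words."""
    i, covered = 0, 0
    while i < len(label):
        best = 0
        for j in range(len(label), i, -1):   # longest candidate first
            if label[i:j] in words:
                best = j - i
                break
        covered += best
        i += best or 1                       # skip one char when nothing matches
    return covered / len(label)

def lexical_features(domain):
    """Hand-crafted features of the kind feature-based DGA detectors rely on."""
    label = domain.split(".")[0].lower()
    digits = sum(ch.isdigit() for ch in label)
    return {"entropy": char_entropy(label),
            "dict_coverage": dictionary_coverage(label),
            "digit_ratio": digits / len(label)}

def feature_gap(domain_a, domain_b):
    """Largest per-feature difference between two domains: a crude measure of
    how well these features could separate them."""
    fa, fb = lexical_features(domain_a), lexical_features(domain_b)
    return max(abs(fa[k] - fb[k]) for k in fa)

# Constructed sample labels (not real indicators): a benign name, a classic
# random-character DGA name and a wordlist-based DGA name.
BENIGN, RANDOM_DGA, WORDLIST_DGA = "sunflower.com", "xk3qz9wv7m.com", "stoneriverlight.net"

if __name__ == "__main__":
    for d in (BENIGN, RANDOM_DGA, WORDLIST_DGA):
        print(d, lexical_features(d))
    print("gap benign vs random  :", round(feature_gap(BENIGN, RANDOM_DGA), 3))
    print("gap benign vs wordlist:", round(feature_gap(BENIGN, WORDLIST_DGA), 3))
```

The benign and wordlist-based labels both have full dictionary coverage, no digits and similar entropy, so a classifier over these features has nothing to separate them on; only the order and context of the characters differ, which is what the sequence model in the paper is meant to capture.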
Highlights
With the rapid development of the Internet, cyberspace has become the most popular environment for information exchange in almost all aspects of our daily lives
Based on the aforementioned discussion, we propose a model with an attention mechanism for Domain Generation Algorithm (DGA) detection and classification, called the ATT-Convolutional Neural Network (CNN)-bidirectional Long Short-Term Memory (BiLSTM) model
We have considered the problem of DGA domain detection, since many malware families imitate the pattern of normal domain names by concatenating pseudo-randomly chosen English dictionary words to generate domain names and thereby achieve concealment and evasion
Summary
With the rapid development of the Internet, cyberspace has become the most popular environment for information exchange in almost all aspects of our daily lives. The domain name system (DNS) is an important infrastructure of the Internet, which maps easy-to-remember hostnames to boring, hard-to-remember IP addresses. It provides critical support services for the normal operation of various domain-based Web applications. Saxe and Berlin (2017) proposed a model based on CNN to detect DGA domain names. In this work we propose a deep neural network model with an attention mechanism (ATT-CNN-BiLSTM) for the detection and classification of DGA domain names. CNN and BiLSTM can obtain information from both past and future states. Since this method captures text context information more completely than a single LSTM or CNN model, we apply it to DGA domain name detection and classification.