A Two-Stream Network Based on Capsule Networks and Sliced Recurrent Neural Networks for DGA Botnet Detection



Xinjun Pei1 · Shengwei Tian2 · Long Yu3 · Huanhuan Wang2 · Yongfang Peng2

Received: 4 October 2019 / Revised: 1 May 2020 / Accepted: 7 July 2020
© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract

With the development of Internet technology, botnets have become a major threat to most computers on the Internet. Most sophisticated bots use Domain Generation Algorithms (DGAs) to automatically generate a large number of pseudorandom domain names for Domain Name Service (DNS) domain fluxing, which allows malware to communicate with its Command and Control (C&C) server. To cope with this challenge, we built a novel Two-Stream network-based deep learning framework (named TS-ASRCaps) that uses multimodal information to reflect the properties of DGAs. Furthermore, we proposed an Attention Sliced Recurrent Neural Network (ATTSRNN) to automatically mine the underlying semantics. We also used a Capsule Network (CapsNet) with dynamic routing to model high-level visual information. Finally, we emphasized how the multimodal-based model outperforms other state-of-the-art models for the classification of domain names. To the best of our knowledge, this is the first work in which multimodal deep learning has been empirically investigated for DGA botnet detection.

Keywords  Two-stream network · Capsule network · Sliced recurrent neural network · Attention · Domain Generation Algorithms

Journal of Network and Systems Management

* Shengwei Tian [email protected] Extended author information available on the last page of the article

1 Introduction

Most network security configurations allow DNS data to pass through. Attackers often embed malware commands in DNS data and manage installed malware through the C&C server. Most of this malware, such as botnets, uses Domain Generation Algorithms (DGAs) to dynamically generate a large number of pseudorandom domain names. These domain names are called algorithmically-generated domains (AGDs), some of which are selected as the masks of malware commands and used to connect with the C&C server. In order to completely shut down such a botnet, defenders need to intercept all AGDs generated by the malware. Existing solutions are largely based on linguistic features to build models for DGA botnet detection. Unfortunately, relying on linguistic properties has a potential drawback: they may be bypassed by the malware authors, while deriving a new set of features is rather challenging. Some techniques incorporate contextual information (such as manual features [1, 2]) to further improve performance. However, this is a time-consuming and costly process, which cannot meet the needs of many real-world security applications that require real-time detection and prevention [3]. To address this challenge, we proposed a lightweight semantics and visual feature extraction, and conducted a set of experiments for confi