Lightweight malicious domain name detection model based on separable convolution

doi:10.11959/j.issn.2096-109x.2020084

Abstract

Abstract:

The application of artificial intelligence in the detection of malicious domain names needs to consider both accuracy and calculation speed,which can make it closer to the actual application.Based on the above considerations,a lightweight malicious domain name detection model based on separable convolution was proposed.The model uses a separable convolution structure.It first applies depthwise convolution on every input channel,and then performs pointwise convolution on all output channels.This can effectively reduce the parameters of convolution process without impacting the effectiveness of convolution feature extraction,and realize faster convolution process while keeping high accuracy.To improve the detection accuracy considering the imbalance of the number and difficulty of positive and negative samples,a focal loss function was introduced in the training process of the model.The proposed algorithm was compared with three typical deep-learning-based detection models on a public data set.Experimental results denote that the proposed algorithm achieves detection accuracy close to the state-of-the-art model,and can significantly improve model inference speed on CPU.

Key words: separable convolution, domain generation algorithm, deep learning, cyber security

CLC Number:

TP309

Luhui YANG,Huiwen BAI,Guangjie LIU,Yuewei DAI. Lightweight malicious domain name detection model based on separable convolution[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 112-120.

Figures/Tables 10

References 16

[1]	YADAV S , REDDY A K K , REDDY A L N ,et al. Detecting algorithmically generated malicious domain names[C]// Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement 2010. 2010: 48-61.
[2]	YADAV S , REDDY A K K , REDDY A L N ,et al. Detecting algorithmically generated domain-flux attacks with DNS traffic analysis[J]. IEEE/ACM Transactions on Networking, 2012,20(5): 1663-1677.
[3]	BILGE L , SEN S , BALZAROTTI D ,et al. EXPOSURE:a passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security (TISSEC), 2014,16(4): 1-28.
[4]	YANG L , ZHAI J , LIU W ,et al. Detecting word-based algorithmically generated domains using semantic analysis[J]. Symmetry, 2019,11(2):176.
[5]	SCHIAVONI S , MAGGI F , CAVALLARO L ,et al. Tracking and characterizing botnets using automatically generated domains[J]. Computer Science, 2013(2): 217-248.
[6]	SCHIAVONI S , MAGGI F , CAVALLARO L ,et al. Phoenix:DGA-based botnet tracking and intelligence[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment. 2014: 192-211.
[7]	WOODBRIDGE J , ANDERSON H S , AHUJA A ,et al. Predicting domain generation algorithms with long short-term memory networks[J]. arXiv preprint arXiv:1611.00791, 2016
[8]	YU B , GRAY D L , PAN J ,et al. Inline DGA detection with deep networks[C]// 2017 IEEE International Conference on Data Mining Workshops (ICDMW). 2017.
[9]	YU B , PAN J , HU J ,et al. Character level based detection of DGA domain names[C]// 2018 International Joint Conference on Neural Networks (IJCNN). 2018: 1-8.
[10]	TRAN D , MAC H , TONG V ,et al. A LSTM based framework for handling multiclass imbalance in DGA botnet detection[J]. Neurocomputing, 2018,275: 2401-2413.
[11]	QIAO Y , ZHANG B , ZHANG W ,et al. DGA domain name classification method based on long short term memory with attention mechanism[J]. Applied Sciences, 20199:4205.
[12]	LECUN Y , BOSER B , DENKER J S ,et al. Backpropagation applied to handwritten zip code recognition[J]. Neural Computation, 1989,1(4): 541-551.
[13]	KIM Y . Convolutional neural networks for sentence classification[J]. arXiv preprint arXiv:1408.5882, 2014
[14]	ZHANG X , ZHAO J , LECUN Y . Character-level convolutional networks for text classification[C]// Advances in Neural Information Processing Systems. 2015: 649-657.
[15]	HOWARD A G , ZHU M , CHEN B ,et al. Mobilenets:efficient convolutional neural networks for mobile vision applications[J]. arXiv:1704.04861, 2017
[16]	LIN T Y , GOYAL P , GIRSHICK R ,et al. Focal loss for dense object detection[J]. IEEE Transactions on Pattern Analysis ＆ Machine Intelligence, 2017,(99): 2999-3007.

层类型	输入大小	输出大小	参数设置
输入层（Imput）	1×128	128×128
量化层（Embedding）	128×128	128×128
一维可分离卷积层（SeparableConv1D）	128×128	128×128	Kernel_size=5，Stride=1
随机失活层（Dropout）	128×128	128×128	Dropout_rate=0.5
展开层（Flatten）	128×128	1×16384
全连接层（Dense）	1×16384	1×128
随机失活层（Dropout）	1×128	1×128	Dropout_rate=0.5
全连接层（Dense）	1×128	1×1
激活层（Activation）	1×1	1×1	Activation= ‘sigmoid’

层类型	输入大小	输出大小	参数设置
输入层（Imput）	1×128	128×128
量化层（Embedding）	128×128	128×128
一维可分离卷积层（SeparableConv1D）	128×128	128×128	Kernel_size=5，Stride=1
随机失活层（Dropout）	128×128	128×128	Dropout_rate=0.5
展开层（Flatten）	128×128	1×16384
全连接层（Dense）	1×16384	1×128
随机失活层（Dropout）	1×128	1×128	Dropout_rate=0.5
全连接层（Dense）	1×128	1×1
激活层（Activation）	1×1	1×1	Activation= ‘sigmoid’

样本标签	样本描述	数量/个
合法域名	样本来自思科收集的DNS请求白名单	400 000
恶意域名	20种恶意软件生成的DGA样本，具体类型如下：Gameover、Murofet、Dircrypt、Tinba、Necurs、Ramdo、Ranbyus、Cryptolocker、Emotet、Corebot、Banjori、Qakbot、Rovnix、Kraken、Ramnit、Locky、Pykspa、Simda、Symmi、Virut	100 000

样本标签	样本描述	数量/个
合法域名	样本来自思科收集的DNS请求白名单	400 000
恶意域名	20种恶意软件生成的DGA样本，具体类型如下：Gameover、Murofet、Dircrypt、Tinba、Necurs、Ramdo、Ranbyus、Cryptolocker、Emotet、Corebot、Banjori、Qakbot、Rovnix、Kraken、Ramnit、Locky、Pykspa、Simda、Symmi、Virut	100 000

算法	召回率	平均准确率	AUC	CPU推理时间/ms
文献[8]算法	94.06%	96.61%	0.9968	1.05
文献[7]算法	95.36%	96.97%	0.9960	2.07
文献[10]算法	96.26%	97.51%	0.9971	2.09
本文算法	96.75%	97.46%	0.9971	0.60