Malicious domain detection based on semi-supervised learning and parameter optimization

IF 1.5 4区计算机科学 Q3 ENGINEERING, ELECTRICAL & ELECTRONIC

IET Communications Pub Date : 2024-03-05 DOI:10.1049/cmu2.12739

Renjie Liao, Shuo Wang

{"title":"Malicious domain detection based on semi-supervised learning and parameter optimization","authors":"Renjie Liao, Shuo Wang","doi":"10.1049/cmu2.12739","DOIUrl":null,"url":null,"abstract":"<p>Malicious domains provide malware with covert communication channels which poses a severe threat to cybersecurity. Despite the continuous progress in detecting malicious domains with various machine learning algorithms, maintaining up-to-date various samples with fine-labeled data for training is difficult. To handle these issues and improve the detection accuracy, a novel malicious domain detection method named MDND-SS-PO is proposed that combines semi-supervised learning and parameter optimization. The contributions of the study are as follows. First, the method extracts the statistical features of the IP address, TTL value, the NXDomain record, and the domain name query characteristics to discriminate Domain-Flux and Fast-Flux domain names simultaneously. Second, an improved DBSCAN based on the neighborhood division is designed to cluster labeled data and unlabeled data with low time consumption. Then, based on the clustering hypothesis, unlabeled data is tagged with pseudo-label according to the cluster results, which aims to train a supervised classifier effectively. Finally, Gaussian process regression is used to optimize parameter settings of the algorithm. And the Silhouette index and F1 score are introduced to evaluate the optimization results. Experimental results show that the proposed method achieved a precise detection performance of 0.885 when the ratio of labeled data is 5%.</p>","PeriodicalId":55001,"journal":{"name":"IET Communications","volume":"18 6","pages":"386-397"},"PeriodicalIF":1.5000,"publicationDate":"2024-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1049/cmu2.12739","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Communications","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1049/cmu2.12739","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}

引用次数: 0

Abstract

Malicious domains provide malware with covert communication channels which poses a severe threat to cybersecurity. Despite the continuous progress in detecting malicious domains with various machine learning algorithms, maintaining up-to-date various samples with fine-labeled data for training is difficult. To handle these issues and improve the detection accuracy, a novel malicious domain detection method named MDND-SS-PO is proposed that combines semi-supervised learning and parameter optimization. The contributions of the study are as follows. First, the method extracts the statistical features of the IP address, TTL value, the NXDomain record, and the domain name query characteristics to discriminate Domain-Flux and Fast-Flux domain names simultaneously. Second, an improved DBSCAN based on the neighborhood division is designed to cluster labeled data and unlabeled data with low time consumption. Then, based on the clustering hypothesis, unlabeled data is tagged with pseudo-label according to the cluster results, which aims to train a supervised classifier effectively. Finally, Gaussian process regression is used to optimize parameter settings of the algorithm. And the Silhouette index and F1 score are introduced to evaluate the optimization results. Experimental results show that the proposed method achieved a precise detection performance of 0.885 when the ratio of labeled data is 5%.

Abstract Image

查看原文本刊更多论文

基于半监督学习和参数优化的恶意域检测

恶意域为恶意软件提供了隐蔽的通信渠道，对网络安全构成了严重威胁。尽管各种机器学习算法在检测恶意域方面不断取得进展，但保持最新的各种样本和用于训练的精细标记数据却十分困难。为了解决这些问题并提高检测精度，我们提出了一种名为 MDND-SS-PO 的新型恶意域检测方法，该方法结合了半监督学习和参数优化。该研究的贡献如下。首先，该方法提取了 IP 地址、TTL 值、NXDomain 记录和域名查询特征的统计特征，从而同时区分出 Domain-Flux 和 Fast-Flux 域名。其次，设计了一种基于邻域划分的改进型 DBSCAN，以较低的时间消耗对已标记数据和未标记数据进行聚类。然后，基于聚类假设，根据聚类结果对未标记数据进行伪标记，从而有效地训练监督分类器。最后，利用高斯过程回归优化算法参数设置。并引入剪影指数和 F1 分数来评价优化结果。实验结果表明，当标记数据比例为 5%时，所提出的方法达到了 0.885 的精确检测性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IET Communications 工程技术-工程：电子与电气

CiteScore

4.30

自引率

6.20%

发文量

220

审稿时长

5.9 months

期刊介绍： IET Communications covers the fundamental and generic research for a better understanding of communication technologies to harness the signals for better performing communication systems using various wired and/or wireless media. This Journal is particularly interested in research papers reporting novel solutions to the dominating problems of noise, interference, timing and errors for reduction systems deficiencies such as wasting scarce resources such as spectra, energy and bandwidth. Topics include, but are not limited to: Coding and Communication Theory; Modulation and Signal Design; Wired, Wireless and Optical Communication; Communication System Special Issues. Current Call for Papers: Cognitive and AI-enabled Wireless and Mobile - https://digital-library.theiet.org/files/IET_COM_CFP_CAWM.pdf UAV-Enabled Mobile Edge Computing - https://digital-library.theiet.org/files/IET_COM_CFP_UAV.pdf