利用域名特征向量间距离检测未知DGAs

2021 28th International Conference on Telecommunications (ICT) Pub Date : 2021-06-01 DOI:10.1109/ICT52184.2021.9511517

Ji Huan, Yongzheng Zhang, Peng Chang, Yupeng Tuo

{"title":"利用域名特征向量间距离检测未知DGAs","authors":"Ji Huan, Yongzheng Zhang, Peng Chang, Yupeng Tuo","doi":"10.1109/ICT52184.2021.9511517","DOIUrl":null,"url":null,"abstract":"Many botnets adopt domain generation algorithms (DGAs) to set up stealthy Command & Control (C2) communication. A DGA generates a great number of domain names and the attacker selects some of them to map to the C2 servers. In this paper, we propose Talos, a DGA detection approach to detect unknown DGAs and also known DGAs accurately. The key insight of Talos is that domain names can be represented by feature vectors satisfying the condition that distances between the feature vectors can reflect whether they are of the same class. Talos uses a neural language model to extract the feature vector of a domain name. After that, Talos determines if the feature vector belongs to a class based on whether it is within the boundary of the class and near the centroid of the class. We evaluate the detection ability of Talos on both unknown and known DGAs. Our experimental results show that Talos achieves recall over 92% on unknown classes and F1-score over 95% on known classes. We also compare Talos with state-of-the-art detection approaches and find that Talos's ability to detect unknown DGAs largely surpasses them.","PeriodicalId":142681,"journal":{"name":"2021 28th International Conference on Telecommunications (ICT)","volume":"20 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Detecting Unknown DGAs Using Distances Between Feature Vectors of Domain Names\",\"authors\":\"Ji Huan, Yongzheng Zhang, Peng Chang, Yupeng Tuo\",\"doi\":\"10.1109/ICT52184.2021.9511517\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Many botnets adopt domain generation algorithms (DGAs) to set up stealthy Command & Control (C2) communication. A DGA generates a great number of domain names and the attacker selects some of them to map to the C2 servers. In this paper, we propose Talos, a DGA detection approach to detect unknown DGAs and also known DGAs accurately. The key insight of Talos is that domain names can be represented by feature vectors satisfying the condition that distances between the feature vectors can reflect whether they are of the same class. Talos uses a neural language model to extract the feature vector of a domain name. After that, Talos determines if the feature vector belongs to a class based on whether it is within the boundary of the class and near the centroid of the class. We evaluate the detection ability of Talos on both unknown and known DGAs. Our experimental results show that Talos achieves recall over 92% on unknown classes and F1-score over 95% on known classes. We also compare Talos with state-of-the-art detection approaches and find that Talos's ability to detect unknown DGAs largely surpasses them.\",\"PeriodicalId\":142681,\"journal\":{\"name\":\"2021 28th International Conference on Telecommunications (ICT)\",\"volume\":\"20 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-06-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2021 28th International Conference on Telecommunications (ICT)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICT52184.2021.9511517\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 28th International Conference on Telecommunications (ICT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICT52184.2021.9511517","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

许多僵尸网络采用域生成算法(DGAs)建立隐蔽的命令与控制(C2)通信。DGA生成大量域名，攻击者从中选择一部分域名映射到C2服务器。在本文中，我们提出了一种DGA检测方法Talos，它可以准确地检测未知的DGAs和已知的DGAs。Talos的关键见解是，域名可以用满足条件的特征向量来表示，特征向量之间的距离可以反映它们是否属于同一类。Talos使用神经语言模型来提取域名的特征向量。之后，Talos根据特征向量是否在类的边界内，是否在类的质心附近，来判断该特征向量是否属于该类。我们评估了Talos对未知和已知DGAs的检测能力。我们的实验结果表明，Talos在未知类别上的召回率超过92%，在已知类别上的f1得分超过95%。我们还将Talos与最先进的检测方法进行了比较，发现Talos检测未知DGAs的能力在很大程度上超过了它们。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Detecting Unknown DGAs Using Distances Between Feature Vectors of Domain Names

Many botnets adopt domain generation algorithms (DGAs) to set up stealthy Command & Control (C2) communication. A DGA generates a great number of domain names and the attacker selects some of them to map to the C2 servers. In this paper, we propose Talos, a DGA detection approach to detect unknown DGAs and also known DGAs accurately. The key insight of Talos is that domain names can be represented by feature vectors satisfying the condition that distances between the feature vectors can reflect whether they are of the same class. Talos uses a neural language model to extract the feature vector of a domain name. After that, Talos determines if the feature vector belongs to a class based on whether it is within the boundary of the class and near the centroid of the class. We evaluate the detection ability of Talos on both unknown and known DGAs. Our experimental results show that Talos achieves recall over 92% on unknown classes and F1-score over 95% on known classes. We also compare Talos with state-of-the-art detection approaches and find that Talos's ability to detect unknown DGAs largely surpasses them.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2021 28th International Conference on Telecommunications (ICT)

自引率

0.00%

发文量