Journal of Lanzhou University of Technology ›› 2023, Vol. 49 ›› Issue (6): 100-106.

• Automation Technology and Computer Technology •

A generation method for malicious domain name training data based on generative adversarial networks

LIU Wei-shan*1,2, MA Xu-qi1,3, WANG Hang1, WU Zi-yan1

  1. Gansu Branch, National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Lanzhou 730000, Gansu, China;
  2. School of Mechanical and Electrical Engineering, Lanzhou University of Technology, Lanzhou 730050, Gansu, China;
  3. School of Information Science and Engineering, Lanzhou University, Lanzhou 730000, Gansu, China
  • Received: 2022-01-14  Online: 2023-12-28  Published: 2024-01-05
  • Corresponding author: LIU Wei-shan (born 1989), male, from Wuwei, Gansu, engineer. Email: wsliu1503@163.com

A generation method of malicious domain name training data based on generative adversarial network

LIU Wei-shan1,2, MA Xu-qi1,3, WANG Hang1, WU Zi-yan1

  1. GSCERT, Lanzhou 730000, China;
  2. School of Mechanical and Electrical Engineering, Lanzhou Univ. of Tech., Lanzhou 730050, China;
  3. School of Information Science & Engineering, Lanzhou University, Lanzhou 730000, China
  • Received: 2022-01-14  Online: 2023-12-28  Published: 2024-01-05

Abstract (translated from the Chinese): Attackers currently make wide use of domain generation algorithms (DGA) to produce large numbers of random domain names in order to evade detection. Existing DGA domain detection models are all trained and built on publicly released datasets and therefore cannot detect unknown malicious domains effectively. To address this, an autoencoder is trained on real domain name data and combined with a generative adversarial network to build a new DGA domain generation model. Experiments show that the sequences produced by this model are close to Alexa domain names in features such as length and character distribution, and that they effectively degrade the performance of a DGA domain classifier based on a long short-term memory network. These generated sequences substantially enrich the malicious domain dataset, and using them further significantly improves the performance of existing DGA domain detectors.

Keywords (translated): malicious domain names, DGA, autoencoder, generative adversarial network

Abstract: Domain generation algorithms (DGA) are widely used by cyber attackers to generate large numbers of random domain names to evade detection. Existing DGA domain name detection models cannot effectively detect unknown malicious domains, because they are all trained and constructed on publicly available datasets. In this paper, an autoencoder (AE) is first trained using real domain names, and then combined with a generative adversarial network (GAN) to construct a new DGA domain name generating model. Experimental results show that the sequences generated by this model are similar to the Alexa domain names in terms of length and character distribution, and that they can effectively reduce the performance of a DGA domain name classifier based on a long short-term memory (LSTM) network. These generated sequences enrich the malicious domain name dataset, and their further use can significantly improve the performance of existing DGA domain name detectors.

Key words: malicious domains, DGA, AE, GAN
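The abstract evaluates generated sequences by how close they are to Alexa domain names in length and character distribution. The following script, added here as an illustration and not the paper's code, computes that kind of feature profile for two sets of domain labels and measures the distance between their character distributions with the Jensen-Shannon divergence. The two domain lists are constructed samples (one benign-looking, one random-looking), not data from the paper, and the feature set, the smoothing constant and the divergence measure are this example's own choices; a detector builder would use the same comparison to check whether a candidate training set actually resembles the benign distribution it is meant to be confused with.

```python
"""Length and character-distribution profile for sets of domain labels.

Added example, not the paper's code. The domain lists below are constructed
samples; the feature set and distance measure are assumptions of this example.
"""
from __future__ import annotations

import math
from collections import Counter
from statistics import mean, pstdev

# Characters allowed in a hostname label (letters, digits, hyphen).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed sample standing in for Alexa-style (benign) second-level labels.
REAL_LIKE = [
    "google", "facebook", "wikipedia", "youtube", "amazon",
    "twitter", "github", "stackoverflow", "netflix", "reddit",
]
# Constructed sample standing in for classic random-looking DGA labels.
DGA_LIKE = [
    "xk3qvt9zpl", "bq7wnfj2rd", "zzt4ypqhxw", "m9kdv0rcoa", "hjf8sx1nqe",
    "wq2lrvb5tk", "py6gzmcd3x", "rn0tqkvj7h", "lsd5xwpm1b", "cgv9hkqz4n",
]


def shannon_entropy(label: str) -> float:
    """Entropy in bits of the label's own symbol distribution."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def char_distribution(domains: list[str], eps: float = 1e-6) -> dict[str, float]:
    """Relative frequency of each ALPHABET symbol over the whole set.

    A small additive smoothing (eps) keeps every probability non-zero so the
    divergence between two sets stays finite.
    """
    counts = Counter(ch for d in domains for ch in d.lower())
    total = sum(counts[ch] for ch in ALPHABET) + eps * len(ALPHABET)
    return {ch: (counts[ch] + eps) / total for ch in ALPHABET}


def js_divergence(p: dict[str, float], q: dict[str, float]) -> float:
    """Jensen-Shannon divergence, base 2: 0 for identical, 1 for disjoint."""
    def kl(a: dict[str, float], b: dict[str, float]) -> float:
        return sum(a[k] * math.log2(a[k] / b[k]) for k in a if a[k] > 0)

    m = {k: 0.5 * (p[k] + q[k]) for k in p}
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def profile(domains: list[str]) -> dict:
    """Per-set summary: length statistics, mean entropy, digit share, char dist."""
    lengths = [len(d) for d in domains]
    chars = "".join(domains)
    return {
        "mean_len": mean(lengths),
        "std_len": pstdev(lengths),
        "mean_entropy": mean([shannon_entropy(d) for d in domains]),
        "digit_ratio": sum(ch.isdigit() for ch in chars) / len(chars),
        "char_dist": char_distribution(domains),
    }


def compare(a: list[str], b: list[str]) -> dict[str, float]:
    """Distance between two sets on the features the abstract names."""
    pa, pb = profile(a), profile(b)
    return {
        "char_js": js_divergence(pa["char_dist"], pb["char_dist"]),
        "len_gap": abs(pa["mean_len"] - pb["mean_len"]),
        "entropy_gap": abs(pa["mean_entropy"] - pb["mean_entropy"]),
    }


if __name__ == "__main__":
    for name, domains in (("real-like", REAL_LIKE), ("dga-like", DGA_LIKE)):
        p = profile(domains)
        print(f"{name:10s} mean_len={p['mean_len']:.1f} "
              f"entropy={p['mean_entropy']:.2f} digits={p['digit_ratio']:.2f}")
    print("real-like vs dga-like:", compare(REAL_LIKE, DGA_LIKE))
```

A generated set that is meant to mimic benign traffic should score a `char_js` close to that of two benign samples compared with each other, and a small `len_gap`; a large divergence on either axis means the set will be easy for a character-level classifier to separate and will add little to the training data.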

CLC number: