基于CRNet的可读DGA恶意域名检测模型

doi:10.3778/j.issn.1002-8331.2407-0268

摘要/Abstract

摘要： 针对现有域名检测模型对部分可读DGA（domain generation algorithm）恶意域名检测性能不佳的问题，提出一种基于卷积保留网络（convolutional retentive network，CRNet）的可读DGA恶意域名检测模型。首先提出轻量级保留网络（lightweight retentive network，LRN）捕获域名字符串的全局语义特征，充分挖掘可读DGA域名与合法域名之间的上下文特征差异。其中多尺度保留（multi-scale retention，MSR）机制捕获域名字符串的浅层语义信息；为深入挖掘深层语义信息，设计了一种轻量级卷积前馈网络（lightweight convolutional feed forward network， LCFFN），通过在前馈网络（feed forward network，FFN）的两个线性层间引入深度可分离卷积（depthwise separable convolution，DSC）优化特征信息，并采用Delight变换模块降低域名特征表示维度，缓解FFN中相邻层之间语义信息高度冗余的问题。其次采用卷积神经网络（convolutional neural network，CNN）捕获域名字符串中不同字符间的组合特征。最后将LRN与CNN相结合，充分利用域名的全局语义特征和字符组合特征，以提升可读DGA域名检测的效果。在Majestic Million合法域名数据集和360 DGA恶意域名数据集上进行实验，结果表明，相较于当前先进的DGA域名检测模型，CRNet在提升检测效率的同时，对于可读DGA域名检测的F1分数提升了0.59%~3.48%，随机域名检测的F1分数提升了0.32%~1.42%。

关键词: 可读DGA域名, 轻量级保留网络, 轻量级卷积前馈网络, 多尺度保留, 全局语义特征

Abstract: To address the limitations of existing domain name detection models in identifying readable DGA (domain generation algorithm) malicious domains, a convolutional retentive network (CRNet) for detecting such domains is proposed. Firstly, the lightweight retentive network (LRN) is introduced to capture the global semantic features of domain name strings and explore the contextual differences between readable DGA domains and legitimate domains. The multi-scale retention (MSR) mechanism captures shallow semantic information, while the lightweight convolutional feed forward network (LCFFN) is designed to extract deeper features. By incorporating depthwise separable convolution (DSC) between two linear layers in the feed forward network (FFN), feature extraction is optimized, and the Delight transformation module reduces dimensionality, addressing the issue of redundancy between adjacent layers in the FFN. Additionally, a convolutional neural network (CNN) captures character combination features within domain name strings. By combining LRN and CNN, the model effectively leverages both global semantic features and local character combinations, improving the detection of readable DGA domains. Experiments on the Majestic Million legitimate domain dataset and the 360 DGA malicious domain dataset demonstrate that CRNet enhances detection efficiency, achieving F1-Score improvements of 0.59%-3.48% for readable DGA domains and 0.32%-1.42% for random DGA domains compared to state-of-the-art models.

Key words: readable DGA domain names, lightweight retentive network, lightweight convolutional feed forward network, multi-scale retention, global semantic features

赵宏, 丁艳娇, 王伟杰. 基于CRNet的可读DGA恶意域名检测模型[J]. 计算机工程与应用, 2025, 61(22): 278-287.

ZHAO Hong, DING Yanjiao, WANG Weijie. Readable DGA Malicious Domain Name Detection Model Based on CRNet[J]. Computer Engineering and Applications, 2025, 61(22): 278-287.

参考文献

[1] 顾兆军, 杨文瑾, 周景贤. 基于迁移学习的小样本DGA恶意域名检测方法[J]. 计算机工程与应用, 2021, 57(14): 103-109.
GU Z J, YANG W J, ZHOU J X. Small sample DGA malicious domain names detection method based on transfer lear-ning[J]. Computer Engineering and Applications, 2021, 57(14): 103-109.
[2] DIVYA T, AMRITHA P P, VISWANATHAN S. A model to detect domain names generated by DGA malware[J]. Procedia Computer Science, 2022, 215: 403-412.
[3] YOSHIDA K, FUJIWARA K, SATO A, et al. Cardinality anal-ysis to classify malicious domain names[C]//Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference. Piscataway: IEEE, 2020: 826-832.
[4] CUCCHIARELLI A, MORBIDONI C, SPALAZZI L, et al. Algo-rithmically generated malicious domain names detection based on n-grams features[J]. Expert Systems with Applications, 2021, 170: 114551.
[5] HOANG X D, VU X H. An improved model for detecting DGA botnets using random forest algorithm[J]. Information Security Journal: A Global Perspective, 2022, 31(4): 441-450.
[6] 马栋林, 张澍寰, 赵宏. 改进Relief-C5.0的恶意域名检测算法[J]. 计算机工程与应用, 2022, 58(11): 100-106.
MA D L, ZHANG S H, ZHAO H. Improved malicious domain name detection algorithm of Relief-C5.0[J]. Computer Engineering and Applications, 2022, 58(11): 100-106.
[7] MORAN B, GIL D. Domain generation algorithm detection using machine learning methods[M]//Cyber security: power and technology. Cham: Springer, 2018: 133-161.
[8] GHALATI N F, GHALATY N F, BARATA J. Towards the detection of malicious URL and domain names using machine learning[C]//Technological Innovation for Life Improvement: Proceedings of the 11th IFIP WG 5.5/SOCOLNET Advanced Doctoral Conference on Computing, Electrical and Industrial Systems. Cham: Springer, 2020: 109-117.
[9] VAN CAN N, TU D N, TUAN T A, et al. A new method to classify malicious domain name using neutrosophic sets in DGA botnet detection[J]. Journal of Intelligent & Fuzzy Systems, 2020, 38(4): 4223-4236.
[10] MU Z C. Predicting domain generation algorithms with N-gram models[C]//Proceedings of the 2022 International Conference on Big Data, Information and Computer Network. Piscataway: IEEE, 2022: 31-38.
[11] 赵宏, 常兆斌, 王伟杰. 基于深度自编码和决策树的恶意域名检测[J]. 微电子学与计算机, 2020, 37(5): 13-17.
ZHAO H, CHANG Z B, WANG W J. Malicious domain name detection based on deep auto-encoder and decision tree[J]. Microelectronics & Computer, 2020, 37(5): 13-17.
[12] SOLEYMANI A, ARABGOL F. A novel approach for det-ecting DGA-based botnets in DNS queries using machine learning techniques[J]. Journal of Computer Networks and Communications, 2021(1): 4767388.
[13] HUANG J Y, ZHANG G D, SHEN Y J. DGA domain name detection based on SVM under grey wolf optimization algorithm[C]//Proceedings of the 2019 IEEE 10th International Conference on Software Engineering and Service Science. Piscataway: IEEE, 2020: 245-248.
[14] WOODBRIDGE J, ANDERSON H S, AHUJA A, et al. Predicting domain generation algorithms with long short-term memory networks[J]. arXiv:1611.00791, 2016.
[15] 张斌, 廖仁杰. 基于CNN与LSTM相结合的恶意域名检测模型[J]. 电子与信息学报, 2021, 43(10): 2944-2951.
ZHANG B, LIAO R J. Malicious domain name detection model based on CNN and LSTM[J]. Journal of Electronics & Information Technology, 2021, 43(10): 2944-2951.
[16] TUAN T A, LONG H V, TANIAR D. On detecting and classifying DGA botnets and their families[J]. Computers & Sec-urity, 2022, 113: 2549-2566.
[17] YANG C, LU T L, YAN S Y, et al. N-Trans: parallel detection algorithm for DGA domain names[J]. Future Internet, 2022, 14(7): 209-224.
[18] 余子丞, 凌捷. 基于Transformer和多特征融合的DGA域名检测方法[J]. 计算机工程与科学, 2023, 45(8): 1416-1423.
YU Z C, LING J. A DGA domain name detection method based on Transformer and multi-feature fusion[J]. Computer Engineering & Science, 2023, 45(8): 1416-1423.
[19] DING L, DU P, HOU H W, et al. Botnet DGA domain name classification using transformer network with hybrid embedding[J]. Big Data Research, 2023, 33: 395-405.
[20] 魏金侠, 龙春, 付豪, 等. 基于增强嵌入特征超图学习的恶意域名检测方法[J]. 计算机研究与发展, 2024, 61(9): 2334-2346.
WEI J X, LONG C, FU H, et al. Malicious domain name det-ection method based on enhanced embedded feature hypergraph learning[J]. Journal of Computer Research and Development, 2024, 61(9): 2334-2346.
[21] XU C Y, SHEN J Z, DU X. Detection method of domain names generated by DGAs based on semantic representation and deep neural network[J]. Computers & Security, 2019, 85: 77-88.
[22] ZHAO K J, GUO W, QIN F L, et al. D3-SACNN: DGA domain detection with self-attention convolutional network[J]. IEEE Access, 2022, 10: 69250-69263.
[23] SUN Y T, DONG L, HUANG S H, et al. Retentive network: a successor to transformer for large language models[J]. arXiv:2307.08621, 2023.
[24] MAJESTIC. Majestic Million[EB/OL]. [2024-06-27]. https://majestic.com/reports/majestic-million.
[25] Qihoo 360 Technology Co.360 DGA feeds[EB/OL]. [2024-06-27]. https://data.netlab.360.com/dga/.