Analysis and Practice of DGA Domain Name Detection Methods.docx

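Summary

This article first introduces the research background and value of DGA domain names, along with their characteristics and basic definition. It then takes the current mainstream intelligent algorithms (XGBoost, Naive Bayes, multilayer perceptron and recurrent neural network), combines them with several feature extraction methods (the N-Gram model, the statistical domain-name feature model and the character sequence model), runs experiments, and compares and analyzes the results to find the better combination of feature extraction and algorithm. The experimental results show that the multilayer perceptron based on the 2-Gram feature model gives the best DGA domain name detection results.

Although mainstream detection methods already achieve good results in detecting DGA domain names, several major problems remain: the detection capability of the models still has room for improvement, evolutionary training data is lacking, and the detection model needs its own security defense. Building on the best feature extraction and algorithm combination selected in the experiments, this thesis tunes and compares the important hyperparameters of that combination to obtain a model with higher detection capability. Finally, to address the lack of training data with evolutionary value and the security of the detection model itself in mainstream detection techniques, this thesis proposes a method that expands the effective training set by generating adversarial domain names with an improved WGAN character domain name generator. The adversarial domain names this method generates conform more closely to human naming habits than those of a traditional GAN model, so adding these training samples containing adversarial factors raises the model's hit rate on unknown domain names and thereby strengthens the model's own defensive capability.

Keywords: DGA; machine learning; deep learning; WGAN

Abstract

The article first introduces the research background and value of DGA domain names, and their characteristics and basic definition. It then uses the current mainstream intelligent algorithms (XGBoost, Naive Bayes, multilayer perceptron and recurrent neural network) in combination with several feature extraction methods, including the N-Gram model, the statistical domain name feature model and the character sequence model, for feature extraction and experiments. The results are compared and analyzed to obtain the better combination of feature extraction and algorithm. According to the experiments, the multilayer perceptron based on the 2-gram feature model has the best effect on DGA domain name detection.

Although mainstream detection methods have achieved good results in detecting DGA domain names, there are still several major problems: model detection capabilities still have room for improvement, evolutionary training data is lacking, and detection models need their own defense. This paper builds on the multilayer perceptron with the 2-gram feature model and compares the important hyperparameters of that combination to obtain a model with higher detection ability. Finally, in view of the lack of evolutionary training data and the detection model's own security issues in mainstream detection technologies, this thesis proposes expanding the training set by using an improved WGAN character domain name generator to generate adversarial domain names. This method generates adversarial domain names that are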
