A Two-Stream Network Based on Capsule Networks and Sliced Recurrent Neural Networks for DGA Botnet Detection

Abstract

With the development of Internet technology, botnets have become a major threat to most computers on the Internet. Most sophisticated bots use Domain Generation Algorithms (DGAs) to automatically generate a large number of pseudo-random domain names in Domain Name Service (DNS) domain fluxing, which allows malware to communicate with a Command and Control (C&C) server. To cope with this challenge, we built a novel Two-Stream network-based deep learning framework (named TS-ASRCaps) that uses multimodal information to reflect the properties of DGAs. Furthermore, we proposed an Attention Sliced Recurrent Neural Network (ATTSRNN) to automatically mine the underlying semantics. We also used a Capsule Network (CapsNet) with dynamic routing to model high-level visual information. Finally, we emphasized how the multimodal-based model outperforms other state-of-the-art models for the classification of domain names. To the best of our knowledge, this is the first work in which multimodal deep learning has been empirically investigated for DGA botnet detection.


Acknowledgments

The authors would like to thank the Editor-in-Chief, the Associate Editor, and the reviewers for their insightful comments and suggestions. This work was supported by the Research Innovation Project of Graduate Student in Xinjiang Uygur Autonomous Region (XJ2019G065), the CERNET Innovation Project (NGII20170420, NGII20190412) and the Xinjiang Uygur Autonomous Region Cyber Security and Informatization Project (XJWX-1-Z-2019-1021).

Author information

Corresponding author

Correspondence to Shengwei Tian.

About this article

Cite this article

Pei, X., Tian, S., Yu, L. et al. A Two-Stream Network Based on Capsule Networks and Sliced Recurrent Neural Networks for DGA Botnet Detection. J Netw Syst Manage 28, 1694–1721 (2020). https://doi.org/10.1007/s10922-020-09554-9

Keywords

  • Two-stream network
  • Capsule network
  • Sliced recurrent neural network
  • Attention
  • Domain Generation Algorithms