
Research On Malicious Domain Name Detection Algorithm Based On Deep Learning

Posted on: 2024-05-12; Degree: Master; Type: Thesis
Country: China; Candidate: J B Cao
GTID: 2568306923485484; Subject: Electronic information
Abstract/Summary:
While the Internet brings great convenience to people, it also faces serious security threats such as botnets and phishing. Both botnet communication and phishing are closely tied to malicious domain names. On the one hand, botnets rely heavily on command and control (C&C) channels to remotely execute malicious actions. DGA-based botnets generate many domain names using a domain generation algorithm (DGA). Traditional machine learning schemes benefit from analyzing the linguistic distinctions between legitimate and DGA-based domain names. However, it is difficult to identify domain names that are generated from wordlists or pseudo-randomly. On the other hand, because some characters from different languages look similar in internationalized domain names (IDNs), cyber attackers often use IDNs to create domain names that look visually similar to legitimate domain names in order to carry out phishing. This type of phishing is called a homograph attack. Most of the currently proposed methods detect typosquatting domain names. However, few methods detect homograph attacks, in which similar characters from different languages replace English characters in legitimate domain names. Some existing work suffers from a high false alarm rate, low accuracy, and high computational cost. Therefore, the following research is carried out in this paper to address these issues.

(1) For DGA domain names of the wordlist-based and pseudo-random types, an efficient CNN-LSTM-based detection model is proposed, which detects DGA malicious domain names using only a set of simple, easy-to-compute character features. We evaluate our model with two open-source datasets and real DNS traffic collected from China Education and Research Network (CERNET). Experimental results show that the algorithm can identify covert communication channels without the need for reverse engineering and before the zombie hosts successfully connect to the C&C server, greatly improving detection accuracy and detection efficiency.

(2) In response to the current problems of low accuracy and a high false alarm rate in homograph domain name detection, a Siamese neural network-based detection method for homograph domain names is proposed, which can quickly and accurately detect homograph domain names that counterfeit legitimate domain names. In this paper, domain names are transformed into images, and the similarity between the two images is calculated by a Siamese neural network, which can identify domain names based on homographs. The experimental results show that the method in this paper reduces the false alarm rate while improving accuracy, and that it can accurately identify homograph-based domain names in internationalized domain names and the spelling errors present in phishing pages.
Keywords/Search Tags:Network security, Deep learning, Domain generation algorithm, Phishing, Homomorphic domain name