Domain generation algorithms detection with feature extraction and Domain Center construction

Network attacks using Command and Control (C&C) servers have increased significantly. To hide their C&C servers, attackers often use Domain Generation Algorithms (DGA), which automatically generate domain names for C&C servers. Researchers have constructed many unique feature sets and de...

Detailed description

Saved in:
Bibliographic details
Published in: PloS one 2023-01, Vol.18 (1), p.e0279866-e0279866
Main authors: Sun, Xinjie, Liu, Zhifang
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page e0279866
container_issue 1
container_start_page e0279866
container_title PloS one
container_volume 18
creator Sun, Xinjie
Liu, Zhifang
description Network attacks using Command and Control (C&C) servers have increased significantly. To hide their C&C servers, attackers often use Domain Generation Algorithms (DGA), which automatically generate domain names for C&C servers. Researchers have constructed many unique feature sets and detected DGA domains through machine learning or deep learning models. However, due to the limited features contained in the domain name, the DGA detection results are limited. In order to overcome this problem, the domain name features, the Whois features and the N-gram features are extracted for DGA detection. To obtain the N-gram features, the domain name whitelist and blacklist substring feature sets are constructed. In addition, a deep learning model based on BiLSTM, Attention and CNN is constructed. Additionally, the Domain Center is constructed for fast classification of domain names. Multiple comparative experiment results prove that the proposed model not only gets the best Accuracy, Precision, Recall and F1, but also greatly reduces the detection time.
doi_str_mv 10.1371/journal.pone.0279866
format Article
fulltext fulltext
identifier ISSN: 1932-6203
ispartof PloS one, 2023-01, Vol.18 (1), p.e0279866-e0279866
issn 1932-6203
1932-6203
language eng
recordid cdi_plos_journals_2770256643
source MEDLINE; DOAJ Directory of Open Access Journals; EZB-FREE-00999 freely available EZB journals; PubMed Central; Free Full-Text Journals in Chemistry; Public Library of Science (PLoS)
subjects Access control
Algorithms
Biology and Life Sciences
Blacklisting
Classification
Command and control
Command and control systems
Computer and Information Sciences
Deep learning
Domain names
Engineering and Technology
Feature extraction
Identification and classification
Machine Learning
Malware
Methods
Neural networks
Neural Networks, Computer
Physical Sciences
Prevention
Records
Research and Analysis Methods
Reverse engineering
Servers
Spyware
URLs
title Domain generation algorithms detection with feature extraction and Domain Center construction
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-04T21%3A24%3A18IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-gale_plos_&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Domain%20generation%20algorithms%20detection%20with%20feature%20extraction%20and%20Domain%20Center%20construction&rft.jtitle=PloS%20one&rft.au=Sun,%20Xinjie&rft.date=2023-01-27&rft.volume=18&rft.issue=1&rft.spage=e0279866&rft.epage=e0279866&rft.pages=e0279866-e0279866&rft.issn=1932-6203&rft.eissn=1932-6203&rft_id=info:doi/10.1371/journal.pone.0279866&rft_dat=%3Cgale_plos_%3EA734887722%3C/gale_plos_%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2770256643&rft_id=info:pmid/36706089&rft_galeid=A734887722&rft_doaj_id=oai_doaj_org_article_3b81fd1f8e04403e9f8f3c4cb183846b&rfr_iscdi=true