基于Transformer和多特征融合的DGA域名检测方法*余子丞,凌捷(广东工业大学计算机学院,广东广州510006)摘要:针对域名生成算法生成的恶意域名隐蔽性高,现有方法在恶意域名检测上准确率不高的问题,提出一种基于Transformer和多特征融合的DGA域名检测方法。该方法使用Transformer编码器捕获域名字符的全局信息,通过并行深度卷积神经网络获取不同粒度的长距离上下文特征,同时引入双向长短期记忆网络BiLSTM和自注意力机制Self-Attention结合浅层CNN得到浅层时空特征,融合长距离上下文特征和浅层时空特征进行DGA域名检测。实验结果表明,所提方法在恶意域名检测方法上有更好的性能。相对于CNN、LSTM、L-PCAL和SW-DRN,所提方法在二分类实验中准确率分别提升了1.72%,1.10%,0.75%和0.34%;在多分类实验中准确率分别提升了1.75%,1.29%,0.88%和0.83%。关键词:域名生成算法;Transformer模型;深度卷积神经网络;双向长短期记忆网络;自注意力机制中图分类号:TP393文献标志码:Adoi:10.3969/j.issn.1007-130X.2023.08.010ADGAdomainnamedetectionmethodbasedonTransformerandmulti-featurefusionYUZi-cheng,LINGJie(SchoolofComputerScienceandTechnology,GuangdongUniversityofTechnology,Guangzhou510006,China)Abstract:Toaddresstheproblemofhighconcealmentofmaliciousdomainnamesgeneratedbydo-maingenerationalgorithms(DGAs)andlowaccuracyofexistingmethodsinmulti-classificationofmali-ciousdomainnames,aDGAdomainnamedetectionmethodbasedonTransformerandmulti-featurefu-sionisproposed.ThemethodusestheTransformerencodertocapturetheglobalinformationofdomainnamecharacters,andobtainslong-distancecontextualfeaturesatdifferentgranularitiesthroughaparal-leldeepconvolutionalneuralnetwork(DCNN).Atthesametime,BiLSTMandself-attentionmecha-nismareintroducedtocombineshallowCNNtoobtainshallowspatiotemporalfeatures.Finally,thelong-distancecontextfeaturesandshallowspatiotemporalfeaturesarecombinedfordomainnamedetec-tion.Theexperimentalresultsshowthattheproposedmethodhasbetterperformanceinmaliciousdo-mainnamedetection.ComparedwithCNN,LSTM,L-PCAL,andSW-DRN,theproposedmethodim-provestheaccuracyby1.72%,1.10%,0.75%,and0.34%inthebinaryclassificationexperimentandby1.75%,1.29%,0.88%,and0.83%inthemulti-classi...
