Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Ling Ding,Peng Du,Haiwei Hou,Jian Zhang,Di Jin,Shifei Ding

DOI: https://doi.org/10.1016/j.bdr.2023.100395

IF: 3.3

2023-05-13

Big Data Research

Abstract:One of the severest threats to cyber security is botnet, which typically uses domain names generated by Domain Generation Algorithms (DGAs) to communicate with their Command and Control (C&C) infrastructure. DGA detection and classification play an important role of assisting cyber security researchers to detect botnet C&C servers. However, many of the existing DGA detection models only focus on single scale word embedding method, and very few models are specially designed to extract more effective features for DGA detection from multiple scales word embedding. To alleviate above questions, first we propose a hybrid word embedding method, which combines character level embedding and bigram level embedding to make full use of the domain names information, and then, we design a deep neural network with hybrid embedding method to distinguish DGA domains from known legitimate domains. Finally, we evaluate our hybrid embedding method and the proposed model on ONIST dataset and compare our methods with several state-of-the-art DGA classification methods.

computer science, information systems, artificial intelligence, theory & methods

Xin Fang,Xiaoqing Sun,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.48550/arXiv.2009.09959

2020-09-21

Abstract:DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

Cryptography and Security

Rui Pan,Jian Chen,Hanyuan Ma,Xiaoshan Bai

DOI: https://doi.org/10.1109/icis54925.2022.9882343

2022-01-01

Abstract:The detection of DGA domain name has become a central topic in network security in recent years. With DGA (Domain Generation Algorithm), a large number of pseudo-random domain names could be generated and used in DDoS (Distributed Denial of Service) attacks, reflection amplification attacks and other network attacks. Traditional deep learning algorithms based on character feature have the advantages of automatic feature extraction and shorter training time in DGA domain name detection. But for wordlist-based DGA domain name, the accuracy is lower. In order to improve the detection accuracy, semantic features of domain name are extracted to extend character features for the first time. Experiment results show that using extended character feature in Bi-LSTM (Bi-Directional Long Short-Term Memory) could improve the detection performance. In multi-classification, micro average of F1 score reaches up to 98.72%.

Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao,Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102803

2022-09-01

Abstract:The botnet relies on the Command and Control (C&C) channels to conduct its malicious activities remotely. The Domain Generation Algorithm (DGA) is often used by botnets to hide their Command and Control (C&C) server and evade take-down attempts, which allows the bot to generate a large number of domain names until it finds its C&C server. The lengths of domain names generated by DGAs are different. Our research finds that the length of the domain name has an impact on the performance of the DGA domain name detection model. In other words, the model is sensitive to the length of the domain name. In this case, attackers can evade detection simply by designing domain names of specific lengths. Moreover, the detection accuracy of DGA domain names still needs to be further improved. To solve these problems, three feature extraction methods adapted to the length of the domain name are proposed in this paper. For extra-short domain names, we use the attention-based method to extract features, which can make use of the character-level semantic feature. For moderate-length domain names, a two-dimensional structure, namely Right Shifted Tensor (RST), is constructed to make the domain name present apparent features similar to images. For the extra-long domain name, the effective classification of domain names can be achieved by manually crafted easy-to-calculate features. Then, different detection structures are designed based on these tree feature extraction methods to form a heterogeneous DGA detection model, namely HAGDetector. In addition, the public suffix is an important part of the domain name. We further analyze the public suffix to evaluate its impact on the detection of DGA domain names. Finally, the experiments are conducted to assess the validity of HAGDetector, as well as compare our approach with the current state-of-the-art and highlight the impact of the domain name length. The experimental results show that our method greatly improves the detection performance.

computer science, information systems

Nguyen Tan Cam,Nguyen Ngoc Man

DOI: https://doi.org/10.1007/s10586-024-04363-0

2024-03-29

Cluster Computing

Abstract:Recent developments in information technology have brought numerous benefits but have also created risks for information security. One notable threat is the domain generated by the algorithm (DGA) technique used by botnets, which allows them to automatically generate and register multiple domains to evade detection and control from network security systems. To address this issue, we conducted research on a domain classification model specific to botnet-generated domains. We developed three domain classification models: bigrams, long short-term memory networks (LSTM), and a combination of LSTM and one-hot encoding. In this study, we implemented an ensemble model using a domain classification system, named UIT-DGADetector. To optimize the system, we employed Kafka to queue and streamline the requests, thereby reducing the load on the classification server. The deployed system operates well and achieves a high accuracy rate in predicting the domain types. However, this model still has limitations in predicting Word-based DGA botnets. The process must be optimized to reduce the waiting time in the queue. This study aims to contribute to network security and information protection, particularly by addressing the issue of DGA botnets.

computer science, information systems, theory & methods

Kate Highnam,Domenic Puzio,Song Luo,Nicholas R. Jennings

DOI: https://doi.org/10.48550/arXiv.2003.12805

2020-03-28

Abstract:Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the `bagging` model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F1 score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large financial enterprise. In four hours of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.

Cryptography and Security,Machine Learning

Dan Zhao,Hao Li,Xiuwen Sun,Yazhe Tang

DOI: https://doi.org/10.1016/j.future.2023.01.027

IF: 7.307

2023-06-01

Future Generation Computer Systems

Abstract:Botnets are machines that are increasingly controlled by cybercriminals to perform various attacks. Traditional methods of defense, such as blocklisting, become ineffective because illegitimate domain names are sprung out by the domain generation algorithm (DGA) periodically and rapidly to maintain command and control (C&C) on servers. Deep learning and machine learning are candidate solutions to the problem. Deep learning methods leverage high accuracy but cost more time. Machine learning methods are qualified with high training speed in the context of frequent retraining to obtain high accuracy. However, the existing machine learning solutions cannot precisely capture the linguistic characteristics of domain names, which causes many false positives. For a comprehensive understanding of strings of domain names, we present the DOmain Linguistic PHonIcs detectioN (DOLPHIN) method, a novel method that can detect DGA-based botnets. Considering the context of detecting and the correspondence between pronunciations and spellings of words, we design DOLPHIN patterns. They are the classifications of variable-length vowels and consonants following the principles of phonics. Based on DOLPHIN patterns, a novel matching automation is used to reconstruct domain names with the components of variable-length vowels and consonants. From those domain names, DOLPHIN extracts phonics-based features. We implement DOLPHIN in supervised learning methods and compare them to the foremost methods FANCI, HAGDetector, and LSTM.MI. The experimental results show that, compared to FANCI with random forests, DOLPHIN can achieve a higher detection accuracy of 0.0265 with lower FPR and FNR without bringing much overhead. DOLPHIN is also able to generalize to other sources of data in the real world with the FPR decreasing by 0.0801 (62.97%) compared with FANCI. DOLPHIN can cooperate with most linguistic features and brings an improvement in performance compared to that of the existing linguistic feature-based methods.

computer science, theory & methods

Mingkai Tong,Xiaoqing Sun,Jiahai Yang,Hui Zhang,Shuang Zhu,Xinran Liu,Heng Liu

DOI: https://doi.org/10.1007/978-3-030-29551-6_41

2019-01-01

Abstract:Modern malware typically uses domain generation algorithm (DGA) to avoid blacklists. However, it still leaks trace by causing excessive Non-existent domain responses when trying to contact with the command and control (C&C) servers. In this paper, we propose a novel system named D3N to detect DGA domains by analyzing NXDomains with deep learning methods. The experiments show that D3N yields 99.7% TPR and 1.9% FPR, outperforming FANCI in both accuracy and efficiency. Besides, our real-world evaluation in a large-scale network demonstrates that D3N is robust in different networks.

Huiju Lee,Jeong Do Yoo,Seonghoon Jeong,Huy Kang Kim

DOI: https://doi.org/10.1109/access.2024.3454242

IF: 3.9

2024-09-10

IEEE Access

Abstract:Attackers are known to utilize domain generation algorithms (DGAs) to generate domain names for command and control (C&C) servers and facilitate the distribution of uniform resource locators within malicious software. DGAs pose a significant threat to cybersecurity owing to their ability to dynamically generate unpredictable domain names. Extensive research is currently underway to detect the domain names created using DGAs. However, the high false positive rates when handling benign domain names in non-English languages pose a challenge. Thus, this study proposes a DGA detection method that effectively embeds non-English domain names to focus on Chinese domain names, which are referred to as domain names composed of Pinyin. The proposed method segments domain names into meaningful subwords for effective vector representation. Consequently, the FastText model learns the context information of the segmented subwords and embeds the domain name. Further, the deep learning-based detection model learns the vectorized domain names and determines whether a particular domain name is DGA-generated. We labeled the Chinese domain names among the benign domain names for our experiment. The experimental results show that the proposed method outperforms existing methods across all performance metrics on the entire test dataset. Notably, the proposed method minimizes the false positive rate, thereby enhancing detection reliability. In addition, it exhibits high performance, achieving a recall of 0.9873 and 0.9886 for Chinese and English domain names, respectively. This demonstrates that the proposed method consistently delivers high performance across various metrics and languages.

computer science, information systems,telecommunications,engineering, electrical & electronic

Baoyu Fan,Han Ma,Yue Liu,Xiaochen Yuan,Wei Ke

DOI: https://doi.org/10.3390/math12050626

IF: 2.4

2024-02-21

Mathematics

Abstract:As the most commonly used attack strategy by Botnets, the Domain Generation Algorithm (DGA) has strong invisibility and variability. Using deep learning models to detect different families of DGA domain names can improve the network defense ability against hackers. However, this task faces an extremely imbalanced sample size among different DGA categories, which leads to low classification accuracy for small sample categories and even classification failure for some categories. To address this issue, we introduce the long-tailed concept and augment the data of small sample categories by transferring pre-trained knowledge. Firstly, we propose the Data Balanced Review Method (DBRM) to reduce the sample size difference between the categories, thus a relatively balanced dataset for transfer learning is generated. Secondly, we propose the Knowledge Transfer Model (KTM) to enhance the knowledge of the small sample categories. KTM uses a multi-stage transfer to transfer weights from the big sample categories to the small sample categories. Furthermore, we propose the Knowledge Distillation Transfer Model (KDTM) to relieve the catastrophic forgetting problem caused by transfer learning, which adds knowledge distillation loss based on the KTM. The experimental results show that KDTM can significantly improve the classification performance of all categories, especially the small sample categories. It can achieve a state-of-the-art macro average F1 score of 84.5%. The robustness of the KDTM model is verified using three DGA datasets that follow the Pareto distributions.

mathematics

Xiaoyan Hu,Hao Chen,Miao Li,Guang Cheng,Ruidong Li,Hua Wu,Yali Yuan

DOI: https://doi.org/10.1109/tifs.2023.3293956

IF: 7.231

2023-08-05

IEEE Transactions on Information Forensics and Security

Abstract:Botnets extensively leverage Domain Generation Algorithms (DGAs) to establish reliable communication channels between bots and Command and Control (C&C) servers. Numerous character-level DGA classifiers have been extensively studied to detect and classify domain names generated by DGAs. Meanwhile, a series of adversarial domain generation algorithms have been proposed to evade DGA classifiers. Although the existing domain name generation algorithms have progressed against DGA classifier, their anti-detection abilities are still weak. This paper proposes a Bidirectional Long Short-Term Memory (BiLSTM) network-based adversarial DGA with high anti-detection ability, referred to as ReplaceDGA. ReplaceDGA requires no knowledge of the targeted DGA classifiers. It first builds a prediction model for benign domain names using the BiLSTM network to model the semantic relationship hidden within benign domain names and then replaces two characters of each input benign domain name based on the prediction model to maximize the similarity between the benign and generated domain names. Our experimental results validate that ReplaceDGA successfully evades various character-level DGA classifiers even after they are retrained by domain names generated by ReplaceDGA and outperforms the state-of-the-art adversarial DGAs in anti-detection ability, repetition rate, and collision rate. Our study of ReplaceDGA promotes the urgent need for developing more comprehensive and robust DGA classifiers that consider other factors besides character-level information of domain names.

computer science, theory & methods,engineering, electrical & electronic

Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera,Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera

DOI: https://doi.org/10.1145/3339252.3339258

2019-08-26

Abstract:Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.

Jian-wei Liu,Feng Gao,Run-kun Lu,Yuan-feng Lian,Dian-zhong Wang,Xiong-lin Luo,Chu-ran Wang

DOI: https://doi.org/10.1007/978-3-030-30487-4_15

2019-01-01

Abstract:The Recently proposed CapsNet has attracted the attention of many researchers. It is a potential alternative to convolutional neural networks (CNNs) and achieves significant increase in performance on some simple datasets like MNIST. However, CapsNet gets a poor performance on more complex datasets like CIFAR-10. To address this problem, we focus on the improvement of the original CapsNet from both the network structure and the dynamic routing mechanism. A new CapsNet architecture aiming at complex data called Capsule Network based on Deep Dynamic Routing Mechanism (DDRM-CapsNet) is proposed. For the purpose of extracting better features, we increase the number of convolutional layers before capsule layer in the encoder. We also improve the dynamic routing mechanism in the original CapsNet by expanding it into two stages and increasing the dimensionality of the final output vector. To verify the efficacy of our proposed network on complex data, we conduct experiments with a single model without using any ensembled methods and data augmentation techniques on five real-world complex datasets. The experimental results demonstrate that our proposed method achieves better accuracy results than the baseline and can still improve the reconstruction performance on the premise of using the same decoder structure as the original CapsNet.

Yifan Yang,Xionglve Li,Tao Yang,Bingnan Hou,Lingbin Zeng,Zhiping Cai,Wenyuan Kuang

DOI: https://doi.org/10.1093/comjnl/bxae072

2024-07-29

The Computer Journal

Abstract:Abstract Botnets currently use domain-generation algorithms to produce fast-flux domains that enable them to evade detection. Accurately categorizing these botnet domains is crucial to develop cybersecurity solutions against botnet threats. However, existing methods, requiring labeled data, are ineffective against new botnets. To address this issue, we propose Domain2Vec, a metric learning-based approach that can explore new botnets. Domain2Vec integrates a framework of metric learning, which uses individual domains from known botnets for categorization of unknown botnet domains. The training involves an attention-based encoder, and it includes a constraint to ensure that samples with the same labels are closer in the embedding space. The categorization uses the encoder to project domain names into appropriate representations (numerical vectors), even for domains from new botnets. Finally, Domain2Vec uses numerical vectors to explore botnets. Experiments showed that Domain2Vec performs well on domain retrieval and clustering tasks without labeled data, outperforming the state of the art by 13% and 100%, respectively. Real-world tests demonstrate that Domain2Vec can effectively identify unreported malicious domains and monitor botnet activities.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Yao Lai,Guolou Ping,Yuexin Wu,Chenhui Lu,Xiaojun Ye

DOI: https://doi.org/10.3233/faia200301

2020-01-01

Abstract:Botnet has become one of the most frequent attack patterns in cyberspace, and most of them are concerned with Domain Generation Algorithms (DGAs). Therefore, many researchers have proposed various machine learning models for DGA domain name detection, but how to detect unknown classes of DGA domain names (unknown DGAs) is still a challenging problem. In fact, the problem of detecting unknown classes is also called open set recognition problem. To tackle this issue, we propose a novel classification model OpenSMax which can not only detect various DGA domain names but also classify them into known and unknown classes of DGAs. In this model, we use the one-hot encoding method and the Long Short-Term Memory (LSTM) model to extract the features of the Top Level Domain (TLD) and the Second Level Domain (SLD) respectively. Then, these two feature categories are concatenated and propagated forwards by two fully connected layers for known DGA domain name detection and classification. Finally, both the openmax layer (the layer before the softmax layer) and the softmax layer are used to build One-Class Support Vector Machine (SVM) models for unknown classes recognition. In our experiments, OpenSMax model outperforms the state-of-art methods both in known and unknown DGA domain names detection tasks. Also, OpenSMax provides a bounded open space risk in theory, and therefore it formally provides an effective solution for unknown DGA domain name detection.

Guangli Wu,Xingyue Wang,Qian Lu,Hanlin Zhang

DOI: https://doi.org/10.1016/j.eswa.2024.123384

IF: 8.5

2024-02-11

Expert Systems with Applications

Abstract:A botnet is a group of hijacked devices that conduct various cyberattacks, which is one of the most dangerous threats on the internet. Individuals or organizations can effectively detect botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting the deterministic behavioral features, which highly rely on statistical features and existing botnet interaction structures, resulting in unsatisfactory detection accuracy, especially for unknown botnet traffic. The botnet detection method based on the original traffic bytes has more advantages in this regard, especially the use of mining payload information in the traffic to enhance the identification of abnormal botnet behavior is the focus of this study. In this paper, we propose a dual-mode botnet detection scheme, which takes the original traffic bytes as the object, one is to encode the implicit semantic relationship between the traffic bytes through a multi-layer Transformer encoder, and the other is the network traffic Image representation, the spatial relationship of traffic bytes is captured by a deep neural network, and then botnet detection is achieved by maximizing the mutual information between the two. We conduct comprehensive experiments with both known botnets and unknown botnets to evaluate our scheme. Experimental results show that for known botnets, our approach achieves 99.84% and 91.92% detection accuracy with CTU-13 and ISCX-2014 datasets, respectively, which is 3.04% and 2.54% more accurate compared with the state-of-art (DL). For unknown datasets, our scheme is 10.19% more accurate than the existing traffic representation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Mingkai Tong,Guo Li,Runzi Zhang,Jianxin Xue,Wenmao Liu,Jiahai Yang

DOI: https://doi.org/10.1109/trustcom50675.2020.00070

2020-01-01

Abstract:Domain-Flux technique has been widely used by attackers to maintain a botnet for many years and the core of it is the adoption of domain generation algorithm (DGA). To combat attackers, there are lots of works in DGA domain detection area recently. But they usually collect quite limited data and conduct experiments in a closed dataset, meaning that the DGA data and the benign data they collected can not well represent the real distribution between them. Moreover, they handle the domains roughly and use the origin data to train the classifier directly, which is also not adequate to classify these two types of domains with lots of false positives and false negatives happening during the real-world deployment. In this paper, we conduct the first large-scale DGA domain analysis in traffic level and argue that the preprocessing stage is also vital for the final classifier, which is usually ignored by the existing works. We collect the largest amount of DGA domain data than prior works and collect DNS log offered by a big company, whose DNS data covers most important industries in China. Based on this data, we analyze the distribution of DGA domains in traffic and give quantifiable results showing that NXDomain (domain not exist) is more suitable for DGA detection. Moreover, we give detailed preprocessing steps to handle the original domains. Our experiment shows that with the preprocessing stage mentioned above, classifier performs better in DGA detection task. Our research indicates that improving the classification algorithm is far from enough in DGA detection and the preprocessing stage is also the key component in bringing the DGA detection methods from lab to product.

Ru Zeng,Yan Song

DOI: https://doi.org/10.1109/tii.2021.3128412

IF: 12.3

2022-07-01

IEEE Transactions on Industrial Informatics

Abstract:Routing algorithm in most existing Capsule Networks (CapsNets) is always a challenging problem due to its heavy computational burden. To address this issue, we propose a fast routing algorithm, where the high-level capsules are activated by the statistical characteristic of votes from low-level capsule vectors. In this way, the votes and their distribution are both considered, and iterations in the traditional dynamic routing algorithm are eliminated. The comparison experiment on MNIST dataset reveals that CapsNet with fast routing promotes time efficiency of CapsNet with dynamic routing (DR) by 71.2, as well as improves classification accuracy by 6. Moreover, improved dense blocks (IDB) are developed to make a powerful feature extraction, where layer position is utilized to calculate its filters to encourage feature reuse, while reducing redundant features. Finally, the proposed CapsNet with fast routing and IDB, namely fast routing CapsNet (FR-CapsNet), outperforms state-of-the-art capsule models in multiple benchmark datasets.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial