
DGA botnet detection method based on capsule network and k-means routing

Original Article, Neural Computing and Applications

Abstract

Current mainstream DGA domain name detection methods almost always represent numerical features as scalars, which discards the spatial feature information carried by the domain name characters. This paper proposes LSTM-CapsNet, a sequence capsule network based on a k-means routing algorithm that uses only the text of the domain name for detection. The model uses a bidirectional LSTM unit to extract basic features for the capsule network and uses the k-means algorithm to cluster the vector features, which implements the routing function. To verify the proposed LSTM-CapsNet model, data from two different sources are collected to ensure the reliability of the experiment: a DGA domain name dataset gathered from the real network, defined as Real-Dataset, and DGA domain names produced by domain generation algorithms, defined as Gen-Dataset. State-of-the-art DGA domain name detection methods proposed by other researchers are compared against the model on both datasets. The experimental results show that the proposed model achieves F-scores of 99.17% and 97.75% for DGA domain name recognition on the two datasets, and is also very competitive at recognizing the DGA domain name family. Compared with existing DGA domain name family classification models, the F-score of the proposed model exceeds 89% in Gen-Dataset multi-class recognition. The model not only improves DGA domain name recognition and DGA family recognition, but also performs outstandingly on real-time aspects in model testing.
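The abstract describes the two ideas the model rests on: representing each character position as a vector (a capsule) instead of a scalar, and routing those child capsules to parent capsules by k-means clustering rather than the iterative agreement routing of the original capsule network. The following pure-Python example, added here for illustration and not taken from the paper or its authors, shows one way such a routing step can work. The per-character features, the 4-dimensional capsule size and the deterministic centroid initialisation are all constructed assumptions standing in for the BiLSTM output that the paper uses; the squash nonlinearity is the standard capsule-network one.

```python
"""Toy k-means routing between capsule layers for domain-name strings.

Illustrative example only: the character features below are a hypothetical
stand-in for BiLSTM-extracted child capsules, not the paper's model.
"""
import math
from typing import List, Sequence, Tuple

Vector = List[float]


def char_capsule(ch: str, pos: int, length: int) -> Vector:
    """Constructed 4-d child capsule for one character of a domain label.

    Features (hypothetical): is-digit, is-vowel, is-other-letter, relative position.
    A real model would learn these; here they are hand-picked so the clustering
    behaviour is easy to follow.
    """
    is_digit = 1.0 if ch.isdigit() else 0.0
    is_vowel = 1.0 if ch in "aeiou" else 0.0
    is_other_alpha = 1.0 if (ch.isalpha() and ch not in "aeiou") else 0.0
    rel_pos = pos / max(length - 1, 1)
    return [is_digit, is_vowel, is_other_alpha, rel_pos]


def domain_to_capsules(label: str) -> List[Vector]:
    """One child capsule per character; the label is lower-cased first."""
    label = label.lower()
    return [char_capsule(c, i, len(label)) for i, c in enumerate(label)]


def squash(s: Vector) -> Vector:
    """Standard capsule squash: keeps direction, maps length into [0, 1)."""
    norm_sq = sum(x * x for x in s)
    norm = math.sqrt(norm_sq)
    if norm == 0.0:
        return [0.0] * len(s)
    scale = norm_sq / (1.0 + norm_sq) / norm
    return [scale * x for x in s]


def vector_length(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def _dist2(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans_route(children: Sequence[Vector], k: int, iters: int = 10) -> Tuple[List[Vector], List[int]]:
    """Route child capsules to k parent capsules with Lloyd's k-means.

    Centroids start at evenly spaced children (deterministic, so results are
    reproducible). Each parent capsule is the squashed centroid of its cluster.
    Returns (parent_capsules, assignment) where assignment[i] is the parent
    index that child i was routed to.
    """
    n = len(children)
    if n == 0 or k <= 0:
        raise ValueError("need at least one child capsule and k >= 1")
    k = min(k, n)
    dim = len(children[0])
    centroids = [list(children[(i * n) // k]) for i in range(k)]
    assignment = [0] * n
    for _ in range(iters):
        # Assignment step: each child goes to its nearest centroid.
        new_assignment = [min(range(k), key=lambda j, c=c: _dist2(c, centroids[j])) for c in children]
        # Update step: recompute centroids; an empty cluster keeps its old centroid.
        for j in range(k):
            members = [children[i] for i, a in enumerate(new_assignment) if a == j]
            if members:
                centroids[j] = [sum(m[d] for m in members) / len(members) for d in range(dim)]
        if new_assignment == assignment:
            break
        assignment = new_assignment
    return [squash(c) for c in centroids], assignment


def route_domain(label: str, k: int) -> Tuple[List[float], List[int]]:
    """Convenience wrapper: parent-capsule lengths and routing for one label."""
    parents, assignment = kmeans_route(domain_to_capsules(label), k)
    return [vector_length(p) for p in parents], assignment


if __name__ == "__main__":
    # Constructed sample labels (not real indicators): a dictionary-like label
    # and a digit/letter mix of the kind DGA families often emit.
    for sample in ("example", "aaa111"):
        lengths, routing = route_domain(sample, k=2)
        print(sample, [round(x, 3) for x in lengths], routing)
```

The parent-capsule lengths play the role of activation strengths for a downstream classifier; in the paper that classifier distinguishes benign labels from DGA output and, in the multi-class setting, one DGA family from another.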



Acknowledgements

The author would like to thank the anonymous reviewers for their valuable comments on our paper.

Funding

All authors acknowledge support from the National Social Science Fund of China (17XXW004).


Correspondence to Jiamiao Liu.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest.


Cite this article

Liu, X., Liu, J. DGA botnet detection method based on capsule network and k-means routing. Neural Comput & Applic 34, 8803–8821 (2022). https://doi.org/10.1007/s00521-022-06904-3
