Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names Journal Article
In: IEEE Access, vol. 9, pp. 126446–126456, 2021.
Abstract | Links | BibTeX | Tags: deep learning, domain generation algorithms, LSTM, malware
@article{SRS-ACCESS-21,
title = {Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names},
author = {Jose Selvi and Ricardo J Rodríguez and Emilio Soria-Olivas},
url = {http://webdiis.unizar.es/~ricardo/files/papers/SRS-ACCESS-21.pdf},
doi = {10.1109/ACCESS.2021.3111307},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {IEEE Access},
volume = {9},
pages = {126446--126456},
abstract = {Malware detection is a problem that has become particularly challenging over the last decade. A common strategy for detecting malware is to scan network traffic for malicious connections between infected devices and their command and control (C&C) servers. However, malware developers are aware of this detection method and begin to incorporate new strategies to go unnoticed. In particular, they generate domain names instead of using static Internet Protocol addresses or regular domain names pointing to their C&C servers. By using a domain generation algorithm, the effectiveness of the blacklisting of domains is reduced, as the large number of domain names that must be blocked greatly increases the size of the blacklist. In this paper, we study different Long Short-Term Memory neural network hyperparameters to find the best network configuration for algorithmically generated domain name detection. In particular, we focus on determining whether the (complex) feature engineering efforts required when using other deep learning techniques, such as Random Forest, can be avoided. In this regard, we have conducted a comparative analysis to study the effect of using different network sizes and configurations on network performance metrics. Our results show an accuracy of 97:62% and an area under the receiver operating characteristic curve of 0:9956 in the test dataset, indicating that it is possible to obtain good classification results despite avoiding the feature engineering process and additional readjustments required in other machine learning techniques.},
keywords = {deep learning, domain generation algorithms, LSTM, malware},
pubstate = {published},
tppubtype = {article}
}
Malware detection is a problem that has become particularly challenging over the last decade. A common strategy for detecting malware is to scan network traffic for malicious connections between infected devices and their command and control (C&C) servers. However, malware developers are aware of this detection method and begin to incorporate new strategies to go unnoticed. In particular, they generate domain names instead of using static Internet Protocol addresses or regular domain names pointing to their C&C servers. By using a domain generation algorithm, the effectiveness of the blacklisting of domains is reduced, as the large number of domain names that must be blocked greatly increases the size of the blacklist. In this paper, we study different Long Short-Term Memory neural network hyperparameters to find the best network configuration for algorithmically generated domain name detection. In particular, we focus on determining whether the (complex) feature engineering efforts required when using other deep learning techniques, such as Random Forest, can be avoided. In this regard, we have conducted a comparative analysis to study the effect of using different network sizes and configurations on network performance metrics. Our results show an accuracy of 97:62% and an area under the receiver operating characteristic curve of 0:9956 in the test dataset, indicating that it is possible to obtain good classification results despite avoiding the feature engineering process and additional readjustments required in other machine learning techniques.