��ʱ

�˹��徲|AI�徲Ӧ�ã�DGA��

DGA��о��徲Ȧ��۵��Ż��Ű��DGA��Ҫ��ʹ�ú��ս��ʵ��DGA��ҹ�ģ��͵��һֱ��͸��º��ò��ʵ��ڻ�еѧϰ��DGA��Ҫ��ֹ��һȱ��ʵ��ʵʱ��ѳ�ΪDGA��о��ƫ��

��

�˹��徲|AI�徲Ӧ�ã�DGA��

��ʱ�䣺2021-08-05

��4491

��

01 �侰

��ʵ��Դ��ʱͨѶ��ʽ��ǵ��Ĵ��˼��ı㵱��Ȼ��Щ��Ҳ�ᱻ��ʬ��磨botnet��ǵ�䷶��ʬ��ɴ��ܿ��ʬ��bot��һ��Ϳ��C2��Command &Control��bot��C2��໥ͨѶ�Ա�ת��Ϊ��ֹC2��뷨��ɹ��bot��C2��ͨѶ��Ϊ��㷨DGA��Domain Generation Algorithm��һ��ӵ�˵��ʹ��DGA�㷨��ӣ��ʱ�䡢��ȣ��㷨��AGD��Algorithmically Generated Domain��Ȼ��ֻ��Ҫʹ��һ��C2ͨѶ��Ϊ�˷��Ҫ��AGD��м��ֹ��˫��Դ�Ĳ�س��DGA��ձ��ձ�ʹ��MITRE ATT&CK C2ս��T1568.002��ռ�¼��ʮ��ʹ��DGA��յ�APT��֯��ñ�APT41��Aria-body��2008��Kraken��Conficker��Ϊ��ƹ��ּ��ϵͳ�ļ��Щ��ж��DGA��µ��ձ��Ԥ��AGD��ĿԼռ��9.9%��1/5��ڻ��DGA�Ľ�ʬ��磨Լռ��ע��1.8%��

Ŀ��DGA��о��徲Ȧ��۵��Ż��Ű��DGA��Ҫ��ʹ�ú��ս��ʵ��DGA��ҹ�ģ��͵��һֱ��͸��º��ò��ʵ��ڻ�еѧϰ��DGA��Ҫ��ֹ��һȱ��ʵ��ʵʱ��ѳ�ΪDGA��о��ƫ��

��Ľ��DGA��֪ʶ��DGA��Ҫ��״�Լ��DGA��ƻ��

02 ��

2.1 DGA��ԭ��

DGA��һ��㷨��ֶ��ڵ�α��α��ζ��ַ��ƺ��ṹ��Ԥ��ȷ��˿��ظ��͸��

��ǲ��ֻ��һС��ᱻע��Թ��ܿ��C2��ͨѶ��Ӷ��Ϣ��ʹ��һ��ֳ��ֹʱ��߻��DGA��б��ע��ʹ��DGA��й��ԭ��ͼ1[1]��ʾ��

��ͨ��DGA�㷨��ڱ�ѡ��ܿض˶��ͳһ��DGA�㷨��ͬ�ı�ѡ��б��й��ʱ��ѡ��ע��ܿض�ͨ��ʻ�ȡ��ע��C2��ݴ��

2.2 DGA��

2.2.1 ƾ֤��Ӿ��з��

��ǹ��ߺͿͻ��˶��DGA�㷨��֮һ��ӵó��DGA��Ƿ��

DGAʹ�õ��ڡ��罻��ȴʡ��DGAƾ֤��һ��ַ�ǰ׺��TLD��com��org�ȣ��

һ��ƽ��˵��ӿɰ��·��з��ࣺ

��ʱ��ӣ�DGA�㷨ʹ��ʱ��Ϣ��Ϊ��루�磺�ܿ��ϵͳʱ��http��Ӧ��ʱ��ȣ��

�Ƿ��ȷ��ԣ��DGA�㷨��ȷ��AGD��Ա��ǰ��Ҳ��һЩDGA�㷨��ǲ�ȷ��ģ��磺Bedep��ŷ��ο��Ϊ��Torpig��Twitter��Ҫ��Ϊ��ֻ��ȷ׼ʱ�䴰��ע��Ż��Ч��

ƾ֤��ӵķ��Ҫ��DGA��Է�Ϊ��4�ࣺ

TID(time-independent and deterministic)��ʱ�䲻��ȷ��

TDD(time-dependent and deterministic)��ʱ��ȷ��

TDN(time-dependent and non-deterministic)��ʱ��ȷ��

TIN(time-independent and non-deterministic)��ʱ�䲻��ȷ��

2.2.2 ƾ֤��㷨��з��

��DGA��㷨һ��ƽ��Է�Ϊ��4�ࣺ

��㷨��һ��ASCII��ֵ�ֵ��Ӷ��DGA��ʢ�ж��

��ڹ�ϣ��ù�ϣֵ��16��ֱ��DGA��ʹ�õĹ�ϣ�㷨�У�MD5��SHA256��

��ڴ��飺�÷��ר�д��ѡ��ʾ��̭��ַ��ϵ��ɻ��Ը�ǿ��Ƕ�ڶ��л��ߴӹ��з��

��ϣ��һ��ʼ��ַ��ϵ��

2.3 DGA��

DGA��ʹ�ú��ձ��֪��DGA��40��±�ö��4��DGA��TLD��򣩡�SLD��򣩺��

��1 ��DGA��

03 ��״

3.1 ��

��DGA�㷨��ʱ��Ժ�ȷ��ǵ��ǿɻ�ȡ�Ϳ��õ��Ӷ��п��ܵ�Ч��ڴ��ص��Զ�ÿ��㷨��Ӷ��ȡ��ں�ʱ��DGA��

��˼��췢��Ķ��ֵ��Ŀʱ��Ҫ��ǲ��е��Ե��ԭ��һ�Ǻ��ĸ��ԶԶ�ϲ��DGA��Ǳ��е�DGA��Ż��ܿ��C2��ͨѶ��[2]��Դ��DGA��ʵ��1.2%��DGA��ں��ֱ��DGA��Ҫ�첢��ɽ��

��ڻ�еѧϰ��DGA��Ҫ��󲿷��ֱ�Ӵ��ȫ��FQDN��Fully Qualified Domain Name��ȡ��FQDN��Ϊһ��ַ��ȡ��ȡ��ء�NGram��Ҫ�첻��Ϣ��ʱ�䡢��õ��ʵ��ʵʱ��

��ڹŰ��еѧϰ�㷨��ѧϰ��DGA��ȡ��˲��Ч��Ű��еѧϰ�㷨��Ϊ��ѧϰ��޼��ѧϰ��㷨��DGA��Ӧ��

3.2 ��ڼ��ѧϰ�ļ��

��õļ��ѧϰ�㷨�о��ɭ��[3]ʹ�þ��DGA��Ķ��ʹ�õ��ȡ��ַ��Ԫ��ĸ��ĸ��֣��NGram��[4]Ҳ��ʹ�þ��㷨��ж��ʹ�õ��Ϊ��Ⱥ��Խ�˵��ֵ��ɭ��ڽ��Ĺ��ձ�ʹ��ɭ��óͷ��DGA�Ľ�ʬ��[5]��ʹ��ɭ��㷨��ʹ�õ��ࣺ��ṹ��ͨ��

3.3 ��޼��ѧϰ�ļ��

��ھ��ɭ�ֵ�ģ��ڼ��ѧϰ��Ҫ��Ż��޼��ѧϰ��м��ѧϰ��һ��Ҫ��ǲ��Ҫ��ǵ��ݼ��֪��K-Means�㷨��һ��ӳ��õ��޼��ѧϰ�㷨��ձ�Ӧ��DGA��[6]ʹ��KMeans��DGA��Ķ��ʹ��ĳ��ȡ��غ�NGram��[7]ʹ��KMeans��DGA��ʹ��˿ɶ��ԣ�NGram��Ϣ�ء��ṹ��ȡ��ַ��ȣ��ʮ��ֻ��޼��㷨��DGA��KMeans��־��Ҫ�죺��ģ�ӣ�MM��HC��ǵ�ʹ�ú��Ч��

3.4 ��ѧϰ�ļ��

��ѧϰҲ��DGA��ձ��Ӧ��ѭ��磨RNNs��Ƿ��Ӱ��磨LSTM��;��磨CNN��Ӧ�õ��DGA��磺��[8]ʹ��LSTM��DGA��ࡢDGA��[9]�о��˾��LSTM�ı��Ҳ��ж��Ͷ��[10]��RNN��LSTM��CNN��CNN-LSTM��Ͼ��DGA��Ͷ��Ч��ѧϰ�ڶ��־��ڶ��д��Ҫ��׼ȷ�Ⱥ��ٻ��ʷ��涼ȡ��ɵ�Ч��Ҫ˵��ѧϰ��Ȼ��ṩ�ܺõķ��Ч��̫��ϵ��ǲ�͸��ȱ��͸��յ��޷��㷨��΢��Ҳ�޷�ڹ��Ч��Ե��ԭ��

��ֵ��һ��о�ʹ��ѧϰ�㷨��ȡ��Ȼ��ʹ�÷��㷨��з��[7]ʹ��CNN��Щ��ɾ��ɭ�ַ��з��

04 �ƻ�

��һ�ּ��Ӹ�Ч��DGA��ƻ��üƻ��ȡ��ַ��DGA��ʵ��ע�üƻ��üƻ��ϸ��ģ��ʾ��ͼ��ͼ2��ʾ��ǽ��ص��̺�ģ��ǶȾ��

4.1 ��

��ƻ�ʹ��20��Ϊ��ࣺһ��Ϊ��ַ��糤�ȡ��ء��ַ��һ��ΪNLP-nGrams��ص��Щ��󶼷�Ӧ��Ӧ��ʵ��ж��Ҫ��SEO��Ż��볤�ȣ�ԼĪ12-13��ַ��Լ��׶��׼ǡ��ص��

��ƻ��ÿ��ֱ��ͼ��ܾ��ٲ��ͼ��о��

��:

��DGA��һ��Ҫ��ͼ3��ͼ��Կ��DGA��ĳ��ȸ��

��:

�ط�Ӧ��ַ��DGA��㷨��α��ַ��Ը��ȸ��ͼ4Ϊ��DGA��ܱ��ͼ��

��ַ�ת�Ƹ��:

�ַ�ת�Ƹ��ʿ��Է�Ӧ��Ŀɶ��ʹ��Ӣ��ͳ��N-Gram��ת�Ƹ��DGA��N-Gramת�Ƹ��ϲ��ϴ��

�ַ��:

�ַ��Ҳ��DGA��ĳ��ַ��֡�Ԫ��ĸ��ĸ��

nGram:

��ƻ��nGram��ƽ��ֵ�ͷ��׼ΪӢ��DGA��Ӣ��ϲ��ϴ��nGram��ʵ��

4.2 ģ��

��ƻ�ʹ�õ�ѵ��ȪԴ�ڹ��ݼ��ڰ��ģ�Ӽ��Ч��±��ʾ��

��2 ģ�Ӽ��Ч��

��ϱ��ݿ��Կ��㷨�ļ��Ч��𲻴��ʾ��ִ�96%��

05 ��

��ڻ�еѧϰ��DGA��Ҫ��һ��Ȼ��Ҫƾ֤��ξ��Ż��DGA��ƻ��ܹ��ִ�Ϻõļ��Ч��Ǽƻ��Ի��ڴ��DGA��Ч��Ż��ռ��⽫��Ϊ��о��ص��ƻ��DGA��еĶ��о��ǽ��һ��DGA��ж��о��ע��

�ο��

[1]Patsakis,Constantinos,and FranCasino. "Hydras and IPFS: a decentralised playground for malware."International Journal of Information Security (2019): 1-13.

[2]K��hrer M, Rossow C, Holz T (2014) Paint it black: evaluating the effectiveness of malware blacklists. In: RAID 2014: research in attacks, intrusions and defenses, June, pp 1�C21. Springer International Publishing.

[3]Ahluwalia A, Traore I, Ganame K, Agarwal N (2017) Detecting broad length algorithmically generated domains. In: Intelligent, secure, and dependable systems in distributed and cloud environments, chap. 2, pp 19�C34. Springer International Publishing.

[4]Truong D, Cheng G (2016) Detecting domain-flux botnet based on DNS traffic features in managed network. Security Communication Networks 9(14):2338�C2347.

[5]Luo X, Wang L, Xu Z, Yang J, Sun M, Wang J (2017) DGASensor: fast detection for DGA-based malwares. In: 5th international conference on communications and broadband networking, pp 47�C53.

[6]Bisio F, Saeli S, Lombardo P, Bernardi D, Perotti A, Massa D (2017) Real-time behavioral DGA detection through machine learning. In: 2017 international carnahan conference on security technology, pp 1�C6.

[7]Pu Y, Chen X, Pu Y, Shi J (2015) A clustering approach for detecting auto-generated Botnet domains. In: Applications and techniques in information security, pp 269�C279.

[8]Woodbridge J, Anderson HS, Ahuja A, Grant D (2016) Predicting domain generation algorithms with long short-term memory networks. CoRR abs/1611.0.

[9]Tran D, Mac H, Tong V, Tran HA, Nguyen LG (2018) A LSTM based framework for handling multiclass imbalance in DGA Botnet detection. Neurocomputing 275:2401�C2413.

[10]Vinayakumar R, Soman K, Poornachandran P, Sachin Kumar S (2018) Evaluating deep learning approaches to characterize and classify the DGAs at scale. J Intell Fuzzy Syst 34(3):1265�C1276.

��Ȩ��

ת��ע��

��Ȩ��Υ�߱ؾ��

Ҫ��ʱ�ǩ��: ��ʱ �˹��徲 AI�徲Ӧ�� DGA��

��һƪ ��ʱ��ˣ��徲��̸

��һƪ ��Cλ20��ǽ��λһ��ƻ��~

��˶�

��Ʒ�� ʽ��ʱ��в��ϵͳ��ܷ��·�ʽ

2025-06-25

��æ��

��̬ ��ʱ��ʽ��Ϊ��Ϊ��ý��ƻ��ͬ�项

2025-06-24

��æ��

�Ƽ��

��ʱ��ǽһ��25��κ��г��һ

��

��һ��ҵ��ʱ��ࡶ2025-2026��й��һ��ҵ�о��桷

��

��ʱһ��12��CNNVDһ��֧�ֵ�λ�ƺ�

��

��ʱ�뻪Ϊ��ʽ��ȫ��Ž��+�徲��Ʒ��

��

��ʱһ��ѡCICSVD��ҹ�ҵ��Ϣ�徲��Ա��λ

��

��ʱ��һ��ͨ��֤��

��

�Ƽ��Ʒ

��ƻ�

��ѯ

��ѯ>
��֧��>
�Ʒ��֧��>
��ǰ֧��>

��

��֧��>
��ǰ֧��>
��ѵӪҵ>
�徲��>

�ͻ��

400-777-0777
7*24Сʱ��

��ϵ��

servicing@topsec.com.cn

ɨ��ע

��վ��ͼ