基于深度学习的域名查询行为向量空间嵌入

周昌令; 栾兴龙; 肖建国

doi:10.11959/j.issn.1000-436x.2016064

您当前的位置：

首页 >

文章列表页 >

基于深度学习的域名查询行为向量空间嵌入

学术论文 | 更新时间：2024-06-05

- 基于深度学习的域名查询行为向量空间嵌入
- Vector space embedding of DNS query behaviors by deep learning
- 通信学报 2016年37卷第3期页码：165-174
- 作者机构：
  
  1. 北京大学计算中心，北京100871
  2. 北京大学信息科学技术学院，北京100871
  3. 北京大学计算机科学技术研究所，北京100871
- 作者简介：
  
  [ "周昌令（1977-），男，重庆人，北京大学博士生，主要研究方向为网络与信息安全、无线网络、网络流量分析及网络管理等。" ]
  [ "栾兴龙（1989-），男，山东烟台人，北京大学硕士生，主要研究方向为网络流量分析、自然语言主题模型等。" ]
  [ "肖建国（1957-），男，辽宁鞍山人，北京大学教授，主要研究方向为图像处理、文本挖掘和网络信息处理。" ]
- 基金信息：
  
  国家发展改革委2011年国家信息安全专项基金资助项目(CNGI-12-03-001);国家高技术研究发展计划（“863计划”）基金资助项目(2015AA011403)
- DOI：10.11959/j.issn.1000-436x.2016064
  中图分类号： TP393.07
- 网络出版日期：2016-03，
  
  纸质出版日期：2016-03-25
- 稿件说明：
移动端阅览
周昌令, 栾兴龙, 肖建国. 基于深度学习的域名查询行为向量空间嵌入[J]. 通信学报, 2016,37(3):165-174.

Chang-ling ZHOU, Xing-long LUAN, Jian-guo XIAO. Vector space embedding of DNS query behaviors by deep learning[J]. Journal on communications, 2016, 37(3): 165-174.
周昌令, 栾兴龙, 肖建国. 基于深度学习的域名查询行为向量空间嵌入[J]. 通信学报, 2016,37(3):165-174. DOI： 10.11959/j.issn.1000-436x.2016064.

Chang-ling ZHOU, Xing-long LUAN, Jian-guo XIAO. Vector space embedding of DNS query behaviors by deep learning[J]. Journal on communications, 2016, 37(3): 165-174. DOI： 10.11959/j.issn.1000-436x.2016064.

摘要

提出一种新的分析 DNS 查询行为的方法，用深度学习机制将被查询域名和请求查询的主机分别映射到向量空间，域名或主机的关联分析转化成向量的运算。通过对2组真实的校园网DNS 日志数据集的处理，发现该方法很好地保持了关联特性，使用降维处理以及聚类分析，不仅可以让人直观地发现隐含的关联关系，还有助于发现网络中的异常问题如botnet等。

Abstract

A novel approach to analyze DNS query behaviors was introduced.This approach embeds queried domains or querying hosts to vector space by deep learning mechan then the relationship between querying of domains or hosts was mapped to vector space operations.By processing two real campus network DNS log datasets

it is found that this method maintains relationships very well.After doing mension reduction and clustering analysis

researchers can not only easily explore hidden relationships intuitively

but also discover abnormal network events like botnet.

关键词

Keywords

references

MOGHADDAM S , HELMY A . Spatio-temporal modeling of wireless users Internet access patterns using self-organizing maps [C ] // 2011 Proceedings IEEE INFOCOM . c 2011 : 496 - 500 .

CAGLAYAN A , TOOTHAKER M , DRAPAEAU D , et al . Behavioral analysis of fast flux service networks [C ] // 2010 43rd Hawaii Interna-tional Conference on System Sciences . c 2009 : 1 - 9 .

BILGE L , KIRDA E , KRUEGEL C , et al . EXPOSURE:finding mali-cious domains using passive DNS analysis [C ] // NDSS . c 2011 : 1 - 17 .

ANTONAKAKIS M , PERDISCI R . From throw-away traffic to bots:detecting the rise of DGA-based malware [C ] // The 21st USENIX Se-curity Symposium . c 2012 : 24 .

CHOI H , LEE H , LEE H , et al . Botnet detection by monitoring group activities in DNS traffic [C ] // 7th IEEE International Confe-rence on Computer and Information Technology (CIT 2007). c 2007 : 715 - 720 .

CHEN Y , ANTONAKAKIS M . DNS noise:measuring the pervasive-ness of disposable domains in modern DNS traffic [C ] // Dependable Systems and Networks (DSN),44th Annual IEEE/IFIP International Conference on . c 2014 : 598 - 609 .

CALLAHAN T , ALLMAN M , RABINOVICH M . On modern DNS behavior and properties [J ] . ACM SIGCOMM Computer Commu ica-tion Review , 2013 , 43 ( 3 ): 7 .

MIKOLOV T , CHEN K , CORRADO G , et al . Efficient estimation of word representations in vector space [J ] . arXiv Preprint arXiv.1301.3781.20B .

WIKIPEDIA . Embedding [EB/OL ] . https://en.wikipedia.org/wiki/1301.3781.2013.Embedding https://en.wikipedia.org/wiki/1301.3781.2013.Embedding , 2015 .

HINTON G E . Learning distributed representations of concepts [C ] // The Eighth Annual Conference of the Cognitive Science Society . c 1986 : 1 - 12 .

LECUN Y , BENGIO Y , HINTON G . Deep learning [J ] . Nature , 2015 , 521 ( 7553 ): 436 - 444 .

REHUREK R . Word2vec in python,part two:optimizing .[EB/OL ] . http://radimrehurek.com/2013/09/word2vec-in-python-part-two-ptimizing/ http://radimrehurek.com/2013/09/word2vec-in-python-part-two-ptimizing/ , 2015 .

MIKOLOV T , SUTSKEVER I , CHEN K , et al . Distributed represen-tations of words and phrases and their compositionality [C ] // Advances in Neural Information Processing Systems . c 2013 : 3111 - 3119 .

MAATEN L V D , HINTON G . Visualizing data using t-SNE [J ] . Journal of Machine Learning Research , 2008 , 9 : 2579 - 2605 .

JAIN A , MURTY M , FLYNN P . Data clustering:a review [J ] . ACM Computing Surveys (CSUR), 1999 , 31 ( 3 ): 264 - 323 .

WIKIPEDIA . Complete-linkage clustering - wikipedia,the free en-cyclopedia [EB/OL ] . https://en.wikipedia.org/w/index.php?title=Complete-lin-kage_clustering＆oldid=625941679 https://en.wikipedia.org/w/index.php?title=Complete-lin-kage_clustering＆oldid=625941679 , 2015 .

BRODER A , MITZENMACHER M . Network applications of bloom filters:a survey [J ] . Internet Mathematics , 2004 , 1 ( 4 ): 485 - 509 .

FJELLSKAL E B . Passive DNS tool .[EB/OL ] . https://github.com/gamelinux/passivedns https://github.com/gamelinux/passivedns , 2015 .

马云龙，姜彩萍，张千里，等 . 基于IPFIX 的DNS异常行为检测方法 [J ] . 通信学报， 2014 , 35 ( z1 ): 5 - 9 .

MA Y L , JIANG C P , ZHANG Q L , et al . DNS abnormal behavior detec-tion based on IPFIX [J ] . Journal on Communications , 2014 , 35 ( z1 ): 5 - 9 .

BOSTOCK M . Data driven documents .[EB/OL ] . http://d3js.org/ http://d3js.org/ .

GAO H , YEGNESWARAN V , CHEN Y , et al . An empirical reexami-nation of global DNS behavior [J ] . ACM SIGCOMM Computer Com-munication Review , 2013 , 43 ( 4 ): 267 - 278 .

CISCO . Cisco IOS NetFlow [EB/OL ] . http://www.cisco.com/go/netflow http://www.cisco.com/go/netflow .

WIKIPEDIA . Entropy (information theory)-wikipedia,the free encyc-lopedia [EB/OL ] . https://en.wikipedia.org/w/index.php?title=Entropy(in-formation?theory)＆oldid=674556523 https://en.wikipedia.org/w/index.php?title=Entropy(in-formation?theory)＆oldid=674556523 . 2015 .

HERRMANN D , BANSE C , FEDERRATH H . Behaviorbased track-ing:exploiting characteristic patterns in DNS traffic [J ] . Computers＆Security , 2013 , 39 : 17 - 33 .

袁春阳，李青山，王永建 . 基于行为与域名查询关联的僵尸网络聚类联动监测 [J ] . 计算机应用研究， 2012 , 29 ( 3 ): 1084 - 1087 .

YUAN C Y , LI Q S , WANG Y J . Linkage monitoring of clus for botnet based on relevance of behavior and domain inqui y [J ] . Applica-tion Research of Computers , 2012 , 29 ( 3 ): 1084 - 1087 .

KRISHNAN S , TAYLOR T , MONROSE F , et al . Crossing the thre-shold:detecting network malfeasance via sequential hypothesis test-ing [C ] // 2013 43rd Annual IEEE/IFIP International Conference on De-pendable Systems and Networks (DSN). c 2013 : 1 - 12 .

ZOU W Y , SOCHER R , CER D , et al . Bilingual word embeddings for phrase-based machine translation [C ] // 2013 Conference on Empirical Methods in Natural Language Processing (EMNLP 2013). c 2013 : 1393 - 1398 .

LEVY O , GOLDBERG Y . Linguistic regularities in sparse and explicit word representations [C ] // Proceedings of the 18th Conference on Computational Natural Language Learning (CoNLL 2014), c 2014 .

WIKIPEDIA . Pointwise mutual information — Wikipedia,the free encyclopedia [EB/OL ] . http://en.wikipedia.org/w/index.php?title=Pointwise?mutual?information＆oldid=650473510 http://en.wikipedia.org/w/index.php?title=Pointwise?mutual?information＆oldid=650473510 .

PEROZZI B , SKIENA S . DeepWalk:online learning of social Re-presentations [C ] // The 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining . c 2014 : 701 - 710 .

TANG J , QU M , WANG M , et al . LINE:Largescale Information Network Embedding [J ] . arXiv preprint arXiv:1503.03578 , 2015 .

浏览量

2202

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

超大规模太赫兹系统深度学习信道估计算法

基于机器学习的加密流量分类研究综述

基于深度学习的SDN异常流量分布式检测方法

基于Ngram-TFIDF的深度恶意代码可视化分类方法

基于后门攻击的恶意流量逃逸方法