An Improved CNN-LSTM Algorithm for Detection of DGA Domain Name

Recently, zombie networks have utilized domain name generation algorithm (DGA) to generate a large number of malicious domain names for network attacks, posing a threat to network security. The existing DGA domain names are mainly divided into dictionary type and character type. However, traditional deep learning methods cannot simultaneously detect two types of DGA domain names, especially dictionary based DGA domain names. Therefore, this study proposes a network model that combines convolutional neural networks (CNN) and long-short term memory (LSTM) networks - the CNN-LSTM model. The model consists of three parts: character embedding layer, feature extraction layer, and fully connected layer. This model can extract N-grams features of domain name characters through CNN and input the extraction results to LSTM. At the same time, the model can choose to use multiple sets of CNN in combination with LSTM. In addition, based on the extracted features, this model can classify and predict domain names generated by dictionary based DGA. The experimental results show that the proposed model performs best when the convolutional kernel sizes selected by CNN are 3 and 4. In the comparative experiments of four dictionary based DGA families, the CNN-LSTM model showed a 3.0% improvement in accuracy compared to the CNN model, and as the number of sample families increased, the CNN-LSTM model exhibited better stability.