{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T18:10:20Z","timestamp":1772647820534,"version":"3.50.1"},"reference-count":28,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2020,2,28]],"date-time":"2020-02-28T00:00:00Z","timestamp":1582848000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,2,28]],"date-time":"2020-02-28T00:00:00Z","timestamp":1582848000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecur"],"published-print":{"date-parts":[[2020,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Command and control (C2) servers are used by attackers to operate communications. To perform attacks, attackers usually employee the Domain Generation Algorithm (DGA), with which to confirm rendezvous points to their C2 servers by generating various network locations. The detection of DGA domain names is one of the important technologies for command and control communication detection. Considering the randomness of the DGA domain names, recent research in DGA detection applyed machine learning methods based on features extracting and deep learning architectures to classify domain names. However, these methods are insufficient to handle wordlist-based DGA threats, which generate domain names by randomly concatenating dictionary words according to a special set of rules. In this paper, we proposed a a deep learning framework ATT-CNN-BiLSTM for identifying and detecting DGA domains to alleviate the threat. 
Firstly, the Convolutional Neural Network (CNN) and bidirectional Long Short-Term Memory (BiLSTM) neural network layers were used to extract the features of the domain sequences information; secondly, the attention layer was used to allocate the corresponding weight of the extracted deep information from the domain names. Finally, the different weights of features in domain names were put into the output layer to complete the tasks of detection and classification. Our extensive experimental results demonstrate the effectiveness of the proposed model, both on regular DGA domains and DGAs that are hard to detect such as wordlist-based and part-wordlist-based ones. To be precise, we got an F1 score of 98.79% for the detection and macro average precision and recall of 83% for the classification task of DGA domain names.<\/jats:p>","DOI":"10.1186\/s42400-020-00046-6","type":"journal-article","created":{"date-parts":[[2020,2,28]],"date-time":"2020-02-28T03:03:49Z","timestamp":1582859029000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":45,"title":["A DGA domain names detection modeling method based on integrating an attention mechanism and deep neural 
network"],"prefix":"10.1186","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5230-8494","authenticated-orcid":false,"given":"Fangli","family":"Ren","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zhengwei","family":"Jiang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xuren","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jian","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2020,2,28]]},"reference":[{"key":"46_CR1","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1145\/2996758.2996767","volume-title":"Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security","author":"HS Anderson","year":"2016","unstructured":"Anderson, HS, Woodbridge J, Filar B (2016) Deepdga: Adversarially-tuned domain generation and detection In: Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, 13\u201321.. ACM, Vienna."},{"key":"46_CR2","doi-asserted-by":"crossref","unstructured":"Andrews, M (1998) Negative caching of DNS queries (DNS NCACHE). http:\/\/www.ietf.org\/rfc\/rfc2308.txt. Accessed 1 Oct 2019.","DOI":"10.17487\/rfc2308"},{"key":"46_CR3","first-page":"273","volume-title":"USENIX Security Symposium","author":"M Antonakakis","year":"2010","unstructured":"Antonakakis, M, Perdisci R, Dagon D, Lee W, Feamster N (2010) Building a dynamic reputation system for dns In: USENIX Security Symposium, 273\u2013290.. USENIX, Washington, DC."},{"key":"46_CR4","unstructured":"Bahdanau, D, Cho K, Bengio Y (2014) Neural machine translation by jointly learning to align and translate. arXiv e-prints:arXiv:1409.0473. 
https:\/\/ui.adsabs.harvard.edu\/abs\/2014arXiv1409.0473B."},{"issue":"4","key":"46_CR5","first-page":"14","volume":"16","author":"L Bilge","year":"2014","unstructured":"Bilge, L, Sen S, Balzarotti D, Kirda E, Kruegel C (2014) Exposure: A passive dns analysis service to detect and report malicious domains. ACM Trans Informa Syst Secur (TISSEC) 16(4):14.","journal-title":"ACM Trans Informa Syst Secur (TISSEC)"},{"key":"46_CR6","doi-asserted-by":"crossref","unstructured":"Curtin, RR, Gardner AB, Grzonkowski S, Kleymenov A, Mosquera A (2018) Detecting dga domains with recurrent neural networks and side information. arXiv e-prints:arXiv:1810.02023. https:\/\/ui.adsabs.harvard.edu\/abs\/2018arXiv181002023C.","DOI":"10.1145\/3339252.3339258"},{"key":"46_CR7","unstructured":"Geffner, J (2013) End-to-end analysis of a domain generating algorithm malware family In: Black Hat USA 2013."},{"key":"46_CR8","doi-asserted-by":"publisher","first-page":"1304","DOI":"10.1109\/INM.2015.7140486","volume-title":"2015 IFIP\/IEEE International Symposium on Integrated Network Management (IM)","author":"M Grill","year":"2015","unstructured":"Grill, M, Nikolaev I, Valeros V, Rehak M (2015) Detecting dga malware using netflow In: 2015 IFIP\/IEEE International Symposium on Integrated Network Management (IM), 1304\u20131309.. IEEE, Ottawa."},{"key":"46_CR9","doi-asserted-by":"publisher","first-page":"2966","DOI":"10.1109\/BigData.2018.8622066","volume-title":"2018 IEEE International Conference on Big Data (Big Data)","author":"JJ Koh","year":"2018","unstructured":"Koh, JJ, Rhodes B (2018) Inline detection of domain generation algorithms with context-sensitive word embeddings In: 2018 IEEE International Conference on Big Data (Big Data), 2966\u20132971.. 
IEEE, Seattle."},{"key":"46_CR10","doi-asserted-by":"publisher","first-page":"1412","DOI":"10.18653\/v1\/D15-1166","volume-title":"Proceedings of the 2015 conference on empirical methods in natural language processing","author":"M-T Luong","year":"2015","unstructured":"Luong, M-T, Pham H, Manning CD (2015) Effective approaches to attention-based neural machine translation In: Proceedings of the 2015 conference on empirical methods in natural language processing, 1412\u20131421.. ACL, Lisboa."},{"key":"46_CR11","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1145\/3155133.3155166","volume-title":"Proceedings of the Eighth International Symposium on Information and Communication Technology","author":"H Mac","year":"2017","unstructured":"Mac, H, Tran D, Tong V, Nguyen LG, Tran HA (2017) Dga botnet detection using supervised learning methods In: Proceedings of the Eighth International Symposium on Information and Communication Technology, 211\u2013218.. ACM, Nha Trang."},{"issue":"2","key":"46_CR12","first-page":"141","volume":"10","author":"JB Patil","year":"2018","unstructured":"Patil, JB, Dharmaraj R (2018) Feature-based malicious url and attack type detection using multi-class classification. ISeCure 10(2):141\u2013162.","journal-title":"ISeCure"},{"key":"46_CR13","doi-asserted-by":"publisher","first-page":"295","DOI":"10.1007\/978-3-030-00470-5_14","volume-title":"International Symposium on Research in Attacks, Intrusions, and Defenses","author":"M Pereira","year":"2018","unstructured":"Pereira, M, Coleman S, Yu B, DeCock M, Nascimento A (2018) Dictionary extraction and detection of algorithmically generated domain names in passive dns traffic In: International Symposium on Research in Attacks, Intrusions, and Defenses, 295\u2013314.. 
Springer, Heraklion."},{"key":"46_CR14","first-page":"263","volume-title":"25th {USENIX} Security Symposium ({USENIX} Security 16)","author":"D Plohmann","year":"2016","unstructured":"Plohmann, D, Yakdan K, Klatt M, Bader J, Gerhards-Padilla E (2016) A comprehensive measurement study of domain generating malware In: 25th {USENIX} Security Symposium ({USENIX} Security 16), 263\u2013278.. USENIX, Austin."},{"issue":"4","key":"46_CR15","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1016\/j.jare.2014.01.001","volume":"5","author":"J Raghuram","year":"2014","unstructured":"Raghuram, J, Miller DJ, Kesidis G (2014) Unsupervised, low latency anomaly detection of algorithmically generated domain names by generative probabilistic modeling. J Adv Res 5(4):423\u2013433.","journal-title":"J Adv Res"},{"key":"46_CR16","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1145\/3077136.3080792","volume-title":"Proceedings of the 40th International ACM SIGIR Conference on Research and Development in Information Retrieval","author":"P Ren","year":"2017","unstructured":"Ren, P, Chen Z, Ren Z, Wei F, Ma J, de Rijke M (2017) Leveraging contextual sentence relations for extractive summarization using a neural attention model In: Proceedings of the 40th International ACM SIGIR Conference on Research and Development in Information Retrieval, 95\u2013104.. ACM, Tokyo."},{"key":"46_CR17","unstructured":"Saxe, J, Berlin K (2017) expose: A character-level convolutional neural network with embeddings for detecting malicious urls, file paths and registry keys. arXiv e-prints:arXiv:1702.08568. 
https:\/\/ui.adsabs.harvard.edu\/abs\/2017arXiv170208568S."},{"key":"46_CR18","first-page":"1","volume-title":"2016 IEEE Global Communications Conference (GLOBECOM)","author":"T Shibahara","year":"2016","unstructured":"Shibahara, T, Yagi T, Akiyama M, Chiba D, Yada T (2016) Efficient dynamic malware analysis based on network behavior using deep learning In: 2016 IEEE Global Communications Conference (GLOBECOM), 1\u20137.. IEEE, Washington, DC."},{"key":"46_CR19","unstructured":"Wang, W, Shirley K (2015) Breaking bad: Detecting malicious domains using word segmentation. arXiv e-prints:arXiv:1506.04111. https:\/\/ui.adsabs.harvard.edu\/abs\/2015arXiv150604111W."},{"key":"46_CR20","unstructured":"Woodbridge, J, Anderson HS, Ahuja A, Grant D (2016) Predicting domain generation algorithms with long short-term memory networks. arXiv e-prints:arXiv:1611.00791. https:\/\/ui.adsabs.harvard.edu\/abs\/2016arXiv161100791W."},{"key":"46_CR21","doi-asserted-by":"crossref","first-page":"48","DOI":"10.1145\/1879141.1879148","volume-title":"Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement","author":"S Yadav","year":"2010","unstructured":"Yadav, S, Reddy AKK, Reddy A, Ranjan S (2010) Detecting algorithmically generated malicious domain names In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, 48\u201361.. ACM, Melbourne."},{"issue":"5","key":"46_CR22","doi-asserted-by":"publisher","first-page":"1663","DOI":"10.1109\/TNET.2012.2184552","volume":"20","author":"S Yadav","year":"2012","unstructured":"Yadav, S, Reddy AKK, Reddy AN, Ranjan S (2012) Detecting algorithmically generated domain-flux attacks with dns traffic analysis. 
IEEE\/Acm Trans Network 20(5):1663\u20131677.","journal-title":"IEEE\/Acm Trans Network"},{"key":"46_CR23","first-page":"1480","volume-title":"Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies","author":"Z Yang","year":"2016","unstructured":"Yang, Z, Yang D, Dyer C, He X, Smola A, Hovy E (2016) Hierarchical attention networks for document classification In: Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, 1480\u20131489.. ACL, San Diego."},{"key":"46_CR24","doi-asserted-by":"publisher","first-page":"472","DOI":"10.1007\/978-3-030-00009-7_43","volume-title":"International Conference on Cloud Computing and Security","author":"L Yang","year":"2018","unstructured":"Yang, L, Liu G, Zhai J, Dai Y, Yan Z, Zou Y, Huang W (2018) A novel detection method for word-based dga In: International Conference on Cloud Computing and Security, 472\u2013483.. Springer, Haikou."},{"issue":"7","key":"46_CR25","first-page":"15","volume":"39","author":"X Zang","year":"2018","unstructured":"Zang, X, J G, X H (2018) Detecting malicious domain name based on agd. J Commun 39(7):15\u201325.","journal-title":"J Commun"},{"key":"46_CR26","first-page":"130","volume-title":"International Conference on Trustworthy Computing and Services","author":"Y Zhang","year":"2013","unstructured":"Zhang, Y, Zhang Y, Xiao J (2013) Detecting the dga-based malicious domain names In: International Conference on Trustworthy Computing and Services, 130\u2013137.. Springer, Beijing."},{"issue":"4","key":"46_CR27","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1145\/3191329","volume":"51","author":"Y Zhauniarovich","year":"2018","unstructured":"Zhauniarovich, Y, Khalil I, Yu T, Dacier M (2018) A survey on malicious domains detection through dns data analysis. 
ACM Comput Surveys (CSUR) 51(4):67.","journal-title":"ACM Comput Surveys (CSUR)"},{"key":"46_CR28","doi-asserted-by":"publisher","first-page":"247","DOI":"10.18653\/v1\/D16-1024","volume-title":"Proceedings of the 2016 Conference on Empirical Methods in Natural Language Processing","author":"X Zhou","year":"2016","unstructured":"Zhou, X, Wan X, Xiao J (2016) Attention-based lstm network for cross-lingual sentiment classification In: Proceedings of the 2016 Conference on Empirical Methods in Natural Language Processing, 247\u2013256.. ACL, Texas."}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-020-00046-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1186\/s42400-020-00046-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-020-00046-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,2,27]],"date-time":"2021-02-27T00:26:39Z","timestamp":1614385599000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-020-00046-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,2,28]]},"references-count":28,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,12]]}},"alternative-id":["46"],"URL":"https:\/\/doi.org\/10.1186\/s42400-020-00046-6","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,2,28]]},"assertion":[{"value":"7 October 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"12 February 
2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 February 2020","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors declare that they have no competing interests.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"4"}}