CPC G06F 21/554 (2013.01) [G06F 2221/033 (2013.01)]; 19 Claims

1. An electronic device for differentiating between benign Domain Name System (DNS) data and malicious DNS data included in DNS traffic, the electronic device comprising:
a communication interface configured to send and receive network traffic including the DNS traffic;
a memory configured to store malicious DNS detection software comprising machine executable instructions, wherein each of the DNS traffic includes a subdomain and a domain name; and
processor circuitry configured to execute the machine executable instructions to classify the DNS traffic by:
modifying the subdomain for each of the DNS traffic received by the communication interface to have a normalized length;
analyzing the DNS traffic using a trained autoencoder configured to receive input DNS data and output an encoding result signal, such that the autoencoder successfully encodes the input DNS data when the input DNS data is benign DNS data and the autoencoder fails to encode the input DNS data when the input DNS data is malicious DNS data, wherein the encoding result signal is determined based on a success of the encoding of the input DNS data; and
labeling the analyzed DNS traffic as malicious or benign based on the encoding result signal output by the trained autoencoder; and
outputting the label of the analyzed DNS traffic;
wherein the memory is further configured to store training DNS data, wherein:
the training DNS data comprises DNS training samples;
each DNS training sample includes DNS data and a label identifying the DNS data as malicious or benign; and
the DNS data traffic includes a subdomain and a domain name; and
wherein the processor circuitry is further configured to execute the machine executable instructions to classify the DNS traffic by:
generating input training data from the stored training DNS data by modifying the subdomain for each of the DNS data included in the training DNS data to have a normalized length; and
training the autoencoder, using the generated input training data and a modified loss function configured to have a small malicious weight for failing to encode malicious DNS data, to have a benign weight when failing to encode benign DNS data, and to have a large malicious weight when successfully encoding malicious DNS data, wherein the large malicious weight is larger than the small malicious weight.
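Added illustration of the classification and training steps recited in the claim; it is example code written for this page, not the patent's own implementation. A bigram codebook built from benign subdomains stands in for the trained autoencoder, the "encoding result" is a reconstruction-error threshold, and the weight values, the normalized length and the sample subdomains are all assumed or constructed.

```python
# Added illustration (not the patent's code): normalize subdomains to a fixed
# length, "encode" them, and weight each training sample's loss by its label and
# by whether encoding succeeded. A bigram codebook learned from benign samples
# stands in for the trained autoencoder; all data below is constructed.
from typing import Dict, List, Tuple

NORM_LEN = 8              # assumed normalized subdomain length
SUCCESS_THRESHOLD = 0.5   # assumed: reconstruction error below this = "encoded"
W_BENIGN, W_MAL_SMALL, W_MAL_LARGE = 1.0, 0.1, 5.0   # assumed weight values

def normalize(sub: str, n: int = NORM_LEN) -> str:
    """Truncate or pad with '.' so every subdomain has exactly n characters."""
    sub = sub.lower()[:n]
    return sub + "." * (n - len(sub))

def fit_codebook(benign: List[str]) -> Dict[str, int]:
    """Bigrams seen in benign subdomains; a stand-in for autoencoder weights."""
    book: Dict[str, int] = {}
    for s in benign:
        s = normalize(s)
        for i in range(len(s) - 1):
            book.setdefault(s[i:i + 2], len(book))
    return book

def reconstruction_error(sub: str, book: Dict[str, int]) -> float:
    """Fraction of the sample's bigrams the codebook cannot encode and decode."""
    s = normalize(sub)
    pairs = [s[i:i + 2] for i in range(len(s) - 1)]
    return sum(1 for p in pairs if p not in book) / len(pairs)

def classify(sub: str, book: Dict[str, int]) -> str:
    """Encoding success -> benign label; encoding failure -> malicious label."""
    return "benign" if reconstruction_error(sub, book) < SUCCESS_THRESHOLD else "malicious"

def modified_loss(err: float, label: str) -> float:
    """Per-sample loss weighted as the claim describes. Applying the large weight
    as a penalty on *low* error (malicious data encoded successfully) is this
    example's interpretation, not wording taken from the claim."""
    if label == "benign":
        return W_BENIGN * err                       # benign weight on failures
    if err < SUCCESS_THRESHOLD:
        return W_MAL_LARGE * (1.0 - err)            # malicious encoded: large
    return W_MAL_SMALL * err                        # malicious rejected: small

def training_loss(samples: List[Tuple[str, str]], book: Dict[str, int]) -> float:
    """Mean modified loss over labelled (subdomain, label) training samples."""
    losses = (modified_loss(reconstruction_error(s, book), lab) for s, lab in samples)
    return sum(losses) / len(samples)
```

With `book = fit_codebook(["www", "mail", "api"])`, a subdomain such as `x7q9z2k4` has no bigram the benign codebook can reproduce, so it fails to encode and is labelled malicious, while `mail` encodes with zero error and is labelled benign.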