DGA Domain Name Generation Method of BiLSTM Model  Based on Bayesian HPO

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (10): 950-.

DGA Domain Name Generation Method of BiLSTM Model Based on Bayesian HPO

Li Bowen1, Qiao Yanchen1, Wang Jigang2,  Lu Keyu1, Zhang Yu1,3, and Zhang Weizhe1,3

1(Department of New Networks, Pengcheng Laboratory, Shenzhen, Guangdong 518055)
2(ZTE Corporation, Shenzhen, Guangdong 518057)
3(School of Cyberspace Science, Harbin Institute of Technology, Harbin 150001)

Online:2025-10-15 Published:2025-10-17

基于贝叶斯超参数优化的BiLSTM模型DGA域名生成方法

李博文1乔延臣1王继刚2陆柯羽1张宇1,3张伟哲1,3

1(鹏城实验室新型网络研究部广东深圳518055)
2(中兴通讯股份有限公司广东深圳518057)
3(哈尔滨工业大学网络空间安全学院哈尔滨150001)

通讯作者: 乔延臣博士，副研究员,博士生导师.主要研究方向为网络空间安全、互联网体系结构. qiaoych@pcl.ac.cn
作者简介:李博文硕士，助理工程师.主要研究方向为网络空间安全、互联网体系结构. libw@pcl.ac.cn 乔延臣博士，副研究员,博士生导师.主要研究方向为网络空间安全、互联网体系结构. qiaoych@pcl.ac.cn 王继刚博士，研究员.主要研究方向为网络空间安全、工业网络安全. wang.jigang@zte.com.cn 陆柯羽博士，工程师.主要研究方向为网络空间安全、域名体系安全. luky@pcl.ac.cn 张宇博士，教授，博士生导师.主要研究方向为网络空间安全、互联网体系结构. yuzhang@hit.edu.cn 张伟哲博士，教授，博士生导师.主要研究方向为网络空间安全、高性能计算、嵌入式计算和云计算. weizhe.zhang@pcl.ac.cn

Abstract

Abstract: In recent years, domain generation algorithms (DGA) have been extensively utilized in network attacks to dynamically generate large quantities of random domain names for malicious software communications, posing a severe challenge for security defenses. As DGA structures grow increasingly complex, traditional domain classification methods that rely on manually extracted features struggle to adapt to new variants in a timely manner. Although generationbased deep models can automatically capture latent patterns from data, their large parameter sizes and intricate hyperparameter tuning often hinder stable performance across diverse DGA. To tackle these issues, this paper proposes a DGA domain generation approach based on a bidirectional long shortterm memory (BiLSTM) model enhanced by Bayesian hyperparameter optimization(Bayesian HPO). By automating the tuning of critical hyperparameter, our method significantly reduces manual intervention and training overhead, while strengthening the robustness and generalization capability of the model against various DGA. Experimental results demonstrate that the proposed approach achieves excellent generation accuracy on multiple DGA families, providing a proactive, forwardlooking defense strategy for network security.

Key words: domain generation algorithm, BiLSTM, Bayesian hyperparameter optimization, DGA domain name generation, network security

摘要： 近年来，域名生成算法(domain generation algorithm, DGA)在网络攻击中被广泛使用，为恶意软件通信动态生成大量随机域名，给安全防御带来严峻挑战.随着DGA结构日益复杂，传统依赖手动提取特征的域名分类方法难以及时适配新型变种；而基于生成的深度模型虽然能从数据分布中自动捕捉潜在规律，却常因参数规模庞大与调参难度高而无法在面对多样化DGA时保持稳定表现.为了应对这一挑战，提出了一种基于贝叶斯超参数优化(Bayesian hyperparameter optimization, Bayesian HPO)的双向长短期记忆网络(bidirectional long shortterm memory, BiLSTM)模型的DGA域名生成方法，预测并生成用于僵尸网络中恶意行为的拦截DGA域名黑名单.贝叶斯超参数优化技术通过自动调优关键超参数显著减轻了人工干预与训练成本，并提升了模型对不同DGA的鲁棒性与泛化能力.实验结果表明，该方法在多种DGA域名上均展现了优秀的生成准确率，可以为网络安全提供一种主动、防御前移的新思路.

关键词: 域名生成算法, 双向长短期记忆网络, 贝叶斯超参数优化, DGA域名生成, 网络安全

CLC Number:

TP393.08

李博文, 乔延臣, 王继刚, 陆柯羽, 张宇, 张伟哲, . 基于贝叶斯超参数优化的BiLSTM模型DGA域名生成方法[J]. 信息安全研究, 2025, 11(10): 950-.

References

［1］Yadav S, Reddy A K, Reddy A L N, et al. Detecting algorithmically generated domainflux attacks with DNS traffic analysis［J］. IEEEACM TransNetw, 2012, 20(6): 16631677［2］Schiavoni S, Maggi F, Cavallaro L, et al. Phoenix: DGAbased botnet tracking and intelligence［C］ Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin: Springer, 2014: 192211［3］Woodbridge J, Anderson H S,Ahuja A, et al. Predicting domain generation algorithms with long shortterm memory networks［J］. arXiv preprint, arXiv:1611.00791, 2016［4］Yu B, Gray D L, Pan J, et al. Inline DGA detection with deep networks［C］  Proc of the 2017 IEEE Int Conf on Data Min Workshops. Piscataway, NJ: IEEE, 2017: 683692 ［5］LeCun Y, Bottou L, Bengio Y, et al. Gradientbased learning applied to document recognition［J］. Proceedings of the IEEE, 1998, 86(11): 22782324［6］Yu W, Rui P, Zuchao W, et al. A classification method based on CNNBiLSTM for difficult detecting DGA domain name［C］ Proc of the 13th IEEE Int Conf on Electron Information and Emergency Communication (ICEIEC). Piscataway, NJ: IEEE, 2023［7］Namgung J, Son S, Moon Y. Efficient deep learning models for DGA domain detection［J］. Applied Sciences, 2021, 11(19): 8887881［8］Natarajan M, Dharani R, Murali S, et al. Performance analysis of DGAdriven botnets using artificial neural networks［C］ Proc of the 10th Int Conf on Reliability Infocom Technologies and Optimization (ICRITO). Piscataway, NJ: IEEE, 2022［9］Tuan T A, Long H V, Taniar D. On detecting and classifying DGA botnets and their families［J］. Computers & Security, 2022, 113: 102549［10］Vranken H, Alizadeh H. Detection of DGAgenerated domain names with TFIDF［JOL］. Electronics, 2022 ［20250305］. https:doi.org10.3390electronics11030414［11］Ning Y, Gao M, Yan W, et al. ABayesian optimizationbased LSTM model for DGA domain name identification approach［J］. Journal of Physics: Conference Series, 2022, 2303(1): 012015［12］Gers F A, Schmidhuber J, Cummins F. Learning to forget: Continual prediction with LSTM［J］. Neural Computation, 2000, 12(10): 24512472［13］Rumelhart D E, Hinton G E, Williams R J. Learning representations by backpropagating errors［J］. Nature, 1986, 323(6088): 533536［14］Elman J L. Finding structure in time［J］. Cognitive Science, 1990, 14(2): 179211［15］Hochreiter S. The vanishing gradient problem during learning recurrent neural nets and problem solutions［J］. International Journal of Uncertainty Fuzziness & Knowledgebased Systems, 1998, 6(2): 107116［16］Cambria E, Bebo W. Jumping NLP curves: A review of natural language processing research［J］. IEEE Computational Intellegence Magazine, 2014, 9(2): 4857［17］Ou X, Yan P, Zhang Y. Moving object detection method via ResNet18 with encoderdecoder structure in complex scenes［J］. IEEE Access, 2019, 7: 163856163868［18］Ahmed E, Yassin B, Ameen R, et al. A new cryptography algorithm based on ASCII code［C］ Proc of the 19th Int Conf on Sciences of Electronics, Technologies of Information and Telecommunications. Piscataway, NJ: IEEE, 2019: 16［19］Bambenek J. OSINT feeds from Bambenek Consulting［EBOL］. 2019 ［20250315］. http:osint.bambenekconsulting.comfeeds

[1]	. A Malicious TLS Traffic Detection Method with Multimodal Features [J]. Journal of Information Security Reserach, 2025, 11(2): 130-.
[2]	. Encrypted Traffic Detection Technology for Multisession Coordinated #br# Attack Based on Deep Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(1): 66-.
[3]	. Network Traffic Measurement Based on Multilayer Sketch in SDN [J]. Journal of Information Security Reserach, 2024, 10(9): 840-.
[4]	. Research on Risk Analysis of Opensource Software Supply Chain Security [J]. Journal of Information Security Reserach, 2024, 10(9): 862-.
[5]	. Research Advance and Challenges of Fuzzing Techniques [J]. Journal of Information Security Reserach, 2024, 10(7): 668-.
[6]	. Intelligent Fuzzy Testing Method Based on Sequence Generative Adversarial Networks [J]. Journal of Information Security Reserach, 2024, 10(6): 490-.
[7]	. Design of Vulnerability Tracking and Disposal Platform Based on Fine Management of Massive Assets [J]. Journal of Information Security Reserach, 2024, 10(6): 568-.
[8]	. Research on Data Reuse Model of Classified Protection of Cybersecurity Based on Data Mining [J]. Journal of Information Security Reserach, 2024, 10(4): 353-.
[9]	. Research on Banking DAO Digital Security Operation System [J]. Journal of Information Security Reserach, 2024, 10(4): 360-.
[10]	. Analysis of Security Blind Area of Large LAN#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(4): 335-.
[11]	. An Adaptive Network Attack Analysis Method Based on Federated Learning [J]. Journal of Information Security Reserach, 2024, 10(12): 1091-.
[12]	. Research and Analysis of Named Entity Recognition Technology in #br# Threat Intelligence#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(12): 1122-.
[13]	. Abnormal Traffic Detection in the Internet of Things Based on Imbalanced Data [J]. Journal of Information Security Reserach, 2024, 10(11): 1012-.
[14]	. Research and Implementation of Intelligent Permission Management [J]. Journal of Information Security Reserach, 2024, 10(10): 912-.
[15]	. Zerotrust Dynamic Authentication to Resist APT Identity Compromise [J]. Journal of Information Security Reserach, 2024, 10(10): 928-.