<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">bsuir</journal-id><journal-title-group><journal-title xml:lang="ru">Доклады БГУИР</journal-title><trans-title-group xml:lang="en"><trans-title>Doklady BGUIR</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1729-7648</issn><issn pub-type="epub">2708-0382</issn><publisher><publisher-name>БГУИР</publisher-name></publisher></journal-meta>
<article-meta><article-id pub-id-type="doi">10.35596/1729-7648-2021-19-2-91-99</article-id><article-id custom-type="elpub" pub-id-type="custom">bsuir-3039</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>ELECTRONICS, RADIOPHYSICS, RADIOENGINEERING, INFORMATICS</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>ELECTRONICS, RADIOPHYSICS, RADIOENGINEERING, INFORMATICS</subject></subj-group></article-categories><title-group><article-title>Detection of DGA domains and botnet prevention using Q-learning for POMDP</article-title><trans-title-group xml:lang="en"><trans-title>DGA domain detection and botnet prevention using Q-learning for POMDP</trans-title></trans-title-group></title-group>
<contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Бубнов</surname><given-names>Я. В.</given-names></name><name name-style="western" xml:lang="en"><surname>Bubnov</surname><given-names>Y. V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Bubnov Yakov Vasil’evich, M.Sc. in Engineering, postgraduate student at the Department of Electronic Computing Machines</p><p>220013, Minsk, P. Brovka str., 6</p><p>tel. +375-29-757-28-23</p></bio><bio xml:lang="en"><p>Bubnov Yakov Vasil’evich, M.Sc., postgraduate student at the Electronic Computing Machines Department</p><p>220013, Minsk, P. Brovka str., 6</p><p>tel. +375-29-757-28-23</p></bio><email xlink:type="simple">girokompass@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Иванов</surname><given-names>Н. Н.</given-names></name><name name-style="western" xml:lang="en"><surname>Ivanov</surname><given-names>N. N.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Candidate of Physical and Mathematical Sciences, Associate Professor, Associate Professor at the Department of Electronic Computing Machines</p></bio><bio xml:lang="en"><p>PhD, Associate Professor, Associate Professor at the Electronic Computing Machines Department</p></bio><xref ref-type="aff" rid="aff-2"/></contrib></contrib-group>
<aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff><aff xml:lang="en"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff></aff-alternatives><aff-alternatives id="aff-2"><aff xml:lang="ru"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff><aff xml:lang="en"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff></aff-alternatives><pub-date pub-type="collection"><year>2021</year></pub-date><pub-date pub-type="epub"><day>27</day><month>03</month><year>2021</year></pub-date><volume>19</volume><issue>2</issue><fpage>91</fpage><lpage>99</lpage>
<permissions><copyright-statement>Copyright &#x00A9; Бубнов Я.В., Иванов Н.Н., 2021</copyright-statement><copyright-year>2021</copyright-year><copyright-holder xml:lang="ru">Бубнов Я.В., Иванов Н.Н.</copyright-holder><copyright-holder xml:lang="en">Bubnov Y.V., Ivanov N.N.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is distributed under the Creative Commons Attribution 4.0 license.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://doklady.bsuir.by/jour/article/view/3039">https://doklady.bsuir.by/jour/article/view/3039</self-uri>
<abstract><p>An effective method is proposed for preventing the exploitation of computer network nodes to build a botnet. A botnet is understood as a set of devices joined over the Internet for the purpose of mounting DDoS attacks, stealing data, sending spam and performing other malicious actions. The described method detects generated domain names in DNS queries using a neural network with convolutional and bidirectional recurrent layers arranged in parallel. The effectiveness of the method rests on the assumption that generated domain names are used to join the devices together when a botnet is built. Experiments confirm that the proposed neural network exceeds the accuracy of existing counterparts on the UMUDGA dataset. The quality of recognition of generated domain names by the trained neural network is assessed using ROC analysis. The article also formulates a model for controlling the detectors as a partially observable Markov decision process in order to block infected nodes of the computer network. A search for the optimal policy of the formulated model by means of Q-learning of value-based agents is proposed. A comparative analysis of the mean, minimum and maximum value of the actions taken by the agents while interacting with the environment is carried out.
</p></abstract><trans-abstract xml:lang="en"><p>An effective method for preventing the exploitation of computer network nodes for organizing a botnet is proposed. A botnet is a collection of devices connected via the Internet for the purpose of mounting DDoS attacks, stealing data, sending spam and performing other malicious actions. The described method detects generated domain names in DNS queries using a neural network with convolutional and bidirectional recurrent layers arranged in parallel. The effectiveness of the method rests on the assumption that generated domain names are used to join the devices together when a botnet is built. Experiments confirm that the proposed neural network outperforms existing counterparts in accuracy on the UMUDGA dataset. The quality of recognition of generated domain names by the trained neural network is estimated using ROC analysis. The article also formulates a model for controlling the detectors as a partially observable Markov decision process in order to block infected nodes of a computer network. A search for the optimal policy of the formulated model by means of Q-learning of value-based agents is proposed.
A comparative analysis of the average, minimum and maximum value of the actions taken by the agents while interacting with the environment is carried out.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>domain generation algorithm</kwd><kwd>computer network protection</kwd><kwd>recurrent neural network</kwd><kwd>partially observable Markov decision process</kwd><kwd>Q-learning</kwd></kwd-group><kwd-group xml:lang="en"><kwd>domain generation algorithm</kwd><kwd>computer network security</kwd><kwd>recurrent neural network</kwd><kwd>partially observable Markov decision process</kwd><kwd>Q-learning</kwd></kwd-group></article-meta></front><back><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
