MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses

TL;DR

MaskDGA is a black-box adversarial technique that effectively evades deep learning-based DGA classifiers by perturbing domain names, highlighting vulnerabilities in current detection methods and suggesting the need for more robust features.

Contribution

The paper introduces MaskDGA, a novel black-box adversarial attack method that significantly reduces the accuracy of DGA classifiers without prior knowledge of their architecture.

Findings

MaskDGA reduces classifier F1-score from 0.977 to 0.495.

Adversarial defenses like re-training and distillation offer limited robustness.

Character-level features alone are vulnerable to adversarial perturbations.

Abstract

Domain generation algorithms (DGAs) are commonly used by botnets to generate domain names through which bots can establish a resilient communication channel with their command and control servers. Recent publications presented deep learning, character-level classifiers that are able to detect algorithmically generated domain (AGD) names with high accuracy, and correspondingly, significantly reduce the effectiveness of DGAs for botnet communication. In this paper we present MaskDGA, a practical adversarial learning technique that adds perturbation to the character-level representation of algorithmically generated domain names in order to evade DGA classifiers, without the attacker having any knowledge about the DGA classifier's architecture and parameters. MaskDGA was evaluated using the DMD-2018 dataset of AGD names and four recently published DGA classifiers, in which the average F1-score of the classifiers degrades from 0.977 to 0.495 when applying the evasion technique. An additional evaluation was conducted using the same classifiers but with adversarial defenses implemented: adversarial re-training and distillation. The results of this evaluation show that MaskDGA can be used for improving the robustness of the character-level DGA classifiers against adversarial attacks, but that ideally DGA classifiers should incorporate additional features alongside character-level features that are demonstrated in this study to be vulnerable to adversarial attacks.