Analyzing the Real-World Applicability of DGA Classifiers
Arthur Drichel, Ulrike Meyer, Samuel Schüppen, Dominik Teubert

TL;DR
This paper evaluates DGA classifiers' practical applicability, focusing on robustness, explainability, and real-time performance, and introduces a novel residual neural network-based classifier for improved detection and generalization.
Contribution
The paper introduces a new residual neural network classifier for DGA detection and provides a comprehensive evaluation of existing and new classifiers in practical scenarios.
Findings
The new classifier generalizes well to unseen networks.
It is robust against adversarial attacks.
It operates in real-time with high speed.
Abstract
Separating benign domains from domains generated by DGAs with the help of a binary classifier is a well-studied problem for which promising performance results have been published. The corresponding multiclass task of determining the exact DGA that generated a domain enabling targeted remediation measures is less well studied. Selecting the most promising classifier for these tasks in practice raises a number of questions that have not been addressed in prior work so far. These include the questions on which traffic to train in which network and when, just as well as how to assess robustness against adversarial attacks. Moreover, it is unclear which features lead a classifier to a decision and whether the classifiers are real-time capable. In this paper, we address these issues and thus contribute to bringing DGA detection classifiers closer to practical use. In this context, we propose…
