DNS-GT: A Graph-based Transformer Approach to Learn Embeddings of Domain Names from DNS Queries

TL;DR

DNS-GT is a novel Transformer-based approach that learns contextual embeddings of domain names from DNS query sequences, improving intrusion detection and domain classification tasks.

Contribution

It introduces a self-supervised Transformer model for DNS data that captures query context, enhancing representation learning for security applications.

Findings

Outperforms baseline methods in domain classification.

Achieves higher accuracy in botnet detection.

Demonstrates effective learning of DNS query behavior.

Abstract

Network intrusion detection systems play a crucial role in the security strategy employed by organisations to detect and prevent cyberattacks. Such systems usually combine pattern detection signatures with anomaly detection techniques powered by machine learning methods. However, the commonly proposed machine learning methods present drawbacks such as over-reliance on labeled data and limited generalization capabilities. To address these issues, embedding-based methods have been introduced to learn representations from network data, such as DNS traffic, mainly due to its large availability, that generalise effectively to many downstream tasks. However, current approaches do not properly consider contextual information among DNS queries. In this paper, we tackle this issue by proposing DNS-GT, a novel Transformer-based model that learns embeddings for domain names from sequences of DNS queries. The model is first pre-trained in a self-supervised fashion in order to learn the general behavior of DNS activity. Then, it can be finetuned on specific downstream tasks, exploiting interactions with other relevant queries in a given sequence. Our experiments with real-world DNS data showcase the ability of our method to learn effective domain name representations. A quantitative evaluation on domain name classification and botnet detection tasks shows that our approach achieves better results compared to relevant baselines, creating opportunities for further exploration of large-scale language models for intrusion detection systems. Our code is available at: https://github.com/m-altieri/DNS-GT.