DRIFT: Drift-Resilient Invariant-Feature Transformer for DGA Detection

TL;DR

This paper introduces DRIFT, a Transformer-based framework that learns invariant features to improve long-term DGA detection performance amidst evolving domain generation algorithms.

Contribution

The paper presents a novel drift-resilient Transformer model with hybrid tokenization and multi-task self-supervised pre-training for robust DGA detection.

Findings

Significantly reduces temporal degradation in DGA classification.

Outperforms state-of-the-art baselines in long-term detection tasks.

Effective in maintaining detection accuracy over a 9-year longitudinal study.

Abstract

Domain Generation Algorithms (DGAs) evolve continuously to evade botnet detection, posing a persistent challenge for dependable network defense. While deep learning-based detectors achieve strong performance under static conditions, they suffer severe degradation when facing temporal drift. Through a 9-year longitudinal study (2017-2025), we empirically show that state-of-the-art character- and word-based DGA classifiers rapidly lose effectiveness as new DGA variants emerge. To address this problem, we propose a drift-resilient Transformer-based framework that learns invariant representations through a hybrid tokenization strategy and multi-task self-supervised pre-training. The model integrates (i) character-level encoding to capture stochastic morphological patterns and (ii) subword-level encoding for word-based DGAs. Three pre-training tasks enable the model to learn robust structural and contextual features prior to supervised fine-tuning. Comprehensive evaluations demonstrate that our method significantly mitigates temporal degradation and consistently outperforms state-of-the-art baselines in forward-chaining experiments. The proposed approach offers a dependable foundation for long-term DGA defense in evolving threat landscapes. Our code is available at: https://github.com/snsec-net/2026-DSN-DRIFT.