Fine-tuning Large Language Models for DGA and DNS Exfiltration Detection
- URL: http://arxiv.org/abs/2410.21723v2
- Date: Thu, 07 Nov 2024 18:57:27 GMT
- Authors: Md Abu Sayed, Asif Rahman, Christopher Kiekintveld, Sebastian Garcia
- Abstract summary: Large Language Models (LLMs) have demonstrated their proficiency in real-time detection tasks.
Our work validates the effectiveness of fine-tuned LLMs for detecting DGAs and DNS exfiltration attacks.
- Abstract: Domain Generation Algorithms (DGAs) are malicious techniques used by malware to dynamically generate seemingly random domain names for communication with Command & Control (C&C) servers. Because DGA domains are fast and simple to generate, detection methods must be highly efficient and precise to be effective. Large Language Models (LLMs) have demonstrated their proficiency in real-time detection tasks, making them ideal candidates for detecting DGAs. Our work validates the effectiveness of fine-tuned LLMs for detecting DGAs and DNS exfiltration attacks. We developed LLM models and conducted a comprehensive evaluation using a diverse dataset comprising 59 distinct real-world DGA malware families and normal domain data. Our LLM model significantly outperformed traditional natural language processing techniques, especially in detecting unknown DGAs. We also evaluated its performance on DNS exfiltration datasets, demonstrating its effectiveness in enhancing cybersecurity measures. To the best of our knowledge, this is the first work that empirically applies LLMs for DGA and DNS exfiltration detection.
Related papers
- LLMs for Domain Generation Algorithm Detection [0.0] (arXiv, 2024-11-05)
  This work analyzes the use of large language models (LLMs) for detecting domain generation algorithms (DGAs).
  We show how In-Context Learning (ICL) and Supervised Fine-Tuning (SFT) can improve detection.
  In particular, the SFT-based LLM DGA detector outperforms state-of-the-art models using attention layers, achieving 94% accuracy with a 4% false positive rate (FPR).
- Disentangling Masked Autoencoders for Unsupervised Domain Generalization [57.56744870106124] (arXiv, 2024-07-10)
  Unsupervised domain generalization is fast gaining attention but is still far from well-studied.
  Disentangled Masked Auto (DisMAE) aims to discover the disentangled representations that faithfully reveal intrinsic features.
  DisMAE co-trains the asymmetric dual-branch architecture with semantic and lightweight variation encoders.
- DGInStyle: Domain-Generalizable Semantic Segmentation with Image Diffusion Models and Stylized Semantic Control [68.14798033899955] (arXiv, 2023-12-05)
  Large, pretrained latent diffusion models (LDMs) have demonstrated an extraordinary ability to generate creative content.
  However, are they usable as large-scale data generators, e.g., to improve tasks in the perception stack, like semantic segmentation?
  We investigate this question in the context of autonomous driving, and answer it with a resounding "yes".
- The Unreasonable Effectiveness of Large Language-Vision Models for Source-free Video Domain Adaptation [56.61543110071199] (arXiv, 2023-08-17)
  The Source-Free Video Unsupervised Domain Adaptation (SFVUDA) task consists in adapting an action recognition model, trained on a labelled source dataset, to an unlabelled target dataset.
  Previous approaches have attempted to address SFVUDA by leveraging self-supervision derived from the target data itself.
  We take an approach by exploiting "web-supervision" from Large Language-Vision Models (LLVMs), driven by the rationale that LLVMs contain a rich world prior surprisingly robust to domain-shift.
- Explaining Machine Learning DGA Detectors from DNS Traffic Data [11.049278217301048] (arXiv, 2022-08-10)
  This work addresses the problem of Explainable ML in the context of botnet and DGA detection.
  It is the first to concretely break down the decisions of ML classifiers when devised for botnet/DGA detection.
- Detecting Algorithmically Generated Domains Using a GCNN-LSTM Hybrid Neural Network [10.617124610646488] (arXiv, 2022-08-06)
  Domain generation algorithms (DGAs) are used by botnets to build a stealthy command and control (C&C) communication channel.
  AGD detection algorithms provide a lightweight, promising solution in response to the existing DGA techniques.
  In this paper, a GCNN (gated convolutional neural network)-LSTM (long short-term memory) Hybrid Neural Network (GLHNN) for AGD detection is proposed.
- On Certifying and Improving Generalization to Unseen Domains [87.00662852876177] (arXiv, 2022-06-24)
  Domain Generalization aims to learn models whose performance remains high on unseen domains encountered at test-time.
  It is challenging to evaluate DG algorithms comprehensively using a few benchmark datasets.
  We propose a universal certification framework that can efficiently certify the worst-case performance of any DG method.
- Decompose to Adapt: Cross-domain Object Detection via Feature Disentanglement [79.2994130944482] (arXiv, 2022-01-06)
  We design a Domain Disentanglement Faster-RCNN (DDF) to eliminate the source-specific information in the features for detection task learning.
  Our DDF method facilitates the feature disentanglement at the global and local stages, with a Global Triplet Disentanglement (GTD) module and an Instance Similarity Disentanglement (ISD) module.
  By outperforming state-of-the-art methods on four benchmark UDA object detection tasks, our DDF method is demonstrated to be effective with wide applicability.
- CMT in TREC-COVID Round 2: Mitigating the Generalization Gaps from Web to Special Domain Search [89.48123965553098] (arXiv, 2020-11-03)
  This paper presents a search system to alleviate the special domain adaption problem.
  The system utilizes the domain-adaptive pretraining and few-shot learning technologies to help neural rankers mitigate the domain discrepancy.
  Our system performs the best among the non-manual runs in Round 2 of the TREC-COVID task.
- Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning [5.915780927888678] (arXiv, 2020-03-28)
  Botnets and malware avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses.
  Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains.
  We create a novel hybrid neural network, Bilbo the bagging model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious.
- Inline Detection of DGA Domains Using Side Information [5.253305460558346] (arXiv, 2020-03-12)
  Domain Generation Algorithms (DGAs) are popular methods for generating pseudo-random domain names.
  In recent years, machine learning based systems have been widely used to detect DGAs.
  We train and evaluate state-of-the-art deep learning and random forest (RF) classifiers for DGA detection using side information that is harder for adversaries to manipulate than the domain name itself.
This list is automatically generated from the titles and abstracts of the papers in this site.