Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Amr M. H. Saeed,Danghui Wang,Hamas A. M. Alnedhari,Kuizhi Mei,Jihe Wang

DOI: https://doi.org/10.1007/978-3-030-97774-0_12

2022-01-01

Abstract:Botnets are the most commonly used mechanisms for current cyberattacks such as DDoS, ransomware, email spamming, phishing data, etc. Botnets deploy the Domain Generation Algorithm (DGA) to conceal domain names of Command & Control (C&C) servers by generating several fake domain names. A sophisticated DGA can circumvent the traditional detection methods and successfully communicate with the C&C. Several detection methods like DNS sinkhole, DNS filtering and DNS logs analysis have been intensively studied to neutralize DGA. However, these methods have a high noise rate and require a massive amount of computational resources. To tackle this issue, several researchers leveraged Machine learning (ML) and Deep Learning (DL) algorithms to develop lightweight and cost-effective detection methods. The purpose of this paper is to investigate and evaluate the DGA detection methods based on ML/DL published in the last three years. After analyzing the relevant literature strengths and limitations, we conclude that low detection speed, encrypted DNS sensitivity, data imbalance sensitivity, and low detection accuracy with variant or unknown DGA are most likely the current research trends and opportunities. As far as we know, this survey is the first of its kind to discuss DGA detection techniques based on ML/DL in-depth, as well as analysis of their limitations and future trends.

Nguyen Tan Cam,Nguyen Ngoc Man

DOI: https://doi.org/10.1007/s10586-024-04363-0

2024-03-29

Cluster Computing

Abstract:Recent developments in information technology have brought numerous benefits but have also created risks for information security. One notable threat is the domain generated by the algorithm (DGA) technique used by botnets, which allows them to automatically generate and register multiple domains to evade detection and control from network security systems. To address this issue, we conducted research on a domain classification model specific to botnet-generated domains. We developed three domain classification models: bigrams, long short-term memory networks (LSTM), and a combination of LSTM and one-hot encoding. In this study, we implemented an ensemble model using a domain classification system, named UIT-DGADetector. To optimize the system, we employed Kafka to queue and streamline the requests, thereby reducing the load on the classification server. The deployed system operates well and achieves a high accuracy rate in predicting the domain types. However, this model still has limitations in predicting Word-based DGA botnets. The process must be optimized to reduce the waiting time in the queue. This study aims to contribute to network security and information protection, particularly by addressing the issue of DGA botnets.

computer science, information systems, theory & methods

Noura Fahad Almujahid,Mohd Anul Haq,Mohammed Alshehri

DOI: https://doi.org/10.7717/peerj-cs.2131

2024-06-24

PeerJ Computer Science

Abstract:The advent of Internet technologies has resulted in the proliferation of electronic trading and the use of the Internet for electronic transactions, leading to a rise in unauthorized access to sensitive user information and the depletion of resources for enterprises. As a consequence, there has been a marked increase in phishing, which is now considered one of the most common types of online theft. Phishing attacks are typically directed towards obtaining confidential information, such as login credentials for online banking platforms and sensitive systems. The primary objective of such attacks is to acquire specific personal information to either use for financial gain or commit identity theft. Recent studies have been conducted to combat phishing attacks by examining domain characteristics such as website addresses, content on websites, and combinations of both approaches for the website and its source code. However, businesses require more effective anti-phishing technologies to identify phishing URLs and safeguard their users. The present research aims to evaluate the effectiveness of eight machine learning (ML) and deep learning (DL) algorithms, including support vector machine (SVM), k-nearest neighbors (KNN), random forest (RF), Decision Tree (DT), Extreme Gradient Boosting (XGBoost), logistic regression (LR), convolutional neural network (CNN), and DL model and assess their performances in identifying phishing. This study utilizes two real datasets, Mendeley and UCI, employing performance metrics such as accuracy, precision, recall, false positive rate (FPR), and F-1 score. Notably, CNN exhibits superior accuracy, emphasizing its efficacy. Contributions include using purpose-specific datasets, meticulous feature engineering, introducing SMOTE for class imbalance, incorporating the novel CNN model, and rigorous hyperparameter tuning. The study demonstrates consistent model performance across both datasets, highlighting stability and reliability.

computer science, information systems, artificial intelligence, theory & methods

Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera,Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera

DOI: https://doi.org/10.1145/3339252.3339258

2019-08-26

Abstract:Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.

Reynier Leyva La O,Carlos A. Catania,Tatiana Parlanti

2024-11-06

Abstract:This work analyzes the use of large language models (LLMs) for detecting domain generation algorithms (DGAs). We perform a detailed evaluation of two important techniques: In-Context Learning (ICL) and Supervised Fine-Tuning (SFT), showing how they can improve detection. SFT increases performance by using domain-specific data, whereas ICL helps the detection model to quickly adapt to new threats without requiring much retraining. We use Meta's Llama3 8B model, on a custom dataset with 68 malware families and normal domains, covering several hard-to-detect schemes, including recent word-based DGAs. Results proved that LLM-based methods can achieve competitive results in DGA detection. In particular, the SFT-based LLM DGA detector outperforms state-of-the-art models using attention layers, achieving 94% accuracy with a 4% false positive rate (FPR) and excelling at detecting word-based DGA domains.

Computation and Language,Cryptography and Security

Hamed Alqahtani,Gulshan Kumar

DOI: https://doi.org/10.1016/j.engappai.2024.109410

IF: 8

2024-10-06

Engineering Applications of Artificial Intelligence

Abstract:This comprehensive review navigates the complex domain of Domain Generation Algorithms (DGAs) and their detection using Artificial Intelligence (AI), revealing both opportunities and challenges in the evolving cybersecurity landscape. AI techniques have significantly advanced DGA detection, with recent advancements in machine learning and deep learning models demonstrating promising results. For instance, deep learning models have achieved up to 95% accuracy in detecting DGA-generated domains, representing a substantial improvement over traditional methods. Despite these advancements, ethical considerations and the constant evolution of DGA techniques present ongoing challenges. The review highlights key obstacles in the DGA detection landscape, such as the dynamic nature of algorithms, polymorphic DGAs, data imbalance, and limitations in real-time detection. It proposes a detailed classification framework to provide researchers and practitioners with in-depth insights into the practical applications and limitations of DGA detection solutions. The study contributes by identifying the potential of various techniques, proposing a taxonomy for organizing these methods, and offering a thorough review of the AI-based DGA detection literature. A comparative analysis of AI techniques evaluates their effectiveness, with findings showing that ensemble methods and hybrid models have improved detection performance by 10%–15% over single-model approaches. Future research directions are emphasized, focusing on enhancing accuracy, interpretability, and resilience against adversarial threats. Key areas for exploration include adversarial techniques in DGA generation, the development of robust defenses, the incorporation of continuous learning techniques, and improving interpretability for practical implementation. Building trust in AI-based DGA detection systems remains crucial for their successful deployment in an increasingly adaptive cybersecurity landscape.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Arthur Drichel,Benedikt Holmes,Justus von Brandt,Ulrike Meyer

DOI: https://doi.org/10.1145/3474374.3486915

2021-09-24

Abstract:Domain generation algorithms (DGAs) prevent the connection between a botnet and its master from being blocked by generating a large number of domain names. Promising single-data-source approaches have been proposed for separating benign from DGA-generated domains. Collaborative machine learning (ML) can be used in order to enhance a classifier's detection rate, reduce its false positive rate (FPR), and to improve the classifier's generalization capability to different networks. In this paper, we complement the research area of DGA detection by conducting a comprehensive collaborative learning study, including a total of 13,440 evaluation runs. In two real-world scenarios we evaluate a total of eleven different variations of collaborative learning using three different state-of-the-art classifiers. We show that collaborative ML can lead to a reduction in FPR by up to 51.7%. However, while collaborative ML is beneficial for DGA detection, not all approaches and classifier types profit equally. We round up our comprehensive study with a thorough discussion of the privacy threats implicated by the different collaborative ML approaches.

Cryptography and Security,Machine Learning

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/sym14112304

2022-11-04

Symmetry

Abstract:One of the most significant issues facing internet users nowadays is malware. Polymorphic malware is a new type of malicious software that is more adaptable than previous generations of viruses. Polymorphic malware constantly modifies its signature traits to avoid being identified by traditional signature-based malware detection models. To identify malicious threats or malware, we used a number of machine learning techniques. A high detection ratio indicated that the algorithm with the best accuracy was selected for usage in the system. As an advantage, the confusion matrix measured the number of false positives and false negatives, which provided additional information regarding how well the system worked. In particular, it was demonstrated that detecting harmful traffic on computer systems, and thereby improving the security of computer networks, was possible using the findings of malware analysis and detection with machine learning algorithms to compute the difference in correlation symmetry (Naive Byes, SVM, J48, RF, and with the proposed approach) integrals. The results showed that when compared with other classifiers, DT (99%), CNN (98.76%), and SVM (96.41%) performed well in terms of detection accuracy. DT, CNN, and SVM algorithms' performances detecting malware on a small FPR (DT = 2.01%, CNN = 3.97%, and SVM = 4.63%,) in a given dataset were compared. These results are significant, as malicious software is becoming increasingly common and complex.

Johan Note,Maaruf Ali

DOI: https://doi.org/10.33166/aetic.2022.03.003

2022-07-01

Annals of Emerging Technologies in Computing

Abstract:Attacks against computer networks, “cyber-attacks”, are now common place affecting almost every Internet connected device on a daily basis. Organisations are now using machine learning and deep learning to thwart these types of attacks for their effectiveness without the need for human intervention. Machine learning offers the biggest advantage in their ability to detect, curtail, prevent, recover and even deal with untrained types of attacks without being explicitly programmed. This research will show the many different types of algorithms that are employed to fight against the different types of cyber-attacks, which are also explained. The classification algorithms, their implementation, accuracy and testing time are presented. The algorithms employed for this experiment were the Gaussian Naïve-Bayes algorithm, Logistic Regression Algorithm, SVM (Support Vector Machine) Algorithm, Stochastic Gradient Descent Algorithm, Decision Tree Algorithm, Random Forest Algorithm, Gradient Boosting Algorithm, K-Nearest Neighbour Algorithm, ANN (Artificial Neural Network) (here we also employed the Multilevel Perceptron Algorithm), Convolutional Neural Network (CNN) Algorithm and the Recurrent Neural Network (RNN) Algorithm. The study concluded that amongst the various machine learning algorithms, the Logistic Regression and Decision tree classifiers all took a very short time to be implemented giving an accuracy of over 90% for malware detection inside various test datasets. The Gaussian Naïve-Bayes classifier, though fast to implement, only gave an accuracy between 51-88%. The Multilevel Perceptron, non-linear SVM and Gradient Boosting algorithms all took a very long time to be implemented. The algorithm that performed with the greatest accuracy was the Random Forest Classification algorithm.

Xin Fang,Xiaoqing Sun,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.48550/arXiv.2009.09959

2020-09-21

Abstract:DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

Cryptography and Security

Malak Aljabri,Fahd Alhaidari,Rami Mustafa A Mohammad,Samiha Mirza,Dina H Alhamed,Hanan S Altamimi,Sara Mhd Bachar Chrouf

DOI: https://doi.org/10.1155/2022/3241216

2022-08-25

Abstract:The World Wide Web services are essential in our daily lives and are available to communities through Uniform Resource Locator (URL). Attackers utilize such means of communication and create malicious URLs to conduct fraudulent activities and deceive others by creating deceptive and misleading websites and domains. Such threats open the doors for many critical attacks such as spams, spyware, phishing, and malware. Therefore, detecting malicious URL is crucially important to prevent the occurrence of many cybercriminal activities. In this study, we examined a set of machine learning (ML) and deep learning (DL) models to detect malicious websites using a dataset comprising 66,506 records of URLs. We engineered three different types of features including lexical-based, network-based and content-based features. To extract the most discriminative features in the dataset, we applied several features selection algorithms, namely, correlation analysis, Analysis of Variance (ANOVA), and chi-square. Finally, we conducted a comparative performance evaluation for several ML and DL models considering set of criteria commonly used to evaluate such models. Results depicted that Naïve Bayes (NB) was the best model for detecting malicious URLs using the applied data with an accuracy of 96%. This research has made contribution to the field by conducting significant features engineering and analysis to identify the best features for malicious URLs predictions, compare different models and achieve a high accuracy using a large new URL dataset.

Qianying Shen,Futai Zou

DOI: https://doi.org/10.1007/978-3-030-63086-7_3

2020-01-01

Abstract:Domain generation algorithms (DGA) are widely used by malware families to realize remote control. Researchers have tried to adopt deep learning methods to detect algorithmically generated domains (AGD) automatically based on only domain strings alone. Usually, such methods analyze the structure and semantic features of domain strings since simple AGDs show great difference in these two aspects. Among various types of AGDs, dictionary-based AGDs are unique for its semantic similarity to normal domains, which makes such detections based on only domain strings difficult. In this paper, we observe that the relationship between domains generated based on a same dictionary shows graphical features. We focus on the detection of dictionary-based AGDs and proposes Word-Map which is based on community detection algorithm to detect dictionary-based AGDs. Word-Map achieved an accuracy above 98.5% and recall rate above 99.0% on testing sets.

Wei Wu,Jaime Alvarez,Chengcheng Liu,Hung-Min Sun

DOI: https://doi.org/10.1007/s00542-016-3237-0

2016-01-01

Microsystem Technologies

Abstract:This research focuses on bot detection through implementation of techniques such as traffic analysis, unsupervised machine learning, and similarity analysis between benign traffic data and bot traffic data. In this study, we tested and experimented with different clustering algorithms and recorded their accuracy with our prepared datasets. Later, the best clustering algorithm was used to proceed with the next steps of the methodology such as determination of majority clusters (cluster with most flows), removal of duplicate flows, and calculation of similarity analysis. Results were recorded for the removal of duplicate flows stage, the results indicate how many flows each majority cluster contains and how many duplicate flows were removed from this majority cluster. Next, results for similarity analysis indicate the value of the similarity coefficient for the comparisons between all datasets (bot datasets and benign dataset). With these results we can present some heuristic conclusion for determining possible bot infection in a certain host.

Heba M. Fadhil,Noor Q. Makhool,Muna M. Hummady,Zinah O. Dawood,,,,

DOI: https://doi.org/10.54216/jcim.090106

2022-01-01

Journal of Cybersecurity and Information Management

Abstract:Botnet detection develops a challenging problem in numerous fields such as order, cybersecurity, law, finance, healthcare, and so on. The botnet signifies the group of co-operated Internet connected devices controlled by cyber criminals for starting co-ordinated attacks and applying various malicious events. While the botnet is seamlessly dynamic with developing counter-measures projected by both network and host-based detection techniques, the convention techniques are failed to attain sufficient safety to botnet threats. Thus, machine learning approaches are established for detecting and classifying botnets for cybersecurity. This article presents a novel dragonfly algorithm with multi-class support vector machines enabled botnet detection for information security. For effectual recognition of botnets, the proposed model involves data pre-processing at the initial stage. Besides, the model is utilized for the identification and classification of botnets that exist in the network. In order to optimally adjust the SVM parameters, the DFA is utilized and consequently resulting in enhanced outcomes. The presented model has the ability in accomplishing improved botnet detection performance. A wide-ranging experimental analysis is performed and the results are inspected under several aspects. The experimental results indicated the efficiency of our model over existing methods.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/s23020946

IF: 3.9

2023-01-14

Sensors

Abstract:This research study mainly focused on the dynamic malware detection. Malware progressively changes, leading to the use of dynamic malware detection techniques in this research study. Each day brings a new influx of malicious software programmes that pose a threat to online safety by exploiting vulnerabilities in the Internet. The proliferation of harmful software has rendered manual heuristic examination of malware analysis ineffective. Automatic behaviour-based malware detection using machine learning algorithms is thus considered a game-changing innovation. Threats are automatically evaluated based on their behaviours in a simulated environment, and reports are created. These records are converted into sparse vector models for use in further machine learning efforts. Classifiers used to synthesise the results of this study included kNN, DT, RF, AdaBoost, SGD, extra trees and the Gaussian NB classifier. After reviewing the test and experimental data for all five classifiers, we found that the RF, SGD, extra trees and Gaussian NB Classifier all achieved a 100% accuracy in the test, as well as a perfect precision (1.00), a good recall (1.00), and a good f1-score (1.00). Therefore, it is reasonable to assume that the proof-of-concept employing autonomous behaviour-based malware analysis and machine learning methodologies might identify malware effectively and rapidly.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yuchen Liang,Yanan Cheng,Zhaoxin Zhang,Tingting Chai,Chao Li

DOI: https://doi.org/10.3390/app13064061

2023-01-01

Applied Sciences

Abstract:Detecting and controlling illegal websites (gambling and pornography sites) through illegal domain names has been an unsolved problem. Therefore, how to mine and discover potential illegal domain names in advance has become a current research hotspot. This paper studies a method of generating illegal domain names based on the character similarity of domain name structure. Firstly, the K-means algorithm classified illegal domain names with similar structures. Then, put the classified clusters into the adversarial generative network for training. Finally, through a specific result verification method, the experiment shows that the average concentration of the generation algorithm is 23.82%, the effective concentration is 63.54%, and the expansion rate is 7.5. By comparing the results with the enumeration algorithm, the generation algorithm has greatly improved in terms of generation efficiency and accuracy.

Haoran Jiao,Qing Wang,Zhaoshan Fan,Junrong Liu,Dan Du,Ning Li,Yuling Liu

DOI: https://doi.org/10.1109/icccn54977.2022.9868932

2022-01-01

Abstract:Nowadays, malware uses Algorithmically Generated Domains (AGDs) to establish communication with Command and Control (C&C) servers. Dictionary based Domain Generation Algorithm (DGA) selects words from the frequently changed dictionaries to generate AGDs similar to benign domains, which degrades the accuracy of string based detection method. To combat this, we propose a DGA detection method based on DomainGraph and GCN (Graph Convolutional Network) which detects cross-dictionary AGDs based on the association relation between domains instead of lexical features. Starting from the association relation between domains rather than the lexical features of the domain itself, we can detect the unknown AGDs from a known AGD, regardless of the DGA dictionary they use. The proposed method exploits the fact that string association of benign domains is weak, while AGDs' association is strong. DGGCN composes a domain segmentation method, constructs a graph composed of domains (DomainGraph) based on segmentations and adopts GCN to detect AGDs. We conduct the experiments on public datasets under three settings: detecting AGDs generated by familiar dictionaries, unfamiliar dictionaries and confusing dictionaries. The results reveal that DGGCN can detect cross-dictionary AGDs similar to benign domains more accurately and robustly.