Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Xin Fang,Xiaoqing Sun,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.48550/arXiv.2009.09959

2020-09-21

Abstract:DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

Cryptography and Security

Yang Chen,Shuai Zhang,Jing Liu,Bo Li

DOI: https://doi.org/10.1109/smartcloud.2018.00039

2018-01-01

Abstract:Domain generation algorithms, called DGAs, are used to generate a lot of pseudo-random domain names. The malware can connect to a command & control(C2) server through these domains, which will cause large threats to network security. Most of previous researches are based on large sets of domains or manual feature extractions. To tackle this issue, current studies pay more attention to deep learning, such as LSTM. However, it is difficult to learn reasonable expression when the domain is long. In this paper, we propose a LSTM model incorporating with attention mechanism, in which attention will focus on more important substrings in domains and improve the expression of domains. The experimental results in real-life datasets demonstrate our model has a priority in both false alarm rate decreased to 1.29% and false negative rate reduced to 0.76%. Furthermore, our model also has a better performance in multilabel detection.

yongzheng zhang,jun xiao

DOI: https://doi.org/10.1007/978-3-662-43908-1_17

2014-01-01

Abstract:To achieve the goals of concealment and migration, some Bot Nets, such as Conficker, Srizbis and Torpig, use Domain Generation Algorithm (DGA) to produce a large number of random domain names dynamically. Then a small subset of these domain names would be selected for actual C&C. Compared with normal domain names, these domain names generated by DGA have significant difference in length, character frequency, etc. Current researches mainly use clustering-classification methods to Detect abnormal domain name. Some of them use NXDomain traffic clustering, other researches based on the classification of string features, such as the distribution of alphanumeric characters and bigram. In fact, domain name has strict hierarchy and each domain level has particular regularities. In this paper, the hierarchical characteristic is introduced into the detection process. We divide the domain name into distinct levels and calculate the characteristic value separately. In each level, we use entropy, bigram and length detections. Because of different efficiency in levels, we design the weigh for each level based on their efficiency. Finally, the level characteristic value of domain name is the weighted average value of levels. Our experiments show that the accuracy of the level-based method is higher than 94 %.

Yu Chen,Sheng Yan,Tianyu Pang,Rui Chen

DOI: https://doi.org/10.1109/SSIC.2018.8556788

2018-01-01

Abstract:Domain Generation Algorithm (DGA) technique has been widely used by botnets as a covert command and control (C &C) channel of issuing control or attack commands through various DGA domains. This method can evade blacklisting detection and bring new challenges to the current detection method. This paper extracts feature set which is helpful to differentiate between malicious DGA domains and benign domains, and uses the Support Vector Machine (SVM) algorithm to train the detection model. Experimental results demonstrate that the detection method proposed in this paper is powerful with a high true positive rate 95% and a low false positive rate 1%.

Xiaodong Zang,Jianbo Cao,Xinchang Zhang,Jian Gong,Guiqing Li

DOI: https://doi.org/10.1007/s11235-023-01073-7

2024-01-01

Telecommunication Systems

Abstract:Botnets are one of the major threats to network security nowadays. To carry out malicious actions remotely, they heavily rely on Command and Control channels. DGA-based botnets use a domain generation algorithm to generate a significant number of domain names. By analyzing the linguistic distinctions between legitimate and DGA-based domain names, traditional machine learning schemes obtain great benefits. However, it is difficult to identify the ones based on wordlists or pseudo-random generated. Accordingly, this paper proposes an efficient CNN-LSTM-based detection model (BotDetector) that uses only a set of simple-to-compute, easy-to-compute character features. We evaluate our model with two open-source benchmark datasets (360 netlab, Bambenek) and real DNS traffic from the China Education and Research Network. Experimental results demonstrate that our algorithm improves by 1.6 % in terms of accuracy and F1-score and reduces the computation time by 9.4 % compared to other state-of-the-art alternatives. Remarkably, our work can identify botnet’s covert communication channels that use domain names based on word lists or pseudo-random generation without any help of reverse engineering.

Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera,Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera

DOI: https://doi.org/10.1145/3339252.3339258

2019-08-26

Abstract:Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.

Xiaochun Yun,Ji Huang,Yipeng Wang,Tianning Zang,Yuan Zhou,Yongzheng Zhang

DOI: https://doi.org/10.1109/tifs.2019.2960647

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:A botnet is a network of remote-controlled devices that are infected with malware controlled by botmasters in order to launch cyber attacks. To evade detection, the botmaster frequently changes the domain name of his Command and Control (C&C) server. Notice that most of these types of domain names are generated by domain generation algorithms (DGAs). In this paper, we propose Khaos, a novel DGA with high anti-detection ability based on neural language models and the Wasserstein Generative Adversarial Network (WGAN). The key insight of our research is that real domain names are composed of readable syllables and acronyms, and thus we can arrange syllables and acronyms using neural language models to mimic real domain names. In Khaos, we first find the most common n-grams in real domain names, then tokenize these domain names into n-grams, and finally synthesize new domain names after learning arrangements of n-grams from real domain names. We carry out experiments using a variety of state-of-the-art DGA detection approaches: the statistics-based, the distribution-based, the LSTM-based and the graph-based detection approach. Our experimental results show that the average distance for detecting Khaos under the distribution-based detection approach is 0.64, the AUCs of Khaos under the statistics-based and the LSTM-based detection approach are 0.76 and 0.57, respectively, and the precision of Khaos under the graph-based detection approach is 0.68. Our work proves that the existing detection approaches have big troubles in detecting Khaos, and Khaos has better anti-detection ability than state-of-the-art DGAs. In addition, we find that training the existing detection approach on a dataset including the domain names generated by Khaos can improve its detection ability.

Amr M. H. Saeed,Danghui Wang,Hamas A. M. Alnedhari,Kuizhi Mei,Jihe Wang

DOI: https://doi.org/10.1007/978-3-030-97774-0_12

2022-01-01

Abstract:Botnets are the most commonly used mechanisms for current cyberattacks such as DDoS, ransomware, email spamming, phishing data, etc. Botnets deploy the Domain Generation Algorithm (DGA) to conceal domain names of Command & Control (C&C) servers by generating several fake domain names. A sophisticated DGA can circumvent the traditional detection methods and successfully communicate with the C&C. Several detection methods like DNS sinkhole, DNS filtering and DNS logs analysis have been intensively studied to neutralize DGA. However, these methods have a high noise rate and require a massive amount of computational resources. To tackle this issue, several researchers leveraged Machine learning (ML) and Deep Learning (DL) algorithms to develop lightweight and cost-effective detection methods. The purpose of this paper is to investigate and evaluate the DGA detection methods based on ML/DL published in the last three years. After analyzing the relevant literature strengths and limitations, we conclude that low detection speed, encrypted DNS sensitivity, data imbalance sensitivity, and low detection accuracy with variant or unknown DGA are most likely the current research trends and opportunities. As far as we know, this survey is the first of its kind to discuss DGA detection techniques based on ML/DL in-depth, as well as analysis of their limitations and future trends.

You Zhai,Liqun Yang,Jian Yang,Longtao He,Zhoujun Li

DOI: https://doi.org/10.3390/electronics12030736

IF: 2.9

2023-01-01

Electronics

Abstract:Due to the outstanding performance of deep neural networks (DNNs), many researchers have begun to transfer deep learning techniques to their fields. To detect algorithmically generated domains (AGDs) generated by domain generation algorithm (DGA) in botnets, a long short-term memory (LSTM)-based DGA detector has achieved excellent performance. However, the previous DNNs have found various inherent vulnerabilities, so cyberattackers can use these drawbacks to deceive DNNs, misleading DNNs into making wrong decisions. Backdoor attack as one of the popular attack strategies strike against DNNs has attracted widespread attention in recent years. In this paper, to cheat the LSTM-based DGA detector, we propose BadDGA, a backdoor attack against the LSTM-based DGA detector. Specifically, we offer four backdoor attack trigger construction methods: TLD-triggers, Ngram-triggers, Word-triggers, and IDN-triggers. Finally, we evaluate BadDGA on ten popular DGA datasets. The experimental results show that under the premise of 1‰ poisoning rate, our proposed backdoor attack can achieve a 100% attack success rate to verify the effectiveness of our method. Meanwhile, the model’s utility on clean data is influenced slightly.

Chunyu Han,Yongzheng Zhang

DOI: https://doi.org/10.1109/iccsnt.2017.8343724

2017-01-01

Abstract:Domain plays an important role as one of the components on the Internet, so more and more malicious behavior has been conducted by using domains, such as spam, botnet, phishing and the like. DGA (Domain Generation Algorithm), one kind of DNS technology, has been used by domain-flux commonly in botnets. In this paper, we propose a method called CODDULM (C&c domains Of Dga Detection Using Lexical feature and sparse Matrix). Firstly, it finds the NXDomains (Non-existent domains) on the passive DNS traffic to locate the suspicious infected hosts. Secondly, it selects DGA domains by lexical features according to suspicious infected hosts. Lastly, it discovers DGA C&C (Command and Control) domains through SVM (Support Vector Machine algorithm) classifier. At the end of this paper, we conduct the experiment to verify the effect of the method and the high accuracy of it.

Mingkai Tong,Guo Li,Runzi Zhang,Jianxin Xue,Wenmao Liu,Jiahai Yang

DOI: https://doi.org/10.1109/trustcom50675.2020.00070

2020-01-01

Abstract:Domain-Flux technique has been widely used by attackers to maintain a botnet for many years and the core of it is the adoption of domain generation algorithm (DGA). To combat attackers, there are lots of works in DGA domain detection area recently. But they usually collect quite limited data and conduct experiments in a closed dataset, meaning that the DGA data and the benign data they collected can not well represent the real distribution between them. Moreover, they handle the domains roughly and use the origin data to train the classifier directly, which is also not adequate to classify these two types of domains with lots of false positives and false negatives happening during the real-world deployment. In this paper, we conduct the first large-scale DGA domain analysis in traffic level and argue that the preprocessing stage is also vital for the final classifier, which is usually ignored by the existing works. We collect the largest amount of DGA domain data than prior works and collect DNS log offered by a big company, whose DNS data covers most important industries in China. Based on this data, we analyze the distribution of DGA domains in traffic and give quantifiable results showing that NXDomain (domain not exist) is more suitable for DGA detection. Moreover, we give detailed preprocessing steps to handle the original domains. Our experiment shows that with the preprocessing stage mentioned above, classifier performs better in DGA detection task. Our research indicates that improving the classification algorithm is far from enough in DGA detection and the preprocessing stage is also the key component in bringing the DGA detection methods from lab to product.

Luhui Yang,Guangjie Liu,Jinwei Wang,Huiwen Bai,Jiangtao Zhai,Yuewei Dai

DOI: https://doi.org/10.1016/j.jisa.2021.102933

IF: 4.96

2021-09-01

Journal of Information Security and Applications

Abstract:Detecting malicious domain names generated by domain generation algorithms is critical for defending the network against sophisticated attacks. In the past decade, deep-learning-based detection schemes have proven to be the most effective. However, each of these schemes requires sufficient computation time, which makes it difficult for real-time online detection. In this paper, we propose a real-time malicious domain name detection system which is called fast3DS. The proposed system contains a lightweight full-convolutional detection model, as well as a detection pipeline that contains multiple efficient schemes for high-speed data acquisition, filtering, and inference. The proposed detection model uses a parallel depthwise convolutional architecture to replace the standard convolution layer, and a lightweight global average pooling connection architecture is proposed to replace the fully connected layer, which can effectively reduce the parameters and computation time. To compensate for the decrease in accuracy due to model lightweighting, a lightweight attention mechanism is proposed to improve the accuracy of model detection. The proposed detection pipeline employs some industry-leading network traffic processing architecture and deep learning inference acceleration architecture, which can fully utilize the CPU for processing and computing. The experimental results denote that the proposed detection scheme can achieve accuracy close to the state-of-the-art with significantly fewer parameters, and the system can substantially improve the processing capability compared to the conventional detection system.

computer science, information systems

Xiaoyan Hu,Di Li,Miao Li,Guang Cheng,Ruidong Li,Hua Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110770

IF: 5.493

2024-01-01

Computer Networks

Abstract:Many cyber-attacks use Algorithmically Generated Domain (AGD) names to establish connections with command and control servers for subsequent attack behaviors. Identifying and blocking such AGDs helps detect and prevent attacks quickly. Traditional machine or deep learning detection methods rely only on individual domain features and face challenges in accurately distinguishing AGDs that attackers have crafted to evade detection. Thus, researchers leverage the inherent associated features among domains, clients, and resolved IP addresses to detect AGDs. In such research, heterogeneous graph neural networks are extensively employed. However, most existing methods rely on associated features, leading to inaccurate detection of isolated domain nodes. Besides, most existing detection methods employ transductive learning and are time-consuming. This paper proposes an AGD detection method, AHDom, to address these challenges. AHDom models DNS traffic as a Heterogeneous Information Network (HIN) to capture the intricate relationships between domains, clients, and resolved IP addresses. Besides, it extracts character and behavior features as initial attributes of domains to obtain an Attribute HIN (AHIN), enhancing the detection accuracy of isolated domain nodes. Based on the AHIN, it combines meta-path random walk, the inductive learning algorithm GraphSAGE, and the attention mechanism to obtain effective embedding representations of domain nodes. Ultimately, it achieves domain classification based on embedding representations of domain nodes. Our experimental results demonstrate that AHDom is superior to state-of-the-art methods in the performance and efficiency of detecting AGDs. AHDom achieves an average accuracy of 98.74% on our constructed dataset and costs only about 30.23% of the existing best graph neural network approach in the testing time.

Kate Highnam,Domenic Puzio,Song Luo,Nicholas R. Jennings

DOI: https://doi.org/10.48550/arXiv.2003.12805

2020-03-28

Abstract:Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the `bagging` model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F1 score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large financial enterprise. In four hours of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.

Cryptography and Security,Machine Learning

Dinh-Tu Truong,Guang Cheng,Ahmad Jakalan,Xiaojun Guo,Aiping Zhou

DOI: https://doi.org/10.6138/jit.2016.17.2.20150811

2016-01-01

Abstract:Modern botnets such as Zeus, Conficker have started employing a technique called domain fluxing to prevent a naive blacklisting approach employed by network administrators. Domain fluxing hots generate a list of Pseudo-Random Domain names (PRD) or base on a predefined algorithm, called Domain name Generation Algorithm (DGA) for botnet operators to command and control (C&C) their hots. It is a pressing issue today to prevent or least reduce their destructive actions. In this paper, we focus on detecting domain-flux botnet within the monitored network based on DNS traffic features. First, we present a method to identify bot-infected machines based on the similar periodic time intervals series of DNS queries. Then, in order to detect C&C Server, we monitor the stream of active DNS queries from bot-infected machines, and introduce a method to extract related feature values aiming to distinguish bot-generated domain names from human generated ones base on a classifier model that we previously trained. We use five various machine learning algorithms to train classifier models and evaluate the effectiveness of detection. The experimental results showed that the proposed method achieves the highest detection efficiency for decision trees algorithms (J48) with the average overall accuracy up to 98.5% and false positive rate is 1.2%.

Huiju Lee,Jeong Do Yoo,Seonghoon Jeong,Huy Kang Kim

DOI: https://doi.org/10.1109/access.2024.3454242

IF: 3.9

2024-09-10

IEEE Access

Abstract:Attackers are known to utilize domain generation algorithms (DGAs) to generate domain names for command and control (C&C) servers and facilitate the distribution of uniform resource locators within malicious software. DGAs pose a significant threat to cybersecurity owing to their ability to dynamically generate unpredictable domain names. Extensive research is currently underway to detect the domain names created using DGAs. However, the high false positive rates when handling benign domain names in non-English languages pose a challenge. Thus, this study proposes a DGA detection method that effectively embeds non-English domain names to focus on Chinese domain names, which are referred to as domain names composed of Pinyin. The proposed method segments domain names into meaningful subwords for effective vector representation. Consequently, the FastText model learns the context information of the segmented subwords and embeds the domain name. Further, the deep learning-based detection model learns the vectorized domain names and determines whether a particular domain name is DGA-generated. We labeled the Chinese domain names among the benign domain names for our experiment. The experimental results show that the proposed method outperforms existing methods across all performance metrics on the entire test dataset. Notably, the proposed method minimizes the false positive rate, thereby enhancing detection reliability. In addition, it exhibits high performance, achieving a recall of 0.9873 and 0.9886 for Chinese and English domain names, respectively. This demonstrates that the proposed method consistently delivers high performance across various metrics and languages.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoqing Sun,Jiahai Yang,Zhiliang Wang,Heng Liu

DOI: https://doi.org/10.1109/noms47738.2020.9110462

2020-01-01

Abstract:As a fundamental component of the Internet, Domain Name System (DNS) is widely abused by attackers in various cybercrimes, making malicious domain detection an essential task in network defenses. However, some well-crafted attacks with tricky techniques can not only bypass blacklists but also make some machine learning-based detection systems infeasible. In this paper, we design HGDom, an accurate and robust malicious domain detection system based on a heterogeneous graph convolutional network method. First, we jointly analyze domain features as well as the complex relations among domains, clients, and IP addresses. To capture richer information, we introduce a Heterogeneous Information Network (HIN) to model the DNS scene. Then, we propose a novel representation method named MAGCN. With a meta-path-based attention mechanism, it can handle node features and the graph structure in HIN at the same time. To our best knowledge, this is the first work to apply GCN in cyber security analysis. Comprehensive experiments over DNS data from TUNET and CERNET2 are conducted to validate the effectiveness and superiority of our proposed methods. The comparison results show that HGDom outperforms state-of-the-art approaches with promising performance. Besides, the system is decided to be deployed in production to assist with network security management for CERNET2.

Xiaoyan Hu,Hao Chen,Miao Li,Guang Cheng,Ruidong Li,Hua Wu,Yali Yuan

DOI: https://doi.org/10.1109/tifs.2023.3293956

IF: 7.231

2023-08-05

IEEE Transactions on Information Forensics and Security

Abstract:Botnets extensively leverage Domain Generation Algorithms (DGAs) to establish reliable communication channels between bots and Command and Control (C&C) servers. Numerous character-level DGA classifiers have been extensively studied to detect and classify domain names generated by DGAs. Meanwhile, a series of adversarial domain generation algorithms have been proposed to evade DGA classifiers. Although the existing domain name generation algorithms have progressed against DGA classifier, their anti-detection abilities are still weak. This paper proposes a Bidirectional Long Short-Term Memory (BiLSTM) network-based adversarial DGA with high anti-detection ability, referred to as ReplaceDGA. ReplaceDGA requires no knowledge of the targeted DGA classifiers. It first builds a prediction model for benign domain names using the BiLSTM network to model the semantic relationship hidden within benign domain names and then replaces two characters of each input benign domain name based on the prediction model to maximize the similarity between the benign and generated domain names. Our experimental results validate that ReplaceDGA successfully evades various character-level DGA classifiers even after they are retrained by domain names generated by ReplaceDGA and outperforms the state-of-the-art adversarial DGAs in anti-detection ability, repetition rate, and collision rate. Our study of ReplaceDGA promotes the urgent need for developing more comprehensive and robust DGA classifiers that consider other factors besides character-level information of domain names.

computer science, theory & methods,engineering, electrical & electronic