Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Mingkai Tong,Xiaoqing Sun,Jiahai Yang,Hui Zhang,Shuang Zhu,Xinran Liu,Heng Liu

DOI: https://doi.org/10.1007/978-3-030-29551-6_41

2019-01-01

Abstract:Modern malware typically uses domain generation algorithm (DGA) to avoid blacklists. However, it still leaks trace by causing excessive Non-existent domain responses when trying to contact with the command and control (C&C) servers. In this paper, we propose a novel system named D3N to detect DGA domains by analyzing NXDomains with deep learning methods. The experiments show that D3N yields 99.7% TPR and 1.9% FPR, outperforming FANCI in both accuracy and efficiency. Besides, our real-world evaluation in a large-scale network demonstrates that D3N is robust in different networks.

Xin Fang,Xiaoqing Sun,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.48550/arXiv.2009.09959

2020-09-21

Abstract:DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

Cryptography and Security

Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao,Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102803

2022-09-01

Abstract:The botnet relies on the Command and Control (C&C) channels to conduct its malicious activities remotely. The Domain Generation Algorithm (DGA) is often used by botnets to hide their Command and Control (C&C) server and evade take-down attempts, which allows the bot to generate a large number of domain names until it finds its C&C server. The lengths of domain names generated by DGAs are different. Our research finds that the length of the domain name has an impact on the performance of the DGA domain name detection model. In other words, the model is sensitive to the length of the domain name. In this case, attackers can evade detection simply by designing domain names of specific lengths. Moreover, the detection accuracy of DGA domain names still needs to be further improved. To solve these problems, three feature extraction methods adapted to the length of the domain name are proposed in this paper. For extra-short domain names, we use the attention-based method to extract features, which can make use of the character-level semantic feature. For moderate-length domain names, a two-dimensional structure, namely Right Shifted Tensor (RST), is constructed to make the domain name present apparent features similar to images. For the extra-long domain name, the effective classification of domain names can be achieved by manually crafted easy-to-calculate features. Then, different detection structures are designed based on these tree feature extraction methods to form a heterogeneous DGA detection model, namely HAGDetector. In addition, the public suffix is an important part of the domain name. We further analyze the public suffix to evaluate its impact on the detection of DGA domain names. Finally, the experiments are conducted to assess the validity of HAGDetector, as well as compare our approach with the current state-of-the-art and highlight the impact of the domain name length. The experimental results show that our method greatly improves the detection performance.

computer science, information systems

Ling Ding,Peng Du,Haiwei Hou,Jian Zhang,Di Jin,Shifei Ding

DOI: https://doi.org/10.1016/j.bdr.2023.100395

IF: 3.3

2023-05-13

Big Data Research

Abstract:One of the severest threats to cyber security is botnet, which typically uses domain names generated by Domain Generation Algorithms (DGAs) to communicate with their Command and Control (C&C) infrastructure. DGA detection and classification play an important role of assisting cyber security researchers to detect botnet C&C servers. However, many of the existing DGA detection models only focus on single scale word embedding method, and very few models are specially designed to extract more effective features for DGA detection from multiple scales word embedding. To alleviate above questions, first we propose a hybrid word embedding method, which combines character level embedding and bigram level embedding to make full use of the domain names information, and then, we design a deep neural network with hybrid embedding method to distinguish DGA domains from known legitimate domains. Finally, we evaluate our hybrid embedding method and the proposed model on ONIST dataset and compare our methods with several state-of-the-art DGA classification methods.

computer science, information systems, artificial intelligence, theory & methods

Huiju Lee,Jeong Do Yoo,Seonghoon Jeong,Huy Kang Kim

DOI: https://doi.org/10.1109/access.2024.3454242

IF: 3.9

2024-09-10

IEEE Access

Abstract:Attackers are known to utilize domain generation algorithms (DGAs) to generate domain names for command and control (C&C) servers and facilitate the distribution of uniform resource locators within malicious software. DGAs pose a significant threat to cybersecurity owing to their ability to dynamically generate unpredictable domain names. Extensive research is currently underway to detect the domain names created using DGAs. However, the high false positive rates when handling benign domain names in non-English languages pose a challenge. Thus, this study proposes a DGA detection method that effectively embeds non-English domain names to focus on Chinese domain names, which are referred to as domain names composed of Pinyin. The proposed method segments domain names into meaningful subwords for effective vector representation. Consequently, the FastText model learns the context information of the segmented subwords and embeds the domain name. Further, the deep learning-based detection model learns the vectorized domain names and determines whether a particular domain name is DGA-generated. We labeled the Chinese domain names among the benign domain names for our experiment. The experimental results show that the proposed method outperforms existing methods across all performance metrics on the entire test dataset. Notably, the proposed method minimizes the false positive rate, thereby enhancing detection reliability. In addition, it exhibits high performance, achieving a recall of 0.9873 and 0.9886 for Chinese and English domain names, respectively. This demonstrates that the proposed method consistently delivers high performance across various metrics and languages.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoyan Hu,Hao Chen,Miao Li,Guang Cheng,Ruidong Li,Hua Wu,Yali Yuan

DOI: https://doi.org/10.1109/tifs.2023.3293956

IF: 7.231

2023-08-05

IEEE Transactions on Information Forensics and Security

Abstract:Botnets extensively leverage Domain Generation Algorithms (DGAs) to establish reliable communication channels between bots and Command and Control (C&C) servers. Numerous character-level DGA classifiers have been extensively studied to detect and classify domain names generated by DGAs. Meanwhile, a series of adversarial domain generation algorithms have been proposed to evade DGA classifiers. Although the existing domain name generation algorithms have progressed against DGA classifier, their anti-detection abilities are still weak. This paper proposes a Bidirectional Long Short-Term Memory (BiLSTM) network-based adversarial DGA with high anti-detection ability, referred to as ReplaceDGA. ReplaceDGA requires no knowledge of the targeted DGA classifiers. It first builds a prediction model for benign domain names using the BiLSTM network to model the semantic relationship hidden within benign domain names and then replaces two characters of each input benign domain name based on the prediction model to maximize the similarity between the benign and generated domain names. Our experimental results validate that ReplaceDGA successfully evades various character-level DGA classifiers even after they are retrained by domain names generated by ReplaceDGA and outperforms the state-of-the-art adversarial DGAs in anti-detection ability, repetition rate, and collision rate. Our study of ReplaceDGA promotes the urgent need for developing more comprehensive and robust DGA classifiers that consider other factors besides character-level information of domain names.

computer science, theory & methods,engineering, electrical & electronic

Ricardo J M Maia,Dustin Ray,Sikha Pentyala,Rafael Dowsley,Martine De Cock,Anderson C A Nascimento,Ricardo Jacobi

DOI: https://doi.org/10.1371/journal.pone.0304476

IF: 3.7

2024-08-28

PLoS ONE

Abstract:Domain Generation Algorithms (DGAs) are used by malware to generate pseudorandom domain names to establish communication between infected bots and command and control servers. While DGAs can be detected by machine learning (ML) models with great accuracy, offering DGA detection as a service raises privacy concerns when requiring network administrators to disclose their DNS traffic to the service provider. The main scientific contribution of this paper is to propose the first end-to-end framework for privacy-preserving classification as a service of domain names into DGA (malicious) or non-DGA (benign) domains. Our framework achieves these goals by carefully designed protocols that combine two privacy-enhancing technologies (PETs), namely secure multi-party computation (MPC) and differential privacy (DP). Through MPC, our framework enables an enterprise network administrator to outsource the problem of classifying a DNS (Domain Name System) domain as DGA or non-DGA to an external organization without revealing any information about the domain name. Moreover, the service provider's ML model used for DGA detection is never revealed to the network administrator. Furthermore, by using DP, we also ensure that the classification result cannot be used to learn information about individual entries of the training data. Finally, we leverage post-training float16 quantization of deep learning models in MPC to achieve efficient, secure DGA detection. We demonstrate that by using quantization achieves a significant speed-up, resulting in a 23% to 42% reduction in inference runtime without reducing accuracy using a three party secure computation protocol tolerating one corruption. Previous solutions are not end-to-end private, do not provide differential privacy guarantees for the model's outputs, and assume that model embeddings are publicly known. Our best protocol in terms of accuracy runs in about 0.22s.

Nguyen Tan Cam,Nguyen Ngoc Man

DOI: https://doi.org/10.1007/s10586-024-04363-0

2024-03-29

Cluster Computing

Abstract:Recent developments in information technology have brought numerous benefits but have also created risks for information security. One notable threat is the domain generated by the algorithm (DGA) technique used by botnets, which allows them to automatically generate and register multiple domains to evade detection and control from network security systems. To address this issue, we conducted research on a domain classification model specific to botnet-generated domains. We developed three domain classification models: bigrams, long short-term memory networks (LSTM), and a combination of LSTM and one-hot encoding. In this study, we implemented an ensemble model using a domain classification system, named UIT-DGADetector. To optimize the system, we employed Kafka to queue and streamline the requests, thereby reducing the load on the classification server. The deployed system operates well and achieves a high accuracy rate in predicting the domain types. However, this model still has limitations in predicting Word-based DGA botnets. The process must be optimized to reduce the waiting time in the queue. This study aims to contribute to network security and information protection, particularly by addressing the issue of DGA botnets.

computer science, information systems, theory & methods

Arthur Drichel,Ulrike Meyer

DOI: https://doi.org/10.1145/3607199.3607231

2023-09-25

Abstract:The problem of revealing botnet activity through Domain Generation Algorithm (DGA) detection seems to be solved, considering that available deep learning classifiers achieve accuracies of over 99.9%. However, these classifiers provide a false sense of security as they are heavily biased and allow for trivial detection bypass. In this work, we leverage explainable artificial intelligence (XAI) methods to analyze the reasoning of deep learning classifiers and to systematically reveal such biases. We show that eliminating these biases from DGA classifiers considerably deteriorates their performance. Nevertheless we are able to design a context-aware detection system that is free of the identified biases and maintains the detection rate of state-of-the art deep learning classifiers. In this context, we propose a visual analysis system that helps to better understand a classifier's reasoning, thereby increasing trust in and transparency of detection methods and facilitating decision-making.

Cryptography and Security,Machine Learning

Baoyu Fan,Han Ma,Yue Liu,Xiaochen Yuan,Wei Ke

DOI: https://doi.org/10.3390/math12050626

IF: 2.4

2024-02-21

Mathematics

Abstract:As the most commonly used attack strategy by Botnets, the Domain Generation Algorithm (DGA) has strong invisibility and variability. Using deep learning models to detect different families of DGA domain names can improve the network defense ability against hackers. However, this task faces an extremely imbalanced sample size among different DGA categories, which leads to low classification accuracy for small sample categories and even classification failure for some categories. To address this issue, we introduce the long-tailed concept and augment the data of small sample categories by transferring pre-trained knowledge. Firstly, we propose the Data Balanced Review Method (DBRM) to reduce the sample size difference between the categories, thus a relatively balanced dataset for transfer learning is generated. Secondly, we propose the Knowledge Transfer Model (KTM) to enhance the knowledge of the small sample categories. KTM uses a multi-stage transfer to transfer weights from the big sample categories to the small sample categories. Furthermore, we propose the Knowledge Distillation Transfer Model (KDTM) to relieve the catastrophic forgetting problem caused by transfer learning, which adds knowledge distillation loss based on the KTM. The experimental results show that KDTM can significantly improve the classification performance of all categories, especially the small sample categories. It can achieve a state-of-the-art macro average F1 score of 84.5%. The robustness of the KDTM model is verified using three DGA datasets that follow the Pareto distributions.

mathematics

Rui Pan,Jian Chen,Hanyuan Ma,Xiaoshan Bai

DOI: https://doi.org/10.1109/icis54925.2022.9882343

2022-01-01

Abstract:The detection of DGA domain name has become a central topic in network security in recent years. With DGA (Domain Generation Algorithm), a large number of pseudo-random domain names could be generated and used in DDoS (Distributed Denial of Service) attacks, reflection amplification attacks and other network attacks. Traditional deep learning algorithms based on character feature have the advantages of automatic feature extraction and shorter training time in DGA domain name detection. But for wordlist-based DGA domain name, the accuracy is lower. In order to improve the detection accuracy, semantic features of domain name are extracted to extend character features for the first time. Experiment results show that using extended character feature in Bi-LSTM (Bi-Directional Long Short-Term Memory) could improve the detection performance. In multi-classification, micro average of F1 score reaches up to 98.72%.

Ting Wang,Xin Hu,Jiyong Jang,Shouling Ji,Marc Stoecklin,Teryl Taylor

DOI: https://doi.org/10.1109/icdcs.2016.77

2016-01-01

Abstract:Recent years have witnessed a rampant use of domain generation algorithms (DGAs) in major botnet crimewares, which tremendously strengthens a botnet's capability to evade detection or takedown. Despite a plethora of existing studies on detecting DGA-generated domains in DNS traffic, remediating such threats still relies on vetting the DNS behavior of each individual device. Yet, in large networks featuring complicated DNS infrastructures, we often lack the capability or the resource to exhaustively investigate every part of the networks to identify infected devices in a timely manner. It is therefore of great interest to first assess the population distribution of DGA-bots inside the networks and to prioritize the remediation efforts. In this paper, we present BotMeter, a novel tool that accurately charts the DGA-bot population landscapes in large networks. Specifically, we embrace the prevalent yet challenging setting of hierarchical DNS infrastructures with caching and forwarding mechanisms enabled, whereas DNS traffic is observable only at certain upper-level vantage points. We establish a new taxonomy of DGAs that captures their characteristic DNS dynamics. This allows us to develop a rich library of rigorous analytical models to describe the complex relationships between bot populations and DNS lookups observed at vantage points. We provide results from extensive empirical studies using both synthetic data and real DNS traces to validate the efficacy of BotMeter.

Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera,Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera

DOI: https://doi.org/10.1145/3339252.3339258

2019-08-26

Abstract:Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.

Xiaoqing Sun,Jiahai Yang,Zhiliang Wang,Heng Liu

DOI: https://doi.org/10.1109/noms47738.2020.9110462

2020-01-01

Abstract:As a fundamental component of the Internet, Domain Name System (DNS) is widely abused by attackers in various cybercrimes, making malicious domain detection an essential task in network defenses. However, some well-crafted attacks with tricky techniques can not only bypass blacklists but also make some machine learning-based detection systems infeasible. In this paper, we design HGDom, an accurate and robust malicious domain detection system based on a heterogeneous graph convolutional network method. First, we jointly analyze domain features as well as the complex relations among domains, clients, and IP addresses. To capture richer information, we introduce a Heterogeneous Information Network (HIN) to model the DNS scene. Then, we propose a novel representation method named MAGCN. With a meta-path-based attention mechanism, it can handle node features and the graph structure in HIN at the same time. To our best knowledge, this is the first work to apply GCN in cyber security analysis. Comprehensive experiments over DNS data from TUNET and CERNET2 are conducted to validate the effectiveness and superiority of our proposed methods. The comparison results show that HGDom outperforms state-of-the-art approaches with promising performance. Besides, the system is decided to be deployed in production to assist with network security management for CERNET2.

Kate Highnam,Domenic Puzio,Song Luo,Nicholas R. Jennings

DOI: https://doi.org/10.48550/arXiv.2003.12805

2020-03-28

Abstract:Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the `bagging` model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F1 score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large financial enterprise. In four hours of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.

Cryptography and Security,Machine Learning

Md Abu Sayed,Asif Rahman,Christopher Kiekintveld,Sebastian Garcia

2024-10-29

Abstract:Domain Generation Algorithms (DGAs) are malicious techniques used by malware to dynamically generate seemingly random domain names for communication with Command & Control (C&C) servers. Due to the fast and simple generation of DGA domains, detection methods must be highly efficient and precise to be effective. Large Language Models (LLMs) have demonstrated their proficiency in real-time detection tasks, making them ideal candidates for detecting DGAs. Our work validates the effectiveness of fine-tuned LLMs for detecting DGAs and DNS exfiltration attacks. We developed LLM models and conducted comprehensive evaluation using a diverse dataset comprising 59 distinct real-world DGA malware families and normal domain data. Our LLM model significantly outperformed traditional natural language processing techniques, especially in detecting unknown DGAs. We also evaluated its performance on DNS exfiltration datasets, demonstrating its effectiveness in enhancing cybersecurity measures. To the best of our knowledge, this is the first work that empirically applies LLMs for DGA and DNS exfiltration detection.

Cryptography and Security

Xiaoyang Liu,Jiamiao Liu

DOI: https://doi.org/10.1007/s00521-022-06904-3

2022-01-31

Neural Computing and Applications

Abstract:For the current mainstream DGA domain name detection methods, scalars are almost used to represent numerical features, resulting in the loss of the spatial feature information of domain name characters. This paper proposes a sequence capsule network based on the k-means routing algorithm, LSTM-CapsNet, which only uses DGA domain name text information for detection. The model uses a bidirectional LSTM unit to extract basic features for the capsule network and uses the k-means algorithm to cluster vector features to implement routing functions. In order to verify the proposed LSTM-CapsNet model, data from two different sources are collected to ensure the reliability of the experiment, covering the DGA domain name dataset from the real network defined as Real-Dataset, and the DGA domain name obtained through the domain name generation algorithm is defined as Gen-Dataset. The current DGA domain name detection method of state-of-the-art proposed by researchers is compared and tested on two data sets. The experimental results show that the proposed model has achieved 99.17% and 97.75% of the F-score evaluation indicators in the DGA domain name recognition of the two datasets; at the same time, the recognition of the DGA domain name family has been very competitive. Compared with the existing DGA domain name family classification model, the F-score value of the proposed model exceeds 89% in Gen-Dataset multi-class recognition. This model not only improves the ability of DGA domain name recognition and DGA domain name family recognition but also has an outstanding ability to find real-time aspects in model testing.

computer science, artificial intelligence

Benedikt Holmes,Arthur Drichel,Ulrike Meyer

DOI: https://doi.org/10.48550/arXiv.2110.05849

2021-10-12

Cryptography and Security

Abstract:The goal of Domain Generation Algorithm (DGA) detection is to recognize infections with bot malware and is often done with help of Machine Learning approaches that classify non-resolving Domain Name System (DNS) traffic and are trained on possibly sensitive data. In parallel, the rise of privacy research in the Machine Learning world leads to privacy-preserving measures that are tightly coupled with a deep learning model's architecture or training routine, while non deep learning approaches are commonly better suited for the application of privacy-enhancing methods outside the actual classification module. In this work, we aim to measure the privacy capability of the feature extractor of feature-based DGA detector FANCI (Feature-based Automated Nxdomain Classification and Intelligence). Our goal is to assess whether a data-rich adversary can learn an inverse mapping of FANCI's feature extractor and thereby reconstruct domain names from feature vectors. Attack success would pose a privacy threat to sharing FANCI's feature representation, while the opposite would enable this representation to be shared without privacy concerns. Using three real-world data sets, we train a recurrent Machine Learning model on the reconstruction task. Our approaches result in poor reconstruction performance and we attempt to back our findings with a mathematical review of the feature extraction process. We thus reckon that sharing FANCI's feature representation does not constitute a considerable privacy leakage.