Pelayo-Benedet, Tomás; Rodríguez, Ricardo J.
Poster: The Simpler, the Stealthier: A Framework for Evaluating Adversarial Domain Generation Algorithm Models Proceedings Article
In: Proceedings of the 23rd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2026.
Abstract | BibTeX | Tags: Adversarial Machine Learning, Benchmarking, Botnet Detection, domain generation algorithms, Evasion Attacks
@inproceedings{PelayoBenedet2026,
title = {Poster: The Simpler, the Stealthier: A Framework for Evaluating Adversarial Domain Generation Algorithm Models},
author = {Tomás Pelayo-Benedet and Ricardo J. Rodríguez},
year = {2026},
date = {2026-01-01},
booktitle = {Proceedings of the 23rd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
abstract = {Adversarial Domain Generation Algorithms (DGAs) pose a growing threat to botnet detection systems; however, the lack of a standardized evaluation makes comparing existing models virtually impossible. We present an open-source benchmarking framework that evaluates four adversarial DGA models (DeepDGA, CharBot, Deception, and MaskDGA) in a unified environment, assessing lexical characteristics, detection evasion against LSTM and CNN classifiers, and computational cost. Our results show that CharBot and Deception consistently outperform the other two models: both achieve evasion rates above 75% with a training time of less than two seconds. DeepDGA and MaskDGA, despite their complexity, exhibit evasion rates below 21% in all cases. These findings highlight that lexical similarity to benign domains is related to evasion success, and that computational cost does not necessarily translate into effectiveness.},
keywords = {Adversarial Machine Learning, Benchmarking, Botnet Detection, domain generation algorithms, Evasion Attacks},
pubstate = {published},
tppubtype = {inproceedings}
}
Adversarial Domain Generation Algorithms (DGAs) pose a growing threat to botnet detection systems; however, the lack of a standardized evaluation makes comparing existing models virtually impossible. We present an open-source benchmarking framework that evaluates four adversarial DGA models (DeepDGA, CharBot, Deception, and MaskDGA) in a unified environment, assessing lexical characteristics, detection evasion against LSTM and CNN classifiers, and computational cost. Our results show that CharBot and Deception consistently outperform the other two models: both achieve evasion rates above 75% with a training time of less than two seconds. DeepDGA and MaskDGA, despite their complexity, exhibit evasion rates below 21% in all cases. These findings highlight that lexical similarity to benign domains is related to evasion success, and that computational cost does not necessarily translate into effectiveness.
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names Journal Article
In: IEEE Access, vol. 9, pp. 126446–126456, 2021.
Abstract | Links | BibTeX | Tags: deep learning, domain generation algorithms, LSTM, malware
@article{SRS-ACCESS-21,
title = {Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names},
author = {Jose Selvi and Ricardo J Rodríguez and Emilio Soria-Olivas},
url = {http://webdiis.unizar.es/~ricardo/files/papers/SRS-ACCESS-21.pdf},
doi = {10.1109/ACCESS.2021.3111307},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
journal = {IEEE Access},
volume = {9},
pages = {126446--126456},
abstract = {Malware detection is a problem that has become particularly challenging over the last decade. A common strategy for detecting malware is to scan network traffic for malicious connections between infected devices and their command and control (C&C) servers. However, malware developers are aware of this detection method and begin to incorporate new strategies to go unnoticed. In particular, they generate domain names instead of using static Internet Protocol addresses or regular domain names pointing to their C&C servers. By using a domain generation algorithm, the effectiveness of the blacklisting of domains is reduced, as the large number of domain names that must be blocked greatly increases the size of the blacklist. In this paper, we study different Long Short-Term Memory neural network hyperparameters to find the best network configuration for algorithmically generated domain name detection. In particular, we focus on determining whether the (complex) feature engineering efforts required when using other deep learning techniques, such as Random Forest, can be avoided. In this regard, we have conducted a comparative analysis to study the effect of using different network sizes and configurations on network performance metrics. Our results show an accuracy of 97:62% and an area under the receiver operating characteristic curve of 0:9956 in the test dataset, indicating that it is possible to obtain good classification results despite avoiding the feature engineering process and additional readjustments required in other machine learning techniques.},
keywords = {deep learning, domain generation algorithms, LSTM, malware},
pubstate = {published},
tppubtype = {article}
}
Malware detection is a problem that has become particularly challenging over the last decade. A common strategy for detecting malware is to scan network traffic for malicious connections between infected devices and their command and control (C&C) servers. However, malware developers are aware of this detection method and begin to incorporate new strategies to go unnoticed. In particular, they generate domain names instead of using static Internet Protocol addresses or regular domain names pointing to their C&C servers. By using a domain generation algorithm, the effectiveness of the blacklisting of domains is reduced, as the large number of domain names that must be blocked greatly increases the size of the blacklist. In this paper, we study different Long Short-Term Memory neural network hyperparameters to find the best network configuration for algorithmically generated domain name detection. In particular, we focus on determining whether the (complex) feature engineering efforts required when using other deep learning techniques, such as Random Forest, can be avoided. In this regard, we have conducted a comparative analysis to study the effect of using different network sizes and configurations on network performance metrics. Our results show an accuracy of 97:62% and an area under the receiver operating characteristic curve of 0:9956 in the test dataset, indicating that it is possible to obtain good classification results despite avoiding the feature engineering process and additional readjustments required in other machine learning techniques.