Domain Generation Algorithms (DGA)

Updated 30 January 2026

Domain Generation Algorithms are deterministic procedures that seed pseudo-random domain names for botnet command-and-control communications.
Research in DGA detection focuses on evaluating metrics like TPR, FPR, pAUC, and adversarial costs incurred by minimal character substitutions.
Experimental findings, such as those from CharBot, reveal that slight adversarial perturbations can bypass string-based classifiers, urging a shift toward hybrid detection methods.

A Domain Generation Algorithm (DGA) is a deterministic procedure, often seeded with a secret or time-derived value, that outputs large sets of pseudo-random domain names facilitating resilient rendezvous between botnet clients and command-and-control (C&C) infrastructure. DGAs are foundational to modern malware, piercing static blacklist defense by algorithmically churning through domain candidates that are synchronized across compromised hosts. Classification and evasion of DGAs is a central research topic in cybersecurity, with rapidly evolving offense–defense methodologies, ranging from adversarial string perturbations to deep learning–based detectors, and hybrid systems that incorporate side information.

1. Formal Definition and Taxonomy of DGAs

A DGA is formally defined as a deterministic algorithm $A$ taking a seed $s$ (such as a date or random nonce) and producing a (potentially time-varying) family of domain names $\{d_1, d_2, \ldots\}$ , from which the attacker registers a handful as C&C servers. The infected hosts run the same $A(s)$ to attempt DNS resolution during rendezvous (Peck et al., 2019). DGAs can be classified by generation method:

Dictionary DGAs: Concatenate words sampled from an embedded wordlist (typically English words), yielding high “English-likeness” and elevated smashword scores (Curtin et al., 2018).
Hash/Time-based DGAs: Apply a cryptographic hash (or modular recurrence) over the seed and counter, mapping outputs onto a domain-valid character set.
Permutation DGAs: Permute a fixed alphabet to yield domain candidates.
Statistical/Generative DGAs: Deploy generative models such as GANs (e.g., DeepDGA) to sample domains matching the statistical manifold of benign distributions (Anderson et al., 2016).
Char-based DGAs: Modify benign domains via small edit distance perturbations (e.g., CharBot replaces two characters in Alexa domains).

2. Key Performance Metrics and Evaluation Schemes

DGA detectors $f(\cdot)$ are primarily evaluated as binary classifiers. Research on classifier effectiveness and robustness employs the following metrics (Peck et al., 2019):

True Positive Rate (TPR): $\mathrm{TPR} = \frac{\text{TP}}{\text{TP} + \text{FN}}$ , proportion of malicious domains flagged.
False Positive Rate (FPR): $\mathrm{FPR} = \frac{\text{FP}}{\text{FP} + \text{TN}}$ , fraction of benign domains wrongly flagged.
Partial Area Under ROC Curve (pAUC): $\mathrm{pAUC}_{[0,\alpha]} = \int_{0}^{\mathrm{FPR}=\alpha} \mathrm{TPR}(\tau)\,d(\mathrm{FPR})$ , commonly at $\alpha = 0.001$ ( $0.1\%$ ) and $\alpha = 0.01$ ( $1\%$ ).
Adversarial cost $c(x, \tilde{x})$ : Text-space cost quantified by Levenshtein edit distance, constrained by domain nonexistence ( $c = +\infty$ for registered domains).

Robustness is further assessed by attack-specific false-negative rates and by transferability across benign corpora and train/test splits.

3. CharBot: Minimal Adversarial DGA Design and Evasion

CharBot is a black-box, char-based DGA requiring no detector knowledge, designed to evade state-of-the-art string-based classifiers (Peck et al., 2019).

Algorithm Pseudocode:

Input: Seed date $s$ , list $D$ of legitimate SLDs ( $|D| \geq 10,000$ ), list $T$ of common TLDs.
Initialize PRNG with $s$ .
Sample $d \in D$ .
Pick distinct indices $i, j$ in $d$ .
For $k \in \{i, j\}$ , sample a replacement $c_k$ from DNS-valid alphabet $\Sigma$ , $c_k \neq d[k]$ .
Replace $d[k] \leftarrow c_k$ .
Sample $t \in T$ ; output $d . t$ .

By making only two substitutions in real benign SLDs, CharBot domains preserve higher-order statistics (domain length, n-gram medians, entropy, Gini impurity), rendering them nearly indistinguishable from legitimate traffic to both hand-engineered feature models (FANCI) and deep LSTM detectors.

Experimental Results:

At $0.1\%$ FPR, FANCI: TPR $\approx 0\%$ ; LSTM.MI: TPR $= 5.6\%$ .
At $1\%$ FPR, FANCI: TPR $<3\%$ ; LSTM.MI: TPR $= 15.5\%$ .
Retraining with CharBot samples does not yield viable defense: LSTM.MI TPR rises only to $\approx 55\%$ at $0.1\%$ FPR, at cost of model complexity and partial coverage.

These results demonstrate near-total evasion, establishing CharBot as a minimal, highly efficient adversarial DGA.

4. Experimental Methodology and Quantitative Insights

Datasets used for evaluation:

Benign domains: Alexa Top 1M, Passive DNS queries.
Malicious: 1M Bambenek DGA feeds.

Training:

80/20 train/test splits on Alexa+Bambenek.
Adversarial retraining incorporates 100k CharBot, DeepDGA, and DeceptionDGA samples.

Cross-dataset transfer:

Classifiers trained on Passive DNS+Bambenek behave similarly; CharBot evades detection in all splits, with detection <20% even at strict FPR.

Key empirical findings:

Perturbations of benign distributions suffice for evasion.
Feature-analytic detectors relying exclusively on string-based measurements are fundamentally vulnerable to small, statistically-matched character modifications.

5. Implications for Defenses and Future Research Directions

CharBot's results expose a fundamental limitation of string-only DGA detection: two-character perturbations bypass classifiers across architectures and benign corpora. Mitigating this vulnerability necessitates moving beyond pure lexical features (Peck et al., 2019):

Side-information fusion: Integrate DNS response features (TTL, IP geography, ASNs), query context, WHOIS age, reputation metrics (Sivaguru et al., 2020).
White-box adversarial training: Joint optimization against adversarial perturbations produced during training, hardening classifiers by simulating worst-case domain modifications.
Hybrid detection: Combine string-based classifiers with behavioral anomaly models operating at the network traffic level.

Robust detection mandates incorporating features unlikely to be manipulated absent real DNS infrastructure control, such as resolver-side context. Defenses relying solely on the domain name string are systematically evadable by black-box attacks as simple as CharBot.

6. Historical Significance and Research Impact

CharBot is the simplest and most efficient black-box adversarial attack against DGA classifiers currently proposed (Peck et al., 2019). Its findings have catalyzed a broader research movement emphasizing:

The necessity of adversarial robustness analyses in cybersecurity machine learning.
The limits of string-only and feature-engineered models in the presence of adaptive adversaries.
The practical feasibility and real-time speed of perturbation-based DGAs (CharBot complexity is constant per domain, allowing instantaneous generation of millions of unique candidates).

Designing resilient DGA detection now requires explicit defense against the CharBot paradigm, via adversarial awareness and context-rich feature engineering.