A Game-Based Adversarial DGA Detection Scheme Using Multi-Level Incremental Random Forest

IEEE Transactions on Network Science and Engineering (2024)

Abstract
Security vendors can take down botnets by detecting the malicious domain names crafted by attackers. However, adversarial Domain Generation Algorithms (DGAs) greatly challenge existing domain detection schemes; in particular, adversarial DGAs can actively compromise arbitrarily specified domain detection systems by crafting adversarial domain names. To resist adversarial DGAs, we propose a game theory-based defense strategy, which alternately launches an adversarial DGA and trains an incremental domain detector. However, we find that the game-based strategy cannot achieve the expected detection accuracy because of two problems: the failure of incremental training and catastrophic forgetting. To this end, we propose a multi-level incremental random forest model, which resolves these problems by splitting the leaf nodes of the decision trees and increasing the levels of the original random forest. Experimental results on a real-life dataset demonstrate that the proposed detection method significantly outperforms the competing schemes when detecting adversarial DGAs (improving the detection AUC by 42%) and presents comparable performance when defending against non-adversarial DGAs.
Keywords
Detectors, Games, Training, Reliability, Chatbots, Servers, Radio frequency, Malicious domain name detection, incremental learning, adversarial domain generation algorithm