Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models



Abstract

Detecting malicious domains generated by Domain Generation Algorithms (DGAs) remains a significant challenge, particularly for wordlist-based DGAs that mimic legitimate domain patterns. In this work, we present an interpretable and adaptable DGA detection framework that employs Large Language Models, specifically LLaMA 3 8B. Our approach integrates Supervised Fine-Tuning, In-Context Learning (ICL), and SHAP-based explainability to enhance both performance and transparency. We evaluate our system on a large-scale dataset comprising 68 DGA families, including difficult wordlist-based variants, as well as benign domains from the Tranco dataset. The fine-tuned model surpasses existing state-of-the-art detectors in accuracy and false positive rate, especially on challenging word-based DGAs. Moreover, we demonstrate how SHAP can identify failure cases and guide lightweight updates via ICL, improving detection without full retraining. This combination of interpretability and adaptability offers a practical approach for maintaining high-performance DGA detection systems over time, establishing LLMs as effective and explainable tools for real-world cybersecurity applications.
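The abstract's central motivation is that wordlist-based DGAs mimic legitimate domain patterns and so evade the surface-level lexical features many detectors rely on. The following Python snippet is an added illustration, not code from the paper or its authors: it scores domain labels with two classic hand-crafted features (character entropy and vowel ratio) and shows that such a rule flags random-character DGA domains but passes wordlist-based ones, which look statistically like benign names. All sample domains and the thresholds are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample domains for the demonstration (not from the paper's dataset).
BENIGN = ["google.com", "wikipedia.org", "stackoverflow.com", "weatherchannel.com"]
RANDOM_DGA = ["xkqzvbtrpwm.net", "qwpzlmxrtvk.com", "zzxvqpwlrk.org", "ahtrmqvzpxlk.info"]
WORDLIST_DGA = ["applevillageriver.com", "greenstonehouse.net", "silverfieldroad.org"]

def second_level_label(domain: str) -> str:
    """Strip the public suffix; features are computed on the registrable label only."""
    return domain.rsplit(".", 1)[0]

def char_entropy(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(s: str) -> float:
    """Fraction of characters that are vowels; random-character DGAs tend to be low."""
    return sum(ch in "aeiou" for ch in s) / len(s)

def lexical_features(domain: str) -> dict:
    label = second_level_label(domain)
    return {"entropy": char_entropy(label), "vowel_ratio": vowel_ratio(label)}

# Thresholds are assumed values chosen for this example, not tuned on real data.
def is_suspicious(domain: str, entropy_max: float = 3.6, vowel_min: float = 0.2) -> bool:
    f = lexical_features(domain)
    return f["vowel_ratio"] < vowel_min or f["entropy"] > entropy_max

def detection_rate(domains: list[str]) -> float:
    """Fraction of the given domains the lexical rule flags as suspicious."""
    return sum(is_suspicious(d) for d in domains) / len(domains)

if __name__ == "__main__":
    for name, group in [("benign", BENIGN), ("random-char DGA", RANDOM_DGA),
                        ("wordlist DGA", WORDLIST_DGA)]:
        print(f"{name:16s} flagged: {detection_rate(group):.0%}")
        for d in group:
            f = lexical_features(d)
            print(f"  {d:24s} H={f['entropy']:.2f} vowels={f['vowel_ratio']:.2f} "
                  f"suspicious={is_suspicious(d)}")
```

Running it shows the random-character family fully flagged while every wordlist-based domain scores inside the benign range on both features; that false-negative band is exactly the gap the abstract targets with a fine-tuned language model, and per-feature values like these are what a SHAP-style explanation would surface when diagnosing such misses.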
