Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models

Detecting malicious domains generated by Domain Generation Algorithms (DGAs) remains a significant challenge, particularly for wordlist-based DGAs that mimic legitimate domain patterns. In this work, we present an interpretable and adaptable DGA detection framework that employs Large Language Models, specifically LLaMA 3 8B. Our approach integrates Supervised Fine-Tuning, In-Context Learning (ICL), and SHAP-based explainability to enhance both performance and transparency. We evaluate our system on a large-scale dataset comprising 68 DGA families, including difficult wordlist-based variants, as well as benign domains from the Tranco dataset. The fine-tuned model surpasses existing state-of-the-art detectors in accuracy and false positive rate, especially on challenging word-based DGAs. Moreover, we demonstrate how SHAP can identify failure cases and guide lightweight updates via ICL, improving detection without full retraining. This combination of interpretability and adaptability offers a practical approach for maintaining high-performance DGA detection systems over time, establishing LLMs as effective and explainable tools for real-world cybersecurity applications.