LEXIDNS-RISK: DEPLOYMENT-AWARE LEXICAL RISK MODELING FOR INTERPRETABLE MALICIOUS DOMAIN SCREENING
DOI: https://doi.org/10.71146/kjmr904
Keywords: Malicious Domain Detection, DNS-layer screening, Lexical Feature Modeling, Interpretable Machine Learning, Robustness-Aware Cybersecurity
Abstract
Malicious domains are widely used in phishing, malware delivery, command-and-control communication, and DNS-based abuse. This paper evaluates lightweight lexical-feature-based models for first-stage DNS-layer malicious-domain screening. Using a balanced dataset of two million labeled domains, we extract interpretable features from domain strings and compare Logistic Regression, Random Forest, Extra Trees, XGBoost, LightGBM, and a character n-gram TF-IDF baseline. Results show that lexical boosting models achieve strong clean-test performance. LightGBM obtains the best F1-score of approximately 0.997, while XGBoost provides nearly identical accuracy with lower latency and smaller model size. Compared with the TF-IDF baseline, lexical boosting models achieve higher F1-score, lower false-positive rate, and lower inference cost. Feature-importance analysis shows that base-domain length, digit ratio, digit count, token length, and character diversity are the dominant signals. Robustness experiments show that clean-test accuracy alone is insufficient for deployment-oriented evaluation, as several domain perturbations reduce fixed-threshold performance. Threshold recalibration improves some stress cases, but subdomain-noise remains challenging. Overall, lightweight lexical models can support fast and interpretable first-stage DNS-layer screening under controlled evaluation, but external validation and robustness-aware modeling are required before stronger deployment claims can be made.
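Added example, not the paper's code: an illustration of the lexical signals the abstract names (base-domain length, digit count, digit ratio, token length, character diversity) and of how a subdomain-noise perturbation shifts whole-string features while base-domain features stay fixed. The exact feature definitions, the "second-to-last label" base-domain rule, the `label_count` feature and the sample names are assumptions, since the page does not give the paper's definitions.

```python
import re

def base_domain(fqdn: str) -> str:
    """Assumed rule: the label just left of the final suffix label.
    A production screen would use the Public Suffix List instead."""
    labels = [l for l in fqdn.lower().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return labels[-2] if len(labels) >= 2 else labels[0]

def lexical_features(fqdn: str) -> dict:
    """Interpretable features computed from the domain string alone."""
    name = fqdn.lower().rstrip(".")
    base = base_domain(name)              # raises on empty input
    tokens = [t for t in re.split(r"[.\-_]", name) if t]
    digits = sum(c.isdigit() for c in name)
    return {
        "base_len": len(base),                         # base-domain length
        "digit_count": digits,                         # over the whole name
        "digit_ratio": digits / len(name),
        "max_token_len": max(len(t) for t in tokens),  # token length
        "char_diversity": len(set(base)) / len(base),  # distinct chars / length
        "label_count": name.count(".") + 1,            # assumed extra feature
    }

def drift(clean: str, perturbed: str) -> dict:
    """Features that change between a name and its perturbed form."""
    a, b = lexical_features(clean), lexical_features(perturbed)
    return {k: round(b[k] - a[k], 4) for k in a if b[k] != a[k]}

# Constructed sample: the same base domain with added subdomain labels.
CLEAN = "example.com"
NOISY = "a1.b2.c3.example.com"

if __name__ == "__main__":
    print(lexical_features(CLEAN))
    print(drift(CLEAN, NOISY))
```

Features computed over the whole name move under the perturbation, which is why a threshold fixed on clean data can misfire, while the base-domain features do not move at all.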
License
Copyright (c) 2026 Wahaj Hassan Soomro, Muhammad Arslan Siddiqui (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.
