Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models

Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models Reynier Leyva La O, Carlos A. Catania, Tatiana S. Parlanti This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-6843586/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Detecting malicious domains generated by Domain Generation Algorithms (DGAs) remains a significant challenge, particularly for wordlist-based DGAs that mimic legitimate domain patterns. In this work, we present an interpretable and adaptable DGA detection framework that employs Large Language Models, specifically LLaMA 3 8B. Our approach integrates Supervised Fine-Tuning, In-Context Learning (ICL), and SHAP-based explainability to enhance both performance and transparency. We evaluate our system on a large-scale dataset comprising 68 DGA families, including difficult wordlist-based variants, as well as benign domains from the Tranco dataset. The fine-tuned model surpasses existing state-of-the-art detectors in accuracy and false positive rate, especially on challenging word-based DGAs. Moreover, we demonstrate how SHAP can identify failure cases and guide lightweight updates via ICL, improving detection without full retraining. This combination of interpretability and adaptability offers a practical approach for maintaining high-performance DGA detection systems over time, establishing LLMs as effective and explainable tools for real-world cybersecurity applications. DGA detection Large Language Models In-Context Learning Supervised Fine-Tuning SHAP explainability Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-6843586","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":467956779,"identity":"2a68d026-3f9c-49d7-9322-2df365e9dc0e","order_by":0,"name":"Reynier Leyva La O","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABQ0lEQVRIie3Sv0vDQBTA8Scnd8srWV+JNP/ChYBWqM2/0hLIVgwIIii0UGiXomuK/0SlUNdAoE4tuFU6aMmog0XooojXH4omLa6C+Q65cMcncI8ApKX9xcTimVcvNbXyz225XNg6stwkAAxiBH8lVPpOYDPZq7O+jmdkaNnHcuQdF2ytxiaR5xVzNojbyIPiYYzshNzVsU9m+7LStfyhyyjgluVLx0LAI8sHZ7/2kxDD3azPaaszrvT0TCPkcP/EdZRBuQWovgZMQpxos6z/TnbnbnD9qggaAS5IdUWqSYKcpg0qd0aZHlOE5IqUEIS6JoRJwq389JycdqvS1XHoSnN+F5SO2QqRqUvdJIioT0alWeHgQgyuXlBNLBeoieFb0RDNphrdyWmcqLZpzfDnMZRfv0Hs5HkDAfGw6SQtLS3tX/UBI+lblEMBG5oAAAAASUVORK5CYII=","orcid":"","institution":"National Scientific and Technical Research Council","correspondingAuthor":true,"prefix":"","firstName":"Reynier","middleName":"Leyva La","lastName":"O","suffix":""},{"id":467956780,"identity":"f867d6ee-e98d-4c8c-b5e5-46402530c011","order_by":1,"name":"Carlos A. Catania","email":"","orcid":"","institution":"National University of Cuyo","correspondingAuthor":false,"prefix":"","firstName":"Carlos","middleName":"A.","lastName":"Catania","suffix":""},{"id":467956781,"identity":"8e3319a2-6cdc-42ce-8433-ef39c57ef8e1","order_by":2,"name":"Tatiana S. Parlanti","email":"","orcid":"","institution":"National University of Cuyo","correspondingAuthor":false,"prefix":"","firstName":"Tatiana","middleName":"S.","lastName":"Parlanti","suffix":""}],"badges":[],"createdAt":"2025-06-07 15:08:22","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-6843586/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-6843586/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":96518352,"identity":"797ee424-85f8-4829-bce8-ee1d9413fc37","added_by":"auto","created_at":"2025-11-22 10:08:49","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":844588,"visible":true,"origin":"","legend":"","description":"","filename":"InterpretabilityGuidedDGADetectionwithLLMs.pdf","url":"https://assets-eu.researchsquare.com/files/rs-6843586/v1_covered_23c45da4-0e7d-4749-af29-cdddd19d1f74.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models\n","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":true,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"DGA detection, Large Language Models, In-Context Learning, Supervised Fine-Tuning, SHAP explainability","lastPublishedDoi":"10.21203/rs.3.rs-6843586/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-6843586/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eDetecting malicious domains generated by Domain Generation Algorithms (DGAs) remains a significant challenge, particularly for wordlist-based DGAs that mimic legitimate domain patterns. In this work, we present an interpretable and adaptable DGA detection framework that employs Large Language Models, specifically LLaMA 3 8B. Our approach integrates Supervised Fine-Tuning, In-Context Learning (ICL), and SHAP-based explainability to enhance both performance and transparency.\u0026nbsp;\u003c/p\u003e\n\u003cp\u003eWe evaluate our system on a large-scale dataset comprising 68 DGA families, including difficult wordlist-based variants, as well as benign domains from the Tranco dataset. The fine-tuned model surpasses existing state-of-the-art detectors in accuracy and false positive rate, especially on challenging word-based DGAs. Moreover, we demonstrate how SHAP can identify failure cases and guide lightweight updates via ICL, improving detection without full retraining. This combination of interpretability and adaptability offers a practical approach for maintaining high-performance DGA detection systems over time, establishing LLMs as effective and explainable tools for real-world cybersecurity applications.\u003c/p\u003e","manuscriptTitle":"Interpretability-Guided Adaptation for Robust DGA Detection with Large Language Models","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-06-13 02:32:58","doi":"10.21203/rs.3.rs-6843586/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"120425a9-3f6f-444c-9df1-6d430bcfc87b","owner":[],"postedDate":"June 13th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2025-11-22T10:08:18+00:00","versionOfRecord":[],"versionCreatedAt":"2025-06-13 02:32:58","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-6843586","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-6843586","identity":"rs-6843586","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}