Mapping the Web’s Undercurrent: Domain Embeddings from DNS Traffic

by

Author: Denis Avetisyan

A new approach leverages graph neural networks and transformer models to extract meaningful representations of domain names from DNS queries, enhancing network security and visibility.

The proposed DNS-GT method operates through a sequential workflow, with each stage distinguished by a red visual cue, processing input data-indicated in green-to generate corresponding output also represented in green.
The proposed DNS-GT method operates through a sequential workflow, with each stage distinguished by a red visual cue, processing input data-indicated in green-to generate corresponding output also represented in green.

DNS-GT learns robust domain and host embeddings from DNS traffic to improve network intrusion detection and provide contextual understanding of network activity.

Despite advancements in network intrusion detection, reliance on labeled data and limited generalization remain significant challenges. This paper introduces ‘DNS-GT: A Graph-based Transformer Approach to Learn Embeddings of Domain Names from DNS Queries’-a novel model leveraging Transformer networks and graph neural networks to learn robust domain name embeddings directly from DNS traffic sequences. By capturing contextual relationships within DNS queries, DNS-GT enhances representation learning for improved downstream tasks like botnet detection and domain classification. Could this approach unlock new possibilities for applying large-scale language models to bolster cybersecurity and network monitoring?

The Inherent Limitations of Superficial DNS Analysis

Network security relies heavily on the analysis of Domain Name System (DNS) traffic, as it represents the initial step in most internet communications. However, simply observing raw DNS data – a constant stream of queries and responses – often proves insufficient for identifying genuine threats. Traditional security approaches frequently focus on identifying known malicious domains or patterns, which are easily bypassed by attackers employing techniques like domain generation algorithms or fast-flux hosting. The sheer volume of DNS traffic, coupled with the increasing sophistication of evasion tactics, overwhelms these systems, leading to a high rate of false positives and missed detections. Extracting actionable intelligence requires moving beyond basic signature matching to develop methods capable of discerning the intent behind DNS requests and correlating them with broader threat landscapes.

Traditional network security relies heavily on identifying malicious patterns – specific strings or sequences within DNS traffic. However, this approach often proves inadequate against increasingly sophisticated threats. Effective threat detection now necessitates a deeper understanding of the semantics of domain names themselves; it’s no longer sufficient to simply recognize known bad actors. Analyzing a domain’s age, registration details, historical behavior, and linguistic characteristics-essentially, its meaning and context-provides crucial insights. This semantic analysis can reveal newly created domains mimicking legitimate brands (typosquatting), domains associated with command-and-control servers, or those exhibiting behavioral anomalies indicative of malicious intent, even if they don’t match any pre-defined signatures. By moving beyond syntax to meaning, security systems can proactively identify and neutralize threats that would otherwise slip through conventional defenses, bolstering overall network resilience.

The proposed methodology learns DNS query representations through a training process and data pipeline where stages are color-coded by function-input/output (green), data (yellow), operations (red), and learnable neural networks (blue).
The proposed methodology learns DNS query representations through a training process and data pipeline where stages are color-coded by function-input/output (green), data (yellow), operations (red), and learnable neural networks (blue).

Encoding Domain Meaning: The Foundation of Semantic Analysis

Domain Name Embeddings are vector representations of domain names, designed to capture semantic meaning for use in machine learning models. These embeddings translate domain names-typically treated as discrete categorical features-into continuous vector spaces, allowing algorithms to understand relationships and similarities between domains. The creation of these vectors involves analyzing characteristics of domain names, such as character sequences, length, and common prefixes/suffixes, and mapping these attributes to numerical values. This process enables advanced network analysis techniques, including clustering, classification, and anomaly detection, by providing a quantifiable representation of domain name characteristics that can be processed computationally.

Traditional word embedding techniques, such as Word2Vec, are trained on general-purpose text corpora and thus lack specific knowledge of domain name semantics. Domain names possess a unique structure – consisting of multiple lexical parts separated by periods – and carry contextual information related to purpose, registration date, and associated services. Word2Vec treats each character or substring as an independent token, failing to capture the relationships between these parts or the broader meaning conveyed by the fully qualified domain name. Consequently, embeddings generated by Word2Vec often lack the discriminatory power necessary for accurate domain classification or effective botnet detection, as they do not adequately represent the specific characteristics inherent in domain name composition and usage.

Domain name embeddings function as feature vectors within machine learning models used for both domain classification and botnet detection. For domain classification, these embeddings provide a numerical representation of a domain’s characteristics, improving the accuracy of categorizing domains into predefined groups, such as those related to e-commerce, social media, or malware. In botnet detection, the embeddings facilitate the identification of malicious domains associated with botnet command and control servers by clustering domains with similar embedding vectors, indicating potential coordinated malicious activity. This approach enhances detection rates compared to relying solely on lexical features or blacklists, as embeddings capture semantic similarities even between previously unseen domains.

A t-SNE visualization of the domain name embedding space reveals that blacklisted domains (red) are readily distinguishable from commonly observed benign domains (green), which cluster centrally.
A t-SNE visualization of the domain name embedding space reveals that blacklisted domains (red) are readily distinguishable from commonly observed benign domains (green), which cluster centrally.

DNS-GT: A Graph-Enhanced Transformer for Principled Domain Intelligence

DNS-GT is a newly developed Transformer architecture designed to analyze Domain Name System (DNS) data by integrating Graph Neural Networks (GNNs). This architecture moves beyond traditional sequential processing of DNS records by representing DNS data as a graph, allowing the model to capture relationships between domains, subdomains, and associated attributes. The GNN component processes this graph structure, generating node embeddings that represent contextual information within the DNS landscape. These embeddings are then incorporated into the Transformer’s self-attention mechanism, enabling DNS-GT to learn more nuanced and comprehensive representations of domain intelligence from the input DNS data.

DNS-GT employs self-attention mechanisms to weigh the importance of different elements within the DNS input sequence – such as subdomain labels and record types – allowing the model to prioritize features most relevant to domain intelligence tasks. Simultaneously, Graph Neural Networks (GNNs) are utilized to create contextual representations by modeling the relationships between these DNS elements as a graph; nodes represent DNS components and edges define their connections. This combination enables DNS-GT to not only identify salient features via self-attention, but also to understand how those features interact within the broader DNS context, leading to more robust and informative domain embeddings.

DNS-GT generates domain name embeddings that achieve a ROC-AUC of 0.848 on domain classification tasks. This performance metric indicates a significantly improved ability to distinguish between different domain types compared to baseline models. The ROC-AUC score represents the probability that a randomly chosen malicious domain will be assigned a higher risk score than a randomly chosen benign domain, with 0.848 representing a high degree of separability. Evaluations demonstrate that the combined strengths of the Transformer architecture and Graph Neural Networks contribute to the creation of more informative and discriminative domain name embeddings, leading to enhanced classification accuracy.

This graph attention network architecture processes input features <span class="katex-eq" data-katex-display="false">\mathbf{X}</span> (green) through learned neural networks (blue) and tensor operations (yellow) to generate outputs, as visualized by the network's internal state (red).
This graph attention network architecture processes input features \mathbf{X} (green) through learned neural networks (blue) and tensor operations (yellow) to generate outputs, as visualized by the network’s internal state (red).

Visualizing Semantic Coherence: Validating the Model’s Understanding

The application of t-distributed stochastic neighbor embedding (t-SNE) to the generated domain name embeddings yielded visually distinct clusters, providing compelling evidence of the model’s capacity to discern semantic relationships between domains. This dimensionality reduction technique mapped high-dimensional embedding vectors into a two-dimensional space, where domains with similar characteristics – such as shared keywords, associated services, or malicious intent – consistently grouped together. The resulting visualizations demonstrated that the model doesn’t simply memorize domain names, but rather learns a representation that captures underlying meaning, enabling it to generalize to previously unseen domains and effectively differentiate between benign and malicious entities based on contextual similarity.

The newly developed domain name embeddings demonstrate a significant advancement in network intelligence, achieving a peak F1-score of 0.654 – the highest performance attained across all tested configurations. This improvement isn’t limited to simply categorizing domains; the refined embeddings substantially enhance the identification of malicious activity associated with known blacklisted domains. The robust performance indicates the model’s capacity to discern subtle patterns indicative of harmful intent, offering a more accurate and reliable method for proactively mitigating online threats and bolstering network security compared to previous approaches. This enhanced accuracy translates directly into a more resilient infrastructure, capable of effectively defending against evolving cyberattacks.

Analysis reveals that an overwhelming majority – 98% – of domain names demonstrate substantial shifts in their embedding representations depending on the context of their DNS queries, indicating a nuanced understanding of domain behavior captured by the model. This context-dependent variation is particularly pronounced when examining benign domains, which consistently exhibit lower distances between their own repeated embeddings (intra-distance) than the distances to embeddings of other, unrelated domains (inter-distance). This pattern suggests DNS-GT effectively differentiates legitimate online entities, recognizing consistent behavioral signatures, and validating its capacity to discern meaningful distinctions in the complex landscape of internet domains; a key component of its overall effectiveness.

The refined domain intelligence cultivated through advanced embedding techniques directly contributes to a paradigm shift in network security. Rather than reacting to threats as they emerge, systems can now anticipate and neutralize malicious activity by identifying patterns and anomalies within domain name representations. This proactive stance minimizes potential damage and reduces the attack surface, fostering a more resilient network infrastructure capable of withstanding increasingly sophisticated cyberattacks. By accurately classifying domains and flagging potentially harmful ones, the technology enables automated blocking of malicious content, intelligent traffic filtering, and enhanced threat hunting capabilities, ultimately reducing the burden on security teams and strengthening overall network defenses.

Domain name embeddings appearing in sequence exhibit significantly higher cosine similarity and lower Euclidean distance compared to randomly sampled domains, suggesting a meaningful semantic relationship between sequentially occurring domain names.
Domain name embeddings appearing in sequence exhibit significantly higher cosine similarity and lower Euclidean distance compared to randomly sampled domains, suggesting a meaningful semantic relationship between sequentially occurring domain names.

The pursuit of robust domain embeddings, as detailed in DNS-GT, echoes a fundamental tenet of computational rigor. Robert Tarjan once stated, “A good algorithm must be provably correct.” This sentiment aligns perfectly with the paper’s methodology; DNS-GT doesn’t simply aim for working intrusion detection, but instead strives for a model grounded in the mathematical relationships within DNS traffic. By leveraging graph neural networks and Transformer architectures, the authors seek a solution whose efficacy isn’t merely empirical, but inherently logical and demonstrable – a pursuit of provable correctness in the realm of network security.

What Lies Ahead?

The presented work, while demonstrating a functional application of graph-based Transformers to DNS traffic analysis, merely scratches the surface of a deeper, more fundamental question: can network behavior truly be understood through embedding spaces, or is this simply a sophisticated form of pattern matching? The efficacy of DNS-GT hinges on the representational power of these embeddings; however, a rigorous mathematical proof of their completeness – their ability to capture all relevant information within the DNS query space – remains conspicuously absent. Future research must move beyond empirical validation and towards formal verification.

A critical limitation lies in the static nature of the graph construction. DNS is, by its very nature, a dynamic system. A truly elegant solution would incorporate temporal aspects, allowing the graph to evolve alongside network activity. Furthermore, the reliance on DNS queries as the sole input source feels… provincial. Integration with other network telemetry – flow data, packet payloads – could yield a more holistic, and therefore more robust, representation.

The pursuit of ‘intrusion detection’ is, perhaps, a misdirection. The true value of DNS-GT may not lie in identifying malicious actors, but in providing a mathematically sound foundation for characterizing network behavior. Such a framework, devoid of subjective labels like ‘attack’ or ‘normal’, would allow for a more objective, and ultimately more insightful, understanding of the complex systems upon which modern networks are built.

Original article: https://arxiv.org/pdf/2603.11200.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2026-03-14 19:04