Despite the decline in the popularity of some remote access trojans (RATs), such as DCRAT (–59%), NjRAT (–33%), and AsyncRAT (–29%), their overall share of botnet activity remains significant (30.45%). RATs allow attackers to gain full control over an infected system, making them very effective in spying campaigns or data theft. For example, Remcos, which has seen a 72% increase, is actively used to steal credentials, including corporate ones. Cybercriminals can send commands to an infected computer to obtain sensitive information, such as passwords or files.

Overall, the slowdown in the growth of botnets is a positive development, but it does not diminish the relevance of the global implementation of more stringent cyber defense measures. Botnets remain difficult to detect, and their activity is constantly adapting to new defense methods, which requires a comprehensive approach to solving problems.

Domain Generation Algorithms (DGAs) are tools that allow attackers to dynamically create thousands of unique domains to support command-and-control malware servers [ 2 ]. These algorithms work based on various approaches, such as arithmetic calculations, hashing, or the use of dictionaries. Their main goal is to avoid blocking and ensure stable communication between infected devices and control servers even in the event of a partial infrastructure blockage [ 3 ]. One of the main advantages of DGAs is the ability to create a large number of domains in a short time due to the specifics of their formation, as shown in Fig. 2. Attackers can generate thousands of addresses every day, which makes them much harder to detect and block. Moreover, the dynamic nature of generation avoids predictability, making such domains more resistant to traditional detection methods. Another important feature is the minimal dependence on physical infrastructure. Thanks to DGA, even after blocking some servers, attackers can quickly switch to new domains.

DGAs are implemented using various algorithms that can be classified according to the approach to domain creation [ 4 ].

One of the most common methods is arithmetic-based algorithms. In this case, domains are generated using mathematical formulas that take into account parameters such as date, time, or other variables. For example, the Conficker virus used this approach to create pseudo-random domains, such as ‘fgavropgu.com’, which ensured the stability of its command-and-control infrastructure.

Another approach is based on the use of hash functions. In this case, the algorithm generates domains by calculating a hash of input data, such as strings of text or IP addresses [ 5 ]. This allows the creation of more complex and less predictable domain names that are difficult to detect. The Bamital virus used this method to create domains, for example, ‘47faeb4f1b75a48499ba14e9b1cd895a.org’, ensuring the high resilience of its infrastructure.

Another great approach is dictionary-based algorithms. In this case, a database of words that make up names is used to generate domains, making them look more natural and less suspicious to detection systems. For example, the Matsnu virus generated domains such as ‘catpeakfearinterview.com’ using this approach. This technique can significantly reduce the number of false positives from cyber defense systems [ 6 ].

DGAs are widely used to organize various types of attacks. In addition to botnets, these algorithms are used in Ransomware, which transmits encryption keys via dynamically generated domains. They are also used in phishing campaigns when the seemingly familiar look of domains helps to deceive users, which makes DGA one of the key tools in the modern arsenal of cybercriminals. Traditional methods of detecting abnormal domains are based on analyzing static characteristics of domain names and behavioral features of network traffic. One of the most common approaches is the use of blacklists that store known malicious domains. While this method is effective for combating already identified threats, it has significant limitations, as it is unable to respond to new, previously unknown DGA domains. Another approach is to use regular expressions to detect abnormal patterns in domains, such as analyzing domain name length, frequency of character usage, or non-standard structures. However, this method demonstrates limited effectiveness when dealing with modern DGAs, which can create domains with a fairly standardized look, in particular, based on dictionaries.

Behavioral methods are more adaptive to dynamic threats and are based on analyzing network traffic, DNS query frequency, domain lifecycle, and domain relationships. For example, traffic analysis systems can detect anomalous activity if a particular domain receives a significant number of simultaneous requests from many IP addresses. However, these methods also have weaknesses, as they depend on a large amount of historical data and may have a high false positive rate. As a result, traditional detection methods remain effective only for a limited range of tasks and need to be supplemented by modern approaches, including those based on artificial intelligence and machine learning models [ 7–9 ].

The introduction of artificial intelligence (AI) technologies in cybersecurity has significantly improved the efficiency of detecting dynamically generated domains (DGAs), as AI’s ability to automatically process large amounts of data and identify hidden patterns ensures high accuracy in detecting new threats that cannot be identified using static approaches [ 10 ].

One of the key areas of AI application is the analysis of the structural characteristics of domain names. In particular, machine learning algorithms allow us to identify such features as the frequency distribution of characters, domain length, morphological features, and the use of special characters. Classification models such as Random Forest or gradient boosting are used to analyze these characteristics. In addition, natural language processing (NLP) methods can detect DGA domains that mimic natural words [ 11–13 ]. In addition, domain vectorization using Word2Vec or similar tools is used to find hidden patterns in their structure.

Another important approach is modeling network traffic behavioral patterns. This method is based on the analysis of parameters such as the frequency of DNS queries, the frequency of domain accesses, and the distribution of queries by IP address. Recurrent neural networks (RNNs) and Long Short-Term Memory (LSTM) models allow for analyzing time series of traffic and identifying anomalies that may be related to DGA activity. Additionally, clustering algorithms such as k-means help to group domains by behavioral characteristics, which allows you to identify new potentially malicious groups.

Considerable attention is also paid to deep analysis based on neural networks. Deep learning models, such as autoencoders, are used to reduce the dimensionality of data and search for anomalies in the structure of domains [ 14 ]. Generative Adversarial Networks (GANs) allow to creation of synthetic data for model training, in particular, to simulate the behavior of DGA domains. In addition, transformers, which have become popular due to text data processing, are used to analyze complex dependencies in the structure of domains.

The practical implementation of such methods has already found its application in modern cyber defense systems. For example, AI-based tools are integrated into security information and event management systems (SIEM), such as Splunk or IBM QRadar. They allow analysing DNS traffic in real-time and identifying abnormal patterns. Open-source solutions, such as PyDGADetector, use TensorFlow and PyTorch libraries to create customized DGA detection models, making this approach affordable [ 15 ].

The hybrid model proposed to detect domains generated by DGA algorithms uses a combination of three key components: BiLSTM [ 17 ], Self-Attention Mechanism, and Convolutional Neural Networks (CNN) [ 18 ]. This architecture provides a multi-level analysis of input data, taking into account local, global, and the most significant features specific to the domains created by the algorithms [ 19 ].

BiLSTM is the basis of the model, which allows taking into account the context of characters in a sequence both from left to right and from right to left, which ensures the model’s ability to analyze complex patterns in domain names that cannot be analyzed by simple pattern analysis. The use of bidirectional analysis helps to take into account the relationships between characters, which increases the accuracy and reliability of the classification. In addition, BiLSTM’s retention and forgetting mechanisms allow you to focus only on the most relevant features, ignoring irrelevant information [ 20 ].

The self-focus mechanism adds to the model the ability to highlight key features in domain names. It focuses on the most relevant parts of the data, ignoring secondary elements, which reduces noise and improves classification accuracy to detect domains that include random or artificially generated sequences. The self-awareness mechanism makes the model more resilient to challenging conditions and ensures high performance in real-time data processing [ 21 ].

Convolutional Neural Networks (CNNs) perform domain structural analysis by identifying local patterns that are specific to malicious domains. This component of the model extracts information about character frequency, domain name length, and specific sequences, which allows for a better understanding of the structure of the input data. Thanks to dynamic learning, CNNs can adapt to changes in domain patterns and extract important features even from new types of data.

The data preparation process is an important step in ensuring model accuracy. Domain names undergo tokenization—breaking them down into individual characters or bigrams, allowing us to preserve the structure and relationships between the elements of the domain name necessary for model analysis. After tokenization, the data is standardized: domain names are leveled to the same length by adding zero values (padding) or trimming redundant characters [ 22 ].

Filtering is also performed: characters that are not relevant to the classification, such as rare or special characters, are removed. This process helps to reduce the dimensionality of the problem and reduces the load on the model while preserving the key characteristics of the domains [ 23 ]. This approach allows the model to receive clean and standardized data, which is the basis for successful training and accurate prediction.

The model was implemented using TensorFlow and Keras, which provide high flexibility and support for complex architectures. The model architecture is built using a modular approach that allows changing configurations, testing different parameters, and identifying the optimal ones. The model uses convolutional layers with different filter sizes that remove local features and BiLSTM that takes into account contextual dependencies. A self-awareness mechanism is integrated to focus on key sequence features.

The model is trained using the Adam optimizer, which ensures a fast and stable reduction of the loss function. Validation is performed after each epoch, and an early stopping mechanism is used to prevent overfitting. To improve performance and reduce training time, GPU computing is implemented. Thanks to this approach, the model demonstrates high performance and accuracy, which allows it to be effectively used for real-time detection of DGA domains [ 24 ].

The key metrics used to evaluate the model’s performance were accuracy, precision, completeness, and F1 indicators. These indicators are necessary to understand the strengths and weaknesses of the model in separating between positive (fraudulent) and negative (legitimate) classes.

They are calculated based on four possible outcomes: true positive (TP); false positive (FP); true negative (TN); and false negative (FN). TP corresponds to cases when the model correctly predicts a positive class. Thus, in the context of detecting fraudulent domains, this result is true when a resource is correctly identified as fraudulent and it is. FPs correspond to cases when the model incorrectly predicts a positive class. In other words, a false positive occurs when a legitimate domain is mistakenly identified as malicious. TNs are results when the model correctly predicts a negative class. A true negative result occurs when a domain is correctly detected as legitimate and is indeed so. FN are results when a negative class is incorrectly predicted. In other words, a false negative occurs when the model cannot identify a fraudulent resource and incorrectly classifies it as legitimate [ 25 ].

Accuracy is a fundamental metric that measures the overall correctness of an ML model. It quantifies the ratio of correctly predicted cases (both true positive and true negative) to the total number of instances in the dataset, as defined in formula (1). High accuracy indicates the ability of the model to make correct predictions about positive (fraudulent) and negative (legitimate) cases [ 26 ].

Accuracy = TP +TN , (1)

TP +TN + FP + FN

Accuracy measures the correctness of positive predictions made by the model. It quantifies the ratio of true positive predictions to the total number of cases predicted as positive (TP, and FP), as formulated in formula (2). Accuracy is particularly important because it measures the model’s ability to avoid misclassifying legitimate domains as malicious. A value of high accuracy means a low frequency of false positives.

Precision= TP , (2)

TP + FP

Completeness, also known as sensitivity or true positive rate, assesses the ability of a model to identify all positive cases in a dataset. It measures the ratio of true positive predictions to the total number of actual positive cases (true positive and false negative), as formulated in equation (3). A high level of completeness is crucial, as it indicates the model’s ability to detect a significant proportion of actual online threats while minimizing false negatives.

Recall= TP , (3)

TP + FN

The F1 indicator is the harmonic mean of accuracy and completeness, which provides a balanced assessment of the model’s performance, as formulated in the formula (4).

F 1= 2 × Precision × Recall , (4)

Precision+ Recall

This setting is preferred for situations where both high accuracy and completeness are required. F1 is especially necessary when striking a balance between accurately identifying fraudulent websites and minimizing false positives is crucial.

Thus, the use of the described metrics contributes to an objective assessment of the model’s performance and its ability to accurately identify classes of input data [ 27 ].

The accuracy of the model was 99.25%, which indicates a high ability of the model to correctly classify both legitimate and fraudulent domains. The precision reached 99.26%, indicating a minimum number of false positive classifications, which is important in the context of ensuring access to legitimate resources. The model’s completeness was 99.25%, demonstrating the model’s ability to detect real threats without significantly missing fraudulent domains. The F1 score, which takes into account both accuracy and completeness, was 99.25%, highlighting the model’s balance and reliability across the different types of domains shown in Fig. 4.

The learning dynamics confirm the effectiveness of the chosen architecture: throughout ten epochs, there was a steady increase in the accuracy and F1-indicator, which approached one. This indicates the model’s ability to generalize the acquired knowledge for invisible data. The graphs of training and validation metrics show that the model successfully adapts to the data, minimizing classification errors even when the test data sets are varied [ 28 ].

The study compared the hybrid model with traditional algorithms such as Random Forest, Support Vector Machines (SVM), and simple metric-based neural networks, as shown in Fig. 5. The hybrid model outperformed these approaches across all key metrics, demonstrating a significant advantage in detecting complex patterns in domain names. For example, compared to Random Forest, the model’s accuracy increased by more than 15%, and its precision and completeness exceeded the SVM’s results by 10%.

The main advantages of the hybrid model are its ability to integrate local and global data features through a combination of CNN and BiLSTM, as well as a self-focusing mechanism. This allows it to better handle uneven and non-standard domain names, which are typical for DGA. At the same time, the model is more resource-intensive due to the need to use GPUs for optimal training, which may be a limitation for use in low-power environments.

The hybrid model training process was optimized to ensure efficient use of computing resources. The model’s training time of 3 minutes and 46 seconds demonstrates its high performance (Fig. 6), even when processing large amounts of data, which allowed the model to achieve high results in a limited time, which is critical for rapid deployment in real-world systems.

Predictions on the test dataset were performed with an average time of 696 milliseconds per prediction, indicating the model’s ability to operate in real-time, demonstrating the ability to process large datasets at high speed, making it suitable for enterprise networks and critical infrastructures.