DomURLs_BERT: Pre-trained BERT-based Model for Malicious Domains and URLs Detection and Classification
摘要
Detecting and classifying suspicious or malicious domain names and URLs is a fundamental task in cybersecurity. To leverage such indicators of compromise, cybersecurity vendors and practitioners often maintain and update blacklists of known malicious domains and URLs. However, blacklists frequently fail to identify emerging and obfuscated threats. Over the past few decades, there has been significant interest in developing machine learning models that automatically detect malicious domains and URLs, addressing the limitations of blacklist maintenance and updates. In this paper, we introduce DomURLs_BERT, a pre-trained BERT-based encoder adapted for encoding domain names and URLs. DomURLs_BERT is pre-trained using the masked language modeling objective on a large multilingual corpus of URLs, domain names, and domain generation algorithms (DGA) dataset. We fine-tune DomURLs_BERT on several binary and multi-class classification tasks involving domain names and URLs, covering phishing, malware, DGA, and DNS tunneling. The evaluation results show that the proposed encoder outperforms state-of-the-art character-based deep learning models and cybersecurity-focused BERT models across multiple classification tasks and datasets, achieving accuracies of 99.11%, 98.80%, 98.98%, 98.51%, 100%, and 99.80% for binary classification on the UMUDGA, UTL_DGA, DNS Tunneling, Grambedding, LNU_Phish, and PhiUSIIL datasets, respectively. The pre-training dataset, DomURLs_BERT encoder, and source code for experiments are publicly available at https://github.com/AbdelkaderMH/DomURLs_BERT.