A master's thesis from Aalborg University
A Literature Review of GNN within the field of Cybersecurity

Author

Term

4th semester

Publication year

2023

Submitted on

Pages

22

Abstract

The Domain Name System (DNS) is central to the Internet, but its decentralized, trust-based structure makes it vulnerable to abuse, including spoofing, fast flux and domain generation algorithms. This thesis presents a concise literature review of how graph neural networks (GNNs) are applied to detect malicious domains in DNS data. The overarching research question is: How are GNNs currently used to support the detection of malicious domains? The review maps 16 publications and provides the necessary background on DNS, machine learning, GNNs and data enrichment. The focus is on design choices when modelling DNS as graphs (e.g. domains and name servers as nodes and queries as edges), the choice of attributes from DNS traffic, learning paradigms (supervised and hybrid approaches), enrichment of data with context, and challenges with ground truth (e.g. blacklists with varying coverage). The literature indicates that GNNs can exploit relationships across the decentralized DNS infrastructure and have shown promising robustness against poisoned data and advanced evasion techniques, but accuracy, generalization and data quality remain central challenges. The work reports no new experimental results; instead it synthesizes existing knowledge, highlights improvements in models over time, and outlines practical considerations and open problems for the design of GNN-based anomaly detection pipelines for DNS.

The Domain Name System (DNS) underpins the Internet, yet its decentralized, trust-based design exposes it to abuse such as spoofing, fast flux, and domain generation algorithms. This thesis offers a concise literature review of how graph neural networks (GNNs) are applied to detect malicious domains in DNS data. The central research question is: How are GNNs currently used to aid malicious domain detection? The review maps 16 publications and provides background on DNS, machine learning, GNNs, and data enrichment. It examines key design choices for modeling DNS as graphs (e.g., domains and resolvers as nodes and queries as edges), feature selection from DNS traffic, learning paradigms (supervised and hybrid approaches), enrichment with contextual signals, and ground-truth challenges (e.g., blacklist coverage and bias). Prior work indicates that GNNs can leverage relationships across the decentralized DNS and show promise against poisoned data and sophisticated evasion, while accuracy, generalization, and data quality remain open challenges. The study does not present new experiments; instead, it synthesizes the state of the art, highlights model improvements reported in the literature, and outlines practical considerations and open issues for designing GNN-based DNS anomaly detection pipelines.

[This summary has been generated with the help of AI directly from the project (PDF)]