CL-GAN: A GAN-based continual learning model for generating and detecting AGDs

Bibliographic details
Published in: Computers & security 2023-08, Vol.131, p.103317, Article 103317
Main authors: Ren, Yimo, Li, Hong, Liu, Peipei, Liu, Jie, Zhu, Hongsong, Sun, Limin
Format: Article
Language: eng
Online access: Full text
Description
Summary:
• A joint model based on GAN is proposed to generate and detect AGDs.
• The paper designs the generator for AGDs based on a T5 model with specifically built prompt noises.
• Using knowledge distillation, CL-GAN can continue to learn to generate and detect the AGDs from new DGA families.

Botnets often use Domain Generation Algorithms (DGAs) to generate lots of Algorithmically Generated Domains (AGDs), which seem real, to hide their attacks. So, knowing the DGAs is very helpful for the precise and fast detection of AGDs, which is essential for network security. However, the detection of AGDs still needs further improvement due to existing problems. First, various DGAs change at any time, bringing the need for models to quickly fit the patterns of new DGAs. Second, the mechanisms of different DGAs are divergent. Therefore, models need a strong ability to learn the DGAs well. Third, most AGDs are blind to people, so models trained on available data have difficulty achieving generalized detection ability. To solve these problems, the paper proposes CL-GAN: A GAN-based Continual Learning Model for Generating and Detecting AGDs. CL-GAN is based on Generative Adversarial Networks (GAN) and includes three parts: a Generator to learn the DGAs, a Discriminator to detect the AGDs and a Teacher to provide existing learned knowledge. Further, CL-GAN also constructs prompt noises to enhance the Generator's ability to generate AGDs. The paper conducts experiments on the domains from 360DGA and Alexa Top 1M. Compared with existing models, the results show the generality and effectiveness of CL-GAN and its life-long ability to detect AGDs.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2023.103317