Gravity Falls: A Comparative Analysis of Domain-Generation Algorithm (DGA) Detection Methods for Mobile Device Spearphishing

from arxiv, Disclaimer: The views expressed are those of the authors and do not necessarily reflect the official policy or position of the U.S. Department of Defense or the U.S. Government. References to external sites do not constitute endorsement. Cleared for release on 24 FEB 2026 (DOPSR 26-T-0771). Gravity Falls Dataset DOI: 10.5281/zenodo.17624554

Mobile devices are frequent targets of eCrime threat actors through SMS spearphishing (smishing) links that leverage Domain Generation Algorithms (DGA) to rotate hostile infrastructure. Despite this, DGA research and evaluation largely emphasize malware C2 and email phishing datasets, leaving limited evidence on how well detectors generalize to smishing-driven domain tactics outside enterprise perimeters. This work addresses that gap by evaluating traditional and machine-learning DGA detectors against Gravity Falls, a new semi-synthetic dataset derived from smishing links delivered between 2022 and 2025. Gravity Falls captures a single threat actor's evolution across four technique clusters, shifting from short randomized strings to dictionary concatenation and themed combo-squatting variants used for credential theft and fee/fine fraud. Two string-analysis approaches (Shannon entropy and Exp0se) and two ML-based detectors (an LSTM classifier and COSSAS DGAD) are assessed using Top-1M domains as benign baselines. Results are strongly tactic-dependent: performance is highest on randomized-string domains but drops on dictionary concatenation and themed combo-squatting, with low recall across multiple tool/cluster pairings. Overall, both traditional heuristics and recent ML detectors are ill-suited for consistently evolving DGA tactics observed in Gravity Falls, motivating more context-aware approaches and providing a reproducible benchmark for future evaluation.

翻译：移动设备常成为网络犯罪威胁行为者通过短信鱼叉式网络钓鱼（smishing）链接的攻击目标，这些链接利用域名生成算法（DGA）轮换恶意基础设施。尽管如此，DGA的研究与评估主要聚焦于恶意软件C2和电子邮件钓鱼数据集，对于检测器在企业边界外如何有效泛化至smishing驱动的域名策略，现有证据有限。本研究通过评估传统与基于机器学习的DGA检测器在Gravity Falls数据集上的表现来填补这一空白——该数据集为2022年至2025年间捕获的smishing链接衍生的新型半合成数据集。Gravity Falls记录了一个威胁行为者在四个技术集群中的演进过程：从短随机字符串逐步转向字典拼接及主题组合抢注变体，这些技术被用于凭证窃取与费用/罚款欺诈。研究采用两种字符串分析方法（香农熵与Exp0se）和两种基于机器学习的检测器（LSTM分类器与COSSAS DGAD），并以Top-1M域名作为良性基线进行评估。结果显示出强烈的策略依赖性：检测器在随机字符串域名上表现最佳，但在字典拼接和主题组合抢注域名上性能下降，且多个工具/集群配对的召回率较低。总体而言，无论是传统启发式方法还是近期机器学习检测器，均难以适应Gravity Falls中观察到的持续演变的DGA策略，这推动了对更具情境感知能力方法的需求，并为未来评估提供了可复现的基准。