A Knowledge Distillation-Based Triple-Branch Framework for Malicious Domain Detection via Cross-Source Feature Fusion

Authors

  • Pu Huang

DOI:

https://doi.org/10.54097/97vy5h70

Keywords:

Malicious Domain Detection, Knowledge Distillation, Few-shot Learning, Cross-Source Feature Fusion, Triplet Loss, Attention Mechanism

Abstract

With the continuous expansion of internet applications, malicious domains have become a significant entry point for cyberattacks, posing severe threats to user privacy and corporate security. In practical scenarios, the limited number and complex distribution of malicious domain samples render traditional detection methods, which rely on large-scale labelled datasets, ineffective under small-sample conditions and unable to adapt to rapidly evolving attack techniques. To address this, this paper proposes a malicious domain detection model integrating knowledge distillation with tri-branch cross-source features. Designed for small-sample learning scenarios, this model comprehensively utilises domain semantic features (BERT vectors), manually derived statistical features, and SSL certificate features. It achieves deep semantic representation through branch encoders and employs attention mechanisms for adaptive weighted fusion of multi-source information. Notably, certificate features exhibit significant discriminative power between malicious and benign domains, providing structured security clues that enhance the model’s recognition of novel attack patterns. To further improve generalisation performance and deployment efficiency, this paper introduces a knowledge distillation mechanism. A pre-trained large model (RoBERTa) serves as the teacher model, guiding the student model to learn high-level semantic relationships with limited data through semantic representations and soft labels. Concurrently, Triplet Loss constraints are applied to optimise intra-class cohesion and inter-class separation within the feature space. Experimental results demonstrate that the proposed model achieves outstanding performance on balanced few-shot datasets, attaining Precision, Recall, F1, AUC, and Accuracy scores of 0.9857, 0.9988, 0.9922, 0.9968, and 0.9921 respectively, significantly outperforming conventional methods.
This research validates the effectiveness and practical feasibility of a lightweight architecture integrating knowledge distillation and cross-source features for malicious domain detection with small samples, offering novel insights for rapid deployment and continuous protection in cybersecurity systems.

Published

29-12-2025

Section

Articles

How to Cite

Huang, P. (2025). A Knowledge Distillation-Based Triple-Branch Framework for Malicious Domain Detection via Cross-Source Feature Fusion. Frontiers in Computing and Intelligent Systems, 14(3), 52-63. https://doi.org/10.54097/97vy5h70