Document Type

Article

Publication Date

2025

DOI

10.1109/OJCOMS.2025.3610784

Publication Title

IEEE Open Journal of the Communications Society

Volume

6

Pages

7823-7841

Abstract

Detecting malicious Internet domains is essential for safeguarding against various online threats. The current approach to malicious domain detection (MDD) employs a graph neural network (GNN) method, which uses DNS logs to construct heterogeneous graphs for determining the maliciousness of unknown domains. Despite its success, this method is vulnerable to data poisoning attacks where an adversary can manipulate specific graph nodes to implant a backdoor into the model during training. To showcase the vulnerability, we propose a stealthy trigger injection attack on node features and graph structure in MDD, dubbed STING. The attacker carefully manipulates selected features and edges of its nodes in the graph to create backdoor trigger patterns designed to evade detection by the MDD system, without knowing the model or other parts of the graph. Results from experiments conducted on real-world GNN-based MDD approaches show that the proposed attack is highly effective, with a success rate of over 88% in launching backdoor attacks and only a slight decrease in the model’s accuracy on legitimate domains (not exceeding 4%). Furthermore, the attack bypasses established defenses such as graph purification, adversarial training, and outlier detection, making it a major threat to the security of MDD systems. This study serves as a warning and stresses the importance of continuous vigilance and proactive efforts by both researchers and security experts to secure GNN-based MDD systems and maintain their trustworthiness and stability.

Rights

© 2025 The Authors.

This work is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) License.

Original Publication Citation

Anan, M., Nazzal, M., Khreishah, A., Khalil, I., Phan, N., & Sawalmeh, A. (2025). STING: A stealthy backdoor attack on GNN-based malicious domain detection via DNS perturbations. IEEE Open Journal of the Communications Society, 6, 7823-7841. https://doi.org/10.1109/OJCOMS.2025.3610784

ORCID

0000-0003-3375-0310 (Nazzal)
