HyperDGA: Comprehensive Learning of High-Order and Global Semantic Associations for DGA Botnet Detection

Domain Generation Algorithm(DGA) is widely used by botnets to evade detection by generating numerous pseudo-random domains to communicate with commandandcontrol servers. While existing Graph Neural Networks attempt to detect DGA botnets by exploiting the feature similarity of these domains to model semantic associations via similarity graphs, they are restricted to binary relationships, causing information decay during multi-hop propagation. To overcome this, we propose HyperDGA. Treating domains as nodes, HyperDGA utilizes K Nearest Neighbors to construct hyperedges, explicitly capturing high order group semantic correlations. Subsequently, a Local Topology Aggregation module employs multi-head node attention-based hypergraph convolution to dynamically assign distinct aggregation weights to intra hyperedge nodes, extracting fine-grained structural features. To mitigate the limited receptive field of hypergraph convolutions, a Global Node Association module integrates the selective state space model, Mamba, to capture long-range dependencies across all nodes. Experiments on two public datasets demonstrate that HyperDGA outperforms all baselines and achieves over 99% accuracy, validating the efficacy of high-order semantic modeling for DGA botnet detection.