Hostnames as an Injection Surface: Scaling Detection with Geometry

The Problem: Obfuscation vs. Latency
Hostnames are attacker-controlled strings processed by DNS resolvers, logging frameworks, and template engines. Attackers know that strict string matching is easy to evade.

A simple payload, like the one shown here on the left, can be mutated into thousands of valid variants using nested expansions, homoglyphs, and encoding layers, as shown on the right.
We categorized these threats into three distinct classes:
- Parser/Template Ambiguity (PA): Fragments executing as code (e.g., Log4Shell).
- Trust-Boundary Confusion (TB): Hijacking password reset flows via Host header manipulation.
- Downstream Execution (DE): Triggering SSRF or RCE via internal APIs.
To detect these without slowing down traffic, we moved away from regex and token matching entirely. Instead, we asked: What is the geometric shape of an attack?
The Architecture: Contrastive Cone Divergence (CCD)
CCD is built on two co-designed components: a Class-Aware Encoder that maps strings to a unit sphere, and a Geometric Scorer that partitions that sphere into "cones" to calculate risk.

Overview of the hostname-injection detector. Hostnames are encoded into unit-vector embeddings, summarized as sparse “cone sketches” over a fixed angular partition of the embedding sphere, and scored by comparing cross-entropy to a benign baseline versus the closest malicious-family prior. High scores indicate hostnames that are both unlikely under benign traffic and structurally similar to at least one learned malicious family.
1. CAHO: Learning Obfuscation-Stable Embeddings
Class-Aware Hostname Obfuscation (CAHO) training. Benign hostnames are augmented with mild, structure-preserving transforms to reflect natural variability, while malicious hostnames are obfuscated using attacker-style transformations (e.g., encoding/escaping/confusables). Contrastive learning pulls together each sample and its class-appropriate variants (positives) while pushing apart samples from the opposite class (negatives), producing embeddings that are stable under malicious obfuscation without collapsing benign diversity.
Standard contrastive learning pushes different samples apart. In security, however, an attack and its obfuscated variant (e.g., curl vs. c${lower:u}rl) share the same semantic intent. If we push them apart, we lose the signal.
We developed Class-Aware Hostname Obfuscation (CAHO). During training, we subject malicious samples to aggressive "obfuscation orbits"—generating rich variations of attacks—while keeping benign samples relatively stable. This forces the model to learn an embedding space where:
- Attack variants collapse: The vector for a raw attack and its highly obfuscated cousin map to nearly the same point.
- Benign samples disperse: Normal traffic retains its natural structural diversity.
The result is a geometric manifold where attacks form tight, dense clusters, while benign traffic spreads out. This reduces intra-class embedding variance by 4.6× compared to standard contrastive learning.

Representation quality in embedding space. Nearest-neighbor distance distributions compare benign and malicious neighborhoods under different encoding/learning strategies. CAHO yields lower class overlap (better separation) by reducing within-class variance for obfuscated malicious variants while preserving benign structure, improving both open-set detection and family-level discrimination.
2. The Scorer: Neyman–Pearson Optimality

Geometric interpretation of CCD scoring. The first term measures how surprising a query’s cone sketch is under the benign baseline (open-set “weirdness”), while the second term measures how well it matches the closest malicious-family prior (closed-set “fit”). The score gap S(u) increases when a hostname is both benign-atypical and malicious-like, enabling a simple threshold decision (e.g., S(u) > 0).
Once mapped to the sphere (Sᵈ⁻¹), we don't just measure Euclidean distance. We partition the sphere into thousands of angular regions, or "cones".
For every query, we calculate the Contrastive Cone Divergence score. This score compares how well the query matches the "benign baseline" distribution versus known "malicious priors" (clusters of known attack types).
Mathematically, this score implements the Generalized Likelihood-Ratio Test (GLRT). This is significant because, under the Neyman–Pearson lemma, the GLRT is the optimal statistical test for deciding between two hypotheses at a fixed false-positive rate. By grounding our scoring in this theorem, we ensure that for a given error budget (e.g., 1 false alarm in 10,000), we are achieving the maximum possible detection power.

Operating-point behavior under fixed false-positive constraints. Empirical results show that thresholding the likelihood-ratio-shaped CCD score tracks target false positive rates while improving power (true positive rate) as the operating point is adjusted. This supports the interpretation of CCD as a statistically principled test once the cone-sketch statistic is fixed.
Privacy-First Training: No Tenant Data Required
A major hurdle in security ML is privacy. Training on production logs risks leaking PII or sensitive tenant identifiers.
CCD was designed to be privacy-native. We train exclusively on synthetic data generated via expert-curated taxonomies and LLMs, combined with aggregated, privacy-safe statistics from benign traffic. We do not use raw tenant data for training.

Impact of distribution matching on the synthetic-to-real gap. By adjusting our synthetic data to match certain statistical metrics of real data (like TLD diversity or median hostname length), we can improve our downstream model’s detection accuracy without relying on real, privacy-sensitive data from our tenants/customers. By looking at only 3 statistics, we are able to halve the gap between models trained on synthetic data and models trained on real data.
Does synthetic training hurt accuracy? Surprisingly, not as much as we originally thought:
- Real-Data Training: 93.5% True Positive Rate (TPR).
- Synthetic-Only Training: 91.1% TPR.
The gap is only 2.4 percentage points. This allows us to deploy powerful models without ever exposing sensitive customer data to the training pipeline.
Certified Robustness
In security, "it works most of the time" isn't good enough. We need guarantees. CCD introduces Instance-Level Robustness Certificates.
Because our embedding space is mathematically bounded (Lipschitz continuous), we can calculate exactly how much an edit to the input string moves the vector. We combine deterministic margins with randomized smoothing to certify that a detected attack will remain detected even if the attacker applies up to K DNS-legal edits (insertions, deletions, casing swaps).
We achieve 98% certification coverage at edit budget K=6. This moves us from probabilistic detection to certified robustness against adaptive adversaries.
Results: Speed and Accuracy
We evaluated CCD on more than 15.6 million hostnames from 743 organizations over a 22-month period. The performance metrics highlight why geometric approaches are the future of edge security:
- Accuracy: CCD achieves 93.5% TPR at a strict false-positive rate of 10⁻⁴.
- Latency: Median inference time is 601 µs. This is compatible with workloads handling tens of millions of queries.
- Efficiency: CCD matches the accuracy of LLM-scale models while being 100–1000× faster and requiring bounded memory rather than memory that scales with tenant size.

Accuracy and latency comparison across detector families. Left: change in true positive rate at a fixed operating point (ΔTPR @ FPR = 10⁻⁴) relative to the CCD baseline (negative values indicate worse-than-CCD detection), grouped by model class: locally deployed LLM classifiers, BERT-based URL encoders, CNN-based URL/host models, one-class deep anomaly detectors, sentence-embedding + classical detectors, and classical character n-gram TF-IDF models. Right: median per-item evaluation latency on a log scale (lower is faster). CCD matches LLM-level detection accuracy within confidence intervals while running ~10²–10³× faster. Error bars show 95% bootstrap confidence intervals over n = 743 tenants.
As shown above, CCD consistently dominates the speed-accuracy Pareto frontier, outperforming deep learning baselines (Deep SAD, URLNet) by 6–8 percentage points while running orders of magnitude faster than Transformers.
Surviving Shift: Robustness Across Time and Tenants
One of the most painful challenges in deploying ML at the edge is Drift. In a multi-tenant environment, the distribution of "benign" traffic is never static. It shifts across two axes:
- Temporal Drift: Traffic patterns change over weeks or months due to seasonal events or API updates.
- Domain (Data) Drift: Every tenant is unique. A model trained on e-commerce traffic might fail miserably when deployed to a SaaS API gateway because the structural "vocabulary" of their hostnames differs.
Deep learning models typically require expensive, frequent retraining to handle these shifts. If they don't get it, they "rot" — their decision boundaries become misaligned, leading to false positives.
CCD solves this by decoupling the representation (the fixed embedding space) from the calibration (the benign prior, P_B).
1. Temporal Drift: Zero Degradation Over 5 Months
We evaluated "Frozen" models versus models using our adaptive calibration strategy over a 5-month horizon. The results were stark.

Over a 5-month period, traditional models "rot" as traffic patterns change (lines sloping down). CCD (black line) maintains near-perfect detection stability by simply updating the benign prior (P_B)—a cheap, CPU-only operation.
While classical ML models (like TF-IDF) and standard deep learning models (like One-Class SVMs) showed moderate to severe decay in True Positive Rate (TPR) as time went on, CCD maintained a near-zero degradation slope through the entire window. By simply updating the "Benign Prior"—a cheap streaming pass that re-counts how benign traffic lands in our cone partition—CCD stays effective without touching the core neural weights.
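A toy version of the cross-entropy score gap from the scorer section and of the benign-prior re-count described here, added as an example and not the authors' code. The 3-D embeddings, six axis-aligned cones, softmax sketch, Laplace smoothing, and family names are all assumptions; the page gives neither the encoder nor the exact score formula.

```python
import math
from collections import Counter

# Constructed 6-cone partition of the unit sphere in 3-D (assumption: a real
# deployment uses a learned encoder and thousands of cones).
AXES = [(1, 0, 0), (-1, 0, 0), (0, 1, 0), (0, -1, 0), (0, 0, 1), (0, 0, -1)]

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return tuple(x / n for x in v)

def cosines(u):
    return [sum(a * b for a, b in zip(u, ax)) for ax in AXES]

def cone_sketch(u, top_m=2, temp=0.1):
    """Sparse sketch: softmax weights over the top_m cones nearest in angle."""
    sims = cosines(u)
    top = sorted(range(len(AXES)), key=lambda i: sims[i], reverse=True)[:top_m]
    z = sum(math.exp(sims[i] / temp) for i in top)
    return {i: math.exp(sims[i] / temp) / z for i in top}

def cone_prior(embeddings, alpha=1.0):
    """Re-count where embeddings land; Laplace smoothing keeps log() finite."""
    counts = Counter()
    for e in embeddings:
        sims = cosines(unit(e))
        counts[sims.index(max(sims))] += 1
    total = len(embeddings) + alpha * len(AXES)
    return [(counts[i] + alpha) / total for i in range(len(AXES))]

def cross_entropy(sketch, prior):
    return -sum(w * math.log(prior[i]) for i, w in sketch.items())

def ccd_score(u, benign_prior, family_priors):
    """Benign surprise minus fit to the closest malicious family; flag if > 0."""
    q = cone_sketch(unit(u))
    fit = min(cross_entropy(q, p) for p in family_priors.values())
    return cross_entropy(q, benign_prior) - fit

# Constructed embeddings standing in for encoder output; family names are hypothetical.
FAMILIES = {"family_a": cone_prior([(0, 0.1, 1)] * 30),
            "family_b": cone_prior([(-1, 0, 0.1)] * 30)}
P_B_OLD = cone_prior([(1, 0.1, 0)] * 40 + [(0.1, 1, 0)] * 40)
P_B_NEW = cone_prior([(0.1, -1, 0)] * 80)   # new tenant's benign window
ATTACK, DRIFTED_BENIGN = (0.05, 0.1, 1), (0, -1, 0.1)

if __name__ == "__main__":
    for name, u in [("attack", ATTACK), ("drifted benign", DRIFTED_BENIGN)]:
        print(name, round(ccd_score(u, P_B_OLD, FAMILIES), 2),
              round(ccd_score(u, P_B_NEW, FAMILIES), 2))
```

With the old prior, the drifted benign embedding scores above zero, which is a drift-induced false positive. After the re-count it drops below zero while the attack embedding stays flagged, with the malicious priors and the stand-in embeddings unchanged.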
2. Domain Drift: Adapting to New Tenants
The same mechanism protects against Data Drift when moving between organizations. We categorized tenants by how different their traffic was from our training set (using Jensen–Shannon divergence).
As the divergence increased—meaning the new tenant looked nothing like our training data—convolutional neural networks and one-class models degraded rapidly. CCD, however, maintained the shallowest degradation slope. Because the geometry of attacks (the "tight clusters") remains constant, CCD only needs to learn the new "shape" of the benign traffic to maintain high accuracy.

As we deploy for tenants that look increasingly different from our training data, CCD maintains its accuracy significantly better than Convolutional Neural Networks (URLNet) or BERT-based encoders.
The Operational Advantage: 40 Seconds vs. 9 Hours

Wall-clock time on a single CPU core to adapt each model to a new 2-week benign window. CCD only needs to process the new P_B window (10^5 hostnames), whereas DomURLs_BERT and URLNet retrain or fine-tune on the full benign corpus (~10^8 hostnames) with no cached embeddings, re-embedding the dataset and updating model parameters and thresholds. Times are order-of-magnitude estimates based on typical CPU throughput for MiniLM, BERT-like transformers, and character-level CNNs, and highlight CCD's substantially lower adaptation cost.
The difference in maintenance cost is orders of magnitude. As shown in our benchmarks, adapting a BERT-based URL model to a new window of traffic required approximately 9 hours of fine-tuning.
Adapting CCD to that same window took just 40 seconds on a single CPU core.
This capability transforms the operational lifecycle of the detector. Instead of a monthly "retraining fire drill," CCD allows for a "set it and forget it" reliability profile. We can recalibrate the system per-tenant in seconds to account for both time and data shifts, keeping the True Positive Rate flat without the overhead of constant model retraining.
Conclusion
Hostnames are a deceptively complex attack surface. By treating them as a geometric problem rather than a pattern-matching one, CCD delivers a detector that is robust to obfuscation, mathematically optimal, and fast enough for the modern edge.
