DGA Detection

Goal

Detects network traffic directed to domains generated by a domain generation algorithm (DGA).

This is meant to detect traffic from infected machines to command-and-control (C2) infrastructure.

Description

This is a deep learning model implemented using Keras with TensorFlow as the compute backend. More concretely, it is an attention-based text classifier of the kind used for sentiment analysis that, given a domain, produces the probability of it having been generated by a DGA.

Characteristics

Name
DGA Detection

Data involved

For this use case we use Netskope data that includes URLs of any kind. More concretely, we analyse the following fields:

  • netskope.events.url

  • Netskope.alerts.url

One thing to note is that we only use the domain itself, excluding the subdomain and the TLD from the analysis. We exclude the subdomain because many legitimate domains use DGA-style (algorithmically generated) subdomains, e.g., “fhbfyuer.instances.aws.com”. We exclude the TLD because DGA algorithms are independent of the TLD.

Alert Generation

It can generate two different types of alert depending on the model output:

  1. Medium alert with confidence 60.

  2. High alert with confidence 90.

Both alerts are generated depending on the model's confidence that the provided URL is DGA generated.
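The two steps above that sit around the model (reducing a Netskope URL to the single domain label the classifier sees, and turning the model's probability into one of the two alert levels) are illustrated here as an added example; it is not the page's own code and it does not include the Keras model. The public-suffix set and the sample URLs are constructed for the example, and the 0.6 and 0.9 score cut-offs are an assumption: the page gives the alert confidences but not the exact thresholds. A real deployment would use the full Public Suffix List (for instance via the `tldextract` package), since suffixes such as `co.uk` span more than one label.

```python
"""Added example (not the page's code): prepare Netskope URL fields for a DGA
classifier the way the page describes (domain label only, subdomains and TLD
stripped) and map the model's (0, 1) output to the page's two alert levels."""

from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List.
# Multi-label suffixes matter: for "example.co.uk" the label to analyse is
# "example", not "co", so both "uk" and "co.uk" are listed.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "uk", "co.uk", "org.uk", "com.au"}


def registered_label(url: str) -> Optional[str]:
    """Return the domain label directly left of the public suffix, or None.

    This is the part of the hostname the page's model actually scores:
    subdomains (often legitimately algorithmic) and the TLD are dropped.
    """
    # The Netskope url fields may carry a bare host or a full URL; normalise both.
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    # IP literals have no domain label to analyse.
    if all(label.isdigit() for label in labels):
        return None
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is matched before "uk".
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return labels[n - 1]
    return None


def alert_level(probability: float) -> Optional[Tuple[str, int]]:
    """Map the model's probability to (severity, confidence) or None.

    Assumption: scores >= 0.9 raise the High alert (confidence 90) and
    scores >= 0.6 raise the Medium alert (confidence 60); the page does
    not state the cut-offs.
    """
    if probability >= 0.9:
        return ("High", 90)
    if probability >= 0.6:
        return ("Medium", 60)
    return None


def triage(url: str, score_fn) -> Optional[dict]:
    """Run the preprocessing and alert mapping around any scoring function.

    score_fn stands in for the Keras model: it takes the domain label and
    returns a probability in (0, 1).
    """
    label = registered_label(url)
    if label is None:
        return None  # nothing for the model to score (IP literal, bad host)
    probability = score_fn(label)
    return {"url": url, "label": label, "probability": probability,
            "alert": alert_level(probability)}


if __name__ == "__main__":
    # Constructed sample values, including the page's own subdomain example.
    # The stand-in scorer just flags labels with no vowels as suspicious.
    def toy_scorer(label: str) -> float:
        return 0.95 if not any(c in "aeiou" for c in label) else 0.05

    for sample in ["https://fhbfyuer.instances.aws.com/login",
                   "xk3jq9zpw.net:443",
                   "http://10.0.0.5/",
                   "example.co.uk"]:
        print(triage(sample, toy_scorer))
```

Note that the page's example `fhbfyuer.instances.aws.com` reduces to `aws`, which is exactly why the subdomain is excluded: scoring the whole hostname would flag a legitimate cloud host. The IP-literal case returns `None` rather than an empty label so that such events are skipped instead of being scored as a very short domain.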

Raw outputs of the model

A float value in the range (0, 1) that indicates the probability of the input being a DGA-generated domain.
