6 comments

[ 613 ms ] story [ 1862 ms ] thread

    # I'm SURE there's a better way to store all the counts but not sure...
I'm seeing the progress with which this comment came to life.
If the goal is to actually detect DGA activity vs just playing around with data, check out https://www.usenix.org/conference/usenixsecurity12/technical... for a much more effective approach.

The key difference is the use of sets of (NXDomain) domains vs single domains. With a few additonal features, the boost in signal is sufficient to allow classification as individual DGAs with essentially no false positives.

The project discussed in this paper requires having access to all of the passive DNS data in an entire ISP's network, which isn't that practical for many researchers.

OP's machine learning is arguably even more impressive, because it has a decent success rate based entirely on open source data and the domain names themselves, with no other corroborating information (like a NXDOMAIN response).

You only need large quantities of pDNS data for the discovery portion. For classification all you need are collections of domains produced by the same algorithm ( which are readily available for the widely-known DGAs.) The domains being NX isn't so much corroboration as fundament -- the NX-producing search over multiple domains is the observable behavioral distinction between AGD vs static C&C discovery.

(I've worked with both Antonakakis and Yadav, and implemented the production version of Damballa's AGD classifier as per Antonakakis).

I've always thought that this would be the way to do it. Run a smart DNS proxy/server that does pattern matching on the DNS query/response traffic using both traffic profile and query contents as features, then when you see something that matches for a given time window, stop service for that client and complain.
That said, cool notebook!