To sustain their criminal activity, operators of botnets often employ so-called Domain Generation Algorithms (DGAs) that rotate Command and Control (C2) domains at great pace. Blocking or seizing such dynamic and random-looking C2 domains is a major challenge for cyber defenders and law enforcement agencies. On any given day, botnet operators use a particular DGA, the time period and a unique input seed to determine which domain name they need to register to facilitate C2 communications with malware-infected computers. Defenders typically cannot identify such C2 domains until they get the chance to analyze live traffic (e.g. in a sandbox). By that point, the criminals will likely have registered the C2 domain for that day and already gained or maintained control over their botnet.
DGAs exploit an economic asymmetry: criminals need to register only one of the programmatically possible C2 domains to maintain control of their botnet, while defenders must gain control of every potential C2 domain that might come out of that DGA on any given day, not just the small number of C2 domains that criminals actually register. A single domain registration (or a small number of them) suffices for the criminals because each bot will typically cycle through all of the possible C2 domains until it manages to connect to a valid C2 server.
Most of the top global malware-based threats utilize such DGA schemes to make their C2 infrastructure resistant to takedown.
DGA Detective determines whether a given domain name was created by a DGA by means of automated binary classification. The classification methodology relies on training a Temporal Convolutional Network (TCN); the tool has been trained on a large dataset of DGA domains and benign domains supplied by the Shadowserver Foundation. DGA Detective is distributed as a Python package and as a Docker container. It can classify domains offline (through a command line interface) or online (through an API).