Domain Generating Algorithm Detector

machine-learning, python

A Domain Generating Algorithm (DGA) is a program or subroutine that supplies malware with new domain names on demand or on the fly. Every bot in a given botnet ships with the same DGA.

The advantage of a DGA botnet is that even if the C&C server's domain is detected and all connections to that address are blocked, the botnet is not eliminated. The botmaster simply registers a new address from the generated domain set and the bots keep operating as normal. This strategy improves the robustness of the botnet: even when one or more C&C servers are located and taken down, the bots eventually reach the relocated C&C server through DNS queries to the next set of automatically generated domains. Well-known DGA botnets include Conficker and Kraken; each has its own domain generation algorithm that produces its list of candidate C&C domains.
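The detection side of the mechanism described above, as an added illustration that is not the project's own code: a few lexical features of a domain's registrable label (Shannon entropy, vowel and digit ratios, longest consonant run) computed over constructed sample domains and combined with hand-picked thresholds. The suffix table and the thresholds are assumptions; a trained classifier would learn them from labelled data.

```python
import math
from collections import Counter

# Constructed sample domains (illustrative only, not real indicators).
BENIGN = ["google.com", "wikipedia.org", "stackoverflow.com", "bbc.co.uk"]
DGA_LIKE = ["xqzvkjtrpwmf.com", "a9f3kd02lq8z.net", "bcdfghjklmnpqrs.org"]

# Assumption: a tiny public-suffix table stands in for a real one.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'bbc' for bbc.co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character; uniform random labels approach log2(alphabet)."""
    n = max(len(s), 1)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def features(domain: str) -> dict:
    label = registrable_label(domain)
    n = max(len(label), 1)
    run = longest = 0
    for ch in label:  # longest consonant run, a proxy for unpronounceability
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        longest = max(longest, run)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "max_consonant_run": longest,
    }

def dga_score(domain: str) -> int:
    """Number of illustrative thresholds the label trips (0..4)."""
    f = features(domain)
    return sum([f["entropy"] > 3.2, f["vowel_ratio"] < 0.2,
                f["digit_ratio"] > 0.2, f["max_consonant_run"] >= 5])

def is_dga_like(domain: str, min_score: int = 2) -> bool:
    # Requiring two signals keeps long but readable names like
    # stackoverflow.com (high entropy only) from being flagged.
    return dga_score(domain) >= min_score

def flag_dga_like(domains: list) -> list:
    return [d for d in domains if is_dga_like(d)]
```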