Overview
During a post-incident review at a European defence contractor, analysts pulled DNS logs from an endpoint that had been beaconing for eleven days without triggering any signature-based alert. The queried domains looked random: xqrztmfblp[.]net, apqwdcvkjh[.]com, lmntbxqrpz[.]org. Each resolved, then rotated, then resolved again. The pattern was unmistakable to a DGA analyst, but no blocklist had caught it. DGA Detective would have flagged the first query within milliseconds, classifying the pattern as a Dridex variant with 0.97 confidence.
Domain Generation Algorithms are used by malware to periodically generate thousands of potential command-and-control domain names. An infected host queries them until one resolves, evading static blocklist defences entirely. Argus integrates DGA Detective to automate DGA classification of domains surfaced in Suricata alerts, MISP feeds, and sandbox analysis results, turning suspicious DNS activity into decisive verdicts that analysts can act on immediately.
Key Features
Per-Domain ML Analysis
Submit any domain name to analyzeDgaDomain and Argus queries the DGA Detective service for a probabilistic classification. The result includes an is_dga boolean, confidence score (0.0 to 1.0), detected DGA family name where matched, and an array of feature scores covering n-gram entropy, vowel-consonant ratio, digit density, and domain length. These features let analysts understand why a domain was classified as DGA rather than presenting an opaque verdict they cannot challenge or explain to a decision-maker.
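As an added illustration of the feature scores listed above, the block below computes the same lexical measures (character n-gram entropy, vowel-consonant ratio, digit density, label length) over a few constructed domains, including the three from the incident narrative. It is not DGA Detective's code: the service's model and exact feature definitions are not given on this page, so the threshold rule here is a stand-in assumption, and the "second-to-last label" rule replaces a real public-suffix list.

```python
import math
from collections import Counter

# Constructed sample input: the three defanged names from the narrative above,
# re-fanged for parsing, plus ordinary human-readable domains for contrast.
SAMPLE_DOMAINS = [
    "xqrztmfblp.net",
    "apqwdcvkjh.com",
    "lmntbxqrpz.org",
    "example.com",
    "mail.google.com",
    "wikipedia.org",
]

VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Return the label just left of the TLD.

    Assumption: a plain second-to-last-label rule is used instead of a public
    suffix list; it is adequate for the sample data but not for e.g. co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def ngram_entropy(s: str, n: int = 2) -> float:
    """Shannon entropy in bits over the distribution of character n-grams."""
    grams = [s[i:i + n] for i in range(len(s) - n + 1)]
    if not grams:
        return 0.0
    counts = Counter(grams)
    total = len(grams)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def vowel_consonant_ratio(s: str) -> float:
    """Vowels divided by consonants; pronounceable names sit well above 0."""
    letters = [ch for ch in s if ch.isalpha()]
    consonants = sum(1 for ch in letters if ch not in VOWELS)
    vowels = len(letters) - consonants
    return vowels / consonants if consonants else float(vowels)


def digit_density(s: str) -> float:
    """Fraction of characters that are digits."""
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0


def extract_features(domain: str) -> dict:
    """Feature vector for one domain, rounded for readability."""
    label = registrable_label(domain)
    return {
        "domain": domain,
        "length": len(label),
        "bigram_entropy": round(ngram_entropy(label, 2), 3),
        "vowel_consonant_ratio": round(vowel_consonant_ratio(label), 3),
        "digit_density": round(digit_density(label), 3),
    }


def heuristic_is_dga(features: dict) -> bool:
    """Toy threshold rule (an assumption for illustration, not the DGA
    Detective classifier): long labels with almost no vowels or with many
    digits are flagged."""
    return features["length"] >= 8 and (
        features["vowel_consonant_ratio"] < 0.3 or features["digit_density"] > 0.3
    )


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = extract_features(d)
        print(f, "->", "DGA" if heuristic_is_dga(f) else "clean")
```

The point of exposing the per-feature values, as the page notes, is explainability: an analyst can see that xqrztmfblp has a vowel-consonant ratio of 0.0 and maximal bigram entropy, whereas wikipedia scores as a pronounceable word, and can defend the verdict on that basis.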
DGA Family Identification
Where the detected DGA pattern matches a known malware family's domain generation algorithm, the family field identifies it: Dridex, Emotet, Qakbot, Conficker, and others, including custom unnamed families. Family identification enables direct correlation with existing threat intelligence and points analysts toward applicable response playbooks without requiring manual research.
Batch Analysis and Inventory
Query all previously analysed domains via dgaDetectiveResults with optional filtering by is_dga status. This supports bulk analysis workflows where DNS query logs from a sensor are submitted and the DGA-positive subset is extracted for further investigation, separating confirmed C2 candidates from clean traffic quickly.
Clearance-Filtered Results
Domain analysis results carry secrecy_level tags, supporting classified network monitoring scenarios where the DNS traffic being analysed originates from classified environments and visibility must be restricted to cleared personnel.
Use Cases
- C2 Beaconing Detection: When Suricata flags anomalous DNS query volumes or algorithmically named domains, DGA Detective provides a definitive classification to separate C2 communication from legitimate CDN or cloud service domains, reducing false positives that fatigue analyst queues.
- Sandbox Analysis Enrichment: After CAPE Sandbox detonates a sample and captures DNS queries it issued, DGA Detective classifies each queried domain, turning a list of strange-looking names into confirmed or rejected DGA indicators with family attribution.
- MISP Event Quality Control: Before publishing DNS-based IOCs to a MISP feed, DGA Detective screens domains to prevent legitimate algorithmically named CDN or cloud domains from polluting community intelligence feeds and damaging trust with partner organisations.
- Proactive Infrastructure Blocking: Identify DGA domains queried in the last 24 hours from DNS logs and pre-emptively block the parent DGA family's known seed pools at network egress, reducing the window of exposure for other hosts that may be infected but have not yet beaconed.
Integration
Available via GraphQL: dgaDetectiveResults, dgaDetectiveStats (queries); analyzeDgaDomain (mutation). All operations require authentication and organisation scoping.
Works alongside Suricata (DNS alert analysis), CAPE Sandbox (sample DNS behaviour), BigPhish (phishing DGA analysis), and MISP (IOC quality control before sharing).
Open Standards
- DNS (RFC 1034/RFC 1035): Domain names submitted for analysis are parsed and validated as per the DNS specification; the capability processes DNS query logs from sensors and resolves domain strings exactly as defined in the DNS protocol.
- Suricata EVE JSON: Suricata alert feeds are ingested via the Suricata EVE JSON log format, with batch parsing and normalisation used to extract DNS alert events that are then forwarded to the DGA classification engine.
- MISP (Malware Information Sharing Platform): DNS-based IOCs are consumed from and published to MISP instances using the MISP REST event/attribute model, including MISP distribution levels, attribute types, and UUIDs, to support community feed quality control.
- STIX 2.1 (OASIS): Threat intelligence derived from DGA verdicts is represented and exchanged as STIX 2.1 Indicator and Report SDOs, with TLP marking-definitions (TLP:WHITE through TLP:RED and TLP:AMBER+STRICT) applied to control sharing visibility.
- MITRE ATT&CK (T1568.002): DGA family identification maps detected malware families to the ATT&CK sub-technique for Domain Generation Algorithms, enabling direct linkage to adversary TTPs stored against threat actor records.
- OAuth 2.0 Bearer Token (RFC 6750): All calls to the external DGA Detective analysis service use an Authorization Bearer token header, and all GraphQL operations enforce authentication via the platform's token-based access control.
- GraphQL (June 2018 Specification): The entire DGA Detective capability surface, including the analyzeDgaDomain mutation and the dgaDetectiveResults and dgaDetectiveStats queries, is exposed through a typed GraphQL schema with field-level permission enforcement.
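The Suricata EVE JSON and batch-analysis items above describe pulling DNS events out of sensor logs and submitting the queried names in bulk. The following added example (not Argus's own ingest code) does the sensor-side half of that: it parses EVE JSON lines, keeps only DNS events, normalises the names, and builds a per-client inventory that also counts NXDOMAIN answers, since a host walking a DGA list is answered NXDOMAIN many times before one name resolves. The log lines are constructed, the field names are the standard EVE dns fields (event_type, src_ip, dest_ip, dns.type, dns.rrname, dns.rrtype, dns.rcode), and the thresholds in flag_probing_hosts are assumptions.

```python
import json
from collections import defaultdict

# Constructed EVE JSON lines (not real sensor output), trimmed to the fields used.
# Answers are logged resolver -> client, so the client is dest_ip on answers.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-03-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":1,"rrname":"xqrztmfblp.net","rrtype":"A"}}',
    '{"timestamp":"2026-03-01T10:00:01.050000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","id":1,"rrname":"xqrztmfblp.net","rcode":"NXDOMAIN"}}',
    '{"timestamp":"2026-03-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":2,"rrname":"apqwdcvkjh.com","rrtype":"A"}}',
    '{"timestamp":"2026-03-01T10:00:02.040000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","id":2,"rrname":"apqwdcvkjh.com","rcode":"NXDOMAIN"}}',
    '{"timestamp":"2026-03-01T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":3,"rrname":"lmntbxqrpz.org","rrtype":"A"}}',
    '{"timestamp":"2026-03-01T10:00:03.060000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","id":3,"rrname":"lmntbxqrpz.org","rrtype":"A","rcode":"NOERROR"}}',
    '{"timestamp":"2026-03-01T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"type":"query","id":7,"rrname":"Example.COM.","rrtype":"A"}}',
    '{"timestamp":"2026-03-01T10:00:04.030000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.7","dns":{"type":"answer","id":7,"rrname":"example.com","rrtype":"A","rcode":"NOERROR"}}',
    '{"timestamp":"2026-03-01T10:00:05.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"type":"query","id":8,"rrname":"5.0.0.10.in-addr.arpa","rrtype":"PTR"}}',
    '{"timestamp":"2026-03-01T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9"}',
    'this line is not JSON and must be skipped',
]


def normalise_domain(name: str):
    """Lower-case, strip the trailing dot, and drop reverse-lookup names."""
    name = name.strip().lower().rstrip(".")
    if not name or name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa"):
        return None
    return name


def dns_events(lines):
    """Yield parsed EVE events of type dns; malformed or non-DNS lines are skipped."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "dns" and isinstance(ev.get("dns"), dict):
            yield ev


def summarise_dns(lines):
    """Per-client summary: distinct A/AAAA names queried, NXDOMAIN and other answers."""
    hosts = defaultdict(lambda: {"queried": set(), "nxdomain": 0, "answered": 0})
    for ev in dns_events(lines):
        dns = ev["dns"]
        name = normalise_domain(dns.get("rrname", ""))
        if name is None:
            continue
        if dns.get("type") == "query" and dns.get("rrtype") in ("A", "AAAA"):
            hosts[ev["src_ip"]]["queried"].add(name)
        elif dns.get("type") == "answer":
            bucket = hosts[ev["dest_ip"]]
            if dns.get("rcode") == "NXDOMAIN":
                bucket["nxdomain"] += 1
            else:
                bucket["answered"] += 1
    return hosts


def flag_probing_hosts(hosts, min_distinct=3, min_nxdomain_ratio=0.5):
    """Return {client_ip: sorted domain list} for clients whose DNS mix looks
    like list-walking: many distinct names and mostly NXDOMAIN answers.
    Thresholds are assumptions, to be tuned against local baseline traffic."""
    flagged = {}
    for ip, s in hosts.items():
        total = s["nxdomain"] + s["answered"]
        ratio = s["nxdomain"] / total if total else 0.0
        if len(s["queried"]) >= min_distinct and ratio >= min_nxdomain_ratio:
            flagged[ip] = sorted(s["queried"])
    return flagged


def batch_for_classification(hosts):
    """Deduplicated list of every queried name, ready for bulk submission."""
    return sorted(set().union(*(s["queried"] for s in hosts.values())))


if __name__ == "__main__":
    summary = summarise_dns(SAMPLE_EVE_LINES)
    print("hosts to investigate:", flag_probing_hosts(summary))
    print("batch:", batch_for_classification(summary))
```

The host summary and the domain batch are separate outputs on purpose: the batch feeds the classifier, while the NXDOMAIN ratio is a host-level signal that survives even when an individual name looks benign, which is what separates a single odd lookup from an infected machine walking a list.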
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14