## Overview

DGA Detective is a machine learning-based domain analysis tool that classifies domains as algorithmically generated (DGA) or legitimate using linguistic pattern analysis and entropy scoring. Domain Generation Algorithms are used by malware to periodically generate thousands of potential C2 domain names, with the infected host querying them until it finds one that resolves, evading static blocklist defences. Argus integrates DGA Detective to automate DGA classification of domains surfaced in Suricata alerts, MISP feeds, and sandbox analysis results, turning suspicious DNS activity into decisive DGA verdicts.
## Key Features

### Per-Domain ML Analysis

Submit any domain name to `analyzeDomain` and Argus queries the DGA Detective service for a probabilistic DGA classification. The result includes an `is_dga` boolean, a confidence score (0.0-1.0), the detected DGA family name (if matched to a known family), and an array of feature scores including n-gram entropy, vowel-consonant ratio, digit density, and domain length. These features help analysts understand why a domain was classified as DGA rather than presenting an opaque ML verdict.
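Added example (not code from Argus or DGA Detective) showing how the four feature families listed above can be computed for a domain and turned into a readable list of reasons; the thresholds, the naive TLD handling and the sample domains are assumptions of this example, not the service's model.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

def registrable_label(domain: str) -> str:
    """Label left of the TLD. Assumption: single-label TLDs only; a real
    implementation would consult the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def ngram_entropy(s: str, n: int = 2) -> float:
    """Shannon entropy (bits) of the character n-gram distribution of s."""
    grams = [s[i:i + n] for i in range(len(s) - n + 1)]
    if not grams:
        return 0.0
    counts = Counter(grams)
    total = len(grams)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def domain_features(domain: str) -> dict:
    """Compute the feature families named in the docs for one domain."""
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in VOWELS for ch in letters)
    consonants = len(letters) - vowels
    digits = sum(ch.isdigit() for ch in label)
    return {
        "label": label,
        "length": len(label),
        "ngram_entropy": round(ngram_entropy(label, 2), 3),
        # max(..., 1) avoids division by zero on all-vowel or all-digit labels
        "vowel_consonant_ratio": round(vowels / max(consonants, 1), 3),
        "digit_density": round(digits / len(label), 3) if label else 0.0,
    }

def explain(domain: str) -> tuple[bool, list[str]]:
    """Illustrative rule-of-thumb verdict plus the reasons an analyst can read.
    Thresholds are assumptions for this example, not DGA Detective's model."""
    f = domain_features(domain)
    reasons = []
    if f["vowel_consonant_ratio"] < 0.2:
        reasons.append(f"low vowel/consonant ratio {f['vowel_consonant_ratio']}")
    if f["digit_density"] > 0.3:
        reasons.append(f"high digit density {f['digit_density']}")
    if f["length"] >= 12 and f["ngram_entropy"] > 3.0:
        reasons.append(f"long label with high bigram entropy {f['ngram_entropy']}")
    return bool(reasons), reasons

if __name__ == "__main__":
    # Constructed sample domains: one benign, two DGA-looking.
    for d in ("google.com", "xkqzvwpltrjd.net", "4k9f2m1x8q.biz"):
        print(d, explain(d))
```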
### DGA Family Identification

Where the detected DGA pattern matches a known malware family's domain generation algorithm, the `family` field identifies it, for example Dridex, Emotet, Qakbot, Conficker, or custom unnamed families. Family identification enables direct correlation with existing threat intelligence and suggests applicable playbooks.
### Batch Analysis and Inventory

Query all previously analysed domains via `dgaDetectiveResults` with optional filtering by `is_dga` status. This supports bulk analysis workflows where DNS query logs from a sensor are submitted and the DGA-positive subset is extracted for further investigation.
### Clearance-Filtered Results

Domain analysis results carry `secrecy_level` tags, supporting classified network monitoring scenarios where the DNS traffic being analysed originates from classified environments.

## Use Cases
- C2 Beaconing Detection: When Suricata flags anomalous DNS query volumes or algorithmically-named domains, DGA Detective provides a definitive classification to separate C2 communication from legitimate CDN or cloud service domains.
- Sandbox Analysis Enrichment: After CAPE Sandbox detonates a sample and captures DNS queries it issued, DGA Detective classifies each queried domain -- turning a list of "strange-looking domains" into confirmed or rejected DGA indicators.
- MISP Event Quality Control: Before publishing DNS-based IOCs to a MISP feed, DGA Detective screens domains to prevent legitimate algorithmically-named CDN or cloud domains from polluting community intelligence feeds.
- Proactive Infrastructure Blocking: Identify DGA domains queried in the last 24 hours from DNS logs and pre-emptively block the parent DGA family's known seed pools at network egress.
## Integration

Available via GraphQL: `dgaDetectiveResults`, `dgaDetectiveStats` (queries); `analyzeDomain` (mutation). All operations require authentication and organisation scoping.
Works alongside Suricata (DNS alert analysis), CAPE Sandbox (sample DNS behaviour), BigPhish (phishing DGA analysis), and MISP (IOC quality control before sharing).
Last Reviewed: 2026-03-18