LoFP / False positives may be present if the domain name is similar to DGA-generated domains.

Techniques

Sample rules

Detect DGA domains using pretrained model in DSDL

Description

The following analytic uses a pre-trained deep learning model to detect domains generated by a Domain Generation Algorithm (DGA). The model is trained independently and is then made available for download. One of the prominent indicators that a domain is DGA generated is a domain name consisting of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to make machine-generated domain names look human generated. Predicting DGA-generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences, along with carefully chosen custom features, to predict whether a domain is DGA generated. The model takes a domain name consisting of the second-level and top-level domain as input and outputs a dga_score. The higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5.

Detection logic

| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query
| `drop_dm_object_name(DNS)`
| rename query AS domain
| fields IPs, src, domain, firstTime, lastTime
| apply pretrained_dga_model_dsdl
| rename pred_dga_proba AS dga_score
| where dga_score>0.5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table src, domain, IPs, firstTime, lastTime, dga_score
| `detect_dga_domains_using_pretrained_model_in_dsdl_filter`
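The following is an added example, not the DSDL model or the SPL above, showing in plain Python what the description and the detection logic do end to end: a scorer that turns a registered domain (second-level plus top-level label) into a dga_score from character-level features, and an emulation of the search pipeline (group by src and query, collect answer IPs, take first and last time, score, keep dga_score above 0.5, then apply an allowlist standing in for the `_filter` macro). The scorer is a hand-weighted heuristic (entropy, vowel ratio, consonant run, digit ratio), not the trained model, so its weights, the `SAMPLE_DNS_EVENTS` records and the `ALLOWLIST` are all constructed assumptions. It deliberately includes a legitimate-looking CDN name that the heuristic flags, to show the false-positive case the LoFP note describes and why the filter macro exists.

```python
"""Added example: heuristic DGA scorer plus an emulation of the detection pipeline.
Not Splunk's DSDL model or SPL; the weights and sample data below are constructed."""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed DNS resolution events: (epoch seconds, src, query, answer IP).
SAMPLE_DNS_EVENTS = [
    (1700000000, "10.0.0.5", "google.com", "142.250.0.1"),
    (1700000030, "10.0.0.5", "google.com", "142.250.0.2"),
    (1700000060, "10.0.0.5", "xjq7kd3hwzp9.net", "203.0.113.7"),
    (1700000090, "10.0.0.5", "xjq7kd3hwzp9.net", "203.0.113.7"),
    (1700000120, "10.0.0.9", "wikipedia.org", "198.35.26.96"),
    (1700000150, "10.0.0.9", "qwrtplmkjhbvcx.biz", "203.0.113.9"),
    # Constructed legitimate CDN name that a character heuristic flags (false positive).
    (1700000180, "10.0.0.9", "zxk9p3.example-cdn.net", "198.51.100.4"),
]

# Stand-in for the `_filter` macro: registered domains known to be benign.
ALLOWLIST = frozenset({"example-cdn.net"})


def registered_domain(query):
    """Reduce a query to (second-level label, top-level label), as the model input
    is described. Simplification: multi-label public suffixes (e.g. co.uk) are not handled."""
    labels = [l for l in query.lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        return (labels[0] if labels else ""), ""
    return labels[-2], labels[-1]


def shannon_entropy(s):
    """Shannon entropy in bits of the character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_features(sld):
    """Character-level features of the second-level label."""
    n = max(len(sld), 1)
    run = longest = 0
    for ch in sld:
        if ch.isalpha() and ch not in VOWELS:   # consonant extends the run
            run += 1
            longest = max(longest, run)
        else:                                   # vowel, digit or hyphen breaks it
            run = 0
    return {
        "entropy": shannon_entropy(sld),
        "vowel_ratio": sum(ch in VOWELS for ch in sld) / n,
        "digit_ratio": sum(ch.isdigit() for ch in sld) / n,
        "consonant_run": longest,
    }


def dga_score(domain):
    """Heuristic probability in [0, 1] that domain is DGA generated (constructed weights).
    High entropy, few vowels, long consonant runs and digits push the score up.
    Limitation: DGAs that concatenate dictionary words look human to these features."""
    sld, _tld = registered_domain(domain)
    f = extract_features(sld)
    z = (1.5 * (f["entropy"] - 3.0)
         + 6.0 * (0.25 - f["vowel_ratio"])
         + 0.5 * max(0, f["consonant_run"] - 3)
         + 4.0 * f["digit_ratio"])
    return 1.0 / (1.0 + math.exp(-z))


def run_detection(events, threshold=0.5, allowlist=frozenset()):
    """Emulate the SPL: aggregate by (src, query), score, keep dga_score > threshold,
    then drop allowlisted registered domains (the filter macro's job)."""
    groups = defaultdict(lambda: {"IPs": set(), "firstTime": None, "lastTime": None})
    for ts, src, query, answer in events:
        g = groups[(src, query)]
        g["IPs"].add(answer)
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)

    results = []
    for (src, query), g in groups.items():
        score = dga_score(query)
        if score <= threshold:
            continue
        sld, tld = registered_domain(query)
        if f"{sld}.{tld}" in allowlist:
            continue
        results.append({"src": src, "domain": query, "IPs": sorted(g["IPs"]),
                        "firstTime": g["firstTime"], "lastTime": g["lastTime"],
                        "dga_score": round(score, 3)})
    return sorted(results, key=lambda r: (r["src"], r["domain"]))


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_DNS_EVENTS, allowlist=ALLOWLIST):
        print(hit)
```

Running the block without the allowlist shows the CDN lookalike among the hits; with it, only the two random-looking names remain, which is the tuning loop an analyst goes through with the real filter macro when a DGA-looking but legitimate domain keeps firing.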