Skip to content

stefanDeveloper/heiDGAF

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

100 Commits

.github/workflows

.github/workflows

 
 

data

data

 
 

docs

docs

 
 

example

example

 
 

heidgaf

heidgaf

 
 

heidgaf_log_collector

heidgaf_log_collector

 
 

pipeline_prototype

pipeline_prototype

 
 

test

test

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

.pre-commit-config.yaml

.pre-commit-config.yaml

 
 

.readthedocs.yml

.readthedocs.yml

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

docker-compose.yml

docker-compose.yml

 
 

pyproject.toml

pyproject.toml

 
 

requirements.txt

requirements.txt

 
 

tests.py

tests.py

 
 

Repository files navigation

heiDGAF - Domain Generation Algorithms Finder

ML based DNS analyzer to detect Domain Generation Algorithms (DGAs) tunneling, and data exfiltration of malicious actors.

Live Notebook live notebook
Latest Release latest release
Supported Versions python3
Project License License
Continuous Integration Linux WorkFlows MacOS WorkFlows Windows WorkFlows

Getting Started

python -m venv .venv
pip install .

heidgaf -h

Run your analysis:

heidgaf inspect -r data/...

Train your own model:

heidgaf train -m xg -d all

Data

Currently, we support the data format scheme provided by the DNS-Collector:

  • {{ .timestamp }}
  • {{ .return_code }}
  • {{ .client_ip }}
  • {{ .server_ip }}
  • {{ .query }}
  • {{ .type }}
  • {{ .answer }}
  • {{ .size }}b

For training our models, we rely on the following data sets:

However, we compute all feature separately and only rely on the domain and class. Currently, we are only interested in binary classification, thus, the class is either benign or malicious.

Exploratory Data Analysis (EDA)

In the folder ./example we conducted a Exploratory Data Analysis (EDA) to verify the features of interest for our application.

Literature

Based on the following work, we implement heiDGAF to find malicious behaviour such as tunneling or data exfiltration in DNS requests.

  • EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

    A passiv DNS pipeline for finding malicious domains using J48 decision tree algorithm.

  • Real-Time Detection System for Data Exfiltration over DNS Tunneling Using Machine Learning

    Propose a hybrid DNS tunneling detection system using Tabu-PIO for feature selection.

  • Classifying Malicious Domains using DNS Traffic Analysis

  • DeepDGA: Adversarially-Tuned Domain Generation and Detection

    DeepDGA detecting (and generating) domains on a per-domain basis which provides a simple and flexible means to detect known DGA families. It uses GANs to bypass detectors and shows the effectiveness of such solutions.

  • Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

  • SHAP Interpretations of Tree and Neural Network DNS Classifiers for Analyzing DGA Family Characteristics

  • FANCI : Feature-based Automated NXDomain Classification and Intelligence

Similar Projects

About

heiDGAF - a machine learning based DNS analyzer to detect DGAs

heidgaf.readthedocs.io

Topics

dns machine-learning cybersecurity network-analysis dga

Resources

Readme

License

EUPL-1.2 license
Activity

Stars

3 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages