ML-based DNS analyzer to detect Domain Generation Algorithms (DGAs), DNS tunneling, and data exfiltration by malicious actors.
```shell
# create and activate a virtual environment, then install heiDGAF from the repository root
python -m venv .venv
source .venv/bin/activate
pip install .
# list the available subcommands and options
heidgaf -h
```
Run your analysis:

```shell
heidgaf inspect -r data/...
```

Train your own model:

```shell
heidgaf train -m xg -d all
```
Currently, we support the data format scheme provided by the DNS-Collector:

```
{{ .timestamp }}
{{ .return_code }}
{{ .client_ip }}
{{ .server_ip }}
{{ .query }}
{{ .type }}
{{ .answer }}
{{ .size }}b
```
For training our models, we rely on the following data sets:
- CICBellDNS2021
- DGTA Benchmark
- DNS Tunneling Queries for Binary Classification
- UMUDGA - University of Murcia Domain Generation Algorithm Dataset
- Real-CyberSecurity-Datasets
However, we compute all features ourselves and only rely on the `domain` and `class` columns of these data sets. Currently, we are only interested in binary classification, thus the `class` is either `benign` or `malicious`.

In the folder `./example` we conducted an Exploratory Data Analysis (EDA) to verify the features of interest for our application.
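To make the two points above concrete, here is an added, self-contained example (not code from the heiDGAF project) that parses log lines in the DNS-Collector field order listed above, computes a handful of per-domain lexical features, and turns `(domain, class)` pairs into binary training rows. The sample log lines are constructed for this example, and the feature set (length, label count, longest label, digit ratio, Shannon entropy) is an illustrative choice, not the feature set selected in the project's EDA.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Field order of the DNS-Collector text format described above.
FIELDS = ("timestamp", "return_code", "client_ip", "server_ip",
          "query", "type", "answer", "size")

# Constructed sample lines (values made up for this example): a normal lookup,
# an NXDOMAIN for a random-looking label, and a long TXT query with hex-like labels.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z NOERROR 10.0.0.5 10.0.0.1 www.example.com A 93.184.216.34 45b
2024-01-01T10:00:01Z NXDOMAIN 10.0.0.5 10.0.0.1 xk3j9q2lz8vb4ntw.example.net A - 52b
2024-01-01T10:00:02Z NOERROR 10.0.0.7 10.0.0.1 4a6f686e.5f2e2e.data.tunnel-example.org TXT - 71b
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one whitespace-separated DNS-Collector line into a record dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record: Dict[str, object] = dict(zip(FIELDS, parts))
    # the size field carries a trailing "b" unit suffix, e.g. "45b"
    record["size"] = int(str(record["size"]).rstrip("b"))
    return record


def shannon_entropy(text: str) -> float:
    """Entropy in bits per character; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def domain_features(query: str) -> Dict[str, object]:
    """Lexical features of a query name (illustrative feature set, an assumption here)."""
    name = query.rstrip(".").lower()
    labels = name.split(".")
    digits = sum(ch.isdigit() for ch in name)
    return {
        "length": len(name),
        "label_count": len(labels),
        "longest_label": max(len(lbl) for lbl in labels),
        "digit_ratio": digits / len(name) if name else 0.0,
        "entropy": shannon_entropy(name),
    }


def extract(log_text: str) -> List[Dict[str, object]]:
    """Parse every non-empty log line and attach domain features plus query metadata."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        feats = domain_features(str(rec["query"]))
        feats.update(return_code=rec["return_code"], qtype=rec["type"], size=rec["size"])
        rows.append(feats)
    return rows


def build_training_rows(samples: List[Tuple[str, str]]) -> List[Tuple[List[float], int]]:
    """Map (domain, class) pairs to (feature_vector, label) with benign=0, malicious=1."""
    label_map = {"benign": 0, "malicious": 1}
    rows = []
    for domain, cls in samples:
        if cls not in label_map:
            raise ValueError(f"class must be benign or malicious, got {cls!r}")
        feats = domain_features(domain)
        vector = [float(feats[k]) for k in ("length", "label_count", "longest_label",
                                              "digit_ratio", "entropy")]
        rows.append((vector, label_map[cls]))
    return rows


if __name__ == "__main__":
    for row in extract(SAMPLE_LOG):
        print(row)
```

The `extract` function is the shape of a collector-side pipeline: one pass over the log, one feature dict per query, ready to feed into whichever classifier the `train` subcommand produces. The `build_training_rows` function shows the data-set side, where only the domain and its binary class are used.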
Based on the following work, we implement heiDGAF to find malicious behaviour such as tunneling or data exfiltration in DNS requests.
- EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. A passive DNS pipeline for finding malicious domains using the J48 decision tree algorithm.
- Real-Time Detection System for Data Exfiltration over DNS Tunneling Using Machine Learning. Proposes a hybrid DNS tunneling detection system using Tabu-PIO for feature selection.
- Classifying Malicious Domains using DNS Traffic Analysis
- DeepDGA: Adversarially-Tuned Domain Generation and Detection. DeepDGA detects (and generates) domains on a per-domain basis, which provides a simple and flexible means to detect known DGA families. It uses GANs to bypass detectors and shows the effectiveness of such solutions.
- Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection
- SHAP Interpretations of Tree and Neural Network DNS Classifiers for Analyzing DGA Family Characteristics
- FANCI: Feature-based Automated NXDomain Classification and Intelligence
- Deep Lookup is a deep learning approach for DNS detection.
- DGA Detective is a temporal convolutional network approach for DNS detection.
- DGA Detector is an NLP approach for DNS detection.
- DNS Tunneling Detection