Git Product home page Git Product logo

dgaintel's Introduction

DGA Intel

Using deep learning to detect DGA domains.

Overview

The DGAIntel Python module allows you to utilize a powerful CNN-LSTM model to predict whether a given domain name was generated by a domain generation algorithm (DGA) or corresponds to a genuine domain. The prediction features are also accesible through this website, but this package allows for direct integration into your workflow.

Requirements

DGAIntel is designed for use with Python 3. It has only two requirements:

- TensorFlow 2.x
- Numpy

Installation

To download dgaintel, simply use Pypi via pip.

$ pip install dgaintel

Alternatively, you could install from source.

$ git clone https://github.com/sudo-rushil/dgaintel
$ cd dgaintel
$ python setup.py install

Verify your installation by running

>>> import dgaintel
>>> dgaintel.get_prediction('microsoft.com')
'microsoft.com is genuine with probability 0.00050'

Examples

Predict DGA

This is simple way of determining whether any given domain, such as 'microsoft.com' is DGA or not, mainly intended for cyber security analysts.

from dgaintel import get_prediction

get_prediction('microsoft.com')

'microsoft.com is genuine with probability 0.00050'

Predict DGA probability

This allows for getting the probability, or probabilities, that a domain or list of domains is DGA or not, which is more useful to data scientists.

from dgaintel import get_prob

# For single domain
prob = get_prob('microsoft.com')
print(prob)

# For multiple domains
probs = get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com'])
print(probs)

# To get just the scores
raw_probs = list(get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com'], raw=True))
print(raw_probs)

0.00050

[('microsoft.com', 0.00050), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.97601)]

[0.00050845, 0.00033092, 0.00144754]

Predict by file

This is for inputing a file containing a list of domains to get predictions on all of them at once, which is helpful for data analysts.

Say you have a domain file domains.txt.

microsoft.com
wikipedia.com
vlurgpeddygdy.com

Then, you can run the following code in the same directory.

from dgaintel import get_prediction

# Print to console
get_prediction('domains.txt')

# Write to file
get_prediction('domains.txt', to_file='domain_predictions.txt')

microsoft.com is genuine with probability 0.00050

wikipedia.com is genuine with probability 0.00033

vlurgpeddygdy.com is DGA with probability 0.97601

If you read the new file domain_predictions.txt, you will see the following.

microsoft.com is genuine with probability 0.0005084535223431885
wikipedia.com is genuine with probability 0.00033092446392402053
vlurgpeddygdy.com is DGA with probability 0.9760094285011292

Prediction analysis

This is an example function that integrates dgaintel with whois for performing basic prediction analysis, which is important for cyber security investigators.

from dgaintel import get_prob
from whois import query

def analyze(domain, out=True):
    prob = get_prob(domain)
    whois = query(domain)
    dga = False
    if prob >= 0.5: dga = True

    domain_analysis = {'domain_name': domain,
                       'dga': dga,
                       'registrar': whois.registrar if whois else None,
                       'creation date' : whois.creation_date if whois else None,
                       'expiration date': whois.expiration_date if whois else None}

    if out:
        print()
        for key, val in domain_analysis.items():
            print('{}: {}'.format(key, val))
        print()
        return None

    return domain_analysis

analyze('microsoft.com')

# Get analysis dictionary in python itself
analysis = analyze('microsoft.com', out=False)

name: microsoft.com

dga: False

registrar: MarkMonitor Inc.

creation date: 1991-05-02 04:00:00

expiration date: 2021-05-03 04:00:00

Predictions with Whitelisting

This example shows how the class interface to DGAIntel allows for certain TLDs to be whitelisted, preventing them from raising errors in a given ecosystem.

from dgaintel import Intel

intel = Intel(['cloud.com'])

print(intel.get_prob(['www.cloud.com',
                        'dfsadkcda.cloud.com',
                        'www.cloud.org',
                        'www.dkfjsdakfj.org']))

[('www.cloud.com', 0.0), ('dfsadkcda.cloud.com', 0.0), ('www.cloud.org', 0.00045579672), ('www.dkfjsdakfj.org', 0.99884665)]

Documentation

DGAIntel has support for polymorphism; to input domains to run predictions on, you can use a single domain name, a list of domain names, or a text file with line-separated domain names. The text file has the format

microsoft.com
wikipedia.com
vlurgpeddygdy.com
...

Additionally, the Tensorflow Keras model running in the backend supports input batching, meaning there is a significant increase in speed for running predictions on lists or files rather than individual domains. This was tested in Jupyter.

from dgaintel import get_prob

# List of 10 domain names
l = ['microsoft.com', 'squarespace.com', 'hsfkjdshfjasdhfk.com', 'fdkhakshfda.com', 'foilfencersarebad.com', 'foilfencersarebad.com', 'foilfencersarebad.com', 'discojjfdsf.com', 'fasddafhkj.com', 'wikipedai.com']
# One domain
%%timeit
get_prob(l[0])

286 ms ± 4.99 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)

# Ten domains
%%timeit
get_prob(l)

290 ms ± 7.23 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)

# Hundred domains
%%timeit
get_prob(l*10)

333 ms ± 4.71 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)

# Thousand domains
%%timeit
get_prob(l*100)

584 ms ± 14.8 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)

This demonstrates that increasing the number of domain names one runs the prediction by 1000x only increases the inference time by less than 2x. Therefore, this model is easily adaptable to large-scale predictions.

API

The get_prediction function will either print the predictions or write them to a user-specified file.

from dgaintel import get_prediction

get_prediction('microsoft.com')
get_prediction(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com'])
get_prediction('domains.txt')
get_prediction('domains.txt', to_file='domain_predictions.txt')

The get_prob function will perform the inference and provide the prediction floats. It is helpful if you want to use the prediction scores directly in your workflow.

from dgaintel import get_prob

get_prob('microsoft.com') # 0.00050851
get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com']) # [('microsoft.com', 0.00050), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.0.97601)]
get_prob('domains.txt') # [('microsoft.com', 0.00050), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.97601)]
get_prob(['microsoft.com', 'wikipedia.com', 'google.com'], raw=True) # array([0.00050, 0.00033, 0.0.97601], dtype=float32)

The Intel interface allows DGAIntel to avoid checking certain domains with known TLDs to ensure enterprise functions are not compromised.

from dgaintel import Intel

intel = Intel(['microsoft.com'])
intel.get_prob('microsoft.com') # 0.0
intel.get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com']) # [('microsoft.com', 0.0), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.0.97601)]
intel.get_prob('domains.txt') # [('microsoft.com', 0.0), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.97601)]
intel.get_prob(['microsoft.com', 'wikipedia.com', 'google.com'], raw=True) # array([0.0, 0.00033, 0.0.97601], dtype=float32)

dgaintel's People

Contributors

sudo-rushil avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar

Forkers

thinkwelltwd fangod 1530426574 ffontaine starrysec

dgaintel's Issues

Character limit

What is the character limit per line when I am using a .txt file that has all of my domains I am checking? Also, is there a list of characters that I cannot start the line with? I am running into issues on getting this to run on my longer list. Thank you!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.