This will be a three-part blog series on building a DGA classifier and
will be split into three logical phases of building a classifier: 1)
Data preparation (this) 2) Feature engineering and 3) Model selection.
And before I get too far into this, I want to give a huge thank you to
Click Security for releasing a DGA
classifier
in python as part of their very nice Data Hacking github
repo. If you would
rather see how a classifer is build in python, they did a great job of
laying out the steps in the code and an in depth ipython notebook.
Initially I didn’t deviate much from their work, but as I rolled around
in the data I was experimenting with several different features only to
end up reducing my feature set down to a relatively simple set of 3.

The DGA package and sample data is available from the DGA github
repository.

A little background on DGA

DGA stands for Domain Generating Algorithm and these algorithms are
part of the evolution of malware communications. In the beginning
malware would be hardcoded with IP address(es) or domain names and the
botnet could be disrupted by going after whatever was hardcoded. The
purpose of the DGA is to be deterministic, yet generate a whole lot of
random (hard to guess) domains, of which the bot maintainer only has to
register one (or a handful) to enable the malware to phone home. If the
domain or IP is taken down, a new name from the algorithm can be used by
the botnet maintainer with a new IP address and the botnet maintained.

The purpose of building a DGA classifier isn’t specifically for
takedowns of botnets, but to discover and detect the use on our network
or services. If we can you have a list of domains resolved and accessed
at your organization, it is possible now to see which of those are
potentially generated and used by malware.

And where we are headed

My goal was to create a DGA classifier that was first and foremost easy
to use. So I created a package that could be loaded and used in other
code without having to think about the machine learning behind the
classifier. Hopefully it doesn’t get any easier than this:

Install the package:

devtools::install("jayjacobs/dga")

library(dga)

# known good domains:
good <- c("facebook.com", "google.com", "sina.com.cn", 
          "twitter.com", "yandex.ru", "msn.com")
# DGA domains generated by cryptolocker
bad <- c("kqcrotywqigo.ru", "rlvukicfjceajm.ru", "ibxaoddvcped.ru", 
         "tntuqxxbvxytpif.ru", "heksblnvanyeug.ru", "kbmqwdsrfzfqpdp.ru")

# classify the domains as either "legit" or "dga"
dgaPredict(c(good, bad))

##               name class prob
## 1         facebook legit 1.00
## 2           google legit 1.00
## 3             sina legit 1.00
## 4          twitter legit 1.00
## 5           yandex legit 1.00
## 6              msn legit 1.00
## 7     kqcrotywqigo   dga 1.00
## 8   rlvukicfjceajm   dga 1.00
## 9     ibxaoddvcped   dga 1.00
## 10 tntuqxxbvxytpif   dga 1.00
## 11  heksblnvanyeug   dga 0.98
## 12 kbmqwdsrfzfqpdp   dga 1.00

The function returns the domain name it extracted from the names, the
classification assigned and the probability the classifier used to
classify. You can see from the output, that all of these domains were
clearly classified (with high probability).

So that’s what these posts are going to walk through… what steps did
we go through to answer the deceptively simple question of “Is this
domain legitimate or generating by an algorithm?”

Getting and Cleaning the Data

The first major step in any classifer is getting training data. If that
term is new to you, think of training data like the answer key to a
test. We want the list of the questions (domain/host names) and the
associated answer (whether each is “legit” or “dga”). This is also
called “supervised” data, “labeled” data or “ground truth” data. In some
cases (seems like most cases in infosec), establishing reliable training
data is a huge challenge, but in this case we’re lucky. All we need is a
list of good/legitimate domains and a second list of domains generated
by an algorithm and we should be able to get that. In the example from
click
security,
they offer several data sets that we could copy, but we’ll seek out our
own list because classifiers like this are very sensitive to the choices
you make when gathering the training data.

Alexa

For samples of legitimate domains, an obvious choice is to go to the
Alexa list of top web sites. But it’s not ready for our use as is. If
you grab the top 1 Million Alexa
domains and parse
it, you’ll find just over 11 thousand are full URLs and not just
domains, and there are thousands of domains with subdomains that don’t
help us (we are only classifying on domains here). So after I remove the
URLs, de-duplicated the domains and clean it up, I end up with the Alexa
top 965,843.

“Real World” Data from OpenDNS

After reading the post from Frank Denis at OpenDNS titled “Why Using
Real World Data Matters For Building Effective Security
Models”,
I grabbed their 10,000 Top
Domains
and their 10,000 Random
samples.
If we compare that to the top Alexa domains, 6,901 of the top ten
thousand are in the alexa data and 893 of the random domains are in the
Alexa data. I will clean that up as I make the final training data set.

DGA domains

The Click Security version wasn’t very clear in where they got their bad
domains so I decided to collect my own and this was rather fun. Because
I work with some interesting characters (who know interesting
characters), I was able to collect several data sets from recent
botnets: “Cryptolocker”, two seperate “Game-Over Zues” algorithms, and
an anonymous collection of malicious (and algorithmically generated)
domains. In the end, I was able to collect 73,598 algorithmically
generated domains.

Creating the labeled data set

Once we clean up the various sources we want a simple, labeled data set
consisting of five columns: the full domain, the 2nd-level domain,
top-level domain, the main class, which is either legitimate (“legit”)
or from a domain generating algorithm (“dga”) and finally a subclass
(either the specific botnet or legit source). I have quite a bit of data
here and I will use all of the data in the final model (assuming I have
enough memory to process it). However this much data will create a lot
of waiting for you and some rather large files to be posting in a blog.
So, the dataset I’m making available is 10,000 domains. The “legit”
domains are composed of the top 1,000 alexa domains, along with 4k
randomly sampled alexa and opendns domains. The “dga” domains are
randomly sampled from the 70,000+ domains I have in my collection.
Working with a total of 10,000 samples should be enough to get some good
results while reducing the processing times in the next two parts. This
is a sample of the data in the sampledga data set available in the DGA package.

library(dga)
data(sampledga)
set.seed(2)
rbind(head(sampledga, 5), 
      sampledga[sample(which(sampledga$subclass=="opendns"), 5), ],
      sampledga[sample(which(sampledga$subclass=="cryptolocker"), 5), ])

##                        host           domain tld class     subclass
## 1                google.com           google com legit        alexa
## 2              facebook.com         facebook com legit        alexa
## 3               youtube.com          youtube com legit        alexa
## 4                 yahoo.com            yahoo com legit        alexa
## 5                 baidu.com            baidu com legit        alexa
## 976585           xt12365.cn          xt12365  cn legit      opendns
## 967852          adobesc.com          adobesc com legit      opendns
## 980838           lotustv.cc          lotustv  cc legit      opendns
## 981307 hqcowichanvalley.com hqcowichanvalley com legit      opendns
## 983055            online.ms           online  ms legit      opendns
## 25721     brclxtulykdemb.ru   brclxtulykdemb  ru   dga cryptolocker
## 24225     sdixbryxaxqrmf.ru   sdixbryxaxqrmf  ru   dga cryptolocker
## 25479     syipowvqvktasf.ru   syipowvqvktasf  ru   dga cryptolocker
## 15776    chaksikvqltbdeo.ru  chaksikvqltbdeo  ru   dga cryptolocker
## 7948        jpmwlfhrjbly.ru     jpmwlfhrjbly  ru   dga cryptolocker

The sample data is available in the DGA github
repository and stay
tuned for the next part as I get into “feature engineering”.