Detect Host Compromise with “Domains Generated Algorithmically”

At Black Hat USA this year, Gurucul shared details of our most popular Machine Learning Models. We’ve covered four of them so far, read on to learn about the fifth model we presented at the conference.

Gurucul Machine Learning Model: Domains Generated Algorithmically

How does the Domains Generated Algorithmically (DGA) machine learning model work, what does it do?  This powerful model can detect if a URL has been dynamically generated, which can sometimes be a potential problem. As with many other machine learning models, this one looks for normal vs. abnormal patterns. If a URL has been generated based on DGA operations, it will have an alpha numeric structure and won’t look “normal”. This model examines a URL string and detects if the URL is bogus or malicious, improving the hit rate of predicting the level of potential misuse or malware.

This machine learning model works in a similar fashion to other models. Information – in this case, URLs – are fed into the natural language based engine within Gurucul Risk Analytics to detect algorithmically generated domains.  Gurucul has built a vast library of global domains, and this information is also used to assist in rooting out how close any particular URL is to a real domain. The final step is the suspected rogue URL is compared with third party intelligence to further reduce false positives.

Use Case: Host Compromise

Algorithmically generated domains have quickly become one of the main methods attackers use to remotely communicate with sophisticated malware they’ve created and placed. To stop attackers, you need to detect and block them from establishing command and control of a host or entity. Hackers ceased using hard-coded domain lists and IP addresses long ago, as they are rendered useless once they are detected and blocked. Algorithmically generated domains, by comparison, are an easy technology to implement, they are difficult to block, and are nearly impossible to predict in advance. Additionally, they can be quickly modified if the algorithm is detected and becomes known.

We’ve moved way beyond the old methods of reviewing the reputation of URLs and sites. It’s critical to detect and effectively block problematic URLs uncovered by the Domains Generated Algorithmically machine learning model as quickly as possible. Gurucul Risk Analytics accomplishes this very well with its world class capabilities to predict and prevent host or entity compromise. The massive number of domains that can be programmatically generated makes it incredibly difficult to prevent host compromise without the critical DGA machine learning model in Gurucul Risk Analytics. This capability is absolutely table stakes.

What are the Benefits of Domains Generated Algorithmically?

The benefits of the DGA machine learning model are numerous. With this model, Gurucul Risk Analytics can detect covert or problematic URL-based communications in real-time, to improve the chances of you stopping the bad guys who are seeking to tamper with your company’s online activities.

In a recent POC with a customer, Gurucul Risk Analytics detected a URL that was algorithmically generated. As would be expected, this company’s proxy servers did not have a rule to prevent communication with this rogue URL. Through the keen and quick detection performed by Gurucul Risk Analytics, our customer was able to immediately add a new rule to their proxy servers, signatures were up to date, and the potential damage was mitigated in near real time.

Since the DGA machine learning model is table stakes, you best get a seat at the table. Your first course is to request a demo of Gurucul Risk Analytics.

The post Detect Host Compromise with “Domains Generated Algorithmically” appeared first on Gurucul.



*** This is a Security Bloggers Network syndicated blog from Blog – Gurucul authored by Jane Grafton. Read the original post at: https://gurucul.com/blog/domains-generated-algorithmically