v1toko / dgad Goto Github PK


This project forked from cossas/dgad


DGA Detective - Hunt domains generated by Domain Generation Algorithms to identify malware traffic

Home Page: https://cossas-project.org/portfolio/dgad/

License: Apache License 2.0

Dockerfile 1.30% JavaScript 0.16% Python 98.31% Shell 0.23%

dgad's Introduction


Hunt domains generated by Domain Generation Algorithms to identify malware traffic

All COSSAS projects are hosted on GitLab with a push mirror to GitHub. For issues/contributions check CONTRIBUTING.md

What is it?

Domain generation algorithms (DGAs) are typically used by attackers to create fast-changing domains for command & control channels. The DGA Detective tells whether or not a domain was created by such an algorithm, using a variety of classification methods such as TCN and LSTM. For example, a domain like wikipedia.com is not generated by an algorithm, whereas ksadjfhlasdkjfsakjdf.com is.

Domain                     Classification
wikipedia.org              OK
ksadjfhlasdkjfsakjdf.com   DGA

More information can be found on cossas-project.org.

Installation

To install the DGA Detective, we recommend using a virtual environment:

# recommended: use a virtual environment
python -m venv .venv
source .venv/bin/activate
pip install dgad

How to use?

The DGA Detective can be used as a Python package, through a command line interface, or remotely through gRPC.

Python package

import dgad
etc.

CLI

usage: dgad [-h] [--domains [DOMAIN [DOMAIN ...]]] [--model MODEL] [--csv CSV] [-q]

optional arguments:
  -h, --help            show this help message and exit
  --domains [DOMAIN [DOMAIN ...]]
                        space separated list of 1 or more domains you want DGA detective to classify
  --model MODEL         the hdf5 keras model file to pass to the classifier
  --csv CSV             csv file containing the domains to classify. This file must have a column 'domain'. The classification will be stored in the same file under a column
                        'classification'
  -q, --quiet           disables stdout

For example, if you want to classify one or several domains:

# classify one domain
$ dgad --domain wikipedia.org
          domain classification
0  wikipedia.org             ok

# classify several domains
$ dgad --domains wikipedia.org ksadjfhlasdkjfsakjdf.com
                     domain classification
0             wikipedia.org             ok
1  ksadjfhlasdkjfsakjdf.com            DGA

But you can also classify a large list of domains:

# classify from/to a csv file
$ dgad --csv your_csv_file.csv
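As an added illustration that is not dgad's own code or model, the script below reproduces the --csv contract described above (a 'domain' column in, a 'classification' column out with the same ok/DGA labels) using a cheap lexical heuristic (vowel ratio and longest consonant run of the registered label) in place of the TCN/LSTM classifier. The thresholds, the suffix handling and the sample CSV are constructed assumptions; the heuristic is only a sanity baseline to compare against the model's output, not a replacement for it.

```python
import csv
import io
import re

VOWELS = set("aeiou")


def registered_label(domain: str) -> str:
    """Label left of the last dot ('wikipedia' for wikipedia.org).
    Naive on purpose: no public-suffix list, so 'bbc.co.uk' yields 'co'."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(label: str) -> dict:
    """Cheap lexical features separating dictionary-like labels from random ones."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)  # consonant runs, y counted as consonant
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": max((len(r) for r in runs), default=0),
    }


def classify(domain: str) -> str:
    """Return 'DGA' or 'ok', the labels dgad prints. Thresholds are constructed."""
    f = features(registered_label(domain))
    looks_random = f["vowel_ratio"] < 0.2 or f["max_consonant_run"] >= 5
    return "DGA" if f["length"] >= 8 and looks_random else "ok"


def classify_csv(csv_text: str) -> str:
    """Read CSV text with a 'domain' column; return it with 'classification' appended."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    if "domain" not in (reader.fieldnames or []):
        raise ValueError("input CSV must have a 'domain' column")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(reader.fieldnames) + ["classification"],
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "classification": classify(row["domain"])})
    return out.getvalue()


# Constructed sample input in the layout dgad --csv expects.
SAMPLE_CSV = "domain\nwikipedia.org\nksadjfhlasdkjfsakjdf.com\nstackoverflow.com\n"

if __name__ == "__main__":
    print(classify_csv(SAMPLE_CSV))
```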

gRPC

Server

To start a DGA Detective server listening on port 50054:

# listens by default on port 50054
python dgad/grpc/classifier_server.py

# you can override default logging and port like this
LOG_LEVEL=info LISTENING_PORT=55666 python dgad/grpc/classifier_server.py

Client

A client example is provided at dgad/grpc/classifier_client.py

# you can override default destination host and port like this
GRPC_HOST=x.x.x.x GRPC_PORT=55666 python dgad/grpc/classifier_client.py

Contributing

Contributions to the DGA Detective are highly appreciated and more than welcome. Please read CONTRIBUTING.md for more information about our contributions process.

Setup development environment

To create a development environment to make a contribution, follow these steps:

Requirements

Setup

# checkout this repository
git clone [email protected]:cossas/dgad.git
cd dgad

# install project, poetry will spawn a new venv
poetry install

# (optional) install pre-commit hooks
pre-commit install
pre-commit install --hook-type commit-msg

# gRPC code generation
python -m grpc_tools.protoc -I dgad/grpc/protos --python_out=dgad/grpc --grpc_python_out=dgad/grpc dgad/grpc/protos/classification.proto

About

DGA Detective is developed by TNO in the SOCCRATES innovation project. SOCCRATES has received funding from the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No. 833481.
