Skip to content
/ DGA-Detector Public

Detect domains generated by Domain Generation Algorithms (DGA)

License

AGPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Erxathos/DGA-Detector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
img
img
 
 
models
models
 
 
src/dga_detector
src/dga_detector
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Natural Language Processing - DGA Detector

This is a Flask web application designed to predict whether a domain name is real or potentially generated by a Domain Generation Algorithm (DGA).

To make predictions, the app uses the ALBERT (A Lite BERT) model, which can capture the semantic meaning of URLs. The model extracts embeddings, 9,000 embeddings trained a logistic regression model. The classification model (models/base_lr.pkl) is then used to classify embeddings of a domain name and determine whether it is legitimate or not.

There are two endpoints:

  • GET /get_prediction/<url_string> to predict the classification of a single domain name passed as URL-encoded string in the route. The URL is passed as an argument in the route without defining the protocol. If a domain name is invalid, an HTTP status code of 422 is returned.

  • POST /get_predictions - to predict the classification of multiple domain names passed as a JSON payload in the form of {"url_string":"any text google.com any text otherlink.com http://morelinks.org"}. The URLs can be passed with or without "http" and "https". If no valid domain name is found, an HTTP status code of 422 is returned.

In both cases, a JSON object will be returned as the response. The key is the domain name, and the value is the relevant classification results.

DGA detection using HTTP GET

Example response:

{
    "google.com": {
        "classification": "legit",
        "p_dga": 0.0051598137498390685,
        "p_legit": 0.9948401862501609,
    }
}

Setup Instruction

Clone the repository

git clone https://github.com/Erxathos/DGA-Detector.git

Install poetry

pip3 install poetry

Install dependencies

poetry install

Try it

Start the server inside the poetry environment with gunicorn or flask

poetry run flask --app dga_detector.api run

The initial run may require some time as it downloads the ALBERT model in the background.

Send requests

curl http://localhost:5000/get_prediction/google.com

curl -H "Content-Type: application/json" -X POST -d '{"url_string": "www.google.com or lkfgjldfjldjlg.com"}' http://localhost:5000/get_predictions

Performance

On my laptop's CPU, it takes approximately 70ms to complete a GET request for http://localhost:5000/get_prediction/google.com

Test it

Run the unit tests for modules covered with pytest:

pytest

Validity of the URLs

The URL parser relies on tldextract and urlextract to identify and validate URLs. To function correctly, these libraries require caching of top level domains. The parser also excludes IP addresses (v4 and v6).

What is not done / not published

  • Training code
  • Train on the full data set
  • Docker image
  • Deploy
  • Database
  • Caching
  • Monitoring
  • Scheduled auto-retrain

About

Detect domains generated by Domain Generation Algorithms (DGA)

Topics

machine-learning classification api-rest dga-detection

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages