White Paper: ENSIGN
Domain generation algorithms (DGAs) remain a potent technique in malware campaigns. The malware carries a small routine that deterministically generates candidate domain names from a seed such as the current date; the attacker, who knows the same algorithm, registers only a few of those candidates ahead of time, and the malware works through its list until one resolves, then uses that domain to receive instructions and send back information from the compromised host.
DGAs let attackers rotate domains quickly during a campaign and circumvent traditional rule- and signature-based security appliances that rely on blocklists of known malicious domains. Because a DGA can produce thousands of candidate domains, each of which needs to be live only for a short window, reactive takedown and blocklisting efforts frequently lag behind. A static blocklist of malicious domains is no longer sufficient against the unpredictable, constantly changing output of a DGA and the sheer volume of domains it cycles through.
To address such attacks, we incorporate machine learning and deep learning approaches into our advanced cyber analytics capabilities. These techniques detect the random-looking domains that malware generates when it attempts to reach its operator from a compromised host. Our proprietary DGA detection model sifts through large volumes of traffic to identify DGA traits, and also determines whether any communication to a malicious domain actually succeeded, which separates a host that is merely probing unregistered names from one that has reached live command-and-control infrastructure.
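As an added illustration (this is not Ensign's proprietary model and not code from the white paper), the Python below shows both halves of the problem described above: a hypothetical date-seeded DGA of the kind the text describes, and a deliberately simple detector that scores query names on lexical features (Shannon entropy, label length, vowel and digit ratios) and then reads a constructed DNS resolver log to separate hosts that only produce bursts of NXDOMAIN answers from hosts whose DGA-looking lookup actually resolved. The log format, the feature thresholds and every domain name in it are assumptions made for the example; a production model would use many more features and learned weights rather than hand-picked cut-offs.

```python
"""Toy DGA plus a lexical/behavioural DGA detector (added example, not Ensign's model)."""
from __future__ import annotations

import hashlib
import math
from collections import Counter, defaultdict

TLDS = ("com", "net", "org")


def toy_dga(seed_date: str, count: int = 5, length: int = 14) -> list:
    """Hypothetical DGA: derives `count` domains from an ISO date string.
    Operator and malware share the algorithm, so the operator can pre-register
    a few of the day's names while the malware tries them in order."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (higher for random-looking labels)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn: str) -> str:
    """Return the label left of the TLD (the part a DGA randomises)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_score(fqdn: str) -> float:
    """Count how many DGA-like lexical traits a name shows (thresholds assumed)."""
    label = second_level_label(fqdn)
    if not label:
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0.0
    score += shannon_entropy(label) > 3.2   # near-uniform character mix
    score += len(label) >= 12               # long label
    score += vowel_ratio < 0.3              # unpronounceable
    score += digit_ratio > 0.3              # digit-heavy
    return score


# Constructed sample resolver log (not a real capture): timestamp client qname rcode
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01 10.0.0.5 google.com NOERROR
2024-03-01T10:00:02 10.0.0.5 microsoft.com NOERROR
2024-03-01T10:00:03 10.0.0.9 xq7k2mzp9vw4hb.net NXDOMAIN
2024-03-01T10:00:04 10.0.0.9 kjhsdfgwertyuzx.com NXDOMAIN
2024-03-01T10:00:05 10.0.0.9 zpqwmxnbvcrtyk.org NXDOMAIN
2024-03-01T10:00:06 10.0.0.9 bnmqwertzxcvpl.com NOERROR
2024-03-01T10:00:07 10.0.0.5 wikipedia.org NOERROR
"""


def analyse_dns_log(log_text: str, threshold: float = 2.0) -> dict:
    """Per client: count NXDOMAIN answers for DGA-looking names and list the
    DGA-looking names that resolved, i.e. the 'successful communication' signal."""
    report = defaultdict(lambda: {"nxdomain_suspicious": 0, "resolved_suspicious": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if lexical_score(qname) < threshold:
            continue
        if rcode == "NXDOMAIN":
            report[client]["nxdomain_suspicious"] += 1
        elif rcode == "NOERROR":
            report[client]["resolved_suspicious"].append(qname)
    return dict(report)


def verdicts(report: dict, nx_threshold: int = 3) -> dict:
    """Turn per-client counters into an analyst-facing verdict."""
    out = {}
    for client, entry in report.items():
        if entry["resolved_suspicious"]:
            out[client] = "suspected DGA C2 contact succeeded"
        elif entry["nxdomain_suspicious"] >= nx_threshold:
            out[client] = "DGA-like NXDOMAIN burst, no successful contact seen"
    return out


if __name__ == "__main__":
    print("today's candidates:", toy_dga("2024-03-01"))
    print(verdicts(analyse_dns_log(SAMPLE_DNS_LOG)))
```

The NXDOMAIN burst is the cheap, high-recall signal (an infected host walks through unregistered candidates), while a DGA-looking name that returns NOERROR is the one worth escalating, because it means a registered rendezvous domain was found and the host may already be under control.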