14:30-15:15 | SecOps Hall

Daniel Griffiths

Detecting Domain Generating Algorithms with Neural Networks

This presentation delves into the challenges posed by Domain Generating Algorithms (DGAs) employed by malware authors. A DGA produces a large number of unique domain names every day, which serve as rendezvous points between infected hosts and command-and-control (C&C) servers. The space of domains that can be generated is enormous, so static blocklists such as Cyber Threat Intelligence (CTI) feeds cannot cover it comprehensively.

The presentation explores several techniques for classifying DGA-generated domains, moving beyond simplistic approaches. The discussion begins with Shannon entropy, a measure of the randomness of a string. Although promising, entropy quickly shows its limitations in this context. The presentation then introduces neural networks, explaining their basic structure and how they are trained. Our initial detection models, built from fully connected neural networks, yield a significant improvement over the entropy-based method. The analysis then moves on to more sophisticated architectures: convolutional neural networks (CNNs), recurrent neural networks (RNNs) and bidirectional long short-term memory (Bi-LSTM) networks. We examine the inner workings of each and apply the characteristics of their architectures to the problem at hand.
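The entropy baseline the abstract starts from, together with the limitation it alludes to, as an added example (Python, not code from the talk or from Black Cell). The domain names and their legit/DGA labels are constructed for illustration only; the registrable-label extraction assumes single-label TLDs (a real pipeline would consult the Public Suffix List). The block scores each registrable label with Shannon entropy, sweeps a threshold, and checks whether any threshold separates the two classes; it also shows that entropy is blind to character order, which is the property the sequence models later in the talk can exploit.

```python
"""Shannon entropy as a DGA score, and where a fixed threshold breaks down.

Added example for the abstract above; not code from the talk.
All sample domains and labels below are constructed for illustration.
"""
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """H(s) = -sum p(c) * log2 p(c) over the characters of s, in bits.

    Counts are sorted so the floating-point sum is order-independent:
    two anagrams always get exactly the same score.
    """
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in sorted(Counter(s).values()))


def registrable_label(fqdn: str) -> str:
    """Label immediately left of the TLD.

    Assumption: single-label TLDs only (no co.uk handling); a real pipeline
    would use the Public Suffix List. DGAs generate registrable domains, so
    this is the label worth scoring, not the full hostname.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


# Constructed examples (not talk data): (fqdn, ground truth)
SAMPLES = [
    ("google.com", "legit"),
    ("wikipedia.org", "legit"),
    ("thequickbrownfox.com", "legit"),   # long label, many distinct letters
    ("xjd8a2k9qpzv.com", "dga"),         # random-looking: the easy case
    ("kqwm.net", "dga"),                 # short: entropy is capped at log2(4) = 2.0
    ("fourhoursleep.net", "dga"),        # wordlist-style DGA label
]


def score_all(samples=SAMPLES):
    """[(fqdn, truth, entropy_of_registrable_label), ...]"""
    return [(fqdn, truth, shannon_entropy(registrable_label(fqdn)))
            for fqdn, truth in samples]


def classify(fqdn: str, threshold: float) -> str:
    """Naive detector: flag as DGA when the label's entropy reaches threshold."""
    return "dga" if shannon_entropy(registrable_label(fqdn)) >= threshold else "legit"


def best_threshold(samples=SAMPLES):
    """Sweep every observed score as a threshold; return (threshold, accuracy).

    This is the ceiling of an entropy-only detector on the given samples.
    """
    scored = score_all(samples)
    candidates = sorted({h for _, _, h in scored} | {0.0})
    best = (0.0, 0.0)
    for t in candidates:
        acc = sum((h >= t) == (truth == "dga") for _, truth, h in scored) / len(scored)
        if acc > best[1]:
            best = (t, acc)
    return best


def threshold_separates(samples=SAMPLES) -> bool:
    """True only if every DGA label scores strictly above every legit label."""
    scored = score_all(samples)
    max_legit = max(h for _, truth, h in scored if truth == "legit")
    min_dga = min(h for _, truth, h in scored if truth == "dga")
    return min_dga > max_legit


if __name__ == "__main__":
    for fqdn, truth, h in score_all():
        print(f"{fqdn:24s} {truth:6s} H={h:.3f}")
    t, acc = best_threshold()
    print(f"best threshold {t:.3f} -> accuracy {acc:.2f}; "
          f"separable: {threshold_separates()}")
    # Entropy ignores order: a brand name and its reversal score identically.
    print(shannon_entropy("google") == shannon_entropy("elgoog"))
```

On these samples the short DGA label `kqwm` (2.0 bits) scores below the legitimate `wikipedia` (about 2.64 bits) and far below `thequickbrownfox` (about 3.88 bits), so the best single threshold is 2.0 with two false positives out of six, and no threshold separates the classes at all. Because the score depends only on the character histogram, it also cannot tell a word from its anagram; models that read the label as a sequence of characters do not have that blind spot.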

The presentation offers a comprehensive introduction to neural networks through a detailed exploration of a hard cybersecurity problem. We discuss the benefits of neural network-based techniques over traditional approaches, as well as the drawbacks of this solution, and encourage the cybersecurity community to adopt innovative machine learning techniques for more accurate threat detection.


ABOUT THE SPEAKER

Daniel Griffiths started his journey at Black Cell as a Level 1 SOC Analyst and climbed the ranks to his current role of Deputy SOC Manager. His main responsibility is to oversee the day-to-day operations of the Fusion Center and to spearhead incident response when the need arises.