Use of Shannon Entropy Estimation for DGA Detection

Syed Suleman Qutb
2 min readNov 23, 2020

--

For threat hunters and security researchers, Advanced Persistent Threats (APTs) are always one step ahead especially in case of cyber-attacks involving Domain Generation Algorithms (DGAs) in which attackers circumvent defenders by drafting thousands of FQDN using quick random seeds that maintains communication between a virus or ransomware with its C&C (command & control) servers. Taking down these malicious FQDN is a challenging task, as Cybersecurity professionals have to identify these domains one by one that are often up for only limited periods of time having rapid rotation of DGA seeds. Thus, signature-based detection is near to impossible.

To cater this problem, we used machine learning approach using Splunk’s URL toolbox Shannon calculator. The approach focuses on identifying anomalies in evolving FQDN patterns by using Shannon’s Entropy. We selected Shannon’s entropy, as it serves as a good metric to quantifying the entropy (uncertainty / information content) of a given domain name. If the entropy score of domains exceeds the defined threshold value (i.e. >4.2 in our case) then it can serve as a useful indicator to identify DGA-based FQDN. Hence, the higher the entropy index, the more likely a given DNS was algorithmically generated. The SPL query we implemented is appended as under:

This solution helps us in identification of Domain Generation Algorithms (explained in MITRE ATT&CK T1483) at real time, and it has been implemented in our EUNOMATIX MLDETECT app. For more details and functionality of our ML based detection framework, please contact EUNOMATIX, info@eunomatix.com.

--

--

Syed Suleman Qutb

Cybersecurity Solutions Architect @ EUNOMATIX, USA. EUNOMATIX specializes in out-of-the-box Cyber Detection & Preemption.