US 11,777,969 B2
System and method for detecting a DGA domain generation algorithm
Jean-Yves Bisiaux, La Garenne Colombes (FR); Sylvain Galliano, La Garenne Colombes (FR); and Christophe Girard, La Garenne Colombes (FR)
Assigned to EFFICIENT IP SAS, La Garenne Colombes (FR)
Filed by EFFICIENT IP SAS, La Garenne Colombes (FR)
Filed on Oct. 8, 2020, as Appl. No. 17/65,752.
Claims priority of application No. 1911252 (FR), filed on Oct. 10, 2019.
Prior Publication US 2021/0112084 A1, Apr. 15, 2021
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/0236 (2013.01); H04L 63/145 (2013.01); H04L 63/1416 (2013.01)] 9 Claims
OG exemplary drawing
 
1. Method for the detection of a domain generation algorithm (DGA) in a computer communication network comprising at least one resolution server for resolving domain name system (DNS) requests emanating from at least one client terminal, characterized in that the computer communication network further comprises a detection module coupled to the at least one resolution server and configured to analyze the DNS requests according to the following steps:
for each DNS request, associate the requested domain name and the identity of the requesting client terminal to form a tuple;
combine the tuples into homogeneous partitions according to a community detection technique;
deduce for each homogeneous partition all the client terminals using the same DGA; and
measure a quality of clustering according to a calculation of a modularity of the tuples in detected communities,
wherein the community detection technique is carried out from a first bipartite graph comprising:
a) a plurality of client terminal nodes;
b) a plurality of domain nodes;
c) a plurality of edges each representing a DNS query from a first client terminal node to a first domain node, the first domain node being connectable to multiple client terminal nodes, and the first client terminal node being connectable to multiple domain nodes; and
d) the community detection of tuples in the bipartite graph being capable of generating distinct partitions distributed in at least a second bipartite graph including tuples representing a coherent set of client terminals making DNS queries on a set of domains.
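Worked example of the claimed pipeline, added here for illustration; it is not code from the patent or from EfficientIP. It builds the first bipartite graph (client terminal nodes, domain nodes, one edge per distinct DNS query tuple), runs a community detection over it, lists for each resulting partition the client terminals that share a set of queried domains, and scores the clustering with modularity. The claim does not name the community detection algorithm or the modularity variant; this example assumes asynchronous label propagation and Newman modularity computed on the unipartite view of the graph, and the DNS query tuples are constructed sample data, not real traffic.

```python
"""Bipartite client/domain community detection over DNS query tuples.

Added example, not the patent's own implementation. Assumptions: label
propagation as the community detection technique and Newman modularity as
the clustering-quality measure; the claim fixes neither.
"""
from collections import Counter, defaultdict

# Constructed sample of DNS query tuples (client identity, requested name).
# Not real traffic: clients .1-.3 query one set of random-looking names,
# clients .4-.5 query another set, client .6 queries a normal name.
SAMPLE_QUERIES = [
    ("10.0.0.1", "xk3jd9.com"), ("10.0.0.1", "q8zlw2.net"), ("10.0.0.1", "mm4ppe1.org"),
    ("10.0.0.2", "xk3jd9.com"), ("10.0.0.2", "q8zlw2.net"), ("10.0.0.2", "mm4ppe1.org"),
    ("10.0.0.3", "q8zlw2.net"), ("10.0.0.3", "mm4ppe1.org"),
    ("10.0.0.4", "ab7cde.info"), ("10.0.0.4", "ff91kk.biz"),
    ("10.0.0.5", "ab7cde.info"), ("10.0.0.5", "ff91kk.biz"),
    ("10.0.0.6", "example.com"),
]


def build_bipartite_graph(queries):
    """Adjacency for the first bipartite graph of the claim.

    Nodes are ("client", id) and ("domain", name); an edge is one distinct
    (client, domain) query tuple. Repeated queries collapse into one edge.
    """
    adj = defaultdict(set)
    for client, domain in queries:
        c, d = ("client", client), ("domain", domain)
        adj[c].add(d)
        adj[d].add(c)
    return adj


def label_propagation(adj, max_sweeps=100):
    """Asynchronous label propagation (assumed community detection technique).

    Deterministic: nodes are visited in sorted order and ties between equally
    frequent neighbour labels go to the smallest label. Returns {node: id}.
    """
    labels = {n: n for n in adj}
    order = sorted(adj)
    for _ in range(max_sweeps):
        changed = False
        for node in order:
            counts = Counter(labels[nb] for nb in adj[node])
            best = max(counts.values())
            new = min(lbl for lbl, cnt in counts.items() if cnt == best)
            if new != labels[node]:
                labels[node] = new
                changed = True
        if not changed:
            break
    ids = {lbl: i for i, lbl in enumerate(sorted(set(labels.values())))}
    return {n: ids[lbl] for n, lbl in labels.items()}


def modularity(adj, community):
    """Newman modularity Q = sum over communities of L_c/m - (d_c/2m)^2,
    with L_c the edges inside community c and d_c its total degree."""
    m = sum(len(nbs) for nbs in adj.values()) / 2  # number of edges
    internal, degree_sum = Counter(), Counter()
    for node, nbs in adj.items():
        degree_sum[community[node]] += len(nbs)
        for nb in nbs:
            if community[nb] == community[node]:
                internal[community[node]] += 1  # each inside edge seen twice
    return sum((internal[c] / 2) / m - (degree_sum[c] / (2 * m)) ** 2
               for c in degree_sum)


def detect_dga_communities(queries):
    """Return (partitions, Q): each partition is (sorted client terminals,
    sorted domains) that fall into one detected community, i.e. the set of
    clients the claim deduces to be using the same DGA."""
    adj = build_bipartite_graph(queries)
    community = label_propagation(adj)
    clients, domains = defaultdict(list), defaultdict(list)
    for (kind, name), c in community.items():
        (clients if kind == "client" else domains)[c].append(name)
    partitions = sorted((tuple(sorted(clients[c])), tuple(sorted(domains[c])))
                        for c in set(community.values()))
    return partitions, modularity(adj, community)


if __name__ == "__main__":
    parts, q = detect_dga_communities(SAMPLE_QUERIES)
    for members, names in parts:
        print("clients", members, "share domains", names)
    print("modularity Q = %.4f" % q)
```

On the sample data the three DGA-looking names form one community with three clients, the other two names form a second community with two clients, and the lone client querying example.com is a singleton partition; Q is about 0.52. In practice a widely queried legitimate name (a CDN or update host) would bridge every client into one community, so such names need filtering before the graph is built, which the claim does not address.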