We're thrilled to unveil our latest advancement in security efficacy with the release of our AI-driven Domain Generation Algorithm (DGA) detection capability, now integrated within Secure Access and Umbrella.
Why DGAs Matter
In the realm of network security, attackers often aim to maintain command and control (C2) communications with the devices they have compromised. DGAs are algorithms used by many malware families to generate large numbers of candidate domain names, so that C2 rendezvous can be established over DNS without relying on a single, easily blocked domain. Given that over 90% of malware exploits DNS for C2 initiation, DNS is a key enforcement point for understanding and mitigating DGAs.
The Scope of the Challenge
There are over 50 malware families that employ DGA techniques for evasion and command and control (C2). Additionally, there are approximately 300,000 new domain registrations every day. This sheer volume presents a significant challenge for traditional reputation-based systems, underscoring the necessity for advanced detection techniques like artificial intelligence to distinguish signal from noise.
Detecting DGAs
While some DGAs can be reverse-engineered from malware samples so that the specific domains they will generate can be blocked in advance, this method requires access to the malware samples or to each new code iteration, and it cannot address unknown DGAs in real time. Hence, there is a need for systems that can quickly and accurately identify DGA-generated domains as they are queried.
Our AI DGA Detection Solution
One approach to DGA detection capitalizes on the lexical characteristics of the domain names these algorithms produce, which differ from the names humans choose. Collaborating closely with our Talos threat research team, we've leveraged insights from the data exfiltration analysis behind our AI-driven DNS tunneling detection to enhance our DGA detection.
Leveraging this knowledge and fine-tuning the AI model for DGA detection has led to a 30% increase in detection F1 score (the harmonic mean of precision and recall) as well as a 50% improvement in accuracy, reducing both false positives and false negatives.
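To make the lexical approach concrete, the following is an added illustration and not Cisco's model or code: a hand-weighted scorer over a few lexical features (label length, Shannon entropy, vowel ratio, digit ratio, longest consonant run) run against constructed DNS query log lines. The thresholds, the SAMPLE_QUERIES lines and the tiny PUBLIC_SUFFIXES stand-in for a real public suffix list are all assumptions made for the example; a production detector learns such boundaries from labelled data rather than fixing them by hand.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines ("<client_ip> <qname>"), not real traffic.
SAMPLE_QUERIES = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.google.com",
    "10.0.0.7 xkqjzvbtrwplmnd.net",
    "10.0.0.7 a1b2c3d4e5f6g7h8i9.info",
    "10.0.0.9 cdn-static-assets.example.org",
    "10.0.0.9 pqwzxvkjhgfdsmnb.com",
]

# Hypothetical stand-in for the public suffix list (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "info"}


def registrable_label(qname):
    """Return the label directly left of the public suffix; this is the part a DGA generates."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 2 and parts[-1] in PUBLIC_SUFFIXES:
        return parts[-2]
    return parts[0]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def lexical_features(label):
    """Extract the handful of lexical features this toy scorer looks at."""
    n = len(label)
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    consonant_runs = re.findall(r"[bcdfghjklmnpqrstvwxyz]+", label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / n if n else 0.0,
        "digit_ratio": digits / n if n else 0.0,
        "longest_consonant_run": max((len(r) for r in consonant_runs), default=0),
    }


def dga_score(label):
    """Count how many DGA-like traits a label shows (0 = looks human-chosen, 5 = very DGA-like).
    Thresholds are assumptions chosen for illustration, not learned values."""
    f = lexical_features(label)
    score = 0
    score += f["entropy"] > 3.5
    score += f["vowel_ratio"] < 0.25
    score += f["longest_consonant_run"] >= 5
    score += f["digit_ratio"] > 0.3
    score += f["length"] >= 12
    return int(score)


def flag_suspicious(lines, threshold=3):
    """Parse '<client_ip> <qname>' lines and return (client_ip, qname, score) for DGA-like queries."""
    flagged = []
    for line in lines:
        client_ip, qname = line.split()
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((client_ip, qname, score))
    return flagged


if __name__ == "__main__":
    for client_ip, qname, score in flag_suspicious(SAMPLE_QUERIES):
        print(f"{client_ip} queried {qname} (DGA-like score {score})")
```

Running the block flags the three random-looking labels and leaves the dictionary-word domains alone. Note what a per-label scorer cannot see: word-list DGAs that concatenate real words, and a single lookup in isolation; in practice the lexical signal is combined with behavioural context such as NXDOMAIN bursts from one client, which is where a trained model rather than fixed thresholds earns its keep.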
How do I enable this new DGA detection?
By default, Secure Access and Umbrella both ship with the Malware threat category enabled in your security settings, so you are already protected by this enhanced detection.
We've added these DGA detections to the Malware category and will continue to update it as new detections are developed.
We're excited to bring this enhanced security feature to you, ensuring more precise and rapid protection against DGA-based threats.
Secure Access Threat Categories
https://docs.sse.cisco.com/sse-user-guide/docs/manage-threat-categories
Umbrella Security Categories
https://docs.umbrella.com/deployment-umbrella/docs/dns-security-categories