Curtis Wiseman
Cisco Employee

Feature Overview

Cisco Secure Access and Cisco Talos are enhancing our Domain Generation Algorithm (DGA) detection, the capability that helps identify algorithmically generated domains used by malware, botnets, and command-and-control infrastructure.

The original release introduced AI-driven recognition of DGA-style domain names. This release materially improves the detection approach by adding graph-embedded time-series evidence from Cisco Talos DNS Security before lexical scoring is applied.

Instead of evaluating a suspicious domain in isolation, enhanced DGA detection analyzes when domains spike, which sources are driving the spike, and how those domains relate to one another through shared populations. It first identifies synchronized spike shapes and population sets, then applies an AI model tuned for DNS names to recognize generated lexical patterns.

For customers, the outcome is a stronger predictive signal for newly observed DGA activity: Secure Access can block or surface suspicious generated-domain infrastructure based on behavioral evidence, not only on whether an individual domain already has reputation.

How this improves Security Efficacy

Initial DGA Detection: AI-focused scoring of domain-name randomness and lexical texture.
Enhanced DGA Detection: Behavior-first graph detection that correlates synchronized client activity before AI lexical scoring.
Customer impact: Earlier detection of DGA campaigns that use new or previously unseen domains.

Initial DGA Detection: Useful for identifying domains that look algorithmically generated.
Enhanced DGA Detection: Builds shared-population sets across related spiking domains and infected-client cohorts.
Customer impact: Higher-confidence decisions because each domain is supported by behavioral and lexical evidence.

Initial DGA Detection: Why it matters: DGAs help malware keep command-and-control channels alive.
Enhanced DGA Detection: Why it matters now: DGA detection can predictively connect rotating domains into a campaign-like neighborhood.
Customer impact: Faster investigations with context about affected clients, related domains, and spike timing.

Packaging and Licensing

Enhanced DGA detection is delivered through the Cisco Secure Access SIA and DNS Defense licenses (powered by Cisco Talos DNS Security). Customers with Secure Access receive this benefit through existing threat-category enforcement and reporting workflows; no separate deployment or license is required when the Malware threat category is enforced in policy.

Key Benefits

  • Predictive DGA detection: Identifies suspicious generated-domain infrastructure using shared behavior and spike timing, even when a specific domain is newly observed.
  • Higher-confidence protection: Combines synchronized behavior, compact cluster formation, and AI-based lexical analysis into a single detection decision.
  • Broader generated-domain coverage: Recognizes multiple DGA-family textures, including hex-dense, consonant-heavy, digit-mixed, and long mixed labels.
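
To make the behavior-first, lexical-second ordering concrete, here is an added illustration in Python. It is not Cisco's or Talos's implementation: the sample DNS log, the time-bucket granularity, the correlation and population thresholds, and the five-trait lexical heuristic (long, high-entropy, consonant-heavy, digit-mixed, hex-dense labels) are all assumptions chosen for the example. It first finds domains that spike at the same time and are queried by the same clients, links them into a neighborhood, and only then scores the names lexically. The constructed log also contains a benign spike (many different clients hitting a legitimate name at the same minute) to show why shared population, not timing alone, is what links domains.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample DNS log: (minute_bucket, client, queried_domain).
# Buckets 0-7. Clients c1-c3 (infected) resolve three generated domains
# together in buckets 5-6; clients c4-c9 produce a benign spike on a
# legitimate name in the same buckets; cdn.example.com is steady baseline.
GENERATED = ["xkqzvbnrtlpw.net", "a3f9c1e7b2d4.org", "tq8z1k5v9m3x.info"]
SAMPLE_LOG = [(b, c, "cdn.example.com")
              for b in range(8) for c in ("c1", "c2", "c3", "c4", "c5", "c6")]
SAMPLE_LOG += [(b, c, d) for b in (5, 6) for c in ("c1", "c2", "c3") for d in GENERATED]
SAMPLE_LOG += [(b, c, "news.example.org")
               for b in (5, 6) for c in ("c4", "c5", "c6", "c7", "c8", "c9")]

# Assumed thresholds; tune against real telemetry.
MIN_PEAK, SHAPE_CORR_MIN, POP_JACCARD_MIN, LEXICAL_MIN = 3, 0.8, 0.5, 3


def build_evidence(log):
    """Per-domain query-count time series and querying-client populations."""
    buckets = max(b for b, _, _ in log) + 1
    series = defaultdict(lambda: [0] * buckets)
    population = defaultdict(set)
    for bucket, client, domain in log:
        series[domain][bucket] += 1
        population[domain].add(client)
    return series, population


def spike_buckets(counts):
    """Buckets where a domain spikes: at least MIN_PEAK queries and 2x its mean rate."""
    mean = sum(counts) / len(counts)
    return {i for i, v in enumerate(counts) if v >= MIN_PEAK and v >= 2 * mean}


def pearson(a, b):
    """Shape similarity of two time series (1.0 = identical spike shape)."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0  # flat series: no shape to match


def jaccard(s, t):
    """Overlap of two client populations."""
    return len(s & t) / len(s | t) if s | t else 0.0


def lexical_score(domain):
    """Count generated-name traits on the registrable label. This heuristic is an
    assumed stand-in for the AI lexical model, not the model itself."""
    label = domain.split(".")[-2] if "." in domain else domain
    n, counts = len(label), Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / max(len(letters), 1)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    hex_ratio = sum(ch in "0123456789abcdef" for ch in label) / n
    return sum([n >= 10,                       # long label
                entropy >= 3.0,                # high character entropy
                vowel_ratio < 0.25,            # consonant-heavy
                digit_ratio >= 0.3,            # digit-mixed
                hex_ratio >= 0.9 and n >= 10]) # hex-dense


def detect_dga_neighborhoods(log):
    """Behavior first: link spiking domains with synchronized shape and shared
    clients into neighborhoods; then keep those whose members also look generated."""
    series, population = build_evidence(log)
    spiking = {d for d, s in series.items() if spike_buckets(s)}
    parent = {d: d for d in spiking}          # union-find over spiking domains

    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d

    for a, b in combinations(sorted(spiking), 2):
        if (pearson(series[a], series[b]) >= SHAPE_CORR_MIN
                and jaccard(population[a], population[b]) >= POP_JACCARD_MIN):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in spiking:
        groups[find(d)].add(d)
    results = []
    for members in groups.values():
        scores = {d: lexical_score(d) for d in members}
        flagged = {d for d, s in scores.items() if s >= LEXICAL_MIN}
        if len(members) >= 2 and flagged:     # compact cluster plus lexical support
            results.append({
                "domains": flagged,
                "clients": set.union(*(population[d] for d in flagged)),
                "spike_buckets": set.union(*(spike_buckets(series[d]) for d in flagged)),
                "lexical_scores": scores,
            })
    return results


if __name__ == "__main__":
    for hit in detect_dga_neighborhoods(SAMPLE_LOG):
        print(hit)
```

On the constructed log the three generated domains form one neighborhood (same spike buckets, same three clients, lexical score 3 or 4 each), while news.example.org spikes at the same minutes but shares no clients with them and stays a singleton, so it is never scored as part of a campaign. That is the distinction the use cases below rely on: timing correlation alone would have grouped the benign spike with the malware burst.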

Use Cases

  • Block malware command-and-control attempts that rotate through DGA-generated domains.
  • Find compromised populations where DNS activity repeatedly converges on the same suspicious domain neighborhood.
  • Detect emerging DGA campaigns before traditional domain reputation alone can classify each domain.
  • Differentiate benign traffic spikes from malware-like activity by combining time-series behavior with protocol and lexical evidence.

 

Best Practices

  • Enable Malware threat-category enforcement in policy; enhanced DGA detection is delivered through that category.
  • Review custom destination allow lists periodically so exceptions do not override updated Talos intelligence.
  • Correlate Secure Access events with endpoint, email, firewall, and XDR telemetry to validate impact and identify affected users or devices.

 

Documentation and Resources
