2.1.5. Overview of the Gdgadetect engine

2.1.5.1. Introduction to Domain Generation Algorithms (DGA)

The GBox includes an engine capable of detecting domain names produced by a Domain Generation Algorithm (DGA).
The presence of DGA-generated domain names in network traffic is a strong indicator of a compromised host.
Indeed, malware can issue HTTP requests to automatically generated domain names in order to reach its command and control servers (also called CnC, C&C, or C2).
These domain names have lexical properties that differ from those of legitimate domain names.
Conventional detection approaches, such as blacklists, are ineffective against domains that are continuously renewed: a list built from yesterday's observations does not contain today's domains.
Simple entropy calculations on the domain name produce a large number of false positives, because many legitimate names are long or letter-diverse as well.
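As an added illustration of the last two points (example code written for this page, not Gatewatcher code and not part of the GBox), the script below builds a toy date-seeded DGA, shows that two consecutive days share no domains (so a blacklist is stale as soon as it is built), and scores a plain Shannon-entropy check on the registered label against a constructed list of well-known legitimate domains. The generator, the secret seed, the entropy threshold and the legitimate-domain list are all assumptions of the example; the toy DGA follows the general "hash the date and a secret, turn it into letters" scheme and is modelled on no particular malware family.

```python
"""Added example: why blacklists and a bare entropy heuristic are weak against DGA.

Not Gatewatcher/GBox code. The toy DGA follows the generic date-seeded scheme
(hash of a secret and the date, mapped to letters); the secret, the threshold
and the legitimate-domain list are constructed for this example.
"""
import hashlib
import math
from collections import Counter

TLDS = ("com", "net", "org", "info")


def toy_dga(day: str, count: int, secret: bytes = b"constructed-seed") -> list:
    """Generate `count` domains for the ISO date `day` (e.g. "2024-01-15").

    The same (day, secret) always yields the same list, and a different day
    yields a completely different list: the bot and its operator can both
    compute the list, but a blacklist built from yesterday's sightings is
    useless today.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.encode() + i.to_bytes(2, "big")).digest()
        length = 10 + digest[0] % 8                       # label of 10..17 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def registered_label(domain: str) -> str:
    """The label a DGA randomises: the one just left of the TLD.

    Naive split on '.'; a production engine would consult the public suffix
    list to handle names such as example.co.uk.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character of `s` under its own letter frequencies."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def entropy_flag(domain: str, threshold: float = 3.3) -> bool:
    """The 'simple entropy calculation' of the text: flag a domain when the
    entropy of its registered label reaches the (assumed) threshold."""
    return shannon_entropy(registered_label(domain)) >= threshold


# Constructed list of legitimate domains (real well-known names, chosen to
# include long or letter-diverse labels that an entropy check mistakes for DGA).
LEGIT = [
    "google.com", "wikipedia.org", "stackoverflow.com", "microsoftonline.com",
    "githubusercontent.com", "cloudfront.net", "akamaihd.net", "amazonaws.com",
]


def evaluate(threshold: float = 3.3, day: str = "2024-01-15", count: int = 50) -> dict:
    """Score the entropy heuristic on LEGIT versus one day of toy DGA output."""
    dga = toy_dga(day, count)
    false_positives = [d for d in LEGIT if entropy_flag(d, threshold)]
    missed = [d for d in dga if not entropy_flag(d, threshold)]
    return {
        "false_positives": false_positives,
        "missed_dga": missed,
        "dga_detection_rate": 1 - len(missed) / count,
    }


if __name__ == "__main__":
    today, tomorrow = toy_dga("2024-01-15", 3), toy_dga("2024-01-16", 3)
    print("today:   ", today)
    print("tomorrow:", tomorrow)   # disjoint sets: a blacklist of today's names is stale tomorrow
    scored = sorted((shannon_entropy(registered_label(d)), d) for d in LEGIT)
    for score, name in scored:
        print(f"{score:.2f}  {name}")   # legitimate names reach 3.5 bits and above
    print(evaluate())
```

Running the script shows the two failure modes side by side: the generated names for two consecutive days have nothing in common, and at a threshold low enough to catch most generated labels the entropy check also flags legitimate names such as `stackoverflow.com`. This is the gap that a model trained on the character sequences themselves, rather than on a single summary statistic, is meant to close.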

2.1.5.2. Analysis

Classification relies on a pre-trained model whose architecture is a deep neural network of the LSTM type (Long Short-Term Memory network), which reads the domain name as a sequence of characters rather than reducing it to a single statistic such as entropy.


2.1.5.3. Displaying DGA alerts

A domain name is submitted for analysis on the `Quick analysis` page.
The verdict is shown as an icon: red when the domain is classified as DGA-generated, green when it is not.

2.1.5.4. Viewing the Gdgadetect status

The current state of the engine is shown in the `Analysers` screen of the Web UI.


2.1.5.5. Gdgadetect update

The engine does not receive any updates.


2.1.5.6. Configuring Gdgadetect

The engine is not configurable.