{"id":20904502,"url":"https://github.com/sudo-rushil/dgaintel","last_synced_at":"2025-05-13T05:30:39.727Z","repository":{"id":36362572,"uuid":"223698228","full_name":"sudo-rushil/dgaintel","owner":"sudo-rushil","description":"Repository for code for DGA Intel package.","archived":false,"fork":false,"pushed_at":"2021-10-06T12:30:23.000Z","size":13062,"stargazers_count":10,"open_issues_count":2,"forks_count":5,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-28T19:18:05.689Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://pypi.org/project/dgaintel/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sudo-rushil.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-24T05:42:14.000Z","updated_at":"2023-08-24T15:12:33.000Z","dependencies_parsed_at":"2022-09-03T08:52:06.448Z","dependency_job_id":null,"html_url":"https://github.com/sudo-rushil/dgaintel","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sudo-rushil%2Fdgaintel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sudo-rushil%2Fdgaintel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sudo-rushil%2Fdgaintel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sudo-rushil%2Fdgaintel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sudo-rushil","download_url":"https://codeload.github.com/sudo-rushil/dgaintel/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253882643,"owners_count":21978524,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-18T13:17:27.820Z","updated_at":"2025-05-13T05:30:36.920Z","avatar_url":"https://github.com/sudo-rushil.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DGA Intel\n\nUsing deep learning to detect DGA domains.\n\n# Overview\nThe DGAIntel Python module allows you to utilize a powerful CNN-LSTM model to predict whether a given domain name was generated by a domain generation algorithm (DGA) or corresponds to a genuine domain. The prediction features are also accesible through [this website](http://www.dgaintel.com/), but this package allows for direct integration into your workflow.\n\n## Requirements\n\nDGAIntel is designed for use with Python 3. It has only two requirements:\n\n    - TensorFlow 2.x\n    - Numpy\n\n# Installation\n\nTo download dgaintel, simply use Pypi via pip.\n```sh\n$ pip install dgaintel\n```\n\nAlternatively, you could install from source.\n```sh\n$ git clone https://github.com/sudo-rushil/dgaintel\n$ cd dgaintel\n$ python setup.py install\n```\n\nVerify your installation by running\n```Python\n\u003e\u003e\u003e import dgaintel\n\u003e\u003e\u003e dgaintel.get_prediction('microsoft.com')\n'microsoft.com is genuine with probability 0.00050'\n```\n\n# Examples\n\n### Predict DGA\nThis is simple way of determining whether any given domain, such as `'microsoft.com'` is DGA or not, mainly intended for cyber security analysts.\n\n```Python\nfrom dgaintel import get_prediction\n\nget_prediction('microsoft.com')\n```\n\u003e 'microsoft.com is genuine with probability 0.00050'\n\n### Predict DGA probability\nThis allows for getting the probability, or probabilities, that a domain or list of domains is DGA or not, which is more useful to data scientists.\n\n```Python\nfrom dgaintel import get_prob\n\n# For single domain\nprob = get_prob('microsoft.com')\nprint(prob)\n\n# For multiple domains\nprobs = get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com'])\nprint(probs)\n\n# To get just the scores\nraw_probs = list(get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com'], raw=True))\nprint(raw_probs)\n```\n\n\u003e 0.00050\n\n\u003e [('microsoft.com', 0.00050), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.97601)]\n\n\u003e [0.00050845, 0.00033092, 0.00144754]\n\n### Predict by file\nThis is for inputing a file containing a list of domains to get predictions on all of them at once, which is helpful for data analysts.\n\nSay you have a domain file `domains.txt`.\n```\nmicrosoft.com\nwikipedia.com\nvlurgpeddygdy.com\n```\n\nThen, you can run the following code in the same directory.\n```Python\nfrom dgaintel import get_prediction\n\n# Print to console\nget_prediction('domains.txt')\n\n# Write to file\nget_prediction('domains.txt', to_file='domain_predictions.txt')\n```\n\n\u003e microsoft.com is genuine with probability 0.00050\n\n\u003e wikipedia.com is genuine with probability 0.00033\n\n\u003e vlurgpeddygdy.com is DGA with probability 0.97601\n\nIf you read the new file `domain_predictions.txt`, you will see the following.\n\n```\nmicrosoft.com is genuine with probability 0.0005084535223431885\nwikipedia.com is genuine with probability 0.00033092446392402053\nvlurgpeddygdy.com is DGA with probability 0.9760094285011292\n```\n\n### Prediction analysis\nThis is an example function that integrates dgaintel with [whois](https://pypi.org/project/whois/) for performing basic prediction analysis, which is important for cyber security investigators.\n\n```Python\nfrom dgaintel import get_prob\nfrom whois import query\n\ndef analyze(domain, out=True):\n    prob = get_prob(domain)\n    whois = query(domain)\n    dga = False\n    if prob \u003e= 0.5: dga = True\n\n    domain_analysis = {'domain_name': domain,\n                       'dga': dga,\n                       'registrar': whois.registrar if whois else None,\n                       'creation date' : whois.creation_date if whois else None,\n                       'expiration date': whois.expiration_date if whois else None}\n\n    if out:\n        print()\n        for key, val in domain_analysis.items():\n            print('{}: {}'.format(key, val))\n        print()\n        return None\n\n    return domain_analysis\n\nanalyze('microsoft.com')\n\n# Get analysis dictionary in python itself\nanalysis = analyze('microsoft.com', out=False)\n```\n\n\u003e name: microsoft.com\n\n\u003e dga: False\n\n\u003e registrar: MarkMonitor Inc.\n\n\u003e creation date: 1991-05-02 04:00:00\n\n\u003e expiration date: 2021-05-03 04:00:00\n\n\n### Predictions with Whitelisting\nThis example shows how the class interface to DGAIntel allows for certain TLDs to be whitelisted, preventing them from raising errors in a given ecosystem.\n\n```Python\nfrom dgaintel import Intel\n\nintel = Intel(['cloud.com'])\n\nprint(intel.get_prob(['www.cloud.com',\n                        'dfsadkcda.cloud.com',\n                        'www.cloud.org',\n                        'www.dkfjsdakfj.org']))\n```\n\n\u003e [('www.cloud.com', 0.0), ('dfsadkcda.cloud.com', 0.0), ('www.cloud.org', 0.00045579672), ('www.dkfjsdakfj.org', 0.99884665)]\n\n\n# Documentation\nDGAIntel has support for polymorphism; to input domains to run predictions on, you can use a single domain name, a list of domain names, or a text file with line-separated domain names. The text file has the format\n\n```\nmicrosoft.com\nwikipedia.com\nvlurgpeddygdy.com\n...\n```\n\nAdditionally, the Tensorflow Keras model running in the backend supports input batching, meaning there is a significant increase in speed for running predictions on lists or files rather than individual domains. This was tested in Jupyter.\n\n```Python\nfrom dgaintel import get_prob\n\n# List of 10 domain names\nl = ['microsoft.com', 'squarespace.com', 'hsfkjdshfjasdhfk.com', 'fdkhakshfda.com', 'foilfencersarebad.com', 'foilfencersarebad.com', 'foilfencersarebad.com', 'discojjfdsf.com', 'fasddafhkj.com', 'wikipedai.com']\n```\n\n```Python\n# One domain\n%%timeit\nget_prob(l[0])\n```\n\n\u003e 286 ms ± 4.99 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)\n\n```Python\n# Ten domains\n%%timeit\nget_prob(l)\n```\n\n\u003e 290 ms ± 7.23 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)\n\n```Python\n# Hundred domains\n%%timeit\nget_prob(l*10)\n```\n\n\u003e 333 ms ± 4.71 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)\n\n```Python\n# Thousand domains\n%%timeit\nget_prob(l*100)\n```\n\n\u003e 584 ms ± 14.8 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)\n\nThis demonstrates that increasing the number of domain names one runs the prediction by 1000x only increases the inference time by less than 2x. Therefore, this model is easily adaptable to large-scale predictions.\n\n## API\nThe `get_prediction` function will either print the predictions or write them to a user-specified file.\n```Python\nfrom dgaintel import get_prediction\n\nget_prediction('microsoft.com')\nget_prediction(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com'])\nget_prediction('domains.txt')\nget_prediction('domains.txt', to_file='domain_predictions.txt')\n```\n\nThe `get_prob` function will perform the inference and provide the prediction floats. It is helpful if you want to use the prediction scores directly in your workflow.\n```Python\nfrom dgaintel import get_prob\n\nget_prob('microsoft.com') # 0.00050851\nget_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com']) # [('microsoft.com', 0.00050), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.0.97601)]\nget_prob('domains.txt') # [('microsoft.com', 0.00050), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.97601)]\nget_prob(['microsoft.com', 'wikipedia.com', 'google.com'], raw=True) # array([0.00050, 0.00033, 0.0.97601], dtype=float32)\n```\n\nThe `Intel` interface allows DGAIntel to avoid checking certain domains with known TLDs to ensure enterprise functions are not compromised.\n```Python\nfrom dgaintel import Intel\n\nintel = Intel(['microsoft.com'])\nintel.get_prob('microsoft.com') # 0.0\nintel.get_prob(['microsoft.com', 'wikipedia.com', 'vlurgpeddygdy.com']) # [('microsoft.com', 0.0), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.0.97601)]\nintel.get_prob('domains.txt') # [('microsoft.com', 0.0), ('wikipedia.com', 0.00033), ('vlurgpeddygdy.com', 0.97601)]\nintel.get_prob(['microsoft.com', 'wikipedia.com', 'google.com'], raw=True) # array([0.0, 0.00033, 0.0.97601], dtype=float32)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsudo-rushil%2Fdgaintel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsudo-rushil%2Fdgaintel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsudo-rushil%2Fdgaintel/lists"}