Botintime - Phoenix: DGA-based Botnet Tracking and Intelligence presented at BlueHat 2014

by Stefano Zanero


Summary: It's common knowledge that an automatically generated malicious domain will not become popular, and that an attacker will register a domain under a Top Level Domain that does not require clearance. Hence, we use Phoenix, which filters out domains likely to have been generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains using linguistic features.
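As an added illustration of the linguistic-feature idea (example code written for this summary, not Phoenix's own implementation), the block below scores the second-level label of a domain with two simple features, dictionary coverage and the share of bigrams that never occur in English words, and flags names that look machine-generated. The word list, the bigram model and the sample domains are constructed and deliberately tiny; the thresholds are assumptions for the toy data.

```python
# Constructed toy English dictionary (assumption: a real deployment would use a
# full word list and n-gram statistics drawn from human-registered domains).
DICTIONARY = {"face", "book", "micro", "soft", "google", "news", "mail", "bank",
              "secure", "shop", "cloud", "store", "login", "online", "account"}
# Bigrams seen in dictionary words act as a crude model of "normal" language.
KNOWN_BIGRAMS = {w[i:i + 2] for w in DICTIONARY for i in range(len(w) - 1)}


def second_level_label(domain: str) -> str:
    """Strip the TLD: 'facebook.com' -> 'facebook'; only the label is scored."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def meaningful_char_ratio(label: str) -> float:
    """Fraction of characters covered by dictionary words of length >= 3."""
    covered = [False] * len(label)
    for i in range(len(label)):
        for j in range(i + 3, len(label) + 1):
            if label[i:j] in DICTIONARY:
                covered[i:j] = [True] * (j - i)
    return sum(covered) / len(label) if label else 0.0


def unseen_bigram_ratio(label: str) -> float:
    """Fraction of the label's bigrams that never occur in dictionary words."""
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not bigrams:
        return 1.0
    return sum(b not in KNOWN_BIGRAMS for b in bigrams) / len(bigrams)


def classify(domain: str, ratio_max: float = 0.5, unseen_min: float = 0.5) -> dict:
    """Flag a domain as DGA-like when it is both low in dictionary coverage and
    rich in bigrams English never produces; otherwise treat it as human-made."""
    label = second_level_label(domain)
    ratio = meaningful_char_ratio(label)
    unseen = unseen_bigram_ratio(label)
    return {"domain": domain, "meaningful_ratio": round(ratio, 3),
            "unseen_bigram_ratio": round(unseen, 3),
            "dga_like": ratio < ratio_max and unseen >= unseen_min}


if __name__ == "__main__":
    # Constructed sample: two human-registered names, two DGA-style names, one borderline.
    for d in ["facebook.com", "securebank.net", "xq7vkz2ptw.info",
              "bqwzltvkpj.org", "zzzbankzzz.com"]:
        print(classify(d))
```

The borderline case (a dictionary word padded with random characters) shows why both features are needed: coverage alone would be fooled by the embedded word, while the bigram feature still reports that most of the label is not English.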