What is the DGA score?

Hi OPN forum,

I’m trying to understand the DGA analyzer (Logistic Regression) in the Dragonfly MLE.

Right now, I span network traffic to Suricata, which logs the DNS replies to Dragonfly. Dragonfly pushes the DNS replies to the analyzer dga-lr-mle.lua for inspection. That works pretty well.

Finally I receive a log record for every DNS reply, including some kind of DGA score. For example:

{  
   "dns":{  
      "rrtype":"A",
      "rcode":"NOERROR",
      "id":55711,
      "type":"answer",
      "ttl":300,
      "rdata":"172.217.20.77",
      "rrname":"accounts.google.com"
   },
   "src_port":53,
   "event_type":"dns",
   "proto":"UDP",
   "flow_id":3.6006712178656e+14,
   "timestamp":"2019-01-21T12:15:22.230122+0100",
   "dest_port":55752,
   "analytics":{  
      "dga":{  
         "source":"dga\/dga-lr-mle.lua",
         "score":"0.24948360932931501"
      }
   },
   "src_ip":"208.67.222.222",
   "dest_ip":"10.84.110.4",
   "in_iface":"vtnet0"
}

My question is: what does this “score”-value express?
Is it the likelihood that the DNS name was generated by a DGA?

For comparison, let me include some other DNS replies including their score:

I’m running the latest version of OPNids 18.9.

Thanks for pointing me in the right direction.

Cheers,
Thomas

Hi Thomas,

Sorry for the delay.

My question is: what does this “score”-value express?
Is it the likelihood that the DNS name was generated by a DGA?

Yes, the DGA score does represent the likelihood or probability that the domain was generated by a Domain Generation Algorithm. You can read more about how we created the DGA algorithm on the OPNids blog:
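Since the answer says the score is the probability that the queried name came from a DGA, the natural defensive use is to read it back out of the Dragonfly log and alert on it. The following is an added example, not code from OPNids or Dragonfly: it parses records in the shape Thomas posted (the first sample line reuses that record's values, the others are constructed), converts the score from the JSON string the analyzer emits into a float, and counts high-score lookups per client; the 0.9 threshold is an assumed starting point, not a project default.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of the Dragonfly log shown above. The
# first copies the posted record's values; the rest are made up for the demo.
SAMPLE_LOG = """
{"dns":{"rrtype":"A","rcode":"NOERROR","rrname":"accounts.google.com"},"event_type":"dns","dest_ip":"10.84.110.4","analytics":{"dga":{"source":"dga/dga-lr-mle.lua","score":"0.24948360932931501"}}}
{"dns":{"rrtype":"A","rcode":"NXDOMAIN","rrname":"xk3jq9vz0lp2w.example"},"event_type":"dns","dest_ip":"10.84.110.4","analytics":{"dga":{"source":"dga/dga-lr-mle.lua","score":"0.97"}}}
{"dns":{"rrtype":"A","rcode":"NOERROR","rrname":"www.example.org"},"event_type":"dns","dest_ip":"10.84.110.9","analytics":{"dga":{"source":"dga/dga-lr-mle.lua","score":"0.05"}}}
{"event_type":"alert","dest_ip":"10.84.110.9"}
"""


def dga_score(record):
    """Return the DGA probability as a float, or None if the record has none.

    The analyzer writes the score as a JSON *string* (see the posted record),
    so it has to be converted before any numeric comparison.
    """
    try:
        return float(record["analytics"]["dga"]["score"])
    except (KeyError, TypeError, ValueError):
        return None


def flag_dga_lookups(log_text, threshold=0.9):
    """Yield (client_ip, rrname, score) for DNS replies scored at or above threshold.

    These records are replies, so the client is dest_ip and the resolver src_ip.
    """
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("event_type") != "dns":
            continue  # other Suricata event types carry no DGA analytics
        score = dga_score(record)
        if score is None or score < threshold:
            continue
        yield record.get("dest_ip"), record.get("dns", {}).get("rrname"), score


def suspicious_clients(log_text, threshold=0.9, min_hits=1):
    """Count high-score lookups per client; a burst of them is the DGA signal."""
    counts = defaultdict(int)
    for client, _name, _score in flag_dga_lookups(log_text, threshold):
        counts[client] += 1
    return {client: n for client, n in counts.items() if n >= min_hits}
```

Because the score is a per-name probability, a single hit near the threshold is weak evidence; counting hits per client over a window is what separates a DGA-infected host from a one-off odd hostname.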