detector.plugins package#

Submodules#

detector.plugins.dga_detector module#

class detector.plugins.dga_detector.DGADetector(detector_config, consume_topic, produce_topics=None, downstream_detector_topics=None)[source]#

Bases: DetectorBase

Detector implementation for identifying Domain Generation Algorithm (DGA) domains.

This class extends the DetectorBase to provide specific functionality for detecting malicious domains generated by domain generation algorithms. It uses a machine learning model to analyze domain name characteristics and identify potential DGA activity.

The detector extracts various statistical and structural features from domain names to make predictions about whether a domain is likely generated by a DGA.

__init__(detector_config, consume_topic, produce_topics=None, downstream_detector_topics=None)[source]#

Initialize the DGA detector with configuration parameters.

Sets up the detector with the model base URL and passes configuration to the base class for standard detector initialization.

Parameters:
  • detector_config (dict) – Configuration dictionary containing detector-specific parameters including base_url, model, checksum, and threshold.

  • consume_topic (str) – Kafka topic from which the detector will consume messages.

detect() None[source]#

Process messages to detect malicious requests.

This method applies the detection model to each message in the current batch, identifies potential threats based on the model’s predictions, and collects warnings for further processing.

The detection uses a threshold to determine if a prediction indicates malicious activity, and only warnings exceeding this threshold are retained.

Note

This method relies on the implementation of ``predict``of the rspective subclass

predict(message)[source]#

Process a message and predict if the domain is likely generated by a DGA.

Extracts features from the domain name in the message and uses the loaded machine learning model to generate prediction probabilities.

Parameters:

message (dict) – A dictionary containing message data, expected to have a “domain_name” key with the domain to analyze.

Returns:

np.ndarray

Prediction probabilities for each class. Typically a 2D array

where the shape is (1, 2) for binary classification (benign/malicious).

detector.plugins.domainator_attributor module#

class detector.plugins.domainator_attributor.DomainatorAttributor(detector_config, consume_topic, produce_topics=None, downstream_detector_topics=None)[source]#

Bases: DetectorBase

Detector implementation for the attribution of a tool or malware that was used in the data exfiltration and command and control, using the subdomain level labels.

This class extends the DetectorBase to provide specific functionality for identifying the tool sending the malicious queries. It analyzes subdomain similarity characteristics based on grouping of the queries in windows of fixed size, similar to the Domainator detector approach. It can be used both as a standalone detector or as a next stage in a pipeline of detectors, dependent on the provided model.

The identity detector extracts various statistical similarity features from windows of subdomains to make predictions about what tool likely sent the malicious query or what job/behaviour was observed.

__init__(detector_config, consume_topic, produce_topics=None, downstream_detector_topics=None)[source]#

Initialize the Domainator attributor with configuration parameters.

Sets up the detector with the model base URL and passes configuration to the base class for standard detector initialization.

Parameters:
  • detector_config (dict) – Configuration dictionary containing detector-specific parameters including base_url, model, checksum, and threshold.

  • consume_topic (str) – Kafka topic from which the detector will consume messages.

detect()[source]#

Process messages to detect malicious requests.

This method has to be overwritten in the child classes for detectors. The implementation below is tried to be generic. If a detector needs a different approach (e.g. predict on more than one message, buffer messages, etc.) then just overwrite the method and append to self.warnings a warning if a given messag is to be regarded malicious.

Note:

predict(messages)[source]#

Process a window of messages and predict what tool was likely used to sent a potentially malicious exfiltration and communication.

Extracts features from the subdomains in the messages and uses the loaded machine learning model to generate prediction probabilities.

Parameters:

message (list) – A list containing the messages data, expected to have a “domain_name” key with the domain to analyze.

Returns:

np.ndarray

Prediction probabilities for each class. Typically a 2D array

where the shape is (1, 2) for binary classification (benign/malicious).

detector.plugins.domainator_detector module#

class detector.plugins.domainator_detector.DomainatorDetector(detector_config, consume_topic, produce_topics=None, downstream_detector_topics=None)[source]#

Bases: DetectorBase

Detector implementation for identifying data exfiltration and command and control on the subdomain level.

This class extends the DetectorBase to provide specific functionality for detecting malicious queries. It analyzes subdomain similarity characteristics based on grouping of the queries in windows of fixed size, in order to identify potential data exfiltration or command and control.

The detector extracts various statistical similarity features from windows of subdomains to make predictions about whether a query is likely malicious.

__init__(detector_config, consume_topic, produce_topics=None, downstream_detector_topics=None)[source]#

Initialize the Domainator detector with configuration parameters.

Sets up the detector with the model base URL and passes configuration to the base class for standard detector initialization.

Parameters:
  • detector_config (dict) – Configuration dictionary containing detector-specific parameters including base_url, model, checksum, and threshold.

  • consume_topic (str) – Kafka topic from which the detector will consume messages.

detect()[source]#

Process messages to detect malicious requests.

This method has to be overwritten in the child classes for detectors. The implementation below is tried to be generic. If a detector needs a different approach (e.g. predict on more than one message, buffer messages, etc.) then just overwrite the method and append to self.warnings a warning if a given messag is to be regarded malicious.

Note:

predict(messages)[source]#

Process a window of messages and predict if the domain is likely to be used for malicious exfiltration and communication.

Extracts features from the subdomains in the messages and uses the loaded machine learning model to generate prediction probabilities.

Parameters:

message (list) – A list containing the messages data, expected to have a “domain_name” key with the domain to analyze.

Returns:

np.ndarray

Prediction probabilities for each class. Typically a 2D array

where the shape is (1, 2) for binary classification (benign/malicious).

detector.plugins.domainator_utils module#

detector.plugins.domainator_utils.get_domainator_features(queries: list) DataFrame[source]#

Extracts feature vector from domain name for ML model inference.

Computes various statistical and linguistic features from the domain name including label lengths, character frequencies, entropy measures, and counts of different character types across domain name levels.

Parameters:

queries (list) – List of query strings to extract features from.

Returns:

pandas.DataFrame – Feature vector ready for ML model prediction.

detector.plugins.domainator_utils.strip_domain(query: str)[source]#

Extract the domain name from the message for the window grouping

Currently does not differentiate between messages coming from different users.

Returns:

str – Domain name string that the window will be grouped by