Reading large passive-DNS data from Whalebone (newline-delimited JSON) and sampling it
library(dplyr)
library(readr)
library(tidyr)
library(purrr)
library(jsonlite)
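# Stream the Whalebone passive-DNS dump (one JSON record per line) in pages of
# 100 000 records, keep a random sample of each page and append only the query
# name and the DGA-labelled domain to the output file.
# NOTE: the output path ends in .csv, but stream_out() writes JSON lines, so
# downstream readers must parse it as ndjson, not CSV.
# NOTE(review): the input lives in /tmp, which is world-writable; another local
# user could replace it between download and this read. Prefer a private path.
tmp <- "/home/harpo/Dropbox/ongoing-work/git-repos/dns-threats/dataset/domains_passivedns-2019.04.01_sample.csv"
con_out <- file(tmp, open = "wb")
dga_results <- tryCatch(
  stream_in(
    file("/tmp/passivedns-2019.04.01.json"),
    handler = function(df) {
      # The last page is normally shorter than `pagesize`, and sample_n()
      # errors when asked for more rows than the frame has; cap the sample at
      # nrow(df) so the final page is kept instead of aborting the whole run.
      page_sample <- df %>% sample_n(min(1000L, nrow(df)))
      # Column names match the original `data.frame(dga_domain, query)`.
      # `df$dga$domain` assumes a nested "dga" object in every record — TODO
      # confirm against the Whalebone schema; records without it yield NULL.
      page_out <- data.frame(
        dga_domain = page_sample$dga$domain,
        query = page_sample$query
      )
      stream_out(page_out, con_out, pagesize = 1000)
    },
    pagesize = 100000
  ),
  # Release the output connection even if parsing fails mid-stream; otherwise
  # the handle (and any buffered lines) would leak until the session ends.
  finally = close(con_out)
)
# NOTE(review): with a handler supplied, stream_in() presumably does not
# return the sampled rows — the sample lives in the output file, not in
# `dga_results`. Verify before relying on this variable.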
Reading passive-DNS data from FING (pipe-delimited log) and sampling it
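# Passive-DNS log from FING: pipe-delimited, no header row, gzip-compressed.
# read_delim() loads every row into memory before sampling, so RAM use scales
# with the decompressed log size.
dns_queries <- read_delim("/home/harpo/passivedns.log.1.gz", delim = "|", col_names = FALSE)
# Keep a 10 % random sample. sample_n() silently truncates a fractional size,
# so compute the integer row count explicitly. The draw is not seeded; call
# set.seed() before this line if the published sample must be reproducible.
sample_size <- floor(nrow(dns_queries) * 10 / 100)
dns_queries_sample <- dns_queries %>% sample_n(sample_size)
# X5 is taken to be the query-name column. NOTE(review): passivedns separates
# fields with "||"; with delim = "|" that would yield alternating empty
# columns and shift the index — verify X5 against a real log line.
# write_delim() defaults to a space delimiter; with a single column there is
# nothing to delimit, so the .csv name is not misleading here.
write_delim(dns_queries_sample %>% select(X5), "/home/harpo/Dropbox/ongoing-work/git-repos/dns-threats/dataset/domains_fing.2019.05.17_sample.csv")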
Analysis results
Analysis of the FING queries using the MC-NN classifier
Class labels: 0 = normal DNS, 1 = DGA, 2 = DNS tunnel

Save domains detected as DGA by MC-NN
Many of the domains flagged as DGA by the MC-NN are correctly classified as normal by the binary DGA classifier (CACIC 2018), i.e. they are MC-NN false positives.
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