new: [dga] First version of the DGA taxonomy based on https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf

A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann, Fraunhofer FKIE; Khaled Yakdan, University of Bonn; Michael Klatt, DomainTools; Johannes Bader; Elmar Gerhards-Padilla, Fraunhofer FKIE
2022-05-12 16:40:44 +02:00 · 2022-05-12 16:40:44 +02:00 · a71490fab7
parent 259752b073
commit a71490fab7
2 changed files with 63 additions and 2 deletions
--- a/MANIFEST.json
+++ b/MANIFEST.json
@ -89,7 +89,7 @@
      "version": 5
    },
    {
-      "description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital.",
+      "description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
      "name": "cnsd",
      "version": 20220426
    },
@ -198,6 +198,11 @@
      "name": "deception",
      "version": 1
    },
+    {
+      "description": "A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.",
+      "name": "dga",
+      "version": 1
+    },
    {
      "description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors",
      "name": "dhs-ciip-sectors",
@ -695,5 +700,5 @@
    }
  ],
  "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
-  "version": "20220505"
+  "version": "20220512"
 }
--- a/dga/machinetag.json
+++ b/dga/machinetag.json
@ -0,0 +1,56 @@
+{
+  "namespace": "dga",
+  "expanded": "Domain-Generation Algorithms",
+  "description": "A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.",
+  "version": 1,
+  "predicates": [
+    {
+      "value": "generation-scheme",
+      "expanded": "Generation scheme used for the DGA"
+    },
+    {
+      "value": "seeding",
+      "expanded": "Seeding scheme used for the DGA"
+    }
+  ],
+  "values": [
+    {
+      "predicate": "generation-scheme",
+      "entry": [
+        {
+          "value": "arithmetic",
+          "expanded": "Arithmetic",
+          "description": "Calculate a sequence of values that either have a direct ASCII representation usable for a domain name or designate an offset in one or more hard- coded arrays, constituting the alphabet of the DGA. "
+        },
+        {
+          "value": "hash",
+          "expanded": "Hash",
+          "description": "Use the hexdigest representation of a hash to produce the domain."
+        },
+        {
+          "value": "wordlist",
+          "expanded": "Wordlist",
+          "description": " Concatenate a sequence of words from one or more wordlists, resulting in less randomly appealing and thus more camouflaging domains"
+        },
+        {
+          "value": "permutation",
+          "expanded": "Permutation",
+          "description": "derive all possible AGDs (Algorithmically-Generated Domain) through permutation of an initial domain name."
+        }
+      ]
+    },
+    {
+      "predicate": "seeding",
+      "entry": [
+        {
+          "value": "time-dependent",
+          "expanded": "Time dependent"
+        },
+        {
+          "value": "deterministic",
+          "expanded": "Deterministic"
+        }
+      ]
+    }
+  ]
+}