FANCI : Feature-based Automated NXDomain Classification and Intelligence


Samuel Schüppen, RWTH Aachen University; Dominik Teubert, Siemens CERT; Patrick Herrmann and Ulrike Meyer, RWTH Aachen University


FANCI is a novel system for detecting infections with domain generation algorithm (DGA) based malware by monitoring non-existent domain (NXD) responses in DNS traffic. It relies on machine-learning based classification of NXDs (i.e., domain names included in negative DNS responses), into DGA-related and benign NXDs. The features for classification are extracted exclusively from the individual NXD that is to be classified. We evaluate the system on malicious data generated by 59 DGAs from the DGArchive, data recorded in a large university’s campus network, and data recorded on the internal network of a large company. We show that the system yields a very high classification accuracy at a low false positive rate, generalizes very well, and is able to identify previously unknown DGAs.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Presentation Audio

@inproceedings {217480,
author = {Samuel Sch{\"u}ppen and Dominik Teubert and Patrick Herrmann and Ulrike Meyer},
title = {{FANCI} : Feature-based Automated NXDomain Classification and Intelligence},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-931971-46-1},
address = {Baltimore, MD},
pages = {1165--1181},
url = {},
publisher = {{USENIX} Association},