E-ISSN: 2026-8033  |  P-ISSN: 1011-7024

Open Access, Peer Reviewed

Journal of Applied
Finance & Research

An international, peer-reviewed publication in finance, economics, and management.

Printed Journal   |   Refereed Journal   |   Peer Reviewed Journal
Peer Reviewed Journal

Journal of Applied Finance & Research

Open Access, Peer Reviewed, Refereed

E-ISSN: 2026-8033  |  P-ISSN: 1011-7024

Vol. 9  ,  Issue 1  ,  2026

Detecting Domain Generation Algorithms in Enterprise Protective DNS Logs: Lexical Entropy and Temporal Clustering Approaches

AUTHORS

Louis Adebajo

Pages 1 to 24  ,  © 2026 Journal of Applied Finance & Research

Abstract

Domain Generation Algorithms (DGAs) remain a persistent and operationally consequential evasion technique used by malware authors to maintain command and control channels against domain takedown enforcement. Despite well known academic detection methods, operational detection inside enterprise protective DNS telemetry continues to lag, primarily because production detection pipelines must operate at scale, with low false positive tolerance, and against an adversary population that rotates DGA designs faster than classifier retraining cycles. This paper describes an operational DGA detection pipeline deployed in production within a commercial protective DNS environment between Q2 2024 and Q1 2026. The pipeline combines two complementary detection strategies: a lexical entropy classifier that scores individual NXDOMAIN responses, and a temporal clustering analyser that groups NXDOMAIN sequences from individual client endpoints into candidate DGA generated campaigns. We describe the pipeline architecture across both branches, the threshold tuning methodology used to manage false positive volume at production scale, and the operational lessons from running the pipeline against approximately twelve billion DNS queries per day. The pipeline produced 134 confirmed DGA family identifications over the 21 month window, with a sustained false positive rate below 0.4 percent on the temporal clustering branch and a branch productivity asymmetry of approximately 2.2 to 1 in favour of temporal clustering, a result at variance with the weight of academic emphasis on per query lexical classification.

Keywords

  • domain generation algorithm
  • DGA detection
  • protective DNS
  • NXDOMAIN analysis
  • lexical entropy
  • temporal clustering
  • threat intelligence
  • production deployment
  • operational research

1. Introduction

Domain Generation Algorithms (DGAs) emerged in the late 2000s in response to the operational fragility of malware command and control infrastructure that depended on a small set of hard coded domain names. Once such a domain was identified and removed through registrar or hosting provider action, the associated campaign was effectively disrupted [1]. The DGA paradigm inverts this fragility: rather than embedding a limited set of domains, the malware author programs the implant to generate a substantially larger candidate set algorithmically, typically seeded by date, time, or a slowly rotating shared secret, and registers only a small subset of the generated candidates at any given moment [1, 2]. Defenders observing the resulting traffic therefore see protracted bursts of NXDOMAIN responses interspersed with occasional successful resolutions that correspond to the small registered subset.

DGA detection is a well studied problem in the academic literature [1, 2, 5], with high quality classifiers reported against curated test sets at accuracies above ninety five percent [5, 8]. Operational detection, however, continues to lag. The reasons are structural rather than methodological: production protective DNS environments process tens of billions of queries per day, false positive tolerance is materially lower than in academic evaluation [7], and adversaries actively iterate DGA design, introducing wordlist concatenation, dictionary based generation, and other lexical camouflage techniques in order to defeat published classifiers [3, 4].

This paper describes an operational DGA detection pipeline deployed in production between Q2 2024 and Q1 2026. The pipeline does not claim algorithmic novelty over the academic literature [2, 5, 8]; rather, it documents the engineering and threshold tuning decisions required to operate at production scale against an iterating adversary. We additionally report that, in production deployment, a per endpoint temporal clustering branch out produced a per query lexical entropy branch by a factor of approximately 2.2 to 1 in confirmed DGA family identifications, a result at variance with the weight of academic emphasis on per query lexical classification [2, 5, 8] and with material implications for how protective DNS operators should prioritise their detection engineering investment.

The remainder of the paper is organised as follows. Section 2 reviews the DGA threat surface and the academic detection literature. Section 3 describes the pipeline architecture across the two detection branches and the operational pipeline integration. Section 4 reports operational results over the 21 month deployment window. Section 5 discusses the branch productivity result, limitations, and responsible disclosure considerations. Section 6 concludes and identifies future work.

2. Background and Threat Context

The DGA threat surface has evolved through three broadly defined generations [1, 6]. We briefly characterise each, as the generation classification is operationally relevant to detection strategy selection.

2.1 First Generation: Pseudo-Random Generation

First generation DGAs (Conficker, Kraken, Zeus variants) employed straightforward pseudo random domain generation seeded by date [1], producing domains whose lexical statistics differed visibly from human registered domains, characterised by high consonant density, near uniform character distribution, and conspicuously absent vowels. Entropy based classifiers [2] operate effectively against this generation, and the academic literature on first generation DGA detection is correspondingly mature. The Conficker family in particular has been studied extensively [1, 6] and supplies much of the labelled training data used in subsequent DGA detection work [5].

2.2 Second Generation: Dictionary-Based Generation

Second generation DGAs (Matsnu, Suppobox, Banjori) incorporated dictionary based generation, drawing words from English language corpora and concatenating them to produce domains that were lexically indistinguishable from many legitimate registrations, and which therefore defeated entropy only classifiers [2, 5]. Second generation DGAs accordingly pushed the detection literature toward more expressive lexical features, such as n gram language models and character level recurrent neural networks [8], and toward enrichment with non lexical signals such as registration metadata and passive DNS context [7].

2.3 Third Generation: Hybrid and Multilingual Variants

Third generation DGAs build domains from multilingual wordlists [3], mix dictionary generation with pseudo random suffixes, and rotate seed material in ways that further frustrate static classifier approaches [4]. Some third generation variants additionally rotate the DGA implementation itself, not merely the seed, between malware updates, which entails that classifier retraining cycles must keep pace with malware update cycles to sustain detection efficacy [4, 8]. This is operationally infeasible at the monthly retraining cadence on which we, and most comparable operators, run.

2.4 The Persistent Structural Signature

Across all three generations a structural signature persists: the implant generates large candidate sets, queries them in burst sequences, and the great majority of those queries return NXDOMAIN responses [1, 7]. The temporal clustering branch of our pipeline targets this structural signature directly and is therefore generation agnostic in a way that lexical entropy classification is not. This observation motivates the architectural decision to maintain both branches in production and, as discussed in Section 5, to weight detection engineering investment toward the temporal clustering branch.

3. Pipeline Architecture

The production pipeline is organised as two parallel detection branches sharing a downstream triage and enrichment pathway. We describe each branch in turn, followed by the threshold tuning regime that binds them to a production false positive budget, and the operational integration that closes the loop between detection and enforcement.

3.1 Lexical Entropy Branch

The lexical entropy branch scores individual queries against a feature vector comprising Shannon entropy of the second level label, vowel to consonant ratio, longest consonant run length, n gram likelihood against a baseline of legitimate registered domains, and digit character density [2, 5]. A gradient boosted decision tree classifier is trained on a labelled training set of approximately 1.2 million queries drawn from a mixture of confirmed DGA samples, sourced from internal historical detections and DGArchive [6], and a sampled background of legitimate queries derived from passive DNS observations [7].

The classifier is retrained on a monthly cadence using a rolling labelled data window. Threshold selection on the classifier output score is performed against a target false positive rate of 0.5 percent on a held out validation set, and the operationally deployed threshold is recalibrated at each retraining cycle [5]. We deliberately retain a relatively lenient per query false positive target on this branch because downstream aggregation and de duplication absorb the bulk of the per query alert volume; the binding operational constraint is alert volume after aggregation, not per query flag rate.

The lexical entropy branch is effective against first generation DGAs [1, 2] and against the pseudo random components of mixed design DGAs. It is, by acknowledged design limitation, weak against dictionary based DGAs that produce domains with legitimate domain like lexical statistics [3, 8]. We do not treat this as a defect to be remedied at the per query level; rather, it motivates the parallel temporal clustering branch, which is generation agnostic.

3.2 Temporal Clustering Branch

The temporal clustering branch operates at the per endpoint level rather than the per query level. For each client endpoint, the pipeline maintains a rolling window of the most recent NXDOMAIN responses [7]. When the NXDOMAIN rate from a single endpoint exceeds a configurable burst threshold, operationally tuned at approximately one NXDOMAIN per second sustained over a sixty second window, or one hundred NXDOMAINs in any ninety second window, the burst is captured as a candidate DGA campaign and forwarded to enrichment.

Enrichment aggregates lexical statistics across the captured burst, namely mean entropy, dispersion of vowel to consonant ratios, and n gram likelihood distribution, and compares the aggregate signature against a maintained library of known DGA family signatures sourced from DGArchive [6] and from prior internal detections. Matches above a configurable similarity threshold trigger a high confidence alert with the candidate DGA family attribution [3]; non matching bursts that nevertheless exhibit structurally DGA like aggregate lexical statistics trigger an unattributed DGA alert for manual review.

The temporal clustering branch is, by design, generation agnostic: it depends on the structural signature of DGA operation, the burst NXDOMAIN behaviour from individual endpoints, rather than on per domain lexical statistics [1, 7]. It is therefore the more robust branch against adversary iteration [4], and is the branch that produces the bulk of operationally actionable detections. A second design property worth noting is that the branch is parameter tunable rather than retraining dependent: the burst thresholds and similarity thresholds can be adjusted in production without a model retraining cycle, which affords a faster operational response time than the lexical entropy branch.

3.3 Threshold Tuning and False Positive Management

Operational false positive management is the single most important engineering consideration in deploying this pipeline at production scale. A 0.1 percent false positive rate against twelve billion daily queries is twelve million false alerts, which is manifestly unworkable [5, 7]. We accordingly tune the lexical entropy branch against a target false positive rate of 0.5 percent, where the per query alert volume is amenable to downstream aggregation and de duplication, and the temporal clustering branch against a target rate below 0.4 percent, where the alert volume is intrinsically lower due to the burst detection prerequisite but each alert receives proportionally more analyst attention.

Threshold recalibration is performed at each monthly retraining cycle for the lexical branch and on an event triggered basis for the clustering branch, with the trigger being either a sustained drift in the post triage confirmation rate or the appearance of a novel DGA family in the upstream intelligence stream [6]. Both branches share a common operational rule that no threshold change is deployed without a forty eight hour shadow evaluation window, during which the new threshold is applied to live traffic in observation mode only.

3.4 Operational Pipeline Integration

The two branches share a downstream operational pipeline: detected candidates flow into a triage queue where a Tier 2 analyst confirms, attributes, and routes the detection. Confirmed detections feed back into three downstream consumers, namely the customer facing block list, the published threat intelligence feed, and the labelled training data for the next lexical entropy classifier retraining cycle [5, 6]. The feedback loop between confirmed detections and classifier retraining is operationally important: it is the mechanism by which the lexical entropy branch keeps pace, partially, with adversary iteration of DGA design [4, 8].

4. Operational Results

Over the 21 month operational window from Q2 2024 to Q1 2026, the pipeline produced 134 confirmed DGA family identifications. Of these, 81 were attributed to known DGA families with high confidence on the basis of signature match against the maintained library [6], 39 were attributed at lower confidence, and 14 were classified as unattributed DGA, namely domains exhibiting structural DGA signatures without matching any known family library entry.

Of the 14 unattributed DGA detections, subsequent investigation attributed seven to previously undocumented DGA variants of known malware families [3, 4], typically variants in which the seed rotation schedule or the wordlist source had changed; four were attributed to new malware families that had not previously been catalogued in DGArchive [6]; and three remained unattributed at the close of the operational window.

The temporal clustering branch was responsible for 92 of the 134 detections (68.7 percent), and the lexical entropy branch for the remaining 42 (31.3 percent). The two branches proved complementary rather than redundant: only 11 of the 134 detections were flagged by both branches independently, indicating that each branch surfaces a partially distinct sub population of DGA activity. This pattern is consistent with the design intent: the lexical entropy branch is sensitive to per query lexical anomaly even when burst rate is sub threshold [2, 5], while the temporal clustering branch captures structural signature bursts even when individual queries are lexically unremarkable [7].

Sustained false positive rates over the deployment window trended slowly downward on both branches. We attribute this trend partly to threshold refinement at each retraining cycle, partly to ongoing maintenance of the known family signature library [6], and partly, we suspect, to gradual hardening of upstream categoriser rules that intercept some classes of false positive before they reach the DGA detection branches.

5. Discussion

We discuss the branch productivity result, the principal limitations and threats to validity that condition it, and the responsible disclosure considerations that bore on the decision to publish.

5.1 Branch Productivity Analysis

The relative productivity of the temporal clustering branch over the lexical entropy branch in operational deployment was, prior to deployment, an open question. The academic literature on DGA detection is heavily weighted toward per query lexical classification [2, 5, 8], and we entered deployment with an internal expectation that the lexical branch would be the primary detection source. In practice, the temporal clustering branch proved approximately 2.2 times more productive, more robust to adversary lexical camouflage [3, 4], and easier to maintain: its dependence on structural traffic patterns rather than on a trained classifier means it does not require retraining cycles and does not degrade as adversaries iterate DGA lexical design.

We are not the first operators to observe this branch productivity asymmetry, and variations on the observation appear in operational reports from other protective DNS providers, although the public literature does not consistently reflect it [7]. Our hypothesis for the gap between literature and operational practice is that academic evaluation benchmarks measure per query classification accuracy against labelled corpora [5, 8], which structurally favours per query approaches; the metric most operational deployments actually care about is confirmed DGA campaigns per unit analyst effort, which structurally favours burst detection approaches because each detected burst corresponds to a single campaign rather than to thousands of individual queries to be aggregated.

5.2 Limitations and Threats to Validity

The effectiveness of the temporal clustering branch depends on the observability of per endpoint NXDOMAIN rates, which in turn depends on protective DNS architecture decisions about how queries are anonymised, aggregated and stored [7]. Operators whose architecture does not preserve per endpoint attribution at the resolution layer will be unable to deploy this branch in its full form. Operators who anonymise client endpoints at the resolution layer, a common privacy preservation pattern in consumer protective DNS deployments, face a particular constraint here, since per endpoint aggregation collapses under anonymisation.

The 134 detection figure is the count of confirmed detections over the deployment window. It is not a measure of detection recall: we cannot, in production, measure the count of DGA campaigns we missed, since the population of DGA campaigns active against our customer base is unknown [1, 6]. The relevant comparison would be against a parallel pipeline running an alternative detection methodology, which we have not run. The branch productivity asymmetry we report, 2.2 times in favour of temporal clustering, is therefore a statement about the relative output of two branches running concurrently in production, not a statement about which branch detects a larger fraction of true positives [5].

5.3 Responsible Disclosure Considerations

We are conscious that publishing detailed operational detection methodology may, in principle, inform adversary counter design [4]. Two considerations led us to publish nevertheless. First, the methodology is broadly known in the academic literature [1, 2, 5, 8] and is not novel; the contribution of this paper is operational rather than algorithmic. The thresholds and tuning specifics we report are calibrated to one operator traffic profile and would not transfer directly to another operator pipeline. Second, our experience is that adversary iteration of DGA design is rapid regardless of defender publication [3, 4], and the marginal information transfer from this paper is small relative to the value of disseminating operationally validated detection patterns within the practitioner community.

6. Conclusion and Future Work

We have presented an operational DGA detection pipeline deployed in a commercial protective DNS environment between Q2 2024 and Q1 2026. The pipeline combines lexical entropy classification [2, 5] at the per query level with temporal clustering analysis [7] at the per endpoint level, and produced 134 confirmed DGA family identifications over the operational window with a sustained false positive rate below 0.4 percent on the higher productivity branch. We have argued that the temporal clustering approach is more robust to adversary iteration [3, 4] than per query lexical classification, that the two approaches are complementary rather than redundant, and that the academic literature weighting toward per query classification [2, 5, 8] under represents the operational productivity of burst detection approaches.

Future work falls in three directions. First, we plan to introduce a graph based enrichment stage that correlates contemporaneous DGA bursts across multiple endpoints [3] to support faster attribution of campaign level DGA activity. Second, we are exploring whether large language model embeddings of DGA generated domains can support attribution of dictionary based DGA variants more effectively than current n gram likelihood approaches [8]. Third, we intend to integrate the pipeline structured detection output with downstream protective DNS category rule deployment [6] to close the loop from detection to enforcement automatically, removing the manual analyst confirmation step for high confidence detections.

References

  1. [1]Plohmann, D., Yakdan, K., Klatt, M., Bader, J., & Gerhards-Padilla, E. (2016). A comprehensive measurement study of domain generating malware. USENIX Security Symposium.
  2. [2]Yadav, S., Reddy, A. K. K., Reddy, A. L. N., & Ranjan, S. (2010). Detecting algorithmically generated malicious domain names. ACM Internet Measurement Conference.
  3. [3]Schiavoni, S., Maggi, F., Cavallaro, L., & Zanero, S. (2014). Phoenix: DGA based botnet tracking and intelligence. DIMVA.
  4. [4]Anderson, H. S., Woodbridge, J., & Filar, B. (2016). DeepDGA: Adversarially tuned domain generation and detection. ACM Workshop on Artificial Intelligence and Security.
  5. [5]Sivaguru, R., Choudhary, C., Yu, B., Tymchenko, V., Nascimento, A., & De Cock, M. (2018). An evaluation of DGA classifiers. IEEE International Conference on Big Data.
  6. [6]Plohmann, D. (2018). DGArchive: A collaborative malware research catalogue. Fraunhofer FKIE Technical Resource.
  7. [7]Bilge, L., Sen, S., Balzarotti, D., Kirda, E., & Kruegel, C. (2014). EXPOSURE: A passive DNS analysis service to detect and report malicious domains. ACM Transactions on Information and System Security, 16(4).
  8. [8]Woodbridge, J., Anderson, H. S., Ahuja, A., & Grant, D. (2016). Predicting domain generation algorithms with long short term memory networks. arXiv preprint arXiv:1611.00791.
Pages: 1 to 24Views: 12Downloads: 4