In this short blog, I share seven papers that focus on detecting Dictionary Domain Generation Algorithm (DGA) domains, A.K.A. Word-based DGAs. Dictionary DGAs are algorithms seen in various malware families (suppobox, matsnu, gozi, rovnix, etc.) that are used to periodically generate a large number of domain names that use pseudo-randomly concatenated words from a dictionary. These domains may appear legitimate at first glance and are often able to evade blacklisting as well as traditional DGA detections based on entropy or counts of consonants vs vowels. Below are a small sample of rovnix domains from Unit42’s blogpost.

  • kingwhichtotallyadminis[.]biz
  • thareplunjudiciary[.]net
  • townsunalienable[.]net
  • taxeslawsmockhigh[.]net
  • transientperfidythe[.]biz
  • inhabitantslaindourmock[.]cn
  • thworldthesuffer[.]biz


In a previous post, I also shared details on several models that are capable of effectively detecting dictionary DGA domains as well. Please see Auxiliary Loss Optimization for Hypothesis Augmentation for DGA Domain Detection.

Lastly, if you’re interested in discovering more interesting papers like these, use the method I outlined here.


The “short links” format was inspired by O’Reilly’s Four Short Links series.