FANCI: Feature-based Automated NXDomain Classification and Intelligence

A new era of DNS security in the face of DGA-based threats


The TCPWave edge: Reinventing DNS security with FANCI.

As cybersecurity threats continue to evolve, keeping pace with them becomes paramount for businesses of all sizes. At the forefront of this battle is the problem of Domain Generation Algorithms (DGA), utilized by malware to produce vast quantities of domain names for establishing Command and Control (C2) channels, effectively bypassing traditional domain blocklisting techniques. To counter this growing challenge, TCPWave introduces FANCI, or Feature-based Automated NXDomain Classification and Intelligence, a cutting-edge system engineered to detect DGA-based malware through monitoring non-existent domain (NXD) responses in DNS traffic.

Enhanced DNS Security

  • Empower your business with FANCI, TCPWave's innovative solution offering advanced DNS security against DGA-based threats.

Precise Threat Analysis

  • FANCI's machine learning algorithms deliver accurate and efficient threat analysis, identifying potential DGA-based dangers in your DNS traffic.

Robust Malware Detection

  • Experience unrivaled malware detection with FANCI, minimizing misclassification risks and reliably identifying DGA-based malware.

Adaptability & Resilience

  • With FANCI's remarkable adaptability, equip your business to tackle both known and emerging DGAs, enhancing your cybersecurity resilience.
Enhanced DNS Security through Machine Learning

FANCI employs cutting-edge machine learning algorithms to delve into negative DNS responses and meticulously categorize the Non-existent Domains (NXDs) found therein. This advanced system classifies NXDs into two distinctive categories, those linked with Domain Generation Algorithms (DGA-NXDs) and the benign ones. The secret to FANCI's success lies in its feature-based approach where unique characteristics are extracted from each NXD for a precise analysis, thus eliminating the need for any additional contextual data. This method ensures a meticulous and efficient evaluation of potential DGA-based threats, making FANCI an invaluable addition to the arsenal against cyber threats.

Stringent Testing for Proven Performance

To ensure the credibility and effectiveness of FANCI, TCPWave embarked on rigorous testing using malicious data derived from 59 DGAs, which were readily available in the DGArchive. In addition, the testing was supplemented with real-world data, culled from the internal networks of a large university campus and a major corporation. The results were impressive, with FANCI demonstrating high classification accuracy along with a low false positive rate. This indicates a strong detection capability of DGA-based malware and a minimal chance of misclassification, thus proving FANCI's reliability in protecting against DNS threats.

Adapting to Unknown Threats

Apart from its reliability, FANCI also excels in its adaptability. Despite the ever-evolving threat landscape, FANCI has shown a remarkable capability in identifying and dealing with previously unknown DGAs. This means that FANCI is not just adept at countering known threats but is also proficient in evolving with new, unidentified DGAs. This adaptability, coupled with its precise analysis, makes FANCI an agile and effective solution to the problem of DGA-based malware, underlining its invaluable contribution to the realm of DNS security.


With the introduction of FANCI, TCPWave reaffirms its dedication to providing superior DNS security solutions. Leveraging advanced machine learning technologies, FANCI provides an effective line of defense against the increasing threat of DGA-based malware. TCPWave continues to empower businesses by safeguarding their network infrastructure, ensuring the integrity of their DNS traffic, and mitigating the risks associated with advanced cybersecurity threats. With solutions like FANCI, TCPWave stands ready to face the challenges of the evolving digital landscape.