A multi-stage cybersecurity pipeline that detects C2 beacons and DGA domains through behavioral DNS analysis, entropy scoring, and real-time VirusTotal threat intelligence.
Traditional IDS/IPS systems rely on static blacklists that cannot catch zero-day threats. This tool takes a different approach — it analyzes the behavior of DNS traffic to surface malicious patterns that signatures miss.
By combining Shannon entropy analysis, timing consistency (jitter) metrics, and global threat intelligence from 70+ antivirus engines, it transforms raw PCAP captures into an executive-ready intelligence dashboard.
```
┌─────────────────────────────────────────────────────────────────┐
│                DNS THREAT INTELLIGENCE PIPELINE                 │
├──────────┬──────────────┬────────────────┬──────────────────────┤
│ Stage 1  │ Stage 2      │ Stage 3        │ Stage 4              │
│          │              │                │                      │
│ EXTRACT  │ ANALYZE      │ ENRICH         │ VISUALIZE            │
│          │              │                │                      │
│ .pcap    │ Shannon      │ VirusTotal     │ 3-Panel Executive    │
│ → CSV    │ Entropy +    │ API v3         │ Dashboard            │
│          │ Jitter +     │ (70+ AV        │                      │
│          │ Risk Score   │ engines)       │ • Threat Map         │
│          │ (0-100)      │                │ • Ranked List        │
│          │              │                │ • VT Reputation      │
└──────────┴──────────────┴────────────────┴──────────────────────┘
 extractor.py  analyzer.py    enricher.py      visualizer.py
```
| Method | What It Detects | How It Works |
|---|---|---|
| Shannon Entropy | DGA-generated domains | Measures character randomness — high entropy (>3.5) suggests algorithmically generated hostnames |
| Timing Consistency | C2 beacon patterns | Calculates interval standard deviation — low jitter indicates machine-like periodicity (automated malware callbacks) |
| Frequency Analysis | High-volume exfiltration | Counts query volume per domain — abnormal traffic spikes weighted into risk score |
| VirusTotal Enrichment | Known threats | Cross-references top 10 suspicious domains against 70+ global antivirus engines |
```
Risk Score (0-100) = Entropy Factor (up to 40 pts) + Beaconing Factor (up to 60 pts)
Whitelisted domains (Google, Microsoft, Discord, etc.) → 90% score reduction
```
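The scoring described above, as an added example that is not the project's own `analyzer.py`: it computes Shannon entropy, the interval standard deviation (jitter) and a 0-100 risk score with the 40/60 split and the 90% whitelist reduction. The README does not say how entropy and jitter are mapped onto points, so the linear scales used here are assumptions; the grouping by "last two labels" is also a simplification.

```python
"""Added example, not the project's analyzer.py: scores DNS queries the way the
README describes (Shannon entropy, timing jitter, 0-100 risk with a 40/60 split
and a 90% whitelist reduction). How entropy and jitter map onto points is an
assumption made here; the project's exact scaling may differ."""
import math
import statistics
from collections import defaultdict

WHITELIST = {"google.com", "microsoft.com", "discord.com"}  # README examples
WHITELIST_REDUCTION = 0.9   # README: whitelisted domains get a 90% score reduction
ENTROPY_MAX_PTS = 40.0      # README: entropy factor contributes up to 40 pts
BEACON_MAX_PTS = 60.0       # README: beaconing factor contributes up to 60 pts


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not text:
        return 0.0
    n = len(text)
    freqs = {}
    for ch in text:
        freqs[ch] = freqs.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in freqs.values())


def registrable_domain(qname: str) -> str:
    """Group queries by the last two labels (assumption: real code would use a
    public-suffix list so that names under e.g. 'co.uk' are handled correctly)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def entropy_factor(domain: str) -> tuple:
    """Entropy of the domain with its TLD and dots removed, mapped linearly onto
    0..40 pts between 2.0 and 4.0 bits (assumed scale; README flags >3.5 as DGA-like)."""
    body = "".join(domain.split(".")[:-1])
    ent = shannon_entropy(body)
    pts = ENTROPY_MAX_PTS * min(1.0, max(0.0, (ent - 2.0) / 2.0))
    return ent, pts


def beacon_factor(timestamps) -> tuple:
    """Jitter = population std-dev of inter-query intervals. Points are
    60 * (1 - jitter/mean), so perfectly periodic callbacks score the full 60
    and erratic browsing tends to 0 (assumed mapping). Fewer than three queries
    give no interval statistics and score 0."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None, 0.0
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    jitter = statistics.pstdev(intervals)
    if mean <= 0:
        return jitter, 0.0
    return jitter, BEACON_MAX_PTS * max(0.0, 1.0 - jitter / mean)


def score_queries(queries):
    """queries: iterable of (epoch_seconds, qname). Returns {domain: metrics},
    highest risk first, as the ranked investigation list would show it."""
    buckets = defaultdict(list)
    for ts, qname in queries:
        buckets[registrable_domain(qname)].append(float(ts))
    results = {}
    for domain, stamps in buckets.items():
        ent, ent_pts = entropy_factor(domain)
        jitter, beacon_pts = beacon_factor(stamps)
        risk = min(100.0, ent_pts + beacon_pts)
        if domain in WHITELIST:
            risk *= 1.0 - WHITELIST_REDUCTION
        results[domain] = {
            "events": len(stamps),
            "entropy": round(ent, 3),
            "jitter": None if jitter is None else round(jitter, 3),
            "risk": round(risk, 2),
        }
    return dict(sorted(results.items(), key=lambda kv: kv[1]["risk"], reverse=True))


# Constructed sample: a machine-like 60 s callback to a random-looking name,
# some human browsing to a whitelisted domain, and a one-off lookup.
SAMPLE_QUERIES = [
    (0, "abcdefghijklmnop.test"), (60, "abcdefghijklmnop.test"),
    (120, "abcdefghijklmnop.test"), (180, "abcdefghijklmnop.test"),
    (240, "abcdefghijklmnop.test"),
    (0, "www.google.com"), (7, "mail.google.com"), (9, "www.google.com"),
    (30, "www.google.com"),
    (5, "cdn.example.org"),
]

if __name__ == "__main__":
    for domain, m in score_queries(SAMPLE_QUERIES).items():
        print(f"{m['risk']:6.2f}  {domain:24s} events={m['events']} "
              f"entropy={m['entropy']} jitter={m['jitter']}")
```

With the constructed sample the perfectly periodic, high-entropy name reaches the full 100, the whitelisted Google traffic is cut to about a tenth of its small raw score, and the single lookup gets entropy points only, since one query yields no interval to measure.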
The output is a high-resolution 3-panel executive intelligence report:
- Threat Map (Main): Scatter plot with entropy (X) vs. timing consistency (Y). Bubble size reflects traffic volume. Color gradient maps to risk score.
- Ranked Investigation List: Top 15 domains sorted by composite risk score with event counts.
- VT Reputation Panel: Per-domain verdict — `POSITIVE (THREAT)` or `NEGATIVE (CLEAN)` — with engine flagging counts.
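The Stage 3 enrichment and the VT Reputation panel's verdict, as an added example that is not the project's `enricher.py`: it fetches a domain report from VirusTotal API v3 and collapses the per-engine results into `POSITIVE (THREAT)` / `NEGATIVE (CLEAN)` plus a flagged/total count. The endpoint, `x-apikey` header and `last_analysis_stats` field are the documented v3 interface; the verdict rule (any engine reporting `malicious` gives `POSITIVE`), the `UNKNOWN` handling for empty replies and the 15 s pause between free-tier lookups are assumptions made here.

```python
"""Added example, not the project's enricher.py: look up a domain's VirusTotal
API v3 report and reduce the per-engine results to the dashboard's
POSITIVE (THREAT) / NEGATIVE (CLEAN) verdict with a flagged/total count.
The endpoint, x-apikey header and last_analysis_stats field are the documented
v3 interface; the verdict rule (any engine saying 'malicious' = POSITIVE) and
the pause between free-tier lookups are assumptions made here."""
import json
import os
import time
import urllib.request

VT_DOMAIN_URL = "https://www.virustotal.com/api/v3/domains/{}"
FREE_TIER_PAUSE = 15.0  # assumed: stay under the free tier's per-minute quota


def fetch_domain_report(domain: str, api_key: str, timeout: float = 15.0) -> dict:
    """GET /api/v3/domains/{domain}; raises urllib.error.HTTPError on 401/404/429."""
    req = urllib.request.Request(
        VT_DOMAIN_URL.format(domain),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Collapse last_analysis_stats into the panel's verdict and 'flagged/total'."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if not stats:
        # Unknown domain or malformed reply: never report it as clean.
        return {"verdict": "UNKNOWN (NO DATA)", "malicious": 0, "suspicious": 0,
                "engines": 0, "flagged": "0/0"}
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    engines = sum(int(stats.get(k, 0)) for k in
                  ("malicious", "suspicious", "harmless", "undetected"))
    verdict = "POSITIVE (THREAT)" if malicious > 0 else "NEGATIVE (CLEAN)"
    return {"verdict": verdict, "malicious": malicious, "suspicious": suspicious,
            "engines": engines, "flagged": f"{malicious}/{engines}"}


def enrich_top(domains, api_key, limit=10, fetch=fetch_domain_report,
               pause=FREE_TIER_PAUSE):
    """Enrich the top `limit` domains (README: top 10), pausing between calls.
    `fetch` is injectable so the logic can run offline against a canned reply."""
    out = {}
    top = list(domains)[:limit]
    for i, domain in enumerate(top):
        try:
            out[domain] = summarize_report(fetch(domain, api_key))
        except Exception as exc:  # network/HTTP errors: record and keep going
            out[domain] = {"verdict": f"ERROR ({exc.__class__.__name__})",
                           "malicious": 0, "suspicious": 0, "engines": 0,
                           "flagged": "0/0"}
        if pause > 0 and i < len(top) - 1:
            time.sleep(pause)
    return out


# Constructed sample reply in the v3 shape (not real VirusTotal data).
SAMPLE_REPORT = {
    "data": {"type": "domain", "id": "sample.invalid", "attributes": {
        "last_analysis_stats": {"harmless": 60, "malicious": 5, "suspicious": 1,
                                "undetected": 8, "timeout": 0}}}}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # README: loaded from .env via python-dotenv
    if key:
        print(enrich_top(["example.com"], key, pause=0))
    else:
        print(summarize_report(SAMPLE_REPORT))
```

Two design points worth keeping: a missing or empty `last_analysis_stats` is reported as `UNKNOWN`, not `NEGATIVE`, so a domain VirusTotal has never seen does not show up as clean on the dashboard, and a per-domain lookup error is recorded rather than aborting the whole enrichment run.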
- Python 3.9+
- Wireshark / TShark installed and added to `PATH`
- VirusTotal API key (free tier available)
```bash
git clone https://github.com/sedat4ras/dns-threat-intelligence-tool.git
cd dns-threat-intelligence-tool
python -m venv venv && source venv/bin/activate
pip install -r requirements.txt
```
Create a `.env` file in the project root:
```
VT_API_KEY=your_virustotal_api_key_here
```
```bash
# Analyze default PCAP file
python main.py
# Analyze a specific capture
python main.py data/suspicious_traffic.pcapng
# Re-render dashboard only (skip processing)
python src/visualizer.py
```
```
dns-threat-intelligence-tool/
├── main.py              # Pipeline orchestrator
├── src/
│   ├── extractor.py     # Stage 1 — PCAP → CSV (Pyshark DNS filter)
│   ├── analyzer.py      # Stage 2 — Entropy + jitter + risk scoring
│   ├── enricher.py      # Stage 3 — VirusTotal API integration
│   └── visualizer.py    # Stage 4 — Executive dashboard rendering
├── data/                # Input PCAP files
├── output/
│   ├── plots/           # Generated dashboard PNGs (300 DPI)
│   └── *.csv            # Intermediate pipeline outputs
├── requirements.txt
└── .env                 # API key configuration
```
| Component | Technology |
|---|---|
| PCAP Parsing | Pyshark (TShark wrapper) |
| Data Processing | pandas, NumPy |
| Visualization | matplotlib, seaborn |
| Threat Intelligence | VirusTotal API v3 |
| Configuration | python-dotenv |
All findings are generated using independent statistical algorithms and heuristic methodologies. Results are for informational purposes only and do not guarantee definitive outcomes. Final human analysis is always recommended for security-critical decisions.
GitHub: sedat4ras | Email: sudo@sedataras.com