BlueHat Security Briefing: Fall 2014 Botintime Phoenix: DGA-based Botnet - Stefano Zanero
Botintime - Phoenix: DGA-based Botnet Tracking and Intelligence
It is common knowledge that an automatically generated malicious domain will not become popular, and that an attacker will register such a domain under a top-level domain (TLD) that does not require clearance. Phoenix, the system we present, builds on these observations: it filters out domains that were likely chosen by humans, leaving the candidates that were likely produced by a domain generation algorithm (DGA). The core of Phoenix is its ability to separate DGA from non-DGA domains using linguistic features.
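The linguistic prefilter described above, as an added example that is not Phoenix's own code. The page names no specific features, so everything below is an assumption made for illustration: the two features (a dictionary-coverage ratio of the second-level label and a character-bigram normality score), the tiny word list, the constructed set of "human" reference labels, and the thresholds.

```python
"""
Toy DGA prefilter using two linguistic features (added example, not Phoenix's code).

  1. meaningful-character ratio: share of the second-level label covered by
     dictionary words (assumption: a small constructed word list stands in
     for a real dictionary)
  2. bigram normality: mean log-probability of the label's character bigrams
     under an add-one smoothed model trained on a constructed set of
     human-registered labels

A domain is kept as a DGA candidate only when both features look non-human;
everything else is filtered out as "likely chosen by a human".
"""
import math
from collections import Counter

# Constructed mini-dictionary; a real deployment would use a full word list.
WORDS = {
    "face", "book", "google", "micro", "soft", "blue", "hat", "secure",
    "security", "mail", "news", "bank", "online", "shop", "store", "web",
    "net", "site", "cloud", "data", "time", "pay", "pal", "letter",
}

# Constructed reference labels standing in for labels of popular, human-chosen domains.
REFERENCE_LABELS = [
    "google", "facebook", "microsoft", "amazon", "wikipedia", "twitter",
    "youtube", "bluehat", "security", "mailserver", "onlinebank",
    "webstore", "newsletter", "cloudfront",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"   # LDH characters


def second_level_label(domain: str) -> str:
    """Label left of the TLD (assumes a single-label public suffix, e.g. .com, not .co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def meaningful_char_ratio(label: str, words=WORDS, min_len: int = 3) -> float:
    """Fraction of characters covered by dictionary words of length >= min_len (greedy longest match)."""
    n = len(label)
    if n == 0:
        return 0.0
    covered = [False] * n
    for i in range(n):
        for j in range(n, i + min_len - 1, -1):      # longest candidate first
            if label[i:j] in words:
                for k in range(i, j):
                    covered[k] = True
                break
    return sum(covered) / n


def bigrams(label: str):
    return [label[i:i + 2] for i in range(len(label) - 1)]


def ngram_normality(label: str, model) -> float:
    """Mean log-probability of the label's bigrams; unseen bigrams drive the score down."""
    bg = bigrams(label)
    if not bg:
        return -math.inf
    denom = model["total"] + model["vocab"]
    return sum(math.log((model["counts"][b] + 1) / denom) for b in bg) / len(bg)


def build_model(reference_labels):
    """Add-one smoothed bigram model; also records the lowest normality any reference label gets."""
    counts = Counter(b for lab in reference_labels for b in bigrams(lab))
    model = {"counts": counts, "total": sum(counts.values()), "vocab": len(ALPHABET) ** 2}
    # Threshold assumption: anything scoring below the least "normal" human label is suspicious.
    model["min_reference_score"] = min(ngram_normality(lab, model) for lab in reference_labels)
    return model


def is_likely_dga(domain: str, model, ratio_threshold: float = 0.5) -> bool:
    """Keep a domain as a DGA candidate only if both linguistic features look non-human."""
    label = second_level_label(domain)
    return (meaningful_char_ratio(label) < ratio_threshold
            and ngram_normality(label, model) < model["min_reference_score"])


if __name__ == "__main__":
    model = build_model(REFERENCE_LABELS)
    # Constructed sample: two human-chosen names and two DGA-looking labels.
    for d in ["facebook.com", "paypal.com", "xk3jq9zlpw.info", "hgtrq7zmvxc.biz"]:
        lab = second_level_label(d)
        print(f"{d:20} ratio={meaningful_char_ratio(lab):.2f} "
              f"normality={ngram_normality(lab, model):.2f} dga={is_likely_dga(d, model)}")
```

The two features are combined with AND on purpose: `paypal` shares no bigram with the reference set and so scores below the normality threshold, but it is fully covered by dictionary words, so it is still filtered out as human. A label like `xk3jq9zlpw` fails both tests and survives as a DGA candidate. In practice the word list, the reference set (popular domains, which by the page's argument never contain DGA names) and the thresholds all have to be sized to real data, and public-suffix handling must be done with a proper suffix list rather than by taking the second label from the right.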