US Patent 10326736 Feature-based classification of individual domain queries

In one embodiment, a device in a network determines a first set of domain generation algorithm (DGA) predictions for a particular domain name by analyzing one or more extracted lexical features of the particular domain name using a first ensemble of decision trees. The device determines a second set of DGA predictions for the particular domain name by analyzing one or more extracted cluster features of a cluster of related domain names to which the particular domain name belongs using a second ensemble of decision trees. The device predicts a DGA associated with the particular domain name based on the first and second sets of DGA predictions. The device causes performance of a security action based on the predicted DGA associated with the particular domain.