Autonomous domain generation algorithm (DGA) detector

What is claimed is: 1. A method, comprising: detecting, by a security device in a computer network, potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network based on at least encryption traffic analysis (ETA) data; detecting, by the security device, potential DGA communications activity by applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host and building a passive DNS map on the fly using the ETA data; correlating, by the security device, the potential DGA searching activity with the potential DGA communications activity by combining an output of the DNS model with an output of the hostname-based classifier and the passive DNS map built using the ETA data, wherein the output of the DNS model is indicative of a number of DNS requests from a particular network node to one or more domain name servers, and wherein the output of the hostname-based classifier is indicative of whether any network communication comprises a malware network communication with one or more DGA domains; and identifying, by the security device, DGA performing malware based on the correlation of the potential DGA searching activity with the potential DGA communications activity. 2. The method as in claim 1 , further comprising: training a first model for the detecting potential DGA searching activity and a second model for the detecting potential DGA communications activity for individual detection improvement based on the correlating and the identifying. 3. The method as in claim 2 , wherein the training comprises: adjusting false positive thresholds of one or both of the first model and a second model. 4. The method as in claim 1 , further comprising: refining the identifying by further correlating with proxy-log-classifier-based DGA detection. 5. The method as in claim 1 , further comprising: performing DGA mitigation in response to identifying DGA performing malware. 6. The method as in claim 5 , wherein the DGA mitigation comprises blocking traffic related to the malware. 7. The method as in claim 5 , wherein the DGA mitigation comprises alerting an administrator to the malware. 8. The method as in claim 1 , further comprising: creating a timeline of detection events based on the potential DGA searching activity and the potential DGA communications activity. 9. The method as in claim 1 , wherein the detecting the potential DGA searching activity is based on network flow data. 10. The method as in claim 1 , wherein the detecting potential DGA communications activity is based on one or more of network flow data, encrypted traffic analysis (ETA) data, DNS data, server name indication (SNI) field in hypertext transfer protocol (HTTP) messages, HTTP proxy logs, hostnames, uniform resource locators (URLs), and user agent information in HTTP messages. 11. The method as in claim 1 , wherein the detecting potential DGA communications activity uses passive DNS mapping without querying external databases. 12. The method as in claim 11 , wherein passive DNS mapping is based on building passive DNS maps on-the-fly using one or both of proxy logs and the ETA data. 13. The method as in claim 1 , wherein the detecting potential DGA searching activity comprises: receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among a plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers; determining a number of internet protocol addresses contacted by the particular host; and determining that malware potentially exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted. 14. The method as in claim 1 , wherein the detecting potential DGA communications activity comprises: obtaining a plurality of sample domain names and labeling each of the plurality of sample domain names as a DGA domain, a non-DGA domain, or a suspicious domain; training a classifier in a first stage based on the plurality of sample domain names; obtaining a plurality of sample proxy logs including proxy logs of the DGA domains and proxy logs of non-DGA domains; training the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs; obtaining a plurality of live traffic proxy logs; testing the classifier by classifying the plurality of live traffic proxy logs as DGA proxy logs; and identifying network communication as potential malware network communication with the DGA domains based on a trained and tested classifier. 15. An apparatus, comprising: one or more network interfaces to communicate with a computer network; a processor coupled to the network interfaces and configured to execute one or more process; and a memory configured to store a process executable by the processor, the process when executed configured to: detect potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network based on at least encryption traffic analysis (ETA) data; detect potential DGA communications activity by applying a hostname-based classifier for DGA domains associated with any server internet protocol (IP) address in a data stream from the host and building a passive DNS map on the fly using the ETA data; correlate the potential DGA searching activity with the potential DGA communications activity by combining an output of the DNS model with an output of the hostname-based classifier and the passive DNS map built using the ETA data, wherein the output of the DNS model is indicative of a number of DNS requests from a particular network node to one or more domain name servers, and wherein the output of the hostname-based classifier is indicative of whether any network communication comprises a malware network communication with one or more PGA domains; and identify DGA performing malware based on the correlation of the potential DGA searching activity with the potential DGA communications activity. 16. The apparatus as in claim 15 , wherein the process, when executed, is further configured to: train a first model for the detecting potential DGA searching activity and a second model for the detecting potential DGA communications activity for individual detection improvement based on the correlating and the identifying. 17. The apparatus as in claim 15 , wherein the process, when executed, is further configured to: refine the identifying by further correlating with proxy-log-classifier-based DGA detection. 18. The apparatus as in claim 15 , wherein the process, when executed, is further configured to: perform DGA mitigation in response to identifying DGA performing malware. 19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a computer to execute a process, comprising: detecting potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect DNS requests made by a host attempting to locate a command and control (C&C) server in