TempR: Application of Stricture Dependent Intelligent Classifier for Fast Flux Domain Detection

Full Text (PDF, 369KB), PP.37-44


Author(s)

Prabhjot Singh Chahal 1,*, Surinder Singh Khurana 1

1. Central University of Punjab, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2016.10.05

Received: 15 Feb. 2016 / Revised: 11 May 2016 / Accepted: 15 Jul. 2016 / Published: 8 Oct. 2016

Index Terms

Content Distribution Network, Domain Name System, Fast-flux Networks, Machine learning, Botnet, Malware

Abstract

Fast-flux service networks (FFSNs) help cyber-criminals hide the servers used for malicious activities behind a wall of proxies (bots). This gives a malicious server both reliability and evasion from detection. An FFSN uses a large pool of IP addresses for its proxies. Detecting FFSNs is difficult because a few benign technologies, such as content distribution networks and round-robin DNS, show similar working characteristics. Many approaches have been proposed to detect FFSNs and fast-flux domains; however, because of the dynamic behavior of FFSNs, these techniques suffer from a significant number of false positives. In this paper, we present a temporal and real-time detection based approach (TempR) to detect fast-flux domains. Features of fast-flux domains and benign domains have been collected and classified using intelligent classifiers. Our technique achieves 96.99% detection accuracy on the recent behavior of fast-flux domains.
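The abstract's central point is that a detector must look at how a domain's resolutions change over time, because a CDN or round-robin DNS zone also answers with several addresses and short TTLs. The following is an added illustration, not code from the paper: it summarises a constructed series of DNS answer snapshots into a small feature vector and applies a hand-written threshold rule standing in for the trained classifier. The feature names, the thresholds, the sample addresses (192.0.2.0/24 documentation range) and the ASNs (private 64512-65534 range) are all this example's own assumptions and are not the paper's feature set or data.

```python
from typing import Dict, List, Tuple

# One DNS answer observed for a domain at a point in time:
# (seconds since the first lookup, TTL in seconds, [(ip, asn), ...]).
Snapshot = Tuple[int, int, List[Tuple[str, int]]]

# Constructed histories for illustration only (not measurements from the paper).
# CDN-like: low TTL, several addresses, but the same pool in one network every time.
CDN_LIKE: List[Snapshot] = [
    (0,   60, [("192.0.2.10", 64512), ("192.0.2.11", 64512),
               ("192.0.2.12", 64512), ("192.0.2.13", 64512)]),
    (60,  60, [("192.0.2.13", 64512), ("192.0.2.10", 64512),
               ("192.0.2.11", 64512), ("192.0.2.12", 64512)]),
    (120, 60, [("192.0.2.12", 64512), ("192.0.2.13", 64512),
               ("192.0.2.10", 64512), ("192.0.2.11", 64512)]),
]

# Flux-like: every lookup returns a fresh set of addresses spread across many networks.
FLUX_LIKE: List[Snapshot] = [
    (0,   180, [("192.0.2.%d" % (20 + i), 64600 + i) for i in range(5)]),
    (180, 180, [("192.0.2.%d" % (30 + i), 64610 + i) for i in range(5)]),
    (360, 180, [("192.0.2.%d" % (40 + i), 64620 + i) for i in range(5)]),
]


def extract_features(history: List[Snapshot]) -> Dict[str, float]:
    """Reduce a domain's resolution history to a few temporal features.

    The feature set is this example's own choice (an assumption); the paper's
    features are not reproduced here.
    """
    all_ips = set()
    all_asns = set()
    ttls: List[int] = []
    new_addresses = 0          # addresses not seen in the immediately preceding answer
    previous_ips = None
    for _, ttl, answers in history:
        ips = {ip for ip, _ in answers}
        all_ips |= ips
        all_asns |= {asn for _, asn in answers}
        ttls.append(ttl)
        if previous_ips is not None:
            new_addresses += len(ips - previous_ips)
        previous_ips = ips
    transitions = max(len(history) - 1, 1)
    return {
        "unique_ips": float(len(all_ips)),
        "unique_asns": float(len(all_asns)),
        "min_ttl": float(min(ttls)),
        "churn_rate": new_addresses / transitions,   # new addresses per lookup
    }


def classify(features: Dict[str, float]) -> str:
    """Threshold vote standing in for the trained classifier (thresholds are assumptions).

    A short TTL is shared by CDNs, so it is only one vote; the temporal signals
    (churn and network diversity) are what separate flux from round-robin answers.
    """
    votes = 0
    if features["min_ttl"] <= 300:
        votes += 1
    if features["unique_asns"] >= 3:
        votes += 1
    if features["churn_rate"] >= 1.0:
        votes += 1
    if features["unique_ips"] >= 10:
        votes += 1
    return "fast-flux" if votes >= 3 else "benign"


if __name__ == "__main__":
    for name, history in (("cdn-like", CDN_LIKE), ("flux-like", FLUX_LIKE)):
        feats = extract_features(history)
        print(name, feats, "->", classify(feats))
```

The CDN-like history scores one vote (short TTL only) and stays benign, while the flux-like history scores all four; a rule keyed on TTL or address count alone would flag both, which is the false-positive problem the abstract describes.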

Cite This Paper

Prabhjot Singh Chahal, Surinder Singh Khurana, "TempR: Application of Stricture Dependent Intelligent Classifier for Fast Flux Domain Detection", International Journal of Computer Network and Information Security(IJCNIS), Vol.8, No.10, pp.37-44, 2016. DOI:10.5815/ijcnis.2016.10.05
