Abstract
In the last decade, the use of the fast flux technique has become established as a common practice to organise botnets into Fast Flux Service Networks (FFSNs), which are platforms able to sustain illegal online services with very high availability. In this paper, we report on an effective fast flux detection algorithm based on the passive analysis of the Domain Name System (DNS) traffic of a corporate network. The proposed method is based on the near-real-time identification of different metrics that measure a wide range of key fast flux features; the metrics are combined via a simple but effective mathematical and data mining approach. The proposed solution has been evaluated in a one-month experiment over an enterprise network, with the injection of pcaps associated with different malware campaigns that leverage FFSNs and cover a wide variety of attack scenarios. An in-depth analysis of a list of fast flux domains confirmed the reliability of the metrics used in the proposed algorithm and allowed for the identification of many IPs that turned out to be part of two notorious FFSNs, namely Dark Cloud and SandiFlux, to the description of which we therefore contribute. All the fast flux domains were detected with a very low false positive rate; a comparison of performance indicators with previous works shows a remarkable improvement.
Notes
- 1. E5-2690 2.9 GHz \(\times \) 2 (2 sockets \(\times \) 16 cores), 16 \(\times \) 8 GB RAM, 1.1 TB HDD.
- 2. The filter mentioned in Table 2 detects a CDN only when it has a sufficient history.
- 3. Hereafter, the left- and right-hand sides of the arrow represent the quantity before and after the rescaling, respectively.
- 4. We set \(s=2.5\) and \(n_0=3\); the first is the average \(n_\mathrm{AS}\) for the top 4 largest CDNs detected in the validation set, while the latter is half the minimum \(n_\mathrm{AS}\) detected for a fast flux in the validation set.
- 5. We set \(s=40\) in agreement with Ref. [35], which states that a typical FFSN has a set of IPs distributed among 30–60 ASs, and \(n_0=5\), which is the maximum number of ASs detected for a CDN in the validation set.
- 6. To each IP \(n_1.n_2.n_3.n_4\) we associated \(x=256^3\, n_1 + 256^2\, n_2 + 256\, n_3 + n_4\).
- 7. The values of s were set based on information retrieved from the literature ([35] and references therein) and the validation set. More specifically, we chose \(s_\mathrm{IP}=24\), \(s_\mathrm{net}=12\), \(s_\mathrm{AS}=6\), and \(s_\mathrm{al}=10\).
- 8. The weights reflect the importance of the corresponding metric for the correct classification of the validation set; the optimal values are \(w_\mathrm{IP}=w_\mathrm{net}=0.03\), \(w_\mathrm{AS}=0.13\), \(w_\mathrm{al}=0.09\), \(w_{f}=0.54\), and \(w_{d}=0.18\).
- 9. The values of s were set based on information retrieved from the literature and the validation set. More specifically, we chose \(s_\mathrm{IP}=s_\mathrm{net}=1\) and \(s_\mathrm{AS}=s_\mathrm{al}=0.5\).
- 10. The weights reflect the importance of the corresponding metric in the validation set; the optimal values are \(w'_\mathrm{IP}=0.07\), \(w'_\mathrm{net}=0.23\), and \(w'_\mathrm{AS}=0.7\).
- 11. An optimisation procedure on the validation set produced similar weights for the three quantities: \(w_\mathrm{stat}=0.27\), \(w_\mathrm{dyn}=0.38\), and \(w_\mathrm{al}=0.35\).
- 12. Some domains are reported in Table 4, others in Fig. 2; the remaining domains are odqndpqowdnqwpodn.com, moncompte-carrefour.org, 0768.ru, allianzbank.org, commerzb.co, db-ag.co, druhok.com, form.xbeginner.org, ihalbom.com, ingdirectverifica.com, lloyds-personal.com, mein-advanzia.info, point.charitablex.org, postofficegreat.com, ransomware.bit, redluck0.com, safe.bintrust.org, sunyst.co, dfplajngru.com, mer.arintrueed.org, www.ico-teleqram.net, clo.arotamarid.org, www.translationdoor.com, vr-b.co, vr-b.cc.
- 13. An analysis of some pcaps associated with iuzngzhl.com, arlfbqcc.com, and vpvqskazjvco.com revealed that the corresponding real IPs are based on the SandiFlux FFSN described below.
References
https://www.acs.org.au/content/dam/acs/acs-publications/ACS_Cybersecurity_Guide.pdf
http://blog.talosintelligence.com/2017/07/threat-roundup-0630-0707.html
Alieyan, K., Almomani, A., Manasrah, A., Kadhum, M.M.: A survey of botnet detection based on DNS. Neural Comput. Appl. 28(7), 1541–1558 (2017)
Almomani, A.: Fast-flux hunter: a system for filtering online fast-flux botnet. Neural Comput. Appl. 29(7), 483–493 (2018)
Berger, A., D’Alconzo, A., Gansterer, W.N., Pescapé, A.: Mining agile DNS traffic using graph analysis for cybercrime detection. Comput. Netw. 100, 28–44 (2016)
Bisio, F., Saeli, S., Lombardo, P., Bernardi, D., Perotti, A., Massa, D.: Real-time behavioral DGA detection through machine learning. In: 2017 International Carnahan Conference on Security Technology (ICCST), pp. 1–6. IEEE (2017)
Chahal, P.S., Khurana, S.S.: TempR: application of stricture dependent intelligent classifier for fast flux domain detection. Int. J. Comput. Netw. Inf. Secur. 8(10), 37 (2016)
Crowder, W., Dunker, N.: Dark cloud network facilitates crimeware. https://www.riskanalytics.com/wp-content/uploads/2017/10/Dark_Cloud_Network_Facilitates_Crimeware.pdf
Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: NDSS (2008)
Hsu, C.-H., Huang, C.-Y., Chen, K.-T.: Fast-flux bot detection in real time. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 464–483. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_24
Jiang, C.B., Li, J.S.: Exploring global IP-usage patterns in fast-flux service networks. JCP 12(4), 371–379 (2017)
Katz, O., Perets, R., Matzliach, G.: Digging deeper - an in-depth analysis of a fast flux network (2017). https://www.akamai.com/us/en/multimedia/documents/white-paper/digging-deeper-in-depth-analysis-of-fast-flux-network.pdf
Lin, H.T., Lin, Y.Y., Chiang, J.W.: Genetic-based real-time fast-flux service networks detection. Comput. Netw. 57(2), 501–513 (2013)
Martinez-Bea, S., Castillo-Perez, S., Garcia-Alfaro, J.: Real-time malicious fast-flux detection using DNS and bot related features. In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust (PST), pp. 369–372. IEEE (2013)
Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: 2008 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 24–31. IEEE (2008)
Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FluXOR: detecting and monitoring fast-flux service networks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 186–206. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70542-0_10
Perdisci, R., Corona, I., Giacinto, G.: Early detection of malicious flux networks via large-scale passive DNS traffic analysis. IEEE Trans. Dependable Secure Comput. 9(5), 714–726 (2012)
Ruohonen, J., Leppänen, V.: Investigating the agility bias in DNS graph mining. In: 2017 IEEE International Conference on Computer and Information Technology (CIT), pp. 253–260. IEEE (2017)
Salusky, W., Danford, R.: Know your enemy: fast-flux service networks. Honeynet Proj. 1–24 (2007)
Soltanaghaei, E., Kharrazi, M.: Detection of fast-flux botnets through DNS traffic analysis. Scientia Iranica. Trans. D Comput. Sci. Eng. Electr. 22(6), 2389 (2015)
Stevanovic, M., Pedersen, J.M., D’Alconzo, A., Ruehrup, S.: A method for identifying compromised clients based on DNS traffic analysis. Int. J. Inf. Secur. 16(2), 115–132 (2017)
Zhou, S.: A survey on fast-flux attacks. Inf. Secur. J. Glob. Perspect. 24(4–6), 79–97 (2015)
© 2018 Springer Nature Switzerland AG
Lombardo, P., Saeli, S., Bisio, F., Bernardi, D., Massa, D. (2018). Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science(), vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_25
DOI: https://doi.org/10.1007/978-3-319-99136-8_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99135-1
Online ISBN: 978-3-319-99136-8
eBook Packages: Computer Science (R0)