Abstract: "Fast-flux" refers to rapidly assigning different IP addresses to the same domain name. Although there are some legitimate uses for this technique, recently it has become a favorite tool for cyber criminals to launch collaborative attacks. After it was first observed by Honeynet, it was reported that fast-flux has been used in phishing, malware spreading, spam, and other malicious activities linked to criminal organizations. Combined with peer-to-peer networking, distributed command and control, web-based load…
“…2, an important question is whether there even is a saturation point for the visualized cumulative counts. While the plots allow one to question whether the saturation was reached with q = 3000, the answer should still be negative; the counts should not grow without bound [7]. That is, the elaborated sampling bias should not be expected to tend to infinity.…”
The concept of agile domain name system (DNS) refers to dynamic and rapidly changing mappings between domain names and their Internet protocol (IP) addresses. This empirical paper evaluates the bias from this kind of agility for DNS-based graph theoretical data mining applications. By building on two conventional metrics for observing malicious DNS agility, the agility bias is observed by comparing bipartite DNS graphs to different subgraphs from which vertices and edges are removed according to two criteria. According to an empirical experiment with two longitudinal DNS datasets, irrespective of the criterion, the agility bias is observed to be severe particularly regarding the effect of outlying domains hosted and delivered via content delivery networks and cloud computing services. With these observations, the paper contributes to the research domains of cyber security and DNS mining. In a larger context of applied graph mining, the paper further elaborates the practical concerns related to the learning of large and dynamic bipartite graphs.
“…A relevant metric for the detection of malicious fast flux is the number of IPs returned in a single A query. In particular, we consider the maximum $m_{al}$ of such value: a malicious fast flux is believed to typically have a $m_{al}$ larger than a legitimate fast flux [22,35].…”
Section: Metrics Identification (classified as mentioning, confidence 99%)
“…Cumulative Number of Public Networks. Since the botnet underlying a malicious fast flux contains infected machines which are typically distributed quite randomly in different networks, the same is expected to be true for the IPs retrieved by the related queries [22,35]. For this reason a malicious fast flux typically has a number of public networks ($n_{net}$) larger than a legitimate CDN.…”
Section: Metrics Identification (classified as mentioning, confidence 99%)
“…Change in the Set of Public Networks. While CDNs typically use IPs taken from the same few public networks, malicious fast flux frequently introduces IPs from new networks [22,35]. We measure the change in the set of public networks by means of $c_{net} = n_{net} / n^{c}_{net} - 1$, where $n^{c}_{net}$ is the network-analogous of $n^{c}_{IP}$.…”
Section: Metrics Identification (classified as mentioning, confidence 99%)
“…Change in the Answer Length. Another relevant indicator is the change in the number of IPs retrieved in each query [22,35].…”
In the last decade, the use of fast flux technique has become established as a common practice to organise botnets in Fast Flux Service Networks (FFSNs), which are platforms able to sustain illegal online services with very high availability. In this paper, we report on an effective fast flux detection algorithm based on the passive analysis of the Domain Name System (DNS) traffic of a corporate network. The proposed method is based on the near-real-time identification of different metrics that measure a wide range of fast flux key features; the metrics are combined via a simple but effective mathematical and data mining approach. The proposed solution has been evaluated in a one-month experiment over an enterprise network, with the injection of pcaps associated with different malware campaigns, that leverage FFSNs and cover a wide variety of attack scenarios. An in-depth analysis of a list of fast flux domains confirmed the reliability of the metrics used in the proposed algorithm and allowed for the identification of many IPs that turned out to be part of two notorious FFSNs, namely Dark Cloud and SandiFlux, to the description of which we therefore contribute. All the fast flux domains were detected with a very low false positive rate; a comparison of performance indicators with previous works shows a remarkable improvement.
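The four indicators quoted above from the Metrics Identification section (maximum answer length $m_{al}$, cumulative number of public networks $n_{net}$, the network-set change $c_{net} = n_{net}/n^{c}_{net} - 1$, and the change in answer length) can be computed from nothing more than the successive A-record answers for one name. The block below is an added example, not code from the cited paper or its authors. It makes three assumptions the page does not state: a "public network" is approximated by the /16 that contains the address, $n^{c}_{net}$ is taken as the number of distinct networks in the most recent answer, and the answer-length change is computed as the fraction of consecutive queries whose answer sizes differ. The two answer sequences are constructed: one shaped like a CDN, one shaped like a fast flux service network.

```python
"""Fast-flux indicators over a sequence of DNS A-record answers.

Added example (not the cited paper's code). Assumptions not stated on
the page: "public network" == the /16 containing the IP; n^c_net == the
distinct networks in the latest answer; answer-length change == the
fraction of consecutive queries whose distinct-IP counts differ.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Sequence

# Constructed input: successive A answers for the same name, one list per query.
# CDN-like: two or three addresses, always drawn from the same two /16s.
CDN_ANSWERS = [
    ["104.16.10.5", "104.16.11.5"],
    ["104.16.10.5", "104.16.11.5"],
    ["104.16.12.9", "104.17.1.2"],
    ["104.16.12.9", "104.17.1.2"],
]

# Constructed input shaped like a fast flux service network: many addresses,
# scattered across unrelated networks, with the answer size drifting per query.
FLUX_ANSWERS = [
    ["24.11.3.7", "71.200.8.9", "93.45.1.20", "190.2.33.4", "41.76.5.5"],
    ["71.200.8.9", "190.2.33.4", "85.12.90.1", "201.55.6.7"],
    ["93.45.1.20", "85.12.90.1", "201.55.6.7", "24.11.3.7", "178.9.9.9", "110.4.4.4"],
    ["110.4.4.4", "178.9.9.9", "62.3.3.3"],
]


def public_network(ip: str, prefix_len: int = 16) -> str:
    """Approximate the 'public network' of an address by its /16 (assumption)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def max_answer_length(answers: Sequence[Sequence[str]]) -> int:
    """m_al: the largest number of distinct IPs returned by a single A query."""
    return max(len(set(a)) for a in answers)


def cumulative_networks(answers: Sequence[Sequence[str]], prefix_len: int = 16) -> int:
    """n_net: distinct public networks seen across all queries so far."""
    return len({public_network(ip, prefix_len) for a in answers for ip in a})


def network_change(answers: Sequence[Sequence[str]], prefix_len: int = 16) -> float:
    """c_net = n_net / n^c_net - 1.

    n^c_net is taken as the number of distinct networks in the most recent
    answer (assumption). 0.0 means the latest answer already covers every
    network ever seen; larger values mean networks keep being rotated in.
    """
    n_net = cumulative_networks(answers, prefix_len)
    n_c_net = len({public_network(ip, prefix_len) for ip in answers[-1]})
    return n_net / n_c_net - 1


def answer_length_change(answers: Sequence[Sequence[str]]) -> float:
    """Fraction of consecutive query pairs whose distinct-IP counts differ (assumed form)."""
    lengths = [len(set(a)) for a in answers]
    if len(lengths) < 2:
        return 0.0
    changes = sum(1 for prev, cur in zip(lengths, lengths[1:]) if prev != cur)
    return changes / (len(lengths) - 1)


@dataclass(frozen=True)
class FluxMetrics:
    m_al: int
    n_net: int
    c_net: float
    answer_length_change: float


def compute_metrics(answers: Sequence[Sequence[str]], prefix_len: int = 16) -> FluxMetrics:
    """Compute all four indicators for one name's answer history."""
    return FluxMetrics(
        m_al=max_answer_length(answers),
        n_net=cumulative_networks(answers, prefix_len),
        c_net=network_change(answers, prefix_len),
        answer_length_change=answer_length_change(answers),
    )


if __name__ == "__main__":
    for label, answers in (("cdn", CDN_ANSWERS), ("flux", FLUX_ANSWERS)):
        print(label, compute_metrics(answers))
```

On the constructed input the CDN-like name yields $m_{al} = 2$, $n_{net} = 2$, $c_{net} = 0$ and no answer-length change, while the flux-like name yields $m_{al} = 6$, $n_{net} = 10$, $c_{net} = 10/3 - 1$ and a length change on every query, which is the direction of separation the quoted metrics predict. The /16 proxy for a public network is deliberately crude: a production detector would map addresses to announced prefixes or ASNs, since a single /16 can span several operators.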