A Survey on Fast-flux Attacks

Zhou, Shijie

doi:10.1080/19393555.2015.1058994

Cited by 10 publications

(14 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2, an important question is whether there even is a saturation point for the visualized cumulative counts. While the plots allow to question whether the saturation was reached with q = 3000, the answer should still be negative; the counts should not grow without bound [7]. That is, the elaborated sampling bias should not be expected to tend to infinity.…”

Section: The Agility Biasmentioning

confidence: 99%

Investigating the Agility Bias in DNS Graph Mining

Ruohonen¹,

Leppänen²

2017

2017 IEEE International Conference on Computer and Information Technology (CIT)

View full text Add to dashboard Cite

The concept of agile domain name system (DNS) refers to dynamic and rapidly changing mappings between domain names and their Internet protocol (IP) addresses. This empirical paper evaluates the bias from this kind of agility for DNS-based graph theoretical data mining applications. By building on two conventional metrics for observing malicious DNS agility, the agility bias is observed by comparing bipartite DNS graphs to different subgraphs from which vertices and edges are removed according to two criteria. According to an empirical experiment with two longitudinal DNS datasets, irrespective of the criterion, the agility bias is observed to be severe particularly regarding the effect of outlying domains hosted and delivered via content delivery networks and cloud computing services. With these observations, the paper contributes to the research domains of cyber security and DNS mining. In a larger context of applied graph mining, the paper further elaborates the practical concerns related to the learning of large and dynamic bipartite graphs.

show abstract

Section: The Agility Biasmentioning

confidence: 99%

Investigating the Agility Bias in DNS Graph Mining

Ruohonen¹,

Leppänen²

2017

2017 IEEE International Conference on Computer and Information Technology (CIT)

View full text Add to dashboard Cite

show abstract

“…A relevant metric for the detection of malicious fast flux is the number of IPs returned in a single A query. In particular, we consider the maximum m al of such value: a malicious fast flux is believed to typically have a m al larger than a legitimate fast flux [22,35].…”

Section: Metrics Identificationmentioning

confidence: 99%

“…Cumulative Number of Public Networks. Since the botnet underlying a malicious fast flux contains infected machines which are typically distributed quite randomly in different networks, the same is expected to be true for the IPs retrieved by the related queries [22,35]. For this reason a malicious fast flux typically has a number of public networks (n net ) larger than a legitimate CDN.…”

Section: Metrics Identificationmentioning

confidence: 99%

“…Change in the Set of Public Networks. While CDNs typically use IPs taken from the same few public networks, malicious fast flux frequently introduce IPs from new networks [22,35]. We measure the change in the set of public networks by means of c net = n net /n c net − 1, where n c net is the network-analogous of n c IP .…”

Section: Metrics Identificationmentioning

confidence: 99%

“…Change in the Answer Length. Another relevant indicator is the change in the number of IPs retrieved in each query [22,35].…”

Section: Metrics Identificationmentioning

confidence: 99%

See 2 more Smart Citations

Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic

Lombardo¹,

Saeli²,

Bisio³

et al. 2018

Developments in Language Theory

View full text Add to dashboard Cite

In the last decade, the use of fast flux technique has become established as a common practice to organise botnets in Fast Flux Service Networks (FFSNs), which are platforms able to sustain illegal online services with very high availability. In this paper, we report on an effective fast flux detection algorithm based on the passive analysis of the Domain Name System (DNS) traffic of a corporate network. The proposed method is based on the near-real-time identification of different metrics that measure a wide range of fast flux key features; the metrics are combined via a simple but effective mathematical and data mining approach. The proposed solution has been evaluated in a one-month experiment over an enterprise network, with the injection of pcaps associated with different malware campaigns, that leverage FFSNs and cover a wide variety of attack scenarios. An in-depth analysis of a list of fast flux domains confirmed the reliability of the metrics used in the proposed algorithm and allowed for the identification of many IPs that turned out to be part of two notorious FFSNs, namely Dark Cloud and SandiFlux, to the description of which we therefore contribute. All the fast flux domains were detected with a very low false positive rate; a comparison of performance indicators with previous works show a remarkable improvement.

show abstract

Finding Fast Flux Traffic in DNS Haystack

Surjanto¹,

Lim

2020

Critical Information Infrastructures Security

View full text Add to dashboard Cite

A Survey on Fast-flux Attacks

Cited by 10 publications

References 45 publications

Investigating the Agility Bias in DNS Graph Mining

Investigating the Agility Bias in DNS Graph Mining

Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic

Finding Fast Flux Traffic in DNS Haystack

Contact Info

Product

Resources

About