Identifying Fast-Flux Botnet With AGD Names at the Upper DNS Hierarchy

Zang, Xiaodong; Gong, Jian; Mo, Shao-Huang; Jakalan, Ahmad; Ding, D.-S.

doi:10.1109/access.2018.2880884

Cited by 14 publications

(5 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 3 presents a comparison between the proposed PASSVM system, which is based on SVM with RBF kernel, with the state-of-the-art mechanisms for fast flux detection. The mechanisms include GRADE [42], FF-Hunter [12], FluxBuster [43] and [39]. The comparison criteria are based on whether the detection is performed online or offline, the capability of performing a detection based on a single DNS record, the time for training and testing, the accuracy, and the used memory that were reported by the authors of the methods.…”

Section: Comparison With the State-of-the-artmentioning

confidence: 99%

“…This requires performing tracerout and real-time measurement of the round trip time for all of the records, which incurs high overhead and has a major problem of possible failure due to filtering of the ICMP messages. The system proposed in [39] analyzes live traffic that is collected from the upper DNS hierarchy by applying literal composition to identify DGA-generated domains. Then it clusters the domains based on their literal features and the edit-distance.…”

Section: Comparison With the State-of-the-artmentioning

confidence: 99%

See 1 more Smart Citation

PASSVM: A Highly Accurate Online Fast Flux Detection System

Al-Duwairi,

Jarrah,

Shatnawi

2020

Preprint

View full text Add to dashboard Cite

Fast Flux service networks (FFSNs) are used by adversaries to achieve a high resilient technique for their malicious servers while keeping them hidden from direct access. In this technique, a large number of botnet machines, that are known as flux agents, work as proxies to relay the traffic between end users and a malicious mothership server which is controlled by an adversary. Various mechanisms have been proposed for detecting FFSNs. Such mechanisms depend on collecting a large amount of DNS traffic traces and require a considerable amount of time to identify fast flux domains. In this paper, we propose an efficient AI-based online fast flux detection system that performs highly accurate and extremely fast detection of fast flux domains. The proposed system, called PASSVM, is based on features that are associated with DNS response messages of a given domain name. The approach relies on features that are stored in two local databases, in addition to features that are extracted from the response DNS messages itself. The information in the databases are obtained from Censys search engine and IP Geolocation service. PASSVM is evaluated using three types of artificial neural networks which are: Multilayer Perceptron (MLP), Radial Basis Function Network (RBF), and Support Vector Machines (SVM). Results show that SVM with RBF kernel outperformed the other two methods with an accuracy of 99.557% and a detection time of less than 18 ms.

show abstract

Section: Comparison With the State-of-the-artmentioning

confidence: 99%

Section: Comparison With the State-of-the-artmentioning

confidence: 99%

PASSVM: A Highly Accurate Online Fast Flux Detection System

Al-Duwairi,

Jarrah,

Shatnawi

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Some approaches identify infected network nodes by monitoring the DNS traffic and/or the behavior of groups of machines. For example, in [22]- [25] anomaly-based botnet detection mechanisms are proposed by monitoring group activities in DNS traffic of a specific network. Some work focuses on a specific type of attack.…”

Section: Related Workmentioning

confidence: 99%

Multi-observable reputation scoring system for flagging suspicious user sessions

Lalouani

Younis

2020

Computer Networks

View full text Add to dashboard Cite

“…This communication must preserve some degree of unlinkability to thwart any attempts to identify the botmaster. To ensure unlinkability and as a counter-measure against take-down mechanisms, botnets frequently make use of domain fluxing [37,59] through Domain Generation Algorithms (DGAs). DGAs produce a vast amount of domain names, which bots try to communicate with iteratively to find the actual C&C server.…”

Section: Introductionmentioning

confidence: 99%

Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains

Casino,

Lykousas,

Homoliak

et al. 2020

Preprint

View full text Add to dashboard Cite

A crucial technical challenge for cybercriminals is to keep control over the potentially millions of infected devices that build up their botnets, without compromising the robustness of their attacks. A single, fixed C&C server, for example, can be trivially detected either by binary or traffic analysis and immediately sink-holed or taken-down by security researchers or law enforcement. Botnets often use Domain Generation Algorithms (DGAs), primarily to evade take-down mechanisms. DGAs enlarge the lifespan of a malware campaign, thus enhancing its profitability. They can also contribute to hardening attack attribution. In this work, we introduce HYDRA the most comprehensive and complete available dataset of Algorithmically-Generated Domains (AGD). The dataset contains more than 100 DGA families, including both real-world and adversarial ones. We analyse the dataset and discuss the possibility of differentiating between benign requests (to real domains) and malicious ones (to AGDs) in real-time. The simultaneous study of so many families and variants introduces several challenges; nonetheless, it alleviates biases found in previous literature that deals with small datasets and exploit some characteristic features of particular families. To this end, we thoroughly compare our approach with the current state-of-the-art and highlight some methodological shortcomings in the actual state of practice. The outcomes obtained show that our method significantly outperforms the current state-of-the-art in terms of both accuracy and efficiency.

show abstract

Identifying Fast-Flux Botnet With AGD Names at the Upper DNS Hierarchy

Cited by 14 publications

References 20 publications

PASSVM: A Highly Accurate Online Fast Flux Detection System

PASSVM: A Highly Accurate Online Fast Flux Detection System

Multi-observable reputation scoring system for flagging suspicious user sessions

Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains

Contact Info

Product

Resources

About