Neural Computing and Applications, Volume 29, Issue 7, pp 483–493

Fast-flux hunter: a system for filtering online fast-flux botnet

  • Ammar Almomani
Original Article


Fast-flux networks are a domain name system (DNS) technique used by botnets to hide attack infrastructure, such as phishing and malware-delivery sites, behind a constantly changing set of compromised hosts that act as proxies and sometimes host the malicious content themselves. Detecting fast-flux networks remains difficult because their behaviour resembles that of legitimate infrastructures such as server farms and content distribution networks. This study seeks to improve the detection and prediction of unknown ("zero-day") fast-flux botnets online. The improvement is achieved with a new system, the fast-flux hunter (FFH), built on a new adaptive evolving fuzzy neural network algorithm. FFH is a hybrid of supervised and unsupervised online knowledge-based learning. Its core mechanism is based on the inherent features of fast-flux networks, which it derives from collected DNS traffic. FFH is able to scan over 7615 domain records and extract 14 distinct features for each domain. FFH lowers the classification error rate, reaches a detection accuracy of approximately 98%, and is compatible with life-long learning systems, memory-constrained systems, and high-speed systems.
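As an added example (not code from the paper or from the FFH system, whose 14 features the abstract does not list), the following Python sketches the two ideas the abstract combines: deriving fast-flux indicators from repeated DNS lookups of one domain, and feeding them to a one-pass evolving classifier that creates a new rule node whenever an unfamiliar pattern arrives. The four features (unique addresses, unique /24 prefixes as a stand-in for network diversity, mean TTL, answer churn), the scaling ranges, the similarity threshold and every address below are assumptions made for this example; the classifier is a simplified prototype learner in the spirit of evolving connectionist systems, not the paper's EFuNN.

```python
"""Added example: DNS-derived fast-flux features plus a minimal one-pass
evolving (rule-node) classifier. Feature set, scaling and classifier are
illustrative assumptions, not the paper's 14 features or its EFuNN."""
import math
from typing import Dict, List, Optional, Sequence, Tuple

# One lookup = (TTL in seconds, A records returned). All addresses are
# constructed sample data, not observed traffic.
Lookup = Tuple[int, List[str]]

FLUX_LOOKUPS: List[Lookup] = [  # fresh proxies from many networks in every answer
    (300, ["10.11.1.5", "10.22.7.9", "10.33.4.2"]),
    (300, ["10.44.9.1", "10.55.3.8", "10.66.2.7"]),
    (300, ["10.11.1.5", "10.77.6.3", "10.88.5.4"]),
    (300, ["10.99.8.6", "10.22.7.9", "10.12.3.3"]),
]
CDN_LOOKUPS: List[Lookup] = [  # low TTL and rotation too, but one operator network
    (60, ["10.200.1.10", "10.200.1.11"]),
    (60, ["10.200.1.12", "10.200.1.13"]),
    (60, ["10.200.1.10", "10.200.1.12"]),
    (60, ["10.200.1.11", "10.200.1.13"]),
]
STATIC_LOOKUPS: List[Lookup] = [(86400, ["10.5.5.5"])] * 3  # ordinary single host


def extract_features(lookups: Sequence[Lookup]) -> Dict[str, float]:
    """Four classic fast-flux indicators from repeated A-record lookups."""
    ips = {ip for _, answer in lookups for ip in answer}
    prefixes = {ip.rsplit(".", 1)[0] for ip in ips}  # /24 as a cheap proxy for ASN diversity
    changes = sum(1 for (_, prev), (_, cur) in zip(lookups, lookups[1:])
                  if set(prev) != set(cur))
    return {
        "unique_ips": len(ips),
        "unique_prefixes": len(prefixes),
        "mean_ttl": sum(ttl for ttl, _ in lookups) / len(lookups),
        "churn": changes / max(len(lookups) - 1, 1),
    }


def to_vector(f: Dict[str, float]) -> List[float]:
    """Scale each feature into [0, 1] so distances are comparable (assumed ranges)."""
    return [
        min(f["unique_ips"] / 16.0, 1.0),
        min(f["unique_prefixes"] / 8.0, 1.0),
        1.0 - min(f["mean_ttl"], 3600.0) / 3600.0,  # low TTL -> high score
        f["churn"],
    ]


class EvolvingClassifier:
    """One-pass learner: a new rule node is created when no existing node is
    similar enough (or the closest node carries the wrong label); otherwise
    the winning node moves toward the new sample. Nodes are never retrained
    in batch, which is what makes the learner usable online."""

    def __init__(self, sthr: float = 0.8, lr: float = 0.5) -> None:
        self.sthr, self.lr = sthr, lr  # sensitivity threshold, learning rate
        self.nodes: List[Tuple[List[float], int]] = []  # (center, label)

    @staticmethod
    def _similarity(x: Sequence[float], c: Sequence[float]) -> float:
        dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(x, c)))
        return 1.0 - dist / math.sqrt(len(x))  # 1.0 identical, 0.0 opposite corners

    def _winner(self, x: Sequence[float]) -> Tuple[Optional[int], float]:
        best, best_sim = None, -1.0
        for i, (c, _) in enumerate(self.nodes):
            s = self._similarity(x, c)
            if s > best_sim:
                best, best_sim = i, s
        return best, best_sim

    def learn(self, x: Sequence[float], label: int) -> None:
        i, sim = self._winner(x)
        if i is None or sim < self.sthr or self.nodes[i][1] != label:
            self.nodes.append((list(x), label))  # evolve: allocate a new rule node
            return
        c, _ = self.nodes[i]
        self.nodes[i] = ([ci + self.lr * (xi - ci) for ci, xi in zip(c, x)], label)

    def predict(self, x: Sequence[float]) -> Optional[int]:
        i, _ = self._winner(x)
        return None if i is None else self.nodes[i][1]


def train_demo() -> EvolvingClassifier:
    """Single pass over the three constructed domains: 1 = fast-flux, 0 = benign."""
    clf = EvolvingClassifier()
    for lookups, label in ((FLUX_LOOKUPS, 1), (CDN_LOOKUPS, 0), (STATIC_LOOKUPS, 0)):
        clf.learn(to_vector(extract_features(lookups)), label)
    return clf


def classify(lookups: Sequence[Lookup], clf: Optional[EvolvingClassifier] = None) -> Optional[int]:
    if clf is None:
        clf = train_demo()
    return clf.predict(to_vector(extract_features(lookups)))


if __name__ == "__main__":
    model = train_demo()
    for name, lookups in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS), ("static", STATIC_LOOKUPS)):
        print(name, extract_features(lookups), "->", classify(lookups, model))
    print("rule nodes:", len(model.nodes))
```

The constructed CDN domain shares the low TTL and per-answer rotation of the fast-flux domain, so TTL and churn alone would not separate them; only the spread of answers across networks does, which is the practical reason the abstract singles out server farms and content distribution networks as the hard negatives. The sensitivity threshold governs how readily the learner allocates nodes: set it too low and dissimilar domains merge into one prototype, too high and every sample becomes its own node.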


Botnets, Fast-flux networks (FFN), Zero-day attack, Evolving fuzzy neural network (EFuNN), Online detection



This work was supported by Al-Balqa Applied University, Al-huson University College, Dept. of Information Technology, 50, Irbid, Jordan.



Copyright information

© The Natural Computing Applications Forum 2016

Authors and Affiliations

  1. Department of Information Technology, Al-huson University College, Al-Balqa Applied University, Irbid, Jordan
