
Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11060))

Abstract

In the last decade, the fast flux technique has become established as a common practice for organising botnets into Fast Flux Service Networks (FFSNs), platforms able to sustain illegal online services with very high availability. In this paper, we report on an effective fast flux detection algorithm based on the passive analysis of the Domain Name System (DNS) traffic of a corporate network. The proposed method relies on the near-real-time computation of several metrics, each measuring one of the key features of fast flux; the metrics are combined via a simple but effective mathematical and data mining approach. The proposed solution was evaluated in a one-month experiment over an enterprise network, with the injection of pcaps associated with different malware campaigns that leverage FFSNs and cover a wide variety of attack scenarios. An in-depth analysis of a list of fast flux domains confirmed the reliability of the metrics used in the proposed algorithm and allowed for the identification of many IPs that turned out to be part of two notorious FFSNs, namely Dark Cloud and SandiFlux, to whose description we therefore contribute. All the fast flux domains were detected with a very low false positive rate; a comparison of performance indicators with previous works shows a remarkable improvement.


Notes

  1. E5-2690 2.9 GHz \(\times \) 2 (2 sockets \(\times \) 16 cores), 16 \(\times \) 8 GB RAM, 1.1 TB HDD.

  2. The filter mentioned in Table 2 detects a CDN only when it has a sufficient history.

  3. Hereafter, the left and right hand sides of the arrow represent the quantity before and after the rescaling, respectively.

  4. We set \(s=2.5\) and \(n_0=3\); the first is the average \(n_\mathrm{AS}\) for the top 4 largest CDNs detected in the validation set, while the latter is half the minimum \(n_\mathrm{AS}\) detected for a fast flux in the validation set.

  5. We set \(s=40\) in agreement with Ref. [35], which states that a typical FFSN has a set of IPs distributed among 30–60 ASs, and \(n_0=5\), which is the maximum number of ASs detected for a CDN in the validation set.

  6. To each IP \(n_1.n_2.n_3.n_4\) we associated \(x=256^3\, n_1 + 256^2\, n_2 + 256\, n_3 + n_4\).

  7. The values of s were set based on information retrieved from the literature ([35] and references therein) and the validation set. In more detail, we chose \(s_\mathrm{IP}=24\), \(s_\mathrm{net}=12\), \(s_\mathrm{AS}=6\), and \(s_\mathrm{al}=10\).

  8. The weights reflect the importance of the corresponding metric for correct classification in the validation set; the optimal values are \(w_\mathrm{IP}=w_\mathrm{net}=0.03\), \(w_\mathrm{AS}=0.13\), \(w_\mathrm{al}=0.09\), \(w_{f}=0.54\), and \(w_{d}=0.18\).

  9. The values of s were set based on information retrieved from the literature and the validation set. In more detail, we chose \(s_\mathrm{IP}=s_\mathrm{net}=1\) and \(s_\mathrm{AS}=s_\mathrm{al}=0.5\).

  10. The weights reflect the importance of the corresponding metric in the validation set; the optimal values are \(w'_\mathrm{IP}=0.07\), \(w'_\mathrm{net}=0.23\), and \(w'_\mathrm{AS}=0.7\).

  11. An optimisation procedure on the validation set produced similar weights for the three quantities: \(w_\mathrm{stat}=0.27\), \(w_\mathrm{dyn}=0.38\), and \(w_\mathrm{al}=0.35\).

  12. Some domains are reported in Table 4, others in Fig. 2; the remaining domains are odqndpqowdnqwpodn.com, moncompte-carrefour.org, 0768.ru, allianzbank.org, commerzb.co, db-ag.co, druhok.com, form.xbeginner.org, ihalbom.com, ingdirectverifica.com, lloyds-personal.com, mein-advanzia.info, point.charitablex.org, postofficegreat.com, ransomware.bit, redluck0.com, safe.bintrust.org, sunyst.co, dfplajngru.com, mer.arintrueed.org, www.ico-teleqram.net, clo.arotamarid.org, www.translationdoor.com, vr-b.co, vr-b.cc.

  13. An analysis of some pcaps associated with iuzngzhl.com, arlfbqcc.com, and vpvqskazjvco.com revealed that the corresponding real IPs are based on the SandiFlux FFSN described below.
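Notes 4 to 6 refer to per-domain counts of distinct IPs, networks and autonomous systems extracted from passive DNS answers, and to an integer encoding of each IPv4 address. The following is an added example, not code from the paper: it computes those counts over a constructed set of passive DNS observations. The paper's exact definitions are not on this page, so grouping networks by /24, the static AS table, and using the note 6 encoding only to measure the span of a domain's IP set are assumptions made here.

```python
import ipaddress

# Constructed passive DNS observations (timestamp, queried domain, A record).
# Addresses are from the documentation ranges; they are not indicators.
OBSERVATIONS = [
    (0, "flux.example", "203.0.113.10"),
    (60, "flux.example", "198.51.100.7"),
    (120, "flux.example", "192.0.2.44"),
    (180, "flux.example", "203.0.113.200"),
    (240, "flux.example", "198.51.100.99"),
    (0, "cdn.example", "203.0.113.1"),
    (60, "cdn.example", "203.0.113.2"),
    (120, "cdn.example", "203.0.113.3"),
]

# Assumed prefix -> AS number table; a deployment would query an ASN
# database (the paper cites MaxMind GeoIP, ref. [12]) instead.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("192.0.2.0/24"): 64502,
}


def ip_to_int(ip: str) -> int:
    """Note 6 encoding: x = 256^3 n1 + 256^2 n2 + 256 n3 + n4."""
    n1, n2, n3, n4 = (int(p) for p in ip.split("."))
    return 256**3 * n1 + 256**2 * n2 + 256 * n3 + n4


def asn_of(ip: str) -> int:
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    raise KeyError(f"no AS known for {ip}")  # assumption: table is complete


def domain_metrics(domain: str) -> dict:
    """Distinct IPs, /24 networks and ASs seen for a domain, plus the
    span of its IP set under the note 6 integer encoding (assumption)."""
    ips = {ip for _, d, ip in OBSERVATIONS if d == domain}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    ases = {asn_of(ip) for ip in ips}
    encoded = [ip_to_int(ip) for ip in ips]
    return {
        "n_IP": len(ips),
        "n_net": len(nets),
        "n_AS": len(ases),
        "ip_span": max(encoded) - min(encoded),
    }
```

A domain whose answers spread over many ASs (note 5 cites 30–60 for a typical FFSN) scores high on n_AS, whereas the constructed CDN-like domain stays within one /24 and one AS.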

References

  1. https://www.acs.org.au/content/dam/acs/acs-publications/ACS_Cybersecurity_Guide.pdf

  2. https://www.proofpoint.com/us/threat-insight/post/sandiflux-another-fast-flux-infrastructure-used-malware-distribution-emerges

  3. https://www.hybrid-analysis.com/

  4. https://packettotal.com/

  5. https://www.reverse.it/

  6. https://virustotal.com/

  7. http://www.aramisec.com

  8. https://www.malware-traffic-analysis.net/

  9. https://tools.ietf.org/html/rfc1035

  10. http://www.forbes.com

  11. http://www.alexa.com

  12. https://dev.maxmind.com/geoip/

  13. http://blog.talosintelligence.com/2017/07/threat-roundup-0630-0707.html

  14. https://www.torproject.org/docs/tor-manual.html.en

  15. https://www.cert.pl/en/news/single/nymaim-revisited/

  16. Alieyan, K., Almomani, A., Manasrah, A., Kadhum, M.M.: A survey of botnet detection based on DNS. Neural Comput. Appl. 28(7), 1541–1558 (2017)

  17. Almomani, A.: Fast-flux hunter: a system for filtering online fast-flux botnet. Neural Comput. Appl. 29(7), 483–493 (2018)

  18. Berger, A., D'Alconzo, A., Gansterer, W.N., Pescapé, A.: Mining agile DNS traffic using graph analysis for cybercrime detection. Comput. Netw. 100, 28–44 (2016)

  19. Bisio, F., Saeli, S., Lombardo, P., Bernardi, D., Perotti, A., Massa, D.: Real-time behavioral DGA detection through machine learning. In: 2017 International Carnahan Conference on Security Technology (ICCST), pp. 1–6. IEEE (2017)

  20. Chahal, P.S., Khurana, S.S.: TempR: application of stricture dependent intelligent classifier for fast flux domain detection. Int. J. Comput. Netw. Inf. Secur. 8(10), 37 (2016)

  21. Crowder, W., Dunker, N.: Dark cloud network facilitates crimeware. https://www.riskanalytics.com/wp-content/uploads/2017/10/Dark_Cloud_Network_Facilitates_Crimeware.pdf

  22. Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: NDSS (2008)

  23. Hsu, C.-H., Huang, C.-Y., Chen, K.-T.: Fast-flux bot detection in real time. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 464–483. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_24

  24. Jiang, C.B., Li, J.S.: Exploring global IP-usage patterns in fast-flux service networks. JCP 12(4), 371–379 (2017)

  25. Katz, O., Perets, R., Matzliach, G.: Digging deeper - an in-depth analysis of a fast flux network (2017). https://www.akamai.com/us/en/multimedia/documents/white-paper/digging-deeper-in-depth-analysis-of-fast-flux-network.pdf

  26. Lin, H.T., Lin, Y.Y., Chiang, J.W.: Genetic-based real-time fast-flux service networks detection. Comput. Netw. 57(2), 501–513 (2013)

  27. Martinez-Bea, S., Castillo-Perez, S., Garcia-Alfaro, J.: Real-time malicious fast-flux detection using DNS and bot related features. In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust (PST), pp. 369–372. IEEE (2013)

  28. Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: 2008 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 24–31. IEEE (2008)

  29. Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FluXOR: detecting and monitoring fast-flux service networks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 186–206. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70542-0_10

  30. Perdisci, R., Corona, I., Giacinto, G.: Early detection of malicious flux networks via large-scale passive DNS traffic analysis. IEEE Trans. Dependable Secure Comput. 9(5), 714–726 (2012)

  31. Ruohonen, J., Leppänen, V.: Investigating the agility bias in DNS graph mining. In: 2017 IEEE International Conference on Computer and Information Technology (CIT), pp. 253–260. IEEE (2017)

  32. Salusky, W., Danford, R.: Know your enemy: fast-flux service networks. Honeynet Proj. 1–24 (2007)

  33. Soltanaghaei, E., Kharrazi, M.: Detection of fast-flux botnets through DNS traffic analysis. Scientia Iranica. Trans. D Comput. Sci. Eng. Electr. 22(6), 2389 (2015)

  34. Stevanovic, M., Pedersen, J.M., D'Alconzo, A., Ruehrup, S.: A method for identifying compromised clients based on DNS traffic analysis. Int. J. Inf. Secur. 16(2), 115–132 (2017)

  35. Zhou, S.: A survey on fast-flux attacks. Inf. Secur. J. Glob. Perspect. 24(4–6), 79–97 (2015)

Author information

Correspondence to Pierangelo Lombardo.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Lombardo, P., Saeli, S., Bisio, F., Bernardi, D., Massa, D. (2018). Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science, vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_25

  • DOI: https://doi.org/10.1007/978-3-319-99136-8_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99135-1

  • Online ISBN: 978-3-319-99136-8