
Semi-supervised Time Series Modeling for Real-Time Flux Domain Detection on Passive DNS Traffic

  • Conference paper
Machine Learning and Data Mining in Pattern Recognition (MLDM 2014)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 8556)

Abstract

Fast-flux domains are among the most active threat vectors, and their behavior keeps changing to evade existing detection measures. To differentiate malicious flux domains from legitimate services with similar behavior, such as content delivery networks (CDNs) and network time protocol (NTP) services, a novel time series model is created with a set of features that are focused not only on domain name system (DNS) time-to-live (TTL) values but also on the loyalty and entropy of DNS resource records. An offline system is built with big data technology for training the model in a semi-supervised mode. In addition, an online platform is designed and developed to support high-throughput, real-time processing of streaming DNS data with advanced analytics technologies. Feature extraction, classification, accuracy and performance are discussed in this paper based on a large amount of real-world DNS data.
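To make the feature set in the abstract concrete, the following is an added illustration (not the authors' code) that computes per-domain, per-window TTL, distinct-IP, IP-entropy and loyalty features from a handful of constructed passive DNS observations. The exact "loyalty" definition used here (fraction of a window's IPs already seen in earlier windows) is an assumption for illustration, as is the record layout.

```python
import math
from collections import Counter, defaultdict

# Constructed passive DNS observations: (timestamp_s, qname, A-record IP, TTL).
# Sample data made up for this example, not data from the paper.
PDNS = [
    (0,   "flux.example", "198.51.100.10", 60),
    (60,  "flux.example", "198.51.100.77", 60),
    (120, "flux.example", "203.0.113.5",   60),
    (180, "flux.example", "203.0.113.9",   30),
    (0,   "cdn.example",  "192.0.2.1",     60),
    (60,  "cdn.example",  "192.0.2.2",     60),
    (120, "cdn.example",  "192.0.2.1",     60),
    (180, "cdn.example",  "192.0.2.2",     60),
]

def entropy(counter):
    """Shannon entropy (bits) of the IP distribution in one window."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())

def extract_features(records, window=120):
    """Return {qname: [window features...]} in time order.
    loyalty (assumed definition): share of this window's IPs that were already
    observed in an earlier window; a CDN rotating a fixed pool stays loyal,
    while a flux domain that keeps introducing fresh hosts does not."""
    by_domain = defaultdict(list)
    for ts, name, ip, ttl in sorted(records):
        by_domain[name].append((ts, ip, ttl))
    features = {}
    for name, obs in by_domain.items():
        seen, series, w = set(), [], 0
        while w * window <= obs[-1][0]:
            chunk = [o for o in obs if w * window <= o[0] < (w + 1) * window]
            w += 1
            if not chunk:
                continue  # no observations in this window
            ips = Counter(o[1] for o in chunk)
            loyal = sum(1 for ip in ips if ip in seen) / len(ips)
            seen.update(ips)
            series.append({
                "mean_ttl": sum(o[2] for o in chunk) / len(chunk),
                "distinct_ips": len(ips),
                "ip_entropy": round(entropy(ips), 3),
                "loyalty": round(loyal, 3),
            })
        features[name] = series
    return features
```

Note that entropy alone does not separate the two domains here (both spread queries evenly across two IPs per window); the time series of loyalty and TTL is what distinguishes them, which is the point of modelling these features over time rather than from a single snapshot.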




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Yu, B., Smith, L., Threefoot, M. (2014). Semi-supervised Time Series Modeling for Real-Time Flux Domain Detection on Passive DNS Traffic. In: Perner, P. (eds) Machine Learning and Data Mining in Pattern Recognition. MLDM 2014. Lecture Notes in Computer Science(), vol 8556. Springer, Cham. https://doi.org/10.1007/978-3-319-08979-9_20


  • DOI: https://doi.org/10.1007/978-3-319-08979-9_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08978-2

  • Online ISBN: 978-3-319-08979-9

  • eBook Packages: Computer Science (R0)
