Abstract
Flux domains are among the most active threat vectors, and their behaviour keeps changing to evade existing detection measures. To differentiate malicious flux domains from legitimate services with similar behaviour, such as content delivery networks (CDNs) and network time protocol (NTP) services, we create a novel time series model with a set of features that focus not only on the domain name system (DNS) time-to-live (TTL) but also on the loyalty and entropy of DNS resource records. An offline system built on big data technology trains the model in a semi-supervised mode. In addition, an online platform is designed and developed to support high-throughput, real-time processing of streaming DNS data with advanced analytics technologies. Feature extraction, classification, accuracy and performance are discussed on the basis of a large amount of real-world DNS data.
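As an added illustration (not the paper's code), the following Python computes the feature family the abstract names, mean TTL, entropy of the resolved IP set and loyalty between consecutive observation windows, over constructed passive DNS A-record observations; the loyalty definition is an assumption, since the abstract does not define it.

```python
"""Added example, not the paper's implementation. Per-domain features from
passive DNS A-record observations. TTL alone cannot separate a CDN from a
flux domain (both use short TTLs); the entropy and loyalty of the resolved
IP set can. 'Loyalty' is an ASSUMED definition: the share of IPs seen in a
window that were already present in the previous window."""
import math
from collections import defaultdict

# Constructed observations: (domain, window index, resolved ip, ttl seconds).
# cdn.example keeps the same two IPs; flux.example rotates to fresh IPs.
OBS = [
    ("cdn.example", 0, "198.51.100.1", 60), ("cdn.example", 0, "198.51.100.2", 60),
    ("cdn.example", 1, "198.51.100.1", 60), ("cdn.example", 1, "198.51.100.2", 60),
    ("cdn.example", 2, "198.51.100.2", 60), ("cdn.example", 2, "198.51.100.1", 60),
    ("flux.example", 0, "203.0.113.10", 60), ("flux.example", 0, "203.0.113.77", 60),
    ("flux.example", 1, "203.0.113.21", 60), ("flux.example", 1, "203.0.113.98", 60),
    ("flux.example", 2, "203.0.113.5", 60), ("flux.example", 2, "203.0.113.140", 60),
]

def windows(obs):
    """Group observations into {domain: {window: [(ip, ttl), ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for dom, win, ip, ttl in obs:
        grouped[dom][win].append((ip, ttl))
    return grouped

def entropy(items):
    """Shannon entropy in bits of the value distribution of `items`."""
    n = len(items)
    counts = defaultdict(int)
    for x in items:
        counts[x] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def features(obs, domain):
    """Return (mean_ttl, ip_entropy, mean_loyalty) over the domain's windows."""
    per_win = windows(obs)[domain]
    ttls = [ttl for recs in per_win.values() for _, ttl in recs]
    ips = [ip for recs in per_win.values() for ip, _ in recs]
    loyalty, prev = [], None
    for win in sorted(per_win):
        cur = {ip for ip, _ in per_win[win]}
        if prev is not None:  # first window has nothing to compare against
            loyalty.append(len(cur & prev) / len(cur))
        prev = cur
    return sum(ttls) / len(ttls), entropy(ips), sum(loyalty) / len(loyalty)
```

Both constructed domains share a 60 s TTL, so only the entropy (1.0 bit versus about 2.58 bits) and loyalty (1.0 versus 0.0) features separate them, which is the point the abstract makes about TTL-only detection.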
© 2014 Springer International Publishing Switzerland
Yu, B., Smith, L., Threefoot, M. (2014). Semi-supervised Time Series Modeling for Real-Time Flux Domain Detection on Passive DNS Traffic. In: Perner, P. (eds) Machine Learning and Data Mining in Pattern Recognition. MLDM 2014. Lecture Notes in Computer Science(), vol 8556. Springer, Cham. https://doi.org/10.1007/978-3-319-08979-9_20
DOI: https://doi.org/10.1007/978-3-319-08979-9_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08978-2
Online ISBN: 978-3-319-08979-9