Real Time Fast-Flux Service Network Detection in Passive Mode


Bibliographic Details
Main Authors: Shu-Ping Yu, 余淑萍
Other Authors: Chun-Ying Huang
Format: Others
Language: zh-TW
Published: 2012
Online Access: http://ndltd.ncl.edu.tw/handle/95663379561321480683
Description
Summary: Master's thesis === 國立臺灣海洋大學 (National Taiwan Ocean University) === 資訊工程學系 (Department of Computer Science and Engineering) === 100 ===

The rapid development and deployment of the Internet has created a paradise for malicious attackers. In addition to traditional attacks such as phishing, spam, and botnets, modern attackers now leverage the fast-flux technique to prevent their attacks from being shut down by network administrators. Fast-flux techniques improve the lifetime and availability of malicious services. A fast-flux domain name is typically mapped to a large number of IP addresses belonging to compromised personal computers. Because these computers are spread worldwide, the fast-flux domain cannot easily be shut down when only some of them are disconnected from the Internet.

Most existing detection techniques are based on analyzing DNS records. However, these techniques require a long period of time to collect a sufficient number of DNS records and are therefore unable to detect fast-flux domains in real time. Although Hsu et al. proposed a real-time detection solution based on measuring network delays, that solution has to send network probe packets actively, which makes it unsuitable for deployment in a large-scale network.

The goal of this paper is to detect fast-flux domains in a passive and efficient manner, so that the method is applicable not only to a single host but also to detecting fast-flux domains across a large-scale network. By combining features collected from both DNS records and network delays, the proposed solution can differentiate benign from malicious domains within several seconds. Our experiments show that the proposed solution achieves high precision and recall rates (both higher than 0.95) with an error rate lower than 0.05.