Detecting Malicious Fast-Flux Domains Using Feature-based Classification Techniques

Detecting Malicious Fast-Flux Domains Using Feature-based Classification Techniques

In recent years, new generation botnets tend to use an evasion technique based on Domain Name System (DNS) called Fast-Flux Service Network (FFSN) to hide the actual location of their malicious servers. Detection of FFSN continues to be a challenging issue because of the similar behavior between FFSN and other legitimate infrastructures, such as Content Delivery Networks (CDNs) and Round Robin Domain Name System (RRDNS). In this paper, we present a novel approach based on analyzing the passive DNS traffic traces to detect malicious FFSNs. By analyzing DNS traces, we extracted ten key features and employed on the popular machine learning algorithms to build classifiers aim to classify a domain as either malicious flux service or legitimate. The seven among the ten features are first introduced in this study. The effectiveness of selected features is illustrated by comparing the distribution of 95% confidence interval for the mean and standard errors between legit, malware and fast-flux domain names on each feature. The statistical results show that there are discernible biases in the distribution of the feature values between benign and malicious domain names. The experimental results show that our proposed approach achieves the higher detection accuracy and lower false positive rate than the previous methods.