A machine learning approach for detecting fast flux phishing hostnames

Abstract

Attackers are increasingly using Fast Flux Service Networks (FFSNs), networks of compromised machines, to host phishing websites. In FFSNs, the machines rapidly change such that blacklisting them does not entirely stop the networks from operating the websites. This increases the longevity of the websites thus becoming more harmful. Existing solutions for detecting the websites are limited with relatively low or moderate prediction performances, high prediction time and use of less diversified features which increases their susceptibility to detection evasions. This paper proposes a Machine Learning (ML) based approach for detecting phishing websites hosted in FFSNs using a novel set of 56 features. Compared with previous works, the approach achieves high accuracy, a low detection time and uses highly diversified features to enhance resilience to detection evasion. The effectiveness of the features for prediction was evaluated in the context of binary and multi-class classification tasks using multiple traditional and deep learning ML algorithms. The proposed approach achieves an accuracy of 98.42% and 97.81% for binary and multi-class classification tasks respectively. Our results showed that temporal and DNS based features are the strongest predictors while network and host related features are the weakest. Our approach is a significant step towards tracking of core components of FFSNs with an aim of shutting down the entire phishing ecosystem.