Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection

Abstract

Capturing Fast-Flux Service Networks (FFSNs) by temporal variances is an intuitive way for seeking to identify rapid changes of DNS records. Unfortunately, the features regard to temporal variances would lead to the delay detection (more than one hour) of FFSN which could cause more damages, such as Botnet propagation and malware delivery. In this study, we proposed a delay-free detection system, Spatial Snapshot Fast-flux Detection system (SSFD), for identifying FFSN in real time and alleviating these potential damages. SSFD is capable to capture the geographical pattern of hosts as well as mapping IP addresses in a DNS response into geographic coordinate system for revealing FFSNs at the moment. The SSFD benefits from two novel spatial measures proposed in this study -- spatial distribution estimation and spatial service relationship evaluation. These two measures consider the degree of uniform geographic distribution of infected hosts among FFSN composed of Bots, Content Distribution Network and general benign services. After that, Bayesian network classifier is applied to identify the FFSNs with the joint probability consideration against evading our proposed detection technique easily for attackers. Our experiment results indicate that the proposed SSFD system is more effective and efficient (within less than 0.5 second) with lower False Positive rate than flux-score based detection through one public dataset and two collected datasets.