
A Machine Learning Based Approach to Detect Malicious Fast Flux Domain


Sathish A.P. Kumar and B. Xu, "A Machine Learning Based Approach to Detect Malicious Fast Flux Networks", in Proceedings of the 2018 IEEE Symposium Series on Computational Intelligence (IEEE SSCI), Bangalore, 2018

Project 2 – Outline

• Introduction

• Research Objectives

• Malicious Fast Flux Detection Approach

• Preliminary Experimentation and Results

• Summary and Future Work

Fast Flux Domain Security Issues – Introduction

[Figure: fast flux overview showing the Web Client, the Flux Agent, the Fast Flux Domain and the Web Server.]

• A fast flux domain (FFD) is a domain name whose DNS records rotate through IP addresses rapidly;

– rapid changes in the IP address can be used to avoid being detected and/or blocked.

• Fast flux methods have legitimate uses

– as a load-balancing technique for high-availability and high-volume websites.

• However, they are actively being used for malicious and coordinated attacks

– data leaks, DDoS, spam, phishing, and malware delivery.

– FFD can be applied to extend the lifetime and robustness of botnets, which can cause widespread damage.

Research Objectives

– Differentiate malicious FFDs from legitimate services.

– Determine the optimal combination of features for FFD identification and classification.

– Examine the techniques that can provide a low false positive rate

• to increase the overall effectiveness of the algorithms in detecting and classifying FFD.

– Design and develop a time series model

• based on a set of prominent features to detect FFD behavior changes.

Malicious Fast Flux Detection Approach

[Figure: detection flowchart. DNS Queries → Benign Feature Extraction and Selection → "Is Benign?" → "Is Flux Blacklisted?" → Fast Flux SLD Feature Extraction → "Is Flux SLD?" → Flux FQDN Feature Extraction → "Is Flux FQDN?"; the Yes/No decisions end in either "Domain is Benign" or "Domain is Fast Flux".]

– Time series model-based FFD classification and detection approach

• to differentiate malicious FFDs from legitimate services;

• focused on DNS TTL, and on the loyalty and entropy of DNS resource records.

– ML approaches are applied to the data gathered from logs (web gateway, network, SIEM, etc.).

– Collect and use a set of consecutive DNS messages for the FQDN (fully qualified domain name) to determine whether or not it is a flux domain.
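As an added illustration of the approach above (this is not code from Kumar and Xu), the following Python computes per-FQDN features from a run of consecutive DNS answers and runs them through a threshold check in the same way a trained classifier would consume them. The feature names IPs, Ent_Ips and MaxCount follow the slides, but their definitions here, the Jaccard-based loyalty metric, the thresholds in is_flux and the two answer streams are assumptions constructed for this example.

```python
"""Fast-flux features from consecutive DNS answers for one FQDN.

Added example, not the authors' code. Feature definitions, the loyalty
metric, the thresholds and the sample streams are assumptions made here.
"""
from __future__ import annotations

import math
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class DnsAnswer:
    """One DNS response observed for the FQDN: its TTL and the set of A records."""
    ttl: int
    ips: frozenset[str]


def ip_entropy(answers: Sequence[DnsAnswer]) -> float:
    """Shannon entropy (bits) of the IP frequency distribution across all answers.
    A domain that keeps returning the same two addresses scores 1 bit;
    one that cycles through dozens of addresses scores much higher."""
    counts = Counter(ip for a in answers for ip in a.ips)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def loyalty(answers: Sequence[DnsAnswer]) -> float:
    """Mean Jaccard overlap between consecutive answer sets (assumed definition).
    1.0 means the record set never changes; 0.0 means every answer is disjoint from the last."""
    if len(answers) < 2:
        return 1.0
    overlaps = [len(a.ips & b.ips) / len(a.ips | b.ips) for a, b in zip(answers, answers[1:])]
    return statistics.fmean(overlaps)


def extract_features(answers: Sequence[DnsAnswer]) -> dict[str, float]:
    """Feature vector for the window of answers seen so far."""
    return {
        "IPs": len(frozenset().union(*(a.ips for a in answers))),
        "Ent_Ips": ip_entropy(answers),
        "MaxCount": max(len(a.ips) for a in answers),
        "mean_ttl": statistics.fmean([a.ttl for a in answers]),
        "loyalty": loyalty(answers),
    }


def is_flux(f: dict[str, float], *, max_ttl: float = 300, max_loyalty: float = 0.5, min_ips: int = 5) -> bool:
    """Assumed rule of thumb standing in for the trained SVM:
    short TTLs, low loyalty and many distinct IPs together indicate flux."""
    return f["mean_ttl"] <= max_ttl and f["loyalty"] <= max_loyalty and f["IPs"] >= min_ips


def messages_until_flagged(answers: Sequence[DnsAnswer], window: int = 10) -> Optional[int]:
    """Feed answers in arrival order; return the 1-based message count at which
    is_flux first fires, or None. This is detection latency measured in messages."""
    for n in range(window, len(answers) + 1):
        if is_flux(extract_features(answers[:n])):
            return n
    return None


def _ip(n: int) -> str:
    return f"203.0.113.{n}"  # TEST-NET-3: constructed addresses


# Constructed stream: TTL 150 s, four A records per answer, consecutive answers share one address.
FLUX_STREAM = [DnsAnswer(ttl=150, ips=frozenset(_ip(3 * k + j) for j in range(4))) for k in range(12)]
# Constructed stream: TTL 3600 s, the same two A records in every answer.
STABLE_STREAM = [DnsAnswer(ttl=3600, ips=frozenset({"198.51.100.10", "198.51.100.11"})) for _ in range(12)]

if __name__ == "__main__":
    for name, stream in (("flux", FLUX_STREAM), ("stable", STABLE_STREAM)):
        print(name, extract_features(stream), "flagged after", messages_until_flagged(stream))
```

The flux stream is flagged as soon as the first ten-message window is complete, while the stable stream never is; on real data the thresholds would be replaced by the SVM decision, and a CDN domain with short TTLs but a small, recurring address pool would sit between the two streams, which is why the later slides bring in the IPs/ASN rate.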

Experimentation

• Used 1% of the total Farsight Security data records to generate the training set.

• The feature datasets are used to train our SVM model.

• The trained model is applied to classify the remaining 99% of the real domain datasets.

• Python is used to implement the SVM algorithm.

• Seven features were extracted and selected from the true fast flux domains, including Ent_Ips, meanED, MaxCount, MaxTime, IPs and StDevTime; these FF features are used to train the machine learning algorithms.

Experimental Results

• Detection latency

– most FFD were detected in less than 7 days;

– most FFD can be captured within 10 to 100 messages.

• Detection accuracy – the SVM model classified

» 5,282 FFD with 88.03% classification accuracy;

» 88,000 non-FFD with 97.35% classification accuracy.

Experimental Results – Identified FFD

…
img.lediaocha.com.w.kunlunar.com
huishouimages.anewlives.cn.w.kunluna.com
img1.zsgjs.com.y.kunlunle.com
zhibo.ifensi.com.w.alikunlun.com
ad.zhediandian.cn.w.kunlunle.com
…
dface.dface.cn.w.alikunlun.com
cachepackage.mobileanjian.com.m.alikunlun.net
img.qipeiren.com.w.kunlunca.com
down.5dktc.com.w.alikunlun.com
img.rourougo.com.w.kunlunar.com
shop.341.cn.w.kunlunar.com
…
sckean.com.w.kunlunaq.com
img3.xfwed.com.w.alikunlun.com
taxi-1click.ru
…

Experimental Results – Detection of Benign vs Malicious FFD

[Figure: two panels, "IPs/ASN Rate for benign FFD" (y-axis "Rate: IPs / ASN", 0 to 60; x-axis 0 to 1000) and "IPs/ASN Rate for malicious FFD" (y-axis "Rate: IPs / ASN", 0 to 45; x-axis 0 to 100).]

• The IPs/ASN rate for benign FFD is much higher than the IPs/ASN rate for malicious FFD.

– A legitimate CDN rotates many addresses that all sit inside its own few autonomous systems, whereas a botnet's flux agents are compromised hosts scattered across many unrelated networks, so each ASN contributes only a handful of IPs.

• IPs – this feature is the number of IP addresses used by each domain.

– For instance, the domain instancematch.ru has two IP addresses.

• ASN count – the number of distinct autonomous system numbers (ASNs) that a domain's IP addresses fall into.

– For example, the domain gamegamerunger.com had 40 ASNs.
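The IPs/ASN rate, as an added example rather than the authors' code. The prefix-to-ASN table is constructed in memory from documentation prefixes and private-use ASNs, and the two address sets are made up to mirror the slide's observation; a real deployment would resolve ASNs from a BGP routing table or an IP-to-ASN database, which is an assumption about the data pipeline the slide does not describe.

```python
"""IPs/ASN rate for a domain's resolved addresses.

Added example, not the authors' code. The ASN table below is constructed
from documentation prefixes and private-use ASNs; the two address sets are
made up to mirror the slide's observation (benign high, malicious near 1).
"""
from __future__ import annotations

from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

# Constructed longest-prefix table: one CDN-like /24 in a single ASN, and a
# /24 cut into ten /28s each announced by a different ASN (compromised hosts).
ASN_TABLE: list[tuple[IPv4Network, int]] = [(ip_network("203.0.113.0/24"), 64501)] + [
    (ip_network(f"198.51.100.{16 * i}/28"), 64510 + i) for i in range(10)
]


def asn_for(ip: str) -> Optional[int]:
    """Longest-prefix match of ip against ASN_TABLE; None when no prefix covers it."""
    addr = ip_address(ip)
    best: Optional[tuple[IPv4Network, int]] = None
    for net, asn in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return None if best is None else best[1]


def ips_per_asn(ips: Iterable[str]) -> float:
    """Distinct IPs with a known origin ASN divided by the number of distinct ASNs.
    Addresses that match no prefix are dropped from both counts so that
    unroutable or unknown addresses cannot inflate the rate."""
    mapping = {ip: asn_for(ip) for ip in set(ips)}
    known = {ip: asn for ip, asn in mapping.items() if asn is not None}
    if not known:
        return 0.0
    return len(known) / len(set(known.values()))


# Constructed resolutions: a CDN-style domain spreading 32 addresses inside one ASN ...
BENIGN_IPS = [f"203.0.113.{i}" for i in range(32)]
# ... and a flux domain whose ten agents each sit in a different ASN, plus one address outside the table.
MALICIOUS_IPS = [f"198.51.100.{16 * i + 1}" for i in range(10)] + ["192.0.2.1"]

if __name__ == "__main__":
    print("benign IPs/ASN:", ips_per_asn(BENIGN_IPS))        # 32.0
    print("malicious IPs/ASN:", ips_per_asn(MALICIOUS_IPS))  # 1.0
```

Because the rate is a ratio, a flux domain that is still small (two agents in two ASNs) scores the same 1.0 as a large one, so it separates benign from malicious FFD rather than measuring botnet size; the IPs and ASN counts themselves carry that information.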

Summary and Future Work

• Designed and implemented a real-time malicious fast flux domain detection solution based on machine learning techniques.

• The proposed solution

» is able to handle bot herders;

» does not require a sophisticated server to implement.

• Future plan: augment/improve the detection methodology with deep learning technologies to improve FF classification accuracy, speed and scalability.
