A Machine Learning Based Approach to Detect Malicious Fast Flux Domain
Sathish A.P. Kumar and B. Xu, “A Machine Learning Based Approach to Detect Malicious Fast Flux Networks”, in Proceedings of 2018 IEEE International Symposium Series on Computational Intelligence (IEEE SSCI), Bangalore, 2018
Project 2 – Outline
• Introduction
• Research Objectives
• Malicious Fast Flux Detection Approach
• Preliminary Experimentation and Results
• Summary and Future Work
Fast Flux Domain Security Issues – Introduction
[Figure: Fast Flux Domain diagram showing the Web Client, the Flux Agent and the Web Server]
• Fast flux Domain (FFD) is rapid Internet Protocol (IP) address changes of a domain name managed by the DNS;
– Rapid changes in the IP address can be used to avoid being detected and/or blocked.
• Fast flux methods can be applied for legal uses
– load balancing technique for high- availability needs and high-volume websites.
• However, they are actively being used for malicious and collaborative attacks
– Data leaks, DDoS, spam, phishing, and malware delivery.
– FFD can be applied to improve the lifetime and robustness of botnets, which can cause widespread damage.
Research Objectives
– Differentiate malicious FFDs from legitimate services.
– Determine the optimal combination of features for FFD identification and classification.
– Examine the techniques that can provide a low false positive rate
• To increase the overall effectiveness of the algorithms in detecting and classifying the FFD.
– Design and develop a time series model
• Based on a set of prominent features to detect FFD behavior changes
Malicious Fast Flux Detection Approach
[Figure: detection flowchart. Nodes in order: DNS Queries → Benign Feature Extraction and Selection → Is Benign? → Is Flux Blacklisted? → Fast Flux SLD Feature Extraction → Is Flux SLD? → Flux FQDN Feature Extraction → Is Flux FQDN? Each decision node has Yes/No branches; the two outcomes are "Domain is Benign" and "Domain is Fast Flux".]
– Time series model-based FFD classification and detection approach
• To differentiate malicious FFDs from legitimate services
• Focused on DNS TTL and on the loyalty and entropy of DNS resource records
– ML approaches are applied on the data gathered from logs (web gateway, network, SIEM etc.)
– Collect and use a set of consecutive DNS messages against the FQDN (Fully Qualified Domain Name) to determine whether it is a flux domain or not.
Experimentation
• Used 1% of the total Farsight (Security) data records to generate the training set.
• The feature datasets are used to train our SVM model.
• The trained model is applied to classify the 99% of the real domain datasets.
• Python is used to implement the SVM algorithm
Presenter notes: Extracted and selected seven features in the true fast flux domains: Ent_Ips, meanED, MaxCount, MaxTime, IPs, and StDevTime. These FF features are used to train the machine learning algorithms.
Experimental Results
• Detection Latency
– Most FFD are detected in less than 7 days
– Most of the FFD can be captured within 10 to 100 messages
• Detection Accuracy – the SVM model classified
» 5282 FFD with 88.03% classification accuracy
» 88,000 non-FFD with 97.35% classification accuracy
Experimental Results – Identified FFD
[Table of identified FFD domain names omitted]
Experimental Results – Detection of Benign vs Malicious FFD
[Figure: two panels, y-axis "Rate: IPs / ASN". Left panel "IPs/ASN Rate for benign FFD" (y from 0 to 60, x from 0 to 1000); right panel "IPs/ASN Rate for malicious FFD" (y from 0 to 45, x from 0 to 100).]
• The IPs/ASN rate for benign FFD is much higher than the IPs/ASN rate for malicious FFD
• IPs – This feature represents the IP addresses used by each domain
– For instance, the domain instancematch.ru has two IP addresses
• Autonomous system number count (ASN) is the number of autonomous system numbers each domain has.
– For example, the domain gamegamerunger.com had 40 ASN
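As an added illustration (not code from the paper or the slides), the following Python computes, from a sequence of consecutive DNS answers for one FQDN, per-domain features of the kind the approach relies on: distinct IPs, ASN count, the IPs/ASN rate, entropy of the IP resource records, mean TTL and the spread of inter-change times. It contrasts a constructed CDN-like benign domain (many IPs inside few ASNs) with a constructed botnet-like one (every answer from a different ASN); the feature definitions, the IP_TO_ASN table and the sample answers are assumptions for this example, not the paper's data.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not from the paper): consecutive DNS A-record
# answers for two FQDNs, as (timestamp_seconds, ttl_seconds, answered_ips).
# IP_TO_ASN is a hypothetical IP-to-ASN lookup standing in for a real database.
IP_TO_ASN = {
    "192.0.2.10": 64500, "192.0.2.11": 64500, "192.0.2.12": 64500,
    "192.0.2.13": 64500, "198.51.100.5": 64501, "198.51.100.6": 64501,
    "203.0.113.7": 64502, "203.0.113.9": 64503, "203.0.113.20": 64504,
    "203.0.113.30": 64505,
}
# CDN-like pattern: six distinct IPs, all inside two ASNs, short TTL.
BENIGN_MSGS = [
    (0, 60, ("192.0.2.10", "192.0.2.11")),
    (60, 60, ("192.0.2.12", "192.0.2.13")),
    (120, 60, ("198.51.100.5", "198.51.100.6")),
    (180, 60, ("192.0.2.10", "198.51.100.5")),
]
# Botnet-like pattern: four IPs, each from a different ASN.
MALICIOUS_MSGS = [
    (0, 300, ("203.0.113.7",)),
    (300, 300, ("203.0.113.9",)),
    (600, 300, ("203.0.113.20",)),
    (900, 300, ("203.0.113.30",)),
]

def shannon_entropy(counts):
    """Entropy (bits) of the distribution of answered IPs across all messages."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def extract_features(messages, ip_to_asn):
    """Per-FQDN features in the spirit of the slide deck; exact definitions assumed."""
    ip_counts = Counter(ip for _, _, ips in messages for ip in ips)
    asns = {ip_to_asn[ip] for ip in ip_counts}
    # Timestamps at which the answered IP set differs from the previous message.
    change_times = [cur[0] for prev, cur in zip(messages, messages[1:])
                    if set(cur[2]) != set(prev[2])]
    gaps = [b - a for a, b in zip(change_times, change_times[1:])]
    return {
        "IPs": len(ip_counts),                        # distinct IPs seen
        "ASN": len(asns),                             # distinct ASNs seen
        "IPs_per_ASN": len(ip_counts) / len(asns),    # high for CDN-like, low for scattered
        "Ent_Ips": shannon_entropy(ip_counts),
        "MeanTTL": mean(ttl for _, ttl, _ in messages),
        "StDevTime": pstdev(gaps) if len(gaps) > 1 else 0.0,
    }
```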
Summary and Future Work
• Designed and implemented a real-time malicious fast flux domain detection solution based on machine learning techniques
• Proposed solution would be able
» to handle bot herders
» a sophisticated server is not necessary to implement our approach
• Future Plan: Augment/improve the detection methodology with deep learning technologies to improve the FF classification accuracy, speed and scalability