Conference: Symposium on Chemistry as a second language

Fast-flux Service Network Detection Based on Spatial Snapshot Mechanism for Delay-free Detection


Abstract

Capturing Fast-Flux Service Networks (FFSNs) by temporal variances is an intuitive way to identify rapid changes of DNS records. Unfortunately, features based on temporal variances lead to delayed detection (more than one hour) of FFSNs, which could cause more damage, such as botnet propagation and malware delivery. In this study, we propose a delay-free detection system, the Spatial Snapshot Fast-flux Detection system (SSFD), for identifying FFSNs in real time and alleviating these potential damages. SSFD is able to capture the geographical pattern of hosts as well as map the IP addresses in a DNS response into a geographic coordinate system, revealing FFSNs at the moment. SSFD benefits from two novel spatial measures proposed in this study: spatial distribution estimation and spatial service relationship evaluation. These two measures consider the degree of uniform geographic distribution of infected hosts among FFSNs composed of bots, Content Distribution Networks, and general benign services. After that, a Bayesian network classifier is applied to identify FFSNs, taking joint probability into consideration so that attackers cannot easily evade our proposed detection technique. Our experimental results indicate that the proposed SSFD system is more effective and efficient (within less than 0.5 second), with a lower False Positive rate than flux-score based detection, on one public dataset and two collected datasets.