Fast Flux Domain Detection Using DNS Traffic

Mohammad Akaram, Faizan Ahamad, Shafiqul Abidin

Abstract

Many attacks can affect the services of a DNS server; one such attack is Distributed Denial of Service (DDoS). To avoid such attacks, DNS servers use various techniques such as load balancing, Round Robin DNS, Content Distribution Networks, etc. But cybercriminals use these same techniques to hide their actual network location from the outside world. One such technique is the Fast-Flux Service Network (FFSN), which acts as a layer of proxies for the cybercriminals and makes them hard to trace. FFSN is a major threat to internet security and is used in many illegal scams such as phishing websites, malware delivery, and illegal adult content. Fast flux service networks have a limitation, however: attackers do not have physical control over the compromised PCs.


For the detection of FFSN, two broad approaches have been proposed, namely, (i) using passive network traffic, and (ii) using active network traffic. The problem with detection from active network traffic is that it classifies CDN domains as FFSN domains, because initially an FFSN looks like a CDN. Further, many machine learning algorithms have been used to detect FFSN. In this research, we focus on two problems, namely, (i) the features used for detecting FFSN that help us distinguish FFSN from other networks efficiently, and (ii) finding the best classifier for the detection of FFSN.


This work shows how relevant features extracted from the network traffic help us distinguish FFSN from benign domains. Further, we try to propose the best threshold value for each feature that efficiently detects FFSN while distinguishing it from other benign domains. In this work, we have used five different machine learning algorithms, namely, Decision Tree, Random Forest, SVM, KNN, and Boosted Tree. We then compare the performance of these five machine learning algorithms to find out which one is best at detecting fast flux domains from passive DNS network traffic.
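As an added illustration of the feature-and-threshold approach the abstract describes (this is not the authors' code, and the page does not name their features or thresholds), the example below extracts per-domain features from constructed passive-DNS A-record observations and applies assumed thresholds; the features chosen (distinct IPs, distinct ASNs, minimum TTL, IP churn between lookups) are common fast-flux heuristics, and the ASN-spread test is what keeps a CDN, which looks like FFSN on IP count and TTL alone, on the benign side.

```python
from collections import defaultdict
from typing import NamedTuple

class Obs(NamedTuple):
    """One passive-DNS A-record observation; asn is assumed pre-resolved."""
    domain: str
    ts: int      # epoch seconds of the lookup
    ip: str
    ttl: int
    asn: int

def extract_features(obs: list[Obs]) -> dict[str, dict]:
    """Per-domain features: distinct IPs, distinct ASNs, min TTL, IP churn.
    Churn = share of IPs in later lookups that were absent from the first one;
    a CDN rotates inside one provider's ranges, fast-flux nodes are scattered
    across many ASNs and are swapped out quickly."""
    by_dom = defaultdict(list)
    for o in obs:
        by_dom[o.domain].append(o)
    feats = {}
    for dom, rows in by_dom.items():
        rows.sort(key=lambda r: r.ts)
        first = {r.ip for r in rows if r.ts == rows[0].ts}
        later = [r.ip for r in rows if r.ts != rows[0].ts]
        churn = sum(ip not in first for ip in later) / len(later) if later else 0.0
        feats[dom] = {"n_ips": len({r.ip for r in rows}),
                      "n_asns": len({r.asn for r in rows}),
                      "min_ttl": min(r.ttl for r in rows),
                      "churn": round(churn, 2)}
    return feats

def classify(f: dict, asn_min=3, ttl_max=300, churn_min=0.5) -> str:
    """Assumed thresholds: flag FFSN only when ASN spread, short TTL and
    churn all hold; a CDN with many IPs still fails the ASN test."""
    return "ffsn" if (f["n_asns"] >= asn_min and f["min_ttl"] <= ttl_max
                      and f["churn"] >= churn_min) else "benign"

SAMPLE = [  # constructed observations using documentation address ranges
    Obs("cdn.example", 0, "198.51.100.10", 60, 64496),
    Obs("cdn.example", 0, "198.51.100.11", 60, 64496),
    Obs("cdn.example", 600, "198.51.100.12", 60, 64496),
    Obs("cdn.example", 600, "198.51.100.13", 60, 64496),
    Obs("flux.example", 0, "192.0.2.5", 120, 64500),
    Obs("flux.example", 0, "203.0.113.9", 120, 64501),
    Obs("flux.example", 300, "192.0.2.77", 120, 64502),
    Obs("flux.example", 300, "203.0.113.40", 120, 64503),
]
def run(sample=SAMPLE) -> dict[str, str]:
    return {d: classify(f) for d, f in extract_features(sample).items()}
```

In practice the thresholds would be tuned on labelled passive DNS data, which is the threshold-selection step the abstract refers to.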

Article Details

How to Cite
Mohammad Akaram. (2024). Fast Flux Domain Detection Using DNS Traffic. International Journal on Recent and Innovation Trends in Computing and Communication, 11(11), 1012–1025. Retrieved from https://www.ijritcc.org/index.php/ijritcc/article/view/10577