9 research outputs found

    Fast flux botnet detection framework using adaptive dynamic evolving spiking neural network algorithm

    A botnet, a set of compromised machines controlled remotely by an attacker, is the basis of numerous security threats around the world. Command and Control (C&C) servers are the backbone of botnet communications, where the bots and botmasters send reports and attack orders to each other. Botnets are also categorized according to their C&C protocols. A Domain Name System (DNS) method known as Fast-Flux Service Network (FFSN), a special type of botnet, has been used by bot herders to conceal malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain name over time. Although several methods have been suggested for detecting FFSNs, they have low detection accuracy, especially with zero-day domains. In this research, we propose a new system called Fast Flux Killer System (FFKS) that is able to detect FF-Domains in online mode, with an implementation built on the Adaptive Dynamic evolving Spiking Neural Network (ADeSNN). The proposed system proved its ability to detect FF domains in online mode with high detection accuracy (98.77%) compared with other algorithms, with low false positive and false negative rates. It also showed a high level of performance. Additionally, the proposed adaptation of the algorithm enhanced and helped the parameter customization process.

    World-wide cloaking phishing websites detection

    Most known anti-phishing tools are based on a “black-list” system and HTTP headers, but some phishing sites have used the web cloaking technique to avoid possible detection. These kinds of phishing websites show official and trustworthy web content at ordinary times but are triggered by specific keywords on search engines. To counter this phenomenon, a new method based on anonymous, distributed and active probing for detecting cloaking fast-flux phishing websites is presented. This research works on 5 of the top 10 world search engines, which are Bing, Ask, Aol, Lycos and Search. We have two models to detect phishing websites. Model A, based on a local dictionary, searches random keywords through all search engines to detect suspicious websites; Model B determines whether specific URLs are suspicious or not using our detection system.

    Fast Flux Domain Detection Using DNS Traffic

    There are many possible attacks that affect the services of a DNS server; one such type of attack is Distributed Denial of Service (DDoS). To withstand such attacks, DNS servers use various techniques such as load balancing, Round Robin DNS, Content Distribution Networks (CDNs), etc. But cybercriminals use these same techniques to hide their actual network location from the outside world. One such technique is Fast-Flux Service Networks (FFSN), which act like proxies for the cybercriminals and make them untraceable. FFSN is a major threat to internet security and is used in many illegal scams such as phishing websites, malware delivery, illegal adult content, etc. Fast flux service networks have some limitations, as attackers do not have physical control over the compromised PCs. For the detection of FFSN, broadly two approaches have been proposed, namely (i) using passive network traffic, and (ii) using active network traffic. The problem with detection using active network traffic is that it predicts CDN domains as FFSN domains because, initially, an FFSN looks like a CDN. Further, many machine learning algorithms have been used to detect FFSN. In this research, we emphasize two problems, namely (i) the features used for detecting FFSN, which help us distinguish FFSN from other networks efficiently, and (ii) finding the best classifier for detection of FFSN. This work shows how relevant features extracted from the network traffic help us distinguish FFSN from benign domains. Further, we try to propose the best threshold values for each feature that efficiently detect FFSN while distinguishing it from other benign domains. In this work, we have used five different machine learning algorithms, namely Decision Tree, Random Forest, SVM, KNN, and Boosted Tree. Then, we compare the performance of these five machine learning algorithms to find out which is the best one to detect fast flux domains from passive DNS network traffic.

    ADAPT: an anonymous, distributed, and active probing-based technique for detecting malicious fast-flux domains

    Fast-fluxing has been used by attackers to increase the availability of malicious domains and their robustness against detection systems. Since 2008, researchers have proposed a number of methods to detect malicious fast-flux domains; however, they have some common drawbacks in system design, which are as follows: no anonymity, a partial view of the domain, and an inability to detect before an attack takes place. Therefore, to overcome these drawbacks, we propose a new technique called ADAPT, which enables a detection system to collect DNS information about a domain anonymously from all around the globe in a short period of time with fewer resources, using the Tor network. In this thesis, we have developed a prototype of ADAPT, which takes its input from domain zone files to detect in-the-wild malicious fast-flux domains. We defined a flux score formula to propose 10 new detection features. The prototype of ADAPT has scanned over 550,000 .net domains and extracted 20 distinct features for each of the domains. By analyzing the obtained DNS dataset, we observed several new findings and confirmed some new trends reported in previous research. Moreover, our experimental results showed that the prototype of ADAPT has the potential to outperform existing detection systems, with a few modifications and updates in the detection process.

    Fast flux botnet detection based on adaptive dynamic evolving spiking neural network

    A botnet, a set of compromised machines controlled remotely by an attacker, is the basis of numerous security threats around the world. Command and Control (C&C) servers are the backbone of botnet communications, where the bots and botmaster send reports and attack orders to each other, respectively. Botnets are also categorised according to their C&C protocols. A Domain Name System (DNS) method known as Fast-Flux Service Network (FFSN) is a special type of botnet that has been used by bot herders to conceal malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain name over time. Although several methods have been suggested for detecting FFSN domains, they have low detection accuracy, especially with zero-day domains, quite a long detection time, and high memory consumption. In this research we propose a new system called Fast Flux Killer System (FFKA) that is able to detect “zero-day” FF-Domains in online mode, with an implementation built on the Adaptive Dynamic evolving Spiking Neural Network (ADeSNN), and in an offline mode to enhance the classification process, which is a novelty in this field. The adaptation includes the initial weight, testing criteria, parameter customisation, and parameter adjustment. The proposed system is expected to detect fast flux domains in online mode with high detection accuracy and low false positive and false negative rates. It is also expected to have a high level of performance, and the proposed system is designed to work for a lifetime with low memory usage. Three public datasets are used in the experiments to show the effects of the adaptive ADeSNN algorithm: two of them concern the ADeSNN algorithm itself and the last one the process of detecting fast flux domains. The experiments showed improved accuracy when using the proposed adaptive ADeSNN over the original algorithm. It also achieved a high detection accuracy in detecting zero-day fast flux domains, about 99.54% in online mode, when using the public fast flux dataset. Finally, the improvements made to the performance of the adaptive algorithm are confirmed by the experiments.