FluXOR: Detecting and Monitoring Fast-Flux Service Networks (presentation transcript)
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi, DIMVA 2008


Slide 1: FluXOR: Detecting and Monitoring Fast-Flux Service Networks
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi
5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2008)
Date: 2011/02/14
Reporter: Shu-Ping, Yu
Advisor: Chun-Ying, Huang
E-mail: b94570036@mail.ntou.edu.tw

Slide 2: Outline
- Introduction
- Characterizing Fast-Flux Service Networks
- Combining the Features for Detection
- Architecture and Implementation of the System
- Experimental Results
- Conclusion

Slide 3: Introduction
- Malware
  – Written with malicious intent
  – Gets "installed" on victim machines => bots
  – Used for spam mail, DDoS attacks, and phishing websites
- Fast-Flux Service Networks
  – Related techniques: Round-Robin DNS (RRDNS), Content Distribution Networks (CDNs), network load balancing
- FluXOR system
  – Detects and monitors fast-flux service networks
  – Uses 9 distinguishing features

Slide 4: Comparison of Normal Network and Fast-Flux Network

Slide 5: Characterizing Fast-Flux Service Networks

Slide 6: Features Characterizing the Domain Name
- Domain age (F1)
  – Benign domain => long age
  – Malicious domain => registered a short time ago, less than five weeks
- Domain registrar (F2)
  – Malicious domains are registered through a limited number of registrars
  – Typically registrars in jurisdictions with lax legislation

Slide 7: Features Characterizing the Degree of Availability of the Network
- Number of distinct DNS "A" records (F3)
  – A query returns multiple "A" records
  – The fast-flux mother-ship keeps updating them
  – "A" records ↑ => Fast-Flux likelihood ↑
- Time-to-live of DNS resource records (F4)
  – Agents are updated very frequently
  – Hence a short time-to-live (TTL)
  – TTL ↑ => Fast-Flux likelihood ↓

Slide 8: Features Characterizing the Heterogeneity of the Agents
- Number of distinct networks (F5)
  – Agents are spread around the world => different networks
  – Benign => same network
  – Distinct networks ↑ => Fast-Flux likelihood ↑
- Number of distinct autonomous systems (F6)
  – Distinct networks that are physically close => same AS
  – Benign => same AS
  – Fast-Flux => different ASes

Slide 9: Features Characterizing the Heterogeneity of the Agents (cont.)
- Number of distinct resolved qualified domain names (F7)
  – Benign hosts are owned by the same company or organization
- Number of distinct assigned network names (F8)
  – Multiple network addresses => same network name
- Number of distinct organizations (F9)
  – The same organization can own multiple network names

Slide 10: Features Characterizing the Heterogeneity of the Agents (cont.)

Slide 11: Combining the Features for Detection
- Features are extracted over a short period of time => 3 hours
  – 75 benign and 215 malicious hostnames
- Naive Bayesian classifier
  – Training data: malicious (from spam mail), benign (from spam and non-spam mail)
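As an added example, not code from the paper or from this talk, the Python below computes the availability (F3, F4) and heterogeneity (F5 to F9) features for one hostname from the A records seen over the monitoring window, and applies the two-or-fewer-IPs pre-filter mentioned on the Detection Accuracy slide before any WHOIS-style lookups. The WHOIS table, the /24 approximation of a "network", the host-label split for F7 and the observations are constructed assumptions.

```python
# Added example, not code from the FluXOR paper or this talk: F3..F9 for one
# hostname from the A records observed during the monitoring window, after the
# slide-15 pre-filter (two or fewer distinct IPs => benign, skip WHOIS lookups).
from collections import namedtuple
import ipaddress

Answer = namedtuple("Answer", "ip ttl")          # one A record from one query

# Constructed stand-in for the WHOIS/reverse-DNS lookups a FluXOR monitor performs:
# ip -> (autonomous system, assigned network name, organization, reverse name)
WHOIS = {
    "198.51.100.7": (64500, "NET-A", "ISP A", "h7.dyn.isp-a.example"),
    "203.0.113.40": (64501, "NET-B", "Cable B", "cpe40.cable-b.example"),
    "192.0.2.200":  (64502, "NET-C", "Telco C", "c200.telco-c.example"),
    "192.0.2.5":    (64503, "CDN-NET", "CDN Inc", "edge5.cdn.example"),
    "192.0.2.6":    (64503, "CDN-NET", "CDN Inc", "edge6.cdn.example"),
    "192.0.2.7":    (64503, "CDN-NET", "CDN Inc", "edge7.cdn.example"),
}

def extract_features(observations):
    """observations: the A-record sets returned by successive queries of one
    hostname over the window.  Returns None when the pre-filter treats the
    host as benign, otherwise a dict with F3..F9."""
    answers = [a for query in observations for a in query]
    ips = {a.ip for a in answers}
    if len(ips) <= 2:                       # slide 15: <= 2 IPs => benign
        return None
    info = [WHOIS[ip] for ip in ips]        # one WHOIS-style lookup per distinct IP
    return {
        "F3_distinct_a_records": len(ips),
        "F4_min_ttl": min(a.ttl for a in answers),
        # assumption: a 'network' is approximated by the /24 of the address
        "F5_distinct_networks": len({ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}),
        "F6_distinct_as": len({asn for asn, _, _, _ in info}),
        # assumption: the 'qualified domain name' is the reverse name minus its host label
        "F7_distinct_domains": len({rname.split(".", 1)[1] for _, _, _, rname in info}),
        "F8_distinct_network_names": len({net for _, net, _, _ in info}),
        "F9_distinct_organizations": len({org for _, _, org, _ in info}),
    }

# Constructed observations: three queries over the window for each hostname.
FLUX_HOST = [[Answer("198.51.100.7", 300), Answer("203.0.113.40", 300)],
             [Answer("203.0.113.40", 300), Answer("192.0.2.200", 300)],
             [Answer("192.0.2.200", 300), Answer("198.51.100.7", 300)]]
CDN_HOST = [[Answer("192.0.2.5", 60), Answer("192.0.2.6", 60), Answer("192.0.2.7", 60)]] * 3
SMALL_HOST = [[Answer("192.0.2.5", 3600), Answer("192.0.2.6", 3600)]] * 3

if __name__ == "__main__":
    for name, obs in [("flux", FLUX_HOST), ("cdn", CDN_HOST), ("small", SMALL_HOST)]:
        print(name, extract_features(obs))
```

The CDN sample shows why the slides combine features: its TTL (F4) is as short as a fast-flux host's, but every address sits in one network, one AS and one organization.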

Slide 12: Architecture and Implementation of the System
- Three components
  – Collectors (1~n), monitors (1~n), detector (1)

Slide 13: Components
- Collectors
  – Current: emails; future: web crawlers, honeypots
- Monitors
  – Track suspicious and malicious hostnames
  – Query name servers and WHOIS servers
- Detector
  – Naive Bayesian classifier

Slide 14: Experimental Results
- Ran the FluXOR system
  – From the beginning to the middle of January
  – Monitors and detector on the same machine
  – Collectors on the mail server of the lab

Slide 15: Detection Accuracy
- Extract the features
  – After one, two, and three hours
  – Training dataset (50 benign + 75 malicious)
  – Cross-validation with 5 and 10 folds
- Filter out benign hostnames
  – Those resolving to only two or fewer IP addresses
- Some fast-flux networks
  – After 1 hour: 3~5 IPs; after 3 hours: 7~8 IPs
  – After several days: hundreds of hosts
- Zero false positives

Slide 16: Empirical Analysis of the Fast-Flux Service Networks Phenomenon

Slide 17: Conclusion - Advantages
- Distinguishing features
  – DNS information such as domain age and registrar
- Improvement for long TTL times
  – Detection within 1~3 hours
- Effectiveness
  – Accuracy rate is 100%

Slide 18: Conclusion - Limitations
- Detection delay
  – Must wait 1~3 hours to extract the features
- Long TTL problem
  – If the TTL of a fast-flux network is even longer
- Efficiency problem
  – A large number of WHOIS queries


