Analyzing the dynamics behavior of fast-flux dmain name system through visualization

Abstract

As attempts to thwart cyber crime have intensified, so have innovations in how cybercriminals’ provision their infrastructure to dodge detection and take-down. Today, a growing, sophisticated technique called Fast-Flux Service Networks (FFSN) poses a major problem to Internet security. They are increasingly used in many illegal practices including money mule recruitment sites, distribution of malware downloads, illegal adult content and other forms of Internet fraud. Essentially, FFSN were first used as a Domain Name Server (DNS) switching mechanism that combine distributed command and control, web-based load-balancing, and proxy redirection. However, cybercriminals are making use of this technology to cover their tracks and avoid detection. As such, their criminal infrastructures stay up longer to get more victims. These issues are tackled by investigating the dynamics of FFSN by using k-Nearest Neighbor (kNN) classification method and data visualization technique. This combination can assist network administrators and security analyst to recognize the threats more easily and efficiently. In this study, over 500 domains are collected and monitored. By applying kNN classifier to the trained data, the presence of Single-Flux (SF), NS-Flux (NSF), and Double-Flux (DF) are observed. Subsequently, by scrutinizing and visualizing these fluxing domain names, the new types of fluxing designated as NS-Name-Flux(NF) and Nested-NS-Flux (NNF) are discovered. The analysis results of both NF and NNF exposed that FFSN have become extensively sophisticated and dynamic. This exemplifies that visualization is an alternative and effective data exploration method for understanding the complex behaviors of FFSN.