MalDetect: A Framework to detect Fast Flux Domains
Date
2019
Authors
Mahesh
Chandavarkar, B.R.
Abstract
Performing passive or active attacks through malware-infected systems (bots) while hiding the identity of the attacker, referred to as fast flux, is one of the common threats in the security context. With millions of unsecured systems connected to networks, detecting fast-flux-based attacks is one of the major challenges facing the industry. This paper presents a framework that discriminates fast flux domains from Content Distribution Networks (CDNs) in real time. The proposed framework embeds features such as DNS query response, geographical location of IP addresses, network distinction and delay to detect fast flux domains. Our model has been evaluated using five different machine learning algorithms, of which the Random Forest (RF) algorithm performed best, with an F1 score of 0.9915 and a Matthews Correlation Coefficient of 0.9672. We also experimented with each feature set individually to identify the best-performing feature set for detecting fast flux domains, and observed that the geographical-location-based feature set outperformed the other feature sets with significantly higher accuracy and precision. © 2018 IEEE.
Citation
2018 IEEE Distributed Computing, VLSI, Electrical Circuits and Robotics (DISCOVER 2018) - Proceedings, 2019, pp. 141-146