Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis

Perdisci, Roberto; Corona, Igino; Giacinto, Giorgio
December 2012
IEEE Transactions on Dependable & Secure Computing; Dec 2012, Vol. 9 Issue 5, p714
Academic Journal
In this paper, we present FluxBuster, a novel passive DNS traffic analysis system for detecting and tracking malicious flux networks. FluxBuster applies large-scale monitoring of DNS traffic traces generated by recursive DNS (RDNS) servers located in hundreds of different networks scattered across several different geographical locations. Unlike most previous work, our detection approach is not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists. Instead, FluxBuster is able to detect malicious flux service networks in the wild, i.e., as they are "accessed" by users who fall victim to malicious content, independently of how this malicious content was advertised. We performed a long-term evaluation of our system spanning a period of about five months. The experimental results show that FluxBuster is able to accurately detect malicious flux networks with a low false positive rate. Furthermore, we show that in many cases FluxBuster is able to detect malicious flux domains several days or even weeks before they appear in public domain blacklists.


Related Articles

  • Peer To Peer Association in Content Distribution Network. Aruna, A.; Amrita, D. // International Journal of Advanced Research in Computer Science;Jan/Feb2014, Vol. 5 Issue 1, p145 

    The difficult issue of process and implementing an efficient law for load reconciliation in Content Delivery Networks (CDNs). We tend to base our proposal on a proper study of a CDN system, disbursed through the exploitation of a fluid flow model characterization of the network of SERVERS....

  • Analyzing influence of network topology on designing ISP-operated CDN. Kamiyama, Noriaki; Mori, Tatsuya; Kawahara, Ryoichi; Harada, Shigeaki; Hasegawa, Haruhisa // Telecommunication Systems;Feb2013, Vol. 52 Issue 2, p969 

    The transmission bandwidth consumed by delivering rich content, such as movie files, is enormous, so it is urgent for ISPs to design an efficient delivery system minimizing the amount of network resources consumed. To serve users rich content economically and efficiently, an ISP itself should...

  • Classification of Malicious Domain Names using Support Vector Machine and Bi-gram Method. Davuth, Nhauo; Sung-Ryul Kim // International Journal of Security & Its Applications;Jan2013, Vol. 7 Issue 1, p51 

    Everyday there are millions of domains registered and some of them are related to malicious activities. Recently, domain names have been used to operate malicious networks such as botnet and other types of malicious software (malware). Studies have revealed that it was challenging to keep track...

  • Chasing the DNS Zone-Location Problem. GERBER, BOYD // Windows IT Pro;May2010, Vol. 16 Issue 5, p17 

    The article offers information how to avoid zone replication conflicts on Active Directory (AD)-integrated Domain Name System (DNS) servers on Windows Server 2003. The author discusses how a problem might occur when changes are made to the zone settings that affect the location of the DNS zones....

  • BotCVD: Visual Analysis of DNS Traffic for Botnet Detection. Hongling Jiang; Yiwei Liu; Xiuli Shao // Advances in Information Sciences & Service Sciences;May2012, Vol. 4 Issue 8, p264 

    Botnets become one of the serious threats to the Internet. In this paper, we design a light-weighted approach-BotCVD (Bot Cluster Visual Detector) to detect botnet by visually analyzing DNS traffic. To avoid the confusion of the normal DNS traffic, BotCVD analyzes the features of server-host...

  • Secrets of Windows Server 2008. McCown, Sean // NetworkWorld Asia;Apr2008, Vol. 4 Issue 3, p26 

    The article offers information on Windows Server 2008, popularly known by its codename Longhorn, from Microsoft Corp. It then discusses the impact of Longhorn's final version on the user or the organization. Accordingly, Windows Server 2008 is a significant release for Microsoft and represents...

  • DNS-AD Rescue. Rux, Eric B. // Windows IT Pro;Feb2007, Vol. 13 Issue 2, p27 

    The article suggests solutions to Domain Name Service (DNS)-Active Directory (AD) annoyances. Some of the AD and DNS problems include domain controllers that did not point to a DNS server, missing AD DNS Resource Records, and DNS not being set to accept dynamic updates. It is recommended to have a...

  • Nepenthes Honeypots Based Botnet Detection. Kumar, Sanjeev; Sehgal, Rakesh; Singh, Paramdeep; Chaudhary, Ankit // Journal of Advances in Information Technology;Nov2012, Vol. 3 Issue 4, p215 

    The number of botnet attacks is increasing day by day, and the detection of botnets spreading in the network has become very challenging. Bots have specific characteristics in comparison to normal malware, as they are controlled by a remote master server and usually don't show their...

  • A DISTRIBUTED MECHANISM FOR ECONOMIC MANAGEMENT OF TRANSMISSION INFRASTRUCTURE IN HYBRID CDN-P2P NETWORKS. GARMEHI, Mehran; ANALOUI, Morteza // Economic Computation & Economic Cybernetics Studies & Research;2014, Vol. 48 Issue 3, p195 

    Hybrid CDN-P2P networks blend CDN and P2P technology to benefit from the complementary advantages of these technologies. In these networks, a critical challenge is to construct and maintain multicasting trees to distribute the content from distribution servers to the edge servers, clients and...
