Botnet Attack Detection Using A Hybrid Supervised Fast-Flux Killer System
Keywords: FFKA, botnet detection, DeSNN
A Fast-Flux Service Network (FFSN) is a DNS-based technique that bot herders use to support malicious botnet activity: the IP addresses behind a domain name are rotated rapidly, which extends the lifetime of the malicious servers and makes them harder to take down. Several methods for detecting FFSN domains have been proposed, but their accuracy remains relatively low, in particular for zero-day domains. This paper proposes a new system, the Fast Flux Killer System (FFKS), for detecting zero-day fast-flux domains. It is built on the Adaptive Dynamic Evolving Spiking Neural Network (ADeSNN) algorithm and is a hybrid that consists of two phases: an offline phase that improves the classification performance of the online phase, and an online phase that detects zero-day domains using the learning outcomes of the offline phase. The system is compared with previously published work that used the same ADeSNN algorithm in a purely supervised detection mode, in order to show improved performance in detecting malicious domains. A public dataset is used to evaluate the hybrid ADeSNN algorithm. The experiments show that the hybrid ADeSNN achieves higher accuracy than the supervised one, detecting zero-day fast-flux domains with 99.54% accuracy in online mode.
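As an added illustration of the DNS evidence a fast-flux detector works from (example code written for this page, not the paper's ADeSNN classifier or its two-phase system), the following Python extracts per-domain features from constructed passive-DNS observations and applies a simple threshold rule. The domain names, addresses, the use of a /16 prefix as an offline stand-in for the origin AS, and the thresholds are all assumptions made for the example. It also shows the classic false-positive trap: a CDN-fronted domain has short TTLs and several addresses too, so TTL alone cannot separate it from a fluxing domain.

```python
"""Feature extraction for fast-flux domain detection over passive-DNS data.

Added example: the DNS records, domain names and the threshold rule are
constructed for illustration and are not the paper's ADeSNN classifier.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsObservation:
    """One A-record lookup of a domain as seen in passive DNS."""
    domain: str
    ts: int                     # seconds since start of capture
    ttl: int                    # TTL of the A records in the response
    a_records: Tuple[str, ...]  # IPv4 addresses returned


# Constructed observations (not real data).
OBSERVATIONS = [
    # Hypothetical fast-flux domain: each lookup returns a fresh set of
    # addresses scattered over unrelated networks, with a short TTL.
    DnsObservation("flux.example", 0, 120, ("203.0.113.10", "198.51.100.7", "192.0.2.33")),
    DnsObservation("flux.example", 120, 90, ("203.0.113.44", "198.51.100.90", "10.20.5.6")),
    DnsObservation("flux.example", 240, 150, ("10.77.1.9", "198.51.100.12", "192.0.2.60")),
    DnsObservation("flux.example", 400, 60, ("10.33.8.2", "203.0.113.201", "192.0.2.5")),
    # Hypothetical CDN-fronted domain: also a short TTL and several
    # addresses, but all from the provider's own network and mostly stable.
    DnsObservation("cdn.example", 0, 60, ("198.51.100.20", "198.51.100.21")),
    DnsObservation("cdn.example", 60, 60, ("198.51.100.20", "198.51.100.21")),
    DnsObservation("cdn.example", 120, 60, ("198.51.100.22", "198.51.100.21")),
    DnsObservation("cdn.example", 180, 60, ("198.51.100.22", "198.51.100.21")),
    # Hypothetical ordinary hosted domain: one address, long TTL.
    DnsObservation("static.example", 0, 86400, ("192.0.2.8",)),
    DnsObservation("static.example", 86400, 86400, ("192.0.2.8",)),
]


def network_key(ip: str) -> str:
    """/16 prefix as an offline stand-in for the address's origin AS
    (a real detector would resolve each IP to its ASN)."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def extract_features(observations: List[DnsObservation]) -> Dict[str, Dict[str, float]]:
    """Per-domain features commonly used for fast-flux detection."""
    by_domain: Dict[str, List[DnsObservation]] = {}
    for obs in observations:
        by_domain.setdefault(obs.domain, []).append(obs)

    features: Dict[str, Dict[str, float]] = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r.ts)
        ips = {ip for r in rows for ip in r.a_records}
        nets = {network_key(ip) for ip in ips}
        # Churn: fraction of consecutive lookups whose answer set changed.
        changes = sum(1 for a, b in zip(rows, rows[1:]) if set(a.a_records) != set(b.a_records))
        churn = changes / (len(rows) - 1) if len(rows) > 1 else 0.0
        features[domain] = {
            "lookups": len(rows),
            "distinct_ips": len(ips),
            "distinct_networks": len(nets),
            "min_ttl": min(r.ttl for r in rows),
            "ip_churn": round(churn, 2),
        }
    return features


def is_fast_flux(f: Dict[str, float]) -> bool:
    """Illustrative threshold rule (constructed, not the paper's classifier).
    A low TTL alone is not enough, because CDNs use short TTLs too; also
    require addresses spread over several networks and a changing answer set."""
    return f["min_ttl"] <= 300 and f["distinct_networks"] >= 3 and f["ip_churn"] >= 0.5


def classify(observations: List[DnsObservation]) -> Dict[str, bool]:
    """Map each domain in the observations to a fast-flux verdict."""
    return {d: is_fast_flux(f) for d, f in extract_features(observations).items()}


if __name__ == "__main__":
    for domain, f in extract_features(OBSERVATIONS).items():
        print(domain, f, "FAST-FLUX" if is_fast_flux(f) else "benign")
```

On the constructed data only flux.example is flagged: its twelve addresses fall in six different /16 networks and every consecutive lookup changed the answer set, whereas cdn.example stays inside one network with a churn of 0.33 and static.example never changes. In practice the ASN and network diversity features carry most of the weight for exactly this reason, and the hand-written thresholds here are what a learned classifier such as the paper's ADeSNN replaces.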