Volume 12 Number 4 (Jul. 2017)
JCP 2017 Vol.12(4): 371-379 ISSN: 1796-203X
doi: 10.17706/jcp.12.4.371-379

Exploring Global IP-Usage Patterns in Fast-Flux Service Networks

Ci-Bin Jiang, Jung-Shian Li
Department of Electrical Engineering, Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan City 701, Taiwan.
Abstract—In recent years, hackers have increasingly used fast-flux techniques to extend the lifetime of malware networks in order to conduct various Advanced Persistent Threat (APT) activities. Such activities typically target nations and/or organizations for business or political motives and have the potential to cause immense disruption. Thus, it is essential to study the fast-flux service network (FFSN) and find possible attack behaviors. The literature contains various proposals for FFSN detection. However, these methods are either out of date in terms of the features they use for detection purposes or are unworkable under a new FFSN architecture identified in this study (denoted as N-flux networks), in which the IP addresses are swapped in and out at a speed normally associated with benign domains. Accordingly, the present study proposes a two-stage FFSN detection scheme in which a data mining algorithm is employed initially to detect possible FFSNs and a shared-domain detection algorithm is then applied to identify the nature of the FFSN through an analysis of its malware connections. The feasibility of the proposed scheme is demonstrated by analyzing five real-world datasets. It is shown that the proposed scheme achieves both a higher detection accuracy and a lower detection delay than existing schemes such as GRADE, Flux-Score, FFBD and SSFD.

Index Terms—Advanced persistent threat (APT), fast-flux service network (FFSN), N-flux, data mining.

Cite: Ci-Bin Jiang, Jung-Shian Li, "Exploring Global IP-Usage Patterns in Fast-Flux Service Networks," Journal of Computers, vol. 12, no. 4, pp. 371-379, 2017.

General Information

ISSN: 1796-203X
Abbreviated Title: J.Comput.
Frequency: Bimonthly
Editor-in-Chief: Prof. Liansheng Tan
Executive Editor: Ms. Nina Lee
Abstracting/Indexing: DBLP, EBSCO, ProQuest, INSPEC, ULRICH's Periodicals Directory, WorldCat, etc.
E-mail: jcp@iap.org