Fast-Flux Malicious Domain Name Detection Method Based on Multimodal Feature Fusion

doi:10.3969/j.issn.1671-1122.2022.04.003

Abstract

Abstract:

Fast-Flux malicious domain name is an important technique in Botnet communication which aims to resist detection by quickly changing the resolved IP address of the domain. At present, most of the malicious domain name detection methods are based on the traditional machine learning models. These methods need complex data processing, feature extraction, and the help of a large amount of third-party data, which greatly reduces the efficiency of detection. Domain name resolution is a very complex process with rich features, this paper designed a Fast-Flux malicious domain name detection method based on multi-modal feature fusion using deep learning. Firstly, a GCN module was used to extract spatial features, and a BiLSTM module was used to extract text features. Secondly, an MLP module was used to extract side information features. Thirdly, the three kinds of features were fused using neural networks structure. This paper has conducted experiments on the Fast-Flux-Attack-Datasets, the experimental results show that this method achieves the accuracy of 99.94% with recall of 99.76% and precision of 99.69%, which is better than the state-of-the-art methods at present. The method effectively fuses multimodal features, and promotes the performance of Fast-Flux domain name detection, and is meaningful for enhancing the capability of Botnet detection.

Key words: Fast-Flux malicious domain name detection, Botnet, GCN, multimodal feature

CLC Number:

TP309

LANG Bo, XIE Chong, CHEN Shaojie, LIU Hongyu. Fast-Flux Malicious Domain Name Detection Method Based on Multimodal Feature Fusion[J]. Netinfo Security, 2022, 22(4): 20-29.

Figures/Tables 9

References 21

[1]	FEILY M, SHAHRESTANI A, RAMADASS S. A Survey of Botnet and Botnet Detection[C]// IEEE. 2009 Third International Conference on Emerging Security Information, Systems and Technologies. New York: IEEE, 2009: 268-273.
[2]	NAZARIO J, HOLZ T. As the Net Churns: Fast-Flux Botnet Observations[EB/OL]. (2008-10-07)[2020-12-27]. https://ieeexplore.ieee.org/document/4690854 .
[3]	HOLZ T, GORECKI C, RIECK K, et al. Measuring and Detecting Fast-Flux Service Networks[EB/OL]. (2008-01-01)[2021-01-22]. https://www.researchgate.net/publication/221655419_Measuring_and_Detecting_Fast-Flux_Service_Networks .
[4]	PASSERINI E, PALEARI R, MARTIGNONI L, et al. Fluxor: Detecting and Monitoring Fast-Flux Service Networks[C]// Springer. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Heidelberg: Springer, 2008: 186-206.
[5]	HSU C H, HUANG Chunying, CHEN K T. Fast-Flux Bot Detection in Real Time[C]// Springer. International Workshop on Recent Advances in Intrusion Detection. Heidelberg: Springer, 2010: 464-483.
[6]	NIU Weina, JIANG Tianyu, ZHANG Xiaosong, et al. Fast-Flux Botnet Detection Method Based on Spatiotemporal Feature of Network Traffic[J]. Journal of Electronics & Information Technology, 2020, 42(8): 1872-1880.
	牛伟纳, 蒋天宇, 张小松, 等. 基于流量时空特征的fast-flux僵尸网络检测方法[J]. 电子与信息学报, 2020, 42(8): 1872-1880.
[7]	ALMOMANI A, AL-NAWASRAH A, ALAUTHMAN M, et al. Botnet Detection Used Fast-Flux Technique, Based on Adaptive Dynamic Evolving Spiking Neural Network Algorithm[J]. International Journal of Ad Hoc and Ubiquitous Computing, Inderscience Publishers (IEL), 2021, 36(1): 50-65.
[8]	TRUONG D T, TRAN D T, HUYNH B. Detecting Malicious Fast-Flux Domains Using Feature-Based Classification Techniques[J]. Journal of Internet Technology, 2020, 21(4): 1061-1072.
[9]	ALMOMANI A. Fast-Flux Hunter: A System for Filtering Online Fast-Flux Botnet[J]. Neural Computing and Applications, 2018, 29(7): 483-493.
[10]	HUANG Siyu, MAO C H, LEE H M. Fast-Flux Service Network Detection based on Spatial Snapshot Mechanism for Delay-Free Detection[C]// ACM. 5th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2010: 101-111.
[11]	AL-DUWAIRI B, JARRAH M, SHATNAWI A. PASSVM: A Highly Accurate Online Fast Flux Detection System[EB/OL]. (2020-06-05)[2021-04-11]. https://www.researchgate.net/publication/341998237_PASSVM_A_Highly_Accurate_Online_Fast_Flux_Detection_System .
[12]	LOMBARDO P, SAELI S, BISIO F, et al. Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic[C]// Springer. International Conference on Information Security. Heidelberg: Springer, 2018: 463-480.
[13]	CHANDAVARKAR B R. MalDetect: A Framework to Detect Fast Flux Domains[C]// IEEE. Distributed Computing, VLSI, Electrical Circuits and Robotics (DISCOVER). New York: IEEE, 2018: 141-146.
[14]	CHEN Xunxun, LI Gaochao, ZHANG Yongzheng, et al. A Deep Learning Based Fast-Flux and CDN Domain Names Recognition Method[C]// ACM. Proceedings of the 2019 2nd International Conference on Information Science and Systems. New York: ACM, 2019: 54-59.
[15]	XU Bingbing, CEN Keting, HUANG Junjie, et al. A Survey on Graph Convolutional Neural Network[J]. Chinese Journal of Computers, 2020, 43(5): 755-780.
	徐冰冰, 岑科廷, 黄俊杰, 等. 图卷积神经网络综述[J]. 计算机学报, 2020, 43(5): 755-780.
[16]	ZHAUNIAROVICH Y, KHALIL I, YU Ting, et al. A Survey on Malicious Domains Detection through DNS Data Analysis[J]. ACM Computing Surveys (CSUR), 2018, 51(4): 1-36.
[17]	WANG Jiajia, CHEN Yu. Fast-Flux Detection Method Based on DNS Attribute[EB/OL]. (2019-12-18)[2021-05-13]. https://iopscience.iop.org/article/10.1088/1742-6596/1325/1/012049/pdf .
[18]	Github. CDN Domain[EB/OL]. (2018-08-14)[2021-01-21]. https://github.com/vysecurity/DomainFrontingLists .
[19]	HUANG Siyu. Fluxor Public Datase[EB/OL]. (2013-12-05)[2021-01-21]. https://sites.google.com/site/huangpublication/datasets/-1-fast-flux-attaack-datasets .
[20]	Phishstats. Phishstats[EB/OL]. (2021-01-20)[2021-02-23]. https://phishstats.info/ .
[21]	ALEXA. Alexa Domain[EB/OL]. (2019-12-18)[2021-02-23]. https://www.alexa.com/ .

数据集名称	训练集			测试集
数据集名称	Alexa 域名数 /个	CDN 域名数 /个	Fast-Flux恶意域名数 /个	Alexa 域名数 /个	CDN 域名数 /个	Fast-Flux 恶意域名数 /个
fast-flux-attack- datasets	7500	7500	15000	2500	2500	5000
my_dataset	975	975	1950	325	325	650

模型方法	精确率	召回率	准确率
Flux-score	96.32%	92.87%	99.75%
本文方法	99.94%	99.76%	99.69%

模型方法	精确率	召回率	准确率
Flux-score	54.88%	100%	42.39%
FluxOR	68.79%	66.39%	70.84%
FCDR	90.23%	90.29%	90.16%
本文方法	91.07%	91.15%	91.02%

特征	fast-flux-attack-datasets	my_dataset
空间特征	74.40%	59.30%
文本特征	97.82%	87.35%
侧信息特征	96.62%	68.06%
空间特征+文本特征	99.62%	88.19%
空间特征+侧信息特征	98.86%	69.37%
文本特征+侧信息特征	99.84%	89.74%
空间特征+文本特征+侧信息特征	99.94%	91.07%