Research Of Fast-flux Bot Detection And System Implementation

Botnet is a distributed computing system of bots，which can fulfill attack tasksassigned by network attackers，such as stealing privacy，sending spam emails and lauchingdistributed denial of service． Now botnet become a huge threat to networksecurity．Because of its security risks，researchers pay more and more attention to it．Butnetwork criminals never stay where they are，on the contray，they are studying andapplying many not only newly but deliberately created techniques to botnet，Fast-fluxDNS technique is such a method which was produced specific to botnet，it provide botnethigher availability，reliablity and better stealthy．Fast-flux DNS has many similarcharacters with Round-Robin DNS and CDN，which bring a big challenge to currentsecurity detection systems．After studying the constitution priciples and work mechanisms of Fast-flux botnet，based on those possible distinguishing inherent features，we provide a novle method todetect Fast-flux botnet．This method analyze the control capacity of Fast-flux botnet onbot agent，through actively mine DNS resolution data to calculate uniform distribution ratewhich measure the degree of distribution，and average service rate which measure degreeof availabilty of botnet， this method can identify Fast-flux domains in realtime．Experiment with SVM show that this method has high detection rate and low falsepositive rate．To verify the effectiveness of the provided method，we design and implement aprototype Fast-flux detection system，then deploy the system to our campus network．Theprototype system has four function modules，include data collecting module，datapre-processing module，feature extracting module and classification module．The data ofthe prototype system come from mirror image data of campus border router．The detectionresults show that the provided system can detect Fast-flux bot reliably．...