
Graduate student: 王宏澤 (Horng-Tzer Wang)
Thesis title: 基於區域性及空間性之地理定位概念即時偵測Fast-flux網路服務的系統與方法
English title: Fast-flux Service Networks Real-time Detection via Localized Spatial Geolocation Modeling
Advisor: 李漢銘 (Hahn-Ming Lee)
Oral examination committee: 李育杰 (Yuh-Jye Lee), 鄭博仁 (Bor-Ren Jeng), 鮑興國 (Hsing-Kuo Pao), 林豐澤 (Feng-Tse Lin)
Degree: Master
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering)
Year of publication: 2012
Academic year of graduation: 100 (ROC calendar)
Language: English
Pages: 98
Chinese keywords (translated): botnet, domain name system attack, Markov model, similarity, malicious software
Foreign keywords: Markov model, dissimilarity measure, malicious software, Fast-flux DNS Attack, Botnet
Views: 194; downloads: 3
Abstract (translated from Chinese):
Fast-Flux service networks are one of the newest botnet problems today. Fast-Flux uses DNS attack techniques to turn victim hosts into stepping stones, and by rapidly and dynamically changing the IP addresses that the victim hosts resolve to, it recruits more victim hosts and hides itself behind proxy servers, so that it cannot be detected by blacklisting. As the Internet grows and Fast-Flux techniques become more prevalent, the number of victim hosts rises accordingly, and as infected hosts multiply, more users' personal information is taken and misused by attackers. This thesis therefore proposes a real-time Fast-Flux detection technique, so that users learn immediately that a website is problematic, reducing the number of victimized users.

This thesis proposes a system based on the concepts of spatial and localized geolocation to achieve real-time Fast-Flux detection. In real environments, we observe that attackers cannot choose the locations of the victim hosts they infect, whereas benign websites can choose where their hosts are located. Based on this observed behavioral difference, we apply the concept of partitioning the Earth's surface into a grid to judge the spatial geolocation distribution among hosts more precisely. In addition, because infected victim hosts are spread across different Internet service providers, we count the number of distinct autonomous system numbers that the hosts map to; this compensates for the shortcomings of the spatial feature and captures the localized geolocation dispersion among hosts. Finally, we use a Bayesian network classifier to evaluate the spatial and localized geolocation feature information, achieving real-time Fast-Flux detection. Experimental results show that the proposed method has a lower false positive rate and higher accuracy.


Abstract (English):
Fast-Flux Service Networks (FFSNs), broadly used by botnets, are an evasive technique for conducting malicious behavior through rapid activity. FFSN detection often performs poorly and produces a high incidence of false positives because an FFSN resembles a content distribution network (CDN), whose behavior is normal load balancing. In this study, we propose a localized spatial geolocation detection (LSGD) system for identifying FFSNs in real time. We believe that the grid distribution of LSGD provides a precise spatial locating capability for profiling the spatial relations among IP address resolutions. Furthermore, autonomous system numbers (ASNs) are used to strengthen the localized geographic characteristics. The proposed system, combining LSGD, ASNs, and domain name system (DNS) information, identifies potential FFSNs effectively. Our experimental results show that the proposed LSGD system has better detection capability than state-of-the-art spatial or temporal detection approaches, with a lower false positive rate in real-time detection than the approach based on a spatial snapshot alone.
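The two dispersion features the abstract describes (grid cells occupied by a domain's resolved IPs, and distinct ASNs among them) can be sketched in a few dozen lines. The following is an added illustration, not code from the thesis: the 10-degree grid, the 'low'/'high' ratio threshold, the sample resolutions (documentation IP ranges and documentation ASNs) and the training set are all constructed assumptions, and a categorical naive Bayes stands in for the thesis's Bayesian network classifier.

```python
"""Localized spatial geolocation features for fast-flux detection.

Added illustration, not the thesis's code. Assumed: a 10-degree grid
(the thesis's real cell size is not stated on the page), the ratio
threshold, the constructed resolutions and training data, and a naive
Bayes classifier in place of the thesis's Bayesian network classifier.
"""
import math
from collections import Counter
from dataclasses import dataclass

GRID_DEG = 10.0        # assumed cell size in degrees
RATIO_THRESHOLD = 0.5  # assumed cut-off between 'low' and 'high' dispersion


@dataclass(frozen=True)
class Resolution:
    """One A-record resolution with its geolocation and origin ASN."""
    ip: str
    lat: float
    lon: float
    asn: int


def grid_cell(lat, lon, cell_deg=GRID_DEG):
    """Map a coordinate onto a cell_deg x cell_deg lattice over the globe."""
    return (math.floor((lat + 90.0) / cell_deg),
            math.floor((lon + 180.0) / cell_deg))


def extract_features(resolutions, cell_deg=GRID_DEG):
    """Spatial (grid) and localized (ASN) dispersion of a domain's IPs.

    Ratios are normalised by the number of distinct IPs so that a large
    CDN does not look dispersed merely because it returns many addresses.
    """
    ips = {r.ip for r in resolutions}
    cells = {grid_cell(r.lat, r.lon, cell_deg) for r in resolutions}
    asns = {r.asn for r in resolutions}
    return {"n_ip": len(ips), "n_cell": len(cells), "n_asn": len(asns),
            "cell_ratio": len(cells) / len(ips),
            "asn_ratio": len(asns) / len(ips)}


def discretize(features, threshold=RATIO_THRESHOLD):
    """Bin the two ratio features into 'low'/'high' for the classifier."""
    return {k: ("high" if features[k] >= threshold else "low")
            for k in ("cell_ratio", "asn_ratio")}


class NaiveBayes:
    """Categorical naive Bayes with add-one smoothing."""

    def __init__(self):
        self.class_counts = Counter()
        self.feature_counts = Counter()  # (label, feature, value) -> count
        self.values = {}                 # feature -> set of observed values

    def fit(self, samples):
        for feats, label in samples:
            self.class_counts[label] += 1
            for f, v in feats.items():
                self.feature_counts[(label, f, v)] += 1
                self.values.setdefault(f, set()).add(v)
        return self

    def predict(self, feats):
        total = sum(self.class_counts.values())
        best, best_lp = None, -math.inf
        for label, n in self.class_counts.items():
            lp = math.log(n / total)  # log prior
            for f, v in feats.items():
                k = len(self.values[f])
                lp += math.log((self.feature_counts[(label, f, v)] + 1) / (n + k))
            if lp > best_lp:
                best, best_lp = label, lp
        return best


# Constructed training set: binned feature vectors with labels.
TRAINING = [
    ({"cell_ratio": "low", "asn_ratio": "low"}, "benign"),
    ({"cell_ratio": "low", "asn_ratio": "low"}, "benign"),
    ({"cell_ratio": "high", "asn_ratio": "low"}, "benign"),
    ({"cell_ratio": "high", "asn_ratio": "high"}, "ffsn"),
    ({"cell_ratio": "high", "asn_ratio": "high"}, "ffsn"),
    ({"cell_ratio": "low", "asn_ratio": "high"}, "ffsn"),
]
MODEL = NaiveBayes().fit(TRAINING)

# Constructed resolutions (documentation IP ranges, documentation ASNs).
CDN_LIKE = [  # six IPs, two grid cells, one ASN: clustered, single provider
    Resolution("203.0.113.10", 37.4, -122.1, 64496),
    Resolution("203.0.113.11", 37.4, -122.1, 64496),
    Resolution("203.0.113.12", 37.5, -122.0, 64496),
    Resolution("203.0.113.20", 40.7, -74.0, 64496),
    Resolution("203.0.113.21", 40.7, -74.0, 64496),
    Resolution("203.0.113.22", 40.8, -73.9, 64496),
]
FFSN_LIKE = [  # five IPs, five grid cells, five ASNs: scattered victims
    Resolution("198.51.100.5", 51.5, -0.1, 64497),
    Resolution("192.0.2.77", 35.7, 139.7, 64498),
    Resolution("198.51.100.130", -23.5, -46.6, 64499),
    Resolution("192.0.2.201", 48.9, 2.4, 64500),
    Resolution("198.51.100.250", 19.4, -99.1, 64501),
]


def classify(resolutions):
    """Feature extraction followed by classification: 'benign' or 'ffsn'."""
    return MODEL.predict(discretize(extract_features(resolutions)))


if __name__ == "__main__":
    for name, sample in (("cdn-like", CDN_LIKE), ("ffsn-like", FFSN_LIKE)):
        print(name, extract_features(sample), "->", classify(sample))
```

The point of the ratios is the CDN confusion the abstract mentions: a CDN also returns many distinct IPs, but they fall into few grid cells and few ASNs, whereas a fast-flux domain's victim hosts are spread over cells and providers the operator did not choose. In a real deployment the geolocation and ASN lookups would come from a GeoIP and routing database, and the grid size and threshold would be fitted on labelled data rather than assumed as here.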

Table of contents:
Abstract
1 Introduction
  1.1 Motivation
  1.2 Challenges
  1.3 Goals
  1.4 Contributions
  1.5 Outline of the Thesis
2 Background
  2.1 Fast-Flux Service Networks (FFSNs)
  2.2 Domain Name System
  2.3 Autonomous System Numbers (ASNs)
  2.4 Related Work
  2.5 Summary
3 Localized Spatial Geolocation Fast-Flux Detection System
  3.1 DNS Information Finder
  3.2 Localized Spatial Geolocation Feature Engine
    3.2.1 IP Address Deployment Feature Extractor
    3.2.2 Geolocation of IP Address Finding Agent
    3.2.3 Localized Geolocation Finding Agent
    3.2.4 Spatial Geolocation Distribution Estimator
    3.2.5 Spatial Geolocation Service Relation Estimator
    3.2.6 Localized Spatial Geolocation Distribution Constructor
  3.3 Fast-Flux Detection Engine
  3.4 An Example of Case Study
  3.5 Summary
4 Experiments
  4.1 Datasets
  4.2 Evaluation Methods
  4.3 Experimental Results
  4.4 Discussions and Real Case Study
  4.5 Tool Implementation
5 Malware
  5.1 Structural Similar Behavioral Host-sequence Clustering
    5.1.1 Malware Behavioral Reports
    5.1.2 Host-level Behavioral Tokenizer
    5.1.3 Behavioral Patterns Sequence Constructor
    5.1.4 Behavioral Structure Module
    5.1.5 Behavioral Model Similarity Constructor
    5.1.6 Clustering Engine
  5.2 Experiment and Results
    5.2.1 Datasets
    5.2.2 Evaluation Methods
    5.2.3 Experimental Results and Discussions
6 Conclusions and Further Work
  6.1 Limitations
  6.2 Conclusions
  6.3 Further Work
References

