PASSVM: A highly accurate fast flux detection system

Fast Flux service networks (FFSNs) are used by adversaries to provide high availability to malicious servers while keeping them hidden from direct access. In these networks, a large number of botnet machines work as proxies to relay the traffic between end users and a ma-licious mothership server which is controlled by an adversary. Various mechanisms have been proposed for detecting FFSNs. However, most of these mechanisms depend on col-lecting a large amount of DNS traffic traces and require a considerable amount of time to identify fast flux domains. In this paper, we propose an efficient AI-based online fast flux detection system that performs highly accurate and extremely fast detection of fast flux do-mains. The proposed system, called PASSVM, is based on features that are associated with DNS response messages of a given domain name. The approach relies on features that are stored in local databases, in addition to features that are extracted from the response DNS messages. The information in the databases are obtained from Censys search engine and an IP Geolocation service. PASSVM is evaluated using three types of supervised machine learn-ing algorithms which are: Multilayer Perceptron (MLP), Radial Basis Function Network (RBF), and Support Vector Machines (SVM). Results show that SVM with RBF kernel outperformed the other two methods with an accuracy of 99.557% and a detection time of less than 18 ms. (c) 2021 Elsevier Ltd. All rights reserved.