Academia Sinica  |  Institute of Information Science  |  Multimedia Networking and Systems Laboratory
Fast-Flux Bot Detection in Real Time
(NOTE: Sheng-Wei Chen is also known as Kuan-Ta Chen.)

Abstract
The fast-flux service network architecture has been widely adopted by bot herders to increase the productivity and extend the lifespan of botnets' domain names. A fast-flux botnet is unique in that each of its domain names is normally mapped to different sets of IP addresses over time and legitimate users' requests are handled by machines other than those contacted by users directly. Most existing methods for detecting fast-flux botnets rely on the former property. This approach is effective, but it requires a certain period of time, maybe a few days, before a conclusion can be drawn.

In this paper, we propose a novel way to detect whether a web service is hosted by a fast-flux botnet in real time. The scheme is unique because it relies on certain intrinsic and invariant characteristics of fast-flux botnets, namely, 1) the request delegation model, 2) bots are not dedicated to malicious services, and 3) the hardware used by bots is normally inferior to that of dedicated servers. Our empirical evaluation results show that, using a passive measurement approach, the proposed scheme can detect fast-flux bots in a few seconds with more than 96% accuracy, while the false positive/negative rates are both lower than 5%.

Materials
Citation
Ching-Hsiang Hsu, Chun-Ying Huang and Kuan-Ta Chen, "Fast-Flux Bot Detection in Real Time," In Proceedings of RAID 2010, Sep 2010.

BibTeX
@INPROCEEDINGS{hsu10:ffbot,
  TITLE      = {Fast-Flux Bot Detection in Real Time},
  AUTHOR     = {Ching-Hsiang Hsu and Chun-Ying Huang and Kuan-Ta Chen},
  BOOKTITLE  = {Proceedings of RAID 2010},
  MONTH      = {Sep},
  YEAR       = {2010}
}