Semi-supervised time series modeling for real-time flux domain detection on passive dns traffic


Abstract

Flux domains are one of the most active threat vectors, and their behavior keeps changing to evade existing detection measures. To separate malicious flux domains from legitimate services with similar behavior, such as content delivery networks (CDNs) and network time protocol (NTP) services, a novel time series model is built from a set of features that cover not only domain name system (DNS) time-to-live (TTL) values but also the loyalty and entropy of DNS resource records. An offline system built on big data technology trains the model in a semi-supervised mode. In addition, an online platform is designed and developed to process high-throughput real-time DNS streams with advanced analytics technologies. Feature extraction, classification, accuracy and performance are discussed on the basis of a large amount of real-world DNS data. © 2014 Springer International Publishing Switzerland.
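The abstract names the feature families the model uses (TTL, record loyalty, record entropy) without showing how they are derived from a passive DNS stream. The following is an added example, not code from the paper or its authors: it windows constructed passive DNS observations per domain and computes TTL, IP/prefix entropy and a loyalty ratio, then applies a hand-set rule in place of the trained semi-supervised model. The domain names, IP addresses, the 600-second window, the definition of "loyalty" (share of answers re-using an IP already seen for that domain) and the scoring thresholds are all assumptions made for illustration; the paper's exact definitions are not on this page.

```python
"""Feature extraction sketch for flux-domain detection over passive DNS.

Added example; not the paper's implementation.  All records below are
constructed, and the "loyalty" definition is an assumption for this sketch.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PdnsRecord:
    ts: int      # observation time in seconds (constructed)
    qname: str   # queried domain name
    rdata: str   # A-record answer
    ttl: int     # TTL carried by that answer


def shannon_entropy(values: Iterable[str]) -> float:
    """Entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def slash16(ip: str) -> str:
    """Coarse prefix key: first two octets of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:2])


def window_features(records: List[PdnsRecord], window: int = 600
                    ) -> Dict[Tuple[str, int], Dict[str, float]]:
    """Per-(domain, time bucket) feature vector.

    loyalty (assumed definition): fraction of answers in the bucket whose IP
    was already observed for that domain earlier in the stream.  A CDN that
    rotates a small fixed pool scores high; a flux domain handing out fresh
    bot IPs scores near zero even though both use short TTLs.
    """
    by_domain: Dict[str, List[PdnsRecord]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_domain[r.qname].append(r)

    feats: Dict[Tuple[str, int], Dict[str, float]] = {}
    for qname, recs in by_domain.items():
        seen: set = set()
        buckets: Dict[int, List[PdnsRecord]] = defaultdict(list)
        for r in recs:
            buckets[r.ts // window].append(r)
        for b in sorted(buckets):
            chunk = buckets[b]
            repeats = 0
            for r in chunk:            # time order within the bucket
                if r.rdata in seen:
                    repeats += 1
                seen.add(r.rdata)
            ttls = [r.ttl for r in chunk]
            ips = [r.rdata for r in chunk]
            feats[(qname, b)] = {
                "n_answers": len(chunk),
                "min_ttl": min(ttls),
                "mean_ttl": sum(ttls) / len(ttls),
                "distinct_ips": len(set(ips)),
                "ip_entropy": shannon_entropy(ips),
                "prefix_entropy": shannon_entropy(slash16(ip) for ip in ips),
                "loyalty": repeats / len(chunk),
            }
    return feats


def flux_score(f: Dict[str, float]) -> int:
    """Illustrative hand-set rule standing in for the trained model.

    Thresholds are assumptions; a real deployment would learn them.
    """
    score = 0
    if f["min_ttl"] <= 300:          # short TTL alone does not separate CDN from flux
        score += 1
    if f["loyalty"] < 0.5:           # answers keep pointing at never-seen hosts
        score += 1
    if f["prefix_entropy"] > 1.0:    # hosts scattered across many networks
        score += 1
    return score


# Constructed sample: a CDN rotating a 3-address pool in one /24 with TTL 60,
# and a flux domain returning a new address in a new /16 every time, TTL 30.
CDN_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
FLUX_IPS = ["10.1.2.3", "10.7.8.9", "10.22.5.1", "10.45.9.7", "10.63.1.14",
            "10.90.3.2", "10.101.4.4", "10.120.8.8", "10.131.2.2",
            "10.150.6.6", "10.171.1.1", "10.199.9.9"]


def sample_records() -> List[PdnsRecord]:
    recs = []
    for i in range(12):              # 12 observations spanning two 600 s windows
        ts = i * 100
        recs.append(PdnsRecord(ts, "cdn.example", CDN_POOL[i % 3], 60))
        recs.append(PdnsRecord(ts, "flux.example", FLUX_IPS[i], 30))
    return recs


if __name__ == "__main__":
    for key, f in sorted(window_features(sample_records()).items()):
        print(key, {k: round(v, 3) for k, v in f.items()}, "score", flux_score(f))
```

Run stand-alone it prints one feature row per (domain, window) pair. The point the sketch makes is the one the abstract makes: TTL by itself is the same signal for both domains, and it is the loyalty and entropy features computed over successive windows that pull the CDN and the flux domain apart; in the real system those per-window vectors form the time series the semi-supervised model is trained on.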

Citation (APA)

Yu, B., Smith, L., & Threefoot, M. (2014). Semi-supervised time series modeling for real-time flux domain detection on passive dns traffic. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8556 LNAI, pp. 258–271). Springer Verlag. https://doi.org/10.1007/978-3-319-08979-9_20
