Master of Science
Electrical and Computer Engineering
Fast-fluxing has been used by attackers to increase the availability of malicious domains and their robustness against detection systems. Since 2008, researchers have proposed a number of methods to detect malicious fast-flux domains; however, these methods share some common drawbacks in their system design: no anonymity, only a partial view of the domain, and an inability to detect a domain before an attack takes place. To overcome these drawbacks, we propose a new technique called ADAPT, which enables a detection system to collect DNS information about a domain anonymously, from vantage points all around the globe, in a short period of time and with few resources, by using the Tor network.
In this thesis, we have developed a prototype of ADAPT that takes its input from domain zone files to detect in-the-wild malicious fast-flux domains. We defined a flux score formula and, on that basis, proposed 10 new detection features. The ADAPT prototype scanned over 550,000 .net domains and extracted 20 distinct features for each domain.
By analyzing the obtained DNS dataset, we observed several new findings and confirmed some new trends reported in previous research. Moreover, our experimental results showed that the ADAPT prototype has the potential to outperform existing detection systems, given a few modifications and updates to the detection process.
Otgonbold, Tsolmon, "ADAPT: an anonymous, distributed, and active probing-based technique for detecting malicious fast-flux domains" (2014). Graduate Theses and Dissertations. 14225.