- Title
- Geo-spatial autocorrelation as a metric for the detection of fast-flux botnet domains
- Creator
- Stalmans, Etienne; Hunter, Samuel O; Irwin, Barry V W
- Subject
- To be catalogued
- Date
- 2012
- Type
- text
- Type
- article
- Identifier
- http://hdl.handle.net/10962/429799
- Identifier
- vital:72640
- Identifier
- 10.1109/ISSA.2012.6320433
- Description
- Botnets consist of thousands of hosts infected with malware. Botnet owners communicate with these hosts using Command and Control (C2) servers. These C2 servers are usually infected hosts which the botnet owners do not have physical access to. For this reason botnets can be shut down by taking over or blocking the C2 servers. Botnet owners have employed numerous shutdown avoidance techniques. One of these techniques, DNS Fast-Flux, relies on rapidly changing address records. The addresses returned by the Fast-Flux DNS servers consist of geographically widely distributed hosts. The distributed nature of Fast-Flux botnets differs from legitimate domains, which tend to have geographically clustered server locations. This paper examines the use of spatial autocorrelation techniques based on the geographic distribution of domain servers to detect Fast-Flux domains. Moran's I and Geary's C are used to produce classifiers using multiple geographic co-ordinate systems to produce efficient and accurate results. It is shown how Fast-Flux domains can be detected reliably while only a small percentage of false positives are produced.
- Format
- 7 pages, pdf
- Language
- English
- Relation
- Information Security for South Africa, Stalmans, E., Hunter, S.O. and Irwin, B., 2012, August. Geo-spatial autocorrelation as a metric for the detection of fast-flux botnet domains. In 2012 Information Security for South Africa (pp. 1-7). IEEE, Information Security for South Africa volume 2012 number 1 1 7 2012 2330-9881
- Rights
- Publisher
- Rights
- Use of this resource is governed by the terms and conditions of the IEEE Xplore Terms of Use Statement (https://ieeexplore.ieee.org/Xplorehelp/overview-of-ieee-xplore/terms-of-use)