Real-Time Fast-Flux Identification via Localized Spatial Geolocation Detection

Fast-flux service networks (FFSNs), broadly used by botnets, are an evasive technique for conducting malicious behavior via rapid activities. FFSN detection easily fails in the case of poor performance and causes a high incidence of false positives due to the similarity of an FFSN to a content distribution network (CDN), a normal behavior for load balance. In this study, we propose a localized spatial geolocation detection (LSGD) system for identifying FFSNs in real time. We believe that the grid distribution of LSGD possesses a precise spatial locating capability for profiling the spatial relations between IP address resolutions. Furthermore, autonomous system numbers (ASNs) are used for enhancing localized geographic characteristics. The proposed system, incorporating LSGD, ASNs, and the domain name system (DNS), can respond well to identify potential FFSNs. The results of our experiment show that the proposed LSGD system has a better detection capability than state-of-the-art spatial or temporal detection approaches, with a lower false positive rate in real-time detection than the approach based on a spatial snapshot alone.