Abstract

Previous Fast-flux domain name detection methods have three weaknesses, concerning stability, targeting, and applicability to common real-world DNS traffic environments. To address these, a method based on DNS traffic, called Fast-flucos, is proposed. First, traffic anomaly filtering and association matching algorithms are used to improve detection stability. Second, the features quantified geographical width, country list, and time list are applied to better target Fast-flux domains. Last, feature extraction is performed on more suitable samples in an attempt to adapt to common real-world DNS traffic. Several machine learning algorithms, including deep learning, are tried to determine the best classifier and feature combination. Experimental results on real-world DNS traffic show that Fast-flucos achieves a recall of 0.9986, a precision of 0.9767, and an ROC_AUC of 0.9929, all better than current mainstream approaches such as EXPOSURE, GRADE and AAGD.
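The abstract names three feature families (geographical width, country list, time list) but does not give their definitions. The following is an added illustration of what per-domain feature extraction over passive DNS records looks like in a detector of this kind; it is not the paper's Fast-flucos implementation, and the exact feature definitions, the `IP_COUNTRY` lookup table, the thresholds in `flux_score`, and the sample records are all constructed assumptions.

```python
"""Toy Fast-flux feature extraction over DNS A-record observations.

Added illustration, not the paper's Fast-flucos code: the feature
definitions, the IP-to-country table and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsRecord:
    ts: int        # epoch seconds at which the A record was observed
    domain: str
    ip: str        # resolved IPv4 address
    ttl: int       # TTL carried in the response


# Assumed IP-to-country lookup; a real detector would use a GeoIP database.
IP_COUNTRY = {
    "203.0.113.10": "US", "203.0.113.11": "US",
    "203.0.113.50": "US", "203.0.113.51": "US",
    "198.51.100.20": "DE", "198.51.100.21": "DE",
    "192.0.2.30": "BR", "192.0.2.31": "BR",
    "192.0.2.77": "IN",
}


def country_of(ip: str) -> str:
    return IP_COUNTRY.get(ip, "??")


def extract_features(records, bucket_seconds: int = 3600) -> dict:
    """Group records by domain and derive spread-style features.

    country_count / distinct_16_prefixes stand in for "geographical width"
    and "country list"; ip_change_buckets (number of time buckets in which a
    never-before-seen IP appeared) stands in for "time list". These are our
    assumed proxies, not the paper's definitions.
    """
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)

    feats = {}
    for domain, rs in by_domain.items():
        ips = {r.ip for r in rs}
        prefixes = {str(ip_network(f"{r.ip}/16", strict=False)) for r in rs}
        countries = {country_of(r.ip) for r in rs}
        first_seen_bucket = {}
        for r in sorted(rs, key=lambda r: r.ts):
            first_seen_bucket.setdefault(r.ip, r.ts // bucket_seconds)
        feats[domain] = {
            "distinct_ips": len(ips),
            "distinct_16_prefixes": len(prefixes),
            "country_count": len(countries),
            "countries": sorted(countries),
            "avg_ttl": sum(r.ttl for r in rs) / len(rs),
            "ip_change_buckets": len(set(first_seen_bucket.values())),
        }
    return feats


def flux_score(f: dict) -> int:
    """Illustrative 0-5 heuristic (assumed thresholds), not a trained model."""
    score = 0
    score += f["distinct_ips"] >= 5
    score += f["distinct_16_prefixes"] >= 3
    score += f["country_count"] >= 3
    score += f["avg_ttl"] <= 300
    score += f["ip_change_buckets"] >= 3
    return int(score)


# Constructed sample observations (RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    DnsRecord(0,     "flux-example.test", "203.0.113.10",  60),
    DnsRecord(600,   "flux-example.test", "198.51.100.20", 60),
    DnsRecord(3600,  "flux-example.test", "192.0.2.30",    60),
    DnsRecord(4200,  "flux-example.test", "203.0.113.11",  60),
    DnsRecord(7200,  "flux-example.test", "198.51.100.21", 60),
    DnsRecord(10800, "flux-example.test", "192.0.2.31",    60),
    DnsRecord(11400, "flux-example.test", "192.0.2.77",    60),
    DnsRecord(0,     "static-example.test", "203.0.113.50", 3600),
    DnsRecord(3600,  "static-example.test", "203.0.113.50", 3600),
    DnsRecord(7200,  "static-example.test", "203.0.113.51", 3600),
]


def run_demo() -> dict:
    """Return {domain: (features, score)} for the constructed sample."""
    feats = extract_features(SAMPLE_RECORDS)
    return {d: (f, flux_score(f)) for d, f in feats.items()}


if __name__ == "__main__":
    for domain, (f, s) in run_demo().items():
        print(domain, s, f)
```

Large CDNs and round-robin load balancers also produce many IPs with short TTLs, which is why a scorer like this one is only a starting point and why the abstract stresses targeting and stability: distinguishing legitimate dispersion from flux networks needs the additional features and the filtering steps the paper describes, and a classifier trained on representative traffic rather than fixed thresholds.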