Detection of Fast-Flux Networks Using Various DNS Feature Sets

In this work, we study the detection of Fast-Flux Service Networks (FFSNs) using DNS (Domain Name System) response packets. We have observed that current approaches do not employ a large combination of DNS features to feed into the proposed detection systems. The lack of features may lead to high false positive or false negative rates triggered by benign activities including Content Distribution Networks (CDNs). In this paper, we study recently proposed detection frameworks to construct a high-dimensional feature vector containing timing, network, spatial, domain name, and DNS response information. In the detection system, we strive to use features that are delayfree, and lightweight in terms of storage and computational cost. Feature sub-spaces are evaluated using a C4.5 decision tree classifier by excluding redundant features using the information gain of each feature with respect to each class. Our experiments reveal the performance of each feature subset type in terms of the classification accuracy. Moreover, we present the best feature subset for the discrimination of FFSNs recorded with the datasets we used.