
ANALYZING THE DYNAMICS BEHAVIOR OF FAST-FLUX DOMAIN NAME SYSTEM THROUGH

VISUALIZATION

BY

ANDI FITRIAH BINTI ABDUL KADIR

A thesis submitted in fulfilment of the requirement for the degree of Master in Computer Science

Kulliyyah of Information and Communication Technology
International Islamic University Malaysia

FEBRUARY 2013


ABSTRACT

As attempts to thwart cybercrime have intensified, so have innovations in how cybercriminals provision their infrastructure to dodge detection and take-down.

Today, a growing, sophisticated technique called Fast-Flux Service Networks (FFSN) poses a major problem to Internet security. FFSN are increasingly used in many illegal practices, including money-mule recruitment sites, distribution of malware downloads, illegal adult content and other forms of Internet fraud. Essentially, FFSN were first used as a Domain Name System (DNS) switching mechanism that combines distributed command and control, web-based load balancing, and proxy redirection. However, cybercriminals are making use of this technology to cover their tracks and avoid detection, so their criminal infrastructures stay up longer and reach more victims.

These issues are tackled by investigating the dynamics of FFSN using the k-Nearest Neighbor (kNN) classification method together with data visualization. This combination can help network administrators and security analysts recognize the threats more easily and efficiently. In this study, over 500 domains are collected and monitored. By applying the kNN classifier to the training data, the presence of Single-Flux (SF), NS-Flux (NSF), and Double-Flux (DF) is observed. Subsequently, by scrutinizing and visualizing these fluxing domain names, two new types of fluxing, designated NS-Name-Flux (NF) and Nested-NS-Flux (NNF), are discovered. The analysis of both NF and NNF shows that FFSN have become extensively sophisticated and dynamic, and that visualization is an alternative and effective data exploration method for understanding the complex behaviors of FFSN.

ABSTRACT IN ARABIC

(Arabic translation of the abstract above.)

APPROVAL PAGE

I certify that I have supervised and read this study and that in my opinion, it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master in Computer Science.

Normaziah Abdul Aziz
Supervisor

Raja Azrina Raja Othman
Co-Supervisor

I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master in Computer Science.

Zulkefli Muhammed Yusof

Azman Samsudin
External Examiner

This thesis was submitted to the Department of Computer Science (CS) and is accepted as a fulfilment of the requirement for the degree of Master in Computer Science.

Zulkefli Muhammed Yusof
Head, Department of CS

This thesis was submitted to the Kulliyyah of Information and Communication Technology (KICT) and is accepted as a fulfilment of the requirement for the degree of Master in Computer Science.


DECLARATION

I hereby declare that this thesis is the result of my own investigations, except where otherwise stated. I also declare that it has not been previously or concurrently submitted as a whole for any other degrees at IIUM or other institutions.

Andi Fitriah Binti Abdul Kadir

Signature……… Date………


INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH

Copyright © 2013 by International Islamic University Malaysia. All rights reserved.

ANALYZING THE DYNAMICS BEHAVIOR OF FAST-FLUX DOMAIN NAME SYSTEM THROUGH

VISUALIZATION

Affirmed by Andi Fitriah Binti Abdul Kadir

……….. ………..

Signature Date

I hereby affirm that the International Islamic University Malaysia (IIUM) holds all rights in the copyright of this Work and henceforth any reproduction or use in any form or by any means whatsoever is prohibited without the written permission of IIUM. No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the copyright holder.


O Allah, increase me in knowledge while keeping me humble.

In dedication to my beloved parents,

Abdul Kadir Bin Arfah and Niswa Binti Mohd Noor for believing the best in me.


ACKNOWLEDGMENTS

In the name of Allah, the Most Gracious, the Most Merciful.

All praise belongs to Allah alone, and blessings and peace be upon the final Prophet.

The dissertation was done under the supervision of Assoc. Prof. Dr. Normaziah Abdul Aziz, in the Department of Computer Science, KICT, IIUM and Mrs. Raja Azrina Raja Othman from JARING (Jaring Communications Sdn Bhd).

My heartfelt and sincere appreciation to both of my supervisors for their dedicated guidance, suggestions, critical comments and warm support throughout the process of completing this dissertation. Their flexibility and friendly nature have made the project stress-free and somewhat enjoyable.

I am indebted to my parents for their unconditional love and support. Without my father's encouraging words and my mother's caring nature, I would not have been resilient enough to make it through the two years here. Thank you Mak and Etta, for always believing in me and always allowing me to follow my heart.

A very special thanks goes to my siblings, relatives, and friends for standing by my side through the good and bad times. They are indeed my sunshine.

I thank as well my fellow colleagues from Information Security Research Group (ISRG) for their assistance and constructive criticism throughout the development of this dissertation.

Last but not least, I would like to thank all the people who helped directly or indirectly to finish this dissertation. I am grateful to all the academic and administration staff at the Kulliyyah of ICT, International Islamic University, for their cooperation, kindness and assistance.

Regards,

Andi Fitriah Abdul Kadir
September 2012


TABLE OF CONTENTS

Abstract ... ii

Abstract in Arabic ... iii

Approval Page ... iv

Declaration Page ... v

Copyright Page ... vi

Dedication ... vii

Acknowledgements ... viii

List of Tables ... xiii

List of Figures ... xvi

List of Formulas ... xxi

List of Tools ... xxii

CHAPTER 1: INTRODUCTION AND OVERVIEW

1.1 Introduction ... 1

1.2 Thesis Overview ... 2

1.2.1 Problem Statement ... 4

1.2.2 Objective ... 5

1.2.3 Research Question ... 6

1.2.4 Research Methodology ... 7

1.2.5 Research Hypothesis ... 8

1.2.6 Significance ... 10

1.2.7 Scope and Limitation ... 11

1.3 Thesis Structure ... 14

CHAPTER 2: FAST-FLUX AND ITS RELATED WORK

2.1 Introduction ... 15

2.2 Fast-Flux Service Networks (FFSN) ... 16

2.2.1 Fast-Flux Conceptual Model ... 16

2.2.2 Fast-Flux Definition ... 19

2.2.3 Fast-Flux Type and Purpose ... 20

2.2.4 Fast-Flux Examples ... 23

2.2.5 Fast-Flux Features ... 26

2.2.6 Fast-Flux Issues and Challenges ... 27

2.2.7 Fast-Flux Botnet ... 28

2.2.8 Fast-Flux Mothership ... 30


2.2.9 Fast-Flux Behavior ... 32

2.2.10 Fast-Flux Classification Technique ... 33

2.2.11 Fast-Flux Detection ... 36

2.2.12 Fast-Flux Impact ... 38

2.2.13 Fast-Flux Mitigation ... 42

2.3 Comparison of FFSN with CDN and RRDNS ... 43

2.4 Network Visualization ... 44

2.5 Summary ... 45

CHAPTER 3: METHODOLOGY AND DESIGN

3.1 Introduction ... 46

3.2 Research Methodology ... 47

3.3 Research Design ... 50

3.3.1 Experimental Design ... 51

3.3.1.1 Data Sample, Data Collection, and Data Slicing ... 54

3.3.1.2 Preliminary Experiments ... 58

a. Variables Measurement ... 58

i. Frequency of Domain Lookup ... 59

ii. Metric of Fluxiness... 60

iii. k-Nearest Neighbor (kNN) Feature Set ... 62

iv. Monitoring Parameter... 64

b. Tools Evaluation ... 65

i. kNN Tools ... 65

ii. Visualization Tools ... 69

iii. Network Security Utilities... 73

iv. Website Reputation Rating Programs ... 76

v. Blacklist and Whitelist Checker ... 78

Preliminary Experiments: Result and Analysis ... 80

3.3.1.3 Fast-Flux Behavior and Dynamism Experiment ... 81

a. Data Lookup Process (P2) ... 81

b. Data Classification (P3) ... 83

c. Data Visualization (P4) ... 86

d. Data Grouping (P5) ... 87

e. Data Monitoring (P6) ... 89

f. Data Analysis (P7) ... 92

Result and Analysis ... 93

3.3.2 Case Studies ... 93

3.3.2.1 Case Study I: The Case of Bank-Related Phishing ... 94

Introduction… ... 95


Approach and Implementation ... 97

a. Data Collection ... 97

b. Data Lookup Process ... 97

c. Data Classification and Grouping ... 98

d. Data Visualization ... 99

e. Data Monitoring and Analysis... 99

Result and Analysis ... 100

3.3.2.2 Case Study II: The case of Pharmaceutical Phishing ... 100

Introduction… ... 100

Approach and Implementation ... 101

a. Data Collection ... 101

b. Data Lookup Process ... 101

c. Data Classification and Grouping ... 102

d. Data Visualization ... 102

e. Data Monitoring and Analysis... 102

Result and Analysis ... 103

3.4 Proposed Method ... 103

3.5 Summary ... 105

CHAPTER 4: RESULT AND ANALYSIS

4.1 Introduction ... 106

4.2 Experimental Design Result (Result Analysis III) ... 106

4.2.1 Data Classification and Grouping ... 106

a. kNN Classification ... 106

b. NS-Domain Grouping ... 112

4.2.2 Data Behavioral Analysis ... 114

a. Location Changes in DNS Hierarchy ... 114

b. Growth and Changes of DNS Records ... 115

c. Domain Behavioral Analysis ... 116

d. Geographical Location ... 119

4.2.3 Data Relationship Analysis ... 120

a. Relationship to Benign ... 120

b. Relationship to Blacklist ... 121

c. Relationship to Web Hosting ... 122

4.2.4 Experimental Finding Summary ... 123

4.3 Case Study Results ... 125

4.3.1 Case Study I: The Case of Bank-Related Phishing ... 125

a. Data Classification and Grouping ... 125

b. Data Behavioral Analysis ... 127

c. Data Relationship Analysis ... 131


4.3.2 Case Study II: The Case of Pharmaceutical Phishing ... 133

a. Data Classification and Grouping ... 133

b. Data Behavioral Analysis ... 134

c. Data Relationship Analysis ... 136

4.3.3 Case Study: Cross Case Conclusion ... 137

4.4 Summary ... 138

CHAPTER 5: ADDITIONAL FINDINGS: THE NEW TYPES OF FLUXING - NS-NAME-FLUX (NF) AND NESTED-NS-FLUX (NNF)

5.1 Introduction ... 139

5.2 NS-Name-Flux (NF) ... 139

5.2.1 What are the rates and point of change? ... 140

5.2.2 How are dynamics implemented? ... 142

5.2.3 Data Relationship Analysis ... 145

5.3 Nested-NS-Flux (NNF) ... 146

5.3.1 What are the rates and point of change? ... 148

5.3.2 How are dynamics implemented? ... 149

5.4 Summary ... 150

CHAPTER 6: CONCLUSION AND MOVING FORWARD

6.1 Introduction ... 151

6.2 Findings Summary ... 152

6.3 Contribution ... 158

6.4 Limitation and Future Work ... 161

BIBLIOGRAPHY ... 162

PUBLICATION/PRESENTATION/AWARD ... 167

APPENDIX I: TERMS DEFINITION ... 168

APPENDIX II: TECHNICAL BACKGROUND ON SUPPORTING TECHNIQUES (DNS, CDN, RRDNS) FOR FFSN ... 171


LIST OF TABLES

Table No. Page No.

1.1 Linkage of research questions to its research objectives 6
2.1 Summary of Fast-Flux features 26
2.2 Fast-Flux botnets 30
2.3 Summary of the Fast-Flux classification technique 33
2.4 Comparison of kNN and Bayesian classifier (Jiayan Wu, et al., 2009) 35
2.5 kNN and RF experiment result of 6 attributes (Ziniu Chen et al., 2011) 35
2.6 Comparison of existing Fast-Flux detection 36
3.1 Data collection summary of Fast-Flux and benign domains 57
3.2 Cumulative number of Top Level Domain (TLD) names for distinct Fast-Flux domain names 57
3.3 Data slicing for all experiments 58
3.4 Cumulative number of IP addresses with DIG lookup frequency 59
3.5a The 1st test of kNN feature set 62
3.5b Result of the 1st test of kNN feature set 63
3.6a The 2nd test of kNN feature set 63
3.6b Result of the 2nd test of kNN feature set 63
3.7 Summary of visualization tools 72
3.8 Data partitioning for kNN classification 83
3.9 kNN experiment feature set 85
3.10 Example of parameter for kNN feature set 86
3.11 Cumulative number of Top Level Domain (TLD) names for Phishing domain names 97
3.12 Cumulative number of Top Level Domain (TLD) names for pharmaceutical Phishing domain names 101
4.1 The k output of average, majority vote, and local regression 107
4.2 Result summary of kNN classification 108
4.3a The average and majority vote confusion matrix 108
4.3b The average and majority vote error report 109
4.4 Summary of Fast-Flux domain grouping 112
4.5 Location of change for the top-3 most active Fast-Flux groups 114
4.6 Case Study I: Phishing domain grouping 126
4.7 Case Study I: Location of changes in DNS hierarchy 127
4.8 Case Study I: Bank-A and Bank-B relationship summary 131
4.9 Case Study II: Cumulative number of domain classification 133
4.10 Case Study II: Location of changes in DNS hierarchy 134
5.1 NS-Name-Flux domain summary 140
5.2 NS-Name-Flux domain grouping based on most active domain names ranking 140
5.3 NS-Name-Flux location of change 142
5.4 NNF group ranks 149
5.5 Nested-NS location of change 149
6.1 Cumulative number of all Fast-Flux types 152
6.2 Summary of all Fast-Flux types 153
6.3 Hypothesis justification 155
6.4 List of findings based on analysis categorizing 157


LIST OF FIGURES

Figure No. Page No.

1.1 The cost of cybercrime worldwide in 2011 (Data collected from CyberSecurity Malaysia, 2011) 2
1.2 Distribution of FF lifetime in days (Nazario & Holz, 2008) 3
1.3 The main processes of the proposed method 7
1.4 Relationship of IV and DV over Fast-Flux research 9
2.1a Conceptual Model (cybercrime without FFSN). If the user falls into the trap and his computer is infected while doing online activities, there are many possible ways for the experts to trace and take down the attackers. 17
2.1b Conceptual Model (cybercrime with FFSN). If the user falls into the trap and his computer is infected while doing online activities, it is very difficult for the experts to trace and take down the attackers, who are using FFSN. 17
2.2a Normal network (Honeynet Project, 2007) 20
2.2b Fast-Flux network (Honeynet Project, 2007) 20
2.3 DNS resolution comparison (Honeynet Project, 2007) 21
2.4 Fast-Flux types defined by ICANN 22
2.5 An example of Fast-Flux DNS records in one lookup 24
2.6 An example of a DNS lookup process for FFSN 25
2.7 Sample of three DNS entries of FF domain for 5 minutes lapse query 25
2.8 Fast-Flux Service Networks via a botnet (ENISA, 2011) 28
2.9 FFSN mothership (abuse.ch, 2010) 31
3.1 The stages of the research study (conceptual framework) 47
3.2 The conceptual framework for the research design 48
3.3 Stage 4 (S4) of the research design 50
3.4 Overall research design (experimental approach S4.1) 52
3.5 ATLAS homepage screenshot 54
3.6 DNSBL homepage screenshot 55
3.7 DNS-BH homepage screenshot 55
3.8 Alexa homepage screenshot 56
3.9 kNN classifier code using Matlab 66
3.10 XLMiner kNN screenshot 67
3.11 DataLab workspace screenshot of kNN feature set 67
3.12 Example of Gephi visualization 69
3.13 Example of GraphViz visualization 70
3.14 Example of NodeXL visualization 71
3.15 The DIG output produced by Windows cmd.exe 73
3.16 The DIG output produced by digwebinterface.com 74
3.17 Domain location using IP to country multi-lookup 75
3.18 Example of WOT output 76
3.19 Example of McAfee SiteAdvisor output 77
3.20 Example of Google Safe Browsing output 77
3.21 Blacklist example by eDNS.org 79
3.22 Blacklist example by MultiRBL blacklist/whitelist checker 79
3.23 DIG scheduled tasks configuration 82
3.24 The collected information in one DIG lookup 82
3.25 Advantages of data visualization 87
3.26 Measurement variables of passive monitoring 90
3.27 Location of changes in DNS hierarchy 91
3.28 Daily DNS changes homepage 92
3.29 Overall research design (case studies, S4.2) 94
3.30 Number of unique Phishing sites from June 2010 to June 2011. The data are collected from the Anti-Phishing Working Group (APWG) 96
3.31 Phish attacks by industry sectors – Q3 2011 (MarkMonitor, 2011) 96
3.32 Example of DIG lookup process 98
3.33 Example of NodeXL visualization 99
3.34 Example of the fake pharmaceutical website homepage 101
3.35 Phases of proposed method 104
4.1 The result of cross correlation process 107
4.2 Frequency statistics comparison of the actual class (class_info) and the average weighting-mode prediction (KNN-1) 109
4.3 BoxPlot comparison of kNN prediction class and the actual class 110
4.4 Histogram comparison of kNN prediction class and the actual class 111
4.5 Scatter plots of kNN prediction class and the actual class 111
4.6 Visualization of Fast-Flux domain grouping 113
4.7 Cumulative number of distinct IP for NS record (NS IP) 115
4.8 Types of NS relationship 117
4.9 IP fluxing comparison 117
4.10 Multiple infrastructures of fluxing 118
4.11 Wide distribution of NS 119
4.12 Fast-Flux geographical location using Google Maps 120
4.13 Visualized comparison between benign and Fast-Flux domains 121
4.14 Example of blacklist results 122
4.15 The visualization of DailyChanges reports 123
4.16 Case Study I: The classification of domain names 125
4.17 Case Study I: Classification of domain names 127
4.18 Case Study I: Visualization of Bank-A domain IP address 127
4.19 Case Study I: Visualization of Bank- 128
4.20 Case Study I: Domain-Flux example of bank-related domains 128
4.21 Case Study I: Example of domain names that have more than one URL 129
4.22 Case Study I: The bank-related phishing domain with hyperlink 129
4.23a Case Study I: Top Countries (Domain IP address) 130
4.23b Case Study I: Top Countries (NS IP address) 130
4.24 Case Study I: Bank-A and Bank-B domain relationship 132
4.25 Case Study II: Pharmaceutical Phishing domain group 133
4.26 Case Study II: Domains sharing the same NS 135
4.27 Case Study II: Domain names with a single IP address 135
4.28 Top Countries (Domain IP address) 136
5.1 The new type of fluxing: NS-Name-Flux (NF) 141
5.2 Cumulative number of domains for NS-Name-Flux 141
5.3 Pornography cluster with NS-Name-Flux 143
5.4 Pharmaceutical cluster that fluxes with NF on its own 144
5.5 NS-Name-Flux for Pharmaceutical cluster 144
5.6 DailyChange.com reports 145
5.7 IP comparison between the monitored domains and Daily Changes 146
5.8a Nested-NS-Flux (NS name) 147
5.8b Nested-NS-Flux with the domain names 148
5.9 Domain-Fluxing in Nested-NS-Flux 150
6.1 The visualization of all Fast-Flux domains 152
2.1 Example of domain resource records of iium.com 154


LIST OF FORMULAS

Formula No. Page No.

Euclidean distance between a test sample and the specified training samples for k-nearest neighbor, kNN (Yihua and Vemuri, 2002) 83
Fast-Flux metric of fluxiness proposed by Holz, et al. (2008) 84
Our extended formula of Fast-Flux fluxiness (based on Holz et al., 2008) applied to FF domains to sort the types of fluxing into Single-Flux, NS-Flux, Double-Flux, and benign 84
Single-Flux rule's parameter 85
Double-Flux rule's parameter 85
NS-Flux rule's parameter 85
Benign rule's parameter 85


LIST OF TOOLS

Operating System:
Linux Ubuntu Version 10.04 LTS with Kernel Version 2.6.32
Windows Vista Home Premium

Computer Software:
Afterglow Version 1.5.8
DataLab Version 2.7
DIG Version 9.3.2
Gephi Version 0.7
Graphviz Version 1.0
Matlab Version 7.7
NodeXL excel template Version 1.0.1.209
XLminer Version 3.0

Web-based Programs:

Blacklist and Whitelist Checker:
eDNS.org - http://edns.org
multiRBL - http://multirbl.valli.org/

Network Utility:
DIG - http://digwebinterface.com/
Google Fusion Table - http://www.google.com/fusiontables/
IP to country multi-lookup tool - http://software77.net/geo-ip/multi-lookup/

Web Reputation Rating Programs:
Google Safe Browsing - http://www.google.com/tools/firefox/safebrowsing/
McAfee SiteAdvisor - http://www.siteadvisor.com/howitworks/index.html
WOT (Web of Trust) - http://www.mywot.com/


CHAPTER ONE

INTRODUCTION AND OVERVIEW

1.1 INTRODUCTION

Today, one of the greatest threats we face on the Internet is cybercrime. It has enormous implications, not only for the victims, but for national security, economic prosperity, and public safety. Finjan (2011) stated that cybercriminals keep looking for improved methods to distribute their malware. Since they make money by trading stolen data or selling rogue software, they are looking for new and innovative techniques all the time, and they are reaching new levels of sophistication in their attacks; Rock Phish, DNSChanger, and Fast-Flux Service Networks (FFSN) are examples. This research aims to analyze the dynamic behavior of FFSN through visualization. To achieve this aim, a novel approach to investigating the dynamics of Fast-Flux Domain Name System (DNS) is designed, combining an experimental design with case studies as its research methodology.

This chapter is organized as follows. Section 1.1 introduces the cybercrime trends that lead to the FFSN. Section 1.2 gives the thesis overview: it briefly explains the FFSN, the problem statement, objectives, research questions, research methodology, hypotheses, significance, and the scope and limitations of the study. Finally, the thesis structure is outlined in Section 1.3.

1.2 THESIS OVERVIEW

The main motivation behind cybercrime is the easy financial gain. As stated by CyberSecurity Malaysia (2011), “the cost of cybercrime worldwide, including electronic bank fraud, identity theft, Phishing scams, botnets, and other e-crime schemes total up to $1 trillion” (Avanti Kumar, para. 3, 2011). This statistic is visualized in Figure 1.1. Apart from that, a study conducted by the Ponemon Institute and funded by Hewlett-Packard (2011) revealed the median cost of dealing with prevention and the repercussions of cybercrime rose from $3.8 million a year in 2010 to $5.9 million a year in 2011.

Figure 1.1: The cost of cybercrime worldwide in 2011 (Data collected from CyberSecurity Malaysia, 2011)

According to the Anti-Phishing Working Group (APWG), phishers are always refining their methods to take advantage of new opportunities and circumvent defenses (APWG, para. 1, 2012). The FFSN is one such refinement. In FFSNs, the cybercriminals exploit DNS properties to maximize their illegal profit while minimizing the risk of being detected. This is achieved by using a large number of proxy hosts to relay requests to the back-end computer that actually hosts the Phishing site (known as the "mothership"). This multi-layer architecture makes it extremely difficult to trace back the hosting machine (Zhou et al., 2008).
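The proxy layer described above leaves a measurable trace in DNS: a fluxing domain returns a different set of front-end proxy addresses (A records), and in the double-flux case different name servers (NS records), on successive lookups, while a static domain returns the same answer every time. The following Python example is added here and is not code from the thesis. It applies the fluxiness metric of Holz et al. (2008), which the thesis lists among its formulas (phi = distinct records seen over all lookups divided by records returned in a single lookup), to constructed `dig +noall +answer` output and labels the domain as Single-Flux, NS-Flux, Double-Flux or benign. The domain names, the addresses (RFC 5737 test ranges) and the 1.5 decision threshold are assumptions made for the example; the thesis' own rule parameters are not reproduced.

```python
"""Fluxiness-based labelling of a domain from periodic DNS lookups.

Added example for this page, not code from the thesis. It compares how many
distinct A and NS records a domain returns over repeated lookups with how many
it returns in one lookup (the fluxiness metric of Holz et al., 2008,
phi = N_distinct / N_single). Names, addresses and threshold are assumptions.
"""
import re
from dataclasses import dataclass

# One line of `dig +noall +answer` output: <name> <ttl> IN <type> <rdata>
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


@dataclass
class Lookup:
    a_records: list   # front-end proxy addresses returned in this lookup
    ns_records: list  # authoritative name servers returned in this lookup
    min_a_ttl: int    # shortest A-record TTL seen (0 if no A records)


def parse_dig_answer(text):
    """Turn the answer section of one dig run into a Lookup."""
    a, ns, ttls = [], [], []
    for line in text.strip().splitlines():
        m = DIG_LINE.match(line.strip())
        if not m:
            continue  # blank lines, comments, other record types
        _, ttl, rtype, rdata = m.groups()
        if rtype == "A":
            a.append(rdata)
            ttls.append(int(ttl))
        else:
            ns.append(rdata)
    return Lookup(a, ns, min(ttls) if ttls else 0)


def fluxiness(snapshots, attr):
    """phi = distinct records over all lookups / mean records per lookup.
    phi == 1.0 means the answer never changed; larger means fluxing."""
    distinct, total = set(), 0
    for s in snapshots:
        recs = getattr(s, attr)
        distinct.update(recs)
        total += len(recs)
    if total == 0:
        return 0.0
    return len(distinct) / (total / len(snapshots))


def classify(snapshots, threshold=1.5):
    """Label a domain from its A and NS fluxiness (threshold is an assumption)."""
    phi_a = fluxiness(snapshots, "a_records")
    phi_ns = fluxiness(snapshots, "ns_records")
    if phi_a >= threshold and phi_ns >= threshold:
        label = "Double-Flux"
    elif phi_a >= threshold:
        label = "Single-Flux"
    elif phi_ns >= threshold:
        label = "NS-Flux"
    else:
        label = "benign"
    return label, round(phi_a, 2), round(phi_ns, 2)


# Constructed sample: three lookups of a hypothetical domain some minutes apart.
# Each answer carries new A records (RFC 5737 test addresses) and a new NS pair.
FLUX_LOOKUPS = [
    """
flux.example.test.  300 IN A  203.0.113.11
flux.example.test.  300 IN A  198.51.100.12
flux.example.test.  600 IN NS ns1.flux.example.test.
flux.example.test.  600 IN NS ns2.flux.example.test.
""",
    """
flux.example.test.  300 IN A  203.0.113.21
flux.example.test.  300 IN A  198.51.100.22
flux.example.test.  600 IN NS ns3.flux.example.test.
flux.example.test.  600 IN NS ns4.flux.example.test.
""",
    """
flux.example.test.  300 IN A  203.0.113.31
flux.example.test.  300 IN A  198.51.100.32
flux.example.test.  600 IN NS ns5.flux.example.test.
flux.example.test.  600 IN NS ns6.flux.example.test.
""",
]

# Constructed benign comparison: the same two A records and NS pair every time.
BENIGN_ANSWER = """
static.example.test.  86400 IN A  192.0.2.80
static.example.test.  86400 IN A  192.0.2.81
static.example.test.  86400 IN NS ns1.static.example.test.
static.example.test.  86400 IN NS ns2.static.example.test.
"""
BENIGN_LOOKUPS = [BENIGN_ANSWER] * 3


def label_domain(answers):
    """Parse a series of dig answers and classify the domain they describe."""
    return classify([parse_dig_answer(a) for a in answers])
```

Calling `label_domain(FLUX_LOOKUPS)` yields Double-Flux with phi = 3.0 for both record types, and `label_domain(BENIGN_LOOKUPS)` yields benign with phi = 1.0. In practice the snapshots come from the same kind of scheduled dig job the thesis uses, and they must be spaced further apart than the record TTL: a lookup made within the TTL only replays the resolver's cached answer and understates the flux, which is also why a very short TTL is itself a useful feature.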
