Published 2017-07-02, Hubei
CCNS2015 Topic 2 (New Network Security Technology: Fastflux) Overview 1
Collaborative Attacks

Informal definition*: “Collaborative attacks (CA) occur when more than one attacker or running process synchronize their actions to disturb a target network”

6. Quality based detection method

In a benign fast-flux network, the agents are machines that are completely controlled. In a fast-flux attack (FFA), almost all the agents are compromised zombies. The quality of each agent in a benign fast-flux network should therefore be higher than in a fast-flux attack. We propose two metrics that focus on the quality of the agents’ service to distinguish a benign fast-flux network from an FFA:

Minimum Availability Rate
Average Online Rate

The working process of our FFA monitoring system: Collecting Agents, Monitoring Agents, Estimate Metrics.

The Flux Agents Monitoring System (FAMS)

The dig tool is used to gather information related to the monitored domains. The system runs discrete queries; the interval between two queries is the TTL indicated in the previous DNS response. The Agent Monitor (AM) monitors the status of all the IPs in the IP records database: it sends HTTP requests and records the responses.

In the IP lifespan records database, 1 means the service is available, and 0 means the agent does not return a current HTTP response, including host inaccessible, port unavailable, HTTP service stopped and so on. A segment of the IP lifespan records is shown below.

Based upon the IP lifespan records, two metrics can be computed. Minimum Availability Rate (MAR): Average Online Rate (AOR):

During one month of observations, we monitor 157 FFANs, which are identified by ATLAS and FluXOR, and 7 benign FFSNs, which are all top 500 global sites
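The MAR and AOR formulas are not reproduced in this text, so the following added example (not from the original slides) assumes one reading: each agent's rate is the fraction of probes recorded as 1, MAR is the minimum of those rates across a network's agents, and AOR is their mean. The record format, function names and sample data are constructed for illustration.

```python
from statistics import mean

def parse_lifespan(text):
    """Parse 'IP 0/1-string' lines into {ip: [0|1, ...]}, one flag per AM probe."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, flags = line.split()
        if set(flags) - {"0", "1"}:
            raise ValueError(f"bad probe flags for {ip}: {flags!r}")
        records.setdefault(ip, []).extend(int(c) for c in flags)
    return records

def agent_rates(records):
    """Fraction of probes each agent answered; agents never probed are skipped."""
    return {ip: sum(f) / len(f) for ip, f in records.items() if f}

def quality_metrics(records):
    """Return (MAR, AOR) under the assumed definitions stated in the lead-in."""
    rates = agent_rates(records)
    if not rates:
        raise ValueError("no probed agents")
    return min(rates.values()), mean(rates.values())

# Constructed sample records (documentation-range IPs), not data from the study.
BENIGN = """
192.0.2.10 1111111111
192.0.2.11 1111101111
192.0.2.12 1111111111
"""
SUSPECT = """
198.51.100.7 1100000000
198.51.100.8 0011101000
198.51.100.9 1111100110
198.51.100.10 0000000011
"""

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        mar, aor = quality_metrics(parse_lifespan(data))
        print(f"{name}: MAR={mar:.2f} AOR={aor:.2f}")
```
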