3.8 Proceedings Paper

A Deep Learning Based Fast-Flux and CDN Domain Names Recognition Method

Publisher

ASSOC COMPUTING MACHINERY
DOI: 10.1145/3322645.3322679

Keywords

Fast-Flux service network; CDN; LSTM

Funding

  1. National Natural Science Foundation of China [U1736218]
  2. National Key R&D Program of China [2018YFC0806900]
  3. Beijing Engineering Laboratory of Vehicle Network Security Simulation, Attack and Defense Technology, Beijing Municipal Commission of Development Reform


A Fast-Flux (FF) service network is a common technique that malicious network activity (such as phishing websites, spam, and botnets) uses to avoid attack. By rapidly changing the IP addresses returned for a queried domain name, Fast-Flux avoids being isolated by IP blacklists and improves the availability of its services. Because of the use of Content Distribution Networks (CDNs) and circular (round-robin) DNS technology, some normal network services have similar characteristics. Distinguishing FF domain names from CDN domain names is therefore one of the key problems in FF domain name detection. Because manual extraction of FF features is complex and is easily bypassed deliberately by FF designers, this paper proposes a method called Fast-flux and CDN Domains Recognizer (FCDR), which learns FF and CDN features by itself and recognizes them using an LSTM network. By learning from domain names' resolution results collected at different times in different areas, FCDR can classify and identify Fast-Flux domain names, CDN domain names, other malicious domain names, and common non-CDN domain names more accurately.
