Publication

Abstract : Fast Flux Botnet (FFB) poses a significant threat as an advanced method employed by cybercriminals for orchestrating distributed malicious attacks. Existing FFB detection systems face challenges such as vulnerability to evasion mechanisms, prolonged detection times, and high dimensionality of the feature set. In response to these issues, this study introduces Bot-FFX, an improved FFB detection architecture designed to enhance the accuracy and efficiency of detection. Bot-FFX comprises four integral modules: extractor, filter, resolver, and detector. The extractor module is dedicated to Domain Name System (DNS) queries on domains, while the filter module classifies incoming domains as denylist or safelist, redirecting unclassified domains to the resolver. The resolver extracts all associated IP addresses within 10 min of the domain's Time-To-Live (TTL). The detector module employs a rule-based Genetic Algorithm (GA) and K-Nearest Neighbor (KNN) for botnet detection. Utilizing metrics such as Standard Deviation of Round Trip Time (SDRTT), Average Google Hits (AGH), and Genetic Threshold Value (GTV), the detector, built on a K-Dimensional (KD) tree KNN algorithm, accurately classifies domains based on their set of IP addresses. To evaluate Bot-FFX, a dataset comprising 2000 benign domains and 1630 botnet domains was utilized, divided into 50% training and testing sets. The results demonstrate the effectiveness of Bot-FFX, achieving an impressive accuracy of 99.178%, with a minimal false positive rate of 0.8% and an equally low false negative rate of 0.8%. This study establishes Bot-FFX as a robust and efficient framework for Fast Flux Botnet detection, contributing to the ongoing efforts in cybersecurity to combat evolving cyber threats.