Active Probing-Based Schemes and Data Analytics for Investigating Malicious Fast-Flux Web-Cloaking Based Domains

Abstract

There have been increasing levels of sophistication in the continuous battles between cyber criminals and law enforcement/cybersecurity practitioners. For example, Darknet operators often take advantage of the evasion techniques to hide their criminal activities, such as hosting illegal content, selling illegal materials, or terror-information exchanges. Web cloaking and fast-fluxing are the two common ones. Fast-fluxing constantly changes the host IP addresses and offers higher degree availability & robustness for malicious domain users. Web cloaking allows some dynamic web contents be sent at ordinary times, but different contents may be triggered by specific keywords on search engines or other geo-locations. Both contribute to the great challenges to cybersecurity and law enforcement practitioners, due to the fact that at the time of evidence collection, evidential data from the source may be simply not the same as that the evidence generated earlier for malicious purposes. In this paper, we will present new active probing-based schemes for detecting cloaking fast-flux malicious domains. In our prototype platform, we have integrated our schemes with the Tor system in order that our query and evidence collection are anonymous and distributed, to avoid the detection of malicious domain hosting servers. During the last 10 months, we have used this system to collect evidence data using the six of top ten worldwide search engines (e.g., Bing, Baidu, Ask, AoL, Lycos and Search). With the collected data, we developed algorithmic data analytic solutions to extract and classify the malicious fast-fluxing and web-cloaking domains. The effective evidence collection and analytic solutions will help law enforcement practitioners in their case work handling such malicious domains.