1. Technical Field
The application relates to fast-flux domain name system (DNS) attacks, and more particularly, to network attack detection devices and methods for detecting a fast-flux domain name system attack.
2. Related Art
In 2007, a fast-flux domain name system (DNS) attack was discovered. The fast-flux domain name system (DNS) attack is different from conventional attacks because the fast-flux domain name system (DNS) attack can evade conventional blacklist mechanisms and can extend the time allotted for hacking. Fast-flux domain name system (DNS) attacks are mostly used by Botnet for malicious behavior such as spamming, phishing and malicious file download etc.
Current fast-flux domain name system (DNS) attack detection methods, detect fast-flux domain name system (DNS) attacks according to time delay information. Accordingly, when applied, delay detection problems may occur.
There are two types of fast-flux domain name system (DNS) attack detection methods which are based on different temporal characteristics. One is based on the information of internet protocol addresses. For example, there is a 99% accuracy rate when using the method, applying time to live (TTL) time differences, such as an autonomous system number (ASN), which correspond to internet protocol addresses and an AI method for automatic detection. However, delay detection problems occur.
The second method is based on the information of domain name systems (DNS) and internet protocol addresses. Since the TTL time of most malicious attacks is below three hours, accuracy rate may be increased by applying information of domain name systems, such as the application time of a domain name. The detection time is determined according to the TTL time of every domain name, and the waiting time is 1-3 hours. In addition, there is a 99% accuracy rate when also adding a naive Bayes classifier for automatic detection. However, delay detection problems also occur.