On a company network where there may be valuable assets to be protected, many techniques and software and hardware solutions are employed to prevent the loss of those assets, but current solutions have proven ineffective at stopping attempts to infiltrate the network and exfiltrate intellectual property and data. One technique used by attacking hackers, commonly referred to as Advanced Persistent Threats (hereafter “APT” or “APTs”), is to infect a target machine by some mechanism and install malware that performs actions on behalf of the attacker. The APT then begins to “call out” or “beacon” to a host or list of hosts on the internet on a recurring basis.
A purpose of these callouts is to get through firewalls (which tend to block much incoming traffic but allow most outgoing traffic) and allow the attacker to instruct or control the victim device to carry out actions such as surveying other systems, collecting data from the infected system, further infiltrating the network, and sending information back to the attacker. Attackers have over time evolved better techniques for performing this call-back, making it more difficult to determine where infected hosts may be attempting to connect.
One of the most advanced current techniques uses what are referred to as “Fast-Flux” networks to avoid detection. Existing systems do not effectively identify Uniform Resource Locators (URLs) whose Internet Protocol (IP) addresses or authoritative Domain Name System (DNS) servers change frequently. Existing systems generally rely on pre-defined lists of known suspicious URLs, IP addresses or DNS servers to perform detection.
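As an added illustration that is not part of this document, the following heuristic aggregates DNS observations per domain (distinct resolved IPs, distinct authoritative name servers, mean TTL) and flags fast-flux behaviour, beside a static blocklist lookup of the kind the existing systems rely on. The domains, observation format and thresholds are constructed assumptions.

```python
"""Heuristic fast-flux detection over constructed DNS observation records."""
from collections import defaultdict
from statistics import mean

# Constructed sample: (domain, resolved_ip, ttl_seconds, authoritative_ns) per lookup.
DNS_OBSERVATIONS = [
    ("update.example-cdn.test", "198.51.100.10", 300, "ns1.example-cdn.test"),
    ("update.example-cdn.test", "198.51.100.10", 300, "ns1.example-cdn.test"),
    ("update.example-cdn.test", "198.51.100.11", 300, "ns1.example-cdn.test"),
    ("c2.fluxy.test", "203.0.113.5", 30, "ns-a.fluxy.test"),
    ("c2.fluxy.test", "203.0.113.77", 30, "ns-b.fluxy.test"),
    ("c2.fluxy.test", "192.0.2.200", 20, "ns-c.fluxy.test"),
    ("c2.fluxy.test", "203.0.113.9", 30, "ns-a.fluxy.test"),
    ("c2.fluxy.test", "192.0.2.13", 25, "ns-d.fluxy.test"),
]

# Pre-defined list of known suspicious names, as used by the existing systems (constructed).
STATIC_BLOCKLIST = {"known-bad.test"}

def fast_flux_indicators(observations):
    """Aggregate per domain: distinct IPs, distinct authoritative NS, mean TTL."""
    ips, nss, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl, ns in observations:
        ips[domain].add(ip)
        nss[domain].add(ns)
        ttls[domain].append(ttl)
    return {d: {"distinct_ips": len(ips[d]), "distinct_ns": len(nss[d]),
                "mean_ttl": mean(ttls[d])} for d in ips}

def is_fast_flux(ind, min_ips=4, min_ns=2, max_ttl=60):
    """Flag when IP churn, authoritative-NS churn and short TTLs all point to fluxing.
    Thresholds are illustrative assumptions; tune against known CDN behaviour."""
    return (ind["distinct_ips"] >= min_ips and ind["distinct_ns"] >= min_ns
            and ind["mean_ttl"] <= max_ttl)

def classify(observations, blocklist=STATIC_BLOCKLIST):
    """Return {domain: verdict}, showing what the list catches versus the heuristic."""
    verdicts = {}
    for domain, ind in fast_flux_indicators(observations).items():
        if domain in blocklist:
            verdicts[domain] = "blocklisted"
        elif is_fast_flux(ind):
            verdicts[domain] = "fast_flux_suspect"
        else:
            verdicts[domain] = "benign"
    return verdicts

if __name__ == "__main__":
    for domain, verdict in classify(DNS_OBSERVATIONS).items():
        print(f"{domain}: {verdict}")
```

Note that the fluxing domain is absent from the static list and is caught only by the behavioural indicators; legitimate CDNs also rotate IPs with short TTLs, so the NS-churn condition and the thresholds matter for false positives.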