Publication | Closed Access
Collaborative Detection of Fast Flux Phishing Domains
Citations: 32; References: 16; Year: 2009
Topics: Engineering, Machine Learning, Information Security, Network Analysis, Information Forensics, Spam Filtering, Information Retrieval, Data Science, Data Mining, Collaborative Detection, Networked Intelligence, Internet Security, DNS Queries, Threat Detection, Knowledge Discovery, Data Privacy, Multiple DNS Servers, Computer Science, Data Security, Cryptography, Network Science, Botnet Detection, FF Domain, Phishing
Phishing is a significant security threat to users of Internet services. Nowadays, phishing has become more resilient to detection and trace-back with the invention of Fast Flux (FF) service networks. We propose two approaches to correlate evidence from multiple DNS servers and multiple suspect FF domains. Real-world experiments show that our correlation approaches speed up FF domain detection, based on an analytical model that we propose to quantify the number of DNS queries needed to confirm an FF domain. We also show how our correlation scheme can be implemented on a large scale by using a decentralized publish-subscribe correlation model called LarSID, which is more scalable than a fully centralized architecture.