Detection of Phishing Websites Hosted in Name Server Flux Networks Using Machine Learning

Abstract

: Attackers are increasingly using Name Server IP Flux Networks (NSIFNs) to run the domain name services of their phishing websites in order to extend the duration of their phishing operations. These networks host a name server that manages the Domain Name System (DNS) records of the websites on a network of compromised machines with frequently changing IP addresses. As a result, blacklisting the machines has less impact on stopping the services, lengthening their lifespan and that of the websites they support. High detection delays and the use of fewer, lesser varied detection features limit the proposed solutions for identifying the websites hosted in these networks, making them more susceptible to detection evasions. This study suggests a novel set of highly diverse features based on DNS, network, and host behaviors for fast and highly accurate detection of phishing websites hosted in NSIFNs using a Machine Learning (ML) approach. Using a variety of traditional and deep learning ML algorithms, the prediction performance of our features was assessed in the context of binary and multi-class classification tasks. Our approach achieved optimal accuracy rates of 98.59% and 90.41% for the binary and multi-class classification tasks, respectively. Our approach is a crucial step toward monitoring NSIFN components to mitigate phishing attacks efficiently.