DocumentCode :
3348952
Title :
A Self-Healing, Self-Protecting Collaborative Intrusion Detection Architecture to Trace-Back Fast-Flux Phishing Domains
Author :
Zhou, Chenfeng Vincent ; Leckie, Christopher ; Karunasekera, Shanika ; Peng, Tao
Author_Institution :
Dept. of Comput. Sci. & Software Eng., Melbourne Univ., Melbourne, VIC
fYear :
2008
fDate :
7-11 April 2008
Firstpage :
321
Lastpage :
327
Abstract :
Millions of users divulge their personal information on phishing web sites, which causes over a billion dollars in losses every year. Phishing domain take-down is the most promising approach to address this security issue, since there will be nothing for a misled user to see once the fraudulent website has been removed completely. A key part of the take-down procedure is tracing back the phishing hosting system. Traditional phishing hosting machines can be identified relatively quickly by their public DNS name, or directly if their IP address is embedded within spam email. However, a newer architectural innovation known as fast-flux networks uses a pool of compromised machines to hide the phishing website hosting system, which makes phishing website trace-back almost impractical. We propose a decentralized collaborative intrusion detection approach to address this defense challenge, based on a collaborative intrusion detection system (CIDS) architecture. The participating detection systems belong to different ISPs, which allows the fast-flux machines to be monitored. The suspicious communication patterns of fast-flux machines are correlated across different ISPs in a multistage manner to trace back the actual phishing website hosting machine. The architecture is scalable and self-healing through its use of a structured peer-to-peer network, and also enables the participants to be self-protecting. The communication is loosely coupled through a publish/subscribe mechanism. Our evaluation results show that the proposed decentralized CIDS is more effective than a fully centralized system.
Keywords :
Internet; Web sites; groupware; peer-to-peer computing; security of data; telecommunication security; IP address; Internet service provider; Web sites; fast-flux network; peer-to-peer network; self-healing collaborative intrusion detection architecture; self-protecting collaborative intrusion detection architecture; trace-back fast-flux phishing domain; Collaboration; Collaborative software; Computer architecture; Computer science; Gold; Government; Intrusion detection; Iron; Laboratories; Software engineering;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network Operations and Management Symposium Workshops, 2008. NOMS Workshops 2008. IEEE
Conference_Location :
Salvador da Bahia
Print_ISBN :
978-1-4244-2067-4
Type :
conf
DOI :
10.1109/NOMSW.2007.50
Filename :
4509966