Overview
This project implements a deep learning framework for detecting fast-flux DNS (domains whose A records rotate rapidly behind low TTLs, as used for resilient botnet hosting) using:
- LSTM, GRU, BiLSTM (RNN-based models)
- Spiking Neural Network (SNN)
- Feature-level ablation studies

DNS behavioral features are extracted from raw dig logs and used to classify each sample as:
- 0 → Benign
- 1 → Fast Flux
Project Structure
```
fast-flux-detection/
│
├── fast_flux_detection_rnn_snn.py
├── ablation_test_no_features.py
├── ablation_test_feature_groups_only.py
├── dataset/
│   ├── benign/
│   └── ff/
└── README.md
```
Main Model: RNN & SNN Pipeline
File: fast_flux_detection_rnn_snn.py
Includes:
- DNS feature extraction from dig logs
- Shannon entropy calculation
- Data normalization (StandardScaler)
- Sequence generation (SEQ_LEN = 5)
- LSTM, GRU, BiLSTM classifiers
- Spiking Neural Network (LIF neurons via snntorch)
- Early stopping
- Classification report & confusion matrix
Ablation Test 1: Feature Removal
File: ablation_test_no_features.py
Experiments:
- Baseline (all features)
- No TTL features
- No IP diversity features
- No DNS structure features
Purpose: measure the performance impact when a specific feature group is removed.
Ablation Test 2: Single Feature Groups
File: ablation_test_feature_groups_only.py
Experiments:
- TTL only
- IP diversity only
- DNS structure only
Purpose: evaluate how well each feature group performs on its own.
Feature Groups
- TTL features: ttl_min, ttl_max, ttl_avg, ttl_stddev
- IP diversity features: num_A_records, ip_entropy, num_unique_subnets
- DNS structure features: num_CNAME_records, num_NS_records
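The following is an added example (not code from this project) showing how the nine features above can be computed from a raw dig transcript and how SEQ_LEN-length sequences can be formed from them. The dig output is constructed for illustration; the exact feature definitions (TTL statistics over all resource records, ip_entropy as the Shannon entropy of the A-record address distribution, subnets counted at /24, and sequences as sliding windows over successive lookups of the same domain) are assumptions, since the README does not spell them out.

```python
import math
import re
import statistics
from collections import Counter
from ipaddress import ip_network

# Constructed dig output for one lookup (illustrative, not from the project's dataset).
# Four A records spread over three /24s with 30-60 s TTLs is the shape of answer
# a fast-flux domain tends to return.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.example-ff.test.\t\tIN\tA

;; ANSWER SECTION:
www.example-ff.test.\t120\tIN\tCNAME\tcdn.example-ff.test.
cdn.example-ff.test.\t30\tIN\tA\t203.0.113.7
cdn.example-ff.test.\t30\tIN\tA\t198.51.100.22
cdn.example-ff.test.\t60\tIN\tA\t192.0.2.45
cdn.example-ff.test.\t30\tIN\tA\t203.0.113.7

;; AUTHORITY SECTION:
example-ff.test.\t300\tIN\tNS\tns1.example-ff.test.
example-ff.test.\t300\tIN\tNS\tns2.example-ff.test.
"""

# One resource record as dig prints it: NAME TTL IN TYPE RDATA
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.+?)\s*$")


def parse_rrs(dig_text):
    """Return (name, ttl, rtype, rdata) tuples for every RR in a dig transcript."""
    rrs = []
    for line in dig_text.splitlines():
        if not line or line.startswith(";"):  # blank lines, ';;' headers, question section
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            rrs.append((name, int(ttl), rtype, rdata))
    return rrs


def shannon_entropy(items):
    """Shannon entropy in bits of the value distribution in `items`; 0.0 for empty input."""
    counts = Counter(items)
    total = sum(counts.values())
    if not total:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def extract_features(dig_text):
    """Compute the nine README features for one dig transcript (definitions assumed, see lead-in)."""
    rrs = parse_rrs(dig_text)
    ttls = [ttl for _, ttl, _, _ in rrs]
    a_ips = [rdata for _, _, rtype, rdata in rrs if rtype == "A"]
    # Assumption: "subnet" means the /24 containing each A-record address.
    subnets = {ip_network(f"{ip}/24", strict=False) for ip in a_ips}
    return {
        # TTL features (assumed: over every RR in the transcript, answer + authority)
        "ttl_min": min(ttls) if ttls else 0,
        "ttl_max": max(ttls) if ttls else 0,
        "ttl_avg": statistics.fmean(ttls) if ttls else 0.0,
        "ttl_stddev": statistics.pstdev(ttls) if ttls else 0.0,
        # IP diversity features
        "num_A_records": len(a_ips),
        "ip_entropy": shannon_entropy(a_ips),
        "num_unique_subnets": len(subnets),
        # DNS structure features
        "num_CNAME_records": sum(1 for _, _, t, _ in rrs if t == "CNAME"),
        "num_NS_records": sum(1 for _, _, t, _ in rrs if t == "NS"),
    }


FEATURE_ORDER = ["ttl_min", "ttl_max", "ttl_avg", "ttl_stddev",
                 "num_A_records", "ip_entropy", "num_unique_subnets",
                 "num_CNAME_records", "num_NS_records"]


def make_sequences(feature_dicts, seq_len=5):
    """Sliding windows of `seq_len` consecutive feature vectors (SEQ_LEN = 5 in the README).

    Assumes `feature_dicts` are successive lookups of the same domain in time order,
    so each window is one input sample for the RNN/SNN models.
    """
    vectors = [[row[k] for k in FEATURE_ORDER] for row in feature_dicts]
    return [vectors[i:i + seq_len] for i in range(len(vectors) - seq_len + 1)]


if __name__ == "__main__":
    feats = extract_features(SAMPLE_DIG_OUTPUT)
    for k in FEATURE_ORDER:
        print(f"{k:>20}: {feats[k]}")
    # Seven repeated lookups of the same domain -> three windows of length 5.
    print(len(make_sequences([feats] * 7)), "sequences")
```

Note that the sample's ip_entropy is 1.5 bits rather than 2 because one address is repeated; on real data the IP diversity features only become discriminative across repeated lookups, which is why the windowing step matters.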
Evaluation
- Accuracy
- Precision
- Recall
- F1-score
- Confusion matrix

Dataset split:
- 70% training
- 15% validation
- 15% testing
StandardScaler statistics should be fitted on the training split only, so that validation and test data do not leak into the normalization.

Technologies
- Python
- PyTorch
- snntorch
- scikit-learn
- pandas / numpy
- matplotlib / seaborn