Approximate String Matching for DNS Anomaly Detection

In this paper we propose a novel approach to identifying anomalies in DNS traffic. The traffic time-series data is transformed into a string, which a new, fast approximate string matching algorithm then uses to detect anomalies. Our approach is generic in nature and allows fast adaptation to different types of traffic. We evaluate the approach on a large public dataset of DNS traffic spanning 10 days, discovering more than an order of magnitude more DNS attacks than auto-regression as a baseline. Moreover, an additional comparison with other common regressors, namely Linear Regression, Lasso, Random Forest and KNN, also shows the superiority of our approach.
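The pipeline the abstract sketches, as an added Python illustration that is not the paper's code: per-minute DNS query counts are quantised into a symbol string, each sliding window of the test part is compared by edit distance against every window of a known-good training prefix, and an AR(1) one-step-residual detector stands in for the auto-regression baseline. The z-score breakpoints, the window size, the distance threshold, the constructed sample series and the injected burst are all assumptions made for this example, not values from the paper.

```python
"""Added illustration (not the paper's code): DNS query counts per minute ->
symbolic string -> approximate string matching against a known-good profile.
Quantisation bands, the edit-distance matcher, the window size and the AR(1)
baseline are all assumptions made for this example."""
import math
from typing import Dict, List

# Constructed sample: 60 one-minute bins of DNS query counts following a smooth
# wave, with a 5-minute burst injected at minutes 40-44 to stand in for an attack.
def constructed_series() -> List[int]:
    series = [int(100 + 20 * math.sin(t / 5.0)) for t in range(60)]
    for t in range(40, 45):
        series[t] += 400
    return series

# Z-score bands (SAX-style breakpoints, assumed). The extra 3.0 break gives values
# far outside the training range their own symbol instead of merging them with
# the ordinary "high" band, which is what lets a sustained burst stand out.
BREAKS = [-0.84, -0.25, 0.25, 0.84, 3.0]
ALPHABET = "abcdef"

def fit_profile(train: List[int]) -> Dict[str, float]:
    """Mean and standard deviation of the known-good training prefix."""
    mean = sum(train) / len(train)
    var = sum((x - mean) ** 2 for x in train) / len(train)
    return {"mean": mean, "sd": math.sqrt(var) or 1.0}

def to_string(values: List[int], profile: Dict[str, float]) -> str:
    """Map each count to one symbol according to its z-score band."""
    out = []
    for x in values:
        z = (x - profile["mean"]) / profile["sd"]
        out.append(ALPHABET[sum(1 for b in BREAKS if z > b)])
    return "".join(out)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def string_detector(series: List[int], train_len: int = 30,
                    window: int = 5, max_dist: int = 2) -> List[int]:
    """Start minutes of test windows whose symbol pattern is more than max_dist
    edits away from every window pattern seen in the training string."""
    profile = fit_profile(series[:train_len])
    train_s = to_string(series[:train_len], profile)
    test_s = to_string(series[train_len:], profile)
    normal = {train_s[i:i + window] for i in range(len(train_s) - window + 1)}
    flagged = []
    for i in range(len(test_s) - window + 1):
        pattern = test_s[i:i + window]
        if min(edit_distance(pattern, n) for n in normal) > max_dist:
            flagged.append(train_len + i)
    return flagged

def ar1_detector(series: List[int], train_len: int = 30, k: float = 3.0) -> List[int]:
    """Baseline: AR(1) fitted by least squares on the training prefix; a minute is
    flagged when its one-step residual exceeds k training-residual std devs."""
    xs, ys = series[:train_len - 1], series[1:train_len]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    resid = [y - (a + b * x) for x, y in zip(xs, ys)]
    sd = math.sqrt(sum(r * r for r in resid) / len(resid)) or 1.0
    return [t for t in range(train_len, len(series))
            if abs(series[t] - (a + b * series[t - 1])) > k * sd]

if __name__ == "__main__":
    data = constructed_series()
    print("string matcher flags windows starting at:", string_detector(data))
    print("AR(1) baseline flags minutes:", ar1_detector(data))
```

On the constructed series the string matcher flags every window in which at least three of the five minutes carry the out-of-range symbol, so the whole burst is reported as one contiguous region. The AR(1) baseline reacts strongly at the edges of the level shift (the jump at minute 40 and the drop at minute 45), because once the series has jumped its one-step prediction tracks the new level; this edge-only behaviour is one reason a point-wise regression residual can under-count sustained anomalies compared with a pattern-level comparison.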
