Detecting anomalies in DNS protocol traces via Passive Testing and Process Mining

In this article we present our first approach to using Passive Testing (used in protocol and software conformance checking) and Process Mining (used in enterprise workflow analysis) techniques for analyzing DNS operation traces. We propose a process view of the DNS protocol, modeling it as a sequence of structured activities, queries and responses, that are executed by actors, in this case clients and servers, with the objective of exchanging some valuable information. As an example, we applied our techniques to the "A Day in Internet Life" DNS traces to show how easily a mail botnet attack can be discovered. We conclude from this first approach that these techniques have a promising future for analyzing DNS traces, and we plan to extend the testing to conformance checking against the formal definition of DNS given in RFC 1035.
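The process view sketched above, as an added example that is not the paper's own code or method: each DNS packet becomes an event (timestamp, client, server, activity), a case is one client's ordered sequence of activities, and from the cases we derive a directly-follows graph and per-client activity profiles. The sample trace, the activity names, and the anomaly rule (a client whose queries are almost all MX lookups, spread across several servers) are assumptions chosen for illustration; the abstract does not say which profile characterised the botnet it found.

```python
"""Added example: DNS traces treated as a process-mining event log.
Not from the paper; sample data and anomaly rule are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class DnsEvent:
    ts: float        # capture time in seconds
    client: str      # actor issuing the query
    server: str      # actor answering it
    activity: str    # "QUERY:<qtype>" or "RESP:<qtype>"


# Constructed sample trace: six ordinary clients resolving A/AAAA records
# (c1 also asks for one MX record) and one client, c7, that does nothing but
# issue MX lookups to four different servers, the profile assumed here for a
# spam-sending bot.
NORMAL_PATTERN = ["QUERY:A", "RESP:A", "QUERY:A", "RESP:A", "QUERY:AAAA", "RESP:AAAA"]
BOT_PATTERN = ["QUERY:MX", "RESP:MX"] * 4


def sample_events():
    events, ts = [], 0.0
    for i in range(1, 7):
        pattern = NORMAL_PATTERN + (["QUERY:MX", "RESP:MX"] if i == 1 else [])
        for act in pattern:
            events.append(DnsEvent(ts, f"c{i}", "ns1", act))
            ts += 0.1
    for k, act in enumerate(BOT_PATTERN):
        events.append(DnsEvent(ts, "c7", f"ns{k // 2 + 1}", act))
        ts += 0.1
    return events


def build_cases(events):
    """Group events into cases keyed by client, ordered by timestamp."""
    cases = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        cases[ev.client].append(ev.activity)
    return dict(cases)


def directly_follows(cases):
    """Count how often activity a is immediately followed by b within a case,
    the relation that process-discovery algorithms build on."""
    dfg = Counter()
    for trace in cases.values():
        dfg.update(zip(trace, trace[1:]))
    return dfg


def activity_share(cases, activity):
    """Fraction of each client's queries that are of the given activity."""
    shares = {}
    for client, trace in cases.items():
        queries = [a for a in trace if a.startswith("QUERY:")]
        shares[client] = sum(a == activity for a in queries) / len(queries) if queries else 0.0
    return shares


def flag_outliers(shares, z_threshold=2.0):
    """Clients whose share lies more than z_threshold population stdevs above the mean."""
    values = list(shares.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return sorted(c for c, s in shares.items() if (s - mu) / sigma > z_threshold)


def server_fanout(events):
    """Distinct servers each client talks to: the actor-network view of the log."""
    fan = defaultdict(set)
    for ev in events:
        fan[ev.client].add(ev.server)
    return {c: len(s) for c, s in fan.items()}


if __name__ == "__main__":
    evs = sample_events()
    cases = build_cases(evs)
    print("directly-follows:", directly_follows(cases).most_common(5))
    print("MX outliers:", flag_outliers(activity_share(cases, "QUERY:MX")))
    print("server fan-out:", server_fanout(evs))
```

On the constructed trace the directly-follows graph shows the expected query/response alternation, and the MX share of c7 sits well above two standard deviations from the population, so it is flagged while c1's single MX lookup is not; the fan-out count gives a second, actor-based signal of the same behaviour. On a real capture the case would more naturally be a client and resolver pair or a transaction ID, and the threshold would be calibrated against the population rather than fixed.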
