Detection of DNS Traffic Anomalies in Large Networks

Almost every Internet communication is preceded by the translation of a DNS name to an IP address. Monitoring DNS traffic can therefore extend the capabilities of current network traffic anomaly detection methods. To monitor this traffic efficiently, we propose a new flow metering algorithm that saves flow exporter resources. Next, to demonstrate the benefits of DNS traffic monitoring for anomaly detection, we introduce novel detection methods based on DNS-extended flows. Our evaluation shows that the approach not only reveals DNS anomalies but also scales well in a campus network.
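As an added illustration (not the paper's code, and not its detection methods, which this page does not detail), the following Python sketch shows what a flow record extended with DNS fields might look like and runs two simple detectors over it: a per-client NXDOMAIN ratio, which rises when a host probes algorithmically generated names, and a per-(client, domain) count of distinct long subdomains, the shape of DNS tunnelling. The record layout, the thresholds, the `base_domain` simplification and all sample flows are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# RFC 1035 response codes used below.
NOERROR, NXDOMAIN = 0, 3


@dataclass(frozen=True)
class DnsFlow:
    """One flow record extended with DNS fields.
    Hypothetical layout: the paper's exact field set is not given on this page."""
    src: str       # client address
    dst: str       # resolver address
    qname: str     # queried name
    qtype: int     # RR type (1 = A, 16 = TXT)
    rcode: int     # response code of the matching answer
    packets: int


def base_domain(qname: str) -> str:
    # Simplification for the example: keep the last two labels. A real
    # deployment would consult the Public Suffix List so that
    # "host.bbc.co.uk" is not collapsed to "co.uk".
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def nxdomain_ratio_alerts(flows, min_queries=20, ratio=0.5):
    """Clients whose answers are mostly NXDOMAIN (DGA-style probing).
    Returns {client: nxdomain_ratio}. Thresholds are arbitrary."""
    total = defaultdict(int)
    nx = defaultdict(int)
    for f in flows:
        total[f.src] += 1
        if f.rcode == NXDOMAIN:
            nx[f.src] += 1
    return {c: nx[c] / total[c] for c in total
            if total[c] >= min_queries and nx[c] / total[c] >= ratio}


def tunnel_alerts(flows, min_subdomains=25, min_avg_len=40):
    """(client, domain) pairs with many distinct, long query names.
    Returns {(client, domain): (distinct_names, mean_name_length)}."""
    names = defaultdict(set)
    for f in flows:
        names[(f.src, base_domain(f.qname))].add(f.qname)
    alerts = {}
    for key, qnames in names.items():
        avg = mean(len(n) for n in qnames)
        if len(qnames) >= min_subdomains and avg >= min_avg_len:
            alerts[key] = (len(qnames), avg)
    return alerts


def detect(flows):
    return {"nxdomain": nxdomain_ratio_alerts(flows),
            "tunnel": tunnel_alerts(flows)}


def sample_flows():
    """Constructed sample data, not taken from the paper."""
    resolver = "10.0.0.53"
    flows = []
    # Benign client: a few successful lookups.
    for host in ["www.example.com", "mail.example.com", "cdn.example.net"]:
        flows.append(DnsFlow("10.1.1.10", resolver, host, 1, NOERROR, 2))
    # DGA-like client: 30 random-looking names, 27 of them answered NXDOMAIN.
    for i in range(30):
        rc = NOERROR if i < 3 else NXDOMAIN
        flows.append(DnsFlow("10.1.1.20", resolver, f"x{i:04d}qzk.biz", 1, rc, 2))
    # Tunnel-like client: 40 distinct 50-character labels under one domain, TXT type.
    for i in range(40):
        label = ("a1b2c3d4e5f6" * 4)[:48] + f"{i:02d}"
        flows.append(DnsFlow("10.1.1.30", resolver, f"{label}.t.example.org", 16, NOERROR, 2))
    return flows


if __name__ == "__main__":
    for kind, hits in detect(sample_flows()).items():
        print(kind, hits)
```

Both detectors read only fields a DNS-aware exporter can fill in from the query and its answer (client, name, type, response code), which is the point of extending flows rather than capturing full packets: the collector never sees payloads, yet still has enough to rank clients by NXDOMAIN share or by subdomain churn per domain.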