Skip to main content
SpringerLink
Log in

Approximate String Matching for DNS Anomaly Detection

  • Conference paper
  • First Online:
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 11611))

Abstract

In this paper we propose a novel approach to identify anomalies in DNS traffic. The traffic time-points data is transformed to a string, which is used by new fast approximate string matching algorithm to detect anomalies. Our approach is generic in its nature and allows fast adaptation to different types of traffic. We evaluate the approach on a large public dataset of DNS traffic based on 10 days, discovering more than order of magnitude DNS attacks in comparison to auto-regression as a baseline. Moreover, the additional comparison has been made including other common regressors such as Linear Regression, Lasso, Random Forest and KNN, all of them showing the superiority of our approach.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Security and Stability Advisory Committee (SSAC). SSAC advisory on fast flux hosting and DNS (2008)

    Google Scholar 

  2. Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: International Conference on in Malicious and Unwanted Software, pp. 24–31 (2008)

    Google Scholar 

  3. Villamarn-Salomn, R., Brustoloni, J.C.: Identifying botnets using anomaly detection techniques applied to DNS traffic. In: Consumer Communications and Networking Conference, pp. 476–481 (2008)

    Google Scholar 

  4. Choi, H., Lee, H., Lee, H., Kim, H.: Botnet detection by monitoring group activities in DNS traffic. In: IEEE International Conference on Computer and Information Technology, pp. 715–720 (2007)

    Google Scholar 

  5. Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis, CoRR, abs/1004.4358 (2010)

    Google Scholar 

  6. Karasaridis, A.: Detection of DNS Traffic Anomalies, AT&T report (2012)

    Google Scholar 

  7. Yuchi, X., Wang, X., Lee, X., Yan, B.: A new statistical approach to DNS traffic anomaly detection. In: Cao, L., Zhong, J., Feng, Y. (eds.) ADMA 2010. LNCS (LNAI), vol. 6441, pp. 302–313. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17313-4_30

    Chapter  Google Scholar 

  8. Čermák, M., Čeleda, P., Vykopal, J.: Detection of DNS traffic anomalies in large networks. In: Kermarrec, Y. (ed.) EUNICE 2014. LNCS, vol. 8846, pp. 215–226. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13488-8_20

    Chapter  Google Scholar 

  9. Yarochkin, F., Kropotov, V., Huang, Y., Ni, G.-K., Kuo, S.-Y., Chen, I.-Y.: Investigating DNS traffic anomalies for malicious activities. In: DSN Workshops, pp. 1–7 (2013)

    Google Scholar 

  10. Krmcek, V.: Inspecting DNS Flow Traffic for Purposes of Botnet Detection, manuscript (2011)

    Google Scholar 

  11. Satam, P., Alipour, H., Al-Nashif, Y., Hariri, S.: Anomaly behavior analysis of DNS protocol. J. Internet Serv. Inf. Secur. 5(4), 85–97 (2015)

    Google Scholar 

  12. Yamada, A., Miyake, Y., Terabe, M., Hashimoto, K., Kato, N.: Anomaly detection for DNS servers using frequent host selection. In: AINA, pp. 853–860 (2009)

    Google Scholar 

  13. Wang, Y., Hu, M.-z., Li, B., Yan, B.-r.: Tracking anomalous behaviors of name servers by mining DNS traffic. In: Min, G., Di Martino, B., Yang, Laurence T., Guo, M., Rünger, G. (eds.) ISPA 2006. LNCS, vol. 4331, pp. 351–357. Springer, Heidelberg (2006). https://doi.org/10.1007/11942634_37

    Chapter  Google Scholar 

  14. Karasaridis, A., Meier-Hellstern, K., Hoeflin, D.: Nis04-2: detection of DNS anomalies using flow data analysis. In: GLOBECOM, pp. 1–6 (2006)

    Google Scholar 

  15. Gu, Y., McCallum, A., Towsley, D.: Detecting anomalies in network traffic using maximum entropy estimation. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement (2005)

    Google Scholar 

  16. Berezinski, P., Jasiul, B., Szpyrka, M.: An entropy-based network anomaly detection method. Entropy 17, 2367–2408 (2015)

    Article  Google Scholar 

  17. AlEroud, A., Karabatis, G.: Queryable semantics to detect cyber-attacks:a flow-based detection approach. IEEE Trans. Syst. Man Cybern. Syst. 48, 207–223 (2017)

    Article  Google Scholar 

  18. Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. SIGCOMM Comput. Commun. Rev. 35(4), 217–228 (2005)

    Article  Google Scholar 

  19. Raghuram, J., Miller, D.J., Kesidis, G.: Unsupervised, low latency anomaly detection of algorithmically generated domain names by generative probabilistic modeling. J. Adv. Res. 5, 423–433 (2014)

    Article  Google Scholar 

  20. Kirchler, M., Herrmann, D., Lindemann, J., Kloft, M.: Tracked without a trace: linking sessions of users by unsupervised learning of patterns in their DNS traffic. In: AISec@CCS, pp. 23–34 (2016)

    Google Scholar 

  21. Erman, J., Arlitt, M., Mahanti, A.: Traffic classification using clustering algorithms. In: MineNet 2006, pp. 281–286 (2006)

    Google Scholar 

  22. Chatzis, N., Popescu-Zeletin, R.: Flow level data mining of DNS query streams for email worm detection. In: Corchado, E., Zunino, R., Gastaldo, P., Herrero, Á. (eds.) Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS 2008. Advances in Soft Computing, vol. 53, pp. 186–194. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88181-0_24

    Chapter  Google Scholar 

  23. Moustafa, N., Slay, J.: Creating novel features to anomaly network detection using DARPA-2009 data set. In: Proceedings of the 14th European Conference on Cyber Warfare and Security 2015: ECCWS (2015)

    Google Scholar 

  24. Münz, G.: Traffic anomaly detection and cause identification using flow-level measurements. Technical University Munich 2010, pp. 1–228 (2010). ISBN 3-937201-12-2

    Google Scholar 

  25. Hong, L.V.: DNS Traffic Analysis for Network-based Malware Detection. Technical University of Denmark, Informatics and Mathematical Modelling (2012)

    Google Scholar 

  26. Nikolaev, I.: Network Service Anomaly Detection. Czech Technical University, Prague (2014)

    Google Scholar 

  27. Greis, R., Reis, T., Nguyen, C.: Comparing prediction methods in anomaly detection: an industrial evaluation. In: MILETS (2018)

    Google Scholar 

  28. Freedman, D.A.: Statistical Models: Theory and Practice. Cambridge University Press, Cambridge (2009)

    Google Scholar 

  29. Tibshirani, R.: Regression shrinkage and selection via the lasso. J. Roy. Stat. Soc.: Ser. B (Methodol.) 58(1), 267–288 (1996)

    MathSciNet  MATH  Google Scholar 

  30. Ho, T.K.: Random decision forests. In: Proceedings of the 3rd International Conference on Document Analysis and Recognition, pp. 278–282 (1995)

    Google Scholar 

  31. Altman, N.S.: An introduction to kernel and nearest-neighbor nonparametric regression. Am. Statist. 46(3), 175–185 (1992)

    MathSciNet  Google Scholar 

  32. Knuth, D.E., Morris Jr., J.H., Pratt, V.R.: Fast pattern matching in strings. SIAM J. Comput. 6(2), 323–350 (1977)

    Article  MathSciNet  Google Scholar 

  33. Hirani, M., Jones, S., Read, B.: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html. Accessed 9 Jan 2019

  34. https://www.icann.org/news/announcement-2019-02-22-en

Download references

Author information

Authors and Affiliations

  1. Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, 84105, Beer-Sheva, Israel

    Roni Mateless

  2. School of Electrical and Computer Engineering, Department of Communication Systems Engineering, Ben-Gurion University of the Negev, 84105, Beer-Sheva, Israel

    Michael Segal

Authors
  1. Roni Mateless
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Michael Segal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Michael Segal .

Editor information

Editors and Affiliations

  1. Guangzhou University, Guangzhou, China

    Guojun Wang

  2. Huazhong University of Science and Technology, Wuhan, China

    Jun Feng

  3. Fordham University, New York City, NY, USA

    Md Zakirul Alam Bhuiyan

  4. University of New Brunswick, Fredericton, NB, Canada

    Rongxing Lu

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Mateless, R., Segal, M. (2019). Approximate String Matching for DNS Anomaly Detection. In: Wang, G., Feng, J., Bhuiyan, M., Lu, R. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2019. Lecture Notes in Computer Science(), vol 11611. Springer, Cham. https://doi.org/10.1007/978-3-030-24907-6_37

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-24907-6_37

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-24906-9

  • Online ISBN: 978-3-030-24907-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation