Abstract
In this paper we propose a novel approach to identifying anomalies in DNS traffic. The traffic time-series data is transformed into a string, which is then searched by a new fast approximate string matching algorithm to detect anomalies. Our approach is generic in nature and allows fast adaptation to different types of traffic. We evaluate the approach on a large public dataset of DNS traffic covering 10 days, discovering more than an order of magnitude more DNS attacks than auto-regression as a baseline. Moreover, we compare against other common regressors, namely Linear Regression, Lasso, Random Forest and KNN, and in every case our approach proves superior.
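The abstract only states that the time series is turned into a string and that approximate string matching is run over it; it does not give the discretisation, the reference pattern or the thresholds. The following Python block is an added illustration of that general idea, not the paper's algorithm: it quantises a constructed per-minute query-count series into symbols (with a reserved symbol for values outside the training range, an assumption of this example), flags each test window whose edit distance to every equally long substring of the training string exceeds a limit, and runs an AR(1) residual detector as the kind of auto-regression baseline the abstract compares against. All data values, function names and thresholds are constructed for the example.

```python
"""String-based anomaly detection on a DNS query-rate series (added example).

Not the paper's algorithm: the discretisation, the reference pattern and the
thresholds below are assumptions chosen to illustrate the general idea.
"""
from __future__ import annotations

from statistics import mean

# Constructed data: per-minute query counts seen at a resolver. One clean
# period repeated six times serves as the training ("normal") series.
PERIOD = [20, 22, 25, 28, 30, 28, 25, 22]
TRAIN_COUNTS = PERIOD * 6
# Test series: two periods with a constructed query flood at minutes 8-11.
TEST_COUNTS = PERIOD + [300, 320, 310, 290] + PERIOD[4:]

SYMBOLS = "abcde"     # equal-width bins spanning the training range
OUT_OF_RANGE = "Z"    # reserved symbol for values the training data never reached


def to_string(values, lo, hi, symbols=SYMBOLS):
    """Map each count to one character; values outside [lo, hi] become OUT_OF_RANGE.

    Giving out-of-range values their own symbol is a design choice of this
    example: a flood far above the training maximum must not collapse into
    the same symbol as a normal daily peak.
    """
    k = len(symbols)
    width = max(hi - lo, 1e-9) / k
    out = []
    for v in values:
        if v < lo or v > hi:
            out.append(OUT_OF_RANGE)
        else:
            out.append(symbols[min(k - 1, int((v - lo) / width))])
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def window_distance(window: str, reference: str) -> int:
    """Approximate matching: smallest edit distance between the window and any
    equally long substring of the reference (training) string."""
    w = len(window)
    return min(levenshtein(window, reference[i:i + w])
               for i in range(len(reference) - w + 1))


def string_anomalies(train, test, w=8, max_distance=2):
    """Return (window_start, distance) for every test window of width w that
    does not approximately occur anywhere in the training string."""
    lo, hi = min(train), max(train)
    reference = to_string(train, lo, hi)
    probe = to_string(test, lo, hi)
    flagged = []
    for start in range(len(probe) - w + 1):
        d = window_distance(probe[start:start + w], reference)
        if d > max_distance:
            flagged.append((start, d))
    return flagged


def ar1_anomalies(train, test, sigmas=3.0):
    """Baseline: AR(1) model x_t = c + phi * x_{t-1} fitted by least squares on
    the training series; a test minute is flagged when its one-step-ahead
    residual exceeds `sigmas` training residual standard deviations."""
    x_prev, x_next = train[:-1], train[1:]
    mx, my = mean(x_prev), mean(x_next)
    sxx = sum((a - mx) ** 2 for a in x_prev)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x_prev, x_next))
    phi = sxy / sxx
    c = my - phi * mx
    resid = [b - (c + phi * a) for a, b in zip(x_prev, x_next)]
    sigma = (sum(r * r for r in resid) / len(resid)) ** 0.5
    threshold = sigmas * sigma
    # Predict test[t] from the preceding minute; minute 0 uses the last training value.
    history = [train[-1]] + list(test)
    return [t for t in range(len(test))
            if abs(test[t] - (c + phi * history[t])) > threshold]


if __name__ == "__main__":
    print("string windows flagged:", string_anomalies(TRAIN_COUNTS, TEST_COUNTS))
    print("AR(1) minutes flagged:", ar1_anomalies(TRAIN_COUNTS, TEST_COUNTS))
```

On the constructed data the flood minutes become `ZZZZ` in the probe string, so every window overlapping them is at least as far from the training string as the number of flood minutes it contains, and the windows that start at the flood boundary onward are flagged. The AR(1) baseline flags the four flood minutes but also the minute after the flood, because a model that predicts from the previous value sees the return to 30 queries as a large negative residual; this is one reason residual-based baselines produce alarms at both edges of an event while a pattern-matching detector scores each window by how much abnormal content it holds.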
© 2019 Springer Nature Switzerland AG
Cite this paper
Mateless, R., Segal, M. (2019). Approximate String Matching for DNS Anomaly Detection. In: Wang, G., Feng, J., Bhuiyan, M., Lu, R. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2019. Lecture Notes in Computer Science(), vol 11611. Springer, Cham. https://doi.org/10.1007/978-3-030-24907-6_37
DOI: https://doi.org/10.1007/978-3-030-24907-6_37
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24906-9
Online ISBN: 978-3-030-24907-6