Introduction to algorithms
TCP/IP illustrated (vol. 1): the protocols
TCP/IP illustrated (vol. 1): the protocols
DNS performance and the effectiveness of caching
IEEE/ACM Transactions on Networking (TON)
New directions in traffic measurement and accounting
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Diversity in DNS performance measures
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Aguri: An Aggregation-Based Traffic Profiler
COST 263 Proceedings of the Second International Workshop on Quality of Future Internet Services
Automatically inferring patterns of resource consumption in network traffic
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
An analysis of Internet chat systems
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Is your caching resolver polluting the internet?
Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality
Transport layer identification of P2P traffic
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Learning-based anomaly detection in BGP updates
Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Traffic classification using clustering algorithms
Proceedings of the 2006 SIGCOMM workshop on Mining network data
Proceedings of the 3rd international workshop on Visualization for computer security
Zero Configuration Networking: The Definitive Guide
Zero Configuration Networking: The Definitive Guide
Revealing botnet membership using DNSBL counter-intelligence
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
An architecture for generating semantics-aware signatures
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis
Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Building a dynamic reputation system for DNS
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
A new statistical approach to DNS traffic anomaly detection
ADMA'10 Proceedings of the 6th international conference on Advanced data mining and applications - Volume Part II
Measuring pay-per-install: the commoditization of malware distribution
SEC'11 Proceedings of the 20th USENIX conference on Security
IFIP'12 Proceedings of the 11th international IFIP TC 6 conference on Networking - Volume Part I
AIMS'12 Proceedings of the 6th IFIP WG 6.6 international autonomous infrastructure, management, and security conference on Dependable Networks and Services
DNS to the rescue: discerning content and services in a tangled web
Proceedings of the 2012 ACM conference on Internet measurement conference
Efficient multidimensional aggregation for large scale monitoring
lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Towards classification of DNS erroneous queries
Proceedings of the 9th Asian Internet Engineering Conference
| Hi-index | 0.00 |
The Domain Name System (DNS) is a one of the most widely used services in the Internet. In this paper, we consider the question of how DNS traffic monitoring can provide an important and useful perspective on network traffic in an enterprise. We approach this problem by considering three classes of DNS traffic: canonical (i.e., RFC-intended behaviors), overloaded (e.g.,black-list services), and unwanted (i.e., queries that will never succeed). We describe a context-aware clustering methodology that is applied to DNS query-responses to generate the desired aggregates. Our method enables the analysis to be scaled to expose the desired level of detail of each traffic type, and to expose their time varying characteristics. We implement our method in a tool we call TreeTop, which can be used to analyze and visualize DNS traffic in real-time. We demonstrate the capabilities of our methodology and the utility of TreeTop using a set of DNS traces that we collected from our campus network over a period of three months. Our evaluation highlights both the coarse and fine level of detail that can be revealed by our method. Finally, we show preliminary results on how DNS analysis can be coupled with general network traffic monitoring to provide a useful perspective for network management and operations.