A new statistical approach to DNS traffic anomaly detection

Authors:
Xuebiao Yuchi;Xin Wang;Xiaodong Lee;Baoping Yan
Affiliations:
China Internet Network Information Center, Computer Network Information Center, Chinese Academy of Sciences, Beijing, China and Graduate University of Chinese Academy of Sciences, Beijing, China;China Internet Network Information Center, Computer Network Information Center, Chinese Academy of Sciences, Beijing, China;China Internet Network Information Center, Computer Network Information Center, Chinese Academy of Sciences, Beijing, China;China Internet Network Information Center, Computer Network Information Center, Chinese Academy of Sciences, Beijing, China
Venue:
ADMA'10 Proceedings of the 6th international conference on Advanced data mining and applications - Volume Part II
Year:
2010

Citing 11
Cited 0

Information Retrieval: Computational and Theoretical Aspects

Information Retrieval: Computational and Theoretical Aspects
Modeling web data

Proceedings of the 2nd ACM/IEEE-CS joint conference on Digital libraries
DNS performance and the effectiveness of caching

IEEE/ACM Transactions on Networking (TON)
A formal derivation of Heaps' Law

Information Sciences—Informatics and Computer Science: An International Journal
Inferring Internet denial-of-service activity

ACM Transactions on Computer Systems (TOCS)
Context-aware clustering of DNS query traffic

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Bayesian bot detection based on DNS traffic similarity

Proceedings of the 2009 ACM symposium on Applied Computing
Similarity Search over DNS Query Streams for Email Worm Detection

AINA '09 Proceedings of the 2009 International Conference on Advanced Information Networking and Applications
Measuring Internet Growth from DNS Observations

FITME '09 Proceedings of the 2009 Second International Conference on Future Information Technology and Management Engineering
DNS measurements at the .CN TLD servers

FSKD'09 Proceedings of the 6th international conference on Fuzzy systems and knowledge discovery - Volume 7
Tracking anomalous behaviors of name servers by mining DNS traffic

ISPA'06 Proceedings of the 2006 international conference on Frontiers of High Performance Computing and Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we describe a new statistical approach to detect traffic anomalies in the Domain Name System (DNS). By analyzing real-world DNS traffic data collected at some large DNS servers both authoritative and local, we find that normally the DNS traffic follows Heap's law in dual ways. Then we utilize these findings to characterize DNS traffic properties under normal network conditions. Based on these properties, we make estimations for the traffic of forthcoming. If the forthcoming traffic actually varies a lot with our estimations, then we can infer that some anomaly happens. Our approach is simple enough and can work in real-time. Experiments on both real and simulated DNS traffic anomalies show that our approach can detect most of the common anomalies in DNS traffic effectively.