Detection of DNS Traffic Anomalies in Large Networks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 8846)

Abstract

Almost every Internet communication is preceded by the translation of a DNS name to an IP address. Therefore, monitoring DNS traffic can effectively extend the capabilities of current methods for network traffic anomaly detection. To monitor this traffic efficiently, we propose a new flow metering algorithm that saves resources of the flow exporter. Next, to show the benefits of DNS traffic monitoring for anomaly detection, we introduce novel detection methods that use DNS-extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.



Acknowledgments

This material is based upon work supported by the Cybernetic Proving Ground project (VG20132015103) funded by the Ministry of the Interior of the Czech Republic.


Corresponding author

Correspondence to Milan Čermák.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Čermák, M., Čeleda, P., Vykopal, J. (2014). Detection of DNS Traffic Anomalies in Large Networks. In: Kermarrec, Y. (ed.) Advances in Communication Networking. EUNICE 2014. Lecture Notes in Computer Science, vol 8846. Springer, Cham. https://doi.org/10.1007/978-3-319-13488-8_20

  • DOI: https://doi.org/10.1007/978-3-319-13488-8_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13487-1

  • Online ISBN: 978-3-319-13488-8
