
A New Statistical Approach to DNS Traffic Anomaly Detection

  • Conference paper
Advanced Data Mining and Applications (ADMA 2010)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 6441)

Abstract

In this paper, we describe a new statistical approach to detecting traffic anomalies in the Domain Name System (DNS). By analyzing real-world DNS traffic data collected at some large DNS servers, both authoritative and local, we find that under normal conditions DNS traffic follows Heaps' law in two ways. We then use these findings to characterize the properties of DNS traffic under normal network conditions, and based on these properties we estimate the forthcoming traffic. If the actual forthcoming traffic deviates substantially from our estimate, we infer that an anomaly is occurring. Our approach is simple and can work in real time. Experiments on both real and simulated DNS traffic anomalies show that it detects most of the common anomalies in DNS traffic effectively.
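As an added illustration (not code from the paper), the following Python sketch applies the abstract's idea: fit Heaps' law V = K·N^β on a baseline of DNS queries, predict the distinct-name and distinct-source counts the stream should hold after the next window, and flag a large deviation. It assumes the "two ways" are distinct query names and distinct source addresses; the traffic, the 25% tolerance, and all function names are constructed assumptions.

```python
import math

def build_stream(start, length, unique_names=False):
    """Constructed (source_ip, qname) pairs, not real traffic: the i-th query
    maps to name index floor((i+1)^0.6) and source index floor((i+1)^0.5), so
    distinct counts grow as n^0.6 and n^0.5, i.e. they follow Heaps' law.
    unique_names=True makes every query carry a never-seen name instead."""
    out = []
    for i in range(start, start + length):
        src = f"10.0.0.{int((i + 1) ** 0.5)}"
        qname = f"u{i}.example" if unique_names else f"h{int((i + 1) ** 0.6)}.example"
        out.append((src, qname))
    return out

def heaps_fit(points):
    """Least-squares fit of log V = log K + beta * log N over (N, V) checkpoints."""
    xs = [math.log(n) for n, _ in points]
    ys = [math.log(v) for _, v in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    beta = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return math.exp(my - beta * mx), beta          # (K, beta)

def checkpoints(queries, step):
    """Cumulative (queries seen, distinct names, distinct sources) every `step` queries."""
    names, sources, out = set(), set(), []
    for i, (src, qname) in enumerate(queries, 1):
        names.add(qname)
        sources.add(src)
        if i % step == 0:
            out.append((i, len(names), len(sources)))
    return out

def detect(baseline, window, step=200, tol=0.25):
    """Fit Heaps' law on the baseline for names and for sources, predict how many
    distinct values the stream should hold once `window` is appended, and flag
    an anomaly when either observed count deviates by more than `tol` (relative).
    `tol` is an assumed threshold; the paper's exact decision rule is not on the page."""
    base = checkpoints(baseline, step)
    k_n, b_n = heaps_fit([(n, v) for n, v, _ in base])
    k_s, b_s = heaps_fit([(n, s) for n, _, s in base])
    total = len(baseline) + len(window)
    seen_names = {q for _, q in baseline} | {q for _, q in window}
    seen_srcs = {s for s, _ in baseline} | {s for s, _ in window}
    pred_n, pred_s = k_n * total ** b_n, k_s * total ** b_s
    dev_n = abs(len(seen_names) - pred_n) / pred_n
    dev_s = abs(len(seen_srcs) - pred_s) / pred_s
    return {"beta_names": b_n, "beta_sources": b_s,
            "dev_names": dev_n, "dev_sources": dev_s,
            "anomaly": dev_n > tol or dev_s > tol}
```

A window that continues the baseline's growth passes, while a window in which every query carries a new name inflates the distinct-name count far beyond the Heaps' prediction and is flagged, with the source-address dimension staying within tolerance.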




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yuchi, X., Wang, X., Lee, X., Yan, B. (2010). A New Statistical Approach to DNS Traffic Anomaly Detection. In: Cao, L., Zhong, J., Feng, Y. (eds) Advanced Data Mining and Applications. ADMA 2010. Lecture Notes in Computer Science(), vol 6441. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17313-4_30


  • DOI: https://doi.org/10.1007/978-3-642-17313-4_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17312-7

  • Online ISBN: 978-3-642-17313-4

  • eBook Packages: Computer Science (R0)
