Abstract
In this paper, we describe a new statistical approach to detect traffic anomalies in the Domain Name System (DNS). By analyzing real-world DNS traffic data collected at some large DNS servers both authoritative and local, we find that normally the DNS traffic follows Heap’s law in dual ways. Then we utilize these findings to characterize DNS traffic properties under normal network conditions. Based on these properties, we make estimations for the traffic of forthcoming. If the forthcoming traffic actually varies a lot with our estimations, then we can infer that some anomaly happens. Our approach is simple enough and can work in real-time. Experiments on both real and simulated DNS traffic anomalies show that our approach can detect most of the common anomalies in DNS traffic effectively.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Mockapetris, P.: Domain Names: Implementation and Specification. Internet Request for Comments 1035 (1987)
Wang, Y., Hu, M., Li, B., Yan, B.: Tracking Anomalous Behaviors of Name Servers by Mining DNS Traffic. In: Min, G., Di Martino, B., Yang, L.T., Guo, M., Rünger, G. (eds.) ISPA Workshops 2006. LNCS, vol. 4331, pp. 351–357. Springer, Heidelberg (2006)
Plonka, D., Barford, P.: Context-aware Clustering of DNS Query Traffic. In: 8th ACM SIGCOMM Internet Measurement Conference, pp. 217–230. ACM, New York (2008)
Villamarín-Salomón, R., Carlos Brustoloni, J.: Bayesian Bot Detection Based on DNS Traffic Similarity. In: 2009 ACM Symposium on Applied Computing, pp. 2035–2041. ACM, New York (2009)
Chatzis, N., Brownlee, N.: Similarity Search over DNS Query Streams for Email Worm Detection. In: 2009 International Conference on Advanced Information Networking and Applications, pp. 588–595. IEEE Computer Society, Washington (2009)
Jung, J., Sit, E., Balakrishnan, H., Morris, R.: DNS Performance and the Effectiveness of Caching. IEEE/ACM Transactions on Networking 10(5), 589–603 (2002)
Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems 24(2), 115–139 (2006)
Heaps, H.S.: Information Retrieval: Computational and Theoretical Aspects. Academic Press, New York (1978)
Araújo, M., Navarro, G., Ziviani, N.: Large Text Searching Allowing Errors. In: 4th South American Workshop on String Processing. International Informatics Series, pp. 2–20. Carleton University Press, Ottawa (1997)
Baldi, P., Frasconi, P., Smyth, P.: Modeling the Internet and the Web: Probabilistic Methods and Algorithms. John Wiley & Sons, Chichester (2003)
CNNIC, http://www.cnnic.cn
CSTNET, http://www.cstnet.cn
Yuchi, X., Wang, X., Lee, X., Yan, B.: DNS Measurements at the. CN TLD Servers. In: 6th International Conference on Fuzzy Systems and Knowledge Discovery, vol. 7, pp. 540–545. IEEE Press, Piscataway (2009)
Yuchi, X., Lee, X., Jin, J., Yan, B.: Measuring Internet Growth from DNS Observations. In: 2nd Future Information Technology and Management Engineering, pp. 420–423. IEEE Press, Piscataway (2009)
Zipf, G.: Selected Studies of the Principle of Relative Frequency in Language. Harvard University Press, Cambridge (1932)
Leijenhorst, D.C., Weide, T.P.: A Formal Derivation of Heaps’ Law. Information Sciences 170, 263–272 (2005)
French, J.C.: Modeling Web Data. In: 2nd ACM/IEEE-CS Joint Conference on Digital Libraries, pp. 320–321. ACM, New York (2002)
DNSPod Website, https://www.dnspod.com
DNS-OARC Presentation, https://www.dns-oarc.net/files/workshop-200911/Ziqian_Liu.pdf
queryperf, http://www.freebsdsoftware.org/dns/queryperf.html
ISC BIND, http://www.isc.org/software/bind
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yuchi, X., Wang, X., Lee, X., Yan, B. (2010). A New Statistical Approach to DNS Traffic Anomaly Detection. In: Cao, L., Zhong, J., Feng, Y. (eds) Advanced Data Mining and Applications. ADMA 2010. Lecture Notes in Computer Science(), vol 6441. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17313-4_30
Download citation
DOI: https://doi.org/10.1007/978-3-642-17313-4_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17312-7
Online ISBN: 978-3-642-17313-4
eBook Packages: Computer ScienceComputer Science (R0)