Multi-dimensional aggregation for DNS monitoring

Open Access

Abstract

DNS is an essential service in the Internet as it allows to translate human language based domain names into IP addresses. DNS traffic reflects the user activities and behaviors. It is thus a helpful source of information in the context of large scale network monitoring. In particular, passive DNS monitoring garnered much interest for the security perspectives by highlighting the services the machines want to access. In this paper, we propose a new method for assessing the dynamics of the match between DNS names and IP subnetworks using an efficient aggregating scheme combined with relevant steadiness metrics. The evaluation relies on real data collected over several months and is able to detect anomalies related to malicious domains.

Keywords

This publication has 21 references indexed in Scilit:

Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis
IEEE Transactions on Dependable and Secure Computing, 2012
DNSSM: A large scale passive DNS security monitoring framework
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2012
Assessing the Real-World Dynamics of DNS
Lecture Notes in Computer Science, 2012
PhishDef: URL names say it all
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2011
Anomaly Detection in Network Traffic Based on Statistical Inference and \alpha-Stable Modeling
IEEE Transactions on Dependable and Secure Computing, 2011
PhishNet: Predictive Blacklisting to Detect Phishing Attacks
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2010
FluXOR: Detecting and Monitoring Fast-Flux Service Networks
Lecture Notes in Computer Science, 2009
Context-aware clustering of DNS query traffic
Published by Association for Computing Machinery (ACM) ,2008
Advanced Network Fingerprinting
Lecture Notes in Computer Science, 2008
Passive Monitoring of DNS Anomalies
Lecture Notes in Computer Science, 2007

Cited by 2 articles