A fast and scalable method for threat detection in large-scale DNS logs

Begleiter, Ron; Elovici, Yuval; Hollander, Yona; Mendelson, Ori; Rokach, Lior; Saltzman, Roi

doi:10.1109/bigdata.2013.6691646

Cited by 10 publications

(3 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Begleiter et al presented a fast and scalable method for detecting threats in large-scale DNS logs [22]. With their method, a language model algorithm learns normal domain-names from a large dataset to rate the extent of domain-name abnormality within a big data stream of DNS queries in the organization.…”

Section: Existing Apt Detection Methodsmentioning

confidence: 99%

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

Yan

Guo

et al. 2020

Sensors

View full text Add to dashboard Cite

As sensors become more prevalent in our lives, security issues have become a major concern. In the Advanced Persistent Threat (APT) attack, the sensor has also become an important role as a transmission medium. As a relatively weak link in the network transmission process, sensor networks often become the target of attackers. Due to the characteristics of low traffic, long attack time, diverse attack methods, and real-time evolution, existing detection methods have not been able to detect them comprehensively. Current research suggests that a suspicious domain name can be obtained by analyzing the domain name resolution (DNS) request to the target network in an APT attack. In past work based on DNS log analyses, most of the work would simply calculate the characteristics of the request message or the characteristics of the response message or the feature set of the request message plus the response message, and the relationship between the response message and the request message was not considered. This may leave out the detection of some APT attacks in which the DNS resolution process is incomplete. This paper proposes a new feature that represents the relationship between a DNS request and the response message, based on a deep learning method used to analyze the DNS request records. The algorithm performs threat assessment on the DNS behavior to be detected based on the calculated suspicious value. This paper uses the data of 4, 907, 147, 146 DNS request records (376, 605, 606 records after DNS Data Pre-processing) collected in a large campus network and uses simulation attack data to verify the validity and correctness of the system. The results of the experiments show that our method achieves an average accuracy of 97.6% in detecting suspicious DNS behavior, with the orange false positive (FP) at 2.3% and the recall at 96.8%. The proposed system can effectively detect the hidden and suspicious DNS behavior in APT.

show abstract

Section: Existing Apt Detection Methodsmentioning

confidence: 99%

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

Yan

Guo

et al. 2020

Sensors

View full text Add to dashboard Cite

show abstract

“…Variable order Markov models and their usage have been extensively explored, e.g., for prediction tasks [15,26,27], time series classification [28,29], clustering [30,31], anomaly detection [10,32], and modeling DNA sequences [11,33]. Two works were found that incorporated variable order models and information or entropy.…”

Section: Related Workmentioning

confidence: 99%

Context Based Predictive Information

Shalev¹,

Ben‐Gal²

2019

Entropy

View full text Add to dashboard Cite

We propose a new algorithm called the context-based predictive information (CBPI) for estimating the predictive information (PI) between time series, by utilizing a lossy compression algorithm. The advantage of this approach over existing methods resides in the case of sparse predictive information (SPI) conditions, where the ratio between the number of informative sequences to uninformative sequences is small. It is shown that the CBPI achieves a better PI estimation than benchmark methods by ignoring uninformative sequences while improving explainability by identifying the informative sequences. We also provide an implementation of the CBPI algorithm on a real dataset of large banks’ stock prices in the U.S. In the last part of this paper, we show how the CBPI algorithm is related to the well-known information bottleneck in its deterministic version.

show abstract

“…A query logging on DNS servers represents the simplest way how to monitor DNS traffic without additional monitoring infrastructure. The analysis of server logs was presented in [2,19] including the optimization of this process for a large amount of logs. The main disadvantage of this approach is its inability to monitor traffic that does not pass through the monitored servers.…”

Section: Related Workmentioning

confidence: 99%

Detection of DNS Traffic Anomalies in Large Networks

Čermák

Čeleda

Vykopal

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore monitoring of DNS traffic can effectively extend capabilities of current methods for network traffic anomaly detection. In order to effectively monitor this traffic, we propose a new flow metering algorithm that saves resources of a flow exporter. Next, to show benefits of the DNS traffic monitoring for anomaly detection, we introduce novel detection methods using DNS extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.

show abstract

A fast and scalable method for threat detection in large-scale DNS logs

Cited by 10 publications

References 9 publications

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

Context Based Predictive Information

Detection of DNS Traffic Anomalies in Large Networks

Contact Info

Product

Resources

About