Detection of DNS Traffic Anomalies in Large Networks

Čermák, Milan; Čeleda, Pavel; Vykopal, Jan

doi:10.1007/978-3-319-13488-8_20

Cited by 4 publications

(4 citation statements)

References 10 publications

(12 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the approach, a destination can become trusted by transitivity, if its origin can be evaluated by another trusted entity. The main contribution of [16] was an algorithm that performs DNS trafc monitoring in large networks based on the extension of standard fows. The authors in [15] presented NEMEA, a modular framework for network trafc analysis at Layer 7 that uses the stream-wise concept, i. e. data is analysed continuously in the memory with minimal data storage required.…”

Section: Flow-based Analysismentioning

confidence: 99%

A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

Marques

Epiphaniou

Al-Khateeb

et al. 2021

ACM Trans. Internet Technol.

View full text Add to dashboard Cite

Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high demands not only for high speed and reliable communications but equally, the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by an operating system subverted. MADEX does not require prior knowledge of the characteristics or behavior of the malicious code or a dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm’s classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits real-time in an agnostic way using an artificial immune system approach while it satisfies strict latency requirements.

show abstract

Section: Flow-based Analysismentioning

confidence: 99%

A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

Marques

Epiphaniou

Al-Khateeb

et al. 2021

ACM Trans. Internet Technol.

View full text Add to dashboard Cite

show abstract

“…Yuchi et al [42] investigated DNS anomalies in the context of Heap's law stating that a corpus of text containing N words typically contains on the order of cNβ distinct words, for constant c and 0<β<1. Cermák et al [43] identified that only four DNS packet fields are useful for most of the DNS traffic analyzing methods: queried domain name, queried record type, response return code and response itself. They use the concept of standard flow and extended flow to detect DNS attacks on large networks.…”

Section: Dns Anomalies Identificationmentioning

confidence: 99%

THAAD: Efficient matching queries under temporal abstraction for anomaly detection

Mateless

Segal

Moskovitch

2021

Performance Evaluation

View full text Add to dashboard Cite

“…Yuchi et al [7] investigated DNS anomalies in the context of Heap's law stating that a corpus of text containing N words typically contains on the order of cN β distinct words, for constant c and 0<β<1. Cermák et al [8] identified that only four DNS packet fields are useful for most of the DNS traffic analzing methods: queried domain name, queried record type, response code and IP address returned. Yarochkin et al [9] presented an open source DNSPACKETLIZER tool to analyze DNS traffic in-real time.…”

Section: Related Workmentioning

confidence: 99%

Approximate String Matching for DNS Anomaly Detection

Mateless

Segal

2019

Security, Privacy, and Anonymity in Computation, Communication, and Storage

View full text Add to dashboard Cite

In this paper we propose a novel approach to identify anomalies in DNS traffic. The traffic time-points data is transformed to a string, which is used by new fast approximate string matching algorithm to detect anomalies. Our approach is generic in its nature and allows fast adaptation to different types of traffic. We evaluate the approach on a large public dataset of DNS traffic based on 10 days, discovering more than order of magnitude DNS attacks in comparison to auto-regression as a baseline. Moreover, the additional comparison has been made including other common regressors such as Linear Regression, Lasso, Random Forest and KNN, all of them showing the superiority of our approach.

show abstract

Detection of DNS Traffic Anomalies in Large Networks

Cited by 4 publications

References 10 publications

A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

THAAD: Efficient matching queries under temporal abstraction for anomaly detection

Approximate String Matching for DNS Anomaly Detection

Contact Info

Product

Resources

About