Anomaly Detection for DNS Servers Using Frequent Host Selection

Author

Yamada, Akira ; Miyake, Yutaka ; Terabe, Masahiro ; Hashimoto, Kazuo ; Kato, Nei

Author_Institution

Network Security Lab., KDDI R&D Labs. Inc., Saitama

fYear

2009

fDate

26-29 May 2009

Firstpage

853

Lastpage

860

Abstract

DNS is one of the internet´s fundamental building blocks, used by various applications such as web and mail transfer. Therefore, monitoring DNS traffic has potential to detect host anomalies such as spammers and infected hosts in a network. However, previous works assume a small number of hosts or target on domain name anomalies, so that they cannot be applied to a large-scale networks due to performance issues. A large number of hosts and long-term tracing consume computational resources and make real-time analysis difficult. In this paper, we propose anomaly detection for DNS servers using frequent host selection, which selects only potential hosts and does not depend on the number of hosts. We evaluate the proposed system using DNS traffic for 6 months of tracing, and show that the system can feasibly handle hosts in the dataset and detect anomalies, such as mail servers suffering from spam and DNS servers are configured incorrectly.

Keywords

IP networks; Internet; telecommunication security; telecommunication traffic; DNS traffic; Internet; anomaly detection; domain name system; frequent host selection; large-scale networks; Electronic mail; Internet; Large-scale systems; Monitoring; Network servers; Postal services; Telecommunication traffic; Web server;

fLanguage

English

Publisher

ieee

Conference_Titel

Advanced Information Networking and Applications, 2009. AINA '09. International Conference on

Conference_Location

Bradford

ISSN

1550-445X

Print_ISBN

978-1-4244-4000-9

Electronic_ISBN

1550-445X

Type

conf

DOI

10.1109/AINA.2009.93

Filename

5076288