• DocumentCode
    1782824
  • Title
    Detecting anomalies in DNS protocol traces via Passive Testing and Process Mining
  • Author
    Saint-Pierre, Cecilia ; Cifuentes, Francisco ; Bustos-Jimenez, Javier
  • Author_Institution
    Comput. Sci. Dept., Pontificia Univ. Catolica, Santiago, Chile
  • fYear
    2014
  • fDate
    29-31 Oct. 2014
  • Firstpage
    520
  • Lastpage
    521
  • Abstract
    In this article we present our first approach to using Passive Testing (used in protocol and software conformance checking) and Process Mining (used in enterprise workflow analysis) techniques for analyzing DNS operation traces. We propose a process approach for the DNS protocol, modeling it as a sequence of structured activities, queries and responses, that are executed by actors, in this case clients and servers, with the objective of exchanging some valuable information. As an example, we applied our techniques over the A Day in Internet Life DNS traces to show how easily a mail botnet attack can be discovered. We conclude that, with this first approach, these techniques have a promising future for analyzing DNS traces, and we plan to extend the testing to conformance against the formal definition of DNS presented in RFC 1035.
  • Keywords
    Internet; computer network security; conformance testing; data mining; protocols; DNS operation traces; DNS protocol; DNS traces; RFC 1035; anomaly detection; conformance testing; enterprise workflow analysis; formal definition; mail botnet attack; passive testing; process mining; software conformance checking; structured activity; Business; Data mining; Electronic mail; Internet; Protocols; Servers; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications and Network Security (CNS), 2014 IEEE Conference on
  • Conference_Location
    San Francisco, CA
  • Type
    conf
  • DOI
    10.1109/CNS.2014.6997534
  • Filename
    6997534