• DocumentCode
    2264903
  • Title
    DNSSM: A large scale passive DNS security monitoring framework
  • Author
    Marchal, Samuel ; François, Jérome ; Wagner, Cynthia ; State, Radu ; Dulaunoy, Alexandre ; Engel, Thomas ; Festor, Olivier
  • Author_Institution
    SnT, Univ. of Luxembourg, Luxembourg, Luxembourg
  • fYear
    2012
  • fDate
    16-20 April 2012
  • Firstpage
    988
  • Lastpage
    993
  • Abstract
    We present a monitoring approach and the supporting software architecture for passive DNS traffic. Monitoring DNS traffic can reveal essential network- and system-level activity profiles. Worm-infected and botnet-participating hosts can be identified, and malicious backdoor communications can be detected. Any passive DNS monitoring solution needs to address several challenges, ranging from architectural approaches for dealing with large volumes of data to specific data mining approaches for this purpose. We describe a framework that leverages state-of-the-art distributed processing facilities together with clustering techniques in order to detect anomalies in both online and offline DNS traffic. This framework, entitled DNSSM, is implemented and operational on several networks. We validate the framework against two large trace sets.
  • Keywords
    Internet; computer network security; computerised monitoring; data mining; invasive software; pattern clustering; software architecture; Botnet participating hosts; DNS traffic monitoring; DNSSM; anomalies detection; clustering techniques; data mining approaches; distributed processing facilities; large scale passive DNS security monitoring framework; participating hosts; passive DNS traffic; software architecture; system level activity profiles; Data mining; Entropy; IP networks; Indexes; Internet; Monitoring; Servers;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Operations and Management Symposium (NOMS), 2012 IEEE
  • Conference_Location
    Maui, HI
  • ISSN
    1542-1201
  • Print_ISBN
    978-1-4673-0267-8
  • Electronic_ISBN
    1542-1201
  • Type
    conf
  • DOI
    10.1109/NOMS.2012.6212019
  • Filename
    6212019