• DocumentCode
    3540568
  • Title
    Multi-dimensional aggregation for DNS monitoring
  • Author
    Dolberg, Lautaro ; Francois, Jerome ; Engel, Thomas
  • Author_Institution
    SnT (Interdiscipl. Centre for Security Reliability & Trust), Univ. of Luxembourg, Luxembourg, Luxembourg
  • fYear
    2013
  • fDate
    21-24 Oct. 2013
  • Firstpage
    390
  • Lastpage
    398
  • Abstract
    DNS is an essential Internet service: it translates human-readable domain names into IP addresses. DNS traffic reflects user activities and behaviour and is thus a helpful source of information for large-scale network monitoring. In particular, passive DNS monitoring has garnered much interest from a security perspective because it highlights the services that machines want to access. In this paper, we propose a new method for assessing the dynamics of the match between DNS names and IP subnetworks, using an efficient aggregation scheme combined with relevant steadiness metrics. The evaluation relies on real data collected over several months and is able to detect anomalies related to malicious domains.
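    The abstract describes aggregating passive-DNS observations across the name and address dimensions and scoring how steadily a name maps to IP subnetworks over time. The following is an added illustration of that idea, not the authors' code: it aggregates hostnames to their registered domain (last two labels) and IPv4 addresses to /24 prefixes, buckets observations into hourly windows, and uses the mean Jaccard similarity of consecutive windows' subnet sets as a steadiness score. The aggregation keys, the window size, the Jaccard-based metric and the 0.5 alert threshold are all assumptions chosen for this example; the paper defines its own scheme and metrics. The passive-DNS records are constructed sample data using documentation address ranges.

```python
"""Passive-DNS aggregation with a simple steadiness metric (added example).

Not the paper's implementation: the (registered domain, /24) aggregation keys,
the one-hour window and the Jaccard steadiness score are assumptions made here.
"""
from collections import defaultdict
import ipaddress

WINDOW_SECONDS = 3600  # assumption: one-hour observation windows

# Constructed sample of passive-DNS A-record observations: (epoch_seconds, qname, ip).
# "example.com" is steady, "example.net" behaves like a two-prefix CDN pool,
# "flux.test" hops to a different /24 in every window.
SAMPLE_RECORDS = [
    (0, "www.example.com", "93.184.216.34"),
    (3600, "mail.example.com", "93.184.216.34"),
    (7200, "www.example.com", "93.184.216.35"),
    (10800, "www.example.com", "93.184.216.34"),
    (10, "a.flux.test", "192.0.2.10"),
    (3610, "a.flux.test", "198.51.100.20"),
    (7210, "b.flux.test", "203.0.113.30"),
    (10810, "a.flux.test", "192.0.2.11"),
    (20, "static.example.net", "198.51.100.5"),
    (25, "static.example.net", "203.0.113.5"),
    (3620, "img.example.net", "198.51.100.6"),
    (3625, "img.example.net", "203.0.113.6"),
    (7220, "static.example.net", "198.51.100.7"),
    (10820, "static.example.net", "198.51.100.8"),
    (10825, "static.example.net", "203.0.113.8"),
]


def domain_key(qname, labels=2):
    """Aggregate a hostname to its last `labels` labels ('www.example.com' -> 'example.com')."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def subnet_key(ip, prefix=24):
    """Aggregate an IPv4 address to its /prefix network, e.g. '93.184.216.34' -> '93.184.216.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def aggregate(records, window=WINDOW_SECONDS):
    """Return {domain: {window_index: set(subnets)}} for the given (ts, qname, ip) records."""
    agg = defaultdict(lambda: defaultdict(set))
    for ts, qname, ip in records:
        agg[domain_key(qname)][ts // window].add(subnet_key(ip))
    return agg


def steadiness(window_sets):
    """Mean Jaccard similarity of subnet sets in consecutive windows; 1.0 = never changes."""
    keys = sorted(window_sets)
    if len(keys) < 2:
        return 1.0  # a single window gives no evidence of change
    sims = []
    for a, b in zip(keys, keys[1:]):
        sa, sb = window_sets[a], window_sets[b]
        sims.append(len(sa & sb) / len(sa | sb))
    return sum(sims) / len(sims)


def flag_unsteady(records, threshold=0.5, window=WINDOW_SECONDS):
    """Return {domain: score} for domains whose steadiness falls below the threshold."""
    agg = aggregate(records, window)
    scores = {d: steadiness(w) for d, w in agg.items()}
    return {d: round(s, 3) for d, s in scores.items() if s < threshold}


if __name__ == "__main__":
    for domain, windows in aggregate(SAMPLE_RECORDS).items():
        print(f"{domain:14s} steadiness={steadiness(windows):.3f}")
    print("flagged:", flag_unsteady(SAMPLE_RECORDS))
```

    Two things the score does not capture on its own: aggregating to /24 hides movement inside a single provider's range, and a legitimate CDN rotating across many prefixes can look as unsteady as a fast-flux domain, so in practice the steadiness score is one feature to combine with query volume, domain age and the number of distinct aggregated subnets rather than a verdict by itself.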
  • Keywords
    IP networks; Internet; computer network security; telecommunication traffic; DNS traffic; IP addresses; IP subnetworks; Internet; anomaly detection; domain name system; human language translation; large scale network monitoring; multidimensional aggregation; passive DNS monitoring; steadiness metrics; user activities; user behaviors; Conferences; Equations; IP networks; Mathematical model; Measurement; Monitoring; Servers; Aggregation; DNS; Malicious domains; Monitoring; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Local Computer Networks (LCN), 2013 IEEE 38th Conference on
  • Conference_Location
    Sydney, NSW
  • ISSN
    0742-1303
  • Print_ISBN
    978-1-4799-0536-2
  • Type
    conf
  • DOI
    10.1109/LCN.2013.6761271
  • Filename
    6761271