DocumentCode :
3669270
Title :
Kalman filter based DNS cache poisoning attack detection
Author :
Hao Wu;Xianglei Dang;Liang Zhang;Lidong Wang
Author_Institution :
CNCERT/CC, China
fYear :
2015
Firstpage :
1594
Lastpage :
1600
Abstract :
Detection of Domain Name System cache poisoning attacks is investigated. To detect a cache poisoning attack, we exploit the fact that, while an attack is happening, the entropies of the query packet IP addresses of the cache server decrease. We focus on the detection method for the case in which the entropy sequence has nonstationary dynamics under normal conditions. To handle the nonstationarity, we first model the entropy sequence by a state space equation and then use a Kalman filter to implement the attack detection. The problem is discussed for single and distributed cache poisoning attacks, respectively. For the single attack, we use the measurement errors to detect the anomaly. Under a distributed attack, we use the variation in the correlation of the prediction errors to detect the attack event and identify the attacked cache servers. An experiment is presented to verify the effectiveness of the proposed method.
Keywords :
"Servers","Entropy","IP networks","Correlation","Kalman filters","Mathematical model"
Publisher :
IEEE
Conference_Titel :
Automation Science and Engineering (CASE), 2015 IEEE International Conference on
ISSN :
2161-8070
Electronic_ISBN :
2161-8089
Type :
conf
DOI :
10.1109/CoASE.2015.7294328
Filename :
7294328