A DNS Query Anomaly Detection Algorithm Based on Log Information

doi:10.13190/j.jbupt.2018-007

JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM ›› 2018, Vol. 41 ›› Issue (6): 83-89.doi: 10.13190/j.jbupt.2018-007

• Reports • Previous Articles Next Articles

A DNS Query Anomaly Detection Algorithm Based on Log Information

JI Xing¹, HUANG Tao¹, E Xin-hua², SUN Li¹

1. School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China;
2. Beijing Advanced Innovation Center for Future Internet Technology, Beijing University of Technology, Beijing 100124, China

Received:2018-01-09 Online:2018-12-28 Published:2018-12-24

Abstract

Abstract: Point at the anomaly queries existing in domain name system (DNS), an anomaly detection algorithm based on DNS query logs is proposed to detect suspicious and abnormal internet protocol addresses (IP). First, multiple dimensions of information in the DNS logs are extracted to characterize the source IPs after analyzing the difference between normal DNS query behaviors and the abnormal ones. Secondly, the datasets are mapped to a three-dimensional space through dimensionality reduction, which is beneficial for intuitive visualization and rapid data analysis. Finally, clustering the source IPs and calculating the credibility of them to identify the abnormal ones. The experiment results show that this algorithm can not only observe the correlation characteristics of multi-dimensional datasets directly, but also identify the abnormal source IPs in the global and local aspects.

Key words: domain name system query, dimensionality reduction, cluster analysis, anomaly detection

CLC Number:

TN915.02

JI Xing, HUANG Tao, E Xin-hua, SUN Li. A DNS Query Anomaly Detection Algorithm Based on Log Information[J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2018, 41(6): 83-89.

References

[1] Jung J Y, Sit E, Balakrishnan H, et al. DNS performance and the effectiveness of caching[J]. IEEE/ACM Transactions on Networking, 2002, 10(5):589-603.
[2] Shan Guihua, Wang Yang, Xie Maojin, et al. Visual detection of anomalies in DNS query log data[C]//IEEE Pacific Visualization Symposium. New York:IEEE Press, 2014:258-261.
[3] 林成虎, 李晓东, 金键, 等. 基于W-Kmeans算法的DNS流量异常检测[J]. 计算机工程与设计, 2013, 34(6):2104-2108. Lin Chenghu, Li Xiaodong, Jin Jian, et al. DNS traffic anomaly detection based on W-Kmeans algorithm[J]. Computer Engineering and Design, 2013, 34(6):2104-2108.
[4] 王靖云, 史建焘, 张兆心, 等. 基于相对密度的DNS请求数据流源IP异常检测算法[J]. 高技术通讯, 2016, 26(10-11):849-856. Wang Jingyun, Shi Jiantao, Zhang Zhaoxin, et al. An algorithm for detection of source IP anomalies in DNS query based on relative density[J]. High Technology Letters, 2016, 26(10-11):849-856.
[5] 马云龙, 姜彩萍, 张千里, 等. 基于IPFIX的DNS异常行为检测方法[J]. 通信学报, 2014, 35(增刊1):5-9. Ma Yunlong, Jiang Caiping, Zhang Qianli, et al. DNS abnormal behavior detection based on IPFIX[J]. Journal on Communications, 2014, 35(Sup1):5-9.
[6] 周昌令, 栾兴龙, 肖建国. 基于深度学习的域名查询行为向量空间嵌入[J]. 通信学报, 2016, 37(3):165-174. Zhou Changling, Luan Xinglong, Xiao Jianguo. Vector space embedding of DNS query behaviors by deep learning[J]. Journal on Communications, 2016, 37(3):165-174.
[7] Schölkopf B, Smola A J, Müller K R. Kernel principal component analysis[C]//7^th International Conference on Artificial Neural Networks (ICANN). Berlin:Springer, 1997:583-588.
[8] Davies D L, Bouldin D W. A cluster separation measure[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 1979, 1(2):224-227.
[9] Jenssen R. Kernel entropy component analysis[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2010, 32(5):847-860.

A DNS Query Anomaly Detection Algorithm Based on Log Information

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 9

Recommended Articles

Metrics

Comments

[1]	HUO Wei-gang, WANG Xing, LIANG Rui. An Anomaly Detection Method Combining Mutual Information Estimation with Adversarial Autoencoder [J]. Journal of Beijing University of Posts and Telecommunications, 2021, 44(5): 28-34.
[2]	QUI Xue-song, ZHANG Xun, SONG Yan-bin, ZHAO Bing, XU Si-ya. Two-Stage Traffic Anomaly Detection Method Based on Entropy and Linear Relation [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2018, 41(4): 56-62.
[3]	YING Fei-hao, XING Ning-zhe, JI Yu-tong, JI Chen-chen, LI Wen-jing. KTLAD Based Traffic Anomaly Detection Algorithm of Electric Power Data Network [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2017, 40(s1): 108-111.
[4]	ZENG Xing-dong, LIN Rong-heng, ZOU Hua, ZHANG Yong. An BIC Selection Method for Distribution Network Fault Data Feature Dimension Reduction [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2017, 40(3): 104-109.
[5]	ZHANG Le-jun, GUO Lin, ZHANG Jian-pei, YANG Jing, XIA Lei. Anomaly Detection for Distributed System Based on Measurement Attributes Analysis [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2013, 36(6): 69-73.
[6]	. A Dynamic Compuation Approach to Determining the  Threshold in Network Anomaly Detection [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2011, 34(2): 45-49.
[7]	QIU Xue-song;CHEN Jian;GUO Hai-sheng;GAO Zhi-peng. Anomaly Traffic Integrated Detection Model for Enterprise IT Network [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2009, 32(6): 28-31.
[8]	LV Shuwang1，LIU Heng1，SHEN Chang xiang. Traffic Periodic Analysis and Anomaly Detection on TCP/IP Backbone Network [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2005, 28(6): 1-4.
[9]	XIAN Jiqing1,LANG Fenghua2. Anomaly Detection Method Based on CSABased Unsupervised Fuzzy Clustering Algorithm [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2005, 28(4): 103-106.