Anomaly detection for DNS servers using frequent host selection

Akira Yamada; Yutaka Miyake; Masahiro Terabe; Kazuo Hashimoto; Nei Kato

doi:10.1109/AINA.2009.93

Anomaly detection for DNS servers using frequent host selection

Akira Yamada^*, Yutaka Miyake, Masahiro Terabe, Kazuo Hashimoto, Nei Kato

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

DNS is one of the internet's fundamental building blocks, used by various applications such as web and mail transfer. Therefore, monitoring DNS traffic has potential to detect host anomalies such as spammers and infected hosts in a network. However, previous works assume a small number of hosts or target on domain name anomalies, so that they cannot be applied to a large-scale networks due to performance issues. A large number of hosts and long-term tracing consume computational resources and make realtime analysis difficult. In this paper, we propose anomaly detection for DNS servers using frequent host selection, which selects only potential hosts and does not depend on the number of hosts. We evaluate the proposed system using DNS traffic for 6 months of tracing, and show that the system can feasibly handle hosts in the dataset and detect anomalies, such as mail servers suffering from spam and DNS servers are configured incorrectly.

Original language	English
Title of host publication	Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009
Pages	853-860
Number of pages	8
DOIs	https://doi.org/10.1109/AINA.2009.93
Publication status	Published - 2009 Oct 5
Externally published	Yes
Event	2009 International Conference on Advanced Information Networking and Applications, AINA 2009 - Bradford, United Kingdom Duration: 2009 May 26 → 2009 May 29

Publication series

Name	Proceedings - International Conference on Advanced Information Networking and Applications, AINA
ISSN (Print)	1550-445X

Conference

Conference	2009 International Conference on Advanced Information Networking and Applications, AINA 2009
Country/Territory	United Kingdom
City	Bradford
Period	09/5/26 → 09/5/29

ASJC Scopus subject areas

Engineering(all)

Access to Document

10.1109/AINA.2009.93

Cite this

Yamada, A., Miyake, Y., Terabe, M., Hashimoto, K., & Kato, N. (2009). Anomaly detection for DNS servers using frequent host selection. In Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009 (pp. 853-860). Article 5076288 (Proceedings - International Conference on Advanced Information Networking and Applications, AINA). https://doi.org/10.1109/AINA.2009.93

Anomaly detection for DNS servers using frequent host selection. / Yamada, Akira; Miyake, Yutaka; Terabe, Masahiro et al.
Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009. 2009. p. 853-860 5076288 (Proceedings - International Conference on Advanced Information Networking and Applications, AINA).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Yamada, A, Miyake, Y, Terabe, M, Hashimoto, K & Kato, N 2009, Anomaly detection for DNS servers using frequent host selection. in Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009., 5076288, Proceedings - International Conference on Advanced Information Networking and Applications, AINA, pp. 853-860, 2009 International Conference on Advanced Information Networking and Applications, AINA 2009, Bradford, United Kingdom, 09/5/26. https://doi.org/10.1109/AINA.2009.93

Yamada A, Miyake Y, Terabe M, Hashimoto K, Kato N. Anomaly detection for DNS servers using frequent host selection. In Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009. 2009. p. 853-860. 5076288. (Proceedings - International Conference on Advanced Information Networking and Applications, AINA). doi: 10.1109/AINA.2009.93

@inproceedings{52b377b69ca14d42854a33c4ff19bc8a,

title = "Anomaly detection for DNS servers using frequent host selection",

abstract = "DNS is one of the internet's fundamental building blocks, used by various applications such as web and mail transfer. Therefore, monitoring DNS traffic has potential to detect host anomalies such as spammers and infected hosts in a network. However, previous works assume a small number of hosts or target on domain name anomalies, so that they cannot be applied to a large-scale networks due to performance issues. A large number of hosts and long-term tracing consume computational resources and make realtime analysis difficult. In this paper, we propose anomaly detection for DNS servers using frequent host selection, which selects only potential hosts and does not depend on the number of hosts. We evaluate the proposed system using DNS traffic for 6 months of tracing, and show that the system can feasibly handle hosts in the dataset and detect anomalies, such as mail servers suffering from spam and DNS servers are configured incorrectly.",

author = "Akira Yamada and Yutaka Miyake and Masahiro Terabe and Kazuo Hashimoto and Nei Kato",

year = "2009",

month = oct,

day = "5",

doi = "10.1109/AINA.2009.93",

language = "English",

isbn = "9780769536385",

series = "Proceedings - International Conference on Advanced Information Networking and Applications, AINA",

pages = "853--860",

booktitle = "Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009",

note = "2009 International Conference on Advanced Information Networking and Applications, AINA 2009 ; Conference date: 26-05-2009 Through 29-05-2009",

}

TY - GEN

T1 - Anomaly detection for DNS servers using frequent host selection

AU - Yamada, Akira

AU - Miyake, Yutaka

AU - Terabe, Masahiro

AU - Hashimoto, Kazuo

AU - Kato, Nei

PY - 2009/10/5

Y1 - 2009/10/5

N2 - DNS is one of the internet's fundamental building blocks, used by various applications such as web and mail transfer. Therefore, monitoring DNS traffic has potential to detect host anomalies such as spammers and infected hosts in a network. However, previous works assume a small number of hosts or target on domain name anomalies, so that they cannot be applied to a large-scale networks due to performance issues. A large number of hosts and long-term tracing consume computational resources and make realtime analysis difficult. In this paper, we propose anomaly detection for DNS servers using frequent host selection, which selects only potential hosts and does not depend on the number of hosts. We evaluate the proposed system using DNS traffic for 6 months of tracing, and show that the system can feasibly handle hosts in the dataset and detect anomalies, such as mail servers suffering from spam and DNS servers are configured incorrectly.

AB - DNS is one of the internet's fundamental building blocks, used by various applications such as web and mail transfer. Therefore, monitoring DNS traffic has potential to detect host anomalies such as spammers and infected hosts in a network. However, previous works assume a small number of hosts or target on domain name anomalies, so that they cannot be applied to a large-scale networks due to performance issues. A large number of hosts and long-term tracing consume computational resources and make realtime analysis difficult. In this paper, we propose anomaly detection for DNS servers using frequent host selection, which selects only potential hosts and does not depend on the number of hosts. We evaluate the proposed system using DNS traffic for 6 months of tracing, and show that the system can feasibly handle hosts in the dataset and detect anomalies, such as mail servers suffering from spam and DNS servers are configured incorrectly.

UR - http://www.scopus.com/inward/record.url?scp=70349508910&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70349508910&partnerID=8YFLogxK

U2 - 10.1109/AINA.2009.93

DO - 10.1109/AINA.2009.93

M3 - Conference contribution

AN - SCOPUS:70349508910

SN - 9780769536385

T3 - Proceedings - International Conference on Advanced Information Networking and Applications, AINA

SP - 853

EP - 860

BT - Proceedings - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009

T2 - 2009 International Conference on Advanced Information Networking and Applications, AINA 2009

Y2 - 26 May 2009 through 29 May 2009

ER -

Anomaly detection for DNS servers using frequent host selection

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this