Hongbo Shi,Haoyuan Xu

DOI: https://doi.org/10.1049/cp.2015.0756

2015-01-01

Abstract:According to the improvement of data mining technologies, big data now is a hot topic in various areas, such as Internet, finance, healthcare etc. As well as known, big data is collected and accumulated across a wide variety of fields fast and in real time. It is very important to find the structure from big data. In this paper, we focus on the neral network algorithm, Growing Hierarchical Self-Organizing Maps (GHSOM). GHSOM is considered that it can provide structured clustering. However, the hierarchical growing mechanism of GHSOM is faulty. This paper proposes a new enhanced GHSOM, called sGHSOM. sGHSOM solves the issue of the growing mechanism in GHSOM. We use the KDD Cup 1999 Data as the benchmark for estimating the performance of sGHSOM. The experiment results show that sGHSOM has a higher precision than GHSOM on classification. Furthermore, this paper uses actual measured DNS queries to show that sGHSOM can visualize the structure of DNS queries in time series exactly for detecting infected computers comparing with GHSOM.

Muhammad Dawood,Chunagbai Xiao,Shanshan Tu,Faiz Abdullah Alotaibi,Mrim M. Alnfiai,Muhammad Farhan

DOI: https://doi.org/10.7717/peerj-cs.2027

2024-05-28

PeerJ Computer Science

Abstract:This article explores detecting and categorizing network traffic data using machine-learning (ML) methods, specifically focusing on the Domain Name Server (DNS) protocol. DNS has long been susceptible to various security flaws, frequently exploited over time, making DNS abuse a major concern in cybersecurity. Despite advanced attack, tactics employed by attackers to steal data in real-time, ensuring security and privacy for DNS queries and answers remains challenging. The evolving landscape of internet services has allowed attackers to launch cyber-attacks on computer networks. However, implementing Secure Socket Layer (SSL)-encrypted Hyper Text Transfer Protocol (HTTP) transmission, known as HTTPS, has significantly reduced DNS-based assaults. To further enhance security and mitigate threats like man-in-the-middle attacks, the security community has developed the concept of DNS over HTTPS (DoH). DoH aims to combat the eavesdropping and tampering of DNS data during communication. This study employs a ML-based classification approach on a dataset for traffic analysis. The AdaBoost model effectively classified Malicious and Non-DoH traffic, with accuracies of 75% and 73% for DoH traffic. The support vector classification model with a Radial Basis Function (SVC-RBF) achieved a 76% accuracy in classifying between malicious and non-DoH traffic. The quadratic discriminant analysis (QDA) model achieved 99% accuracy in classifying malicious traffic and 98% in classifying non-DoH traffic.

computer science, information systems, artificial intelligence, theory & methods

Yao Wang,Ming-zeng Hu,Bin Li,Bo-ru Yan

DOI: https://doi.org/10.1007/11942634_37

2006-01-01

Abstract:This paper seeks to quantitatively understand the nature of the current threat towards the common name servers. A new tracking technique based on statistical model is proposed to locate the anomalous name servers by analyzing the real-world DNS traffic. After summarizing the attacks towards DNS, the detection method based on associative feature analysis is presented. Experiments are conducted which highlighting both the payload anomaly and the data flow anomaly, and the experimental results reveal the efficiency of our method in detecting the anomalous behaviors of name servers.

Weina Niu,Xiaosong Zhang,Guowu Yang,Jianan Zhu,Zhongwei Ren

DOI: https://doi.org/10.1155/2017/4916953

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:Advanced Persistent Threat (APT) is a serious threat against sensitive information. Current detection approaches are time-consuming since they detect APT attack by in-depth analysis of massive amounts of data after data breaches. Specifically, APT attackers make use of DNS to locate their command and control (C&C) servers and victims' machines. In this paper, we propose an efficient approach to detect APT malware C&C domain with high accuracy by analyzing DNS logs. We first extract 15 features from DNS logs of mobile devices. According to Alexa ranking and the VirusTotal's judgement result, we give each domain a score. Then, we select the most normal domains by the score metric. Finally, we utilize our anomaly detection algorithm, called Global Abnormal Forest (GAF), to identify malware C&C domains. We conduct a performance analysis to demonstrate that our approach is more efficient than other existing works in terms of calculation efficiency and recognition accuracy. Compared with Local Outlier Factor (LOF),k-Nearest Neighbor (KNN), and Isolation Forest (iForest), our approach obtains more than 99% F-M and R for the detection of C&C domains. Our approach not only can reduce data volume that needs to be recorded and analyzed but also can be applicable to unsupervised learning.

Xiaoqing Sun,Jiahai Yang,Zhiliang Wang,Heng Liu

DOI: https://doi.org/10.1109/noms47738.2020.9110462

2020-01-01

Abstract:As a fundamental component of the Internet, Domain Name System (DNS) is widely abused by attackers in various cybercrimes, making malicious domain detection an essential task in network defenses. However, some well-crafted attacks with tricky techniques can not only bypass blacklists but also make some machine learning-based detection systems infeasible. In this paper, we design HGDom, an accurate and robust malicious domain detection system based on a heterogeneous graph convolutional network method. First, we jointly analyze domain features as well as the complex relations among domains, clients, and IP addresses. To capture richer information, we introduce a Heterogeneous Information Network (HIN) to model the DNS scene. Then, we propose a novel representation method named MAGCN. With a meta-path-based attention mechanism, it can handle node features and the graph structure in HIN at the same time. To our best knowledge, this is the first work to apply GCN in cyber security analysis. Comprehensive experiments over DNS data from TUNET and CERNET2 are conducted to validate the effectiveness and superiority of our proposed methods. The comparison results show that HGDom outperforms state-of-the-art approaches with promising performance. Besides, the system is decided to be deployed in production to assist with network security management for CERNET2.

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

QIN Huidong,YANG Jia,LI Xiaonan,MA Hao,LUO Ziyuan,GUO Qiang

DOI: https://doi.org/10.3724/sp.j.1249.2020.99036

2020-01-01

JOURNAL OF SHENZHEN UNIVERSITY SCIENCE AND ENGINEERING

Abstract:In this paper, we propose a local outlier factor (LOF) algorithm based on multi-dimensional timing characteristics for detecting abnormal source IPs of DNS. The algorithm is used to identify abnormal source IPs of the DNS traffic of a campus network. Based on the algorithm, we further introduce a multi-feature-based abnormal domain name detection method and efficiently improve the detection of DNS anomalies of the campus network.

Manmeet Singh,Maninder Singh,Sanmeet Kaur

DOI: https://doi.org/10.1007/s11416-023-00462-5

2023-01-25

Journal of Computer Virology and Hacking Techniques

Abstract:Data security and privacy concerns on the Internet are continuously rising considering security breaches. These security breaches are often due to the presence of host(s) infected with malware called bots. As a result, bot-infection detection in enterprise networks is getting a greater research focus. From the perspective of law enforcement, the focus is to detect and destroy the botnet infrastructure which comprises mostly of Command and Control server along with the technique used for communication. From an enterprise perspective, it is important to detect and quarantine bot-infected machines thereby preventing the chance of any security breach. While many efforts have been made to detect malicious domains, limited research is done to detect infected machines in an enterprise network. This paper presents a deep learning-based technique for detecting bot-infected machines in a network applied to the hourly hosts' Domain Name System (DNS) fingerprint. Multi feature anomaly detection technique was implemented to detect bots in the campus network thereby minimizing the number of false positives. The results indicate a significant improvement over previous work. Finally, a GUI tool named DeepDAD is presented to facilitate investigating and detecting bots in a network traffic using DNS traffic analysis.

Chen Tingting,Fang Binxing,Zheng Jun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.05.002

2006-01-01

Abstract:This paper presents an application of a hierarchical self-organizing map(HSOM)algorithm for network anomaly detection.By growing in a top-down approach and extending the connections of neurons from horizontal dimension to both horizontal and hierarchical dimension,HSOM significantly accelerates the searching of winning neurons.Based on HSOM,a data analyzer in network anomaly detection system HSOMDA is designed and implemented.The results of experiments on DARPA 1999 dataset demonstrate its effectiveness and efficiency in anomaly detection.

Futai Zou,Yundong Ren,Jiachen Zhu,Junhua Tang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00090

2021-01-01

Abstract:In recent years, privacy data leakage has become a hot topic of security. After malware controls the target client, it needs to bypass the existing security defense to transmit the data to the controller. DNS is a common communication protocol in the network, thus traditional defense methods will not place strict restrictions on DNS traffic. Researchers have found various domain requests for covert data transmission in DNS traffic. In the past ten years, people have only noticed the communication of DNS tunnels, but the new kind of DNS data leakage has a more covert transmission mode through sub-domain name coding and other ways. DNS data leakage exhibits low traffic volume and periodicity, which is totally different from DNS tunnels with bi-directional data exchange and high traffic volume. In this paper, a detection model named as LSTM-AE is proposed. LSTM-AE integrates LSTM-based time-series characterization and unsupervised autoencoder to detect data leakage malware through DNS traffic. Experimental results show the detection performance of LSTM-AE is better than other ML-based methods and several unknown malicious domains related data leakage have been detected with real-world DNS traffic.

Xiaoqing Sun,Zhiliang Wang,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.1016/j.cose.2020.102057

IF: 5.105

2020-01-01

Computers & Security

Abstract:As an essential network service, the Domain Name System (DNS) is widely abused by attackers, making malicious domain detection a crucial task when combating cybercrimes. The increasing sophistication of attackers calls for new detection methods against novel threats and evasions. In this paper, we analyze the DNS scene and design an intelligent malicious domain detection system, named DeepDom. With joint consideration of both domain’s local features and their global associations, DeepDom is more accurate and is harder for attackers to evade. In DeepDom, we first represent the DNS scene as a Heterogeneous Information Network (HIN) with diverse entities like clients, domains, IP addresses, and accounts to capture richer information. Then, considering the heterogeneous and dynamic nature of DNS, we propose a novel Graph Convolutional Network (GCN) method named SHetGCN to inductively classify domain nodes in the HIN. By guiding the convolution operations with meta-path based short random walks, SHetGCN can jointly handle node features together with structural information and support inductive node embedding. We build a prototype of DeepDom and validate its effectiveness with comprehensive experiments over the DNS data collected from a real-world network, CERNET2. The comparison results demonstrate that our approaches outperform other state-of-the-art techniques.

Ahmed M. Manasrah,Awsan Hasan,Omar Amer Abouabdalla,Sureswaran Ramadass

DOI: https://doi.org/10.48550/arXiv.0911.0487

2009-11-03

Networking and Internet Architecture

Abstract:IThe botnet is considered as a critical issue of the Internet due to its fast growing mechanism and affect. Recently, Botnets have utilized the DNS and query DNS server just like any legitimate hosts. In this case, it is difficult to distinguish between the legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in the DNS traffic and consequently protect the network from the malicious Botnets activities. In this paper, a simple mechanism is proposed to monitors the DNS traffic and detects the abnormal DNS traffic issued by the botnet based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by group of hosts (group behavior) and single hosts (individual behavior), consequently detect the abnormal domain name issued by the malicious Botnets. Finally, the experimental results proved that the proposed mechanism is robust and able to classify DNS traffic, and efficiently detects the botnet activity with average detection rate of 89 percent.

futai zou,siyu zhang,weixiong rao,ping yi

DOI: https://doi.org/10.1155/2015/102687

2015-01-01

Abstract:AbstractMalware remains a major threat to nowadays Internet. In this paper, we propose a DNS graph mining-based malware detection approach. A DNS graph is composed of DNS nodes, which represent server IPs, client IPs, and queried domain names in the process of DNS resolution. After the graph construction, we next transform the problem of malware detection to the graph mining task of inferring graph nodes' reputation scores using the belief propagation algorithm. The nodes with lower reputation scores are inferred as those infected by malwares with higher probability. For demonstration, we evaluate the proposed malware detection approach with real-world dataset. Our real-world dataset is collected from campus DNS servers for three months and we built a DNS graph consisting of 19,340,820 vertices and 24,277,564 edges. On the graph, we achieve a true positive rate 80.63% with a false positive rate 0.023%. With a false positive of 1.20%, the true positive rate was improved to 95.66%. We detected 88,592 hosts infected by malware or C&C servers, accounting for the percentage of 5.47% among all hosts. Meanwhile, 117,971 domains are considered to be related tomalicious activities, accounting for 1.5% among all domains. The results indicate that our method is efficient and effective in detecting malwares.

Qasem Abu Al-Haija,Manar Alohaly,Ammar Odeh

DOI: https://doi.org/10.3390/s23073489

2023-03-27

Abstract:The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experiential evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.

Chao Li,Jian Chen,Zhaoxin Zhang,Zhiping Li,Yanan Cheng,Chendi Ma

DOI: https://doi.org/10.1016/j.cose.2024.103946

IF: 5.105

2024-01-01

Computers & Security

Abstract:The DNS root server is at the top of the hierarchical structure of the DNS system and is the initial node that bootstraps all DNS queries. If the root server resolves abnormally, all domain name resolutions will fail, and many users cannot access the Internet. For this reason, this paper detects the root server itself resolution anomalies and non-self resolution anomalies by constructing high-confidence root zone file and anomaly judgment rules. First, we use the weighted voting statistics method to build high-confidence root zone file by calculating the confidence of multi-source root zone files. Based on high-confidence root zone files, we construct three types of anomaly detection judgment rules: (1) root-side resolution anomaly judgment rules based on feature value matching, (2) response hijacking judgment rules by correlating response anomaly features and resolution routing information, (3) root zone file synchronization anomaly judgment rules by calculating the relative synchronization delay of multi-source root zone files. Finally, using three anomaly judgment rules, we perform anomaly detection on the root resolution data obtained by active measurement. Our detection results show that root zone file synchronization delay distributions of different root server instances vary greatly. Some instances even show minute-level convergence, resulting in incorrect resolution for some TLDs. We also detect one response hijacking incident for 2 TLDs resolution, caused by the domain takeover mechanism adopted by the ISP to reduce inter-domain traffic settlement and decrease resolution latency. Except for the unresponsive exception caused by network packet loss, no root-side resolution anomaly is found, indicating that there is no artificial manipulation of TLD resolution on the root server and reflecting the responsibility of each root server operator aiming to maintain global Internet interconnection. The detection results show that the detection rules proposed in this paper can effectively achieve the anomaly detection of root server resolution and help to maintain the health and stability of the DNS system.

Siyu Zhang,Zhipeng Han,Kaida Jiang

DOI: https://doi.org/10.1109/ICPICS58376.2023.10235404

2023-01-01

Abstract:In recent years, malicious software that utilizes covert channels to transmit private data has become increasingly prevalent. The privacy information of affected users, such as accounts and passwords, is quietly transmitted to attackers. Hackers commonly employ covert tunnels that utilize the Domain Name System (DNS) to achieve this, transmitting stolen information through malicious domains. Traditional DNS tunneling techniques generate significant communication traffic, and related research has delved deeper into this area. However, they face challenges in detecting malicious software that transmits data at low rates. This paper proposes a DNS data leakage detection algorithm based on anomaly detection models. Through experimental verification combining simulated attacks with real data, this algorithm demonstrates high detection rates for low-rate data leakage channels, while also maintaining good detection performance for traditional DNS tunnels.

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Chao Li,Yanan Cheng,Zhaoxin Zhang,Zundong Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110669

IF: 5.493

2024-01-01

Computer Networks

Abstract:The Domain Name System (DNS), as a critical component of Internet infrastructure, is crucial for maintaining network stability and security. However, vulnerabilities in the DNS resolution process make it susceptible to various network attacks. Current DNS resolution anomaly detection methods are challenged by the scarcity of diverse anomalous sample data and the difficulty in accurately capturing such anomalies. To address those challenges, we firstly introduce a proactive anomaly detection method based on bidirectional national censorship behavior, abbreviated as CB-BiDAM. This method can collect diverse anomalous resolution data from multiple network spaces, covering common types of resolution anomalies and effectively solving the problem of sample scarcity. Further, we extract multidimensional features from four key aspects: response content, DNS attributes, resolution paths, and timing, to gain a deeper understanding of the relationship between multifaceted information in the DNS resolution process and anomalous events. Finally, based on these multidimensional features, we construct a DNS resolution anomaly detection model named DRADC, using a stacked ensemble approach. Through a series of comparative experiments, the DRADC model significantly outperforms existing machine learning algorithms in key metrics such as accuracy (97.48%), recall (96.87%), and F1 score (97.09%). Feature ablation experiments further demonstrates that incorporating multidimensional features significantly improves model performance, with a 3% increase in accuracy and a 3.5% increase in precision compared to models relying solely on response content features. By providing an accurate detection model for DNS resolution anomalies, this study aids network administrators in more effectively identifying and countering network attacks. Additionally, our research also contributes to the detection and response to domain censorship mechanisms, which is crucial for maintaining the openness and free flow of the Internet.

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.