Qingnan Lai,Changling Zhou,Hao Ma,Zhen Wu,Shiyang Chen

DOI: https://doi.org/10.1016/j.neucom.2014.09.099

IF: 6

2015-01-01

Neurocomputing

Abstract:The Domain Name System (DNS) is a critical Internet service, which translates easily memorized domain names to numerical IP addresses for locating computer resources and services. In this paper, we try to explore the behaviors of DNS lookup by mining DNS logs from three primary DNS servers in a large university campus network in China. Our dataset is made up of two parts, namely DNS query logs and messages received or send by DNS servers. Firstly, through analyzing these DNS query logs, we are able to understand the overall trend of users’ surfing. For dealing with huge DNS dataset, we introduce an algorithm we call DNSReduce, which can be used to dig out top 10 client IP addresses and top 10 destination domain names efficiently. Moreover, we make comparative analysis of lookup behavior between wired and wireless users. Secondly, with messages received or send by DNS servers we can find these DNS servers׳behaviors, i.e., TTLs, equivalent answers and are able to accurately identify domain names with dynamic IP addresses. We provide different and specific visualization techniques for presenting these analysis results and show these techniques are very useful for understanding user behaviors, analyzing security events and characterizing overall tendency in campus network management.

Jianfeng Li,Xiaobo Ma,Li Guodong,Xiapu Luo,Junjie Zhang,Wei Li,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8486210

2018-01-01

Abstract:Domain Name System (DNS) is one of the pillars of today's Internet. Due to its appealing properties such as low data volume, wide-ranging applications and encryption free, DNS traffic has been extensively utilized for network monitoring. Most existing studies of DNS traffic, however, focus on domain name reputation. Little attention has been paid to understanding and profiling what people are doing from DNS traffic, a fundamental problem in the areas including Internet demographics and network behavior analysis. Consequently, simple questions like “How to determine whether a DNS query for www.google.com means searching or any other behaviors?” cannot be answered by existing studies. In this paper, we take the first step to identify user activities from raw DNS queries. We advance a multiscale hierarchical framework to tackle two practical challenges, i.e., behavior ambiguity and behavior polymorphism. Under this framework, a series of novel methods, such as pattern upward mapping and multi-scale random forest classifier, are proposed to characterize and identify user activities of interest. Evaluation using both synthetic and real-world DNS traces demonstrates the effectiveness of our method.

Shanshan Hao,Renjie Liu,Deliang Chang,Chenhuan Liu,Xing Li

DOI: https://doi.org/10.1109/imcec46724.2019.8984017

2019-01-01

Abstract:The Domain Name System (DNS) is a critical Internet infrastructure that maps a name to an IP. The Top-Level Domain (TLD) of a name represents its administrative jurisdiction, and the location of the IP represents where the service is operating, however the two are sometimes inconsistent. This inconsistency can lead to anomalies in network accessibility in special cases, and has been exploited to evade regulation. In this work, we analyze the statistics, characteristics and causes of this inconsistency between whether a name is part of .cn ccTLD and whether its IP locates in China, using a dataset of the most requested 100k names generated from 157839692 queries collected during two weeks by the campus network resolver. As a result, 4% of .cn names locate out of China, up to 76% of names with IP within China are not part of .cn, and only 28% of them own a corresponding .cn name. Our work shows the threats of this inconsistency and provides insights for future network administration.

Zhiyang Sun,Tiancheng Guo,Shiyu Luo,Yingqiu Zhuang,Yuke Ma,Yang Chen,Xin Wang

DOI: https://doi.org/10.3390/info13110542

2022-01-01

Information

Abstract:Understanding the network usage patterns of university users is very important today. This paper focuses on the research of DNS request behaviors of university users in Shanghai, China. Based on the DNS logs of a large number of university users recorded by CERNET, we conduct a general analysis of the behavior of network browsing from two perspectives: the characteristics of university users' behavior and the market share of CDN service providers. We also undertake experiments on DNS requests patterns for CDN service providers using different prediction models. Firstly, in order to understand the university users' Internet access patterns, we select the top seven universities with the most DNS requests and reveal the characteristics of different university users. Subsequently, to obtain the market share of different CDN service providers, we analyze the overall situation of the traffic distribution among different CDN service providers and its dynamic evolution trend. We find that Tencent Cloud and Alibaba Cloud are leading in both IPv4 and IPv6 traffic. Baidu Cloud has close to 15% in IPv4 traffic, but almost no fraction in IPv6 traffic. Finally, for the characteristics of different CDN service providers, we adopt statistical models, traditional machine learning models, and deep learning models to construct tools that can accurately predict the change in request volume of DNS requests. The conclusions obtained in this paper are beneficial for Internet service providers, CDN service providers, and users.

Miao Yu,Xiaojie Liu

DOI: https://doi.org/10.1155/2022/7914842

IF: 1.43

2022-01-01

Mathematical Problems in Engineering

Abstract:The traditional computer image content retrieval technology can only meet the specific requirements of customers; because of its general features, it cannot comply with the requirements of various environments, purposes, and time simultaneously. This study presents a computer image content retrieval method for a K-means clustering algorithm (KCA). The information collected by computer is preprocessed by K-means clustering algorithm, and the unacquired computer image is labeled based on the optimal learning order according to the KCA. The K-means clustering algorithm classifies the color, pattern, shape, and content of computer images and takes advantage of the invariance advantages of image content retrieval such as scale, rotation, illumination, and blur correction to effectively solve the recurring problems of computer images during retrieval and increase its accuracy. The results of the experiment indicate that the proposed K-means clustering algorithm can enhance the efficiency and performance effectively during image retrieval by computer as compared to the traditional content search algorithm and also help to quickly converge to the query content; it also shows that KCA has good robustness.

Weitao Weng,Kai Lei,Kuai Xu,Xiaoyou Liu,Tao Sun

DOI: https://doi.org/10.1007/978-3-319-39937-9_29

2016-01-01

Abstract:Campus networks consist of a rich diversity of end hosts including wired desktops, servers, and wireless BYOD devices such as laptops and smartphones, which are often compromised in insecure networks. Making sense of traffic behaviors of end hosts in campus networks is a daunting task due to the open nature of the network, heterogeneous devices, high mobility of end users, and a wide range of applications. To address these challenges, this paper applies a combination of graphical approaches and spectral clustering to group the Internet traffic of campus networks into distinctive traffic clusters in a divide-and-conquer manner. Specifically, we first model the data communication between a particular subnet of campus networks and the Internet on a specific application port via bipartite graphs, and subsequently use the one-mode projection to capture behavior similarity of end hosts in the same subnet for the same network applications. Finally we apply a spectral clustering algorithm to explore the behavior similarity to identify distinctive application clusters within each subnet. Our experimental results have demonstrated the benefits of our proposed method for analyzing Internet traffic of a large university town to discover anomalous behaviors and to uncover distinctive temporal and spatial traffic patterns.

YU Han-Bing,WANG Ji-Long

2008-01-01

Periodical of Ocean University of China

Abstract:Abnormal traffic appears very different from normal traffic on the distribution of both destination IP address and time.This paper clusters the Netflow records of the traffic via the campus network based on the higher 16 bits of the outer IP address,finding that some clusters appear unusual on frequency of the emergence.This paper analyzes two kinds of typical cluster,proposes a method to detect anomaly sources insides the campus network using the clusters,and finds the differences of two kinds of anomaly source.Comparing with common anomaly detection methods,this method has fewer amounts of data required for dealing with,and therefore higher efficiency.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Bo Zhang,Yangyang Guan,Wenjia Niu,Jianlong Tan,Zhi Mao

DOI: https://doi.org/10.1109/iccsn.2015.7296198

2015-01-01

Abstract:For a number of reasons, including the shortage of IPv4 addresses, many hosts are connected to the Internet through NAT devices. NAT devices effectively anonymize the origin of communication traffic, and remove many identifying features, which makes it difficult to isolate web traffic into mutually disjoint same-host sets called packet groups. However, ISPs or network supervisors can do product suggestions, targeted advertising, and online criminal detection by analyzing the packet group of one host. In this paper, we provide a hybrid packet clustering approach that can cluster NAT host's packets into packet groups. Our hybrid approach could group an NAT host's traffic from visiting different websites and would not suffer from bad network communications or anonymizing behavior of NAT devices. We use our isolating method on datasets obtained from two local area networks and both of them can get good results that accuracy is more than 90% and coverage is more than 50%.

Wanrong Qiu,Feng Zhai,Zhejing Bao,Baofeng Lie,Qiang Yang,Yongfeng Cao

DOI: https://doi.org/10.1109/ciced.2016.7576194

2016-01-01

Abstract:In this paper, the clustering approach and characteristic indices for load profiles of customers are researched. First, a method for extracting the typical electricity usage profile of an individual customer is proposed, in which the density-based DBSCAN algorithm is followed by a correction strategy aiming at eliminating the significant distortion in the extraction results caused by DBSCAN. Second, K-means clustering is performed to cluster the behavior of the customers' typical load profiles and the evaluation function for clustering effect is applied to determine the most appropriate number of clusters. Finally, the characterization indices are presented with which the profile cluster of a customer could be identified easily. The effectiveness of the proposed methods is demonstrated by the real data of power consumption of industrial and commercial customers from AMI.

Chang Deliang,Zhang Qianli,Li Xing

DOI: https://doi.org/10.13245/j.hust.161123

2016-01-01

Abstract:To solve the problems that many approaches focus on flow analysis ,which is unrealistic for a large‐scale network ,a method of user online detection algorithm was proposed based on passive DNS log analysis .T his method avoided the complexity of traffic or raw packet analysis by utilizing DNS (domain name system) logs ,and exploited the silence of users′DNS activities when they were offline to identify users′online time length or join/departure time .The method was validated with real‐world data from the campus network of Tsinghua University ,with a 90 .6% precision rate and a recall rate of 96 .3% .Further study indicates that the users of wireless network often have shorter online time length and change faster ,and the network characteristics in workdays are different from weekends . These results show that this algorithm is capable of being utilized in a real‐world large‐scale network .

Bingyang Guo,Min Zhang,Chengxi Xu,Fan Shi

DOI: https://doi.org/10.1109/ICCCS52626.2021.9449288

2021-01-01

Abstract:As the Internet continues to evolve, the Domain Name System (DNS), which is originally designated as distributed service, starts to aggregate to fewer DNS servers. Thus, it is of great significance to dig out these name servers and carry out specific security protection on them. Researchers try to calculate the importance of an individual name server based on the number of domains resolved by it. ...

ZHOU Chang-ling,LUAN Xing-long,XIAO Jian-guo

DOI: https://doi.org/10.11959/j.issn.1000-436x.2016064

2016-01-01

Abstract:A novel approach to analyze DNS query behaviors was introduced.This approach embeds queried domains or querying hosts to vector space by deep learning mechan then the relationship between querying of domains or hosts was mapped to vector space operations.By processing two real campus network DNS log datasets,it is found that this method maintains relationships very well.After doing mension reduction and clustering analysis,researchers can not only easily explore hidden relationships intuitively,but also discover abnormal network events like botnet.

Fan Zhou,Weifeng Zhang,Yong Wang,Ting Zhong,Goce Trajcevski,Ashfaq Khokhar

DOI: https://doi.org/10.1109/mnet.012.2100293

IF: 10.294

2022-07-15

IEEE Network

Abstract:Given an IP address, understanding its initial assignment,and predicting its potential usage can significantly help toward improving efficiency of many practical IP-based applications, such as Ad-recommendation, point of interest selection, fraud detection, and Internet service optimization. However, there are only a few prior studies conducted on predicting IP usage from its assignment. Surprisingly, there does not exist a benchmark dataset available to academia that can be used to investigate and develop IP usage predictions for different IP applications. In this work, we formulate the IP usage prediction problem; specifically, we collect large-scale, real-world data and extract salient features using sophisticated networking tools such as different network signals, trace route delay, IP block usage, and geographical landmarks. We showcase a series of tabular information retrieval methods to learn network signals and their interactions, and identify the IP usage scenarios. We believe our datasets and algorithms can benefit the community to facilitate relevant research in this domain, yielding more efficient and effective solutions to multiple categories of applications.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Qi Zhang,Xing Xie,Lee Wang,Lihua Yue,Wei-Ying Ma

DOI: https://doi.org/10.1007/978-3-540-74469-6_79

2007-01-01

Abstract:Knowing the geographical serving area of web resources is very important for many web applications. Here serving area stands for the geographical distribution of online users who are interested in a given web site. In this paper, we proposed a set of novel methods to detect the serving area of web resources by analyzing search engine logs. We use the search logs to detect serving area in two ways. First, we extracted the user IP locations to generate the geographical distribution of users who had the same interests in a web site. Second, query terms input by users were considered as the user knowledge about a web site. To increase the confidence and to cover new sites for use in real-time applications, we also proposed a categorization system for local web sites. A novel method for detecting the serving area was proposed based on categorizing the web content. For each category, a radius was assigned according to previous logs. In our experiments, we evaluated all these three algorithms. From the results, we found that the approach based on query terms was superior to that based on IP locations, since search queries for local sites tended to include location words while the IP locations were sometimes erroneous. The approach based on categorization was efficient for sites of known categories and were useful for small sites without sufficient number of query logs.

Zhenhui Li,Fan Zhou,Zhiyuan Wang,Xovee Xu,Leyuan Liu,Guangqiang Yin

DOI: https://doi.org/10.1038/s41598-024-55750-x

IF: 4.6

2024-03-02

Scientific Reports

Abstract:Understanding user behavior via IP addresses is a crucial measure towards numerous pragmatic IP-based applications, including online content delivery, fraud prevention, marketing intelligence, and others. While profiling IP addresses through methods like IP geolocation and anomaly detection has been thoroughly studied, the function of an IP address—e.g., whether it pertains to a private enterprise network or a home broadband—remains underexplored. In this work, we initiate the first attempt to address the IP usage scenario classification problem. We collect data consisting of IP addresses from four large-scale regions. A novel continuous neural tree-based ensemble model is proposed to learn IP assignment rules and complex feature interactions. We conduct extensive experiments to evaluate our model in terms of classification accuracy and generalizability. Our results demonstrate that the proposed model is capable of efficiently uncovering significant higher-order feature interactions that enhance IP usage scenario classification, while also possessing the ability to generalize from the source region to the target one.

multidisciplinary sciences

Weigang Liu

DOI: https://doi.org/10.1155/2022/4927504

2022-06-10

Wireless Communications and Mobile Computing

Abstract:Attacks on network systems are becoming more and more common, the current state of increasingly sophisticated attack methods, the emergence of intrusion prevention technology is the inevitable result of the development of computer technology and network technology, and research on intrusion prevention has become a new focus of network security technology research in recent years. In order to ensure the security of computer network confidential information, the authors propose a semisupervised clustering intrusion detection algorithm. An overview of machine learning, followed by an explanation of the theory of cluster analysis, simulation experiments were carried out using the K -means algorithm and the semisupervised clustering algorithm proposed by the author, for 10,000 records, the K -means clustering algorithm and the semisupervised clustering algorithm described in this paper are used, respectively, and intrusion detection data tests were performed. At the same time, different K values were selected, three datasets were selected from "kddcup.newtestdata_10_percent_corrected," the test data were tested separately, and their average value was taken as the test result. From the simulation results, the detection rate of the semisupervised clustering algorithm is higher than that of the K -means clustering algorithm, and the false alarm rate and K -means algorithms have also been improved. Therefore, the author's semisupervised algorithm enhances the stability of the system, and the performance of the K -means algorithm is improved to a certain extent. When the value of K gradually increases, the false alarm rate also increases; however, when K is 20, the detection rate is maximized, from this, it can be known that when K is 20, its detection rate reaches 91.76%, and the false alarm rate is 8.54%. The detection rate of the author's algorithm is significantly higher than the other two algorithms, the false positive rate is slightly higher than K -means, and the false positive rate is lower than that of the other algorithm, proving the superior performance of our algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chen Chen,Chuanxiong Guo,Yunxin Liu,Helen J. Wang,Qing Yu

2007-01-01

Abstract:In this paper, we observe that many Web pages contain geolocation information (address, zipcode, and telephone area code) and many of these geolocation items are directly related to the locations of the IP addresses that host the Web pages. We then design Structon, a system that mines Web pages for IP address geolocations. In Structon, we first extract geolocation information from every crawled Web pages, we then devise a serial of information clustering, false-information filtering, error-correction, and location inferring algorithms to map IP addresses to geolocations. We have run our algorithms on top of a set of 74M Chinese Web pages, from which we are able to identify the geolocations for 8.2M IP addresses, which contain addresses for not only Web servers but also client hosts. We have verified our result with an IP address location table of a major Chinese ISP, the verification shows that the accuracy of Structon is 94.4% at province level.

HAN Dianfei,YUAN Ruixi,GUAN Xiaohong

DOI: https://doi.org/10.1016/b978-0-12-803306-7.00003-6

2007-01-01

Abstract:The correct configuration of domain name servers is the foundation of good and robust performance of network service.Past operation practice has shown that incorrect configuration has severe impact on network services.In recent years,the.CN domain,an important part of Internet developed very rapidly.However,there are many issues arising in its management.The DNS configuration errors in.CN domain are measured and analyzed.It is found that over 30% zones suffer from misconfiguration errors.This problem may pose serious hinder to efficient and secure operation of Internet in China and should be brought enough attentions.

Qi Zhang,Xing Xie,Lee Wang,Lihua Yue,Wei-Ying Ma

2006-01-01

Abstract:Most human activities occur around where the user is physically located. Knowing the geographical serving area of web resources, therefore, is very important for many web applications. Here serving area stands for the geographical distribution of online users who are interested in a given web site. It can be also seen as the geographical area that this web site intends to reach. For example, the serving area of a restaurant site is usually restricted to a town or city, while the serving area of an airport site can be as large as a state. In this paper, we proposed a set of novel methods to detect the serving area of web resources by analyzing search engine logs, our example of web usage data. We use the search logs to detect serving area in two ways. First, we extracted the user IP locations to generate the geographical distribution of users who had the same interests in a web site. Second, query terms input by users were considered as the user knowledge about a web site. From the experimental results, we found that the approach based on query terms was superior to that based on IP locations, since search queries for local sites tended to include location words while the IP locations were sometimes erroneous.