MA Yun-long,JIANG Cai-ping,ZHANG Qian-li,WANG Ji-long

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.z1.002

2014-01-01

Abstract:An algorithm based on IPFIX network flow data is proposed. By using proposed algorithm, suspicious and abnormal DNS will be detected accurately, and DNS traffic amplification attack will be distinguished rapidly. This algo-rithm has been applied in the Tsinghua University campus network. In our practice, DNS abnormal behaviors have been detected and alarm information has been sent to administrators. Thus, abnormal attack behaviors are restrained in time, and the monitoring and warning for abnormal traffic are all realized.

Chang Deliang,Zhang Qianli,Li Xing

DOI: https://doi.org/10.13245/j.hust.161123

2016-01-01

Abstract:To solve the problems that many approaches focus on flow analysis ,which is unrealistic for a large‐scale network ,a method of user online detection algorithm was proposed based on passive DNS log analysis .T his method avoided the complexity of traffic or raw packet analysis by utilizing DNS (domain name system) logs ,and exploited the silence of users′DNS activities when they were offline to identify users′online time length or join/departure time .The method was validated with real‐world data from the campus network of Tsinghua University ,with a 90 .6% precision rate and a recall rate of 96 .3% .Further study indicates that the users of wireless network often have shorter online time length and change faster ,and the network characteristics in workdays are different from weekends . These results show that this algorithm is capable of being utilized in a real‐world large‐scale network .

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Juozas Auskalnis,Nerijus Paulauskas,Algirdas Baskys

DOI: https://doi.org/10.5755/j01.eie.24.3.20972

2018-06-27

Elektronika ir Elektrotechnika

Abstract:Gap between the new attack appearance and signature creation for this attack may be critical. During this time, many computer systems may be affected and valuable resources may be lost. Even after signature creation, many computer systems still stay vulnerable because of bad security practice, i.e. patches and updates are not installed as needed. Therefore, anomaly intrusion detection system (IDS) that is capable to detect new unknown attacks is valuable security tool. This paper analyses the use of Local Outlier Factor (LOF) to detect anomalies in the computer network. The application of the LOF algorithm for the detection of anomalies when only normal network data are used for the model training has been demonstrated. Experimental results of different threshold values influence on the anomaly detection accuracy using NSL-KDD dataset is presented. DOI: http://dx.doi.org/10.5755/j01.eie.24.3.20972

engineering, electrical & electronic

Shaojie Chen,Bo Lang,Hongyu Liu,Duokun Li,Chuan Gao

DOI: https://doi.org/10.1016/j.cose.2020.102095

2021-05-01

Abstract:<p>DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the network environment. To detect DNS covert channels, researchers extract multiple features from different perspectives of DNS traffic. At present, many detection methods using machine learning are based on manual features, which usually include complex data preprocessing and feature extraction. Additionally, these methods seriously rely on expert knowledge, and some potential features are hard to discover. To address these problems, we propose a DNS covert channel detection method using the LSTM model, which does not rely on feature engineering. First, we use the FQDNs of DNS packets as the input and implement an end-to-end detection approach using LSTM. Then, we filter the detection results of the LSTM model with the grouped filtering method to further reduce the false positive rate. Using the packets from the Internet and the packets generated by running different DNS covert channel tools, we construct our datasets, in which generalization test datasets are included in addition to the FQDN and the DNS packet datasets for model training. Our method achieves an accuracy rate of 99.38% on the test dataset and a recall rate of 98.52% on the generalization test dataset, which are better than the state-of-the-art methods. This method is also tested in a real network environment and has detected multiple malicious DNS covert channel events.</p>

computer science, information systems

Xiaobo Ma,Junjie Zhang,Jing Tao,Jianfeng Li,Jue Tian,Xiaohong Guan

DOI: https://doi.org/10.1109/tifs.2014.2357251

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:As the domain name system (DNS) plays a critical role in malicious services and number of networks, especially small enterprise networks and home networks that are generally and poorly managed, grows rapidly, it is highly desired to outsource the malicious domain detection service to a thirdparty system that can aggregate information from multiple vantage points to perform detection. To this end, we propose DNSRadar, a system that explores the coexistence of domain cache-footprints distributed in all networks that participate in the outsourcing service. Bootstrapping from a list of prelabeled malicious domains, DNSRadar leverages link analysis techniques to infer maliciousness likelihood of unknown domains based on coexistence information. As DNSRadar only uses the existence of an unknown domain in a network for detection, privacy concerns have been drastically reduced. Both MapReduce and lightweight matrix analysis techniques are employed to implement DNSRadar, making scalability as a built-in feature. Taking advantage of a large number of open recursive DNS servers, we have performed extensive evaluation at scale. Experimental results have demonstrated that DNSRadar can efficiently detect similar to 90% malicious domains given a low false positive rate of 1%. Of all these detected malicious domains, similar to 30% are on average 6 days earlier than public DNS reputation services, indicating DNSRadar's great early detection capability.

Qingnan Lai,Changling Zhou,Hao Ma,Zhen Wu,Shiyang Chen

DOI: https://doi.org/10.1016/j.neucom.2014.09.099

IF: 6

2015-01-01

Neurocomputing

Abstract:The Domain Name System (DNS) is a critical Internet service, which translates easily memorized domain names to numerical IP addresses for locating computer resources and services. In this paper, we try to explore the behaviors of DNS lookup by mining DNS logs from three primary DNS servers in a large university campus network in China. Our dataset is made up of two parts, namely DNS query logs and messages received or send by DNS servers. Firstly, through analyzing these DNS query logs, we are able to understand the overall trend of users’ surfing. For dealing with huge DNS dataset, we introduce an algorithm we call DNSReduce, which can be used to dig out top 10 client IP addresses and top 10 destination domain names efficiently. Moreover, we make comparative analysis of lookup behavior between wired and wireless users. Secondly, with messages received or send by DNS servers we can find these DNS servers׳behaviors, i.e., TTLs, equivalent answers and are able to accurately identify domain names with dynamic IP addresses. We provide different and specific visualization techniques for presenting these analysis results and show these techniques are very useful for understanding user behaviors, analyzing security events and characterizing overall tendency in campus network management.

Wensi Huang,Xin Lu,Jiandi Hu,Qiangbin Ye

DOI: https://doi.org/10.1088/1755-1315/632/4/042008

2021-01-01

IOP Conference Series: Earth and Environmental Science

Abstract:Abstract Aiming at the problems of a large amount of abnormal data in the distribution network and the poor adaptability of traditional distribution network data, the paper proposes an intelligent distribution network status and abnormal data monitoring method, which has undergone data pre-processing and data fusion, Data analysis and visualization, and state identification and processing, a total of 4 links, turning multiple electrical feature quantities into a single comprehensive feature quantity, monitoring the operation status of the distribution network, and according to the relationship between each node and the size of the local anomaly factor to achieve intelligence Judgment and location of distribution network fault areas. The thesis realizes the detection and location of faults according to the size of each node's LOF value and the node's association relationship. After RTDS semi-physical closed-loop test, the accuracy and reliability of fault determination and location are high, which has certain reference value.

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

牛国林,管晓宏,龙毅,秦涛

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.009

2009-01-01

Abstract:Based on tradeoffs analysis of abnormal behavior and detection methods,a multi-source traffic features analysis and abnormal detection method was proposed.The distribution characteristics of the flow size,IP addresses and ports were analyzed and found to be efficacious in traffic patterns analysis.The Renyi entropy was employed to fuse the multi-source information captured by different traffic features,and an abnormal behavior detection method was presented.Beacause of using the multi-source information,the models could detect many kinds of abnormal behaviors,which was an impossible mission for many other traditional abnormal detection methods.The experimental results based on actual network data show that the proposed abnormal detection methods are effective in detecting known and unknown attacks with high-accuracy detection rate and low complexity.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Xin Ma,Shize Guo,Zhisong Pan,Bin Liu,Kaolin Jiang,Ming Chen,Shijiao Tang

DOI: https://doi.org/10.48550/arXiv.2207.06641

2022-07-14

Abstract:A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance.

Networking and Internet Architecture

Qasem Abu Al-Haija,Manar Alohaly,Ammar Odeh

DOI: https://doi.org/10.3390/s23073489

2023-03-27

Abstract:The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experiential evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.

Niu Yunlong,Luo Yunfeia,Cong Feiyun,Zheng Huidi,Liu Xinggao

DOI: https://doi.org/10.2298/ntrp2401047y

2024-01-01

Nuclear Technology and Radiation Protection

Abstract:The state-controlled radiation environment automatic monitoring stations are important facilities for monitoring the quality and trends of the radiation environment. However, the analysis and utilization of monitoring data from these stations have limitations. To address this issue, this paper proposes an approach that utilizes the high-dimensional data visualization method based on t-SNE and PCA-BIRCH algorithm's spectrum clustering model to classify historical spectrum data. Subsequently, a local outlier factor-based environmental spectrum abnormal fluctuation detection model is established to enhance discrimination of non-environmental factors causing spectrum anomalies. Results indicate significant differences in spectrum aggregation under different meteorological conditions. The clustering algorithm effectively separates clear and rainy weather spectra based on spectral features, with minimal time consumption and reduced interference from mixed spectrum data. By utilizing local density features, we establish an anomaly detection model, assigning an abnormal score to each spectrum. Comparative analysis demonstrates improved discriminability of the anomaly detection model for unclassified datasets. Our algorithm accurately identifies spectrum fluctuations caused by non-environmental factors amidst complex backgrounds, offering valuable technical support for environmental quality assurance and nuclear emergency decision-making.

nuclear science & technology

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Jinfa WANG,Siyuan JIA,Hai ZHAO,Jiuqiang XU,Chuan LIN

DOI: https://doi.org/10.1587/transcom.2017ebp3392

2018-12-01

IEICE Transactions on Communications

Abstract:Detecting anomalies, such as network failure or intentional attack in Internet, is a vital but challenging task. Although numerous techniques have been developed based on Internet traffic, detecting anomalies from the perspective of Internet topology structure is going to be possible because the anomaly detection of structured datasets based on complex network theory has become a focus of attention recently. In this paper, an anomaly detection method for the large-scale Internet topology is proposed to detect local structure crashes caused by the cascading failure. In order to quantify the dynamic changes of Internet topology, the network path changes coefficient (NPCC) is put forward which highlights the Internet abnormal state after it is attacked continuously. Furthermore, inspired by Fibonacci Sequence, we proposed the decision function that can determine whether the Internet is abnormal or not. That is the current Internet is abnormal if its NPCC is out of the normal domain calculated using the previous k NPCCs of Internet topology. Finally the new Internet anomaly detection method is tested against the topology data of three Internet anomaly events. The results show that the detection accuracy of all events are over 97%, the detection precision for three events are 90.24%, 83.33% and 66.67%, when k=36. According to the experimental values of index F1, larger values of k offer better detection performance. Meanwhile, our method has better performance for the anomaly behaviors caused by network failure than those caused by intentional attack. Compared with traditional anomaly detection methods, our work is more simple and powerful for the government or organization in items of detecting large-scale abnormal events.

telecommunications,engineering, electrical & electronic

Tao Qin,Zhaoli Liu,Pinghui Wang,Shancang Li,Xiaohong Guan,Lixin Gao

DOI: https://doi.org/10.1109/tifs.2019.2933731

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anomaly detection is an important technique used to identify patterns of unusual network behavior and keep the network under control. Today, network attacks are increasing in terms of both their number and sophistication. To avoid causing significant traffic patterns and being detected by existing techniques, many new attacks tend to involve gradual adjustment of behaviors, which always generate incomplete sessions due to their running mechanisms. Accordingly, in this work, we employ the behavior symmetry degree to profile the anomalies and further identify unusual behaviors. We first proposed a symmetry degree to identify the incomplete sessions generated by unusual behaviors; we then employ a sketch to calculate the symmetry degree of internal hosts to improve the identification efficiency for online applications. To reduce the memory cost and probability of collision, we divide the IP addresses into four segments that can be used as keys of the hash functions in the sketch. Moreover, to further improve detection accuracy, a threshold selection method is proposed for dynamic traffic pattern analysis. The hash functions in the sketch are then designed using Chinese remainder theory, which can analytically trace the IP addresses associated with the anomalies. We tested the proposed techniques based on traffic data collected from the northwest center of CERNET (China Education and Research Network); the results show that the proposed methods can effectively detect anomalies in large-scale networks.