Identifying suspicious activities through DNS failure graph analysis

Nan Jiang, Jin Cao, Yu Jin, Li Erran Li, Zhi-Li Zhang

Research output: Chapter in Book/Report/Conference proceedingConference contribution

67 Scopus citations

Abstract

As a key approach to securing large networks, existing anomaly detection techniques focus primarily on network traffic data. However, the sheer volume of such data often renders detailed analysis very expensive and reduces the effectiveness of these tools. In this paper, we propose a light-weight anomaly detection approach based on unproductive DNS traffic, namely, the failed DNS queries, with a novel tool - DNS failure graphs. A DNS failure graph captures the interactions between hosts and failed domain names. We apply a graph decomposition algorithm based on the tri-nonnegative matrix factorization technique to iteratively extract coherent co-clusters (dense subgraphs) from DNS failure graphs. By analyzing the co-clusters in the daily DNS failure graphs from a 3-month DNS trace captured at a large campus network, we find these co-clusters represent a variety of anomalous activities, e.g., spamming, trojans, bots, etc.. In addition, these activities often exhibit distinguishable subgraph structures. By exploring the temporal properties of the co-clusters, we show our method can identify new anomalies that likely correspond to unreported domain-flux bots.

Original languageEnglish (US)
Title of host publication18th IEEE International Conference on Network Protocols, ICNP'10
Pages144-153
Number of pages10
DOIs
StatePublished - Dec 1 2010
Event18th IEEE International Conference on Network Protocols, ICNP'10 - Kyoto, Japan
Duration: Oct 5 2010Oct 8 2010

Publication series

NameProceedings - International Conference on Network Protocols, ICNP
ISSN (Print)1092-1648

Other

Other18th IEEE International Conference on Network Protocols, ICNP'10
CountryJapan
CityKyoto
Period10/5/1010/8/10

Fingerprint Dive into the research topics of 'Identifying suspicious activities through DNS failure graph analysis'. Together they form a unique fingerprint.

  • Cite this

    Jiang, N., Cao, J., Jin, Y., Li, L. E., & Zhang, Z-L. (2010). Identifying suspicious activities through DNS failure graph analysis. In 18th IEEE International Conference on Network Protocols, ICNP'10 (pp. 144-153). [5762763] (Proceedings - International Conference on Network Protocols, ICNP). https://doi.org/10.1109/ICNP.2010.5762763