TY - GEN
T1 - Identifying suspicious activities through DNS failure graph analysis
AU - Jiang, Nan
AU - Cao, Jin
AU - Jin, Yu
AU - Li, Li Erran
AU - Zhang, Zhi-Li
PY - 2010
Y1 - 2010
N2 - As a key approach to securing large networks, existing anomaly detection techniques focus primarily on network traffic data. However, the sheer volume of such data often renders detailed analysis very expensive and reduces the effectiveness of these tools. In this paper, we propose a light-weight anomaly detection approach based on unproductive DNS traffic, namely, the failed DNS queries, with a novel tool - DNS failure graphs. A DNS failure graph captures the interactions between hosts and failed domain names. We apply a graph decomposition algorithm based on the tri-nonnegative matrix factorization technique to iteratively extract coherent co-clusters (dense subgraphs) from DNS failure graphs. By analyzing the co-clusters in the daily DNS failure graphs from a 3-month DNS trace captured at a large campus network, we find these co-clusters represent a variety of anomalous activities, e.g., spamming, trojans, bots, etc. In addition, these activities often exhibit distinguishable subgraph structures. By exploring the temporal properties of the co-clusters, we show our method can identify new anomalies that likely correspond to unreported domain-flux bots.
AB - As a key approach to securing large networks, existing anomaly detection techniques focus primarily on network traffic data. However, the sheer volume of such data often renders detailed analysis very expensive and reduces the effectiveness of these tools. In this paper, we propose a light-weight anomaly detection approach based on unproductive DNS traffic, namely, the failed DNS queries, with a novel tool - DNS failure graphs. A DNS failure graph captures the interactions between hosts and failed domain names. We apply a graph decomposition algorithm based on the tri-nonnegative matrix factorization technique to iteratively extract coherent co-clusters (dense subgraphs) from DNS failure graphs. By analyzing the co-clusters in the daily DNS failure graphs from a 3-month DNS trace captured at a large campus network, we find these co-clusters represent a variety of anomalous activities, e.g., spamming, trojans, bots, etc. In addition, these activities often exhibit distinguishable subgraph structures. By exploring the temporal properties of the co-clusters, we show our method can identify new anomalies that likely correspond to unreported domain-flux bots.
UR - http://www.scopus.com/inward/record.url?scp=79957629730&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79957629730&partnerID=8YFLogxK
U2 - 10.1109/ICNP.2010.5762763
DO - 10.1109/ICNP.2010.5762763
M3 - Conference contribution
AN - SCOPUS:79957629730
SN - 9781424486458
T3 - Proceedings - International Conference on Network Protocols, ICNP
SP - 144
EP - 153
BT - 18th IEEE International Conference on Network Protocols, ICNP'10
T2 - 18th IEEE International Conference on Network Protocols, ICNP'10
Y2 - 5 October 2010 through 8 October 2010
ER -