Anomaly Behavior Analysis of DNS Protocol

Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721 USA
yalnashif@flpoly.org
Abstract

The DNS protocol is critically important for secure network operations. All networked applications rely on the DNS protocol to translate network domain names into the correct IP addresses. The DNS protocol is prone to attacks such as cache poisoning and DNS hijacking that can lead to the compromise of users' accounts and stored information. In this paper, we present an anomaly-based Intrusion Detection System (IDS) for the DNS protocol (DNS-IDS) that models the normal operation of the DNS protocol and accurately detects any abnormal behavior or exploitation of the protocol. The DNS-IDS system operates in two phases: the training phase and the operational phase. In the training phase, the normal behavior of the DNS protocol is modeled as a finite state machine from which we derive the temporal statistics of normal DNS traffic. We then develop an anomaly metric for the DNS protocol that is a function of the temporal statistics of both the normal and the abnormal transitions of the DNS protocol. During the operational phase, the anomaly metric is used to detect DNS attacks (both known and novel attacks). We have evaluated our approach against a wide range of DNS attacks (DNS hijacking, Kaminsky attack, amplification attack, Birthday attack, DNS Rebinding attack). Our results show an attack detection rate of 97% with a very low false positive alarm rate (0.01397%) and around 3% false negatives.

Keywords: DNS, Intrusion detection system, Anomaly detection, Machine learning, Data mining

+ Corresponding author: Pratik Satam
Journal of Internet Services and Information Security (JISIS), 5(4): 85-97, November 2015
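As an added illustration of the two-phase approach the abstract describes (this is not code from the paper), the following Python models a simplified DNS transaction flow as a finite state machine, estimates transition statistics from constructed normal flows in a training phase, and scores new flows with an anomaly metric in the operational phase. The event alphabet, sample flows, unseen-transition penalty and threshold are my assumptions, not the paper's definitions.

```python
from collections import Counter
from math import log

# Assumed event alphabet for one DNS client/resolver flow (not the paper's FSM):
#   q = query sent, r = response matching a pending query,
#   e = NXDOMAIN/error response, x = response with no matching query/txid
def transitions(flow):
    """State pairs of a flow, with START/END markers so flow boundaries count too."""
    states = ["START"] + list(flow) + ["END"]
    return list(zip(states, states[1:]))

def train(normal_flows):
    """Training phase: per-state transition probabilities from normal flows only."""
    counts = Counter(t for f in normal_flows for t in transitions(f))
    out_of = Counter()
    for (src, _dst), n in counts.items():
        out_of[src] += n
    return {t: n / out_of[t[0]] for t, n in counts.items()}

def anomaly_score(model, flow, unseen_penalty=10.0):
    """Operational phase: mean -log p over a flow's transitions; transitions never
    seen in normal traffic (abnormal transitions) get a fixed penalty instead of p=0."""
    ts = transitions(flow)
    cost = sum(-log(model[t]) if t in model else unseen_penalty for t in ts)
    return cost / len(ts)

def classify(model, flow, threshold=2.0):
    """Flag a flow whose average transition cost exceeds the (assumed) threshold."""
    return "ATTACK" if anomaly_score(model, flow) > threshold else "NORMAL"

# Constructed training set: answered queries, some NXDOMAIN, some back-to-back lookups.
NORMAL_FLOWS = ["qr"] * 6 + ["qe"] * 2 + ["qrqr"] * 2
MODEL = train(NORMAL_FLOWS)

if __name__ == "__main__":
    # Constructed test flows: a normal lookup, unsolicited responses with no query
    # (the pattern a reflected/amplified flood leaves), and a query followed by a
    # burst of non-matching responses (the pattern of response guessing).
    for flow in ["qr", "rrr", "qxxxr"]:
        print(f"{flow:8} score={anomaly_score(MODEL, flow):.3f} -> {classify(MODEL, flow)}")
```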