Detection of DNS Traffic Anomalies in Large Networks

  • Milan Čermák
  • Pavel Čeleda
  • Jan Vykopal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8846)


Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore, monitoring DNS traffic can effectively extend the capabilities of current methods for network traffic anomaly detection. In order to monitor this traffic effectively, we propose a new flow metering algorithm that saves resources of a flow exporter. Next, to show the benefits of DNS traffic monitoring for anomaly detection, we introduce novel detection methods using DNS extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.


Keywords: Domain name system; DNS; IP flow monitoring; IPFIX; Traffic anomaly detection; Internet measurements



This material is based upon work supported by Cybernetic Proving Ground project (VG20132015103) funded by the Ministry of the Interior of the Czech Republic.



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Institute of Computer Science, Masaryk University, Brno, Czech Republic
