Unsupervised Anomaly Detection Method Based on DNS Log Data

  • Conference paper
  • Conference: Artificial Intelligence in China (AIC 2022)
  • Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 871)


Abstract

To address network attacks in which malicious code abuses the Domain Name System (DNS), this paper analyzes the characteristics of malicious-code behavior and abnormal operational behavior in DNS traffic and proposes an unsupervised method for detecting anomalous IP addresses from DNS log data. DNS fingerprint features are constructed to capture the DNS behavior of each IP address as fully as possible. The detection model is built from the isolation forest and local outlier factor algorithms, which together yield an anomaly score for each IP. Experimental results show that the method detects both attack anomalies and operational anomalies in the network environment well; with the help of a whitelist and a suitably chosen anomaly-score threshold, its accuracy exceeds 90%.
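The pipeline the abstract sketches (per-IP DNS fingerprint, density-based outlier score, whitelist, analyst-chosen threshold) can be shown end to end on a small constructed log. The Python below is an added example, not code from the paper: the log format, the four fingerprint features (mean query-name length, mean character entropy, NXDOMAIN ratio, TXT ratio), the client IPs and domain names are all assumptions made for illustration, and only the local outlier factor (LOF, Breunig et al.) half of the paper's detector is implemented, from scratch so it runs offline; the isolation-forest component is not reproduced.

```python
# Added example, not code from the paper: per-client DNS fingerprint + LOF scoring.
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: client_ip qname qtype rcode.
# 10.0.0.11-14 are ordinary clients; 10.0.0.50 resolves random-looking names
# that all fail (DGA-like); 10.0.0.77 sends long TXT queries (tunnel-like).
SAMPLE_LOG = """\
10.0.0.11 www.example.com A NOERROR
10.0.0.11 mail.example.com A NOERROR
10.0.0.11 cdn.example.net A NOERROR
10.0.0.11 www.example.com AAAA NOERROR
10.0.0.11 login.example.org A NOERROR
10.0.0.12 www.example.com A NOERROR
10.0.0.12 cdn.example.net A NOERROR
10.0.0.12 news.example.org A NOERROR
10.0.0.12 wwww.example.com A NXDOMAIN
10.0.0.12 mail.example.com A NOERROR
10.0.0.13 mail.example.com A NOERROR
10.0.0.13 www.example.com A NOERROR
10.0.0.13 news.example.org A NOERROR
10.0.0.13 login.example.org AAAA NOERROR
10.0.0.13 cdn.example.net A NOERROR
10.0.0.13 www.example.com A NOERROR
10.0.0.14 cdn.example.net A NOERROR
10.0.0.14 www.example.com A NOERROR
10.0.0.14 news.example.org A NOERROR
10.0.0.14 mail.example.com MX NOERROR
10.0.0.50 xk3q9vbt2lmzfd7h.com A NXDOMAIN
10.0.0.50 p7wz1dqf8rhyjb4n.net A NXDOMAIN
10.0.0.50 m2yb6ktcj4vxwq9s.com A NXDOMAIN
10.0.0.50 r9hq3wzn5fdlkp2t.org A NXDOMAIN
10.0.0.50 t4vj8xpk1bqmzc6d.com A NXDOMAIN
10.0.0.77 a91f3c0e7b2d5f6a4c8e1b9d.tun.example.org TXT NOERROR
10.0.0.77 7c2e4a9b1d8f3e6c0b5a2d9f.tun.example.org TXT NOERROR
10.0.0.77 e4b8d1c7a3f9e2b6d0c4a8f1.tun.example.org TXT NOERROR
10.0.0.77 3f6a0c9e2b7d4f1a8c5e3b0d.tun.example.org TXT NOERROR
"""

def parse_log(text):
    """Group (qname, qtype, rcode) tuples by client IP."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ip, qname, qtype, rcode = line.split()
            by_ip[ip].append((qname.lower(), qtype.upper(), rcode.upper()))
    return by_ip

def char_entropy(name):
    """Shannon entropy (bits per character) of a query name with dots removed."""
    chars = name.replace(".", "")
    probs = [n / len(chars) for n in Counter(chars).values()]
    return -sum(p * math.log2(p) for p in probs)

def fingerprint(queries):
    """Assumed feature set: mean qname length, mean entropy, NXDOMAIN ratio, TXT ratio."""
    n = len(queries)
    return [
        sum(len(q) for q, _, _ in queries) / n,
        sum(char_entropy(q) for q, _, _ in queries) / n,
        sum(r == "NXDOMAIN" for _, _, r in queries) / n,
        sum(t == "TXT" for _, t, _ in queries) / n,
    ]

def zscore(rows):
    """Standardise each feature column so no single feature dominates the distances."""
    cols = []
    for col in zip(*rows):
        mu = sum(col) / len(col)
        sd = math.sqrt(sum((v - mu) ** 2 for v in col) / len(col))
        cols.append([(v - mu) / sd if sd > 0 else 0.0 for v in col])
    return [list(r) for r in zip(*cols)]

def lof_scores(points, k):
    """Local Outlier Factor: about 1 for inliers, well above 1 for isolated points."""
    n = len(points)
    dist = [[math.dist(points[i], points[j]) for j in range(n)] for i in range(n)]
    neigh, kdist = [], []
    for i in range(n):
        nearest = sorted((dist[i][j], j) for j in range(n) if j != i)[:k]
        neigh.append([j for _, j in nearest])
        kdist.append(nearest[-1][0])  # distance to the k-th nearest neighbour
    reach = lambda i, j: max(kdist[j], dist[i][j])  # reachability distance
    lrd = [k / max(sum(reach(i, j) for j in neigh[i]), 1e-12) for i in range(n)]
    return [sum(lrd[j] for j in neigh[i]) / k / lrd[i] for i in range(n)]

def rank_clients(log_text, k=3, whitelist=frozenset()):
    """Score every client IP, suppress whitelisted ones, return (ip, LOF) high-to-low.
    The alert threshold on the LOF value is left to the analyst, as in the paper."""
    by_ip = parse_log(log_text)
    ips = sorted(by_ip)
    scores = lof_scores(zscore([fingerprint(by_ip[ip]) for ip in ips]), k)
    ranked = sorted(zip(ips, scores), key=lambda t: -t[1])
    return [(ip, round(s, 3)) for ip, s in ranked if ip not in whitelist]

if __name__ == "__main__":
    for ip, score in rank_clients(SAMPLE_LOG):
        print(f"{ip:12} LOF={score}")
```

On this constructed log the four ordinary clients score close to 1 while the DGA-like and tunnel-like clients score several times higher, so any threshold in between separates them; the whitelist is applied after scoring so that suppressing a known-good IP does not change the scores of the others. Two properties worth keeping in mind when moving to real data: z-scoring with very few IPs lets a single low-variance feature dominate the distances, and LOF reports a ratio, so the threshold has to be re-derived from the score distribution of each environment rather than reused.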



Funding Statement

This work was supported by the National Natural Science Foundation of China (NSFC) under Grant No. 61901447.


Corresponding author

Correspondence to Zhou Caiqiu.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Jiarong, W., Zhongtian, L., Fazhi, Q., Tian, Y., Jiahao, L., Caiqiu, Z. (2023). Unsupervised Anomaly Detection Method Based on DNS Log Data. In: Liang, Q., Wang, W., Mu, J., Liu, X., Na, Z. (eds) Artificial Intelligence in China. AIC 2022. Lecture Notes in Electrical Engineering, vol 871. Springer, Singapore. https://doi.org/10.1007/978-981-99-1256-8_5


  • DOI: https://doi.org/10.1007/978-981-99-1256-8_5


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-1255-1

  • Online ISBN: 978-981-99-1256-8

  • eBook Packages: Computer Science, Computer Science (R0)
