Abstract

The Internet is a medium for people to communicate with each other, and individuals and organizations face increasing security threats on it. Many organizations prioritize handling external security threats over internal ones, so internal security threats are often missed or, worse, ignored. The Domain Name System (DNS) is one of the major Internet services; it resolves a user's request for a domain name to an IP address. Every user query for a domain name, including queries from users with malicious intent, uses DNS to resolve the domain name (or the reverse mapping). DNS traffic is therefore a rich source of information for detecting otherwise unknown insider threats. This research aims to detect insider threats using DNS-based features: potential insider threats are clustered based on features of the DNS traffic, using machine learning algorithms. Our results show that suspected clusters of DNS traffic contain insider threats within the organizations, and that the most frequent insider-threat suspect is botnet activity, categorized as misuse in the insider-threat classification. Some clusters are suspicious, indicating insider threats, while another cluster is benign but potentially contains abnormal traffic.
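As an added illustration of the approach the abstract describes (not code from the paper), the following extracts per-client features from a constructed DNS resolver log and clusters clients with a minimal two-cluster k-means; the feature set (query count, NXDOMAIN ratio, mean entropy of the leftmost label) and the "highest NXDOMAIN ratio is the suspect cluster" rule are assumptions standing in for the paper's unstated features and algorithm.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one "client query_name rcode" per line (not real data).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 a8f3kq9z.bad-c2.example NXDOMAIN
10.0.0.7 p0w2x7mm.bad-c2.example NXDOMAIN
10.0.0.7 zq1k3h8d.bad-c2.example NXDOMAIN
10.0.0.7 tt9r4vb2.bad-c2.example NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 docs.example.org NOERROR
"""
def label_entropy(qname):
    """Shannon entropy (bits) of the leftmost label; generated-looking names score high."""
    label = qname.split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())
def extract_features(log_text):
    """Per-client feature vector: [query count, NXDOMAIN ratio, mean label entropy]."""
    rows = defaultdict(list)
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        rows[client].append((qname, rcode))
    feats = {}
    for client, qs in rows.items():
        n = len(qs)
        nx_ratio = sum(1 for _, rc in qs if rc == "NXDOMAIN") / n
        feats[client] = [float(n), nx_ratio, sum(label_entropy(q) for q, _ in qs) / n]
    return feats
def cluster_clients(log_text, iters=10):
    """Two-cluster k-means on min-max normalised features (assumed stand-in for the paper's method)."""
    feats = extract_features(log_text)
    dims = range(3)
    lo = [min(v[d] for v in feats.values()) for d in dims]
    hi = [max(v[d] for v in feats.values()) for d in dims]
    norm = {c: [(v[d] - lo[d]) / ((hi[d] - lo[d]) or 1.0) for d in dims] for c, v in feats.items()}
    # Deterministic seeding: the least and most active clients by normalised feature sum.
    ordered = sorted(norm, key=lambda c: sum(norm[c]))
    cents = [norm[ordered[0]][:], norm[ordered[-1]][:]]
    for _ in range(iters):
        assign = {c: min((0, 1), key=lambda k: math.dist(v, cents[k])) for c, v in norm.items()}
        for k in (0, 1):
            members = [norm[c] for c in assign if assign[c] == k]
            if members:
                cents[k] = [sum(m[d] for m in members) / len(members) for d in dims]
    # The cluster whose centroid has the higher NXDOMAIN ratio is flagged for analyst review.
    suspect = max((0, 1), key=lambda k: cents[k][1])
    return {c: ("suspect" if assign[c] == suspect else "benign") for c in assign}
```

In the constructed log, the client issuing high-entropy names that mostly fail to resolve lands alone in the suspect cluster, while the two ordinary clients form the benign cluster.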
