Abstract

DNS DDoS attacks may severely affect the operation of computer networks, prompting the need for methods able to detect them in time and then apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but they often demand continuous attention from IT staff. Machine learning techniques could complement a visual model with further information and with on-time alerts, so that IT officers need to give attention only when an attack is in progress, at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic, together with a one-class classifier that deals with traffic anomaly detection. Using the visual model, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores, controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, reaching 83% area under the curve (AUC). DNS-ADVP is currently in use for real-time monitoring of an actual authoritative DNS server.
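The abstract describes a one-class classifier whose notion of "normal" is updated continuously and whose output drives visual semaphores. The following block is an added illustration of that idea, not the paper's code or its actual feature vector: it keeps a rolling baseline of recent traffic intervals, scores each new interval by its distance from that baseline, maps the score to a green/yellow/red semaphore, and feeds only intervals judged normal back into the baseline so that an ongoing attack cannot redefine "normal". The feature pair (queries per second, mean response size in bytes), the thresholds and the sample values are all constructed assumptions for the example.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed per-second traffic samples: (queries per second, mean response bytes).
# Hypothetical values for the example, not data from the paper.
NORMAL = [(100, 120), (105, 118), (98, 125), (110, 122), (102, 119),
          (97, 121), (104, 123), (101, 117), (99, 120), (106, 124)]
# Amplification-like burst: many more queries and much larger responses.
ATTACK = [(850, 2900), (900, 3100)]


class RollingOneClassDetector:
    """One-class anomaly detector with a continuously updated baseline.

    Assumed design (not the paper's): the baseline is the last `window`
    intervals accepted as normal; a new interval is scored by the largest
    absolute z-score across its features relative to that baseline.
    """

    def __init__(self, window=50, warn=3.0, alarm=6.0, min_samples=5):
        self.baseline = deque(maxlen=window)
        self.warn = warn          # z-score at which the semaphore turns yellow
        self.alarm = alarm        # z-score at which the semaphore turns red
        self.min_samples = min_samples  # warm-up before scoring is meaningful

    def score(self, sample):
        """Return the max absolute z-score of `sample` against the baseline."""
        if len(self.baseline) < self.min_samples:
            return 0.0
        z_max = 0.0
        for i, value in enumerate(sample):
            column = [s[i] for s in self.baseline]
            mu = mean(column)
            # Floor the spread so a perfectly flat baseline cannot divide by zero.
            sigma = max(pstdev(column), 1e-6)
            z_max = max(z_max, abs(value - mu) / sigma)
        return z_max

    def update(self, sample):
        """Classify `sample`, returning 'green', 'yellow' or 'red'.

        Only green intervals are added to the baseline, so the model adapts
        to gradual drift but is not retrained on traffic it flagged.
        """
        z = self.score(sample)
        if z >= self.alarm:
            return "red"
        if z >= self.warn:
            return "yellow"
        self.baseline.append(sample)
        return "green"


def run(samples, **kwargs):
    """Feed a sequence of intervals through the detector; return the semaphores."""
    detector = RollingOneClassDetector(**kwargs)
    return [detector.update(s) for s in samples]


if __name__ == "__main__":
    for sample, light in zip(NORMAL + ATTACK, run(NORMAL + ATTACK)):
        print(sample, light)
```

The warm-up guard (`min_samples`) keeps the first few intervals green by construction, which is the right failure mode on start-up but also means the detector is blind during that period; a deployment would seed the baseline from a known-quiet period instead of from live traffic.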

Highlights

  • DDoS attacks are a matter of concern for IT staff around the world since they severely affect the normal operation of networks, especially the operation of the DNS service

  • DNS amplification attacks are asymmetric [4] in that they are more harmful by using fewer computational resources in comparison to other kinds of attacks

  • Our classifier achieved 83% area under the curve (AUC) when tested on synthetic attacks


Summary

INTRODUCTION

DDoS attacks are a matter of concern for IT staff around the world since they severely affect the normal operation of networks, especially the operation of the DNS service. We analyse the effectiveness of some techniques used to limit the effects of DDoS attacks targeting DNS servers and propose a set of measures to detect in time potential DDoS attacks against this service, such as amplification and reflection attacks, among others. By means of these countermeasures, we built DNS-ADVP, whose main components are a visual model that depicts on-line DNS traffic and a one-class classifier.

Our last contribution regards the integration and fusion of the two previous information sources, that is, the classifier output and the visual model, into a graphical platform to monitor authoritative DNS traffic in real time with the aim of detecting DDoS attacks in time.

RELATED WORK
EXPLORING KNOWN TECHNIQUES TO MITIGATE DNS DDOS ATTACKS
THE DATA VISUALISATION MODEL
TYPE A
TYPE B
TYPE C
TYPE D
THE MACHINE LEARNING ALGORITHM
THE FEATURE VECTOR
Findings
VIII. CONCLUSION