Abstract

    Major network events can be reflected in domain name system (DNS) traffic at the top-level server in the DNS hierarchical structure. This paper pursues a novel approach to detecting the DNS traffic anomaly of the 5.19 events in China at the CN top-level domain server using covariance analysis. We normalize, expand and average the covariance changes for time slices of different lengths to enhance the robustness of detection. Feature anomalies are detected based on clustering analysis of covariance change anomalies. To improve the accuracy and reduce the complexity of the k-means algorithm, an initial cluster selection technique is proposed and its performance is analyzed. Transient anomaly and time span anomaly are defined, and an efficient real-time approximating algorithm is derived. We use an incremental computational method for the covariance matrix. The computation and transmission scheme of feature values is analyzed and the process of the detecting algorithm is given. The traffic detection results for the 5.19 event show that the approach can accurately detect the network anomaly.

    Key words: Anomaly detection, DNS query traffic, covariance analysis.
