DNSSM: A Large Scale Passive DNS Security Monitoring Framework - Archive ouverte HAL
Conference paper Year: 2012

DNSSM: A Large Scale Passive DNS Security Monitoring Framework

Abstract

We present a monitoring approach and the supporting software architecture for passive DNS traffic. Monitoring DNS traffic can reveal essential network- and system-level activity profiles: worm-infected hosts and hosts participating in botnets can be identified, and malicious backdoor communications can be detected. Any passive DNS monitoring solution needs to address several challenges, ranging from architectural approaches for dealing with large volumes of data to data mining approaches specific to this purpose. We describe a framework that combines state-of-the-art distributed processing facilities with clustering techniques in order to detect anomalies in both online and offline DNS traffic. This framework, entitled DNSSM, is implemented and operational on several networks. We validate the framework against two large trace sets.
Main file: dnssm.pdf (947.4 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-00749243, version 1 (07-11-2012)

Identifiers

Cite

Samuel Marchal, Jérôme François, Cynthia Wagner, Radu State, Alexandre Dulaunoy, et al. DNSSM: A Large Scale Passive DNS Security Monitoring Framework. Network Operations and Management Symposium, Apr 2012, Lahaina, United States. pp. 988-993, ⟨10.1109/NOMS.2012.6212019⟩. ⟨hal-00749243⟩
516 views
947 downloads
