DNSSM: A Large Scale Passive DNS Security Monitoring Framework

Abstract : We present a monitoring approach and the supporting software architecture for passive DNS traffic. Monitoring DNS traffic can reveal essential network and system level activity profiles. Worm infected and botnet participating hosts can be identified and malicious backdoor communications can be detected. Any passive DNS monitoring solution needs to address several challenges that range from architectural approaches for dealing with large volumes of data up to specific Data Mining approaches for this purpose. We describe a framework that leverages state of the art distributed processing facilities with clustering techniques in order to detect anomalies in both online and offline DNS traffic. This framework entitled DNSSM is implemented and operational on several networks. We validate the framework against two large trace sets.
Document type :
Conference papers
Complete list of metadatas

Cited literature [20 references]  Display  Hide  Download

https://hal.archives-ouvertes.fr/hal-00749243
Contributor : Jérôme François <>
Submitted on : Wednesday, November 7, 2012 - 9:22:40 AM
Last modification on : Thursday, February 7, 2019 - 2:59:32 PM
Long-term archiving on : Saturday, December 17, 2016 - 8:23:52 AM

File

dnssm.pdf
Files produced by the author(s)

Identifiers

Collections

Citation

Samuel Marchal, Jérôme François, Cynthia Wagner, Radu State, Alexandre Dulaunoy, et al.. DNSSM: A Large Scale Passive DNS Security Monitoring Framework. Network Operations and Management Symposium, Apr 2012, Lahaina, United States. pp.988 - 993, ⟨10.1109/NOMS.2012.6212019⟩. ⟨hal-00749243⟩

Share

Metrics

Record views

649

Files downloads

1040