Identification of abnormal DNS traffic with Hurst parameter

Abstract

It is a necessity for effective network management to be aware of the activities taking place on computer networks. Network managers should always be alarmed about what is happening now, what might be, or what will be in the future for the sake of network. To gather information about a computer system or a network, attackers mostly exploit networking tools to gain some privileges and login systems. Penetration testers also use these tools to gather information about systems, but their main concern is to discover the vulnerabilities of the system, and to find out what kind of measures could be applied to make the system more resistant to these vulnerabilities. In this study, we propose an abnormal DNS traffic identification method via utilizing Hurst parameter estimation. To do so, we employ DNS information gathering tools in Kali Linux to generate abnormal DNS flows. Then, we estimate its self-similarity degree to compare the differences between normal DNS traffic flows and abnormal ones. Obtained results show that abnormal DNS traffic show higher self-similarity degrees. Another interesting finding is that abnormal DNS traffic shows different distribution characteristic.

Keywords

• Traffic analysis,DNS protocol,distribution fitting,abnormal traffic detection

References

1. [1] H. Chen, J.H. Cho, and S. Hu, “Quantifying the Security Effectiveness of Firewalls and DMZs”, In Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security, ACM, 2018.
2. [2] A. Patel, M. Taghavi, K. Bakhtiyari, and J. Celestino JúNior. "An intrusion detection and prevention system in cloud computing: A systematic review", Journal of network and computer applications, vol. 36, no. 1 , 2013, pp- 25-41.
3. [3] U.A. Sandhu, S. Haider, S. Naseer, and O. U. Ateeb, “A survey of intrusion detection & Prevention Techniques”, 2011 International Conference on Information Communication and Managenent IPCSIT, vol. 16, Singapore, 2011, pp. 66-67.
4. [4] M. Wielorgorshka, and D. O’Brien, DNS Traffic Analysis for Botnet Detection.
5. [5] C. Hyunsang, H. Lee, H. Lee, and H. Kim. "Botnet detection by monitoring group activities in DNS traffic", In Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on, 2007, pp. 715-720.
6. [6] C. Hyunsang, and H. Lee. "Identifying botnets by capturing group activities in DNS traffic", Computer Networks, vol. 56, no. 1, 2012, pp. 20-33.
7. [7] M.A. Hussain, H. Jin, Z.A. Hussien, Z.A. Abduljabbar, S.H. Abbdal, A. İbrahim, “DNS Protection Against Spoofing and Poisoning Attacks”, 3rd International Conference on Information Science and Control Engineering (ICISCE), Beijing China, 2016, pp. 1308-1312.
8. [8] M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, and S. Gritzalis. "DNS amplification attack revisited." Computers & Security 39, 2013, pp. 475-485.

9. [9] D. Matthew, Z. Carlos, and H. Thaier, “Penetration Testing: Concepts, Attack Methods and Defense Strategies, Systems”, Applications and Technology Conference (LISAT), 2016 IEEE Long Island, NY USA, 2016.
10. [10] W.G.J. Halfound, S.R. Choudrary, and A. Orson, “Penetration Testing with Improved Input Vector Identification” , Software Testing Verification and Validation, 2ICST’09, Denver Co, USA, 2009, pp. 346-355.
11. [11] Kali Linux by Offensive Security, https://www.kali.org/, accessed September 2017.
12. [12] S. Giardano, S. Miduri, M. Pagano, F. Russo, S. Tartarelli, “A wavelet-based approach to the estimation of Hurst parameter for self-similar data”, International Conference on Digital Signal Processing, DSP 97 2, 1997, pp. 479–482.
13. [13] M. Barnsley, “Fractals Everywhere”, Academic Press, San Dieog, 1998.
14. [14] J. Beran, “Statistics for Long Memory Processes”, Chapman & Hall, New York, 1994.
15. [15] V. Paxson, S. Floyd, “Wide area traffic: the failure of Poisson modeling”, IEEE/ACM Transactions on Networking, vol. 3, no. 3, 1995, pp. 226–244.
16. [16] W.E. Leland, M.S. Taqqu, W. Willinger, D.V. Wilson, “On the self similar nature of Ethernet traffic (extended version)”, IEEE/ACM Transactions on Networking, vol. 2, no. 1, 1994, pp. 1–15.
17. [17] J. Beran, R. Sherman, M.S. Taqqu, W. Willinger, “Long-range dependence in variable-bit-rate video traffic”, IEEE Transactions Communications, vol. 43, no. 234, 1995, pp. 1566–1579.
18. [18] M.E. Crovella, A. Bestavros, “Self similarity in world wide web traffic: evidence and possible causes”, IEEE/ACM Transactions on Networking, vol. 5, no. 6, 1997, pp. 835–846.
19. [19] D.P. Heyman, T.V. Lakshman, “What are the implications of long-range dependence for VBR-video traffic engineering?”, IEEE/ACM Transactions on Networking, vol. 4, no. 3, 1996, pp. 301–317.
20. [20] E. Masry, “The wavelet transform of stochastic processes with stationary increments and its application to fractional Brownian motion”, IEEE Trans. Inform. Theory, Vol. 39, no. 1, 1993, pp. 260-264.
21. [21] G. Wornell, “A Karhunen Loe’ve like expansion for 1/f processes via wavelets”, IEEE Trans. Inform. Theory, Vol. 36, No. 4, pp. 859-861, 1990.
22. [22] P. Abry, D. Veitch, “Wavelet Analysis of Long-Range-Dependent Traffic”, IEEE Transactions on Information Theory, Vol. 44, No.1, pp. 2-15, 1998.
23. [23] H. J. Jeongy, D. McNicklez, K. Pawlikowski, “Fast Self-Similar Teletraffic Generation Based on FGN and Wavelets”, IEEE International Conference on Networks, Brisbane, Australia, 1999, pp. 75-82.
24. [24] R. Bassil, R. Hobeica, W. Itani, C. Ghali, A. Kayssi, and A. Chehab, “Security Analysis and Solution for Thwarting Cache Poisoning Attacks in the Domain Name System”, Proceedings of the 19th IEEE International Conference on Telecommunications (ICT’12), Lebanon, 2012, pp. 1-6.
25. [25] A. Pallavi, P. Hemlata, Network Traffic Analysis Using Packet Sniffer, International Journal of Engineering Research and and Applications, Vol. 2, No. 3, 2012, pp. 854-85