Balkan Journal of Electrical and Computer Engineering

2147-284X 2147-284X

MUSA YILMAZ

10.17694/bajece.435230

Engineering

Mühendislik

Identification of abnormal DNS traffic with Hurst parameter

https://orcid.org/0000-0001-8265-1736

Gezer

Ali

University of Alabama at Birmingham

07 31 2018

6 3 191 197 06 21 2018 07 25 2018

2013

Balkan Journal of Electrical and Computer Engineering

It is a necessityfor effective network management to be aware of the activities taking place oncomputer networks. Network managers should always be alarmed about what ishappening now, what might be, or what will be in the future for the sake ofnetwork. To gather information about a computer system or a network, attackersmostly exploit networking tools to gain some privileges and login systems.Penetration testers also use these tools to gather information about systems,but their main concern is to discover the vulnerabilities of the system, and tofind out what kind of measures could be applied to make the system moreresistant to these vulnerabilities. In this study, we propose an abnormal DNStraffic identification method via utilizing Hurst parameter estimation. To doso, we employ DNS information gathering tools in Kali Linux to generateabnormal DNS flows. Then, we estimate its self-similarity degree to compare thedifferences between normal DNS traffic flows and abnormal ones. Obtainedresults show that abnormal DNS traffic show higher self-similarity degrees.Another interesting finding is that abnormal DNS traffic shows differentdistribution characteristic.

Traffic analysis DNS protocol distribution fitting abnormal traffic detection

[1] H. Chen, J.H. Cho, and S. Hu, “Quantifying the Security Effectiveness of Firewalls and DMZs”, In Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security, ACM, 2018.

[2] A. Patel, M. Taghavi, K. Bakhtiyari, and J. Celestino JúNior. "An intrusion detection and prevention system in cloud computing: A systematic review", Journal of network and computer applications, vol. 36, no. 1 , 2013, pp- 25-41.

[3] U.A. Sandhu, S. Haider, S. Naseer, and O. U. Ateeb, “A survey of intrusion detection & Prevention Techniques”, 2011 International Conference on Information Communication and Managenent IPCSIT, vol. 16, Singapore, 2011, pp. 66-67.

[4] M. Wielorgorshka, and D. O’Brien, DNS Traffic Analysis for Botnet Detection.

[5] C. Hyunsang, H. Lee, H. Lee, and H. Kim. "Botnet detection by monitoring group activities in DNS traffic", In Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on, 2007, pp. 715-720.

[6] C. Hyunsang, and H. Lee. "Identifying botnets by capturing group activities in DNS traffic", Computer Networks, vol. 56, no. 1, 2012, pp. 20-33.

[7] M.A. Hussain, H. Jin, Z.A. Hussien, Z.A. Abduljabbar, S.H. Abbdal, A. İbrahim, “DNS Protection Against Spoofing and Poisoning Attacks”, 3rd International Conference on Information Science and Control Engineering (ICISCE), Beijing China, 2016, pp. 1308-1312.

[8] M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, and S. Gritzalis. "DNS amplification attack revisited." Computers & Security 39, 2013, pp. 475-485.

[9] D. Matthew, Z. Carlos, and H. Thaier, “Penetration Testing: Concepts, Attack Methods and Defense Strategies, Systems”, Applications and Technology Conference (LISAT), 2016 IEEE Long Island, NY USA, 2016.

[10] W.G.J. Halfound, S.R. Choudrary, and A. Orson, “Penetration Testing with Improved Input Vector Identification” , Software Testing Verification and Validation, 2ICST’09, Denver Co, USA, 2009, pp. 346-355.

[11] Kali Linux by Offensive Security, https://www.kali.org/, accessed September 2017.

[12] S. Giardano, S. Miduri, M. Pagano, F. Russo, S. Tartarelli, “A wavelet-based approach to the estimation of Hurst parameter for self-similar data”, International Conference on Digital Signal Processing, DSP 97 2, 1997, pp. 479–482.

[13] M. Barnsley, “Fractals Everywhere”, Academic Press, San Dieog, 1998.

[14] J. Beran, “Statistics for Long Memory Processes”, Chapman & Hall, New York, 1994.

[15] V. Paxson, S. Floyd, “Wide area traffic: the failure of Poisson modeling”, IEEE/ACM Transactions on Networking, vol. 3, no. 3, 1995, pp. 226–244.

[16] W.E. Leland, M.S. Taqqu, W. Willinger, D.V. Wilson, “On the self similar nature of Ethernet traffic (extended version)”, IEEE/ACM Transactions on Networking, vol. 2, no. 1, 1994, pp. 1–15.

[17] J. Beran, R. Sherman, M.S. Taqqu, W. Willinger, “Long-range dependence in variable-bit-rate video traffic”, IEEE Transactions Communications, vol. 43, no. 234, 1995, pp. 1566–1579.

[18] M.E. Crovella, A. Bestavros, “Self similarity in world wide web traffic: evidence and possible causes”, IEEE/ACM Transactions on Networking, vol. 5, no. 6, 1997, pp. 835–846.

[19] D.P. Heyman, T.V. Lakshman, “What are the implications of long-range dependence for VBR-video traffic engineering?”, IEEE/ACM Transactions on Networking, vol. 4, no. 3, 1996, pp. 301–317.

[20] E. Masry, “The wavelet transform of stochastic processes with stationary increments and its application to fractional Brownian motion”, IEEE Trans. Inform. Theory, Vol. 39, no. 1, 1993, pp. 260-264.

[21] G. Wornell, “A Karhunen Loe’ve like expansion for 1/f processes via wavelets”, IEEE Trans. Inform. Theory, Vol. 36, No. 4, pp. 859-861, 1990.

[22] P. Abry, D. Veitch, “Wavelet Analysis of Long-Range-Dependent Traffic”, IEEE Transactions on Information Theory, Vol. 44, No.1, pp. 2-15, 1998.

[23] H. J. Jeongy, D. McNicklez, K. Pawlikowski, “Fast Self-Similar Teletraffic Generation Based on FGN and Wavelets”, IEEE International Conference on Networks, Brisbane, Australia, 1999, pp. 75-82.

[24] R. Bassil, R. Hobeica, W. Itani, C. Ghali, A. Kayssi, and A. Chehab, “Security Analysis and Solution for Thwarting Cache Poisoning Attacks in the Domain Name System”, Proceedings of the 19th IEEE International Conference on Telecommunications (ICT’12), Lebanon, 2012, pp. 1-6.

[25] A. Pallavi, P. Hemlata, Network Traffic Analysis Using Packet Sniffer, International Journal of Engineering Research and and Applications, Vol. 2, No. 3, 2012, pp. 854-85