TY - JOUR
T1 - DNS-ADVP
T2 - A machine learning anomaly detection and visual platform to protect top-level domain name servers against DDoS attacks
AU - Trejo, Luis A.
AU - Ferman, Victor
AU - Medina-Pérez, Miguel Angel
AU - Arredondo Giacinti, Fernando Miguel
AU - Monroy, Raúl
AU - Ramirez-Marquez, Jose E.
N1 - Publisher Copyright:
© 2019 Institute of Electrical and Electronics Engineers Inc. All rights reserved.
PY - 2019
Y1 - 2019
N2 - DNS DDoS attacks may severely disrupt the operation of computer networks, prompting the need for methods able to detect them in a timely fashion and then apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but they often demand continuous attention from IT staff. Machine learning techniques, however, can complement a visual model with further information and with timely alerts, so that IT officers need to pay attention only when an attack is in progress, at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic and a one-class classifier that deals with traffic anomaly detection. Using the visual model, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores, controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, with an area under the curve (AUC) of 83%. DNS-ADVP is currently in use for real-time monitoring of an actual authoritative DNS server.
AB - DNS DDoS attacks may severely disrupt the operation of computer networks, prompting the need for methods able to detect them in a timely fashion and then apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but they often demand continuous attention from IT staff. Machine learning techniques, however, can complement a visual model with further information and with timely alerts, so that IT officers need to pay attention only when an attack is in progress, at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic and a one-class classifier that deals with traffic anomaly detection. Using the visual model, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores, controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, with an area under the curve (AUC) of 83%. DNS-ADVP is currently in use for real-time monitoring of an actual authoritative DNS server.
KW - Amplification attack
KW - Anomaly detection
KW - DNS DDoS attacks
KW - Domain name system
KW - One-class classification
KW - Visualisation model
UR - http://www.scopus.com/inward/record.url?scp=85079181485&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85079181485&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2019.2924633
DO - 10.1109/ACCESS.2019.2924633
M3 - Article
AN - SCOPUS:85079181485
VL - 7
SP - 116358
EP - 116369
JO - IEEE Access
JF - IEEE Access
M1 - 8744546
ER -
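The abstract above describes two design points a practitioner would want to see concretely: a one-class model of "normal" DNS traffic that keeps updating itself because DNS load drifts, and a visual semaphore driven by that model. The following is an added, self-contained example written for this record; it is not the DNS-ADVP classifier or any code from the paper. It assumes a hypothetical three-feature window (queries per second, share of QTYPE=ANY queries, distinct clients per query), a z-score one-class scorer over a sliding baseline, and green/yellow/red thresholds that are illustrative choices. The traffic stream is constructed, not measured: a slowly rising query rate, then a short ANY-query amplification flood, then recovery.

```python
"""
Adaptive one-class anomaly detector with a traffic-light ("semaphore") output
for an authoritative DNS server.  Illustrative example only, not the paper's
method: feature set, window size and thresholds are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Window:
    """Per-time-window features extracted from DNS query logs (hypothetical set)."""
    qps: float            # queries per second
    any_frac: float       # share of QTYPE=ANY queries (classic amplification vector)
    src_per_query: float  # distinct client IPs / queries (spoofed floods distort this)


FEATURES = ("qps", "any_frac", "src_per_query")


class AdaptiveOneClass:
    """Keeps a sliding baseline of windows it judged normal and scores a new window
    by the largest absolute z-score across features.  Windows scored red are NOT
    fed back, so an attack cannot teach the model that flooding is normal."""

    def __init__(self, history=20, yellow=3.0, red=6.0, min_history=5, adaptive=True):
        self.hist = deque(maxlen=history)
        self.yellow, self.red, self.min_history = yellow, red, min_history
        self.adaptive = adaptive  # False = freeze the baseline once it is full

    def score(self, w):
        if len(self.hist) < self.min_history:
            return 0.0  # not enough baseline yet: stay quiet rather than guess
        worst = 0.0
        for f in FEATURES:
            col = [getattr(h, f) for h in self.hist]
            mu, sd = mean(col), pstdev(col)
            # floor the spread so a very flat baseline is not hypersensitive
            sd = max(sd, 0.05 * abs(mu), 1e-9)
            worst = max(worst, abs(getattr(w, f) - mu) / sd)
        return worst

    def observe(self, w):
        s = self.score(w)
        colour = "green" if s < self.yellow else ("yellow" if s < self.red else "red")
        if colour != "red" and (self.adaptive or len(self.hist) < self.hist.maxlen):
            self.hist.append(w)  # learn slow drift, never learn from attack windows
        return colour, s


def constructed_stream():
    """Constructed feature stream (not real measurements): 40 windows of normal
    traffic whose query rate drifts upward, 5 windows of an ANY-query
    amplification flood, then 5 windows back to normal."""
    out = []
    for t in range(50):
        if 40 <= t < 45:
            out.append(Window(qps=9000.0, any_frac=0.70, src_per_query=0.02))
        else:
            out.append(Window(qps=1000.0 + 10 * t + 15 * (t % 3),
                              any_frac=0.02 + 0.005 * (t % 2),
                              src_per_query=0.30 + 0.01 * (t % 4)))
    return out


def run(detector, stream):
    """Return the semaphore colour emitted for each window, in order."""
    return [detector.observe(w)[0] for w in stream]


if __name__ == "__main__":
    adaptive = run(AdaptiveOneClass(), constructed_stream())
    frozen = run(AdaptiveOneClass(adaptive=False), constructed_stream())
    for t, (a, f) in enumerate(zip(adaptive, frozen)):
        print(f"window {t:2d}: adaptive={a:6s} frozen={f}")
```

The contrast between the two detectors is the point of the example: the adaptive baseline follows the upward drift in query rate and stays green through it, goes red for every flood window because the ANY share is hundreds of standard deviations above baseline, and returns to green afterwards; the frozen baseline, trained once on the first twenty windows, raises a red alert on the last ordinary window purely because of drift. Refusing to feed red windows back into the baseline is the cheapest defence against an attacker slowly "teaching" the model; a production deployment would also want a cap on how fast the baseline may move.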