DNS-ADVP: A machine learning anomaly detection and visual platform to protect top-level domain name servers against DDoS attacks

Luis A. Trejo, Victor Ferman, Miguel Angel Medina-Pérez, Fernando Miguel Arredondo Giacinti, Raúl Monroy, Jose E. Ramirez-Marquez

Research output: Contribution to journal › Article › peer-review

20 Scopus citations

Abstract

DNS DDoS attacks may severely affect the operation of computer networks, prompting the need for methods able to detect them in a timely manner and then apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but they often demand continuous attention from IT staff. Machine learning techniques, however, can complement a visual model with further information and with on-time alerts, so that IT officers need to give attention only when an attack is in progress, at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic and a one-class classifier that deals with traffic anomaly detection. Using the visual model, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, achieving an area under the curve (AUC) of 83%. DNS-ADVP is currently in use for real-time monitoring of an actual authoritative DNS server.

Original language: English
Article number: 8744546
Pages (from-to): 116358-116369
Number of pages: 12
Journal: IEEE Access
Volume: 7
State: Published - 2019

    Keywords

    • Amplification attack
    • Anomaly detection
    • DNS DDoS attacks
    • Domain name system
    • One-class classification
    • Visualisation model
