Anomaly detection of domain name system (DNS) query traffic at top level domain servers

Abstract

Major network events can be reflected in domain name system (DNS) traffic at the top-level server in the DNS hierarchical structure. This paper pursues a novel approach to detecting the DNS traffic anomaly of the 5.19 events in China at the CN top-level domain server using covariance analysis. We normalize, expand and average the covariance changes over time slices of different lengths to enhance the robustness of detection. Feature anomalies are detected by clustering analysis of the covariance change anomalies. To improve the accuracy and reduce the complexity of the k-means algorithm, an initial cluster selection technique is proposed and its performance is analyzed. Transient anomaly and time span anomaly are defined, and an efficient real-time approximating algorithm is derived. We use an incremental computational method for the covariance matrix. The computation and transmission scheme of feature values is analyzed and the process of the detection algorithm is given. The traffic detection results for the 5.19 event show that the approach can accurately detect the network anomaly.

Cite

Wang, Z., & Tseng, S. S. (2011). Anomaly detection of domain name system (DNS) query traffic at top level domain servers. Scientific Research and Essays, 6(18), 3858–3872. https://doi.org/10.5897/sre11.439
