Kenton Born
ABSTRACT
This paper introduced NgViz, a tool that examines DNS traffic and shows anomalies in n-gram frequencies. This is accomplished by comparing input files against a fingerprint of legitimate traffic. Both quantitative analysis and visual aids are provided that allow the user to make determinations about the legitimacy of the DNS traffic.
Supplemental Material
Available for Download
- Borders, K. and Prakash, A. 2004. Web tap: detecting covert web traffic. In CCS'04: Proceedings of the 11th ACM conference on Computer and Communications Security, New York, NY, ACM Press, 110--120. Google Scholar
Digital Library
- Born, K. and Gustafson, D. 2010. Detecting DNS Tunnels Using Character Frequency Analysis. In Proceedings of the 9th Annual Security Conference, April 7--8, Las Vegas, Nevada.Google Scholar
- Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L. 2007. Detecting HTTP Tunnels with Statistical Mechanisms. IEEE International Conference on Communications (ICC) '07, 6162--6168.Google Scholar
- Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L. 2008. Detection of Encrypted Tunnels Across Network Boundaries. In Proceedings of the 43rd IEEE International Conference on Communications (ICC 2008), May 19--23, Beijing, China.Google Scholar
- Dembour, O. Dns2tcp. http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en, Nov 2008.Google Scholar
- Dusi, M., Gringoli, F., Salgarelli, L. 2008. A Preliminary Look at the Privacy of SSH Tunnels. In Proceedings of the 17th IEEE International Conference on Computer Communications and Networks (ICCN 2008), St. Thomas, U.S. Virgin Islands.Google ScholarCross Ref
- Hind, Jarod. 2009. Catching DNS Tunnels with A.I. In Proceedings of DefCon 17, July 29--Aug 2, Las Vegas, Nevada.Google Scholar
- Iodine. http://code.kryo.se/iodine/, June 2009.Google Scholar
- Plonka, D., and Barford, P. 2008. Context-aware Clustering of DNS Query Traffic. In Proceedings of the 8th ACM SIGCOMM Internet Measurement Conference (IMC'08), Oct 20--22, Vouliagmeni, Greece. Google ScholarDigital Library
- Pcap. 2010. http://en.wikipedia.org/wiki/Pcap.Google Scholar
- Ren, P., Kristoff, J., Gooch, B. 2006. Visualizing DNS Traffic. In Proceedings of the 3rd International Workshop on Visualization for Computer Security, Oct 30--Nov 3, Alexendria, VA. Google ScholarDigital Library
- Shannon, C. 1951. Prediction and Entropy of Printed English. The Bell Systems Technical Journal, 30:50--64Google ScholarCross Ref
- TCP-over-DNS tunnel software HOWTO. http://analogbit.com/tcp-over-dns_howto, July 2008Google Scholar
- Top Sites. http://www.alexa.com/topsites, Nov 2009.Google Scholar
- Zipf, G. 1932. Selective Studies and the Principle of Relative Frequency in Language, Cambridge, Ma.Google Scholar
Index Terms
- NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis
Recommendations
Network traffic analysis over clustering-based collective anomaly detection
AbstractDue to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection ...
Diagnosing network-wide traffic anomalies
Anomalies are unusual and significant changes in a network's traffic levels, which can often span multiple links. Diagnosing anomalies is critical for both network operators and end users. It is a difficult problem because one must extract and interpret ...
Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems
Highlights- A cloud-edge coordinated traffic anomaly detection approach is proposed.
- An anomalous traffic alarm model is used to detect anomalous traffic continuously.
- A feature extraction algorithm is proposed to efficiently extract traffic ...
AbstractIndustrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system’s security and reliability. ...
Comments