Context-aware clustering of DNS query traffic

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Context-aware clustering of DNS query traffic

Full text

Pdf (530 KB)

Source

Internet Measurement Conference archive
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement table of contents

Vouliagmeni, Greece

SESSION: Infrastructure table of contents

Pages 217-230

Year of Publication: 2008

ISBN:978-1-60558-334-1

Authors

David Plonka	University of Wisconsin - Madison, Madison, WI, USA
Paul Barford	University of Wisconsin - Madison and Nemean Networks, Madison, WI, USA

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication
SIGMETRICS: ACM Special Interest Group on Measurement and Evaluation
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 76, Downloads (12 Months): 453, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1452520.1452547 What is a DOI?

ABSTRACT

The Domain Name System (DNS) is a one of the most widely used services in the Internet. In this paper, we consider the question of how DNS traffic monitoring can provide an important and useful perspective on network traffic in an enterprise. We approach this problem by considering three classes of DNS traffic: canonical (i.e., RFC-intended behaviors), overloaded (e.g.,black-list services), and unwanted (i.e., queries that will never succeed). We describe a context-aware clustering methodology that is applied to DNS query-responses to generate the desired aggregates. Our method enables the analysis to be scaled to expose the desired level of detail of each traffic type, and to expose their time varying characteristics. We implement our method in a tool we call TreeTop, which can be used to analyze and visualize DNS traffic in real-time. We demonstrate the capabilities of our methodology and the utility of TreeTop using a set of DNS traces that we collected from our campus network over a period of three months. Our evaluation highlights both the coarse and fine level of detail that can be revealed by our method. Finally, we show preliminary results on how DNS analysis can be coupled with general network traffic monitoring to provide a useful perspective for network management and operations.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Spam and Open Relay Blocking System. http://www.sorbs.net.
	2	J. Abley and K. Lindqvist. Operation of Anycast Services. IETF RFC 4786, December 2006.
	3	N. Brownlee, K. Claffy, and E. Nemeth. DNS Measurements at a Root Server. In Proceedings of IEEE Global Telecommunications Conference (Globecom '01), San Antonio, TX, December 2001.
	4	S. Cheshire. DNS Service Discovery. http://dns-sd.org.
	5	S. Cheshire. Multicast DNS. http://multicastdns.org.
	6	S. Cheshire. Method and Apparatus for Detecting Incorrect Responses to Network Queries. United States Patent 20060253612, 2006.
	7	Kenjiro Cho , Ryo Kaizaki , Akira Kato, Aguri: An Aggregation-Based Traffic Profiler, Proceedings of the Second International Workshop on Quality of Future Internet Services, p.222-242, September 24-26, 2001
	8	Thomas T. Cormen , Charles E. Leiserson , Ronald L. Rivest, Introduction to algorithms, MIT Press, Cambridge, MA, 1990
	9	D. Dagon, N. Provos, C. Lee, and W. Lee. Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In Proceedings of Network and Distributed System Security Symposium (NDSS '08), San Diego, CA, February 2008.
	10	D. Dagon, C. Zou, and W. Lee. Modeling Botnet Propagation Using Time Zones. In Proceedings of The Network and Distributed Systems Security Symposium (NDSS '06), San Diego, CA, February 2006.
	11	D. Deitrich, S. Gill, B. Greene, N. Long, and R. Thomas. Bogon Reference. http://www.team-cymru.org/?sec=8&opt=25, 2001.
	12	Christian Dewes , Arne Wichmann , Anja Feldmann, An analysis of Internet chat systems, Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, October 27-29, 2003, Miami Beach, FL, USA [doi>10.1145/948205.948214]
	13	Jeffrey Erman , Martin Arlitt , Anirban Mahanti, Traffic classification using clustering algorithms, Proceedings of the 2006 SIGCOMM workshop on Mining network data, p.281-286, September 11-15, 2006, Pisa, Italy [doi>10.1145/1162678.1162679]
	14	Cristian Estan , Stefan Savage , George Varghese, Automatically inferring patterns of resource consumption in network traffic, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany [doi>10.1145/863955.863972]
	15	Cristian Estan , George Varghese, New directions in traffic measurement and accounting, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	16	E. Gavron, A Security Problem and Proposed Correction With Widely Deployed DNS Software, RFC Editor, 1993
	17	R. Hinden and S. Deering. IP Version 6 Addressing Architecture. IETF RFC 4291, February 2006.
	18	Jaeyeon Jung , Emil Sit , Hari Balakrishnan , Robert Morris, DNS performance and the effectiveness of caching, IEEE/ACM Transactions on Networking (TON), v.10 n.5, p.589-603, October 2002 [doi>10.1109/TNET.2002.803905]
	19	Thomas Karagiannis , Andre Broido , Michalis Faloutsos , Kc claffy, Transport layer identification of P2P traffic, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy [doi>10.1145/1028788.1028804]
	20	Thomas Karagiannis , Konstantina Papagiannaki , Michalis Faloutsos, BLINC: multilevel traffic classification in the dark, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
	21	Richard Liston , Sridhar Srinivasan , Ellen Zegura, Diversity in DNS performance measures, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637204]
	22	A. McGregor, M. Hall, P. Lorier, and J. Brunskill. Flow Clustering Using Machine Learning Techniques. In Proceedings of the Passive and Active Measurement Conference (PAM '04), Antibes Juan-les-Pins, France, April 2004.
	23	P. V. Mockapetris, Domain names - concepts and facilities, RFC Editor, 1987
	24	P. V. Mockapetris, Domain names - implementation and specification, RFC Editor, 1987
	25	D. Plonka. The TreeTop analysis tool. http://net.doit.wisc.edu/~plonka/treetop/, 2008.
	26	Anirudh Ramachandran , Nick Feamster , David Dagon, Revealing botnet membership using DNSBL counter-intelligence, Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet, p.8-8, July 07, 2006, San Jose, CA
	27	Pin Ren , John Kristoff , Bruce Gooch, Visualizing DNS traffic, Proceedings of the 3rd international workshop on Visualization for computer security, November 03-03, 2006, Alexandria, Virginia, USA [doi>10.1145/1179576.1179582]
	28	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	29	Matthew Roughan , Subhabrata Sen , Oliver Spatscheck , Nick Duffield, Class-of-service mapping for QoS: a statistical signature-based approach to IP traffic classification, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy [doi>10.1145/1028788.1028805]
	30	K. Sklower. A Tree-Based Packet Routing Table for Berkeley Unix. In USENIX Winter Conference '91, Dallas, TX, January 1991.
	31	Daniel Steinberg , Stuart Cheshire, Zero Configuration Networking: The Definitive Guide, O'Reilly Media, Inc., 2005
	32	W. Richard Stevens, TCP/IP illustrated (vol. 1): the protocols, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1993
	33	F. Weimer. Passive DNS Replication. In Proceedings of FIRST Conference on Computer Security Incident Hand ling, Singapore, July 2005.
	34	D. Wessels. dnstop. http://dns.measurement-factory.com/tools/dnstop/, 2002.
	35	Duane Wessels, Is your caching resolver polluting the internet?, Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality, September 03-03, 2004, Portland, Oregon, USA [doi>10.1145/1016687.1016695]
	36	D. Whyte, E. Kranakis, and P. Van Oorschot. DNS-Based Detection of Scanning Worms in an Enterprise Network. In Proceedings of Network and Distributed System Security Symposium (NDSS'05), San Diego, CA, February 2005.
	37	Vinod Yegneswaran , Jonathon T. Giffin , Paul Barford , Somesh Jha, An architecture for generating semantics-aware signatures, Proceedings of the 14th conference on USENIX Security Symposium, p.7-7, July 31-August 05, 2005, Baltimore, MD
	38	Bojan Zdrnja , Nevil Brownlee , Duane Wessels, Passive Monitoring of DNS Anomalies, Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, July 12-13, 2007, Lucerne, Switzerland [doi>10.1007/978-3-540-73614-1_8]
	39	Jian Zhang , Jennifer Rexford , Joan Feigenbaum, Learning-based anomaly detection in BGP updates, Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data, August 26-26, 2005, Philadelphia, Pennsylvania, USA [doi>10.1145/1080173.1080189]