Evaluation of strategies for improving anomaly detection in DNS traffic

Abstract

The increasing complexity of cyber threats makes the detection of anomalies in DNS traffic crucial for ensuring network security. Although several studies have explored this process, false positives remain a significant challenge in the analysis. This work aims to validate DNS anomaly detection techniques with low false positive rates, using data from threat intelligence sources and domain analysis techniques applied in similar studies. The validation was performed on publicly available and widely used datasets. Although the results did not meet expectations, they indicate the need to evaluate the data using other techniques, an aspect that can be explored in future work.

Keywords: Cyber Security, Computer Networks, DNS, DNS Tunneling, Threat Intelligence, MISP, Zeek

Published: 2025-05-19

SANTOS, Mayara R. E.; SANTOS, Raquel S. M.; BRITO, Italo V. S.; SAMPAIO, Leobino N. Evaluation of strategies for improving anomaly detection in DNS traffic. In: WORKSHOP ON SCIENTIFIC INITIATION AND GRADUATION - BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 43., 2025, Natal/RN. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 314-321. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc_estendido.2025.8857.