Clustering Abnormal Behavior of DNS Servers
Bonnie Kirkpatrick, Simon Lacoste-Julien, Wei Xu (xuw_at_cs.berkely.edu)
Introduction

Our goal was to detect misconfigurations of DNS servers by data mining the request log of the DNS A-root server. We represented the request log in a feature space. After projecting the data onto the principal components, we applied the k-means algorithm to obtain clusters. Our clusters revealed four classes of DNS misconfigurations, which were verified by DNS operators.

About DNS
  • Scalable, distributed name-to-IP mappings
  • Hierarchically-organized name servers
  • Different types of resource records

DNS query
  • A local cache absorbs a large part of the DNS traffic (about 90%, according to previous studies)
  • Otherwise, requests traverse the DNS hierarchy

Problems with DNS infrastructure
  • Local misconfigurations bring extra traffic to the DNS infrastructure
  • Up to 34% of the traffic in our dataset is caused by sources that behave abnormally
  • Scalability and high redundancy hide local misconfigurations
  • Attack attempts on the DNS roots every day
  • The resources of the DNS root are used to attack others (IP spoofing etc.)

Algorithm

Input: DNS requests log (one record per request)

1. PREPROCESSING: feature engineering and preprocessing. One data point = the 3-minute statistics for one source IP. Features:
  • time of slice
  • source IP
  • total requests
  • unique queries
  • max of repeated queries
  • min / max / avg interarrival time
  • min / max / avg / std TTL
2. PCA: project the data into the principal component basis (12d)
3. HIERARCHICAL CLUSTERING
4. K-MEANS CLUSTERING
5. LINEAR DISCRIMINANT ANALYSIS: yields the discriminating directions
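The preprocessing step written out, as an added example that is not the poster's code: it parses records in the layout the poster shows under Results (time_stamp source_IP TTL EDNS0 Qname/Qclass/Qtype), buckets them per source IP into 3-minute slices, and computes the per-slice statistics listed above. The log lines are constructed, the alignment of slices to multiples of 180 seconds and the treatment of a single-request slice (interarrival time set to the slice length) are assumptions of this example, and the EDNS0 column is parsed but unused because it is not among the poster's features.

```python
"""Per-source, per-3-minute-slice feature extraction from a DNS request log.

Added example, not the poster's code. Record layout follows the sample
shown on the poster:  time_stamp source_IP TTL EDNS0 Qname/Qclass/Qtype
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

SLICE_SECONDS = 180  # one data point = 3-minute statistics for a source IP

# Constructed log lines (not real traffic). 64.4.25.22 sends distinct names;
# 198.51.100.7 re-sends one name every 0.5 s, then once more in the next slice.
SAMPLE_LOG = """\
1094616016.955030 64.4.25.22 114 n www.lelplastic.com/IN/A
1094616017.105030 64.4.25.22 114 n mail.example.net/IN/MX
1094616019.455030 64.4.25.22 115 n ns1.example.org/IN/A
1094616016.000000 198.51.100.7 55 n www.example.com/IN/A
1094616016.500000 198.51.100.7 55 n www.example.com/IN/A
1094616017.000000 198.51.100.7 55 n www.example.com/IN/A
1094616017.500000 198.51.100.7 55 n www.example.com/IN/A
1094616200.000000 198.51.100.7 55 n www.example.com/IN/A
"""

Query = Tuple[str, str, str]  # (qname, qclass, qtype)


@dataclass
class SliceFeatures:
    slice_start: int      # time of slice (unix seconds, slice-aligned)
    source_ip: str
    total_requests: int
    unique_queries: int   # distinct (qname, qclass, qtype) triples
    max_repeated: int     # how often the most repeated query was sent
    iat_min: float        # interarrival time statistics, seconds
    iat_max: float
    iat_avg: float
    ttl_min: int          # statistics of the poster's TTL column
    ttl_max: int
    ttl_avg: float
    ttl_std: float

    def as_vector(self) -> List[float]:
        """The numeric statistics in poster order, ready for PCA / k-means."""
        return [self.total_requests, self.unique_queries, self.max_repeated,
                self.iat_min, self.iat_max, self.iat_avg,
                self.ttl_min, self.ttl_max, self.ttl_avg, self.ttl_std]


def parse_record(line: str) -> Tuple[float, str, int, str, Query]:
    """Split one log line into its five columns; Qname/Qclass/Qtype is slash-separated."""
    ts, ip, ttl, edns0, query = line.split()
    qname, qclass, qtype = query.split("/")
    return float(ts), ip, int(ttl), edns0, (qname, qclass, qtype)


def extract_features(log_text: str, slice_seconds: int = SLICE_SECONDS) -> List[SliceFeatures]:
    """Group records by (slice, source IP) and compute one feature row per group."""
    groups: Dict[Tuple[int, str], List[Tuple[float, int, Query]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, ttl, _edns0, query = parse_record(line)  # EDNS0 is not a poster feature
        # Assumption: slices are aligned to multiples of slice_seconds since the epoch.
        slice_start = int(ts // slice_seconds) * slice_seconds
        groups[(slice_start, ip)].append((ts, ttl, query))

    rows = []
    for (slice_start, ip), recs in sorted(groups.items()):
        recs.sort(key=lambda r: r[0])
        times = [r[0] for r in recs]
        ttls = [r[1] for r in recs]
        counts = Counter(r[2] for r in recs)
        # Assumption: a source seen only once in a slice gets the slice length as its
        # interarrival time (it did not re-query within the window).
        iats = [b - a for a, b in zip(times, times[1:])] or [float(slice_seconds)]
        rows.append(SliceFeatures(
            slice_start=slice_start, source_ip=ip,
            total_requests=len(recs), unique_queries=len(counts),
            max_repeated=max(counts.values()),
            iat_min=min(iats), iat_max=max(iats), iat_avg=mean(iats),
            ttl_min=min(ttls), ttl_max=max(ttls), ttl_avg=mean(ttls), ttl_std=pstdev(ttls),
        ))
    return rows


if __name__ == "__main__":
    for row in extract_features(SAMPLE_LOG):
        print(row.slice_start, row.source_ip, row.as_vector())
```

Each row returned by extract_features is one point for the clustering stages; the constructed source 198.51.100.7 already shows the "many repeated queries, few unique ones" shape the Red cluster in the Results describes, while 64.4.25.22 has as many unique queries as total requests.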
Results
Description of dataset
  • One-day log from tcpdump on the subnet of DNS A-root

Record format (one line per request):

  Time_stamp         source_IP    TTL  EDNS0  Qname/Qclass/Qtype
  1094616016.955030  64.4.25.22   114  n      www.lelplastic.com/IN/A
Cluster plot (figure not reproduced); the four clusters by plot color:

Green: Small TTL variations may be caused by slightly varied paths through the Internet, or the use of multiple proxies. Large TTL variations may imply other problems.

Blue: Sources sending mostly unique requests may not be caching the results or following the levels of indirection correctly.

Red: Many repeated queries may indicate more serious problems such as exponential back-off misconfigurations, inability to receive DNS responses, buggy software, etc.

Black: Points with low numbers of both total and unique queries. These indicate sources querying the root with repeated queries at fairly regular intervals, which may be caused by monitoring traffic.