DNS-ADVP: A machine learning anomaly detection and visual platform to protect top-level domain name servers against DDoS attacks

© 2019 Institute of Electrical and Electronics Engineers Inc.. All rights reserved.DNS DDoS attacks may severely affect the operation of computer networks, prompting the need for methods able to timely detect them, and then to apply mitigation countermeasures. Visual models have been used to detect an ongoing DDoS attack, but often demand continuous attention from IT staff. However, machine learning techniques could complement a visual model with further information and with on-time alerts that could help IT officers give attention only when an attack is in progress at its very early stage. In this paper, we present DNS-ADVP, a DNS Anomaly Detection Visual Platform, which, in an integrated manner, provides a novel visualisation that depicts on-line DNS traffic, and a one-class classifier that deals with traffic anomaly detection. Using the visual mode, an IT officer may interpret the current state of traffic for an authoritative DNS server; the model comes with visual semaphores, controlled by the one-class classifier. Due to the highly dynamic nature of DNS traffic, our classification method continuously updates what counts as normal behaviour; it has been successfully tested on synthetic attacks, with an 83% of the area under the curve (AUC). DNS-ADVP is currently in use to real-time monitoring an actual authoritative DNS server.

DNS-ADVP: A machine learning anomaly detection and visual platform to protect top-level domain name servers against DDoS attacks Academic Article in Scopus