Approximate String Matching for DNS Anomaly Detection
This work addresses DNS security for network administrators, but it appears incremental as it adapts approximate string matching to a specific domain.
The paper tackles DNS anomaly detection by transforming traffic data into strings and applying a new fast approximate string matching algorithm, discovering over an order of magnitude more DNS attacks compared to auto-regression and other common regressors on a 10-day public dataset.
In this paper we propose a novel approach to identify anomalies in DNS traffic. The traffic time-points data is transformed to a string, which is used by new fast appproximate string matching algorithm to detect anomalies. Our approach is generic in its nature and allows fast adaptation to different types of traffic. We evaluate the approach on a large public dataset of DNS traffic based on 10 days, discovering more than order of magnitude DNS attacks in comparison to auto-regression as a baseline. Moreover, the additional comparison has been made including other common regressors such as Linear Regression, Lasso, Random Forest and KNN, all of them showing the superiority of our approach.