Approximate String Matching for DNS Anomaly Detection
Roni Mateless, Michael Segal

TL;DR
This paper introduces a fast, generic approximate string matching method for DNS traffic anomaly detection, demonstrating superior performance over traditional regression-based approaches on large datasets.
Contribution
A novel approximate string matching algorithm tailored for DNS anomaly detection, enabling rapid adaptation and improved detection accuracy over existing methods.
Findings
Detected over an order of magnitude more DNS attacks than baseline methods
Outperformed regression, Lasso, Random Forest, and KNN in anomaly detection accuracy
Validated on a large 10-day public DNS traffic dataset
Abstract
In this paper we propose a novel approach to identify anomalies in DNS traffic. The traffic time-points data is transformed to a string, which is used by new fast appproximate string matching algorithm to detect anomalies. Our approach is generic in its nature and allows fast adaptation to different types of traffic. We evaluate the approach on a large public dataset of DNS traffic based on 10 days, discovering more than order of magnitude DNS attacks in comparison to auto-regression as a baseline. Moreover, the additional comparison has been made including other common regressors such as Linear Regression, Lasso, Random Forest and KNN, all of them showing the superiority of our approach.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsNetwork Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
