ANOMALY DETECTION SYSTEM IN DNS QUERIES
DOI: https://doi.org/10.31891/2307-5732-2024-345-6-22
Keywords: Anomalies in DNS queries, DNS attacks, DNS query monitoring
Abstract
The theoretical and practical aspects of an anomaly detection system in DNS queries, which serves as a crucial tool for ensuring the security of internet infrastructure, are examined. Anomalous DNS queries pose a serious threat to network security and stability as they can be an indicator of cyber attacks or malicious activity. One of the most common threats is the use of DNS to carry out DDoS attacks, in particular through the DNS amplification mechanism. An analysis of existing anomaly detection methods, including statistical, signature-based approaches, and machine learning methods, is conducted. The key stages of the proposed system's development are described, including data collection, preprocessing, and analysis, as well as the creation of a normal activity profile for identifying deviations. Innovative methods based on deep learning and time series analysis open new horizons in automated detection of anomalies in DNS traffic. Deep neural networks, such as recurrent neural networks (RNNs) and convolutional neural networks (CNNs), are used to detect complex patterns in large data sets, including the textual and temporal aspects of DNS queries.
The primary goal of the study is to demonstrate the effectiveness of a combined approach to DNS traffic analysis, utilizing modern machine learning algorithms such as Isolation Forest, One-Class SVM, and K-means. The proposed system achieves a high level of accuracy (92%) and completeness (90%) in anomaly detection, as confirmed by testing results on the CAIDA Passive DNS Dataset.
A description of the modular architecture of the system is presented, which allows for scalability in large networks with high traffic levels. The proposed approach is flexible and adaptive, enabling integration with existing network security and incident response tools.
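The pipeline the abstract outlines (collect queries, preprocess them, build a normal activity profile, flag deviations from it) can be shown end to end on a small scale. The following is an added example written for this page, not code from the paper or its authors. It assumes a log format of one query per line ("epoch client qname qtype"), uses constructed sample traffic rather than the CAIDA dataset, and replaces the paper's Isolation Forest / One-Class SVM / K-means models with a plain per-feature z-score baseline so that it runs on the standard library alone; the per-query features (name length, label count, entropy of the first label) and the per-client rate check are assumptions chosen to reflect the tunnelling and flood cases the abstract mentions, and `example-tunnel.net` is a placeholder, not a real indicator.

```python
"""Normal-activity profile for DNS queries with z-score deviation detection.
Added example, not the paper's code. Log format (assumed): "epoch client qname qtype".
The paper's ML models are stood in for by a mean/std baseline per feature."""
import math
from collections import Counter

Z_THRESHOLD = 3.0
STD_FLOOR = 0.5  # keeps a feature that is constant in the baseline from dividing by zero

# Constructed training traffic: ordinary lookups, not a real capture.
TRAINING_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 cdn.example.net A
1700000003 10.0.0.5 api.example.org AAAA
1700000004 10.0.0.7 static.example.net A
1700000005 10.0.0.9 login.example.com A
1700000006 10.0.0.9 images.example.com A
1700000007 10.0.0.7 docs.example.org A
"""

# Constructed test window: two benign lookups plus a burst of long, random-looking
# TXT queries from one client (the shape of tunnelling/exfiltration traffic).
TEST_LOG = """\
1700000100 10.0.0.5 shop.example.com A
1700000101 10.0.0.9 www.example.com A
1700000102 10.0.0.11 4a7f91c0e3b2d8f6a1c5e9b7d3f2a8c4.x9q2.example-tunnel.net TXT
1700000103 10.0.0.11 9e1b3d5f7a2c4e6b8d0f1a3c5e7b9d2f.x9q2.example-tunnel.net TXT
1700000104 10.0.0.11 c3d5e7f9a1b3c5d7e9f1a3b5c7d9e1f3.x9q2.example-tunnel.net TXT
1700000105 10.0.0.11 0b2d4f6a8c1e3f5a7c9e2b4d6f8a1c3e.x9q2.example-tunnel.net TXT
1700000106 10.0.0.11 5f7a9c1e3b5d7f9a2c4e6b8d1f3a5c7e.x9q2.example-tunnel.net TXT
"""


def parse_log(text):
    """Preprocessing: split fields, normalise names, drop malformed records instead of crashing."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, client, qname, qtype = parts
        queries.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return queries


def shannon_entropy(s):
    """Bits per character: encoded payload labels score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def features(q):
    labels = q["qname"].split(".")
    return {"qname_len": float(len(q["qname"])),
            "label_count": float(len(labels)),
            "first_label_entropy": shannon_entropy(labels[0])}


def _mean_std(values):
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, max(math.sqrt(var), STD_FLOOR)


def build_profile(queries):
    """Normal activity profile: per-feature (mean, std) over known-good traffic."""
    rows = [features(q) for q in queries]
    return {name: _mean_std([r[name] for r in rows]) for name in rows[0]}


def score_query(q, profile):
    """Largest absolute z-score across features, plus the feature that produced it."""
    worst, worst_z = None, 0.0
    for name, value in features(q).items():
        mean, std = profile[name]
        z = abs(value - mean) / std
        if z > worst_z:
            worst, worst_z = name, z
    return worst, worst_z


def detect_queries(queries, profile, threshold=Z_THRESHOLD):
    """(qname, feature, z) for every query that deviates from the profile."""
    hits = []
    for q in queries:
        name, z = score_query(q, profile)
        if z > threshold:
            hits.append((q["qname"], name, round(z, 1)))
    return hits


def detect_clients(window, baseline, threshold=Z_THRESHOLD):
    """Clients whose query count in the window is far above the baseline per-client count.
    One-sided on purpose: a quiet client is not a flood indicator."""
    mean, std = _mean_std(list(Counter(q["client"] for q in baseline).values()))
    counts = Counter(q["client"] for q in window)
    return [(c, n) for c, n in sorted(counts.items()) if (n - mean) / std > threshold]


if __name__ == "__main__":
    training, test = parse_log(TRAINING_LOG), parse_log(TEST_LOG)
    profile = build_profile(training)
    for hit in detect_queries(test, profile):
        print("anomalous query:", hit)
    for client, n in detect_clients(test, training):
        print("noisy client:", client, "queries:", n)
```

On the constructed data the five TXT queries are flagged on name length (z well above 30 against a baseline of ordinary hostnames), while the two benign lookups stay under the threshold, and the bursting client is reported by the rate check. The floor on the standard deviation is the one tuning knob worth attention in practice: without it, a feature that never varies in the training window (here, label count) would make any new value look infinitely anomalous.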