DNS Autonomic Protection System (DNSAPS)
Overview
Nowadays the Internet is almost unusable without the Domain Name System (DNS), which is consulted whenever one browses a website, sends an email or connects to a remote PC. Users implicitly trust DNS and assume it is a secure protocol, but it is not as secure as they think. Most DNS implementations in use today are based on RFC 1034 and RFC 1035, written in 1987, when performance rather than security was the main design concern. Consequently the protocol offers little protection against attackers who misuse weaknesses in DNS itself or in the underlying network protocols.

The importance of DNS security has led researchers to redesign the protocol with security in mind, resulting in DNSSEC. But because DNS is a distributed system, the deployment cost of any change to the protocol is very high, and DNSSEC itself can be targeted by new attacks.

We propose an alternative approach based on autonomic computing: continuously monitoring and analyzing the behavior of the DNS protocol to detect anomalous behavior that might be triggered by DNS attacks. In this project we are designing a DNS anomaly detection system that uses behavior analysis of the DNS protocol to build a model of normal protocol activity. Since most attacks do not follow the normal behavior of the protocol, any deviation from this model can be flagged as a potential threat. During the training phase, a pattern generator produces n-grams of protocol transitions from a wide range of normal DNS traffic observed during a window of interval T, and records how frequently each n-gram occurs in normal usage. During the testing phase, the Behavior Analysis module extracts the protocol transition sequences of the observed traffic and matches them against this normal behavior profile.
When an attack exploits vulnerabilities in the DNS protocol, it typically generates illegal or abnormal transitions that do not match the normal profile, and these can be detected by the DNS behavior analysis module.
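The training/testing scheme above, as an added example that is not DNSAPS code: each DNS message is reduced to a transition token (queries to their QTYPE, responses to their RCODE, an assumed scheme), a trace is cut into windows of T seconds, and the profile records the frequency of every n-gram of tokens seen in normal windows. In the testing phase a window is scored by the fraction of its n-grams that were never (or too rarely) seen in training. The traffic, the two attack shapes, T = 10 s, n = 3 and the 0.3 threshold are all constructed assumptions for illustration.

```python
"""Added example: an n-gram behaviour profile over DNS transition sequences.
The token scheme, traffic, window length T and threshold are constructed
assumptions for illustration; this is not DNSAPS code."""
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, protocol token)


def tokenize(direction: str, qtype: str = "", rcode: str = "") -> str:
    """Reduce one DNS message to a transition token (assumed scheme):
    queries -> 'Q:<QTYPE>', responses -> 'R:<RCODE>'."""
    return f"Q:{qtype}" if direction == "Q" else f"R:{rcode}"


def windows(events: Sequence[Event], T: float) -> List[List[str]]:
    """Cut a timestamped trace into consecutive windows of T seconds and
    return the token sequence of each window."""
    if not events:
        return []
    start, out, cur = events[0][0], [], []
    for ts, tok in events:
        while ts >= start + T:  # close windows until ts falls inside one
            out.append(cur)
            cur, start = [], start + T
        cur.append(tok)
    out.append(cur)
    return out


def ngrams(tokens: Sequence[str], n: int) -> Iterable[Tuple[str, ...]]:
    return (tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))


class BehaviorProfile:
    """Frequency table of n-gram protocol transitions seen in normal traffic."""

    def __init__(self, n: int = 3):
        self.n, self.counts, self.total = n, Counter(), 0

    def train(self, tokens: Sequence[str]) -> None:
        for g in ngrams(tokens, self.n):
            self.counts[g] += 1
            self.total += 1

    def frequency(self, g: Tuple[str, ...]) -> float:
        return self.counts[g] / self.total if self.total else 0.0

    def score(self, tokens: Sequence[str], min_freq: float = 0.0) -> float:
        """Fraction of the window's n-grams with training frequency <= min_freq
        (with the default 0.0: n-grams never seen in normal traffic)."""
        grams = list(ngrams(tokens, self.n))
        if not grams:
            return 0.0
        rare = sum(1 for g in grams if self.frequency(g) <= min_freq)
        return rare / len(grams)

    def is_anomalous(self, tokens: Sequence[str], threshold: float = 0.3) -> bool:
        return self.score(tokens) > threshold


# ---- constructed traffic (not captured data) -------------------------------
def _session(t0: float, pairs: Sequence[Tuple[str, str]]) -> List[Event]:
    """One client's query/response exchange starting at t0."""
    ev, t = [], t0
    for qtype, rcode in pairs:
        ev.append((t, tokenize("Q", qtype=qtype)))
        ev.append((t + 0.01, tokenize("R", rcode=rcode)))
        t += 0.06
    return ev

NORMAL_PATTERNS = [  # web lookups, mail lookups, and the occasional typo
    [("A", "NOERROR"), ("AAAA", "NOERROR")],
    [("MX", "NOERROR"), ("A", "NOERROR")],
    [("A", "NXDOMAIN"), ("A", "NOERROR")],
]

def normal_trace(seconds: float) -> List[Event]:
    """One session per second, cycling through NORMAL_PATTERNS."""
    ev: List[Event] = []
    for i in range(int(seconds)):
        ev += _session(float(i), NORMAL_PATTERNS[i % len(NORMAL_PATTERNS)])
    return ev

def poisoning_trace(t0: float, count: int) -> List[Event]:
    """Attack shape: a burst of responses with no matching queries,
    as in a blind response-spoofing attempt (an illegal transition)."""
    return [(t0 + k * 0.001, tokenize("R", rcode="NOERROR")) for k in range(count)]

def nxdomain_flood(t0: float, count: int) -> List[Event]:
    """Attack shape: back-to-back failing queries (random-subdomain flood),
    i.e. a legal transition repeated far more often than normal."""
    return _session(t0, [("A", "NXDOMAIN")] * count)


def build_profile(T: float = 10.0, n: int = 3) -> BehaviorProfile:
    """Training phase: learn n-gram frequencies from 10 minutes of normal traffic."""
    prof = BehaviorProfile(n)
    for win in windows(normal_trace(600), T):
        prof.train(win)
    return prof

def scan(profile: BehaviorProfile, events: Sequence[Event], T: float) -> List[float]:
    """Testing phase: one anomaly score per window of T seconds."""
    return [round(profile.score(w), 3) for w in windows(events, T)]


if __name__ == "__main__":
    prof = build_profile()
    print(scan(prof, normal_trace(30), 10.0))                              # [0.0, 0.0, 0.0]
    print(scan(prof, normal_trace(20) + poisoning_trace(20.0, 50), 10.0))  # [0.0, 0.0, 1.0]
    print(scan(prof, nxdomain_flood(0.0, 20), 10.0))                       # [0.5]
```

The unsolicited-response burst scores 1.0 because the trigram (R, R, R) never occurs in normal traffic, while the NXDOMAIN flood scores 0.5: the query-then-NXDOMAIN transition is legal and was seen in training, but NXDOMAIN immediately followed by another failing query was not. Raising min_freq above zero makes the detector also flag transitions that are legal but rare, at the cost of more false positives; in either case the profile is only as good as the training traffic, so the training window must be free of attack traffic.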