Anomaly detection based on machine learning techniques

Date

2019-12-01

Abstract

This report presents an experimental exploration of supervised inductive learning methods for the task of Domain Name Service (DNS) query filtering for anomaly detection. The anomaly types for which I implement a learning monitor represent specific attack vectors, such as distributed denial-of-service (DDoS), remote-to-user (R2U), and probing, that have been increasing in size and sophistication in recent years. A number of anomaly detection measures, such as honeynet-based and Intrusion Detection System (IDS)-based approaches, have been proposed. However, IDS-based solutions that rely on signatures seem to be ineffective, because the attackers behind recent anomalies are equipped with sophisticated code-update and evasion techniques. By contrast, anomaly detection methods do not require pre-built signatures and are therefore able to detect new or unknown anomalies. Towards this end, this project implements and applies an anomaly detection model learned from DNS query data and evaluates the effectiveness of an implementation of this model using popular machine learning techniques. Experimental results show how existing inductive learning algorithms such as k-NN (k-nearest neighbour), decision trees and Naive Bayes can be used effectively in anomaly detection.

Keywords

Anomaly

Graduation Month

December

Degree

Master of Science

Department

Department of Computer Science

Major Professor

William H. Hsu

Date

2019

Type

Report
