{"title":"Real time DNS traffic profiling enhanced detection design for national level network","authors":"Muhammad Salahuddien Manggalanny, K. Ramli","doi":"10.1109/ISITIA.2017.8124046","DOIUrl":null,"url":null,"abstract":"A recent study shows, an investigation of Advanced Persistent Threat (APT) activity can be done effectively through malicious DNS traffic analysis. But, most of the experiments are conducted in a limited, simulated environment e.g. small campus network. Since APT is very dynamic and to address traffic grows, a light weight computation architecture is then needed to profile suspected activity in near real time. In this study, we proposed an enhanced design to detect malicious DNS traffic for high speed, large scale, national level, near real time network. This experiment combines available open source solution tools in order to gain real time, better accuracy of anomaly recognition and faster detection.","PeriodicalId":308504,"journal":{"name":"2017 International Seminar on Intelligent Technology and Its Applications (ISITIA)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Seminar on Intelligent Technology and Its Applications (ISITIA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISITIA.2017.8124046","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 3
Abstract
A recent study shows that Advanced Persistent Threat (APT) activity can be investigated effectively through analysis of malicious DNS traffic. However, most such experiments have been conducted in limited, simulated environments, e.g. a small campus network. Because APT activity is highly dynamic and traffic volumes keep growing, a lightweight computation architecture is needed to profile suspected activity in near real time. In this study, we propose an enhanced design to detect malicious DNS traffic on a high-speed, large-scale, national-level network in near real time. The experiment combines available open source tools in order to achieve real-time operation, better accuracy of anomaly recognition and faster detection.