TY - JOUR
T1 - A distributed intrusion detection model for the domain name system
AU - Chen, Chang-Sheng
AU - Tseng, Shian Shyong
AU - Liu, Chien-Liang
PY - 2002/11
Y1 - 2002/11
N2 - We have investigated the problem of detecting DoS-like DNS anomalies in the DNS system. In this paper, we propose a distributed two-phase DNS anomaly detection model for solving the problem. Three sets of algorithms corresponding to different configurations are proposed, including one sequential algorithm and two distributed algorithms, each with an increasing level of parallelism. The complexity of these algorithms has been found to be O(n log n). The distributed algorithms show at least a constant (1-1/Ck), Ck > 1, improvement over the sequential one. To evaluate the performance, we have implemented the algorithms and applied them to a number of examples. The experimental result shows a speedup of about 1.68 on the test example when running on an enhanced distributed architecture with C-IDS over the sequential one. A higher speedup might be common because DNS anomalies make the traffic distribution more concentrated on the outliers, and the computation will usually converge much more quickly.
AB - We have investigated the problem of detecting DoS-like DNS anomalies in the DNS system. In this paper, we propose a distributed two-phase DNS anomaly detection model for solving the problem. Three sets of algorithms corresponding to different configurations are proposed, including one sequential algorithm and two distributed algorithms, each with an increasing level of parallelism. The complexity of these algorithms has been found to be O(n log n). The distributed algorithms show at least a constant (1-1/Ck), Ck > 1, improvement over the sequential one. To evaluate the performance, we have implemented the algorithms and applied them to a number of examples. The experimental result shows a speedup of about 1.68 on the test example when running on an enhanced distributed architecture with C-IDS over the sequential one. A higher speedup might be common because DNS anomalies make the traffic distribution more concentrated on the outliers, and the computation will usually converge much more quickly.
KW - DNS
KW - Distributed two-phase DNS anomaly detection
KW - DoS
KW - IDS
KW - Two-phase anomaly detection algorithms
UR - http://www.scopus.com/inward/record.url?scp=0036852907&partnerID=8YFLogxK
U2 - 10.6688/JISE.2002.18.6.2
DO - 10.6688/JISE.2002.18.6.2
M3 - Article
AN - SCOPUS:0036852907
SN - 1016-2364
VL - 18
SP - 999
EP - 1009
JO - Journal of Information Science and Engineering
JF - Journal of Information Science and Engineering
IS - 6
ER -