基于日志信息的DNS查询异常检测算法

针对域名系统（DNS）中存在异常查询的问题，提出了一种基于日志信息的DNS查询异常检测算法，以检测异常的互联网协议地址（IP）.通过分析DNS正常与异常请求行为的区别，提取了DNS日志中多个维度的信息来表征源IP；其次，利用降维处理将数据映射到三维空间，以便直观地可视化呈现和快速地进行数据分析；最后，利用聚类分析和计算各源IP的可信度，检测出异常的源IP.实验结果表明，所提算法不但能直观观察到多维数据集中的关联特性，而且能从全局和局部2个层面识别网络中异常的源IP.

A DNS Query Anomaly Detection Algorithm Based on Log Information

Point at the anomaly queries existing in domain name system (DNS), an anomaly detection algorithm based on DNS query logs is proposed to detect suspicious and abnormal internet protocol addresses (IP). First, multiple dimensions of information in the DNS logs are extracted to characterize the source IPs after analyzing the difference between normal DNS query behaviors and the abnormal ones. Secondly, the datasets are mapped to a three-dimensional space through dimensionality reduction, which is beneficial for intuitive visualization and rapid data analysis. Finally, clustering the source IPs and calculating the credibility of them to identify the abnormal ones. The experiment results show that this algorithm can not only observe the correlation characteristics of multi-dimensional datasets directly, but also identify the abnormal source IPs in the global and local aspects.