GAT-DNS: DNS Multivariate Time Series Prediction Model Based on Graph Attention Network / Lu, X.; Zhang, X.; Lio, P. - (2023), pp. 127-131. (Paper presented at the 2023 World Wide Web Conference, WWW 2023, held in Austin, USA) [10.1145/3543873.3587329].
GAT-DNS: DNS Multivariate Time Series Prediction Model Based on Graph Attention Network
Lio P.
2023
Abstract
As one of the most basic services of the Internet, DNS has suffered a lot of attacks. Existing attack detection methods rely on the learning of malicious samples, so it is difficult to detect new attacks and long-period attacks. This paper transforms the DNS data flow into time series, and proposes a DNS anomaly detection method based on graph attention network and graph embedding (GAT-DNS). GAT-DNS establishes a multivariate time series model to depict the DNS service status. When the actual flow of a feature exceeds the predicted range, it is considered that abnormal DNS behavior is found. In this paper, vertex dependency is proposed to describe the dependency between features. The features with high vertex dependency values are deleted to achieve model compression. This improves the system efficiency. Experiments on open data sets show that compared with the latest AD-Bop and QLAD methods, GAT-DNS method not only improves the precision, recall and F1 value, but also improves the time efficiency of the model.

File | Size | Format | |
---|---|---|---|
Lu_GAT-DNS_2023.pdf (archive managers only). Type: Publisher's version (published version with the publisher's layout). License: All rights reserved | 1.19 MB | Adobe PDF | Contact the author |
lu_preprint_GAT-DNS_2023.pdf (open access). Note: https://doi.org/10.1145/3543873.3587329. Type: Pre-print document (manuscript submitted to the publisher, prior to peer review). License: Creative Commons | 879.82 kB | Adobe PDF | |