
Anomaly Detection on Devices DNS Queries Using Deep Learning

Presentation
This talk describes a lightweight DNS anomaly detection system that employs a deep learning method on DNS traffic to characterize network devices.
Publisher

Software Engineering Institute

Abstract

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

The number of cyber security attacks grows over time with the size of networks, and as the market share of IoT devices grows we expect attacks on these vulnerable devices to increase as well.

Passive monitoring of IoT devices in the network is essential, as most of these devices lack the hardware capacity to run advanced endpoint security software. IoT devices generally have well-defined behavior, which makes anomaly detection an appropriate method for detecting emerging threats to a network.

We describe a lightweight DNS anomaly detection system that applies deep learning methods generally used in natural language processing, specifically word2vec and doc2vec, to DNS traffic in order to characterize the network devices.

Word2vec is one of the most common techniques for learning word embeddings. A word embedding is a vectorized representation of text: a neural network model learns associations between words in a corpus. In word2vec, we define a proxy task of filling in missing words in sentences and, as a side effect, obtain an embedding vector for each word. The similarity between two words is reflected by the similarity between their vectors, and the vectors capture different characteristics of the words relative to the overall text. To apply word2vec in our context, we collect DNS traffic and treat all the DNS queries of an end host in a 20-minute time window as a sentence, with domains treated as words; a document is a collection of such sentences. The doc2vec model is then used to create a vector representation of a group of words taken collectively as a single unit.

In the DNS context, we treat all the DNS queries of an end host in a day as a document and form a vector to represent each of those documents. From here we can use different approaches to identify anomalies. 1) Apply an anomaly detection method such as Isolation Forest to the vectors of an end host's activity on different dates, to find the dates on which that host's behavior vector differs from the others. 2) Use doc2vec over all the DNS activity of devices of the same type to form a vector that generalizes the common patterns of that type, then take the similarity between the behavior vector of each individual device and the generic behavior of its type, and flag the devices with large deviations. 3) Combine approaches 1 and 2, comparing a host's behavior vector both with its own past and with the activity of devices of the same type. Any large deviation from this normal behavior indicates an anomaly. However, not all deviations are indicators of threats, so we have devised a ranking algorithm that orders anomalous devices by their potential threat risk to the network.
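The corpus construction from the two paragraphs above (20-minute windows as sentences, one day of queries per host as a document) followed by the two comparisons of approach 3 (a host against its own past, and against devices of the same type), as an added example that is not code from the presentation. It runs on the standard library only, so the embedding is a unit-length term-frequency vector standing in for the doc2vec vector, and the per-date Isolation Forest of approach 1 is replaced by a cosine comparison with the mean of the host's earlier days. The log format, device names, domains, and the max-of-deviations ranking rule are assumptions constructed for the example; the talk's own ranking algorithm is not described on this page.

```python
"""Shape DNS query logs into sentences and documents, embed each
(device, day) document, and rank documents by deviation from
(a) the device's own history and (b) devices of the same type."""
from collections import defaultdict
from datetime import datetime
import math

WINDOW_MINUTES = 20  # a sentence = all queries of one host in a 20-minute window

# Constructed sample log (not real traffic): "<ISO timestamp> <device> <type> <domain>".
# Three cameras behave alike on day 1; on day 2 cam3 starts resolving unfamiliar names.
SAMPLE_LOG = """\
2023-01-10T08:01:00 cam1 camera ntp.vendor.example
2023-01-10T08:05:00 cam1 camera firmware.vendor.example
2023-01-10T08:30:00 cam1 camera cloud.vendor.example
2023-01-10T09:00:00 cam1 camera ntp.vendor.example
2023-01-10T08:01:00 cam2 camera ntp.vendor.example
2023-01-10T08:05:00 cam2 camera firmware.vendor.example
2023-01-10T08:30:00 cam2 camera cloud.vendor.example
2023-01-10T09:00:00 cam2 camera ntp.vendor.example
2023-01-10T08:01:00 cam3 camera ntp.vendor.example
2023-01-10T08:05:00 cam3 camera firmware.vendor.example
2023-01-10T08:30:00 cam3 camera cloud.vendor.example
2023-01-10T09:00:00 cam3 camera ntp.vendor.example
2023-01-11T08:01:00 cam1 camera ntp.vendor.example
2023-01-11T08:05:00 cam1 camera firmware.vendor.example
2023-01-11T08:30:00 cam1 camera cloud.vendor.example
2023-01-11T09:00:00 cam1 camera ntp.vendor.example
2023-01-11T08:01:00 cam2 camera ntp.vendor.example
2023-01-11T08:05:00 cam2 camera firmware.vendor.example
2023-01-11T08:30:00 cam2 camera cloud.vendor.example
2023-01-11T09:00:00 cam2 camera ntp.vendor.example
2023-01-11T08:01:00 cam3 camera ntp.vendor.example
2023-01-11T08:05:00 cam3 camera x7k2q9.dyn-host.example
2023-01-11T08:30:00 cam3 camera mirror.pastehost.example
2023-01-11T09:00:00 cam3 camera relay.anon-proxy.example
"""


def parse_log(text):
    """Yield (timestamp, device, device_type, domain); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, device, dtype, domain = parts
        yield datetime.fromisoformat(ts), device, dtype, domain.lower().rstrip(".")


def build_sentences(records):
    """{(device, date): [sentence, ...]}; a sentence is the list of domains one
    device queried inside one 20-minute window, sentences kept in time order."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, device, _dtype, domain in records:
        window = (ts.hour * 60 + ts.minute) // WINDOW_MINUTES
        buckets[(device, ts.date().isoformat())][window].append(domain)
    return {key: [wins[w] for w in sorted(wins)] for key, wins in buckets.items()}


def build_documents(sentences):
    """A document is every query of one host in one day: its sentences concatenated."""
    return {key: [d for s in sents for d in s] for key, sents in sentences.items()}


def embed_document(doc):
    """Unit-length term-frequency vector; a stand-in for the doc2vec embedding."""
    counts = defaultdict(int)
    for d in doc:
        counts[d] += 1
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {d: c / norm for d, c in counts.items()}


def cosine(a, b):
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def mean_vector(vectors):
    acc = defaultdict(float)
    for v in vectors:
        for k, x in v.items():
            acc[k] += x
    n = len(vectors) or 1
    return {k: x / n for k, x in acc.items()}


def rank_anomalies(text):
    """Return (score, device, date, self_deviation, type_deviation), highest score first."""
    records = list(parse_log(text))
    device_type = {dev: dt for _, dev, dt, _ in records}
    vecs = {k: embed_document(doc) for k, doc in build_documents(build_sentences(records)).items()}
    scored = []
    for (device, date), v in vecs.items():
        # (b) generic behavior of the device's type, excluding the document under test
        peers = [u for (d, dt), u in vecs.items()
                 if device_type[d] == device_type[device] and (d, dt) != (device, date)]
        dev_type = 1.0 - cosine(v, mean_vector(peers)) if peers else 0.0
        # (a) the device's own earlier days (ISO dates compare correctly as strings)
        history = [u for (d, dt), u in vecs.items() if d == device and dt < date]
        dev_self = 1.0 - cosine(v, mean_vector(history)) if history else 0.0
        # Ranking rule (an assumption): the larger of the two deviations.
        scored.append((max(dev_self, dev_type), device, date, round(dev_self, 3), round(dev_type, 3)))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for row in rank_anomalies(SAMPLE_LOG):
        print(row)
```

On the constructed log, cam3 on 2023-01-11 ranks first with a deviation near 0.59 from both its own history and the camera baseline, while every other (device, day) document scores below 0.1. With real traffic the term-frequency vector is only a first approximation: it treats two domains as unrelated unless they match exactly, whereas the word2vec/doc2vec embeddings the talk uses place domains that co-occur in the same windows close together, which is what lets the type baseline tolerate benign variation such as a CDN rotating hostnames.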

In short, the system measures the normal behavior of each device by two similarity scores: the similarity of its activity to that of devices of the same type, and the similarity of its activity to its own past activity. Any large deviation from this normal behavior is reported as an anomaly.

Part of a Collection

FloCon 2023 Assets

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.