Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method to detect particular Domain Name System (DNS) misuse, the method comprising: obtaining monitored network data, the monitored network data including respective instances of request traffic, the request traffic being associated with DNS requests that request resolution of a name that belongs to at least one identified domain, each DNS request being sent from a source address of one or more stub resolvers, each instance of request traffic including the source address, the name for which DNS resolution is requested, and the at least one identified domain associated with a corresponding DNS request; tracking over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the respective instances of request traffic, wherein the first cardinality includes a number of unique names of the names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting; tracking over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the respective instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting; detecting a combination of a first condition of the approximation of the first cardinality and a second condition of the approximation of the second cardinality, wherein the combination of the first and second conditions indicates an occurrence of a specific DNS misuse; and performing an action to at least one of output a notification of and correct a condition associated with enabling traffic filtering of requests to at least one DNS resolver based on the detected occurrence of the specific DNS misuse.
2. The method of claim 1, wherein the probabilistic algorithm comprises a HyperLogLog algorithm.
3. The method of claim 1, wherein the probabilistic algorithm uses a substantially smaller amount of memory to track the approximation of the first and second cardinalities relative to methods that count exact amounts of unique queried names.
4. The method of claim 1, wherein the first condition of the approximation of the first cardinality is a rapid increase in the approximation of the first cardinality, and the second condition of the approximation of the second cardinality is a high level relative to a previous level or a predetermined threshold in the approximation of the second cardinality, and the specific DNS misuse indicated is a pseudo-random subdomain attack.
5. The method of claim 1, wherein the first condition of the approximation of the first cardinality is a high level relative to a previous level or a predetermined threshold in the approximation of the first cardinality, and the second condition of the approximation of the second cardinality is a low level with little or no deviation from a baseline, recent, or threshold approximation of the second cardinality, and the specific DNS misuse detected is at least one of DNS data exfiltration and DNS tunneling.
6. The method of claim 1, wherein the selected domain is a top-level domain.
7. The method of claim 1, wherein the selected domain is a second- or lower-level domain.
8. The method of claim 1, wherein the respective instances of request traffic include network traffic associated with DNS requests sent from the at least one stub resolver to at least one recursive DNS resolver, and/or recursive requests sent from the at least one recursive DNS resolver to at least one authoritative server.
9. The method of claim 1, wherein the corrective action includes enabling traffic filtering of requests to the DNS resolver.
10. A DNS misuse detector system to detect particular Domain Name System (DNS) misuse, the DNS misuse detector system comprising: a memory configured to store instructions; a processor disposed in communication with the memory, wherein the processor upon execution of the instructions is configured to: obtain monitored network data, the monitored network data including respective instances of request traffic, the request traffic being associated with DNS requests that request resolution of a name that belongs to at least one identified domain, each DNS request being sent from a source address of one or more stub resolvers, each instance of request traffic including the source address, the name for which DNS resolution is requested, and the at least one identified domain associated with a corresponding DNS request; track over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the respective instances of request traffic, wherein the first cardinality includes a number of unique names of the names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting; track over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the respective instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting; detect a combination of a first condition of the approximation of the first cardinality and a second condition of the approximation of the second cardinality, wherein the combination of the first and second conditions indicates an occurrence of a specific DNS misuse; and perform an action to at least one of output a notification of and correct a condition associated with enabling traffic filtering of requests to at least one DNS resolver based on the detected occurrence of the specific DNS misuse.
11. The DNS misuse detector system of claim 10, wherein the probabilistic algorithm comprises a HyperLogLog algorithm.
12. The DNS misuse detector system of claim 10, wherein the first condition of the approximation of the first cardinality is a rapid increase in the approximation of the first cardinality, and the second condition of the approximation of the second cardinality is a high level relative to a previous level or a predetermined threshold in the approximation of the second cardinality, and the specific DNS misuse indicated is a pseudo-random subdomain attack.
13. The DNS misuse detector system of claim 10, wherein the first condition of the approximation of the first cardinality is a high level relative to a previous level or a predetermined threshold in the approximation of the first cardinality, and the second condition of the approximation of the second cardinality is a low level with little or no deviation from a baseline, recent, or threshold approximation of the second cardinality, and the specific DNS misuse detected is at least one of DNS data exfiltration and DNS tunneling.
14. The DNS misuse detector system of claim 10, wherein the selected domain is a top-level domain.
15. The DNS misuse detector system of claim 10, wherein the selected domain is a second- or lower-level domain.
16. The DNS misuse detector system of claim 10, wherein the respective instances of request traffic include network traffic associated with DNS requests sent from the at least one stub resolver to at least one recursive DNS resolver, and/or recursive requests sent from the at least one recursive DNS resolver to at least one authoritative server.
17. The DNS misuse detector system of claim 10, wherein the corrective action includes enabling traffic filtering of requests to the DNS resolver.
18. A non-transitory computer readable storage medium and one or more computer programs stored therein, the one or more computer programs comprising instructions, which when executed by a computer system, cause the computer system to: obtain monitored network data, the monitored network data including respective instances of request traffic, the request traffic being associated with DNS requests that request resolution of a name that belongs to at least one identified domain, each DNS request being sent from a source address of one or more stub resolvers, each instance of request traffic including the source address, the name for which DNS resolution is requested, and the at least one identified domain associated with a corresponding DNS request; track over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the respective instances of request traffic, wherein the first cardinality includes a number of unique names of the names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting; track over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the respective instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting; detect a combination of a first condition of the approximation of the first cardinality and a second condition of the approximation of the second cardinality, wherein the combination of the first and second conditions indicates an occurrence of a specific DNS misuse; and perform an action to at least one of output a notification of and correct a condition associated with enabling traffic filtering of requests to at least one DNS resolver based on the detected occurrence of the specific DNS misuse.
19. The non-transitory computer readable storage medium of claim 18, wherein the probabilistic algorithm comprises a HyperLogLog algorithm.
20. The non-transitory computer readable storage medium of claim 18, wherein the respective instances of request traffic include network traffic associated with DNS requests sent from the at least one stub resolver to the at least one recursive DNS resolver, and/or recursive requests sent from the at least one recursive DNS resolver to at least one authoritative server.
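An added worked example, not code from the patent or its assignee, of the scheme claims 1, 2, 4 and 5 describe: one HyperLogLog sketch per selected domain for unique queried names and one for unique source addresses, with each interval's estimates compared against the previous interval's to separate a pseudo-random subdomain burst (many names, many sources) from tunneling or exfiltration (many names, one or a few stable sources). The register size, the thresholds, the rule that the selected domain is the last two labels, and the sample traffic are all assumptions for illustration.

```python
import hashlib, math
from collections import defaultdict

class HyperLogLog:
    """2**p one-byte registers stand in for a set of distinct keys (the claim 3 memory saving)."""
    def __init__(self, p=12):
        self.p, self.m, self.reg = p, 1 << p, [0] * (1 << p)
    def add(self, item):
        h = int.from_bytes(hashlib.sha1(item.encode()).digest()[:8], "big")
        idx, rest = h >> (64 - self.p), h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - rest.bit_length() + 1   # leading zeros of the rest, plus one
        self.reg[idx] = max(self.reg[idx], rank)
    def count(self):
        est = 0.7213 / (1 + 1.079 / self.m) * self.m ** 2 / sum(2.0 ** -r for r in self.reg)
        zeros = self.reg.count(0)
        if est <= 2.5 * self.m and zeros:              # small-range (linear counting) correction
            est = self.m * math.log(self.m / zeros)
        return int(round(est))

class DnsMisuseDetector:
    """Per-interval unique-name and unique-source estimates per selected domain; thresholds are assumptions."""
    def __init__(self, spike=10.0, many_sources=50, few_sources=5, many_names=500):
        self.t = (spike, many_sources, few_sources, many_names)
        self.prev, self.names, self.srcs = {}, defaultdict(HyperLogLog), defaultdict(HyperLogLog)
    def observe(self, src_addr, qname):
        dom = ".".join(qname.lower().rstrip(".").split(".")[-2:])  # assumption: selected domain = last two labels
        self.names[dom].add(qname); self.srcs[dom].add(src_addr)
    def close_interval(self):
        spike, many_src, few_src, many_names = self.t
        verdicts = {}                                  # only domains matching a pattern are reported
        for dom in list(self.names):
            n, s = self.names[dom].count(), self.srcs[dom].count()
            pn, ps = self.prev.get(dom, (0, 0))        # previous interval's estimates (0 if first seen)
            if n >= spike * max(pn, 1) and s >= many_src:                     # claim 4: name spike + many sources
                verdicts[dom] = "pseudo-random subdomain attack"
            elif n >= many_names and s <= few_src and abs(s - ps) <= few_src:  # claim 5: many names, few stable sources
                verdicts[dom] = "dns tunneling / exfiltration"
            self.prev[dom] = (n, s)
        self.names.clear(); self.srcs.clear()
        return verdicts

def demo():
    det = DnsMisuseDetector()                          # constructed traffic: quiet baseline, then both patterns
    for i in range(20): det.observe(f"10.0.0.{i}", "www.victim.example")          # few names, several clients
    for i in range(800): det.observe("10.1.1.1", f"{i:08x}.tunnel.example")      # steady stream, one client
    det.close_interval()
    for i in range(5000):                                                        # burst of random labels, 200 clients
        det.observe(f"203.0.113.{i % 200}", hashlib.md5(str(i).encode()).hexdigest()[:10] + ".victim.example")
    for i in range(800, 1600): det.observe("10.1.1.1", f"{i:08x}.tunnel.example")  # same single client, still many names
    return det.close_interval()
```

With p=12 each sketch is 4096 bytes regardless of how many names or addresses it has seen, which is what makes per-domain tracking at resolver scale affordable.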
April 8, 2025