A distributed intrusion detection model for the domain name system

We have investigated the problem of detecting DoS-like DNS anomalies in DNS system. In this paper, we propose a distributed Two-phase DNS anomaly detection model for solving the problem. Three sets of algorithms corresponding to different configurations are proposed, including one sequential algorithm and two distributed algorithms, each with an increasing level of parallelism. The complexity of these algorithms have been found to be O (n l(og)n). The distributed algorithms show at least a constant (1-1/C-k), C-k > 1, improvement over the sequential one. To evaluate the performance, we have implemented the algorithms and applied them to a number of examples. The experimental result shows a speed up of about 1.68 on the test example for running on an enhanced distributed architecture with C-IDS over the sequential one. A higher speedup might be common because DNS anomalies will make the traffic distribution more concentrated on the outliers, and the computation will usually converge much more quickly.