With the development of information technology, the network has become an indispensable resource for society, and at the same time network threats and information security have gradually become a focus of attention. The security of the domain name service (DNS) has become a pressing practical problem. As DNS vulnerabilities have been disclosed, more and more network attacks target the DNS, and among them attacks on the DNS cache are the most serious. Effective prevention technology against DNS cache attacks is urgently needed.

Currently the main method of protecting the DNS cache is passive, for example sending DNS queries from random source ports to reduce the attacker's probability of success. Practice shows that this reduces the effectiveness of an attack, but the effect is limited: as information technology develops, attackers' approaches become more abundant and their procedures more complex, and this method no longer meets network security needs. If protection technology is designed from the statistical characteristics of the network protocol rather than from the features of particular attacks, it can provide much better protection for the DNS cache and better satisfy the needs of the domain name service system.

This paper focuses on detection algorithms for DNS cache attacks. It systematically summarizes the main problems the domain name service faces, the state of research at home and abroad, and the future development trend. It then analyzes the main methods, characteristics and classification of intrusion detection, including anomaly detection based on statistics and on system calls. Finally, it proposes a simple and robust detection mechanism against the widespread and harmful DNS cache poisoning attack.
The core of this mechanism is based on the inherent behaviour of the DNS protocol and applies an instance of a change point detection algorithm to detect attack behaviour. To make the detection mechanism insensitive to the particular attack and low in computational complexity, it builds on the nonparametric Cumulative Sum (CUSUM) algorithm with improvements that take DNS protocol behaviour into account. Simulation results show that the mechanism detects DNS cache poisoning attacks while making a good compromise between the detection rate and the false alarm rate.
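The following is an added example, not the thesis's own implementation, of the nonparametric CUSUM change point detector the abstract describes, run over a constructed stream of per-interval DNS counters. It assumes (the abstract does not specify the statistic) that the monitored quantity is the ratio of responses received to queries sent per time interval, which stays near 1 under normal resolver operation and rises when a poisoning attacker floods spoofed responses at guessed transaction IDs; the drift parameter a, the threshold h and the sample counters are illustrative choices, not values from the paper.

```python
"""Nonparametric CUSUM over per-interval DNS counters (added example).

Assumptions not taken from the abstract: the per-interval statistic is
responses / queries; the drift a and threshold h are chosen here only to
illustrate the detection-delay versus false-alarm trade-off.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class NonparametricCusum:
    """Recursive form y_n = max(0, y_{n-1} + x_n - a); alarm when y_n > h.

    a: drift, set slightly above the normal mean of x so that y stays
       near zero in the absence of an attack.
    h: alarm threshold; a larger h lowers the false alarm rate but
       increases the number of intervals needed to detect an attack.
    """
    a: float
    h: float
    y: float = 0.0
    history: List[float] = field(default_factory=list)

    def update(self, x: float) -> bool:
        """Feed one observation; return True if the statistic crosses h."""
        self.y = max(0.0, self.y + x - self.a)
        self.history.append(self.y)
        return self.y > self.h

    def reset(self) -> None:
        """Restart accumulation, e.g. after an operator has handled an alarm."""
        self.y = 0.0


def response_query_ratio(queries: int, responses: int) -> float:
    """Per-interval statistic: responses seen per query sent.

    A normal resolver receives roughly one response per query. During a
    poisoning flood the attacker's spoofed responses arrive in addition
    to the legitimate ones, so the ratio rises above 1.
    """
    if queries == 0:
        # No queries were sent, so every response is unsolicited.
        return float(responses)
    return responses / queries


def detect(intervals: Sequence[Tuple[int, int]],
           a: float = 1.2, h: float = 5.0) -> Optional[int]:
    """Return the index of the first interval that raises an alarm, or None."""
    det = NonparametricCusum(a=a, h=h)
    for i, (queries, responses) in enumerate(intervals):
        if det.update(response_query_ratio(queries, responses)):
            return i
    return None


# Constructed sample data (not measured traffic): (queries, responses)
# per interval. The first six intervals are normal; in the last four an
# attacker injects roughly two spoofed responses per legitimate query.
NORMAL_INTERVALS = [(100, 98), (120, 121), (95, 96), (110, 108), (100, 103), (130, 129)]
ATTACK_INTERVALS = [(100, 300), (100, 310), (100, 290), (100, 320)]
SAMPLE_STREAM = NORMAL_INTERVALS + ATTACK_INTERVALS


if __name__ == "__main__":
    print("normal only, alarm at:", detect(NORMAL_INTERVALS))   # None
    print("with flood, alarm at:", detect(SAMPLE_STREAM))        # 8
    print("lower threshold h=3, alarm at:", detect(SAMPLE_STREAM, h=3.0))  # 7
```

With a = 1.2 the normal intervals (ratio about 1) never accumulate, so there is no false alarm; during the flood each interval adds about 1.8 to the statistic, so h = 5 fires on the third attack interval (index 8) while h = 3 fires one interval earlier at the cost of a smaller margin against benign bursts such as retransmitted responses. This is the compromise between detection rate and false alarm rate that the abstract refers to.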