Proposal of Anomaly Detection for DNS Attacks Based on Packets Prediction Using LSTM

DNS is an essential protocol of the Internet. However, DNS also tends to be used as the target of attacks, such as DNS Amplification Attack and Open Resolver Scanning due to its protocol. To detect these attacks, we present a novel anomaly detection method for DNS attacks based on the prediction values of DNS using LSTM(Long Short-Term Memory). Through the experiment, we compared the prediction accuracy of the sequential prediction method for short-term prediction and the batch prediction method for long-term prediction. Furthermore, we propose a dynamic threshold method that can be set automatically by using the error derived from training process. As a result, the sequential prediction method can predict with higher accuracy than the batch prediction method. We also show that the attacks can be detected by using the dynamic threshold method with the sequential prediction method.