Detection of Benign and Malicious DNS Traffic in ISP Network Using Machine Learning Algorithms
Main authors: | , |
---|---|
Format: | Book chapter |
Language: | eng |
Online access: | Full text |
Summary: | In this paper we have presented a working model for the detection of genuine and fake Domain Name System (DNS) traffic in internet service provider (ISP) network traffic using data science and machine learning (ML). When any host is accessing the network for DNS query or mail exchange records. Based on the source port, destination port, source address and destination address, we recorded the net-flow traffic from the router port using various port mirroring techniques for a certain time period. A pattern was used with the number of DNS requests and their responses for each record. Two ML patterns, K-nearest neighbors (KNN) and Naive Bayes (NB), were used for classification purposes and then to predict and analyze the behavior in the data. We used the prediction accuracy and training time as metrics of performance to find out which algorithm is more accurate than the other. The data set used in training and testing the algorithms contains several types of malicious as well as genuine ports for classification. |
DOI: | 10.1201/9781003518587-10 |