Anomaly Detection in DNS traffic for Security Monitoring

Speaker: Harm Schotanus


DNS plays a significant role in how end-users connect to the internet. Not only do legitimate applications use it, but nearly all malware makes use of DNS somehow as well, including targeted attacks. Yet it is still a manageable volume of traffic. Hence DNS is a very interesting source for security monitoring, not just for DNS-based attacks.

I will present how to apply anomaly detection on DNS traffic to find threats that DNS firewalls missed. We detect command and control channels including DGA-based domains or subdomains, and simple keep-alives, DNS tunnelling, spambots, fast flux domains, punycode misuse.


Harm Schotanus M.Sc. has over 18 years of experience in the cybersecurity domain, mainly as a senior researcher at TNO. Besides substantive and broad insight into cybersecurity and the cybersecurity market, Harm also has experience in software development. Harm is the lead scientist in a number of research projects within the Shared Research Programme Cybersecurity for the financial sector and within the defence domain. He is now CTO at Sightlabs.

Spring 2019

Vereniging NLUUG
postbus 8189
6710 AD Ede