Table: Risk Factor Categories, with an Example in the DNS Dataset for each

Risk factor category: Machine behaviour, normal
Example in DNS dataset: Normal machine behaviour comprises processes, queries and patterns that are expected elements based on system configuration. In the context of DNS, this is the true resolution of legitimate queries to the corresponding legitimate IP address. This also includes legitimate queries sent by machine services to support user applications.

Risk factor category: Machine behaviour, anomalous or malicious
Example in DNS dataset: Anomalous machine behaviour is when a process, query or pattern error occurs. Machines do not make “mistakes”. In DNS data, this occurs when a packet is lost, or a DNS server is unable to resolve the query. This can be caused by a loss of confidentiality (machine query compromised due to a leaked password), availability (server is down) or integrity (protocol attacks). Malicious machine behaviour includes illegitimate queries sent by malware to command and control servers. This behaviour can indicate that the compromised machine is being utilised as infrastructure to conduct further malicious activity.

Risk factor category: Human behaviour, normal
Example in DNS dataset: Normal human behaviour comprises non-malicious queries to support legitimate internet browsing. In DNS data, this is when legitimate users are using the DNS service as it is designed. The majority of DNS query activity in the dataset was used for website browsing and email transmission.

Risk factor category: Human behaviour, anomalous or malicious
Example in DNS dataset: Anomalous human behaviour is most often caused by human error. An example of this in the DNS dataset is where the query text contains a typographical error that still forms a recognised domain name, so the DNS resolver points to a domain that is inconsistent with the user’s intent. This domain could be high-risk. Malicious human behaviour is where an actor intentionally compromises the DNS service. This occurs initially through protocol and server attacks. Malicious human behaviour is also seen in the command and control of malware to spread infection and commandeer additional infrastructure within the network for malicious use.
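The four categories above can be operationalised as a triage rule set over DNS query logs: a C2 match is malicious, an unanswered or SERVFAIL query is anomalous machine behaviour, and a resolved name that is a near-miss of an allow-listed domain is anomalous human behaviour. The following is an added example and not code from the paper; the record layout, the allow list, the constructed C2 placeholder and the similarity threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass
class DnsRecord:
    from_service: bool  # True if issued by a machine service, False if by an interactive user
    qname: str          # queried domain name
    rcode: str          # resolver response code: NOERROR, NXDOMAIN, SERVFAIL
    answered: bool      # False when no response was seen (lost packet / timeout)

# Assumed reference data for the illustration (not from the paper).
LEGIT_DOMAINS = {"www.example.com", "mail.example.com", "update.example.com"}
KNOWN_C2 = {"c2.constructed-malware.test"}  # constructed placeholder indicator
TYPO_THRESHOLD = 0.9  # similarity above which an unknown name is treated as a near-miss

def nearest_legit(qname):
    """Return the allow-listed domain most similar to qname and the similarity ratio."""
    best = max(LEGIT_DOMAINS, key=lambda d: SequenceMatcher(None, qname, d).ratio())
    return best, SequenceMatcher(None, qname, best).ratio()

def classify(rec):
    """Map one DNS record onto the (actor, behaviour) categories of the table."""
    actor = "machine" if rec.from_service else "human"
    if rec.qname in KNOWN_C2:
        return (actor, "malicious")          # illegitimate query to a C2 server
    if not rec.answered or rec.rcode == "SERVFAIL":
        return ("machine", "anomalous")      # lost packet or resolver could not resolve
    if actor == "human" and rec.qname not in LEGIT_DOMAINS:
        _, score = nearest_legit(rec.qname)
        if score >= TYPO_THRESHOLD:
            return ("human", "anomalous")    # typo that still resolves to a real domain
    return (actor, "normal")

def summarise(records):
    """Count records per category, as a triage dashboard would show them."""
    return Counter(classify(r) for r in records)

# Constructed sample records standing in for lines of a DNS query log.
SAMPLE = [
    DnsRecord(True,  "update.example.com", "NOERROR",  True),
    DnsRecord(True,  "update.example.com", "SERVFAIL", True),
    DnsRecord(True,  "c2.constructed-malware.test", "NOERROR", True),
    DnsRecord(False, "mail.example.com",  "NOERROR",  True),
    DnsRecord(False, "wwww.example.com",  "NOERROR",  True),
    DnsRecord(False, "www.example.com",   "NOERROR",  False),
]

if __name__ == "__main__":
    for (actor, behaviour), n in sorted(summarise(SAMPLE).items()):
        print(f"{actor:8s} {behaviour:10s} {n}")
```

Malicious human behaviour (protocol and server attacks) is not visible in per-query fields like these and would need resolver-side or network telemetry instead.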