Application of a precedent analysis paradigm for the purposes of multibase cloud monitoring of DNS traffic
Abstract
Relevance. The increasing complexity of DNS infrastructure and the growing level of threats in the network environment necessitate the development of intelligent DNS traffic monitoring tools capable of providing transparent, adaptive, and well-grounded detection of behavioral anomalies. Particular relevance is associated with the implementation of approaches that enhance the traceability of decision-making logic in artificial intelligence (AI) systems.
Purpose. The purpose of this study is to experimentally investigate a prototype software tool for monitoring the current state of DNS traffic with extensive implementation of AI capabilities, the logic of which is based on the concept of case-based reasoning (CBR) for behavioral DNS traffic anomaly analysis.
Research Methods. The study employs simulation modeling, multi-base measurement of DNS query processing time using a system of distributed cloud-based sensor-testers, and case-based reasoning algorithms for intelligent post-processing of the data. The prototype was implemented as a Python client integrated with the Gemini API, operating on a dataset formed from the results of previous studies [1–2]. During operation, the system autonomously modifies the anomaly registry by adding new cases derived from the results of analytical processing.
Results. The obtained results demonstrate that the proposed DNS traffic monitoring approach ensures both the detection of previously known anomalies and the localization of previously unidentified irregularities. The feasibility of applying the case-based approach to improve the efficiency of adjusting the parameters of the active Response Policy Zone (RPZ) [3] and to enhance the situational awareness of personnel regarding DNS traffic security has been confirmed. At the same time, the experiments revealed a so-called “clustering” effect that may lead to false positive event assessments and, consequently, to contradictory interpretations of the observed network events.
Conclusions. The revision of existing constraints and analytical tasks for AI modules, followed by further modeling, confirmed that the introduced modifications significantly reduced the identified “clustering” effect and improved the reliability of anomaly interpretation based on a defined system of indirect (implicit) indicators. The obtained results confirm the feasibility of further developing the case-based reasoning approach in intelligent DNS traffic monitoring systems.
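The abstract describes a case-based reasoning (CBR) cycle over multi-base DNS latency measurements: an observation is matched against a registry of known cases, a known case's interpretation is reused when the match is close, and unmatched observations are retained as new cases for later analyst review. The following is an added illustration of that cycle in plain Python; it is not the authors' prototype and makes no Gemini API calls. It assumes that one observation is a tuple of DNS query processing times in milliseconds, one per cloud sensor-tester, for a single monitored resolver, and that the seed cases, labels, suggested actions, similarity metric and novelty threshold are all constructed for the example.

```python
"""Case-based reasoning over multi-base DNS latency measurements.

Added illustration, not the authors' prototype. One observation is a tuple of
DNS query processing times (ms), one per cloud sensor-tester, in a fixed sensor
order. Seed cases, labels, actions and thresholds are constructed.
"""
from dataclasses import dataclass
from math import log10, sqrt


@dataclass
class Case:
    case_id: str
    latencies_ms: tuple   # per-sensor processing time, fixed sensor order
    label: str            # behavioural class assigned by an analyst
    action: str           # suggested operator follow-up (constructed)


@dataclass
class Verdict:
    label: str
    nearest_id: str       # id of the closest pre-existing case
    similarity: float
    retained: bool        # True if the observation became a new case
    case_id: str          # id of the matched or newly retained case
    explanation: str      # per-sensor trace that justifies the decision


def _features(latencies_ms):
    # Log scale so that the shape of the multi-base profile matters as much as
    # its magnitude; max(...,1) guards log10 of a zero reading.
    return [log10(max(v, 1.0)) for v in latencies_ms]


def similarity(a, b):
    # RMS distance over sensors mapped into (0, 1]; identical profiles give 1.0.
    fa, fb = _features(a), _features(b)
    if len(fa) != len(fb):
        raise ValueError("observations must cover the same sensor set")
    d = sqrt(sum((x - y) ** 2 for x, y in zip(fa, fb)) / len(fa))
    return 1.0 / (1.0 + d)


class CaseBase:
    def __init__(self, novelty_threshold=0.7):
        self.cases = []
        self.novelty_threshold = novelty_threshold  # below this => retain as new
        self._next = 1

    def add(self, latencies_ms, label, action):
        case = Case(f"C{self._next:03d}", tuple(latencies_ms), label, action)
        self._next += 1
        self.cases.append(case)
        return case

    def classify(self, observation):
        """Retrieve the nearest case; reuse its label if it is close enough,
        otherwise retain the observation as a new, unclassified case."""
        if not self.cases:
            raise ValueError("empty case base")
        sim, best = max(((similarity(observation, c.latencies_ms), c)
                         for c in self.cases), key=lambda t: t[0])
        trace = ", ".join(
            f"s{i}: {o:.0f} ms vs {c:.0f} ms"
            for i, (o, c) in enumerate(zip(observation, best.latencies_ms), 1))
        if sim >= self.novelty_threshold:
            return Verdict(best.label, best.case_id, sim, False, best.case_id,
                           f"matched {best.case_id} ({best.label}) "
                           f"sim={sim:.2f}; {trace}")
        new = self.add(observation, "unclassified",
                       f"analyst review; nearest known case {best.case_id}")
        return Verdict(new.label, best.case_id, sim, True, new.case_id,
                       f"no case above {self.novelty_threshold}; retained as "
                       f"{new.case_id}; nearest {best.case_id} sim={sim:.2f}; {trace}")

    def relabel(self, case_id, label, action):
        """Revise step: an analyst assigns the class to a retained case."""
        for c in self.cases:
            if c.case_id == case_id:
                c.label, c.action = label, action
                return c
        raise KeyError(case_id)


def build_sample_case_base():
    # Constructed seed registry for four sensor-testers observing one resolver.
    cb = CaseBase()
    cb.add((20, 25, 22, 24), "normal", "no change")
    cb.add((20, 25, 22, 400), "regional-degradation", "check path from sensor 4")
    cb.add((2000, 2000, 2000, 2000), "resolver-outage", "fail over; review RPZ source")
    return cb


if __name__ == "__main__":
    cb = build_sample_case_base()
    for obs in [(21, 24, 23, 380), (120, 130, 125, 118), (125, 128, 130, 121)]:
        v = cb.classify(obs)
        print(v.label, "|", v.explanation)
```

The second observation (all four sensors around 120 ms) matches no seed case above the threshold, so it is retained; once an analyst relabels it, the third observation is classified against that retained case, which is the retain/revise part of the cycle the abstract refers to. The explanation string carries the matched case id, the similarity and the per-sensor comparison, which is what makes the decision traceable. How readily retained cases attract later observations is governed by the novelty threshold, so that value should be checked against labelled history before automatic retention is switched on.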
References
D. Chepel and S. Malakhov, “Multibased cloud monitoring of DNS traffic for operative correction of current RPZ parameters,” Modern Information Security, vol. 63, no. 3, pp. 176–187, 2025. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.31673/2409-7292.2025.031949
D. Chepel and S. Malakhov, “Summary of DNS traffic filtering trends as a component of modern information systems security,” Computer Science and Cybersecurity, no. 1, pp. 6–21, Sep. 2024. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.26565/2519-2310-2024-1-01 [in Ukrainian]
D. Chepel and S. Malakhov, “Мультипротокольний моніторинг трафіку DNS, як основа для коригування поточних параметрів RPZ [Multi-protocol DNS traffic monitoring as a basis for adjusting current RPZ parameters],” in Theoretical and Practical Aspects of Modern Scientific Research. Eur. Scientific Platform, 2025. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.36074/logos-24.01.2025.049 [in Ukrainian]
T. Korobeinikova and T. Fedchuk, “Огляд протоколів DNS, DoH та DoT [Overview of DNS, DoH, and DoT protocols],” in Débats scientifiques et orientations prospectives du développement scientifique. Eur. Scientific Platform, 2024. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.36074/logos-01.03.2024.056 [in Ukrainian]
M. F. Safitra, M. Lubis, T. F. Kusumasari, and D. P. Putri, “Advancements in artificial intelligence and data science: Models, applications, and challenges,” Procedia Computer Science, vol. 234, pp. 381–388, 2024. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.1016/j.procs.2024.03.018
J. P. Inala et al., Data Analysis in the Era of Generative AI. To be published. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.48550/arXiv.2409.18475
A. M. Rahmani et al., “Artificial intelligence approaches and mechanisms for big data analytics: A systematic study,” PeerJ Computer Science, vol. 7, Apr. 2021, Art. no. e488. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.7717/peerj-cs.488
T. Zebin, S. Rezvy, and Y. Luo, “An explainable AI-based intrusion detection system for DNS over HTTPS (DoH) attacks,” IEEE Transactions on Information Forensics and Security, p. 1, 2022. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.1109/tifs.2022.3183390
B. Ali and G. Chen, “Next-generation AI for advanced threat detection and security enhancement in DNS over HTTPS,” Journal of Network and Computer Applications, vol. 244, p. 104326, Dec. 2025. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.1016/j.jnca.2025.104326
P. Pradeep, M. Caro-Martínez, and A. Wijekoon, “Empowering explainable artificial intelligence through case-based reasoning: A comprehensive exploration,” IEEE Transactions on Knowledge and Data Engineering, pp. 1–20, 2025. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.1109/tkde.2025.3609825
P. Pradeep, M. Caro-Martínez, and A. Wijekoon, “A practical exploration of the convergence of Case-Based Reasoning and Explainable Artificial Intelligence,” Expert Systems With Applications, p. 124733, Jul. 2024. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.1016/j.eswa.2024.124733
K. Hatalis, D. Christou, and V. Kondapalli, Review of Case-Based Reasoning for LLM Agents: Theoretical Foundations, Architectural Components, and Cognitive Integration. To be published. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.48550/arXiv.2504.06943
M. Honcharov, D. Chepel, and S. Malakhov, “Оцінка обчислювальної складності етапу попередньої обробки вхідних даних при реалізації процедур стегановставки зображень [Assessment of the computational complexity of the input data preprocessing stage in the implementation of image steganographic embedding procedures],” Наука і техніка сьогодні [Science and Technology Today], no. 8(49), Sep. 2025. Accessed: Feb. 23, 2026. [Online]. Available: https://doi.org/10.52058/2786-6025-2025-8(49)-1228-1245 [in Ukrainian]
M. Horelko and S. Malakhov, “Аналіз метаданих шифрованого трафіку як чинник нівелювання «сліпих зон» безпеки в сучасних ІТ – системах [Metadata analysis of encrypted traffic as a factor in eliminating security "blind spots" in modern IT systems],” in Інтелектуальні технології у міждисциплінарних дослідженнях: Збірник наукових праць ХІ МНТК [Intelligent Technologies in Interdisciplinary Research: Proc. 11th Int. Sci.-Tech. Conf.]. Kharkiv, Ukraine: V. N. Karazin Kharkiv National University, 2025, pp. 89–92. [in Ukrainian]