CapSource OpenCases

Anomaly Detection of Emerging Threats in DNS Data

Last Updated: 04/28/2026

Case Organization

Intrusion Inc

Proactive cyber threat prevention powered by global threat intelligence

Case Contributors

Case Disciplines

Data Management Research & Development

Skills & Expertise

Data Analytics Data Processing Data Visualization Machine Learning

Background & Objective

The challenge or opportunity you are trying to address for the organization.

Intrusion collects telemetry of DNS data from an array of global sensors. This data is rich with information and supports forensic investigations and debugging. We want to explore better ways to leverage the data proactively to alert to potential emerging threats by applying statistical models to the dataset daily. The pattern we are looking for is when a domain name suddenly spikes in popularity across multiple sensors. This could be caused by a variety of reasons, including:

  • A new malware campaign results in new call homes to command and control servers
  • A new phishing campaign results in victims clicking links in email
  • Existing widespread website changes hosting provider or dependencies
  • A company onboards new software or technology
  • Legitimate links going viral via social media

Take, for instance, the domain “beside.media”. This domain was first observed in DNS requests in the dataset on 2023-01-02.
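The daily spike pattern described above, as an added example that is not Intrusion's or CapSource's own code: it aggregates per-domain query counts per sensor per day, scores the current day against a trailing window with a robust (median/MAD) z-score, and separately flags domains that have no history at all and appear on several sensors at once, which is the situation of a first-observed domain such as the one in the case text. The sensor ids, domain names, counts and the `window`, `min_sensors` and `z_threshold` parameters are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample telemetry: one record per observed DNS query as
# (day, sensor_id, queried_domain). Sensor ids and domains are made up.
SAMPLE_TELEMETRY = []


def _add(day, sensor, domain, n):
    SAMPLE_TELEMETRY.extend([(day, sensor, domain)] * n)


D0 = date(2023, 1, 2)  # the "current" day being scored (assumed)
# Steady background domain: same volume on three sensors for 8 days.
for i in range(8):
    d = D0 - timedelta(days=7 - i)
    for s in ("sensor-a", "sensor-b", "sensor-c"):
        _add(d, s, "cdn.example", 20)
# Domain that existed at low volume on one sensor, then spikes on four.
for i in range(7):
    _add(D0 - timedelta(days=7 - i), "sensor-a", "evil.example", 2)
for s in ("sensor-a", "sensor-b", "sensor-c", "sensor-d"):
    _add(D0, s, "evil.example", 40)
# Never seen before D0, appears on three sensors at once (first observation).
for s in ("sensor-b", "sensor-c", "sensor-d"):
    _add(D0, s, "newdomain.example", 5)
# New but seen on a single sensor only: not "popularity across sensors".
_add(D0, "sensor-a", "onebox.example", 50)


def aggregate(records):
    """Return {domain: {day: {sensor: query_count}}} from raw records."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, sensor, domain in records:
        counts[domain][day][sensor] += 1
    return counts


def robust_z(value, history, floor=1.0):
    """Robust z-score against a history using median and scaled MAD.

    A floor on the spread avoids division by zero when the history is flat
    (e.g. the same count every day), which is common for sparse domains."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    spread = max(1.4826 * mad, floor)
    return (value - med) / spread


def detect_spikes(counts, target_day, window=7, min_sensors=3, z_threshold=5.0):
    """Flag domains whose total query volume on target_day is a robust outlier
    versus the previous `window` days, or which have no history at all.

    Both kinds of alert additionally require the domain to be seen on at
    least `min_sensors` distinct sensors on target_day."""
    alerts = []
    for domain, by_day in counts.items():
        today = by_day.get(target_day)
        if not today:
            continue
        sensors_today = len(today)
        if sensors_today < min_sensors:
            continue  # single-sensor noise does not match the target pattern
        total_today = sum(today.values())
        history_days = [target_day - timedelta(days=k) for k in range(1, window + 1)]
        history = [sum(by_day.get(d, {}).values()) for d in history_days]
        hist_sensors = max(len(by_day.get(d, {})) for d in history_days)
        if not any(history):
            # No baseline to score against: report as a first observation.
            alerts.append({"domain": domain, "kind": "new_domain",
                           "sensors": sensors_today, "queries": total_today, "z": None})
            continue
        z = robust_z(total_today, history)
        if z >= z_threshold:
            alerts.append({"domain": domain, "kind": "spike",
                           "sensors": sensors_today, "new_sensors": sensors_today - hist_sensors,
                           "queries": total_today, "z": round(z, 2)})
    return sorted(alerts, key=lambda a: a["domain"])


if __name__ == "__main__":
    for alert in detect_spikes(aggregate(SAMPLE_TELEMETRY), D0):
        print(alert)
```

Running this as a script prints two alerts: a `spike` for the domain whose volume jumped and spread to new sensors, and a `new_domain` alert for the first-observed one; the steady domain and the single-sensor domain produce nothing. The MAD floor is the important edge case: a domain queried exactly twice a day for a week has zero spread, and without the floor every later day would divide by zero or score as infinitely anomalous.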

Learning Objectives

This is what students will learn as they complete the case.

In today’s cybersecurity landscape, detecting emerging threats in real time is critical to preventing large-scale attacks. This case places students in the role of data scientists and cybersecurity analysts tasked with leveraging large-scale DNS telemetry data to proactively identify anomalies and potential threats. Students will combine machine learning, statistical modeling, and data engineering to design scalable detection systems capable of operating under real-world constraints. Students completing this case will be able to:
  • Understand how DNS telemetry data is used in cybersecurity to identify threats and anomalous network behavior.
  • Analyze large, sparse, and high-volume datasets to uncover patterns in domain activity across distributed sensors.
  • Develop anomaly detection models (e.g., time-series, statistical, or ML-based) to identify sudden spikes in domain popularity.
  • Design algorithms to detect statistically significant co-occurrences between domains, revealing potential coordinated or related activity.
  • Evaluate model performance by balancing detection accuracy with false positive reduction.
  • Apply data enrichment techniques (e.g., WHOIS, geolocation, threat intelligence) to contextualize and validate detected anomalies.
  • Visualize anomaly patterns and trends using appropriate data visualization tools to support threat analysis.
  • Refine models through feature engineering, threshold tuning, and iterative improvements based on analytical findings.
  • Design scalable data processing workflows capable of handling large datasets within operational constraints (e.g., under one hour processing time).
  • Communicate technical insights and recommendations effectively through reports and presentations for both technical and non-technical stakeholders.

Key Action Items

These are activities and action items you might want to complete in order to achieve the expected outcomes.

Milestones
Milestone #1
Guiding Questions
Deliverable
Suggested Outcome(s)

Milestone #2
Guiding Questions
Deliverable
Suggested Outcome(s)

Milestone #3
Guiding Questions
Deliverable
Suggested Outcome(s)

Milestone #4
Guiding Questions
Deliverable
Suggested Outcome(s)

Milestone #5
Guiding Questions
Deliverable
Suggested Outcome(s)

Explore the CapSource Case Library

The CapSource Case Library helps students explore real-world challenges faced by leading organizations across industries. Each case introduces a practical business or social impact problem and invites students to think critically about potential solutions.

Students can use cases to:

Discover potential career paths and industries
Learn how organizations approach strategy, operations, and innovation
Practice solving real-world challenges
Build a portfolio of real work product that showcases impact

Educators can register and browse the library for free. Upgrade for classroom use to bring experiential learning into your courses through case discussions, assignments, and competitions. The library is constantly growing and used by schools everywhere.

What you get when you upgrade:

Case notes and discussion/facilitation guides
In class presentation slides and teaching support materials
Visibility of student submissions and industry feedback
Evaluation tools and outcomes reporting

Unlock the Full Case

Create a free account to browse case materials, submit custom cases/case responses, and explore ways you can leverage this material to improve classroom engagement and enhance learning outcomes.
