Domain Name System (DNS) based anomaly detection

US2016359887A1 · US · A1

Patent metadata

Publication number: US-2016359887-A1
Application number: US-201615097236-A
Country: US
Kind code: A1
Filing date: Apr 12, 2016
Priority date: Jun 4, 2015
Publication date: Dec 8, 2016
Grant date: none listed

Abstract

Official abstract text for this publication.

In one embodiment, a method includes receiving at an analytics module operating at a network device, network traffic data collected from a plurality of sensors distributed throughout a network and installed in network components to obtain the network traffic data, identifying at the analytics module, Domain Name System (DNS) exchanges within the network, associating at the analytics module, the DNS exchanges with process, user, and host information, and identifying at the analytics module, anomalies in the DNS exchanges. An apparatus and logic are also disclosed herein.

Claims

What is claimed is:

  1. A method comprising: receiving at an analytics module operating at a network device, network traffic data collected from a plurality of sensors distributed throughout a network and installed in network components to obtain the network traffic data; identifying at the analytics module, Domain Name System (DNS) exchanges within the network; associating at the analytics module, said DNS exchanges with process, user, and host information; and identifying at the analytics module, anomalies in said DNS exchanges.
  2. The method of claim 1 wherein the network traffic data is collected from packets transmitted to and from the network components to monitor network flows at hosts and within the network from multiple perspectives in the network.
  3. The method of claim 1 wherein identifying said anomalies comprises calculating scores for said DNS exchanges to identify said anomalies.
  4. The method of claim 1 wherein identifying said anomalies comprises identifying TTL (Time to Live) inconsistencies within said DNS exchanges.
  5. The method of claim 1 wherein identifying said anomalies comprises identifying network inconsistencies within said DNS exchanges.
  6. The method of claim 1 further comprising performing a second level domain check and wherein said anomalies are identified based on said second level domain check.
  7. The method of claim 1 wherein identifying said anomalies comprises detecting a Domain Generation Algorithm (DGA).
  8. The method of claim 1 wherein identifying said anomalies comprises detecting domain fluxing.
  9. The method of claim 1 wherein identifying said anomalies comprises identifying use of DNS tunnels to carry data.
  10. The method of claim 1 wherein identifying said anomalies comprises utilizing cross correlation between host and network views of the network traffic data.
  11. The method of claim 1 wherein identifying said DNS exchanges further comprises discovering applications in the network.
  12. The method of claim 1 further comprising generating application specific features for SSH (Secure Shell) traffic using machine learning.
  13. The method of claim 1 further comprising identifying SSH (Secure Shell) traffic using packet snooping.
  14. The method of claim 1 wherein the network traffic data is received from at least one network device comprising multiple sensors.
  15. An apparatus comprising: an interface for receiving network traffic data collected from a plurality of sensors distributed throughout a network and installed in network components to obtain the network traffic data; and a processor for identifying Domain Name System (DNS) exchanges within the network, associating said DNS exchanges with process, user, and host information, and identifying anomalies in said DNS exchanges.
  16. The apparatus of claim 15 wherein the network traffic data comprises data collected from a network device comprising multiple sensors.
  17. The apparatus of claim 15 wherein identifying said anomalies comprises identifying use of DNS tunnels to carry data.
  18. Logic encoded on one or more non-transitory computer readable media for execution and when executed operable to: process at an analytics module operating at a network device, network traffic data collected from a plurality of sensors distributed throughout a network and installed in network components to obtain the network traffic data; identify at the analytics module, Domain Name System (DNS) exchanges within the network; associate at the analytics module, said DNS exchanges with process, user, and host information; and identify at the analytics module, anomalies in said DNS exchanges.
  19. The logic of claim 18 wherein identifying said anomalies comprises identifying use of DNS tunnels to carry data.
  20. The logic of claim 18 further operable to generate application specific features for DNS traffic using machine learning.
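The claims above describe scoring DNS exchanges (claim 3) once they have been tied to process, user and host context (claim 1), using checks such as TTL inconsistencies (claim 4), network inconsistencies between the host and network views (claims 5 and 10), a second-level-domain check for DGA-style names (claims 6 and 7) and DNS tunnelling (claim 9). The following Python is an added illustration of that pipeline on constructed sensor records; it is not code from the patent or from Cisco. The record format, the sample data, the entropy and length thresholds, the TTL ratio and the feature weights are all assumptions chosen for the example.

```python
"""Score DNS exchanges that carry process/user/host context (added example)."""
import math
from collections import defaultdict

# Constructed host-sensor records: each DNS exchange already carries the
# host, user and process the collector associated with it.
HOST_VIEW = [
    {"host": "ws-17", "user": "alice", "process": "chrome", "qname": "www.example.com", "qtype": "A", "ttl": 300},
    {"host": "ws-17", "user": "alice", "process": "chrome", "qname": "www.example.com", "qtype": "A", "ttl": 300},
    {"host": "ws-42", "user": "svc-backup", "process": "updater.exe", "qname": "xk3q9vz2lp7rwt.net", "qtype": "A", "ttl": 60},
    {"host": "ws-42", "user": "svc-backup", "process": "updater.exe", "qname": "qz8p2mxv4ktj1y.net", "qtype": "A", "ttl": 60},
    {"host": "ws-42", "user": "svc-backup", "process": "updater.exe", "qname": "6d61726b65723a3031.5374617274.data.corp-example.org", "qtype": "TXT", "ttl": 1},
    {"host": "ws-09", "user": "bob", "process": "outlook.exe", "qname": "mail.example.com", "qtype": "A", "ttl": 3600},
    {"host": "ws-09", "user": "bob", "process": "outlook.exe", "qname": "mail.example.com", "qtype": "A", "ttl": 5},
]

# Constructed network-sensor view: (host, qname) pairs seen on the wire.
# One of ws-42's lookups is absent, which the cross-correlation check flags.
NETWORK_VIEW = {
    ("ws-17", "www.example.com"),
    ("ws-42", "xk3q9vz2lp7rwt.net"),
    ("ws-42", "6d61726b65723a3031.5374617274.data.corp-example.org"),
    ("ws-09", "mail.example.com"),
}

# Assumed weights: tunnelling and a missing network-side record count more.
WEIGHTS = {"dga": 2, "tunnel": 3, "ttl": 1, "net_mismatch": 2}


def second_level_label(qname):
    """Return the registrable label, e.g. 'example' for 'www.example.com'."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(qname):
    """Second-level-domain check: long, high-entropy label (assumed thresholds)."""
    sld = second_level_label(qname)
    return len(sld) >= 10 and shannon_entropy(sld) >= 3.5


def tunnel_like(qname, qtype):
    """Bulky names on record types that carry payload, or very long labels."""
    labels = qname.rstrip(".").split(".")
    bulky_payload_type = len(qname) >= 40 and qtype in {"TXT", "NULL"}
    return bulky_payload_type or len(labels) >= 6 or max(len(l) for l in labels) > 40


def ttl_inconsistent_names(records, ratio=10):
    """Names whose observed TTLs differ by more than `ratio`.

    Caveat: a caching resolver legitimately returns decreasing TTLs, so a
    production check would compare against the authoritative TTL instead.
    """
    ttls = defaultdict(set)
    for r in records:
        ttls[r["qname"]].add(r["ttl"])
    return {q for q, s in ttls.items() if min(s) > 0 and max(s) / min(s) >= ratio}


def score_exchanges(records, network_view):
    """Attach per-exchange features and a weighted score to every record."""
    inconsistent = ttl_inconsistent_names(records)
    scored = []
    for r in records:
        features = {
            "dga": dga_like(r["qname"]),
            "tunnel": tunnel_like(r["qname"], r["qtype"]),
            "ttl": r["qname"] in inconsistent,
            # Host saw the exchange but no network sensor did.
            "net_mismatch": (r["host"], r["qname"]) not in network_view,
        }
        score = sum(WEIGHTS[k] for k, v in features.items() if v)
        scored.append({**r, "features": features, "score": score})
    return scored


def rank_contexts(scored):
    """Aggregate scores by (host, user, process) so analysts see who to look at."""
    totals = defaultdict(int)
    for r in scored:
        totals[(r["host"], r["user"], r["process"])] += r["score"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ctx, total in rank_contexts(score_exchanges(HOST_VIEW, NETWORK_VIEW)):
        print(ctx, total)
```

On the sample data the `updater.exe` context on `ws-42` accumulates the highest score because it combines two random-looking second-level domains, a long TXT query and a lookup the network sensors never saw; the `mail.example.com` pair only trips the crude TTL check, which is why that feature carries the lowest weight.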

Assignees

Cisco Tech Inc

Classifications

  • Electricity · mapped topic

  • Domain name generation or assignment · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • using domain name system [DNS] · CPC title

  • between local and global IP addresses · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016359887A1 cover?
In one embodiment, a method includes receiving at an analytics module operating at a network device, network traffic data collected from a plurality of sensors distributed throughout a network and installed in network components to obtain the network traffic data, identifying at the analytics module, Domain Name System (DNS) exchanges within the network, associating at the analytics module, the…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 8, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).