Method and system for detecting malicious and/or botnet-related domain names
First Claim
1. A method of detecting at least one malicious and/or botnet-related domain name, comprising:
performing processing associated with collecting at least one domain name by monitoring Domain Name System (DNS) traffic in at least one network;
performing processing associated with obtaining, during a time period, information about the at least one domain name, comprising determining if the at least one domain name is in at least one domain name white list;
wherein the obtained information further comprises statistics related to the at least one domain name comprising a total number of queries to the at least one domain name during the time period and a total number of distinct source IP addresses that queried the at least one domain name during the time period;
responsive to determining that the at least one domain name is not in the at least one domain name white list, performing processing associated with automatically obtaining, using at least one Internet search engine, search results for the at least one domain name;
performing processing associated with analyzing the search results to determine whether at least one search result associated with the at least one domain name comprises a known malware site; and
performing processing associated with classifying the at least one domain name as at least one of malicious, suspicious, and legitimate based on the analyzed search results.
Abstract
A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information.
22 Claims
1. Independent method claim; its full text is given under First Claim above. Dependent claims: 2 to 11.
12. A computerized system for performing malware analysis on at least one guest environment, the system comprising:
at least one server coupled to at least one network;
at least one user terminal coupled to the at least one network;
at least one application coupled to the at least one server and/or the at least one user terminal, wherein the at least one application is configured for:
performing processing associated with collecting at least one domain name by monitoring Domain Name System (DNS) traffic in at least one network;
performing processing associated with obtaining information about the at least one domain name, wherein the information is utilized to classify the at least one domain name, and the information is information about the at least one domain name in at least one domain name white list;
wherein the obtained information further comprises statistics related to the at least one domain name comprising a total number of queries to the at least one domain name during the time period and a total number of distinct source IP addresses that queried the at least one domain name during the time period;
responsive to determining that the at least one domain name is not in the at least one domain name white list, performing processing associated with automatically obtaining, using at least one Internet search engine, search results for the at least one domain name;
performing processing associated with analyzing the search results to determine whether at least one search result associated with the at least one domain name comprises a known malware site; and
performing processing associated with determining at least one likelihood that the at least one domain name is being used as at least one command and control domain for at least one botnet based at least in part on the analyzed search results.
Dependent claims: 13 to 22.
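Worked example, added here and not code from the patent or its assignee: a small offline Python model of the pipeline that claims 1 and 12 describe. It collects names and the two claimed statistics (total queries and distinct source IPs) over one time period from a DNS query log, checks a white list, sends only unlisted names to a search engine, inspects the results for a link to a malware analysis site, classifies each name as malicious, suspicious or legitimate (claim 1), and derives a command-and-control likelihood from the verdict and the statistics (claim 12). The log lines, the white list, the set of malware analysis sites, the canned search results, the function names, the score weights and the time window are all constructed assumptions; the patent specifies none of them.

```python
# Added illustration of the claimed pipeline; not the patent's own code. Every
# name, list, log line, canned search result, weight and window is constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# Constructed DNS query log: "<ISO timestamp> <source IP> <queried name>" per line.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com
2024-05-01T10:00:03 10.0.0.7 www.example.com
2024-05-01T10:01:10 10.0.0.9 xk3q9z.info
2024-05-01T10:01:12 10.0.0.10 xk3q9z.info
2024-05-01T10:01:15 10.0.0.11 xk3q9z.info
2024-05-01T10:01:18 10.0.0.9 xk3q9z.info
2024-05-01T10:02:00 10.0.0.12 updates.vendor-sample.org
2024-05-01T10:02:30 10.0.0.13 updates.vendor-sample.org
2024-05-01T13:00:00 10.0.0.9 xk3q9z.info
"""
# Assumed time period (start inclusive, end exclusive): the 13:00 query falls outside it.
WINDOW = (datetime(2024, 5, 1, 10, 0), datetime(2024, 5, 1, 11, 0))
WHITE_LIST = {"example.com"}  # assumed allow list (popularity or enterprise list in practice)
# Assumed "malware analysis sites"; a search hit on one of these is the abstract's signal.
MALWARE_ANALYSIS_SITES = {"virustotal.com", "hybrid-analysis.com", "urlhaus.abuse.ch"}
# Canned, offline stand-in for the Internet search engine (constructed results).
CANNED_SEARCH_RESULTS = {
    "xk3q9z.info": [],  # never indexed
    "updates.vendor-sample.org": [
        "https://www.virustotal.com/gui/domain/updates.vendor-sample.org",
        "https://forum.example.org/thread/odd-dns-traffic"],
}


@dataclass
class DomainStats:
    total_queries: int = 0
    source_ips: set[str] = field(default_factory=set)


def collect_stats(log_text: str, start: datetime, end: datetime) -> dict[str, DomainStats]:
    """Step 1: names and per-name statistics for queries with start <= time < end."""
    stats: dict[str, DomainStats] = {}
    for line in log_text.splitlines():
        ts, src_ip, qname = line.split()
        if start <= datetime.fromisoformat(ts) < end:
            entry = stats.setdefault(qname.lower().rstrip("."), DomainStats())
            entry.total_queries += 1
            entry.source_ips.add(src_ip)
    return stats


def matches_suffix_list(name: str, listed: set[str]) -> bool:
    """True if name or any parent domain is listed (www.example.com matches example.com)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def search_engine(domain: str) -> list[str]:
    """Stand-in for the search-engine query; returns result URLs (constructed data)."""
    return CANNED_SEARCH_RESULTS.get(domain, [])


def analyze_results(results: list[str]) -> str:
    """Step 3: 'no_results', 'malware_analysis_link' or 'ordinary'."""
    if not results:
        return "no_results"
    hosts = (urlsplit(u).hostname or "" for u in results)
    return "malware_analysis_link" if any(
        matches_suffix_list(h, MALWARE_ANALYSIS_SITES) for h in hosts) else "ordinary"


def classify(domain: str, search=search_engine) -> tuple[str, str]:
    """Steps 2 to 4: white list first; only unlisted names are sent to the search engine."""
    if matches_suffix_list(domain, WHITE_LIST):
        return "legitimate", "white_list"
    verdict = analyze_results(search(domain))
    label = {"malware_analysis_link": "malicious", "no_results": "suspicious"}.get(verdict, "legitimate")
    return label, verdict


def c2_likelihood(label: str, stats: DomainStats) -> float:
    """Assumed scoring for claim 12: the search verdict sets a base, and the number of
    distinct querying hosts (capped at 10) raises it, since many internal hosts
    resolving one obscure name is what beaconing to a controller looks like."""
    base = {"malicious": 0.8, "suspicious": 0.4, "legitimate": 0.05}[label]
    return base + (1 - base) * 0.5 * min(len(stats.source_ips), 10) / 10


def run_pipeline(log_text: str, start: datetime, end: datetime) -> dict[str, dict]:
    """Whole pipeline over one time period; one record per observed name."""
    report = {}
    for domain, stats in collect_stats(log_text, start, end).items():
        label, reason = classify(domain)
        report[domain] = {"total_queries": stats.total_queries,
                          "distinct_sources": len(stats.source_ips),
                          "label": label, "reason": reason,
                          "c2_likelihood": c2_likelihood(label, stats)}
    return report


if __name__ == "__main__":
    for name, rec in run_pipeline(SAMPLE_DNS_LOG, *WINDOW).items():
        print(f"{name:26} {rec}")
```

Two points a practitioner would check against any real implementation of this scheme. First, the white list test has to come before the search-engine step, as the claims order it: otherwise every name the resolver sees, including internal hostnames, is disclosed to a third-party search engine. Second, "no search results" is exactly what a freshly registered legitimate domain produces too, which is why the model labels that case suspicious rather than malicious and lets the per-period query and distinct-source counts, not the search result alone, move the claim-12 likelihood.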
Specification