Method and system for detecting malicious and/or botnet-related domain names

US 10,027,688 B2
Filed: 08/10/2009
Issued: 07/17/2018
Est. Priority Date: 08/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of detecting at least one malicious and/or botnet-related domain name, comprising:

performing processing associated with collecting at least one domain name by monitoring Domain Name System (DNS) traffic in at least one network;

performing processing associated with obtaining, during a time period, information about the at least one domain name, comprising determining if the at least one domain name is in at least one domain name white list;

wherein the obtained information further comprises statistics related to the at least one domain name comprising a total number of queries to the at least one domain name during the time period and a total number of distinct source IP addresses that queried the at least one domain name during the time period;

responsive to determining that the at least one domain name is not in the at least one domain name white list, performing processing associated with automatically obtaining, using at least one Internet search engine, search results for the at least one domain name;

performing processing associated with analyzing the search results to determine whether at least one search result associated with the at least one domain name comprises a known malware site; and

performing processing associated with classifying the at least one domain name as at least one of malicious, suspicious, and legitimate based on the analyzed search results.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information.

299 Citations

22 Claims

1. A method of detecting at least one malicious and/or botnet-related domain name, comprising:
- performing processing associated with collecting at least one domain name by monitoring Domain Name System (DNS) traffic in at least one network;
  
  performing processing associated with obtaining, during a time period, information about the at least one domain name, comprising determining if the at least one domain name is in at least one domain name white list;
  
  wherein the obtained information further comprises statistics related to the at least one domain name comprising a total number of queries to the at least one domain name during the time period and a total number of distinct source IP addresses that queried the at least one domain name during the time period;
  
  responsive to determining that the at least one domain name is not in the at least one domain name white list, performing processing associated with automatically obtaining, using at least one Internet search engine, search results for the at least one domain name;
  
  performing processing associated with analyzing the search results to determine whether at least one search result associated with the at least one domain name comprises a known malware site; and
  
  performing processing associated with classifying the at least one domain name as at least one of malicious, suspicious, and legitimate based on the analyzed search results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising, calculating a suspiciousness score based on the total number of queries to the at least one domain name during the time period and the total number of distinct source IP addresses that queried the at least one domain name during the time period,wherein the classifying the at least one domain name as at least one of malicious, suspicious, and legitimate is further based on the suspiciousness score.
  - 3. The method of claim 1, wherein the at least one domain name to be monitored is part of at least one sample chosen from a plurality of domain names;
    - andwherein a size of the at least one sample is based on a probability factor.
  - 4. The method of claim 3, further comprising generating a pseudorandom number;
    - wherein the at least one domain name is not selected for monitoring if the probability factor is less than the pseudorandom number.
  - 5. The method of claim 2, wherein the at least one domain name is ranked based on the suspiciousness score, andwherein the classifying the at least one domain name as at least one of malicious, suspicious, and legitimate is further based the ranking being above a predetermined threshold.
  - 6. The method of claim 1, wherein the obtained information further comprises performing at least one reverse lookup on the at least one domain name.
  - 7. The method of claim 1, wherein the at least one domain name to be monitored is filtered.
  - 8. The method of claim 1, wherein the at least one domain name to be monitored is filtered by determining if a second level domain (2LD) of the at least one domain name is in at least one domain name white list.
  - 9. The method of claim 8, wherein the at least one domain name to be monitored is further filtered by determining if a top level domain (TLD) of the at least one domain name is in at least one domain name suspicious list.
  - 10. The method of claim 9, wherein the at least one domain name to be monitored is further filtered by determining if the second level domain (2LD) of the at least one domain name is in a Dynamic Domain Name System (DDNS) 2LD suspicious list.
  - 11. The method of claim 1, wherein the obtained information further comprises:
    - determining whether a resolved IP address of the at least one domain name is that of at least one DSL or at least one dial-up connection; and
      
      /ordetermining a geographic location of the at least one resolved IP address, at least one Autonomous System (AS) number, or at least one AS name.

12. A computerized system for performing malware analysis on at least one guest environment, the system comprising:
- at least one server coupled to at least one network;
  
  at least one user terminal coupled to the at least one network;
  
  at least one application coupled to the at least one server and/or the at least one user terminal, wherein the at least one application is configured for;
  
  performing processing associated with collecting at least one domain name by monitoring Domain Name System (DNS) traffic in at least one network;
  
  performing processing associated with obtaining information about the at least one domain name, wherein the information is utilized to classify the at least one domain name, and the information is information about the at least one domain name in at least one domain name white list;
  
  wherein the obtained information further comprises statistics related to the at least one domain name comprising a total number of queries to the at least one domain name during the time period and a total number of distinct source IP addresses that queried the at least one domain name during the time period;
  
  responsive to determining that the at least one domain name is not in the at least one domain name white list, performing processing associated with automatically obtaining, using at least one Internet search engine, search results for the at least one domain name;
  
  performing processing associated with analyzing the search results to determine whether at least one search result associated with the at least one domain name comprises a known malware site; and
  
  performing processing associated with determining at least one likelihood that the at least one domain name is being used as at least one command and control domain for at least one botnet based at least in part on the analyzed search results.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the at least one domain name is monitored and statistics are gathered related to the at least one domain name.
  - 14. The system of claim 13, wherein the at least one domain name to be monitored is part of at least one sample chosen from a plurality of domain names.
  - 15. The system of claim 12, wherein the at least one domain name is further classified as malicious or suspicious based on the analyzed search results.
  - 16. The system of claim 12, wherein the at least one domain name is ranked based on probabilities related to at least one of how malicious the at least one domain name is and how botnet-related the at least one domain name is,wherein the determining at least one likelihood that the at least one domain name is being used as at least one command and control domain for at least one botnet is based on the rank.
  - 17. The system of claim 12, wherein the information further comprises performing at least one reverse lookup on the at least one domain name.
  - 18. The system of claim 12, wherein the at least one domain name to be monitored is filtered.
  - 19. The system of claim 12, wherein the at least one domain name to be monitored is filtered by determining if a second level domain (2LD) of the at least one domain name is in at least one domain name white list.
  - 20. The system of claim 19, wherein the at least one domain name to be monitored is further filtered by determining if a top level domain (TLD) of the at least one domain name is in at least one domain name suspicious list.
  - 21. The system of claim 20, wherein the at least one domain name to be monitored is further filtered by determining if the second level domain (2LD) of the at least one domain name is in a Dynamic Domain Name System (DDNS) 2LD suspicious list.
  - 22. The system of claim 12, wherein the information is related to at least one of:
    - information regarding whether or not a resolved IP address of the at least one domain name is that of at least one DSL or at least one dial-up connection; and
      
      information on geographic location of the at least one resolved IP address, at least one Autonomous System (AS) number, or at least one AS name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Perdisci, Roberto, Lee, Wenke
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US12/538,612
Publication Number

US 20100037314A1
Time in Patent Office

3,263 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 2463/144 Detection or countermeasure...

H04L 63/1416 Event detection, e.g. attac...

Method and system for detecting malicious and/or botnet-related domain names

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

299 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malicious and/or botnet-related domain names

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

299 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links