Methods and apparatus for identifying suspicious domains using common user clustering

US 10,129,276 B1
Filed: 03/29/2016
Issued: 11/13/2018
Est. Priority Date: 03/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining network event data comprising a plurality of network connections;

identifying users and domain names associated with said network connections in said network event data;

creating a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph;

connecting domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains;

identifying bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and

processing said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack. The graph of interconnected domains is optionally pruned and/or filtered to remove one or more inter-domain edges.

Citations

20 Claims

1. A method comprising:
- obtaining network event data comprising a plurality of network connections;
  
  identifying users and domain names associated with said network connections in said network event data;
  
  creating a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph;
  
  connecting domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains;
  
  identifying bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and
  
  processing said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the step of connecting domain names in said graph further comprises the step of removing users in said graph.
  - 3. The method of claim 1, wherein the step of connecting domain names using inter-domain edges further comprises connecting two domain names if one or more of two domain names share at least a predefined number of users;
    - share at least a predefined percentage of users; and
      
      have a Jaccard index that exceeds a predefined value.
  - 4. The method of claim 3, wherein the inter-domain edges have a weight based on one or more of the predefined number of shared users;
    - predefined percentage of shared users;
      
      the Jaccard index and a difference in a suspicious domain score.
  - 5. The method of claim 1, further comprising the step of pruning said graph of interconnected domain names.
  - 6. The method of claim 5, wherein the pruning comprises removing one or more of inter-domain edges between two nodes that do not have a similar predefined common property value and inter-domain edges based on an edge strength.
  - 7. The method of claim 1, further comprising the step of filtering said graph of interconnected domain names.
  - 8. The method of claim 7, wherein the filtering comprises removing one or more of inter-domain edges comprising nodes having zero intersection of neighbors and inter-domain edges comprising node pairs that are not said bi-connected components having at least two paths between them.
  - 9. The method of claim 1, further comprising the step of annotating each of said connections between each user/domain pair with one or more of whether one or more events associated with a given connection is associated with one or more of (i) beaconing communications;
    - (ii) a predefined number of HTTP requests; and
      
      (iii) predefined off-work hours.

10. A system, comprising:
- a memory; and
  
  at least one processing device, coupled to the memory, operative to;
  
  obtain network event data comprising a plurality of network connections,identify users and domain names associated with said network connections in said network event data;
  
  create a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph;
  
  connect domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains;
  
  identify bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and
  
  process said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the connecting of said domain names in said graph further comprises removing users in said graph.
  - 12. The system of claim 10, wherein the connecting of said domain names using said inter-domain edges further comprises connecting two domain names if one or more of two domain names share at least a predefined number of users;
    - share at least a predefined percentage of users; and
      
      have a Jaccard index that exceeds a predefined value.
  - 13. The system of claim 10, wherein said at least one processing device is further configured to prune said graph of interconnected domain names by removing one or more of inter-domain edges between two nodes that do not have a similar predefined common property value and inter-domain edges based on an edge strength.
  - 14. The system of claim 10, wherein said at least one processing device is further configured to filter said graph of interconnected domain names by removing one or more of inter-domain edges comprising nodes having zero intersection of neighbors and inter-domain edges comprising node pairs that are not said bi-connected components having at least two paths between them.
  - 15. The system of claim 10, wherein said at least one processing device is further configured to annotate each of said connections between each user/domain pair with one or more of whether one or more events associated with a given connection is associated with one or more of (i) beaconing communications;
    - (ii) a predefined number of HTTP requests; and
      
      (iii) predefined off-work hours.

16. An article of manufacture comprising a non-transitory machine readable recordable medium containing one or more programs which when executed by at least one processing device implement the steps of:
- obtaining network event data comprising a plurality of network connections;
  
  identifying users and domain names associated with said network connections in said network event data;
  
  creating a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph;
  
  connecting domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains;
  
  identifying bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and
  
  processing said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of manufacture of claim 16, wherein the step of connecting domain names in said graph further comprises the step of removing users in said graph.
  - 18. The article of manufacture of claim 16, further comprising the step of pruning said graph of interconnected domain names by removing one or more of inter-domain edges between two nodes that do not have a similar predefined common property value and inter-domain edges based on an edge strength.
  - 19. The article of manufacture of claim 16, further comprising the step of filtering said graph of interconnected domain names by removing one or more of inter-domain edges comprising nodes having zero intersection of neighbors and inter-domain edges comprising node pairs that are not said bi-connected components having at least two paths between them.
  - 20. The article of manufacture of claim 16, further comprising the step of annotating each of said connections between each user/domain pair with one or more of whether one or more events associated with a given connection is associated with one or more of (i) beaconing communications;
    - (ii) a predefined number of HTTP requests; and
      
      (iii) predefined off-work hours.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Raviv, Kineret, Sahar, Carmit, Kolman, Eyal, Amram, Shay, Kaufman, Alon
Primary Examiner(s)
Revak, Christopher

Application Number

US15/083,899
Time in Patent Office

959 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Methods and apparatus for identifying suspicious domains using common user clustering

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for identifying suspicious domains using common user clustering

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links