System and method to detect domain generation algorithm malware and systems infected by such malware
First Claim
1. At least one non-transitory computer readable medium on which are stored instructions comprising instructions that when executed cause a programmable device to:
identify a domain name by monitoring network activity;
determine a length of a First Level Domain (FLD) of the domain name;
compare the length against a specified threshold;
remove, responsive to the comparing, the FLD from the domain name;
identify, responsive to the removing, a name as a remainder of the domain name;
calculate a lexical complexity score for the name; and
determine if the domain name is Domain Generated Algorithm (DGA) generated, based on at least the lexical complexity score.
Abstract
Systems and methods for detection of domain generated algorithms (DGA) and their command and control (C&C) servers are disclosed. In one embodiment, such an approach includes examining DNS queries for DNS resolution failures, and monitoring a certain set of parameters, such as number of levels, length of domain name, lexical complexity, and the like, for each failed domain. These parameters may then be compared against certain thresholds to determine if the domain name is likely to be part of DGA malware. Domain names identified as being part of DGA malware may then be grouped together. Once a DGA domain name has been identified, activity from the same source can be monitored to detect successful resolutions and to see whether any of the successfully resolved domain names match these parameters. If they meet the specified thresholds, the domain is determined to be a C&C server of the DGA malware and may be identified as such.
15 Claims
1. At least one non-transitory computer readable medium on which are stored instructions comprising instructions that when executed cause a programmable device to:
identify a domain name by monitoring network activity;
determine a length of a First Level Domain (FLD) of the domain name;
compare the length against a specified threshold;
remove, responsive to the comparing, the FLD from the domain name;
identify, responsive to the removing, a name as a remainder of the domain name;
calculate a lexical complexity score for the name; and
determine if the domain name is Domain Generated Algorithm (DGA) generated, based on at least the lexical complexity score.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. A method of identifying Domain Generated Algorithm (DGA) malware, comprising:
identifying a domain name by monitoring activity of a network by a programmable device;
determining a length of a First Level Domain (FLD) of the domain name;
comparing the length against a specified threshold;
removing, responsive to the comparing, the FLD from the domain name;
identifying, responsive to the removing, a name as the remainder of the domain name;
calculating a lexical complexity score for the name; and
determining if the domain name is DGA generated based on at least the lexical complexity score.
(Dependent claims: 11, 12, 13, 14, 15)
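The following is an added illustration, not code from the patent or its assignee, of the pipeline the abstract and claims 1 and 10 describe: check the First Level Domain (FLD) length, strip the FLD, score the lexical complexity of the remainder, group failed DGA-like lookups per source, and then flag a later successful resolution from the same source that matches the same parameters as a C&C candidate. The patent does not define the lexical complexity score or any threshold values, so Shannon entropy and every threshold below are assumptions, and the DNS log is constructed.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds; the patent leaves the actual values and the score unspecified.
FLD_MAX_LEN = 6             # the FLD (rightmost label, e.g. "com") is expected to be short
MIN_LEVELS = 2              # at least one label must remain after the FLD is removed
MIN_NAME_LEN = 10           # remainder must be at least this many characters (dots excluded)
COMPLEXITY_THRESHOLD = 3.8  # Shannon entropy, bits per character
MIN_FAILED_DGA = 2          # failed DGA-like lookups before a source counts as infected


def lexical_complexity(name: str) -> float:
    """Assumed lexical complexity score: Shannon entropy of the characters in `name`."""
    chars = name.replace(".", "")
    if not chars:
        return 0.0
    n = len(chars)
    return -sum(c / n * math.log2(c / n) for c in Counter(chars).values())


def is_dga_like(domain: str) -> bool:
    """Claim 1 steps: FLD length check, strip the FLD, score the remaining name."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < MIN_LEVELS:
        return False
    fld, remainder = labels[-1], labels[:-1]
    if len(fld) > FLD_MAX_LEN:  # unusually long FLD: outside this heuristic
        return False
    name = ".".join(remainder)  # the "name" that gets scored
    if len(name.replace(".", "")) < MIN_NAME_LEN:
        return False
    return lexical_complexity(name) >= COMPLEXITY_THRESHOLD


def analyse_dns_log(log):
    """Group failed DGA-like lookups per source; a later successful resolution from
    an already-flagged source that matches the same parameters is a C&C candidate."""
    failed = defaultdict(list)
    cc_candidates = []
    for src, qname, rcode in log:  # processed in log order
        if not is_dga_like(qname):
            continue
        if rcode == "NXDOMAIN":
            failed[src].append(qname)
        elif rcode == "NOERROR" and len(failed.get(src, [])) >= MIN_FAILED_DGA:
            cc_candidates.append((src, qname))
    return dict(failed), cc_candidates


# Constructed sample log (source, queried name, response code); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "xk3jq9w2p0zv8mfh.com", "NXDOMAIN"),
    ("10.0.0.5", "q7h2zp4k9dmx1vbn.net", "NXDOMAIN"),
    ("10.0.0.5", "p8rw4ndk2jx9mqzv.org", "NOERROR"),  # resolves: C&C candidate
    ("10.0.0.7", "mail.google.com", "NOERROR"),
    ("10.0.0.7", "nonexistent.example.org", "NXDOMAIN"),
]
```

Running `analyse_dns_log(SAMPLE_LOG)` groups the two failed random-looking lookups under 10.0.0.5 and reports p8rw4ndk2jx9mqzv.org as the C&C candidate, while the ordinary NXDOMAIN from 10.0.0.7 is not flagged.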