System and method to detect domain generation algorithm malware and systems infected by such malware

US 10,198,579 B2
Filed: 08/22/2014
Issued: 02/05/2019
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium on which are stored instructions comprising instructions that when executed cause a programmable device to:

identify a domain name by monitoring network activity;

determine a length of a First Level Domain (FLD) of the domain name;

compare the length against a specified threshold;

remove, responsive to the comparing, the FLD from the domain name;

identify, responsive to the removing, a name as a remainder of the domain name;

calculate a lexical complexity score for the name; and

determine if the domain name is Domain Generated Algorithm (DGA) generated, based on at least the lexical complexity score.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detection of domain generated algorithms (DGA) and their command and control (C&C) servers are disclosed. In one embodiment, such an approach includes examining DNS queries for DNS resolution failures, and monitoring certain set of parameters such as number of levels, length of domain name, lexical complexity, and the like for each failed domain. These parameters may then be compared against certain thresholds to determine if the domain name is likely to be part of a DGA malware. Domain names identified as being part of a DGA malware may then be grouped together. Once a DGA domain name has been identified, activity from that domain name can be monitored to detect successful resolutions from the same source to see if any of the successful domain resolutions match these parameters. If they match specific thresholds, then the domain is determined to be a C&C server of the DGA malware and may be identified as such.

Citations

15 Claims

1. At least one non-transitory computer readable medium on which are stored instructions comprising instructions that when executed cause a programmable device to:
- identify a domain name by monitoring network activity;
  
  determine a length of a First Level Domain (FLD) of the domain name;
  
  compare the length against a specified threshold;
  
  remove, responsive to the comparing, the FLD from the domain name;
  
  identify, responsive to the removing, a name as a remainder of the domain name;
  
  calculate a lexical complexity score for the name; and
  
  determine if the domain name is Domain Generated Algorithm (DGA) generated, based on at least the lexical complexity score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause a programmable device to identify a name further cause the programmable device to:
    - identify and remove a Top Level Domain (TLD) from the name;
      
      determine whether the name starts with a pretext;
      
      remove a pretext, responsive to the determining; and
      
      identify the remaining portion of the name as the name.
  - 3. The non-transitory computer readable medium of claim 2, wherein the pretext includes the characters www.
  - 4. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause a programmable device to compare the length further cause the programmable device to determine the length of the FLD is equal or smaller than the specified threshold.
  - 5. The non-transitory computer readable medium of claim 1, wherein the instructions that when executed cause a programmable device to calculate a lexical complexity score for the name further comprise instructions to cause the programmable device to:
    - parse the name to identify valid words;
      
      create combination of valid words;
      
      calculate a total length of identified valid words;
      
      subtract the total length from a length of the name to determine a length of a remaining portion; and
      
      calculate the lexical complexity score by dividing the length of the remaining portion by the length of the name.
  - 6. The non-transitory computer readable medium of claim 5, wherein the instructions that when executed cause a programmable device to determine if the domain name is DGA generated further comprise instructions that when executed cause the programmable device to:
    - determine if a Domain Name Server (DNS) response for the domain name indicates a failed resolution;
      
      add the domain name to a list of non-existent domains if it is determined that the lexical complexity score is smaller than a lexical complexity threshold;
      
      calculate a time difference between when a first entry was made in the list of non-existent domains and a current entry was made;
      
      determine a number of entries in the list of non-existent domains; and
      
      identify the domain name as DGA generated if the time difference is smaller than a specified time threshold and the number of entries is larger than a specified count threshold.
  - 7. The non-transitory computer readable medium of claim 6, wherein the instructions that when executed cause a programmable device to determine if the domain name is DGA generated further comprise instructions to cause the programmable device to not identify the domain name as DGA generated if the domain name is identified as white listed.
  - 8. The non-transitory computer readable medium of claim 6, wherein the instructions that when executed cause a programmable device to determine if the domain name is DGA generated further comprise instructions to cause the programmable device to not identify the domain name as DGA generated if the length of the domain name is larger than a specified threshold.
  - 9. The non-transitory computer readable medium of claim 6, wherein the instructions that when executed cause a programmable device to determine if the domain name is DGA generated further comprise instructions to cause the programmable device to create a new non-existent domain list if it is determined that a calculated number of levels for the domain name has not previously been seen.

10. A method of identifying Domain Generated Algorithm (DGA) malware, comprising:
- identifying a domain name by monitoring activity of a network by a programmable device;
  
  determining a length of a First Level Domain (FLD) of the domain name;
  
  comparing the length against a specified threshold;
  
  removing, responsive to the comparing, the FLD from the domain name;
  
  identifying, responsive to the removing, a name as the remainder of the domain name;
  
  calculating a lexical complexity score for the name; and
  
  determining if the domain name is DGA generated based on at least the lexical complexity score.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein identifying a name further comprises:
    - identifying and removing a Top Level Domain (TLD) from the name;
      
      determining whether the name starts with a pretext;
      
      removing a pretext, responsive to the determining; and
      
      identifying the remaining portion of the name as the name.
  - 12. The method of claim 10, wherein comparing the length further comprises determining the length of the FLD is equal or smaller than the specified threshold.
  - 13. The method of claim 10, wherein the calculating a lexical complexity score for the name further comprises:
    - parsing the name to identify valid words;
      
      creating combination of valid words;
      
      calculating a total length of identified valid words;
      
      subtracting the total length from a length of the name to determine a length of a remaining portion; and
      
      calculating the lexical complexity score by dividing the length of the remaining portion by the length of the name.
  - 14. The method of claim 10, wherein determining if the domain name is DGA generated further comprises:
    - determining if a Domain Name Server (DNS) response for the domain name indicates a failed resolution;
      
      adding the domain name to a list of non-existent domain names if it is determined that the lexical complexity score is smaller than a lexical complexity threshold;
      
      calculating a time difference between when a first entry was made in the list of non-existent domain names and a current entry was made;
      
      determining a number of entries in the list of non-existent domain names; and
      
      identifying the domain name as DGA generated if the time difference is smaller than a specified time threshold and the number of entries is larger than a specified count threshold.
  - 15. The method of claim 14, wherein determining if the domain name is DGA generated further comprises creating a new non-existent domain list if it is determined that a calculated number of levels for the domain name has not previously been seen.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Thakar, Neeraj, Amritaluru, Praveen Kumar, Taneja, Vikas
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Le, Canh

Application Number

US14/466,806
Publication Number

US 20160057165A1
Time in Patent Office

1,628 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method to detect domain generation algorithm malware and systems infected by such malware

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to detect domain generation algorithm malware and systems infected by such malware

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links