Detecting malicious domains and client addresses in DNS traffic
First Claim
1. A method comprising:
- constructing, by a device in a network, a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;
- using, by the device, stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;
- assigning, by the device, the determined priors to the corresponding vertices of the graph;
- using, by the device, belief propagation on the graph to determine a malware inference from the graph; and
- causing, by the device, performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
Abstract
In one embodiment, a device in a network constructs a graph based on Domain Name System (DNS) traffic in which vertices of the graph correspond to client addresses from the DNS traffic and domains from DNS traffic. The device uses stacked autoencoders to determine priors for the domains and client addresses. The device assigns the determined priors to the corresponding vertices of the graph. The device uses belief propagation on the graph to determine a malware inference from the graph. The device causes performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
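The graph construction, prior assignment and belief propagation steps described in the abstract, as an added illustration that is not code from the patent: the DNS log lines and the per-vertex priors are constructed sample values (the priors stand in for the stacked-autoencoder output, which is not modelled here), and the edge potential `PSI`, the threshold and the function names are assumptions of this example.

```python
from collections import defaultdict
# Constructed sample DNS traffic: (client address, queried domain) pairs.
DNS_LOG = [("10.0.0.5", "update.example.com"), ("10.0.0.5", "x7q2.suspicious.test"),
           ("10.0.0.7", "x7q2.suspicious.test"), ("10.0.0.7", "news.example.org"),
           ("10.0.0.9", "news.example.org")]
# Constructed priors P(malicious); the patent derives these from stacked
# autoencoders, here they are assumed values standing in for that model.
PRIORS = {"update.example.com": 0.05, "x7q2.suspicious.test": 0.90,
          "news.example.org": 0.10, "10.0.0.5": 0.30, "10.0.0.7": 0.30, "10.0.0.9": 0.30}
# Edge potential PSI[x_i][x_j] (0 = benign, 1 = malicious): a client and a domain
# linked by a DNS lookup are slightly more likely to share a label (homophily).
EPS = 0.1
PSI = [[0.5 + EPS, 0.5 - EPS], [0.5 - EPS, 0.5 + EPS]]

def build_graph(log):
    # Bipartite graph: clients and domains are vertices, each lookup is an edge.
    adj = defaultdict(set)
    for client, domain in log:
        adj[client].add(domain)
        adj[domain].add(client)
    return adj

def belief_propagation(adj, priors, iterations=20):
    # Loopy BP: returns the posterior P(malicious) of every vertex.
    phi = {v: (1.0 - priors[v], priors[v]) for v in adj}
    msgs = {(i, j): (0.5, 0.5) for i in adj for j in adj[i]}
    for _ in range(iterations):
        new = {}
        for i, j in msgs:
            out = [0.0, 0.0]
            for xi in (0, 1):
                term = phi[i][xi]
                for k in adj[i]:
                    if k != j:  # all incoming messages except the one from j
                        term *= msgs[(k, i)][xi]
                for xj in (0, 1):
                    out[xj] += term * PSI[xi][xj]
            total = out[0] + out[1]
            new[(i, j)] = (out[0] / total, out[1] / total)
        msgs = new
    beliefs = {}
    for v in adj:
        b = list(phi[v])
        for k in adj[v]:
            b = [b[x] * msgs[(k, v)][x] for x in (0, 1)]
        beliefs[v] = b[1] / (b[0] + b[1])
    return beliefs
def flag_for_mitigation(beliefs, threshold=0.5):
    # Vertices whose posterior crosses the threshold trigger the mitigation step.
    return sorted(v for v, p in beliefs.items() if p >= threshold)
```

Running `flag_for_mitigation(belief_propagation(build_graph(DNS_LOG), PRIORS))` flags only the high-prior domain here, while the client that resolved it ends up with a higher posterior than the client that did not, which is the graph-propagated signal the method relies on.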
Claims (20)
1. A method comprising: (independent claim 1 is reproduced under First Claim above; dependent claims 2-9)

10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store program instructions executable by the processor, the program instructions when executed operable to:
  - construct a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;
  - use stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;
  - assign the determined priors to the corresponding vertices of the graph;
  - use belief propagation on the graph to determine a malware inference from the graph; and
  - cause performance of a mitigation action when the malware inference from the graph indicates the presence of malware.

Dependent claims: 11-18.

19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- constructing, by the device, a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;
- using, by the device, stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;
- assigning, by the device, the determined priors to the corresponding vertices of the graph;
- using, by the device, belief propagation on the graph to determine a malware inference from the graph; and
- causing, by the device, performance of a mitigation action when the malware inference from the graph indicates the presence of malware.

Dependent claim: 20.