Detecting malicious domains and client addresses in DNS traffic

US 10,382,478 B2
Filed: 12/20/2016
Issued: 08/13/2019
Est. Priority Date: 12/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

constructing, by a device in a network, a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;

using, by the device, stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;

assigning, by the device, the determined priors to the corresponding vertices of the graph;

using, by the device, belief propagation on the graph to determine a malware inference from the graph; and

causing, by the device, performance of a mitigation action when the malware inference from the graph indicates the presence of malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network constructs a graph based on Domain Name System (DNS) traffic in which vertices of the graph correspond to client addresses from the DNS traffic and domains from DNS traffic. The device uses stacked autoencoders to determine priors for the domains and client addresses. The device assigns the determined priors to the corresponding vertices of the graph. The device uses belief propagation on the graph to determine a malware inference from the graph. The device causes performance of a mitigation action when the malware inference from the graph indicates the presence of malware.

57 Citations

View as Search Results

20 Claims

1. A method comprising:
- constructing, by a device in a network, a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;
  
  using, by the device, stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;
  
  assigning, by the device, the determined priors to the corresponding vertices of the graph;
  
  using, by the device, belief propagation on the graph to determine a malware inference from the graph; and
  
  causing, by the device, performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, wherein the mitigation action comprises one of:
    - generating an alert based on the malware inference or blocking traffic associated with a potentially infected client.
  - 3. The method as in claim 1, further comprising:
    - receiving, at the device, data indicative of the DNS traffic; and
      
      extracting, by the device, the client addresses and domains from the data indicative of the DNS traffic.
  - 4. The method as in claim 1, wherein an output of the stacked autoencoders is a probability of a particular domain or client address being malware-related.
  - 5. The method as in claim 1, wherein using stacked autoencoders to determine priors for the domains and client addresses comprises:
    - using, by the device, a first set of stacked autoencoders to determine the priors for the domains; and
      
      using, by the device, a second set of stacked autoencoders to determine the priors for the client addresses, wherein the first and second sets of stacked autoencoders differ.
  - 6. The method as in claim 5, wherein using the first set of stacked autoencoders to determine the priors for the domains comprises:
    - determining, by the device, domain-related features of the DNS traffic for one or more of;
      
      a local time window, a global time window, or domain-related microservices; and
      
      constructing, by the device, a domain-related feature vector for input to the first set of stacked autoencoders.
  - 7. The method as in claim 5, wherein using the second set of stacked autoencoders to determine the priors for the client addresses comprises:
    - determining, by the device, client address-related features of the DNS traffic for one or more of;
      
      a local time window or client address-related microservices; and
      
      constructing, by the device, a client address-related feature vector for input to the second set of stacked autoencoders.
  - 8. The method as in claim 1, wherein using belief propagation on the graph to determine a malware inference from the graph comprises:
    - updating, by the device and for a particular vertex of the graph, the prior assigned to the particular vertex based on a number or type of edges connected to the particular vertex in the graph.
  - 9. The method as in claim 8, wherein the prior assigned to the particular vertex is further updated based in part on the priors assigned to the vertices connected to the particular vertex.

10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store program instructions executable by the processor, the program instructions when executed operable to;
  
  construct a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;
  
  use stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;
  
  assign the determined priors to the corresponding vertices of the graph;
  
  use belief propagation on the graph to determine a malware inference from the graph; and
  
  cause performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus as in claim 10, wherein the mitigation action comprises one of:
    - generating an alert based on the malware inference or blocking traffic associated with a potentially infected client.
  - 12. The apparatus as in claim 10, wherein the program instructions when executed is further operable to:
    - receive data indicative of the DNS traffic; and
      
      extract the client addresses and domains from the data indicative of the DNS traffic.
  - 13. The apparatus as in claim 10, wherein an output of the stacked autoencoders is a probability of a particular domain or client address being malware-related.
  - 14. The apparatus as in claim 10, wherein the apparatus uses the stacked autoencoders to determine priors for the domains and client addresses by:
    - using a first set of stacked autoencoders to determine the priors for the domains; and
      
      using a second set of stacked autoencoders to determine the priors for the client addresses, wherein the first and second sets of stacked autoencoders differ.
  - 15. The apparatus as in claim 14, wherein the apparatus uses the first set of stacked autoencoders to determine the priors for the domains by:
    - determining domain-related features of the DNS traffic for one or more of;
      
      a local time window, a global time window, or domain-related microservices; and
      
      constructing a domain-related feature vector for input to the first set of stacked autoencoders.
  - 16. The apparatus as in claim 14, wherein the apparatus uses the second set of stacked autoencoders to determine the priors for the client addresses by:
    - determining client address-related features of the DNS traffic for one or more of;
      
      a local time window or client address-related microservices; and
      
      constructing a client address-related feature vector for input to the second set of stacked autoencoders.
  - 17. The apparatus as in claim 10, wherein the apparatus uses belief propagation on the graph to determine a malware inference from the graph by:
    - updating, for a particular vertex of the graph, the prior assigned to the particular vertex based on a number or type of edges connected to the particular vertex in the graph.
  - 18. The apparatus as in claim 17, wherein the prior assigned to the particular vertex is further updated based in part on the priors assigned to the vertices connected to the particular vertex.

19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- constructing, by the device, a graph based on Domain Name System (DNS) traffic, wherein some vertices of the graph correspond to client addresses from the DNS traffic and some vertices of the graph correspond to domains from DNS traffic;
  
  using, by the device, stacked autoencoders to determine priors for the domains and client addresses, wherein the priors are prior probabilities of corresponding domains and client addresses being malicious;
  
  assigning, by the device, the determined priors to the corresponding vertices of the graph;
  
  using, by the device, belief propagation on the graph to determine a malware inference from the graph; and
  
  causing, by the device, performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
- View Dependent Claims (20)
- - 20. The computer-readable medium as in claim 19, wherein using stacked autoencoders to determine priors for the domains and client addresses comprises:
    - using, by the device, a first set of stacked autoencoders to determine the priors for the domains; and
      
      using, by the device, a second set of stacked autoencoders to determine the priors for the client addresses, wherein the first and second sets of stacked autoencoders differ.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rodriguez, David Brandon, Pan, Yuxi
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/385,079
Publication Number

US 20180176232A1
Time in Patent Office

966 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 43/045   for graphical visualisation...

H04L 43/062   related to network traffic

H04L 61/4511   using domain name system [DNS]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Detecting malicious domains and client addresses in DNS traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious domains and client addresses in DNS traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links