Embedding contexts for on-line threats into response policy zones

US 10,440,059 B1
Filed: 03/22/2017
Issued: 10/08/2019
Est. Priority Date: 03/22/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing contexts for on-line threats that are associated with domain names, the method comprising:

determining, based on threat intelligence information, one or more threat values associated with an on-line threat that is associated with a first domain name;

generating, based on the first domain name and the one or more threat values, a first alias for the first domain name;

generating a first DNS resource record that maps the first domain name to the first alias; and

transmitting a response policy zone (RPZ) that includes the first DNS resource record to a DNS name server that implements the RPZ to mitigate on-line threats.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a response policy zone (RPZ) application generates an RPZ that includes contexts for the on-line threats that are associated with domain names. For a domain name that is associated with an on-line threat, the RPZ application determines a threat specification that describes a characteristic of the on-line threat. The RPZ application then generates an alias based on the domain name and the threat specification. Subsequently, the RPZ application generates a domain name system (DNS) resource record that maps the domain name to the alias, includes the resource record in the RPZ, and transmits the RPZ to a DNS name server that implements the RPZ. Upon receiving a DNS query associated with the domain name, the DNS name server generates a DNS response based on the alias. Because the domain name and the threat specification is reflected in the alias, the DNS response automatically provides a relevant context.

7 Citations

View as Search Results

20 Claims

1. A computer-implemented method for providing contexts for on-line threats that are associated with domain names, the method comprising:
- determining, based on threat intelligence information, one or more threat values associated with an on-line threat that is associated with a first domain name;
  
  generating, based on the first domain name and the one or more threat values, a first alias for the first domain name;
  
  generating a first DNS resource record that maps the first domain name to the first alias; and
  
  transmitting a response policy zone (RPZ) that includes the first DNS resource record to a DNS name server that implements the RPZ to mitigate on-line threats.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the one or more threat values describes at least one of a severity, a threat type, or a malware family associated with the on-line threat.
  - 3. The computer-implemented method of claim 1, wherein generating the first alias comprises:
    - performing a concatenation operation between a first subdomain label associated with a first threat value included in the one or more threat values and a first string associated with a second threat value included in the one or more threat values to generate a second string;
      
      prepending the first domain name to the second string to generate a third string; and
      
      appending a high-level domain name to the third string.
  - 4. The computer-implemented method of claim 3, wherein the first string includes at least a second subdomain label associated with the the second threat value.
  - 5. The computer-implemented method of claim 3, wherein the concatenation operation is performed based on a concatenation order that reflects a first importance of the first threat value with respect to a threat analysis process relative to a second importance of the second threat value with respect to the threat analysis process.
  - 6. The computer-implemented method of claim 1, further comprising performing one or more parsing operations on a file that is written in a Structured Threat Information Expression (STIX) format, an Open Indicators of Compromise (OpenIOC) format, or a Cyber Observable Expression (CybOX) format to determine the threat intelligence information.
  - 7. The computer-implemented method of claim 1, further comprising generating a second DNS resource record that maps the first alias to an Internet Protocol address or specifies that the first alias is a non-existent domain name, wherein the RPZ also includes the second DNS resource record.
  - 8. The computer-implemented method of claim 1, wherein the first DNS resource record comprises a Canonical name record.

9. One or more non-transitory computer-readable storage media including instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of:
- determining, based on threat intelligence information, one or more threat values associated with an on-line threat that is associated with a first domain name;
  
  generating, based on the first domain name and the one or more threat values, a first alias for the first domain name;
  
  generating a first DNS resource record that maps the first domain name to the first alias; and
  
  transmitting a response policy zone (RPZ) that includes the first DNS resource record to a DNS name server that implements the RPZ to mitigate on-line threats.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The one or more non-transitory computer-readable storage media of claim 9, wherein the one or more threat values describes at least one of content or activities that classified as non-legitimate.
  - 11. The one or more non-transitory computer-readable storage media of claim 9, wherein generating the first alias comprises:
    - performing a concatenation operation between a first subdomain label associated with a first threat value included in the one or more threat values and a first string associated with a second threat value included in the one or more threat values to generate a second string;
      
      prepending the first domain name to the second string to generate a third string; and
      
      appending a high-level domain name to the third string.
  - 12. The one or more non-transitory computer-readable storage media of claim 11, wherein the first string includes at least a second subdomain label associated with the second threat value.
  - 13. The one or more non-transitory computer-readable storage media of claim 11, wherein the concatenation operation is performed based on a concatenation order that reflects a first importance of the first threat value with respect to a threat analysis process relative to a second importance of the second threat value with respect to the threat analysis process.
  - 14. The one or more non-transitory computer-readable storage media of claim 9, wherein the first DNS resource record comprises a Canonical name record.
  - 15. The one or more non-transitory computer-readable storage media of claim 9, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - determining, based on the threat intelligence information, that a second domain name is not malicious; and
      
      generating a second DNS resource record that causes the DNS name server to return an IP address associated with the second domain name.
  - 16. The one or more non-transitory computer-readable storage media of claim 9, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform the step of generating a second DNS resource record that maps a subdomain name associated with the first domain name to either the first alias or a second alias that is derived from the first alias.

17. A system comprising:
- a memory storing a response policy zone (RPZ) application; and
  
  a processor that is coupled to the memory that executes the RPZ application to;
  
  determine, based on threat intelligence, one or more threat values an on-line threat that is associated with a first domain name;
  
  generate, on the first domain name and the one or more threat values, a first alias for the first domain name;
  
  generate a first DNS resource record that maps the first domain name to the first alias; and
  
  transmit an RPZ that includes the first DNS resource record to a DNS name server that implements the RPZ to mitigate on-line threats.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the one or more threat values describes at least one of a severity, a threat type, or a malware family associated with the on-line threat.
  - 19. The system of claim 17, wherein the processor executes the RPZ application to generate the first alias by:
    - performing a concatenation operation between a first subdomain label associated with a first threat value included in the one or more threat values and a first string associated with a second threat value included in the one or more threat values to generate a second string;
      
      prepending the first domain name to the second string to generate a third string; and
      
      appending a high-level domain name to the third string.
  - 20. The system of claim 17, wherein the first DNS resource record comprises a Canonical name record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
McCarty, Benjamin Glen
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US15/466,807
Time in Patent Office

930 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/4552   Lookup mechanisms between a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Embedding contexts for on-line threats into response policy zones

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Embedding contexts for on-line threats into response policy zones

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links