Enriching netflow data with passive DNS data for botnet detection

US 10,460,101 B2
Filed: 06/06/2017
Issued: 10/29/2019
Est. Priority Date: 06/06/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor;

memory; and

a botnet detection application that is stored in the memory and executed by the processor and that is configured to;

obtain Netflow data indicating one or more IP addresses accessed by a computer;

obtain passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses;

generate features associated with the computer based on the Netflow data and passive DNS data;

generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains, and wherein, in one or more instances, the probability is determined using a computed probability distribution over the one or more IP addresses and/or the one or more domains;

assign weights to the features based on the probability data to provide weighted features; and

determine whether the computer is likely to be part of a botnet based on the weighted features.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.

Citations

23 Claims

1. A system comprising:
- a processor;
  
  memory; and
  
  a botnet detection application that is stored in the memory and executed by the processor and that is configured to;
  
  obtain Netflow data indicating one or more IP addresses accessed by a computer;
  
  obtain passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses;
  
  generate features associated with the computer based on the Netflow data and passive DNS data;
  
  generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains, and wherein, in one or more instances, the probability is determined using a computed probability distribution over the one or more IP addresses and/or the one or more domains;
  
  assign weights to the features based on the probability data to provide weighted features; and
  
  determine whether the computer is likely to be part of a botnet based on the weighted features.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the botnet detection application is further configured to obtain domain registration data indicating at least one of a date of registration and a registrant associated with each of the one more domains.
  - 3. The system of claim 2, wherein the botnet detection application is further configured to generate the features based on the domain registration data.
  - 4. The system of claim 1, wherein the botnet detection application is configured to determine whether the computer is likely to be part of the botnet by applying a supervised machine learning algorithm to the weighted features.
  - 5. The system of claim 4, wherein applying the supervised machine learning algorithm comprises training the supervised machine learning algorithm using historical data and known labels associated with a plurality of different computers.
  - 6. The system of claim 1, wherein the features include one or more of:
    - an indication that the computer has accessed rare IP addresses or domains;
      
      an indication that the computer has accessed domains having less than or equal to a predetermined age;
      
      an indication that the computer has received a number of NX domain responses to DNS queries exceeding a predetermined threshold;
      
      an indication that the computer has accessed a number of IP addresses or domains for the first time exceeding a predetermined threshold; and
      
      an indication that the computer has accessed an IP address or domain associated with an idiosyncratic score exceeding a predetermined threshold.
  - 7. The system of claim 1, wherein the botnet detection application is configured to determine whether the computer is likely to be part of the botnet by comparing the weighted features with corresponding features associated with a plurality of different computers known to be part of a botnet.
  - 8. The system of claim 1, wherein the botnet detection application is configured to obtain the Netflow data from one or more routers.
  - 9. The system of claim 1, wherein the botnet detection application is configured to obtain the passive DNS data from one or more DNS servers.
  - 10. The system of claim 1, wherein the computer comprises a virtual machine.
  - 11. The system of claim 1, wherein the features include an indication that the computer has accessed rare IP addresses or domains.
  - 12. The system of claim 1, wherein the features include an indication that the computer has accessed domains having less than or equal to a predetermined age.
  - 13. The system of claim 1, wherein the features include an indication that the computer has received a number of NX domain responses to DNS queries exceeding a predetermined threshold.
  - 14. The system of claim 1, wherein the features include an indication that the computer has accessed a number of IP addresses or domains for a first time exceeding a predetermined threshold.
  - 15. The system of claim 1, wherein the features include an indication that the computer has accessed an IP address or domain associated with an idiosyncratic score exceeding a predetermined threshold.

16. A method comprising:
- obtaining, from one or more routers, Netflow data indicating one or more IP addresses accessed by a computer;
  
  obtaining, from one or more Domain Name System (DNS) servers, passive DNS data indicating respective one or more domains associated with each of the one or more IP addresses;
  
  generating features associated with the computer based on the Netflow data and passive DNS data, wherein the features include one or more of;
  
  an indication that the computer has accessed rare IP addresses or domains;
  
  an indication that the computer has accessed domains having less than or equal to a predetermined age;
  
  an indication that the computer has received a number of NX domain responses to DNS queries exceeding a predetermined threshold;
  
  an indication that the computer has accessed a number of IP addresses or domains for a first time exceeding a predetermined threshold;
  
  oran indication that the computer has accessed an IP address or domain associated with an idiosyncratic score exceeding a predetermined threshold;
  
  generating probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains;
  
  assigning weights to the features based on the probability data to provide weighted features;
  
  training a supervised machine learning algorithm using historical data and known labels associated with a plurality of different computers; and
  
  determining whether the computer is likely to be part of a botnet by applying the supervised machine learning algorithm to the weighted features.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising:
    - obtaining domain registration data indicting at least one of a date of registration and a registrant associated with each of the one or more domains.
  - 18. The method of claim 17, wherein generating the features is further based on the domain registration data.
  - 19. The method of claim 16, wherein the computer comprises a virtual machine.

20. A system comprising:
- a processor;
  
  memory;
  
  a botnet detection application that is stored in the memory and executed by the processor and that is configured to;
  
  obtain, from one or more routers, Netflow data indicating one or more IP addresses accessed by a computer;
  
  obtain, from one or more Domain Name System (DNS) servers, passive DNS data indicating respective one or more domains associated with each of the one or more IP addresses;
  
  generate features associated with the computer based on the Netflow data and passive DNS data, wherein the features include one or more of;
  
  an indication that the computer has accessed rare IP addresses or domains;
  
  an indication that the computer has accessed domains having less than or equal to a predetermined age;
  
  an indication that the computer has received a number of NX domain responses to DNS queries exceeding a predetermined threshold;
  
  an indication that the computer has accessed a number of IP addresses or domains for a first time exceeding a predetermined threshold;
  
  oran indication that the computer has accessed an IP address or domain associated with an idiosyncratic score exceeding a predetermined threshold;
  
  generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains;
  
  assign weights to the features based on the probability data to provide weighted features;
  
  train a supervised machine learning algorithm using historical data and known labels associated with a plurality of different computers; and
  
  determine whether the computer is likely to be part of a botnet by applying the supervised machine learning algorithm to the weighted features.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20, wherein the botnet detection application is further configured to obtain domain registration data indicting at least one of a date of registration and a registrant associated with each of the one or more domains.
  - 22. The system of claim 21, wherein the botnet detection application is further configured to generate the features based on the domain registration data.
  - 23. The system of claim 20, wherein the computer comprises a virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Teller, Tomer, Levin, Roy
Primary Examiner(s)
Song, Hosuk

Application Number

US15/615,002
Publication Number

US 20180349599A1
Time in Patent Office

875 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

Enriching netflow data with passive DNS data for botnet detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Enriching netflow data with passive DNS data for botnet detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links