DNS based infection scores
Abstract
Systems and methods associated with domain name system (DNS) based infection scores. One example method includes maintaining query profiles for members of a set of clients in a network. The query profiles may be maintained based on DNS queries sent from the members of the set of clients, and on DNS responses received by the members of the set of clients. The method also includes generating infection scores for the members of the set of clients based on their respective query profiles. The method also includes prioritizing a vulnerable member of the set of clients for remedial action. The vulnerable member may be prioritized based on infection scores of members of the set of clients.
20 Claims
1. A non-transitory computer-readable medium storing computer-executable instructions that when executed by a computer cause the computer to:

maintain query profiles for members of a set of clients in a network based on domain name system (DNS) queries sent from the members of the set of clients, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains; generate infection scores for the members of the set of clients based on their respective query profiles, wherein the infection scores are generated based on quantities of the types of domain names requested in the DNS queries sent from the members of the set of clients; and prioritize a vulnerable member of the set of clients for remedial action based on the infection scores.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 15

9. A domain name system (DNS) based infection scoring system, comprising:

at least one processor; a data store to store DNS query profiles associated with members of a set of clients protected by the DNS based infection scoring system; non-transitory computer-readable medium storing computer-executable instructions that when executed by the at least one processor cause the system to: perform real time updating of DNS query profiles based on DNS queries sent from the members of the set of clients, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains; generate weighted infection scores for the members of the set of clients based on their respective DNS query profiles, wherein the infection scores are generated based on quantities of the types of domain names requested in DNS queries sent from the members of the set of clients; and cause a remedial action to be performed on the member of the set of clients having a highest weighted infection score.

Dependent claims: 10, 11, 12, 13, 16, 18, 19

14. A method for a computer, comprising:

inspecting domain name system (DNS) packets sent from a client, wherein the client is a member of a set of clients in a network protected by the computer; collecting the attributes over time into a query profile associated with the client, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains; comparing the query profile against control profiles to generate an infection score for the client, wherein the infection score is generated based on quantities of the types of domain names requested in DNS queries sent from the client; and scheduling the client for a remedial action when the client has a high infection score, when compared against infection scores of other members of the set of clients.

Dependent claims: 17, 20
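The scoring pipeline the independent claims describe (per-client query profiles counting blacklisted, whitelisted and grey names, a weighted infection score compared against a control profile, and ranking clients for remediation), as an added illustration that is not code from the patent. The reputation lists, weights, control profile and query log are all constructed placeholders; the score formula is one assumed reading of the claims, not the patent's own.

```python
from collections import Counter

# Constructed reputation lists (placeholders, not real indicators).
BLACKLIST = {"bad-c2.example", "malware-drop.example"}
WHITELIST = {"update.example", "mail.example", "intranet.example"}

# Assumed weight each domain type contributes to the infection score.
WEIGHTS = {"blacklisted": 10.0, "grey": 1.0, "whitelisted": 0.0}


def classify(qname):
    """Map a queried name onto the three types used by the claims."""
    name = qname.lower().rstrip(".")
    if name in BLACKLIST:
        return "blacklisted"
    if name in WHITELIST:
        return "whitelisted"
    return "grey"  # in neither list


def build_profiles(queries):
    """queries: (client, qname) pairs seen on the resolver.
    Returns {client: Counter({type: quantity})}, the per-client query profile."""
    profiles = {}
    for client, qname in queries:
        profiles.setdefault(client, Counter())[classify(qname)] += 1
    return profiles


def infection_score(profile, control):
    """Weighted score of how far each type's share of a client's queries
    exceeds the share seen in a control profile of known-clean clients."""
    total, ctl_total = sum(profile.values()), sum(control.values())
    score = 0.0
    for dtype, weight in WEIGHTS.items():
        share = profile[dtype] / total if total else 0.0
        baseline = control[dtype] / ctl_total if ctl_total else 0.0
        score += weight * max(0.0, share - baseline)
    return round(score, 3)


def prioritize(profiles, control):
    """Rank clients by score, highest first; the head of the list is remediated first."""
    scored = {c: infection_score(p, control) for c, p in profiles.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed DNS query log, not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "update.example"), ("10.0.0.5", "mail.example"), ("10.0.0.5", "cdn.example"),
    ("10.0.0.7", "bad-c2.example"), ("10.0.0.7", "mail.example"),
    ("10.0.0.7", "x1.example"), ("10.0.0.7", "x2.example"),
    ("10.0.0.9", "a.example"), ("10.0.0.9", "b.example"),
    ("10.0.0.9", "c.example"), ("10.0.0.9", "intranet.example"),
]
# Constructed control profile aggregated from clean clients: mostly whitelisted names.
CONTROL = Counter({"whitelisted": 8, "grey": 2, "blacklisted": 0})
```

Running `prioritize(build_profiles(SAMPLE_QUERIES), CONTROL)` puts the client that resolved a blacklisted name first, then the client whose grey-domain share is well above the control baseline.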
Specification