DNS based infection scores

US 10,474,820 B2
Filed: 06/17/2014
Issued: 11/12/2019
Est. Priority Date: 06/17/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium storing computer-executable instructions that when executed by a computer cause the computer to:

maintain query profiles for members of a set of clients in a network based on domain name system (DNS) queries sent from the members of the set of clients, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains;

generate infection scores for the members of the set of clients based on their respective query profiles, wherein the infection scores are generated based on quantities of the types of domain names requested in the DNS queries sent from the members of the set of clients; and

prioritize a vulnerable member of the set of clients for remedial action based on the infection scores.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods associated with domain name system (DNS) based infection scores. One example method includes maintaining query profiles for members of a set of clients in a network. The query profiles may be maintained based on DNS queries sent from the members of the set of clients, and on DNS responses received by the members of the set of clients. The method also includes generating infection scores for the members of the set of clients based on their respective query profiles. The method also includes prioritizing a vulnerable member of the set of clients for remedial action. The vulnerable member may be prioritized based on infection scores of members of the set of clients.

56 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium storing computer-executable instructions that when executed by a computer cause the computer to:
- maintain query profiles for members of a set of clients in a network based on domain name system (DNS) queries sent from the members of the set of clients, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains;
  
  generate infection scores for the members of the set of clients based on their respective query profiles, wherein the infection scores are generated based on quantities of the types of domain names requested in the DNS queries sent from the members of the set of clients; and
  
  prioritize a vulnerable member of the set of clients for remedial action based on the infection scores.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the query profiles track, for their respective members of the set of clients, quantities of types of internet protocol (IP) addresses received in DNS responses received by the members of the set of clients, and wherein the types of IP addresses received include blacklisted IP addresses, whitelisted IP addresses, and grey IP addresses.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the query profiles track, for their respective members of the set of clients, quantities of DNS responses received that contain no IP addresses, quantities of DNS responses received that contain a single IP address, and quantities of DNS responses received that contain multiple IP addresses.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the query profiles track, for their respective members of the set of clients, derived features of the DNS queries and DNS responses, wherein the derived features include one or more of, a percentage of blacklisted domains requested, a percentage of blacklisted IP addresses received, a weighted score of blacklisted domains requested, and a weighted score of blacklisted IP addresses received.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the instructions that cause the computer to generate infection scores comprise instructions that cause the computer to:
    - generate feature vectors for members of the set of clients based on their respective query profiles; and
      
      compare the feature vectors to a control set of feature vectors having known infections states.
  - 6. The non-transitory computer-readable medium of claim 5, wherein the feature vectors are compared to the control set of feature vectors using one or more of, a decision tree, a logistic regression, clustering, and a support vector machine.
  - 7. The non-transitory computer-readable medium of claim 1, wherein prioritizing the vulnerable member of the set of clients is also based on one or more of, contents of the members of the set of clients, user identities associated with members of the set of clients, and past infection states of members of the set of clients.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the remedial action comprises one or more of, removing a malware from the vulnerable member of the set of clients, installing a security application on the vulnerable member of the set of clients, restoring the vulnerable member of the set of clients to a prior state, and replacing the vulnerable member of the set of clients.
  - 15. The non-transitory computer-readable medium of claim 1, wherein the grey domains are domains that are not among the blacklisted domains or the whitelisted domains.

9. A domain name system (DNS) based infection scoring system, comprising:
- at least one processor;
  
  a data store to store DNS query profiles associated with members of a set of clients protected by the DNS based infection scoring system;
  
  non-transitory computer-readable medium storing computer-executable instructions that when executed by the at least one processor cause the system to;
  
  perform real time updating of DNS query profiles based on DNS queries sent from the members of the set of clients, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains;
  
  generate weighted infection scores for the members of the set of clients based on their respective DNS query profiles, wherein the infection scores are generated based on quantities of the types of domain names requested in DNS queries sent from the members of the set of clients; and
  
  cause a remedial action to be performed on the member of the set of clients having a highest weighted infection score.
- View Dependent Claims (10, 11, 12, 13, 16, 18, 19)
- - 10. The DNS based infection scoring system of claim 9, wherein the remedial action includes providing an alert to an administrator identifying the member of the set of clients and the remedial action.
  - 11. The DNS based infection scoring system of claim 9, further comprising a control data set against which DNS query profiles are compared when generating infection scores for the members of the set of clients.
  - 12. The DNS based infection scoring system of claim 11, wherein the instructions when executed by the processor cause the system to modify the control data set over time based on the infection scores.
  - 13. The DNS based infection scoring system of claim 12, wherein the instructions when executed by the processor cause the system to modify the control data set over time based on one or more of, input from administrators, and the query profiles.
  - 16. The DNS based infection scoring system of claim 9, wherein the grey domains are domains that are not among the blacklisted domains or the whitelisted domains.
  - 18. The DNS based infection scoring system of claim 9, wherein the DNS query profiles track, for their respective members of the set of clients, quantities of types of internet protocol (IP) addresses received in DNS responses received by the members of the set of clients, and wherein the types of IP addresses received include blacklisted IP addresses, whitelisted IP addresses, and grey IP addresses.
  - 19. The DNS based infection scoring system of claim 9, wherein the DNS query profiles track, for their respective members of the set of clients, quantities of DNS responses received that contain no IP addresses, quantities of DNS responses received that contain a single IP address, and quantities of DNS responses received that contain multiple IP addresses.

14. A method for a computer, comprising:
- inspecting domain name system (DNS) packets sent from a client, wherein the client is a member of a set of clients in a network protected by the computer;
  
  collecting the attributes over time into a query profile associated with the client, wherein the query profiles track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients, wherein the types of domain names include blacklisted domains, whitelisted domains, and grey domains, and wherein the grey domains are not included in the whitelisted domains or the blacklisted domains;
  
  comparing the query profile against control profiles to generate an infection score for the client, wherein the infection score is generated based on quantities of the types of domain names requested in DNS queries sent from the client; and
  
  scheduling the client for a remedial action when the client has a high infection score, when compared against infection scores of other members of the set of clients.
- View Dependent Claims (17, 20)
- - 17. The method of claim 14, wherein the grey domains are domains that are not among the blacklisted domains or the whitelisted domains.
  - 20. The method of claim 14, wherein the query profile tracks, for the client, quantities of types of internet protocol (IP) addresses received in DNS responses received by the client, and wherein the types of IP addresses received include blacklisted IP addresses, whitelisted IP addresses, and grey IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Manadhata, Pratyusa K
Primary Examiner(s)
Kanaan, Simon P

Application Number

US15/319,539
Publication Number

US 20170323102A1
Time in Patent Office

1,974 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/435   Filtering based on addition...

G06F 16/9554   by using bar codes

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

DNS based infection scores

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DNS based infection scores

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links