Detection of known and unknown malicious domains

US 10,574,681 B2
Filed: 09/04/2017
Issued: 02/25/2020
Est. Priority Date: 09/04/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious command and control (CNC) channels, comprising:

collecting, by a processor, information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains;

acquiring, from one or more external or internal sources, malicious domain information and malicious Internet Protocol (IP) hosting information for the domains;

generating an access time profile based on the times of the transmissions to the domains;

generating a popularity profile based on the transmissions to the domains;

generating a malicious domain profile based on the acquired malicious domain information and the acquired malicious Internet Protocol (IP) hosting information;

modeling, using the access time profile, the popularity profile and the malicious domain profile, the collected information;

predicting one or more of the domains to host a malicious CNC channel based on their respective modeled collected information; and

generating an alert for the one or more predicted domains;

wherein predicting a given domain to be suspicious comprises calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold,wherein modeling the collected information comprises modeling using a malicious artifact profile, andwherein the malicious domain information comprises domain registration features or domain name features.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.

42 Citations

View as Search Results

33 Claims

1. A method for detecting malicious command and control (CNC) channels, comprising:
- collecting, by a processor, information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains;
  
  acquiring, from one or more external or internal sources, malicious domain information and malicious Internet Protocol (IP) hosting information for the domains;
  
  generating an access time profile based on the times of the transmissions to the domains;
  
  generating a popularity profile based on the transmissions to the domains;
  
  generating a malicious domain profile based on the acquired malicious domain information and the acquired malicious Internet Protocol (IP) hosting information;
  
  modeling, using the access time profile, the popularity profile and the malicious domain profile, the collected information;
  
  predicting one or more of the domains to host a malicious CNC channel based on their respective modeled collected information; and
  
  generating an alert for the one or more predicted domains;
  
  wherein predicting a given domain to be suspicious comprises calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold,wherein modeling the collected information comprises modeling using a malicious artifact profile, andwherein the malicious domain information comprises domain registration features or domain name features.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method according to claim 1, wherein collecting the information comprises retrieving data packets from the network.
  - 3. The method according to claim 1, wherein collecting the information comprises retrieving the information from log data.
  - 4. The method according to claim 1, wherein the malicious artifact profile comprises one or more features selected from a group consisting of a domain reputation, a total number of connections to a given domain during a specific time period, an average volume of the connections to the given domain during a specific time period, a variance of the volume to the given domain during a specific time period, and a number of referrers to the given domain.
  - 5. The method according to claim 1, wherein predicting a given domain to be suspicious comprises predicting, for the given domain, a command and control (CnC) suspiciousness based on the modeled collected information and a malicious suspiciousness based on the malicious domain information.
  - 6. The method according to claim 5, wherein predicting the CnC suspiciousness comprises executing a classification algorithm using a CnC suspiciousness model, and wherein predicting the malicious suspiciousness comprises executing the classification algorithm using a malicious domain model.
  - 7. The method according to claim 5, wherein predicting the one or more domains to be suspicious comprises predicting a plurality of domains to be CnC channels based on their respective CnC suspiciousness, and predicting, from the plurality of domains predicted to be CnC channels, the one or more domains based on their respective malicious suspiciousness.
  - 8. The method according to claim 5, wherein predicting the one or more domains to be suspicious comprises predicting a plurality of domains to be malicious based on their respective malicious suspiciousness, and predicting, from the plurality of domains predicted malicious, the one or more domains based on their respective CnC suspiciousness.
  - 9. The method according to claim 1, wherein the malicious domain information comprises domain registration features and domain name features.
  - 10. The method according to claim 9, wherein the domain has a registrant, and wherein each of the domain registration features is selected from a list consisting of whether or not the registrant appears on a blacklist and whether or not the registrant comprises any suspicious keywords.
  - 11. The method according to claim 9, wherein each of the domain name features is selected from a list consisting of a length of the domain, whether or not the domain is a top level domain and an age of the domain.
  - 12. The method according to claim 1, wherein the malicious IP hosting information is selected from a list consisting of, domain to IP information for the domain, a number of distinct IP addresses resolved to the domain during a specified time period, a number of distinct autonomous systems that hosted the domain during a specified time period, whether or not the domain is hosted on a rentable autonomous system, whether or not the domain is hosted on a bulletproof autonomous system.
  - 13. The method according to claim 1, wherein generating an access profile based on the times of the transmissions to the domains comprises determining a number of distinct time periods of the transmissions to the domains during a specified time period, wherein a level of suspiciousness of a given domain is directly correlated to the number of distinct time periods of the transmissions to the given domain.
  - 14. The method according to claim 13, wherein the distinct time periods are selected from a list consisting of distinct dates, distinct hours during a specific time period, distinct weekend days during a specific time period, and a number of distinct hours.
  - 15. The method according to claim 1, wherein the access time profiles are also based on respective durations of the transmissions to each of the domains.
  - 16. The method according to claim 1, wherein the access time profiles are also based on respective variabilities of session lengths of the transmissions to each of the domain.
  - 17. The method according to claim 1, wherein the access time profiles are also based respective average lengths of the transmissions to each of the domains.
  - 18. The method according to claim 1, wherein generating the popularity profile comprises identifying a total number of connections to each given domain in the transmissions to the domains.
  - 19. The method according to claim 1, wherein generating the popularity profile comprises identifying a number of distinct endpoints accessing a given domain during a specific time period.
  - 20. The method according to claim 1, wherein a plurality of the endpoints comprise respective additional processors executing multiple software processes transmitting to the domains, and comprising identifying a first given software process as unpopular, identifying a second given software process as popular, identifying a first given domain as unpopular, and identifying a second given domain as anomalous, and wherein predicting one or more of the domains to be suspicious comprises identifying the first given software process transmitting to the first given domain or identifying the second given software process transmitting to the second given domain.

21. An apparatus for detecting malicious command and control (CNC) channels, comprising:
- a memory; and
  
  a processor configured;
  
  to collect information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains,to acquire, from one or more external or internal sources, malicious domain information and malicious Internet Protocol (IP) hosting information for the domains,to generate an access time profile based on of the transmissions to the domains,to generate a popularity profile based on the transmissions to the domains,to generate a malicious domain profile based on the acquired malicious domain information and the acquired malicious Internet Protocol (IP) hosting information,to model, using the access time profile, the popularity profile and the malicious domain profile, the collected information,to predict one or more of the domains to host a malicious CNC channel based on their respective modeled collected information, andto generate an alert for the one or more-predicted domains;
  
  wherein the processor is configured to predict a given domain to be suspicious by calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold,wherein the processor is configured to model the collected information using a malicious artifact profile, andwherein the malicious domain information comprises domain registration features or domain name features.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus according to claim 21, wherein the processor is configured to collect the information by retrieving data packets from the network.
  - 23. The apparatus according to claim 21, wherein the processor is configured to collect the information by retrieving the information from log data.
  - 24. The apparatus according to claim 21, wherein the malicious artifact profile comprises one or more features selected from a group consisting of a domain reputation, a total number of connections to a given domain during a specific time period, an average volume of the connections to the given domain during a specific time period, a variance of the volume to the given domain during a specific time period, and a number of referrers to the given domain.
  - 25. The apparatus according to claim 21, wherein the processor is configured to predict a given domain to be suspicious by predicting, for the given domain, a command and control (CnC) suspiciousness based on the modeled collected information and a malicious suspiciousness based on the malicious domain information.
  - 26. The apparatus according to claim 25, wherein the processor is configured to predict the CnC suspiciousness by executing a classification algorithm using a CnC suspiciousness model, and wherein the processor is configured to predict the malicious suspiciousness by executing the classification algorithm using a malicious domain model.
  - 27. The apparatus according to claim 25, wherein the processor is configured to predict the one or more domains to be suspicious by predicting a plurality of domains to be CnC channels based on their respective CnC suspiciousness, and predicting, from the plurality of domains predicted to be CnC channels, the one or more domains based on their respective malicious suspiciousness.
  - 28. The apparatus according to claim 25, wherein the processor is configured to predict the one or more domains to be suspicious by predicting a plurality of domains to be malicious based on their respective malicious suspiciousness, and predicting, from the plurality of domains predicted malicious, the one or more domains based on their respective CnC suspiciousness.
  - 29. The apparatus according to claim 21, wherein the access time profile comprises one or more features selected from a group consisting of a number of distinct dates that a given endpoint accesses by a given domain, a number of distinct hours during a specific time period that that a given endpoint accesses by a given domain, a duration of a given transmission to a given domain, a variability of a session length for a given transmission to a given domain, an average volume of transmissions to a given domain, a number of distinct weekdays a given domain is accessed during a specific time period, a number of distinct weekend days a given domain is accessed during a specific time period, and a number of distinct hours a given domain is accessed during a specific time period, and wherein the popularity profile comprises one or more features selected from a group consisting of a number of distinct endpoints accessing a given domain during a specific time period, and a total number of connections to a given domain during a specific time period.
  - 30. The apparatus according to claim 21, wherein the processor comprises a first processor, wherein a plurality of the endpoints comprise respective additional processors executing multiple software processes transmitting to the domains, and wherein the identifying a first given software process as unpopular, identifying a second given software process as popular, identifying a first given domain as unpopular, and identifying a second given domain as anomalous, and wherein the first processor is configured to predict one or more of the domains to be suspicious by identifying the first given software process transmitting to the first given domain or identifying the second given software process transmitting to the second given domain.

31. A computer software product for detecting malicious command and control (CNC) channels, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to collect information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains;
  
  to acquire, from one or more external or internal sources, malicious domain registration information and malicious Internet Protocol (IP) hosting information for the domains;
  
  to generate an access time profile based on the times of the transmissions to the domains;
  
  to generate a popularity profile based on the transmissions to the domains;
  
  to generate a malicious domain profile based on the acquired malicious domain registration information and the acquired malicious Internet Protocol (IP) hosting information;
  
  to model, using the access time profile, the popularity profile and the malicious domain profile, the collected information;
  
  to predict one or more of the domains to host a malicious CNC channel based on their respective modeled collected information; and
  
  to generate an alert for the one or more predicted domains;
  
  wherein the computer is caused to predict a given domain to be suspicious by calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold,wherein the computer is caused to model the collected information using a malicious artifact profile, andwherein the malicious domain information comprises domain registration features or domain name features.

32. A method, comprising:
- collecting, by a processor, information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains;
  
  acquiring, from one or more external or internal sources, maliciousness information for the domains;
  
  generating an access time profile based on a number of distinct time periods of the transmissions to the domains during a specified time period, wherein a level of suspiciousness of a given domain is directly correlated to the number of distinct time periods of the transmissions to the given domain;
  
  generating a popularity profile based on the transmissions to the domains;
  
  generating a malicious domain profile based on the acquired maliciousness information;
  
  modeling, using the access time profile, the popularity profile and the malicious domain profile, the collected information;
  
  predicting one or more of the domains to be suspicious based on their respective modeled collected information; and
  
  generating an alert for the one or more predicted domains;
  
  wherein predicting a given domain to be suspicious comprises calculating a score responsive to the modeled collected information for the given domain and the maliciousness information for the given domain, and detecting that the score is greater than a specified score threshold,wherein modeling the collected information comprises modeling using a malicious artifact profile, andwherein the maliciousness information comprises domain registration features or domain name features.
- View Dependent Claims (33)
- - 33. The method according to claim 32, wherein the distinct time periods are selected from a list consisting of distinct dates, distinct hours during a specific time period and distinct weekend days during a specific time period, and a number of distinct hours.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Meshi, Yinnon, Allon, Jonathan, Firstenberg, Eyal, Neuman, Yaron, Paz, Dekel, Amit, Idan
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Cheema, Ali H.

Application Number

US15/694,890
Publication Number

US 20180069883A1
Time in Patent Office

904 Days
Field of Search

726 22, 726 23, 726 24, 709227, 706 12, 706 14, 713176
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Detection of known and unknown malicious domains

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of known and unknown malicious domains

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links