Detection of known and unknown malicious domains
First Claim
1. A method for detecting malicious command and control (CNC) channels, comprising:
- collecting, by a processor, information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains;
acquiring, from one or more external or internal sources, malicious domain information and malicious Internet Protocol (IP) hosting information for the domains;
generating an access time profile based on the times of the transmissions to the domains;
generating a popularity profile based on the transmissions to the domains;
generating a malicious domain profile based on the acquired malicious domain information and the acquired malicious Internet Protocol (IP) hosting information;
modeling, using the access time profile, the popularity profile and the malicious domain profile, the collected information;
predicting one or more of the domains to host a malicious CNC channel based on their respective modeled collected information; and
generating an alert for the one or more predicted domains;
wherein predicting a given domain to be suspicious comprises calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold,wherein modeling the collected information comprises modeling using a malicious artifact profile, andwherein the malicious domain information comprises domain registration features or domain name features.
3 Assignments
0 Petitions
Accused Products
Abstract
A method, including collecting information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, and acquiring, from one or more external or internal sources, maliciousness information for the domains. An access time profile is generated based on the times of the transmissions to the domains, and a popularity profile is generated based on the transmissions to the domains. A malicious domain profile is generated based on the acquired maliciousness information, and the collected information is modeled using the access time profile, the popularity profile and the malicious domain profile. Based on their respective modeled collected information, one or more of the domains is predicted to be suspicious, and an alert is generated for the one or more identified domains.
42 Citations
33 Claims
-
1. A method for detecting malicious command and control (CNC) channels, comprising:
-
collecting, by a processor, information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains; acquiring, from one or more external or internal sources, malicious domain information and malicious Internet Protocol (IP) hosting information for the domains; generating an access time profile based on the times of the transmissions to the domains; generating a popularity profile based on the transmissions to the domains; generating a malicious domain profile based on the acquired malicious domain information and the acquired malicious Internet Protocol (IP) hosting information; modeling, using the access time profile, the popularity profile and the malicious domain profile, the collected information; predicting one or more of the domains to host a malicious CNC channel based on their respective modeled collected information; and generating an alert for the one or more predicted domains; wherein predicting a given domain to be suspicious comprises calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold, wherein modeling the collected information comprises modeling using a malicious artifact profile, and wherein the malicious domain information comprises domain registration features or domain name features. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. An apparatus for detecting malicious command and control (CNC) channels, comprising:
-
a memory; and a processor configured; to collect information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains, to acquire, from one or more external or internal sources, malicious domain information and malicious Internet Protocol (IP) hosting information for the domains, to generate an access time profile based on of the transmissions to the domains, to generate a popularity profile based on the transmissions to the domains, to generate a malicious domain profile based on the acquired malicious domain information and the acquired malicious Internet Protocol (IP) hosting information, to model, using the access time profile, the popularity profile and the malicious domain profile, the collected information, to predict one or more of the domains to host a malicious CNC channel based on their respective modeled collected information, and to generate an alert for the one or more-predicted domains; wherein the processor is configured to predict a given domain to be suspicious by calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold, wherein the processor is configured to model the collected information using a malicious artifact profile, and wherein the malicious domain information comprises domain registration features or domain name features. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
-
-
31. A computer software product for detecting malicious command and control (CNC) channels, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
-
to collect information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains; to acquire, from one or more external or internal sources, malicious domain registration information and malicious Internet Protocol (IP) hosting information for the domains; to generate an access time profile based on the times of the transmissions to the domains; to generate a popularity profile based on the transmissions to the domains; to generate a malicious domain profile based on the acquired malicious domain registration information and the acquired malicious Internet Protocol (IP) hosting information; to model, using the access time profile, the popularity profile and the malicious domain profile, the collected information; to predict one or more of the domains to host a malicious CNC channel based on their respective modeled collected information; and to generate an alert for the one or more predicted domains; wherein the computer is caused to predict a given domain to be suspicious by calculating a score responsive to the modeled collected information for the given domain and the malicious domain information for the given domain, and detecting that the score is greater than a specified score threshold, wherein the computer is caused to model the collected information using a malicious artifact profile, and wherein the malicious domain information comprises domain registration features or domain name features.
-
-
32. A method, comprising:
-
collecting, by a processor, information on data transmitted at respective times between multiple endpoints and multiple Internet sites having respective domains; acquiring, from one or more external or internal sources, maliciousness information for the domains; generating an access time profile based on a number of distinct time periods of the transmissions to the domains during a specified time period, wherein a level of suspiciousness of a given domain is directly correlated to the number of distinct time periods of the transmissions to the given domain; generating a popularity profile based on the transmissions to the domains; generating a malicious domain profile based on the acquired maliciousness information; modeling, using the access time profile, the popularity profile and the malicious domain profile, the collected information; predicting one or more of the domains to be suspicious based on their respective modeled collected information; and generating an alert for the one or more predicted domains; wherein predicting a given domain to be suspicious comprises calculating a score responsive to the modeled collected information for the given domain and the maliciousness information for the given domain, and detecting that the score is greater than a specified score threshold, wherein modeling the collected information comprises modeling using a malicious artifact profile, and wherein the maliciousness information comprises domain registration features or domain name features. - View Dependent Claims (33)
-
Specification