Analyzing DNS requests for anomaly detection

US 10,587,646 B2
Filed: 08/21/2018
Issued: 03/10/2020
Est. Priority Date: 07/06/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting anomalies in Domain Name System (DNS) requests, the method comprising:

receiving DNS data, the DNS data including a plurality of DNS requests generated within a time period, wherein the DNS data includes a plurality of DNS data fragments received during the time period;

the plurality of DNS requests including a first DNS request (Qi), wherein the first DNS request is associated with a domain name;

detecting a family of domain names associated with the domain name, said detecting comprising calculating a semantic similarity between strings of domain names;

selecting a plurality of second DNS requests (Qj) from the plurality of DNS requests, wherein each of the second DNS requests is member of the family of domain names;

calculating a count value for each of the DNS data fragments, wherein each of the count values represents a number of instances or frequency the second DNS requests appear within one of the DNS data fragments; and

determining an anomaly trend based on the count values of the plurality of second DNS requests associated with the plurality of the DNS data fragments.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting anomalies in DNS requests comprises receiving a plurality of DNS requests generated within a predetermined period. The predetermined period includes a plurality of DNS data fragments. The method further includes receiving a first DNS request and selecting a plurality of second DNS requests from the plurality of DNS requests such that each of the second DNS requests is a subset of the first DNS request. The method also includes calculating a count value for each of the DNS data fragments, where each of the count values represents a number of instances the second DNS requests appear within one of the DNS data fragments. In some embodiments, the count values for each of the DNS data fragments can be normalized. The method further includes determining an anomaly trend, for example, based on determining that at least one of the count values exceeds a predetermined threshold value.

21 Citations

View as Search Results

16 Claims

1. A computer-implemented method for detecting anomalies in Domain Name System (DNS) requests, the method comprising:
- receiving DNS data, the DNS data including a plurality of DNS requests generated within a time period, wherein the DNS data includes a plurality of DNS data fragments received during the time period;
  
  the plurality of DNS requests including a first DNS request (Qi), wherein the first DNS request is associated with a domain name;
  
  detecting a family of domain names associated with the domain name, said detecting comprising calculating a semantic similarity between strings of domain names;
  
  selecting a plurality of second DNS requests (Qj) from the plurality of DNS requests, wherein each of the second DNS requests is member of the family of domain names;
  
  calculating a count value for each of the DNS data fragments, wherein each of the count values represents a number of instances or frequency the second DNS requests appear within one of the DNS data fragments; and
  
  determining an anomaly trend based on the count values of the plurality of second DNS requests associated with the plurality of the DNS data fragments.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising normalizing the count values for each of the DNS data fragments.
  - 3. The method of claim 2, wherein the normalizing of the count values for each of the DNS data fragments includes:
    - calculating a total count value for the predetermined period, wherein the total count value represents a number of instances the second DNS requests appear within all of the DNS data fragments; and
      
      normalizing the count values by corresponding norm values.
  - 4. The method of claim 1, wherein the family of domain names comprises at least domain names having the same top level domain name and different second level domain names.
  - 5. The method of claim 1, wherein the determining of the anomaly trend comprises determining that at least one of the count values exceeds a predetermined threshold value.
  - 6. The method of claim 1, wherein each of the DNS data fragments is in the range from about 1 second to about one week.
  - 7. The method of claim 1, wherein the anomaly trend is determined using a machine learning classifier.
  - 8. The method of claim 1, comprising performing said calculation of a semantic similarity with any of a Markov machine and an auto-encoder.

9. A computer-implemented system for detecting anomalies in Domain Name System (DNS) requests, the system comprising at least one processor and at least one memory storing processor-executable codes, wherein the at least one processor is configured to:
- receive DNS data, the DNS data including a plurality of DNS requests generated within a time period, wherein the DNS data includes a plurality of DNS data fragments received during the time period;
  
  the plurality of DNS requests including a first DNS request (Qi), wherein the first DNS request is associated with a domain name;
  
  detect a family of domain names associated with the domain name, said detecting comprising calculating a semantic similarity between strings of domain names;
  
  select a plurality of second DNS requests (Qj) from the plurality of DNS requests, wherein each of the second DNS requests is member of the family of domain names;
  
  calculate a count value for each of the DNS data fragments, wherein each of the count values represents a number of instances or frequency the second DNS requests appear within one of the DNS data fragments; and
  
  determine an anomaly trend based on the count values of the plurality of second DNS requests associated with the plurality of the DNS data fragments.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the at least one processor is configured to:
    - normalize the count values for each of the DNS data fragments.
  - 11. The system of claim 10, wherein the normalizing of the count values for each of the DNS data fragments includes:
    - calculating a total count value for the predetermined period, wherein the total count value represents a number of instances the second DNS requests appear within all of the DNS data fragments; and
      
      normalizing the count values by corresponding norm values.
  - 12. The system of claim 9, wherein the family of domain names comprises at least domain names having the same top level domain name and different second level domain names.
  - 13. The system of claim 9, wherein the determining of the anomaly trend comprises determining that at least one of the count values exceeds a predetermined threshold value.
  - 14. The system of claim 9, wherein each of the DNS data fragments is in the range from about 1 second to about one week.
  - 15. The system of claim 9, wherein the anomaly trend is determined using a machine learning classifier.

16. A non-transitory processor-readable medium having instructions stored thereon, which when executed by one or more processors, cause the one or more processors to implement a method for detecting anomalies in Domain Name System (DNS) requests, the method comprising:
- receiving DNS data, the DNS data including a plurality of DNS requests generated within a time period, wherein the DNS data includes a plurality of DNS data fragments received during the time period;
  
  the plurality of DNS requests including a first DNS request (Qi), wherein the first DNS request is associated with a domain name;
  
  detecting a family of domain names associated with the domain name, said detecting comprising calculating a semantic similarity between strings of domain names;
  
  selecting a plurality of second DNS requests (Qj) from the plurality of DNS requests, wherein each of the second DNS requests is member of the family of domain names;
  
  calculating a count value for each of the DNS data fragments, wherein each of the count values represents a number of instances or frequency the second DNS requests appear within one of the DNS data fragments; and
  
  determining an anomaly trend based on the count values of the plurality of second DNS requests associated with the plurality of the DNS data fragments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
Nominum Incorporated (Akamai Technologies, Inc.)
Inventors
Fakeri-Tabrizi, Ali, Nguyen, Thanh, Liu, Hongliang, O'Leary, Paul, Kullberg, Mikael, Iuzifovich, Iurii, Paugh, James, Wilbourn, Robert S.
Primary Examiner(s)
Revak, Christopher A

Application Number

US16/107,627
Publication Number

US 20190068634A1
Time in Patent Office

567 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Analyzing DNS requests for anomaly detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Analyzing DNS requests for anomaly detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links