Detecting botnet domains
First Claim
1. A computer-implemented method comprising:
- monitoring network traffic associated with a plurality of clients in a network;
- based on the monitoring, storing information related to a plurality of domains that are queried by the plurality of clients;
- identifying one or more suspect clients of the plurality of clients in the network based on the stored information;
- determining a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;
- based on the monitoring and the storing, determining client activity information related to: (i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;
- determining a polytope region for a first client of the one or more suspect clients based on the client activity information;
- comparing each domain of the subset of suspect domains to the polytope region for the first client;
- associating at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and
- blocking at least one of a query or an access attempt by one of the plurality of clients to the first domain.
Abstract
A method and an apparatus for detecting botnet domains is described. In one embodiment, the method includes monitoring network traffic associated with a plurality of clients in a network. Based on the monitoring, information related to a plurality of domains that are queried is stored. The method includes identifying one or more suspect clients in the network based on the stored information and determining a subset of suspect domains based on the stored information related to the domains queried by the suspect clients. The method can include determining client activity information and using the client activity information to determine a polytope region for a client. The method includes comparing each suspect domain to the polytope region and associating a domain with a group of blocked domains if the domain falls within the polytope region.
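As an added illustration that is not part of the patent, the following Python computes the four client-activity features named in the claims from a constructed query log and then tests each suspect domain against a polytope region for one client, modelled as an intersection of half-spaces. The feature encodings, the sample log, the suspect-client set and the polytope bounds are all assumptions: the claims do not specify how the region is derived.

```python
from collections import defaultdict

# Constructed query log: (time window, client, queried domain). Two consecutive
# windows, 0 and 1; clients and domain names are made up for the illustration.
QUERIES = [
    (0, "c1", "cdn.example"), (0, "c2", "cdn.example"), (0, "c3", "cdn.example"),
    (0, "c1", "xk3f.example"), (0, "c2", "xk3f.example"),
    (1, "c1", "xk3f.example"), (1, "c2", "xk3f.example"),
    (1, "c4", "cdn.example"), (1, "c1", "mail.example"),
]
SUSPECT_CLIENTS = {"c1", "c2"}  # assumed output of the suspect-client step

def suspect_domains(queries, suspects):
    """Subset of domains queried by at least one suspect client."""
    return {d for _, c, d in queries if c in suspects}

def client_activity(queries, domains, w0, w1):
    """Features (i)-(iv) of the claim for each suspect domain over windows w0, w1."""
    clients_by_dom = defaultdict(lambda: defaultdict(set))   # domain -> window -> clients
    doms_by_client = defaultdict(lambda: defaultdict(set))   # client -> window -> domains
    for w, c, d in queries:
        clients_by_dom[d][w].add(c)
        doms_by_client[c][w].add(d)
    feats = {}
    for d in domains:
        ids = clients_by_dom[d][w0] | clients_by_dom[d][w1]        # (ii) identities
        both = clients_by_dom[d][w0] & clients_by_dom[d][w1]
        persistence = len(both) / len(ids) if ids else 0.0          # (iv), assumed encoding
        mean_domains = (sum(len(doms_by_client[c][w1]) for c in ids) / len(ids)
                        if ids else 0.0)                            # (iii), averaged over ids
        feats[d] = {"n_clients": len(ids), "clients": ids,          # (i)
                    "mean_domains": mean_domains, "persistence": persistence}
    return feats

def in_polytope(x, halfspaces):
    """A polytope is an intersection of half-spaces a.x <= b; test all of them."""
    return all(sum(ai * xi for ai, xi in zip(a, x)) <= b for a, b in halfspaces)

def blocked_domains(feats, polytope):
    """Domains whose (n_clients, mean_domains, persistence) vector lies in the region."""
    return {d for d, f in feats.items()
            if in_polytope((f["n_clients"], f["mean_domains"], f["persistence"]), polytope)}

# Assumed polytope for client c1: few querying clients, few domains per client,
# and the same clients returning in consecutive windows. Bounds are illustrative.
POLYTOPE_C1 = [((1, 0, 0), 3), ((0, 1, 0), 5), ((0, 0, -1), -0.9)]
```

Running `blocked_domains(client_activity(QUERIES, suspect_domains(QUERIES, SUSPECT_CLIENTS), 0, 1), POLYTOPE_C1)` flags only the low-prevalence, persistently queried domain, while the widely queried CDN name falls outside the region.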
20 Claims
1. (The text of independent claim 1 is given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations comprising:
- monitoring network traffic associated with a plurality of clients in a network;
- based on the monitoring, storing information related to a plurality of domains that are queried by the plurality of clients;
- identifying one or more suspect clients of the plurality of clients in the network based on the stored information;
- determining a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;
- based on the monitoring and the storing, determining client activity information related to: (i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;
- determining a polytope region for a first client of the one or more suspect clients based on the client activity information;
- comparing each domain of the subset of suspect domains to the polytope region for the first client;
- associating at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and
- blocking at least one of a query or an access attempt by one of the plurality of clients to the first domain.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. An apparatus comprising:
- a communication interface configured to enable network communications; and
- a processor coupled with the communication interface, and configured to:
  - monitor network traffic associated with a plurality of clients in a network;
  - based on the monitoring, store information related to a plurality of domains that are queried by the plurality of clients;
  - identify one or more suspect clients of the plurality of clients in the network based on the stored information;
  - determine a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;
  - based on the monitoring and the storing, determine client activity information related to: (i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;
  - determine a polytope region for a first client of the one or more suspect clients based on the client activity information;
  - compare each domain of the subset of suspect domains to the polytope region for the first client;
  - associate at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and
  - block at least one of a query or an access attempt by one of the plurality of clients to the first domain.
Dependent claims: 16, 17, 18, 19, 20.