Network anomaly detection
First Claim
1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for network anomaly detection, the machine-readable storage medium comprising instructions to cause the hardware processor to:
- receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device;
- provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on (i) characteristics of the at least one DNS query packets, (ii) data representing previous occurrences of DNS anomalies, and (iii) one or more machine learning techniques, wherein the characteristics include one or more of a change in DNS configuration of the particular client computing device and a time it takes to process the at least one DNS query packet;
- receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the at least one DNS query packets;
- determine an action that caused the DNS anomaly to occur; and
- in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly and data specifying the action that caused the DNS anomaly to occur.
Abstract
Examples relate to detecting network anomalies. In one example, a computing device may: receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device; provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the DNS query packets; receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the DNS query packets; and in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.
Claims (20)
1. Independent claim; its full text is given under First Claim above. Dependent claims: 2, 3, 4, 5.
6. A computing device for network anomaly detection, the computing device comprising:
- a hardware processor; and
- a data storage device storing instructions that, when executed by the hardware processor, cause the hardware processor to:
  - obtain, from a plurality of network packet capture devices of a private network, a set of domain name system (DNS) packets, each DNS packet i) being addressed to a DNS server, and ii) having a source address that specifies a client computing device included in the private network;
  - identify, from the set of DNS packets, whitelist DNS packets that specify a whitelisted domain name included in a whitelist of domain names;
  - identify, from the set of DNS packets, blacklist DNS packets that specify a blacklisted domain name included in a blacklist of domain names;
  - identify, from the set of DNS packets, a set of unknown DNS packets by excluding, from the set of DNS packets, each whitelist DNS packet and blacklist DNS packet;
  - analyze, for a particular client computing device included in the private network, unknown DNS packets having a particular source address that specifies the particular client computing device;
  - identify, based on (i) at least one characteristic of the analyzed unknown DNS packets, (ii) data representing previous occurrences of DNS anomalies, and (iii) one or more machine learning techniques, a DNS anomaly for the particular client computing device, wherein the at least one characteristic includes one or more of a change in DNS configuration of the particular client computing device and a time it takes to process the unknown DNS packets; and
  - determine an action that caused the DNS anomaly to occur.
Dependent claims: 7, 8, 9, 10.
11. A method for network anomaly detection, implemented by a hardware processor, the method comprising:
- obtaining, from a plurality of network packet capture devices of a private network, domain name system (DNS) query packets that were sent by a plurality of client computing devices operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies one of the plurality of client computing devices;
- identifying, from the DNS query packets, a set of client DNS packets for a particular client, each client DNS packet specifying a source address associated with the particular client;
- identifying, based on (i) at least one characteristic of the set of client DNS packets, (ii) data representing previous occurrences of DNS anomalies, and (iii) one or more machine learning techniques, a DNS anomaly for the particular client, wherein the at least one characteristic includes one or more of a change in DNS configuration of the particular client and a time it takes to process the unknown DNS packets;
- determining an action that caused the DNS anomaly to occur; and
- providing, to a user device, data specifying the DNS anomaly and data specifying the action that caused the DNS anomaly to occur.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
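As an added illustration (not code from the patent or its assignee), the following Python sketches the pipeline of claims 6 and 11: partition captured DNS queries by whitelist and blacklist, group the remaining unknown queries per client source address, and flag the two characteristics the claims name, a change in the client's DNS configuration (queries sent to a resolver other than its baseline) and excessive processing time. A fixed-threshold rule stands in for the trained analyzer; the domain lists, baseline resolvers, threshold and captured packets are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsQuery:
    src: str           # source address identifying the client
    dns_server: str    # destination DNS server
    qname: str         # queried domain name
    latency_ms: float  # query-to-response time measured by the capture device
# Constructed sample lists and per-client baseline resolver (hypothetical values).
WHITELIST = {"example.com", "updates.example.net"}
BLACKLIST = {"bad.example.org"}
BASELINE_SERVER = {"10.0.0.5": "10.0.0.53", "10.0.0.7": "10.0.0.53"}
def partition(packets):
    """Split captured queries into whitelist, blacklist and unknown sets."""
    white, black, unknown = [], [], []
    for p in packets:
        if p.qname in WHITELIST:
            white.append(p)
        elif p.qname in BLACKLIST:
            black.append(p)
        else:
            unknown.append(p)
    return white, black, unknown
def detect_anomalies(unknown, baseline, max_latency_ms=200.0):
    """Per client: flag an unexpected resolver (DNS configuration change) and slow queries."""
    by_client = defaultdict(list)
    for p in unknown:
        by_client[p.src].append(p)
    findings = []
    for src, pkts in by_client.items():
        # Any resolver other than the client's baseline counts as a configuration change.
        unexpected = {p.dns_server for p in pkts} - {baseline.get(src)}
        if src in baseline and unexpected:
            findings.append((src, "dns_config_change", sorted(unexpected)))
        slow = [p.qname for p in pkts if p.latency_ms > max_latency_ms]
        if slow:
            findings.append((src, "slow_resolution", slow))
    return findings
# Constructed capture: one whitelisted, one blacklisted and two unknown queries.
SAMPLE = [
    DnsQuery("10.0.0.5", "10.0.0.53", "example.com", 12.0),
    DnsQuery("10.0.0.5", "10.0.0.53", "bad.example.org", 15.0),
    DnsQuery("10.0.0.5", "198.51.100.9", "cdn.unknown.test", 30.0),
    DnsQuery("10.0.0.7", "10.0.0.53", "internal.corp.test", 450.0),
]

def run_sample():
    _, _, unknown = partition(SAMPLE)
    return detect_anomalies(unknown, BASELINE_SERVER)
```

Each finding carries the client address, the characteristic that fired and the evidence, which is the data a reporting step would hand to the user device.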