Identification of a DNS packet as malicious based on a value

US 10,686,817 B2
Filed: 09/21/2015
Issued: 06/16/2020
Est. Priority Date: 09/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method, executable by a computing device, the method comprising:

determining a number of hosts, within an enterprise, resolving a particular domain; and

identifying whether the particular domain is benign based on the number of hosts resolving the particular domain, wherein identifying whether the particular domain is benign based the number of hosts resolving the particular domain comprises;

identifying the domain as benign if the number of hosts resolving the particular domain is above a threshold; and

identifying the domain as malicious if the number of hosts resolving the particular domain is below the threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples determine a number of hosts, within an enterprise, which are resolving a particular domain. Based on the number of hosts within the enterprise resolving the particular domain, the examples identify whether the particular domain is benign.

Citations

16 Claims

1. A method, executable by a computing device, the method comprising:
- determining a number of hosts, within an enterprise, resolving a particular domain; and
  
  identifying whether the particular domain is benign based on the number of hosts resolving the particular domain, wherein identifying whether the particular domain is benign based the number of hosts resolving the particular domain comprises;
  
  identifying the domain as benign if the number of hosts resolving the particular domain is above a threshold; and
  
  identifying the domain as malicious if the number of hosts resolving the particular domain is below the threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein identifying whether the particular domain is benign based on the number of hosts resolving the particular domain comprises:
    - determining a number of resolutions corresponding to the particular domain; and
      
      in response to the identified number of hosts and the identified number of resolutions, identifying whether the particular domain is benign.
  - 3. The method of claim 2 wherein a higher number of resolutions indicates that the particular domain is benign.
  - 4. The method of claim 2 wherein determining the number of resolutions corresponding to the particular domain comprises:
    - determining an aggregate number of domain name system (DNS) packets resolving the particular domain over a period of time.
  - 5. The method of claim 1 comprising:
    - discarding a domain name system (DNS) log associated with the particular domain in response to the identification of the particular domain as benign.
  - 6. The method of claim 1 comprising:
    - in response to the identification the particular domain as benign, incorporating the particular domain name into a whitelist.

7. A non-transitory machine-readable storage medium comprising instructions that when executed by a processing resource cause a computing device to:
- determine a number of hosts resolving a particular domain;
  
  determine a number of resolutions corresponding to the particular domain; and
  
  identify whether the particular domain is benign based on the number of hosts and the number of resolutions, wherein to identify whether the particular domain is benign based on the number of hosts and the number of resolutions comprises instructions that when executed by the processing resource causes the computing device to;
  
  identify the particular domain as benign if the number of hosts and the number of resolutions are each above a threshold; and
  
  identify the domain as malicious if the number of hosts or the number of resolutions are below the threshold.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory machine-readable medium of claim 7 wherein to determine the number of resolutions corresponding to the particular domain comprises instructions that when executed by the processing resource causes the computing device to:
    - determine an aggregate number of domain name system (DNS) packets resolving the particular domain over a period of time.
  - 9. The non-transitory machine-readable storage medium of claim 7 comprising instructions that when executed by the processing resource cause the computing device to:
    - discard DNS traffic log in response to the identification the particular domain is benign; and
      
      incorporate the particular domain into a whitelist.
  - 10. The non-transitory machine-readable medium of claim 7, wherein a higher number of hosts and a higher number of resolutions indicates the particular domain is benign.
  - 11. The non-transitory machine-readable storage medium of claim 7 comprising instructions that when executed by the processing resource cause the computing device to:
    - in response to the identification the particular domain as benign, incorporating the particular domain name into a whitelist.

12. A networking system comprising:
- an appliance to;
  
  process domain name system (DNS) traffic between a DNS server and hosts;
  
  determine a number of hosts, within an enterprise, resolving a particular domain;
  
  determine a number of resolutions corresponding to the particular domain; and
  
  identify whether the particular domain is benign based on the number of hosts and the number of resolutions, wherein to identify whether the particular domain is benign, the appliance is to;
  
  identify the particular domain as benign if the number of hosts and the number of resolutions are above a threshold; and
  
  identify the particular domain as malicious if the number of hosts or the number of resolutions are below the threshold.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12 further comprising:
    - a domain name system (DNS) server to exchange DNS traffic with the number of hosts.
  - 14. The system of claim 12, wherein a higher number of hosts and a higher number of resolutions indicates the particular domain is benign.
  - 15. The system of claim 12, the appliance to:
    - discard a domain name system (DNS) log associated with the particular domain in response to the identification of the particular domain as benign.
  - 16. The system of claim 12, the appliance to:
    - in response to the identification the particular domain as benign, incorporate the particular domain name into a whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Rao, Prasad V., Bhatt, Sandeep N., Horne, William G., Manadhata, Pratyusa K., Mowbray, Miranda Jane Felicity
Primary Examiner(s)
Poltorak, Piotr

Application Number

US15/754,282
Publication Number

US 20180255083A1
Time in Patent Office

1,730 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/3015   Name registration, generati...

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Identification of a DNS packet as malicious based on a value

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Identification of a DNS packet as malicious based on a value

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links